You finally got your system to beat Mem0 on its own benchmark. Spin up a fresh DB. Things are good, confabs down, productivity is up. A week or two...
For further actions, you may consider blocking this person and/or reporting abuse
The "looks like it is working" failure mode is the convergence point I keep watching peers name under different vocabularies this week. Marcos Henrique's Poirot post landed on it from the incident-response side (well-formatted wrong report). Shudipto Trafder's hallucination measurement framework named it as the gap between demo and deployment. The thread under Raffaele Zarrelli's push-by-state post from this morning called it "actively steering with confidence." Your version specific to memory adherence is the production formulation: the store exists, writes occasionally happen, and the goldfish symptom only shows up days later when somebody notices a confidently wrong recall. Different domains, identical failure shape, and none of the standard observability catches it.
The three-place hook architecture you describe maps onto why pull-by-relevance is structurally blind for memory adherence specifically. A durable fact that has not been written yet has no relevance hook for the ranker to grip on, which is the same atom Raffaele just named in another thread ("openness is not a similarity signal"). Session-start injection, in-band write validation, and end-of-turn nudge are the three places push-by-state has to compensate, because relevance scoring has nothing to score against until after the act of capture has happened. The model is not refusing to write. It has no salience signal that this is the moment to write.
The native-competitor lesson is the part I think most teams will under-budget. CLAUDE_CODE_DISABLE_AUTO_MEMORY=1 is one line, but the broader pattern is that when two pathways exist for the same operation, the one closer to the model's root instructions wins, regardless of how loud the secondary one is. Same shape as IAM versus prompt-injection: the system-level boundary wins over the prompt-level instruction every time, in both directions.
The piece all of this rests on, and the part I have not seen anyone in the cluster name out loud yet, is that the architecture (hooks, validation gate, nudge, native-competitor disable) requires the largest amount of sustained smooth-operator discipline of any agent fix I have read this year. Engineering-perfect as a recommendation, unverifiable as a real-life property. The failure mode is the operator quietly dropping one of these after a frustrating Tuesday and nobody noticing until the goldfish symptom returns. The system architecture is the easy half. Operator discipline holding across months is the hard half, and there is no planted-fault test for that one.
One concrete question, since Recall is push-style and you have been running it for months: at the end-of-turn nudge, do you ever surface the not-yet-written candidate to the operator instead of the model, or is the loop fully closed inside the model's pass? The handoff-to-operator path is the one I keep coming back to for the case where the model itself has no salience signal that something was durable.
I have an even better post coming up, the incomplete push everything enters as data model only acts your prompt and searches the graph with keywords they can't force action becuase its been dismantled into tokens and returned as graph IDs
mitigates outside prompt injection through the memory store, and BM25 can track a manipulative word list and flag third-party, with a value, and that can also be tracked by the DBs' stood-up functions like a trendline derivative that only decays with time. So long, cons get timed out or pushed below a safety threshold, you can do a hashed allow list on known good DB members. make untrusted members earn trust through the same mechanism. I'm still working out the details, but I'm stoked about the functional memory layer and model defense security for free woot^^next week I'll have the goods.
The dismantle-into-tokens-and-return-as-graph-IDs move is the structural form of the same boundary discipline you already have at the IPC layer: untrusted content cannot route through an executable path because the path has been removed by construction. The reputation-derivative-that-decays-with-time piece is the part I am most curious about, since trust-accumulated-through-observed-behavior beats trust-declared-at-registration by exactly the same margin that last-caught-a-planted-violation beats last-reviewed. Will read next week's post first thing.
One concrete question waiting for the goods: does the decay rate adapt to source class (one-off prompt vs persistent integration), or is it a single global curve? The two cases have different blast radii and probably want different half-lives.
From 920c6e3b ("BM25-carried bad-word probe accumulates a decay-only injection score on the actor"):
A bad-word / injection-signature hit raises a numeric injection-suspicion score that accumulates on the writer, not on the flagged cell. The cost lands on the actor's standing.
It is a ratchet with decay: the score only ever goes up on hits. The only thing that brings it down is time-decay, described as "the same exponential form as currency, its own tau."
So the function is exponential decay of the form S(t) = S0 · e^(−t/τ) applied to the accumulated score, with its own time constant τ (the same shape as the currency/staleness axis, not necessarily the same τ value).
Deliberately decay-only / no buy-back: an attacker cannot wash the score out by flooding good cells. Volume does nothing; only elapsed time clears it. Same asymmetry as the rest of the trust math: easy to lose, slow to regain.
The score feeds the writer's trust, so a writer racking up injection-suspicion gets their cells down-weighted out of the push automatically. The rise-vs-decay slope is the escalating-threat trend.
A flag is never a silent hard block (32c17f94): a single signature match does not nuke a cell, because a cell about injection looks like one attempting it. It feeds the flag plus the trust score, and a per-writer trend on injection-phrase density does the real escalation detection.
The accumulate-on-actor versus accumulate-on-cell choice is the part that turns this from a per-write detector into a behavioral one, and I think it is the load-bearing decision. A flag that lands on the cell only tells you "this content matched a signature." A flag that lands on the writer plus decays only with time tells you "this actor's history has a slope," which is the only quantity that survives the case where one cell legitimately discusses injection content. The single-signature-is-never-a-block rule is the consequence of that choice rather than an exception to it.
The no-buy-back property is the structural anti-Sybil piece worth keeping forward. Volume can pile up around an actor without diluting their accumulated suspicion, because the asymmetry is hard-coded: hits add, time subtracts, nothing else moves the score. That removes the obvious gaming path of creating many good cells under the same identity to swamp a flag, and it does it without a registration whitelist or a captcha. Same shape as rate-limit-on-bad-event-class primitives, applied to writer reputation rather than request volume.
One concrete question about τ: is τ_injection independently tunable from τ_currency, or coupled? If coupled, fast currency decay forces fast trust-regain too, which creates an awkward case for high-velocity legitimate writers (a CI bot legitimately writing many cells in a short window can look indistinguishable from an actor working off accumulated suspicion via volume + time). Decoupled τs let you say "this class of writer regains trust at a different rate than the content goes stale," which seems like the property you would want.
The "trend on injection-phrase density" callback to the trending-confidence display from the earlier thread is the part where the architecture starts looking unified. Same instrumentation primitive at two different sites: track derivative, react to slope rather than instantaneous value, externalize the curve to the decision surface. Different signals, identical mechanism.
I get blown sometimes by how readily the frontier models lean into using the system; they start responding with short descriptors and cell IDs, emergent behavior. They would reach for it and suggest its use (I speculate the signature of the IDs being present in auto memory was being inferred as missing a function). This was before the hooks; now it takes this shape. From 920c6e3b / 32c17f94): Try its free and no ex-fill.github.com/H-XX-D/recall-memory-su...
Great article. I especially agree that memory adherence is a systems problem, not just a prompting problem. Curious whether you've tested this approach across different model families (GPT, Claude, Gemini) and seen meaningful differences in write reliability?
dev.to/hendrixx/memory-adherence-i... for you