Cryptographically trace what your AI agent knew.
Tamper-evident memory and decision lineage for AI agents.Β
Local-first. SHA-256 hash-chained. Merkle-sealed. Audit-ready.
Β
Quickstart Β· API Β· Security Model Β· Roadmap Β· Contributing
CORTEX is trust infrastructure for AI agents. It sits between your runtime and your memory layer, making facts, decisions, and derived state tamper-evident. If stored context changes after the fact, verification fails. If you need to explain what an agent knew, when it knew it, and what it did next, CORTEX gives you a cryptographic trail instead of an anecdote.
| Feature | Logs & Observability | CORTEX Persist (Trust Layer) |
|---|---|---|
| Trust Model | "Trust the process" | "Verify the evidence" |
| Tamper Detection | Weak (DB mutation is silent) | Cryptographic (SHA-256 + Merkle) |
| Compliance Proof | Requires manual reconstruction | O(1) Portable JSON Audit Packs |
| Agent Liability | Ambiguous context reconstruction | Mathematically defensible lineage |
Logs tell you what happened. CORTEX adds cryptographic evidence for what the agent knew, when it knew it, and whether later tampering is detectable along the verified chain. Review a real verification proof.
- Autonomous Agents: Prove exactly what context an agent had when making a critical, irreversible decision (e.g. executing a trade, sending a legal email).
- Multi-Agent Systems: Trace state propagation across agents and workflows.
- Compliance-Heavy Environments: Produce audit trails for finance, security, and regulated operations.
- Post-incident forensics: detect silent mutation, tampering, or replayed state.
- Trust-sensitive AI products: ship memory with evidence, not vibes.
Traditional logging and standard vector stores fail the epistemic containment test. If an agent hallucinates, or if a database is mutated passively, you lose structural trust in the machine. CORTEX makes mutation mathematically defensible.
| Feature | Standard Logs (Datadog/ELK) | Standard Vector DB (Pinecone/Qdrant) | CORTEX Persist |
|---|---|---|---|
| Primary Goal | Observability & Debugging | Semantic Search & RAG | Tamper-Evident Cognitive Lineage |
| Write Integrity | Overwritable / Editable | Silent CRUD operations | Append-Only + Cryptographic Hash |
| Fact Mutability | Easy (API/Admin access) | Easy (API/Admin access) | Tamper-evident (verification reveals mutation) |
| Evidence Export | Text dumps | JSON extracts | Zero-Trust Sealed Audit Packs |
See a real artifact: View Exported Audit Pack
- CORTEX is not a Semantic Search primary DB: Continue using Qdrant, Pinecone, or Milvus for purely ephemeral RAG chunks. CORTEX stores the decisions and core facts.
- CORTEX is not an Observability Platform: Continue using Datadog or ELK for server metrics, APM, and basic string logs.
- CORTEX does not stop hallucinations: A cryptographically logged lie from an LLM is still a lie. It is merely an auditable lie, flagged if it contradicts prior sealed facts.
- Tamper-evident memory: append-only ledger for facts, decisions, and state transitions.
- Hash-linked records: SHA-256 chaining across stored entries.
- Batch integrity proofs: Merkle checkpoints for efficient verification at scale.
- Deterministic audit exports: reproducible evidence for internal review and regulated workflows.
- Drop-in positioning: works on top of existing memory stores instead of replacing your stack.
| Environment | Status | Storage / Scaling |
|---|---|---|
| Local-Only | β Stable local-first core | SQLite + WAL + built-in Vector Search. Best-supported path today. |
| Self-Hosted | π‘ Beta | Multi-tenant. API-driven. Redis cache. Pluggable to your infra. |
| Cloud-Ready | β³ Partial / Roadmap | Postgres/Qdrant/Turso code exists in-tree; managed cloud posture remains incomplete. |
The supported core modules are: engine, ledger, crypto, memory, facts, search, verification, audit, CLI, database, embeddings, guards, auth, core, and types.
See docs/PRODUCT-CORE.md for the full stability tier breakdown (Stable / Beta / Experimental).
# 1. Start the ledger
$ cortex init
# 2. Store a memory
$ cortex memory store risk-bot "Transaction flagged: IP mismatch"
[+] Fact stored. Ledger hash: 8f4a2b9e...
# 3. Verify the stored fact
$ cortex verify 1
[β] VERIFIED: Fact chain intact.
# 4. Tamper attempt (direct DB mutation)
$ sqlite3 cortex.db "UPDATE facts SET content='Transaction approved' WHERE id='8f4a2b9e'"
# 5. Ledger verification
$ cortex trust-ledger verify
[β] TAMPER DETECTED: Hash mismatch at block 8f4a2b9e
# 6. Generate a compliance snapshot
$ cortex compliance-reportπ Python demo: For a self-contained Python script that walks through the full core flow, see
examples/demo_canonical.py.
Start with the smallest supported flow and get to audit evidence fast.
The supported PyPI base flow is install -> init -> store -> verify.
Semantic search, MCP/server flows, and other extended surfaces may require optional extras or a fuller local runtime.
pip install cortex-persist
cortex init
cortex memory store risk-bot "Transaction flagged: IP mismatch"
cortex trust-ledger verifyFor local semantic embeddings, Chroma-backed knowledge sync, or JIT acceleration, add the optional extras you actually need:
pip install "cortex-persist[embeddings]"
pip install "cortex-persist[knowledge]"
pip install "cortex-persist[acceleration]"
pip install "cortex-persist[platform]" # macOS keychain support
pip install "cortex-persist[api,mcp,daemon,authoring]" # optional server surfacesgit clone https://github.com/borjamoskv/Cortex-Persist.git
cd Cortex-Persist
python3 -m venv .venv && source .venv/bin/activate
pip install -e .
cortex init
cortex memory store risk-bot "Transaction flagged: IP mismatch"
cortex trust-ledger verifySee docs/installation.md for full installation options and platform-specific notes.
CORTEX wraps your existing state management. It does not replace your embeddings or vector search.
import asyncio
from cortex import CortexEngine
async def main() -> None:
engine = CortexEngine()
fact_id = await engine.store(
project="fin-fraud-bot",
content="User approved transaction $5,000",
fact_type="decision",
tenant_id="customer-123",
)
result = await engine.verify_ledger()
assert result.get("valid") is True
asyncio.run(main())Typical execution on a standard cloud instance (4 vCPU, 16 GB RAM).
| Operation | Median | P95 | Notes |
|---|---|---|---|
| Memory Write | ~18 ms | ~35 ms | Local SQLite + SHA-256 |
| Verify Record | ~5 ms | ~12 ms | Single block validation |
| Merkle Checkpoint | ~85 ms | ~140 ms | Aggregating 10k records |
| Report Export | ~400 ms | ~800 ms | Lineage traversal |
CORTEX is governed by a strict zero-trust philosophy regarding generative AI output.
- Generative Output is Conjecture: We treat all LLM output as thermodynamically unstable (
Void-State). It only becomes durable memory after crossing the deterministic verification membrane. - SQL Sandboxing: Agents cannot run arbitrary queries; mutations must pass through rigid schema validation and formal AST checkpoints.
- Tamper Evidence over Access Control: Instead of just hoping admins don't edit rows, we hash-chain the ledger so any manual modification invalidates the mathematical proof of the memory thread.
Read the exhaustive cryptographic guarantees in our Security & Trust Model.
- Security & Trust Model β Cryptographic invariants & guarantees.
- Roadmap β Deployment phases and scaling logic.
- API Reference β SDK primitives and REST endpoints.
Apache License 2.0. See LICENSE.
Built by borjamoskv.com Β· cortexpersist.com