blog: Agent Memory Writes Are Actions, Too #648
Open
amavashev wants to merge 5 commits into
New pillar post extending action authority to memory mutations. Frames mem0 / Letta / Zep / Claude-style memory writes as a distinct action class with cross-run blast radius, places memory ops in the existing five-tier action model, and offers a RISK_POINTS schedule, a reserve-commit pattern, and a tenant-isolation argument.

Closes a gap in the corpus: action-authority posts so far frame side effects as outbound events; memory writes persist forward into the next run's input.

Internal cross-links to action-control, risk-assessment, policy-drift, agent-identity, multi-tenant-cost-control, audit-trail-byproduct, cross-cutting-controls, mcp-gateways, state-of-governance, and the relevant protocol / how-to / glossary pages.

External citations: mem0 repo, Letta blog, OWASP Top 10 for Agentic Applications (Dec 2025) ASI06, OWASP Agent Memory Guard.

Reviews: internal cycles 1-3 (scorecard 9.2/10), glossary linker applied 6 contextual links. Codex round 1 verified upstream facts via GitHub/web connector.
Apply/skip tally: 6 applied, 2 pushed back.

Applied:
- Tier-model citation: pointed to risk-assessment (0-4) instead of action-control (1-5); my table numbers were already risk-assessment-aligned. Eliminates the numbering mismatch codex flagged.
- Operation table labeled conceptual; `pin`/`unpin`/`archive` are not uniform API names across mem0/Letta/Zep.
- `archive` rationale: dropped "no semantic change," replaced with "affects retrieval visibility but not stored content."
- "Answer none of these questions" softened to "answer few."
- MCP server row hedged: "in its default configuration."
- Tag casing: `risk-points` -> `RISK_POINTS` to match the corpus convention in ai-agent-risk-assessment-score-classify-enforce-tool-risk.

Skipped, with reason:
- "Body links inside non-Next-Steps bullets" — flagged bullets contain one or two contextual references each (glossary auto-links plus one topical link in the provenance bullet). Not "link dump" lists; rule is about bullet enumerations that exist primarily to list links.
- "Link density well over 5-8" — count includes glossary auto-links which clarify in-place definitions, not topical cross-references. Topical body cross-links count ~7, within target.

Codex verified upstream facts: mem0 add/update/delete (April 2026 ADD-only shift confirmed), Letta formerly MemGPT (Sept 23, 2024), OWASP ASI06 "Memory & Context Poisoning," Agent Memory Guard SHA-256.
Apply/skip tally: 2 applied, 0 pushed back.

Applied:
- Tier 4 label fix: in the risk-assessment 0-4 model that this post now cites, Tier 4 is "Execution," not "Mutation." Relabeled the two Tier 4 memory rows (shared/global `add`, pinned core `update`) as "4 (Execution-equivalent)" to match the cited scheme.
- Next Steps: changed "parent tier model" to "parent action-control framing" so the AI Agent Action Control link description aligns with the body, which now anchors tier numbering to AI Agent Risk Assessment.
Date moved from 2026-05-15 to 2026-05-16 to land on the intended publish day. No content changes.
amavashev added a commit that referenced this pull request May 15, 2026
Date moved from 2026-05-16 to 2026-05-17 to land one day after the sibling memory-writes post (PR #648). No content changes.
amavashev added a commit that referenced this pull request May 15, 2026
…-pause-to-reserve

Apply/skip tally: 9 applied, 2 pushed back.

Applied:
- `response.function_call` → `response.function_call_arguments.*`: the OpenAI Realtime API uses function-call output items and the function_call_arguments streaming events; my original event name was not a real Realtime server event. Fixed in both the prose and the stack-by-stack table.
- 80-150 ms relay hop: removed the specific band attribution. The OpenAI page does not state it. Generic phrasing: "a forwarding hop sized to fit inside the conversation's latency budget."
- ElevenLabs row: clarified the $0.08-$0.24/min framing. Hosting is $0.08/min flat or $0.16/min burst; the $0.24 ceiling derives once LLM and telephony layer on at cost.
- Vapi row: labeled the $0.115-$0.42/min range as an estimate (it's derived from $0.05/min orchestration plus a BYOK provider stack at cost; the actual all-in depends on provider choices).
- 17-minute "$1.50-$8.00 model spend alone": tightened to "against the per-minute stack rates above" since the rates in the table mix all-in / provider / orchestration models.
- Provider-layer caps: softened from "OpenAI, Vapi, Retell AI, and ElevenLabs all expose per-call or per-session limits" to "to whatever degree each provider exposes them — typically through per-session budget headers, dashboard caps, or programmatic limits." Pricing pages don't uniformly establish hard caps.
- "Most production voice teams use this only..." for speculative commit: softened to "This pattern is usually safer on the slow-path tool layer."
- Description trimmed 162 → 152 chars: changed "—" to ":", "sit synchronously in the path" to "sync on the hot path."
- `reserve-commit` glossary link: pointed to /protocol/how-reserve-commit-works-in-cycles instead of /glossary#reservation (reserve-commit is a lifecycle term, not the reservation entry).

Skipped, with reason:
- Body cross-link count (11) above 5-8 pillar target: three of the eleven are the trilogy references in a single closing sentence that names the sibling extension series (memory-writes, merge, computer-use). They are coherent as a triple, not redundant.
- 2026-05-20 publish date: intentional sequence after the trilogy (5/16, 5/18, 5/19, 5/20).

Codex verified upstream: ElevenLabs/Vapi/Retell AI pricing pages, OpenAI Realtime API event surface (function_call_arguments.delta / .done are the actual streaming events), and the cycles-docs main-branch internal targets. Sibling links to memory-writes, merge, and computer-use treated as just-merged via PR #648-#650.
This was referenced May 15, 2026
amavashev added a commit that referenced this pull request May 15, 2026
…ew-surfaces

Apply/skip tally: 8 applied, 0 pushed back.

Applied:
- L36 synthesis quote: replaced "the lifecycle is the stable layer" (which is not the exact synthesis H2 wording) with prose paraphrase that aligns with the actual H2 "Reserve-Commit Is the Stable Layer."
- L45 / L140 / L225 "risk order" / "lowest-risk" framing aligned with L142 clarification: now "false-positive-cost order" / "lowest-false-positive-cost" throughout, matching how the cutover order is actually ranked.
- L103 absolute "the quota is wrong / not constraining anything" softened to "Substantially higher rates suggest...; substantially lower rates suggest...". Calibration target labeled as starting heuristic.
- L125 "Most shadow weeks produce a clean bimodal distribution" hedged: "When the shadow data produces a clearly bimodal distribution, the cap belongs in the gap; when it does not, the schedule needs more (target, intent) features."
- L138 generalized "reserve-to-commit ratio across all four surfaces" claim scoped: voice has a true reserve-to-commit ratio; the other three use cap-fire rate vs shadow baseline as the analogue.
- L152 ">85% intended denials" labeled as a minimum triage bar with explicit note that sensitive surfaces (merge, voice mid-conversation) target higher fractions.
- L187 "Reserve-to-actual ratio per surface" rewritten to "Voice reserve-to-commit ratio, trending; for the other three surfaces, cap-fire rates vs the shadow-mode baseline." Fixes both the terminology drift (capital-R variant the replace_all missed) and the cross-surface ratio generalization.

Codex verified all per-surface gate primitives match the sibling PRs #648-#652 and confirmed the SEO, code-accuracy, and tone dimensions clean.
Summary
New pillar post extending action authority to memory mutations — a gap in the corpus where action-authority posts so far frame side effects as outbound events, but memory writes persist forward into the next run's input.
memory.add, a tenant-isolation argument, and a 6-question governance checklist
Author: Albert Mavashev
Date: 2026-05-16
Word count: ~2,860 body
Reviews
Codex verified upstream facts via GitHub/web connector: mem0 add/update/delete (April 2026 ADD-only shift), Letta formerly MemGPT (Sept 23 2024), OWASP ASI06 "Memory & Context Poisoning," Agent Memory Guard SHA-256 baselines.
Per-dimension scores
Overall: 9.4 / 10
Test plan