
Security: zzhang82/Agent-Memory-Bridge


SECURITY.md

Security Policy

Agent Memory Bridge is a local-first MCP server for reusable engineering memory and lightweight coordination. This page explains the default data boundary, what is stored locally, how to report vulnerabilities, and the trust boundary around optional classifier and embedding commands.

Local-First Data Model

AMB stores runtime data in the local bridge home configured for the process. The main persistent store is SQLite with FTS5 indexes. Logs, watcher state, reflex state, telemetry files, and benchmark outputs are also local files when those features are enabled.

The bridge does not require a hosted service for normal MCP use. Network access is not part of the core store, recall, browse, stats, forget, promote, export, claim_signal, extend_signal_lease, or ack_signal contract.

What AMB Stores Locally

Depending on which features you enable, AMB may store:

  • memory records, signal records, titles, namespaces, tags, and structured content
  • provenance metadata such as source client, source model, session id, workspace label, transport label, actor, correlation id, and timestamps
  • SQLite FTS indexes derived from memory content
  • optional embedding sidecar rows derived from memory content
  • local operational logs, watcher state, reflex state, and service state
  • metadata-only telemetry spans when telemetry is explicitly enabled
  • benchmark and calibration reports generated by local scripts

Treat the bridge database as sensitive project memory. Do not store secrets, credentials, access tokens, private keys, customer data, regulated data, or personal data unless you have intentionally decided that your local storage, backup, retention, and access controls are appropriate for that data.

What Not To Include In Public Issues

When opening public issues, discussions, or pull requests, do not paste:

  • live bridge databases or raw exports from private namespaces
  • API keys, tokens, credentials, private keys, cookies, or session identifiers
  • proprietary source code, customer data, regulated data, or private transcripts
  • full local paths, hostnames, usernames, or workspace labels that identify a private machine or organization
  • raw classifier payloads if they include private memory content
  • raw embedding command payloads or vectors if they reveal private memory content

Prefer minimal reproductions with placeholder namespaces, sanitized records, and short snippets that show the behavior without exposing private data.

Vulnerability Reporting

Please report suspected vulnerabilities privately instead of opening a public issue with exploit details or sensitive data.

Use the repository's private vulnerability reporting channel if it is available. If that channel is not available, contact the maintainer through the repository profile or package metadata and include only the minimum sanitized detail needed to start triage.

Helpful reports include:

  • affected version or commit
  • operating system family and Python version
  • the enabled AMB features involved
  • a sanitized reproduction or proof of concept
  • impact assessment and any known workaround

Classifier Command Trust Boundary

Classifier-assisted enrichment is optional and off by default. When configured with provider = "command", AMB runs the configured classifier command locally and sends classification candidates to it as JSON over stdin. Candidate payloads can include memory text, titles, source ids, and fallback tags. AMB then reads the classifier's JSON response from stdout.

This command is trusted local code. AMB does not sandbox it, audit it, restrict its file access, restrict its network access, or protect secrets from the process environment. Only configure classifier commands that you control and are willing to run with the same local privileges as the bridge process.

Recommended practice:

  • keep [classifier].mode = "off" unless you need classifier-assisted enrichment
  • use shadow mode before assist mode on a private corpus
  • review the command implementation and dependencies before enabling it
  • avoid commands that upload memory content unless that is an explicit and acceptable part of your deployment
  • keep minimum_confidence high enough that low-confidence tags stay out of assist-mode writes

If the classifier command fails, returns invalid JSON, times out, or emits low-confidence predictions, AMB keeps deterministic keyword and rule behavior as the fallback path.

Embedding Command Trust Boundary

Semantic and hybrid retrieval are optional. The default retrieval mode remains lexical, and the bundled embedding provider is a deterministic local token-hash sidecar intended for shadow testing and regression checks.

When configured with embedding_provider = "command", AMB runs the configured embedding command locally and sends memory text to it as JSON over stdin. The command returns vectors as JSON over stdout. AMB stores only the resulting vector sidecar, content hash, logical model id, vector dimension, and timestamp in SQLite; it does not store the raw command string in memory_embeddings.

This command is trusted local code. AMB does not sandbox it, audit it, restrict its file access, restrict its network access, or protect secrets from the process environment. Only configure embedding commands that you control and are willing to run with the same local privileges as the bridge process.

Recommended practice:

  • keep [retrieval].mode = "lexical" unless you are deliberately testing semantic or hybrid retrieval
  • test command embeddings on a copied bridge database before rebuilding a live sidecar
  • set embedding_model and embedding_dim explicitly so sidecar health checks can detect, rather than silently accept, vectors produced by a different model or with a different dimension
  • avoid commands that upload memory content unless that is an explicit and acceptable part of your deployment
  • treat embedding vectors as potentially sensitive derived data when sharing bug reports or benchmark artifacts

If the embedding command fails, returns invalid JSON, times out, or emits vectors with the wrong dimension, AMB reports a sanitized command error and keeps the authoritative memories table unchanged.
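The two command boundaries above (classifier and embedding) share one shape: spawn a local command, hand it JSON on stdin, read JSON from stdout, and degrade safely when it misbehaves. The following is an added illustration of that caller-side contract, not code from Agent-Memory-Bridge. The payload keys (`candidates`/`predictions`, `texts`/`vectors`), the field names and the function names are assumptions chosen for the example; the stand-in commands are constructed inline Python scripts so it runs offline. What it demonstrates is the behaviour the page describes: the child runs unsandboxed with the bridge's own privileges and environment, a timeout, invalid JSON or a low-confidence prediction falls back to the deterministic tags, a wrong-dimension vector rejects the whole batch, and the error raised never carries memory text or the command's stderr.

```python
"""Caller-side harness for a JSON-over-stdin/stdout command boundary.

Added example, not Agent-Memory-Bridge code. Payload shapes, field
names and function names are assumptions for illustration.
"""
import json
import subprocess
import sys


class CommandError(Exception):
    """Sanitized failure: a short reason only, never the payload or stderr."""


def run_json_command(argv, payload, timeout_s):
    """Spawn argv, send payload as JSON on stdin, parse JSON from stdout.

    The child inherits this process's environment, files and network;
    nothing here restricts it. That is the trust boundary the page warns about.
    """
    try:
        proc = subprocess.run(
            argv,
            input=json.dumps(payload).encode("utf-8"),
            capture_output=True,
            timeout=timeout_s,
            check=False,
        )
    except subprocess.TimeoutExpired:
        raise CommandError("timeout") from None
    except OSError as exc:
        raise CommandError("spawn failed: " + type(exc).__name__) from None
    if proc.returncode != 0:
        # stderr is deliberately dropped: a misbehaving command may echo memory text.
        raise CommandError("exit status %d" % proc.returncode)
    try:
        return json.loads(proc.stdout.decode("utf-8", "replace"))
    except ValueError:
        raise CommandError("invalid JSON on stdout") from None


def classify_with_fallback(argv, candidates, minimum_confidence, timeout_s=5.0):
    """One tag list per candidate; failure or low confidence -> fallback_tags."""
    fallback = [list(c.get("fallback_tags", [])) for c in candidates]
    try:
        result = run_json_command(argv, {"candidates": candidates}, timeout_s)
        preds = result["predictions"]
        if not isinstance(preds, list) or len(preds) != len(candidates):
            raise CommandError("prediction count mismatch")
    except (CommandError, KeyError, TypeError):
        return fallback
    tags = []
    for pred, fb in zip(preds, fallback):
        conf = pred.get("confidence") if isinstance(pred, dict) else None
        labels = pred.get("tags") if isinstance(pred, dict) else None
        ok = (isinstance(conf, (int, float)) and conf >= minimum_confidence
              and isinstance(labels, list) and len(labels) > 0)
        tags.append([str(t) for t in labels] if ok else fb)
    return tags


def embed_checked(argv, texts, embedding_dim, timeout_s=30.0):
    """One float vector of exactly embedding_dim per text, or raise.

    All-or-nothing: a single bad vector rejects the batch, so a sidecar
    never receives mixed dimensions.
    """
    result = run_json_command(argv, {"texts": texts}, timeout_s)
    vectors = result.get("vectors") if isinstance(result, dict) else None
    if not isinstance(vectors, list) or len(vectors) != len(texts):
        raise CommandError("vector count mismatch")
    out = []
    for vec in vectors:
        if (not isinstance(vec, list) or len(vec) != embedding_dim
                or not all(isinstance(x, (int, float)) for x in vec)):
            raise CommandError("expected dimension %d" % embedding_dim)
        out.append([float(x) for x in vec])
    return out


# Constructed stand-in commands (inline Python) so the example runs offline.
def _py(script):
    return [sys.executable, "-c", script]


GOOD_CLASSIFIER = _py(
    "import json,sys;c=json.load(sys.stdin)['candidates'];"
    "print(json.dumps({'predictions':"
    "[{'tags':['python'],'confidence':0.9} for _ in c]}))"
)
GOOD_EMBEDDER = _py(
    "import json,sys;t=json.load(sys.stdin)['texts'];"
    "print(json.dumps({'vectors':[[1,2,3] for _ in t]}))"
)
NOT_JSON = _py("print('oops')")
HANGS = _py("import time;time.sleep(60)")

# Constructed sample candidate; fields mirror what the page says a payload may carry.
SAMPLE = [{"text": "use a venv for isolation", "title": "python setup",
           "source_id": "mem-1", "fallback_tags": ["keyword"]}]

if __name__ == "__main__":
    print(classify_with_fallback(GOOD_CLASSIFIER, SAMPLE, 0.5))   # [['python']]
    print(classify_with_fallback(GOOD_CLASSIFIER, SAMPLE, 0.95))  # [['keyword']]
    print(classify_with_fallback(NOT_JSON, SAMPLE, 0.5))          # [['keyword']]
    print(embed_checked(GOOD_EMBEDDER, ["a"], 3))                 # [[1.0, 2.0, 3.0]]
    try:
        embed_checked(GOOD_EMBEDDER, ["a"], 4)
    except CommandError as exc:
        print("rejected:", exc)                                   # expected dimension 4
```

The design point worth copying is that every error path returns a fixed reason string: the caller can log it or surface it in a bug report without risking the leak that pasting stdout, stderr or the original payload would cause.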
