Governance

Palimem is built for teams that need to know what the agent knew, when, and why. This guide covers retention, audit export, PII scanning, and legal hold.

Retention policy

Retention policies evict low-salience records after a configurable window. Eviction appends a retention retract event to the WAL — it does not delete WAL history.

Retention is configured per namespace via the operator CLI or environment variable:

# Example: retain session-scope episodes for 30 days
MEMORY_SERVICE_RETENTION_SESSION_DAYS=30

Variable	Scope	Default	Purpose
`MEMORY_SERVICE_RETENTION_SESSION_DAYS`	session	90	Days to retain session episodes
`MEMORY_SERVICE_RETENTION_BELIEF_DAYS`	all	365	Days to retain unconfirmed beliefs
`MEMORY_SERVICE_RETENTION_NOTE_DAYS`	all	30	Days to retain low-salience notes

Records exempt from retention eviction:

fact records (high-confidence, operator-accepted)
preference records
Records under legal_hold: true

Legal hold

Mark a subject as protected from memory_forget and retention eviction:

{
  "tool": "memory_remember",
  "scope": "repository",
  "namespace": "my-project",
  "topic": "compliance",
  "field": "gdpr_consent_version",
  "memory_type": "fact",
  "value": "2.1",
  "legal_hold": true
}

When legal_hold: true, any subsequent memory_forget call for this subject returns:

{ "error": { "code": "legal_hold" } }

Release the hold by writing a new value with legal_hold: false (requires elevated operator authorization in production deployments).

Audit export

memory_audit_export produces a compliance-ready structured export of the full WAL:

{
  "tool": "memory_audit_export",
  "scope": "repository",
  "namespace": "my-project",
  "from": "2026-01-01T00:00:00Z",
  "to": "2026-06-30T23:59:59Z",
  "format": "jsonl"
}

The export includes:

Every WAL event with full provenance
source, tool, actor, request_id for each write
Legal hold flags and timestamps
Supersession chain (which event superseded which)

Store audit exports according to your organization’s retention schedule.

PII pre-store scanning

When enabled, Palimem runs a PII scan on the serialized value before WAL append in memory_remember. This is a write-path hook, not a separate MCP tool.

Enable per namespace:

MEMORY_SERVICE_PII_SCAN_ENABLED=1
MEMORY_SERVICE_PII_SCAN_NAMESPACE=my-project

Scan results are surfaced through memory_status under profile_engine.pii_scan. Rejected writes return:

{ "error": { "code": "pii_detected", "detail": "..." } }

Temporal queries for audits

Use memory_query_temporal to reconstruct the belief trajectory of a subject for a compliance audit:

{
  "tool": "memory_query_temporal",
  "scope": "repository",
  "namespace": "my-project",
  "topic": "auth",
  "field": "provider"
}

This returns the ordered sequence of all values for auth.provider from creation to now, including retraction events.

Point-in-time recall

Use as_of on memory_get to answer “what did the agent believe on this date?”:

{
  "tool": "memory_get",
  "scope": "repository",
  "namespace": "my-project",
  "topic": "auth",
  "field": "provider",
  "memory_type": "fact",
  "as_of": "2026-03-01T00:00:00Z"
}

Governance checklist

Control	How to configure
Retain session data ≤ 90 days	`MEMORY_SERVICE_RETENTION_SESSION_DAYS=90`
Protect compliance records	Write with `legal_hold: true`
Export WAL for compliance	`memory_audit_export` monthly
Scan writes for PII	`MEMORY_SERVICE_PII_SCAN_ENABLED=1`
Audit point-in-time belief	`memory_query_temporal` per subject

Non-goals for v1.7.0

Multi-tenant fleet SaaS with centralized governance — v1 is local-first, single-tenant
Automated PII remediation — manual review required after scan detection
RBAC for namespace access — operator-level config only

Next steps

Supersession & audit — how the immutable WAL works
Export & import — audit export and review workflows
MCP tools reference — full arguments for audit and temporal tools
Configuration reference — environment variables for governance controls