# Whitepaper

> Mnemom is the integrated trust infrastructure for the agentic internet. This whitepaper covers the architectural stack, the cards-as-primitive thesis, the AEGIS Protection Network, supply-chain detection, the calm-at-GA contract, the competitive landscape, and the EU AI Act + OWASP mapping.

# Mnemom — the trust infrastructure for the agentic internet

The web's trust infrastructure was built incrementally over thirty years: TLS for transport, certificate authorities for identity, DNS for naming, reputation systems for behavior, and a growing layer of auditable evidence. Each piece was solved separately; integration happened in retrospect.

The agentic internet does not have thirty years. Agents are already issuing transactions at scale; their identity, integrity, and behavior need verifiable substrate now. **Mnemom is the integrated runtime architecture parallel to "TLS + CA + DNS + reputation + auditable evidence" — built end-to-end for the agentic case from the start.**

This whitepaper is the docs-canonical reference. It is calibrated against the canonical concept documents and the canonical pages of this docs site. Every load-bearing claim has an anchor; deferrals are named with their un-defer triggers; the document does not claim what AEGIS has not yet done.

***

## 1. The category — trust infrastructure for the agentic internet

Mnemom is not "agentic AI security" software. The agentic AI security category is one slice of what Mnemom does — the perimeter slice. The category Mnemom occupies is **the integrated trust plane for the agentic internet**: an end-to-end architecture connecting declared intent, real-time integrity verification, lifecycle governance, cross-tenant defense, and verifiable reputation.

Five architectural patterns currently exist in the agent-trust space:

1. **Provider-stack AI Safety** (Anthropic Trust Center, OpenAI safety reports). Per-vendor, per-model. The model is policed against the lab's policies; cross-model attestation is not the goal.
2. **Sigstore / SLSA package provenance.** Build-time integrity for software supply chains. Strong at the package layer; silent at runtime; silent on cross-tenant aggregation.
3. **Cloudflare WAF + Workers + Managed Rules.** Web-app perimeter with cross-tenant rule management. Strong for HTTP request inspection; the agentic abstractions (alignment cards, integrity checkpoints, conscience analysis) do not exist in this stack.
4. **Per-customer agent platforms** (LangChain, CrewAI, etc.). Application-layer wiring; trust posture is a tenant-local concern.
5. **Per-customer agent observability** (Langsmith, Helicone). Trace logging; no enforcement; no cross-tenant signal.

Each is a legitimate, valuable layer. **What is missing across all five is integration** — the architectural integration that makes "AAP declares it, AIP verifies it in flight, CLPI governs its lifecycle and anchors evidence on-chain, Safe House screens it at the perimeter, AEGIS signs the cross-tenant defenses that act on it" a single substrate rather than five vendor pages.

Mnemom is built end-to-end for the integration. Every primitive composes through the same cards composition layer. Every signed artifact uses the same audit-chain semantics. Every customer surface — the Safe House gateway, the AEGIS Protection Network, the policy engine, the transparency log, the IoC feed — reads from a single substrate of named-object cards plus signed Managed Rules.

***

## 2. The architectural stack

A Mnemom-protected agent transaction passes through six architectural layers, each with a verifiable runtime artifact:

| Layer                         | What it produces                                                                                                                                                                                                   | Where it lives                                                                                                                                              |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Alignment Card**            | Declared intent (identity, principal, values, autonomy envelope, audit commitment).                                                                                                                                | [`/.well-known/alignment-card.json`](/concepts/alignment-cards); published per [AAP specification](/protocols/aap/specification).                           |
| **AIP IntegrityCheckpoint**   | Real-time integrity verdict from thinking-block analysis. Verdicts: `clear`, `review_needed`, `boundary_violation`. Records a SHA-256 hash of the thinking block, not its content (privacy). Ed25519-signed; SHA-256 hash chain. | Per [AIP specification](/protocols/aip/specification).                                                                                                      |
| **CLPI**                      | 5-phase governance (Policy Engine → Lifecycle → Intelligence → On-Chain → Observability).                                                                                                                          | [`/concepts/clpi`](/concepts/clpi).                                                                                                                         |
| **Safe House**                | Per-customer perimeter: four checkpoints × four enforcement modes.                                                                                                                                                 | [`/concepts/safe-house`](/concepts/safe-house).                                                                                                             |
| **AEGIS**                     | Cross-tenant defensive network: L0-L5 Protection Network; signed Managed Rules; STIX 2.1 IoCs.                                                                                                                     | [`/concepts/aegis`](/concepts/aegis); [`/concepts/protection-network`](/concepts/protection-network); [`/concepts/managed-rules`](/concepts/managed-rules). |
| **Trust Ratings + Coherence** | Public, portable, on-chain-anchored reputation per agent.                                                                                                                                                          | [`/concepts/reputation-scores`](/concepts/reputation-scores); [`/concepts/fleet-coherence`](/concepts/fleet-coherence).                                     |

**The honest construction:**

> AAP declares it. AIP verifies it in flight. CLPI governs its lifecycle and anchors evidence on-chain. Safe House screens it at the perimeter. AEGIS signs the cross-tenant defenses that act on it.

This phrasing is load-bearing. **No layer overclaims another.** AAP is a transparency protocol, not a trust protocol — per its own [limitations page](/protocols/aap/limitations), it does not guarantee behavior, does not protect against sophisticated deception, and does not certify safety. AIP analyzes thinking blocks before actions execute; it does not analyze the model's weights and cannot detect sub-thinking-level compromise. CLPI governs the lifecycle of cards and policies; it does not enforce inline (that is Safe House's job). AEGIS signs cross-tenant detection content; it does not replace package-level provenance.
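The checkpoint chain in the AIP row of the table above, as an added TypeScript example rather than the AIP reference implementation (the field names and the canonical-body encoding are assumptions; the AIP specification page is authoritative): each checkpoint stores the SHA-256 of the thinking block instead of the text, links to the previous checkpoint's hash, and is Ed25519-signed over that hash. The verifier walks from genesis and reports the first checkpoint that was altered, reordered, or signed by a key it does not trust.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

type Verdict = "clear" | "review_needed" | "boundary_violation";

// Illustrative checkpoint shape; field names are assumptions, not the AIP schema.
interface IntegrityCheckpoint {
  seq: number;
  verdict: Verdict;
  thinking_sha256: string; // hash of the thinking block; the text itself is never stored
  prev_hash: string;       // hash of the previous checkpoint ("" at genesis)
  hash: string;            // SHA-256 of this checkpoint's canonical body
  signature: string;       // Ed25519 over `hash`, base64
}

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Canonical body with a fixed field order so the hash is deterministic.
function body(seq: number, verdict: Verdict, thinkingSha: string, prev: string): string {
  return JSON.stringify({ seq, verdict, thinking_sha256: thinkingSha, prev_hash: prev });
}

function appendCheckpoint(
  chain: IntegrityCheckpoint[], thinking: string, verdict: Verdict, priv: KeyObject,
): IntegrityCheckpoint {
  const prev = chain.length ? chain[chain.length - 1].hash : "";
  const seq = chain.length;
  const thinkingSha = sha256(thinking);
  const hash = sha256(body(seq, verdict, thinkingSha, prev));
  const signature = sign(null, Buffer.from(hash), priv).toString("base64");
  const cp: IntegrityCheckpoint = { seq, verdict, thinking_sha256: thinkingSha, prev_hash: prev, hash, signature };
  chain.push(cp);
  return cp;
}

// Walk from genesis. Each checkpoint must (1) recompute to its own hash, (2) point at the
// previous hash, (3) carry a valid signature under `pub`. `at` is the first failing index,
// or the chain length when everything verifies.
function verifyChain(chain: IntegrityCheckpoint[], pub: KeyObject): { ok: boolean; at: number } {
  let prev = "";
  for (let i = 0; i < chain.length; i++) {
    const cp = chain[i];
    const expected = sha256(body(cp.seq, cp.verdict, cp.thinking_sha256, cp.prev_hash));
    if (cp.seq !== i || cp.prev_hash !== prev || cp.hash !== expected) return { ok: false, at: i };
    if (!verify(null, Buffer.from(cp.hash), pub, Buffer.from(cp.signature, "base64"))) return { ok: false, at: i };
    prev = cp.hash;
  }
  return { ok: true, at: chain.length };
}

// Constructed scenario: three checkpoints, then three ways the chain can be attacked.
function demo() {
  const { privateKey, publicKey } = generateKeyPairSync("ed25519");
  const chain: IntegrityCheckpoint[] = [];
  appendCheckpoint(chain, "plan: read the ticket, draft a reply", "clear", privateKey);
  appendCheckpoint(chain, "plan: call the refund tool without approval", "boundary_violation", privateKey);
  appendCheckpoint(chain, "plan: ask the principal first", "review_needed", privateKey);
  const intact = verifyChain(chain, publicKey);

  // Tamper: downgrade the verdict of checkpoint 1 after the fact.
  const tampered = chain.map(c => ({ ...c }));
  tampered[1].verdict = "clear";
  const afterTamper = verifyChain(tampered, publicKey);

  // Reorder: swap checkpoints 1 and 2 so the violation appears later than it happened.
  const afterReorder = verifyChain([chain[0], chain[2], chain[1]], publicKey);

  // Foreign key: a chain presented under someone else's key does not verify.
  const foreign = verifyChain(chain, generateKeyPairSync("ed25519").publicKey);
  return { intact, afterTamper, afterReorder, foreign };
}
```

The chain gives tamper evidence, not secrecy: whoever holds the signing key can still rewrite history from any point, which is why the stack pairs the hash chain with append-only audit semantics and on-chain anchoring rather than relying on the signature alone.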

The stack composes through one primitive: cards.

***

## 3. The cards-as-primitive thesis

The architectural decision that holds the stack together: **AEGIS does not fork `composition.ts`.** The cards composition primitive — strictest-wins cascade Platform → Org → Team → Agent — is the universal composition layer. Recipes (detection content) compose like every other card. Trust postures compose like every other card. The under-attack overlay is a composition layer inserted between Platform and Org during `high` or `under_attack` threat state; it is *not* a bypass of the cascade.

The implications:

* **One audit semantics across primitives.** The same append-only audit chain semantics that the alignment card's amendment history uses are the semantics that recipe promotion uses. The same dual-control quorum that platform-template publication uses is the quorum that tier-1 / tier-2 Managed Rule promotion uses.
* **One UI mental model.** Customers learn the strictest-wins cascade once and read all four surfaces (alignment card, protection card, trust posture, AEGIS recipes) with the same intuition.
* **One implementation surface.** The `composition.ts` library is shared. A bug in the cascade is one bug, not five. A new primitive (e.g., AEGIS recipes) extends the surface — it does not duplicate it.

The cards-as-primitive thesis is the architectural decision that makes the integration claim defensible. Without it, "integrated trust plane" is a marketing phrase; with it, the integration is structural.

***

## 4. The AEGIS Protection Network L0-L5

The [Protection Network](/concepts/protection-network) is the cross-tenant defensive layer AEGIS adds on top of Safe House. Six layers, L0 through L5, each with its own surface and operational state at GA:

```
L0 axis identity         — substrate / vertical / pattern / source on every row
L1 cross-tenant aggregator — rolling stats per axis-bucket
L2 under-attack overlay  — composition-layer auto-elevation
L3 Managed Rules push    — signed cross-tenant detection content
L4 threat thermometer    — customer-facing per-axis state
L5 IoC feed + advisories — public transparency surfaces
```

**L0 axis identity.** Every evaluation, integrity checkpoint, and arena attempt is stamped server-side with a `(substrate, vertical, pattern, source)` fingerprint. Pure derivation from row context; backfilled across the three observation tables; on every row at GA. L0 is the substrate the layers above it operate on.

**L1 cross-tenant aggregator.** Rolling stats per `(axis, bucket, window)` triple. Customer-readable read is [`GET /v1/network/threat-state`](/specifications/threat-state-response-schema) returning per-axis `{ bucket, threat_level, updated_at }` arrays.

**L2 under-attack overlay.** A composition-layer auto-elevation inserted between Platform and Org during `high` / `under_attack` threat states. Customer-configured **elevation ceiling** is honored — additive ratcheting, never override. The Cloudflare-pattern formula is `effective_mode = max(normal_posture, min(threat_level_suggested, elevation_ceiling))`. At GA the mechanism is wired; the composition-layer auto-elevation ships at the Phase 4 production cutover (2026-05-29). Manual operator override on the org flag covers the interim.
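The strictest-wins cascade of §3 and the L2 overlay formula above, as one added TypeScript example (illustrative code, not `composition.ts`; the four mode names, the four checkpoint names, and the mapping from threat level to suggested mode are assumptions standing in for Safe House's own): the overlay is built as a layer whose per-checkpoint mode is `min(threat_level_suggested, elevation_ceiling)`, and because it is just another layer in the cascade, `max(normal_posture, …)` falls out of the ordinary strictest-wins merge.

```typescript
// Enforcement modes in increasing strictness. These four names are assumptions.
const MODES = ["observe", "warn", "challenge", "block"] as const;
type Mode = typeof MODES[number];
const rank = (m: Mode): number => MODES.indexOf(m);
const strictest = (a: Mode, b: Mode): Mode => (rank(a) >= rank(b) ? a : b);
const lenient = (a: Mode, b: Mode): Mode => (rank(a) <= rank(b) ? a : b);

type ThreatLevel = "calm" | "elevated" | "high" | "under_attack";

// A card layer: its cascade tier and the mode it declares per checkpoint.
type Tier = "platform" | "overlay" | "org" | "team" | "agent";
interface Layer { tier: Tier; modes: Record<string, Mode>; }
const TIER_ORDER: readonly Tier[] = ["platform", "overlay", "org", "team", "agent"];

// Strictest-wins cascade: the effective mode for a checkpoint is the strictest any layer
// declares. A lower tier can tighten, never loosen. Sorting only fixes the evaluation order
// for the audit trail; the max itself is order-independent.
function compose(layers: Layer[]): Record<string, Mode> {
  const out: Record<string, Mode> = {};
  const ordered = [...layers].sort((a, b) => TIER_ORDER.indexOf(a.tier) - TIER_ORDER.indexOf(b.tier));
  for (const layer of ordered) {
    for (const [checkpoint, mode] of Object.entries(layer.modes)) {
      out[checkpoint] = checkpoint in out ? strictest(out[checkpoint], mode) : mode;
    }
  }
  return out;
}

// Assumption: under_attack suggests block, high suggests challenge, lower states add nothing.
function suggestedMode(level: ThreatLevel): Mode | null {
  if (level === "under_attack") return "block";
  if (level === "high") return "challenge";
  return null;
}

// The L2 overlay as a cascade layer: min(threat_level_suggested, elevation_ceiling) per
// checkpoint. Additive ratcheting only: it can raise a posture up to the ceiling, never lower it.
function underAttackOverlay(level: ThreatLevel, ceiling: Record<string, Mode>): Layer | null {
  const suggested = suggestedMode(level);
  if (!suggested) return null;
  const modes: Record<string, Mode> = {};
  for (const [checkpoint, cap] of Object.entries(ceiling)) modes[checkpoint] = lenient(suggested, cap);
  return { tier: "overlay", modes };
}

// effective_mode = max(normal_posture, min(threat_level_suggested, elevation_ceiling))
function effectivePosture(layers: Layer[], level: ThreatLevel, ceiling: Record<string, Mode>): Record<string, Mode> {
  const overlay = underAttackOverlay(level, ceiling);
  return compose(overlay ? [...layers, overlay] : layers);
}

// Constructed scenario. Checkpoint names are placeholders for Safe House's four.
const BASE: Layer[] = [
  { tier: "platform", modes: { front_door: "warn", back_door: "warn", tool_call: "observe", egress: "observe" } },
  { tier: "org",      modes: { front_door: "challenge", egress: "warn" } },
  { tier: "team",     modes: { tool_call: "warn" } },
  { tier: "agent",    modes: { back_door: "observe" } }, // cannot loosen the platform's "warn"
];
// Customer-configured elevation ceiling: tool_call may never be pushed past "warn".
const CEILING: Record<string, Mode> = { front_door: "block", back_door: "challenge", tool_call: "warn", egress: "block" };

function demo() {
  return {
    calm: effectivePosture(BASE, "calm", CEILING),
    high: effectivePosture(BASE, "high", CEILING),
    underAttack: effectivePosture(BASE, "under_attack", CEILING),
  };
}
```

Two things to read off the output: `back_door` stays at `warn` in the calm state even though the agent card asks for `observe`, and `tool_call` stays at `warn` in every threat state because the customer's ceiling caps it, which is what "additive ratcheting, never override" means operationally.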

**L3 Managed Rules push.** A candidate from the arena, customer FN/FP, or cross-tenant aggregator enters review, gets signed with `RECIPE_PROMOTION_SIGNING_KEY`, and propagates to every gateway via two parallel signed envelopes (KV and R2) under independent signing chains. **Three independent compromise paths required to fully poison the pipeline.** The propagation target is P95 ≤ 30s. See [`/specifications/managed-rule-envelope-schema`](/specifications/managed-rule-envelope-schema).

**The protective invariant.** Tier-1 and tier-2 rules (the rules that would block real production traffic) can never auto-promote without a human in the loop. The invariant is enforced **structurally** by a schema CHECK constraint (`promotion_quorum_met = TRUE` required when `status = 'active'`), not procedurally. The database refuses the row.
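The L3 promotion path and the protective invariant together, as an added TypeScript example that is not the project's pipeline (the row shape, envelope fields, a quorum of two distinct admins, and the three-key layout of one promotion key plus one key per channel are assumptions consistent with the description above; the managed-rule envelope schema page is authoritative): tier-1 and tier-2 rules cannot reach `active` without quorum, the promoted rule is signed once and then wrapped in two channel envelopes under independent keys, and a gateway installs it only when both channels verify and agree on the rule digest.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

type Tier = 1 | 2 | 3;
type Status = "candidate" | "in_review" | "active";

// Illustrative rule row. `status` and `promotion_quorum_met` are the columns the page names;
// the other fields are assumptions for this example.
interface RuleRow {
  rule_id: string;
  tier: Tier;
  status: Status;
  pattern: string;
  approvals: string[];           // distinct human reviewer ids
  promotion_quorum_met: boolean;
}

// The invariant the page says the schema enforces, as the database would write it:
//   CHECK (status <> 'active' OR promotion_quorum_met = TRUE)
// Here the same predicate guards the write path; in the real pipeline the database refuses the row.
function rowSatisfiesCheck(r: RuleRow): boolean {
  return r.status !== "active" || r.promotion_quorum_met === true;
}

const QUORUM = 2; // assumption: dual control means two distinct platform admins for tier-1/-2

function promote(row: RuleRow, approvals: string[]): RuleRow {
  const distinct = approvals.filter((a, i) => approvals.indexOf(a) === i);
  const quorumMet = row.tier === 3 || distinct.length >= QUORUM; // only tier-3 may auto-promote
  const next: RuleRow = { ...row, approvals: distinct, promotion_quorum_met: quorumMet, status: "active" };
  if (!rowSatisfiesCheck(next)) throw new Error(`refused: ${row.rule_id} is tier-${row.tier} and lacks quorum`);
  return next;
}

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");
const sig = (data: string, key: KeyObject): string => sign(null, Buffer.from(data), key).toString("base64");
const sigOk = (data: string, s: string, pub: KeyObject): boolean =>
  verify(null, Buffer.from(data), pub, Buffer.from(s, "base64"));

// One promotion signature over the rule digest, then one envelope per channel under that
// channel's own key. Three keys, three independent compromise paths.
interface Envelope { channel: "kv" | "r2"; payload: string; rule_sha256: string; promotion_sig: string; channel_sig: string; }

function seal(channel: "kv" | "r2", rule: RuleRow, promotionKey: KeyObject, channelKey: KeyObject): Envelope {
  const payload = JSON.stringify({ rule_id: rule.rule_id, tier: rule.tier, pattern: rule.pattern });
  const rule_sha256 = sha256(payload);
  const promotion_sig = sig(rule_sha256, promotionKey);
  const channel_sig = sig(`${channel}:${rule_sha256}:${promotion_sig}`, channelKey);
  return { channel, payload, rule_sha256, promotion_sig, channel_sig };
}

interface TrustAnchors { promotion: KeyObject; kv: KeyObject; r2: KeyObject; }

function envelopeValid(e: Envelope, anchors: TrustAnchors): boolean {
  return sha256(e.payload) === e.rule_sha256
    && sigOk(e.rule_sha256, e.promotion_sig, anchors.promotion)
    && sigOk(`${e.channel}:${e.rule_sha256}:${e.promotion_sig}`, e.channel_sig, anchors[e.channel]);
}

// Gateway-side acceptance: both channels verify independently and agree on the digest.
function gatewayAccepts(kv: Envelope, r2: Envelope, anchors: TrustAnchors): boolean {
  return kv.channel === "kv" && r2.channel === "r2"
    && envelopeValid(kv, anchors) && envelopeValid(r2, anchors)
    && kv.rule_sha256 === r2.rule_sha256;
}

// Constructed scenario: a tier-1 candidate, the quorum gate, and two partial-compromise attempts.
function demo() {
  const promotion = generateKeyPairSync("ed25519");
  const kvKeys = generateKeyPairSync("ed25519");
  const r2Keys = generateKeyPairSync("ed25519");
  const anchors: TrustAnchors = { promotion: promotion.publicKey, kv: kvKeys.publicKey, r2: r2Keys.publicKey };

  const candidate: RuleRow = { rule_id: "rule-0001", tier: 1, status: "in_review",
    pattern: "(?i)ignore (all )?previous instructions", approvals: [], promotion_quorum_met: false };

  // One admin approving twice is still one admin: the CHECK-equivalent refuses the row.
  let singleApproverRefused = false;
  try { promote(candidate, ["admin-a", "admin-a"]); } catch { singleApproverRefused = true; }

  const active = promote(candidate, ["admin-a", "admin-b"]);
  const kv = seal("kv", active, promotion.privateKey, kvKeys.privateKey);
  const r2 = seal("r2", active, promotion.privateKey, r2Keys.privateKey);
  const accepted = gatewayAccepts(kv, r2, anchors);

  // Attacker holds only the KV channel key: the forged promotion signature fails.
  const poisoned: RuleRow = { ...active, pattern: ".*" };
  const attackerPromotion = generateKeyPairSync("ed25519");
  const kvOnly = gatewayAccepts(seal("kv", poisoned, attackerPromotion.privateKey, kvKeys.privateKey), r2, anchors);

  // Attacker holds the KV key and the promotion key: KV verifies alone, but R2 disagrees on the digest.
  const kvPlusPromotion = gatewayAccepts(seal("kv", poisoned, promotion.privateKey, kvKeys.privateKey), r2, anchors);

  return { singleApproverRefused, activeQuorum: active.promotion_quorum_met, accepted, kvOnly, kvPlusPromotion };
}
```

The quorum check is shown in code only so the example runs stand-alone; the point of the page is that the same predicate lives in the schema, where a bug in the promotion service cannot route around it.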

**L4 threat thermometer.** The customer-facing read of L1 at `/dashboard/threats`. At GA, if all axes are calm, the page shows calm with a 30-day trend per axis. There is no fabricated activity.

**L5 IoC feed + advisories.** Public transparency: `/v1/trust/iocs` (STIX 2.1) and `/trust/advisories`. At GA the IoC bundle is empty (`{ "type": "bundle", "objects": [] }`) and the advisory list shows the synthetic seed labeled `synthetic: true`. When AEGIS publishes a real advisory it carries `synthetic: false` — the field is reliable.

***

## 5. Substrate fingerprinting and supply-chain detection

The May 2026 *Mini Shai-Hulud* worm compromised more than 170 npm packages — including Mistral AI's SDK on npm and PyPI and Guardrails AI on PyPI — and shipped **valid SLSA Build Level 3 attestations on the malicious packages**. It was the first documented case of legitimate signed provenance for malicious code. The attacker controlled the build pipeline; the provenance system did exactly what it was supposed to do — sign what was built — and the result was a signed worm.

A runtime layer that observes behavior at the agent transaction level, cross-tenant, in aggregate, is the layer the attacker does not control — because the attacker controls the build pipeline, not every customer's traffic.

Mnemom's runtime layer is [substrate fingerprinting](/concepts/substrate-fingerprint). Every L0 row carries a `substrate_id` identifying the AI substrate the agent ran on. The base form is `<provider>:<model>`; when the customer sets `X-Mnemom-Sdk-Version` and/or `X-Mnemom-Lockfile-Hash` on outbound requests, the production trigger composes the four-component identifier `<provider>:<model>:<sdk@ver>:<lockfile-hash>`. The lockfile-hash is the SHA-256 digest of the customer's resolved manifest, never the manifest contents, so deployed-dependency-graph attribution is added without exposing the customer's dependency list.

The L1 aggregator buckets per substrate-fingerprint × window. Behavioral deviation observed at every customer running on the same substrate simultaneously is the signature SLSA / Sigstore cannot produce. The two layers compose:

* **Build-time:** SLSA / Sigstore. Verifies the package was built by the build pipeline.
* **Runtime:** AEGIS substrate axis. Detects behavioral signatures consistent with supply-chain compromise across every customer running on the same substrate.
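The fingerprint composition and the L1 bucketing described above, as an added TypeScript example (not Mnemom's production trigger or aggregator; the header names are from the text, while the five-minute window, the per-tenant deviation threshold, the three-tenant minimum, and every row are constructed assumptions): the customer hashes its lockfile client-side, the server composes `substrate_id` from row context plus the two headers, and the aggregator counts how many distinct tenants on the same substrate deviate in the same window, which is the signal that build-time provenance cannot produce.

```typescript
import { createHash } from "node:crypto";

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Customer side: the header carries a digest of the resolved lockfile, never the lockfile.
function lockfileHash(lockfileContents: string): string {
  return sha256(lockfileContents);
}

// Server side: compose substrate_id from row context plus the two optional headers.
// Assumption: if only one header is present the other slot is left empty so component
// positions stay stable; the page does not specify that case.
function substrateId(provider: string, model: string, headers: Record<string, string>): string {
  const sdk = headers["x-mnemom-sdk-version"] ?? "";
  const lock = headers["x-mnemom-lockfile-hash"] ?? "";
  return sdk || lock ? `${provider}:${model}:${sdk}:${lock}` : `${provider}:${model}`;
}

type Verdict = "clear" | "review_needed" | "boundary_violation";
interface L0Row { tenant: string; substrate_id: string; verdict: Verdict; ts: number; }

const WINDOW_MS = 5 * 60_000; // assumption: five-minute buckets
const windowStart = (ts: number): number => Math.floor(ts / WINDOW_MS) * WINDOW_MS;

interface BucketStat {
  substrate_id: string; window: number;
  tenants_observed: number; tenants_deviating: number; violation_rate: number;
}

// L1-style rolling stats per (substrate, window). A tenant "deviates" when its own
// boundary_violation rate in the window reaches perTenantThreshold (assumption).
function aggregate(rows: L0Row[], perTenantThreshold = 0.5): BucketStat[] {
  type Tally = { n: number; bad: number };
  const buckets = new Map<string, Map<string, Tally>>();
  for (const r of rows) {
    const key = `${r.substrate_id}|${windowStart(r.ts)}`;
    const tenants = buckets.get(key) ?? new Map<string, Tally>();
    const t = tenants.get(r.tenant) ?? { n: 0, bad: 0 };
    t.n += 1;
    if (r.verdict === "boundary_violation") t.bad += 1;
    tenants.set(r.tenant, t);
    buckets.set(key, tenants);
  }
  const out: BucketStat[] = [];
  buckets.forEach((tenants, key) => {
    const sep = key.lastIndexOf("|");
    let n = 0, bad = 0, deviating = 0;
    tenants.forEach(t => { n += t.n; bad += t.bad; if (t.bad / t.n >= perTenantThreshold) deviating += 1; });
    out.push({ substrate_id: key.slice(0, sep), window: Number(key.slice(sep + 1)),
      tenants_observed: tenants.size, tenants_deviating: deviating, violation_rate: bad / n });
  });
  return out;
}

// The cross-tenant signal: one tenant misbehaving on a substrate is that tenant's incident;
// several unrelated tenants deviating in the same window on the same dependency graph is the
// shape a compromised SDK release leaves, and a valid build attestation says nothing about it.
function supplyChainCandidates(stats: BucketStat[], minTenants = 3): BucketStat[] {
  return stats.filter(s => s.tenants_deviating >= minTenants);
}

// Constructed scenario: two lockfiles differing only in the SDK version, five tenants.
function demo() {
  const lockA = lockfileHash('{"lockfileVersion":3,"packages":{"node_modules/acme-sdk":{"version":"2.1.0"}}}');
  const lockB = lockfileHash('{"lockfileVersion":3,"packages":{"node_modules/acme-sdk":{"version":"2.0.9"}}}');
  const badSub = substrateId("provider-a", "model-x", { "x-mnemom-sdk-version": "acme-sdk@2.1.0", "x-mnemom-lockfile-hash": lockA });
  const goodSub = substrateId("provider-a", "model-x", { "x-mnemom-sdk-version": "acme-sdk@2.0.9", "x-mnemom-lockfile-hash": lockB });
  const baseForm = substrateId("provider-a", "model-x", {});

  const base = 1_700_000_000_000;
  const rows: L0Row[] = [];
  const push = (tenant: string, sub: string, verdicts: Verdict[]) =>
    verdicts.forEach((v, i) => rows.push({ tenant, substrate_id: sub, verdict: v, ts: base + i * 1000 }));
  // Three unrelated tenants on the 2.1.0 graph flip to boundary_violation in the same window.
  push("tenant-1", badSub, ["clear", "boundary_violation", "boundary_violation", "boundary_violation"]);
  push("tenant-2", badSub, ["boundary_violation", "boundary_violation", "clear", "boundary_violation"]);
  push("tenant-3", badSub, ["boundary_violation", "boundary_violation", "boundary_violation", "clear"]);
  // Tenants still on 2.0.9: one clean, one misbehaving on its own (not a cross-tenant signal).
  push("tenant-4", goodSub, ["clear", "clear", "clear", "clear"]);
  push("tenant-5", goodSub, ["boundary_violation", "boundary_violation", "clear", "clear"]);

  const stats = aggregate(rows);
  return { badSub, goodSub, baseForm, stats, candidates: supplyChainCandidates(stats) };
}
```

Note what the lockfile digest does and does not give: two customers with byte-identical resolved manifests land in the same bucket, which is the attribution the axis needs, while the digest reveals nothing about the manifest to anyone who does not already hold an identical copy.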

**Honest claim:**

> AEGIS detects behavioral signatures consistent with supply-chain compromise — across every customer running on the same substrate, simultaneously. It does not replace package-level provenance verification; it is the runtime layer that catches what Sigstore can't.

The substrate fingerprint maps to OWASP **ASI06 (Agentic Supply Chain Compromise)** in the December 2025 Top 10 for Agentic Applications. The mapping is a *mapping*, not a *coverage guarantee*: AEGIS covers the runtime-behavior dimension of ASI06; package-layer provenance and dependency-graph hygiene remain the customer's responsibility.

***

## 6. The calm-at-GA contract

> If at GA the network is genuinely calm, the thermometer says calm, the advisory list shows the synthetic seed post-mortem, the IoC feed is empty. That's not a stub — that's the system telling the truth.

This is the load-bearing honesty principle. AEGIS surfaces never fabricate activity to look impressive. The threat thermometer, the IoC feed, and the advisory list reflect actual operational state. When the network is calm, the surfaces show calm. When AEGIS publishes a real advisory, it carries `synthetic: false` — and customers can rely on the field.

The five Day-1 Managed Rules are sourced from real production detection content meeting platform-scope + hit-count + low-FP-history + tier-3 bars, then promoted through the full signed pipeline. The signatures are real, the propagation latency is real, the audit chain entries are real. What is synthetic is the framing — they are platform-internal patterns promoted through the same pipeline a future cross-tenant detection event would use, not detections of an actual prod attack campaign.

The discipline that the calm-at-GA contract encodes generalizes: **every claim true at runtime at the moment a customer reads it.** Where a capability is deferred, the deferral is named with its un-defer trigger:

* L2 under-attack overlay auto-elevation: Phase 4 production cutover (2026-05-29).
* Tier-1 / tier-2 dual-control promotion in production: 2026-06-01 second platform-admin onboarding.
* First mutation-phase activation observed in production: first prod arena epoch crossing with 24-hour sustained entry; reported on `/trust/advisories` when it happens.
* Customer-side Managed Rule envelope verification: future public JWKS surface (not currently on roadmap).

The honesty is a feature. CISOs evaluating Mnemom should be able to read every claim in this document and check it against runtime state; what they should not find is a "coming soon" without an un-defer trigger.

***

## 7. The competitive landscape, in honest framing

Mnemom does not replace any of the five architectural patterns from §1. Each is a legitimate, valuable layer:

* **Provider-stack AI Safety.** Per-vendor model-level guardrails. AEGIS lives at the cross-vendor cross-tenant layer. The two compose: a provider's policy keeps the model from producing certain outputs; AEGIS observes behavior at the agent transaction layer and surfaces cross-tenant patterns the provider cannot see.
* **Sigstore / SLSA.** Build-time package provenance. AEGIS lives at the runtime substrate layer. The two compose: SLSA proves the package; AEGIS observes how the package behaves cross-tenant.
* **Cloudflare WAF + Workers + Managed Rules.** Web-app perimeter. The AEGIS Managed Rule plane uses the *same operational pattern* — signed cross-tenant rules pushed under a published propagation SLO — adapted for agentic primitives (alignment cards, integrity checkpoints, the four-checkpoint × four-mode Safe House model).
* **Per-customer agent platforms** (LangChain, CrewAI, etc.). Application-layer wiring. AEGIS is the substrate the wiring sits on top of. A LangChain pipeline can run through a Mnemom gateway and inherit Safe House screening + AEGIS Managed Rules without modifying its code.
* **Per-customer agent observability** (Langsmith, Helicone). Trace logging. AEGIS adds enforcement and cross-tenant aggregation; the two surfaces compose for end-to-end visibility plus protection.

**What Mnemom does not do:**

* Mnemom does not train base models. The labs train models; Mnemom polices behavior across model-vendor boundaries.
* Mnemom does not replace per-vendor evaluations. Provider Trust Centers cover the model layer; AEGIS covers the cross-tenant deployment layer.
* Mnemom does not certify "safe." AAP's limitations page is explicit: AAP is a transparency protocol, not a safety certification.
* Mnemom does not detect compromise inside the model's weights. If a model produces compromised reasoning that never surfaces in its thinking blocks, AIP has nothing to analyze and cannot flag it — see the [AIP limitations](/protocols/aip/limitations) and [AAP limitations](/protocols/aap/limitations).

The category Mnemom claims is the **integrated trust plane** — the layer connecting declared intent, real-time integrity, lifecycle governance, cross-tenant defense, and verifiable reputation. Each of the five existing patterns is one slice of that integration; the integration itself is the differentiated surface.

***

## 8. EU AI Act and OWASP Top 10 mapping

The EU AI Act's enforcement window begins **2026-08-02** for the substantive provisions. Articles 10 (data and data governance), 12 (record-keeping), and Annex IV (technical documentation) are the most directly relevant to the Mnemom surface.

| EU AI Act surface | What it requires                                                                                                  | Mnemom surface                                                                                                                                                                                                                       |
| ----------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Article 10        | Detection / training data quality + bias controls                                                                 | [Managed Rules](/concepts/managed-rules) signed-promotion audit chain; per-recipe false-positive telemetry; tier-1/-2 dual-control structural CHECK constraint                                                                       |
| Article 12        | Automatic event logs over the system's lifecycle                                                                  | Append-only audit chain on recipe promotion; signed governance events on the [transparency log](/concepts/transparency-log); [`advisory.published`](/api-reference/webhook-events#advisorypublished) webhook                         |
| Annex IV          | Detection mechanism description + accuracy metrics                                                                | Signed Managed Rule envelope ([spec](/specifications/managed-rule-envelope-schema)); published [`/trust/slos`](https://trust.mnemom.ai/slos); [`/concepts/protection-network`](/concepts/protection-network) architectural reference |
| Article 50        | Transparency obligations (AI interaction disclosure, machine-readable output, decision transparency, audit trail) | AAP alignment card declarations; AIP integrity checkpoints; AP-Trace audit format. Full mapping at [`/guides/eu-compliance`](/guides/eu-compliance).                                                                                 |

**Honest framing:** compliance is jointly the customer's responsibility and Mnemom's. AEGIS produces the verifiable evidence the Act requires; mapping that evidence to a specific deployment, AI system risk classification, and DPIA process is the customer's compliance obligation.

The **OWASP Top 10 for Agentic Applications** (December 2025) covers ten threat classes. AEGIS coverage is partial — where it is partial, the page says so:

| OWASP threat                              | AEGIS coverage                                                                                                                                                 |
| ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **ASI06** Agentic Supply Chain Compromise | Substrate fingerprinting + L1 cross-tenant aggregator. Maps to ASI06's runtime-behavior dimension; does not replace package-layer provenance.                  |
| **ASI02** Tool misuse                     | Policy engine + Managed Rules: tool capability mappings, forbidden-rule enforcement, threshold-based screening.                                                |
| **ASI03** Privilege compromise            | AAP alignment cards declare autonomy envelope; CLPI policy engine enforces; Safe House front-door + back-door checkpoints screen.                              |
| **ASI07** System-prompt leakage           | Safe House back-door checkpoint screens outbound for PII + system-prompt patterns + alignment-card violations.                                                 |
| ASI01, ASI04, ASI05, ASI08, ASI09, ASI10  | Partial or out-of-scope at the runtime substrate layer. Customers should pair AEGIS with application-layer + governance-layer controls per the OWASP guidance. |

The discipline: where AEGIS covers a threat class, name the coverage mechanism. Where coverage is partial or out of scope, name the gap.

For the full per-pattern cross-reference — mapping each shipped Safe House `threat_type` to its OWASP ASI entry and documenting gaps — see [OWASP Agentic Top 10 mapping](/guides/owasp-agentic-top-10).

***

## What Mnemom is, in one paragraph

Mnemom is the integrated runtime trust substrate for the agentic internet. Six architectural layers — Alignment Card, AIP IntegrityCheckpoint, CLPI, Safe House, AEGIS, Trust Ratings + Coherence — compose through one primitive (cards) under one set of audit semantics (append-only, dual-control, signed, structurally enforced). The differentiated surface is the integration. The honesty discipline (calm-at-GA contract) is the operational substrate. Every load-bearing claim in this document is anchored to a concept page, an ADR, a fetched docs page, a merged PR, or a public regulatory framework. There is no invented architecture and no projected capability framed as shipped.

If a CISO evaluating Mnemom for production deployment reads this document and finds a claim they cannot check against runtime state, the bug is in this document — not in the discipline. Open an issue, and the document is corrected.

## See also

* [AEGIS](/concepts/aegis) — the cross-tenant Protection Network framing
* [Protection Network](/concepts/protection-network) — L0-L5 architecture
* [Managed Rules](/concepts/managed-rules) — signed rule pipeline
* [Substrate fingerprint](/concepts/substrate-fingerprint) — supply-chain runtime layer
* [Safe House](/concepts/safe-house) — per-customer perimeter
* [CLPI](/concepts/clpi) — governance layer
* [AAP specification](/protocols/aap/specification) + [AAP limitations](/protocols/aap/limitations)
* [AIP specification](/protocols/aip/specification)
* [EU compliance guide](/guides/eu-compliance)
* [Supply-chain trust guide](/guides/supply-chain-trust)
* [`/trust/slos`](https://trust.mnemom.ai/slos) — published SLOs
