Security: cpu-coin/memflow

SECURITY.md

MemFlow Security Model

Security Posture

MemFlow is a reduced-scope local-first product. Its security comes from refusing to expose broad functionality, and from actively scanning content at the MCP boundary before it reaches persistent storage or third-party AI providers.

Required Defaults

  • bind localhost by default
  • fixed MCP tool allowlist
  • no shell execution
  • no browser automation
  • no autonomous loops
  • no dynamic remote MCP connectors
  • strict schema validation on every write/import
  • import/export audit trail
  • runtime security sweep on all write operations (enabled by default, warn level)

Allowed MCP Tool Families

  • memory CRUD
  • prompt-cache read/write
  • import/export/merge
  • stats and health

Disallowed Tool Families

  • shell / terminal
  • browser / web automation
  • workflow execution
  • swarm / hive / coordination
  • agent spawn / stop / list
  • arbitrary GitHub integration
  • remote search / research / scraping
  • code execution

Security Sweep Engine

MemFlow includes a built-in Security, Confidentiality, and Privacy Sweep that inspects all write-tool payloads at the MCP boundary before they are stored locally, written to shared MongoDB, or passed through an agent session.

What It Detects

Category            Examples
------------------  --------------------------------------------------------------------------------------------------
Private Keys        PEM private keys, OPENSSH, RSA, EC
API Keys            OpenAI sk-proj-*, Anthropic sk-ant-*, Google AIzaSy*, AWS AKIA*, Stripe sk_live_*, Slack xox*, GitHub ghp_*
Database Passwords  mongodb://user:PASS@host, postgres://user:PASS@host
PII (opt-in)        Email addresses, SSNs, credit card numbers
Custom Patterns     User-defined regex patterns via securitySweep.customPatterns

Enforcement Levels

Level           Behavior
--------------  ------------------------------------------------------------------------------------------------------
warn (default)  Stores content but includes a _securityWarnings field in the tool response so the agent sees the risk
redact          Automatically replaces sensitive values with [REDACTED_...] placeholders before storage
block           Rejects the request entirely with a SecuritySweepBlockError

Scope

The sweep only runs on write tools to avoid false positives on read/search operations:

  • memory_store, memory_profile_store, memory_cache_store, memory_cache_auto_store
  • memory_session_checkpoint, memory_session_compact, memory_agent_finalize
  • memory_pattern_promote, memory_import, memory_merge

Read-only tools (memory_search, memory_list, memory_retrieve, memory_export, etc.) are not swept — scanning query strings for secrets would produce false positives (e.g. searching for user@company.com would trigger an email warning).

Configuration

Control sweep behavior via CLI or config file:

memflow security:sweep                      # Show current settings
memflow security:sweep:enable               # Enable sweep
memflow security:sweep:disable              # Disable sweep
memflow security:sweep:level --level redact # Change enforcement level
memflow security:sweep:rules --pii on       # Enable PII detection
memflow security:sweep:rules --api-keys off # Disable API key detection

Or edit ~/.memflow/config.json directly:

{
  "securitySweep": {
    "enabled": true,
    "level": "warn",
    "rules": {
      "privateKeys": true,
      "apiKeys": true,
      "databaseUris": true,
      "pii": false
    },
    "customPatterns": [
      { "name": "Internal Token", "regex": "CORP-TOKEN-[A-Z0-9]{16}" }
    ]
  }
}

Bypass

Agents or users with legitimate need to store sensitive content (e.g., storing a redacted credential reference deliberately) can bypass the sweep for a single request:

{ "metadata": { "bypassSecuritySweep": true } }

Or via coordinates:

{ "coordinates": { "namespace": "...", "scope": "workspace", "bypassSecuritySweep": true } }

Bypass requests are always logged to stderr with a [SECURITY SWEEP BYPASSED] notice. They are never silently ignored.
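The detection categories, enforcement levels, config shape and bypass flag described in the sections above, worked through as one small sweep function. This is an added illustration, not MemFlow's own implementation: the function names, the exact regexes and the sample payload are assumptions, and the credential-looking values are constructed fakes.

```javascript
// Added illustration of the sweep semantics described above (warn / redact / block,
// custom patterns, per-request bypass). Not MemFlow's own code; names are assumed.
const RULES = [
  { name: 'PRIVATE_KEY', rule: 'privateKeys',
    re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  { name: 'API_KEY', rule: 'apiKeys',
    re: /\b(?:sk-proj-[A-Za-z0-9_-]{20,}|sk-ant-[A-Za-z0-9_-]{20,}|AIzaSy[A-Za-z0-9_-]{33}|AKIA[A-Z0-9]{16}|sk_live_[A-Za-z0-9]{16,}|xox[abprs]-[A-Za-z0-9-]{10,}|ghp_[A-Za-z0-9]{36})/g },
  { name: 'DATABASE_URI', rule: 'databaseUris',
    re: /\b(?:mongodb(?:\+srv)?|postgres(?:ql)?):\/\/[^:\s\/]+:[^@\s]+@\S+/g },
];

class SecuritySweepBlockError extends Error {}

// Merge the config's enabled built-in rules with user-defined customPatterns.
function buildRules(config) {
  const active = RULES.filter(r => config.rules[r.rule] !== false);
  for (const p of config.customPatterns || []) {
    active.push({ name: p.name.toUpperCase().replace(/\W+/g, '_'), re: new RegExp(p.regex, 'g') });
  }
  return active;
}

// Sweep one write-tool payload. Returns { content, warnings }; throws under 'block'.
function sweep(payload, config) {
  const bypass = payload.metadata?.bypassSecuritySweep === true
    || payload.coordinates?.bypassSecuritySweep === true;
  if (bypass) console.error('[SECURITY SWEEP BYPASSED] tool=%s', payload.tool); // never silent
  if (!config.enabled || bypass) return { content: payload.content, warnings: [] };
  let content = payload.content;
  const warnings = [];
  for (const { name, re } of buildRules(config)) {
    const hits = content.match(re) || [];
    if (hits.length === 0) continue;
    warnings.push({ category: name, count: hits.length });
    if (config.level === 'block') throw new SecuritySweepBlockError(`blocked: ${name}`);
    if (config.level === 'redact') content = content.replace(re, `[REDACTED_${name}]`);
  }
  return { content, warnings }; // 'warn': content unchanged, warnings surfaced to the agent
}

// Constructed sample payload and config (fake values, not real credentials).
const SAMPLE = { tool: 'memory_store', metadata: {},
  content: 'deploy notes: AKIAABCDEFGHIJKLMNOP then mongodb://alice:hunter2@db.internal:27017/app' };
const CONFIG = { enabled: true, level: 'warn',
  rules: { privateKeys: true, apiKeys: true, databaseUris: true, pii: false },
  customPatterns: [{ name: 'Internal Token', regex: 'CORP-TOKEN-[A-Z0-9]{16}' }] };
console.log(sweep(SAMPLE, { ...CONFIG, level: 'redact' }).content);
```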

Threat Model Priorities

  • accidental exposure of non-memory tools
  • unbounded or recursive agent/tool loops
  • hidden cost generation
  • unsafe import payloads
  • namespace escape between repos/teams
  • stale or unverifiable memory poisoning
  • private credential round-trip to third-party AI providers

Release Gate

MemFlow should not publish until these checks pass:

  • MCP tool inventory reviewed
  • dependency inventory reviewed
  • remnant code scan completed
  • secret scan completed
  • import fuzz tests completed
  • namespace isolation tests completed
  • deterministic merge tests completed
  • security sweep unit tests passing

Trust Model

Shared memory entries must support:

  • provenance
  • confidence
  • freshness
  • source identification
  • reversible export/import

MemFlow should prefer explicit trust signals over implicit magic.