Gives Claude eight tools to store, retrieve, and cryptographically erase encrypted memory cells on COTI V2 mainnet via a SAIHM operator endpoint. You get `saihm_remember`, `saihm_recall`, `saihm_forget` for core persistence, plus `saihm_share` and `saihm_revoke_share` for selective access control. The server itself holds no keys or storage, it just forwards tool calls over HTTPS to the operator's protocol stack. Cells are encrypted per-agent, persisted to Filecoin, and audited on-chain. Reach for this when you need Claude to remember context across sessions with true GDPR Article 17 erasure guarantees and user-owned storage. Ships with a reporting library that operators can use to compose MCP calls into bespoke compliance reports without extra services.
Sovereign, encrypted, sharable, persistent memory protocol for AI agents.
· Apache-2.0 · COTI V2 mainnet
Evaluate it offline first: runnable demos across every major model, no account needed — See it run.
A Model Context Protocol server that exposes eight tools any MCP-capable AI agent (Claude Code, Claude Desktop, custom agents) can call to gain a persistent, encrypted memory layer the user owns:
saihm_remember — store an encrypted memory cellsaihm_recall — retrieve and decrypt your memoriessaihm_forget — true cryptographic erasure (GDPR Art. 17)saihm_status — your protocol-runtime stats and storage tier dashboardsaihm_share / saihm_revoke_share — selectively share a memory with another agent or usersaihm_governance_propose / saihm_governance_vote — protocol governance via gSAIHMEach tool forwards to a SAIHM operator endpoint that runs the full protocol stack on COTI V2 mainnet. The server itself holds no crypto, no storage, and no protocol runtime — those live behind the operator endpoint.
| Tool | Title | Behavior |
|---|---|---|
saihm_remember | Remember | writes a new memory cell |
saihm_recall | Recall | read-only; safe to repeat |
saihm_forget | Forget (GDPR erasure) | destructive — irreversible erasure |
saihm_status | Status | read-only |
saihm_share | Share | writes a sharing contract |
saihm_revoke_share | Revoke share | withdraws a grant |
saihm_governance_propose | Propose (governance) | opens a proposal |
saihm_governance_vote | Vote (governance) | casts a vote |
Each tool carries MCP annotations (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) and a human-readable title, so MCP hosts can gate confirmations and agents can select the right tool at reasoning time.
This package speaks MCP. For production client-side cryptography —
post-quantum sealing, authenticated sharing, and provable erasure performed on
your own machine so the operator stays blind — pair it with
@saihm/client-pro.
Runnable, one-command demos ground a memory you own in every major model — Claude, GPT, DeepSeek, Qwen, Kimi, GLM — then prove you can erase it, alongside drop-in adapters for LangChain, LlamaIndex, CrewAI, AutoGen, and LangGraph. Each runs offline in about a minute; no account needed.
demo-claude-code wires this server into Claude Code and Cursor as an MCP server.Measured — up to ~86% fewer context tokens. Most agents re-send their entire transcript every turn, so context spend grows ~O(N²) over a session; recalling a bounded set of memory cells instead cut input tokens by 62.8%–85.9% across a realistic multi-session coding task. The benchmark is open, offline, and deterministic — reproduce the number rather than trust it:
git clone https://github.com/citw2/saihm-token-benchmark
cd saihm-token-benchmark && npm install && node benchmark.mjs
npm install @saihm/mcp-server
# or run directly without install:
npx @saihm/mcp-server
The server needs two env vars:
SAIHM_ENDPOINT_URL=https://operator.example.com/mcp
SAIHM_AUTH_HEADER=Bearer <token-issued-by-your-operator>
Don't have an endpoint and token yet? They're issued by a SAIHM operator. The quickest path is a free trial — sign in with GitHub, no card, for testing on real infrastructure (see Free trial below). Otherwise join the hosted SAIHM service at https://saihm.coti.global (managed, non-custodial storage — see Join SAIHM below), or run your own operator endpoint. Until one is configured, the tools have nowhere to reach and will return an error.
SAIHM_ENDPOINT_URL — the SAIHM operator endpoint. Operators publish
their endpoint URLs at https://saihm.coti.global.SAIHM_AUTH_HEADER — the Authorization header value the operator
expects (typically a Bearer <token> issued to you after key-bound
enrolment). The server is authentication-agnostic and never transmits
raw private keys; the operator's enrolment flow keeps your
signing key on your machine.Place these in a .env file alongside the server (the .gitignore excludes
all .env* files from any future repo).
Want to test SAIHM on real infrastructure before you pay? Start a free trial
— for testing purposes, no card — by proving you're a unique person once through
a GitHub device sign-in. It runs through the non-custodial
@saihm/mcp-server-pro
client, which seals cells on your own machine so the operator stays blind:
SAIHM_TIER=FREE \
npx -y @saihm/mcp-server-pro free-join
It prints a short code and a link: open https://github.com/login/device in
your browser and enter the code. The sign-in stays in your browser — this
client never sees or holds your GitHub token; it is exchanged server-side and
kept ephemeral. When free-join returns, start the server normally (drop
free-join) and it self-onboards on the free trial. No card, and nothing to
cancel — it's a fixed, one-time allowance, not an auto-renewing subscription.
Ready for production? Upgrade in place to a monthly plan — same signing key, same memories, no re-onboarding.
{
"mcpServers": {
"saihm": {
"command": "npx",
"args": ["@saihm/mcp-server"],
"env": {
"SAIHM_ENDPOINT_URL": "https://operator.example.com/mcp",
"SAIHM_AUTH_HEADER": "Bearer <token>"
}
}
}
}
The server itself persists nothing. The operator endpoint runs the full protocol stack: cells are encrypted under a per-cell DEK, sealed by a per-agent KEK, persisted to the operator's configured durable storage, and audited on COTI V2 mainnet. See the operator's documentation for tier details, and Storage is the operator's responsibility (by design) below.
For operators — read this first. SAIHM does not hard-wire your durable storage to any single provider, and it does not silently provision storage for you. Choosing and configuring where cells are persisted is your job, on purpose. This is a deliberate design choice for operator convenience and data sovereignty — not a missing feature. If memory writes fail with a storage error, it almost always means the backend has not been configured yet.
Why it works this way:
What you configure (your operator deployment guide lists the exact settings):
If neither is configured, the endpoint has nowhere durable to put cells and will reject writes rather than lose data. That refusal is intentional.
You have two paths, and either is fine:
@saihm/client-pro
and @saihm/mcp-server-pro),
it only ever stores ciphertext and never holds your keys — so you get
managed storage without giving up custody. Enrol via Join SAIHM at
https://saihm.coti.global (a paid hosted service).A reporting library is bundled as a sub-export, so operators can compose the eight MCP calls into bespoke reports with their own tooling (no extra dependency, no extra service):
import {
validateBespokeTemplate,
registerTemplate,
generateRegistryAttestation,
StubPublicRegistry,
InMemoryReportingRuntime,
GDPR_ART15_FIELDS,
REGISTRY_ATTESTATION_FIELDS,
type BespokeReportTemplate,
} from "@saihm/mcp-server/reporting";
FIELD_UNIVERSE) — 280 fields (262 framework + 18 ledger). Templates that project a field outside this set are rejected at validation.public / self / operator-self / operator-for-downstream.report_generated / report_rejected / template_registered / template_superseded / erasure_chain_broken / rate_limit_exceeded) under a stable, domain-separated receipt namespace.registry-attestation (public auth) for end-to-end plumbing verification.fieldProjections[] entry MUST be in FIELD_UNIVERSE.scope.customerIdHashes 64-hex; max 10,000 per template.scope.timeRange window ≤ 366 days.fieldProjections length 1–200.framework ∈ {gdpr-art-15, gdpr-art-17, soc2-t1, soc2-t2, iso27001, aml, audit-export, billing-history, registry-attestation}.format ∈ {pdfa3, json, csv}.const template: BespokeReportTemplate = {
templateId: "acme-q1-summary",
templateVersion: 1,
operatorIdHash: "ab".repeat(32),
scope: {
customerIdHashes: ["cd".repeat(32)],
timeRange: { from: "2026-01-01T00:00:00Z", to: "2026-04-01T00:00:00Z" },
},
framework: "gdpr-art-15",
fieldProjections: [GDPR_ART15_FIELDS[0], GDPR_ART15_FIELDS[1]],
format: "pdfa3",
};
const v = validateBespokeTemplate(template);
if (!v.valid) throw new Error(v.errors.join(", "));
const runtime = new InMemoryReportingRuntime(); // replace with your audit-ledger runtime
const reg = await registerTemplate(template, runtime);
if (reg.ok) console.log("registered:", reg.templateHash);
In production, replace InMemoryReportingRuntime with a runtime that persists audit payloads to your operator's audit ledger. Operators who inject signature verifiers should use pure-crypto libraries (@noble/curves for EIP-712, @noble/post-quantum for FIPS 204 ML-DSA) — the package itself bundles no EVM tooling.
The server enforces a small set of defaults so misconfiguration cannot leak the Authorization header in transit:
SAIHM_ENDPOINT_URL must use https://. Plain http:// is rejected at construction time, except for 127.0.0.1 and localhost (so a local operator endpoint works during development).AbortController that aborts after 30s, preventing a hung endpoint from starving the MCP server.Content-Length exceeds 16 MB are rejected before deserialisation.Authorization is never included in thrown error messages or stdout.ethers, no eth_*, no Solidity. If operators inject signature verifiers via AuthVerifiers, they should use pure-crypto libraries (@noble/curves, @noble/post-quantum).Trust model: this client trusts whatever endpoint the operator configures. Cell IDs, audit anchors, and report receipts returned from that endpoint are surfaced to the agent verbatim — operators are the authority for content shown via saihm_recall. Verifying receipts against COTI V2 mainnet anchors is out of scope for this server; consume the cellId and auditCellId fields and verify against your own SAIHM mainnet read path.
For distribution integrity, each release carries the npm registry signature; verify with npm audit signatures (and inspect npm view @saihm/mcp-server --json | jq .dist).
The published npm package has a minimal runtime surface:
| Dependency | License | Role |
|---|---|---|
| Node.js (≥ 20.x) | MIT | Runtime |
@modelcontextprotocol/sdk | MIT | MCP SDK; binds the eight-tool surface |
| TypeScript | Apache-2.0 | Build-time only |
tsx | MIT | TypeScript runner for tests + CLI |
No copyleft, no proprietary dependencies. Cryptographic primitives at the
operator-endpoint layer (ML-DSA-65 / Ed25519 / key derivation) are not bundled into
this MCP server; operators implementing the protocol stack are recommended
to use @noble/post-quantum and @noble/curves (MIT) rather than rolling
custom code.
draft-saihm-memory-protocol-01
(2026-05-27) is In ISE Review in the Independent Submission Stream. It is
not an Internet Standard, is not endorsed by the IETF, and has no formal
standing in the IETF standards process.
https://datatracker.ietf.org/doc/draft-saihm-memory-protocol/@saihm/mcp-server@0.3.4 published (2026-06-22) adds a
conspicuous "Storage is the operator's responsibility (by design)" section —
documenting BYO storage and the Join-SAIHM hosted, non-custodial option.
0.3.3 (2026-06-22) was
a documentation release that states the Independent-Submission status
precisely (no implied IETF endorsement) and cross-references the
companion package @saihm/client-pro. 0.3.2 (2026-06-22) corrected
the documented operator-endpoint path to /mcp (the
canonical SAIHM_ENDPOINT_URL path) across the README and client
comments. 0.3.1 (2026-05-28) was a metadata patch that sources the
MCP serverInfo.version from package.json (was hardcoded
"0.1.0" from 0.1.0 through 0.3.0).
0.3.0 (also 2026-05-28) aligned the saihm_status response shape
with draft-saihm-memory-protocol-01 §3.4 (full eight-field
schema: prs, bfsi, bfsi_window_start_ts, bfsi_R,
bfsi_M, shards, contracts, governance). 0.2.0 (also
2026-05-28) aligned the cell-tuple response shape with §2.1;
0.1.3 was the OpenSSF Best Practices Passing badge release
(2026-05-19).A 12-month roadmap is maintained in the project's AAIF proposal and will be mirrored to https://saihm.coti.global/roadmap with the v0.2.x release. Near-term tracks:
Apache-2.0 — see LICENSE.
SECURITY.md for private vulnerability
disclosureCONTRIBUTING.md and
CODE_OF_CONDUCT.mdGOVERNANCE.mdCHANGELOG.mdSAIHM_ENDPOINT_URL*Your SAIHM operator endpoint URL (issued at https://saihm.coti.global/join).
SAIHM_AUTH_HEADER*secretAuthorization header (typically 'Bearer <token>') issued by your operator.
io.github.ericm1018/skillfm-llm-cost-optimizer-openai-anthropic-usage
io.github.mikerawsonnz/llm-orchestration-agent
io.github.mikerawsonnz/authenticated-llm-agent
labforgedev/copilot-memory-mcp
csoai-org/agent-prompt-injection-firewall-mcp
io.github.mikerawsonnz/authenticated-multi-llm-agent