Your agent "remembers" everything during a conversation and forgets everything on restart. That sentence sounds obvious, and it hides the conceptual error that sinks more agentic systems in production than anything else: confusing the context (the volatile RAM of one turn) with memory (the durable state that survives compaction, session resets, and window rotation). This module separates the two. It treats the moment an untrusted value becomes "the agent's memory" as a security boundary. And it asks you to model the most uncomfortable fact about real memory: something true yesterday can be confidently false today.
The mental model: the agent as a (θ, C) pair
The insight that reorders the whole design is to formalize the agent as a pair (θ, C): θ is the model's weights (fixed at training time) and C is the context/memory (updated at runtime). In 2025–2026, an agent's continual learning happens in token-space: you update C, not θ. The agent improves by rewriting readable files and memories, not by adjusting gradients. That is enormous. The agent's knowledge becomes interpretable, versionable, portable across models, and, as you'll see, attackable.
A kitchen analogy, my own, not cited. What a cook keeps on the counter while plating a dish is the context: it holds little, gets wiped between services, and a new order sweeps it clean. The recipe book, the allergy board for regulars, the note that "this supplier failed in March": that's the memory. It lives off the counter, persists between turns, and is consulted on demand. Retraining the model is sending the cook back to culinary school. Updating memory is writing a new line on the board. In production, ~99% of useful learning is the second kind.
Tulving's taxonomy applied: what to persist, and with which policy
The canonical frame for what to persist is CoALA, which adapts Tulving's taxonomy and organizes agent memory into four kinds (working, episodic, semantic, procedural) and separates internal actions (over memory) from external actions (over the world). This isn't cognitive decoration. Each kind demands a different write, retrieval, decay, and safety policy.
| Type | What it holds | Write / decay policy | Dominant risk |
|---|---|---|---|
| Working | The current turn (what's in the window) | Volatile; rotated/compacted | Loss from aggressive compaction |
| Episodic | Past events and trajectories | Append with timestamp; decay by relevance | Treating one observation as permanent truth |
| Semantic | Facts about the world/user | Temporal versioning, NOT overwrite | Staleness ("confidently wrong") |
| Procedural | Skills / how-to | Validate the refinement loop | Most dangerous to poison: amplifies each session |
The root error is confusing types: treating an episodic observation ("the user said today they prefer mornings") as a permanent semantic fact produces both staleness and the poisoning of false precedents. Procedural memory is the worst of all to poison. A malicious procedure synthesized from one trajectory re-injects itself, amplified, into every future session, and almost nobody validates that skill-refinement loop.
The memory lives off the counter: an OS-style hierarchy
MemGPT introduced the metaphor that nearly every later framework rests on: treat the context window as RAM and an external store as disk, with core/recall/archival levels, and (this is the part that matters) the agent itself calling functions to page information between levels. The insight isn't the hierarchy. It's that memory management is tool-use the model decides, not a passive pre-loading pipeline. That's what enables long horizon without retraining.
Continual learning in token-space, no retraining
The most underrated improvement lever: an agent gets better by accumulating textual experience. Reflexion showed it without gradients: the agent stores verbal self-reflections of its failures and retrieves them on retries, improving its performance. This is real continual learning: interpretable (you read the memory), versionable (you diff it), portable (you move it between models), and operationally safer than touching weights. Again, this updates C, not θ. No fine-tuning is happening here.
Why the author lineage matters here
Reflexion and CoALA share Princeton authors (Narasimhan and Yao). That's not a coincidence: Reflexion's useful episodic memory is exactly the "episodic" kind CoALA formalizes. Continual learning in token-space isn't an isolated trick. It's the operationalization of the taxonomy.
The write-path is the real trust boundary
Here is the security thesis of the module. The most dangerous moment in the whole architecture is when untrusted content (an org document, a user message) becomes trusted memory: source attribution collapses, and from then on it's re-read as the agent's own knowledge. The systematic study identifies a taxonomy of six poisoning classes and four write channels: C1 explicit instruction, C2 system-prompt policy, C3 compaction, C4 experience-to-procedure synthesis. Each channel is a distinct attack surface. Defending the input alone covers none of them well.
And memory is a persistent surface, not a one-turn one. MINJA demonstrates a >95% injection success rate (and ~70%+ end-to-end attack success) poisoning an agent's memory using only benign queries, with no privileged access; the poisoned memory triggers malicious actions when another victim later retrieves it. A one-turn injection becomes a multi-session backdoor. This is what couples memory tightly to security: a poisoned memory is strictly worse than an ordinary injection because it survives the turn that planted it.
The central defense is provenance / source-aware memory: tag every entry with its origin and a trust level, and quarantine or downgrade in retrieval whatever comes from untrusted sources. Write policy matters too: a narrow policy roughly halves attack success (one aggressive-policy system shows 66.67% attack success vs 34.25% for a stricter one). Pre-approved memory writes without validation are a risk, not an optimization.
Treat anything written to memory as true because it's "inside" the agent. No source, no trust level, no write policy. This is the default, and the open door for weak-signal poisoning. Source attribution is already gone by the time you read the entry back.
Every entry carries source and trust_level. At retrieval, untrusted-origin entries are quarantined or down-weighted. The write-path enforces a narrow policy: which keys, which fields, from which origins. Cheap to add, disproportionately effective against the attacks input filters miss.
Temporal evolution vs replacement: the "confidently wrong" failure
Today's number-one production gap isn't fact retrieval. It's the temporal evolution of state. Systems treat change as replacement (overwrite) instead of evolution (a versioned transition). A user who moves from New York to San Francisco should show a temporal transition, not an overwrite that erases the history. Without precise timestamps, temporal ordering, and a decay/invalidation mechanism, high-relevance facts turn confidently wrong.
Compaction is directed information loss (and an attack channel)
Compacting means summarizing the context and restarting the window with the summary, preserving decisions and unresolved bugs while discarding redundant tool outputs. The risk is asymmetric: compact too hard and you lose context whose importance only shows up later. It's also channel C3: an attacker can repeat content so it reads as important ("salience-driven") and survives the summary. People treat compaction as pure cost optimization and ignore its security role.
Durable execution: the workflow's state is memory too
There's a class of memory that stays invisible until it fails in production: the durable execution state. An agent turn with tool-calls, human-in-the-loop, and a non-deterministic LLM needs its progress to survive crashes. The technique is journal/replay: log each step, and on a crash re-run from the start while returning the journaled results. LLM calls are treated as idempotent activities and are not re-executed on replay. Confusing "agent memory" with "durable execution state" gives you fragile systems that lose work or duplicate side effects, like booking or cancelling the same appointment twice.
A last honest caveat. Embedding/RAG pipelines are often oversold as the meaning of "agent memory." For personal and episodic user memory, agentic search over readable files frequently beats them on freshness and traceability, removes the vector-index drift, and adds one fewer poisoning surface. RAG still earns its place on huge corpora. As the default for user memory, it's complexity you probably don't need yet.