The obvious approach is a shared vector store with metadata filtering to separate what each agent can see. It works until someone writes a bug, adds a new code path, or bypasses the filter entirely — the boundary is only as strong as every line of application code that touches it.
The other thing that bothered me was visibility. Once agents start writing memory autonomously you have no idea what they actually know. If something goes wrong you're debugging a black box.
So I built something around vaults — separate directories with independent vector indexes. Access control is declared via CLI and enforced server-side on every request, independent of what the application code does. Agents write context at runtime and retrieve it semantically in future sessions without manual reindexing, and every vault is just a folder on your machine you can open, read, and edit at any time.
Fully local, pip installable.
github.com/Filippo-Venturini/ctxvault
FiloVenturini•1h ago
This version adds server-side enforcement: access rules are declared via CLI and checked on every request, independent of what the agent implementation does. The boundary doesn't disappear if you write a bug.
Also added MCP server support, so Claude Desktop can use it with no integration code.