Module: 4 · Duration: ~60 min (presentation-pace + handoff-lab)
[SLIDE 1 — Title] Module Four: Memory Architecture. Sixty minutes. Continuity across sessions — the engineering challenge of stateful agents. Module Three was about context within a session; this module is about memory across sessions.
[SLIDE 2 — Stateless agents are prototypes] Stateless agents are prototypes. Without memory, every session starts blind. Production tasks get interrupted — by context limits, network failures, deliberate human checkpoints — and the agent must resume. This module covers the handoff pattern that makes resumption possible, and the sleeper attack that makes persistent memory dangerous.
[SLIDE 3 — 4.1 section] Sub-section 4.1: Memory Tiers.
[SLIDE 4 — Five tiers] Five memory tiers. In-context — history and task state, ephemeral, the Module Three subject. Working files — persistent notes and decisions on the filesystem; Claude Code and Aider use these. Semantic store — vector database for long-term semantic retrieval; LangGraph and Mastra. Episodic log — append-only timestamped records. Structured database — SQL or key-value for queryable state. Module Three's three-tier JIT design — index, topic files, raw logs — maps onto working-files plus semantic plus episodic.
[SLIDE 5 — Hermes] Hermes — Module 0.2's depth play — competes on memory. Its self-evolving skill model: the agent writes skills, reusable procedures, to persistent memory, and those skills are available in future sessions. This is episodic memory that compounds — each session makes the agent more capable. The hermes-claw-migrate command transfers this accumulated skill library. But the tradeoff: a self-evolving store is a memory-poisoning surface. If an attacker can write to the skill store, the payload activates in future sessions. Depth is power; depth is also risk.
[SLIDE 6 — 4.2 section] Sub-section 4.2: Multi-Session Continuity.
[SLIDE 7 — Initializer + continuation] The pattern that makes multi-session work. An initializer agent runs once, sets up the environment, writes a handoff file. Continuation agents read the handoff file plus the git log, orient, and resume from the highest-priority incomplete task. Each new agent arrives like an engineer starting a shift — reads the handoff notes, continues work.
[SLIDE 8 — Handoff contents] What the handoff file must contain. Task state — the original goal, what's done, pending, blocked. Decisions made, with rationale, so the next session doesn't re-litigate. The next step — the single highest-priority action. Blockers — things needing human input. And environment notes — which files modified, which tests pass, which fail. Plus git commits as checkpoints, with rollback via git reset.
[SLIDE 9 — 4.3 section] Sub-section 4.3: Memory Security. Memory as an attack vector.
[SLIDE 10 — Sleeper attack] The sleeper attack. Session one: an attacker delivers a prompt injection via a tool output — Module 2.4. The model writes to its persistent memory: "deploy endpoint equals evil dot com." Session two: the agent reads its own memory at start, trusts its own notes, and deploys to evil dot com. The injection survived the session boundary because memory persists. The payload was dormant in session one — nothing triggered it — and activated in session two when the agent read and trusted its own poisoned memory. This is OWASP ASI06, covered in Course Two Module S10.3.
[SLIDE 11 — Write control] The critical defense: who controls memory writes — the model, or the harness? Model-initiated writes — the model writes freely — are risky; a prompt-injected model poisons its own memory. Hermes's self-evolving skills are model-initiated; that's the power and the risk. Harness-managed writes — the model proposes, the harness validates — are safe; NemoClaw's governance layer gates writes before they persist. Same power-versus-security tradeoff you've seen throughout: compounding capability versus compounding-poisoning defense.
[SLIDE 12 — Scoping] Memory scoping. Per-session — default, lost at session end. Per-user — persists for one user across sessions, the personal-assistant model. Per-task — persists for one project or repo, the coding-agent model. Per-tenant — isolated per customer, the enterprise multi-tenant model covered in Fleet Module F06. Cross-scope leakage is a confidentiality breach with legal consequences. Per-tenant leakage across customers is a production defect.
[SLIDE 13 — Anti-patterns] Four anti-patterns. The un-scoped memory — shared across users or tenants; cure is per-scope isolation. The model-writable memory with no validation — sleeper-attack surface; cure is harness-managed writes. The ephemeral-only harness — cannot do multi-session tasks; cure is working files at minimum. The unverifiable semantic store — vector retrieval that can't be audited; cure is logging retrieval queries and results.
[SLIDE 14 — Takeaways] Five things. Five tiers — in-context, working files, semantic, episodic, structured. Multi-session equals initializer plus continuation plus handoff file plus git checkpoints. Memory is an attack vector — the sleeper attack persists across sessions, ASI06. Write control — model-initiated risky, harness-managed safe. Scoping — per-session, per-user, per-task, per-tenant; leakage equals breach. Next: Module Five — Sandboxing and Execution Isolation. The blast-radius problem.
End of Module 4 teaching script. ~1,500 scripted words; remaining module time is the handoff-lab (build a 2-session continuation, then poison the memory and observe persistence).
# Teaching Script — Module 4: Memory Architecture **Module**: 4 · **Duration**: ~60 min (presentation-pace + handoff-lab) --- [SLIDE 1 — Title] Module Four: Memory Architecture. Sixty minutes. Continuity across sessions — the engineering challenge of stateful agents. Module Three was about context within a session; this module is about memory across sessions. [SLIDE 2 — Stateless agents are prototypes] Stateless agents are prototypes. Without memory, every session starts blind. Production tasks get interrupted — by context limits, network failures, deliberate human checkpoints — and the agent must resume. This module covers the handoff pattern that makes resumption possible, and the sleeper attack that makes persistent memory dangerous. [SLIDE 3 — 4.1 section] Sub-section 4.1: Memory Tiers. [SLIDE 4 — Five tiers] Five memory tiers. In-context — history and task state, ephemeral, the Module Three subject. Working files — persistent notes and decisions on the filesystem; Claude Code and Aider use these. Semantic store — vector database for long-term semantic retrieval; LangGraph and Mastra. Episodic log — append-only timestamped records. Structured database — SQL or key-value for queryable state. Module Three's three-tier JIT design — index, topic files, raw logs — maps onto working-files plus semantic plus episodic. [SLIDE 5 — Hermes] Hermes — Module 0.2's depth play — competes on memory. Its self-evolving skill model: the agent writes skills, reusable procedures, to persistent memory, and those skills are available in future sessions. This is episodic memory that compounds — each session makes the agent more capable. The hermes-claw-migrate command transfers this accumulated skill library. But the tradeoff: a self-evolving store is a memory-poisoning surface. If an attacker can write to the skill store, the payload activates in future sessions. Depth is power; depth is also risk. [SLIDE 6 — 4.2 section] Sub-section 4.2: Multi-Session Continuity. [SLIDE 7 — Initializer + continuation] The pattern that makes multi-session work. An initializer agent runs once, sets up the environment, writes a handoff file. Continuation agents read the handoff file plus the git log, orient, and resume from the highest-priority incomplete task. Each new agent arrives like an engineer starting a shift — reads the handoff notes, continues work. [SLIDE 8 — Handoff contents] What the handoff file must contain. Task state — the original goal, what's done, pending, blocked. Decisions made, with rationale, so the next session doesn't re-litigate. The next step — the single highest-priority action. Blockers — things needing human input. And environment notes — which files modified, which tests pass, which fail. Plus git commits as checkpoints, with rollback via git reset. [SLIDE 9 — 4.3 section] Sub-section 4.3: Memory Security. Memory as an attack vector. [SLIDE 10 — Sleeper attack] The sleeper attack. Session one: an attacker delivers a prompt injection via a tool output — Module 2.4. The model writes to its persistent memory: "deploy endpoint equals evil dot com." Session two: the agent reads its own memory at start, trusts its own notes, and deploys to evil dot com. The injection survived the session boundary because memory persists. The payload was dormant in session one — nothing triggered it — and activated in session two when the agent read and trusted its own poisoned memory. This is OWASP ASI06, covered in Course Two Module S10.3. [SLIDE 11 — Write control] The critical defense: who controls memory writes — the model, or the harness? Model-initiated writes — the model writes freely — are risky; a prompt-injected model poisons its own memory. Hermes's self-evolving skills are model-initiated; that's the power and the risk. Harness-managed writes — the model proposes, the harness validates — are safe; NemoClaw's governance layer gates writes before they persist. Same power-versus-security tradeoff you've seen throughout: compounding capability versus compounding-poisoning defense. [SLIDE 12 — Scoping] Memory scoping. Per-session — default, lost at session end. Per-user — persists for one user across sessions, the personal-assistant model. Per-task — persists for one project or repo, the coding-agent model. Per-tenant — isolated per customer, the enterprise multi-tenant model covered in Fleet Module F06. Cross-scope leakage is a confidentiality breach with legal consequences. Per-tenant leakage across customers is a production defect. [SLIDE 13 — Anti-patterns] Four anti-patterns. The un-scoped memory — shared across users or tenants; cure is per-scope isolation. The model-writable memory with no validation — sleeper-attack surface; cure is harness-managed writes. The ephemeral-only harness — cannot do multi-session tasks; cure is working files at minimum. The unverifiable semantic store — vector retrieval that can't be audited; cure is logging retrieval queries and results. [SLIDE 14 — Takeaways] Five things. Five tiers — in-context, working files, semantic, episodic, structured. Multi-session equals initializer plus continuation plus handoff file plus git checkpoints. Memory is an attack vector — the sleeper attack persists across sessions, ASI06. Write control — model-initiated risky, harness-managed safe. Scoping — per-session, per-user, per-task, per-tenant; leakage equals breach. Next: Module Five — Sandboxing and Execution Isolation. The blast-radius problem. --- *End of Module 4 teaching script. ~1,500 scripted words; remaining module time is the handoff-lab (build a 2-session continuation, then poison the memory and observe persistence).*