kizuna-memMEMORY_CORE
[ SECURITY SPEC · セキュリティ仕様 ]
[ S.SEC.01 · UPDATED 2026-04-17 ]

Substrate built for regulated deployment.

Most agent-memory products treat security as a checklist. We treat it as a property of the substrate — tenant isolation in the graph store, a tamper-evident HMAC audit chain, FIPS-mode crypto under a build flag, and WORM mode for SEC 17a-4 retention. Every claim on this page ships as a tested feature of the engine.
§1.0

Security Posture

Kizuna-Mem is memory infrastructure. It sees the facts, decisions, and long-term context of an organisation. That makes its security posture a first-order product requirement, not a compliance afterthought.

This document describes how the product is architected, what controls are enforced at each boundary, and which compliance regimes apply. It is written for security engineers, procurement teams, and regulated-industry buyers who need to evaluate the substrate before sending data to it.

Every claim below maps to a tested, shipped feature — cryptography, access control, audit chain, tenancy, and operational controls are exercised by our CI matrix on every build.

§2.0

Architecture and Trust Boundaries

Kizuna-Mem ships as a two-process engine plus optional managed services. Each process runs in a distinct trust zone with a well-defined interface.

ComponentLanguageRoleTrust Zone
Zig coreZig 0.16Graph store, WAL, indexes, HTTP API, auth, audit, tenancyPrimary process
Rust sidecarRust stableEmbeddings, vector index, LLM calls, document parsingCo-located child process · local Unix socket
Gateway (kizuna.cloud only)TypeScript · Cloudflare WorkersAPI auth, rate limiting, billing, tenant routingEdge · isolated from engine process
Dashboard (kizuna.cloud only)TypeScript · TanStack StartUser-facing management UIStatic SPA · only talks to gateway

Inter-process communication between the Zig core and Rust sidecar uses a framed Unix-socket protocol with CRC32 checksums and bounded-size messages. The sidecar never accepts connections from outside localhost. All external traffic terminates on the Zig HTTP server (self-hosted) or on the gateway (kizuna.cloud).

§3.0

Cryptography

SurfaceMechanismStatus
In transit — public endpointsTLS 1.3 with modern ciphers (HTTP API, gateway, dashboard)✓ shipped
In transit — Raft replication (Enterprise HA)Mutual TLS (rustls) with operator-managed CA✓ shipped
At rest — blob storeAES-256-GCM of L0/L1 text blobs✓ shipped
At rest — WAL and stateOptional full-disk encryption (customer-provided); in-engine WAL encryption on roadmapPartial — FDE recommended now
API key materialKeys generated from cryptographically secure randomness, stored as SHA-256 hashes, verified with constant-time comparison. Raw key shown once at issuance✓ shipped
Audit log integrityHMAC chain with per-entry MAC, tamper-evident — breaks detectably if any entry is modified✓ shipped
FIPS 140-2 modeOpenSSL FIPS provider with startup self-test, gated behind -Dfips=true build flag✓ shipped · cert pending

FIPS mode uses validated OpenSSL 3.x FIPS-provider modules for all symmetric, asymmetric, and hashing operations in the audit, crypto provider, and transport paths. A startup self-test runs known-answer tests for AES, SHA-2, HMAC, and RSA and refuses to serve traffic if any test fails.

§4.0

Authentication and Authorisation

  • API keys. Multiple keys per tenant, rotatable, expirable, scoped to permission sets. Stored as SHA-256 hashes with constant-time comparison. 56 tests cover the key store, rotation, expiry, and scope enforcement.
  • Session cookies. JWT-signed sessions issued after OAuth / SAML login. Short-lived access token plus rotating refresh token. Replay cache prevents re-use of consumed SAML assertions.
  • SSO / SAML 2.0. SAML SP with XML parser, assertion validation, and replay cache. Tested against Okta, Azure AD, and Auth0. 21 tests. Note: production deployments should configure IdP signature verification with your identity provider.
  • RBAC. Admin / operator / reader roles with per-tenant scoping, a role-binding store, WAL-backed persistence, and middleware enforcement on every authenticated route. 59 tests.
  • License keys (self-hosted Enterprise). Signed, cryptographically verifiable licence grants that enable feature sets and enforce node and seat counts. Offline validation — no phone-home required.
§5.0

Multi-Tenancy and Data Isolation

All storage, retrieval, and extraction paths are keyed by a tenant identifier. Tenant isolation is enforced at every layer:

  • Graph store nodes and edges carry a mandatory tenant_id field — tenantless reads are impossible.
  • Entity resolution in the Reflector is keyed on (tenant_id, name); tenants cannot collide entities.
  • Vector search filters by tenant_id before similarity scoring.
  • Audit log queries and GDPR delete operations are scoped per tenant.
  • The gateway routes by tenant and attaches the tenant_id to every upstream request.

Tenant boundaries are validated by a dedicated E2E test that runs three concurrent tenants through the full observe / retrieve / forget pipeline and asserts zero cross-tenant leakage.

§6.0

Audit Logging

Every authenticated action produces an audit record. The audit subsystem is designed to meet the requirements of SOC 2 and, in WORM mode, SEC 17a-4 / MiFID II / FINRA 4511.

  • Tamper-evident HMAC chain. Each entry is cryptographically linked to the previous entry. Modifying or removing any historical entry invalidates the chain for every entry after it.
  • Pluggable destinations. File, webhook, and SIEM-compatible syslog destinations. Webhook delivery includes retry with exponential backoff and HMAC-signed payloads.
  • Retention sweeps. Files older than the configured retention window are purged automatically; default 90 days on managed, configurable up to 7+ years on Enterprise.
  • Query API. Structured query over tenant, principal, action, and time range. 36 tests cover chain integrity, destination delivery, retention, and queries.
  • WORM mode (Enterprise). Append-only segment store with Merkle sealing, legal-hold support, and immutable retention. Once sealed, a segment is cryptographically fixed — tampering is mathematically detectable.
§7.0

High Availability and Durability (Enterprise)

Enterprise deployments support Raft-based multi-node clustering with five durability tiers. Operators choose the tier that fits their consistency / latency / throughput budget.

TierAck Targetfsync ModeUse Case
strictMajority quorumPer-entry fsyncRegulated / zero-data-loss workloads
balanced (default)Majority quorumGroup commit fsync (2ms window)Production enterprise workloads
relaxedLeader onlyAsync fsync (50ms interval)High-throughput agent memory
yoloLeader onlyOff (kernel flush)Dev / benchmarking — not for production
single-nodeLocalPer-entry fsyncCommunity / self-hosted Free

The Raft implementation uses openraft in the Rust sidecar with a purpose-built append-only log appender. Consensus writes, leader election, and persistence have been measured on Linux NVMe hardware: p50 0.38 ms, p99 0.57 ms for the balanced tier.

§8.0

Privacy Engineering (GDPR / CCPA)

  • Right to erasure. ForgetEntity and ForgetTenant APIs perform cryptographic deletion across the graph store, text blobs, vector index, and audit trail. Deletion is transactional and WAL-logged.
  • Data portability. JSON-LD streaming export of all tenant data; re-import round-trips with fidelity.
  • Deletion audit trail. Every GDPR deletion produces an audit record with the caller, tenant, target, and timestamp — so compliance officers can prove deletion.
  • Data minimisation. The Observer extracts only the structure needed for retrieval (entities, facts, episodes); raw text can be configured to be discarded after extraction.
§9.0

Compliance and Attestations

RegimeRelevanceStatus
SOC 2 Type IIManaged service and Enterprise operational controlsType I preparation — audit engagement planned
ISO 27001Information security managementRoadmap — post SOC 2
HIPAAHealthcare PHI handling (Enterprise only)BAA available on Enterprise Self-Hosted
GDPR / UK GDPRAll customers — EU/UK data subjects✓ aligned — see Privacy Policy
FIPS 140-2US Federal / Defense deployments✓ shipped — cert pending
SEC 17a-4 · MiFID II · FINRA 4511Regulated financial record-keeping✓ shipped via WORM mode

Detailed security questionnaires, penetration-test reports, and compliance evidence packages are available under NDA for Enterprise evaluations.

§10.0

Secure Development Lifecycle

  • Zero-warning builds. Every commit compiles clean with `zig build` and `cargo check`.
  • Zero memory-leak policy. Zig allocator leak detection runs on every test.
  • TDD. Security-sensitive code ships with failing tests before implementation.
  • 400+ automated tests across the engine, sidecar, MCP server, and end-to-end wired harness — run on every pull request.
  • Dependency review with Cargo audit and regular npm audits for the gateway and dashboard.
  • Signed release binaries with streaming SHA-256 verification built into the Zig build step.
  • Reproducible builds via pinned toolchains (mise + cargo + bun lockfiles).
§11.0

Operational Security (kizuna.cloud)

  • Hosting in EU data centres (Hetzner, Germany) for the engine tier; Cloudflare global edge for gateway and static assets, with EU/UK POPs preferred for origin-to-edge traffic.
  • Production access is restricted to named operators with hardware-key-backed SSH and privileged-access review.
  • Infrastructure provisioning is codified in scripts and reviewable configuration; no console-click deploys.
  • Monitoring and alerting via the built-in Prometheus metrics, JSON logs with correlation IDs, and per-tenant analytics ring buffers with alert rules.
  • WAL-based crash recovery is shipped today; online backup and point-in-time recovery for kizuna.cloud are on the Enterprise roadmap. Tenants on the managed service can export full data at any time via the /v1/export endpoint.
§12.0

Vulnerability Disclosure

We welcome reports from security researchers and run a coordinated disclosure process. If you believe you have found a vulnerability:

  • Email contact@dthink.ai with a description of the issue, reproduction steps, and any proof-of-concept.
  • Allow us 90 days to investigate and ship a fix before public disclosure, unless the issue is actively being exploited.
  • Do not access data you do not own, degrade service, or use social engineering to probe the Services.
  • We will acknowledge your report within 3 business days and credit you in our security advisory unless you prefer to remain anonymous.
Security contactcontact@dthink.ai
PGP keyAvailable on request — we will publish a fingerprint on this page once the key is rotated.
Response SLAAcknowledgement within 3 business days