What ships in each release

Warden acts as an Axum (Rust web framework) middleware layer.

On every incoming HTTP request, it evaluates the source IP address against a configurable list of CIDR (Classless Inter-Domain Routing) ranges.

Requests outside the allowlist receive an immediate 403 Forbidden response; the request body is never read or logged.

The gradatum-eval crate exposes three coverage levels — smoke (a small set of fast sanity queries), full LongMemEval (deterministic, anchored on a public dataset), and governance-bench (write / forget / consolidate cycles targeting axes not covered by standard benchmarks).

Scores are computed deterministically so results are comparable across versions.

DocumentStore (note read/write), IndexStore (full-text search index using FTS5 — SQLite's built-in full-text engine), VectorStore (embeddings and semantic search (ANN planned v0.5.3)), QueueStore (async job queue).

The default implementation targets SQLite.

Optional alternative backends (LanceDB, remote libsql) are planned for later releases.

gradatum-admin install walks through interactive initialization (directories, permissions, base configuration).

A downloadable one-liner script covers the bootstrapping case where no binary is pre-installed.

gradatum-admin doctor inspects the installation state — dependencies, permissions, connectivity — and reports deviations with corrective suggestions.

Four mechanisms are covered — session trace (structured log of decisions made during the session), vault discipline (write rules to prevent duplicate entries), context sliding window (compaction protocol before the context window saturates), and skill crystallization (process for promoting an ad-hoc pattern into a reusable named skill). Internally referenced as SKILL.md Mode 2.

These conventions ship as Markdown files injected directly into the agent's context.

A dedicated identity/ locus in the vault holds four sections for each agent: rules, capabilities, constitution, and identity.

This locus is read-only for the agent itself; writes require administrative credentials.

The identity bundle is injected into the agent's context at the start of every session via the rendering pipeline (Phase A covers static injection). Phases B through D will add dynamic rendering and identity distillation.

At startup, each binary (gradatum-server, gradatum-worker, gradatum-admin) reads only the configuration files whose for= directive matches its own name.

This prevents configuration conflicts between co-located components and simplifies deployments where multiple gradatum processes run on the same host.

A skeleton tree parses the document hierarchy; each logical section becomes one atomic note, so a clause is never split across two chunks.

Table extraction converts tabular rows into indexable sentences (RowToSentence) so column relationships survive retrieval.

A noise filter discards non-informative nodes (table of contents, executive summaries, glossaries) that degrade retrieval quality.

Ingestion runs as a background Job::Ingest with progress tracking and automatic retry via the job queue.

A redirect_table maps every past title or path to the canonical ULID anchor, so [[old-title]] resolves correctly after the note is renamed.

Backlinks are indexed at write time, exposing links_in/links_out on every search result for graph-neighborhood traversal.

vault_search_multi merges results from multiple queries using Reciprocal Rank Fusion (RRF), so wikilink clusters surface naturally alongside keyword matches.

On each vault_write, the previous version is stored in a .history/<ulid>/ directory before the note is updated (Copy-on-Write semantics).

Dedicated history/* endpoints let callers inspect or restore any prior version by timestamp or sequence number.

Lifecycle configuration caps storage at max_versions=50 per note, pruning the oldest revisions automatically.

vault_write accepts an optional write_if_match parameter containing the SHA-256 hash of the note version the caller last read.

If the stored note has changed since that read, the server returns 409 Conflict with a WriteConflict descriptor — the caller decides how to merge.

Writes without a hash succeed unconditionally, preserving backward compatibility for append-only workflows.

Trust is calculated from four sources: the writing agent, the distillation chain, the number of corroborating notes, and the confidence score at ingestion.

Distilled notes inherit a weighted mean of their source trust scores multiplied by the distillation confidence.

The trust field integrates with temporal decay (F-17): notes from less-trusted provenance decay faster in search ranking.

Each note carries a validity state (valid, temporal, or expired) and a document kind (static, versioned, or event), which together determine its decay profile.

A recency score computed relative to the current date is blended with the semantic score using a configurable temporal weight (default 0.40).

Event notes use a raw cosine relevance gate before decay is applied, preventing stale event records from surfacing on unrelated queries.

A QaEvent struct is captured by the gateway intercept layer at each LLM completion: model identifier, prompt/completion token counts, cost estimate, latency, and a feature_id tag.

Events are stored in an append-only event_log table, queryable via the jobs introspection API for per-feature cost breakdowns.

The event log feeds the distillation learn job (F-22), which uses token patterns to identify cost-optimization candidates over time.

The PrivacyFilter is registered as a WriteHook on DocumentStore; it runs synchronously on every vault_write before the note reaches the index.

The initial textual pass uses heuristic pattern matching. A later ONNX (portable neural network runtime) Named Entity Recognition model runs fully on-device with no data leaving the host.

Filtered fields are marked in the note frontmatter so downstream processes know redaction has occurred.

A DriftDetector is registered as a WriteHook on DocumentStore at startup; it monitors writes to the identity/ locus without a direct vault dependency.

On each write, the detector computes a semantic distance between the new content and the last validated version; divergence above threshold triggers a drift_detected event.

The drift event is surfaced via the jobs SSE (Server-Sent Events) stream, allowing operators or higher-level workflows to review the change before it takes effect.

VaultScope encodes the vault identifier, the agent identifier, and the locus path as a single composable value, eliminating ambiguity when multiple vaults share a worker.

Every background job (distillation, purge, audit, migration, and others) carries a VaultScope, making cross-vault operations a first-class primitive rather than a per-job workaround.

All existing jobs are migrated to use VaultScope in a single coordinated change — no incremental per-job migration is needed.

Each note carries a lifecycle_state field; transitions are explicit API calls with optional guard conditions so no note skips a required validation step. Draft notes are excluded from search by default; Deprecated notes are downweighted.

Operators define [[vault.lifecycle]] rules in TOML: conditions such as age, decay score, or locus pattern trigger a Job::Purge(Lifecycle). The purge job runs after distillation so no note is deleted before its value has been extracted.

Configurable history pruning caps per-note version history with max_versions and a TTL, preventing unbounded growth of the .history/ directories.

vault_forget(scope, dry_run: true) returns the full list of affected notes and any derived skills before any state change — the operator reviews and confirms explicitly.

On confirmed deletion, notes are marked forgotten=true and decay accelerates over a configurable window, removing them from search results progressively rather than immediately.

Cascade behavior is configurable: forgetting a knowledge/ topic can optionally propagate to linked skills/ and peers/ entries derived from it, with each cascade step listed in the dry-run preview.

A TemporalIndex is derived at write time from frontmatter fields (occurred_at, valid_from, event-date, created) — no LLM extraction, no separate store. This release ships the index and the vault_timeline API surface; higher-level temporal reasoning ships in v0.5.0.

The vault_timeline tool exposes before/after/around/upcoming queries; the index is fully reconstructible via a ReIndex job if frontmatter changes.

Job::Validate cross-checks temporal contradictions between notes (e.g., two notes asserting conflicting event orders) as part of the memory validation pipeline.

Four distillation modes run as Job::Distill: Semantic (synthesizes topic clusters into a single knowledge note), Learn (requires enough recorded LLM interactions (QaEvents) to extract meaningful cost and quality patterns), Peer (requires ≥5 sessions, builds a user behavior profile), and Rationale (preserves the reasoning chain behind decisions).

Distilled notes inherit a trust score computed from their source notes, and a Note History fingerprint is stored so drift from the validated version can be detected later.

DistillSource supports multi-vault targeting via VaultScope, allowing a distillation job to draw from notes across isolated vaults.

A dedicated GET /api/v1/lessons/recall endpoint queries the lessons-learned corpus with semantic search and returns ranked results with source attribution.

A vault_lessons_recall MCP tool exposes the same surface directly to MCP clients, with optional role and tag filters so agents retrieve only domain-relevant lessons.

A pre-action hook fires automatically when the agent is about to start a new task, injecting the top-3 matching lessons into the context before the first response.

The gateway parses ChatMessage::User as either a plain string or a Vec<ContentPart> (text + image_url), matching the OpenAI chat completions schema, so existing text-only clients are unaffected.

A vision routing gate inspects the content array at request time: messages containing image parts are forwarded to a configured vision-capable endpoint; text-only messages follow the standard routing path.

Configuration exposes a vision_endpoint field in the gateway TOML; if unset, image-bearing requests return a 422 with an explicit error rather than silently stripping the image.

The gradatum-db-sqlite crate exposes a libsql feature flag; enabling it replaces the local SQLite connection with a remote libsql endpoint.

The DocumentStore, IndexStore, and QueueStore traits remain unchanged — the swap is purely a configuration-level choice with no application code changes.

An internal poll loop on the libsql queue backend (500 ms interval) bridges the remote queue to the existing channel-based worker dispatch.

The gradatum-db-lancedb crate implements the VectorStore trait backed by LanceDB, an embedded columnar vector database.

Switching is opt-in via configuration — IndexStore (full-text) stays on SQLite; only the vector path moves to LanceDB, keeping the deployment simple.

A Parquet-backed DocStore variant (planned for a later phase) will extend LanceDB to cover document storage as well for very large vaults.

Five surfaces ship in the MVP: a dashboard (live vault metrics and recent activity), a note browser with inline markdown rendering, a search panel with score and section filters, a review queue (notes pending lifecycle validation), and a jobs monitor showing background task status.

Authentication is handled via a single API key injected at startup; no OAuth or user database is required for the single-user deployment.

A WHY scores panel surfaces the curator confidence and section classification for each note — making the reasoning behind search ranking visible and auditable.

The interface is read-only for vault content by design; writes still go through the standard API so the vault write path remains the sole source of truth.

The gradatum-mcp crate publishes vault tools (vault_write, vault_search, vault_forget, vault_timeline, and others) as MCP capabilities with full JSON Schema definitions.

Authentication is handled MCP-side, decoupled from the HTTP API auth layer, so the MCP surface has its own access control.

The stdio transport (for local clients) and the Streamable HTTP transport (F-56, for remote clients) are both supported from the same crate.

A single POST+GET /mcp endpoint handles all MCP traffic; responses are either plain JSON or upgrade to Server-Sent Events (SSE) per-request, without maintaining a persistent connection.

This replaces the deprecated HTTP+SSE transport (spec 2024-11-05), which required a persistent SSE connection incompatible with most load balancers.

The local stdio transport is preserved for desktop clients; optional backward-compatible SSE mode allows a smooth migration for existing integrations.

A background validation job computes a composite quality score; notes above a configurable threshold are accepted, notes with specific error patterns are routed to a repair strategy.

Three repair strategies: contradiction patch (corrects numeric contradictions against source notes), entity scrub (removes hallucinated entity claims), and grounding rewrite (reconstructs under-anchored text from source material). Internally: ContradictionPatch, EntityScrub, GroundingRewrite.

Repaired notes are stored with an audit flag (HEALED_ACCEPT) and a change log; notes that cannot be repaired are discarded cleanly — never silently stored.

Each user is represented by a UserRecord with a Bearer JWT; an admin invitation flow provisions new users without exposing the root credential.

Isolation is per-locus type: identity/ and peers/ are always private; knowledge/ and skills/ are configurable as shared or private per deployment.

ACL policies in gradatum-acl-policy enforce locus-level access at the storage layer, so isolation is structural rather than enforced only at the API boundary.

Gradatum acts as an OAuth 2.1 resource server: it validates tokens and publishes Protected Resource Metadata (RFC 9728) but delegates token issuance to a self-hosted identity provider using OIDC (OpenID Connect) — such as Kanidm.

The IdentityProvider trait decouples the identity provider from gradatum-auth (D-14), so the IdP is replaceable without modifying the authorization layer.

PKCE (Proof Key for Code Exchange) S256, Dynamic Client Registration, and explicit consent flows are required — bearer-static tokens are not accepted, matching what Claude for mobile and ChatGPT require.

Job::Audit(AuditMode) supports three modes: Detect (identifies duplicates and near-duplicates by semantic similarity), Deduplicate (merges or flags them), and Both (full pass).

The audit produces a per-locus vault score reflecting coverage, freshness, and uniqueness — visible in the jobs introspection API.

Conflict reports list notes with contradictory claims so operators or distillation jobs can resolve them explicitly rather than leaving ambiguity in the search index.

A ContextBuilder composes four injection zones: identity and capabilities (Zone A), sliding-window memory (Zone B), pinned high-priority notes (Zone C), and proactive recalls triggered by relevance (Zone D).

The library is consumed by gradatum-server, gradatum-worker, and the agent runtime — not a standalone service, no port, no network dependency.

The capabilities zone injects the JSON Schema of available vault tools so the agent can discover and call them without hardcoded tool lists.

When the context window approaches its limit, Job::Summarize compresses the oldest segments into a vault note stored under the session locus.

On the next session or context reset, the sliding window is restored from the vault — the agent continues with compressed but coherent history rather than a blank slate.

A companion SKILL.md documents the sliding-window discipline so agents know when and how to trigger the compaction themselves.

After each response, ProactiveRecall runs a vault_search against the current context; notes whose cosine similarity exceeds the configured threshold are injected into Zone D of the next context window.

Zone D recall is passive by default — the agent is notified that related notes exist; active retrieval still requires an explicit vault_search call.

ContextBuilder::with_proactive_recall() toggles and configures the feature; the threshold and maximum injected notes are operator-tunable.

vault://main/me.md is a Markdown note in the vault storing explicit preferences, context, and constraints; it is injected into Zone A of the context on every session.

The profile complements the automatically inferred peers/ locus (built by the Peer distillation job) — explicit declarations in me.md override inferred values.

Operators edit me.md directly with any Markdown editor; changes take effect on the next context assembly without requiring a restart or re-distillation.

Each skill carries metadata: applies_to roles, trigger keywords, and tags; skill_select(role, task) runs a role/keyword match to return only the relevant subset.

Selection is not semantic search — it is deterministic metadata matching, which makes the result predictable and auditable without an embedding lookup.

The selected skills are injected into Zone A by ContextBuilder; unselected skills remain in the library and are not loaded into the context window.

A consolidation job runs monthly or quarterly (configurable); it requires a corpus of at least 90 days of matured notes before it produces meaningful output.

Output is written to knowledge/consolidated/ as named mental-model notes that describe recurring reasoning patterns, not just topic summaries.

Consolidated models are injected at a high-priority slot in the agent context, allowing the agent to reason from first principles rather than scanning hundreds of individual notes.

ChatContent becomes a union type (Text | Image); ChatMessage::User accepts Vec<ChatContent> instead of a single string — this is a semver-breaking change.

The multimodal input path touches gateway, curator, worker, engine, and agent crates; all must be updated together in a coordinated release.

Image content is processed by a vision-capable model routed through the gateway; the existing text path is unchanged for text-only clients.

A desktop Cargo feature flag activates the screen-capture pipeline in gradatum-agent; it is disabled by default and has no runtime cost when not enabled.

Captured screenshots are passed to the multimodal chat API (F-03) for analysis; the agent can then act on the visual content using the standard tool-calling interface.

The desktop feature depends on F-03 being available; it is not usable on text-only deployments.

L4 BYOC builds on the existing deployment levels (L0 local through L3 managed); at L4, the user provides their own cloud compute (VMs, containers, or serverless) and storage.

Cloud provider load balancing (ALB, CloudFront, or equivalent) replaces the built-in reverse proxy; mTLS is recommended for inter-service communication at this scale.

Deploy tooling and multi-tenant authentication are shipped alongside the crate changes so operators can provision L4 environments without building custom orchestration.