MemoryLink

CLI tool that prevents secret leaks before they happen.

🔒 100% local. Zero telemetry. Your secrets never leave your machine.

🎯 What is MemoryLink?

MemoryLink is a Code Agent Memory OS.
It treats Git Diffs as "Execution Truth" and uses them to prevent Agents from making mistakes.

Why not just use "Chat Memory" (Mem0/DiffMem)?
Chat memory only remembers what you said. MemoryLink remembers what you did (code changes).
It enforces this truth with Safety Gates (AST checks, Secret Scanning) that block your Agent from introducing regressions or leaks.

🛡️ Core Features

MEMORYLINK is a Dual-Engine system:

1. Memory Engine: Remembers your rules, context, and decisions.
2. Gate Engine: Blocks mistakes (Secrets + Syntax) before commit.

| Protection | What It Does | |:---|:---| | 🧠 Memory | Stores project rules ("Use Hooks, not Classes") | | 🔍 Scan | Detects 127 secret patterns (API keys, PII) | | 🪝 Git Hooks | Blocks bad commits automatically | | 🚫 CI/CD Block | Blocks PRs with secrets or syntax errors | | 🔐 Quarantine | Encrypts detected secrets (AES-256-GCM) |

How It Works:

You Code → Git Commit → MemoryLink Scans 
                        ↓
            1. 🧠 Check Memory (Rules)
            2. 🛡️ Check Gates (Secrets + Syntax)
                        ↓
             ⚠️ Warning (or 🚫 Block)

Result: Your AI Agent gets smarter and safer over time.

🛠️ Works With

| Category | Supported | |----------|-----------| | AI Agents | Cursor, Windsurf, Antigravity, GitHub Copilot | | OS | macOS, Linux, Windows (WSL2) | | Node.js | v18+ |

👀 What You'll See

When MemoryLink blocks a commit:

┌─────────────────────────────────────────────────────┐
┌ 🧠 MEMORY CHECK: 1 CONFLICT                         ┐
│  • Rule: "Never use default exports in utils/"      │
│    Violation: src/utils/date.ts uses default export │
│                                                     │
├ 🛡️ GATE CHECK: 1 SECRET DETECTED                    ┤
│  🔴 HIGH: AWS Access Key                            │
│     File: src/config.ts:15                          │
│                                                     │
└─────────────────────────────────────────────────────┘

📦 Installation

Prerequisites

• Node.js 18+ (install)
• npm or pnpm

Install from npm

npm install -g memorylink

Verify Installation

ml --version

🚀 Quick Start (30 seconds)

1. Initialize MemoryLink

cd your-project
ml init

What happens:

1. ✅ Scans project for secrets
2. ✅ Creates .memorylink/ (Active Memory)
3. ✅ Installs Git hooks (Red/Blue Gates)

2. Capture Your First Memory

Tell your Agent a rule so it never forgets:

ml capture -t "api-rules" -c "Always use snake_case for API response types"

Now, if an Agent tries to use camelCase, MemoryLink will know.

🎯 Core Commands

| Command | What It Does | |---------|--------------| | ml capture | Save a new memory/rule | | ml query | Retrieve memories by topic | | ml list | List all memories (with dates) | | ml delete | Delete a memory | | ml gate | Check code (Secrets + Syntax) | | ml scan | Find existing secrets |

ml scan - Find Secrets

ml scan                    # Scan entire project
ml scan --path src/        # Scan specific directory
ml scan --json             # JSON output for CI/automation (v2.1)

ml doctor - Health Check (v2.1)

ml doctor                  # Basic health checks
ml doctor --full           # Full diagnostics + benchmarks
ml doctor --json           # JSON output for automation

ml mode - Switch Protection Level

ml mode                    # View current mode
ml mode active             # Block on secrets (teams/CI)
ml mode inactive           # Warn only (default)

ml gate - Manual Check

ml gate --rule block-quarantined              # Check project
ml gate --rule block-quarantined --diff       # Check staged files only
ml gate --rule block-quarantined --history    # Check git history

🔒 6-Layer Protection

Layer 1: On-demand scan      → ml scan catches secrets immediately
Layer 2: Pre-commit hook     → Blocks before commit (staged files)
Layer 3: Pre-push hook       → Blocks before push (full scan)
Layer 4: CI/CD gate          → Auto-enforces when running in CI
Layer 5: Quarantine          → AES-256-GCM encrypted isolation
Layer 6: Audit trail         → Tracks everything with timestamps

💡 Bonus: ml gate --history scans Git history for old leaks!

📊 Active vs Inactive Mode

| Mode | Behavior | Exit Code | Use Case | |------|----------|-----------|----------| | INACTIVE (default) | ⚠️ Warns but allows | 0 | Local development | | ACTIVE | ❌ Blocks commit/push | 1 | Production, CI/CD |

Mode Priority

MemoryLink checks these in order (highest to lowest):

1. CLI Flag         --mode active / --enforce / --monitor
2. ENV Variable     ML_MODE=active / ML_MODE=inactive
3. CI Detection     GitHub Actions, GitLab CI, etc. (auto ACTIVE!)
4. Config File      .memorylink/config.json
5. Default          inactive

One-Time Override

ML_MODE=active git push      # Force blocking for this push
ML_MODE=inactive git push    # Allow this push (temporary)
git push --no-verify         # Emergency bypass (Git built-in)

🎨 127 Secret Patterns

| Category | Examples | |----------|----------| | Cloud | AWS, Azure, GCP, DigitalOcean, Heroku | | AI/ML | OpenAI, Claude/Anthropic, HuggingFace, Groq, Perplexity, Replicate | | Payment | Stripe, PayPal, Square, Razorpay, PhonePe, Cashfree | | Auth | GitHub, GitLab, Slack, Discord, JWT, OAuth, Clerk | | Database | Supabase, PlanetScale, Turso, Neon, Upstash | | India | Aadhaar, PAN, GSTIN, UPI, IFSC, Paytm, PhonePe, Instamojo | | Personal | SSN, Credit Card, Phone, Email | | Browser | localStorage, sessionStorage, cookies |

🌐 19 CI Platforms Auto-Detected

✅ GitHub Actions    ✅ GitLab CI       ✅ Jenkins
✅ CircleCI          ✅ Travis CI       ✅ Buildkite
✅ Azure Pipelines   ✅ TeamCity        ✅ Bitbucket
✅ Drone CI          ✅ AppVeyor        ✅ Semaphore
✅ Buddy             ✅ Vercel          ✅ Netlify
✅ Bitrise           ✅ Codeship        ✅ Generic CI

CI always enforces ACTIVE mode automatically!

🛠️ CI/CD Setup

GitHub Actions

Add to .github/workflows/memorylink.yml:

name: MemoryLink Gate
on: [pull_request, push]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g memorylink
      - run: ml gate --rule block-quarantined

Quick Setup Command

ml ci --provider github    # Creates the workflow file for you

🚫 Handling False Positives

Option 1: Inline Comment

const API_ENDPOINT = "https://api.example.com"; // ml:ignore

Option 2: Mark as False Positive

ml gate --mark-false <finding-id>

Option 3: Config File

Add to .memorylink/config.json:

{
  "ignores": {
    "values": ["test_key_not_real"],
    "patterns": ["example-api-key"],
    "files": ["tests/**", "docs/**"]
  }
}

📁 Directory Structure

.memorylink/
├── config.json         # User preferences
├── records/            # Safe content storage
├── quarantined/        # Encrypted secrets
├── audit/              # Security audit logs
└── falsePositives.json # Ignored findings

🔐 Security Features

| Feature | Implementation | |---------|----------------| | Key Location | ~/.memorylink/keys/ (NOT in project!) | | Encryption | AES-256-GCM (industry standard) | | Secret Masking | AKIA****MPLE in all output | | Zero Telemetry | 100% local, no network calls | | Package Safety | .gitattributes + files field |

🔧 Troubleshooting

| Problem | Quick Fix | |---------|-----------| | ml: command not found | npx memorylink or fix PATH | | Hooks not running | ml hooks --install | | False positive | Add // ml:ignore comment | | Mode not changing | Check ml mode output | | CI not blocking | Verify CI=true is set |

📚 Documentation

• Product Guide - Complete guide with testing & results
• Quick Reference - Cheat sheet
• FAQ - Common questions
• Troubleshooting - Problem solutions
• Patterns - All 127 patterns
• Comparisons - vs other tools
• Threat Model - Security boundaries & design
• Remediation Guide - How to rotate leaked secrets

🤝 Contributing

See CONTRIBUTING.md for guidelines.

📄 License

MIT License - see LICENSE

🙏 Support

• Issues: GitHub Issues
• Discussions: GitHub Discussions

❓ FAQ

Q: Why no MCP integration yet?

MCP (Model Context Protocol) support is planned for v3.0. We're ensuring the core secret detection is bulletproof first.

Q: Does MemoryLink follow security standards?

Yes! MemoryLink follows security best practices aligned with OWASP guidelines. Full OWASP ASI06 compliance documentation is planned for v3.0.

Q: Is it safe to use in enterprise environments?

Absolutely. 100% local operation, zero telemetry, AES-256-GCM encryption, and project-isolated keys make it enterprise-ready.

Q: What makes MemoryLink different from gitleaks?

Better UX (color-coded output), India-specific patterns (Aadhaar, PAN, UPI), zero-config setup, and smart mode switching.

MemoryLink - Protect your secrets from AI leaks 🔒