Einstein (memory plugin)
Einstein is the official long-term memory plugin for AiHummer. It gives an agent a durable, searchable memory that survives restarts and conversations, without ever turning that memory into a black box. The guiding rule is simple: canonical Markdown is the source of truth, the system indexes and proposes changes, and every promotion into long-term memory is reviewed by a human.
The plugin runs host-native as its own small Python service (standard library
only — no heavyweight framework) and talks to the gateway over the
aihummer.memory.v1 contract. The in-gateway memory subsystem (claims, recall,
the data-fence) is described on the concept page
Memory (Einstein); this page covers the
plugin that backs it.
Facts
| Field | Value |
|---|---|
| Version | 1.0.0 |
| Port | 8820 |
| Runtime | Python (standard library), host-native |
What it is
Einstein stores memory as human-readable Markdown — the canonical record a person can open, read and edit. On top of that record it builds the machinery an agent needs at turn time:
- Retrieval — fetch the memory relevant to the current conversation.
- Search — full-text and embedding-based lookup over stored facts.
- Embeddings — vectors for semantic recall, served over HTTP.
Because the Markdown is canonical, nothing about the indexes is precious: they can be rebuilt from the source of truth at any time, and a reviewer always reads the same text the agent reads.
How it is used
At turn time the gateway asks Einstein for the memory relevant to the current context. Recall is delivered to the model as a tool result wrapped in a data-fence, never as injected instructions — so a malicious note that found its way into memory cannot hijack the agent. New facts observed in a conversation are extracted as claims with evidence and queued for review rather than written straight into memory.
[!NOTE] The system indexes and proposes, but never silently rewrites memory. Promotion of a claim into long-term memory is a deliberate, human-reviewed step. Memory mode (auto / review / off) and retrieval mode (fulltext / embedding) are admin-configurable.
The v2 memory platform (on by default)
Einstein ships the full v2 memory platform, and all of its power is on out of the box — nothing to wire up by hand: claim extraction, a review queue, a background deriver (facts, links and entities from evidence), a “dream”/consolidation pass (dedup and memory self-healing), a memory graph and contradiction detection. The background scheduler runs on a 900 s interval by default. Every flag is admin-configurable (Web UI), but you don’t need to change any of them for full operation.
[!NOTE] The only human step is approving a write to canonical memory (
MEMORY.md). Every v2 worker writes only to a separate sidecar store and never touches the canonical Markdown. When Einstein derives an edit worth committing to canon, it is shown in the review UI and applied with one click (reviewed_uimode, the default). So all the power is available immediately, yet the core guarantee holds: memory is never rewritten behind your back. If preferred, an operator can choosepreview_only(show edits only) via theEINSTEIN_CANONICAL_MEMORY_WRITE_MODEsetting.
Installation
Einstein is a built-in plugin: it installs automatically for every tenant, carries a “Built-in” badge in the plugin list and cannot be removed or stopped — memory is part of the product core. There is nothing to install separately; the full lifecycle of regular plugins is described in Install & updates. There are no containers — Einstein runs as its own systemd service alongside the gateway.
Security and limits
- Source of truth is Markdown. Indexes and embeddings are derivable; the canonical text is what a human reviews and edits.
- No silent rewrites. The v2 platform works out of the box, but a write to
canon goes through one-click human approval (
reviewed_ui); workers write only to the sidecar and never touch the canonical Markdown. - Data-fenced recall. Memory reaches the model as fenced tool output, never as instructions, which blocks indirect prompt injection.
- Secured Web UI. The plugin’s review/management UI is access-controlled.
- Host-native. Runs under systemd, not in a container.