Built on the ACFA paper · coordinator-free Byzantine aggregation →

Your security stack watches the network. Nothing watches what your agents tell each other.

Memora is the missing layer — Byzantine-fault-tolerant shared memory where one compromised agent is mathematically unable to fork the state of the rest, and every write is signed, attributable, and exactly replayable.

First 25,000 ops free on signup · exact Q16.16 integer math · ARM and x86 resolve to the identical bytes

The silent fork

Frameworks run dozens of agents over shared state in a dumb key-value store.

AutoGen, CrewAI, LangGraph — they all point at Redis or Postgres. If one agent is prompt-injected and writes poisoned JSON or tensors, every other agent reads the poison and the swarm hallucinates. On a network partition, Redis forks silently and never tells you. There is no mathematical guardrail for shared agent state.

Memora is that guardrail.

# Redis, network partition
agent_A> SET policy {"risk": 0.2}
agent_B> SET policy {"risk": 0.9}   # partitioned
# ...heals...
> GET policy
"{\"risk\": 0.9}"   // silently forked. which won?

# Memora, same partition
> db.get("policy")
root 0bf8038db4421365   // both replicas re-converge, byte-identical

Near-zero friction

Three lines. Under three seconds to first sync.

1

Install

One pre-compiled Rust wheel. No C-extensions, no NumPy, no build step.

pip install memora-swarm
2

Paste your key

One key, the whole engine — CRDT, E4 trust and ACFA conviction. First 25k ops free on signup, then metered.

import memora_swarm as memora
db = memora.Blackboard("./swarm.memora",
  node_id="agent_12", api_key="opti_sk_...")
3

Synced

Background delta-sync via the nearest region. "Synced" prints in under 3 seconds.

db.connect("swarm_001")
# → Synced ✓

Already using a framework?

One pip install backs your framework's memory with Memora.

Keep the code you have. Each package is a live-tested adapter that routes your framework's shared state through Memora's Byzantine-fault-tolerant engine — and pulls in memora-swarm automatically. One command, everything installed.

LangChain

pip install memora-langchain

A drop-in BaseChatMessageHistory. Shared, poison-resistant chat history for RunnableWithMessageHistory — concurrent writers merge, no turns lost.

MemoraChatMessageHistoryView on PyPI →

CrewAI

pip install memora-crewai

Hands your crew remember_shared / recall_shared plus Byzantine-robust crew_vote / crew_consensus — one rogue agent can't skew the vote or corrupt the memory.

MemoraCrewMemory.tools()View on PyPI →

Microsoft AutoGen

pip install memora-autogen

Implements the autogen_core.memory.Memory protocol. Give every agent on a team one MemoraMemory on the same room and they reason over one trusted, shared context.

MemoraMemoryView on PyPI →

On a custom or unsupported framework? The integration source and getting-started examples show the raw pattern to adapt in a few lines.

Three layers · one full service

Every key gets all three. The same math ships to our cloud and on-prem to you — unchanged.

L1
OR-Set CRDT + delta-state
Conflict-free JSON beliefs. Never forks.
Included
L2
E4 trust-weighted mean
Smoothly down-weight conflicting state by trust.
Included
L3
ACFA Q16.16 multi-Krum + G-Set
Byzantine-robust tensors; auto-ban equivocators.
Included

Shield · live conviction

When an agent equivocates, the math bans it. Permanently.

round 1  · 5 agents submit signed tensors
         · resolved root  0bf8038db4421365   byte-identical across the swarm
         · agent_5 signs TWO conflicting round-1 tensors  ⚠ equivocation
         · self-authenticating G-Set conviction proof forms automatically
         · convicted set = [agent_5]   → excluded from aggregation
         · clean resolved root  0bf8038db4421365   (honest state intact)
round 2  · agent_5 attempts to rejoin  →  BANNED (permanent)

No coordinator. No human in the loop. The conviction proof is a mathematical object anyone can verify — powered by the same Q16.16 kernel in the ACFA paper.

In the wild · 2026

The documented attacks, incidents, and regulations Memora closes.

Multi-agent security is now its own discipline — memory poisoning, self-replicating AI worms, rogue agents, and cascading inter-agent failure. Each item below is a real, published source. Memora is the memory-integrity layer that neutralises the shared-state half of the problem.

OWASP ASI06 · 2026

Memory & Context Poisoning

A single poisoned write silently corrupts every agent that reads shared memory — and, unlike a one-shot prompt injection, it persists across sessions. Agent Security Bench measured an 84% average attack success rate; MINJA reports >95% injection success against production agents.

How Memora closes it: Every write is Ed25519-signed and attributable to a node; the OR-Set CRDT cannot fork, and ACFA multi-Krum rejects poisoned contributions from the agreed state. Geometric outliers are filtered; values within the honest statistical spread are bounded, not eliminated (see paper §7.1).
Source: OWASP Top 10 for Agentic Applications (2026)
Incident · Morris-II worm

Self-replicating prompt worms & cascading failure

A zero-click adversarial prompt cascades across a multi-agent network — each infected agent's output is trusted as the next agent's input, turning one compromise into a swarm-wide breach (OWASP ASI08).

How Memora closes it: One compromised agent is mathematically unable to move the agreed aggregate. The cascade is contained — blast radius bounded to the attacker's own node, which is then convicted.
Source: Morris-II, Cornell Tech / IBM
OWASP ASI10 · 2026

Rogue agents & equivocation

An agent that double-signs or acts maliciously inside the swarm is still treated as a trusted peer by every other agent.

How Memora closes it: G-Set equivocation proofs convict a double-signing agent automatically and evict it permanently from the aggregate — a mathematical object anyone can verify.
Source: OWASP GenAI Security Project
Root cause · inter-agent trust

“Internal agent comms are trusted”

Multi-agent systems are built assuming messages between agents are secure and trustworthy — the exact assumption inter-agent attacks and AI worms exploit (OWASP ASI07).

How Memora closes it: Memora removes the assumption entirely: no write is trusted on faith — each is signed, verified, and Byzantine-tolerated before it is allowed to touch shared state.
Source: Multi-Agent Risks from Advanced AI (arXiv:2502.14143)
Regulation · EU AI Act

Art. 12 & 13 — traceability & tamper-proof logging

From 2 August 2026, high-risk AI must automatically log agent identity and every action with cryptographic tamper-evidence and output verification. Non-compliance: up to €35M or 7% of global turnover.

How Memora closes it: Every op is signed, attributable to a node, and exactly replayable from an append-only log with byte-identical roots — a compliance-grade, tamper-evident audit trail by construction.
Source: EU AI Act, Articles 12 & 13

Memora contains, attributes, and evicts — it does not replace input filtering at the model boundary. It is the layer that makes a compromised agent unable to fork, poison, or silently corrupt the rest.

One full service. Metered by the op.

Every agent gets the whole engine — CRDT, E4 trust, and ACFA Byzantine conviction. You only pay for the ops you run.

Start here — no card
Free
$0
  • ·The full service: CRDT + E4 + ACFA
  • ·Unlimited agents
  • ·First 25,000 ops free on signup
  • ·Then transition to metered
Get your free API key
Free → metered, same key
The whole service, one price
Metered
$0.35/ 1,000 ops
  • ·Everything, unlimited agents
  • ·After the free 25k signup ops
  • ·$0.35 / 1,000 ops
  • ·Drops to $0.20 / 1,000 above 2M
Sign in to add a card
On-prem
Enterprise
Custom
  • ·On-prem relay binary (the moat)
  • ·SSO + dedicated support
  • ·Custom SLAs + volume pricing
  • ·The same math, inside your perimeter
Contact

An op is a semantic state change — a put or a tensor submission, never keepalive or sync chatter. Idle swarms cost nothing. At 85% of the free allowance we prompt you to add a card so nothing ever stops mid-run.