Engram is built on a single security principle: your memories stay on your machine. There is no Engram cloud backend, no analytics pipeline, and no call home on startup or shutdown. The only network traffic Engram ever generates is the request you explicitly configure to your extraction endpoint — and you can point that at a fully local inference server to eliminate network traffic entirely.
Local-first design
Every piece of data Engram manages — facts, the review queue, audit logs, and context files — lives in a plain-file store on your local filesystem. Nothing is transmitted to Engram servers because no Engram servers exist.

| Property | Detail |
|---|---|
| Cloud backend | None |
| Telemetry / analytics | None |
| Auto-update checks | None |
| Network calls at startup | None |
| Network calls during operation | Only to your configured extractor endpoint |
Engram’s only outbound network call is to the `extractor.base_url` you set in `config.toml` (or `ENGRAM_EXTRACTOR_URL`). If you never run `engram harvest`, no network calls occur at all.

Extractor network model

The extractor is the component that calls an LLM to identify durable facts in a session transcript. It is the only component that makes an outbound request.

- What is sent: The text content of the transcript file you pass to `engram harvest`. No store contents, no previously captured memories, and no system metadata are included in the request.
- Where it goes: Exactly the endpoint you configure — no proxies, no fallback URLs.
Fully offline operation with LM Studio or Ollama

Point the extractor at a local inference server and Engram operates with zero network traffic:

Or with Ollama:

Once configured, `engram harvest`, `engram sync`, `engram recall`, and all MCP operations run entirely on-device.

Cloud provider (OpenAI, Anthropic, etc.)
If you prefer a cloud model for extraction quality, set the endpoint and model accordingly. Only the transcript content is sent — store contents are never transmitted.

Review your provider’s data-processing and retention policies before harvesting transcripts that contain sensitive personal information.
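To tell which of the two situations above applies before a harvest run, here is an added shell example (not part of the Engram project) that classifies the extractor endpoint as loopback (LM Studio or Ollama on this machine, so no network traffic) or remote (transcript text leaves the machine). It reads `ENGRAM_EXTRACTOR_URL`, the variable the page names; the function names `endpoint_host`, `classify_endpoint` and `engram_harvest_preflight` are the example's own, and the ports 1234 and 11434 mentioned in the comments are LM Studio's and Ollama's own defaults, not anything Engram sets.

```shell
#!/bin/sh
# Added example, not Engram's own code: classify the extractor endpoint that
# `engram harvest` will call. Reads ENGRAM_EXTRACTOR_URL (the variable the
# page names); if you set extractor.base_url in config.toml instead, pass
# that URL explicitly. Function names here are the example's own.

# Reduce an http(s) URL to its host: drop scheme, path, userinfo and port.
endpoint_host() {
    host="${1#*://}"          # scheme
    host="${host%%/*}"        # path
    host="${host##*@}"        # userinfo
    case "$host" in
        \[*)                  # bracketed IPv6 literal, e.g. [::1]:1234
            host="${host%%]*}"
            host="${host#\[}"
            ;;
        *)  host="${host%%:*}" ;;   # :port
    esac
    printf '%s\n' "$host"
}

# "local" for loopback targets (LM Studio's default server is
# http://localhost:1234, Ollama's is http://localhost:11434),
# "remote" for anything else.
classify_endpoint() {
    case "$(endpoint_host "$1")" in
        localhost|127.*|::1) echo local ;;
        *)                    echo remote ;;
    esac
}

# Preflight for a harvest run: succeed for a local endpoint, fail with a
# reminder of the page's advice when transcript text would leave the machine.
# Usage: engram_harvest_preflight "$ENGRAM_EXTRACTOR_URL" && engram harvest ...
engram_harvest_preflight() {
    url="${1:-${ENGRAM_EXTRACTOR_URL:-}}"
    if [ -z "$url" ]; then
        echo "no extractor URL given and ENGRAM_EXTRACTOR_URL is unset" >&2
        return 2
    fi
    case "$(classify_endpoint "$url")" in
        local)
            echo "extractor $(endpoint_host "$url") is loopback: harvest stays on-device"
            return 0 ;;
        remote)
            echo "extractor $(endpoint_host "$url") is remote: transcript text will be sent there;" \
                 "review the provider's data-processing and retention policy" >&2
            return 1 ;;
    esac
}
```

The classification is deliberately conservative: only `localhost`, `127.x.x.x` and `::1` count as local, so a LAN inference box or a tunnel to one is reported as remote and you decide explicitly whether that is acceptable for the transcript in hand.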
API key handling
Engram reads the extractor API key from `extractor.api_key` in `config.toml` or from the `ENGRAM_EXTRACTOR_KEY` environment variable. The value is held in memory for the duration of the process and:

- Is never written to the store (memory-log, registry, or any other store file).
- Is never included in `audit.jsonl` entries.
- Is never logged to stdout or stderr.
Store file permissions
Engram applies strict filesystem permissions to all store files at creation time:

| Item | Permission |
|---|---|
| Store directory and all subdirectories | 0700 (owner read/write/execute only) |
| All store files (Markdown, YAML, JSONL) | 0600 (owner read/write only) |

`ls -la`.
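Engram sets these modes at creation time, but a restore from a backup tool that does not preserve permissions, or a careless `chmod -R`, can widen them afterwards. The following shell audit is an added example (not Engram's code) that walks a store directory, reports every entry whose mode is wider than the documented 0700 / 0600, and can restore the documented modes; it relies only on POSIX `find`, `ls`, `cut` and `chmod`, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Engram's own code. Audits an Engram store against the
# documented policy: directories 0700, files 0600. Relies only on POSIX
# find, ls, cut and chmod; function names are the example's own.

# Print one line per entry whose group/other permission bits are set.
# Each line is "<mode> <path>", e.g. "drwxr-xr-x /path/to/store".
engram_store_perm_audit() {
    store="$1"
    [ -d "$store" ] || { echo "no such store directory: $store" >&2; return 2; }
    find "$store" -print | while IFS= read -r entry; do
        mode=$(ls -ld "$entry" | cut -c1-10)      # e.g. -rw-r--r--
        case "$(printf '%s' "$mode" | cut -c5-10)" in
            ------) ;;                              # owner-only: compliant
            *)      printf '%s %s\n' "$mode" "$entry" ;;
        esac
    done
}

# Number of non-compliant entries; 0 means the store matches the policy.
engram_store_perm_count() {
    engram_store_perm_audit "$1" | wc -l | tr -d ' '
}

# Restore the documented modes, e.g. after a restore from a backup that
# dropped them. Only entries inside the given store path are touched.
engram_store_perm_fix() {
    store="$1"
    [ -d "$store" ] || return 2
    find "$store" -type d -exec chmod 700 {} +
    find "$store" -type f -exec chmod 600 {} +
}
```

Run `engram_store_perm_audit /path/to/your/store` to list offenders, or `engram_store_perm_count` in a cron job or login script to alert when the count is non-zero; `engram_store_perm_fix` is the one-shot repair.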
Version control guidance
The store is plain text (Markdown + YAML + JSONL), which makes it tempting to commit to Git for history and backup. This is safe for non-sensitive stores — but exercise caution if your store contains curated-kind facts.

| Scenario | Recommendation |
|---|---|
| Store contains only preference, tooling, project, infra facts | Git is reasonable; review diffs before pushing to a shared remote |
| Store contains identity, fiscal, health, people, location, or constraint facts | Keep the store out of version control; use encrypted backup instead |
| Public or team-shared repository | Never commit the store; add the store directory to `.gitignore` |

`.gitignore` entry:
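Two helpers that turn the table above into an automatic check, added here as an example rather than taken from Engram: a pre-commit guard that refuses to proceed when any store file carries one of the sensitive kinds the page lists (the same kinds that are quarantined under Sensitive-kind quarantine below), and an idempotent `.gitignore` append for the store directory. It assumes a fact's kind is recorded as a `kind: <name>` line (Markdown front matter or YAML) or as a `"kind"` field in a JSONL record; this page does not specify the store layout, so adjust the grep pattern to match yours. The store path and the `.engram/` entry are placeholders.

```shell
#!/bin/sh
# Added example, not Engram's own code. Helps decide whether a store is safe
# to put under version control, following the page's table: block the
# commit if any sensitive-kind fact is present, otherwise allow it.
# Assumption: a fact's kind appears as "kind: <name>" (Markdown front matter
# or YAML) or as a "kind": "<name>" JSON field (JSONL). Adjust the pattern
# if your store records kinds differently.

# The kinds the page names as sensitive.
ENGRAM_SENSITIVE_KINDS='identity fiscal people health location constraint'

# List (sorted) every store file that carries a sensitive-kind tag.
engram_sensitive_files() {
    store="$1"
    alts=''
    for k in $ENGRAM_SENSITIVE_KINDS; do
        alts="${alts:+$alts|}$k"
    done
    # Match the kind as a whole word so "health" does not match "healthy".
    grep -rlE "(^kind:|\"kind\":)[[:space:]]*\"?($alts)\"?([[:space:]]|,|\$)" "$store" 2>/dev/null | sort
}

# Pre-commit guard: exit 1 and name the offending files when the store holds
# sensitive-kind facts, exit 0 when it holds only non-sensitive kinds.
# Wire it in with: engram_precommit_guard /path/to/store || exit 1
engram_precommit_guard() {
    hits=$(engram_sensitive_files "$1")
    if [ -n "$hits" ]; then
        echo "refusing to commit: sensitive-kind facts found in:" >&2
        printf '%s\n' "$hits" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Add the store directory to the repository's .gitignore exactly once.
# Usage: engram_gitignore_add /path/to/repo '.engram/'   (entry is a placeholder)
engram_gitignore_add() {
    repo="$1"; entry="$2"
    touch "$repo/.gitignore"
    grep -qxF "$entry" "$repo/.gitignore" || printf '%s\n' "$entry" >> "$repo/.gitignore"
}
```

The guard is a complement to, not a replacement for, reviewing diffs before pushing: it only sees kinds that are tagged, so a sensitive detail inside a fact tagged `project` still needs a human eye.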
Backup options
Because the store is plain files, any file-sync or backup tool works:

Encrypted backup with restic

Encrypted sync with rclone + cloud storage

Time Machine / system snapshots
The store directory is automatically included in Time Machine backups (macOS) and most system snapshot tools. No configuration needed. Verify the store path is not excluded in your backup software’s exclusion list.
Sensitive-kind quarantine
Engram enforces an additional layer of protection for memories tagged with sensitive kinds regardless of store-level permissions. Facts tagged identity, fiscal, people, health, location, or constraint are always routed to the tier-3 review queue and require explicit `--confirm` before being written. They can never be added to `bridge.kind_allowlist` for automatic promotion.
See Tiered Writes for the full write-safety model.