Source-Wire is an agent-first memory architecture skeleton.
It is designed for systems where AI agents need to search, cite, update, and reason over source-backed context without turning every imported note or chat message into trusted memory automatically.
Current public status: Source-Wire is Apache-2.0 licensed as a source package. It is published to npm, released on GitHub, undeployed, and not a hosted runtime. Read Public Status before deployment, hosted-runtime, production-use, or contribution assumptions.
Product direction: Source-Wire is intended to become a public BYO, owner-hosted memory system that adopters can run with their own device/server, PostgreSQL-compatible database, API keys, data sources, and MCP-capable agent harnesses. The current repo is the contracts-first public package, not that full runtime yet. Read Product Direction.
Memory-engine baseline path: Source-Wire-Memory-Engine is an AGPLv3 reference runtime candidate. It stays separate while Source-Wire audits the boundary, license path, and owner-hosted setup path. Read Memory Engine Baseline Audit PRD.
Owner-hosted setup path: the synthetic owner-hosted setup package is complete as public proof for adopters who bring their own device/server, PostgreSQL-compatible database, credentials, source packets, and MCP-capable harnesses. Read Owner-Hosted Setup Final Proof, Owner-Hosted Setup PRD, and Owner-Hosted Setup Issue Slices. This does not approve API server runtime, MCP server runtime, database migrations, managed hosting, deployment, npm publishing, GitHub release creation, real data, AGPLv3 code copying, or private implementation code copying.
Owner-hosted setup contract: Source-Wire now exports a synthetic owner-brings checklist contract for future BYO setup work. Read Owner-Hosted Setup Contract. It does not start a runtime, connect a database, deploy services, import private data, or create trusted memory.
Owner-hosted setup readiness: Source-Wire also includes a synthetic readiness fixture matrix for database, API, MCP, source update safety, and Mission Control setup health. Read Owner-Hosted Setup Readiness Fixture Matrix. It does not run real setup checks yet.
Owner-hosted setup smoke: npm run owner-hosted-setup:readiness-smoke checks that synthetic setup readiness cases are complete and blocked cases include shaped failure records. Read Owner-Hosted Setup Readiness Smoke. It does not require secrets or external services.
Source update safety smoke: npm run owner-hosted-setup:source-update-safety-smoke proves the synthetic update path requires caller-supplied snapshots, blocks folder crawling and broad private import, keeps trusted memory delta 0, and preserves owner or application-controlled review. Read Owner-Hosted Setup Source Update Safety Smoke.
Daily workflow synthetic path: Source-Wire now exports a synthetic daily owner memory workflow contract and fixture matrix. npm run daily-workflow:smoke proves read-only asks, bounded updates, owner review, follow-up evidence separation, Mission Control summary shape, no runtime inclusion, no folder crawling, no MCP approval bypass, and no automatic trusted memory promotion. Read Daily Workflow Contract, Daily Workflow Synthetic Smoke, and Daily Workflow Claim Boundary.
Runtime readiness gate: Source-Wire now exports a synthetic runtime-readiness contract and fixture matrix. npm run runtime-readiness:smoke proves private-proof, API policy, MCP policy, database posture, source update, memory-engine boundary, and release boundary gates while keeping API runtime, MCP runtime, database migrations, deployment, managed hosting, real data, AGPLv3 code copying, private implementation copying, and automatic trusted memory promotion blocked. Read Runtime Readiness Contract, Runtime Readiness Fixture Matrix, and Runtime Readiness Smoke.
Runtime proof intake gate: Source-Wire now includes a synthetic redacted private-proof intake manifest. npm run runtime-proof-intake:smoke proves private proof metadata can be acknowledged for PRD refresh without importing private repo paths, raw private content, real data, secrets, AGPLv3 code, private implementation code, runtime implementation, database migrations, or deployment. Read Runtime Proof Intake Contract and Runtime Proof Intake.
Owner-hosted setup claim boundary: latest main documents a BYO setup direction, not managed hosting or production runtime. Database migrations remain blocked, and Source-Wire-Memory-Engine stays separate. Read Owner-Hosted Setup Claim Boundary.
Owner-hosted setup closeout: the setup package is complete as a synthetic proof. Source-Wire now includes a narrow synthetic owner-hosted API policy route, MCP adapter skeleton, synthetic threat-boundary package, synthetic API policy contract package, synthetic MCP adapter contract package, synthetic database posture package, synthetic hosted-runtime fixture package, and synthetic deployment-boundary package, but production runtime implementation remains blocked unless separately approved. Read Owner-Hosted Setup Final Proof, Owner-Hosted Setup Go/No-Go Gate, Runtime Skeleton Implementation Proof, Runtime Skeleton Smoke, Runtime Threat Boundary Implementation Proof, Runtime Threat Boundary Smoke, API Policy Contract Implementation Proof, API Policy Contract Smoke, MCP Adapter Contract Implementation Proof, MCP Adapter Contract Smoke, Database Posture Implementation Proof, Database Posture Smoke, Public-Safe Fixture Implementation Proof, Public-Safe Fixture Smoke, Deployment Boundary Implementation Proof, and Deployment Boundary Smoke.
Runtime implementation gate: all six current runtime implementation gates are implemented as synthetic packages only. Threat-model, API contract, MCP contract, database posture, public-safe fixture, and deployment-boundary implementations exist, but API runtime, MCP runtime, route handlers, migrations, real database connections, live runtime services, deployment config, and hosted services remain blocked. Read Runtime Implementation Gate, Deployment Boundary Implementation Packet, Deployment Boundary Implementation Proof, Deployment Boundary Implementation Slices, and Deployment Boundary Smoke.
Threat model implementation: npm run runtime:threat-boundary-smoke validates the approved synthetic trust-boundary package for unauthorized callers, cross-namespace access, source-memory separation, prompt injection, secrets, audit gaps, backup restore drift, deployment exposure, MCP bypass prevention, and owner/application-controlled trusted memory approval. It does not add a server, database, deployment, connector, real data, private code, AGPLv3 code, or automatic trusted memory promotion.
API contract implementation: npm run runtime:api-policy-smoke validates the approved synthetic API policy contract package for request envelopes, endpoint groups, capability checks, namespace resolution, denied results, citations and gaps, audit metadata, source maintenance, candidate review, trusted-memory approval boundaries, handoff/status evidence, and MCP-through-API policy routing. It does not add an API server, route handlers, MCP server runtime, database, deployment, connector, real data, private code, AGPLv3 code, or automatic trusted memory promotion.
MCP contract implementation: npm run runtime:mcp-adapter-smoke validates the approved synthetic MCP adapter contract package for tool declarations, input validation, MCP-to-API envelopes, capability mapping, namespace forwarding, denied results, citations and gaps, audit metadata, source evidence search, trusted memory search, context assembly, candidate review, source maintenance, handoff/status evidence, and trusted-memory approval boundaries. It does not add an MCP server runtime, API server, route handlers, database, deployment, connector, real data, private code, AGPLv3 code, or automatic trusted memory promotion.
Database posture implementation: npm run runtime:database-posture-smoke validates the approved synthetic database posture package for data classes, lifecycle states, namespace isolation, deletion and retention behavior, backup and restore risk, derived data inheritance, and owner or application-controlled trusted memory approval. It does not add database migrations, real database connections, PostgreSQL setup, pgvector setup, API server runtime, MCP server runtime, live connectors, Mission Control UI, deployment, managed hosting, real data, private code, AGPLv3 code, or automatic trusted memory promotion.
Public-safe fixture implementation: npm run runtime:fixture-smoke validates the approved synthetic hosted-runtime fixture package for caller identity, namespaces, source evidence, candidates, trusted memory, denied cases, audit metadata, MCP-through-API policy routing, and no automatic trusted memory promotion. It does not add database migrations, real database connections, PostgreSQL setup, pgvector setup, API server runtime, MCP server runtime, live connectors, Mission Control UI, deployment, managed hosting, real data, client data, private code, AGPLv3 code, or automatic trusted memory promotion.
Deployment-boundary implementation: npm run runtime:deployment-boundary-smoke validates the approved synthetic deployment-boundary package for local development, owner-hosted runtime review, managed-hosted deferral, stop conditions, rollback evidence, claim boundaries, no-hosted-service proof, MCP-through-API policy routing, and owner-controlled trusted memory promotion. It does not add deployment config, cloud provider config, Docker or container deployment config for runtime services, hosted services, managed hosting, database migrations, real database connections, PostgreSQL setup, pgvector setup, API server runtime, MCP server runtime, live connectors, Mission Control UI, real data, client data, private code, AGPLv3 code, or automatic trusted memory promotion.
Runtime implementation decision: after setup, daily workflow, Unit 33 runtime-readiness alignment, and the owner-approved runtime PRD refresh, the next public runtime decision is still no-go for production runtime code. The refreshed path is to approve one narrow implementation boundary at a time after the public owner-hosted runtime PRD and wrapper-runtime gate stay green. Read Runtime Implementation Decision Gate, Private Proof To Runtime Extraction Readiness, and Runtime PRD Refresh Approval Status.
Owner-hosted runtime skeleton: exact approval is recorded and implemented for one narrow public-safe API server runtime skeleton and MCP server runtime skeleton unit. npm run runtime:owner-hosted-smoke proves API policy routing, MCP-through-API routing, citation and gap preservation, denied results, audit metadata, source evidence separation, and owner or application-controlled trusted-memory approval. This does not approve production runtime, database migrations, real database connections, live connectors, Mission Control UI, deployment, managed hosting, real data, public contribution acceptance, or automatic trusted memory promotion. Read Owner-Hosted Runtime Implementation Proof, Owner-Hosted Runtime Smoke, Owner-Hosted Runtime Implementation Packet, and Owner-Hosted Runtime Implementation Slices.
Share for review: use Share For Technical Review for safe invite copy, first commands, feedback routing, and review-only boundaries.
Public share kit: use World Share Kit for YouTube, Substack, social, Discord, and direct-review copy that preserves release, runtime, data, and contribution boundaries.
World share packet: use World Share Packet or npm run world:share-packet for the exact safe copy, first reviewer commands, owner preflight, feedback route, and blocked launch channels in one place.
Operator summary: use World Share Operator Summary or npm run world:share-operator-summary for the short current-state answer before deciding what to share or approve next.
Post-share monitor: after public sharing, use World Share Post-Share Monitor or npm run world:post-share-monitor to verify open reviewer feedback stays structured while pull requests remain blocked.
Share-readiness audit: Source-Wire is ready for technical review, npm package installation, GitHub release review, and source package reuse under Apache-2.0, but not deployment, hosted runtime use, production runtime use, or code contribution acceptance. Read the First-Time Visitor Share-Readiness Audit.
Snapshot boundary: npm @source-wire/contracts@0.1.0 and GitHub release v0.1.0 are immutable first-release snapshots. Latest main may contain post-release documentation and readiness hardening. Read Release Snapshot Boundary.
Known v0.1.0 package issue: the immutable npm artifact exports SOURCE_WIRE_PACKAGE_VERSION as 0.0.0 even though package metadata is 0.1.0. Latest main fixes this source export and adds a consumer-smoke guard. Correcting the registry artifact requires a future owner-approved patch release.
Current owner-decision status:
- Completed: #255 First public release path
- Completed: #256 Branch governance path
- Completed: #257 Hosted runtime PRD path
- Completed: #258 Contribution terms before accepting code
Use Node.js 22 with npm. For complete setup details, read Quickstart.
git clone https://github.com/DanielJD1216/Source-Wire.git
cd Source-Wire
npm install
npm run readiness:reportTo prove the same first-reviewer path from a temporary clean checkout-style copy:
npm run reviewer:smokeFor the full local verification gate:
npm run publish:readinessDespite the command name, publish:readiness is now a local readiness and boundary gate. It does not publish a new package version.
Use World Share Packet, Share For Technical Review, and Reviewer Feedback Guide when sharing the repo or sending feedback.
- repository ruleset governance,
- hosted runtime,
- production runtime use,
- code contribution acceptance.
- Source Graph Adapter Contract.
- Source Connection Contract.
second-brain.v1response contract.- MCP tool behavior contract.
- Owner-hosted setup checklist contract.
- Daily workflow synthetic contract and fixture matrix.
- Runtime readiness synthetic contract and fixture matrix.
- Runtime proof intake synthetic contract and redacted manifest.
- Synthetic fixtures for notes, chat exports, project context, and
/2nd-brainexamples. - Synthetic owner-hosted API and MCP runtime skeleton with policy-routed fixture smoke.
- Threat model implementation approval packet and slice map.
- Synthetic threat-boundary package and fixture matrix.
- API contract implementation approval packet and slice map.
- Synthetic API policy contract package and fixture matrix.
- Synthetic database posture package and fixture matrix.
- Database posture implementation proof, smoke, packet, and slice map.
- Synthetic hosted-runtime fixture package and fixture matrix.
- Public-safe fixture implementation proof, smoke, packet, and slice map.
- Synthetic deployment-boundary package and fixture matrix.
- Deployment-boundary implementation proof, smoke, packet, and slice map.
- A public extraction checklist for future safety reviews.
- A lightweight TypeScript package boundary.
- A minimal synthetic in-memory runtime boundary for owner-hosted API plus MCP policy proof.
- A narrow synthetic owner-hosted API policy route and MCP adapter skeleton that keeps MCP behind Source-Wire API policy.
- A synthetic trust-boundary evaluator that keeps source evidence separate from trusted memory and requires owner or application-controlled approval for trusted memory creation.
- A synthetic database posture evaluator that keeps source evidence, candidates, trusted memory, audit, embeddings, caches, backups, and exports in separate classes before any real database exists.
- A synthetic hosted-runtime fixture evaluator that proves caller identity, namespace isolation, source evidence, candidates, trusted memory, denied cases, audit metadata, MCP-through-API routing, and no automatic trusted memory promotion.
- A synthetic deployment-boundary evaluator that proves local development readiness, owner-hosted review, managed-hosted deferral, stop conditions, rollback evidence, claim boundaries, no-hosted-service proof, MCP-through-API routing, and owner-controlled trusted memory promotion.
- Hosted runtime backend code.
- Database migrations or database connection code.
- Mission Control UI.
- Real user data.
- Real Memory Records or Sources.
- Private proof history.
- Screenshots.
- Database values or migrations.
- Memory-engine fork code.
- Live connectors.
- Tokens, local paths, domains, emails, account IDs, client names, or private project history.
- Docs Index
- Product Direction
- Memory Engine Baseline Audit PRD
- Memory Engine Baseline Audit Issue Slices
- Memory Engine Baseline Audit Issue Drafts
- Owner-Hosted Setup PRD
- Owner-Hosted Setup Issue Slices
- Owner-Hosted Setup Contract
- Owner-Hosted Setup Readiness Fixture Matrix
- Owner-Hosted Setup Readiness Smoke
- Owner-Hosted Setup Source Update Safety Smoke
- Daily Workflow Contract
- Daily Workflow Synthetic Smoke
- Daily Workflow Claim Boundary
- Runtime Readiness Contract
- Runtime Readiness Fixture Matrix
- Runtime Readiness Smoke
- Runtime Readiness Implementation Proof
- Runtime Proof Intake Contract
- Runtime Proof Intake
- Runtime PRD Refresh Approval Request
- Hosted Runtime PRD Proof Intake Gate Refresh
- Hosted Runtime Child Issue Proof Intake Gate Refresh
- Hosted Runtime Child Issue Publisher Write Gate Refresh
- Owner-Hosted Setup Claim Boundary
- Owner-Hosted Setup Final Proof
- Owner-Hosted Setup Docs Audit
- Owner-Hosted Setup Go/No-Go Gate
- Runtime Implementation Decision Gate
- Runtime Implementation Decision Proof
- Runtime Threat Boundary Implementation Proof
- Runtime Threat Boundary Smoke
- API Policy Contract Implementation Proof
- API Policy Contract Smoke
- Database Posture Implementation Proof
- Database Posture Smoke
- Public-Safe Fixture Implementation Proof
- Public-Safe Fixture Smoke
- Deployment Boundary Implementation Proof
- Deployment Boundary Smoke
- Owner-Hosted Setup Issue Drafts
- Public Status
- World Share Kit
- World Share Packet
- World Share Operator Summary
- World Share Post-Share Monitor
- Share For Technical Review
- First-Time Visitor Share-Readiness Audit
- Repository Metadata
- Technical Reviewer Guide
- Reviewer Feedback Guide
- Contributing Boundary
- Support Boundary
- Security Policy
- Public Adopter Walkthrough
- Architecture Map
- Quickstart
- API Reference
- TypeScript Examples
- Minimal Runtime TypeScript Example
- Runtime Implementation Gate
- Runtime Boundary Readiness
- Minimal Synthetic Runtime Boundary
- Synthetic Runtime Boundary Example
- Owner-Hosted Setup Contract
- Daily Workflow Contract
- Runtime Readiness Contract
- Runtime Proof Intake Contract
- Source Graph Adapter Contract
- Source Connection Contract
second-brain.v1Contract- MCP Tool Behavior Contract
- Runtime Boundary
- Runtime Implementation Gate
- Runtime-Adjacent Options Decision Matrix
- Runtime-Adjacent Evidence And Scoring
- Runtime-Adjacent Recommendation
- License Options Decision Matrix
- License Evidence And Scoring
- License Recommendation
This repo is currently a contract package skeleton with a minimal synthetic runtime boundary.
It can define public shapes, validate public fixtures, and execute synthetic in-memory policy proof cases. It does not run a memory backend, database, MCP server, Mission Control UI, memory-engine integration, or live connector.
Source-Wire exposes its current JSON schemas through stable package subpaths and a typed schema registry.
Source-Wire includes a tiny local CLI for validating explicit files against explicit schema names.
Source-Wire runs package checks and public-safety scanning on push and pull request.
The CI docs include a stable log marker map for reading GitHub Actions Package Checks output.
Source-Wire can run a full local readiness gate with package dry-run, installed package smokes, runtime-boundary smokes, docs links, command-doc setup checks, and public-safety checks. The public package is @source-wire/contracts@0.1.0, and the first GitHub release is v0.1.0.
- Publish Readiness
- World-Share Readiness
- World Share Packet
- World Share Operator Summary
- World Share Post-Share Monitor
- Owner Launch Checklist
- Release Implementation Runbook
- Release Review Packet
- Release Approval Request Packet
- Owner Approval Record Packet
- Release Candidate Readiness
- Release Snapshot Boundary
- Hosted Runtime PRD
- Hosted Runtime PRD Slice Map
- Hosted Runtime Slice Approval Request
- Hosted Runtime Child Issue Publication Packet
- Owner-Hosted Runtime Implementation Packet
- Owner-Hosted Runtime Implementation Proof
- Owner-Hosted Runtime Implementation Slices
- Owner-Hosted Runtime Smoke
- Hosted Runtime PRD Preparation
- Contribution Terms PRD Preparation
- Contribution Terms PRD
- Contribution Policy
- Legal Review Question Packet
- License Approval Rehearsal
- License Decision Gate
- Apache-2.0 License Implementation Readiness
- Release Decision
- License And Version Policy
- Owner License Approval Packet
- Future License Change Plan
The publish-readiness docs include a local success marker map for npm run publish:readiness.
Run the license implementation check before any future package version, hosted runtime, or contribution work:
npm run license:rehearsalIt verifies the current Apache-2.0 license implementation and confirms deployment, hosted runtime, production runtime use, and code contribution acceptance remain blocked.
All fixtures are fictional and synthetic.
- Markdown vault fixture
- Chat export fixture
- Project context pack fixture
/2nd-brainexample fixture- Owner-hosted API plus MCP boundary fixture
- Runtime readiness fixture
- Runtime skeleton fixture
The owner-hosted API plus MCP boundary fixture contains synthetic proof cases only. It is schema-backed and validated by the current CLI.
The runtime readiness fixture contains synthetic proof cases only. It is smoke-validated by npm run runtime-readiness:smoke and does not approve API runtime, MCP runtime, database migrations, deployment, managed hosting, real data, package publishing, or release mutation.
The runtime skeleton fixture contains synthetic owner-hosted API policy and MCP adapter cases only. It is smoke-validated by npm run runtime:skeleton-smoke and does not start a server, connect a database, run a real MCP server, import data, or promote trusted memory automatically.
The minimal synthetic runtime boundary exports in-memory TypeScript policy code and validates it against the owner-hosted API plus MCP boundary proof cases.
Use Node.js 22 with npm from the repository root. For the complete local setup path, read the Quickstart.
Install dependencies first:
npm installRun it with:
npm run minimal-runtime:smokeIt does not start a server, connect to a database, run a real MCP server, store memory, or imply Source-Wire hosts memory.
The synthetic runtime skeleton example proves the narrow owner-hosted API policy route and MCP adapter path with synthetic fixtures.
Run it with:
npm run runtime:skeleton-smokeRun the packet proof with:
npm run runtime:skeleton-packetIt does not start a server, connect to a database, run a real MCP server, import private data, copy private implementation code, copy AGPLv3 code, or promote trusted memory automatically.
The synthetic runtime boundary example is a local and installed-package smoke proof for the future owner-hosted API plus MCP boundary.
Use Node.js 22 with npm from the repository root. For the complete local setup path, read the Quickstart.
Install dependencies first:
npm installRun it with:
npm run runtime-boundary:smokeRun the installed package proof with:
npm run runtime-boundary:installed-smokeRun the diagnostic regression proof with:
npm run runtime-boundary:diagnostics-smokeIt does not start a server, connect to a database, or imply Source-Wire hosts memory.
Imported source text is evidence, not trusted memory.
Source-Wire examples should preserve citations, source identity, stale state, and review boundaries. Trusted Memory Records should require an explicit owner or application approval path.
Before adding new public examples or docs, review: