ai-memory v0.7.0 ships procurement-grade compliance evidence as a paired document set: the NSA CSI MCP security mapping (every concern + recommendation structurally addressed) and the honest-limitations companion (every substrate boundary plainly stated). Alongside the pair ship the Memory Portability Spec v1, ship-gate certification, the A2A-gate evidence, and the MCP Registry presence. Every artefact is codegraph-anchored to release/v0.7.0 HEAD.
Federal procurement reviewers read these two documents in sequence to form a complete picture of substrate coverage. The mapping document claims structural coverage; the limitations companion documents the boundaries the substrate cannot reach. Together they form the substrate's honest perimeter.
10 of 10 NSA security concerns structurally addressed at the substrate layer. 7 of 7 NSA recommendations implemented. Closure of concern (j) tool invocation path confusion landed via #1154 (daemon serverInfo Ed25519 signing at MCP initialize) — 47 dedicated tests pin the contract. Every claim traces to a codegraph-verified capability_id in the inventory. Public-facing procurement-grade page with per-concern anchors, file references, and verification commands for independent review.
The follow-up question a reviewer should ask the mapping document: what automated check exercises each control? Every NSA concern + recommendation mapped to the named unit/integration test (file::test_name), the CI workflow job, and the do-1461 live-fleet harness check id. 19 controls; 18 with named automated checks; 9 with live-fleet PASS rows; 7 mitigations honestly marked config-asserted with no harness row.
What ai-memory does NOT defend against. Operating-system boundary, hardware attestation (AgenticMem commercial-layer concern), LLM hallucination above the substrate, operator policy authoring, prompt injection at LLM input. Modeled on Microsoft AGT LIMITATIONS.md discipline — substrate honesty as procurement asset.
Every claim in the mapping document traces to a capability_id in this inventory. The inventory in turn traces every capability_id to a file path + line number + (where applicable) GitHub issue or PR reference. Reproducible from a fresh checkout at commit 4add7a852.
27 substrate primitives catalogued, each with codegraph anchor, file path + line numbers, issue/PR references, and grep verification commands. The JSON inventory is the source of truth Task E's mapping document consumes.
Capability rollup, newly-documented defensive layers (RequestValidator, DoS multi-layer, substrate-native verify-* family, MCP client attestation, sqlcipher), originating-brief corrections applied, v0.7.x gap-fix candidates, full reproducibility methodology.
ai-memory's compliance posture is built on top of pre-existing procurement-grade artefacts. The NSA CSI mapping pairs with these.
Export envelope contract: an envelope that any ai-memory deployment may produce and any ai-memory deployment may ingest without data loss. The source of truth for the schema is the SQLite + Postgres ladder (v33 → v55 with 22 in-process migrations).
Final-baseline regression 15,951 / 0 off a pristine rig (reproduced at 15,952 / 0 on an independent re-run); 1,809 canonical tests (1,600 lib + 209 integration); performance budgets validated against PERFORMANCE.md; A2A-gate certification; LongMemEval-S R@5 96.4–97.8% (binary-faithful matrix; the 97.8% headline is the LLM-query-expansion shadow harness).
GitHub Security Advisory surface + security@alpha-one.mobi email channel. Supported version matrix. Vulnerability-report rubric. v0.7.0 secure-default posture documented.
Submission to the official MCP Registry is tracked under audit issue #1153 Task H. The NSA CSI document explicitly cites the MCP Registry under "Choose supported MCP projects when possible".
During the codegraph-driven audit of issue #1153, three substrate-level gap-fix candidates were identified. These are NOT NSA CSI gaps (the mapping claims 100% structural coverage); they are substrate-side tightenings that close partial-coverage edges and consumer-default friction. All three have since shipped.
Closes the partial-coverage edge on NSA concern (j) Tool invocation path confusion. Substrate already has load_daemon_signing_key at src/governance/audit.rs:558; #1154 threads it into the MCP initialize response so clients can TOFU-pin daemon identity on first connect.
Closes the consumer-responsibility gap on output-poisoning. An HTTP Accept-Provenance: verbose header and an MCP capability negotiation flag let consumers opt into Form 4/5/6 provenance signals per-session without flipping the wire default (backwards-compat preserved).
Extends the K8 quota dimension from (agent_id) to the (agent_id, namespace) compound so a malicious agent operating across namespaces cannot bypass per-namespace allotments. Shipped at schema v50 (pre-v50 rows backfill to the _global sentinel namespace).