One governed memory for every agent
Estratos is a hosted MCP memory server. Model your company as a hierarchy, capture memories from chat or the app, and let any MCP client retrieve exactly the right scope — with reviews, versions, audit, and hard tenant isolation around all of it.
Layered hierarchies
Model your company, then attach memory to it
A hierarchy is an ordered set of layers — for an accounting firm, root then clients then services. Each folder is addressed by a dot-path like root.pennine-joinery.vat. Scoped memories attach to one folder. Tagged memories attach to a whole layer — optionally to one segment value — so a rule you write once applies everywhere it should.
- Scoped memory on a folder: the VAT profile for one client
- Layer-wide tagged memory: your working-papers standard, on every services scope
- Value-targeted tagged memory: a VAT sign-off rule wherever the service is vat
- Layers carry naming guidance and examples so folders stay consistent
A concrete example
root.pennine-joinery.vat
a scoped memory: this client is on the VAT flat-rate scheme
layer: services
a layer-wide tagged memory: how the firm formats working papers
services = vat
a value-targeted tagged memory: the VAT sign-off checklist, applied to every VAT engagement
Scope-based retrieval
Ask for a scope, get the whole picture
An agent calls retrieve with a path. Estratos walks root to target and assembles one Markdown bundle: at each depth it interleaves scoped memories, then eligible layer-wide tagged memories, then eligible value-targeted ones — in a fixed, predictable order. Each block carries a header naming its kind, title, key, id, and version.
- Paths address scopes, never individual memories — no memory is ever fetched on its own
- Headers always show the canonical path, even when you retrieve through a renamed alias
- Zero matches returns an empty bundle; a scope with one memory is still a scope retrieval
<!-- scoped: root.acme.content | title: Voice guidance |
key: voice-guidance | memory_id: 019f… | version: 3 -->
Write in plain English. Short sentences. No jargon
unless the client uses it first.
<!-- tagged: services=content | title: Writing style |
key: writing-style | memory_id: 019f… | version: 2 -->
House style: sentence case headings, Oxford comma,
British spelling.
A real retrieval bundle — Markdown blocks, each with a provenance header.
Review workflow
Proposals, approvals, and roles
Owners and Admins publish directly. Basic users propose: their creates, edits, and deletes — from the app or from an MCP client — enter a review queue as a diff. Approvers approve and publish, request changes, or reject, with an optional note back to the proposer. A pending proposal is visible only to its author, including through their own agent, until it is approved.
- Scoped proposals: any Admin or Owner can approve
- Tagged proposals: Owner-only, because they affect every client
- Proposers can edit and resubmit when changes are requested, or withdraw a pending one
- Roles set the ceiling; a token can never exceed its user's role
Version history
Every change is versioned and reversible
Each memory is append-only under the hood: saving writes a new version with its change type, author, and content hash. Open the version history to compare any version against the current one as a line diff, and roll back to an earlier version — which simply writes it forward as a new version. Deleting writes a tombstone version, so memories are never hard-deleted.
- A new version on every save, with author and change type recorded
- Server-rendered line diff between versions
- One-click rollback that preserves the full trail
- Soft deletes via tombstone versions — nothing is silently lost
Exports
Take your memory with you
Generate a ZIP of any scope you can access — everything you can read, a single subtree, or tagged memories only. Exports run in the background and land in your export history to download. Every file carries front-matter with the memory id, kind, title, key, canonical path or layer and value, and version. Exports contain only what you're allowed to see, never deleted memories or another organization's data.
- Scope picker: everything, a subtree, or tagged only
- Predictable ZIP layout with per-file front-matter
- Runs asynchronously; download from your export history
- Files expire on a schedule so stale archives don't linger
Audit log
A record of everything that matters
Estratos records the important actions — logins, OAuth authorizations and token grants, every MCP tool call, memory creates, updates, deletes, and rollbacks, proposals and their decisions, renames, hierarchy publishes, invites, and role changes. Filter by event type, actor, or free text, or scope to a date range; open a row for its metadata. Memory content is never written to the audit log.
- Actor, target, request id, and time on every event
- Filters by event type, actor, free-text search, and date range
- Covers both web and MCP activity in one place
- No memory bodies in audit metadata — a hard rule
MCP & security
A standard MCP endpoint, secured with OAuth 2.1
Estratos exposes exactly six memory tools at one endpoint. Connect a compliant client by URL and it discovers the OAuth server, registers itself, and completes the authorization-code flow — no client ID or API key in the config. Tokens are scoped to one organization and one resource, and identity comes only from the token, never a parameter.
Six memory tools
describe_hierarchy, retrieve, list_memories, remember, remember_tagged, and delete_memory — each enforcing its own OAuth scope when called.
OAuth 2.1 + PKCE
Authorization-code flow with mandatory PKCE (S256), dynamic client registration, and RFC 8414 / 9728 discovery documents. Tokens are hashed, expiring, and revocable.
Resource-bound tokens
Resource indicators (RFC 8707) are required and validated against the canonical MCP URL. A token is bound to one account and cannot address another.
Plugin marketplace
Install Estratos Memory in Claude Code from a published marketplace manifest, or add the MCP server URL by hand — same OAuth auto-discovery either way.
Row-level isolation
Every tenant-owned table enforces PostgreSQL row-level security. Cross-tenant reads and writes fail even via raw SQL under the app's database role.
API keys for headless use
For scripts and CI, mint a scoped API key and send it as a Bearer token. Long-lived, revocable, and limited to the scopes you grant.
Full connection steps, tool reference, and protocol details are in the MCP documentation.
Plans & quotas
Usage that scales with your plan
Signup starts a 14-day trial with full entitlements — no card required. Your plan sets the ceilings that matter for shared memory: how many team members and how many memories your organization can hold. Usage meters on the billing screen read live counts, and the memory limit is enforced when a memory is published or an agent stores one, with a clear, friendly error.
- 14-day trial on signup, upgrade through Stripe Checkout
- Entitlements for team-member and memory ceilings
- Live usage meters for members and memories
- Limits enforced in the app and through MCP tools alike
Give your agents a memory
Start a 14-day trial, define a hierarchy, and connect your first agent. No credit card required.