Memory Provenance: Cross-Tenant Vector Retrieval with Cryptographic Chain-of-Thought

#1. Introduction

Multi-agent systems running on shared memory substrates face a tension that has not yet been resolved cleanly in the literature. On one side, cross-tenant pattern recognition is a structural advantage of multi-tenant deployment: when tenant A’s agents have processed a class of contracts, tenant B’s agents can benefit from the patterns A’s processing produced, without requiring B to first observe the same contracts independently. On the other side, proof-of-authorship is a regulatory and contractual necessity: a regulator auditing tenant B’s deployment cannot accept “this insight came from somewhere in the substrate” as a reasoning trace; the trace must resolve to specific agents acting under specific authorization within specific tenants.

Existing memory architectures choose one or the other. Single-tenant memory layers (each tenant’s engrams strictly isolated, no cross-tenant retrieval) preserve provenance trivially but forfeit the pattern-recognition compounding effect. Shared-pool memory layers (all tenants’ engrams in one retrievable space) capture the compounding effect but produce traces that cannot resolve to authoring tenant or agent. The literature on agent memory architectures published in 2026 (Memory for Autonomous LLM Agents, Governance-Aware Vector Subscriptions) acknowledges the tension but does not resolve it.

We describe a memory substrate that achieves both properties simultaneously through two paired primitives: per-engram visibility classes that declare the cross-tenant accessibility of each engram, and cryptographic chain-of-thought that pins every reasoning step to the QNFT seed of the agent that produced it. The substrate is deployed in production. We document the visibility class taxonomy, the chain-of-thought integration with the audit chain, the empirical operating properties, and the structural argument for why the combination resolves the tension rather than splitting the difference.

#2. The visibility class taxonomy

Each engram in the memory substrate carries a visibility_class field with one of four values:

flowchart LR
E[Engram createdby tenant T agent A] —> V{Visibility class}
V —>|private| P[Tenant T principal onlyread-restricted]
V —>|tenant-shared| TS[All tenant T membersread-allowed]
V —>|network-public| NP[Any tenant on substrateopt-in only]
V —>|world-public| WP[Anyone substrate-externalfully exposed]

private — Readable only by the tenant’s principal-tier identities (typically tenant-admin members). Used for engrams containing customer data, internal documents, sensitive negotiations, or anything the tenant has not classified as shareable. Default classification for engrams written by agents acting on tenant data.

tenant-shared — Readable by all members of the originating tenant. Used for shared playbooks, team knowledge, internal canon documents, agent operating notes. The tenant’s RBAC layer further restricts which tenant members can read which tenant-shared engrams.

network-public — Readable by any tenant on the substrate, opt-in only. Used for cross-tenant pattern engrams (the tenant has explicitly declared that the engram’s content is appropriate for cross-tenant retrieval). The originating tenant retains attribution; reading tenants see the engram with explicit identification of the source tenant and the source agent.

world-public — Readable by anyone, including substrate-external readers. Used for documentation, blog posts, marketing content, public canon documents. World-public engrams are equivalent to publicly-published content; no privacy boundary applies.

Default classification is private. Promoting an engram to a more permissive class is an explicit action recorded in the audit chain; the promotion event itself is a chain entry that the originating tenant can later cite for evidence of the consent decision.

#3. The cryptographic chain-of-thought

Every reasoning step that produces or modifies an engram is recorded in the audit chain with a structured chain-of-thought entry:

flowchart TD
Q[User query orupstream event] —> A1[Agent A reasoning step 1signed by QNFT_A_step1]
A1 —> A2[Agent A reasoning step 2signed by QNFT_A_step2]
A2 —> RET[Vector retrievalacross visible engrams]
RET —> E1[“Engram E1 foundvisibility=network-publicsource_qnft=QNFT_B_originating”]
E1 —> A3[Agent A reasoning step 3cites E1 by QNFTsigned by QNFT_A_step3]
A3 —> ENG[New engram E_newparent_chain=[E1]visibility=tenant-sharedcreated_by=QNFT_A]
ENG —> AUDIT[Audit chain entryresource=E_newactor=QNFT_A]

The chain-of-thought has four operative properties:

Per-step signing. Each reasoning step’s chain entry includes the agent’s QNFT seed (actor_qnft_seed_hex) and a step-specific identifier. Verifying the chain entry confirms not only that the step occurred but also that the named agent took the step.

Retrieval citation. When a reasoning step retrieves cross-tenant engrams via vector search, the step’s chain entry records the retrieved engrams’ QNFT seeds. The audit chain therefore preserves the intellectual provenance of every reasoning step: which engrams contributed to the step’s output, regardless of which tenant produced those engrams.

Parent linkage. When a reasoning step produces a new engram, the new engram’s chain entry includes a parent_chain field listing the QNFT seeds of the engrams that informed it. The new engram is therefore not just a leaf in the substrate’s memory graph; it is a node with cryptographically-verifiable ancestors.

Visibility declaration. The new engram’s visibility class is declared at creation time and recorded in the chain entry. Promoting the engram to a more permissive class is a separate chain entry that supersedes the original declaration; the audit chain preserves the full visibility lifecycle.

#4. Cross-tenant retrieval with provenance

The combination of visibility classes and chain-of-thought enables cross-tenant retrieval that preserves provenance at every step:

sequenceDiagram
participant TA as Tenant A agent
participant Mem as Memory substrate
participant Ven as Vector index
participant Aud as Audit chain
participant TB as Tenant B (originating)

Tenant A’s agent queries the substrate for engrams matching a topic. The substrate’s vector retrieval respects visibility: A’s query receives matches from A’s private engrams (only if the agent has tenant-A-internal authorization), A’s tenant-shared engrams, all network-public engrams from any tenant (including B), and all world-public engrams.

Each retrieved engram carries its source tenant’s QNFT and the originating agent’s QNFT. A’s reasoning step cites the retrieved engrams by QNFT, producing an audit-chain entry that records the citation. When A produces a new engram informed by the retrieval, the new engram’s parent_chain includes the cited QNFTs, preserving the intellectual lineage.

Tenant B (the originating tenant of one of A’s retrieved engrams) can later query the substrate for “who has cited my engrams?” and receive the QNFT trace of A’s reasoning step. This is the reciprocal property: not only does A’s chain preserve B’s contribution, but B can audit how A used B’s contribution. The cross-tenant network effect compounds without forfeiting attribution.

#5. The structural argument

The conventional framing of the memory tradeoff treats provenance and pattern recognition as scalar properties that must be balanced. We argue this framing is wrong.

Provenance is a property of the audit chain, which records who did what. Pattern recognition is a property of the retrieval index, which surfaces semantically similar content regardless of who produced it. When the audit chain and the retrieval index are separate layers with explicit interaction at retrieval time, both properties hold simultaneously without compromise.

Conventional memory architectures conflate the two layers. A shared-pool architecture stores engrams in a retrieval index that does not preserve attribution; provenance is lost at retrieval time because the retrieval interface returns content without metadata. A strictly-isolated architecture preserves attribution by refusing cross-tenant retrieval; pattern recognition is lost because the retrieval interface cannot reach across boundaries.

The substrate we describe maintains attribution as metadata on every engram (the QNFT seed of the originating tenant and agent), preserves it through retrieval (the retrieval interface returns engrams with metadata), and propagates it into reasoning chains (each step’s chain entry records the cited QNFTs). The audit chain records the citations; the retrieval index returns the matches. The two layers cooperate; neither forfeits its property.

#6. Empirical operating properties

The substrate has been deployed across a multi-tenant orchestration window with the following observed properties:

• Engrams across multiple tenants under all four visibility classes
• Cross-tenant retrievals with full provenance preserved on every retrieval
• Audit-chain entries recording every reasoning-step citation
• Zero observed instances of provenance loss across the operating corpus

The retrieval index is a vector store (the reference deployment uses Cloudflare Vectorize) that has been benchmarked at low single-digit milliseconds per query for tens-of-thousands-of-engrams workloads. Provenance metadata is returned with every retrieval; the latency overhead of provenance is dominated by the vector search itself.

We have not yet observed network-public engrams reaching the threshold where cross-tenant pattern surfacing becomes statistically significant (the threshold is approximately 100 tenants, per substrate-network-effect modeling). The substrate is operating with low single-digit tenants currently; the network-public visibility class is therefore architecturally validated but not yet empirically activated as a pattern-recognition layer.

#7. Comparison to alternative architectures

We discuss alternative memory architectures and the tradeoffs they make.

RAG with single-tenant index. Each tenant has its own vector index; cross-tenant retrieval is not supported. Provenance is trivial (every retrieval is from the tenant’s own index); pattern recognition is restricted to within-tenant patterns. Appropriate for high-isolation deployments; loses the cross-tenant compounding effect.

RAG with shared-pool index. All tenants’ engrams are in one vector index; cross-tenant retrieval is supported but provenance is not preserved at retrieval time. Pattern recognition is maximal; provenance is lost. Appropriate for non-regulated deployments; unsuitable for regulated buyers who require attribution.

Federated retrieval. Each tenant maintains its own index; queries are dispatched to all federated tenants and results are merged. Provenance is preserved (each result identifies its source); cross-tenant retrieval is supported but at higher latency. Appropriate for cross-organization knowledge sharing; the substrate-internal version is what we describe here, with substrate-managed visibility classes replacing per-tenant federation negotiation.

Constitutional memory (Anthropic Claude memory mode). Memory is scoped to the model session and the user account; cross-account retrieval is not supported by the model layer. Provenance is preserved within the session; cross-tenant pattern recognition does not apply. Appropriate for individual user memory; orthogonal to multi-tenant substrate memory.

The substrate’s combination of visibility classes plus chain-of-thought is the closest match for the multi-tenant orchestration use case where regulatory attribution and cross-tenant compounding both matter.

#8. Adversarial-parallel verification

The substrate’s gate function probes the memory layer for the following adversarial vectors:

• Cross-tenant private leak. A tenant A query attempts to retrieve a tenant B private engram. The visibility filter at the retrieval index must reject the match. Probe verified: private engrams are scoped to their originating tenant at retrieval time.
• Visibility-class downgrade. A tenant attempts to read a network-public engram and re-emit its content as a private engram in their own tenant without attribution. The chain-of-thought integration ensures the new engram’s parent_chain records the original engram’s QNFT, preventing attribution stripping.
• QNFT seed forgery in citation. A reasoning step claims to cite an engram that does not exist. The audit chain entry’s actor_qnft_seed_hex and citation QNFTs must resolve to actual entities in the substrate’s identity registry; non-existent QNFTs fail verification.
• Chain entry replay. A reasoning step’s audit chain entry is duplicated in an attempt to forge multiple citations from one actual citation. The chain’s chain_seq monotonicity and h_self linkage prevent replay.

All four probes pass in adversarial-parallel review.

#9. Forward work

Network-public pattern surfacing at scale. The substrate must reach approximately 100 tenants before network-public pattern recognition becomes statistically meaningful. This is forward operational work, not architectural.

Embedding versioning. As foundation models evolve, the embedding spaces in which engrams are vector-indexed evolve. Cross-version retrieval requires either re-embedding archival engrams or maintaining version-specific indices. The substrate currently maintains a single-version index; multi-version support is forward work.

Engram retention policies. Per-tenant retention policies (e.g., “delete tenant-shared engrams older than 90 days unless explicitly retained”) interact with the audit chain’s append-only requirement; the chain records the deletion event but the engram body must be removed from the retrieval index. Reconciling retention with audit immutability is forward work.

Cross-substrate federation. The substrate’s network-public visibility class operates within one substrate deployment. Cross-substrate federation (Mumega substrate retrieving from another substrate’s network-public engrams) requires a federation protocol that is not yet specified. This is candidate W3C / standards-track forward work.

#10. Conclusion

We describe a memory substrate that achieves cross-tenant pattern recognition and proof-of-authorship simultaneously through paired primitives: per-engram visibility classes (private, tenant-shared, network-public, world-public) and cryptographic chain-of-thought (every reasoning step signs with the agent’s QNFT seed; every citation records the cited engrams’ QNFTs).

The structural insight is that provenance and pattern recognition are properties of separate layers (audit chain and retrieval index respectively) that cooperate rather than compete. The substrate is deployed in production with empirical observation of the property; cross-tenant retrieval preserves attribution at every step.

We propose the substrate’s combination as a reference for multi-tenant agent memory architectures where regulatory attribution and cross-tenant pattern compounding are both load-bearing requirements. Forward work includes scale-out validation, embedding versioning, retention policy reconciliation, and cross-substrate federation.

Companion to Mumega 200.003 — QNFT Cryptographic Identity Primitive (the identity primitive that signs every reasoning step) and Mumega 200.102 — EU AI Act Article 12 Reference Implementation (the audit chain that records every citation).