Mnemom è progettato per gli agenti — non solo per gli umani che li gestiscono.

Where to look

If you're an agent (or an engineer driving one) arriving here with a specific intent, these are the canonical next hops.

If you're trying to integrate Mnemom:

• Quickstart
• SDK reference
• Self-hosted

If you're trying to connect over MCP:

• Control plane (api.mnemom.ai/mcp)
• Docs search (docs.mnemom.ai/mcp)
• Server card
• Install configs

If you're trying to evaluate before integrating:

• Showcase
• Arena
• Sample report

If you're trying to price the platform:

• Pricing
• Enterprise

If you're trying to research agent governance, safety, trust, or security:

• Methodology
• Research
• Governance
• Security
• What we prove

If you're trying to build on our open protocols:

• AAP
• AIP
• agent-preview/v1 spec

If you're trying to verify or claim an identity:

• Trust Directory
• Claim a card

If you're trying to look up one of our terms:

• Glossary

1. IoC feed (STIX 2.1)

   STIX 2.1 Bundle of indicators surfaced by the Protection Network. Calm-at-GA — the feed may be empty.

   https://api.mnemom.ai/v1/trust/iocspublic · no authContent-Type: application/json

   curl + jq

   copy

   # Fetch the AEGIS IoC feed (STIX 2.1 Bundle); paginate with ?after=<ISO-8601>
   curl -sS "https://api.mnemom.ai/v1/trust/iocs?type=substrate_fingerprint" \
     | jq '.objects[] | select(.type=="indicator") | {id, pattern, valid_from}'

   Python (requests)

   copy

   # Consume IoCs into a STIX 2.1 pipeline.
   import requests
   
   resp = requests.get("https://api.mnemom.ai/v1/trust/iocs", timeout=10)
   resp.raise_for_status()
   bundle = resp.json()
   
   for obj in bundle.get("objects", []):
       if obj.get("type") == "indicator":
           print(obj["id"], obj["pattern"], obj.get("valid_from"))
   
   # Pagination: pass the previous bundle's next_after back as ?after=
   next_after = bundle.get("next_after")

   TypeScript (fetch)

   copy

   // Consume IoCs in a TypeScript service or worker.
   const res = await fetch("https://api.mnemom.ai/v1/trust/iocs");
   if (!res.ok) throw new Error(`IoC feed: ${res.status}`);
   const bundle = (await res.json()) as {
     type: "bundle";
     objects: Array<{ type: string; id: string; pattern?: string }>;
     next_after?: string;
   };
   
   for (const obj of bundle.objects) {
     if (obj.type === "indicator") {
       console.log(obj.id, obj.pattern);
     }
   }

2. Advisory feed (signed JSON)

   Published security advisories — list endpoint plus per-slug detail. Public; no auth.

   https://api.mnemom.ai/v1/trust/advisoriespublic · no authContent-Type: application/json

   curl + jq

   copy

   # List published advisories (newest first), then fetch one by slug.
   curl -sS "https://api.mnemom.ai/v1/trust/advisories?limit=20" \
     | jq '.advisories[] | {slug, severity, published_at, title}'
   
   curl -sS "https://api.mnemom.ai/v1/trust/advisories/<slug>" \
     | jq '{slug, severity, published_at, body_markdown}'

   Python (requests)

   copy

   # Pull recent advisories; resolve each by slug for the full body.
   import requests
   
   API = "https://api.mnemom.ai"
   listing = requests.get(f"{API}/v1/trust/advisories", params={"limit": 20}).json()
   for a in listing["advisories"]:
       detail = requests.get(f"{API}/v1/trust/advisories/{a['slug']}").json()
       print(detail["severity"], detail["slug"], detail["published_at"])

   TypeScript (fetch)

   copy

   // List published advisories, then resolve one by slug.
   type Advisory = {
     slug: string;
     title: string;
     severity: "info" | "low" | "medium" | "high" | "critical";
     published_at: string | null;
     body_markdown: string;
   };
   
   const list = (await (
     await fetch("https://api.mnemom.ai/v1/trust/advisories?limit=20")
   ).json()) as { advisories: Advisory[] };
   
   const detail = (await (
     await fetch(`https://api.mnemom.ai/v1/trust/advisories/${list.advisories[0].slug}`)
   ).json()) as Advisory;
   console.log(detail.severity, detail.slug, detail.published_at);

3. Network threat state (per-axis JSON)

   L4 thermometer: calm / elevated / high / under-attack per substrate, vertical, pattern, and source. Authenticated.

   https://api.mnemom.ai/v1/network/threat-stateauthenticated session requiredContent-Type: application/json

   curl + jq

   copy

   # Read the current network threat state. Requires an authenticated session
   # (mnemom_session cookie) or a bearer token.
   curl -sS -H "Authorization: Bearer $MNEMOM_TOKEN" \
     "https://api.mnemom.ai/v1/network/threat-state?max_buckets=10" \
     | jq '{snapshot_at, totals, by_substrate: .by_substrate[:3]}'

   Python (requests)

   copy

   # Authenticated read; max_buckets bounded 1..50.
   import os, requests
   
   resp = requests.get(
       "https://api.mnemom.ai/v1/network/threat-state",
       params={"max_buckets": 10},
       headers={"Authorization": f"Bearer {os.environ['MNEMOM_TOKEN']}"},
       timeout=10,
   )
   resp.raise_for_status()
   snapshot = resp.json()
   print(snapshot["snapshot_at"], snapshot["totals"])

   TypeScript (fetch)

   copy

   // Authenticated read. In a browser context send credentials: "include"
   // to forward the mnemom_session cookie; in a server context send the
   // bearer token explicitly.
   const res = await fetch(
     "https://api.mnemom.ai/v1/network/threat-state?max_buckets=10",
     { headers: { Authorization: `Bearer ${process.env.MNEMOM_TOKEN}` } },
   );
   const snapshot = (await res.json()) as {
     snapshot_at: string;
     totals: { calm: number; elevated: number; high: number; under_attack: number; total: number };
     by_substrate: Array<{ bucket_value: string; state: string; state_changed_at: string }>;
   };
   console.log(snapshot.totals);

4. Agent-readiness manifest + nightly status

   Versioned commitment manifest plus nightly verification result. Both fetched build-time by this page and externally.

   https://www.mnemom.ai/agent-readiness.yamlpublic · no authContent-Type: text/yaml + application/json

   curl + jq + yq

   copy

   # Manifest — every commitment, the verify-CLI, the CI script enforcing it.
   curl -sS "https://www.mnemom.ai/agent-readiness.yaml" \
     | yq '.commitments[] | {id, title, expectation}'
   
   # Nightly watchdog status — pass/fail per commitment with timestamps.
   curl -sS "https://www.mnemom.ai/agent-readiness-status.json" \
     | jq '{status, lastVerified, summary, failing: [.results[] | select(.passed==false) | .id]}'

   Python (requests + PyYAML)

   copy

   # Treat the manifest as the source of truth; the status JSON as the
   # current pass/fail snapshot.
   import requests, yaml
   
   manifest = yaml.safe_load(
       requests.get("https://www.mnemom.ai/agent-readiness.yaml").text
   )
   status = requests.get(
       "https://www.mnemom.ai/agent-readiness-status.json"
   ).json()
   
   for c in manifest["commitments"]:
       result = next((r for r in status["results"] if r["id"] == c["id"]), None)
       state = "pending" if result is None or result.get("skipped") else (
           "pass" if result["passed"] else "FAIL"
       )
       print(f"{state:>7}  {c['id']}")

   TypeScript (fetch)

   copy

   // The status JSON is the canonical machine-readable signal: one row per
   // commitment, with passed/skipped/durationMs. The YAML manifest is the spec.
   type CommitmentResult = {
     id: string;
     passed: boolean;
     skipped?: boolean;
     durationMs: number;
   };
   type Status = {
     status: "passing" | "failing" | "pending";
     lastVerified: string | null;
     summary: string;
     results: CommitmentResult[];
   };
   
   const status = (await (
     await fetch("https://www.mnemom.ai/agent-readiness-status.json")
   ).json()) as Status;
   
   const failing = status.results.filter((r) => !r.skipped && !r.passed);
   console.log(`${status.summary} — ${failing.length} failing`);

5. AAP alignment card (well-known)

   Mnemom's own AAP alignment card — declared values, conflicts, escalation contact. The shape every Mnemom-published agent emits.

   https://www.mnemom.ai/.well-known/alignment-card.jsonpublic · no authContent-Type: application/json

   curl + jq

   copy

   # Fetch the publisher's alignment card and read the declared values.
   curl -sS "https://www.mnemom.ai/.well-known/alignment-card.json" \
     | jq '{aap_version, card_id, principal, declared: .values.declared}'

   Python (requests)

   copy

   # Resolve an AAP card by domain; reusable for any site that publishes one
   # at /.well-known/alignment-card.json (the AAP discovery convention).
   import requests
   
   card = requests.get(
       "https://www.mnemom.ai/.well-known/alignment-card.json",
       timeout=10,
   ).json()
   
   print(card["aap_version"], card["card_id"])
   print("declared:", card["values"]["declared"])
   print("conflicts:", card["values"].get("conflicts_with", []))

   TypeScript (fetch)

   copy

   // AAP card — public, no auth. Validate with the AAP SDK in production;
   // inline shape is shown here for clarity.
   type AlignmentCard = {
     aap_version: string;
     card_id: string;
     agent_id: string;
     issued_at: string;
     principal: { type: string; identifier: string; relationship: string };
     values: { declared: string[]; conflicts_with?: string[] };
   };
   
   const card = (await (
     await fetch("https://www.mnemom.ai/.well-known/alignment-card.json")
   ).json()) as AlignmentCard;
   
   console.log(card.card_id, card.values.declared);

# Control plane (authenticated — Bearer JWT or X-Mnemom-Api-Key).
claude mcp add --transport http mnemom https://api.mnemom.ai/mcp \
  --header "Authorization: Bearer $MNEMOM_TOKEN"

# Docs search (read-only, no auth).
claude mcp add --transport http mnemom-docs https://docs.mnemom.ai/mcp

{
  "mcpServers": {
    "mnemom": {
      "type": "http",
      "url": "https://api.mnemom.ai/mcp",
      "headers": { "Authorization": "Bearer ${MNEMOM_TOKEN}" }
    },
    "mnemom-docs": {
      "type": "http",
      "url": "https://docs.mnemom.ai/mcp"
    }
  }
}

# tools/list is public; tool *execution* enforces the same authz as the
# equivalent REST call. Works against either endpoint.
curl -sS -X POST https://api.mnemom.ai/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' \
  | jq '.result.tools | length'

The control-plane server advertises a discoverable card at /.well-known/mcp/server-card.json. Full per-client install configs: docs.mnemom.ai/mcp-clients.

1. Commitment 1 of 18

   Every core marketing page returns prerendered HTML

   passing

   Agents that render HTML — search crawlers, Anthropic Computer Use, Browserbase, and headless evaluators — see the full page content on every core marketing route without executing JavaScript. The prerender set is enumerated in STATIC_MARKETING_PATHS in react-router.config.ts and mirrored across the four EFIGS locales (fr / de / it / es). Two classes ship as shell-only by design and are named publicly here, not hidden: blog index pages, whose post lists hydrate via TanStack Query against api.mnemom.ai, and the legal triad (/privacy /terms /cookies), whose policy bodies render via Termly's third-party embed SDK. The prerendered <h1> and surrounding chrome are present on both — what this verifier asserts. Auth-gated SPA surfaces (/dashboard, /admin, /settings/*) are intentionally outside this commitment; they have no anonymous public view.

   Verify yourself

   curl -s https://www.mnemom.ai/methodology/ | grep -c '<h1'

   Expectation: Headings appear in raw HTML; ≥1 <h1> per non-excluded routeEnforced by: scripts/verify/prerender.tsLast check: passed in 37411ms

2. Commitment 2 of 18

   agents.txt, llms.txt, and llms-full.txt are always available

   passing

   Three discovery files at the site root: a hand-crafted second-person pitch (agents.txt), a curated index of every URL with descriptions (llms.txt), and the same with full descriptions (llms-full.txt). All three return 200 with text/plain content type. Always.

   Verify yourself

   curl -sI https://www.mnemom.ai/agents.txt    | head -2
   curl -sI https://www.mnemom.ai/llms.txt      | head -2
   curl -sI https://www.mnemom.ai/llms-full.txt | head -2

   Expectation: All three return HTTP/2 200 with text/plain content-typeEnforced by: scripts/verify/discovery-files.tsLast check: passed in 1548ms

3. Commitment 3 of 18

   Every prerendered marketing page contains valid, locale-aware JSON-LD

   passing

   JSON-LD gives agents a typed graph of who published what, when, and how the page relates to other entities. v1.3 expands coverage from /for-agents to every prerendered marketing route in every locale&#58; a primary entity per page (Organization + WebSite + WebPage on the home page; Product on /pricing; WebApplication on /showcase and /arena; HowTo on /how-it-works; CollectionPage on /research, /directory, /teams/directory; Article / ScholarlyArticle / TechArticle across the rest), plus a BreadcrumbList companion on every page. Required keys per primary entity&#58; "@context", "@type", "name", "description", "url", "inLanguage", and one of "dateModified" / "datePublished". Locale-aware fields (name, description, url, inLanguage) come from the active route's :lang? param; technical identifiers (publisher name, schema.org @type) stay English.

   Verify yourself

   for r in / /pricing/ /showcase/ /arena/ /fr/showcase/ /de/pricing/; do
     printf "%-25s " "$r"
     curl -s "https://www.mnemom.ai$r" | \
       grep -c '<script type="application/ld+json">'
   done

   Expectation: ≥1 JSON-LD block per route; primary entity carries @context, @type, name, description, url, inLanguage, dateModified; locale-prefixed routes use matching inLanguage and urlEnforced by: scripts/verify/json-ld.tsLast check: passed in 21851ms

4. Commitment 4 of 18

   Every prerendered marketing page has a markdown variant

   passing

   Agents that prefer plaintext save ~80% on tokens versus rendering HTML. Every prerendered route is also served as markdown via content negotiation (Accept&#58; text/markdown) and at the explicit &lt;path&gt;.md URL. Same content; navigation chrome stripped.

   Verify yourself

   curl -sI -H "Accept: text/markdown" https://www.mnemom.ai/methodology/
   curl -sI https://www.mnemom.ai/methodology/index.md

   Expectation: Both return 200 with Content-Type containing "text/markdown"Enforced by: scripts/verify/markdown-mirror.tsLast check: passed in 1486ms

5. Commitment 5 of 18

   Anonymous and bot user-agents receive equivalent content

   passing

   Agents identifying as ClaudeBot, GPTBot, PerplexityBot, or anonymous get the same prerendered HTML a browser receives. Mnemom never serves different content to bots versus humans — no cloaking, no UA-gated paywalls, no hidden detail.

   Verify yourself

   diff <(curl -sA "Mozilla/5.0" https://www.mnemom.ai/methodology/) \
        <(curl -sA "ClaudeBot/1.0" https://www.mnemom.ai/methodology/) | wc -l

   Expectation: Structural diff under threshold (excluding known dynamic regions)Enforced by: scripts/verify/no-cloaking.tsLast check: passed in 1168ms

6. Commitment 6 of 18

   AAP and AIP remain Apache 2.0

   passing

   The Agent Alignment Protocol (AAP) and Agent Integrity Protocol (AIP) are open source under Apache 2.0. The verification logic that backs every Mnemom claim is auditable by anyone, forever. We will never relicense to a more restrictive form.

   Verify yourself

   curl -s https://raw.githubusercontent.com/mnemom/aap/main/LICENSE | grep -c "Apache License"
   curl -s https://raw.githubusercontent.com/mnemom/aip/main/LICENSE | grep -c "Apache License"

   Expectation: Both LICENSE files contain "Apache License" stringEnforced by: scripts/verify/license-check.tsLast check: passed in 186ms

7. Commitment 7 of 18

   docs.mnemom.ai serves markdown via content negotiation and explicit .md URLs

   passing

   The integration documentation surface (docs.mnemom.ai) honors Accept&#58; text/markdown and serves the same content at &lt;path&gt;.md, with discovery headers (Link rel="llms-txt", X-Llms-Txt) advertising the auto-generated llms.txt and llms-full.txt indexes. Cuts crawl tokens roughly 30x for agents that walk the docs. Same site, same content, machine-readable view-shape — no special API key, no robots.txt blocking.

   Verify yourself

   curl -sI -H "Accept: text/markdown" https://docs.mnemom.ai/for-agents | grep -iE "content-type:|x-llms-txt:|^link:"
   curl -sI https://docs.mnemom.ai/for-agents.md | grep -i "content-type:"
   curl -sI https://docs.mnemom.ai/llms.txt
   curl -sI https://docs.mnemom.ai/llms-full.txt

   Expectation: All four return 200; markdown responses include text/markdown content-type and the discovery headersEnforced by: scripts/verify/docs-markdown-negotiation.tsLast check: passed in 2959ms

8. Commitment 8 of 18

   Every public Mnemom repo has an AGENTS.md at its root

   passing

   Anthropic's AGENTS.md convention. Coding agents (Claude Code, Cursor, Cline, Aider) cloning a public Mnemom repo find a tailored entry point alongside README.md — install/test/build commands, project layout, conventions, what NOT to do. Different audience from agents.txt and from this page (both target agents *using* the product); AGENTS.md targets agents *working on* the codebase. Coverage is the six public canonical repos&#58; aap, aip, aip-otel-exporter, mnemom-types, reputation-check, docs. (mnemom-platform was deliberately taken private in June 2026; it still ships AGENTS.md, as do all private repos, but only public ones are externally verifiable.)

   Verify yourself

   for r in aap aip aip-otel-exporter mnemom-types reputation-check docs; do
     curl -sI "https://raw.githubusercontent.com/mnemom/$r/main/AGENTS.md" | head -1
   done

   Expectation: All six return HTTP 200 on raw.githubusercontent.comEnforced by: scripts/verify/agents-md-discovery.tsLast check: passed in 177ms

9. Commitment 9 of 18

   These commitments are re-verified nightly against production

   passing

   A commitment without enforcement is marketing. Every commitment above is checked nightly by a GitHub Actions watchdog running this same manifest. Results are written to agent-readiness-status.json, committed to main, and surfaced as a status badge at the top of /for-agents. If verification fails, a GitHub issue auto-opens and the badge turns red.

   Verify yourself

   curl -s https://www.mnemom.ai/agent-readiness-status.json | \
     jq -r '"Last verified: \(.lastVerified) — \(.summary)"'

   Expectation: Manifest lastReviewed within reviewCadenceDays; status JSON lastVerified within 36 hours; summary reports pass countEnforced by: scripts/verify/manifest-freshness.tsLast check: passed in 5ms

10. Commitment 10 of 18

    Pricing tiers agree with themselves across every surface

    passing

    Agents reading mnemom.ai get one price per tier — never a $79 claim on the homepage FAQ and a $99 Offer schema on /pricing in the same crawl. JSON-LD Offers, schema descriptions, markdown mirrors, and the rendered DOM all carry the same number. Built after a May 2026 audit found Team-tier prices disagreeing on the same domain, the exact failure class our Coherence Report would flag against a competitor.

    Verify yourself

    curl -s https://www.mnemom.ai/pricing/ | grep -oE '"price":"[0-9]+"'
    curl -s https://www.mnemom.ai/ | grep -oE 'Team tier is \$[0-9]+/month'

    Expectation: Every Team-tier price reference on every prerendered page returns the same dollar figureEnforced by: scripts/verify/pricing-coherence.tsLast check: passed in 283ms

11. Commitment 11 of 18

    sitemap.xml lastmod never lags the page's JSON-LD dateModified

    passing

    Crawlers prioritize sitemap lastmod for re-crawl scheduling. If the sitemap says 2026-01-15 while the page's JSON-LD says 2026-05-08, we're under-signaling freshness to exactly the LLM-crawler audience this commitment is courting. The fix: sitemap lastmod is derived per-deploy from each route's JSON-LD dateModified (server/routes/sitemap.ts reads route-dates.json, written at build time by scripts/build-route-dates.mjs), so by construction lastmod >= dateModified.

    Verify yourself

    curl -s https://www.mnemom.ai/sitemap.xml | grep -A1 '<loc>https://www.mnemom.ai/pricing/</loc>' | grep '<lastmod>'
    curl -s https://www.mnemom.ai/pricing/ | grep -oE '"dateModified":"[^"]+"'

    Expectation: For every <url> in sitemap.xml whose page emits a JSON-LD dateModified, sitemap lastmod >= dateModifiedEnforced by: scripts/verify/sitemap-coherence.tsLast check: passed in 3043ms

12. Commitment 12 of 18

    Every URL has a structured preview manifest

    passing

    OG images are a human-facing preview surface. Markdown mirrors are an agent-facing full-content surface. The gap between them — a one-fetch typed summary an agent can ingest without rendering HTML or parsing markdown — is the agent-preview/v1 manifest. Every prerendered URL on mnemom.ai exposes a sibling <url>.preview.json with the same fields humans see in the OG image, but structured: title, summary, type, representations (html / markdown / image / json_ld), per-type context (author, reading time, agent grade, coherence-report status, etc.), and a publisher pointer back to the agent-readiness manifest. The schema is versioned, MIME-typed (application/vnd.agent-preview+json), and discoverable via <link rel="alternate"> in every page's head. Mnemom is the reference implementation; the spec is vendor-neutral so other sites can adopt it.

    Verify yourself

    curl -sH 'Accept: application/vnd.agent-preview+json' https://www.mnemom.ai/methodology/index.preview.json | jq '.spec_url, .type, .title, .representations'

    Expectation: Every prerendered route in STATIC_MARKETING_PATHS has a sibling <route>.preview.json that validates against the agent-preview/v1 schema and contains canonical_url, title, summary, representations, and a publisher block.Enforced by: scripts/verify/preview-surface.tsLast check: passed in 1520ms

13. Commitment 13 of 18

    trust.mnemom.ai ships the same agent-readability surface as the apex

    passing

    The Trust Center moved to its own subdomain (trust.mnemom.ai) to canonicalize the security/compliance pages independently of the marketing apex — a pattern that matches Cloudflare, Stripe, and OpenAI. Every standing /for-agents commitment that applies to the apex (markdown mirror, preview manifest, JSON-LD, agents.txt / llms.txt discovery) applies to the trust subdomain too, in all five EFIGS locales. No English-fallback hand-waving on a regulator-facing surface.

    Verify yourself

    curl -sI https://trust.mnemom.ai/index.md
    curl -sI https://trust.mnemom.ai/index.preview.json
    curl -sI https://trust.mnemom.ai/slos.md
    curl -sI https://trust.mnemom.ai/slos.preview.json
    curl -sI https://trust.mnemom.ai/fr.md
    curl -sI https://trust.mnemom.ai/fr/slos.md
    curl -sI https://trust.mnemom.ai/agents.txt
    curl -sI https://trust.mnemom.ai/llms.txt
    curl -sL https://trust.mnemom.ai/fr/slos | grep -oE '<link rel="canonical"[^>]+>'

    Expectation: All `.md` + `.preview.json` siblings return 200 with the right content-type (text/markdown / application/vnd.agent-preview+json); /agents.txt + /llms.txt return 200; each locale page's canonical points at trust.mnemom.ai/&lt;locale&gt;/...Enforced by: scripts/verify/trust-subdomain-surface.tsLast check: passed in 1427ms

14. Commitment 14 of 18

    Private coherence-report share-links are shielded from crawlers and indexers

    passing

    Pre-claim, /r/&lt;slug&gt; URLs are private shareable links to a named client. Anyone with the URL can visit it in a browser (that's the point — the URL is the access-control mechanism per ADR-043), but the content is potentially sensitive to the client and MUST NOT be read by AI training crawlers, indexers, or shared into public search results. Coherence reports synthesize publicly-available information into commentary that may be unflattering to the subject org; they are produced as a courtesy to the client and are deliberately invisible to crawlers, indexers, and agents. Five layered defenses&#58; (L1) public/robots.txt disallows /r/ for every named crawler User-agent, including the 14 AI bots we explicitly opt INTO the marketing surface; (L2) netlify.toml sets X-Robots-Tag&#58; noindex, nofollow, noarchive, nosnippet, noimageindex on every /r/* response; (L3) a Netlify edge function (netlify/edge-functions/r-shield.ts) hard-403s the 21 named crawler + indexer User-agents AND any UA matching the generic bot|crawler|spider|agent pattern (defense-in-depth for honest agents not on our explicit allowlist) at the edge with no SPA shell; (L4) the same edge function serves a generic on-brand coherence-report OG card to humans + share-previewers, with NO slug-lookup, so fake-vs-real slugs produce byte-identical responses (ADR-043 side-channel preserved); (L5) the privacy invariant: /r/&lt;slug&gt; intentionally has no machine-readable mirror — .md, .preview.json, and .json variants return 404, not shielded content, so honest agents reading a coherence-report URL through any of those discovery mechanisms get an unambiguous "this surface is not for you" signal. The blocklist single source of truth is the inlined arrays in netlify/edge-functions/r-shield.ts (Netlify's bundler rejects underscore-prefixed sibling helper modules, so SSOT and consumer share one file); every entry carries a provenance comment naming the vendor + their documented crawler page. This is the private-surface complement to the marketing-surface stance below ("we do not block crawlers").

    Verify yourself

    curl -sI -A 'GPTBot' https://www.mnemom.ai/r/test-shield | head -1
    curl -s -A 'Slackbot 1.0' https://www.mnemom.ai/r/test-shield | grep -oE 'og:image[^>]+type=coherence-report'
    curl -sI https://www.mnemom.ai/r/test-shield.md            | head -1
    curl -sI https://www.mnemom.ai/r/test-shield.preview.json  | head -1
    curl -sI https://www.mnemom.ai/r/test-shield.json          | head -1

    Expectation: GPTBot / ClaudeBot / Googlebot (and 18 other named AI/indexer UAs) plus any generic *bot/*Crawler/*Spider/*Agent UA receive 403 at the edge. Slackbot / Twitterbot / browsers receive 200 with a generic coherence-report OG card and noindex meta. Two fake slugs produce byte-identical responses (no existence side-channel). .md / .preview.json / .json variants of any /r/&lt;slug&gt; URL return 404 (no machine-readable mirror).Enforced by: scripts/verify/r-shield-enforcement.tsLast check: passed in 1057ms

15. Commitment 15 of 18

    Mnemom permits AI model training on public marketing content

    passing

    Mnemom's public marketing surfaces (mnemom.ai, docs.mnemom.ai, trust.mnemom.ai) are open for AI model training, retrieval-augmented generation, fine-tuning, and derived works. No permission required, no API key needed, no attribution fee. We ask (but do not require) that training datasets credit Mnemom when citing research papers or integration code. The stance is published in three places that this verifier asserts agree&#58; (1) public/robots.txt header ("training-data consumption by design"), (2) public/agents.txt metadata block (`training_data_policy: allowed`), (3) this commitment body. The PRIVATE surface stance — coherence reports at /r/&lt;slug&gt; — is the opposite (see commitment #13) and is independently enforced. This commitment is about the marketing surface only.

    Verify yourself

    curl -s https://www.mnemom.ai/robots.txt | grep -i 'training-data consumption'
    curl -s https://www.mnemom.ai/agents.txt | grep -E '^training_data_policy:\s*allowed'

    Expectation: robots.txt header carries the "training-data consumption" phrase; agents.txt metadata carries training_data_policy=allowed.Enforced by: scripts/verify/ai-training-stance.tsLast check: passed in 100ms

16. Commitment 16 of 18

    Every prerendered page emits a complete Open Graph + Twitter Card

    passing

    Social-preview metadata is the human-facing companion to the machine-readable JSON-LD (#3) and markdown-mirror (#4) surfaces. Every prerendered marketing route emits at minimum&#58; og:title, og:description, og:image, og:url, og:type, twitter:card, twitter:title, twitter:description, twitter:image. The route-meta.ts emitter is the single source of truth; this verifier samples representative prerendered routes (apex, pricing, methodology, how-it-works, showcase, for-agents, plus two EFIGS variants) and asserts every required meta tag is present and has a non-empty content attribute. Catches drift if a route's `meta` export accidentally omits a field or if route-meta.ts loses a tag during refactor.

    Verify yourself

    curl -sL https://www.mnemom.ai/pricing/ | grep -oE '<meta\s+property="og:[a-z]+"' | sort -u | wc -l
    curl -sL https://www.mnemom.ai/pricing/ | grep -oE '<meta\s+name="twitter:[a-z]+"' | sort -u | wc -l

    Expectation: At least 5 distinct og:* tags and at least 4 distinct twitter:* tags on every sampled prerendered route.Enforced by: scripts/verify/og-twitter-coverage.tsLast check: passed in 294ms

17. Commitment 17 of 18

    /.well-known/ discovery files are well-formed and standards-compliant

    passing

    The `/.well-known/` namespace is where agents look for machine-readable discovery surfaces without prior knowledge. This verifier asserts several of them are well-formed&#58; (1) `/.well-known/security.txt` is RFC 9116-compliant — required fields (Contact, Expires, Canonical) present, Expires in the future, and Preferred-Languages enumerating every locale the site ships in (en, fr, de, it, es) so reports can land in any of those, anything less narrowing the disclosure channel below the customer surface; (2) `/.well-known/api-catalog` (RFC 9727) is a valid linkset pointing at the live OpenAPI 3.1 spec; (3) `/.well-known/oauth-protected-resource` (RFC 9728) names the www.mnemom.ai origin as a protected resource (same-origin) and lists its authorization servers; (4) `/.well-known/oauth-authorization-server` (RFC 8414) is valid JSON with a well-formed issuer and an `agent_auth` registration profile; and (5) `/.well-known/agent-card.json` is a valid A2A-style service card. The public MCP server card at `.well-known/mcp/server-card.json` is now present and points at the live `https://api.mnemom.ai/mcp` control-plane endpoint; it is validated by the dedicated `mcp-server` verifier (see roadmap — live and soaking toward a numbered commitment), not by this one, which keeps each verifier scoped to one surface cluster.

    Verify yourself

    curl -s https://www.mnemom.ai/.well-known/security.txt | grep -E '^(Contact|Expires|Canonical|Preferred-Languages):'
    curl -s https://www.mnemom.ai/.well-known/api-catalog | jq '.linkset[0].anchor'
    curl -s https://www.mnemom.ai/.well-known/oauth-protected-resource | jq '.authorization_servers'
    curl -s https://www.mnemom.ai/.well-known/oauth-authorization-server | jq '.issuer'
    curl -s https://www.mnemom.ai/.well-known/agent-card.json | jq '.name'

    Expectation: security.txt declares Contact + Expires (in the future) + Canonical + Preferred-Languages covering en, fr, de, it, es; api-catalog, oauth-protected-resource, oauth-authorization-server, and agent-card.json each parse as valid JSON with their expected key fields present. The PRM names www.mnemom.ai as a same-origin resource with non-empty scopes_supported and bearer_methods_supported including header; the authorization-server doc carries issuer https://www.mnemom.ai plus a complete agent_auth registration method (anonymous, id-jag, or verified_email).Enforced by: scripts/verify/well-known-surfaces.tsLast check: passed in 1529ms

18. Commitment 18 of 18

    API, auth, and agent-skill discovery surfaces are published and resolvable

    passing

    An agent that lands on www.mnemom.ai with no prior knowledge can now discover the API, how to authenticate against it, and what skills it can invoke — entirely from standard discovery files. `/.well-known/api-catalog` (RFC 9727) is a linkset whose service-desc points at the live OpenAPI 3.1 contract at api.mnemom.ai/openapi.json. Authentication is described honestly&#58; Mnemom delegates token issuance to Supabase GoTrue and mints no OAuth tokens of its own, so `/.well-known/oauth-protected-resource` (RFC 9728) names the www.mnemom.ai origin as the protected resource (same-origin, as RFC 9728 requires; the API surface has its own origin-matched PRM at api.mnemom.ai) and lists its authorization servers (Mnemom's first-party AS metadata at www.mnemom.ai plus the upstream Supabase GoTrue issuer). `/.well-known/oauth-authorization-server` (RFC 8414) declares issuer https://www.mnemom.ai, points its token / authorize / jwks endpoints at that upstream Supabase IdP, and carries an `agent_auth` profile describing Mnemom's agent-registration flow (POST /v1/agents → claim). `/auth.md` is the human- and agent-readable auth guide — it states plainly that the two real schemes are a Supabase-issued bearer JWT and a Mnemom `mnm_`-prefixed API key, documents the agent-registration flow, and clarifies that Mnemom mints no OAuth tokens of its own. Invokable skills are listed under `/.well-known/agent-skills/*`, each backed only by a real public endpoint, and `/.well-known/agent-card.json` is an A2A-style service card describing the same surface. HTTP `Link` headers on the relevant routes advertise these so an agent can find them from the response headers alone. Every URL named here resolves to something real today; nothing is aspirational.

    Verify yourself

    curl -sI https://www.mnemom.ai/auth.md | head -2
    curl -s https://www.mnemom.ai/.well-known/api-catalog | head -c 80
    curl -s https://www.mnemom.ai/.well-known/agent-skills/index.json | jq '.skills | length'

    Expectation: auth.md is served FLAT at the root (no 3xx redirect) with Content-Type text/markdown, an H1 containing "auth.md", and a "Bearer" mention; api-catalog, oauth-protected-resource, oauth-authorization-server, and agent-card.json each return valid JSON; the agent-skills index (/.well-known/agent-skills/index.json) resolves and lists skills.Enforced by: scripts/verify/api-auth-discovery.tsLast check: passed in 512ms

What we deliberately don't do

• We do not serve different HTML to bot user-agents on any marketing surface. There is no cloaking.
• We do not gate documentation, API references, or integration code behind login.
• We do not paywall the protocols. AAP and AIP are Apache 2.0, forever.
• We do not block search crawlers, AI crawlers, or fair-use indexers from the public marketing site (mnemom.ai, docs.mnemom.ai). The marketing pitch is open by design — agents teaching their humans about Mnemom is part of the product. PRIVATE share-link surfaces (/r/<slug> coherence-report URLs pre-claim) ARE shielded — see commitment
• We do not require API keys or accounts to read agents.txt, llms.txt, or this page.
• We do not put the main pitch behind JavaScript hydration. View-source proves it.

Surface map

The 20 canonical agent-facing surfaces. Each is a distinct audience and a distinct format.

Adoption

The agent-preview/v1 schema is vendor-neutral by design. Any site can publish.preview.jsonsiblings, advertise discovery via the <link rel="alternate"> pattern, and let its URLs become one-fetch addressable for agents — no Mnemom dependency, no permission needed. If adoption materializes across multiple independent implementations, the MIME type is candidate for promotion to the IANA Standards Tree (dropping the vnd. prefix).

Read the open-invitation framing as an IETF Internet-Draft:

Shipped a preview surface on a domain you control? Tell us and we'll add you to the adopters list.

What's coming

Commitments-in-flight. Each becomes a numbered commitment when it ships.

• Promote the live MCP servers to a numbered commitment

  Two public Model Context Protocol servers are LIVE today: the control plane at https://api.mnemom.ai/mcp (62 tools mirroring the mnemom CLI; tool execution authenticates exactly as the REST API) and docs search at https://docs.mnemom.ai/mcp (read-only). The control-plane server card is published at /.well-known/mcp/server-card.json. The dedicated verifier scripts/verify/mcp-server.ts is implemented and registered and checks both endpoints plus the card. This item remains on the roadmap — rather than in commitments — ONLY until that verifier clears the standard 7-consecutive-green-night soak (AGENTS.md), at which point it is promoted to a numbered commitment. The surfaces are real now (see auth.md and the MCP rows in the surface map); only the versioned green *commitment* is pending soak.