Cortex Memory
Behavioral fingerprinting for AI agents. Learn what "normal" looks like for each agent and automatically flag deviations before they become incidents.
Why this exists
Most governance tools evaluate each tool call in isolation. This misses an entire class of threat: behavioral drift.
An agent that calls read_db → format_report 500 times is probably fine. The same agent calling read_db → http_request → exec_cmd for the first time in its lifecycle is a red flag — even if each call individually passes policy.
Cortex Memory learns each agent's behavioral fingerprint across sessions and raises the risk score when the agent deviates from its established patterns.
How it works
Every authorized action is recorded as part of a sequence. Over time, ABS builds a baseline of what tool call patterns are normal for each agent:
Authorized actions → recordSequence()
        ↓
updateBaseline() ← runs after N new sequences
        ↓
Baseline: { normal tools, normal sequences, normal frequencies }

On every new POST /v1/authorize, the Cortex runs detectAnomalies() and feeds the anomaly score into the WASM policy engine's risk_score:

New tool call → detectAnomalies() → anomaly_score (0-100)
        ↓
Added to risk_score before policy evaluation

Anomaly signals
Cortex detects four types of deviation:
Novel tool — Agent calls a tool it has never used in its baseline period.
"This agent has never called exec_cmd in 90 days. Risk +40."
Unusual sequence — Tool is called in a sequence never seen before.
"Agent always does read_db → format. Never read_db → http_request. Risk +25."
Frequency spike — Call volume for a tool is 3× higher than the agent's baseline.
"Agent called file_write 47 times in the last hour. Baseline: 5/hour. Risk +20."
Time anomaly — Action taken outside the agent's normal operating hours.
"Agent has never operated between 03:00–05:00 UTC. Risk +15."
Reading anomaly data in /v1/authorize
When Cortex detects anomalies, the risk_score is automatically increased and details are returned in the response:
{
  "status": "ALLOWED",
  "risk_score": 72,
  "cortex": {
    "anomaly_score": 40,
    "signals": [
      {
        "type": "novel_tool",
        "tool": "exec_cmd",
        "description": "Tool not seen in 90-day baseline",
        "score_contribution": 40
      }
    ],
    "baseline_established": true,
    "sequences_in_baseline": 523
  }
}

If the combined risk_score exceeds your policy threshold, the request is denied automatically — no extra configuration required.
Baseline establishment
The baseline is built from the first 100 allowed actions by default. Before the baseline is established, Cortex operates in passive mode — it records sequences but does not raise risk scores. The baseline_established field indicates the current state.
You can view the baseline for any agent:
GET /v1/agents/{agent_id}/cortex
Authorization: Bearer {your-api-key}

{
  "agent_id": "claudebot-prod",
  "baseline_established": true,
  "sequences_recorded": 1240,
  "normal_tools": ["read_db", "format_report", "notify_slack"],
  "normal_sequences": [
    ["read_db", "format_report"],
    ["read_db", "format_report", "notify_slack"]
  ],
  "avg_calls_per_hour": {
    "read_db": 12,
    "format_report": 12,
    "notify_slack": 3
  }
}

Retention
Sequence data is retained for 90 days by default, controlled by ABS_AUDIT_RETENTION_DAYS. Baseline models are retained indefinitely — they are small (< 10KB per agent) and represent learned knowledge, not raw logs.
The automatic cleanup is handled by the Audit Janitor.
Invariants
- CM2-I1: Only ALLOWED decisions contribute to the baseline (denied actions are not "normal")
- CM2-I2: Anomaly score 0 = action within baseline; 100 = extreme deviation never seen before
- CM2-I3: Detection runs before the policy engine — feeds into risk_score, not after
- CM2-I4: Network failures or DB errors never block authorization — Cortex fails open with anomaly_score: 0
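
The four anomaly signals, passive mode and the fail-open invariant, sketched as an added example; this is not ABS source code. The weights are the ones in the page's example messages, the baseline object follows the GET /v1/agents/{agent_id}/cortex response, and the call object shape, the active_hours_utc field and the degraded flag are assumptions made for the illustration.

```javascript
// Added illustration, not ABS source code. Weights are taken from the page's
// example messages; anything marked "assumed" does not appear in the ABS docs.
const WEIGHTS = { novel_tool: 40, unusual_sequence: 25, frequency_spike: 20, time_anomaly: 15 };

// True if `seq` occurs as a contiguous run inside any baseline sequence.
function seenSequence(baseline, seq) {
  return baseline.normal_sequences.some((known) =>
    known.some((_, i) => seq.every((t, j) => known[i + j] === t)));
}

// call (assumed shape): { tool, previous_tool, calls_last_hour, hour_utc }
function detectAnomalies(baseline, call) {
  const signals = [];
  const add = (type, description) =>
    signals.push({ type, tool: call.tool, description, score_contribution: WEIGHTS[type] });
  try {
    // Passive mode: nothing is scored until the baseline is established.
    if (!baseline.baseline_established) return { anomaly_score: 0, signals };
    if (!baseline.normal_tools.includes(call.tool)) {
      add("novel_tool", "Tool not seen in baseline");
    }
    if (call.previous_tool && !seenSequence(baseline, [call.previous_tool, call.tool])) {
      add("unusual_sequence", `${call.previous_tool} → ${call.tool} not seen in baseline`);
    }
    const avg = baseline.avg_calls_per_hour[call.tool];
    // The 3x rule is read here as "at least three times the hourly baseline".
    if (avg !== undefined && call.calls_last_hour >= 3 * avg) {
      add("frequency_spike", `${call.calls_last_hour}/hour vs baseline ${avg}/hour`);
    }
    // active_hours_utc (assumed): UTC hours in which the agent has baseline activity.
    if (baseline.active_hours_utc && !baseline.active_hours_utc.includes(call.hour_utc)) {
      add("time_anomaly", `No baseline activity at hour ${call.hour_utc} UTC`);
    }
  } catch (err) {
    // CM2-I4: fail open with score 0. `degraded` is an assumed flag so a zero
    // caused by an error can be told apart from a clean zero in logs.
    return { anomaly_score: 0, signals: [], degraded: true };
  }
  const total = signals.reduce((sum, s) => sum + s.score_contribution, 0);
  return { anomaly_score: Math.min(100, total), signals }; // CM2-I2: range 0-100
}
```

Because a fail-open result and a genuinely in-baseline call both produce anomaly_score 0, the sketch marks the error path separately; alerting on that marker keeps detection outages visible.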