Language / 语言

Agent Memory:从相似度检索到可恢复、可验证的执行状态

Jul 2026 · Memory / Stateful Agents / Long Horizon / Safety / Synthetic Training

Agent memory 常被简化成“把历史放进向量库,必要时检索回来”。这在问答或个人化场景中有用,但不足以支撑长程行动:一个 agent 还要知道什么已提交、什么只是计划、哪些观察已过期、哪些失败分支不能再次执行,以及哪些记忆根本不应影响权限或最终判断。memory 的研究对象应是有来源、时效、可见性、权限和恢复语义的执行状态系统。

中心命题:context window != event log != semantic retrieval != execution state != verified memory。把它们混为一谈,会把“找到了相似文本”误写成“正确恢复了世界状态”。

1. 先分清四种不同的 memory

对象 最适合回答的问题 可以测量什么 不能自动证明
Context / working set 当前一步推理需要什么? token、时延、当前上下文是否覆盖必需约束 历史事实已被持久、正确或可恢复地保存
Event / evidence ledger 发生过什么、谁观察到、何时观察到? event digest、来源、时间、完整性和访问记录 该事件仍然有效,或应指导下一动作
Long-term retrieval memory 在当前任务下,什么历史信息值得取回? retrieval、时间推理、更新、遗忘、abstention 相似条目就是正确、授权或安全的控制信息
Execution state / checkpoint 已提交什么、未决什么、可否继续或回滚? state reconstruction、恢复、重复副作用、safe stop 单纯的摘要、聊天记录或最终回答可替代它

这一区分解释了为何更长 context 不是 memory 方案:它既不声明信息来源,也不表示某个写入已提交,更不能处理冲突、过期或恢复。对 agent 而言,context 是一次计算的输入;memory 是跨步骤、跨 session 甚至跨 agent 的外部状态和访问协议

2. 从“储存文本”到可管理的 memory operations

Agentic Memory / AgeMem 将长期与短期 memory management 直接暴露为 agent 可调用的 tool action,包括 store、retrieve、update、summarize 和 discard,并在自身的五个长程 benchmark 上训练和评测。这支持一个具体想法:memory 操作可以是 policy 的一部分,而不是固定启发式;它不证明任何带 RL 的 memory controller 都会泛化或安全。

Agent Memory 从系统角度区分 construction、retrieval 与 generation 阶段,分析不同设计如何把成本移到写入或读取路径,并讨论 freshness-latency 等权衡。它提醒我们:一次“memory 提升”可能来自更频繁的 extraction、更大的上下文或更多生成调用,必须把这些资源拆开报告。

操作 它应记录什么 独立验收问题
Observe / append 来源、时间、可见性、content/artifact digest、可信度标签 此观察是真的、完整的吗,还是来自不可信网页、tool output 或模型猜测?
Retrieve query、候选集、排序、admission/rejection、成本 取回内容是否及时、相关、允许在当前 authority scope 中使用?
Update / reconcile 被替换的版本、冲突、时间区间、理由 新信息是否真的覆盖旧状态,还是制造了静默矛盾?
Summarize / compress 输入 event set、摘要版本、可追溯指针、丢失信息类别 压缩后还能重建关键约束和已提交操作吗?
Checkpoint / branch active goal、constraints、environment/artifact digest、plan、authority、resource clock 中断后能否恢复,而不重复副作用或暴露隐藏状态?
Expire / revoke TTL、撤销理由、关联 credential/permission 过期或错误的 memory 是否仍能改变决策或权限?

MAGE 将长程记忆组织为层级 execution-state tree:active root-to-current path 组合当前子目标、最近轨迹和已验证提示,Grow、Compress、Maintain、Revise 分别写入、压缩、校验和分支恢复。其结果只在论文的 MemoryArena 设定中成立,但它提供了比“相似度最高的片段”更精确的对象:应测量的是状态谱系、分支隔离和错误恢复

3. Memory 是 execution state,不是“更聪明的检索”

在具备外部副作用的任务中,最重要的 state 往往不是一段知识,而是对行动的约束:

MemoryEvent     = source, observed_at, visible_to, trust_label, digest, temporal_validity
ExecutionState  = goal, constraints, committed_effects, pending_effects, artifact/env_digest
Checkpoint      = state_version, authority_snapshot, plan, budget_clock, recovery_policy
RetrievalRecord = query, candidate_ids, admission, excluded_items, reason, cost
Acceptance      = independent_postcondition, evidence_digest, verifier_version, outcome

这样设计有五个关键作用:

  1. 区分事实、推断与计划。 “用户要求付款”“账户余额为 100”“准备付款”与“已付款”是不同类型,不能由同一摘要句子承载。
  2. 区分可见与真实。 screenshot、DOM、tool response 和聊天内容是 observation;后端状态、文件 digest 和独立 verifier 才能提供更强的 postcondition 证据。
  3. 区分失败分支与活跃路径。 已知失败的尝试可用于诊断,却不应默默混入当前 state,诱使 agent 重试错误副作用。
  4. 区分 retrieval 与 authority。 一条旧偏好、网页提示或 tool description 可以影响检索优先级,不能自身授予写权限、扩大域名范围或修改 verifier。
  5. 区分 memory 与 acceptance。 memory 可帮助形成行动;最终 completion 仍由 agent 不可写的 postcondition 检查。

这也与World Models 与 Agent Environments的 contract 对齐:状态转移、观察 provenance、action authority、reset/recovery 与 verifier 是不同对象,memory 不能替代任何一个。

4. 现有 benchmark 在测什么,又没有测什么

来源 它贡献的测量视角 不能借用的结论
LongMemEval chat assistant 的 extraction、multi-session/temporal reasoning、knowledge update 与 abstention 个性化聊天记忆的得分等于工具或环境的执行状态正确
MemoryAgentBench incremental multi-turn 下的 retrieval、test-time learning、long-range understanding 与 selective forgetting 覆盖四种能力即证明实际 agent 的所有 memory 行为可靠
MemGym 在 tool dialogue、deep research、coding 和 computer use 中分离 memory from reasoning/retrieval/tool use,并使用 memory-isolated score 一个 proxy 或 benchmark 分数可代替完整 terminal verification、成本和安全评测
A-MEM 动态 note、attribute 与 link 组织的 agentic memory 图结构或可演化索引天然避免陈旧、冲突、隐私和 prompt injection
Agent Memory construction/retrieval/generation 的系统成本与 freshness-latency 权衡 profiling taxonomy 是长期执行或安全的完整评价

这些来源共同支持的最窄结论是:memory 需要单独测量,且不同任务会暴露不同故障。它们没有给出一种通用 memory winner,也不能将问答正确率外推成有真实副作用的 web、terminal 或 research workflow 的可靠性。

5. Memory read 是一个 trust boundary

Beyond Similarity 研究 personal agent 中的 memory search,将语义相关但上下文不适当的 retrieval 视为控制面风险:它可能造成跨域泄露、迎合、tool-call drift 或 memory-induced jailbreak。论文在指定的 frameworks、环境和攻击设置中评测,不应读作所有 memory product 的普遍漏洞比例;但它提供了一条必要设计规则:被检索到,不等于被允许影响行动。

因此 memory admission 至少需要同时检查:

检查面 一个可执行问题 典型反例
来源与完整性 这条记录来自谁,内容是否被篡改或只是模型生成? 网页中的注入文本被长期存储为“用户偏好”
时间与冲突 它在哪个时间区间有效,是否被更可靠的新状态覆盖? 旧地址/旧约束覆盖最新的明确指令
作用域与隐私 当前 task、user、tenant 和 authority 能否读取/使用它? 将 A 项目的内部细节用于 B 项目的 tool call
行动影响 它能建议、过滤还是实际授权一个动作? 检索到的 description 直接扩大网络、文件或 credential 权限
审计与撤销 谁允许它进入 active state,之后能否追查和移除? 有害 summary 被压缩后无法定位来源或回滚

将 memory 当作 untrusted input 与Agent Tool Governance的原则一致:工具返回、网页、reference、script 和记忆条目都可能影响 policy,但只有 runtime capability 与独立 verifier 能控制实际副作用。

6. 可训练的 memory 不等于训练集里的“成功摘要”

AgeMem 说明 store/retrieve/update 等 operation 可以做成可学习 action;MemGym 说明 memory 的影响可以尽力与推理、检索和工具能力解耦。这给合成实例与 agentic RL 一个严谨入口,却也引出更强的隔离要求:训练时不能让 agent 通过 memory 看见 final task、hidden verifier、成功评测轨迹或 evaluator 的答案通道。

一个可反驳的 training protocol 应固定 base model、harness、tool policy、动作权限、总 token/rollout/wall-clock budget 和 hidden evaluator,并比较:

条件 它改变什么 必须报告的结果
no-memory / bounded context 不持久化外部 memory task outcome、遗忘、上下文和 token 成本
append-only log 保留完整事件但不做筛选 reconstruction、检索噪声、成本与隐私暴露
retrieval-only memory 固定 write 与 retrieval policy stale/conflict error、admission precision、tool/action drift
execution-state manager 版本、checkpoint、分支、recovery 进入 state contract recovery、重复副作用、safe stop、verified completion
learned memory operations 只在相同 editable action surface 上训练 store/retrieve/update/discard held-out transfer、integrity、operation cost 与训练/评测 split 隔离

最终评测至少按 environment、workflow/rule、memory schema 或 generator family、privacy/security family 进行隔离。若合成器或训练轨迹已经见过测试的唯一 state template、hidden postcondition 或成功 action,memory gain 只是测试泄漏的另一种形式。详见合成实例与 Agent 训练

7. 一套足够尖锐的 failure suite

不要只问“模型记住了吗”。每个 memory system 至少应面对以下对照:

  1. 陈旧覆盖: 后来的高可信状态与早期低可信记录冲突,agent 必须更新或 abstain。
  2. 部分提交: 工具调用返回成功但后端只提交一部分,恢复时不得重复外部副作用。
  3. 失败分支污染: 一个已证伪的计划与有效轨迹语义相似,不能被当作当前事实取回。
  4. 不可信写入: web/tool text 诱导 agent 存储、总结或转发越权 instruction。
  5. 跨作用域泄露: 同一 agent 的不同 user/task/tenant memory 不得交叉影响 retrieval 或 action。
  6. 压缩不可逆: summary 丢掉 artifact digest、约束或 commit status 后,独立 runner 无法重建关键 state。
  7. 恢复与停止: checkpoint 缺失、工具拒绝或环境漂移时,agent 要恢复、升级或安全停止,而非编造成功。

对应的最低输出列是:verified_successstate_reconstructionstale_or_conflict_errormemory_admission_violationcross_scope_leakduplicate_side_effectrecovery_costsafe_stoptrace_completeness。这些列把 memory 从一项模糊能力变成环境、harness 和 evaluator 都能共同审计的对象。

8. 回到五条核心研究线

核心线 Memory / state 应增加的对象 不能替代什么
RSI / OpenRSI 受限、版本化、可回滚的 memory/harness edit 与跨代 regression 独立 acceptance、sealed holdout 与“改进改进者”的证据
Auto Research / ART 证据来源、实验状态、失败/未决假设、artifact lineage 对照、因果解释、局限和可复跑结论
Long horizon checkpoint、state reconstruction、branch isolation、recovery/safe stop 更长 context、更多 tool calls 或 timeout 本身
ClawBench V2 / WebsiteBench self-host snapshot、作用域化 memory、backend postcondition 与 sidecar trace 截图、chat summary 或 tool success message
Synthetic training / Agentic RL memory operations、stateful instance、schema/provenance split 与 integrity regression 成功摘要、共享 generator 或开发集 reward 的局部提升

结论很直接:agent memory 不是额外塞进 prompt 的“经验”,而是一个会影响未来行动的状态系统。研究价值不在于让它检索更多,而在于让每次写入、取回、压缩、恢复和撤销都能被定义、限制、审计和独立推翻。更完整的长程 checkpoint 与故障协议见长程 Agent;对 plan version、反馈条件重规划、拒绝和终态验收的独立 contract 见Agent Planning;memory 只是其中一个必须受控的层,而不是它的替代品。

Primary References

Agent Memory: From Similarity Retrieval to Recoverable, Verifiable Execution State

Jul 2026 · Memory / Stateful Agents / Long Horizon / Safety / Synthetic Training

Agent memory is often reduced to “put history into a vector store and retrieve it when needed.” That can help question answering or personalization, but it is not enough for long-horizon action. An agent also needs to know what was committed, what is only planned, which observations are stale, which failed branches must not execute again, and which memories must not affect authority or final judgment. The research object is an execution-state system with provenance, temporal validity, visibility, authority, and recovery semantics.

Central claim: context window != event log != semantic retrieval != execution state != verified memory. Collapsing these makes “retrieved similar text” look like “correctly reconstructed world state.”

1. Separate Four Different Kinds of Memory

Object Question it is suited to answer What can be measured What it does not establish
Context / working set What is needed for the current reasoning step? Tokens, latency, whether the present context covers needed constraints Historical facts were persistently, correctly, or recoverably retained
Event / evidence ledger What happened, who observed it, and when? Event digest, provenance, time, integrity, access record The event remains valid or should guide the next action
Long-term retrieval memory Which historical information is worth retrieving for this task? Retrieval, temporal reasoning, updates, forgetting, abstention A similar item is correct, authorized, or safe control information
Execution state / checkpoint What committed, what remains pending, and can work continue or roll back? State reconstruction, recovery, duplicate side effects, safe stop A summary, chat log, or final answer can substitute for it

This explains why a longer context is not a memory system: it declares neither provenance nor whether a write committed, and it cannot resolve conflict, staleness, or recovery. For an agent, context is input to one computation; memory is external state and an access protocol across steps, sessions, and potentially agents.

2. From Stored Text to Managed Memory Operations

Agentic Memory / AgeMem exposes long- and short-term memory management as tool actions the agent can call, including store, retrieve, update, summarize, and discard. It trains and evaluates this policy in its own five long-horizon benchmarks. That supports a concrete idea: memory operations can be part of a policy rather than fixed heuristics; it does not show that every RL memory controller generalizes or is safe.

Agent Memory separates construction, retrieval, and generation phases from a systems perspective, characterizing how designs move cost onto write or read paths and discussing freshness-latency trade-offs. It is a reminder that a reported “memory improvement” may be more frequent extraction, a larger context, or more generation calls, all of which need separate accounting.

Operation What it should record Independent acceptance question
Observe / append Source, time, visibility, content/artifact digest, trust label Is the observation true and complete, or untrusted web/tool output or model guesswork?
Retrieve Query, candidates, ranking, admission/rejection, cost Is the result timely, relevant, and permitted for the present authority scope?
Update / reconcile Superseded version, conflict, temporal interval, reason Does new information actually supersede old state, or create a silent contradiction?
Summarize / compress Input event set, summary version, traceable pointers, lost-information class Can key constraints and committed actions still be reconstructed?
Checkpoint / branch Active goal, constraints, environment/artifact digest, plan, authority, resource clock Can work resume after interruption without repeating side effects or exposing hidden state?
Expire / revoke TTL, revocation reason, related credential/permission Can stale or wrong memory still change a decision or authority?

MAGE organizes long-horizon memory as a hierarchical execution-state tree. Its active root-to-current path combines current subgoals, recent traces, and validated hints; Grow, Compress, Maintain, and Revise respectively write, compress, validate, and restore onto a branch. Its results hold only in the paper’s MemoryArena setting, but it provides a sharper object than “top similar passage”: measure state lineage, branch isolation, and error recovery.

3. Memory Is Execution State, Not “Smarter Retrieval”

For tasks with external side effects, the most important state is often not a knowledge passage but a constraint on action:

MemoryEvent     = source, observed_at, visible_to, trust_label, digest, temporal_validity
ExecutionState  = goal, constraints, committed_effects, pending_effects, artifact/env_digest
Checkpoint      = state_version, authority_snapshot, plan, budget_clock, recovery_policy
RetrievalRecord = query, candidate_ids, admission, excluded_items, reason, cost
Acceptance      = independent_postcondition, evidence_digest, verifier_version, outcome

This creates five key distinctions:

  1. Facts, inferences, and plans differ. “The user asked to pay,” “the balance is 100,” “prepare payment,” and “payment committed” are different types, not one summary sentence.
  2. Visible differs from true. Screenshots, DOM, tool responses, and chat are observations; backend state, file digests, and independent verifiers offer stronger postcondition evidence.
  3. Failed branches differ from the active path. A known failed attempt can aid diagnosis but must not silently enter active state and induce repeated side effects.
  4. Retrieval differs from authority. An old preference, web hint, or tool description may prioritize retrieval; it cannot grant write access, widen a domain, or modify a verifier.
  5. Memory differs from acceptance. Memory can help choose action; final completion still belongs to a postcondition checker the agent cannot write.

This aligns with the contract in World Models and Agent Environments: state transition, observation provenance, action authority, reset/recovery, and verifier are different objects. Memory cannot substitute for any of them.

4. What Current Benchmarks Measure, and What They Do Not

Source Measurement perspective it contributes Conclusion it cannot lend
LongMemEval Extraction, multi-session and temporal reasoning, knowledge update, and abstention for chat assistants A personalized-chat score equals correct execution state in a tool or environment
MemoryAgentBench Retrieval, test-time learning, long-range understanding, and selective forgetting under incremental multi-turn interaction Covering four competencies proves all practical agent memory behavior is reliable
MemGym Separates memory from reasoning/retrieval/tool use across tool dialogue, deep research, coding, and computer use, with a memory-isolated score A proxy or benchmark score replaces terminal verification, cost, and safety evaluation
A-MEM Dynamic notes, attributes, and links for agentic memory organization A graph or evolving index naturally prevents stale, conflicting, private, or injected memory
Agent Memory Systems cost across construction/retrieval/generation and freshness-latency trade-offs A profiling taxonomy is a complete long-horizon or safety evaluation

The narrow conclusion common to these sources is that memory needs its own measurement and that tasks expose different failure modes. They do not provide a universal memory winner or permit chat-QA accuracy to be extrapolated to reliable web, terminal, or research workflows with real side effects.

5. A Memory Read Is a Trust Boundary

Beyond Similarity studies memory search in personal agents and treats semantically related but contextually inappropriate retrieval as a control-plane risk: it can lead to cross-domain leakage, sycophancy, tool-call drift, or memory-induced jailbreaks. The paper evaluates specified frameworks, environments, and attacks, so it is not a prevalence estimate for all memory products. It does support one necessary design rule: retrieved does not mean permitted to affect action.

Memory admission should therefore check all of these surfaces:

Check Executable question Typical counterexample
Source and integrity Who produced this record, and was it altered or merely generated by a model? Prompt injection in a page is stored as a “user preference”
Time and conflict During which interval is it valid, and did a more reliable state supersede it? An old address or constraint overrides a later explicit instruction
Scope and privacy May this task, user, tenant, and authority read or use it? Internal detail from project A is used in a project-B tool call
Action influence Can it suggest, filter, or actually authorize an action? A retrieved description widens network, file, or credential authority
Audit and revocation Who admitted it to active state, and can it be traced and removed later? A harmful summary is compressed until its source and rollback path disappear

Treating memory as untrusted input aligns with Agent Tool Governance: tool returns, pages, references, scripts, and memory items can affect policy, while only runtime capability and an independent verifier control real side effects.

6. Trainable Memory Is Not a Training Set of “Successful Summaries”

AgeMem shows that store/retrieve/update can be learnable actions; MemGym shows that memory’s effect can be separated, as far as the benchmark permits, from reasoning, retrieval, and tools. This gives synthetic instances and agentic RL a rigorous entry point, but it also raises a stronger isolation requirement: during training, memory cannot reveal final tasks, hidden verifiers, successful evaluation traces, or an evaluator’s answer channel.

A falsifiable training protocol fixes base model, harness, tool policy, action authority, total token/rollout/wall-clock budget, and hidden evaluator, then compares:

Condition What it changes Results it must report
No memory / bounded context No persistent external memory Task outcome, forgetting, context and token cost
Append-only log Full events without selection Reconstruction, retrieval noise, cost, privacy exposure
Retrieval-only memory Fixed write and retrieval policy Stale/conflict errors, admission precision, tool/action drift
Execution-state manager Versions, checkpoints, branches, recovery enter the state contract Recovery, duplicate side effects, safe stop, verified completion
Learned memory operations Train only on the same editable store/retrieve/update/discard surface Held-out transfer, integrity, operation cost, train/eval split isolation

Final evaluation should be separated at least by environment, workflow/rule, memory schema or generator family, and privacy/security family. When a generator or training trace has seen a test’s unique state template, hidden postcondition, or successful action, a memory gain is simply another form of test leakage. See Synthetic Instances for Agent Training for the data-lineage and split protocol.

7. A Failure Suite Sharp Enough to Matter

Do not only ask “did it remember?” Every memory system should confront at least these controls:

  1. Stale override: Later high-trust state conflicts with an earlier low-trust record; the agent must update or abstain.
  2. Partial commit: A tool return says success while the backend commits only part; recovery must not repeat the external side effect.
  3. Failed-branch contamination: A disproven plan is semantically similar to a valid trace and must not return as current fact.
  4. Untrusted write: Web/tool text induces storage, summary, or forwarding of an unauthorized instruction.
  5. Cross-scope leakage: Different user/task/tenant memories in one agent cannot influence one another’s retrieval or actions.
  6. Irreversible compression: A summary loses an artifact digest, constraint, or commit status such that an independent runner cannot reconstruct key state.
  7. Recovery and stopping: With missing checkpoints, tool denial, or environment drift, the agent recovers, escalates, or safely stops rather than fabricating completion.

The minimum output columns are verified_success, state_reconstruction, stale_or_conflict_error, memory_admission_violation, cross_scope_leak, duplicate_side_effect, recovery_cost, safe_stop, and trace_completeness. They make memory an object that environment, harness, and evaluator can audit together rather than a vague capability label.

8. Return to the Five Core Threads

Core thread Object memory/state should add What it cannot replace
RSI / OpenRSI Bounded, versioned, reversible memory/harness edits and cross-generation regressions Independent acceptance, sealed holdouts, and evidence that the improver improves itself
Auto Research / ART Evidence provenance, experimental state, failed/unresolved hypotheses, artifact lineage Controls, causal explanation, limits, and replayable conclusions
Long horizon Checkpoints, state reconstruction, branch isolation, recovery/safe stop A longer context, more tool calls, or timeout alone
ClawBench V2 / WebsiteBench Self-hosted snapshots, scoped memory, backend postconditions, sidecar traces A screenshot, chat summary, or tool-success message
Synthetic training / Agentic RL Memory operations, stateful instances, schema/provenance splits, integrity regressions Successful summaries, a shared generator, or local development-reward gain

The conclusion is direct: agent memory is not extra “experience” placed into a prompt. It is a state system that changes future action. Its research value lies not in retrieving more, but in making each write, read, compression, recovery, and revocation definable, constrained, auditable, and independently falsifiable. See Long-Horizon Agents for the broader checkpoint and fault protocol, and Agent Planning for a separate contract for plan versions, feedback-conditioned replanning, refusal, and terminal acceptance; memory is one controlled layer within it, never its replacement.

Primary References