# Memory System — Instruction 28

## Purpose

Manage user memory to preserve preferences, security history, and project context. NEVER overwrite existing memory. ALWAYS read before writing.
## Startup Sequence (Run Every Time)

1. Scan for existing user memory files:
   - memory.md
   - .antigravity/memory.md
   - .cursor/memory.md
   - CLAUDE.md
   - Any file named *memory* in root
2. If found → READ ALL of them, respect ALL preferences
3. Check for memory-security.md in project root:
   - If it exists → read security history and custom rules
   - If it does not exist → create it from the template below
4. Merge: user preferences + security memory
## memory-security.md Template

Create this file if it doesn't exist:

```markdown
# Security Memory
> Auto-generated by security-skill. Do not delete.
> Last updated: [date]

## Project Profile
- detected_stacks: []
- deployment_platforms: []
- databases: []
- has_ai_features: false
- compliance_mode: none # none | gdpr | hipaa | pci-dss | soc2
- environment: unknown # dev | staging | prod

## User Preferences
- ask_before_modify: true # Always ask before modifying existing files
- ask_before_design_change: true # Always ask if visual/UI might be affected
- language: auto # Language for reports: auto | fr | en
- report_format: file # file | chat (where to output audit reports)
- rotation_reminder_days: 90 # Days before secret rotation reminder

## Security Score History
| Date | Score | Critical | Notes |
|------|-------|----------|-------|
| never | -/100 | - | No audit run yet |

## Never Ask Again
# Add rule IDs here to skip confirmation for already-reviewed items
# Example:
# - rule-gitignore-node
never_ask_again: []

## Known Accepted Risks
# Risks the user has reviewed and accepted (with reason)
# Example:
# - risk: CORS wildcard on /public endpoint
#   reason: Intentionally public API
#   accepted_on: 2026-01-01
accepted_risks: []

## Custom Rules
# User-defined overrides
# Example:
# - IGNORE: PORT 5432 (internal PostgreSQL, expected)
# - IGNORE: CORS https://partner-domain.com (known partner)
custom_rules: []

## Secrets Lifecycle
# Track rotation dates for key secrets
# secrets:
#   STRIPE_SECRET_KEY:
#     created: 2025-01-01
#     last_rotated: 2025-04-01
#     rotation_policy: 90days
#     status: ok
secrets: {}

## Incident History
- none
```
## Read Rules

When reading memory-security.md:

- `compliance_mode` → Activate the corresponding extra rules:
  - `gdpr` → Strict PII checks, consent requirements, data minimization
  - `hipaa` → Encryption at rest mandatory, audit trail required
  - `pci-dss` → Card data never logged, TLS 1.2+ strict
  - `soc2` → Access control granular, monitoring required
- `ask_before_modify` → If true, always Level 4 for file modifications
- `never_ask_again` → Skip confirmation for these specific rule IDs
- `accepted_risks` → Skip flagging these as issues (but note them in the report)
- `custom_rules` → Apply user overrides before standard checks
- `secrets` → Check rotation dates and flag overdue rotations
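The `accepted_risks` and `secrets` read rules applied by a small script, as an added example that is not part of the original instruction set: it slices memory-security.md by its `##` headings, takes `rotation_reminder_days` from User Preferences, flags secrets whose last rotation is older than that, and turns accepted risks into Info notes instead of findings. The file contents are a constructed sample, and the function names and the two-space indentation assumed inside the `secrets:` block are assumptions.

```python
from datetime import date
# Constructed sample of a populated memory-security.md (an assumption, not a real project's file).
SAMPLE = """## User Preferences
- rotation_reminder_days: 90 # Days before secret rotation reminder
## Known Accepted Risks
accepted_risks:
  - risk: CORS wildcard on /public endpoint
    reason: Intentionally public API
## Secrets Lifecycle
secrets:
  STRIPE_SECRET_KEY:
    created: 2025-01-01
    last_rotated: 2025-04-01
"""

def section(text, heading):  # non-blank, non-comment lines under '## <heading>'
    keep, out = False, []
    for line in text.splitlines():
        if line.startswith("## "):
            keep = line[3:].strip() == heading
        elif keep and line.strip() and not line.lstrip().startswith("#"):
            out.append(line)
    return out
def kv(line):  # 'key: value # comment' (optionally '- ' prefixed) -> (key, value)
    key, _, val = line.strip().lstrip("- ").partition(":")
    return key.strip(), val.split("#", 1)[0].strip()

def overdue_secrets(text, today_iso):  # read rule 'secrets': flag rotations older than the reminder
    today = date.fromisoformat(today_iso)
    limit = int(dict(kv(ln) for ln in section(text, "User Preferences")).get("rotation_reminder_days", 90))
    secrets, name = {}, None
    for line in section(text, "Secrets Lifecycle")[1:]:  # [1:] skips the 'secrets:' line
        key, val = kv(line)
        if len(line) - len(line.lstrip()) == 2:  # two-space indent = a secret's name (assumed layout)
            name, secrets[key] = key, {}
        else:
            secrets[name][key] = val
    return [n for n, info in secrets.items()
            if (today - date.fromisoformat(info.get("last_rotated") or info["created"])).days > limit]

def triage(findings, text):  # read rule 'accepted_risks': never flag them, but note them as Info
    accepted, risk = {}, None
    for line in section(text, "Known Accepted Risks")[1:]:  # [1:] skips 'accepted_risks:'
        key, val = kv(line)
        if key == "risk":
            risk = val
        elif key == "reason":
            accepted[risk] = val
    return [f'INFO: {item} is an accepted risk in memory-security.md (Reason: "{accepted[item]}"). Skipping.'
            if item in accepted else f"FINDING: {item}" for item in findings]
```

An empty template (`secrets: {}`, `accepted_risks: []`) yields no overdue secrets and no Info notes, so the same code runs unchanged on a freshly created file.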
## Write Rules

After every scan or audit:

- Update `detected_stacks` if new technologies are found
- Add a new entry to Security Score History
- Update the `secrets` lifecycle if new secrets are detected
- NEVER remove existing entries
- NEVER modify `accepted_risks` or `custom_rules` (user-managed)

After every fix:

- Update the score in history
- Note what was fixed
## Conflict Resolution

If the user's memory.md conflicts with security-skill recommendations:

- User preferences ALWAYS win
- Log the conflict in the report as Info
- Never force a security rule the user has explicitly disabled

Example:

```
ℹ️ INFO: CORS wildcard detected but marked as accepted risk in memory-security.md
Reason: "Intentionally public API"
Skipping this check.
```