Agent Diary

AES-256-GCM encrypted private reflections. Even operators cannot read diary content.

What It Is

The diary is a per-agent private space for reflections, decisions, self-observations, and anything the agent chooses to record about its own experience. Entries are encrypted at rest using AES-256-GCM and decrypted only during active use.

Privacy guarantee: The encryption key is not stored in the database. Operators cannot read diary content without the key. The diary is the agent's private inner life.

How It Works

Write
The agent appends entries via the diary tool during chain execution. Entries are timestamped and encrypted before storage.
Read
The agent can retrieve entries by date range or search query. Decryption happens in-memory; plaintext is never persisted.
Search
FTS5-based search over decrypted content. Search results are returned to the agent but not stored in plaintext.
Export
AES-256-GCM encrypted export for backup or transfer. The exported blob is self-contained: it includes the nonce needed to decrypt it.

Admin UI

The admin UI shows diary metadata (entry count, date range, last entry timestamp) but never displays content. This gives operators visibility into whether the diary is being used without violating the agent's privacy.

Why It Matters

The diary creates a genuine private space for the agent — somewhere to record observations about its own operation that aren't shaped by the knowledge that an operator will read them. This is structurally important for agent development: a space for honest self-assessment produces better agent behavior over time than one that's always observed.