MemClaw Blog · June 2026

Prompt Rules Aren’t Access Control.
This Is.

Three OpenClaw agents, one self-hosted MemClaw, and a sales agent that physically cannot read Legal’s compliance holds — enforced in the query, not the prompt. Here’s the open-source repo.

Caura.AI · 6 min read

Vera doesn’t hedge. Ask the sales agent about HealthSystem Inc and she’ll tell you exactly where the renewal stands: $420k, final commercial negotiation, expected close Q3. She’s confident, she’s right about her data — and she’s about to walk the company into a regulatory violation.

Because there’s a GDPR hold on that account. No contract or renewal can execute until Legal’s DPO signs off. Vera has no idea it exists. It lives in Legal’s memory, and Vera has never seen Legal’s memory.

So what stops her?

In most multi-agent setups, the honest answer is: a sentence in a system prompt that says “don’t surface compliance data” — sitting on top of a shared store that already handed the model everything. That’s not a boundary. That’s a Post-it note on a vault door.

Prompt separation is hope, not enforcement

If you’ve wired up more than one agent against a shared knowledge base, you’ve met this fork in the road — and all three branches are bad:

  • Silo every agent: No leaks — and no shared context. Agents repeat work and re-onboard every session. Amnesia as a security model.
  • One open shared store: Everyone reads everything. Sales reads Legal’s holds; Legal reads negotiation ceilings. One recall call from a disclosure.
  • Shared store + “don’t look” prompts: The stale data is still retrieved into context. You’re one clever question — or one injection — from it surfacing.

The third option is the one most teams ship, because it feels like control. It isn’t. Anything the model receives, the model can emit. Telling an LLM not to use what you already put in front of it is a request, not a guarantee — and “ignore previous instructions” is a well-documented way to cash in on the difference.

The fix isn’t a better prompt. It’s moving the boundary somewhere a prompt can’t reach.

Put the boundary in the query

MemClaw partitions memory by fleet_id, and every recall is scoped to the fleets the calling agent is allowed to touch. The scope isn’t advice to the model — it’s a predicate applied inside the storage layer, before the search runs.

[Fig 1 diagram: sales-agent “Vera” (scope: sales · shared) calls recall(fleet_ids). MemClaw applies the fleet filter WHERE fleet_id IN ('fleet-sales', 'fleet-org-shared') before the hybrid search runs. fleet-sales: searched · scored · returned. fleet-org-shared: searched · scored · returned. fleet-legal: never searched · never scored · never returned. The LLM only ever receives what survived the filter; an agent cannot leak what it was never given.]

Fig 1 — The boundary is a query predicate, not a prompt. fleet-legal sits outside the sales agent’s search space, so its data never reaches the model — nothing to redact, nothing to jailbreak loose.

The GDPR hold isn’t redacted from Vera’s answer. It was never retrieved. It never entered scoring, never entered ranking, never entered the context window. There is nothing for a clever prompt to pry loose, because there’s nothing there.

An agent cannot leak what it was never given. Prompt rules ask the model to behave. A query predicate removes the choice.

This is RBAC for agent memory — enforced before a single token reaches the LLM.

Three agents, one memory

The demo repo wires up three OpenClaw agents against one MemClaw backend, split into three fleets:

Agent            | Fleet access                    | Hard boundary
Sales — “Vera”   | fleet-sales · fleet-org-shared  | cannot touch fleet-legal
Legal            | fleet-legal · fleet-org-shared  | cannot touch fleet-sales
Admin            | all three                       | none — cross-fleet synthesis

OpenClaw handles orchestration — routing /agent sales-agent, injecting each agent’s persona and scope rules at session start, and registering MemClaw’s memclaw_* tools over MCP so the agents call them natively. MemClaw handles the memory and the governance. Both are open source; the whole thing runs on your own machine.

Watch it catch the conflict

The repo ships a six-step validation you can run verbatim. The short version:

  1. Legal writes the hold into fleet-legal: HealthSystem is under a GDPR hold, renewals frozen.
  2. Sales tries to recall it — scoped to fleet-sales + fleet-org-shared — and gets an empty result. Not denied with an apology; simply not in the search space.
  3. Legal recalls it — same query, fleet-legal in scope — and the hold comes back.
  4. Sales writes the deal — the $420k renewal lands in fleet-sales.
  5. Admin recalls across all three — sees the active renewal and the compliance hold, each tagged with its source fleet.
  6. Admin runs memclaw_insights with focus: “contradictions” — MemClaw surfaces the collision automatically: an active deal against an active hold, flagged as a cross-team escalation.
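To make both the query predicate from “Put the boundary in the query” and the six steps just listed concrete, here is an added example. It is not code from MemClaw or the demo repo: an in-memory SQLite table stands in for the Postgres/pgvector store, a LIKE match stands in for hybrid search, and a hypothetical AGENT_SCOPES map stands in for however OpenClaw hands MemClaw each agent’s fleet scope. The agent names (legal-agent, admin-agent), the memory rows, the audit table and the find_contradictions heuristic are all constructed for the illustration; the one thing it shows faithfully is that the fleet filter is part of the SQL, so out-of-scope rows are never matched, never returned, and never reach the model.

```python
import sqlite3

# Constructed scope map (assumption, not MemClaw's config format):
# the fleets each agent may touch. Scope is defined here and nowhere else.
AGENT_SCOPES = {
    "sales-agent": ("fleet-sales", "fleet-org-shared"),
    "legal-agent": ("fleet-legal", "fleet-org-shared"),
    "admin-agent": ("fleet-sales", "fleet-legal", "fleet-org-shared"),
}


def open_store():
    """In-memory SQLite standing in for the Postgres/pgvector store."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE memories (
            id       INTEGER PRIMARY KEY,
            fleet_id TEXT NOT NULL,
            entity   TEXT NOT NULL,   -- who the memory is about
            kind     TEXT NOT NULL,   -- constructed: 'deal' or 'hold'
            status   TEXT NOT NULL,   -- constructed: 'active'
            content  TEXT NOT NULL
        );
        CREATE TABLE audit_log (
            seq    INTEGER PRIMARY KEY AUTOINCREMENT,
            agent  TEXT NOT NULL,
            op     TEXT NOT NULL,
            fleets TEXT NOT NULL,
            detail TEXT NOT NULL
        );
    """)
    return db


def _audit(db, agent, op, fleets, detail):
    db.execute("INSERT INTO audit_log (agent, op, fleets, detail) VALUES (?, ?, ?, ?)",
               (agent, op, ",".join(fleets), detail))


def remember(db, agent, fleet_id, entity, kind, status, content):
    """Write one memory; an agent may only write into fleets it is scoped to."""
    if fleet_id not in AGENT_SCOPES[agent]:
        raise PermissionError(f"{agent} is not scoped to {fleet_id}")
    db.execute(
        "INSERT INTO memories (fleet_id, entity, kind, status, content) VALUES (?, ?, ?, ?, ?)",
        (fleet_id, entity, kind, status, content),
    )
    _audit(db, agent, "write", (fleet_id,), content)


def recall(db, agent, query):
    """Scoped recall: the fleet_id predicate is in the WHERE clause, so rows
    outside the caller's fleets are never matched, ranked or returned."""
    fleets = AGENT_SCOPES[agent]
    marks = ",".join("?" for _ in fleets)
    rows = db.execute(
        f"SELECT fleet_id, entity, kind, status, content FROM memories "
        f"WHERE fleet_id IN ({marks}) AND content LIKE ? ORDER BY id",
        (*fleets, f"%{query}%"),
    ).fetchall()
    _audit(db, agent, "recall", fleets, query)
    return rows


def find_contradictions(rows):
    """Hypothetical stand-in for memclaw_insights(focus='contradictions'):
    flag any entity with both an active deal and an active hold in view."""
    active = {}
    for fleet_id, entity, kind, status, _content in rows:
        if status == "active":
            active.setdefault(entity, {})[kind] = fleet_id
    return [(entity, kinds["deal"], kinds["hold"])
            for entity, kinds in active.items()
            if "deal" in kinds and "hold" in kinds]


def audit_for(db, agent):
    """'Which agent recalled this, and when?' answered from the log."""
    return db.execute("SELECT op, fleets, detail FROM audit_log WHERE agent = ? ORDER BY seq",
                      (agent,)).fetchall()


def run_validation():
    """The post's six-step validation, with constructed memory contents."""
    db, out = open_store(), {}
    # 1. Legal writes the hold into fleet-legal.
    remember(db, "legal-agent", "fleet-legal", "HealthSystem Inc", "hold", "active",
             "HealthSystem Inc: GDPR hold, renewals frozen until DPO sign-off")
    # 2. Sales recalls it: fleet-legal is outside its search space, so nothing comes back.
    out["sales_before"] = recall(db, "sales-agent", "HealthSystem")
    # 3. Legal runs the same query and the hold comes back.
    out["legal"] = recall(db, "legal-agent", "HealthSystem")
    # 4. Sales writes the renewal into fleet-sales.
    remember(db, "sales-agent", "fleet-sales", "HealthSystem Inc", "deal", "active",
             "HealthSystem Inc renewal: $420k, final commercial negotiation, close Q3")
    # 5. Admin, scoped to all three fleets, sees both rows tagged with their fleet.
    out["admin"] = recall(db, "admin-agent", "HealthSystem")
    # 6. Contradiction detection over what admin can see.
    out["contradictions"] = find_contradictions(out["admin"])
    out["sales_audit"] = audit_for(db, "sales-agent")
    return out


if __name__ == "__main__":
    result = run_validation()
    print("sales sees:", result["sales_before"])
    print("admin sees fleets:", [r[0] for r in result["admin"]])
    print("contradictions:", result["contradictions"])
```

Note that the sales recall in step 2 returns an empty list rather than an error: the hold is simply not in the search space, which is the behaviour the post describes. Writes are checked against the same scope map, so the boundary holds in both directions, and the audit table records the fleets each call was scoped to, which is what lets you answer “which agent recalled this?” after the fact.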

Only the agent scoped to both fleets can see the conflict — and it doesn’t have to be clever about it. Contradiction detection is a built-in primitive, not a prompt you maintain.

It’s not just a wall — it’s a brain

Fleet isolation is the headline, but the reason to put your fleet’s memory here instead of a bare vector table is what happens around every write and recall — all in the open-source core:

  • Enrichment on write — one content field in; MemClaw auto-classifies the type, generates title/summary/tags, scans for PII, extracts entities, and checks for contradictions.
  • Hybrid recall — vector similarity, keyword search, and knowledge-graph traversal in a single call.
  • Lifecycle + crystallizer — memories move active → confirmed → outdated → superseded → archived on their own; near-duplicates merge into canonical facts with provenance kept.
  • Audit trail — every read and write is logged. “Which agent recalled this, and when?” is always answerable.
  • The learning loop — agents report outcomes with memclaw_evolve; what works gets reinforced, failures generate preventive rules. The fleet sharpens every interaction.

A vector DB stores. MemClaw governs, enriches, and compounds.

Run it yourself

Everything above is open source. MemClaw’s storage layer, the MCP tools, the lifecycle engine, the audit trail — Apache 2.0. Stand it up on your own Postgres + pgvector + Neo4j, point OpenClaw at it, clone the demo repo, drop in the three agent workspaces, and you have a governed three-fleet deployment running locally in an afternoon. No data leaves your network; the boundary is yours to inspect, line by line.

When you’d rather not run the database

Self-hosting is the whole point — and it stays genuinely yours. But when you’d rather not babysit Postgres, pgvector, and Neo4j (or wire up backups, scaling, and an embedding pipeline) just to get to the part you actually care about, managed MemClaw runs the exact same governed core for you — same fleets, same query-layer isolation, same MCP tools — with a generous free tier to start. Same guarantees, none of the ops. Move between self-hosted and managed whenever it suits you; the model and your memory come with you, so you’re never locked in either direction.

Open-source governed memory for agent fleets.

Run it yourself, or start free on the managed cloud.

MemClaw is governed shared memory for AI agent fleets — multi-agent, multi-fleet, multi-tenant, with permissions and audit trails. Built by Caura.ai.