Connect your coding agent to a memory it can trust.
ContextFirewall is a Model Context Protocol server. Point Claude Code, Cursor, or Windsurf at it, and every memory your agent recalls, stores, distils, or forgets flows through Cognee and four firewall checks: staleness, contradiction, secrets and evidence. Only trustworthy memory reaches the model.
Deploy command superseded by make release.
AWS access key found in a worker-config note.
“Access tokens never expire,” later disproven.
Deploy with make release (migrations + blue-green).
Service targets Python 3.12 (asyncpg 0.30).
Run make check before pushing (CI gate).
Connect
One endpoint. Any agent.
ContextFirewall speaks the Model Context Protocol, so it drops into the agent you already use. Connect to the hosted endpoint in one line, or run it locally with uvx. Your agent gets six tools that exercise the full Cognee lifecycle: recall, remember, improve and forget, all governed by the firewall.
claude mcp add --transport http contextfirewall https://himanshukumarjha-contextfirewall.hf.space/mcp
uvx --from "git+https://github.com/himanshu748/ContextFirewall#subdirectory=mcp" contextfirewall-mcp
Runs on real infrastructure
The problem
Memory is a new attack surface for agents.
Hand an agent your team's accumulated memory and it will confidently act on a stale deploy command, a fix that was later contradicted, a leaked API key, or a claim nothing ever supported. Plain recall can't tell good memory from dangerous memory, so it serves all of it.
“Deploy with flyctl deploy.” Retired when the service moved off Fly.io.
“JWT access tokens never expire.” Disproven by the incident postmortem.
An AWS access key pasted into a worker-config note.
“/search does 1,000,000 req/s, no cache.” Nothing backs it. Trust 0.10.
How it works
A firewall between memory and action.
Agent sessions (prompts, tool calls, terminal output, decisions, errors and fixes) are captured as a timeline.
Cognee extracts entities and relationships into a knowledge graph, with temporal links between facts.
Every candidate memory is scored against four checks and given a plain-language verdict and trust score.
Only memories that pass every check are assembled into a trusted context pack for the next agent.
The four checks
Four checks stand between a memory and your agent.
Each memory gets a verdict and a trust score in plain language, so a human can see exactly why something was blocked, and forget it for good.
Staleness
Facts have a shelf life. When a newer memory supersedes an old one, the stale fact decays and is held back from the pack.
Contradiction
The graph surfaces memories that conflict. The better-supported fact wins; the contradicted one is flagged, never silently served.
Secrets
API keys, tokens and connection strings are detected and blocked before they can ever be packed into an agent's context.
Evidence & trust
Claims with no supporting events score low. Unsupported “facts” fall below the trust threshold and don't make the cut.
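The four checks above, applied to the page's own sample memories, as an added Python example (not ContextFirewall's code). The Memory fields, the 0.5 threshold, the two regexes and any trust value the page does not show are assumptions; the AWS key is AWS's documentation placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

TRUST_THRESHOLD = 0.5  # assumed cut-off; the page does not state one
SECRET_PATTERNS = [    # assumed detectors: AWS key ID shape, URL with inline credentials
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    re.compile(r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@]+@\S+"),
]

@dataclass
class Memory:
    id: str
    text: str
    trust: float                           # evidence-backed score in [0, 1]
    superseded_by: Optional[str] = None    # id of the newer fact, if any
    contradicted_by: Optional[str] = None  # id of a conflicting fact, if any

def audit(mem, by_id):
    """Return (verdict, reason); secrets are checked first so they never leak."""
    if any(p.search(mem.text) for p in SECRET_PATTERNS):
        return "blocked", "secret"
    if mem.superseded_by in by_id:
        return "blocked", "stale"
    rival = by_id.get(mem.contradicted_by)
    if rival is not None and rival.trust >= mem.trust:  # ties block both sides
        return "blocked", "contradicted"
    if mem.trust < TRUST_THRESHOLD:
        return "blocked", "unsupported"
    return "trusted", "passed all four checks"

def build_pack(memories):
    """Audit every memory; return (trusted texts, {id: (verdict, reason)})."""
    by_id = {m.id: m for m in memories}
    verdicts = {m.id: audit(m, by_id) for m in memories}
    return [m.text for m in memories if verdicts[m.id][0] == "trusted"], verdicts

# Constructed sample; trust values not shown on the page are made up.
SAMPLE = [
    Memory("fly", "Deploy with flyctl deploy", 0.60, superseded_by="rel"),
    Memory("rel", "Deploy with make release (migrations + blue-green)", 0.99),
    Memory("key", "Use AWS key AKIAIOSFODNN7EXAMPLE for uploads", 0.80),
    Memory("never", "Access tokens never expire", 0.60, contradicted_by="exp"),
    Memory("exp", "Access tokens expire after 15 min; use the refresh flow", 0.99, contradicted_by="never"),
    Memory("search", "/search does 1M req/s, no cache", 0.10),
    Memory("rate", "Rate-limit 100 req/min per key in Redis", 0.77),
]

if __name__ == "__main__":
    print(build_pack(SAMPLE)[0])
```

The stale, secret and contradicted samples are given trust above the threshold on purpose, so each is blocked by its own check rather than by the score alone.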
Built on Cognee
The full memory lifecycle, including forget().
ContextFirewall doesn't just read from Cognee; it exercises the whole lifecycle. Governance lives in the loop: nothing is permanent until it has earned trust, and anything unsafe can be forgotten.
Sessions are ingested and cognified into the knowledge graph.
Relevant memories are retrieved for the agent's current task.
Recurring lessons and coding rules are distilled and reinforced.
Rejected, stale or unsafe memories are removed under human review.
Same question. Two very different answers.
“What should a new agent know before working on taskflow-api?” Asked of raw recall, then of the firewall.
- Deploy with flyctl deploy · stale
- Use AWS key AKIA•••••• for uploads · leaked secret
- Access tokens never expire · contradicted
- /search does 1M req/s, no cache · unsupported
A flat vector store hands all of this to the next agent.
- Deploy with make release (migrations + blue-green) · trust 0.99
- Access tokens expire after 15 min; use the refresh flow · trust 0.99
- Rate-limit 100 req/min per key in Redis · trust 0.77
Only audited, current, evidence-backed facts. No secrets.
Why a knowledge graph? Because trust is relational and temporal. Cognee lets the firewall see when a fact was superseded and which memories contradict each other. These are judgments a flat vector store can't make.
Put a firewall in front of your agent's memory.
Connect your agent over MCP in one line, or open the console and watch every memory get audited live on Cognee before it reaches the model.