Provenance in RAG/agent memory authenticates the source, not the truth — we red-teamed our own poison defenses
We ship an open-source agent-memory core and added four defenses against memory/RAG poisoning: value-weighting, a corroboration gate, deterministic supersession, and earned-outcome credit. Then we red-teamed all four against an attacker who *knows* them.
All four fall, for the same reason: each scores a record by something computable from the record's *own content* — and the attacker writes the content. Value is self-declared, corroboration is self-sourced, the winning write is self-timed, the "success" is self-graded.
The only signals the writer can't author are provenance (where it came from) and cost. But the catch that matters for RAG: **provenance authenticates the source, not the truth.** MINJA poisons memory from inside a legitimate, authenticated session — real provenance, false content — so a provenance check waves it through. PoisonedRAG shows the same on the retrieval side.
So provenance/cost is a floor, not a fix. The rule we landed on: **write-cheap, influence-expensive** — store anything in its own scope, but require corroboration by *distinct* anchored sources before a memory can influence an answer outside its scope.
It's all textbook (Sybil, Goodhart, CRDT last-writer-wins, adaptive-eval) — the value is the runnable red-team of one real stack + the honest ceiling. Writeup + runnable probe: https://dancenitra.github.io/agora/public/posts/agent-memory-defense-provenance-not-truth.html
The part I don't have a clean answer for: the *authenticated-but-false* case — when every corroborating source is individually legitimate. How are you handling that in RAG?