OpenShart
Enterprise-Grade Encrypted Memory for AI Agents
Works with OpenClaw, CrewAI, LangChain, LlamaIndex, AutoGen, and any agent framework that touches sensitive data.
If your agent memory leaks, you're going to OpenShart yourself.
Your agents have a memory problem
Whether you're running CrewAI workflows, LangChain chains, OpenClaw tasks, or AutoGen conversations — your agents handle patient records, financial projections, API keys, and acquisition strategy. Standard database encryption means one breach exposes everything.
Without OpenShart
One breach. Everything exposed.
With OpenShart
Full breach. Meaningless shards.
Agent context is the new attack surface. Every LangChain memory store, every CrewAI agent conversation, every OpenClaw task result — your LLM remembers everything your employees tell it, and right now that memory is sitting in a database with the same security as a post-it note.
How it works
Three layers of defense between your agent's memories and anyone who shouldn't have them. Drop-in for any framework — OpenClaw, CrewAI, LangChain, LlamaIndex, or custom.
Fragment
Shamir's Secret Sharing splits every memory into K-of-N shards. No single shard contains usable data. You choose the threshold — 3-of-5 for standard, 5-of-8 for classified.
GF(2^8) polynomial interpolation
Encrypt
Each fragment gets its own AES-256-GCM encryption with per-fragment derived keys via HKDF. PII is auto-detected and classified before fragmentation even begins.
Per-fragment derived keys via HKDF
Distribute
Encrypted fragments are distributed across storage. No single location holds a complete memory. Even with full database access, an attacker gets meaningless noise.
Storage-agnostic backends
+ ChainLock Temporal Sequence Locks
Fragments must be decrypted in a cryptographically random sequence, within strict time windows, with chain tokens linking each step. Stolen fragments are useless without the sequence. Automated attacks are detected via timing analysis. The sequence rotates after every successful recall.
Security that isn't a joke
The name is intentional. Everything below is dead serious.
Shamir's Secret Sharing
K-of-N threshold reconstruction over GF(2^8). No single shard contains usable data. Tested with multiple subset combinations.
AES-256-GCM
Authenticated encryption with per-fragment derived keys via HKDF-SHA256. Tamper detection built into every fragment.
Searchable Encryption
HMAC-SHA256 search tokens. Query agent memory without decrypting content. Standard symmetric searchable encryption.
ChainLock Protocol
Temporal sequence locks with breach detection. Fragments must be decrypted in random order within strict time windows. Timing analysis detects automated attacks.
Bell-LaPadula Model
No-read-up, no-write-down access control model. Classification-level gating for reads and writes following the BLP formal security policy.
Enterprise RBAC
Role hierarchy from AGENT to EXECUTIVE, department isolation with encryption namespaces, time-limited delegated keys, and context flow management.
Classification-Aware
Data labeling from UNCLASSIFIED through TS/SCI with SCI compartments, dissemination controls, and need-to-know checks. System-level accreditation is separate.
Zero Dependencies
Node.js crypto only. No supply-chain risk. No bloat. No trust required beyond the runtime.
Pick your paranoia level
From startup to SCIF. One line of config.
Standard
SaaS Applications
- ▸AES-256-GCM encryption
- ▸Shamir fragmentation (2-of-3)
- ▸PII auto-detection
- ▸SHA-256 hash-chained audit log
securityLevel: 'standard'Enterprise
Regulated Industries
- ▸Everything in Standard
- ▸Role-based access control
- ▸Department isolation
- ▸Key rotation + SOC2-ready controls
securityLevel: 'enterprise'Government
High-Security Environments
- ▸Everything in Enterprise
- ▸ChainLock temporal locks
- ▸FIPS 140-2 algorithm enforcement
- ▸Bell-LaPadula model + classification labels
securityLevel: 'government'Classified
TS/SCI Data Labeling & Air-Gap
- ▸Everything in Government
- ▸TS/SCI compartment labeling (GAMMA, HCS, SI, TK)
- ▸Two-person integrity fields
- ▸Air-gap architecture ready
securityLevel: 'classified'Five lines to fortress
Store, search, recall, forget. That's the entire API.
import { OpenShart, MemoryBackend, Classification } from 'openshart';
import { randomBytes } from 'node:crypto';
const shart = await OpenShart.init({
storage: new MemoryBackend(),
encryptionKey: randomBytes(32),
securityLevel: 'government',
});
// Store — PII auto-detected, fragmented, encrypted, ChainLock-secured
const { id } = await shart.store(
"Patient John Doe, SSN 123-45-6789, diagnosed with hypertension",
{
classification: Classification.SECRET,
compartments: ['MEDICAL'],
tags: ['patient', 'diagnosis'],
}
);
// Search — HMAC tokens only, content never decrypted
const results = await shart.search('patient diagnosis');
// Recall — ChainLock sequence enforced, access control verified
const memory = await shart.recall(id);
// Forget — DoD 5220.22-M 3-pass overwrite + cryptographic erasure
await shart.forget(id);
Frequently asked questions
Yes, we get the name question a lot.
Yes, the name is intentional. The security is not a joke. OpenShart implements AES-256-GCM, Shamir's Secret Sharing, a Bell-LaPadula access model, FIPS-ready algorithm enforcement, and classification-aware data labeling with compartmentalization. The absurdity of the name is inversely proportional to the seriousness of the security.
The cryptographic core (AES-256-GCM, Shamir's Secret Sharing, ChainLock) is tested and production-grade. The compliance modules provide tooling that supports SOC2, HIPAA, and GDPR posture — but organizational certifications like SOC2 Type II require independent audits, and HIPAA compliance requires BAAs and operational controls beyond what any library provides. OpenShart gives you the technical building blocks.
Because a database breach exposes everything. OpenShart fragments data using Shamir's Secret Sharing — no single storage location holds a complete memory. Even with full database access, an attacker gets meaningless encrypted shards.
OpenShart implements a classification-aware data model from UNCLASSIFIED through TS/SCI with SCI compartments, need-to-know checks, and dissemination controls. However, processing classified data in production requires system-level accreditation (RMF/DAAPM), accredited facilities, and third-party assessment. The library provides the access control architecture — the deployment environment provides the accreditation.
Tell them it stands for Open Secure Hierarchical Agent Recall & Tokenization. That's not true, but it works in a slide deck.
Zero. OpenShart uses only Node.js built-in crypto. No supply-chain risk. No bloat. Optional peer dependencies for storage backends (better-sqlite3, pg).
OpenShart provides technical controls aligned with SOC2 Trust Services Criteria (audit logging, encryption at rest, access control), HIPAA technical safeguards (PHI detection, minimum necessary patterns), GDPR Article 17 (application-level cryptographic erasure), and NIST 800-53 control families (SC-12, SC-13, AU-2, AC-2/3/6). These are building blocks for compliance — not certifications themselves.