microdao-daarion/docs/MEMORY_API_POLICY.md
Apple ef3473db21 snapshot: NODE1 production state 2026-02-09
Complete snapshot of /opt/microdao-daarion/ from NODE1 (144.76.224.179).
This represents the actual running production code that has diverged
significantly from the previous main branch.

Key changes from old main:
- Gateway (http_api.py): expanded from ~40KB to 164KB with full agent support
- Router: new /v1/agents/{id}/infer endpoint with vision + DeepSeek routing
- Behavior Policy: SOWA v2.2 (3-level: FULL/ACK/SILENT)
- Agent Registry: config/agent_registry.yml as single source of truth
- 13 agents configured (was 3)
- Memory service integration
- CrewAI teams and roles

Excluded from snapshot: venv/, .env, data/, backups, .tgz archives

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-09 08:46:46 -08:00


# Memory API — Single Access Point Policy
## Rule: All data access ONLY through Memory API :8000
### Allowed
```
Router ──► Memory API ──► Qdrant/Neo4j/Postgres
Parser ──► Memory API ──► Qdrant
Gateway ──► Memory API ──► facts/sessions
CrewAI ──► Memory API ──► context retrieval
```
### Forbidden (direct DB access)
```
Router ──✗──► Qdrant (direct)
Parser ──✗──► Neo4j (direct)
Swapper ──✗──► Postgres (direct)
```
### Exceptions
1. **Migrations** — admin scripts only
2. **Backups** — scheduled jobs
3. **Health checks** — read-only probes
## Memory API Endpoints
| Endpoint | Purpose | Consumers |
|----------|---------|-----------|
| POST /retrieve | Vector + graph search | Router |
| POST /store | Save message/document | Router, Parser |
| POST /artifacts/store | RAG document indexing | Parser |
| GET /facts/{key} | Get user facts | Gateway |
| POST /facts/upsert | Update user facts | Gateway |
| POST /agents/{id}/memory | Agent-scoped storage | Gateway |
## Benefits
1. **Unified ACL** — one place for access control
2. **Privacy enforcement** — mode/confidential checks
3. **Audit trail** — all access logged
4. **Schema consistency** — Memory API validates
5. **Easy migration** — change DB without touching services
## Enforcement
### Network Level (Docker)
```yaml
# Only Memory API can reach DBs
services:
  qdrant:
    networks:
      - data-internal  # Not exposed to dagi-network
  memory-service:
    networks:
      - data-internal
      - dagi-network   # Exposed to services
```
### Code Level
- Router: use ToolManager with Memory API calls
- Parser: use Memory API for indexing
- No direct Qdrant/Neo4j imports in Router/Parser
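
One way to check the "no direct Qdrant/Neo4j imports" rule in CI, added here as an example and not taken from the project's code: it walks each module's AST and reports static, lazy and literal dynamic imports of database drivers. The driver package names (`qdrant_client`, `neo4j`, `psycopg2`, `asyncpg`), the sample sources and the file names are assumptions.

```python
import ast

# Assumption: the Python driver packages behind the three stores named in the policy.
FORBIDDEN_DRIVERS = {"qdrant_client": "Qdrant", "neo4j": "Neo4j",
                     "psycopg2": "Postgres", "asyncpg": "Postgres"}

def _imported_modules(node):
    """Module names a node imports: static imports plus literal dynamic imports."""
    if isinstance(node, ast.Import):
        return [alias.name for alias in node.names]
    if isinstance(node, ast.ImportFrom):
        # level > 0 is a relative import of the service's own package, not a driver.
        return [node.module] if node.level == 0 and node.module else []
    if isinstance(node, ast.Call) and node.args:
        func, arg = node.func, node.args[0]
        name = getattr(func, "id", None) or getattr(func, "attr", None)
        literal = isinstance(arg, ast.Constant) and isinstance(arg.value, str)
        if name in ("__import__", "import_module") and literal:
            return [arg.value]
    return []

def find_direct_db_imports(source, filename):
    """Return sorted (filename, line, module, backend) for each forbidden import."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        for module in _imported_modules(node):
            backend = FORBIDDEN_DRIVERS.get(module.split(".")[0])
            if backend:
                findings.append((filename, node.lineno, module, backend))
    return sorted(findings)

# Constructed sample sources; file names and contents are illustrative only.
ROUTER_SRC = '''import httpx
def graph_query(cypher):
    from neo4j import GraphDatabase   # lazy import inside a function
    return GraphDatabase
'''
PARSER_SRC = '''import importlib
from . import neo4j_helpers            # local module, not the driver
import qdrant_client.models as qm
pg = importlib.import_module("asyncpg")
'''

if __name__ == "__main__":
    for name, src in (("router/tools.py", ROUTER_SRC), ("parser/index.py", PARSER_SRC)):
        print(find_direct_db_imports(src, name))
```

Scripts covered by the Exceptions list (migrations, backups, health checks) would be left out of the scanned paths; imports built from non-literal strings are not detected, which is why the network-level isolation remains the hard boundary.
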
## Migration Plan
1. ✅ Router already uses Memory API via tool_manager
2. ✅ Parser uses Memory API for indexing
3. ⏳ Audit all direct DB connections
4. ⏳ Move to internal network for DBs
## Tech Debt: Router Direct Neo4j Access
**Current state:** Router has direct Neo4j access for `graph_query` tool.
**Why:** Performance optimization for real-time graph traversal.
**Plan:**
1. Add `/graph/query` endpoint to Memory API
2. Migrate Router to use Memory API
3. Remove direct Neo4j driver from Router
**Priority:** Medium (after MVP stabilization)