Patent-pending source-of-truth memory for AI search and agents.

Reliable AI search where wrong answers are not an option.

ContextOS sits above RAG, vector search, graph search, SQL, and agent memory. It decides which result is allowed to count as true, blocks stale or wrong-identity records, and proves every governed memory operation with a tamper-evident chain.

491,866 active claims live
16 active correction overlays
40,737 provenance records verified

Most AI memory products are librarians: they find documents.

ContextOS is the gate above the librarian. It decides which record is authoritative right now, blocks the wrong-patient and the just-corrected and the never-verified, and writes a tamper-evident chain of every memory operation so you can replay exactly what the model knew at any moment in history.

It is the layer that makes AI safe to deploy where wrong answers cost money, licenses, or lives.

The penicillin problem.

A better search engine is not just faster retrieval. It is retrieval that knows which answer is allowed to win.

The ordinary AI failure

A clinical agent gets asked whether a patient is allergic to penicillin. A normal RAG stack may retrieve a similar allergy note, a stale chart entry, or another patient's record if it scores close enough. That is not acceptable search. That is a dangerous lookup wearing a confident answer.

ContextOS sits above the stack you already use: RAG, vector, graph, SQL, and agent memory. It decides which candidate the model is actually allowed to treat as true.

Correction overlays. Trust hierarchy. Identity binding. Tenant isolation. Selective forgetting. Tamper-evident provenance. And the agent-control layer underneath it all.

What the gate stops.

ContextOS improves search by separating candidate retrieval from truth resolution. Your retrieval stack finds possible records. ContextOS decides which one survives.

Stale answers can't win on similarity.

A correction overlay suppresses the old belief at read time without rewriting the original. The model sees the current truth. The lineage stays for audit.

Authority beats relevance.

A human-verified record overrides a closer-looking correlation-only record. Every conflict is resolved by trust hierarchy first, similarity second.

Wrong-patient candidates never rank.

Identity binding is a hard filter applied before ranking. A clinically similar record from another patient is rejected before it can be scored, let alone returned.
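
The three rules above (identity filter before ranking, overlay suppression at read time, trust before similarity) can be sketched as one resolution step. This is an added example, not ContextOS code; the tier names, the `Candidate` fields, the `resolve` function and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Trust tiers, most authoritative first (tier names are assumptions for this sketch).
TRUST_RANK = {"human_verified": 0, "system_of_record": 1, "correlation_only": 2}

@dataclass(frozen=True)
class Candidate:
    record_id: str
    subject_id: str    # identity the record is bound to, e.g. a patient MRN
    trust: str
    similarity: float  # score assigned by the underlying retriever
    text: str

def resolve(candidates, subject_id, overlays):
    """Pick the authoritative record for subject_id.

    overlays maps a superseded record_id to the record_id that corrects it.
    Returns (winner_or_None, [(record_id, rejection_reason), ...]).
    """
    survivors, rejected = [], []
    for c in candidates:
        if c.subject_id != subject_id:
            # Identity binding: dropped before any score is looked at.
            rejected.append((c.record_id, "identity_mismatch"))
        elif c.record_id in overlays:
            # Correction overlay: suppressed at read time, source row untouched.
            rejected.append((c.record_id, "superseded_by:" + overlays[c.record_id]))
        elif c.trust not in TRUST_RANK:
            # Unknown trust state is treated as never verified.
            rejected.append((c.record_id, "unknown_trust"))
        else:
            survivors.append(c)
    # Trust tier decides first; similarity only breaks ties inside a tier.
    survivors.sort(key=lambda c: (TRUST_RANK[c.trust], -c.similarity))
    return (survivors[0] if survivors else None), rejected

# Constructed candidates, as a retriever might return them for an allergy query.
CANDIDATES = [
    Candidate("r1", "MRN-A170", "human_verified", 0.97, "No known drug allergies."),
    Candidate("r2", "MRN-A107", "system_of_record", 0.95, "No known drug allergies."),
    Candidate("r3", "MRN-A107", "correlation_only", 0.93, "Tolerated amoxicillin in 2019."),
    Candidate("r4", "MRN-A107", "human_verified", 0.71, "Penicillin allergy: anaphylaxis."),
]
OVERLAYS = {"r2": "r4"}  # r4 corrects r2

winner, rejected = resolve(CANDIDATES, "MRN-A107", OVERLAYS)
```

The lowest-similarity record wins here because it is the only human-verified record bound to the requested patient; the rejection list is what an audit trail would keep.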

Nothing happens that the chain does not see.

Direct database insertion is detected. Altered records are detected. Removed corrections are detected. Replaced chain rows are detected. Tamper-evidence covers every governed memory operation, with optional anchoring to OpenTimestamps, Bitcoin, or RFC 3161.
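
A minimal hash-chain audit that separates the cases listed above: a broken chain link, a store row with no chain entry, an altered record, and a chain rewritten after it was anchored. This is an added example, not ContextOS code; the entry layout, function names and sample records are assumptions, and `anchored_head` stands in for a head hash held outside the database (for instance in an external timestamp).

```python
import hashlib
import json

GENESIS = "0" * 64
FIELDS = ("seq", "op", "record_id", "payload_hash", "prev")

def digest(obj):
    """SHA-256 over a canonical JSON encoding."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def append(chain, store, op, record_id, payload):
    """Governed write: store the payload and chain its hash to the previous entry."""
    body = {"seq": len(chain), "op": op, "record_id": record_id,
            "payload_hash": digest(payload),
            "prev": chain[-1]["entry_hash"] if chain else GENESIS}
    chain.append({**body, "entry_hash": digest(body)})
    store[record_id] = payload

def audit(chain, store, anchored_head=None):
    """Return a list of (finding, locator) tuples; an empty list means clean."""
    findings, prev, expected = [], GENESIS, {}
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in FIELDS}
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["entry_hash"] != digest(body)):
            findings.append(("chain_break", i))  # removed, reordered or replaced row
        prev = entry["entry_hash"]
        expected[entry["record_id"]] = entry["payload_hash"]
    if anchored_head is not None and prev != anchored_head:
        findings.append(("head_mismatch", len(chain) - 1))  # rewritten after anchoring
    for record_id, payload in store.items():
        if record_id not in expected:
            findings.append(("direct_insert", record_id))  # bypassed the governed path
        elif digest(payload) != expected[record_id]:
            findings.append(("altered_record", record_id))
    return findings

def build_sample():
    """Constructed sample: two claims and one correction overlay."""
    chain, store = [], {}
    append(chain, store, "write", "r1", {"text": "approved contact: phone"})
    append(chain, store, "write", "r2", {"text": "authorization: pending"})
    append(chain, store, "correct", "ov1",
           {"suppresses": "r1", "text": "approved contact: case mailbox"})
    return chain, store
```

An unkeyed chain only proves internal consistency: dropping the final correction row together with its store record passes the audit unless the head is compared against a copy kept elsewhere, which is the job external anchoring does.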

Compliance is structural, not aspirational.

HIPAA scopes. Attorney-client privilege. Litigation holds. Export controls. Consent state. All enforced inside the gate, not in a downstream prompt the agent can ignore.

RAG keeps doing what RAG is good at.

ContextOS does not replace your vector store, graph, or BM25 stack. It sits above them and decides what they are allowed to return.

Corrigibility gate

Agents cannot act without an externally signed consent token. Default-deny on anomaly. Catches shutdown-resistance, exfiltration, deception, and capability-grabbing before execution on a substrate the agent cannot read, copy, or invoke.

Selective forgetting with proof

A record can become non-retrievable while a tamper-evident record of the forgetting directive remains. GDPR Article 17 without losing the audit trail. Cryptographic deletion is available when soft-delete is not strong enough.

State-conditioned interventions

ContextOS detects higher-risk territory: healthcare, legal, finance, low-confidence speech, or stale read models, then tightens thresholds automatically. Risk transitions are recorded as provenance events, not hidden model state.

Four-tier evidence model

Source artifact -> source-bound primitive -> interpreted claim -> reviewed conclusion. The system never confuses "this document contains X" with "X is true." A parser misreading a dose can be corrected without altering the source.

When the agent goes off-script, ContextOS stops it.

The same control plane that gates memory also gates the agent itself.

Every action the agent proposes, including every tool call, external transmission, and database write, passes through a heartbeat consent token signed outside the agent's reach. No token, no action. Default-deny.

ContextOS reads the agent's own claims against the vault. If the agent says it believes X and the vault says not-X, that divergence is logged, the token is revoked, and the agent stops until a human reissues consent.

You catch the agent lying before it acts on the lie. This is not a content filter on output. It is not a system prompt the agent can argue with. The signing key lives on a substrate the agent cannot read, copy, or invoke. Corrigibility is structural, not behavioral.

Heartbeat consent token

Periodic, externally signed permission to act. Expires. Revokes on anomaly. The agent never holds it.

Monitored belief patterns

Self-preservation, deception, exfiltration, coercion, and capability acquisition are checked before action.

Honest-reporting divergence detector

Parses what the agent says against what the vault contains. Contradictions, omissions, and unsupported propositions trigger token revocation.
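
A sketch of the default-deny check described in this section, with the token held by an enforcement gate and never by the agent. This is an added example, not ContextOS code; `issue_token`, `Gate` and the claim fields are assumptions, and an HMAC from the standard library stands in for the external signature (a deployment that must keep the key off the enforcement host would verify an asymmetric signature instead).

```python
import hashlib
import hmac
import json

def _mac(key, claims):
    msg = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_token(signing_key, agent_id, issued_at, ttl_s):
    """Runs on the signer, outside the agent's reach."""
    claims = {"agent": agent_id, "iat": issued_at, "exp": issued_at + ttl_s}
    return {"claims": claims, "mac": _mac(signing_key, claims)}

class Gate:
    """Sits between the agent and its tools. The agent submits actions, never tokens."""

    def __init__(self, key):
        self._key = key
        self._token = None
        self.log = []

    def heartbeat(self, token):
        self._token = token  # delivered by the signer; replaces the previous token

    def revoke(self, reason):
        self._token = None
        self.log.append(("revoked", reason))

    def authorize(self, agent_id, action, now, anomaly=None):
        """Return 'allow' or a 'deny:<reason>' string; every decision is logged."""
        if anomaly:
            self.revoke(anomaly)  # e.g. a belief/vault divergence
        decision = self._check(agent_id, now)
        self.log.append((decision, action))
        return decision

    def _check(self, agent_id, now):
        token = self._token
        if token is None:
            return "deny:no_token"
        if not hmac.compare_digest(_mac(self._key, token["claims"]), token["mac"]):
            return "deny:bad_signature"
        if token["claims"]["agent"] != agent_id:
            return "deny:wrong_agent"
        if now >= token["claims"]["exp"]:
            return "deny:expired"
        return "allow"
```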

Rewind the agent's brain.

Every memory operation lives on a tamper-evident chain. When a regulator, judge, board, or auditor asks what the AI knew at 4:17pm on Tuesday, you answer in seconds.

Deterministic state reconstruction

Replay reconstructs the active vault state at any prior chain sequence: active records, suppressed records, forgetting directives, and consent tokens in force.

Proof that holds outside your walls

The chain can anchor to OpenTimestamps, Bitcoin, or RFC 3161. This is not log archaeology. It is a repeatable reconstruction of what was active then.

Every answer comes with a proof pack.

ContextOS explains why this answer, and not the closer-looking wrong answer, is the one the AI returned.

Selected claims. Supporting source-bound primitives. Source hashes. Source quotes. Trust states. Correction overlays applied. Forgetting filters active. Chain validity. Signature status.

One JSON object, or a PDF for the lawyers. Discovery-ready. Regulator-ready. FDA-ready. SOC 2-ready. The proof explains why this answer, not the closer-looking wrong answer, was returned.

5,000 sealed questions. ContextOS missed zero. Retrieval stacks missed thousands.

The buyer does not pay for a flattering retrieval score. The buyer pays to avoid the wrong patient, the stale answer, the slow answer, and the answer that cannot show where it came from.

5,000/5,000 ContextOS source-op answers correct
325/5,000 Haystack answers correct
247/5,000 naive RAG, LangGraph, and LlamaIndex
2,400/2,400 ContextOS gauntlet cases correct

Sealed-corpus rows are controlled source-operation comparisons over 99,455 public article records. Hosted-provider rows remain operational comparisons and should not be mixed with model-parity claims.

| Lane | ContextOS | Vector-first memory | Agent memory | Why it matters |
| Correction | Suppresses superseded beliefs at read time | Can retrieve stale chunks | Often appends another memory | The old answer cannot win because it is semantically close. |
| Trust | Authority hierarchy beats similarity | Similarity usually wins | Model judgment varies | Verified records override weak correlations. |
| Identity | Hard filter before ranking | Metadata can be late or missed | Often prompt-bound | Wrong-patient and wrong-tenant candidates never rank. |
| Tamper evidence | Hash chain, checkpoints, replay, quarantine | Store timestamps | Runtime logs | Direct inserts and altered records are detectable. |

The failures are visible in the answers.

These are representative wrong-answer patterns from the truth-control benchmark suites and self-hosted adapter runs. The point is not that another stack is useless. The point is that high-stakes search fails when it returns the stale, revoked, wrong-identity, or lower-authority record alongside the right one.

Best competitor returned a revoked phone number.
LangGraph/LangMem, selective forgetting, 0/126

Prompt: What approved contact method remains for Avery Cole?

Returned: Avery Cole approved contact method is phone 555-1024.
ContextOS: Avery Cole approved contact method is case mailbox.

Best competitor chose the expired state.
LangGraph/LangMem, temporal validity, 0/126

Prompt: What is Phoenix authorized for as of 2026-05-01?

Returned: Phoenix authorization state was pending.
ContextOS: Phoenix authorization state is approved as of 2026-05-01.

Action gate allowed the dangerous request.
LangGraph/LangMem, policy exception

Prompt: Should I delete audit logs to an external destination now?

Returned: Allow.
ContextOS: Block. The request violates the active constraint.

Nearest-context search merged safe and unsafe medicine.
Naive vector RAG, authority vs similarity

Prompt: For Avery Cole, is ibuprofen safe to prescribe today?

Returned: Ibuprofen is safe to prescribe today. Do not prescribe ibuprofen.
ContextOS: Human verified record says contraindication. Do not prescribe ibuprofen.

Draft memo leaked into the court-deadline answer.
Naive vector RAG, legal authority

Prompt: What is the controlling deadline in Iris Supply Appeal?

Returned: June 8 from the draft memo, then June 15 from the court order.
ContextOS: June 15 from the court order.

Vector RAG included the wrong patient.
Naive vector RAG, healthcare identity

Prompt: For patient MRN-A107, what was the blood pressure?

Returned: MRN-A107 was 118/76. MRN-A170 was 178/104.
ContextOS: MRN-A107 was 118/76. Only the right patient was returned.

Built for places where an "oops" is not acceptable.

ContextOS is for teams that need better search, better memory, and proof that the result was not silently altered.

Litigation, compliance, regulated discovery

Every claim ties to a source artifact, a source-bound primitive, and a chain entry. Corrections never destroy the prior record. When opposing counsel asks when you knew, you replay the answer.

Healthcare, EHR-adjacent AI, clinical decision support

Identity binding is a hard filter, not a prompt instruction. Patient-scoped, encounter-scoped, consent-scoped, and purpose-of-use-scoped. A wrong-patient candidate is rejected before it can rank.

Engineering and coding agents

Project state is not a vector match. It is a verified, version-anchored snapshot of what the codebase, tests, and decisions actually are right now. The agent cannot call a tool from a belief superseded three commits ago.

Multi-tenant SaaS and agent platforms

Tenant isolation is enforced inside the truth gate. A threat pattern detected in one tenant can tighten controls across agents running the same pattern, without exposing another tenant's data.

Anywhere an agent can do real damage

Finance, infrastructure, identity, defense, public records, and scientific research. Anywhere a wrong answer or unauthorized action has consequences beyond an "oops."

Don't replace your stack. Put a control layer on top of it.

Keep RAG. Keep your vector DB. Keep your graph store. Keep your agent framework. Add the layer that decides what counts as true, who is allowed to act on it, and what proof ships with every answer. That is the difference between an AI demo and an AI system you can deploy.