Vault · v1.0 local archive · VOAF open format

Your AI memory. Sealed. Yours.

Every AI interaction, every agent decision, every policy verdict is archived in an open, signed, portable format on your own device. Exportable. Searchable. Verifiable by anyone with the public spec. This is the substrate for what comes next: Recall in mid-2026, your Personal Model in Q3 2026.

VOAF · Open audit format · v1.0 published
SQLite · Local storage · On your device
SHA-256 · Chained audit · Tamper-evident
Unlimited · Retention · Fortress and above

Principle

Providers forget. You remember.

AI providers are optimized for the 500 million-user average. They cannot know you. They will not carry your history across models, vendors, or companies. When a provider rotates its memory layer, your context is gone.

Vault is built for the opposite incentive. One user. One history. One copy, owned locally, portable forever. The structural differentiator against any frontier model is not intelligence, it is longitudinal context that cannot be reproduced at planetary scale.

Three stages. One continuous archive.

Vault is not a feature. It is the substrate. Every stage builds on the one before. You are not migrating data between products. You are accumulating a record that becomes more valuable every month.

Live now
Stage 01 · 2026 shipping

Vault. The archive.

Every request, every response, every policy decision, every agent action lands in a local SQLite store on your device. VOAF-formatted. SHA-256 chained. Third-party verifiable via the open-source vigil-verify CLI. Exportable as JSONL at any time. No Vigil dependency to read the data. No subscription required to access what you already have.
SQLite local · VOAF v1.0 · vigil-verify · JSONL export
Mid-2026
Stage 02 · In engineering

Recall. The search layer.

Local vector index over your Vault. Natural-language query across every AI conversation you have ever had. "What did the advisor AI recommend on tax treatment last quarter?" returns the exchange, the policy verdict, and the signed VOAF record in seconds. Runs on device. No cloud retrieval. No provider leak.
Local vectors · Semantic search · On-device inference · Zero cloud reads
Q3 2026
Stage 03 · In engineering

Personal model. The edge.

A local 7B-parameter model fine-tuned on six months of your accumulated Vault history using QLoRA and a LoRA adapter. Your vocabulary. Your ontology. Your decision style. It runs alongside the frontier model, not instead of it. The frontier knows the world. Your model knows you. The two together are what Vigil is building toward.
QLoRA fine-tune · MLX adapter · 7B base · Local inference

Four capabilities. Shipping now.

Vault v1.0 is live in every Vigil installation. The four things it does are deliberately small. The value is in doing them correctly, durably, and in an open format that outlives us.

Capability 01

Archive. Every exchange.

Every AI request and response intercepted by the proxy is appended to Vault. Every policy decision rendered by the Execution Gate is recorded. Every VARP revocation event is logged. The archive is complete by default, not by configuration.
Local SQLite · Append-only · Zero-config
Capability 02

Seal. Each record signed.

Every record is hashed with SHA-256 and chained to the previous entry. Tampering with any single record invalidates every record after it. The chain is verifiable by anyone with the vigil-verify CLI, with no reference back to Vigil servers required.
SHA-256 chain · Offline verifiable · Open CLI
Capability 03

Export. Any time.

One click exports your entire Vault as a JSONL bundle in VOAF-M format. Import into any tool that reads the spec. Drop it in an insurance claim. Hand it to your auditor. Take it with you if you leave Vigil. Your history is not held hostage by a subscription.
JSONL export · VOAF-M format · Portable
Capability 04

Replay. Any incident.

Pick any Vault record. Vault reconstructs the full exchange, the policy context, the scope classification, the detection model scores, and the final verdict. Court-admissible narrative. Insurance-grade evidence. Debuggable for your own purposes.
Full reconstruction · Signed provenance · Court-ready

Integrated with the Cloud Agent Registry.

Every agent that routes through Vigil Gateway receives a TAP-issued certificate. The Cloud Agent Registry is the directory of those agents. Vault now indexes every record by agent identity, not just by session. Your archive knows which agent did what, when it was authorized, and when its authority ended.

Agent-keyed memory, not session-keyed.

Traditional logs key by user and timestamp. That is enough for a single-model world. It falls apart the moment you have a calendar agent, a banking agent, a research agent, and a coding agent all operating on your behalf. Vault keys every record by the TAP agent identity that produced it.

The result is a per-agent history you can reason about. Every agent has a lifespan. Every agent has a scope. Every agent has a revocation event if something went wrong. Vault carries all of it.

  • 01 · Agent-scoped queries

    "Show me everything my research agent did in the last 30 days." One filter, complete history, cryptographically sealed. Works identically whether the agent is active, dormant, or revoked.

  • 02 · Revocation-aware records

    When an agent is revoked via VARP, Vault flags every record produced by that agent from the revocation moment forward. The history remains searchable. The authority state is clearly marked. No silent loss of context.

  • 03 · Cross-surface agent continuity

    A single agent identity persists across desktop, cloud Gateway, and partner B2B2C deployments. Vault consolidates the full cross-surface history under one agent ID. No more piecing together logs from three vendors.

  • 04 · Registry-backed attribution

    Every Vault record carries the signing authority, the issuing TAP certificate, and the revocation endpoint. The record tells you who vouched for the action at the moment it happened. Attribution is not reconstructed, it is recorded.

vault query · by agent identity
$ vigil vault query --agent agt_a47e9c1b \
    --since "30d" --include-revoked

 agent_id     agt_a47e9c1b
 registry     vigil-authority/v2
 principal    user@example.com
 scope        chat.read, chat.write,
               stripe.read
! status       REVOKED 2026-04-18T09:12Z
 records      847 total
 chain_ok     true (SHA-256 verified)

# Records in window:
#   pre-revocation:  801 (VOAF sealed)
#   post-revocation:  46 (flagged, quarantined)

$ vigil vault export --agent agt_a47e9c1b \
    --format voaf-m --out agent-trail.jsonl
✓ Wrote 847 records · 12.3 MB · SHA-256 chain intact

VOAF. Open by design.

The Vigil Open Audit Format is the substrate Vault writes to. One JSONL line per record. Hash-chained. Signed. Third-party verifiable. Published as a tagged specification so other tools can read and write it without Vigil.

Open spec, dominant issuing authority.

The format is open so adoption compounds. Any tool that handles AI audit evidence can read a Vault export. Any regulator can verify a record without asking us. Any partner can issue records in the same format without licensing.

The economics are open spec, proprietary issuance. Vigil is the dominant origin of VOAF records in the wild. The comparison is DigiCert for certificates or FICO for scores. The format is the rail. The issuance is the business.

github.com/vigilsec/voaf-spec carries the tagged v1.0 specification.

// VOAF v1.0 record · one JSONL line
{
  "voaf_version": "1.0.0",
  "record_id": "voaf_7f2a81c9",
  "agent_id": "agt_a47e9c1b",
  "issuer": "vigil-authority/v2",
  "ts": "2026-04-22T08:14:32Z",
  "surface": "gateway.openai",
  "request": { /* parsed intent */ },
  "response": { /* action scored */ },
  "verdict": "allow",
  "agency": 0.34,
  "policy_rev": "rev_412",
  "prev_hash": "0x3b7e...c9f1",
  "self_hash": "0x4c8f...e2a1",
  "signature": "0x9a1d...b3e7"
}
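
The chain check described under "Seal" and the prev_hash / self_hash fields of the record above, as an added example in Python. It is not Vigil's code and not the vigil-verify CLI: the canonical serialization, the fields covered by the hash, the all-zero genesis prev_hash and the sample records are assumptions, and signature verification is left out.

```python
import hashlib
import json

GENESIS = "0x" + "00" * 32  # assumption: prev_hash of the first record

def record_hash(rec):
    # Assumption: the hash covers every field except self_hash and signature,
    # serialized as sorted-key compact JSON. The VOAF spec may define this differently.
    body = {k: v for k, v in rec.items() if k not in ("self_hash", "signature")}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return "0x" + hashlib.sha256(data).hexdigest()

def build_chain(records):
    """Seal records in order: each one stores the previous record's self_hash."""
    chain, prev = [], GENESIS
    for rec in records:
        sealed = dict(rec, prev_hash=prev)
        sealed["self_hash"] = record_hash(sealed)
        chain.append(sealed)
        prev = sealed["self_hash"]
    return chain

def to_jsonl(chain):
    return "\n".join(json.dumps(r) for r in chain)

def verify_chain(jsonl_text, expected_head=None):
    """Return (ok, index of first failing record or None, reason)."""
    prev = GENESIS
    lines = [ln for ln in jsonl_text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
            stored_prev, stored_self = rec["prev_hash"], rec["self_hash"]
        except (json.JSONDecodeError, KeyError, TypeError):
            return False, i, "malformed record"
        if stored_prev != prev:
            return False, i, "prev_hash mismatch"
        if stored_self != record_hash(rec):
            return False, i, "self_hash mismatch"
        prev = stored_self
    # A bare chain cannot reveal a dropped tail; compare against a pinned head hash.
    if expected_head is not None and prev != expected_head:
        return False, len(lines), "head mismatch"
    return True, None, "ok"

# Constructed sample records (not real Vault data).
SAMPLE = build_chain([
    {"voaf_version": "1.0.0", "record_id": f"voaf_ex{i}", "agent_id": "agt_example", "verdict": v}
    for i, v in enumerate(["allow", "block", "allow"], 1)])
```

Editing a record fails verification at that record, and editing then re-hashing it fails at the next one. A dropped tail is caught only when the verifier compares the final self_hash against a head value pinned outside the file.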

Retention scales with the coverage envelope.

Every paid tier ships Vault. What changes is retention depth and access to the layers above it. Personal model access begins at Citadel as a preview and lands fully at Sovereign when it ships in Q3 2026.

Guardian
$129 / year
90-day rolling Vault retention. VOAF export. vigil-verify CLI.
Vault baseline: SQLite local · SHA-256 chain · Export anytime
Fortress
$249 / year
Unlimited retention. Full Vault history preserved for the life of your subscription.
Everything in Guardian, plus: Unlimited retention · Registry agent keys
Sovereign
$99 / month
Personal model access on day one when it ships in Q3 2026. Full-fidelity local inference on your accumulated Vault.
Everything in Citadel, plus: Personal model day-one · Priority support

Your AI life is a record. Start keeping it.

Vault runs from the day you install Vigil. Nothing to configure. Nothing to opt into. Every interaction sealed from the first one. The earlier you start, the deeper the substrate when Recall and the Personal Model arrive.

Platform: The AI defense platform for AI
Build: v2.1.0 · 362 tests · 11 crates · 31 endpoints · <10ms p99
Patents: VIGIL-2026-001 · VIGIL-2026-002
Regulatory: NIST docket 2025-0035 · mmk-190r-hvap