subcog
Subcog is a persistent memory system for AI coding assistants. It captures decisions and learned context during coding sessions and stores them in SQLite (default), with FTS5 full-text indexing and vector search (usearch HNSW). It supports hybrid retrieval (BM25 + vector with RRF fusion), provides a knowledge-graph layer, and exposes an MCP server for agent interoperability. It also offers optional HTTP serving with JWT auth and Claude Code hook integration.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
The security model depends on the transport: the default stdio/MCP transport has no network exposure and uses implicit same-user execution; the optional HTTP transport requires JWT and relies on a reverse proxy for HTTPS. The README claims encryption at rest (default true), secrets detection/redaction, PII filtering, and audit logging. Scope/granular authorization is not described, and per the README TLS is not natively enforced in HTTP mode (a reverse proxy is suggested instead).
⚡ Reliability
Best When
You want local persistent memory for an AI coding workflow with hybrid search and agent/IDE integration via MCP/Claude hooks.
Avoid When
You need a purely HTTP JSON REST API with OpenAPI/SDKs or you cannot manage local persistence/security configurations for stored sensitive data.
Use Cases
- Give AI coding assistants long-lived memory of decisions and learnings across sessions
- Hybrid semantic+keyword retrieval of relevant past context for code changes
- Knowledge-graph queries over entities/relationships extracted from memories
- IDE/agent workflow integration via MCP tools and Claude Code hooks
- Compliance workflows like exporting stored memories (e.g., GDPR export)
Not For
- Use as a full hosted SaaS memory service without running local infra (it is primarily a local/single-binary system)
- Scenarios requiring a public multi-tenant API without careful deployment/security hardening
- Use cases needing standardized REST/GraphQL SDKs (integration is mainly CLI/MCP)
Interface
Authentication
HTTP mode supports `--jwt-secret` with configurable expiry and CORS configuration; scope/granular authorization is not described. MCP/stdio transport uses implicit same-user execution (no credentials required).
Pricing
Self-hosted/open-source (MIT). Operational costs depend on local hardware and optional external LLM providers used for embedding/LLM-powered features.
Agent Metadata
Known Gotchas
- ⚠ MCP tools are exposed as consolidated tool names; agents should treat tool-name-like strings as tool invocations (not shell commands) unless explicitly instructed otherwise.
- ⚠ When using optional HTTP transport, you must manage JWT secret/expiry and (ideally) run behind HTTPS via reverse proxy; misconfiguration could expose the service.
- ⚠ HTTP transport notes that TLS should be handled via reverse proxy; using it without proper HTTPS would weaken security.
- ⚠ Embeddings/LLM-powered features may require external providers/config; agents should expect additional provider configuration beyond pure local storage.
Scores are editorial opinions as of 2026-03-30.