Detailed Analysis
Sekha, an open-source Python library released under the MIT license, addresses one of the most persistent friction points in AI-assisted development workflows: the statelessness of Claude Code sessions. Built by Thoth-soft and available via pip, the tool provides two distinct capabilities — cross-session memory persistence and hard-enforcement of user-defined rules — through Claude Code's Model Context Protocol (MCP) interface. Memory is stored as plain markdown files and retrieved via grep-based search, with Claude itself driving the save and retrieval process through six exposed MCP tools. The design philosophy is deliberately minimal, requiring zero runtime dependencies and running on pure Python standard library, making it immediately deployable across Windows, macOS, and Linux environments with no configuration beyond `sekha init`.
The more architecturally significant feature is Sekha's rule enforcement mechanism, which exploits Claude Code's `PreToolUse` hook to intercept and hard-block tool calls before they execute. This distinguishes Sekha from competing tools in the persistent memory space — including Mem0, Letta, Zep, and Basic Memory — where rules are stored but remain advisory, meaning the model retains discretion over whether to follow them. Sekha's enforcement operates at the execution layer rather than the reasoning layer, meaning rules governing specific command patterns, file paths, or tool names cannot be bypassed through prompt phrasing or even the `--dangerously-skip-permissions` flag. The developer is transparent about scope limitations: behavioral rules such as "always confirm before acting" remain prompt-level suggestions and are not enforceable, as no hook exists for the model's internal reasoning — only for its discrete actions.
Sekha enters a crowded but still-maturing ecosystem of persistent memory solutions for Claude Code. Tools like claude-mem (which has accumulated over 46,000 GitHub stars) and mcp-memory-service pursue similar goals through different architectures, with some leveraging AI-driven compression, semantic embeddings, tiered storage, and multi-machine synchronization. Sekha's deliberate choice to avoid embeddings and databases in favor of flat markdown files and grep-based search represents a tradeoff: lower retrieval sophistication in exchange for radical simplicity, auditability, and zero external dependencies. The 349-test suite and nine-cell CI matrix suggest an emphasis on reliability over feature breadth, positioning Sekha as a tool for developers who prioritize predictability.
The security dimension of persistent memory tools deserves attention in this context. Research has documented cases where injected instructions persisted in Claude Code's memory layer as authoritative system-level directives — a form of memory poisoning that can lead to insecure code generation across future sessions. Sekha's plain-text markdown storage model makes the memory corpus fully human-readable and auditable, which partially mitigates this risk compared to opaque vector databases. However, the rule-enforcement model itself introduces a separate trust consideration: rules are written by the user and enforced blindly by the hook, meaning poorly scoped rules could inadvertently block legitimate operations. The project's README threat model, which the developer explicitly references, suggests an awareness of this tradeoff.
Sekha's emergence reflects a broader structural tension in agentic AI development: models like Claude are increasingly used in long-running, multi-session workflows for which they were not architecturally designed. The session boundary problem — losing accumulated context, preferences, and project-specific knowledge each time a session closes — has driven a wave of third-party tooling that effectively patches statelessness at the infrastructure level rather than waiting for first-party solutions. Anthropic's own `CLAUDE.md` convention provides a static context mechanism, but it requires manual maintenance and offers no enforcement guarantees. As Claude Code matures into a more central development tool, the demand for persistent memory with hard guardrails is likely to grow, and projects like Sekha are establishing design patterns — hook-based enforcement, transparent storage, explicit threat modeling — that may influence how such capabilities are eventually built into the platform itself.
Read original article →