
I built a local-first MCP server that gives Claude Code persistent memory, a knowledge graph, and a consent framework — and Claude is just the first client

Reddit · BeneficialBig8372 · April 16, 2026
A developer built willow-1.7, a local-first MCP server that provides Claude Code with persistent memory through a Postgres knowledge graph, local SQLite storage, task queuing, and a GPG-based authorization framework called SAFE that controls agent access via filesystem permissions. The system prioritizes local Ollama inference with fallback to free cloud APIs, allowing any MCP-compatible agent to connect with granular session-based consent controls that expire when the session ends. The developer plans to train a custom model called Yggdrasil on the system's operational patterns to eventually eliminate cloud dependencies entirely and enable fully air-gappable operation.

Detailed Analysis

A developer operating under the handle rudi193-cmd has released willow-1.7, a locally hosted Model Context Protocol (MCP) server that fundamentally extends Claude Code's capabilities by adding persistent memory, a Postgres-backed knowledge graph, and a GPG-based authorization framework — all running entirely on-device without cloud exposure. The system connects to Claude Code via stdio at session start, providing 44 discrete tools that span persistent knowledge storage (structured as atoms, entities, and edges), per-collection SQLite databases with full audit trails, inference routing through local Ollama models with free-tier cloud fallbacks, and a task queue called Kart that allows Claude to submit shell commands for asynchronous execution. Session handoffs — structured documents written to disk and indexed in Postgres — allow successive Claude sessions to resume context from where prior sessions ended, directly addressing one of the most persistent friction points in working with stateless AI coding assistants.

The authorization layer, branded SAFE (Signed Application Framework for Entitlement), represents the most architecturally distinctive element of the project. Every agent seeking knowledge graph access must possess a dedicated folder on a separate filesystem partition containing both a JSON manifest declaring its permissions and data streams and a detached GPG signature of that manifest. The gate enforces all four checks — folder existence, manifest presence, signature presence, and GPG verification — on every access attempt, logging and denying on any failure. Critically, revocation requires no code changes: deleting an agent's folder is sufficient to terminate its access permanently. The developer reports running 17 distinct AI agents, described as "professors," through this gate in production for several months, each scoped to its declared data streams. This filesystem-as-ACL design is notable for its auditability and simplicity relative to token-based or certificate-authority approaches common in cloud identity systems.
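The four-check gate described above, sketched as an added example; this is not willow-1.7's code. The file names `manifest.json` and `manifest.json.sig`, the `streams` manifest key, and the use of `gpgv` against a pinned keyring are assumptions made for illustration.

```python
import json
import logging
import subprocess
from pathlib import Path

log = logging.getLogger("safe_gate")

def gpgv_verify(manifest: Path, sig: Path, keyring: Path) -> bool:
    """Verify the detached signature against one pinned keyring (absolute path)."""
    try:
        proc = subprocess.run(
            ["gpgv", "--keyring", str(keyring), str(sig), str(manifest)],
            capture_output=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False  # a missing or hung verifier is a denial, never a pass
    return proc.returncode == 0

def check_access(root: Path, agent: str, stream: str, verify) -> tuple[bool, str]:
    """Default-deny gate: all checks run on every call, nothing is cached."""
    folder = root / agent
    manifest = folder / "manifest.json"    # assumed file name
    sig = folder / "manifest.json.sig"     # assumed file name
    if not agent or agent == ".." or Path(agent).name != agent:
        reason = "invalid agent name"      # blocks path traversal out of root
    elif folder.is_symlink() or not folder.is_dir():
        reason = "no agent folder"         # a deleted folder means revoked
    elif not manifest.is_file():
        reason = "no manifest"
    elif not sig.is_file():
        reason = "no signature"
    elif not verify(manifest, sig):
        reason = "signature verification failed"
    else:
        try:
            declared = json.loads(manifest.read_text()).get("streams")  # assumed key
        except (OSError, ValueError, AttributeError):
            declared = None
        granted = isinstance(declared, list) and stream in declared
        reason = "ok" if granted else "stream not declared"
    allowed = reason == "ok"
    log.log(logging.INFO if allowed else logging.WARNING,
            "agent=%r stream=%r allowed=%s reason=%s", agent, stream, allowed, reason)
    return allowed, reason
```

In use, `verify` would be `functools.partial(gpgv_verify, keyring=...)`, so a signature counts only if made by a key in that one keyring rather than by any key the user's default GPG keyring happens to hold.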

The project situates itself within a growing ecosystem of open-source efforts to give Claude Code durable, cross-session memory. Projects such as mem0ai's MCP integration, MemPalace, and memory-mcp have established the general pattern — vector stores, optional graph layers, and proactive hooks that query memory at session start — but willow-1.7 extends this baseline in two significant directions: it adds a formal consent and authorization model that most comparable tools lack entirely, and it builds toward a multi-client architecture rather than treating Claude as the sole or permanent consumer. The developer explicitly frames Claude Code as "just the first client," with the MCP server designed to accept connections from any MCP-compatible agent, including local models and potential future tools. An accompanying installer repository, willow-seed, handles full bootstrapping from a fresh partition using only Python's standard library and consent gates before every action.

The longer-term roadmap reveals ambitions that extend well beyond tooling convenience. The developer describes a planned small model called Yggdrasil, intended to be trained on the operational patterns willow-1.7 generates — session handoffs, ratified knowledge atoms, governance logs — with the goal of eventually replacing the cloud fallback fleet entirely and making the system fully air-gappable. Beyond that, the developer envisions an open-source Claude Code equivalent: a terminal AI agent that boots from a local repository, connects to willow via stdio, and has no telemetry or mandatory cloud account. The stated personal motivation — building tools for two daughters that "help them think instead of thinking for them," with session-scoped consent that expires when the user walks away — frames the project explicitly as a counter-model to the prevailing "agree once, we own everything forever" data relationship between users and AI platforms.

The release arrives at a moment when the AI industry is actively debating the appropriate boundaries of memory, consent, and data sovereignty in agentic systems. Anthropic itself has been developing Claude's agentic capabilities, including Claude Code's use of MCP as a tool integration layer, while broader questions about long-running AI agents with persistent context and access to sensitive user data remain largely unresolved at both the technical and policy levels. Willow-1.7's consent-first, local-first architecture represents a practical instantiation of one answer to those questions: granular, cryptographically enforced, filesystem-anchored access control layered directly beneath the AI's operational surface. Whether projects like this catalyze broader adoption of consent frameworks in agent infrastructure remains to be seen, but they demonstrate that such frameworks are buildable today, without waiting for platform-level solutions.
