// SCAN REPORT

M3 Memory

43 tools. 20 can modify or destroy data without limits.

3 destructive tools with no built-in limits. Policy required.

Last updated: 11 Jun 2026

20 can modify or destroy data

23 read-only

43 tools total

Community server · catalogue entry verified 11/06/2026

How to control M3 Memory ↓

TOOL MAP

What M3 Memory exposes to your agents

Read (23) Write / Execute (17) Destructive / Financial (3)

Running more than one server? Check your whole stack →

MOST DANGEROUS TOOLS

Critical Risk

The most dangerous M3 Memory tools

Destructive · High files_corpus_delete This tool permanently removes data from the memory corpus. Destructive · High files_entity_coalesce_unapply This tool performs irreversible operations on persistent memory data by dropping edges (deleting relationship links) and clearing flags (removing metadata). Destructive · Medium retire_focus 'Clears' implies irreversible removal of the current system focus entry. Execute · Medium debug_bisect Git bisect is a tool that executes binary search through git history by running commands and checking out commits, which constitutes executing external operations.

20 of M3 Memory's 43 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

POLICY

How to control M3 Memory

PolicyLayer is an MCP gateway — it sits between your AI agents and M3 Memory, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations

{
  "files_corpus_delete": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations

{
  "debug_report": {
    "limits": [
      {
        "counter": "debug_report_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations

{
  "check_thermal_load": {
    "limits": [
      {
        "counter": "check_thermal_load_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

Create a free account and register M3 Memory — nothing to install.
Add these rules — paste them, or build them visually. Tune the limits to your setup.
Point your MCP client (Claude, Cursor, anything) at your gateway URL.

ENFORCE POLICY ON M3 MEMORY →

Free to start. No card required.

FULL CATALOGUE

All 43 M3 Memory tools

DESTRUCTIVE 3 tools

Destructive files_corpus_delete Delete a corpus's settings row. Cascade=True also deletes its Destructive files_entity_coalesce_unapply Reverse one coalescence cluster (drop edges, clear flags, strip Destructive retire_focus Clears the current system focus entry.

EXECUTE 4 tools

Execute debug_bisect Automated git bisect placeholder. Execute files_extract_pending Drain leaves with extraction_status='pending' through the LLM extractor. Execute grok_ask Queries Grok 3 for real-time info from X and fast reasoning. Execute query_local_model Sends a complex reasoning task to the best available local/network LLM.

WRITE 13 tools

Write debug_report Generate and persist a structured debugging report. Write files_dedup_review Record a review decision: 'kept' | 'merged' | 'ignored'. Write files_entity_coalesce_review Record review decisions in BULK: pass a list of {uuid, action} where Write files_ingest files_ingest Write log_activity Routes AI data to the correct agent_memory.db table. Write files_corpus_create Register a new corpus with optional default overrides. Write files_corpus_set Update settings for an existing corpus. None args are no-ops. Write files_entity_coalesce_apply files_entity_coalesce_apply Write files_health DB integrity + FTS5 sync check. Set rebuild=True to fix drift. Write files_link_rename Re-point an existing file_node at a new path (rename / move). Write files_promote Promote (ascend) a fact / leaf / file_summary from files.db to Write save_handoff Saves the current AI session state for another agent to resume. Write update_focus Updates the 'Current Focus' ticker for the Pulse dashboard.

READ 23 tools

Read check_thermal_load Checks the system thermal pressure level (Protocol 2). Read debug_analyze Root cause analysis with memory-augmented reasoning. Read debug_correlate Cross-reference logs and decisions. Read debug_history Search past debugging sessions. Read debug_trace Execution flow analysis — reads source, finds callers. Read files_corpus_get Fetch a single corpus's settings + counts. Read files_corpus_list Enumerate corpora with row counts. Read files_dedup Scan leaf embeddings for near-duplicates. Detection only — Read files_dedup_list List near-duplicate candidate pairs with text snippets and paths. Read files_entity_coalesce Detect provisional-entity coalescing candidates (quarantine noise + Read files_entity_coalesce_list List entity-coalescing candidate pairs (name + score + band). Read files_get Fetch one record by UUID. Tries file_nodes then leaves. Read files_index Return file-level summaries for triage. Read files_promotable List top promotion candidates by usage-weighted heuristic score. Read files_promotion_list List existing promotions. source_superseded=True surfaces Read files_search Hybrid FTS5 + vector search over leaves. Read files_staleness_review Compare filesystem against files.db. Surfaces stale, touched-only, Read files_stats Corpus-level counters: file_nodes, leaves, embed coverage. Read files_watch_once Single-pass staleness check + notification dispatch. Suitable Read get_news_headlines get_news_headlines Read m3_web_search Alias for web_search. Primary: Perplexity sonar-pro. Fallback: Grok grok-3-latest. Read query_decisions query_decisions Read web_search Searches the live web for current data.

EXPLORE

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

FAQ

Questions about M3 Memory

Can an AI agent delete data through the M3 Memory MCP server? +

Yes. The M3 Memory server exposes 3 destructive tools including files_corpus_delete, files_entity_coalesce_unapply, retire_focus. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through M3 Memory? +

The M3 Memory server has 13 write tools including debug_report, files_dedup_review, files_entity_coalesce_review. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach M3 Memory.

How many tools does the M3 Memory MCP server expose? +

43 tools across 3 categories: Destructive, Read, Write. 23 are read-only. 20 can modify, create, or delete data.

How do I enforce a policy on M3 Memory? +

Register the M3 Memory MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every M3 Memory tool call.

Deterministic rules across all 43 M3 Memory tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

ENFORCE POLICY ON M3 MEMORY →

Free to start. No card required.

43 M3 Memory tools catalogued and risk-classified — across an index of 43,000+ MCP servers.