Rebuild embeddings for a user-scoped subset of memories (issue #39). WHEN: A small set of memories, a project, or the caller's corpus needs fresh embeddings without running the destructive global --re-embed CLI. BEHAVIOR: Re-runs the configured embedding pipeline on memories owned by the authenti...
AI agents invoke rebuild_embeddings to trigger actions in Forgetful. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
This tool triggers an external computation pipeline (re-embedding) on stored data. It modifies embeddings (vector representations) in place, but explicitly states it does not reset vector storage and is scoped to a user subset. It's not a simple read, but also not purely destructive since it regenerates rather than deletes.
From the tool's definition Re-runs the configured embedding pipeline on memories owned by the authenticated user... Never resets vector storage.
Documented attack patterns abuse exactly the kind of access rebuild_embeddings gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and Forgetful, and nothing reaches the server without passing your rules. This is the rule we recommend for rebuild_embeddings:
{
"version": "1",
"default": "deny",
"tools": {
"rebuild_embeddings": {
"limits": [
{
"counter": "rebuild_embeddings_rate",
"window": "minute",
"max": 10,
"scope": "grant"
}
]
}
}
}rebuild_embeddings stays usable, but rate-capped — a runaway agent can't fire it dozens of times a minute. Everything else on the server is denied unless you say otherwise.
Free to start. No card required.
Rebuild embeddings for a user-scoped subset of memories (issue #39). WHEN: A small set of memories, a project, or the caller's corpus needs fresh embeddings without running the destructive global --re-embed CLI. BEHAVIOR: Re-runs the configured embedding pipeline on memories owned by the authenticated user, scoped by memory_ids and/or project_id. Never resets vector storage. Returns a structured result so the caller can act on partial success. NOT-USE: Switching embedding providers/dimensions across the whole corpus - use the offline --re-embed CLI for that destructive migration. Args: memory_ids: Explicit ids to rebuild (already user-scoped server-side). project_id: Restrict to a single project owned by the caller. Returns: Dict with keys: rebuilt_ids (list[int]), skipped_ids (list[int]), failed (list of {memory_id, reason}). It is categorised as a Execute tool in the Forgetful MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the Forgetful MCP server in PolicyLayer and add a rule for rebuild_embeddings: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Forgetful. Nothing to install.
rebuild_embeddings is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the rebuild_embeddings rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for rebuild_embeddings. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
rebuild_embeddings is provided by the Forgetful MCP server (scottrbk/forgetful). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic rules across all 59 Forgetful tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.
Free to start. No card required.
59 Forgetful tools catalogued and risk-classified — across an index of 42,500+ MCP servers.