Forget RAG. The Best AI Agent Memory Is a Plain Text File.

The Plain Text Revolution

The idea is almost comically simple. Create a markdown file in your project root. Write your conventions, architecture notes, and common gotchas. The AI reads it at session start, and suddenly it knows your codebase.

AGENTS.md emerged from collaboration between OpenAI Codex, Amp, Google's Jules, Cursor, and Factory. It uses plain markdown with no required format; the closest file to the edited directory takes priority. By August 2025, 20,000 projects had adopted it. Within months, that number tripled.

Claude Code takes the pattern further with hierarchical loading: memory files at the project root apply everywhere, while subdirectory files load only when the agent works in that directory. Its auto-memory system extracts learnings from conversations after roughly 10,000 tokens and updates every 5,000 tokens thereafter. Boris Cherny from the Claude Code team recommends updating the file "multiple times weekly for anything Claude repeatedly gets wrong."

After three months of maintained memory files, one developer reported the experience felt "like a team member who's been on the project for months rather than a contractor starting fresh every morning." Another distilled the practice into a single rule: "Whenever you find yourself giving the same instruction twice, add it to AGENTS.md instead."

The Ceiling You Cannot Ignore

File-based memory works. It also has limits. Research from HumanLayer found that frontier LLMs follow roughly 150 to 200 instructions with reasonable consistency. Claude Code's system prompt already consumes about 50 of those slots, leaving perhaps 100 to 150 for project-specific memory. Stuffing more instructions in does not cause the agent to ignore only the new ones; quality degrades uniformly across all instructions.

The "lost in the middle" problem, documented by Stanford researchers in 2023, makes this worse. Language models perform well on information at the beginning and end of their context but drop 15 to 30% on content positioned in the middle. Even million-token context windows, as Mem0's research demonstrated, "merely delay" the fundamental problem. The useful analogy from Anthropic's context engineering framework: context is RAM (fast, limited, volatile), while memory is disk storage (slower, larger, persistent). You cannot solve a storage problem by buying more RAM.

Practitioners converge on capping memory files at roughly 30 items with regular pruning. The /init command in Claude Code auto-generates a starting file by analyzing the codebase, but beneath the surface, it is simply a well-crafted prompt that writes markdown. Nothing more.

The Benchmark Wars

When file-based memory hits its ceiling, developers reach for managed memory services. Three startups dominate the space: Mem0, Zep, and Letta. Each claims superiority on the LoCoMo benchmark. None have published results under identical, independently verified conditions. They have, however, published detailed takedowns of each other's methodology.

Mem0 claims 26% accuracy improvement over OpenAI's built-in memory (66.9% vs. 52.9%) with 90% token reduction. Zep disputes those numbers, claiming 75.14% accuracy and accusing Mem0 of misconfiguring Zep's concurrent search settings. Letta, born from UC Berkeley's MemGPT research, quietly demonstrated that its plain filesystem approach scored 74%, beating Mem0's more complex graph variant at 68.5%. Mem0 did not respond to Letta's requests for clarification.

Cognee reported an impressive 92.5% accuracy on multi-hop retrieval evaluations, but with a critical caveat: it requires 3.3 hours to process a single sample. And on the tasks that arguably matter most (multi-hop conflict resolution, where the agent must reason across contradictory memories), all providers collapse. The best result reported on MemoryAgentBench is 7% accuracy.

The hybrid approach shows promise in theory. Research from NVIDIA and BlackRock demonstrates that combining knowledge graphs with vector retrieval produces 2.8x accuracy improvement on complex queries. Graphiti's temporal knowledge graphs track how facts change over time, solving one of the thorniest problems in memory management. But these systems demand infrastructure, operational expertise, and ongoing maintenance. For most coding agents working on most codebases, a curated text file still delivers more value per hour of setup.

The Unsolved Problems: Poisoning and Forgetting

Persistent memory creates persistent vulnerabilities. Palo Alto Networks Unit 42 demonstrated that indirect prompt injection can poison an agent's long-term memory, with malicious instructions surviving session restarts and being incorporated into system prompts. Memory contents injected this way are often prioritized over direct user input.

The attack surface is broad and mostly undefended. The MINJA attack achieves over 95% injection success through ordinary queries, requiring no elevated privileges. ChatGPT's "spAIware" vulnerability (September 2024) allowed injected instructions to survive across sessions, app restarts, and even device changes. Microsoft recently identified "AI Recommendation Poisoning" as a growing trend, where promotional instructions planted in innocent-looking content persist in memory and steer future recommendations.

In Microsoft's scenario, a CFO's AI assistant strongly recommends a specific vendor for cloud infrastructure based on what appears to be thorough analysis. Weeks earlier, the CFO had clicked "Summarize with AI" on a blog post that quietly planted the recommendation into the assistant's memory. Millions in budget allocated on a poisoned suggestion.

Defenses exist but lag far behind attacks. A-MemGuard cuts attack success rates by over 95%, but standard detection systems still miss two-thirds of poisoned entries because malicious content appears benign when examined individually. MEXTRA research showed that agents using certain scoring functions leak over 30% of private user queries from memory.

The counterpoint exists. The Sanity.io team built an agent that processed 7,400 messages over six days while maintaining coherence: "It still knows file paths from the early days, still remembers why architectural decisions were made." When the architecture works, the experience is transformative. But memory corruption in early steps cascades through every downstream decision, and production agents averaging 50 tool calls per task with 100:1 input-to-output token ratios make inefficient memory management prohibitively expensive.