In March 2025, a developer installed a package from npm. The postinstall hook silently edited MEMORY.md — a single markdown file that Claude Code loads automatically at session start. Within one session, the compromised agent was recommending that teams store API keys in committed source files and steering them away from secrets managers. Cisco's researchers, who found the attack, called it a persistent memory compromise. The more instructive framing: it worked because the file had real authority over agent behavior.
That's the architecture worth understanding — not as an attack surface to fear, but as a tool to build deliberately.
How a context file becomes institutional memory
CLAUDE.md, AGENTS.md, MEMORY.md — the names vary by tool, but the mechanism is identical. A markdown file placed in the project root is loaded verbatim into the agent's context window at session start. No vector database, no fine-tuning, no infrastructure. The file is the persistent layer.
Teams found this solves a concrete production problem. An AI that forgets every session wastes time. After months on a production codebase, engineers were still correcting agents: we use pnpm, not npm; the test command is make test-integration. A federated set of markdown files — one per domain, maintained by the team that owns the domain — eliminated that overhead entirely. A January 2026 study covering 124 pull requests found that AGENTS.md files cut median task completion time by 28.64% and token consumption by 16.58%.
AGENTS.md is now stewarded by the Linux Foundation's Agentic AI Foundation, adopted in 60,000+ open-source projects, and supported by Copilot, Cursor, Devin, Codex, and others. It is becoming infrastructure. What Cisco found is what always happens when something becomes infrastructure: it gets targeted.
One team's 77-page operational wiki
The most instructive production implementation comes from a DevOps engineer who applied Andrej Karpathy's LLM Wiki pattern to day-to-day AWS operations across dozens of accounts. The architecture has three layers: a raw/ directory of immutable source documents — Confluence exports, architecture diagrams, meeting transcripts — that the agent reads but never writes; a wiki/ directory of 77 LLM-maintained markdown pages across nine knowledge domains that the agent owns; and a root AGENTS.md that defines naming conventions, frontmatter standards, and cross-linking requirements.
The compounding effect was real. Ingesting one PR review standards document automatically created cross-references to deployment workflow, change management, and Terraform standards — connections a human wouldn't maintain consistently. When queried about deployment process, the agent returned specifics about progressive rollout order and change request gates without re-reading any source document.
Two failure modes emerged that are worth planning for. The agent never checked its own wiki unprompted — every retrieval required an explicit instruction. And at 77 pages, index summaries became too coarse: the agent was selecting the wrong wiki page because one-line descriptions couldn't distinguish close topics. Both problems have architectural fixes, but neither fixes itself.
How to structure your own neural linkage system
The pattern works best when the structure is explicit from the start. If you're building this for a B2B team:
- Start with one authoritative root file. Your AGENTS.md or CLAUDE.md is the entry point. It should define scope, naming conventions, and what other files exist. Keep it under 200 lines — beyond that, agents lose the thread.
- Federate ownership. Each functional domain — engineering, security, operations — maintains its own slice. The root file imports or references them. Domain teams update their slice; they don't need to own the whole system.
- Separate source from synthesis. Raw documents go in one directory; the AI's synthesized wiki pages go in another. Don't let the agent overwrite source material.
- Make lesson capture explicit. The agent will not save reusable lessons autonomously. Build a convention: after a non-trivial task, prompt the agent to flag what should be added to the wiki.
- Treat write access as a permission boundary. The Cisco attack worked because a supply chain payload could write to the file the agent trusted. Separate your human-reviewed instructions from AI-maintained memory. Consider keeping the root context file in version control with normal review gates.
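One way to make that write boundary checkable, as an added example (not from the original article or any of the tools it names): record SHA-256 hashes of the human-reviewed context files, then re-check them after dependency installs and before an agent session. The manifest file name and the skipped directories are assumptions.

```python
import hashlib
import json
from pathlib import Path

# File names come from the article; manifest name and skip list are assumptions.
CONTEXT_NAMES = {"AGENTS.md", "CLAUDE.md", "MEMORY.md"}
MANIFEST = "context-manifest.json"
SKIP_DIRS = {".git", "node_modules"}


def context_files(root: Path) -> dict[str, str]:
    """Map each context file (path relative to root) to the SHA-256 of its bytes."""
    found = {}
    for path in sorted(root.rglob("*.md")):
        rel = path.relative_to(root)
        if path.name in CONTEXT_NAMES and not SKIP_DIRS & set(rel.parts):
            found[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return found


def write_manifest(root: Path) -> None:
    """Run after human review; commit the manifest together with the reviewed files."""
    (root / MANIFEST).write_text(json.dumps(context_files(root), indent=2))


def verify(root: Path) -> list[tuple[str, str]]:
    """Return (path, status) for every context file that differs from the manifest."""
    approved = json.loads((root / MANIFEST).read_text())
    current = context_files(root)
    findings = []
    for rel in sorted(approved.keys() | current.keys()):
        if rel not in current:
            findings.append((rel, "removed"))
        elif rel not in approved:
            findings.append((rel, "unreviewed"))
        elif current[rel] != approved[rel]:
            findings.append((rel, "modified"))
    return findings


if __name__ == "__main__":
    import sys
    problems = verify(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    for rel, status in problems:
        print(f"{status}: {rel}")
    sys.exit(1 if problems else 0)
```

Anything that can write the context files can also write a manifest stored beside them, so the check is only as strong as the review gate on the manifest itself: compare against the committed copy, or run the check in CI from a clean checkout.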
The Karpathy framing is precise: Obsidian is the IDE, the LLM is the programmer, the wiki is the codebase. Codebases don't improve by accident. Neither do wikis.
SaaS Squash works with B2B teams to map where AI tools touch operational knowledge and design the file architectures and access controls to match. If your agents are starting from scratch every session, that is the right problem to solve first.