Agent memory is moving to graphs, and the provenance defenses now being built for it all check one thing: the provenance of the records an agent retrieves. We show that this entire class of defense is blind by construction. A long-term graph memory runs a global selection step over writable graph structure, so structure that an untrusted principal writes changes \emph{which} authenticated facts are selected while the cited evidence stays fully authenticated; faithful information-flow control (IFC), checking the provenance of what the reader uses (all of it authenticated), makes the byte-identical decision to no defense at all, across document-QA substrates and real multi-session agent memory. In the most consequential instance, a no-source structural write silently misdirects $28$ irreversible ledger transfers over $499$ live actions: faithful IFC permits every one, and \authselect\ prevents every one. We then characterize exactly which memories are exposed: a selector admits the channel when its structural term can reallocate an $Ω(1)$ share of top-$k$ membership past a selected fact's margin. Personalized PageRank can, since a sourceless write reroutes conserved random-walk mass; a content-fixed reranker cannot, and Graphiti's node-distance, which leans on structure \emph{more} than PageRank does, stays immune. Reallocatability, not reliance, is the predictor. We prove the immune case in general and the open case under a chokepoint condition we verify. Closing the channel forces any provenance defense to recompute selection on the authenticated subgraph, which is what \authselect\ does, at zero over-block and $2$--$3\%$ latency.

翻译：代理记忆正转向图结构，目前为其构建的来源防御机制均聚焦于一点：代理检索记录的来源。我们证明，这类防御机制在架构上存在固有盲区。长期图记忆会在可写图结构上执行全局选择步骤，因此不可信主体写入的结构会改变哪些已认证事实被选中，而被引用的证据仍保持完全认证状态；忠实的流控制（IFC）会检查使用者所引用内容（全部经认证）的来源，这使得基于字节级决策的防御机制在文档问答基座和真实多会话代理记忆场景下与无防御机制效果完全相同。在最极端的实例中，零来源结构写入可在499次实时操作中静默误导向28次不可逆账本转移：忠实的IFC全数许可，而\AuthSelect\机制则全部阻止。我们随后精确刻画了哪些记忆处于暴露状态：当选择器的结构项可将前k个成员资格中Ω(1)份额重新分配至超出选定事实边界时，该通道即被激活。个性化PageRank算法存在此风险（因无来源写入可重新分配守恒随机游走质量），而内容固定的重排序算法则不会，且更依赖结构的Graphiti节点距离算法（其结构依赖度高于PageRank）仍保持免疫性。预测因子是"可重分配性"而非"依赖性"。我们证明了免疫情况的普遍性，并在经验证的关键路径条件下推导了开放情况的证明。要闭合该通道，任何来源防御机制都必须对认证子图重新执行选择——这正是\AuthSelect\机制以零误拦和2%-3%延迟代价实现的功能。