Engram enforces access through memory scopes.

• Facts are stored with scopeId.
• Reads and writes are controlled by scope policy.
• Private scopes (private-*) are member-only.
• Shared scopes are explicitly membership-based unless readPolicy="all".

• Agent routing notifications are created only from enriched facts.
• Notification consumption is by agentId.
• Removing a member from scope removes pending notifications for that scope.

• No cross-scope recall without explicit scope permission.
• Multi-scope recall executes as fan-out across permitted scopes only.
• Dedup runs only on shared/team scopes, never private scopes.