Skip to content
continuum

Pointing an AI at your codebase is a trust decision.

Here is exactly what trusts what.

Config is shareable. Identity is not.

In Continuum, agents connect to your memory through Engram — the MCP server — and every connection authenticates against an OAuth 2.1 authorization server first; Engram refuses any request not carrying a valid, scoped token. Reading and writing memory are separately granted permissions, not a single key to everything.

This is why Continuum's connection config can live in your repository, committed, visible to anyone who clones: it contains an endpoint, a client ID, a callback port — and no secrets. The config removes the setup step, not the auth step. Who actually gets in is decided by the authorization server, per person, per scope, every time.

A database per tenant. Physically.

Tenant isolation in Continuum is not a filter clause — it's a separate database. No query path exists from one tenant's memory to another's, because no shared tables exist to query. Isolation you can verify beats isolation you're asked to assume.

The ingest client refuses secrets by default.

The safety floor is built into the ingest tool and cannot be configured downward: known secret filenames are blocked unconditionally, binaries are skipped, dependency and build directories are excluded. Above the floor, a project-level ignore file adds whatever exclusions your repo needs — and removing a file from scope archives it from memory on the next run. What shouldn't be remembered, isn't.

Self-hosted, on your terms.

The Engram server runs on your infrastructure. The database is yours. The authorization server is yours. Continuum's job is to be excellent inside your boundary, not to ask you to extend it.

Air-gapped, when self-hosted isn't enough.

Some networks have no path out — and Continuum doesn't need one. In the air-gapped deployment profile, Engram serves embeddings from a local model on your hardware, over an OpenAI-compatible endpoint, with zero external network calls. Same memory, same tools, same OAuth 2.1 contract — inside the enclave, where it stays.

We treat silent wrong answers as the worst defect class.

The same discipline that governs retrieval governs this page: every claim on it is verifiable, and capabilities we haven't validated aren't claimed. When the answer to a security question is "not yet," that's the answer you'll get.

Questions we haven't answered here? Ask them directly. Request early access →