Shared memory + orchestration for your coding agents. Local-first MCP, vector RAG.
Config is the same across clients — only the file and path differ.
```json
{
  "mcpServers": {
    "io-github-pouyahasanamreji-continuum": {
      "args": [
        "-y",
        "pnpm"
      ],
      "command": "npx"
    }
  }
}
```
One MCP server. Tell any client to read the plot — it becomes the orchestrator. Dispatches fresh agents in isolated worktrees, shares lessons across every Claude Code / Codex / Cline chat on the project.
Run this in your terminal to verify the server starts:

```sh
npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"
```
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
## Summary

`pnpm` accepts package names from the env lockfile `configDependencies` section and uses those names directly when creating config dependency symlinks under `node_modules/.pnpm-config`. A malicious repository can commit a crafted `pnpm-lock.yaml` whose env-lockfile document contains a traversal-shaped config dependency name such as `../../PWNED_CFGDEP`. During `pnpm install`, pnpm installs the config dependency and creates a symlink at a path derived from that name. In local testin
pnpm: `patch-remove` could delete project-selected files outside the patches directory
## Summary

The `patch-remove` deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm. A crafted patch entry could resolve outside the configured patches directory and cause `pnpm patch-remove` to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it.

## Security boundary

- Traversal and absolute paths that resolve
pnpm: Hoisted install imports lockfile alias outside node_modules
## Summary

The hoisted dependency alias issue tracked as GHSA-fr4h-3cph-29xv / CAND-PNPM-059 has been addressed in both pnpm and pacquet. A crafted lockfile alias could be joined directly under a hoisted `node_modules` directory. Traversal aliases could escape that directory, while reserved aliases such as `.bin` or `.pnpm` could overwrite pnpm-owned layout. This patch validates package-name semantics and path containment before graph insertion or filesystem work.

## Security boundary

- The
pnpm: `stage download` writes outside its destination directory via manifest name/version traversal
## Summary

The staged-tarball filename traversal reported as GHSA-v23m-ccfg-pq9h / CAND-PNPM-038 is fixed on `main` by [pnpm/pnpm#12303](https://github.com/pnpm/pnpm/pull/12303), merged as `65443f4bdf1f0db9c8c7dc58fee25252607e9234`. Before the fix, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, deri
pnpm: Reserved bin name deletes PNPM_HOME during global remove
<details> <summary>Maintainer Action Plan</summary>

## Maintainer Action Plan

This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path.

- Advisory: `CAND-PNPM-085` / `GHSA-4gxm-v5v7-fqc4`
- Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-4gxm-v5v7-fqc4
- Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1
- S
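
The advisory summaries above share one fix pattern: validate the lockfile-supplied name, then confirm path containment before any filesystem work. The block below shows that pattern as an added example; it is not taken from pnpm's patches, and the function names, the segment regex, the base directory and the sample names are assumptions made for illustration.

```javascript
// Added example, not pnpm's code: validate a lockfile-supplied name, then
// confirm the joined path stays under the directory the installer owns.
const path = require('node:path');

// Reserved aliases named in the advisory text (pnpm-owned layout).
const RESERVED = new Set(['.bin', '.pnpm']);
// Assumption: each segment of a package name must start alphanumeric.
const SEGMENT = /^[a-z0-9][a-z0-9._~-]*$/i;

function isSafePackageName(name) {
  if (typeof name !== 'string' || name.length === 0 || RESERVED.has(name)) return false;
  const scoped = name.startsWith('@');
  const parts = (scoped ? name.slice(1) : name).split('/');
  // "name" has one segment, "@scope/name" has exactly two.
  if (parts.length !== (scoped ? 2 : 1)) return false;
  return parts.every((p) => SEGMENT.test(p));
}

// Lexical containment: true only if target is strictly below base.
function isContained(base, target) {
  const rel = path.relative(path.resolve(base), path.resolve(target));
  return rel !== '' && rel !== '..' &&
    !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

function resolveInside(baseDir, name) {
  if (!isSafePackageName(name)) throw new Error('rejected name: ' + JSON.stringify(name));
  const target = path.join(baseDir, name);
  if (!isContained(baseDir, target)) throw new Error('escapes ' + baseDir);
  return target;
}

// Constructed sample: names as a crafted lockfile might supply them.
const SAMPLE = ['typescript', '@example/config', '../../PWNED_CFGDEP',
  '.bin', '.pnpm', '/etc/passwd', '@example/../x'];

function checkNames(baseDir, names) {
  const accepted = [], rejected = [];
  for (const n of names) {
    try { accepted.push(resolveInside(baseDir, n)); } catch { rejected.push(n); }
  }
  return { accepted, rejected };
}

console.log(checkNames('/tmp/proj/node_modules/.pnpm-config', SAMPLE));
```

The containment check is lexical and does not see symlinks already present under the base directory, which is why the `patch-remove` summary also describes deleting the final directory entry without following it.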

Your agents forget. Continuum remembers.
Point any MCP client at Continuum and tell it to read the plot. The client becomes an orchestrator — it researches the codebase, verifies the plan, persists a dispatch record, and hands you a ready-to-paste prompt for a fresh agent in an isolated git worktree. Every other Claude Code / Codex / Cline chat on the project sees what's reserved, shares what's been learned, and never re-explains the codebase. One local server: vector knowledge base, orchestration protocol, agent registry — shared across every MCP-speaking app on your machine.
```mermaid
flowchart TD
    CC["Claude Code"]
    CX["Codex"]
    CL["Cline"]
    YOU["YOU"]
    subgraph CONTINUUM["CONTINUUM ORCHESTRATOR"]
        direction LR
        PLOT["PLOT.md<br/>protocol"]
        KNOW["KNOWLEDGE<br/>(vectorized)"]
        AGENTS["AGENTS<br/>registry"]
        PANEL["WEB PANEL<br/>(humans)"]
    end
    DB[("SQLite + sqlite-vec<br/>one file, your disk")]
    CC -- MCP --> CONTINUUM
    CX -- MCP --> CONTINUUM
    CL -- MCP --> CONTINUUM
    YOU -- HTTP --> CONTINUUM
    CONTINUUM --> DB
```
No SaaS. No telemetry. No keys to manage. Boots in seconds. Survives reboots. Scales with you.
| Feature | What it does |
| --- | --- |
| 🧠 Vectorized memory | Every lesson your agents learn becomes a 768-dim embedding indexed in sqlite-vec. Recall is semantic, fuzzy, and instant — no exact-match games. |
| 🔍 RAG-native search | `knowledge_search({q: "how do we handle webhook retries?"})` returns ranked metadata (slug + kind + agentSlug + timestamps); follow up with `knowledge_get({slug})` for the body. Metadata first keeps top-K context cheap; only fetch what's worth reading. |
| 🗺️ Canonical workflow | Every project gets a `PLOT.md` seeded with a 4-phase dispatch protocol — Intake → Research → Verify → Handoff. Stop re-explaining your process. |
| 🤖 Multi-agent registry | State machine + reserved-path tracking stops parallel agents from clobbering each other across git worktrees. |
| 📚 Two-tier knowledge | `fundamental` lessons are binding rules loaded on every dispatch. `situational` lessons surface via semantic search when relevant. |
| 🖥️ Human web panel | Astro + React UI to browse projects, agents, plot, and knowledge while AI clients drive everything via MCP. |
| 🔌 Client-agnostic | Standard MCP / Streamable HTTP. Works with Claude Code, Codex, Cline, Cursor, or anything that speaks the protocol. |
| 🔒 Local-first | One SQLite file. WAL mode. No cloud. Optional embedder is your call (O |