Stop feeding entire files into the context window.
Start giving agents exactly the code intelligence they need.
Every time an AI coding agent reads a file to answer a question, it consumes thousands of tokens. Most of those tokens are irrelevant to the task. The agent doesn't need 500 lines of a file to know that validateToken takes a string and returns a Promise<User> โ but it reads them anyway, because that's all it has.
Multiply that across a debugging session touching 20 files and you've burned 40,000+ tokens on context gathering alone.
SDL-MCP fixes this. It indexes your codebase into a searchable symbol graph and serves precisely the right amount of context through a controlled escalation path. An agent that uses SDL-MCP understands your code better while consuming a fraction of the tokens.
flowchart TD
Codebase["Your Codebase"]
Indexer["Indexer<br/>12 languages<br/>Rust native or Tree-sitter fallback"]
Graph["LadybugDB graph<br/>symbols, edges, metrics, versions"]
MCP["38 unique MCP tool surfaces<br/>flat, gateway, and code-mode"]
CLI["13 CLI commands"]
HTTP["HTTP API and graph UI"]
Agent["AI coding agent<br/>Claude Code, Claude Desktop, Cursor, Windsurf, Codex, Gemini"]
Codebase --> Indexer --> Graph
Graph --> MCP
Graph --> CLI
Graph --> HTTP
MCP --> Agent
- Index once โ SDL-MCP parses every symbol in your repo and stores it as a compact metadata record (a "Symbol Card") in a graph database
- Query efficiently โ Agents use MCP tools to search, slice, and retrieve exactly the context they need
- Escalate only when necessary โ A four-rung ladder controls how much code the agent sees, from a 100-token card to full source (with justification required)
# Install
npm install -g sdl-mcp
# Initialize, auto-detect languages, index your repo, and run health checks
sdl-mcp init -y --auto-index
# Start the MCP server for your coding agent
sdl-mcp serve --stdioPoint your MCP client at the server and the agent gains access to all SDL-MCP tools. That's it.
npx users: Replace
sdl-mcpwithnpx --yes sdl-mcp@latestin all commands above.
Full Getting Started Guide โ
The core innovation. Named after the adjustable aperture that controls light flow in optics, the Iris Gate Ladder lets agents dial their context "aperture" from a pinhole to wide-open.
flowchart TB
R1["~100 tokens<br/>Rung 1: Symbol Card<br/>Name, signature, summary, dependencies, metrics"]
R2["~300 tokens<br/>Rung 2: Skeleton IR<br/>Signatures and control flow with bodies elided"]
R3["~600 tokens<br/>Rung 3: Hot-Path Excerpt<br/>Identifier-focused lines with context"]
R4["~2,000 tokens<br/>Rung 4: Raw Code Window<br/>Policy-gated full source"]
R1 --> R2 --> R3 --> R4
Most questions are answered at Rungs 1-2 without ever reading raw code. That's where the token savings come from.
| Scenario | Reading the file | Using the Ladder | Savings |
|---|---|---|---|
"What does parseConfig accept?" |
~2,000 tok | ~100 tok | 20x |
"Show me the shape of AuthService" |
~4,000 tok | ~300 tok | 13x |
"Where is this.cache set?" |
~2,000 tok | ~500 tok | 4x |
Why it matters:
- 4โ20x token savings on typical code understanding queries
- Most questions answered at Rungs 1โ2 without ever reading raw code
- Controlled escalation prevents agents from over-consuming context
- Policy-gated raw access ensures agents prove they need full source
Iris Gate Ladder Deep Dive โ
Every function, class, interface, type, and variable becomes a Symbol Card: a compact metadata record (~100 tokens) containing everything an agent needs to understand a symbol without reading its code.
flowchart TB
Card["Symbol Card: validateToken"]
Kind["Kind: function (exported)"]
File["File: src/auth/jwt.ts:42-67"]
Signature["Signature: (token: string, opts?: ValidateOpts) -> Promise<DecodedToken>"]
Summary["Summary: validates JWT signature and expiration"]
Invariants["Invariants: throws on expired token"]
SideEffects["Side effects: logs to audit trail"]
Deps["Dependencies: verifySignature, checkExpiry, jsonwebtoken, AuditLogger"]
Metrics["Metrics: fan-in 12, fan-out 4, churn 3/30d"]
Context["Context: auth-module, request-pipeline, auth.test.ts"]
ETag["ETag: a7f3c2..."]
Card --> Kind --> File --> Signature --> Summary --> Invariants --> SideEffects --> Deps --> Metrics --> Context --> ETag
Cards include confidence-scored call resolution (the pass-2 resolver traces imports, aliases, barrel re-exports, and tagged templates to produce accurate dependency edges), community detection (cluster membership), and call-chain tracing (process participation with entry/intermediate/exit roles).
Why it matters:
- ~100 tokens per symbol vs. ~2,000 tokens to read the full file
- Confidence-scored dependency edges trace real call relationships across files
- Community detection and call-chain tracing reveal architectural structure
- ETag-based conditional requests avoid re-fetching unchanged symbols
- Workflow ETag caching now seeds
slice.buildwithknownCardEtagsso repeated slice builds can skip unchanged cards
Indexing & Language Support Deep Dive โ
Instead of reading files in the same directory, SDL-MCP follows the dependency graph. Starting from symbols relevant to your task, it traverses weighted edges (call: 1.0, config: 0.8, import: 0.6), scores each symbol by relevance, and returns the N most important within a token budget.
flowchart TD
Task["Task: Fix the auth middleware"] --> Slice["sdl.slice.build"]
Slice --> Auth["authenticate"]
Slice --> Validate["validateToken"]
Slice --> Config["JwtConfig"]
Auth --> Hash["hashPassword"]
Validate --> User["getUserById"]
Config --> Env["envLoader"]
Env -. frontier outside budget .-> Frontier["spillover frontier"]
Slices have handles, leases, refresh (delta-only updates), and spillover (paged overflow). You can also skip the symbol search entirely โ pass a taskText string and SDL-MCP auto-discovers the relevant entry symbols.
Why it matters:
- Follows the dependency graph, not directory boundaries, for cross-cutting context
- Weighted edge scoring (call > config > import) prioritizes the most relevant symbols
- Token-budgeted: returns only what fits within your budget (~800 tokens vs. ~16,000 for raw files)
- Natural-language task-text auto-discovers entry symbols โ no symbol IDs needed
git diff tells you what lines changed. SDL-MCP tells you what that change means and who's affected.
flowchart TD
Change["Modified validateToken() signature"]
Sig["signatureDiff<br/>added options?: object"]
Inv["invariantDiff<br/>added throws on expired"]
Fx["sideEffectDiff<br/>added logs to audit trail"]
Blast["Blast radius"]
A1["authenticate()<br/>distance 1"]
A2["refreshSession()<br/>distance 1"]
A3["AuthMiddleware<br/>distance 2"]
A4["auth.test.ts<br/>re-run recommended"]
Change --> Sig
Change --> Inv
Change --> Fx
Sig --> Blast
Inv --> Blast
Fx --> Blast
Blast --> A1
Blast --> A2
Blast --> A3
Blast --> A4
PR risk analysis (sdl.pr.risk.analyze) wraps this into a scored assessment with findings, evidence, and test recommendations. Fan-in trend analysis detects "amplifier" symbols whose growing dependency count means changes ripple further over time.
Why it matters:
- Semantic diffs show what a change means, not just what lines moved
- Ranked blast radius identifies which dependent symbols are most at risk
- Fan-in trend analysis detects "amplifier" symbols whose changes ripple further over time
- PR risk scoring produces actionable findings with test re-run recommendations
Delta & Blast Radius Deep Dive โ
SDL-MCP doesn't wait for you to save. As you type in your editor, buffer updates are pushed to an in-memory overlay store, parsed in the background, and merged with the durable database. Search, cards, and slices reflect your current code, not your last save.
flowchart LR
Editor["Editor keystrokes"] --> Push["sdl.buffer.push"]
Push --> Overlay["Overlay store"]
Overlay --> Reads["Merged reads<br/>search, cards, slices"]
Overlay --> Persist["save / idle checkpoint"]
Persist --> DB["LadybugDB durable graph"]
Why it matters:
- Search, cards, and slices reflect unsaved editor changes in real time
- No manual re-index needed during active development
- Background AST parsing with in-memory overlay keeps queries fast
Raw code access (Rung 4) is policy-gated. Agents must provide:
- A reason explaining why they need raw code
- Identifiers they expect to find in the code
- An expected line count within configured limits
Requests that don't meet policy are denied with actionable guidance ("try getHotPath with these identifiers instead"). Every access is audit-logged.
The sandboxed runtime execution tool (sdl.runtime.execute) has its own governance layer: enabled by default, but still guarded by executable allowlisting, CWD jailing, environment scrubbing, concurrency limits, and timeout enforcement. The outputMode parameter ("minimal" | "summary" | "intent") defaults to "minimal" for ~95% token savings, with sdl.runtime.queryOutput enabling on-demand output retrieval when needed.
Why it matters:
- Proof-of-need gating prevents agents from wastefully reading raw code
- Denied requests include actionable next-best-action guidance
- Full audit logging of every code access decision
- Sandboxed runtime with executable allowlisting, CWD jailing, and environment scrubbing
Governance & Policy Deep Dive โ
sdl.agent.context is SDL-MCP's task-shaped context engine. Give it a task type (debug, review, implement, explain), a description, and a budget โ it selects the right Iris Gate rungs, collects evidence, and returns context tuned to the job. In Code Mode, sdl.context provides the same retrieval surface without dropping into sdl.workflow.
The feedback loop (sdl.agent.feedback) records which symbols were useful and which were missing, improving future slice quality.
sdl.context.summary generates portable, token-bounded context briefings in markdown, JSON, or clipboard format for use outside MCP environments.
Why it matters:
- Task-shaped context retrieval plans the right Iris Gate path within a token budget
- Feedback loop records what was useful/missing, improving future slice quality
- Portable context summaries export findings for use outside MCP environments
Agent Context Deep Dive โ ยท Context Modes โ
Run tests, linters, and scripts through SDL-MCP's governance layer instead of uncontrolled shell access. 16 runtimes (Node.js, Python, Go, Java, Rust, Shell, and more), code-mode or args-mode, smart output summarization with keyword-matched excerpts, and gzip artifact persistence.
Why it matters:
- Run tests, linters, and scripts under governance instead of uncontrolled shell access
- 16 runtimes supported (Node, Python, Go, Java, Rust, Shell, and more)
- Executable allowlisting, CWD jailing, timeout enforcement, and environment scrubbing
- Smart output summarization with keyword-matched excerpts and gzip artifact persistence
Runtime Execution Deep Dive โ
Agents forget everything between sessions. SDL-MCP fixes this with an opt-in graph-backed memory system that lets agents store decisions, bugfix context, and task notes linked directly to the symbols and files they relate to. Memory is disabled by default and must be explicitly enabled in the configuration. When enabled, memories are stored both in the graph database (for fast querying) and as checked-in markdown files (for version control and team sharing).
flowchart LR
Session1["Agent session 1<br/>records bugfix memory"] --> Store["sdl.memory.store"]
Store --> Graph["LadybugDB memory node"]
Store --> Files[".sdl-memory/bugfixes/<id>.md"]
Graph --> Link1["MEMORY_OF -> authenticate()"]
Graph --> Link2["HAS_MEMORY -> repo"]
Session2["Agent session 2"] --> Surface["sdl.memory.surface"]
Surface --> Graph
Graph --> Recall["Relevant memory surfaced<br/>race condition fix in authenticate()"]
When enabled, memories are automatically surfaced inside graph slices โ when an agent builds a slice touching symbols with linked memories, those memories appear alongside the cards. During re-indexing, memories linked to changed symbols are flagged as stale, prompting agents to review and update them. Four MCP tools (store, query, remove, surface) provide full CRUD plus intelligent ranking by confidence, recency, and symbol overlap. Memory tools are only available when memory is enabled in the configuration.
Why it matters:
- Structured knowledge persists across sessions, linked directly to symbols and files
- Opt-in and disabled by default โ enable via
"memory": { "enabled": true }in config - When enabled, automatically surfaced inside graph slices when touching related symbols
- Stale memories flagged when linked symbols change during re-indexing
- Dual storage: graph DB for fast querying + markdown files for version control and team sharing
Development Memories Deep Dive โ
Tree-sitter gives SDL-MCP fast, syntax-level symbol extraction across 11 languages. SCIP (Source Code Intelligence Protocol) supplements this with compiler-grade cross-references from tools like scip-typescript, scip-go, and rust-analyzer. Generate a .scip index file, point SDL-MCP at it, and heuristic edges are upgraded to exact compiler-verified edges, external dependency symbols become first-class graph nodes, and new implements edges reveal interface/trait relationships that syntax analysis cannot discover.
flowchart LR
Compiler["Compiler / Type Checker"] --> SCIP[".scip index file"]
SCIP --> Ingest["sdl.scip.ingest"]
Ingest --> Upgrade["Heuristic edges โ exact edges"]
Ingest --> External["External dependency nodes"]
Ingest --> Implements["implements edges"]
Why it matters:
- Upgrades heuristic call resolution to compiler-verified exact edges (confidence 0.95)
- External dependencies (npm packages, Go modules, crate deps) become searchable graph nodes
- Interface/trait implementations tracked via
implementsedges - Auto-ingest on
sdl.index.refreshkeeps SCIP data current with zero manual steps - Complementary: tree-sitter provides structure, SCIP provides semantic precision
SCIP Integration Deep Dive โ
Access all 32 flat SDL action tools directly from the command line with sdl-mcp tool. No MCP server, transport, or SDK is required.
# Search for symbols
sdl-mcp tool symbol.search --query "handleAuth" --output-format pretty
# Build a task-scoped slice
sdl-mcp tool slice.build --task-text "debug auth flow" --max-cards 50
# Pipe JSON args, chain commands
echo '{"repoId":"my-repo"}' | sdl-mcp tool symbol.search --query "auth"Features include typed argument coercion (string, number, boolean, string[], json), budget flag merging, stdin JSON piping with CLI-flags-win precedence, auto-resolved repoId from cwd, four output formats (json, json-compact, pretty, table), typo suggestions, and per-action --help. The CLI dispatches through the same gateway router and Zod schemas as the MCP server โ identical code paths, identical validation.
Why it matters:
- All MCP tool actions accessible from any terminal โ no server, transport, or SDK required
- Same code paths and Zod validation as the MCP server โ identical behavior
- Four output formats (json, json-compact, pretty, table) for scripting and CI pipelines
- Auto-resolves repoId from cwd, supports stdin JSON piping and per-action
--help
The tool gateway consolidates the 32 flat SDL action tools into 4 namespace-scoped tools (sdl.query, sdl.code, sdl.repo, sdl.agent), reducing tools/list overhead from the full flat schema surface to a compact gateway surface.
flowchart LR
Before["Flat mode<br/>32 flat action tools<br/>plus universal discovery/info"] --> After["Gateway mode<br/>4 namespace tools<br/>plus universal discovery/info"]
After --> Savings["Smaller tools/list payload<br/>lower agent startup overhead"]
Each gateway tool accepts an action discriminator field (e.g., { action: "symbol.search", repoId: "x", query: "auth" }) and routes to the same handlers with double Zod validation. Thin wire schemas in tools/list keep the registration compact while full validation happens server-side. Legacy flat tool names are optionally emitted alongside for backward compatibility.
Why it matters:
- Large reduction in
tools/listoverhead for gateway-first agents - 32 flat action tools consolidated into 4 namespace-scoped tools for simpler agent selection
- Fewer tool choices means faster and more accurate tool dispatch by the agent
- Backward-compatible: legacy flat tool names optionally emitted alongside
| Category | Tool | One-Line Description |
|---|---|---|
| Repository | sdl.repo.register | Register a codebase for indexing |
sdl.repo.status | Health, versions, watcher, prefetch, live-index stats | |
sdl.repo.overview | Codebase summary: stats, directories, hotspots, clusters, with conditional ETag fetch support | |
sdl.index.refresh | Trigger full or incremental re-indexing | |
| Live Buffer | sdl.buffer.push | Push unsaved editor content for real-time indexing |
sdl.buffer.checkpoint | Force-write pending buffers to the durable database | |
sdl.buffer.status | Live indexing diagnostics and queue depth | |
| Symbols | sdl.symbol.search | Search symbols by name (with optional semantic reranking) |
sdl.symbol.getCard | Get a symbol card with ETag-based conditional support | |
sdl.symbol.getCards | Batch-fetch up to 100 cards in one round trip | |
| Slices | sdl.slice.build | Build a task-scoped dependency subgraph |
sdl.slice.refresh | Delta-only update of an existing slice | |
sdl.slice.spillover.get | Page through overflow symbols beyond the budget | |
| Code Access | sdl.code.getSkeleton | Signatures + control flow, bodies elided, with conditional ETag fetch support |
sdl.code.getHotPath | Lines matching specific identifiers + context, with conditional ETag fetch support | |
sdl.code.needWindow | Full source code (policy-gated, requires justification) | |
| Deltas | sdl.delta.get | Semantic diff + blast radius between versions |
| Policy | sdl.policy.get | Read current gating policy |
sdl.policy.set | Update line/token limits and identifier requirements | |
| Risk | sdl.pr.risk.analyze | Scored PR risk with findings and test recommendations |
| Context | sdl.context.summary | Token-bounded portable briefing (markdown/JSON/clipboard) with conditional ETag fetch support |
| Agent | sdl.agent.context | Task-shaped context retrieval with budget-controlled rung planning and conditional ETag fetch support |
sdl.agent.feedback | Record which symbols were useful or missing | |
sdl.agent.feedback.query | Query aggregated feedback statistics | |
| Runtime | sdl.runtime.execute | Sandboxed subprocess execution with outputMode (minimal/summary/intent) |
sdl.runtime.queryOutput | On-demand retrieval and keyword search of stored output artifacts | |
| Memory | sdl.memory.store | Store or update a development memory with symbol/file links |
sdl.memory.query | Search memories by text, type, tags, or linked symbols | |
sdl.memory.remove | Soft-delete a memory from graph and optionally from disk | |
sdl.memory.surface | Auto-surface relevant memories for a task context | |
| Code Mode | sdl.context | Code Mode task-shaped context retrieval for explain/debug/review/implement work |
sdl.workflow | Multi-step operations with budget tracking, ETag caching, and transforms | |
sdl.manual | Self-documentation โ query usage guide, action schemas, output format reference | |
| SCIP | sdl.scip.ingest | Ingest a pre-built SCIP index for compiler-grade cross-references (with dry-run support) |
| File | sdl.file.read | Read non-indexed files (configs, docs, templates) with line-range, search, or JSON-path modes |
| Meta | sdl.info | Runtime diagnostics โ version, Node.js, platform, database, config paths |
sdl.usage.stats | Session and lifetime token savings statistics | |
sdl.action.search | Search SDL action catalog to discover the right tool for a task |
Complete MCP Tools Reference (detailed parameters & responses) โ
| Command | Description |
|---|---|
sdl-mcp init |
Bootstrap config, detect repo/languages, optionally auto-index |
sdl-mcp doctor |
Validate runtime, config, DB, grammars, repo access |
sdl-mcp index |
Index repositories (with optional --watch mode) |
sdl-mcp serve |
Start MCP server (--stdio or --http) |
sdl-mcp tool |
Access all 35 MCP tool actions directly (docs) |
sdl-mcp info |
Runtime diagnostics โ version, Node.js, platform, database, config |
sdl-mcp summary |
Generate copy/paste context summaries from the CLI |
sdl-mcp health |
Compute composite health score with badge/JSON output |
sdl-mcp benchmark |
Run CI regression benchmarks |
sdl-mcp export |
Export sync artifact |
sdl-mcp import |
Import sync artifact |
sdl-mcp pull |
Pull by version/commit with fallback |
sdl-mcp version |
Show version and environment info |
CLI Reference โ ยท Configuration Reference โ
SDL-MCP works with any MCP-compatible client:
| Client | Transport | Setup |
|---|---|---|
| Claude Code | stdio | sdl-mcp init --client claude-code |
| Claude Desktop | stdio | sdl-mcp init --client claude-code |
| Cursor | stdio | Standard MCP server config |
| Windsurf | stdio | Standard MCP server config |
| Codex CLI | stdio | sdl-mcp init --client codex |
| Gemini CLI | stdio | sdl-mcp init --client gemini |
| OpenCode | stdio | sdl-mcp init --client opencode |
| Any MCP client | stdio / http | sdl-mcp serve --stdio or --http |
A VSCode extension (sdl-mcp-vscode/) provides live buffer integration for real-time indexing of unsaved edits.
| Component | Technology |
|---|---|
| Runtime | Node.js 24+ / TypeScript 5.9+ (strict ESM) |
| Graph Database | LadybugDB (embedded, single-file) |
| Indexer (default) | Rust via napi-rs (multi-threaded) |
| Indexer (fallback) | tree-sitter + tree-sitter-typescript |
| MCP SDK | @modelcontextprotocol/sdk |
| Validation | Zod schemas for all payloads |
| Transports | stdio (agents) ยท HTTP (dev/network) |
flowchart TD
Clients["MCP clients<br/>Claude Code, Claude Desktop, Cursor, Windsurf, Codex, Gemini"]
Gateway["Tool gateway<br/>sdl.query, sdl.code, sdl.repo, sdl.agent"]
Flat["Flat tools and optional code-mode surfaces"]
Policy["Policy engine<br/>proof-of-need, budgets, audit logging"]
Graph["LadybugDB graph<br/>symbols, edges, files, versions, memories"]
Indexer["Indexer pipeline<br/>Rust native or Tree-sitter fallback<br/>pass 1, pass 2, semantic enrichment"]
Clients --> Gateway
Clients --> Flat
Gateway --> Policy
Flat --> Policy
Policy --> Graph
Indexer --> Graph
Full Architecture Documentation โ
| Document | Description |
|---|---|
| Getting Started | Installation, 5-minute setup, MCP client config |
| MCP Tools Reference | Detailed docs for all 37 unique tool surfaces (parameters, responses, examples) |
| CLI Reference | All CLI commands and options |
| Configuration Reference | Every config option with defaults and guidance |
| Agent Workflows | Workflow instructions for CLAUDE.md / AGENTS.md |
| Architecture | Tech stack, data flow, component diagram |
| Iris Gate Ladder | Context escalation methodology |
| Troubleshooting | Common issues and fixes |
| Topic | What You'll Learn |
|---|---|
| Iris Gate Ladder | Four-rung context escalation with token savings analysis |
| Graph Slicing | BFS/beam search, edge weights, wire formats, auto-discovery |
| Delta & Blast Radius | Semantic diffs, ranked impact analysis, PR risk scoring |
| Live Indexing | Real-time editor buffer integration and overlay architecture |
| Governance & Policy | Proof-of-need gating, audit logging, runtime sandboxing |
| Agent Context | Task-shaped context retrieval, feedback loops, portable context summaries |
| Context Modes | Precise vs broad retrieval, adaptive symbol ranking, benchmark trade-offs |
| Indexing & Languages | Rust/TS engines, two-pass architecture, 12-language support |
| Runtime Execution | Sandboxed subprocess execution with governance |
| CLI Tool Access | Direct CLI access to all tool actions, output formats, stdin piping, scripting |
| Tool Gateway | 35โ4 tool consolidation, token reduction, thin schemas, migration guide |
| Semantic Engine | Pass-2 call resolution, embedding search, LLM summaries, confidence scoring |
| Semantic Embeddings Setup | Dependencies, model installation, provider configuration, tier-by-tier setup |
| Code Mode | sdl.context, sdl.workflow, action discovery, manual reference, one-call workflows |
| Development Memories | Graph-backed cross-session memory, file sync, staleness detection, auto-surfacing |
| SCIP Integration | Compiler-grade cross-references, external deps, implements edges, auto-ingest |
| Token Savings Meter | Per-call meter, session summaries, lifetime tracking, sdl.usage.stats |
This project is source-available.
- Free Use (Community License): You may use, run, and modify this software for any purpose, including internal business use, under the terms in
LICENSE. - Commercial Distribution / Embedding: You must obtain a commercial license before you sell, license, sublicense, bundle, embed, or distribute this software as part of a for-sale or monetized product. See
COMMERCIAL_LICENSE.md.
Questions? Contact gmullins.gkc@gmail.com.