Stop feeding entire files into the context window.
Start giving agents exactly the code intelligence they need.
Every time an AI coding agent reads a file to answer a question, it consumes thousands of tokens. Most of those tokens are irrelevant to the task. The agent doesn't need 500 lines of a file to know that validateToken takes a string and returns a Promise<User> — but it reads them anyway, because that's all it has.
Multiply that across a debugging session touching 20 files and you've burned 40,000+ tokens on context gathering alone.
SDL-MCP fixes this. It indexes your codebase into a searchable symbol graph and serves precisely the right amount of context through a controlled escalation path. An agent that uses SDL-MCP understands your code better while consuming a fraction of the tokens.
Your Codebase
│
┌──────┴──────┐
│ Indexer │ Native Rust (fast) or Tree-sitter (universal)
│ 12 langs │ TS · JS · Python · Go · Java · C# · C · C++ · PHP · Rust · Kotlin · Shell
└──────┬──────┘
│
▼
┌───────────────────────┐
│ Symbol Graph (DB) │ Functions, classes, interfaces, types, edges, metrics
│ LadybugDB (graph) │ Persisted. Incremental. Versioned.
└───────────┬───────────┘
│
┌──────────┼──────────┐
│ │ │
▼ ▼ ▼
29 MCP 10 CLI HTTP API
Tools Commands + Graph UI
│
▼
AI Coding Agent
(Claude Code, Claude Desktop, Cursor, Windsurf, any MCP client)
- Index once — SDL-MCP parses every symbol in your repo and stores it as a compact metadata record (a "Symbol Card") in a graph database
- Query efficiently — Agents use MCP tools to search, slice, and retrieve exactly the context they need
- Escalate only when necessary — A four-rung ladder controls how much code the agent sees, from a 100-token card to full source (with justification required)
# Install
npm install -g sdl-mcp
# Initialize, auto-detect languages, index your repo, and run health checks
sdl-mcp init -y --auto-index
# Start the MCP server for your coding agent
sdl-mcp serve --stdioPoint your MCP client at the server and the agent gains access to all SDL-MCP tools. That's it.
npx users: Replace
sdl-mcpwithnpx --yes sdl-mcp@latestin all commands above.
The core innovation. Named after the adjustable aperture that controls light flow in optics, the Iris Gate Ladder lets agents dial their context "aperture" from a pinhole to wide-open.
Token Cost What the Agent Sees
────────────────────────────────────────────────
~100 RUNG 1 ▸ Symbol Card
Name, signature, summary, dependencies, metrics
"What does this function do and what does it call?"
~300 RUNG 2 ▸ Skeleton IR
Signatures + control flow, bodies replaced with /* ... */
"What's the shape of this class?"
~600 RUNG 3 ▸ Hot-Path Excerpt
Only lines matching specific identifiers + context
"Where exactly is `this.cache` initialized?"
~2,000 RUNG 4 ▸ Raw Code Window Policy-gated
Full source code, requires justification
"I need to rewrite this error handler"
Most questions are answered at Rungs 1-2 without ever reading raw code. That's where the token savings come from.
| Scenario | Reading the file | Using the Ladder | Savings |
|---|---|---|---|
"What does parseConfig accept?" |
~2,000 tok | ~100 tok | 20x |
"Show me the shape of AuthService" |
~4,000 tok | ~300 tok | 13x |
"Where is this.cache set?" |
~2,000 tok | ~500 tok | 4x |
Every function, class, interface, type, and variable becomes a Symbol Card: a compact metadata record (~100 tokens) containing everything an agent needs to understand a symbol without reading its code.
┌─────────────────────────────────────────────────────────┐
│ Symbol Card: validateToken │
│─────────────────────────────────────────────────────────│
│ Kind: function (exported) │
│ File: src/auth/jwt.ts:42-67 │
│ Signature: (token: string, opts?: ValidateOpts) │
│ → Promise<DecodedToken> │
│ Summary: Validates JWT signature and expiration, │
│ returns decoded payload or throws │
│ Invariants: ["throws on expired token"] │
│ Side FX: ["logs to audit trail"] │
│ Deps: calls: [verifySignature, checkExpiry] │
│ imports: [jsonwebtoken, AuditLogger] │
│ Metrics: fan-in: 12 │ fan-out: 4 │ churn: 3/30d │
│ Cluster: auth-module (8 members) │
│ Process: request-pipeline (intermediate, depth 1) │
│ Test: auth.test.ts (distance: 1, proximity: 0.9)│
│ ETag: a7f3c2... (for conditional requests) │
└─────────────────────────────────────────────────────────┘
Cards include confidence-scored call resolution (the pass-2 resolver traces imports, aliases, barrel re-exports, and tagged templates to produce accurate dependency edges), community detection (cluster membership), and call-chain tracing (process participation with entry/intermediate/exit roles).
Indexing & Language Support Deep Dive →
Instead of reading files in the same directory, SDL-MCP follows the dependency graph. Starting from symbols relevant to your task, it traverses weighted edges (call: 1.0, config: 0.8, import: 0.6), scores each symbol by relevance, and returns the N most important within a token budget.
"Fix the auth middleware" → slice.build
│
BFS over graph
│
┌──────────────────┼──────────────────┐
▼ ▼ ▼
authenticate validateToken JwtConfig
│ │ │
▼ ▼ ▼
hashPassword getUserById envLoader
│
◆ frontier
(outside budget)
8 cards returned · ~800 tokens
vs. reading 8 files · ~16,000 tokens
Slices have handles, leases, refresh (delta-only updates), and spillover (paged overflow). You can also skip the symbol search entirely — pass a taskText string and SDL-MCP auto-discovers the relevant entry symbols.
git diff tells you what lines changed. SDL-MCP tells you what that change means and who's affected.
Modified: validateToken() signature
│
├── signatureDiff: added `options?: object` parameter
├── invariantDiff: added "throws on expired"
└── sideEffectDiff: added "logs to audit trail"
│
▼
Blast Radius (ranked):
1. authenticate() ← direct caller, distance 1
2. refreshSession() ← direct caller, distance 1
3. AuthMiddleware ← calls authenticate, distance 2
4. auth.test.ts ← test coverage, flagged for re-run
PR risk analysis (sdl.pr.risk.analyze) wraps this into a scored assessment with findings, evidence, and test recommendations. Fan-in trend analysis detects "amplifier" symbols whose growing dependency count means changes ripple further over time.
Delta & Blast Radius Deep Dive →
SDL-MCP doesn't wait for you to save. As you type in your editor, buffer updates are pushed to an in-memory overlay store, parsed in the background, and merged with the durable database. Search, cards, and slices reflect your current code, not your last save.
Editor keystrokes → sdl.buffer.push → Overlay Store → merged reads
│
on save / idle
│
▼
LadybugDB (durable)
Raw code access (Rung 4) is policy-gated. Agents must provide:
- A reason explaining why they need raw code
- Identifiers they expect to find in the code
- An expected line count within configured limits
Requests that don't meet policy are denied with actionable guidance ("try getHotPath with these identifiers instead"). Every access is audit-logged.
The sandboxed runtime execution tool (sdl.runtime.execute) has its own governance layer: disabled by default, executable allowlisting, CWD jailing, environment scrubbing, concurrency limits, and timeout enforcement.
Governance & Policy Deep Dive →
sdl.agent.orchestrate is an autonomous task engine. Give it a task type (debug, review, implement, explain), a description, and a budget — it plans the optimal Iris Gate path, executes it, collects evidence, and returns a synthesized answer.
The feedback loop (sdl.agent.feedback) records which symbols were useful and which were missing, improving future slice quality.
sdl.context.summary generates portable, token-bounded context briefings in markdown, JSON, or clipboard format for use outside MCP environments.
Agent Orchestration Deep Dive →
Run tests, linters, and scripts through SDL-MCP's governance layer instead of uncontrolled shell access. Three runtimes (Node.js, Python, Shell), code-mode or args-mode, smart output summarization with keyword-matched excerpts, and gzip artifact persistence.
Agents forget everything between sessions. SDL-MCP fixes this with a graph-backed memory system that lets agents store decisions, bugfix context, and task notes linked directly to the symbols and files they relate to. Memories are stored both in the graph database (for fast querying) and as checked-in markdown files (for version control and team sharing).
Agent Session 1 Agent Session 2
───────────── ─────────────
"Fixed race condition in sdl.memory.surface
authenticate() — added mutex" │
│ ┌────┴─────┐
▼ │ Relevant │
sdl.memory.store │ memories │
│ │ surfaced │
├──▶ Graph DB (Memory node) └────┬─────┘
│ ├── MEMORY_OF ──▶ authenticate() │
│ └── HAS_MEMORY ◀── Repo ▼
│ "Previous fix: race condition
└──▶ .sdl-memory/bugfixes/a1b2c3.md in authenticate() — mutex added"
(YAML frontmatter + markdown)
Memories are automatically surfaced inside graph slices — when an agent builds a slice touching symbols with linked memories, those memories appear alongside the cards. During re-indexing, memories linked to changed symbols are flagged as stale, prompting agents to review and update them. Four MCP tools (store, query, remove, surface) provide full CRUD plus intelligent ranking by confidence, recency, and symbol overlap.
Development Memories Deep Dive →
Access all 29 tool actions directly from the command line with sdl-mcp tool. No MCP server, transport, or SDK — just your terminal.
# Search for symbols
sdl-mcp tool symbol.search --query "handleAuth" --output-format pretty
# Build a task-scoped slice
sdl-mcp tool slice.build --task-text "debug auth flow" --max-cards 50
# Pipe JSON args, chain commands
echo '{"repoId":"my-repo"}' | sdl-mcp tool symbol.search --query "auth"Features include typed argument coercion (string, number, boolean, string[], json), budget flag merging, stdin JSON piping with CLI-flags-win precedence, auto-resolved repoId from cwd, four output formats (json, json-compact, pretty, table), typo suggestions, and per-action --help. The CLI dispatches through the same gateway router and Zod schemas as the MCP server — identical code paths, identical validation.
The tool gateway consolidates all 29 MCP tools into 4 namespace-scoped tools (sdl.query, sdl.code, sdl.repo, sdl.agent), reducing tools/list overhead from ~3,742 tokens to ~713 tokens — an 81% reduction.
Before: 29 tools × full JSON Schema = ~3,742 tokens at conversation start
After: 4 tools × thin schema = ~713 tokens at conversation start
─────────────
~3,029 tokens saved per conversation
Each gateway tool accepts an action discriminator field (e.g., { action: "symbol.search", repoId: "x", query: "auth" }) and routes to the same handlers with double Zod validation. Thin wire schemas in tools/list keep the registration compact while full validation happens server-side. Legacy flat tool names are optionally emitted alongside for backward compatibility.
| Category | Tool | One-Line Description |
|---|---|---|
| Repository | sdl.repo.register | Register a codebase for indexing |
sdl.repo.status | Health, versions, watcher, prefetch, live-index stats | |
sdl.repo.overview | Codebase summary: stats, directories, hotspots, clusters | |
sdl.index.refresh | Trigger full or incremental re-indexing | |
| Live Buffer | sdl.buffer.push | Push unsaved editor content for real-time indexing |
sdl.buffer.checkpoint | Force-write pending buffers to the durable database | |
sdl.buffer.status | Live indexing diagnostics and queue depth | |
| Symbols | sdl.symbol.search | Search symbols by name (with optional semantic reranking) |
sdl.symbol.getCard | Get a symbol card with ETag-based conditional support | |
sdl.symbol.getCards | Batch-fetch up to 100 cards in one round trip | |
| Slices | sdl.slice.build | Build a task-scoped dependency subgraph |
sdl.slice.refresh | Delta-only update of an existing slice | |
sdl.slice.spillover.get | Page through overflow symbols beyond the budget | |
| Code Access | sdl.code.getSkeleton | Signatures + control flow, bodies elided |
sdl.code.getHotPath | Lines matching specific identifiers + context | |
sdl.code.needWindow | Full source code (policy-gated, requires justification) | |
| Deltas | sdl.delta.get | Semantic diff + blast radius between versions |
| Policy | sdl.policy.get | Read current gating policy |
sdl.policy.set | Update line/token limits and identifier requirements | |
| Risk | sdl.pr.risk.analyze | Scored PR risk with findings and test recommendations |
| Context | sdl.context.summary | Token-bounded portable briefing (markdown/JSON/clipboard) |
| Agent | sdl.agent.orchestrate | Autonomous task execution with budget control |
sdl.agent.feedback | Record which symbols were useful or missing | |
sdl.agent.feedback.query | Query aggregated feedback statistics | |
| Runtime | sdl.runtime.execute | Sandboxed subprocess execution (Node/Python/Shell) |
| Memory | sdl.memory.store | Store or update a development memory with symbol/file links |
sdl.memory.query | Search memories by text, type, tags, or linked symbols | |
sdl.memory.remove | Soft-delete a memory from graph and optionally from disk | |
sdl.memory.surface | Auto-surface relevant memories for a task context |
Complete MCP Tools Reference (detailed parameters & responses) →
| Command | Description |
|---|---|
sdl-mcp init |
Bootstrap config, detect repo/languages, optionally auto-index |
sdl-mcp doctor |
Validate runtime, config, DB, grammars, repo access |
sdl-mcp index |
Index repositories (with optional --watch mode) |
sdl-mcp serve |
Start MCP server (--stdio or --http) |
sdl-mcp tool |
Access all 25 MCP tool actions directly (docs) |
sdl-mcp summary |
Generate copy/paste context summaries from the CLI |
sdl-mcp health |
Compute composite health score with badge/JSON output |
sdl-mcp export |
Export sync artifact |
sdl-mcp import |
Import sync artifact |
sdl-mcp pull |
Pull by version/commit with fallback |
sdl-mcp version |
Show version and environment info |
CLI Reference → · Configuration Reference →
SDL-MCP works with any MCP-compatible client:
| Client | Transport | Setup |
|---|---|---|
| Claude Code | stdio | sdl-mcp init --client claude-code |
| Claude Desktop | stdio | sdl-mcp init --client claude-code |
| Cursor | stdio | Standard MCP server config |
| Windsurf | stdio | Standard MCP server config |
| Codex CLI | stdio | sdl-mcp init --client codex |
| Gemini CLI | stdio | sdl-mcp init --client gemini |
| OpenCode | stdio | sdl-mcp init --client opencode |
| Any MCP client | stdio / http | sdl-mcp serve --stdio or --http |
A VSCode extension (sdl-mcp-vscode/) provides live buffer integration for real-time indexing of unsaved edits.
| Component | Technology |
|---|---|
| Runtime | Node.js 20+ / TypeScript 5.9+ (strict ESM) |
| Graph Database | LadybugDB (embedded, single-file) |
| Indexer (default) | Rust via napi-rs (multi-threaded) |
| Indexer (fallback) | tree-sitter + tree-sitter-typescript |
| MCP SDK | @modelcontextprotocol/sdk |
| Validation | Zod schemas for all payloads |
| Transports | stdio (agents) · HTTP (dev/network) |
| Document | Description |
|---|---|
| Getting Started | Installation, 5-minute setup, MCP client config |
| MCP Tools Reference | Detailed docs for all 29 tools (parameters, responses, examples) |
| CLI Reference | All CLI commands and options |
| Configuration Reference | Every config option with defaults and guidance |
| Agent Workflows | Workflow instructions for CLAUDE.md / AGENTS.md |
| Architecture | Tech stack, data flow, component diagram |
| Iris Gate Ladder | Context escalation methodology |
| Troubleshooting | Common issues and fixes |
| Topic | What You'll Learn |
|---|---|
| Iris Gate Ladder | Four-rung context escalation with token savings analysis |
| Graph Slicing | BFS/beam search, edge weights, wire formats, auto-discovery |
| Delta & Blast Radius | Semantic diffs, ranked impact analysis, PR risk scoring |
| Live Indexing | Real-time editor buffer integration and overlay architecture |
| Governance & Policy | Proof-of-need gating, audit logging, runtime sandboxing |
| Agent Orchestration | Autopilot mode, feedback loops, portable context summaries |
| Indexing & Languages | Rust/TS engines, two-pass architecture, 12-language support |
| Runtime Execution | Sandboxed subprocess execution with governance |
| CLI Tool Access | Direct CLI access to all 29 actions, output formats, stdin piping, scripting |
| Tool Gateway | 29→4 tool consolidation, 81% token reduction, thin schemas, migration guide |
| Semantic Engine | Pass-2 call resolution, embedding search, LLM summaries, confidence scoring |
| Semantic Embeddings Setup | Dependencies, model installation, provider configuration, tier-by-tier setup |
| Development Memories | Graph-backed cross-session memory, file sync, staleness detection, auto-surfacing |
This project is source-available.
- Free Use (Community License): You may use, run, and modify this software for any purpose, including internal business use, under the terms in
LICENSE. - Commercial Distribution / Embedding: You must obtain a commercial license before you sell, license, sublicense, bundle, embed, or distribute this software as part of a for-sale or monetized product. See
COMMERCIAL_LICENSE.md.
Questions? Contact gmullins.gkc@gmail.com.
