Next action
After indexing, the repo is queryable. Search symbols, view the knowledge graph, or open the wiki to start documenting. See all migration options.
Ready when you are
Index your first push.
src.land is Citadel hosted. Install the citadel-cli binary, push to your namespace, and query the graph from the web UI or over MCP.
citadel-cli auth login
device code: WXYZ-4823 - approve in browser
download the binary at src.land/help
Start with one repo
Point it. It indexes.
Paste any GitHub, GitLab, or git remote URL. No install, no webhook setup. History, symbols, audit row, and graph arrive together.
citadel-cli import https://<remote>/repo.git
1. cloning over HTTPS (read-only)
2. building symbol index
cloned
986 symbols indexed (go + ts)
audit row written - keyed to your namespace
knowledge graph ready
What arrives
Everything, at once.
The import produces the same four outputs as a native push: a full clone, a symbol index, an immutable audit entry, and a queryable knowledge graph. Nothing is deferred.
cloneindexauditgraph
Permissions and scope
accessRead-only clone over HTTPS or SSH. GitHub OAuth, GitLab token, or any public remote.
arrivesCommit history, branches, tags, source files, and symbol graph.
not includedIssues, pull requests, CI status, and star counts are not imported. Those remain on your origin host.
- No training on your code. Data use →
- Every action audited. Audit log →
- Scoped, revocable tokens. Agent tokens →
- Open standards: OAuth, WebAuthn, MCP. Standards →
- Self-host the single binary. Self-host →
Who is this for?
Find your path.
developer
Push, query, review.
Git over SSH, a queryable symbol graph, and pull requests with CODEOWNERS gates.
Get started →
agent-builder
One token, real tools.
A bearer token scoped per namespace grants MCP tools over a real protocol. Agents are entities with IDs and audit rows.
See agent tokens →
security / compliance
Logged and revocable.
Every human push and agent read lands in the same audit log. Tokens are scoped per namespace and action.
See security →
self-host
One Go binary.
Offline license, no phone-home, air-gap support. Your Postgres, your data, your metal.
See on-prem →
What src.land is
Four surfaces, one index.
Git hosting plus a queryable knowledge graph, KG-backed wiki, agent-safe access, and a neutral import path from any remote.
knowledge graph
Code, queryable.
Symbols, callers, impact, and cross-language edges - rebuilt on every push.
Explore the graph →
wiki
Docs that stay in sync.
API reference blocks, coverage reports, and drift reconciliation tied to the graph.
See the wiki →
agents
Built for MCP.
Scoped bearer tokens, real protocol tools, and an audit row for every agent action.
Agent access →
migration
Bring your repos.
Import or mirror from any git remote. History and indexing arrive together.
Import path →
01
No harvesting
We never index your code to rank, sell or train an AI model.
No trending feed, no public-repo showcase, no training corpus. We host your code, public or private, and the only index we build is yours - query it right here. Follow the live demo loop →
git push origin main
audit row #1170 keyed to db@src.land
kg indexed 986 symbols indexed (go + ts)
pg edges +6
02
What a push produces
Four artifacts land on every push.
| Artifact | Written |
|---|---|
| audit row | actor - action - namespace - timestamp |
| kg symbols | functions, types, consts - each with a body hash |
| pg edges | depends_on - pins - from go.mod, package.json |
| cross-lang edge | TS fetch() resolved to its Go handler |
03
Accountable
Every action is logged, all access is revocable.
Human pushes and agent reads land in the same audit log. Tokens are scoped per namespace and action, and you can revoke any of them. See agent access →
GET /api/namespaces/rethunk/kg/symbols?q=processPayment
matches: processPayment (function) pay.go
matches: processPaymentRefund (function) refund.go
total: 2
See it live
Follow the loop, step by step.
Every stop below is a public, anon-readable surface running on our own source. No account needed.
01
A push writes an audit receipt.
Every commit lands one immutable row in the audit log: who pushed, what changed, when. Open the repo home to see the push receipts keyed to this namespace.
02
The receipt produces a queryable project graph.
Each push rebuilds the knowledge graph: symbols extracted, cross-language edges indexed, callers mapped. Open insights to query the live graph for this repo.
03
Every symbol is searchable across languages.
The index is fully searchable by name, kind, and file. Functions, types, and variables from Go and TypeScript resolve in a single query. Open search to browse it.
04
Agents read the same index over a real protocol.
The wiki surface exposes the same project context that an MCP client receives: pages, symbol tables, caller lists. No scraping, no polling. Open the wiki to browse it.
Security & governance
Built for teams that get audited.
No magic
Built on standards.
No vendor transport layer. Agents connect over RFC 8628 device flow; auditors page the audit log over plain HTTPS.
FAQ
Direct answers.
Do you index my code to train models?
No. We never index your repositories to train, rank, or sell.
Is it self-hostable?
Yes - one Go binary, offline license validation, no phone-home. Run it air-gapped.
How do agents connect?
A bearer token to the built-in MCP server - over 76 purpose-built tools, no HTML scraping.
Can I bring my existing repos?
Import over HTTPS or SSH, or mirror continuously with source-wins push rejection.
Is the audit log tamper-evident?
Not yet. Today it is standard Postgres rows; hash-chaining is on the roadmap. We won't claim WORM until it ships.
What does it cost?
Free for solo and open source. Pro is $4 per seat / month; Enterprise is $15 per seat / month and adds SSO, SCIM, policy, and configurable audit retention. Self-host is a separate binary - see Deploy. See full pricing
git, indexed.
A push is the unit of work. Browse the public fixture or start with your own namespace.