Roadmap.
Features grouped by phase and maturity - alpha means alpha. Push a repo and follow along.
Phase 0
Shipped and running on src.land.
Mail template editor - Stable
Operator admin for in-production template editing: list all templates, get and edit with live preview before save, full version history, and one-click revert to any prior version. Separate from the Stable mail templates system it manages.
Operator export tooling - Stable
Operator-side export tooling for support and recovery workflows.
CLI agent-token tooling - Stable
CLI token issuance with output-as-JSON, full-ID surfacing, and operator-grade flags for headless agent and operator workflows. Includes atomic token rotation (rotate-token) that revokes and reissues in one operation.
Agent token rotation - Stable
Atomic token rotation for agents: the active token is revoked and a replacement issued in one operation with no window between them.
Agent activity rollup - Stable
Per-agent activity aggregation surfaced on the operator dashboard, with namespace and action breakdowns.
Thread resolution - Stable
Inline comment threads carry a `resolved` flag keyed on (pr_id, file_path, diff_hunk_hash). Resolution persists across pushes; if a rebase changes the underlying hunk, its hash changes and the thread has to be re-opened manually.
Support tickets - Stable
Database-canonical support pipeline with email round-trip: replies by email feed back into the ticket thread; operator queue lives on the operator dashboard.
Suggested edits - Stable
Reviewers propose inline patch fragments on a PR comment; the author accepts or rejects each; accepted suggestions are returned as unified patch fragments for the author to apply as a commit on the source branch.
Review checklists - Stable
Org-defined checklist templates attach to a PR by path-glob or label predicate; merge is blocked until every item is resolved. Unresolved count surfaces on the checklist section.
Repo topics - Stable
Per-repo topic tagging with a popular-topics suggestion surface. Topics are editable from repo settings, surfaced on the repo home page, and manageable from citadel-cli (`repo topic list/set/popular`).
Repo insights - Stable
Aggregate repo summary: 52-week commit activity, 30-day contributors, an all-time contributors graph, a community-profile completeness scorecard, languages, license, releases, open issue/milestone counts, stars, pins, and topics. Rendered on repo home and available in citadel-cli (`repo insights`) with JSON output.
Repo create + delete - Stable
Namespace-scoped repo create, list, and delete with hard-purge cascade and slug-hold tombstone on delete. Create seeds an optional .gitignore template and SPDX license on the first commit.
PR review state machine - Stable
open / changes_requested / approved / dismissed review states with role-guarded transitions, and a merge block that gates on all required reviewers, CODEOWNERS zones, and unresolved checklists. PR metadata lifecycle (draft, merge methods) lives under PR lifecycle and merge methods.
Passwordless sign-in - Stable
Sign in directly with a passkey assertion: conditional, optional, or required mediation, with email-scoped lookups for non-resident credentials.
Org members - Stable
Per-org member roster, role assignment, and invitation flow, gated on org settings permissions.
Operator waitlist admin - Stable
Operator UI for waitlist hygiene: accept, reject, expire, and bulk import.
Operator slug admin - Stable
Two operator surfaces on top of the anti-squat rule engine: a slug denylist with full CRUD and CSV bulk-import, and a slug review queue for deciding on flagged namespace-claim requests.
Operator grants admin - Stable
Operator UI for grant CRUD against the namespace tree (bulk grant, dedup, lookup-user, revoke) with audit at every transition, surfaced under the operator dashboard.
Operator dashboard - Stable
Cross-tenant operator view: waitlist admin, grants admin, mail metrics, feature funnels, and agent-activity rollup.
OAuth providers - Stable
Public provider registry plus authenticated link/unlink flows for third-party identities. citadel-cli lists providers without a session, opens or prints provider authorize URLs for linking, and respects last-provider guardrails on unlink.
OAuth developer portal - Stable
Self-serve developer surface for third-party OAuth clients: registration, scopes, redirect URIs, and rotation.
OAuth 2.1 Authorization Server - Stable
Citadel runs its own OAuth 2.1 AS: authorization code with PKCE, device authorization flow for headless CLI auth, refresh and revoke, and a discovery document. Enables third-party clients to connect without pre-shared secrets and CLI tools to authenticate without a browser session.
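The PKCE half of that flow, as an added example written for this page rather than taken from Citadel's authorization server. The in-memory AuthCode record and the names (RedeemCode, ErrReplay and so on) are chosen for the example; the challenge derivation and verifier character set follow RFC 7636, and the S256-only rule follows OAuth 2.1. The token-endpoint check refuses a code that was issued without a challenge instead of downgrading, binds redemption to the client_id and redirect_uri from the authorization request, and burns the code on first use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// NewCodeVerifier makes the client-side secret: 32 random bytes, base64url
// without padding, is 43 characters, the RFC 7636 minimum length.
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// S256Challenge is what goes on the authorization request; the verifier
// itself stays with the client until the token request.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthCode is what the AS stores against an issued authorization code
// (assumed shape for this example).
type AuthCode struct {
	ClientID        string
	RedirectURI     string
	Challenge       string
	ChallengeMethod string
	Used            bool
}

var verifierRe = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

var (
	ErrNoChallenge   = errors.New("authorization request carried no code_challenge")
	ErrMethod        = errors.New("code_challenge_method must be S256")
	ErrVerifierShape = errors.New("code_verifier has invalid length or characters")
	ErrMismatch      = errors.New("code_verifier does not match code_challenge")
	ErrBinding       = errors.New("client_id or redirect_uri differs from the authorization request")
	ErrReplay        = errors.New("authorization code already used")
)

// RedeemCode is the token-endpoint check. A public client has no secret, so
// PKCE is the only thing binding the code to the client that started the
// flow: a missing challenge is a hard failure, not a downgrade, and only S256
// is accepted. The code is single-use.
func RedeemCode(stored *AuthCode, clientID, redirectURI, verifier string) error {
	if stored.Used {
		return ErrReplay
	}
	if stored.ClientID != clientID || stored.RedirectURI != redirectURI {
		return ErrBinding
	}
	if stored.Challenge == "" {
		return ErrNoChallenge
	}
	if stored.ChallengeMethod != "S256" {
		return fmt.Errorf("%w: got %q", ErrMethod, stored.ChallengeMethod)
	}
	if !verifierRe.MatchString(verifier) {
		return ErrVerifierShape
	}
	if subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(stored.Challenge)) != 1 {
		return ErrMismatch
	}
	stored.Used = true
	return nil
}

func main() {
	v, _ := NewCodeVerifier()
	cb := "http://127.0.0.1:8765/cb" // loopback redirect, as a CLI client would register
	code := &AuthCode{ClientID: "cli", RedirectURI: cb, Challenge: S256Challenge(v), ChallengeMethod: "S256"}
	fmt.Println("first redeem:", RedeemCode(code, "cli", cb, v))
	fmt.Println("second redeem:", RedeemCode(code, "cli", cb, v))
}
```

The device authorization flow the entry also mentions sits beside this rather than replacing it: the device code is bound to the client by polling with the same client_id, and the user-facing verification step happens in a browser on another machine.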
Issues label chips - Stable
Label autocomplete with prefetched repo labels: multi-select chip input on issue create and edit.
Issues assignee filter - Stable
Chip-based assignee + milestone filter on the issues list with debounced user-search autocomplete.
Hard-purge on delete - Stable
Account and repo delete cascade hard-purge with a slug-hold tombstone so the namespace can't be re-squatted before review.
Dashboard search - Stable
Top-bar search across membership and grants (orgs, projects, repos, agents), ranked by frecency, gated on the caller's permission graph.
Search - Stable
Roll-up of dashboard, symbol, help, and repo-scoped search: one permission-aware discovery surface across namespaces, repos, and the help corpus.
Org management - Stable
Roll-up of org create/delete, members, settings, transfer, rename, passkey policy, and org dashboard: the namespace-tree administration surface for organizations.
Markdown render + extensions - Stable
Roll-up of the shared Markdown renderer and opt-in Mermaid/KaTeX extensions: same allow-list on client and server.
CODEOWNERS auto-assign - Stable
Repo-root CODEOWNERS parsed on PR open and push: glob, directory-prefix, and `**` wildcards. Matched owners are auto-added as required reviewers; a PR spanning multiple zones requires an approver from each before the merge button enables.
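How the per-zone gate can be computed, as an added example that is not Citadel's parser. The glob semantics (a leading slash anchors at the repo root, a trailing slash claims a directory, `*` stays within one path segment, `**` crosses segments, the last matching line wins) follow CODEOWNERS convention; the sample file, changed-file list and owner handles are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Rule is one CODEOWNERS line: a path pattern and the owners it names.
type Rule struct {
	Pattern string
	Owners  []string
}

// ParseCodeowners keeps rules in file order; matching walks them backwards
// so the last matching line wins.
func ParseCodeowners(text string) []Rule {
	var rules []Rule
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		rules = append(rules, Rule{Pattern: f[0], Owners: f[1:]})
	}
	return rules
}

// patternToRegexp compiles a CODEOWNERS glob: "*" stays within one segment,
// "**" crosses segments, a leading "/" anchors at the root (else any depth),
// a trailing "/" claims the directory and everything under it.
func patternToRegexp(p string) *regexp.Regexp {
	anchored := strings.HasPrefix(p, "/")
	p = strings.TrimPrefix(p, "/")
	dir := strings.HasSuffix(p, "/")
	p = strings.TrimSuffix(p, "/")
	var sb strings.Builder
	sb.WriteString("^")
	if !anchored {
		sb.WriteString("(?:.*/)?")
	}
	for i := 0; i < len(p); i++ {
		switch {
		case strings.HasPrefix(p[i:], "**/"):
			sb.WriteString("(?:.*/)?") // zero or more directories
			i += 2
		case strings.HasPrefix(p[i:], "**"):
			sb.WriteString(".*")
			i++
		case p[i] == '*':
			sb.WriteString("[^/]*")
		default:
			sb.WriteString(regexp.QuoteMeta(p[i : i+1]))
		}
	}
	if dir {
		sb.WriteString("/.*$")
	} else {
		sb.WriteString("(?:/.*)?$") // a bare name also claims a directory of that name
	}
	return regexp.MustCompile(sb.String())
}

// Zones maps every pattern that claims at least one changed file to its
// owners. Files no rule claims belong to no zone and never block the merge.
func Zones(rules []Rule, changed []string) map[string][]string {
	res := make([]*regexp.Regexp, len(rules))
	for i, r := range rules {
		res[i] = patternToRegexp(r.Pattern)
	}
	zones := map[string][]string{}
	for _, f := range changed {
		for i := len(rules) - 1; i >= 0; i-- {
			if res[i].MatchString(f) {
				zones[rules[i].Pattern] = rules[i].Owners
				break
			}
		}
	}
	return zones
}

// MergeGate is true only when every touched zone holds an approval from one
// of its own owners; an approval from anyone else counts for nothing there.
func MergeGate(zones map[string][]string, approvedBy map[string]bool) (bool, []string) {
	var missing []string
	for pattern, owners := range zones {
		approved := false
		for _, o := range owners {
			approved = approved || approvedBy[o]
		}
		if !approved {
			missing = append(missing, pattern)
		}
	}
	sort.Strings(missing)
	return len(missing) == 0, missing
}

// Constructed sample CODEOWNERS for the example; not a real repository's.
const sampleCodeowners = `# fallback owner for everything
*                  @org/maintainers
*.go               @alice
/docs/             @bob
/internal/auth/**  @carol @dave
`

func main() {
	changed := []string{"internal/auth/token.go", "docs/index.md", "README.md"}
	zones := Zones(ParseCodeowners(sampleCodeowners), changed)
	ok, missing := MergeGate(zones, map[string]bool{"@alice": true, "@carol": true})
	fmt.Println("mergeable:", ok, "zones still waiting:", missing)
}
```

With the sample above, @alice's approval does not help: the Go file she owns by `*.go` is claimed by the later `/internal/auth/**` line, so the merge waits on `/docs/` and the `*` fallback zone until @bob and a maintainer approve.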
KG full-text - Stable
Full-text search across symbols and files with a regex variant and cross-namespace queries (gated on read permissions). Exposed over HTTP and via the kg_search MCP tool.
Editor toolbar - Stable
Icon toolbar with heading dropdown, bold / italic / underline / strike, inline code, lists, links, and tables.
Keyboard shortcuts - Stable
Site-wide shortcut registry with a scope stack and g-chord sequences. Covers command palette, help search, issues, repo browsing, and commit navigation. A discoverable modal lists all active bindings for the current context.
Issues at any namespace level - Stable
Issues attach to any node in the namespace tree: user, org, project, or repo. Cross-namespace close-references resolve on default-branch push. Public repos may expose read-only issue lists to anonymous visitors when issues_public_read is enabled.
Org settings - Stable
Shared namespace settings shell across orgs and projects, plus repo settings, reusing the same webhook management and delivery-history UX where the namespace can emit events.
MCP server - Stable
Streamable MCP transport with 76 tools and 5 curated prompts (commit-message, spec-scaffold, PR triage, PR review, issue summary) across knowledge graph, project graph, issues, labels, and audit: kg_search, pr_kg_impact, and kg_impact_cross among the registry. OAuth 2.1 for third-party clients; scoped tokens for headless agents.
Repo browse - Stable
Tree/blob browsing, ref enumeration, commit log/detail, go-to-file overlay, fuzzy path filter, and web-editor blob writes under each repo's namespace. The CLI mirrors tree, blob, commit list, and per-SHA commit detail for scripts and headless agents.
Operator metrics - Stable
Admin metrics dashboard with mail metrics, feature funnels, waitlist breakdown, and agent-activity rollup.
Profile pages - Stable
Public profile pages with profile README rendering, avatar, joined date, company, public email, sponsor URL, and public namespace list, gated on visibility.
Namespace transfer - Stable
Move an org, project, or user namespace between owners with audit, idle-period invariants, and an in-app accept handshake. Distinct from repo ownership transfer.
Namespace rename - Stable
Rename an org, project, or user namespace and leave a tombstone forwarder that resolves old slugs to the new path until the alias is released. Distinct from repo slug rename under a parent namespace.
TOTP MFA - Stable
Time-based codes as a second factor, with recovery codes for break-glass. Step-up enforced on sensitive surfaces.
Passkeys - Stable
WebAuthn passkeys as a second factor with enrol, list, rename, and delete (last-factor guard) under the account portal.
Markdown render - Stable
Client and server renderers sharing one allow-list and round-tripping the same math output.
Prometheus metrics - Stable
Scrape endpoint exposing push and MCP tool latency histograms, knowledge-graph queue depth, an audit-emit drop counter, and Go runtime metrics. Gated on a bearer token; if no token is configured the endpoint is disabled outright rather than left open.
Repo diff - Stable
KG symbol comparison between two refs: added, removed, and modified symbols across the indexed graph. Unified git diffs on the commit-detail page and the arbitrary two-ref /compare route ship under Two-ref compare and Commit diff view.
Git over HTTPS - Stable
Read-side Git API for default branch, tree, blob, refs, commit log/detail, topics, and insights, plus authenticated blob-write for the web editor and CLI.
Commit diff view - Stable
Full diff view on the commit detail page: split/unified toggle, Lezer syntax highlight via CitadelEditor palette, character-level inline edit highlights, collapsible hunk context, line permalinks from the gutter, omitted-line separators between non-contiguous hunks, and a file filter with a / shortcut.
Commit detail - Stable
Dedicated commit-detail route with per-file diff stats, parent and child links, parsed trailers, and reviewer attribution.
Blame strip - Stable
File-level blame strip on the blob viewer showing the latest commit that touched the file: author avatar, commit subject, relative age, and SHA link, collapsed by default and toggled from the toolbar. A true per-line git blame view (porcelain-backed, with optional knowledge-graph symbol enrichment) toggles from the same toolbar and is exposed as a blame_lines MCP tool.
Web editor - Stable
WYSIWYG plus code-mode editing with multi-language syntax highlight, a Citadel-aligned theme, and protected-branch enforcement, backed by the same blob-write API as the CLI.
Editor conflict UI - Stable
On a write conflict, the editor surfaces a three-pane resolution view (theirs / yours / merged) before letting the user retry the write.
Editor binary gate - Stable
The web editor opens any text-shaped file and refuses anything binary, replacing the prior extension allow-list.
Deploy tokens - Stable
Per-namespace deploy tokens with scoped permissions, optional expiry, last-used tracking, and a one-time cleartext reveal on creation. Managed from namespace settings with create, list, and revoke.
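One way to implement both the one-time cleartext reveal described here and the atomic rotation under Agent token rotation, as an added example that is not Citadel's token store. The in-memory store, the `ctl_` prefix and the record fields are assumptions for the example. The points it shows: only a SHA-256 digest is persisted, the cleartext leaves the store exactly once, and revoke-and-reissue happens under one lock (one transaction, in a database-backed store) so no caller ever observes a gap.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// TokenRecord is everything the server keeps: the SHA-256 of the secret, a
// short display prefix, and lifecycle state. The cleartext is never stored.
type TokenRecord struct {
	ID       string
	Hash     [32]byte
	Prefix   string
	Revoked  bool
	LastUsed time.Time
}

// TokenStore stands in for the database table; the mutex plays the role of
// the transaction.
type TokenStore struct {
	mu     sync.Mutex
	byID   map[string]*TokenRecord
	byHash map[[32]byte]*TokenRecord
}

func NewTokenStore() *TokenStore {
	return &TokenStore{byID: map[string]*TokenRecord{}, byHash: map[[32]byte]*TokenRecord{}}
}

var ErrNoActiveToken = errors.New("no active token with that id")

// issueLocked mints a token; the caller must hold s.mu. The "ctl_" prefix is
// a hypothetical one chosen so secret scanners can recognise the format. The
// ID comes from separate random bytes so it reveals nothing about the secret.
func (s *TokenStore) issueLocked() (string, *TokenRecord, error) {
	secret := make([]byte, 32)
	idb := make([]byte, 8)
	if _, err := rand.Read(secret); err != nil {
		return "", nil, err
	}
	if _, err := rand.Read(idb); err != nil {
		return "", nil, err
	}
	cleartext := "ctl_" + hex.EncodeToString(secret)
	rec := &TokenRecord{ID: hex.EncodeToString(idb), Hash: sha256.Sum256([]byte(cleartext)), Prefix: cleartext[:10]}
	s.byID[rec.ID] = rec
	s.byHash[rec.Hash] = rec
	return cleartext, rec, nil
}

// Issue returns the cleartext once; after this call only the digest exists.
func (s *TokenStore) Issue() (string, *TokenRecord, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.issueLocked()
}

// Authenticate hashes the presented secret and looks the digest up. Hashing
// first means no stored secret is ever compared byte-by-byte against
// attacker-controlled input, so there is nothing for a timing probe to measure.
func (s *TokenStore) Authenticate(presented string) (*TokenRecord, bool) {
	h := sha256.Sum256([]byte(presented))
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byHash[h]
	if !ok || rec.Revoked {
		return nil, false
	}
	rec.LastUsed = time.Now()
	return rec, true
}

// Rotate revokes the active token and mints its replacement under the same
// lock. A concurrent Authenticate sees either the old token valid or the new
// one, never neither, and a failure to mint leaves the old token untouched.
func (s *TokenStore) Rotate(id string) (string, *TokenRecord, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	old, ok := s.byID[id]
	if !ok || old.Revoked {
		return "", nil, ErrNoActiveToken
	}
	cleartext, rec, err := s.issueLocked()
	if err != nil {
		return "", nil, err
	}
	old.Revoked = true
	return cleartext, rec, nil
}

func main() {
	s := NewTokenStore()
	t1, r1, _ := s.Issue()
	t2, r2, _ := s.Rotate(r1.ID)
	_, okOld := s.Authenticate(t1)
	_, okNew := s.Authenticate(t2)
	fmt.Printf("rotated %s... -> %s...; old valid=%v new valid=%v\n", r1.Prefix, r2.Prefix, okOld, okNew)
}
```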
Branch protection - Stable
Per-repo default-branch protection: the web-editor blob-write API rejects direct writes to the protected default branch, and SSH git push is guarded by a server-side receive hook that rejects force-pushes and deletion of the default. Configurable from repo settings.
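The receive-side rule for the default branch, as an added example that is not Citadel's hook. It reads the `old new ref` lines a git pre-receive hook receives on stdin, treats the all-zero SHA as create or delete, and classifies a non-fast-forward update by the same ancestry test `git merge-base --is-ancestor old new` performs. The ancestry predicate and the tiny commit graph are injected and constructed for the example so it runs without a repository.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

const zeroSHA = "0000000000000000000000000000000000000000"

// RefUpdate is one stdin line of a pre-receive hook: "<old> <new> <ref>".
type RefUpdate struct{ Old, New, Ref string }

func ParseReceiveInput(input string) ([]RefUpdate, error) {
	var ups []RefUpdate
	sc := bufio.NewScanner(strings.NewReader(input))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed update line %q", sc.Text())
		}
		ups = append(ups, RefUpdate{Old: f[0], New: f[1], Ref: f[2]})
	}
	return ups, sc.Err()
}

var (
	ErrDeleteDefault = errors.New("deleting the default branch is not allowed")
	ErrForcePush     = errors.New("non-fast-forward update to the default branch is not allowed")
)

// Policy protects only the default branch. IsAncestor is the equivalent of
// `git merge-base --is-ancestor base tip`, injected so the rule is testable.
type Policy struct {
	DefaultBranch string
	IsAncestor    func(base, tip string) bool
}

func (p Policy) check(u RefUpdate) error {
	if u.Ref != "refs/heads/"+p.DefaultBranch {
		return nil
	}
	switch {
	case u.New == zeroSHA:
		return ErrDeleteDefault
	case u.Old == zeroSHA:
		return nil // first push of the default branch into an empty repo
	case !p.IsAncestor(u.Old, u.New):
		return ErrForcePush // old tip not reachable from the new tip: history rewritten
	}
	return nil
}

// Check mirrors pre-receive semantics: one offending ref rejects the whole
// push, so a force-push cannot ride in beside an innocent feature branch.
func (p Policy) Check(ups []RefUpdate) error {
	for _, u := range ups {
		if err := p.check(u); err != nil {
			return fmt.Errorf("%s: %w", u.Ref, err)
		}
	}
	return nil
}

// Constructed commit graph (child -> parents) standing in for a repository:
// a <- b <- c on the default branch, with d branching off b.
var parents = map[string][]string{"b": {"a"}, "c": {"b"}, "d": {"b"}}

// isAncestor walks parent links from tip looking for base.
func isAncestor(base, tip string) bool {
	seen := map[string]bool{}
	stack := []string{tip}
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if cur == base {
			return true
		}
		if seen[cur] {
			continue
		}
		seen[cur] = true
		stack = append(stack, parents[cur]...)
	}
	return false
}

func main() {
	pol := Policy{DefaultBranch: "main", IsAncestor: isAncestor}
	for _, in := range []string{"b c refs/heads/main\n", "c d refs/heads/main\n", "c " + zeroSHA + " refs/heads/main\n"} {
		ups, _ := ParseReceiveInput(in)
		fmt.Printf("%-30q -> %v\n", strings.TrimSpace(in), pol.Check(ups))
	}
}
```

A production hook would evaluate IsAncestor with `git merge-base --is-ancestor` against the quarantine environment git provides to pre-receive, and would log the rejection to the audit trail with the pusher resolved from the SSH key.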
Abuse pipeline - Stable
Per-IP global rate-limit middleware across API surfaces with a configurable burst cap, a suspicious-pattern triage queue that writes to the audit log, and a ban-writer integration with the existing fail2ban reconciler.
Code review surface - Stable
Inline review workflow on the PR primitive: batched reviews (pending inline comments submitted atomically with a verdict), suggested edits, CODEOWNERS scoped approvals plus non-binding reviewer hints, org-defined checklists, per-reviewer mark-file-as-viewed progress, files-changed tab with path filter and split/unified lazy expand, multi-line comment anchoring, and hunk-hash thread resolution. Draft/merge metadata lives under PR lifecycle and merge methods; verdict states under PR review state machine.
Email pipeline - Stable
Outbound mail for auth, support, and notifications with delivery, open, bounce, and complaint events ingested for the operator dashboard.
Magic-link sign-in - Stable
Passwordless email sign-in with templated, locale-aware messages and bounce + complaint handling closing the loop on deliverability.
Onboarding telemetry - Stable
Funnel event capture across signup, onboarding, and first-action with an admin feature-funnel viewer.
Onboarding A/B - Stable
Variant-assignment framework for the onboarding funnel: hashes user identity into buckets, records exposure events via the telemetry pipeline, and surfaces per-variant conversion in the operator feature-funnel view.
Cookie consent - Stable
Pre-consent banner with essential / analytics / marketing categories, GDPR-aligned defaults, and analytics-script gating that only loads after the user grants consent.
Device management - Stable
List and revoke registered trusted devices from Settings → Access. Onboarding registers the first device; this surface manages the ongoing fleet, separate from passkey management and session audit.
SSH key management - Stable
CRUD for SSH public keys in Settings → SSH keys. Keys are resolved by the git-over-SSH layer to identify the pushing user and enforce namespace-graph permissions.
Account settings redesign - Stable
Namespace-routed settings layout (Profile, Access, OAuth Clients, Privacy, and org administration), replacing the prior tab stack.
Account delete - Stable
Async account-deletion runner that revokes sessions, cascades through namespace and repo state, and audit-logs the entire chain.
Account portal - Stable
Signup → onboarding → account portal funnel with profile, devices, MFA, OAuth clients, deletion, export, and support all hanging off one nav.
Symbol search - Stable
Knowledge-graph-backed symbol search across repos the caller can read: function, type, and interface lookups with file and line jump.
Bug report - Stable
In-app feedback and bug reporting dialog with structured fields, routed to the internal support pipeline. Accessible from the help menu and error boundary screens.
RBAC walker - Stable
Discrete-permission walker over the namespace tree with a closed catalog of permission atoms. One pass authorises reads, writes, and admin.
Issues - Stable
Issues service with create / read / update / close, comments, labels, milestones, assignees, mentions, reactions, templates, cross-repo autolinks, and free-text + qualifier list search (in:title, in:comments, author:, no:milestone, no:assignee). Anonymous visitors may read public-repo issues when issues_public_read is enabled. Repo, pull-request, and milestone list endpoints accept sort and direction query params.
Issue management parity - Stable
GitHub-parity issue management: lock/unlock conversation (with reason), pin up to 3 issues per repo, transfer an issue to another repository, close with state_reason (completed vs not_planned), edit issue title after creation, and list sort (newest/oldest/most-commented/recently-updated/least-recently-updated). Backend service and API plus full frontend UI.
Notifications - Stable
In-app notifications bell plus a full inbox page with thread grouping. @-mention emission, dedup, retroactive promotion on resolve, mark-as-unread, dismiss, per-thread mute, participation and watch dispatch on issue/PR activity, pulls.review_requested when a reviewer is added, and per-user preferences with an independent per-kind email-digest cadence.
Milestones - Stable
Standalone milestone CRUD with list and detail routes, open/closed state tabs with per-state counts and sort, progress tracking against open and closed issues, and due-date tracking. Separate surface from the issues list with its own API and frontend routes.
Waitlist allowlist - Stable
Email and domain allowlist for the closed-alpha waitlist, enforced server-side, with an operator UI for additions and removals.
Webhooks - Stable
Outbound issue, comment, label, assignee, PR, PR-review, push, force_push, tag_push, branch_delete, and pin_advance.auto/.manual events with HMAC-SHA256 signing, retry/backoff, server-side test ping, per-delivery redeliver, configurable payload content-type, 30-day delivery history, per-webhook commit_list_cap, recursive-CTE namespace fan-out, shared org/project/repo settings UI, and citadel-cli management commands.
Markdown SSR - Stable
Server-side markdown rendering with sanitisation parity against the client renderer, enforced by a multi-sample test corpus.
Onboarding wizard - Stable
Two-step onboarding funnel (device-trust plus namespace claim) with telemetry and an A/B test runner.
Mail templates - Stable
Locale-aware email templates for auth, account, contact auto-reply, support reply, and operator digests, all rendered server-side.
Git over SSH - Stable
Push and fetch over SSH. Public-key auth resolves to the owning user; the namespace-graph walker decides what they can do; every operation lands in the audit log. citadel-cli wraps clone/push/pull with system git and has passed a live smoke test against src.land.
citadel-cli - Stable
Cross-compiled CLI (Linux, macOS, Windows) with 33 shipped SDD specs and race/lint-verified coverage across auth/providers, SSH keys, account security, org invitations, namespaces/profiles, repo clone/push/pull, commits, tree/blob browse, topics, insights, deploy tokens, webhooks, notifications, project graph, KG, global search, audit, and structured output in json/yaml/ndjson/csv/table.
Help corpus - Stable
Authored help articles indexed at build time with staleness checks against the live source they describe.
Anti-squat - Stable
Reserved-slug list and reserved-pattern matcher prevents impersonation slugs at signup and namespace create.
Org create + delete - Stable
Create and delete org-shaped namespaces with cascade rules, audit at every step, and slug-hold protection on delete.
Issue templates - Stable
Repo-author-supplied issue templates surfaced in the new-issue UI; rendered as a structured form with required fields enforced server-side. A template builder UI authors typed fields (short text, long text, dropdown, checkboxes, radio, and multi-select) with drag-reorder, persisted via a create/update/delete API that writes the template as a git blob.
Image proxy - Stable
External images are proxied through the Citadel domain so the browser never leaks the user's IP to third-party hosts and the Content Security Policy stays tight. Responses are cached for 24 hours.
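A proxy that fetches arbitrary URLs on the server's behalf is also a server-side request forgery surface, so the destination has to be vetted before the fetch. An added example of that check, not Citadel's proxy code: the resolver table, host names and error names are constructed for the example, and which ranges count as non-public is an assumption an operator would tune.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

var (
	ErrScheme    = errors.New("only http and https may be proxied")
	ErrUserinfo  = errors.New("credentials in proxied URLs are rejected")
	ErrNoHost    = errors.New("url has no host")
	ErrForbidden = errors.New("destination is not a public address")
)

// cgnat is 100.64.0.0/10, which net.IP.IsPrivate does not cover.
var cgnat = mustCIDR("100.64.0.0/10")

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// forbidden refuses everything non-public: loopback, RFC 1918, link-local
// (which covers the cloud metadata service at 169.254.169.254), CGNAT,
// multicast and unspecified. The net.IP methods normalise IPv4-mapped IPv6.
func forbidden(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() ||
		cgnat.Contains(ip)
}

// Resolver is injected so the check runs without DNS; production passes net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// VetProxyTarget validates the URL, resolves it, and refuses if any resolved
// address is non-public. The returned addresses are the ones the dialer must
// connect to: resolving the name again at dial time would let a rebinding DNS
// record swap in a private address after the check.
func VetProxyTarget(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, ErrScheme
	}
	if u.User != nil {
		return nil, ErrUserinfo
	}
	host := u.Hostname()
	if host == "" {
		return nil, ErrNoHost
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address, no lookup
	} else if ips, err = resolve(host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%s: no addresses", host)
	}
	for _, ip := range ips {
		if forbidden(ip) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrForbidden, host, ip)
		}
	}
	return ips, nil
}

// Constructed resolver table standing in for DNS (203.0.113.0/24 is
// documentation space and reads as public to net.IP).
var fakeDNS = map[string][]net.IP{
	"img.example.com":   {net.ParseIP("203.0.113.10")},
	"metadata.internal": {net.ParseIP("169.254.169.254")},
	"dual.example.com":  {net.ParseIP("203.0.113.11"), net.ParseIP("10.1.2.3")}, // one private: refused
}

func lookup(host string) ([]net.IP, error) {
	if ips, ok := fakeDNS[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("%s: no such host", host)
}

func main() {
	for _, raw := range []string{"https://img.example.com/a.png", "http://metadata.internal/latest/meta-data/", "http://[::1]:8080/x", "ftp://img.example.com/a.png"} {
		ips, err := VetProxyTarget(raw, lookup)
		fmt.Println(raw, "->", ips, err)
	}
}
```

Redirects need the same vetting per hop, since a public host can 302 to an internal one; the 24-hour cache should likewise be keyed on the vetted URL, not on whatever the upstream redirected to.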
Issue closes-resolver - Stable
On default-branch push, commit messages are parsed for closing keywords and matching cross-repo issues auto-close with provenance audit rows, gated by auto-close-issues-on-merge (default on). PR-merge close-refs ship as a separate item using the same repo setting.
Cleanup runner - Stable
Background runner that hard-purges tombstoned namespaces and prunes expired sessions / stale exports.
Audit log - Stable
Append-only log keyed by namespace, actor, and action. Reads, writes, pushes, merges, token issues, token uses, OAuth consents, and admin actions all land here.
Mentions - Stable
@-mentions resolve to namespace nodes (user, org, project, repo, agent) and emit notifications with TTL-based dedup so refactors don't re-spam.
MCP prompts - Stable
Ratified v1 prompt registry exposed via MCP prompts/list and prompts/get: five curated prompts (commit-message-from-diff, review-pr, summarize-issue, plus two more) with typed argument schemas, ready for agent consumption alongside the tool surface.
Crawler-aware SSR shell - Stable
Server-side HTML shell that renders README and content surfaces for a ratified list of crawler user-agents (Googlebot, Bingbot, Slurp, DuckDuckBot, Baiduspider, YandexBot, facebookexternalhit, Twitterbot, LinkedInBot, Applebot) with an in-process LRU cache. Decouples bot-facing SSR from the SPA bundle so crawlers always see fully-rendered markup without paying the JS render cost. The User-Agent match is a routing hint, not an identity: any client can send a crawler UA, so the shell must only ever render what an anonymous visitor could already read.
Page metadata + OG cards - Stable
usePageMeta hook manages document title, meta description, canonical URL, Open Graph + Twitter card tags, and noindex on a per-route basis. Default OG image lives under public/og-default.svg and overrides land per-page. Keeps share previews accurate without round-tripping through SSR for every internal navigation.
Upgrade prompts - Stable
Global upgrade-modal opener registered by the App shell; gated client calls trigger the modal with a required-plan token rather than failing silently. Decouples in-flow paywall surfacing from the billing settings page.
Knowledge graph - Beta
Indexer ingests Go, TypeScript, and Python symbols on every push; the read side answers symbol, file, walk, full-text, and impact queries. Cross-language edges link TypeScript fetch calls to Go HTTP handlers and Go SQL calls to their database tables. The full TS → API → DB call chain is graph-navigable.
Audit drilldown - Beta
Operator UI for audit sessions with actor, namespace, and action filters, range queries, and per-session timeline expansion. The programmatic query surface (cursor pagination and kind-glob filter) ships as a separate Alpha item.
Web Vitals telemetry - Beta
Core Web Vitals (LCP, FID, CLS, INP, FCP, TTFB) collected client-side and posted to Plausible as a single `web-vitals` event with per-metric props. Gated on analytics cookie consent; admin routes are excluded from collection.
Auth funnel - Alpha
Front-door sign-in / sign-up UI that orchestrates magic link, passkey conditional mediation, OAuth providers, password reset, email probe, and device-register cookie posture in a single funnel-step component. Distinct from the post-signup onboarding wizard.
Public roadmap - Alpha
FEATURE_TRACKER grid at /roadmap with phase and maturity filters: the canonical public view of feature maturity labels.
Agent ergonomics - Alpha
Better agent registration: scoped-token wizards, default-policy templates, and fleet-level rotation and revoke from the operator dashboard.
Review-as-graph - Alpha
Code review primitives modelled as edges on the project graph rather than threads on a pull request; agents and humans both navigate it.
Comment moderation - Alpha
Hide or minimize a comment with a reason (off-topic, outdated, spam), edit a comment with full edit history, link to any comment by permalink, and quote-reply into the composer. Reactions on pull-request comments.
Comment slash actions - Alpha
Slash commands in a comment body (assign, unassign, label, unlabel, milestone, close, reopen) run as the commenting user over HTTP and MCP, gated by the same permission atoms as the equivalent API call.
Branch and tag management - Alpha
Create a branch from any ref, rename it (open pull requests redirect their base), and delete it under a default-branch guard; create annotated or lightweight tags and delete them. SSH tag push and delete require tags:write and tags:delete respectively. List, filter, and sort branches and tags, and download a source archive (zip or tar.gz) of any ref.
Repo collaborators - Alpha
Per-repo collaborator grants over the namespace tree: add, update, and remove users and the discrete permission atoms they hold, scoped so a grantor can only assign atoms they hold themselves. Managed from repo settings.
Repo settings - Alpha
Per-repo configuration: description, website URL, archive/unarchive, visibility, issues enable/disable, issues public-read and create-policy granularity, delete-branch-on-merge, and auto-close-issues-on-merge.
Phase 1
In flight. Maturity tracks coverage, not phase: a Phase 1 surface can already be Alpha.
ATP protocol adapter - Stable
Alternate Transport Protocol adapter exposing the MCP tool registry over a protocol-distinct wire format. Live dispatch with JWT/opaque-token auth, wired handler table, and HTTP endpoints (GET /atp/tools, POST /atp/call, GET /atp/healthz), proving the tool surface decouples cleanly from any single wire protocol.
Operator bulk export - Stable
Operator-initiated bulk data exports with create-and-poll status tracking and a full request list. Separate from the user-facing account export, which produces a per-user archive.
CLI MCP resources - Stable
The CLI surfaces MCP resources/list and resources/read alongside tool calls.
CLI MCP transports - Stable
The binary exposes `citadel mcp stdio` (newline-delimited JSON-RPC over stdin/stdout, process-boundary trust) and `citadel mcp serve --addr :PORT` (HTTP listener with full OAuth bearer verification) so headless agents talk to the same tool surface the SPA does.
Project-graph diff - Stable
Side-by-side graph view that highlights node and edge changes between two project-graph snapshots: added, removed, renamed.
Project-graph external nodes - Stable
Off-platform references live in the graph with their own pin chains, so a GitHub issue or Jira ticket is a first-class node, navigable in the same diff view.
KG backpressure banner - Stable
User-visible banner that surfaces when the knowledge-graph indexer queue runs hot, so push latency stays predictable.
KG Golang ↔ TypeScript - Stable
First cross-language pair: TypeScript fetch calls are matched to Go HTTP route handlers, and Go SQL calls are matched to their logical database tables, making the full TS → API → DB call chain graph-navigable.
KG cross-language support - Stable
Cross-language edge layer in the knowledge-graph indexer: links calls and queries that cross language boundaries into typed edges. Index-time cross-namespace resolver writes dst_namespace_id edges across repos; distinct from the read-side KG cross-namespace impact query.
Resend confirmation - Stable
Account confirmation resend with exponential backoff and per-address rate limits.
Pinned repos - Stable
Per-user pinned repos with prefetch on dashboard mount and a header toggle on the repo page.
Operator-mediated MFA recovery - Stable
Recovery flow with proof upload, public + authenticated entry points, an operator queue + decision UI, and audit at every transition.
Operator DCR admin - Stable
Operator view of dynamic-client-registration clients with initial-access-token minting for OAuth bootstrapping. Separate from the self-serve OAuth client registry and the user-facing consent flow.
OAuth client registry - Stable
First-party OAuth client CRUD plus dynamic client registration, with a public client-info endpoint and rotation. Implementation lives behind the developer portal work.
MCP OAuth client flow - Stable
Dynamic client registration plus an in-app consent screen for third-party MCP clients connecting over OAuth 2.1.
Issue reactions - Stable
Reactions on issues and comments, deduped per user, queryable from the API and from MCP.
Issue autolinks - Stable
Bare path-and-number references and explicit affects-blocks are linkified in renders and preserved in the close-refs index.
Email change - Stable
Two-step email change (confirm-old plus verify-new) with audit and revocation of dangling sessions.
Billing self-serve - Stable
Org plan management with free / pro / enterprise tiers, seat assignment and purchased-seat pool decoupling, usage panel, invoice and order history, past-due recovery UX, plan-change proration notice, and seat-limit enforcement, all without leaving the org settings.
Project graph SPA - Stable
Lazy-loaded graph view with worker-driven layout. Read-only by default; write surfaces gate on the project-graph permission.
KG diff - Stable
Two-snapshot diff over the indexed graph: added, removed, and changed symbols and files between any two commits.
KG impact - Stable
Returns the transitive set of callers and dependents for a symbol or file within one repo: basis for review-as-graph. Distinct from PR KG blast radius (PR-scoped MCP tool) and KG cross-namespace impact (cross-repo BFS).
KG full-text hardening - Stable
Latency budget (slow-query log at configurable threshold), regex safety (pattern-length cap, DoS guard), HMAC-signed cursor pagination for both plain and regex modes, and cross-namespace scope, completing the production-grade surface.
Commit-SHA autolinks - Stable
Markdown renderer and WYSIWYG decorations autolink bare commit SHAs to the commit-detail route on the active repo.
Editor surface context - Stable
The composer takes an editor-context hint (org, project, repo, user) so mention suggestions are scoped to the surface the editor is rendered in.
Editor syntax themes - Stable
Citadel-aligned syntax theme covering Go, TypeScript, Python, Rust, Shell, and TOML, keyed to the user's colour-scheme preference.
GDPR data tools - Stable
End-user data export bundle plus D-90 audit-log anonymisation for completed deletions, with a typed request-audit row that distinguishes export, delete, and anonymise lifecycle states.
Project graph - Stable
Cross-repo graph of issues, repos, and external references with read / write / ingest endpoints and a status rollup.
Repo stars - Stable
Star and unstar any repo with one tap. Stars surface on the namespace dashboard and feed repo-insights aggregates.
Mention auto-promote - Stable
Typing a slug-shaped @-mention in the WYSIWYG editor resolves the slug and promotes the text into a structured mention node when the namespace exists.
Mention dropdown avatars - Stable
Real avatars in the @-mention dropdown and assignee chips, with kind-specific affordances for users, orgs, projects, repos, and agents.
Repo transfer - Stable
Transfer repository ownership to another user or to an org recipient: pending-transfer inbox, accept handshake, path alias on accept so the old slug forwards, and re-home on completion so the prior owner loses control.
Markdown extensions - Stable
Opt-in lazy-loaded Mermaid and KaTeX extensions on top of the base renderer; default-on for README, support replies, and help.
Org activity feed - Stable
Per-org activity feed sourced from audit, knowledge-graph, and project-graph events, with dashboard rollups and follow-ups.
Profile README - Stable
Authored markdown README at the user-slug route with the same renderer and sanitiser used for repo READMEs.
Profile-readme cache - Stable
Rendered profile READMEs cached at the namespace level and evicted on web-editor blob writes, so first paint stays fast under load.
Avatar import - Stable
One-shot avatar import on first link to a federated identity provider, with fallback to a deterministic placeholder when no source is available.
Releases - Stable
Per-repo release CRUD on top of git tags: name, body, draft/prerelease flags, latest pointer, and listing with draft visibility gates. Surfaced in the web UI, the API, and citadel-cli (`release list/latest/view/create/edit/delete`).
Release reactions - Stable
Emoji reactions on release pages: same deduped per-user model as issue and comment reactions, backed by the releases API and queryable from the web UI.
Intrusion detection (Wazuh) - Stable
Inbound /api/security/wazuh-webhook handler with HMAC-SHA256 verification, a 5-minute idempotency window, a net.ParseIP guard, and a fail2ban exec interface. Auth-failure log lines feed Wazuh decoders; three rules cover auth-burst (Wazuh level 12), privilege escalation (level 13), and anomalous outbound traffic (level 10). Ships an install script (Ubuntu/Fedora), a Vector log-shipper config (journald + syslog → Wazuh:1514), and a citadel-ids fail2ban jail. Triage tiers are documented in operator.md.
Avatar sync - Stable
Opt-in 24-hour avatar-sync runner for users who keep their canonical avatar elsewhere.
Profile images - Stable
Avatar uploads with content-type sniff, dimension caps, and a per-user storage prefix. UI lives in Settings → Profile.
Pinned namespaces - Stable
Per-user pinned namespaces with frecency-aware ordering on the dashboard and the command palette.
Usage metering - Stable
Per-org agent-action counter with a buffered channel and batch flush, daily + monthly aggregator, plan-tier included quota (free/pro/enterprise), Polar metered-usage line-item reporter, soft and hard caps, threshold alerts deduped per period (80% / 100%), and an org-settings usage panel. Instrumented on the MCP tool dispatch path and REST handlers where actor_type=agent.
Mobile push notifications - Stable
APNs HTTP/2 (ES256 JWT) and Pushy (Android, no Firebase) transports with auto-deregistration on token-gone, fan-out wired into the existing notification emit path, per-device preference filter, and a Capacitor shell scaffold over the React SPA.
Org dashboard - Stable
Per-org landing with pinned repos, recent activity, members snapshot, and policy posture.
Org passkey policyStable
Per-org rules over passkey enrolment and assertion: platform-authenticator-only, attestation format constraints, and an authenticator-model allow-list, with member conformance counts.
Project-graph ingestorStable
Async post-receive worker pool that drains an ingest queue when pushes land, when an operator triggers a recovery scan, or when a project is reindexed.
Privacy settingsStable
Account-level privacy knobs: telemetry opt-out, frecency opt-out, and avatar auto-import preferences for OAuth and Gravatar sources. Lives in Settings → Privacy.
Repo-scoped searchStable
Within-repo symbol and full-text search UI. Distinct from dashboard search (namespace-wide membership) and cross-repo symbol search, scoped to one repo's knowledge graph index.
Help searchStable
Static help corpus indexed at build time; fuzzy match (typo-tolerant) plus a staleness check that flags articles when the underlying source moves.
Push-event webhooksStable
Outbound push, force_push, tag_push, and branch_delete events with a configurable commit_list_cap (1-250, default 20) and pusher_id provenance. Ref classifier covers all six update cases; SSH and HTTPS receive paths both snapshot refs before/after pack-write.
Pin-advance webhooksStable
pin_advance.auto and pin_advance.manual events fire when a submodule pin shifts: auto on post-receive ingest, manual on a project-graph pins-edge write. Recursive-CTE namespace fan-out delivers to the event namespace and every parent scope; before/after SHA carried on the payload.
Repo mirror (continuous)Stable
Webhook-driven primary with periodic poll fallback (default 15 min), nacl/secretbox encryption-at-rest for upstream credentials, inbound HMAC-SHA256 webhook verification with idempotency, source-wins push rejection across SSH and HTTPS paths, exponential backoff on failure, and a per-mirror status panel in repo settings. PAT scrub on error messages.
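The Wazuh webhook entry above and this mirror's inbound webhook describe the same defensive pattern: an HMAC-SHA256 signature over the delivery, a net.ParseIP guard on the reported address, and an idempotency window so a captured delivery cannot be replayed. The Go block below is an added example of that pattern, not the project's handler; the header layout (a delivery id bound into the MAC next to the body), the type and field names, the shared secret and the sample alert body are all assumptions constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"sync"
	"time"
)

// Errors returned by Accept; a handler maps them to 401, 409 and 400 respectively.
var (
	ErrBadSignature = errors.New("webhook: signature mismatch")
	ErrReplay       = errors.New("webhook: duplicate delivery inside idempotency window")
	ErrBadSourceIP  = errors.New("webhook: source address does not parse")
)

// Receiver verifies inbound webhook deliveries. Illustrative type, not the
// project's handler; it assumes the sender supplies a delivery id and a hex signature.
type Receiver struct {
	secret []byte
	window time.Duration
	Clock  func() time.Time // injectable so the window can be exercised deterministically

	mu   sync.Mutex
	seen map[string]time.Time // delivery id -> time first accepted
}

func NewReceiver(secret []byte, window time.Duration) *Receiver {
	return &Receiver{secret: secret, window: window, Clock: time.Now, seen: map[string]time.Time{}}
}

// computeMAC binds the delivery id into the MAC alongside the body, so a
// captured body cannot be re-sent under a fresh id to slip past the replay check.
func computeMAC(secret []byte, deliveryID string, body []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(deliveryID))
	mac.Write([]byte{0}) // separator, so the id/body boundary is unambiguous
	mac.Write(body)
	return mac.Sum(nil)
}

// Sign is the sender-side computation, hex-encoded for use as a header value.
func Sign(secret []byte, deliveryID string, body []byte) string {
	return hex.EncodeToString(computeMAC(secret, deliveryID, body))
}

// Accept validates one delivery and records its id. The signature is checked
// before any state is touched, so unauthenticated traffic cannot fill the
// idempotency table; the IP guard runs next; only then is the id recorded.
func (r *Receiver) Accept(deliveryID, sigHex, sourceIP string, body []byte) (net.IP, error) {
	got, err := hex.DecodeString(sigHex)
	if err != nil || !hmac.Equal(computeMAC(r.secret, deliveryID, body), got) { // constant-time compare
		return nil, ErrBadSignature
	}
	ip := net.ParseIP(sourceIP)
	if ip == nil {
		return nil, ErrBadSourceIP
	}

	r.mu.Lock()
	defer r.mu.Unlock()
	now := r.Clock()
	for id, seenAt := range r.seen { // expire ids that have aged out of the window
		if now.Sub(seenAt) >= r.window {
			delete(r.seen, id)
		}
	}
	if _, dup := r.seen[deliveryID]; dup {
		return nil, ErrReplay
	}
	r.seen[deliveryID] = now
	return ip, nil
}

func main() {
	secret := []byte("constructed-shared-secret") // sample value, not a real secret
	r := NewReceiver(secret, 5*time.Minute)
	body := []byte(`{"rule":{"id":"100001","level":12},"srcip":"203.0.113.7"}`) // constructed alert body
	sig := Sign(secret, "delivery-1", body)
	ip, err := r.Accept("delivery-1", sig, "203.0.113.7", body)
	fmt.Println("first delivery:", ip, err) // 203.0.113.7 <nil>
	_, err = r.Accept("delivery-1", sig, "203.0.113.7", body)
	fmt.Println("replay:", err) // webhook: duplicate delivery inside idempotency window
}
```

The ordering inside Accept is the point worth copying: verify before you remember. If the replay table were written before the MAC check, anyone who could reach the endpoint could pad it with junk ids, and a legitimate delivery whose id collided would be dropped as a duplicate.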
Contact inquiryStable
Public contact form with auto-reply opt-in, operator digest, and rate limiting: routes internally, so we never publish a contact inbox.
Protocol adapter frameworkStable
Wire-protocol-agnostic ProtocolServer interface decoupling the ~76-tool Citadel surface from any specific wire protocol. R16 mitigation: MCP and ATP implementations share the same registry, so a future standard can land without re-plumbing tool dispatch.
SSE list watchesStable
Framed-event streams across repos, orgs, agents, agent tokens, OAuth clients, org members, and pending transfers. Each stream replays from a ring buffer on connect then diffs against a UUID-keyed snapshot as changes land. Backs citadel-cli watch subcommands.
Account exportStable
Async export-bundle runner that drains queued requests, builds zip archives, expires stale exports, and emails completion notices.
MCP tool routing (extensions)Beta
Per-org tool-routing table populated on extension install; `GET /api/orgs/:org/extensions/tools` expands installed manifests into `org/<slug>/tools/<ext-id>/<tool-name>` entries. Startup-load only today; in-memory hot-patch deferred until the MCP server has dynamic tool registration.
Extension marketplaceBeta
Phase-3 extension platform foundation: citadel-extension.toml manifest parser, publisher registration + submission queue, org-scoped install / uninstall, Ed25519 publisher-keypair signing on package upload, and per-org tool-routing table. Marketplace browse + detail UI under /marketplace.
KG cross-namespace impactBeta
Transitive blast-radius query across namespace boundaries: BFS over cross-repo kg_edges (dst_namespace_id) from a seed symbol in any readable repo. HTTP route is Pro-gated; the kg_impact_cross MCP tool mirrors the same QueryImpactCross path. Distinct from intra-repo KG impact.
Audit events APIBeta
Queryable audit-log surface with cursor pagination, time-range bounds, kind-glob filter, and actor and namespace filters. Single-event get expands cascade children. RBAC-gated: callers see own and permitted-namespace events; operators see all.
Dependency scanning CIAlpha
Weekly vuln-scan workflow chains govulncheck, osv-scanner, and bun/npm audit with SBOM emit; dep-autopr workflow opens patch-level Go and frontend bumps automatically. A vuln-gate.sh severity classifier gates merges; SLA + triage runbook lives under operator.md.
Diff prefetchAlpha
Branches and tags fetched once on the diff page mount and reused across both ref selectors so typing never blocks on the network.
Web editor mobile passAlpha
Touch-target sweep and virtual-keyboard tweaks for the web editor on small screens.
Container width sweepAlpha
Wider container with two-column issue and issue-new layouts (body plus a metadata sidebar) on the surfaces that benefit.
Repo watch/subscribeAlpha
Watch any repo at a level: all activity, participating, or ignore. Owners auto-watch their repo on create. New issues and pull requests fan an inbox notification out to every watcher except the author. Toggle from the repo header.
Repo analyticsAlpha
Per-repo engineering metrics over a selectable window: deployment frequency (sourced from deployment.published audit events on release create), mean time to restore, pull-request cycle time and throughput, and issue throughput and resolution time. Rendered as metric cards with empty states on insights/analytics.
Repo trafficAlpha
14-day rolling view and clone counts per repo at GitHub-style Insights → Traffic. SSH upload-pack and receive-pack events aggregate into daily repo_traffic_snapshots rows; the read API zero-fills missing days and rate-limits authenticated callers. Rendered as metric cards on a dedicated insights/traffic route.
Release binary assetsAlpha
Attach binary assets to any release: upload, download, list, and delete. Multipart upload with a configurable per-asset size cap, private object storage with time-limited signed download URLs, and best-effort storage cleanup when an asset or its parent release is removed. Frontend upload UI ships; the API returns 503 until CITADEL_RELEASE_OBJSTORE_BUCKET is provisioned.
Sub-issues and typed relationsAlpha
Issues link to one another with typed edges: blocks, relates-to, duplicates, and tracked-by. Sub-issue parent/child relationships roll a completion progress bar up to the parent, guarded against cycles and over-deep nesting, with a relations sidebar. Task-list checkboxes auto-convert to tracked sub-issues.
Repo importAlpha
Import a repository from GitHub, GitLab, or Gitea: git objects plus labels, milestones, issues, pull requests, and comments mapped through the native services. Upstream credentials encrypted at rest, source issue/PR numbers and author identities preserved, with a guided wizard and per-entity progress. Imported refs feed the knowledge-graph ingest queue; a startup stale-job sweep recovers hung import runs.
Saved repliesAlpha
Reusable canned responses for issue and pull-request comments: author once, insert from a picker in any comment composer. Also exposed to agents over MCP.
Commit signature verificationAlpha
Commit OpenPGP signatures are verified against per-user registered signing keys and surface a Verified badge on the commit-detail page. Users add verified email addresses under Settings → Access (with a public /settings/emails/confirm route) so commits authored under those addresses attribute correctly.
Code navigationAlpha
Knowledge-graph-backed navigation inside the blob viewer: a jump-to-definition overlay, a lightweight hover card on symbols, and a per-file symbol-outline panel.
KG find-referencesAlpha
Knowledge-graph find-references for a symbol or offset: lists inbound reference sites across the indexed repo. Exposed as GET /kg/references and the kg_references MCP tool with cursor pagination and read-permission gating.
Go-to-fileAlpha
Repo tree keyboard navigation: a `t` fuzzy go-to-file overlay and a recursive fuzzy path filter on the tree walk so large repos stay navigable without scrolling the full listing.
Image diffAlpha
Inline before/after image diff panel on pull-request and commit diffs when both sides of a hunk are renderable images: a side-by-side preview without leaving the diff view.
Raw blob streamingAlpha
Authenticated raw blob streaming endpoint for binary and large file download outside the JSON blob API, used by the image diff panel and direct download links.
Labels pageAlpha
Dedicated /labels route listing every repo label with open-issue counts per label, sortable and linked into filtered issue lists. Distinct from the inline label chip inputs on issue create and edit.
Scoped labelsAlpha
Mutually exclusive label groups: at most one label from a scoped group may be applied to an issue; adding another atomically replaces the prior member. Enforced in the issues service with row-level locking on concurrent writes.
PR list filtersAlpha
Pull-request list rows show label chips and assignee avatars; the list supports label and assignee query filters with batched label/assignee loading on the API.
PR lifecycle and merge methodsAlpha
Full pull-request metadata lifecycle: draft and ready-for-review, reopen, edit title and body, add/remove reviewers, and merge via merge commit, squash, or rebase. Backend and PR detail UI ship together. Review verdict transitions live under PR review state machine; inline threads under Code review surface.
PR merge close-refsAlpha
On merge, scan the PR title and body for closing keywords and auto-close referenced issues with provenance audit rows. Shares the auto-close-issues-on-merge repo setting with Issue closes-resolver (push path).
PR KG blast radiusAlpha
MCP pr_kg_impact tool returns the knowledge-graph blast radius for files touched by a pull request: intra-repo transitive callers and dependents to scope review. Distinct from symbol-level KG impact and from KG cross-namespace impact.
Repo renameAlpha
Rename a repository slug under its org or project parent with anti-squat checks and a tombstone alias that forwards the old path until released. Distinct from org/project/user namespace rename.
List paginationAlpha
Offset-based list pagination (`offset`, `total_count`, page size) on releases, webhook deliveries, knowledge-graph search, and other list APIs, with numbered Pagination controls on the matching frontend list surfaces.
Two-ref compareAlpha
Arbitrary two-ref /compare view: file stats, lazy-expand hunks, split/unified toggle, ignore-whitespace, and path filter. Distinct from per-commit diff on the commit-detail page and KG symbol diff under Repo diff.
Rate-limit response headersAlpha
Throttled API responses include Retry-After and X-RateLimit-* headers so clients and agents can back off without guessing from bare 429 bodies.
Atom feedsAlpha
Per-repo Atom feeds for releases and tags, consumable by any feed reader.
Operator broadcast bannerAlpha
Operator-published site banner with severity and expiry: served to all signed-in users, retired by expiring it now, audit-logged on every change.
Operator job registryAlpha
Background-job health dashboard: per-job last-run time, consecutive-failure count, in-flight flag, and cadence, with a safe idempotent manual trigger for opted-in jobs.
Operator storage reconciliationAlpha
Scan for orphaned on-disk bare repositories with no matching namespace and purge them (dry-run supported), closing the filesystem-GC gap left by database-only namespace deletes.
Operator signup toggleAlpha
Runtime open/closed switch for self-service signup, flipped from the admin UI with immediate effect and an audit row; an environment override pins the state as config-as-code.
Operator policy rulesAlpha
Deny-only policy overlay: an operator-authored rule targets a permission atom plus a condition and runs after the RBAC walker grants access, able to flip an allow to a deny. Broader org-wide policy (required reviewers, required CI) remains roadmapped.
More KG languagesNext
Extractors beyond Go, TypeScript, and Python (Rust, Shell, and more), each landing behind the same indexer pipeline so query surfaces don't change.
Policy engineNext
Org-wide policy beyond the shipped deny-only overlay: required reviewers, required CI, branch-protection rules, secret scanning, driven by the same RBAC walker.
Project graph as agent surfaceNext
Promote project graph to be the canonical read surface for agents: walks, pins, status, and review state all answer one MCP call.
Storage benchmarksNext
Re-bench against projected agent and repo growth before scaling out from a single host.
Phase 2
Self-hosting, horizontal scale-out, deeper operator tooling. Gated on Phase 1 outcomes.
Operator activity rollupStable
Cross-tenant activity rollup for the operator dashboard, aggregating activity across all namespaces and repos rather than within a single org or agent.
Sovereign deploymentStable
FIPS build tag, BYO-LLM via `OPENAI_BASE_URL`, inference audit trail (audit_log schema + every `Chain.Embed` call logged), encrypted-at-rest enforcement (fail-fast in sovereign mode), data-residency manifest, admin inference-audit API, and air-gap install + attestation bundle.
Operator billing setupStable
Operator-side billing-provider configuration check and one-shot setup runner. Surfaces whether access tokens, webhook secrets, and product IDs are wired for the active mode.
Admin contact inquiry inboxStable
Operator view of incoming contact form submissions with list and per-submission detail, separate from the auto-reply and digest that fire at submission time.
Operator digest triggerStable
Manual trigger for the operator digest email, useful for testing template changes and on-demand summaries outside the scheduled cadence.
Inference audit trailStable
Every LLM call (embedding or chat) records the model endpoint, prompt hash, response hash, token counts, and actor on `audit_log` for compliance and procurement attestation. Operator API surfaces the trail under `/api/admin/inference-audit`.
License validatorStable
Offline Ed25519 license file validator with expiry, grace, and IP-allowlist checks. Customers verify their own license posture before booting; citadel-cli wraps it as `self-host license validate`.
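As an added example of the offline check this entry describes, and not the project's validator or its on-disk format, the Go block below signs a license payload with Ed25519 and then verifies it without any network access: signature first, then expiry with a grace period, then a host allow-list. The field names, the envelope layout, the posture values and the sample license are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"time"
)

// License is the signed claim set. Field names are assumptions for this
// example, not the project's on-disk license format.
type License struct {
	Customer   string    `json:"customer"`
	ExpiresAt  time.Time `json:"expires_at"`
	GraceDays  int       `json:"grace_days"`  // days after expiry during which the binary still boots
	AllowCIDRs []string  `json:"allow_cidrs"` // empty means any host may run it
}

// Envelope is the on-disk file: the exact payload bytes that were signed, plus the signature.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

type Posture int

const (
	Invalid Posture = iota
	Valid
	InGrace
)

var (
	ErrSignature      = errors.New("license: signature does not verify")
	ErrExpired        = errors.New("license: expired beyond grace period")
	ErrHostNotAllowed = errors.New("license: host address not in allow-list")
)

// NewKeypair generates a vendor signing key. Only the public half would ship with the binary.
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue is the vendor-side step; it is here only so the example is self-contained.
func Issue(priv ed25519.PrivateKey, lic License) (Envelope, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Validate runs the offline checks in order: the signature is verified before
// anything is parsed out of the payload, then expiry with grace, then the host
// allow-list. No network is needed, which is what makes it usable air-gapped.
func Validate(pub ed25519.PublicKey, env Envelope, hostIP string, now time.Time) (Posture, error) {
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Invalid, ErrSignature
	}
	var lic License
	if err := json.Unmarshal(env.Payload, &lic); err != nil {
		return Invalid, err
	}
	posture := Valid
	if now.After(lic.ExpiresAt) {
		if now.After(lic.ExpiresAt.AddDate(0, 0, lic.GraceDays)) {
			return Invalid, ErrExpired
		}
		posture = InGrace // expired but inside the grace period: boot, but report it
	}
	if len(lic.AllowCIDRs) > 0 {
		ip := net.ParseIP(hostIP)
		allowed := false
		for _, cidr := range lic.AllowCIDRs {
			if _, block, err := net.ParseCIDR(cidr); err == nil && ip != nil && block.Contains(ip) {
				allowed = true
				break
			}
		}
		if !allowed {
			return Invalid, ErrHostNotAllowed
		}
	}
	return posture, nil
}

func main() {
	pub, priv, err := NewKeypair()
	if err != nil {
		panic(err)
	}
	// Constructed sample license: 30 days of validity, 7 days of grace, private-range hosts only.
	env, _ := Issue(priv, License{Customer: "example-org", ExpiresAt: time.Now().AddDate(0, 0, 30), GraceDays: 7, AllowCIDRs: []string{"10.0.0.0/8"}})
	posture, err := Validate(pub, env, "10.1.2.3", time.Now())
	fmt.Println(posture == Valid, err) // true <nil>
}
```

Verifying the stored payload bytes rather than a re-serialised struct is deliberate: JSON encoders are not byte-stable across versions or field orderings, and a validator that re-marshals before verifying will reject perfectly good licenses after an innocuous dependency bump.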
Embedding provider chainStable
Configurable embeddings backend with provider fallback: the primary provider gets the first attempt, a failure fails over immediately to the next provider, and the chain accepts a local stub for air-gapped or sovereign deployments.
SCIM provisioningStable
SCIM 2.0 (RFC 7643/7644) endpoints for user and group provisioning with scoped SCIM tokens, drop-in for enterprise identity providers that do not use OAuth.
Audit retentionStable
Configurable per-tenant audit retention with a daily purge job, archive interface, and dry-run preview. Replaces unbounded log growth with a policy the operator owns.
Fail2ban reconcilerStable
Tails the host fail2ban log and mirrors ban and unban events into the audit log with cursor-based state, making authentication attacks visible alongside the user activity that provoked them.
KG mode controlStable
Operator switch between embeddings-backed and lexical-fallback knowledge-graph modes, persisted in the database with a short in-process cache and a public status endpoint.
MCP protocol adapterStable
Adapter layer that exposes the MCP tool registry over a second protocol surface, so agents that do not speak OAuth 2.1 still reach the same tool set under scoped tokens.
Host metricsStable
Process-based metrics (load average, memory total + available, root filesystem use), aggregated server-side and surfaced on the operator dashboard.
Multi-vendor cost monitoringBeta
Periodic cost snapshots across cloud and service vendors with per-vendor threshold alerts, hysteresis to suppress flaps, and an audit row plus operator email when a threshold trips.
Self-host distributionAlpha
Enterprise self-host posture: Helm chart for clustered deployments, single-binary installer for non-cluster hosts, packaged migrations, and an offline license file. Broader supported configurations and packaging polish continue under the Future bucket.
Horizontal scaleFuture
Lift Citadel from single-host to a clustered runtime (same operating model, more nodes) without changing the binary contract.
Review primitivesFuture
Deeper review-as-graph: agent-attributable approvals, review provenance edges, and machine-checkable review policies.
Phase 3
Cross-instance agent identity, project-graph federation. Gated on Phase 2 outcomes and consumer signal.
Self-host packaging polishFuture
Broader supported configurations, signed-binary distribution polish, and air-gapped install workflows beyond the initial Helm + single-binary shipment.
FederationFuture
Cross-Citadel agent identity and project-graph federation so an agent registered in one instance can act in another under explicit consent.
Release modelFuture
Broader release-model and license-posture decisions, both gated on Phase-2 outcomes and a real consumer signal.
Cross-instance agentsFuture
An agent identity that survives a move from one Citadel to another, with the audit trail intact and the namespace-graph permissions resolving across the boundary.
Future
No phase assigned yet.
Built in the open
Watch it land.
Maturity labels above are honest: alpha means alpha. Push a repository and follow along.