Citadel — a self-hosted Organization Vault and seat-capture CLI built on Cognee.
Project description
▛▜ ▛▜ ▛▜ ▛▜ ▛▜ ▛▜ ▛▜
▕══════════════════════════════════▏
▕ ____ _ _____ _ ___ ___ _ ▏
▕ / ___|| |_ _/ \ | \| __| | ▏
▕ | |__ | | | |/ _ \| |) | _|| |__ ▏
▕ \___| |_| |_/_/ \_\___/|___|____|▏
▕══════════════════════════════════▏
▕ ▟▀▙ ▟▀▙ ▟▀▙ ▏
▕▄▄▄▄█ █▄▄▄▄▄▄▄█ █▄▄▄▄▄▄▄█ █▄▄▄▄▄▄▄▄▏
Citadel
A self-hosted Organization Vault — shared, access-controlled memory for your team and its AI agents. Built on Cognee.
Citadel turns approved sources — commits, sessions, docs, issues — into structured, source-linked knowledge, and exposes it to people and agents through a CLI, a hosted MCP endpoint, an HTTP API, and a web UI. Capture is personal-by-default (your private Node); the shared Central vault evolves only through governed promotion and org sync.
Features
- One-command onboarding —
citadel onboardwires the seat token, autosync git/session hooks, MCP server, and capture roots. Idempotent, self-contained. - Autonomous capture — fail-silent git pre-push + Claude Code
SessionEndhooks snapshot work to your private Node. No per-session ceremony. - Headless by design — every teammate command speaks
--json, so Claude / Codex / Cursor and CI can drive it. Token from env, never argv. - Hosted MCP — agents connect with a URL + token;
citadel_searchto read,citadel_ingest/citadel_contributeto write. Per-call audit. - Governed sharing — seat writes stay on your Node; Central updates via org sync and the Promotion Agent. Secrets blocked on every write path.
- Live knowledge graph — Central + all seat Nodes on one canvas, plus a real-time activity timeline in the web UI.
- Zero-dependency client —
pip install citadel-archiveis pure stdlib; the server stack is an opt-in extra.
Quick start
Teammate CLI
pipx install citadel-archive # the `citadel` command (zero-dep client)
# upgrade: pipx install --force citadel-archive --pip-args=--no-cache-dir
citadel onboard # token + hooks + MCP + capture roots (idempotent)
citadel status # connection · identity · local setup (--json for agents)
No Python yet? The bootstrap installer checks for Python 3.10+, asks before installing it if it's missing, then sets up pipx + the CLI:
curl -fsSL https://raw.githubusercontent.com/masumi-network/Citadel-Archive/main/install.sh | sh(
citadelis a Python tool; pipx keeps its interpreter isolated so you don't manage Python yourself. Add-s -- -yto skip prompts,--dry-runto preview.)
▙ ▟ ▙ ▟ ▙ ▟ ▙ ▟
███████████████ CITADEL
██ ▟▀▙ ▟▀▙ ██ the organization vault
██ █ █ █ █ ██
███████████████
citadel onboard installs the bundled autosync hooks (kb.hooks.* — no vendored
skill), writes the seat token to your shell rc (masked), adds the MCP server, and
offers Approved Capture Roots. Get a ctdl_… seat token from a vault admin (the
Access page or POST /api/access/tokens). One token per person or agent; rotate
anything that lands in chat or logs.
Self-host the server
uv sync --dev # full server stack (cognee, fastapi, …)
cp .env.example .env # set providers, access keys, database
uv run uvicorn kb.server:app --reload --port 8000
Open http://localhost:8000/ for the UI. See
docs/operations.md for deployment, environment, and
integrations.
How it works
| Concept | What it is |
|---|---|
Node (seat:{slug}) |
Your private working memory. Default target for all capture. |
Central (masumi-network) |
The shared org vault. Read-only for seats; evolves via sync + promotion. |
| Capture | Approved Capture Roots auto-sync to your Node; everything else needs approval. |
| Promotion | A Promotion Agent moves qualifying Node knowledge into Central (tag-governed). |
Four surfaces sit on the same FastAPI process and the same ctdl_ tokens: the
CLI, the hosted MCP endpoint (/mcp/), the HTTP API, and the web
UI. The domain language is defined in CONTEXT.md; architecture
decisions live in docs/adr/.
Usage
CLI
citadel onboard # one-command setup
citadel doctor [--fix] # diagnose (and repair) your local setup
citadel status [--json] # health + identity + local setup + knowledge mesh
citadel capture [--dry-run] [--json] # push summaries of Approved Capture Roots
citadel search "what did we decide about the vault?" # HTTP-backed via your seat (--json)
citadel ingest "A durable note" --tag decision # → your seat Node, cognified inline
citadel mcp add cursor # wire another coding tool to the hosted MCP
citadel seat create "Jane Dev" jane # admin: mint a seat + its seat-scoped writer token
MCP (hosted)
Agents connect with a URL and a token — no clone, no local Python. Add to a
project .mcp.json:
{
"mcpServers": {
"citadel": {
"type": "http",
"url": "https://citadel-archive-production.up.railway.app/mcp/",
"headers": { "Authorization": "Bearer ${CITADEL_MCP_ACCESS_TOKEN}" }
}
}
}
HTTP API
export CITADEL_BASE_URL=https://citadel-archive-production.up.railway.app
# Read — flat, agent-friendly alias over search
curl -fsS -H "Authorization: Bearer $CITADEL_MCP_ACCESS_TOKEN" \
"$CITADEL_BASE_URL/api/knowledge?q=payment+flow&limit=5"
# Contribute (writer) — routed through the Learning Process with conflict detection
curl -fsS -X POST "$CITADEL_BASE_URL/api/contribute" \
-H "Authorization: Bearer $CITADEL_MCP_ACCESS_TOKEN" -H "Content-Type: application/json" \
--data '{"title":"Decision: deepseek-v4-flash","content":"Standardized on it via OpenRouter.","tags":["decision"]}'
Full endpoint reference: docs/operations.md.
Python
import asyncio
from kb import Citadel
async def main() -> None:
kb = Citadel.from_env()
await kb.ingest("Citadel keeps my Organization Vault organized.", tags=["personal"])
print(await kb.search("What does Citadel do?"))
asyncio.run(main())
Skills & agent discovery
The agent skills live in skills/ and are installable straight from this repo:
npx skills add masumi-network/Citadel-Archive
The hosted /skills
index and the
discovery manifest
publish each skill's sha256 / SRI integrity and the MCP endpoint, token
requirements, and public/private boundary — without exposing vault content.
Documentation
| Topic | Doc |
|---|---|
| Operations & self-hosting | docs/operations.md |
| Teammate rollout (5 min) | docs/onboarding/teammate-rollout.md |
| Autonomous sync | docs/onboarding/citadel-autosync.md |
| Domain glossary | CONTEXT.md |
| Architecture decisions | docs/adr/ |
| Brand | brand.md |
| Publishing the CLI | PUBLISHING.md |
| Repo | Visibility | Role |
|---|---|---|
| Citadel Archive (this) | Public | app, MCP plugin, docs, agent skills (no vault content) |
| Vault Backup Mirror | Private | manifest-only backup of vault evidence |
| Railway deployment | Private | live Organization Vault |
Contributing
Issues and pull requests welcome. Tests run with uv run pytest; lint with
uv run ruff check .. Keep the lightweight client free of server dependencies —
the base package is stdlib-only (a test guards the import boundary).
License & attribution
Apache-2.0. Citadel builds on Cognee (developed by Topoteretes UG, Apache-2.0) and imports it as a dependency rather than vendoring it, so upstream can be upgraded independently.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file citadel_archive-0.2.2.tar.gz.
File metadata
- Download URL: citadel_archive-0.2.2.tar.gz
- Upload date:
- Size: 917.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9d2a74ee5b1f398643095860079a3eb79f77bd0d573964dc09e7ea5d79496893
|
|
| MD5 |
ede38b02a825c67dace7f93a36e3b33f
|
|
| BLAKE2b-256 |
aade5e3010a85c9668ccce9f05ea643853f8524eaacbe717551453f936c903a0
|
Provenance
The following attestation bundles were made for citadel_archive-0.2.2.tar.gz:
Publisher:
publish.yml on masumi-network/Citadel-Archive
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
citadel_archive-0.2.2.tar.gz -
Subject digest:
9d2a74ee5b1f398643095860079a3eb79f77bd0d573964dc09e7ea5d79496893 - Sigstore transparency entry: 2047812673
- Sigstore integration time:
-
Permalink:
masumi-network/Citadel-Archive@9d0c97d56fd969d8786e84fc63762dcccfdad6be -
Branch / Tag:
refs/tags/v0.2.2 - Owner: https://github.com/masumi-network
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@9d0c97d56fd969d8786e84fc63762dcccfdad6be -
Trigger Event:
push
-
Statement type:
File details
Details for the file citadel_archive-0.2.2-py3-none-any.whl.
File metadata
- Download URL: citadel_archive-0.2.2-py3-none-any.whl
- Upload date:
- Size: 320.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
184112cd4c7bbcbb5385034be75a7ad8f5c4455b19a4210c8ec881a58794835b
|
|
| MD5 |
f745b4e995918eff4fc1db541832e9a8
|
|
| BLAKE2b-256 |
e4fd0db859582d239a2e20b0de91f19b8d898f30ebd3bb9dc84b037318041f7a
|
Provenance
The following attestation bundles were made for citadel_archive-0.2.2-py3-none-any.whl:
Publisher:
publish.yml on masumi-network/Citadel-Archive
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
citadel_archive-0.2.2-py3-none-any.whl -
Subject digest:
184112cd4c7bbcbb5385034be75a7ad8f5c4455b19a4210c8ec881a58794835b - Sigstore transparency entry: 2047812688
- Sigstore integration time:
-
Permalink:
masumi-network/Citadel-Archive@9d0c97d56fd969d8786e84fc63762dcccfdad6be -
Branch / Tag:
refs/tags/v0.2.2 - Owner: https://github.com/masumi-network
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@9d0c97d56fd969d8786e84fc63762dcccfdad6be -
Trigger Event:
push
-
Statement type: