Krolik: 30 Free MCP Tools for Code Intelligence (2026)
Krolik adds 30 MCP tools for code intelligence to Claude Code, Cursor, and Windsurf. Free, Apache 2.0, self-hosted. Traces bugs to file:function in 5 seconds.
Krolik is a free, open-source MCP server by Anatoly Koptev that adds 30 code intelligence tools to your AI coding agent. It parses 16 programming languages, runs a knowledge graph on Apache AGE, and pinpoints the root-cause file and function from a Prometheus alert in 5 seconds. No SaaS, no telemetry: self-hosted on Docker or Go 1.24+.
Krolik is a free, open-source MCP server that gives AI coding agents 30 tools for structural code intelligence. Built by Anatoly Koptev under Apache 2.0, it parses 16 languages via tree-sitter, indexes code into an Apache AGE knowledge graph, and bridges Prometheus alerts to the root-cause file and function in 5 seconds. Works with Claude Code, Cursor, Windsurf, Aider, and Cline. Self-hosted only.
Maker: Anatoly Koptev · Protocol: MCP · Auth: none
Compatible agents: Claude Code, Cursor, Windsurf, Aider, Cline, Any MCP client
Required runtime: Docker (recommended) OR Go 1.24+ with a C compiler, OpenAI-compatible LLM endpoint (mandatory), PostgreSQL 14+ with Apache AGE extension (optional, for code_graph), pgvector + ox-embed-server (optional, for semantic search reranking)
About Krolik
Krolik is an open-source MCP (Model Context Protocol) server built by Anatoly Koptev, a Staff Software Engineer with 14 years of production infrastructure experience. It adds 30 structured code intelligence tools to any MCP-compatible AI coding agent. Released under Apache 2.0 with no telemetry and no SaaS dependency, Krolik indexes codebases into an Apache AGE property graph on PostgreSQL, enabling queries that grep and keyword search cannot answer. As of v1.21.0 (June 20, 2026), the project has shipped 35 releases on GitHub. Krolik runs as a Go 1.24+ binary or Docker container, exposing all tools over Streamable HTTP on port 8897. It uses tree-sitter to parse 16 languages including Go, Python, TypeScript/JS, Rust, Java, C, C++, Ruby, C#, PHP, Svelte, Astro, Kotlin, Swift, and HTML into abstract syntax trees, then stores every symbol, call edge, and import relationship in an Apache AGE property graph. An optional ox-embed-server companion adds ONNX embeddings with ColBERT cross-encoder reranking for semantic search. An optional ox-codes companion deepens dead-code detection. Authentication is not required for local connections; an OpenAI-compatible LLM endpoint is supplied via environment variable. Any editor or agent that implements the Model Context Protocol can call Krolik's tools: Claude Code, Cursor, Windsurf, Aider, and Cline are all confirmed. The 30 tools cover the full development cycle: repo_analyze and explore for codebase overview, symbol_search and semantic_search for finding code, call_trace and impact_analysis for understanding change blast radius up to depth 10, dataflow_analyze for security taint tracking, debug_investigate for a 7-phase root-cause pipeline that goes from Prometheus alert to file:function in 5 seconds, rewrite for AST-based code transformations across 16 languages, and review_pr for differential PR analysis with persistent learnings. Krolik is entirely free to use. There is no paid tier, no hosted cloud option, and no telemetry. Self-hosting requires Docker (recommended) or Go 1.24+ with a C compiler for CGO tree-sitter bindings. PostgreSQL with Apache AGE is optional but required for the knowledge graph tools. The LLM API cost is the only ongoing expense. Since its first release, Krolik has shipped 35 versions, adding language support for Kotlin, Swift, and HTML, fleet monitoring via fleet_versions, WordPress plugin search via wp_plugin_search, and persistent learning across sessions via remember_graph_insights. Anatoly Koptev develops and maintains the project from the SF Bay Area.
Key Features
- 30 MCP tools over Streamable HTTP: Krolik exposes 30 callable tools via Streamable HTTP on port 8897, covering the full development cycle from repo overview to security taint analysis.
- 16-language tree-sitter parsing: Tree-sitter AST parsing supports 16 languages: Go, Python, TypeScript/JS, Rust, Java, C, C++, Ruby, C#, PHP, Svelte, Astro, Kotlin, Swift, HTML, and TSX.
- Apache AGE knowledge graph: Every symbol, call edge, import, and route handler is stored in an Apache AGE property graph on PostgreSQL, enabling natural language Cypher queries that grep cannot answer.
- 7-phase debug pipeline: debug_investigate runs a 7-phase async pipeline from a Prometheus alert or error message to the root-cause file and function in approximately 5 seconds.
- Hybrid semantic search: semantic_search combines BM25F lexical scoring, pgvector 768-dim embeddings, one-hop graph expansion, and ColBERT cross-encoder reranking for concept-level code retrieval.
- AST-based code rewriting: rewrite applies structural search-replace patterns with wildcard bindings ($x) across all 16 supported languages in a single pass, without regex fragility.
- Dataflow taint tracking: dataflow_analyze traces user inputs through the IL and CFG to find unescaped data paths and injection-risk sinks before they reach production.
- Persistent learning across sessions: remember_graph_insights stores codebase knowledge to a graph store so future debug and review queries benefit from prior analysis without re-indexing.
Use Cases
- Production incident debugging: Agent receives a Prometheus alert, calls debug_investigate, and gets the root-cause file and function in 5 seconds via a 7-phase async pipeline.
- Safe refactoring: Before changing a function, agent calls impact_analysis with depth 10 to see every direct and transitive caller across the entire codebase.
- Security taint tracking: Agent calls dataflow_analyze to trace unescaped user inputs through the IL/CFG and identify potential injection points before they reach production.
- Codebase-wide AST rewriting: Agent calls rewrite with a tree-sitter pattern to replace a deprecated API across all 16 supported languages in one pass.
- Automated PR review: Agent calls review_pr to compute the differential blast radius of a pull request and persists learnings for use in future reviews of the same codebase.
Install
claude mcp add -s user -t http go-code http://127.0.0.1:8897/mcp
Requirements
- Clone and start the Krolik server: git clone https://github.com/anatolykoptev/go-code && cd go-code && docker compose up -d
- Set LLM_API_BASE and LLM_API_KEY environment variables pointing to an OpenAI-compatible endpoint
- Optionally install PostgreSQL 14+ with Apache AGE and set DATABASE_URL for knowledge graph features
- Optionally run ox-embed-server for ONNX embedding-based semantic search reranking
Actions
debug_investigate
Runs a 7-phase async pipeline from an error or Prometheus alert to the root-cause file and function, completing in approximately 5 seconds.
{"tool": "debug_investigate", "arguments": {"query": "rate(http_requests_total{status=\"500\"}[5m]) > 0.1", "depth": 3}}query(string) — required: The error message, Prometheus alert expression, or Jaeger trace to investigate.depth(number): How many call levels to trace when following the root-cause hypothesis.
semantic_search
Finds code by concept using hybrid BM25F lexical scoring, pgvector 768-dim embeddings, one-hop AGE graph expansion, and ColBERT cross-encoder reranking.
{"tool": "semantic_search", "arguments": {"query": "user authentication token validation", "limit": 10}}query(string) — required: Natural language description of the code to find.limit(number): Maximum number of results to return.
symbol_search
Searches functions, types, and constants by name pattern across all indexed files and languages.
{"tool": "symbol_search", "arguments": {"pattern": "HandleAuth*", "language": "go"}}pattern(string) — required: Name pattern to match, supports wildcards.language(string): Filter results to one language (e.g. 'go', 'python', 'typescript').
call_trace
Traces call chains bidirectionally from a given symbol with configurable depth, showing all callers or all callees.
{"tool": "call_trace", "arguments": {"symbol": "CreateOrder", "direction": "up", "depth": 5}}symbol(string) — required: Fully qualified or partial function or method name to trace.direction(string): Trace direction: 'up' to find callers or 'down' to find callees.depth(number): Maximum number of call levels to follow.
impact_analysis
Calculates the blast radius of changing a symbol: all direct and transitive callers up to depth 10 across the entire codebase.
{"tool": "impact_analysis", "arguments": {"symbol": "parseUserToken", "depth": 10}}symbol(string) — required: Symbol name to analyze for change impact.depth(number): Maximum traversal depth for impact calculation, up to 10.
dataflow_analyze
Tracks taint flow through the IL/CFG to detect unescaped inputs, dead stores, and potential injection paths in security-sensitive code.
{"tool": "dataflow_analyze", "arguments": {"symbol": "processUserInput", "source": "http.Request.FormValue"}}symbol(string) — required: Starting function or symbol to trace dataflow from.source(string): Taint source to track (e.g. an HTTP input function).
rewrite
Applies structural AST search-replace patterns across 16 languages using wildcard matching, without regex or text substitution.
{"tool": "rewrite", "arguments": {"pattern": "fmt.Sprintf(\"%s\", $x)", "replacement": "$x.String()", "language": "go"}}pattern(string) — required: Tree-sitter AST pattern to find, supports $x wildcard bindings.replacement(string) — required: Replacement pattern using the same $x bindings.language(string): Language to run the rewrite in. Omit to apply across all indexed files.
review_pr
Analyzes a pull request by computing the differential blast radius and persisting learnings for future reviews of the same codebase.
{"tool": "review_pr", "arguments": {"pr_url": "https://github.com/org/repo/pull/42"}}pr_url(string): GitHub pull request URL to analyze.diff(string): Raw unified diff text if no PR URL is available.
understand
Returns type-aware symbol analysis with complexity metrics, including type signatures, references, and cyclomatic complexity.
{"tool": "understand", "arguments": {"symbol": "OrderService.PlaceOrder"}}symbol(string) — required: Fully qualified or partial symbol name to analyze.
code_graph
Queries the Apache AGE property graph using a natural language question translated to Cypher, returning graph relationships between symbols.
{"tool": "code_graph", "arguments": {"query": "Which functions call the database layer from the HTTP handlers?", "depth": 3}}query(string) — required: Natural language question about code relationships.depth(number): Maximum graph traversal depth for the generated Cypher query.
dead_code
Identifies unused symbols using cross-encoder confidence scoring per symbol, with deeper analysis available via the ox-codes companion.
{"tool": "dead_code", "arguments": {"language": "typescript", "threshold": 0.8}}language(string): Restrict analysis to one language. Omit to scan all indexed languages.threshold(number): Confidence threshold (0.0 to 1.0) above which a symbol is reported as dead.
code_health
Grades a repository from A to F on code health based on dead code, complexity, and dependency metrics. Requires the ox-codes companion.
{"tool": "code_health", "arguments": {}}repo_analyze
Performs a deep, quick, or issue/PR-focused analysis of a repository and returns a structured overview.
{"tool": "repo_analyze", "arguments": {"repo_path": "/workspace/my-service", "mode": "deep"}}repo_path(string) — required: Absolute path or GitHub URL of the repository to analyze.mode(string): Analysis mode: 'deep' for full indexing, 'quick' for overview, 'issues' or 'prs' for issue/PR context.
explore
Returns a quick sub-second overview of a repository without cloning, useful for getting initial context before deeper analysis.
{"tool": "explore", "arguments": {"repo_url": "https://github.com/org/repo"}}repo_url(string): GitHub repository URL. Omit to explore the currently indexed workspace.
file_parse
Parses a single file with tree-sitter and returns either a flat list of symbols or the full AST in JSON.
{"tool": "file_parse", "arguments": {"file_path": "src/auth/token.go", "output": "symbols"}}file_path(string) — required: Relative or absolute path to the file to parse.output(string): Output format: 'symbols' for a flat list or 'ast' for the full AST.
dep_graph
Builds a dependency graph for the indexed codebase and outputs it in Mermaid, Graphviz DOT, or JSON format.
{"tool": "dep_graph", "arguments": {"format": "mermaid"}}format(string): Output format: 'mermaid', 'graphviz', or 'json'.
code_compare
Compares two repositories structurally across architecture, API surface, and code quality dimensions.
{"tool": "code_compare", "arguments": {"repo1": "https://github.com/org/service-v1", "repo2": "https://github.com/org/service-v2"}}repo1(string) — required: Path or URL of the first repository.repo2(string) — required: Path or URL of the second repository.
prepare_change
Assesses the risk of a planned code change by identifying affected symbols, tests, and dependent services before any code is written.
{"tool": "prepare_change", "arguments": {"symbol": "UserService.UpdateEmail", "change_description": "Add email uniqueness validation"}}symbol(string) — required: Symbol to be changed.change_description(string) — required: Plain English description of the intended change.
code_research
Performs BM25F plus embedding-based search optimized for large monorepos where semantic_search may be too broad.
{"tool": "code_research", "arguments": {"query": "distributed transaction rollback", "limit": 5}}query(string) — required: Natural language research query.limit(number): Maximum number of results.
design_search
Finds system components or modules by a natural language UI or workflow description using multilingual-e5-large embeddings.
{"tool": "design_search", "arguments": {"description": "The checkout flow that shows a cart summary before payment"}}description(string) — required: UI or workflow description to search for in the codebase.
resolve_frame
Unminifies a JavaScript or TypeScript stack frame by resolving it through a source map back to the original file and line number.
{"tool": "resolve_frame", "arguments": {"frame": "at t.e.n.processEvent (bundle.min.js:1:43291)", "source_map_url": "https://cdn.example.com/bundle.min.js.map"}}frame(string) — required: Minified stack frame text to unminify.source_map_url(string): URL to the source map file. If omitted, Krolik attempts to locate it automatically.
site_analyze
Crawls a website to produce a tech stack fingerprint and SEO audit including meta tags, canonical URLs, and structured data.
{"tool": "site_analyze", "arguments": {"url": "https://example.com"}}url(string) — required: Root URL of the site to analyze.
site_crawl
Runs a breadth-first crawl of a website and returns all discovered URLs with their status codes.
{"tool": "site_crawl", "arguments": {"url": "https://docs.example.com", "depth": 3}}url(string) — required: Starting URL for the BFS crawl.depth(number): Maximum crawl depth from the starting URL.
fleet_versions
Diffs pinned container image versions in configuration files against the versions actually running in the deployed environment.
{"tool": "fleet_versions", "arguments": {}}remember_graph_insights
Persists learnings about the codebase to a knowledge store so future queries benefit from prior analysis context.
{"tool": "remember_graph_insights", "arguments": {"insights": "The auth package uses singleton pattern; token validation always goes through TokenService.Validate before any DB write."}}insights(string) — required: Free-text learnings about the codebase to persist for future sessions.
repo_search
Discovers GitHub repositories matching a query by combining SearXNG web search with GitHub API results, ranked by an LLM.
{"tool": "repo_search", "arguments": {"query": "Go microservices gRPC health check", "limit": 5}}query(string) — required: Natural language query to find matching repositories.limit(number): Maximum number of repositories to return.
review_delta
Computes differential blast radius for a code diff and persists learnings, functionally identical to review_pr but accepts raw diffs directly.
{"tool": "review_delta", "arguments": {"diff": "--- a/auth.go\n+++ b/auth.go\n@@ -12,7 +12,8 @@"}}diff(string) — required: Unified diff text to analyze.
wp_plugin_search
Searches the WordPress.org plugin directory for plugins matching a query, returning plugin names, versions, and active install counts.
{"tool": "wp_plugin_search", "arguments": {"query": "woocommerce payment gateway"}}query(string) — required: Search query for the WordPress plugin directory.
How to Invoke
Exposed as 30 MCP tools via Streamable HTTP on port 8897. Register with: claude mcp add -s user -t http go-code http://127.0.0.1:8897/mcp. Agent calls tools by name (e.g. debug_investigate, semantic_search, symbol_search) with JSON arguments.
Pricing
Completely free and open source under Apache 2.0. No paid tier, no hosted SaaS, and no telemetry. Self-hosted: only ongoing cost is your own LLM API usage.
Strengths
- 30 tools cover the entire development workflow from initial exploration to security auditing, so agents rarely need a second code intelligence tool.
- Apache 2.0 license with no telemetry or SaaS lock-in: the LLM API cost is the only ongoing expense.
- 16-language support including Kotlin, Swift, and HTML makes Krolik one of the broadest tree-sitter-based code intelligence tools available in 2026.
- Compatible with every major MCP client (Claude Code, Cursor, Windsurf, Aider, Cline) via a single URL registration.
Weaknesses
- 2 GitHub stars as of June 2026: the community is nascent and documentation beyond the README is limited.
- Some key features (semantic_search reranking, dead_code depth) require optional companion services (ox-embed-server, ox-codes) that add setup complexity.
- No hosted cloud option: teams must run Docker or a Go build on their own infrastructure, which blocks quick evaluation.
Frequently Asked Questions
What is Krolik and what does it do?
Krolik is a free, open-source MCP (Model Context Protocol) server that adds 30 code intelligence tools to AI coding agents. Built by Anatoly Koptev, a Staff Software Engineer with 14 years of production experience, it is available at krolik.tools and on GitHub at github.com/anatolykoptev/go-code under Apache 2.0 license. The server runs locally via Docker or Go 1.24+ and exposes all tools over Streamable HTTP on port 8897. Agents call tools by name with JSON arguments, covering everything from symbol search and call graph tracing to security taint analysis and pull request review. As of v1.21.0 (June 20, 2026), Krolik has shipped 35 releases and supports 16 programming languages. The standout capability is debug_investigate: a 7-phase async pipeline that goes from a Prometheus alert or error to the root-cause file and function in approximately 5 seconds.
How much does Krolik cost in 2026?
Krolik is completely free to use. There is no paid tier, no hosted SaaS product, and no subscription. The project is released under the Apache 2.0 license, which permits commercial use, modification, and redistribution. The only ongoing expense is the cost of the OpenAI-compatible LLM endpoint that you supply via environment variable, since Krolik requires a language model for tools like code_graph and debug_investigate. Hosting Krolik on your own server adds standard compute costs for Docker or a Go binary. Two optional companion services, ox-embed-server and ox-codes, are also open source under the same license. There is no freemium model, no usage limit, and no feature gating behind a paid plan.
What are the main features of Krolik?
Krolik provides 30 MCP tools divided into several capability groups. Code discovery tools include symbol_search, semantic_search, code_research, and design_search for finding code by name, concept, or UI description. Analysis tools include call_trace, impact_analysis, understand, and dep_graph for mapping how code connects. The debug_investigate tool runs a 7-phase pipeline from a Prometheus alert to the root-cause function in about 5 seconds. Security tools include dataflow_analyze for taint tracking and dead_code for finding unused symbols. Transformation tools include rewrite for AST-level structural code changes across 16 languages. Review tools include review_pr and review_delta for computing blast radius before merging. Additional tools cover fleet monitoring (fleet_versions), web crawling (site_analyze, site_crawl), and persistent learning (remember_graph_insights).
Is Krolik free to use?
Yes, Krolik is free to use with no restrictions. It is released under the Apache 2.0 open source license, which means you can use it commercially, modify it, and redistribute it without paying any fees. There is no freemium tier with locked features, no usage-based billing, and no telemetry or phone-home. The only cost is what you pay your LLM provider for the API endpoint that Krolik calls internally, and any cloud compute you use to host the Docker container or Go binary. Both optional companion services, ox-embed-server for ONNX embeddings and ox-codes for deeper dead-code analysis, are also free and open source.
What are the best alternatives to Krolik?
The strongest alternatives in the code intelligence MCP category as of mid-2026 are CodeGraph, GitNexus, and codebase-memory-mcp. CodeGraph (47,400 GitHub stars) and GitNexus (42,000 stars) both pre-compute codebase structure on-device and serve it over MCP with no cloud or embeddings API required, making them better choices if you want instant setup and a large community for support. Codebase-memory-mcp supports 158 languages, far more than Krolik's 16, and uses tree-sitter plus LSP for higher-fidelity type resolution. Choose Krolik if you specifically need its debug_investigate pipeline (Prometheus-to-function in 5 seconds), its dataflow taint analysis, or its site crawl and fleet monitoring tools, which the above alternatives do not provide. Repomix (26,200 stars) is another option if your goal is compressing codebase context for prompts rather than calling structured analysis tools.
Who is Krolik best for?
Krolik is best for backend engineers, security engineers, and platform teams who use AI coding agents (Claude Code, Cursor, Windsurf) to navigate large codebases. Backend engineers benefit from call_trace and impact_analysis when planning refactors, because the tools show exactly which code will break before a single line is changed. Security engineers get the most value from dataflow_analyze, which traces user input through the CFG to identify injection risks in code that is too large to audit manually. Platform teams debugging production incidents benefit most from debug_investigate, which connects Prometheus alerts to the root-cause function in seconds. Krolik is not the right choice for teams that want a hosted, zero-setup solution, or for individual developers who only work on small codebases where grep is sufficient.
How do you get started with Krolik?
Getting started with Krolik takes about 5 minutes assuming Docker is installed. First, clone the repository from github.com/anatolykoptev/go-code and start the server with docker compose up -d from the project directory. Set the LLM_API_BASE and LLM_API_KEY environment variables to point to your OpenAI-compatible LLM endpoint before starting. Once the container is running on port 8897, register it in Claude Code with: claude mcp add -s user -t http go-code http://127.0.0.1:8897/mcp. For Cursor and Windsurf, add the MCP URL http://127.0.0.1:8897/mcp in their MCP settings panel. Optional: add a PostgreSQL database with Apache AGE for the code_graph tools, and run ox-embed-server for embedding-based semantic search. Without the optional companions, repo analysis, symbol search, call tracing, and debug investigation all work immediately.
How does Krolik compare to CodeGraph in 2026?
Krolik and CodeGraph both deliver code intelligence over MCP, but they target different pain points. CodeGraph (47,400 GitHub stars, launched January 2026) focuses on pre-indexing codebase structure on-device for fast context delivery to agents, with zero external dependencies and sub-millisecond query times. Krolik (2 GitHub stars) trades community size for breadth: its 30 tools go far beyond structure queries to include dataflow taint analysis, 7-phase production incident debugging connected to Prometheus and Jaeger, AST rewriting across 16 languages, fleet monitoring, and site crawling. If your agent mainly needs to read code structure and keep token usage low, CodeGraph's simplicity and community support make it the better choice. If you need an agent that can debug production incidents, track security vulnerabilities through dataflow analysis, or transform code at the AST level, Krolik provides capabilities that CodeGraph does not have.