// SCAN REPORT

Local Rag

29 tools. 6 can modify or destroy data without limits.

2 destructive tools with no built-in limits. Policy required.

Last updated: 11 Jun 2026

6 can modify or destroy data

23 read-only

29 tools total

Community server · catalogue entry verified 11/06/2026

How to control Local Rag ↓

TOOL MAP

What Local Rag exposes to your agents

Read (23) Write / Execute (4) Destructive / Financial (2)

Running more than one server? Check your whole stack →

MOST DANGEROUS TOOLS

Critical Risk

The most dangerous Local Rag tools

Destructive · Medium delete_annotation This tool permanently deletes annotations from the codebase metadata. Destructive · High remove_file This tool permanently deletes a file from the semantic search index without reversibility. Execute · High wiki This tool executes a workflow rebuild operation, which is an automated process that can modify state and have side effects. Write · Medium annotate This tool writes/creates persistent annotations in a semantic code search system.

6 of Local Rag's 29 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

POLICY

How to control Local Rag

PolicyLayer is an MCP gateway — it sits between your AI agents and Local Rag, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations

{
  "delete_annotation": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations

{
  "index_files": {
    "limits": [
      {
        "counter": "index_files_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations

{
  "affected": {
    "limits": [
      {
        "counter": "affected_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

Create a free account and register Local Rag — nothing to install.
Add these rules — paste them, or build them visually. Tune the limits to your setup.
Point your MCP client (Claude, Cursor, anything) at your gateway URL.

ENFORCE POLICY ON LOCAL RAG →

Free to start. No card required.

FULL CATALOGUE

All 29 Local Rag tools

DESTRUCTIVE 2 tools

Destructive delete_annotation Remove an annotation that is no longer relevant — e.g. a bug that was fixed, a constraint that no longer appli Destructive remove_file Remove a specific file from the RAG index.

EXECUTE 1 tools

Execute wiki Run the wiki rebuild workflow. The

WRITE 3 tools

Write index_files Index files in a directory for semantic search. Without patterns, indexes the project from config and prunes d Write annotate Attach a persistent note to a file or symbol that surfaces inline in future read_relevant results. Call this i Write create_checkpoint Save a checkpoint so future sessions know what was done and why. REQUIRED: call this as your final step after

READ 23 tools

Read affected Given changed files (or the working-tree diff against HEAD by default), report the test files that transitivel Read git_context Show git context for the working tree: uncommitted changes annotated with index status, recent commits, and ch Read impact Symbol-level blast radius: the transitive callers of a function or method as a pruned call tree, plus the test Read callees List the functions/methods a symbol directly calls (one hop out), each resolved to its definition file:line. T Read dependents List all files that import a given file (reverse dependencies). Shows the blast radius before modifying a file Read depends_on List all files that a given file imports (its dependencies). Shows the resolved import graph — what this file Read file_history Get the commit history for a specific file. Returns commits that touched the file, sorted by date (newest firs Read get_annotations Retrieve persistent notes attached to files or symbols. Pass path to get all notes for a file. Pass query to s Read index_status Show the current state of the RAG index for a project directory. Read list_checkpoints List conversation checkpoints, most recent first. Cross-session by default. Read project_map Visualize how files relate to each other — imports, exports, and fan-in/fan-out. Faster than reading import st Read read_conversation Read the full verbatim text of past conversation turns by session + turn index. The read counterpart to search Read read_relevant Get the actual content of the most relevant code chunks — individual functions, classes, or sections — with ex Read search Search the full codebase by meaning — finds files that grep misses. Use natural language ( Read search_analytics Show search usage analytics: query counts, zero-result queries, low-relevance queries, top searched terms. Read search_checkpoints Semantic search over checkpoint titles and summaries. Read search_commits Semantically search git commit history. Use this to find why code was changed, when decisions were made, or wh Read search_conversation Search through conversation history. Finds past decisions, discussions, and tool outputs from current or previ Read search_symbols Find where a function, class, type, or interface is defined — by name, not semantics. Faster than grep for sym Read server_info Show the current MCP server configuration: resolved project directory, database location, index status, embedd Read trace Show how one symbol reaches another: the connecting call sub-graph from Read usages Find call sites and references to a symbol across indexed files — with file paths, line numbers, and matching Read write_relevant Find the best file and location to insert new code or docs. Returns semantically appropriate insertion points

EXPLORE

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

FAQ

Questions about Local Rag

Can an AI agent delete data through the Local Rag MCP server? +

Yes. The Local Rag server exposes 2 destructive tools including delete_annotation, remove_file. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Local Rag? +

The Local Rag server has 3 write tools including index_files, annotate, create_checkpoint. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach Local Rag.

How many tools does the Local Rag MCP server expose? +

29 tools across 4 categories: Destructive, Execute, Read, Write. 23 are read-only. 6 can modify, create, or delete data.

How do I enforce a policy on Local Rag? +

Register the Local Rag MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Local Rag tool call.

Deterministic rules across all 29 Local Rag tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

ENFORCE POLICY ON LOCAL RAG →

Free to start. No card required.

29 Local Rag tools catalogued and risk-classified — across an index of 43,000+ MCP servers.