Critical-risk tools in Lunch Money
8 of the 44 tools in Lunch Money are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
- delete_category (Destructive): Delete a single category or category group. By default fails (HTTP 422) if dependencies exist, returning a structured
- delete_manual_account (Destructive): Delete a manually-managed account. Optionally also delete its transactions/rules/recurring items, and/or its balance history. Both deletion options are irreversible.
- delete_tag (Destructive): Delete a tag. By default fails (HTTP 422) with a structured
- delete_transaction (Destructive): Delete a single transaction. Fails for split/group transactions and their parents — unsplit/ungroup first. Irreversible.
- delete_transaction_attachment (Destructive): Delete a transaction file attachment. Irreversible.
- delete_transaction_group (Destructive): Delete (ungroup) a transaction group. The original child transactions remain and revert to normal ungrouped transactions.
- delete_transactions_bulk (Destructive): Bulk-delete transactions by ID (1-500). Fails if any ID is a split or group parent, or part of a split/group; unsplit or ungroup those first. Irreversible.
- remove_budget (Destructive): Remove the budget for a specific category and period. The request is idempotent — succeeds even if no budget exists for the period.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.