Critical-risk tools in Trace
4 of the 178 tools in Trace are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
delete_corpusDestructiveRemove a saved corpus (manifest + packed body). Returns JSON: { deleted: bool, name }.
-
remove_dead_codeDestructiveSafely remove a dead symbol from its file. Verifies the symbol is actually dead (multi-signal detection or zero incoming edges) before removal. Warns about orphaned imports in o...
-
repair_indexDestructiveApply a targeted repair to the local SQLite index. Modes: drop-orphans (delete embedding rows whose symbol_id no longer exists), drop-vec (drop the entire vector store — search ...
-
apply_codemodDestructiveBulk regex find-and-replace across files. Dry-run by default — first call shows preview, second call with dry_run=false applies. Use for mechanical changes like adding async/awa...
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.