Tools Matrix
All 22 Code Scalpel MCP tools — exact limits sourced from limits.toml
| Tool Name | Category | Community | Pro | Enterprise | Key Features |
|---|---|---|---|---|---|
| analyze_code | Analysis | 1 MB file limit | ✓ 100 MB file limit | ✓ 100 MB file limit | AST parsing, functions, classes, complexity metrics. All 7 languages on every tier. |
| get_file_context | Analysis | 2,000 line limit | ✓ Unlimited lines | ✓ Unlimited lines | File overview: imports, exports, functions, security warnings |
| crawl_project | Analysis | 500 files, no parsing | ✓ Unlimited + parsing | ✓ Unlimited + parsing | Project-wide inventory, hotspot detection, complexity metrics. Community: file list only — full AST parsing and complexity analysis require Pro. |
| get_project_map | Analysis | 500 files, basic detail | ✓ Unlimited, detailed | ✓ Unlimited, comprehensive | Architecture visualization, module hierarchy, circular import detection |
| get_symbol_references | Analysis | 200 files, 200 refs | ✓ Unlimited | ✓ Unlimited | Find all usages, definitions, and call sites for a named symbol |
| get_call_graph | Graph | Depth 10, 200 nodes | ✓ Unlimited | ✓ Unlimited | Function call chains, entry points, circular import detection |
| get_cross_file_dependencies | Graph | Depth 3, 200 files | ✓ Unlimited | ✓ Unlimited | Cross-file dependency chains with confidence scoring and diagrams |
| get_graph_neighborhood | Graph | k=2, 100 nodes | ✓ Unlimited | ✓ Unlimited | k-hop subgraph around a node; impact radius analysis |
| extract_code | Extraction | No cross-file deps, 1 MB | ✓ Cross-file deps, 100 MB | ✓ Cross-file deps, 100 MB | Token-efficient extraction of functions/classes by name. Community: extracts the target symbol only. Pro/Enterprise: resolves cross-file dependencies. |
| update_symbol | Modification | Syntax validation, 10/call | Semantic validation, unlimited | ✓ Full validation, unlimited | Safe in-place symbol replacement with backup. Validation depth: Community=syntax, Pro=semantic, Enterprise=full (type-safe + semantic). |
| rename_symbol | Modification | Single-file only | ✓ Project-wide | ✓ Project-wide + org-wide | Rename a symbol and update references. Community: renames the definition within one file. Pro: updates all references across the entire project. Enterprise: org-wide scope. |
| simulate_refactor | Modification | Basic analysis, 5 MB | Advanced analysis, 100 MB | ✓ Deep analysis, 100 MB | Preview refactoring impact without executing. Analysis depth: Community=basic, Pro=advanced, Enterprise=deep. |
| security_scan | Security | OWASP Top 10 only, 100 findings | ✓ All vuln types, unlimited | ✓ All vuln types, unlimited | Taint-based vulnerability detection. Community: OWASP Top 10, max 100 findings, 500 KB files. Pro/Enterprise: all types (incl. business logic, deserialization), no limits. |
| cross_file_security_scan | Security | 50 modules, depth 5 | ✓ Unlimited | ✓ Unlimited | Cross-module taint tracking; detects vulnerabilities spanning import boundaries |
| unified_sink_detect | Security | 50 sinks (Py/JS/TS/Java/C/C++) | ✓ Unlimited (Py/JS/TS/Java/C/C++) | ✓ Unlimited (Py/JS/TS/Java/C/C++) | Polyglot dangerous-sink detection: SQL injection, XSS, command injection, path traversal across 6 languages. |
| scan_dependencies | Security | 50 dependencies, OSV lookup | ✓ Unlimited, OSV lookup | ✓ Unlimited, OSV lookup | Check requirements/package files against the OSV vulnerability database |
| type_evaporation_scan | Security | Frontend only, 50 files | ✓ Full-stack, unlimited | ✓ Full-stack + schema gen | Detect TypeScript type-safety erosion: `any` widening, unsafe casts. Enterprise adds full-stack schema generation. |
| code_policy_check | Governance | 100 files, built-in rules only | Unlimited + custom rules | ✓ HIPAA/SOC2/PCI-DSS + audit trail | Code style and compliance enforcement. Community: built-in rules only, no custom rules, no compliance frameworks. Pro: custom rules. Enterprise: compliance frameworks + tamper-resistant audit trail + PDF certificates. |
| verify_policy_integrity | Governance | 50 files, no HMAC signing | ✓ HMAC-SHA256, unlimited | ✓ HMAC-SHA256, unlimited | Cryptographically verify that policy files have not been tampered with. Community: file presence check only — no signature validation and no tamper detection. |
| symbolic_execute | Symbolic | 100 paths, depth 10, int/bool/str/float | ✓ Unlimited depth, +list/dict | ✓ Unlimited, all constraint types | Symbolic execution to find edge cases and dead code. Constraint types expand per tier: Community supports primitives (int/bool/str/float); Pro adds collections (list/dict); Enterprise supports all types. |
| generate_unit_tests | Testing | 10 tests, pytest only | ✓ Unlimited, pytest + unittest | ✓ Unlimited, all frameworks | Generate test cases from symbolic execution paths. Frameworks: Community=pytest, Pro=pytest+unittest, Enterprise=all (including hypothesis, nose, etc.). |
| validate_paths | Utilities | 100 paths | ✓ Unlimited | ✓ Unlimited | Verify file paths are accessible; detect Docker mounting issues and alias mismatches |
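The verify_policy_integrity row above distinguishes a presence-only check (Community) from HMAC-SHA256 signature validation (Pro/Enterprise). The following added example, which is not Code Scalpel's own code, shows why the distinction matters: a presence check still passes after a policy file is edited, while an HMAC tag computed over the original bytes no longer verifies. The key, policy contents and file name are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def sign_policy(policy_bytes: bytes, key: bytes) -> str:
    """Return the hex HMAC-SHA256 tag over the raw policy bytes."""
    return hmac.new(key, policy_bytes, hashlib.sha256).hexdigest()


def verify_presence_only(path: str) -> bool:
    """Presence-only check, as the page describes for Community: file exists, nothing else."""
    return os.path.isfile(path)


def verify_hmac(path: str, expected_tag: str, key: bytes) -> bool:
    """Signature check: recompute the tag over the file on disk and compare in constant time."""
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as f:
        actual = sign_policy(f.read(), key)
    # compare_digest avoids leaking how many leading bytes of the tag matched.
    return hmac.compare_digest(actual, expected_tag)


def demo() -> dict:
    """Sign a constructed policy, tamper with it, and report what each check says."""
    key = b"constructed-demo-key"  # constructed; a real key lives in secrets management
    policy = b"[rules]\nmax_complexity = 10\n"  # constructed policy content
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "policy.toml")
        with open(path, "wb") as f:
            f.write(policy)
        tag = sign_policy(policy, key)
        before = (verify_presence_only(path), verify_hmac(path, tag, key))
        # Relax the rule in place: the file is still present, but its bytes changed.
        with open(path, "wb") as f:
            f.write(b"[rules]\nmax_complexity = 1000\n")
        after = (verify_presence_only(path), verify_hmac(path, tag, key))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())  # {'before': (True, True), 'after': (True, False)}
```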
Tier Comparison Summary
- Community: All 22 tools with per-tool limits (500-file scanner, 1 MB files, single-file rename). Vulnerability scanning limited to OWASP Top 10. No custom policy rules, no HMAC policy signing. MIT-licensed.
- Pro: All 22 tools. Limits removed (scanner: 100,000 files, files: 100 MB). Cross-file extraction, semantic validation, all vulnerability types, full-stack type scanning, custom policy rules, project-wide rename, HMAC policy signing. Requires license.
- Enterprise: All Pro features plus HIPAA/SOC2/PCI-DSS compliance frameworks, tamper-resistant audit trail, PDF compliance certificates, deep refactor analysis, full-stack schema generation, all test frameworks and constraint types. Requires license.
📋 Important Details
File Selection (Community Limits): When Community tier file limits are exceeded (e.g., 500 files in crawl_project), files are selected lexicographically (alphabetically by path) after filtering ignored directories. This ensures deterministic, reproducible behavior. Pro and Enterprise have no file count limits.
Grace Period: All tiers include a 7-day grace period for expired licenses. Pro/Enterprise tools revert to Community limits after the grace period.
Offline Usage: License validation is offline (JWT cryptographic verification). Online checks happen every 24 hours to validate revocation status, with a 48-hour grace period if the network is unavailable.
Audit Logs (Enterprise): Centralized tamper-resistant logging to audit.log. All tools using audit trails automatically gain disk-backed logging.
Known Limitations: See our Known Limitations page for transparency about edge cases and design trade-offs.