Tool Reference
Complete guide to Code Scalpel's 22 MCP tools for surgical code operations
Overview
Code Scalpel provides 22 specialized MCP tools for AI-assisted code operations. All tools are available at all tiers (Community, Pro, Enterprise) with tier-based limits and progressive feature enhancement.
Key Principles
- Token Efficiency: 99% reduction vs traditional file reading (50 tokens vs 10,000+)
- AST-Based Accuracy: Zero hallucination via real parsers (Python ast, tree-sitter)
- Multi-Language: Python (full AST), JavaScript/TypeScript/Java (tree-sitter/heuristic)
- Tier Scaling: All tools available; limits expand by tier (Community → Pro → Enterprise)
Tool Categories
Code Analysis (4 tools)
Understand code structure, complexity, and architecture without reading full files.
analyze_code
Availability: All Tiers
Purpose: Static code structure analysis via AST parsing. Returns functions, classes, imports, and complexity metrics without hallucination risk.
get_file_context
Availability: All Tiers
Purpose: Token-efficient "strategic glance" at a file. Returns a structured summary including functions, classes, imports, complexity, and security warnings.
crawl_project
Availability: Community: 100 files; Pro: 1000 files; Enterprise: Unlimited
Purpose: Project-wide analysis providing comprehensive structure, complexity metrics, and code intelligence across all files. Bird's-eye view of the entire codebase.
get_project_map
Availability: Community: 100 files; Pro: Enhanced; Enterprise: Full
Purpose: Architectural reconnaissance engine generating comprehensive project structure visualizations. Shows packages, modules, complexity hotspots, and architectural patterns.
Code Extraction (3 tools)
Surgically extract specific code elements by name with maximum token efficiency.
extract_code
Availability: Community: Single-file; Pro: Cross-file depth=1; Enterprise: Unlimited
Purpose: Primary code retrieval tool. Surgically extracts specific functions/classes/methods by name. The agent sends ~50 tokens and receives ~200 (vs 10,000+ for a full file).
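As an added illustration of the AST-based, name-addressed extraction that extract_code performs (example code written for this reference, not Code Scalpel's implementation), the following Python uses the standard ast module to pull one function, class or method out of a module by dotted name and to estimate the token saving relative to returning the whole file. The sample module, the helper names and the whitespace-based token estimate are assumptions made for the example.

```python
import ast
from typing import Optional

# Constructed sample module standing in for a project file (not from the page).
SAMPLE_SOURCE = '''\
import os

CONFIG = {"retries": 3}

def logged(fn):
    return fn

@logged
def parse_header(line: str) -> dict:
    """Split a 'Key: value' header line into a one-entry dict."""
    key, _, value = line.partition(":")
    return {key.strip(): value.strip()}

class Session:
    def __init__(self, token: str):
        self.token = token

    def close(self) -> None:
        self.token = ""

def unused_helper():
    return os.getcwd()
'''

DEF_TYPES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)

def _resolve(tree: ast.Module, dotted_name: str) -> Optional[ast.AST]:
    """Follow a dotted path such as 'Session.close' through nested definitions."""
    scope: ast.AST = tree
    node = None
    for part in dotted_name.split("."):
        node = next((c for c in ast.iter_child_nodes(scope)
                     if isinstance(c, DEF_TYPES) and c.name == part), None)
        if node is None:
            return None
        scope = node
    return node

def extract_symbol(source: str, dotted_name: str) -> Optional[str]:
    """Return the verbatim source of one function, class or method (decorators
    included). Line spans come from the parser, so nothing is reconstructed."""
    node = _resolve(ast.parse(source), dotted_name)
    if node is None:
        return None
    start = min([node.lineno] + [d.lineno for d in node.decorator_list])
    return "\n".join(source.splitlines()[start - 1:node.end_lineno])

def token_estimate(text: str) -> int:
    """Rough token proxy (whitespace-separated chunks); real tokenizers count more."""
    return len(text.split())

def extraction_savings(source: str, dotted_name: str) -> float:
    """Fraction of the whole-file token cost avoided by returning only the symbol."""
    part = extract_symbol(source, dotted_name)
    if part is None:
        return 0.0
    return 1.0 - token_estimate(part) / token_estimate(source)

if __name__ == "__main__":
    print(extract_symbol(SAMPLE_SOURCE, "Session.close"))
    print(f"saving on parse_header: {extraction_savings(SAMPLE_SOURCE, 'parse_header'):.0%}")
```

Because the returned text is sliced from the parser's own line span, the extract can never contain a line that is not in the file, which is the property the "zero hallucination" principle above relies on. On a realistically sized module the saving approaches the 99% figure quoted in the principles; on this tiny sample it is smaller but still positive.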
get_symbol_references
Availability: Community: 10 files, 50 refs; Pro: Unlimited; Enterprise: + Risk Scoring
Purpose: Find all references to a symbol (function, class, variable) across the project for safe refactoring and impact analysis. AST-based accuracy eliminates false positives.
get_cross_file_dependencies
Availability: Community: Depth=1, 50 files; Pro: Depth=5, 500 files; Enterprise: Unlimited
Purpose: Analyze import/require statements and trace dependency chains across file boundaries with confidence scoring. Gathers complete code context for AI-assisted editing.
Code Modification (2 tools)
Surgical, safe code modification with automatic validation and backup.
update_symbol
Availability: All Tiers (No Restrictions)
Purpose: Primary write tool for surgical code modification. Replaces specific functions/classes/methods with new code while preserving the surrounding context. Atomic write with backup.
rename_symbol
Availability: Community: Single-file; Pro: Cross-file (bounded); Enterprise: Org-wide
Purpose: Safely rename functions, classes, or methods while automatically updating all references. AST-based transformation ensures syntactic correctness and preserves formatting.
Code Flow Analysis (3 tools)
Understand function relationships, call graphs, and execution paths.
get_call_graph
Availability: Community: Depth=3, 50 nodes; Pro: Depth=50, 500 nodes; Enterprise: Unlimited
Purpose: Generate static call graphs showing function-to-function relationships, entry points, and circular dependencies. Primary architecture visualization tool.
symbolic_execute
Availability: Community: 3 paths, 10 loop iterations; Pro: 10 paths, 100 iterations; Enterprise: Unlimited
Purpose: Formal verification and path exploration powered by the Z3 Theorem Prover. Treats variables as mathematical symbols to solve for inputs that trigger specific code paths.
get_graph_neighborhood
Availability: Community: k=1; Pro: k=5; Enterprise: Unlimited
Purpose: Extract a localized subgraph around a specific function to avoid the "Exploding Graph Problem". Surgically explore dependency chains without loading the entire codebase.
Security Analysis (5 tools)
Comprehensive security vulnerability detection with taint analysis and dependency scanning.
security_scan
Availability: Community: 50 findings; Pro: Unlimited + Remediation; Enterprise: + Custom Rules
Purpose: Primary single-file SAST engine. Identifies SQL injection, XSS, and command injection via sophisticated Python taint analysis. Sink detection for JS/TS/Java.
cross_file_security_scan
Availability: Community: 10 modules, depth=3; Pro: 100 modules, depth=10; Enterprise: Unlimited
Purpose: Detect vulnerabilities that span multiple files by tracking tainted data flow across module boundaries. Answers "How does untrusted data flow through my entire system?"
unified_sink_detect
Availability: Community: 50 sinks; Pro: Unlimited + Context; Enterprise: + Risk Scoring
Purpose: Polyglot detection of dangerous "sinks" (functions where execution of untrusted data leads to vulnerabilities). Confidence scoring and CWE mapping reduce false positives.
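To show the kind of taint-to-sink reasoning behind security_scan and unified_sink_detect, here is an added Python example that is not Code Scalpel's own engine: a small intra-procedural taint tracker over the ast that flags dangerous sinks, maps each to a CWE, and reports a lower confidence when the argument's origin is merely unknown rather than tainted. The source and sink tables, the constructed sample file and the confidence labels are assumptions made for the example.

```python
import ast
from typing import Dict, Iterator, List, Optional, Set

# Constructed sample file (not from the page): two tainted sinks, one literal
# argument that must stay silent, and one argument of unknown origin.
VULNERABLE_SAMPLE = '''\
import os
from flask import request

def search(db):
    term = request.args.get("q")
    query = "SELECT * FROM items WHERE name = '" + term + "'"
    db.execute(query)

def ping():
    host = request.args.get("host")
    os.system(f"ping -c 1 {host}")

def safe_lookup(db):
    db.execute("SELECT 1")

def report(db, user_query):
    db.execute(user_query)
'''

SOURCE_CALLS = {"input"}            # bare calls that return attacker-controlled text
SOURCE_PREFIXES = ("request.",)     # Flask-style request object (assumed convention)
SINKS = {"eval": "CWE-95", "exec": "CWE-95",   # callee -> CWE; "*.execute" handled below
         "os.system": "CWE-78", "os.popen": "CWE-78", "subprocess.call": "CWE-78"}
BLOCK_FIELDS = ("body", "orelse", "finalbody")

def _callee_name(call: ast.Call) -> str:
    """Render the callee as a dotted string: os.system, db.execute, eval."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def _sink_cwe(name: str) -> Optional[str]:
    if name in SINKS:
        return SINKS[name]
    return "CWE-89" if name.endswith(".execute") else None   # any DB-API cursor/connection

def _tainted(node: ast.AST, tainted: Set[str]) -> bool:
    """True if the expression reads a source or a tainted name; taint survives
    concatenation, f-strings and wrapper calls such as str() or .format()."""
    if isinstance(node, ast.Call):
        name = _callee_name(node)
        if name in SOURCE_CALLS or name.startswith(SOURCE_PREFIXES):
            return True
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Constant):
        return False
    return any(_tainted(child, tainted) for child in ast.iter_child_nodes(node))

def _own_calls(stmt: ast.stmt) -> Iterator[ast.Call]:
    """Calls in the statement's own expressions; nested blocks are scanned in order later."""
    for field, value in ast.iter_fields(stmt):
        if field in BLOCK_FIELDS or field == "handlers":
            continue
        for item in (value if isinstance(value, list) else [value]):
            if isinstance(item, ast.AST):
                yield from (n for n in ast.walk(item) if isinstance(n, ast.Call))

def _scan_block(stmts: List[ast.stmt], tainted: Set[str], func: str, out: List[Dict]) -> None:
    for stmt in stmts:
        if isinstance(stmt, (ast.Assign, ast.AnnAssign, ast.AugAssign)) and stmt.value is not None:
            targets = stmt.targets if isinstance(stmt, ast.Assign) else [stmt.target]
            if _tainted(stmt.value, tainted):
                tainted.update(t.id for t in targets if isinstance(t, ast.Name))
        for call in _own_calls(stmt):
            cwe = _sink_cwe(_callee_name(call))
            if cwe is None or not call.args or isinstance(call.args[0], ast.Constant):
                continue                 # not a sink, or a literal query/command
            confidence = "high" if _tainted(call.args[0], tainted) else "low"
            out.append({"function": func, "line": call.lineno, "sink": _callee_name(call),
                        "cwe": cwe, "confidence": confidence})
        # Descend into if/for/while/with/try blocks so assignments inside them are seen.
        blocks = [getattr(stmt, f, None) for f in BLOCK_FIELDS]
        blocks += [h.body for h in getattr(stmt, "handlers", [])]
        for block in blocks:
            if isinstance(block, list):
                _scan_block(block, tainted, func, out)

def scan_source(source: str) -> List[Dict]:
    """One finding per sink call with a non-literal argument, tagged with CWE and confidence."""
    findings: List[Dict] = []
    for node in ast.parse(source).body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            _scan_block(node.body, set(), node.name, findings)
    return findings
```

Running scan_source over the sample yields three findings: the concatenated query in search and the f-string command in ping at high confidence, and the pass-through parameter in report at low confidence, while the literal in safe_lookup is never reported. Dropping literals outright and demoting unknown-origin arguments rather than discarding them is what keeps the false-positive rate down without hiding a call site that still deserves a look; the cross-file tool described next is what would resolve where that parameter actually comes from.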
scan_dependencies
Availability: Community: 50 dependencies; Pro: Unlimited + Reachability; Enterprise: + Compliance
Purpose: Software Composition Analysis (SCA) to identify security risks in project dependencies. Scans manifests against the OSV database with typosquatting detection and license compliance.
type_evaporation_scan
Availability: All Tiers
Purpose: Detect type safety violations where type hints are present but can be bypassed at runtime. Focuses on vulnerabilities arising from Python's dynamic type system.
Policy & Compliance (2 tools)
Enforce organizational standards, best practices, and regulatory compliance.
code_policy_check
Availability: Community: Style; Pro: + Best Practices; Enterprise: + Compliance
Purpose: Unified enforcement of coding standards, best practices, security patterns, and compliance requirements. Single interface for style, security, and regulatory auditing.
verify_policy_integrity
Availability: Enterprise Only
Purpose: Cryptographic guardian of the governance model. Ensures policy definitions (allowlists, denylists, compliance rules) haven't been tampered with. Fail-closed security.
Testing & Validation (2 tools)
Automated test generation and pre-flight safety validation for code changes.
generate_unit_tests
Availability: Community: 5 tests; Pro: 20 tests + Parametrized; Enterprise: Unlimited + Bug Reproduction
Purpose: Automatically create comprehensive unit tests using symbolic execution. Explores all execution paths to generate concrete test cases with specific input values.
simulate_refactor
Availability: All Tiers
Purpose: Pre-flight safety validator for code modifications. Performs a "dry run" analysis to detect security regressions, breaking changes, and behavioral inconsistencies before applying changes.
Utility (2 tools)
Path validation and file system operations with Docker awareness.
validate_paths
Availability: Community: 100 paths; Pro/Enterprise: Unlimited
Purpose: Pre-flight checklist for filesystem operations. Validates that file paths exist, are accessible, and are safe before expensive operations. Docker-aware, with volume mount suggestions.
Tier Comparison Summary
| Feature | Community | Pro | Enterprise |
|---|---|---|---|
| All 22 Tools | ✅ Available | ✅ Available | ✅ Available |
| security_scan findings | 50 max | Unlimited | Unlimited + Custom |
| symbolic_execute paths | 3 paths | 10 paths | Unlimited |
| crawl_project files | 100 files | 1,000 files | Unlimited |
| extract_code dependencies | Single-file | Cross-file depth=1 | Unlimited depth |
| generate_unit_tests | 5 tests | 20 tests | Unlimited |
| Remediation Suggestions | ❌ | ✅ | ✅ |
| Compliance Reporting | ❌ | ❌ | ✅ (HIPAA, SOC2, GDPR, PCI-DSS) |
| Custom Policies | ❌ | ❌ | ✅ |
Common Integration Patterns
Typical Workflow: Analyze → Extract → Modify → Verify
- Understand Structure: analyze_code or get_file_context
- Extract Code: extract_code with the symbol name
- Verify Safety: security_scan on the extracted code
- Check Impact: get_symbol_references to find all call sites
- Simulate Changes: simulate_refactor with the proposed modifications
- Apply Changes: update_symbol if the simulation passes
- Validate: Re-run security_scan and the tests
Getting Started
Ready to use these tools? Check out our documentation for installation instructions, configuration guides, and detailed usage examples.