Tools
Hyrax ships 39 audit tools across 6 domain groups. Each tool is a focused checklist the agent runs against your repo; tools in the same group share an LLM call so cross-tool patterns get caught in one pass.
Tools are auto-discovered from tools/<name>.yaml in the repo root (typed metadata + structured prompt sections). Adding one is described in the project README.
This page is generated by scripts/generate_tools_doc.py. Edit the source tools/<name>.yaml description field and re-run the script — don't hand-edit this file.
Security
auth — Authentication & Authorization Audit
Identify weaknesses in authentication and authorization that could allow unauthorized access, privilege escalation, or session hijacking. This tool goes deeper than security (which covers broad vulnerability classes) by focusing specifically on auth architecture, session lifecycle, and permission enforcement across the entire request chain.
compliance — Compliance Audit
Identify regulatory compliance gaps that could expose the organization to legal liability, fines, or audit failures. This tool detects missing privacy controls, PII handling violations, data retention issues, and audit trail gaps across GDPR, SOC2, and HIPAA frameworks.
harden — Hardening Audit
Identify code that works in the happy path but fails under edge cases, concurrency, bad input, or resource pressure. These are not feature bugs — they are robustness gaps that cause intermittent failures, data corruption, or hard-to-debug production issues.
privacy — Privacy & Data Protection Audit
Identify privacy violations and data protection gaps that could expose user PII, violate regulations (GDPR, CCPA), or create liability through improper data handling. This tool catches issues that security scanners miss because they require understanding data flow and business context.
security — Security Audit
Identify security vulnerabilities that could allow unauthorized access, data leakage, or code execution. Covers code-level vulnerabilities, HTTP security headers, CORS policies, cookie attributes, secret detection, and supply chain risks. This tool catches issues that automated scanners miss by understanding code context and data flow.
Correctness
a11y — Accessibility Audit
Identify accessibility (a11y) violations that prevent users with disabilities from using the application. Focus on programmatic issues detectable through code review: missing ARIA attributes, keyboard traps, non-semantic markup, and missing text alternatives. This primarily applies to frontend/UI code — for backend-only repos, limit scope to API response patterns that affect client-side accessibility.
ai-usage — AI/LLM Usage Audit
Identify issues in how a codebase integrates with AI/LLM services — from missing error handling and cost controls to prompt injection vulnerabilities and overuse of LLMs for tasks that should be deterministic. Even repos without AI may benefit from this audit (missing opportunities).
concurrency — Concurrency Audit
Identify concurrency bugs that cause race conditions, data corruption, deadlocks, or unhandled failures in asynchronous code. These issues are intermittent and hard to reproduce, making them especially dangerous in production. Focus on shared mutable state, async/await misuse, and missing synchronization.
cost — Cost Efficiency Audit
Identify code patterns that waste compute, memory, storage, network bandwidth, or third-party API credits. Focus on unbounded resource consumption, expensive operations in hot paths, and missing safeguards that allow costs to spike unexpectedly in production.
gaps — Gap Analysis Audit
Identify structural gaps — places where the codebase is missing standard patterns that peer features implement, or where important user-facing states are unhandled. This tool catches the things nobody notices until a user hits them: missing error handling, missing empty states, inconsistent behavior across similar features, and architectural blind spots.
i18n — Internationalization Audit
Identify internationalization (i18n) issues that prevent proper localization, break translations, or cause incorrect display of locale-sensitive data. Focus on hardcoded user-facing strings, missing translation keys, and patterns that make translation impossible or error-prone.
resilience — Resilience Audit
Identify missing fault tolerance patterns that cause cascade failures, hung services, and poor degradation under partial outages. Focus on external service calls, resource isolation, and recovery mechanisms that determine whether a single dependency failure takes down the entire system.
state-mgmt — State Management Audit
Identify state management anti-patterns that cause bugs (stale data, race conditions, lost updates), performance problems (unnecessary re-renders, memory leaks), and UX issues (state not surviving navigation, lost form data). Covers both frontend state (React, Vue, Redux, Zustand) and backend state (sessions, caching, in-memory stores). Scope boundary: This tool focuses on how state is managed, stored, and synchronized — Redux/Zustand stores, React state, caching, URL state, and backend in-memory state. For API call patterns (error handling, retries, timeouts), see api-layer. For concurrency bugs (missing locks, thread safety, deadlocks), see concurrency. For memory leaks from listeners/timers, see perf.
tests — Test Quality Audit
Identify gaps in test coverage, tests that provide false confidence, and patterns that lead to flaky or unmaintainable test suites. Maps source files to their corresponding test files and identifies testing gaps where critical code paths lack coverage. The goal is not 100% coverage but ensuring that critical paths, security-sensitive code, and complex logic are adequately tested.
Maintainability
cleanup — Dead Code & Cleanup
Identify code that is no longer used, reachable, or necessary. Dead code increases maintenance burden, confuses developers, inflates bundle sizes, and can mask real bugs. This tool finds it so it can be safely removed.
code-quality — Code Quality Audit
Identify structural code quality issues that make the codebase harder to understand, maintain, and extend. This is not about formatting or lint rules — it is about architecture, decomposition, naming, and consistency. These issues accumulate technical debt that slows down every future change.
error-ux — Error Message & UX Audit
Identify poor error handling UX that frustrates users, leaks internal details, or makes debugging impossible. This tool bridges the gap between the security tool (which catches leaked stack traces as vulnerabilities) and the gaps tool (which catches missing error boundaries structurally) by focusing on the user-facing quality of error experiences.
migration — Migration Health Audit
Identify incomplete, stalled, or risky migrations — both code-level pattern migrations (e.g., class components to hooks, Redux to Zustand) and database schema migrations. Halfway-done migrations are a persistent source of bugs, confusion, and tech debt. This tool quantifies migration progress and flags risks that the modernize tool (which focuses on adopting new patterns) and cleanup tool (which focuses on dead code) don't cover.
modernize — Modernization Audit
Identify code that uses outdated patterns, deprecated APIs, or legacy approaches that have better modern alternatives. Modernization reduces maintenance burden, improves developer experience, and often brings security and performance improvements for free.
refactor — Refactor / Consolidation Audit
Identify code that is repeated across multiple files and should be consolidated into shared helpers, utilities, hooks, or abstractions. This is NOT about style or formatting — it is about finding 10-50 line patterns that are copy-pasted (with minor variations) across many files, where a single well-designed helper would replace them all. The goal is to find the highest-leverage refactors: places where one new helper simplifies 20+ files.
Performance
bundle-size — Bundle Size Audit
Identify JavaScript bundle size problems — barrel imports that defeat tree-shaking, heavy dependencies with lighter alternatives, missing code splitting, synchronous imports that should be lazy-loaded, and duplicate packages bundled multiple times. Only relevant for JS/TS repos that ship browser bundles.
frontend-perf — Frontend Performance Audit
Identify client-side performance issues — render blocking patterns, missing lazy loading, unoptimized images, expensive re-renders, and patterns that degrade Core Web Vitals (LCP, CLS, INP).
perf — Performance Audit
Identify code patterns that cause memory leaks, excessive CPU usage, slow queries, unnecessary network calls, or poor user-perceived performance. Focus on issues that are systemic or affect hot paths — not micro-optimizations.
Architecture
api-contract — API Contract & Type Safety Audit
Identify mismatches between what an API promises and what it actually delivers. API contract violations cause runtime errors that are invisible at compile time — wrong field names, unexpected nulls, missing error shapes, and stale generated clients. Scope boundary: This tool focuses on the contract between API producers and consumers — spec accuracy, type safety, response shape consistency, and generated client freshness. For API design patterns (error handling, retries, client wrappers, caching), see api-layer. For input validation (missing schema enforcement, sanitization), see data-validation. For database schema issues (column types, constraints, migrations), see schema or database.
api-documentation — API Documentation Audit
Verify that API endpoints have adequate documentation — OpenAPI/Swagger specs, docstrings, JSDoc comments, request/response type annotations, and error response documentation. Flag undocumented endpoints, missing type definitions, and absent API changelogs for versioned APIs.
api-layer — API Layer Audit
Identify inconsistencies, gaps, and anti-patterns in how the codebase interacts with APIs — both as a client (making requests) and as a server (handling requests). A clean API layer is critical for reliability, security, and developer productivity. Scope boundary: This tool covers API design and usage patterns — how clients call APIs, how servers handle requests, error propagation, retries, and caching. For contract accuracy and type safety (spec drift, generated clients, response shape mismatches), see api-contract. For input validation completeness (missing schema validation, sanitization), see data-validation.
data-validation — Data Validation
Identify missing or incomplete input validation at system boundaries where untrusted data enters the application. Missing validation leads to data corruption, unexpected crashes, security vulnerabilities, and poor user experience. This tool checks that every entry point validates its inputs thoroughly. Scope boundary: This tool focuses on application-layer input validation — ensuring data is validated, coerced, and constrained at every boundary where untrusted input enters the system. For API contract accuracy (spec drift, response shape mismatches, type coverage), see api-contract. For database schema constraints (NOT NULL, CHECK, UNIQUE at the DB level), see schema. For SQL injection and query safety, see database. For XSS and injection attacks, see security.
database — Database Safety Audit
Identify database runtime risks: SQL injection, N+1 query patterns, ORM misuse, transaction safety issues, connection pool exhaustion, and query performance problems. Focus on patterns that cause data corruption, security vulnerabilities, or performance degradation under production load. Scope boundary: This tool focuses on query-level and runtime database issues — how the application queries, connects, and transacts with the database. For schema design issues (missing constraints, data types, migration safety, index design, schema drift), see schema. For application-level input validation (missing Pydantic/Zod schemas on request handlers), see data-validation.
multi-tenant — Multi-Tenant Isolation Audit
Identify weaknesses in tenant isolation that could allow one tenant to access, modify, or interfere with another tenant's data. Multi-tenant bugs are among the highest-severity issues a SaaS application can have — a single missing WHERE tenant_id = ? clause can expose an entire customer's data. This tool systematically checks every layer of the stack for tenant boundary enforcement.
schema — Database Schema & Migration Audit
Identify database schema weaknesses, migration risks, data type problems, and ORM modeling anti-patterns that cause data integrity bugs, production outages during deploys, or performance degradation under real data volumes. These issues are invisible in code review because they only manifest with production data sizes and concurrent access. Scope boundary: This tool focuses on schema design and migrations — table structure, constraints, data types, indexes as they relate to schema correctness, and migration safety. For query-level issues (SQL injection, N+1 queries, connection pooling, transaction isolation, query timeouts), see database. For application-level input validation (missing Pydantic/Zod schemas, form validation), see data-validation.
versioning — API Versioning Audit
Identify API versioning gaps, missing deprecation notices, breaking changes without version bumps, and absent migration paths that cause client breakage, integration failures, and painful upgrades. Focus on public-facing APIs, internal service contracts, and schema evolution practices.
Operations
config — Configuration Audit
Identify configuration hygiene issues that make deployments fragile, environments inconsistent, or secrets insecure. Focus on hardcoded values that should be configurable, missing validation, and configuration that varies by environment but is baked into code.
deployment — Deployment Safety Audit
Identify deployment configuration issues — Dockerfile anti-patterns, missing health checks, unsafe rollout patterns, missing rollback capability, and container security gaps that cause production incidents during deploys.
deps — Dependency Audit
Identify vulnerable, unmaintained, and problematic dependencies, and analyze the project's dependency tree for security vulnerabilities, license conflicts, phantom/unused deps, lock file health, version currency, deprecated packages, and supply chain integrity. Unlike other audit tools that rely on code reading, this tool runs native package audit commands and queries package registries for real-time data. It produces higher-confidence findings than pattern-matching alone.
docs — Documentation Audit
Find documentation that has drifted from the actual code. Inaccurate docs are worse than no docs — they actively mislead developers, waste debugging time, and cause incorrect implementations. This tool cross-references every doc claim against the codebase.
feature-flags — Feature Flag Hygiene Audit
Identify stale, inconsistent, or risky feature flag usage that leads to dead code, unreachable code paths, and operational surprises. Feature flags are powerful but accumulate tech debt rapidly — a flag that's been 100% rolled out for six months is just dead code with extra indirection. This tool catches flag hygiene issues that cleanup (general dead code) and config (configuration management) don't specifically target.
logging — Logging Quality Audit
Identify logging practices that reduce debuggability, leak sensitive data, create excessive noise, or prevent effective log aggregation. Focus on patterns that make production incidents harder to diagnose and security-sensitive data that should never appear in logs.
monorepo — Monorepo Health
Identify structural problems in monorepo workspaces that cause build failures, version drift, circular dependencies, and package boundary violations. These issues compound silently — a single inconsistent dependency version or leaked internal import can cascade into hours of debugging across teams.
observability — Observability Audit
Identify gaps in error tracking, logging, metrics, and tracing that make it difficult to detect, diagnose, and resolve production issues. Focus on silent failures, missing instrumentation on critical paths, and patterns that leave operators blind when things go wrong.