npm - @homenshum/convex-mcp-nodebench - Versions diffs - 0.9.2 → 0.9.3 - Mend

@homenshum/convex-mcp-nodebench 0.9.2 → 0.9.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js +1 -1
package/dist/tools/authorizationTools.js +4 -3
package/dist/tools/dataModelingTools.js +40 -0
package/dist/tools/reportingTools.js +1 -1
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -79,7 +79,7 @@ for (const tool of ALL_TOOLS) {
 // ── Server setup ────────────────────────────────────────────────────
 const server = new Server({
     name: "convex-mcp-nodebench",
-    version: "0.9.2",
+    version: "0.9.3",
 }, {
     capabilities: {
         tools: {},

package/dist/tools/authorizationTools.js CHANGED Viewed

@@ -97,16 +97,17 @@ function auditAuthorization(convexDir) {
                     withoutAuth++;
                     // Critical: public mutation/action with DB writes but no auth
                     if ((ft === "mutation" || ft === "action") && hasDbWrite) {
+                        const sensitiveHint = isSensitiveName ? ` Name "${funcName}" suggests a destructive operation.` : "";
                         issues.push({
                             severity: "critical",
                             location: `${relativePath}:${i + 1}`,
                             functionName: funcName,
-                            message: `Public ${ft} "${funcName}" writes to DB without auth check. Any client can call this.`,
+                            message: `Public ${ft} "${funcName}" writes to DB without auth check. Any client can call this.${sensitiveHint}`,
                             fix: `Add: const identity = await ctx.auth.getUserIdentity(); if (!identity) throw new Error("Not authenticated");`,
                         });
                     }
-                    // Critical: sensitive-named function without auth
-                    if (isSensitiveName) {
+                    else if (isSensitiveName) {
+                        // Only flag sensitive name separately if not already caught by DB-write check
                         issues.push({
                             severity: "critical",
                             location: `${relativePath}:${i + 1}`,

package/dist/tools/dataModelingTools.js CHANGED Viewed

@@ -35,6 +35,46 @@ function auditDataModeling(convexDir) {
         tableNames.add(m[1]);
         totalTables++;
     }
+    // Detect spread-imported table providers (e.g. ...authTables adds "users", "sessions")
+    // Strategy 1: Known spreads from popular Convex packages
+    const knownSpreads = {
+        authTables: ["users", "authSessions", "authAccounts", "authRefreshTokens", "authVerificationCodes", "authRateLimits", "authVerifiers"],
+    };
+    // Strategy 2: Parse inline comments next to spreads for table name hints
+    // e.g. ...authTables, // `users`, `sessions`
+    const spreadCommentPattern = /\.\.\.(\w+)\s*,?\s*\/\/\s*(.+)/g;
+    let sm;
+    while ((sm = spreadCommentPattern.exec(content)) !== null) {
+        const spreadName = sm[1];
+        const comment = sm[2];
+        // Extract backtick-quoted or quoted table names from comment
+        const commentTables = [...comment.matchAll(/[`"'](\w+)[`"']/g)].map(m => m[1]);
+        // Merge known + comment-discovered tables
+        const tables = new Set([
+            ...(knownSpreads[spreadName] ?? []),
+            ...commentTables,
+        ]);
+        for (const t of tables) {
+            if (!tableNames.has(t)) {
+                tableNames.add(t);
+                totalTables++;
+            }
+        }
+    }
+    // Strategy 3: If no comment matched, still apply known spreads
+    const simpleSpreadPattern = /\.\.\.(\w+)/g;
+    let sm2;
+    while ((sm2 = simpleSpreadPattern.exec(content)) !== null) {
+        const tables = knownSpreads[sm2[1]];
+        if (tables) {
+            for (const t of tables) {
+                if (!tableNames.has(t)) {
+                    tableNames.add(t);
+                    totalTables++;
+                }
+            }
+        }
+    }
     // Per-table analysis
     let currentTable = "";
     let tableStartLine = 0;

package/dist/tools/reportingTools.js CHANGED Viewed

@@ -75,7 +75,7 @@ function buildSarif(projectDir, auditTypes, limit) {
                 tool: {
                     driver: {
                         name: "convex-mcp-nodebench",
-                        version: "0.9.2",
+                        version: "0.9.3",
                         informationUri: "https://www.npmjs.com/package/@homenshum/convex-mcp-nodebench",
                         rules: [...rulesMap.values()],
                     },

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@homenshum/convex-mcp-nodebench",
-  "version": "0.9.2",
+  "version": "0.9.3",
   "description": "Convex-specific MCP server applying NodeBench self-instruct diligence patterns to Convex development. Schema audit, function compliance, deployment gates, persistent gotcha DB, and methodology guidance. Complements Context7 (raw docs) and official Convex MCP (deployment introspection) with structured verification workflows.",
   "type": "module",
   "bin": {