@homenshum/convex-mcp-nodebench 0.9.2 → 0.9.4

package/dist/index.js

@@ -79,7 +79,7 @@ for (const tool of ALL_TOOLS) {
 // ── Server setup ────────────────────────────────────────────────────
 const server = new Server({
     name: "convex-mcp-nodebench",
-    version: "0.9.2",
+    version: "0.9.4",
 }, {
     capabilities: {
         tools: {},

package/dist/tools/actionAuditTools.js

@@ -36,7 +36,10 @@ function auditActions(convexDir) {
     let actionsWithoutErrorHandling = 0;
     let actionCallingAction = 0;
     // Node APIs that require "use node" directive
-    const nodeApis = /\b(require|__dirname|__filename|Buffer\.|process\.env|fs\.|path\.|crypto\.|child_process|net\.|http\.|https\.)\b/;
+    // NOTE: process.env is polyfilled by Convex in both runtimes — NOT a Node-only API
+    // NOTE: crypto.subtle / crypto.getRandomValues are Web Crypto API — available without "use node"
+    const nodeApis = /\b(require\s*\(|__dirname|__filename|Buffer\.|fs\.|path\.|child_process|net\.|http\.|https\.)\b/;
+    const nodeCryptoApis = /\bcrypto\.(create|randomBytes|pbkdf2|scrypt|sign|verify|getCiphers|getDiffieHellman|getHashes|Hash|Hmac|Cipher|Decipher)\b/;
     for (const filePath of files) {
         const content = readFileSync(filePath, "utf-8");
         const relativePath = filePath.replace(convexDir, "").replace(/^[\\/]/, "");
@@ -80,7 +83,7 @@ function auditActions(convexDir) {
                 });
             }
             // Check 2: Node API usage without "use node"
-            if (!hasUseNode && nodeApis.test(body)) {
+            if (!hasUseNode && (nodeApis.test(body) || nodeCryptoApis.test(body))) {
                 actionsWithoutNodeDirective++;
                 issues.push({
                     severity: "critical",

package/dist/tools/authorizationTools.js

@@ -70,7 +70,9 @@ function auditAuthorization(convexDir) {
                 }
                 const body = lines.slice(i, endLine).join("\n");
                 const hasAuthCheck = /ctx\.auth\.getUserIdentity\s*\(\s*\)/.test(body) ||
-                    /getUserIdentity/.test(body);
+                    /getUserIdentity/.test(body) ||
+                    /getAuthUserId/.test(body) ||
+                    /getAuthSessionId/.test(body);
                 const hasDbWrite = dbWriteOps.test(body);
                 const isSensitiveName = writeSensitive.test(funcName);
                 if (hasAuthCheck) {
@@ -79,7 +81,6 @@ function auditAuthorization(convexDir) {
                     const identityAssign = body.match(/(?:const|let)\s+(\w+)\s*=\s*await\s+ctx\.auth\.getUserIdentity\s*\(\s*\)/);
                     if (identityAssign) {
                         const varName = identityAssign[1];
-                        // Look for null check: if (!var), if (var === null), if (var == null), if (!var)
                         const hasNullCheck = new RegExp(`if\\s*\\(\\s*!${varName}\\b|if\\s*\\(\\s*${varName}\\s*===?\\s*null|if\\s*\\(\\s*!${varName}\\s*\\)`).test(body);
                         if (!hasNullCheck) {
                             uncheckedIdentity++;
@@ -92,21 +93,38 @@ function auditAuthorization(convexDir) {
                             });
                         }
                     }
+                    // Check: getAuthUserId called but return not null-checked
+                    const authUserAssign = body.match(/(?:const|let)\s+(\w+)\s*=\s*await\s+getAuthUserId\s*\(/);
+                    if (authUserAssign) {
+                        const varName = authUserAssign[1];
+                        const hasNullCheck = new RegExp(`if\\s*\\(\\s*!${varName}\\b|if\\s*\\(\\s*${varName}\\s*===?\\s*null|throw.*!${varName}`).test(body);
+                        if (!hasNullCheck) {
+                            uncheckedIdentity++;
+                            issues.push({
+                                severity: "critical",
+                                location: `${relativePath}:${i + 1}`,
+                                functionName: funcName,
+                                message: `${ft} "${funcName}" calls getAuthUserId() but doesn't check for null. Unauthenticated users will get null userId.`,
+                                fix: `Add: if (!${varName}) { throw new Error("Not authenticated"); }`,
+                            });
+                        }
+                    }
                 }
                 else {
                     withoutAuth++;
                     // Critical: public mutation/action with DB writes but no auth
                     if ((ft === "mutation" || ft === "action") && hasDbWrite) {
+                        const sensitiveHint = isSensitiveName ? ` Name "${funcName}" suggests a destructive operation.` : "";
                         issues.push({
                             severity: "critical",
                             location: `${relativePath}:${i + 1}`,
                             functionName: funcName,
-                            message: `Public ${ft} "${funcName}" writes to DB without auth check. Any client can call this.`,
+                            message: `Public ${ft} "${funcName}" writes to DB without auth check. Any client can call this.${sensitiveHint}`,
                             fix: `Add: const identity = await ctx.auth.getUserIdentity(); if (!identity) throw new Error("Not authenticated");`,
                         });
                     }
-                    // Critical: sensitive-named function without auth
-                    if (isSensitiveName) {
+                    else if (isSensitiveName) {
+                        // Only flag sensitive name separately if not already caught by DB-write check
                         issues.push({
                             severity: "critical",
                             location: `${relativePath}:${i + 1}`,

package/dist/tools/dataModelingTools.js

@@ -35,6 +35,46 @@ function auditDataModeling(convexDir) {
         tableNames.add(m[1]);
         totalTables++;
     }
+    // Detect spread-imported table providers (e.g. ...authTables adds "users", "sessions")
+    // Strategy 1: Known spreads from popular Convex packages
+    const knownSpreads = {
+        authTables: ["users", "authSessions", "authAccounts", "authRefreshTokens", "authVerificationCodes", "authRateLimits", "authVerifiers"],
+    };
+    // Strategy 2: Parse inline comments next to spreads for table name hints
+    // e.g. ...authTables, // `users`, `sessions`
+    const spreadCommentPattern = /\.\.\.(\w+)\s*,?\s*\/\/\s*(.+)/g;
+    let sm;
+    while ((sm = spreadCommentPattern.exec(content)) !== null) {
+        const spreadName = sm[1];
+        const comment = sm[2];
+        // Extract backtick-quoted or quoted table names from comment
+        const commentTables = [...comment.matchAll(/[`"'](\w+)[`"']/g)].map(m => m[1]);
+        // Merge known + comment-discovered tables
+        const tables = new Set([
+            ...(knownSpreads[spreadName] ?? []),
+            ...commentTables,
+        ]);
+        for (const t of tables) {
+            if (!tableNames.has(t)) {
+                tableNames.add(t);
+                totalTables++;
+            }
+        }
+    }
+    // Strategy 3: If no comment matched, still apply known spreads
+    const simpleSpreadPattern = /\.\.\.(\w+)/g;
+    let sm2;
+    while ((sm2 = simpleSpreadPattern.exec(content)) !== null) {
+        const tables = knownSpreads[sm2[1]];
+        if (tables) {
+            for (const t of tables) {
+                if (!tableNames.has(t)) {
+                    tableNames.add(t);
+                    totalTables++;
+                }
+            }
+        }
+    }
     // Per-table analysis
     let currentTable = "";
     let tableStartLine = 0;

package/dist/tools/paginationTools.js

@@ -45,16 +45,18 @@ function auditPagination(convexDir) {
                 functionsUsingPagination.add(relativePath);
             }
         }
-        // Check: functions using paginate but missing paginationOptsValidator in args
+        // Check: public queries using paginate but missing paginationOptsValidator in args
+        // NOTE: internalQuery doesn't need paginationOptsValidator — it's not client-callable
         const funcPattern = /export\s+(?:const\s+(\w+)\s*=|default)\s+(query|internalQuery)\s*\(/g;
         let m;
         while ((m = funcPattern.exec(content)) !== null) {
             const funcName = m[1] || "default";
+            const funcType = m[2];
             const startLine = content.slice(0, m.index).split("\n").length - 1;
             const chunk = lines.slice(startLine, Math.min(startLine + 30, lines.length)).join("\n");
             if (/\.paginate\s*\(/.test(chunk)) {
-                // Check for paginationOptsValidator
-                if (!/paginationOptsValidator/.test(chunk) && !/paginationOpts/.test(chunk)) {
+                // Only flag public queries — internalQuery can use paginate with hardcoded opts
+                if (funcType === "query" && !/paginationOptsValidator/.test(chunk) && !/paginationOpts/.test(chunk)) {
                     missingPaginationOptsValidator++;
                     issues.push({
                         severity: "critical",

package/dist/tools/reportingTools.js

@@ -75,7 +75,7 @@ function buildSarif(projectDir, auditTypes, limit) {
                 tool: {
                     driver: {
                         name: "convex-mcp-nodebench",
-                        version: "0.9.2",
+                        version: "0.9.4",
                         informationUri: "https://www.npmjs.com/package/@homenshum/convex-mcp-nodebench",
                         rules: [...rulesMap.values()],
                     },

package/dist/tools/typeSafetyTools.js

@@ -18,10 +18,10 @@ function collectTsFiles(dir) {
     const entries = readdirSync(dir, { withFileTypes: true });
     for (const entry of entries) {
         const full = join(dir, entry.name);
-        if (entry.isDirectory() && entry.name !== "node_modules" && entry.name !== "_generated") {
+        if (entry.isDirectory() && entry.name !== "node_modules" && entry.name !== "_generated" && !entry.name.startsWith("_type")) {
             results.push(...collectTsFiles(full));
         }
-        else if (entry.isFile() && entry.name.endsWith(".ts")) {
+        else if (entry.isFile() && entry.name.endsWith(".ts") && !entry.name.endsWith(".d.ts")) {
             results.push(full);
         }
     }

package/dist/tools/vectorSearchTools.js

@@ -44,7 +44,13 @@ function auditVectorSearch(convexDir) {
     if (existsSync(schemaPath)) {
         const schema = readFileSync(schemaPath, "utf-8");
         const lines = schema.split("\n");
+        // Track current table context: scan for "tableName: defineTable(" or "tableName = defineTable("
+        let currentTable = "";
         for (let i = 0; i < lines.length; i++) {
+            const tableMatch = lines[i].match(/(\w+)\s*[:=]\s*defineTable\s*\(/);
+            if (tableMatch) {
+                currentTable = tableMatch[1];
+            }
             // Match .vectorIndex("name", { ... })
             const viMatch = lines[i].match(/\.vectorIndex\s*\(\s*["']([^"']+)["']/);
             if (viMatch) {
@@ -56,7 +62,7 @@ function auditVectorSearch(convexDir) {
                 const filters = filterMatch
                     ? filterMatch[1].match(/["']([^"']+)["']/g)?.map(s => s.replace(/["']/g, "")) ?? []
                     : [];
-                vectorIndexes.push({ table: viMatch[1], dimensions: dims, filterFields: filters, line: i + 1 });
+                vectorIndexes.push({ tableName: currentTable || viMatch[1], indexName: viMatch[1], dimensions: dims, filterFields: filters, line: i + 1 });
                 // Check: uncommon dimension size
                 if (dims > 0 && !KNOWN_DIMENSIONS[dims]) {
                     const nearest = Object.keys(KNOWN_DIMENSIONS)
@@ -99,18 +105,19 @@ function auditVectorSearch(convexDir) {
         const relativePath = filePath.replace(convexDir, "").replace(/^[\\/]/, "");
         const lines = content.split("\n");
         for (let i = 0; i < lines.length; i++) {
+            // vectorSearch("tableName", "indexName", options) — first arg is TABLE name
             const vsMatch = lines[i].match(/\.vectorSearch\s*\(\s*["']([^"']+)["']/);
             if (vsMatch) {
                 vectorSearchCallCount++;
-                const indexName = vsMatch[1];
-                // Check if the referenced index exists
-                const matchingIdx = vectorIndexes.find(vi => vi.table === indexName);
+                const tableName = vsMatch[1];
+                // Check if the referenced table has any vector index
+                const matchingIdx = vectorIndexes.find(vi => vi.tableName === tableName);
                 if (!matchingIdx && vectorIndexes.length > 0) {
                     issues.push({
                         severity: "critical",
                         location: `${relativePath}:${i + 1}`,
-                        message: `vectorSearch references index "${indexName}" which is not defined in schema.ts.`,
-                        fix: `Add a .vectorIndex("${indexName}", { ... }) to the appropriate table in schema.ts`,
+                        message: `vectorSearch references table "${tableName}" which has no vectorIndex defined in schema.ts.`,
+                        fix: `Add a .vectorIndex("by_embedding", { ... }) to the "${tableName}" table in schema.ts`,
                     });
                 }
                 // Check: no filter parameter when filterFields exist
@@ -119,7 +126,7 @@ function auditVectorSearch(convexDir) {
                     issues.push({
                         severity: "info",
                         location: `${relativePath}:${i + 1}`,
-                        message: `vectorSearch on "${indexName}" doesn't use filter — available filterFields: ${matchingIdx.filterFields.join(", ")}`,
+                        message: `vectorSearch on "${tableName}" doesn't use filter — available filterFields: ${matchingIdx.filterFields.join(", ")}`,
                         fix: "Add filter parameter to narrow results and improve performance",
                     });
                 }
@@ -131,7 +138,7 @@ function auditVectorSearch(convexDir) {
                         issues.push({
                             severity: "critical",
                             location: `${relativePath}:${i + 1}`,
-                            message: `Vector dimensions mismatch: code uses ${codeDims} but schema defines ${matchingIdx.dimensions} for index "${indexName}".`,
+                            message: `Vector dimensions mismatch: code uses ${codeDims} but schema defines ${matchingIdx.dimensions} for table "${tableName}".`,
                             fix: `Ensure embedding model output (${codeDims}) matches schema dimensions (${matchingIdx.dimensions})`,
                         });
                     }
@@ -139,7 +146,7 @@ function auditVectorSearch(convexDir) {
             }
         }
     }
-    const tablesWithVectors = [...new Set(vectorIndexes.map(vi => vi.table))];
+    const tablesWithVectors = [...new Set(vectorIndexes.map(vi => vi.tableName))];
     const dimensions = [...new Set(vectorIndexes.map(vi => vi.dimensions).filter(d => d > 0))];
     return {
         issues,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@homenshum/convex-mcp-nodebench",
-  "version": "0.9.2",
+  "version": "0.9.4",
   "description": "Convex-specific MCP server applying NodeBench self-instruct diligence patterns to Convex development. Schema audit, function compliance, deployment gates, persistent gotcha DB, and methodology guidance. Complements Context7 (raw docs) and official Convex MCP (deployment introspection) with structured verification workflows.",
   "type": "module",
   "bin": {