@homenshum/convex-mcp-nodebench 0.9.4 → 0.9.6

package/dist/index.js

@@ -79,7 +79,7 @@ for (const tool of ALL_TOOLS) {
 // ── Server setup ────────────────────────────────────────────────────
 const server = new Server({
     name: "convex-mcp-nodebench",
-    version: "0.9.4",
+    version: "0.9.6",
 }, {
     capabilities: {
         tools: {},

package/dist/tools/actionAuditTools.js

@@ -72,7 +72,10 @@ function auditActions(convexDir) {
             }
             const body = lines.slice(startLine, endLine).join("\n");
             // Check 1: ctx.db access in action (FATAL — not allowed)
-            if (/ctx\.db\.(get|query|insert|patch|replace|delete)\s*\(/.test(body)) {
+            // BUT: skip if ctx.db is inside an inline ctx.runMutation/ctx.runQuery callback
+            // e.g. ctx.runMutation(async (ctx) => { ctx.db.patch(...) }) — the inner ctx is a mutation context
+            const hasInlineCallback = /ctx\.run(Mutation|Query)\s*\(\s*async\s*\(/.test(body);
+            if (/ctx\.db\.(get|query|insert|patch|replace|delete)\s*\(/.test(body) && !hasInlineCallback) {
                 actionsWithDbAccess++;
                 issues.push({
                     severity: "critical",

package/dist/tools/authorizationTools.js

@@ -81,11 +81,13 @@ function auditAuthorization(convexDir) {
                     const identityAssign = body.match(/(?:const|let)\s+(\w+)\s*=\s*await\s+ctx\.auth\.getUserIdentity\s*\(\s*\)/);
                     if (identityAssign) {
                         const varName = identityAssign[1];
-                        const hasNullCheck = new RegExp(`if\\s*\\(\\s*!${varName}\\b|if\\s*\\(\\s*${varName}\\s*===?\\s*null|if\\s*\\(\\s*!${varName}\\s*\\)`).test(body);
+                        // Recognize: if (!var), if (var === null), if (var), var &&, var ?, throw on !var, comparisons
+                        const hasNullCheck = new RegExp(`if\\s*\\(\\s*!${varName}\\b|if\\s*\\(\\s*${varName}\\s*===?\\s*null|if\\s*\\(\\s*${varName}\\s*\\)|${varName}\\s*&&|${varName}\\s*\\?|throw.*!${varName}|${varName}\\s*!==?\\s*null|===\\s*${varName}|!==\\s*${varName}`).test(body);
                         if (!hasNullCheck) {
                             uncheckedIdentity++;
+                            // Queries can intentionally return different data for auth/unauth — warning not critical
                             issues.push({
-                                severity: "critical",
+                                severity: ft === "query" ? "warning" : "critical",
                                 location: `${relativePath}:${i + 1}`,
                                 functionName: funcName,
                                 message: `${ft} "${funcName}" calls getUserIdentity() but doesn't check for null. Unauthenticated users will get undefined identity.`,
@@ -97,11 +99,13 @@ function auditAuthorization(convexDir) {
                     const authUserAssign = body.match(/(?:const|let)\s+(\w+)\s*=\s*await\s+getAuthUserId\s*\(/);
                     if (authUserAssign) {
                         const varName = authUserAssign[1];
-                        const hasNullCheck = new RegExp(`if\\s*\\(\\s*!${varName}\\b|if\\s*\\(\\s*${varName}\\s*===?\\s*null|throw.*!${varName}`).test(body);
+                        // Recognize: if (!var), if (var === null), if (var), var &&, var ?, throw on !var, comparisons
+                        const hasNullCheck = new RegExp(`if\\s*\\(\\s*!${varName}\\b|if\\s*\\(\\s*${varName}\\s*===?\\s*null|if\\s*\\(\\s*${varName}\\s*\\)|${varName}\\s*&&|${varName}\\s*\\?|throw.*!${varName}|${varName}\\s*!==?\\s*null|===\\s*${varName}|!==\\s*${varName}`).test(body);
                         if (!hasNullCheck) {
                             uncheckedIdentity++;
+                            // Queries can intentionally return different data for auth/unauth — warning not critical
                             issues.push({
-                                severity: "critical",
+                                severity: ft === "query" ? "warning" : "critical",
                                 location: `${relativePath}:${i + 1}`,
                                 functionName: funcName,
                                 message: `${ft} "${funcName}" calls getAuthUserId() but doesn't check for null. Unauthenticated users will get null userId.`,

package/dist/tools/functionTools.js

@@ -76,8 +76,11 @@ function auditFunctions(convexDir) {
         if (fn.type === "httpAction")
             continue; // httpActions don't have args/returns validators
         if (!fn.hasArgs) {
+            // Public mutations/actions without args validators are a security concern (unvalidated client input)
+            // Queries and internal functions: just a best-practice recommendation
+            const isSecurity = !fn.isInternal && (fn.type === "mutation" || fn.type === "action");
             issues.push({
-                severity: "critical",
+                severity: isSecurity ? "critical" : "warning",
                 location: `${fn.relativePath}:${fn.line}`,
                 functionName: fn.name,
                 message: `${fn.type} "${fn.name}" is missing args validator`,
@@ -94,8 +97,9 @@ function auditFunctions(convexDir) {
             });
         }
         if (!fn.hasHandler) {
+            // Old shorthand syntax (query(async (ctx) => {})) works fine — just a style recommendation
             issues.push({
-                severity: "critical",
+                severity: "warning",
                 location: `${fn.relativePath}:${fn.line}`,
                 functionName: fn.name,
                 message: `${fn.type} "${fn.name}" is missing handler property (may be using old syntax)`,
@@ -284,7 +288,7 @@ export const functionTools = [
             const functions = extractFunctions(convexDir);
             // Store audit result
             const db = getDb();
-            db.prepare("INSERT INTO audit_results (id, project_dir, audit_type, issues_json, issue_count) VALUES (?, ?, ?, ?, ?)").run(genId("audit"), projectDir, "function_audit", JSON.stringify(issues), issues.length);
+            db.prepare("INSERT INTO audit_results (id, project_dir, audit_type, issues_json, issue_count) VALUES (?, ?, ?, ?, ?)").run(genId("audit"), projectDir, "functions", JSON.stringify(issues), issues.length);
             const critical = issues.filter((i) => i.severity === "critical");
             const warnings = issues.filter((i) => i.severity === "warning");
             // Aggregate issues by category for cleaner output

package/dist/tools/qualityGateTools.js

@@ -77,17 +77,18 @@ function runQualityGate(projectDir, thresholds) {
         }
         catch { /* skip */ }
     }
-    // Check 4: Type safety (as any casts)
+    // Check 4: Type safety (as any casts) — exclude test/eval files
     const typeSafety = getLatest("type_safety");
     if (typeSafety) {
         try {
             const issues = JSON.parse(typeSafety.issues_json);
-            const asAnyIssues = Array.isArray(issues)
-                ? issues.filter((i) => i.message?.includes("as any")).length
-                : 0;
+            // Exclude test, eval, benchmark, and fixture files from production quality gate
+            const testEvalPattern = /test|__tests__|spec|\.test\.|\.spec\.|fixtures|mocks|evaluation|liveEval|liveApiSmoke|benchmark|calibration|harness|quickTest|comprehensiveTest|comprehensiveEval/i;
             // Each as-any issue represents a FILE, count from message for actual number
             const actualCasts = Array.isArray(issues)
                 ? issues.reduce((sum, i) => {
+                    if (testEvalPattern.test(i.location ?? ""))
+                        return sum; // skip test/eval files
                     const countMatch = i.message?.match(/(\d+)\s+`as any`/);
                     return sum + (countMatch ? parseInt(countMatch[1], 10) : 0);
                 }, 0)
@@ -102,13 +103,13 @@ function runQualityGate(projectDir, thresholds) {
         }
         catch { /* skip */ }
     }
-    // Check 5: Unbounded collects
+    // Check 5: Unbounded collects (only warning-level — indexed collects are downgraded to info)
     const queryEfficiency = getLatest("query_efficiency");
     if (queryEfficiency) {
         try {
             const issues = JSON.parse(queryEfficiency.issues_json);
             const unbounded = Array.isArray(issues)
-                ? issues.filter((i) => i.message?.includes(".collect()")).length
+                ? issues.filter((i) => i.severity === "warning" && i.message?.includes(".collect()")).length
                 : 0;
             checks.push({
                 metric: "unbounded_collects",

package/dist/tools/queryEfficiencyTools.js

@@ -63,13 +63,16 @@ function auditQueryEfficiency(convexDir) {
                 const chain = lines.slice(chainStart, i + 1).join("\n");
                 if (!/\.take\s*\(/.test(chain) && !/\.paginate\s*\(/.test(chain)) {
                     collectWithoutLimit++;
-                    // Check if it's a bounded table or could be large
                     const tableMatch = chain.match(/\.query\s*\(\s*["'](\w+)["']\s*\)/);
+                    // Indexed queries are bounded by the index range — lower severity
+                    const hasIndex = /\.withIndex\s*\(/.test(chain);
                     issues.push({
-                        severity: "warning",
+                        severity: hasIndex ? "info" : "warning",
                         location: `${relativePath}:${i + 1}`,
                         message: `.collect() without .take() limit${tableMatch ? ` on table "${tableMatch[1]}"` : ""}. Could return entire table.`,
-                        fix: "Add .take(N) before .collect(), or use .paginate() for large result sets",
+                        fix: hasIndex
+                            ? "Consider adding .take(N) for predictable result sizes, even with index filtering"
+                            : "Add .take(N) before .collect(), or use .paginate() for large result sets",
                     });
                 }
             }

package/dist/tools/reportingTools.js

@@ -75,7 +75,7 @@ function buildSarif(projectDir, auditTypes, limit) {
                 tool: {
                     driver: {
                         name: "convex-mcp-nodebench",
-                        version: "0.9.4",
+                        version: "0.9.6",
                         informationUri: "https://www.npmjs.com/package/@homenshum/convex-mcp-nodebench",
                         rules: [...rulesMap.values()],
                     },

package/dist/tools/storageAuditTools.js

@@ -133,7 +133,7 @@ export const storageAuditTools = [
             }
             const { issues, stats } = auditStorageUsage(convexDir);
             const db = getDb();
-            db.prepare("INSERT INTO audit_results (id, project_dir, audit_type, issues_json, issue_count) VALUES (?, ?, ?, ?, ?)").run(genId("audit"), projectDir, "storage_usage", JSON.stringify(issues), issues.length);
+            db.prepare("INSERT INTO audit_results (id, project_dir, audit_type, issues_json, issue_count) VALUES (?, ?, ?, ?, ?)").run(genId("audit"), projectDir, "storage", JSON.stringify(issues), issues.length);
             return {
                 summary: {
                     ...stats,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@homenshum/convex-mcp-nodebench",
-  "version": "0.9.4",
+  "version": "0.9.6",
   "description": "Convex-specific MCP server applying NodeBench self-instruct diligence patterns to Convex development. Schema audit, function compliance, deployment gates, persistent gotcha DB, and methodology guidance. Complements Context7 (raw docs) and official Convex MCP (deployment introspection) with structured verification workflows.",
   "type": "module",
   "bin": {