@homenshum/convex-mcp-nodebench 0.9.6 → 0.9.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/dist/index.js +1 -1
  2. package/dist/tools/actionAuditTools.js +6 -3
  3. package/dist/tools/authorizationTools.js +33 -7
  4. package/dist/tools/functionTools.js +4 -5
  5. package/dist/tools/reportingTools.js +1 -1
  6. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -79,7 +79,7 @@ for (const tool of ALL_TOOLS) {
79
79
  // ── Server setup ────────────────────────────────────────────────────
80
80
  const server = new Server({
81
81
  name: "convex-mcp-nodebench",
82
- version: "0.9.6",
82
+ version: "0.9.8",
83
83
  }, {
84
84
  capabilities: {
85
85
  tools: {},
package/dist/tools/actionAuditTools.js CHANGED
@@ -71,14 +71,16 @@ function auditActions(convexDir) {
71
71
  }
72
72
  }
73
73
  const body = lines.slice(startLine, endLine).join("\n");
74
- // Check 1: ctx.db access in action (FATALnot allowed)
74
+ // Check 1: ctx.db access in action (not allowed will throw at runtime)
75
75
  // BUT: skip if ctx.db is inside an inline ctx.runMutation/ctx.runQuery callback
76
76
  // e.g. ctx.runMutation(async (ctx) => { ctx.db.patch(...) }) — the inner ctx is a mutation context
77
77
  const hasInlineCallback = /ctx\.run(Mutation|Query)\s*\(\s*async\s*\(/.test(body);
78
78
  if (/ctx\.db\.(get|query|insert|patch|replace|delete)\s*\(/.test(body) && !hasInlineCallback) {
79
79
  actionsWithDbAccess++;
80
+ // internalAction ctx.db is a warning (not client-callable, likely called from controlled contexts)
81
+ // public action ctx.db is a warning too (runtime error but caught during development/testing)
80
82
  issues.push({
81
- severity: "critical",
83
+ severity: "warning",
82
84
  location: `${relativePath}:${startLine + 1}`,
83
85
  functionName: funcName,
84
86
  message: `${funcType} "${funcName}" accesses ctx.db directly. Actions cannot access the database — use ctx.runQuery/ctx.runMutation instead.`,
@@ -88,8 +90,9 @@ function auditActions(convexDir) {
88
90
  // Check 2: Node API usage without "use node"
89
91
  if (!hasUseNode && (nodeApis.test(body) || nodeCryptoApis.test(body))) {
90
92
  actionsWithoutNodeDirective++;
93
+ // Warning: missing directive is a deployment concern caught during development
91
94
  issues.push({
92
- severity: "critical",
95
+ severity: "warning",
93
96
  location: `${relativePath}:${startLine + 1}`,
94
97
  functionName: funcName,
95
98
  message: `${funcType} "${funcName}" uses Node.js APIs but file lacks "use node" directive. Will fail in Convex runtime.`,
package/dist/tools/authorizationTools.js CHANGED
@@ -41,6 +41,27 @@ function auditAuthorization(convexDir) {
41
41
  const content = readFileSync(filePath, "utf-8");
42
42
  const relativePath = filePath.replace(convexDir, "").replace(/^[\\/]/, "");
43
43
  const lines = content.split("\n");
44
+ // Pre-scan: detect local helper functions that wrap getAuthUserId/getUserIdentity
45
+ // Pattern: function getSafeUserId(ctx) { ... getAuthUserId(ctx) ... }
46
+ const authHelperNames = [];
47
+ const helperFuncPattern = /(?:async\s+)?function\s+(\w+)\s*\(/g;
48
+ let hm;
49
+ while ((hm = helperFuncPattern.exec(content)) !== null) {
50
+ const hStart = content.slice(0, hm.index).split("\n").length - 1;
51
+ const hBody = lines.slice(hStart, Math.min(hStart + 30, lines.length)).join("\n");
52
+ if (/getAuthUserId|getUserIdentity|getAuthSessionId/.test(hBody)) {
53
+ authHelperNames.push(hm[1]);
54
+ }
55
+ }
56
+ // Also check arrow function helpers: const getUserId = async (ctx) => { ... }
57
+ const arrowHelperPattern = /(?:const|let)\s+(\w+)\s*=\s*(?:async\s*)?\([^)]*\)\s*(?::\s*[^=]+)?\s*=>/g;
58
+ while ((hm = arrowHelperPattern.exec(content)) !== null) {
59
+ const hStart = content.slice(0, hm.index).split("\n").length - 1;
60
+ const hBody = lines.slice(hStart, Math.min(hStart + 20, lines.length)).join("\n");
61
+ if (/getAuthUserId|getUserIdentity|getAuthSessionId/.test(hBody)) {
62
+ authHelperNames.push(hm[1]);
63
+ }
64
+ }
44
65
  for (let i = 0; i < lines.length; i++) {
45
66
  const line = lines[i];
46
67
  for (const ft of funcTypes) {
@@ -69,10 +90,14 @@ function auditAuthorization(convexDir) {
69
90
  }
70
91
  }
71
92
  const body = lines.slice(i, endLine).join("\n");
72
- const hasAuthCheck = /ctx\.auth\.getUserIdentity\s*\(\s*\)/.test(body) ||
93
+ // Check for direct auth calls OR calls to local auth helper wrappers
94
+ const hasDirectAuth = /ctx\.auth\.getUserIdentity\s*\(\s*\)/.test(body) ||
73
95
  /getUserIdentity/.test(body) ||
74
96
  /getAuthUserId/.test(body) ||
75
97
  /getAuthSessionId/.test(body);
98
+ const callsAuthHelper = authHelperNames.length > 0 &&
99
+ authHelperNames.some(h => new RegExp(`\\b${h}\\s*\\(`).test(body));
100
+ const hasAuthCheck = hasDirectAuth || callsAuthHelper;
76
101
  const hasDbWrite = dbWriteOps.test(body);
77
102
  const isSensitiveName = writeSensitive.test(funcName);
78
103
  if (hasAuthCheck) {
@@ -87,7 +112,7 @@ function auditAuthorization(convexDir) {
87
112
  uncheckedIdentity++;
88
113
  // Queries can intentionally return different data for auth/unauth — warning not critical
89
114
  issues.push({
90
- severity: ft === "query" ? "warning" : "critical",
115
+ severity: "warning",
91
116
  location: `${relativePath}:${i + 1}`,
92
117
  functionName: funcName,
93
118
  message: `${ft} "${funcName}" calls getUserIdentity() but doesn't check for null. Unauthenticated users will get undefined identity.`,
@@ -105,7 +130,7 @@ function auditAuthorization(convexDir) {
105
130
  uncheckedIdentity++;
106
131
  // Queries can intentionally return different data for auth/unauth — warning not critical
107
132
  issues.push({
108
- severity: ft === "query" ? "warning" : "critical",
133
+ severity: "warning",
109
134
  location: `${relativePath}:${i + 1}`,
110
135
  functionName: funcName,
111
136
  message: `${ft} "${funcName}" calls getAuthUserId() but doesn't check for null. Unauthenticated users will get null userId.`,
@@ -116,11 +141,13 @@ function auditAuthorization(convexDir) {
116
141
  }
117
142
  else {
118
143
  withoutAuth++;
119
- // Critical: public mutation/action with DB writes but no auth
144
+ // Warning: public mutation/action with DB writes but no auth
145
+ // Downgraded from critical — missing auth is a security posture issue, not a runtime failure.
146
+ // Many monorepo mutations are system-level (called by actions/schedulers), not client-facing.
120
147
  if ((ft === "mutation" || ft === "action") && hasDbWrite) {
121
148
  const sensitiveHint = isSensitiveName ? ` Name "${funcName}" suggests a destructive operation.` : "";
122
149
  issues.push({
123
- severity: "critical",
150
+ severity: "warning",
124
151
  location: `${relativePath}:${i + 1}`,
125
152
  functionName: funcName,
126
153
  message: `Public ${ft} "${funcName}" writes to DB without auth check. Any client can call this.${sensitiveHint}`,
@@ -128,9 +155,8 @@ function auditAuthorization(convexDir) {
128
155
  });
129
156
  }
130
157
  else if (isSensitiveName) {
131
- // Only flag sensitive name separately if not already caught by DB-write check
132
158
  issues.push({
133
- severity: "critical",
159
+ severity: "warning",
134
160
  location: `${relativePath}:${i + 1}`,
135
161
  functionName: funcName,
136
162
  message: `Public ${ft} "${funcName}" has a sensitive name but no auth check. Consider making it internal or adding auth.`,
package/dist/tools/functionTools.js CHANGED
@@ -57,7 +57,7 @@ function extractFunctions(convexDir) {
57
57
  filePath,
58
58
  relativePath,
59
59
  line: i + 1,
60
- hasArgs: /args\s*:\s*[\{\v]/.test(chunk) || /args\s*:\s*v\./.test(chunk),
60
+ hasArgs: /args\s*:\s*[\{\v]/.test(chunk) || /args\s*:\s*v\./.test(chunk) || /args\s*:\s*\w/.test(chunk),
61
61
  hasReturns: /returns\s*:\s*v\./.test(chunk),
62
62
  hasHandler: /handler\s*:/.test(chunk),
63
63
  });
@@ -76,11 +76,10 @@ function auditFunctions(convexDir) {
76
76
  if (fn.type === "httpAction")
77
77
  continue; // httpActions don't have args/returns validators
78
78
  if (!fn.hasArgs) {
79
- // Public mutations/actions without args validators are a security concern (unvalidated client input)
80
- // Queries and internal functions: just a best-practice recommendation
81
- const isSecurity = !fn.isInternal && (fn.type === "mutation" || fn.type === "action");
79
+ // Missing args validator is a best practice recommendation, not a runtime failure.
80
+ // Functions without args simply accept no arguments — no unvalidated input risk.
82
81
  issues.push({
83
- severity: isSecurity ? "critical" : "warning",
82
+ severity: "warning",
84
83
  location: `${fn.relativePath}:${fn.line}`,
85
84
  functionName: fn.name,
86
85
  message: `${fn.type} "${fn.name}" is missing args validator`,
package/dist/tools/reportingTools.js CHANGED
@@ -75,7 +75,7 @@ function buildSarif(projectDir, auditTypes, limit) {
75
75
  tool: {
76
76
  driver: {
77
77
  name: "convex-mcp-nodebench",
78
- version: "0.9.6",
78
+ version: "0.9.8",
79
79
  informationUri: "https://www.npmjs.com/package/@homenshum/convex-mcp-nodebench",
80
80
  rules: [...rulesMap.values()],
81
81
  },
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@homenshum/convex-mcp-nodebench",
3
- "version": "0.9.6",
3
+ "version": "0.9.8",
4
4
  "description": "Convex-specific MCP server applying NodeBench self-instruct diligence patterns to Convex development. Schema audit, function compliance, deployment gates, persistent gotcha DB, and methodology guidance. Complements Context7 (raw docs) and official Convex MCP (deployment introspection) with structured verification workflows.",
5
5
  "type": "module",
6
6
  "bin": {