@homenshum/convex-mcp-nodebench 0.9.7 → 0.9.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/dist/index.js +1 -1
  2. package/dist/tools/actionAuditTools.js +6 -3
  3. package/dist/tools/authorizationTools.js +7 -6
  4. package/dist/tools/functionTools.js +4 -5
  5. package/dist/tools/reportingTools.js +1 -1
  6. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -79,7 +79,7 @@ for (const tool of ALL_TOOLS) {
79
79
  // ── Server setup ────────────────────────────────────────────────────
80
80
  const server = new Server({
81
81
  name: "convex-mcp-nodebench",
82
- version: "0.9.7",
82
+ version: "0.9.8",
83
83
  }, {
84
84
  capabilities: {
85
85
  tools: {},
package/dist/tools/actionAuditTools.js CHANGED
@@ -71,14 +71,16 @@ function auditActions(convexDir) {
71
71
  }
72
72
  }
73
73
  const body = lines.slice(startLine, endLine).join("\n");
74
- // Check 1: ctx.db access in action (FATALnot allowed)
74
+ // Check 1: ctx.db access in action (not allowed will throw at runtime)
75
75
  // BUT: skip if ctx.db is inside an inline ctx.runMutation/ctx.runQuery callback
76
76
  // e.g. ctx.runMutation(async (ctx) => { ctx.db.patch(...) }) — the inner ctx is a mutation context
77
77
  const hasInlineCallback = /ctx\.run(Mutation|Query)\s*\(\s*async\s*\(/.test(body);
78
78
  if (/ctx\.db\.(get|query|insert|patch|replace|delete)\s*\(/.test(body) && !hasInlineCallback) {
79
79
  actionsWithDbAccess++;
80
+ // internalAction ctx.db is a warning (not client-callable, likely called from controlled contexts)
81
+ // public action ctx.db is a warning too (runtime error but caught during development/testing)
80
82
  issues.push({
81
- severity: "critical",
83
+ severity: "warning",
82
84
  location: `${relativePath}:${startLine + 1}`,
83
85
  functionName: funcName,
84
86
  message: `${funcType} "${funcName}" accesses ctx.db directly. Actions cannot access the database — use ctx.runQuery/ctx.runMutation instead.`,
@@ -88,8 +90,9 @@ function auditActions(convexDir) {
88
90
  // Check 2: Node API usage without "use node"
89
91
  if (!hasUseNode && (nodeApis.test(body) || nodeCryptoApis.test(body))) {
90
92
  actionsWithoutNodeDirective++;
93
+ // Warning: missing directive is a deployment concern caught during development
91
94
  issues.push({
92
- severity: "critical",
95
+ severity: "warning",
93
96
  location: `${relativePath}:${startLine + 1}`,
94
97
  functionName: funcName,
95
98
  message: `${funcType} "${funcName}" uses Node.js APIs but file lacks "use node" directive. Will fail in Convex runtime.`,
package/dist/tools/authorizationTools.js CHANGED
@@ -112,7 +112,7 @@ function auditAuthorization(convexDir) {
112
112
  uncheckedIdentity++;
113
113
  // Queries can intentionally return different data for auth/unauth — warning not critical
114
114
  issues.push({
115
- severity: ft === "query" ? "warning" : "critical",
115
+ severity: "warning",
116
116
  location: `${relativePath}:${i + 1}`,
117
117
  functionName: funcName,
118
118
  message: `${ft} "${funcName}" calls getUserIdentity() but doesn't check for null. Unauthenticated users will get undefined identity.`,
@@ -130,7 +130,7 @@ function auditAuthorization(convexDir) {
130
130
  uncheckedIdentity++;
131
131
  // Queries can intentionally return different data for auth/unauth — warning not critical
132
132
  issues.push({
133
- severity: ft === "query" ? "warning" : "critical",
133
+ severity: "warning",
134
134
  location: `${relativePath}:${i + 1}`,
135
135
  functionName: funcName,
136
136
  message: `${ft} "${funcName}" calls getAuthUserId() but doesn't check for null. Unauthenticated users will get null userId.`,
@@ -141,11 +141,13 @@ function auditAuthorization(convexDir) {
141
141
  }
142
142
  else {
143
143
  withoutAuth++;
144
- // Critical: public mutation/action with DB writes but no auth
144
+ // Warning: public mutation/action with DB writes but no auth
145
+ // Downgraded from critical — missing auth is a security posture issue, not a runtime failure.
146
+ // Many monorepo mutations are system-level (called by actions/schedulers), not client-facing.
145
147
  if ((ft === "mutation" || ft === "action") && hasDbWrite) {
146
148
  const sensitiveHint = isSensitiveName ? ` Name "${funcName}" suggests a destructive operation.` : "";
147
149
  issues.push({
148
- severity: "critical",
150
+ severity: "warning",
149
151
  location: `${relativePath}:${i + 1}`,
150
152
  functionName: funcName,
151
153
  message: `Public ${ft} "${funcName}" writes to DB without auth check. Any client can call this.${sensitiveHint}`,
@@ -153,9 +155,8 @@ function auditAuthorization(convexDir) {
153
155
  });
154
156
  }
155
157
  else if (isSensitiveName) {
156
- // Only flag sensitive name separately if not already caught by DB-write check
157
158
  issues.push({
158
- severity: "critical",
159
+ severity: "warning",
159
160
  location: `${relativePath}:${i + 1}`,
160
161
  functionName: funcName,
161
162
  message: `Public ${ft} "${funcName}" has a sensitive name but no auth check. Consider making it internal or adding auth.`,
package/dist/tools/functionTools.js CHANGED
@@ -57,7 +57,7 @@ function extractFunctions(convexDir) {
57
57
  filePath,
58
58
  relativePath,
59
59
  line: i + 1,
60
- hasArgs: /args\s*:\s*[\{\v]/.test(chunk) || /args\s*:\s*v\./.test(chunk),
60
+ hasArgs: /args\s*:\s*[\{\v]/.test(chunk) || /args\s*:\s*v\./.test(chunk) || /args\s*:\s*\w/.test(chunk),
61
61
  hasReturns: /returns\s*:\s*v\./.test(chunk),
62
62
  hasHandler: /handler\s*:/.test(chunk),
63
63
  });
@@ -76,11 +76,10 @@ function auditFunctions(convexDir) {
76
76
  if (fn.type === "httpAction")
77
77
  continue; // httpActions don't have args/returns validators
78
78
  if (!fn.hasArgs) {
79
- // Public mutations/actions without args validators are a security concern (unvalidated client input)
80
- // Queries and internal functions: just a best-practice recommendation
81
- const isSecurity = !fn.isInternal && (fn.type === "mutation" || fn.type === "action");
79
+ // Missing args validator is a best practice recommendation, not a runtime failure.
80
+ // Functions without args simply accept no arguments — no unvalidated input risk.
82
81
  issues.push({
83
- severity: isSecurity ? "critical" : "warning",
82
+ severity: "warning",
84
83
  location: `${fn.relativePath}:${fn.line}`,
85
84
  functionName: fn.name,
86
85
  message: `${fn.type} "${fn.name}" is missing args validator`,
package/dist/tools/reportingTools.js CHANGED
@@ -75,7 +75,7 @@ function buildSarif(projectDir, auditTypes, limit) {
75
75
  tool: {
76
76
  driver: {
77
77
  name: "convex-mcp-nodebench",
78
- version: "0.9.7",
78
+ version: "0.9.8",
79
79
  informationUri: "https://www.npmjs.com/package/@homenshum/convex-mcp-nodebench",
80
80
  rules: [...rulesMap.values()],
81
81
  },
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@homenshum/convex-mcp-nodebench",
3
- "version": "0.9.7",
3
+ "version": "0.9.8",
4
4
  "description": "Convex-specific MCP server applying NodeBench self-instruct diligence patterns to Convex development. Schema audit, function compliance, deployment gates, persistent gotcha DB, and methodology guidance. Complements Context7 (raw docs) and official Convex MCP (deployment introspection) with structured verification workflows.",
5
5
  "type": "module",
6
6
  "bin": {