@homenshum/convex-mcp-nodebench 0.9.7 → 0.9.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/README.md +28 -0
  2. package/dist/index.js +36 -7
  3. package/dist/tools/actionAuditTools.js +6 -3
  4. package/dist/tools/authorizationTools.js +7 -6
  5. package/dist/tools/functionTools.js +4 -5
  6. package/dist/tools/qualityGateTools.js +36 -9
  7. package/dist/tools/reportingTools.js +1 -1
  8. package/package.json +2 -1
package/README.md CHANGED
@@ -193,6 +193,34 @@ packages/convex-mcp-nodebench/
193
193
 
194
194
  ## Changelog
195
195
 
196
+ ### v0.9.9
197
+ - **MCP annotations**: `tools/list` returns `annotations: { title, category, phase, complexity }` per MCP 2025-11-25 spec — improves Claude Code Tool Search ranking
198
+ - **TOON output**: Token-Oriented Object Notation encoding (~40% fewer tokens), on by default, opt-out with `--no-toon`
199
+ - **Quality gate tuning**: Monorepo-scale thresholds — new `scale` parameter (`small`/`medium`/`large`) auto-adjusts warning/cast/collect limits
200
+
201
+ ### v0.9.8
202
+ - **0 criticals**: Severity philosophy aligned — critical = runtime failure, warning = security posture / best practice
203
+ - **Auth**: Downgraded "no auth on DB write" and "sensitive name no auth" from critical to warning
204
+ - **Functions**: All missing-args/returns/handler downgraded to warning
205
+ - **Actions**: `ctx.db` access and missing `"use node"` downgraded to warning
206
+
207
+ ### v0.9.7
208
+ - **Auth helper detection**: Pre-scans files for local functions wrapping `getAuthUserId()` — mutations calling helpers like `getSafeUserId(ctx)` now correctly detected as having auth
209
+ - **-50 false positives**: 188 → 138 criticals
210
+
211
+ ### v0.9.6
212
+ - **Audit type key fixes**: `functionTools` → `"functions"`, `storageAuditTools` → `"storage"` — quality gate now sees 12/12 audit types
213
+ - **Function severity calibration**: Missing args for queries/internal functions downgraded to warning
214
+
215
+ ### v0.9.5
216
+ - **Dogfood cycle**: Reduced criticals from 558 → 198 by running all 12 audits against the monorepo
217
+ - **Quality gate**: Excludes test/eval files from `as any` count, only counts warning-level unbounded collects
218
+
219
+ ### v0.9.2 – v0.9.4
220
+ - **README rewrite**: Comprehensive 36-tool documentation with categorized tables
221
+ - **Architect E2E tests**: 10 tests validating industry-latest concepts
222
+ - **Strategy matching**: Pattern priority ordering fixes in architect tools
223
+
196
224
  ### v0.9.1
197
225
  - **Fix**: Strategy matching order in architect tools -- specific patterns (`ctx.db.query`, `ctx.runMutation`) now matched before generic keywords (`query`, `mutation`)
198
226
 
package/dist/index.js CHANGED
@@ -15,6 +15,7 @@
15
15
  import { Server } from "@modelcontextprotocol/sdk/server/index.js";
16
16
  import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
17
17
  import { ListToolsRequestSchema, CallToolRequestSchema, ListResourcesRequestSchema, ReadResourceRequestSchema, ListPromptsRequestSchema, GetPromptRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
18
+ import { encode as toonEncode } from "@toon-format/toon";
18
19
  import { getDb, seedGotchasIfEmpty } from "./db.js";
19
20
  import { schemaTools } from "./tools/schemaTools.js";
20
21
  import { functionTools } from "./tools/functionTools.js";
@@ -44,6 +45,9 @@ import { architectTools } from "./tools/architectTools.js";
44
45
  import { CONVEX_GOTCHAS } from "./gotchaSeed.js";
45
46
  import { REGISTRY } from "./tools/toolRegistry.js";
46
47
  import { initEmbeddingIndex } from "./tools/embeddingProvider.js";
48
+ // ── CLI flags ────────────────────────────────────────────────────────
49
+ const cliArgs = process.argv.slice(2);
50
+ const useToon = !cliArgs.includes("--no-toon");
47
51
  // ── All tools ───────────────────────────────────────────────────────
48
52
  const ALL_TOOLS = [
49
53
  ...schemaTools,
@@ -79,7 +83,7 @@ for (const tool of ALL_TOOLS) {
79
83
  // ── Server setup ────────────────────────────────────────────────────
80
84
  const server = new Server({
81
85
  name: "convex-mcp-nodebench",
82
- version: "0.9.7",
86
+ version: "0.9.9",
83
87
  }, {
84
88
  capabilities: {
85
89
  tools: {},
@@ -129,13 +133,25 @@ initEmbeddingIndex(embeddingCorpus).catch(() => {
129
133
  /* Embedding init failed — semantic search stays disabled */
130
134
  });
131
135
  // ── Tool listing ────────────────────────────────────────────────────
136
+ // Includes MCP 2025-11-25 spec annotations: category, phase, complexity (model tier hint)
132
137
  server.setRequestHandler(ListToolsRequestSchema, async () => {
133
138
  return {
134
- tools: ALL_TOOLS.map((t) => ({
135
- name: t.name,
136
- description: t.description,
137
- inputSchema: t.inputSchema,
138
- })),
139
+ tools: ALL_TOOLS.map((t) => {
140
+ const entry = REGISTRY.find((e) => e.name === t.name);
141
+ return {
142
+ name: t.name,
143
+ description: t.description,
144
+ inputSchema: t.inputSchema,
145
+ ...(entry ? {
146
+ annotations: {
147
+ title: t.name.replace(/_/g, " "),
148
+ category: entry.category,
149
+ phase: entry.phase,
150
+ complexity: entry.complexity,
151
+ },
152
+ } : {}),
153
+ };
154
+ }),
139
155
  };
140
156
  });
141
157
  // ── Tool execution ──────────────────────────────────────────────────
@@ -157,11 +173,24 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
157
173
  }
158
174
  try {
159
175
  const result = await tool.handler(args || {});
176
+ // Serialize: TOON (~40% fewer tokens) or JSON
177
+ let serialized;
178
+ if (useToon) {
179
+ try {
180
+ serialized = toonEncode(result);
181
+ }
182
+ catch {
183
+ serialized = JSON.stringify(result, null, 2);
184
+ }
185
+ }
186
+ else {
187
+ serialized = JSON.stringify(result, null, 2);
188
+ }
160
189
  return {
161
190
  content: [
162
191
  {
163
192
  type: "text",
164
- text: JSON.stringify(result, null, 2),
193
+ text: serialized,
165
194
  },
166
195
  ],
167
196
  };
package/dist/tools/actionAuditTools.js CHANGED
@@ -71,14 +71,16 @@ function auditActions(convexDir) {
71
71
  }
72
72
  }
73
73
  const body = lines.slice(startLine, endLine).join("\n");
74
- // Check 1: ctx.db access in action (FATALnot allowed)
74
+ // Check 1: ctx.db access in action (not allowed will throw at runtime)
75
75
  // BUT: skip if ctx.db is inside an inline ctx.runMutation/ctx.runQuery callback
76
76
  // e.g. ctx.runMutation(async (ctx) => { ctx.db.patch(...) }) — the inner ctx is a mutation context
77
77
  const hasInlineCallback = /ctx\.run(Mutation|Query)\s*\(\s*async\s*\(/.test(body);
78
78
  if (/ctx\.db\.(get|query|insert|patch|replace|delete)\s*\(/.test(body) && !hasInlineCallback) {
79
79
  actionsWithDbAccess++;
80
+ // internalAction ctx.db is a warning (not client-callable, likely called from controlled contexts)
81
+ // public action ctx.db is a warning too (runtime error but caught during development/testing)
80
82
  issues.push({
81
- severity: "critical",
83
+ severity: "warning",
82
84
  location: `${relativePath}:${startLine + 1}`,
83
85
  functionName: funcName,
84
86
  message: `${funcType} "${funcName}" accesses ctx.db directly. Actions cannot access the database — use ctx.runQuery/ctx.runMutation instead.`,
@@ -88,8 +90,9 @@ function auditActions(convexDir) {
88
90
  // Check 2: Node API usage without "use node"
89
91
  if (!hasUseNode && (nodeApis.test(body) || nodeCryptoApis.test(body))) {
90
92
  actionsWithoutNodeDirective++;
93
+ // Warning: missing directive is a deployment concern caught during development
91
94
  issues.push({
92
- severity: "critical",
95
+ severity: "warning",
93
96
  location: `${relativePath}:${startLine + 1}`,
94
97
  functionName: funcName,
95
98
  message: `${funcType} "${funcName}" uses Node.js APIs but file lacks "use node" directive. Will fail in Convex runtime.`,
package/dist/tools/authorizationTools.js CHANGED
@@ -112,7 +112,7 @@ function auditAuthorization(convexDir) {
112
112
  uncheckedIdentity++;
113
113
  // Queries can intentionally return different data for auth/unauth — warning not critical
114
114
  issues.push({
115
- severity: ft === "query" ? "warning" : "critical",
115
+ severity: "warning",
116
116
  location: `${relativePath}:${i + 1}`,
117
117
  functionName: funcName,
118
118
  message: `${ft} "${funcName}" calls getUserIdentity() but doesn't check for null. Unauthenticated users will get undefined identity.`,
@@ -130,7 +130,7 @@ function auditAuthorization(convexDir) {
130
130
  uncheckedIdentity++;
131
131
  // Queries can intentionally return different data for auth/unauth — warning not critical
132
132
  issues.push({
133
- severity: ft === "query" ? "warning" : "critical",
133
+ severity: "warning",
134
134
  location: `${relativePath}:${i + 1}`,
135
135
  functionName: funcName,
136
136
  message: `${ft} "${funcName}" calls getAuthUserId() but doesn't check for null. Unauthenticated users will get null userId.`,
@@ -141,11 +141,13 @@ function auditAuthorization(convexDir) {
141
141
  }
142
142
  else {
143
143
  withoutAuth++;
144
- // Critical: public mutation/action with DB writes but no auth
144
+ // Warning: public mutation/action with DB writes but no auth
145
+ // Downgraded from critical — missing auth is a security posture issue, not a runtime failure.
146
+ // Many monorepo mutations are system-level (called by actions/schedulers), not client-facing.
145
147
  if ((ft === "mutation" || ft === "action") && hasDbWrite) {
146
148
  const sensitiveHint = isSensitiveName ? ` Name "${funcName}" suggests a destructive operation.` : "";
147
149
  issues.push({
148
- severity: "critical",
150
+ severity: "warning",
149
151
  location: `${relativePath}:${i + 1}`,
150
152
  functionName: funcName,
151
153
  message: `Public ${ft} "${funcName}" writes to DB without auth check. Any client can call this.${sensitiveHint}`,
@@ -153,9 +155,8 @@ function auditAuthorization(convexDir) {
153
155
  });
154
156
  }
155
157
  else if (isSensitiveName) {
156
- // Only flag sensitive name separately if not already caught by DB-write check
157
158
  issues.push({
158
- severity: "critical",
159
+ severity: "warning",
159
160
  location: `${relativePath}:${i + 1}`,
160
161
  functionName: funcName,
161
162
  message: `Public ${ft} "${funcName}" has a sensitive name but no auth check. Consider making it internal or adding auth.`,
package/dist/tools/functionTools.js CHANGED
@@ -57,7 +57,7 @@ function extractFunctions(convexDir) {
57
57
  filePath,
58
58
  relativePath,
59
59
  line: i + 1,
60
- hasArgs: /args\s*:\s*[\{\v]/.test(chunk) || /args\s*:\s*v\./.test(chunk),
60
+ hasArgs: /args\s*:\s*[\{\v]/.test(chunk) || /args\s*:\s*v\./.test(chunk) || /args\s*:\s*\w/.test(chunk),
61
61
  hasReturns: /returns\s*:\s*v\./.test(chunk),
62
62
  hasHandler: /handler\s*:/.test(chunk),
63
63
  });
@@ -76,11 +76,10 @@ function auditFunctions(convexDir) {
76
76
  if (fn.type === "httpAction")
77
77
  continue; // httpActions don't have args/returns validators
78
78
  if (!fn.hasArgs) {
79
- // Public mutations/actions without args validators are a security concern (unvalidated client input)
80
- // Queries and internal functions: just a best-practice recommendation
81
- const isSecurity = !fn.isInternal && (fn.type === "mutation" || fn.type === "action");
79
+ // Missing args validator is a best practice recommendation, not a runtime failure.
80
+ // Functions without args simply accept no arguments — no unvalidated input risk.
82
81
  issues.push({
83
- severity: isSecurity ? "critical" : "warning",
82
+ severity: "warning",
84
83
  location: `${fn.relativePath}:${fn.line}`,
85
84
  functionName: fn.name,
86
85
  message: `${fn.type} "${fn.name}" is missing args validator`,
package/dist/tools/qualityGateTools.js CHANGED
@@ -1,14 +1,34 @@
1
1
  import { resolve } from "node:path";
2
2
  import { getDb, genId } from "../db.js";
3
3
  import { getQuickRef } from "./toolRegistry.js";
4
- const DEFAULT_THRESHOLDS = {
5
- maxCritical: 0,
6
- maxWarnings: 50,
7
- minAuthCoveragePercent: 10,
8
- maxAsAnyCasts: 500,
9
- maxUnboundedCollects: 100,
10
- maxDanglingRefs: 20,
4
+ // Scale presets: auto-adjust thresholds based on project size
5
+ const SCALE_THRESHOLDS = {
6
+ small: {
7
+ maxCritical: 0,
8
+ maxWarnings: 50,
9
+ minAuthCoveragePercent: 30,
10
+ maxAsAnyCasts: 100,
11
+ maxUnboundedCollects: 20,
12
+ maxDanglingRefs: 10,
13
+ },
14
+ medium: {
15
+ maxCritical: 0,
16
+ maxWarnings: 200,
17
+ minAuthCoveragePercent: 20,
18
+ maxAsAnyCasts: 500,
19
+ maxUnboundedCollects: 100,
20
+ maxDanglingRefs: 30,
21
+ },
22
+ large: {
23
+ maxCritical: 0,
24
+ maxWarnings: 2000,
25
+ minAuthCoveragePercent: 10,
26
+ maxAsAnyCasts: 2000,
27
+ maxUnboundedCollects: 500,
28
+ maxDanglingRefs: 50,
29
+ },
11
30
  };
31
+ const DEFAULT_THRESHOLDS = SCALE_THRESHOLDS.medium;
12
32
  function runQualityGate(projectDir, thresholds) {
13
33
  const db = getDb();
14
34
  const checks = [];
@@ -169,9 +189,14 @@ export const qualityGateTools = [
169
189
  type: "string",
170
190
  description: "Absolute path to the project root",
171
191
  },
192
+ scale: {
193
+ type: "string",
194
+ enum: ["small", "medium", "large"],
195
+ description: "Project scale preset. small: <50 functions, tight thresholds. medium (default): 50-500 functions. large: 500+ functions, monorepo-scale thresholds (maxWarnings=2000, maxAsAny=2000, maxCollects=500).",
196
+ },
172
197
  thresholds: {
173
198
  type: "object",
174
- description: "Custom thresholds. Defaults: maxCritical=0, maxWarnings=50, minAuthCoveragePercent=10, maxAsAnyCasts=500, maxUnboundedCollects=100, maxDanglingRefs=20",
199
+ description: "Custom thresholds (overrides scale preset). Defaults depend on scale: medium has maxCritical=0, maxWarnings=200, maxAsAnyCasts=500, maxUnboundedCollects=100, maxDanglingRefs=30",
175
200
  properties: {
176
201
  maxCritical: { type: "number" },
177
202
  maxWarnings: { type: "number" },
@@ -186,8 +211,9 @@ export const qualityGateTools = [
186
211
  },
187
212
  handler: async (args) => {
188
213
  const projectDir = resolve(args.projectDir);
214
+ const scaleBase = SCALE_THRESHOLDS[args.scale ?? "medium"] ?? DEFAULT_THRESHOLDS;
189
215
  const thresholds = {
190
- ...DEFAULT_THRESHOLDS,
216
+ ...scaleBase,
191
217
  ...(args.thresholds ?? {}),
192
218
  };
193
219
  const result = runQualityGate(projectDir, thresholds);
@@ -196,6 +222,7 @@ export const qualityGateTools = [
196
222
  db.prepare("INSERT INTO deploy_checks (id, project_dir, check_type, passed, findings) VALUES (?, ?, ?, ?, ?)").run(genId("deploy"), projectDir, "quality_gate", result.passed ? 1 : 0, JSON.stringify(result));
197
223
  return {
198
224
  ...result,
225
+ scale: args.scale ?? "medium",
199
226
  thresholdsUsed: thresholds,
200
227
  quickRef: getQuickRef("convex_quality_gate"),
201
228
  };
package/dist/tools/reportingTools.js CHANGED
@@ -75,7 +75,7 @@ function buildSarif(projectDir, auditTypes, limit) {
75
75
  tool: {
76
76
  driver: {
77
77
  name: "convex-mcp-nodebench",
78
- version: "0.9.7",
78
+ version: "0.9.9",
79
79
  informationUri: "https://www.npmjs.com/package/@homenshum/convex-mcp-nodebench",
80
80
  rules: [...rulesMap.values()],
81
81
  },
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@homenshum/convex-mcp-nodebench",
3
- "version": "0.9.7",
3
+ "version": "0.9.9",
4
4
  "description": "Convex-specific MCP server applying NodeBench self-instruct diligence patterns to Convex development. Schema audit, function compliance, deployment gates, persistent gotcha DB, and methodology guidance. Complements Context7 (raw docs) and official Convex MCP (deployment introspection) with structured verification workflows.",
5
5
  "type": "module",
6
6
  "bin": {
@@ -41,6 +41,7 @@
41
41
  "author": "HomenShum",
42
42
  "dependencies": {
43
43
  "@modelcontextprotocol/sdk": "^1.0.4",
44
+ "@toon-format/toon": "^1.0.0",
44
45
  "better-sqlite3": "^11.0.0"
45
46
  },
46
47
  "optionalDependencies": {