@homenshum/convex-mcp-nodebench 0.9.9 → 0.10.0

package/README.md

@@ -193,34 +193,6 @@ packages/convex-mcp-nodebench/
 
 ## Changelog
 
-### v0.9.9
-- **MCP annotations**: `tools/list` returns `annotations: { title, category, phase, complexity }` per MCP 2025-11-25 spec — improves Claude Code Tool Search ranking
-- **TOON output**: Token-Oriented Object Notation encoding (~40% fewer tokens), on by default, opt-out with `--no-toon`
-- **Quality gate tuning**: Monorepo-scale thresholds — new `scale` parameter (`small`/`medium`/`large`) auto-adjusts warning/cast/collect limits
-
-### v0.9.8
-- **0 criticals**: Severity philosophy aligned — critical = runtime failure, warning = security posture / best practice
-- **Auth**: Downgraded "no auth on DB write" and "sensitive name no auth" from critical to warning
-- **Functions**: All missing-args/returns/handler downgraded to warning
-- **Actions**: `ctx.db` access and missing `"use node"` downgraded to warning
-
-### v0.9.7
-- **Auth helper detection**: Pre-scans files for local functions wrapping `getAuthUserId()` — mutations calling helpers like `getSafeUserId(ctx)` now correctly detected as having auth
-- **-50 false positives**: 188 → 138 criticals
-
-### v0.9.6
-- **Audit type key fixes**: `functionTools` → `"functions"`, `storageAuditTools` → `"storage"` — quality gate now sees 12/12 audit types
-- **Function severity calibration**: Missing args for queries/internal functions downgraded to warning
-
-### v0.9.5
-- **Dogfood cycle**: Reduced criticals from 558 → 198 by running all 12 audits against the monorepo
-- **Quality gate**: Excludes test/eval files from `as any` count, only counts warning-level unbounded collects
-
-### v0.9.2 – v0.9.4
-- **README rewrite**: Comprehensive 36-tool documentation with categorized tables
-- **Architect E2E tests**: 10 tests validating industry-latest concepts
-- **Strategy matching**: Pattern priority ordering fixes in architect tools
-
 ### v0.9.1
 - **Fix**: Strategy matching order in architect tools -- specific patterns (`ctx.db.query`, `ctx.runMutation`) now matched before generic keywords (`query`, `mutation`)
 

package/dist/index.js

@@ -15,7 +15,6 @@
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { ListToolsRequestSchema, CallToolRequestSchema, ListResourcesRequestSchema, ReadResourceRequestSchema, ListPromptsRequestSchema, GetPromptRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
-import { encode as toonEncode } from "@toon-format/toon";
 import { getDb, seedGotchasIfEmpty } from "./db.js";
 import { schemaTools } from "./tools/schemaTools.js";
 import { functionTools } from "./tools/functionTools.js";
@@ -45,9 +44,6 @@ import { architectTools } from "./tools/architectTools.js";
 import { CONVEX_GOTCHAS } from "./gotchaSeed.js";
 import { REGISTRY } from "./tools/toolRegistry.js";
 import { initEmbeddingIndex } from "./tools/embeddingProvider.js";
-// ── CLI flags ────────────────────────────────────────────────────────
-const cliArgs = process.argv.slice(2);
-const useToon = !cliArgs.includes("--no-toon");
 // ── All tools ───────────────────────────────────────────────────────
 const ALL_TOOLS = [
     ...schemaTools,
@@ -83,7 +79,7 @@ for (const tool of ALL_TOOLS) {
 // ── Server setup ────────────────────────────────────────────────────
 const server = new Server({
     name: "convex-mcp-nodebench",
-    version: "0.9.9",
+    version: "0.9.4",
 }, {
     capabilities: {
         tools: {},
@@ -133,25 +129,13 @@ initEmbeddingIndex(embeddingCorpus).catch(() => {
     /* Embedding init failed — semantic search stays disabled */
 });
 // ── Tool listing ────────────────────────────────────────────────────
-// Includes MCP 2025-11-25 spec annotations: category, phase, complexity (model tier hint)
 server.setRequestHandler(ListToolsRequestSchema, async () => {
     return {
-        tools: ALL_TOOLS.map((t) => {
-            const entry = REGISTRY.find((e) => e.name === t.name);
-            return {
-                name: t.name,
-                description: t.description,
-                inputSchema: t.inputSchema,
-                ...(entry ? {
-                    annotations: {
-                        title: t.name.replace(/_/g, " "),
-                        category: entry.category,
-                        phase: entry.phase,
-                        complexity: entry.complexity,
-                    },
-                } : {}),
-            };
-        }),
+        tools: ALL_TOOLS.map((t) => ({
+            name: t.name,
+            description: t.description,
+            inputSchema: t.inputSchema,
+        })),
     };
 });
 // ── Tool execution ──────────────────────────────────────────────────
@@ -173,24 +157,11 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
     }
     try {
         const result = await tool.handler(args || {});
-        // Serialize: TOON (~40% fewer tokens) or JSON
-        let serialized;
-        if (useToon) {
-            try {
-                serialized = toonEncode(result);
-            }
-            catch {
-                serialized = JSON.stringify(result, null, 2);
-            }
-        }
-        else {
-            serialized = JSON.stringify(result, null, 2);
-        }
         return {
             content: [
                 {
                     type: "text",
-                    text: serialized,
+                    text: JSON.stringify(result, null, 2),
                 },
             ],
         };
@@ -378,7 +349,9 @@ After running all audits, summarize:
 - Total issues by severity (critical/warning/info)
 - Top 5 most impactful issues to fix first
 - Quality gate score and grade
-- Trend direction if previous audits exist (use convex_audit_diff)`,
+- Trend direction if previous audits exist (use convex_audit_diff)
+
+IMPORTANT — Analyst diagnostic: For every issue found, trace the ROOT CAUSE — don't just list what's wrong, explain WHY it happened. Ask "why" 5 times. Record root causes with convex_record_gotcha so they don't recur.`,
                     },
                 },
             ],
@@ -402,6 +375,8 @@ After running all audits, summarize:
 6. convex_schema_migration_plan — Compare against previous snapshot for breaking changes
 7. convex_quality_gate — Final quality check with thresholds
 
+For each blocker: diagnose the ROOT CAUSE, not just the symptom. Explain WHY the issue exists and how to prevent it from recurring.
+
 Report: DEPLOY or DO NOT DEPLOY with specific blockers to fix.`,
                     },
                 },
@@ -425,7 +400,9 @@ Report: DEPLOY or DO NOT DEPLOY with specific blockers to fix.`,
 5. convex_audit_pagination — Unbounded numItems (DoS risk)
 6. convex_audit_transaction_safety — Race condition risks
 
-Focus on: unauthorized data access, unvalidated inputs, missing error boundaries, and potential data corruption vectors.`,
+Focus on: unauthorized data access, unvalidated inputs, missing error boundaries, and potential data corruption vectors.
+
+Analyst diagnostic: For each security finding, trace upstream to the ROOT CAUSE. Don't just flag the symptom — explain what system condition allowed the vulnerability to exist. Record findings with convex_record_gotcha.`,
                     },
                 },
             ],

package/dist/tools/actionAuditTools.js

@@ -71,16 +71,11 @@ function auditActions(convexDir) {
                 }
             }
             const body = lines.slice(startLine, endLine).join("\n");
-            // Check 1: ctx.db access in action (not allowed — will throw at runtime)
-            // BUT: skip if ctx.db is inside an inline ctx.runMutation/ctx.runQuery callback
-            // e.g. ctx.runMutation(async (ctx) => { ctx.db.patch(...) }) — the inner ctx is a mutation context
-            const hasInlineCallback = /ctx\.run(Mutation|Query)\s*\(\s*async\s*\(/.test(body);
-            if (/ctx\.db\.(get|query|insert|patch|replace|delete)\s*\(/.test(body) && !hasInlineCallback) {
+            // Check 1: ctx.db access in action (FATAL — not allowed)
+            if (/ctx\.db\.(get|query|insert|patch|replace|delete)\s*\(/.test(body)) {
                 actionsWithDbAccess++;
-                // internalAction ctx.db is a warning (not client-callable, likely called from controlled contexts)
-                // public action ctx.db is a warning too (runtime error but caught during development/testing)
                 issues.push({
-                    severity: "warning",
+                    severity: "critical",
                     location: `${relativePath}:${startLine + 1}`,
                     functionName: funcName,
                     message: `${funcType} "${funcName}" accesses ctx.db directly. Actions cannot access the database — use ctx.runQuery/ctx.runMutation instead.`,
@@ -90,9 +85,8 @@ function auditActions(convexDir) {
             // Check 2: Node API usage without "use node"
             if (!hasUseNode && (nodeApis.test(body) || nodeCryptoApis.test(body))) {
                 actionsWithoutNodeDirective++;
-                // Warning: missing directive is a deployment concern caught during development
                 issues.push({
-                    severity: "warning",
+                    severity: "critical",
                     location: `${relativePath}:${startLine + 1}`,
                     functionName: funcName,
                     message: `${funcType} "${funcName}" uses Node.js APIs but file lacks "use node" directive. Will fail in Convex runtime.`,

package/dist/tools/authorizationTools.js

@@ -41,27 +41,6 @@ function auditAuthorization(convexDir) {
         const content = readFileSync(filePath, "utf-8");
         const relativePath = filePath.replace(convexDir, "").replace(/^[\\/]/, "");
         const lines = content.split("\n");
-        // Pre-scan: detect local helper functions that wrap getAuthUserId/getUserIdentity
-        // Pattern: function getSafeUserId(ctx) { ... getAuthUserId(ctx) ... }
-        const authHelperNames = [];
-        const helperFuncPattern = /(?:async\s+)?function\s+(\w+)\s*\(/g;
-        let hm;
-        while ((hm = helperFuncPattern.exec(content)) !== null) {
-            const hStart = content.slice(0, hm.index).split("\n").length - 1;
-            const hBody = lines.slice(hStart, Math.min(hStart + 30, lines.length)).join("\n");
-            if (/getAuthUserId|getUserIdentity|getAuthSessionId/.test(hBody)) {
-                authHelperNames.push(hm[1]);
-            }
-        }
-        // Also check arrow function helpers: const getUserId = async (ctx) => { ... }
-        const arrowHelperPattern = /(?:const|let)\s+(\w+)\s*=\s*(?:async\s*)?\([^)]*\)\s*(?::\s*[^=]+)?\s*=>/g;
-        while ((hm = arrowHelperPattern.exec(content)) !== null) {
-            const hStart = content.slice(0, hm.index).split("\n").length - 1;
-            const hBody = lines.slice(hStart, Math.min(hStart + 20, lines.length)).join("\n");
-            if (/getAuthUserId|getUserIdentity|getAuthSessionId/.test(hBody)) {
-                authHelperNames.push(hm[1]);
-            }
-        }
         for (let i = 0; i < lines.length; i++) {
             const line = lines[i];
             for (const ft of funcTypes) {
@@ -90,14 +69,10 @@ function auditAuthorization(convexDir) {
                     }
                 }
                 const body = lines.slice(i, endLine).join("\n");
-                // Check for direct auth calls OR calls to local auth helper wrappers
-                const hasDirectAuth = /ctx\.auth\.getUserIdentity\s*\(\s*\)/.test(body) ||
+                const hasAuthCheck = /ctx\.auth\.getUserIdentity\s*\(\s*\)/.test(body) ||
                     /getUserIdentity/.test(body) ||
                     /getAuthUserId/.test(body) ||
                     /getAuthSessionId/.test(body);
-                const callsAuthHelper = authHelperNames.length > 0 &&
-                    authHelperNames.some(h => new RegExp(`\\b${h}\\s*\\(`).test(body));
-                const hasAuthCheck = hasDirectAuth || callsAuthHelper;
                 const hasDbWrite = dbWriteOps.test(body);
                 const isSensitiveName = writeSensitive.test(funcName);
                 if (hasAuthCheck) {
@@ -106,13 +81,11 @@ function auditAuthorization(convexDir) {
                     const identityAssign = body.match(/(?:const|let)\s+(\w+)\s*=\s*await\s+ctx\.auth\.getUserIdentity\s*\(\s*\)/);
                     if (identityAssign) {
                         const varName = identityAssign[1];
-                        // Recognize: if (!var), if (var === null), if (var), var &&, var ?, throw on !var, comparisons
-                        const hasNullCheck = new RegExp(`if\\s*\\(\\s*!${varName}\\b|if\\s*\\(\\s*${varName}\\s*===?\\s*null|if\\s*\\(\\s*${varName}\\s*\\)|${varName}\\s*&&|${varName}\\s*\\?|throw.*!${varName}|${varName}\\s*!==?\\s*null|===\\s*${varName}|!==\\s*${varName}`).test(body);
+                        const hasNullCheck = new RegExp(`if\\s*\\(\\s*!${varName}\\b|if\\s*\\(\\s*${varName}\\s*===?\\s*null|if\\s*\\(\\s*!${varName}\\s*\\)`).test(body);
                         if (!hasNullCheck) {
                             uncheckedIdentity++;
-                            // Queries can intentionally return different data for auth/unauth — warning not critical
                             issues.push({
-                                severity: "warning",
+                                severity: "critical",
                                 location: `${relativePath}:${i + 1}`,
                                 functionName: funcName,
                                 message: `${ft} "${funcName}" calls getUserIdentity() but doesn't check for null. Unauthenticated users will get undefined identity.`,
@@ -124,13 +97,11 @@ function auditAuthorization(convexDir) {
                     const authUserAssign = body.match(/(?:const|let)\s+(\w+)\s*=\s*await\s+getAuthUserId\s*\(/);
                     if (authUserAssign) {
                         const varName = authUserAssign[1];
-                        // Recognize: if (!var), if (var === null), if (var), var &&, var ?, throw on !var, comparisons
-                        const hasNullCheck = new RegExp(`if\\s*\\(\\s*!${varName}\\b|if\\s*\\(\\s*${varName}\\s*===?\\s*null|if\\s*\\(\\s*${varName}\\s*\\)|${varName}\\s*&&|${varName}\\s*\\?|throw.*!${varName}|${varName}\\s*!==?\\s*null|===\\s*${varName}|!==\\s*${varName}`).test(body);
+                        const hasNullCheck = new RegExp(`if\\s*\\(\\s*!${varName}\\b|if\\s*\\(\\s*${varName}\\s*===?\\s*null|throw.*!${varName}`).test(body);
                         if (!hasNullCheck) {
                             uncheckedIdentity++;
-                            // Queries can intentionally return different data for auth/unauth — warning not critical
                             issues.push({
-                                severity: "warning",
+                                severity: "critical",
                                 location: `${relativePath}:${i + 1}`,
                                 functionName: funcName,
                                 message: `${ft} "${funcName}" calls getAuthUserId() but doesn't check for null. Unauthenticated users will get null userId.`,
@@ -141,13 +112,11 @@ function auditAuthorization(convexDir) {
                 }
                 else {
                     withoutAuth++;
-                    // Warning: public mutation/action with DB writes but no auth
-                    // Downgraded from critical — missing auth is a security posture issue, not a runtime failure.
-                    // Many monorepo mutations are system-level (called by actions/schedulers), not client-facing.
+                    // Critical: public mutation/action with DB writes but no auth
                     if ((ft === "mutation" || ft === "action") && hasDbWrite) {
                         const sensitiveHint = isSensitiveName ? ` Name "${funcName}" suggests a destructive operation.` : "";
                         issues.push({
-                            severity: "warning",
+                            severity: "critical",
                             location: `${relativePath}:${i + 1}`,
                             functionName: funcName,
                             message: `Public ${ft} "${funcName}" writes to DB without auth check. Any client can call this.${sensitiveHint}`,
@@ -155,8 +124,9 @@ function auditAuthorization(convexDir) {
                         });
                     }
                     else if (isSensitiveName) {
+                        // Only flag sensitive name separately if not already caught by DB-write check
                         issues.push({
-                            severity: "warning",
+                            severity: "critical",
                             location: `${relativePath}:${i + 1}`,
                             functionName: funcName,
                             message: `Public ${ft} "${funcName}" has a sensitive name but no auth check. Consider making it internal or adding auth.`,

package/dist/tools/critterTools.js

@@ -137,6 +137,20 @@ function scoreCritterCheck(input) {
         score += 10;
         feedback.push("Good: success criteria defined — this makes the deploy gate concrete.");
     }
+    // ── Check 10: Bandaid detection — symptom fixes without root-cause reasoning ──
+    const bandaidPatterns = [
+        "add try.?catch", "wrap in try", "catch the error", "suppress the error",
+        "add optional chaining", "add \\?\\.", "silence the warning",
+        "add as any", "cast to any", "ignore the type",
+        "add a timeout", "increase the timeout", "add a delay",
+        "delete the test", "skip the test", "disable the test",
+        "hide the error", "remove the warning",
+    ];
+    const bandaidRegex = new RegExp(bandaidPatterns.join("|"), "i");
+    if (bandaidRegex.test(taskLower) && !whyLower.includes("root cause") && !whyLower.includes("because") && whyLower.length < 50) {
+        score -= 20;
+        feedback.push("Bandaid alert: this looks like a symptom fix. What's the root cause? Diagnose like an analyst, not a junior dev.");
+    }
     score = Math.max(0, Math.min(100, score));
     let verdict;
     if (score >= 70) {

package/dist/tools/functionTools.js

@@ -57,7 +57,7 @@ function extractFunctions(convexDir) {
                         filePath,
                         relativePath,
                         line: i + 1,
-                        hasArgs: /args\s*:\s*[\{\v]/.test(chunk) || /args\s*:\s*v\./.test(chunk) || /args\s*:\s*\w/.test(chunk),
+                        hasArgs: /args\s*:\s*[\{\v]/.test(chunk) || /args\s*:\s*v\./.test(chunk),
                         hasReturns: /returns\s*:\s*v\./.test(chunk),
                         hasHandler: /handler\s*:/.test(chunk),
                     });
@@ -76,10 +76,8 @@ function auditFunctions(convexDir) {
         if (fn.type === "httpAction")
             continue; // httpActions don't have args/returns validators
         if (!fn.hasArgs) {
-            // Missing args validator is a best practice recommendation, not a runtime failure.
-            // Functions without args simply accept no arguments — no unvalidated input risk.
             issues.push({
-                severity: "warning",
+                severity: "critical",
                 location: `${fn.relativePath}:${fn.line}`,
                 functionName: fn.name,
                 message: `${fn.type} "${fn.name}" is missing args validator`,
@@ -96,9 +94,8 @@ function auditFunctions(convexDir) {
             });
         }
         if (!fn.hasHandler) {
-            // Old shorthand syntax (query(async (ctx) => {})) works fine — just a style recommendation
             issues.push({
-                severity: "warning",
+                severity: "critical",
                 location: `${fn.relativePath}:${fn.line}`,
                 functionName: fn.name,
                 message: `${fn.type} "${fn.name}" is missing handler property (may be using old syntax)`,
@@ -287,7 +284,7 @@ export const functionTools = [
             const functions = extractFunctions(convexDir);
             // Store audit result
             const db = getDb();
-            db.prepare("INSERT INTO audit_results (id, project_dir, audit_type, issues_json, issue_count) VALUES (?, ?, ?, ?, ?)").run(genId("audit"), projectDir, "functions", JSON.stringify(issues), issues.length);
+            db.prepare("INSERT INTO audit_results (id, project_dir, audit_type, issues_json, issue_count) VALUES (?, ?, ?, ?, ?)").run(genId("audit"), projectDir, "function_audit", JSON.stringify(issues), issues.length);
             const critical = issues.filter((i) => i.severity === "critical");
             const warnings = issues.filter((i) => i.severity === "warning");
             // Aggregate issues by category for cleaner output

package/dist/tools/methodologyTools.js

@@ -83,6 +83,19 @@ const METHODOLOGY_CONTENT = {
         ],
         tools: ["convex_suggest_indexes", "convex_audit_schema"],
     },
+    analyst_diagnostic: {
+        title: "Analyst Diagnostic — Root Cause Over Bandaids",
+        description: "Guide yourself like an analyst diagnosing the root cause, NOT a junior dev slapping on a bandaid. Mandatory for all bug work.",
+        steps: [
+            "1. REPRODUCE: Confirm the exact failure mode before touching any code",
+            "2. TRACE UPSTREAM: Walk from symptom → intermediate state → root cause. Don't stop at the first error you see",
+            "3. ASK 'WHY' 5 TIMES: Each answer should go one level deeper into the system",
+            "4. FIX THE CAUSE: The right fix makes the symptom impossible, not just invisible",
+            "5. VERIFY NO SIDEWAYS SHIFT: Bandaids move bugs, they don't fix them — check adjacent behavior",
+            "6. RECORD: Use convex_record_gotcha with the root cause so the next person doesn't re-discover it",
+        ],
+        tools: ["convex_search_gotchas", "convex_record_gotcha", "convex_critter_check"],
+    },
 };
 // ── Tool Definitions ────────────────────────────────────────────────
 export const methodologyTools = [
@@ -101,6 +114,7 @@ export const methodologyTools = [
                         "convex_deploy_verification",
                         "convex_knowledge_management",
                         "convex_index_optimization",
+                        "analyst_diagnostic",
                     ],
                     description: "Which methodology to explain",
                 },

package/dist/tools/qualityGateTools.js

@@ -1,34 +1,14 @@
 import { resolve } from "node:path";
 import { getDb, genId } from "../db.js";
 import { getQuickRef } from "./toolRegistry.js";
-// Scale presets: auto-adjust thresholds based on project size
-const SCALE_THRESHOLDS = {
-    small: {
-        maxCritical: 0,
-        maxWarnings: 50,
-        minAuthCoveragePercent: 30,
-        maxAsAnyCasts: 100,
-        maxUnboundedCollects: 20,
-        maxDanglingRefs: 10,
-    },
-    medium: {
-        maxCritical: 0,
-        maxWarnings: 200,
-        minAuthCoveragePercent: 20,
-        maxAsAnyCasts: 500,
-        maxUnboundedCollects: 100,
-        maxDanglingRefs: 30,
-    },
-    large: {
-        maxCritical: 0,
-        maxWarnings: 2000,
-        minAuthCoveragePercent: 10,
-        maxAsAnyCasts: 2000,
-        maxUnboundedCollects: 500,
-        maxDanglingRefs: 50,
-    },
+const DEFAULT_THRESHOLDS = {
+    maxCritical: 0,
+    maxWarnings: 50,
+    minAuthCoveragePercent: 10,
+    maxAsAnyCasts: 500,
+    maxUnboundedCollects: 100,
+    maxDanglingRefs: 20,
 };
-const DEFAULT_THRESHOLDS = SCALE_THRESHOLDS.medium;
 function runQualityGate(projectDir, thresholds) {
     const db = getDb();
     const checks = [];
@@ -97,18 +77,17 @@ function runQualityGate(projectDir, thresholds) {
         }
         catch { /* skip */ }
     }
-    // Check 4: Type safety (as any casts) — exclude test/eval files
+    // Check 4: Type safety (as any casts)
     const typeSafety = getLatest("type_safety");
     if (typeSafety) {
         try {
             const issues = JSON.parse(typeSafety.issues_json);
-            // Exclude test, eval, benchmark, and fixture files from production quality gate
-            const testEvalPattern = /test|__tests__|spec|\.test\.|\.spec\.|fixtures|mocks|evaluation|liveEval|liveApiSmoke|benchmark|calibration|harness|quickTest|comprehensiveTest|comprehensiveEval/i;
+            const asAnyIssues = Array.isArray(issues)
+                ? issues.filter((i) => i.message?.includes("as any")).length
+                : 0;
             // Each as-any issue represents a FILE, count from message for actual number
             const actualCasts = Array.isArray(issues)
                 ? issues.reduce((sum, i) => {
-                    if (testEvalPattern.test(i.location ?? ""))
-                        return sum; // skip test/eval files
                     const countMatch = i.message?.match(/(\d+)\s+`as any`/);
                     return sum + (countMatch ? parseInt(countMatch[1], 10) : 0);
                 }, 0)
@@ -123,13 +102,13 @@ function runQualityGate(projectDir, thresholds) {
         }
         catch { /* skip */ }
     }
-    // Check 5: Unbounded collects (only warning-level — indexed collects are downgraded to info)
+    // Check 5: Unbounded collects
     const queryEfficiency = getLatest("query_efficiency");
     if (queryEfficiency) {
         try {
             const issues = JSON.parse(queryEfficiency.issues_json);
             const unbounded = Array.isArray(issues)
-                ? issues.filter((i) => i.severity === "warning" && i.message?.includes(".collect()")).length
+                ? issues.filter((i) => i.message?.includes(".collect()")).length
                 : 0;
             checks.push({
                 metric: "unbounded_collects",
@@ -189,14 +168,9 @@ export const qualityGateTools = [
                     type: "string",
                     description: "Absolute path to the project root",
                 },
-                scale: {
-                    type: "string",
-                    enum: ["small", "medium", "large"],
-                    description: "Project scale preset. small: <50 functions, tight thresholds. medium (default): 50-500 functions. large: 500+ functions, monorepo-scale thresholds (maxWarnings=2000, maxAsAny=2000, maxCollects=500).",
-                },
                 thresholds: {
                     type: "object",
-                    description: "Custom thresholds (overrides scale preset). Defaults depend on scale: medium has maxCritical=0, maxWarnings=200, maxAsAnyCasts=500, maxUnboundedCollects=100, maxDanglingRefs=30",
+                    description: "Custom thresholds. Defaults: maxCritical=0, maxWarnings=50, minAuthCoveragePercent=10, maxAsAnyCasts=500, maxUnboundedCollects=100, maxDanglingRefs=20",
                     properties: {
                         maxCritical: { type: "number" },
                         maxWarnings: { type: "number" },
@@ -211,9 +185,8 @@ export const qualityGateTools = [
         },
         handler: async (args) => {
             const projectDir = resolve(args.projectDir);
-            const scaleBase = SCALE_THRESHOLDS[args.scale ?? "medium"] ?? DEFAULT_THRESHOLDS;
             const thresholds = {
-                ...scaleBase,
+                ...DEFAULT_THRESHOLDS,
                 ...(args.thresholds ?? {}),
             };
             const result = runQualityGate(projectDir, thresholds);
@@ -222,7 +195,6 @@ export const qualityGateTools = [
             db.prepare("INSERT INTO deploy_checks (id, project_dir, check_type, passed, findings) VALUES (?, ?, ?, ?, ?)").run(genId("deploy"), projectDir, "quality_gate", result.passed ? 1 : 0, JSON.stringify(result));
             return {
                 ...result,
-                scale: args.scale ?? "medium",
                 thresholdsUsed: thresholds,
                 quickRef: getQuickRef("convex_quality_gate"),
             };

package/dist/tools/queryEfficiencyTools.js

@@ -63,16 +63,13 @@ function auditQueryEfficiency(convexDir) {
                 const chain = lines.slice(chainStart, i + 1).join("\n");
                 if (!/\.take\s*\(/.test(chain) && !/\.paginate\s*\(/.test(chain)) {
                     collectWithoutLimit++;
+                    // Check if it's a bounded table or could be large
                     const tableMatch = chain.match(/\.query\s*\(\s*["'](\w+)["']\s*\)/);
-                    // Indexed queries are bounded by the index range — lower severity
-                    const hasIndex = /\.withIndex\s*\(/.test(chain);
                     issues.push({
-                        severity: hasIndex ? "info" : "warning",
+                        severity: "warning",
                         location: `${relativePath}:${i + 1}`,
                         message: `.collect() without .take() limit${tableMatch ? ` on table "${tableMatch[1]}"` : ""}. Could return entire table.`,
-                        fix: hasIndex
-                            ? "Consider adding .take(N) for predictable result sizes, even with index filtering"
-                            : "Add .take(N) before .collect(), or use .paginate() for large result sets",
+                        fix: "Add .take(N) before .collect(), or use .paginate() for large result sets",
                     });
                 }
             }

package/dist/tools/reportingTools.js

@@ -75,7 +75,7 @@ function buildSarif(projectDir, auditTypes, limit) {
                 tool: {
                     driver: {
                         name: "convex-mcp-nodebench",
-                        version: "0.9.9",
+                        version: "0.9.4",
                         informationUri: "https://www.npmjs.com/package/@homenshum/convex-mcp-nodebench",
                         rules: [...rulesMap.values()],
                     },

package/dist/tools/storageAuditTools.js

@@ -133,7 +133,7 @@ export const storageAuditTools = [
             }
             const { issues, stats } = auditStorageUsage(convexDir);
             const db = getDb();
-            db.prepare("INSERT INTO audit_results (id, project_dir, audit_type, issues_json, issue_count) VALUES (?, ?, ?, ?, ?)").run(genId("audit"), projectDir, "storage", JSON.stringify(issues), issues.length);
+            db.prepare("INSERT INTO audit_results (id, project_dir, audit_type, issues_json, issue_count) VALUES (?, ?, ?, ?, ?)").run(genId("audit"), projectDir, "storage_usage", JSON.stringify(issues), issues.length);
             return {
                 summary: {
                     ...stats,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@homenshum/convex-mcp-nodebench",
-  "version": "0.9.9",
+  "version": "0.10.0",
   "description": "Convex-specific MCP server applying NodeBench self-instruct diligence patterns to Convex development. Schema audit, function compliance, deployment gates, persistent gotcha DB, and methodology guidance. Complements Context7 (raw docs) and official Convex MCP (deployment introspection) with structured verification workflows.",
   "type": "module",
   "bin": {
@@ -41,7 +41,6 @@
   "author": "HomenShum",
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.4",
-    "@toon-format/toon": "^1.0.0",
     "better-sqlite3": "^11.0.0"
   },
   "optionalDependencies": {