Skip to content

netsuite-saved-search-mcp v0.1.3 — audit-driven README follow-up

Latest

Choose a tag to compare

@mohltbot mohltbot released this 23 May 18:12

External audit identified this repo as the weakest portfolio asset and recommended a README rewrite as the single highest-leverage improvement. v0.1.2 landed the community-file + worked-transcript half of that ask. v0.1.3 finishes the rest, narrowly scoped to additions that close credibility gaps without overstating shipped functionality.

What's in this release

  • Real-data worked transcript. The "What an auditable agent run looks like" section now reproduces the claude-eval-harness anomaly_zero_activity_june case from runs/baseline-sonnet-4-6.json instead of an illustrative one. The prior block invented a row_ids field the tool doesn't return and attributed the Sep 2024 spike to the wrong account; the verified transcript matches the actual response shape and the figures in examples/walkthrough.md.
  • Standalone Python usage section. Surfaces that NetSuiteExport is importable directly without the MCP transport — useful for notebooks, batch scripts, pytest fixtures. Import path verified against src/.
  • Security boundary section. Documents NSMCP_ROOT enforcement, the _resolve_under_root realpath-comparison symlink-escape check (hyperlinked to the implementation), and the no-writes / no-network / scoped-stderr-logs guarantees. Complements SECURITY.md, which remains the vulnerability-reporting channel.
  • Three new Limitations items, grounded in src/:
    • detect_anomalies only recognises three period-label formats (Jan 2024 / January 2024 / 2024-01).
    • The parsed-export cache is unbounded — long-running sessions hold every parsed export resident.
    • Coverage is tested against three synthesized fixtures, not a sweep of real-world saved-search column layouts.
  • Stale __version__ fixed. src/netsuite_saved_search_mcp/__init__.py was pinned at 0.1.0 since v0.1.1; now tracks pyproject.toml.

What was dropped from the original audit brief

The brief proposed splitting the Tools table into "Implemented" vs "In progress" and adding placeholders like "MCP stdio wrapper lands in v0.2". On inspection that wrapper already ships (FastMCP server in server.py, console script in pyproject.toml, PyPI v0.1.1) and the eval-harness exercises it end-to-end. Shipping the split would have introduced false claims rather than closing a credibility gap, so that edit was dropped.

Validation

117 tests pass. mypy --strict and ruff check both clean. No code changes.