External audit identified this repo as the weakest portfolio asset and recommended a README rewrite as the single highest-leverage improvement. v0.1.2 landed the community-file + worked-transcript half of that ask. v0.1.3 finishes the rest, narrowly scoped to additions that close credibility gaps without overstating shipped functionality.
What's in this release
- Real-data worked transcript. The "What an auditable agent run looks like" section now reproduces the
claude-eval-harnessanomaly_zero_activity_junecase fromruns/baseline-sonnet-4-6.jsoninstead of an illustrative one. The prior block invented arow_idsfield the tool doesn't return and attributed the Sep 2024 spike to the wrong account; the verified transcript matches the actual response shape and the figures inexamples/walkthrough.md. - Standalone Python usage section. Surfaces that
NetSuiteExportis importable directly without the MCP transport — useful for notebooks, batch scripts, pytest fixtures. Import path verified againstsrc/. - Security boundary section. Documents
NSMCP_ROOTenforcement, the_resolve_under_rootrealpath-comparison symlink-escape check (hyperlinked to the implementation), and the no-writes / no-network / scoped-stderr-logs guarantees. ComplementsSECURITY.md, which remains the vulnerability-reporting channel. - Three new Limitations items, grounded in
src/:detect_anomaliesonly recognises three period-label formats (Jan 2024/January 2024/2024-01).- The parsed-export cache is unbounded — long-running sessions hold every parsed export resident.
- Coverage is tested against three synthesized fixtures, not a sweep of real-world saved-search column layouts.
- Stale
__version__fixed.src/netsuite_saved_search_mcp/__init__.pywas pinned at0.1.0since v0.1.1; now trackspyproject.toml.
What was dropped from the original audit brief
The brief proposed splitting the Tools table into "Implemented" vs "In progress" and adding placeholders like "MCP stdio wrapper lands in v0.2". On inspection that wrapper already ships (FastMCP server in server.py, console script in pyproject.toml, PyPI v0.1.1) and the eval-harness exercises it end-to-end. Shipping the split would have introduced false claims rather than closing a credibility gap, so that edit was dropped.
Validation
117 tests pass. mypy --strict and ruff check both clean. No code changes.