Convex Code Review

Security Checklist

1. Argument AND Return Validators

• All public query, mutation, action have args validators
• All functions have returns validators
• No v.any() for sensitive data
• HTTP actions validate request body (Zod recommended)

Search: query({, mutation({, action({ - check each has args: AND returns:

2. Error Handling

• Uses ConvexError for user-facing errors (not plain Error)
• Error codes are structured: { code: "NOT_FOUND", message: "..." }
• No sensitive info leaked in error messages

Search: throw new Error should be throw new ConvexError

3. Access Control

• All public functions check ctx.auth.getUserIdentity() where needed
• Uses auth helpers (requireAuth, requireRole)
• No client-provided email/username for authorization
• Row-level access verified (ownership checks)

Search: ctx.auth.getUserIdentity should appear in most public functions

4. Internal Functions

• ctx.runQuery, ctx.runMutation, ctx.runAction use internal.* not api.*
• ctx.scheduler.runAfter uses internal.* not api.*
• Crons in crons.ts use internal.* not api.*

Search: api. in convex directory - should not be used for scheduling/running

5. Table Names in DB Calls

• All ctx.db.get, patch, replace, delete include table name as first arg

Search: db.get(, db.patch( - first arg should be quoted string

Performance Checklist

6. Database Queries

• No .filter() on queries (use .withIndex() or filter in code)
• .collect() only with bounded results (<1000 docs)
• Pagination for large result sets

Search: \.filter\(\(?q, \.collect\(

7. Indexes

• No redundant indexes (by_foo + by_foo_and_bar)
• All filtered queries use .withIndex()
• Index names include all fields

Review: schema.ts index definitions

8. Date.now() in Queries

• No Date.now() in query functions
• Time filtering uses boolean fields or client-passed timestamps

9. Promise Handling

• All promises awaited (ctx.scheduler, ctx.db.*)

ESLint: no-floating-promises

Architecture Checklist

10. Action Usage

• Actions have "use node"; if using Node.js APIs
• ctx.runAction only when switching runtimes
• No sequential ctx.runMutation/ctx.runQuery (combine for consistency)

11. Code Organization

• Business logic in helper functions (convex/model/)
• Public API handlers are thin wrappers
• Auth helpers in convex/lib/auth.ts

12. Transaction Consistency

• Related reads in same query/mutation
• Batch operations in single mutation
• Mutations are idempotent

Quick Regex Searches

Issue	Regex	Fix
.filter()	\.filter\(\(?q	Use .withIndex()
Missing returns	handler:.*async without returns:	Add returns:
Plain Error	throw new Error\(	Use ConvexError
Missing table name	db\.(get|patch)\([^"']	Add table name
Date.now() in query	Date\.now\(\)	Remove from queries
api.* scheduling	api\.[a-z]	Use internal.*

Production Readiness

1. Security: Validators + ConvexError + Auth checks + Internal functions
2. Performance: Indexes + Bounded queries + No Date.now()
3. Architecture: Helper functions + Proper action usage + "use node"
4. Code Quality: Awaited promises + Table names + Return validators