[NEW PRIMITIVE] sarif_diff_by_commits — SARIF-to-git-diff correlation tool (#236)

* Initial plan

* feat: add sarif_diff_by_commits tool for SARIF-to-git-diff correlation

Implements a new MCP tool that accepts a SARIF file path and git ref range,
partitions SARIF results into "new" vs "pre-existing" based on file-level
or line-level overlap with the git diff, and returns structured output for
triage workflows.

- Add diffSarifByCommits() pure utility in sarif-utils.ts with types
- Register sarif_diff_by_commits tool in sarif-tools.ts
- Add parseGitDiffOutput() helper for unified diff parsing
- Add 14 unit tests for diffSarifByCommits() utility
- Add 5 unit tests for sarif_diff_by_commits tool handler
- Update server-tools.md documentation
- Update tool registration count from 7 to 8

Closes #209

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/8abb21bb-8877-4628-90da-36ffc8eeb742

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* feat: add client integration test for sarif_diff_by_commits

- Add sarif_diff_by_commits case to Go params.go test runner
- Add Go unit test for param resolution (params_test.go)
- Create file_level_classification integration test fixture with:
  - SARIF with 3 results across 2 rules
  - HEAD..HEAD ref range (empty diff → all pre-existing)
  - Assertions validating totalNew=0, totalPreExisting=3
  - before/after directories with SARIF and monitoring state

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/edb1fae4-1f49-44f9-af31-71483b674da7

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* Apply lint/format & rebuild server/dist/

* [UPDATE PRIMITIVE] `sarif_diff_by_commits` — refRange validation, file path improvement, test mock fix (#242)

* Initial plan

* Fix PR #236 review comments: refRange validation, ClassifiedResult.file, test mocking

1. Validate refRange in sarif_diff_by_commits to reject strings starting
   with '-' or containing whitespace (prevents git option injection).

2. Use matchingDiff.path for ClassifiedResult.file when a diff match exists,
   falling back to normalizeUri(uri) only for unmatched results (produces
   repo-relative paths instead of long file:// URI paths).

3. Replace vi.doMock with module-scope vi.mock + shared mockExecuteCLICommand
   to prevent module-cache flakiness in sarif_diff_by_commits handler tests.

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/1960960b-9658-44b5-87d8-bc29cc55a5ef

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* Extend client tests -> sarif_diff_by_commits tool

* fix: address unresolved PR review comments

- Fix deletion-only hunk misclassification in line-level granularity by
  adding hunksParsed flag to DiffFileEntry; parseGitDiffOutput sets it
  when @@ headers are seen, and diffSarifByCommits uses it to distinguish
  "no hunk info" from "deletion-only" diffs
- Precompute normalized diff paths once before the results loop, removing
  the unused diffPathMatchesSarifUri wrapper
- Migrate all params_test.go from t.TempDir() to project-local .tmp/
- Add regression tests for deletion-only diffs in unit and handler tests

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Co-authored-by: Nathan Randall <data-douser@github.com>

Author: Copilot

client/integration-tests/primitives/tools/sarif_diff_by_commits/file_level_classification/README.md

@@ -0,0 +1,19 @@
+# Integration Test: sarif_diff_by_commits - file_level_classification
+
+## Purpose
+
+Validates that the `sarif_diff_by_commits` tool correctly partitions
+SARIF results into "new" vs "pre-existing" based on file-level overlap
+with a git diff. Uses `HEAD..HEAD` (empty diff) so all results are
+classified as pre-existing.
+
+## Inputs
+
+- `results.sarif`: SARIF with 3 results across 2 rules in 3 files
+- `refRange`: `HEAD..HEAD` (produces an empty diff)
+- `granularity`: `file`
+
+## Expected Behavior
+
+Returns structured output with all 3 results in `preExistingResults`
+and 0 results in `newResults`, since the empty diff has no changed files.

client/integration-tests/primitives/tools/sarif_diff_by_commits/file_level_classification/after/monitoring-state.json

@@ -0,0 +1,5 @@
+{
+  "toolName": "sarif_diff_by_commits",
+  "success": true,
+  "description": "Successfully classified all results as pre-existing with empty diff"
+}

client/integration-tests/primitives/tools/sarif_diff_by_commits/file_level_classification/after/results.sarif

@@ -0,0 +1,107 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL",
+          "version": "2.20.4",
+          "rules": [
+            {
+              "id": "js/sql-injection",
+              "name": "js/sql-injection",
+              "shortDescription": {
+                "text": "Database query built from user-controlled sources"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "8.8"
+              }
+            },
+            {
+              "id": "js/xss",
+              "name": "js/xss",
+              "shortDescription": {
+                "text": "Cross-site scripting"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "6.1"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from user input."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/db.js"
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 5,
+                  "endColumn": 38
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from request body."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/api.js"
+                },
+                "region": {
+                  "startLine": 15,
+                  "startColumn": 3,
+                  "endColumn": 40
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/xss",
+          "ruleIndex": 1,
+          "message": {
+            "text": "XSS vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/views.js"
+                },
+                "region": {
+                  "startLine": 30,
+                  "startColumn": 10,
+                  "endColumn": 50
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

client/integration-tests/primitives/tools/sarif_diff_by_commits/file_level_classification/before/monitoring-state.json

@@ -0,0 +1,5 @@
+{
+  "toolName": "sarif_diff_by_commits",
+  "expectedSuccess": true,
+  "description": "Test sarif_diff_by_commits classifies all results as pre-existing with empty diff"
+}

client/integration-tests/primitives/tools/sarif_diff_by_commits/file_level_classification/before/results.sarif

@@ -0,0 +1,107 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL",
+          "version": "2.20.4",
+          "rules": [
+            {
+              "id": "js/sql-injection",
+              "name": "js/sql-injection",
+              "shortDescription": {
+                "text": "Database query built from user-controlled sources"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "8.8"
+              }
+            },
+            {
+              "id": "js/xss",
+              "name": "js/xss",
+              "shortDescription": {
+                "text": "Cross-site scripting"
+              },
+              "properties": {
+                "tags": ["security"],
+                "kind": "path-problem",
+                "precision": "high",
+                "security-severity": "6.1"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from user input."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/db.js"
+                },
+                "region": {
+                  "startLine": 42,
+                  "startColumn": 5,
+                  "endColumn": 38
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/sql-injection",
+          "ruleIndex": 0,
+          "message": {
+            "text": "SQL injection from request body."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/api.js"
+                },
+                "region": {
+                  "startLine": 15,
+                  "startColumn": 3,
+                  "endColumn": 40
+                }
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "js/xss",
+          "ruleIndex": 1,
+          "message": {
+            "text": "XSS vulnerability."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "src/views.js"
+                },
+                "region": {
+                  "startLine": 30,
+                  "startColumn": 10,
+                  "endColumn": 50
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

client/integration-tests/primitives/tools/sarif_diff_by_commits/file_level_classification/test-config.json

@@ -0,0 +1,17 @@
+{
+  "toolName": "sarif_diff_by_commits",
+  "arguments": {
+    "refRange": "HEAD..HEAD",
+    "granularity": "file"
+  },
+  "assertions": {
+    "responseContains": [
+      "\"granularity\": \"file\"",
+      "\"preExistingResults\"",
+      "\"newResults\"",
+      "\"totalPreExisting\": 3",
+      "\"totalNew\": 0",
+      "\"totalResults\": 3"
+    ]
+  }
+}

client/integration-tests/primitives/tools/sarif_diff_by_commits/line_level_classification/README.md

@@ -0,0 +1,20 @@
+# Integration Test: sarif_diff_by_commits - line_level_classification
+
+## Purpose
+
+Validates that the `sarif_diff_by_commits` tool correctly handles
+line-level granularity classification. Uses `HEAD..HEAD` (empty diff)
+so all results are classified as pre-existing regardless of their
+line positions.
+
+## Inputs
+
+- `results.sarif`: SARIF with 3 results across 2 rules in 3 files
+- `refRange`: `HEAD..HEAD` (produces an empty diff)
+- `granularity`: `line`
+
+## Expected Behavior
+
+Returns structured output with `"granularity": "line"`, all 3 results
+in `preExistingResults`, and 0 results in `newResults`, since the
+empty diff has no changed files or hunks to match against.

client/integration-tests/primitives/tools/sarif_diff_by_commits/line_level_classification/after/monitoring-state.json

@@ -0,0 +1,5 @@
+{
+  "toolName": "sarif_diff_by_commits",
+  "success": true,
+  "description": "Successfully classified all results as pre-existing with empty diff (line granularity)"
+}