Address PR #169 review #4024692955

- annotation_list/annotation_search limit: z.number().int().positive()
- annotation_list offset: z.number().int().nonnegative()
- audit_list_findings limit: z.number().int().positive().max(1000)
- query_results_cache_lookup: add limit param (default 50, max 500)
- listAnnotations: wrap FTS MATCH in try/catch; return [] on syntax error
- listAnnotations: emit LIMIT -1 when only offset is provided (SQLite requirement)
- listCacheEntries: add limit filter support
- SessionDataManager.initialize(): recreate SqliteStore when storageLocation
  changed since construction (fixes test isolation and runtime config updates)
- sqlite-store tests: 3 new cases for FTS error, offset-only, cache limit

Author: data-douser

server/dist/codeql-development-mcp-server.js

@@ -183597,17 +183597,29 @@ var SqliteStore = class _SqliteStore {
       params.$limit = filter.limit;
     }
     if (filter?.offset !== void 0) {
+      if (filter?.limit === void 0) {
+        sql += " LIMIT -1";
+      }
       sql += " OFFSET $offset";
       params.$offset = filter.offset;
     }
     const stmt = db.prepare(sql);
-    stmt.bind(params);
-    const results = [];
-    while (stmt.step()) {
-      results.push(stmt.getAsObject());
+    try {
+      stmt.bind(params);
+      const results = [];
+      while (stmt.step()) {
+        results.push(stmt.getAsObject());
+      }
+      return results;
+    } catch (err) {
+      if (filter?.search) {
+        logger.warn("FTS MATCH query failed (invalid syntax?); returning empty results:", err);
+        return [];
+      }
+      throw err;
+    } finally {
+      stmt.free();
     }
-    stmt.free();
-    return results;
   }
   /**
    * Update an annotation's content, label, and/or metadata.
@@ -183866,6 +183878,10 @@ var SqliteStore = class _SqliteStore {
       sql += " WHERE " + conditions.join(" AND ");
     }
     sql += " ORDER BY created_at DESC";
+    if (filter?.limit !== void 0) {
+      sql += " LIMIT $limit";
+      params.$limit = filter.limit;
+    }
     const stmt = db.prepare(sql);
     stmt.bind(params);
     const results = [];
@@ -184073,6 +184089,12 @@ var SessionDataManager = class {
    */
   async initialize() {
     try {
+      const storageDir = this.getConfig().storageLocation;
+      if (storageDir !== this.storageDir) {
+        this.store.close();
+        this.storageDir = storageDir;
+        this.store = new SqliteStore(this.storageDir);
+      }
       await this.store.initialize();
       const count = this.store.countSessions();
       logger.info(`Session data manager initialized with ${count} sessions`);
@@ -193455,8 +193477,8 @@ function registerAnnotationListTool(server) {
       category: external_exports.string().optional().describe("Filter by annotation category."),
       entityKey: external_exports.string().optional().describe("Filter by exact entity key."),
       entityKeyPrefix: external_exports.string().optional().describe('Filter by entity key prefix (e.g. "repo:owner/name").'),
-      limit: external_exports.number().optional().describe("Maximum number of results (default: 100)."),
-      offset: external_exports.number().optional().describe("Number of results to skip.")
+      limit: external_exports.number().int().positive().optional().describe("Maximum number of results (default: 100)."),
+      offset: external_exports.number().int().nonnegative().optional().describe("Number of results to skip.")
     },
     async ({ category, entityKey, entityKeyPrefix, limit, offset }) => {
       const store = sessionDataManager.getStore();
@@ -193518,7 +193540,7 @@ function registerAnnotationSearchTool(server) {
     {
       search: external_exports.string().describe("Full-text search query matched against annotation content, metadata, and label (SQLite FTS MATCH syntax; use * for prefix matching)."),
       category: external_exports.string().optional().describe("Restrict search to a specific category."),
-      limit: external_exports.number().optional().describe("Maximum number of results (default: 50).")
+      limit: external_exports.number().int().positive().optional().describe("Maximum number of results (default: 50).")
     },
     async ({ search, category, limit }) => {
       const store = sessionDataManager.getStore();
@@ -193603,7 +193625,7 @@ function registerAuditListFindingsTool(server) {
     {
       owner: external_exports.string().describe("Repository owner."),
       repo: external_exports.string().describe("Repository name."),
-      limit: external_exports.number().optional().describe("Maximum number of results.")
+      limit: external_exports.number().int().positive().max(1e3).optional().describe("Maximum number of results (1\u20131000).")
     },
     async ({ owner, repo, limit }) => {
       const store = sessionDataManager.getStore();
@@ -193712,9 +193734,10 @@ function registerQueryResultsCacheLookupTool(server) {
       cacheKey: external_exports.string().optional().describe("Look up by exact cache key (if known)."),
       queryName: external_exports.string().optional().describe('Query name to search for (e.g. "PrintAST", "CallGraphFrom").'),
       databasePath: external_exports.string().optional().describe("Database path to search for."),
-      language: external_exports.string().optional().describe('Filter by language (e.g. "cpp", "javascript").')
+      language: external_exports.string().optional().describe('Filter by language (e.g. "cpp", "javascript").'),
+      limit: external_exports.number().int().positive().max(500).optional().describe("Maximum number of cache entries to return when listing by filter (default: 50, max: 500).")
     },
-    async ({ cacheKey: cacheKey2, queryName, databasePath, language }) => {
+    async ({ cacheKey: cacheKey2, queryName, databasePath, language, limit }) => {
       const store = sessionDataManager.getStore();
       if (cacheKey2) {
         const meta = store.getCacheEntryMeta(cacheKey2);
@@ -193723,7 +193746,7 @@ function registerQueryResultsCacheLookupTool(server) {
         }
         return { content: [{ type: "text", text: JSON.stringify({ cached: false, cacheKey: cacheKey2 }) }] };
       }
-      const entries = store.listCacheEntries({ queryName, databasePath, language });
+      const entries = store.listCacheEntries({ queryName, databasePath, language, limit: limit ?? 50 });
       if (entries.length === 0) {
         return { content: [{ type: "text", text: JSON.stringify({ cached: false, queryName, databasePath, language }) }] };
       }

server/dist/codeql-development-mcp-server.js.map

@@ -49,6 +49,14 @@ export class SessionDataManager {
    */
   async initialize(): Promise<void> {
     try {
+      // (Re)create the store if storageLocation changed since construction
+      // (e.g. via updateConfig or test mocks), closing the previous store first.
+      const storageDir = this.getConfig().storageLocation;
+      if (storageDir !== this.storageDir) {
+        this.store.close();
+        this.storageDir = storageDir;
+        this.store = new SqliteStore(this.storageDir);
+      }
       await this.store.initialize();
       const count = this.store.countSessions();
       logger.info(`Session data manager initialized with ${count} sessions`);

server/src/lib/session-data-manager.ts

@@ -472,19 +472,33 @@ export class SqliteStore {
       params.$limit = filter.limit;
     }
     if (filter?.offset !== undefined) {
+      if (filter?.limit === undefined) {
+        // SQLite requires LIMIT when OFFSET is used; -1 means unlimited.
+        sql += ' LIMIT -1';
+      }
       sql += ' OFFSET $offset';
       params.$offset = filter.offset;
     }
 
     const stmt = db.prepare(sql);
-    stmt.bind(params);
-
-    const results: Annotation[] = [];
-    while (stmt.step()) {
-      results.push(stmt.getAsObject() as unknown as Annotation);
+    try {
+      stmt.bind(params);
+      const results: Annotation[] = [];
+      while (stmt.step()) {
+        results.push(stmt.getAsObject() as unknown as Annotation);
+      }
+      return results;
+    } catch (err) {
+      if (filter?.search) {
+        // Invalid FTS MATCH syntax (e.g. trailing operator) — return an empty
+        // result set rather than propagating the parse error to callers.
+        logger.warn('FTS MATCH query failed (invalid syntax?); returning empty results:', err);
+        return [];
+      }
+      throw err;
+    } finally {
+      stmt.free();
     }
-    stmt.free();
-    return results;
   }
 
   /**
@@ -793,6 +807,7 @@ export class SqliteStore {
     queryName?: string;
     databasePath?: string;
     language?: string;
+    limit?: number;
   }): Array<{
     cacheKey: string;
     queryName: string;
@@ -805,7 +820,7 @@ export class SqliteStore {
   }> {
     const db = this.ensureDb();
     const conditions: string[] = [];
-    const params: Record<string, string> = {};
+    const params: Record<string, string | number> = {};
 
     if (filter?.queryName) {
       conditions.push('query_name = $query_name');
@@ -828,6 +843,11 @@ export class SqliteStore {
     }
     sql += ' ORDER BY created_at DESC';
 
+    if (filter?.limit !== undefined) {
+      sql += ' LIMIT $limit';
+      params.$limit = filter.limit;
+    }
+
     const stmt = db.prepare(sql);
     stmt.bind(params);
 

server/src/lib/sqlite-store.ts

@@ -92,8 +92,8 @@ function registerAnnotationListTool(server: McpServer): void {
       category: z.string().optional().describe('Filter by annotation category.'),
       entityKey: z.string().optional().describe('Filter by exact entity key.'),
       entityKeyPrefix: z.string().optional().describe('Filter by entity key prefix (e.g. "repo:owner/name").'),
-      limit: z.number().optional().describe('Maximum number of results (default: 100).'),
-      offset: z.number().optional().describe('Number of results to skip.'),
+      limit: z.number().int().positive().optional().describe('Maximum number of results (default: 100).'),
+      offset: z.number().int().nonnegative().optional().describe('Number of results to skip.'),
     },
     async ({ category, entityKey, entityKeyPrefix, limit, offset }) => {
       const store = sessionDataManager.getStore();
@@ -170,7 +170,7 @@ function registerAnnotationSearchTool(server: McpServer): void {
     {
       search: z.string().describe('Full-text search query matched against annotation content, metadata, and label (SQLite FTS MATCH syntax; use * for prefix matching).'),
       category: z.string().optional().describe('Restrict search to a specific category.'),
-      limit: z.number().optional().describe('Maximum number of results (default: 50).'),
+      limit: z.number().int().positive().optional().describe('Maximum number of results (default: 50).'),
     },
     async ({ search, category, limit }) => {
       const store = sessionDataManager.getStore();

server/src/tools/annotation-tools.ts

@@ -109,7 +109,7 @@ function registerAuditListFindingsTool(server: McpServer): void {
     {
       owner: z.string().describe('Repository owner.'),
       repo: z.string().describe('Repository name.'),
-      limit: z.number().optional().describe('Maximum number of results.'),
+      limit: z.number().int().positive().max(1000).optional().describe('Maximum number of results (1–1000).'),
     },
     async ({ owner, repo, limit }) => {
       const store = sessionDataManager.getStore();

server/src/tools/audit-tools.ts

@@ -44,8 +44,9 @@ function registerQueryResultsCacheLookupTool(server: McpServer): void {
       queryName: z.string().optional().describe('Query name to search for (e.g. "PrintAST", "CallGraphFrom").'),
       databasePath: z.string().optional().describe('Database path to search for.'),
       language: z.string().optional().describe('Filter by language (e.g. "cpp", "javascript").'),
+      limit: z.number().int().positive().max(500).optional().describe('Maximum number of cache entries to return when listing by filter (default: 50, max: 500).'),
     },
-    async ({ cacheKey, queryName, databasePath, language }) => {
+    async ({ cacheKey, queryName, databasePath, language, limit }) => {
       const store = sessionDataManager.getStore();
 
       // Exact lookup by cache key
@@ -58,7 +59,7 @@ function registerQueryResultsCacheLookupTool(server: McpServer): void {
       }
 
       // List matching entries
-      const entries = store.listCacheEntries({ queryName, databasePath, language });
+      const entries = store.listCacheEntries({ queryName, databasePath, language, limit: limit ?? 50 });
       if (entries.length === 0) {
         return { content: [{ type: 'text' as const, text: JSON.stringify({ cached: false, queryName, databasePath, language }) }] };
       }

server/src/tools/cache-tools.ts

@@ -197,6 +197,23 @@ describe('SqliteStore', () => {
     it('should throw when deleting without a filter', () => {
       expect(() => store.deleteAnnotations({})).toThrow('at least one filter');
     });
+
+    it('should return empty results for invalid FTS MATCH syntax', () => {
+      store.createAnnotation('note', 'key', 'hello world');
+      // Trailing operator is invalid FTS syntax and would normally throw.
+      // listAnnotations should catch it and return [] instead.
+      const results = store.listAnnotations({ search: 'hello AND' });
+      expect(results).toEqual([]);
+    });
+
+    it('should support offset without explicit limit', () => {
+      for (let i = 0; i < 5; i++) {
+        store.createAnnotation('note', `key-${i}`, `content ${i}`);
+      }
+      // Offset only — previously would cause a SQLite syntax error.
+      const results = store.listAnnotations({ offset: 2 });
+      expect(results).toHaveLength(3);
+    });
   });
 
   describe('Persistence', () => {
@@ -412,6 +429,18 @@ describe('SqliteStore', () => {
       expect(store.listCacheEntries({ language: 'java' })).toHaveLength(1);
     });
 
+    it('should limit cache entries returned when limit filter is set', () => {
+      for (let i = 0; i < 5; i++) {
+        store.putCacheEntry({
+          cacheKey: `k${i}`, queryName: 'Q', queryPath: '/q.ql',
+          databasePath: '/db', language: 'cpp', codeqlVersion: '2.25.0',
+          outputFormat: 'csv', resultContent: `c${i}`,
+        });
+      }
+      const limited = store.listCacheEntries({ limit: 3 });
+      expect(limited).toHaveLength(3);
+    });
+
     it('should clear cache entries by filter', () => {
       store.putCacheEntry({
         cacheKey: 'x', queryName: 'Q', queryPath: '/q.ql',