Address PR #169 review comments

- Fix TOCTOU in query-results-evaluator (openSync/fstatSync/readFileSync(fd))
- Use datetime('now') consistently for annotation timestamps
- Debounce flush() with 200ms coalescing via scheduleFlush()
- Fix resultIndices to inclusive [start, end] range with clamping
- Fix WASM→asm.js comments in session-data-manager
- Fix audit-tools header comment (no separate ENABLE_AUDIT_TOOLS flag)
- Add separate maxResults parameter for SARIF in cache-tools
- Use createProjectTempDir() in all test files
- Fix monitoring-tools test init order (mock before initialize)
- Add store.close() in session-data-manager test afterEach

Author: data-douser

server/dist/codeql-development-mcp-server.js

@@ -184843,7 +184843,7 @@ import { createHash as createHash2 } from "crypto";
 // src/lib/query-results-evaluator.ts
 init_cli_executor();
 init_logger();
-import { writeFileSync, readFileSync as readFileSync4, statSync as statSync3 } from "fs";
+import { fstatSync, openSync, readFileSync as readFileSync4, writeFileSync } from "fs";
 import { dirname as dirname3, isAbsolute as isAbsolute3 } from "path";
 import { mkdirSync as mkdirSync4 } from "fs";
 var BUILT_IN_EVALUATORS = {
@@ -184854,13 +184854,13 @@ var BUILT_IN_EVALUATORS = {
 var metadataCache = /* @__PURE__ */ new Map();
 async function extractQueryMetadata(queryPath) {
   try {
-    const stat = statSync3(queryPath);
-    const mtime = stat.mtimeMs;
+    const fd = openSync(queryPath, "r");
+    const mtime = fstatSync(fd).mtimeMs;
     const cached2 = metadataCache.get(queryPath);
     if (cached2 && cached2.mtime === mtime) {
       return cached2.metadata;
     }
-    const queryContent = readFileSync4(queryPath, "utf-8");
+    const queryContent = readFileSync4(fd, "utf-8");
     const metadata = {};
     const kindMatch = queryContent.match(/@kind\s+([^\s]+)/);
     if (kindMatch) metadata.kind = kindMatch[1];
@@ -185119,11 +185119,14 @@ var import_sql_asm = __toESM(require_sql_asm(), 1);
 init_logger();
 import { existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync5, writeFileSync as writeFileSync2 } from "fs";
 import { join as join8 } from "path";
-var SqliteStore = class {
+var SqliteStore = class _SqliteStore {
   db = null;
   dbPath;
   storageDir;
   dirty = false;
+  flushTimer = null;
+  /** Debounce interval (ms) for automatic disk writes after mutations. */
+  static FLUSH_DEBOUNCE_MS = 200;
   constructor(storageDir) {
     this.storageDir = storageDir;
     this.dbPath = join8(storageDir, "ql-mcp.db");
@@ -185243,12 +185246,27 @@ var SqliteStore = class {
    * Write the in-memory database to disk.
    */
   flush() {
+    if (this.flushTimer) {
+      globalThis.clearTimeout(this.flushTimer);
+      this.flushTimer = null;
+    }
     if (!this.db) return;
     const data = this.db.export();
     const buffer = Buffer.from(data);
     writeFileSync2(this.dbPath, buffer);
     this.dirty = false;
   }
+  /**
+   * Schedule a debounced flush.  Multiple rapid writes are coalesced into
+   * a single disk write after `FLUSH_DEBOUNCE_MS` of inactivity.
+   */
+  scheduleFlush() {
+    if (this.flushTimer) globalThis.clearTimeout(this.flushTimer);
+    this.flushTimer = globalThis.setTimeout(() => {
+      this.flushTimer = null;
+      this.flushIfDirty();
+    }, _SqliteStore.FLUSH_DEBOUNCE_MS);
+  }
   /**
    * Flush only if there are pending writes.
    */
@@ -185277,7 +185295,7 @@ var SqliteStore = class {
       { $id: sessionId, $data: json2 }
     );
     this.dirty = true;
-    this.flush();
+    this.scheduleFlush();
   }
   /**
    * Retrieve a single session by ID, or null if not found.
@@ -185313,7 +185331,7 @@ var SqliteStore = class {
    */
   deleteSession(sessionId) {
     this.exec("DELETE FROM sessions WHERE session_id = $id", { $id: sessionId });
-    this.flush();
+    this.scheduleFlush();
   }
   /**
    * Count active sessions.
@@ -185334,24 +185352,21 @@ var SqliteStore = class {
    */
   createAnnotation(category, entityKey, content, label, metadata) {
     const db = this.ensureDb();
-    const now = (/* @__PURE__ */ new Date()).toISOString();
     db.run(
       `INSERT INTO annotations (category, entity_key, label, content, metadata, created_at, updated_at)
-       VALUES ($category, $entity_key, $label, $content, $metadata, $created_at, $updated_at)`,
+       VALUES ($category, $entity_key, $label, $content, $metadata, datetime('now'), datetime('now'))`,
       {
         $category: category,
         $entity_key: entityKey,
         $label: label ?? null,
         $content: content ?? null,
-        $metadata: metadata ?? null,
-        $created_at: now,
-        $updated_at: now
+        $metadata: metadata ?? null
       }
     );
     this.dirty = true;
     const result = db.exec("SELECT last_insert_rowid() as id");
     const id = result.length > 0 ? result[0].values[0][0] : 0;
-    this.flush();
+    this.scheduleFlush();
     return id;
   }
   /**
@@ -185441,7 +185456,7 @@ var SqliteStore = class {
     );
     const changed = this.getRowsModified();
     this.dirty = true;
-    this.flush();
+    this.scheduleFlush();
     return changed > 0;
   }
   /**
@@ -185474,7 +185489,7 @@ var SqliteStore = class {
     );
     const deleted = this.getRowsModified();
     this.dirty = true;
-    this.flush();
+    this.scheduleFlush();
     return deleted;
   }
   // ---------------------------------------------------------------------------
@@ -185511,7 +185526,7 @@ var SqliteStore = class {
       }
     );
     this.dirty = true;
-    this.flush();
+    this.scheduleFlush();
   }
   /**
    * Look up a cache entry by key. Returns metadata (no content) or null.
@@ -185610,8 +185625,15 @@ var SqliteStore = class {
         });
       }
       if (options.resultIndices) {
-        const [start, end] = options.resultIndices;
-        selected = selected.slice(start, end);
+        const [rawStart, rawEnd] = options.resultIndices;
+        const total = selected.length;
+        if (Number.isFinite(rawStart) && Number.isFinite(rawEnd) && total > 0) {
+          const start = Math.max(0, Math.min(total - 1, Math.floor(rawStart)));
+          const end = Math.max(0, Math.min(total - 1, Math.floor(rawEnd)));
+          selected = end >= start ? selected.slice(start, end + 1) : [];
+        } else {
+          selected = [];
+        }
       }
       const truncated = selected.length > maxResults;
       if (truncated) {
@@ -185693,7 +185715,7 @@ var SqliteStore = class {
     if (filter?.all) {
       this.exec("DELETE FROM query_result_cache");
       const deleted2 = this.getRowsModified();
-      this.flush();
+      this.scheduleFlush();
       return deleted2;
     }
     const conditions = [];
@@ -185718,7 +185740,7 @@ var SqliteStore = class {
     );
     const deleted = this.getRowsModified();
     this.dirty = true;
-    this.flush();
+    this.scheduleFlush();
     return deleted;
   }
 };
@@ -185870,7 +185892,7 @@ var SessionDataManager = class {
   }
   /**
    * Initialize the database and ensure it's properly set up.
-   * Must be awaited before any session operations (sql.js WASM init is async).
+   * Must be awaited before any session operations (sql.js init is async).
    */
   async initialize() {
     try {
@@ -190011,7 +190033,7 @@ var codeqlGenerateQueryHelpTool = {
 };
 
 // src/tools/codeql/list-databases.ts
-import { existsSync as existsSync9, readdirSync as readdirSync4, readFileSync as readFileSync8, statSync as statSync5 } from "fs";
+import { existsSync as existsSync9, readdirSync as readdirSync4, readFileSync as readFileSync8, statSync as statSync4 } from "fs";
 import { join as join12 } from "path";
 
 // src/lib/discovery-config.ts
@@ -190076,7 +190098,7 @@ async function discoverDatabases(baseDirs, language) {
     for (const entry of entries) {
       const entryPath = join12(baseDir, entry);
       try {
-        if (!statSync5(entryPath).isDirectory()) {
+        if (!statSync4(entryPath).isDirectory()) {
           continue;
         }
       } catch {
@@ -190165,7 +190187,7 @@ function registerListDatabasesTool(server) {
 }
 
 // src/tools/codeql/list-mrva-run-results.ts
-import { existsSync as existsSync10, readdirSync as readdirSync5, readFileSync as readFileSync9, statSync as statSync6 } from "fs";
+import { existsSync as existsSync10, readdirSync as readdirSync5, readFileSync as readFileSync9, statSync as statSync5 } from "fs";
 import { join as join13 } from "path";
 init_logger();
 var NUMERIC_DIR_PATTERN = /^\d+$/;
@@ -190185,7 +190207,7 @@ async function discoverMrvaRunResults(resultsDirs, runId) {
     for (const entry of entries) {
       const entryPath = join13(dir, entry);
       try {
-        if (!statSync6(entryPath).isDirectory()) {
+        if (!statSync5(entryPath).isDirectory()) {
           continue;
         }
       } catch {
@@ -190230,7 +190252,7 @@ function discoverRepoResults(runPath) {
     }
     const ownerPath = join13(runPath, ownerEntry);
     try {
-      if (!statSync6(ownerPath).isDirectory()) {
+      if (!statSync5(ownerPath).isDirectory()) {
         continue;
       }
     } catch {
@@ -190245,7 +190267,7 @@ function discoverRepoResults(runPath) {
     for (const repoEntry of repoEntries) {
       const repoPath = join13(ownerPath, repoEntry);
       try {
-        if (!statSync6(repoPath).isDirectory()) {
+        if (!statSync5(repoPath).isDirectory()) {
           continue;
         }
       } catch {
@@ -190352,7 +190374,7 @@ function registerListMrvaRunResultsTool(server) {
 }
 
 // src/tools/codeql/list-query-run-results.ts
-import { existsSync as existsSync11, readdirSync as readdirSync6, readFileSync as readFileSync10, statSync as statSync7 } from "fs";
+import { existsSync as existsSync11, readdirSync as readdirSync6, readFileSync as readFileSync10, statSync as statSync6 } from "fs";
 import { join as join14 } from "path";
 init_logger();
 var QUERY_RUN_DIR_PATTERN = /^(.+\.ql)-(.+)$/;
@@ -190401,7 +190423,7 @@ async function discoverQueryRunResults(resultsDirs, filter) {
     for (const entry of entries) {
       const entryPath = join14(dir, entry);
       try {
-        if (!statSync7(entryPath).isDirectory()) {
+        if (!statSync6(entryPath).isDirectory()) {
           continue;
         }
       } catch {
@@ -191541,7 +191563,7 @@ function registerQuickEvaluateTool(server) {
 
 // src/tools/codeql/read-database-source.ts
 var import_adm_zip = __toESM(require_adm_zip(), 1);
-import { existsSync as existsSync14, readdirSync as readdirSync7, readFileSync as readFileSync11, statSync as statSync8 } from "fs";
+import { existsSync as existsSync14, readdirSync as readdirSync7, readFileSync as readFileSync11, statSync as statSync7 } from "fs";
 import { join as join18, resolve as resolve7 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 init_logger();
@@ -191560,7 +191582,7 @@ function toFilesystemPath(uri) {
 function* walkDirectory(dir, base = dir) {
   for (const entry of readdirSync7(dir)) {
     const fullPath = join18(dir, entry);
-    if (statSync8(fullPath).isDirectory()) {
+    if (statSync7(fullPath).isDirectory()) {
       yield* walkDirectory(fullPath, base);
     } else {
       yield fullPath.slice(base.length).replace(/\\/g, "/").replace(/^\//, "");
@@ -192051,7 +192073,7 @@ var codeqlResolveTestsTool = {
 };
 
 // src/tools/codeql/search-ql-code.ts
-import { closeSync, createReadStream as createReadStream3, fstatSync, lstatSync, openSync, readdirSync as readdirSync8, readFileSync as readFileSync12, realpathSync } from "fs";
+import { closeSync, createReadStream as createReadStream3, fstatSync as fstatSync2, lstatSync, openSync as openSync2, readdirSync as readdirSync8, readFileSync as readFileSync12, realpathSync } from "fs";
 import { basename as basename8, extname as extname2, join as join19, resolve as resolve9 } from "path";
 import { createInterface as createInterface3 } from "readline";
 init_logger();
@@ -192108,13 +192130,13 @@ function collectFiles(paths, extensions, fileCount) {
 async function searchFile(filePath, regex, contextLines, maxCollect) {
   let fd;
   try {
-    fd = openSync(filePath, "r");
+    fd = openSync2(filePath, "r");
   } catch {
     return { matches: [], totalCount: 0 };
   }
   let size;
   try {
-    size = fstatSync(fd).size;
+    size = fstatSync2(fd).size;
   } catch {
     try {
       closeSync(fd);
@@ -195541,12 +195563,13 @@ function registerQueryResultsCacheRetrieveTool(server) {
     {
       cacheKey: external_exports.string().describe("The cache key of the result to retrieve."),
       lineRange: external_exports.tuple([external_exports.number(), external_exports.number()]).optional().describe("Line range [start, end] (1-indexed). For graphtext/CSV output."),
-      resultIndices: external_exports.tuple([external_exports.number(), external_exports.number()]).optional().describe("SARIF result index range [start, end] (0-indexed)."),
+      resultIndices: external_exports.tuple([external_exports.number(), external_exports.number()]).optional().describe("SARIF result index range [start, end] (0-indexed, inclusive)."),
       fileFilter: external_exports.string().optional().describe("For SARIF: only include results whose file path contains this string."),
       grep: external_exports.string().optional().describe("Text search filter: only include lines/results containing this term."),
-      maxLines: external_exports.number().optional().describe("Maximum number of lines to return (default: 500).")
+      maxLines: external_exports.number().optional().describe("Maximum number of lines to return for line-based formats (default: 500)."),
+      maxResults: external_exports.number().optional().describe("Maximum number of SARIF results to return (default: 100).")
     },
-    async ({ cacheKey: cacheKey2, lineRange, resultIndices, fileFilter, grep, maxLines }) => {
+    async ({ cacheKey: cacheKey2, lineRange, resultIndices, fileFilter, grep, maxLines, maxResults }) => {
       const store = sessionDataManager.getStore();
       const meta = store.getCacheEntryMeta(cacheKey2);
       if (!meta) {
@@ -195557,7 +195580,7 @@ function registerQueryResultsCacheRetrieveTool(server) {
         const subset2 = store.getCacheSarifSubset(cacheKey2, {
           resultIndices,
           fileFilter,
-          maxResults: maxLines
+          maxResults
         });
         if (!subset2) {
           return { content: [{ type: "text", text: `Cached content not available for key: ${cacheKey2}` }] };

server/dist/codeql-development-mcp-server.js.map

@@ -4,7 +4,7 @@
 
 import { executeCodeQLCommand } from './cli-executor';
 import { logger } from '../utils/logger';
-import { writeFileSync, readFileSync, statSync } from 'fs';
+import { fstatSync, openSync, readFileSync, writeFileSync } from 'fs';
 import { dirname, isAbsolute } from 'path';
 import { mkdirSync } from 'fs';
 
@@ -46,15 +46,15 @@ const metadataCache = new Map<string, { mtime: number; metadata: QueryMetadata }
  */
 export async function extractQueryMetadata(queryPath: string): Promise<QueryMetadata> {
   try {
-    // Check cache with mtime validation
-    const stat = statSync(queryPath);
-    const mtime = stat.mtimeMs;
+    // Open once, then fstat + read via the fd to avoid TOCTOU race (CWE-367).
+    const fd = openSync(queryPath, 'r');
+    const mtime = fstatSync(fd).mtimeMs;
     const cached = metadataCache.get(queryPath);
     if (cached && cached.mtime === mtime) {
       return cached.metadata;
     }
 
-    const queryContent = readFileSync(queryPath, 'utf-8');
+    const queryContent = readFileSync(fd, 'utf-8');
     const metadata: QueryMetadata = {};
 
     // Extract metadata from comments using regex patterns

server/src/lib/query-results-evaluator.ts

@@ -1,6 +1,6 @@
 /**
  * Session Data Management
- * Provides session lifecycle management backed by SqliteStore (sql.js WASM)
+ * Provides session lifecycle management backed by SqliteStore (sql.js asm.js)
  */
 
 import { mkdirSync, writeFileSync } from 'fs';
@@ -45,7 +45,7 @@ export class SessionDataManager {
 
   /**
    * Initialize the database and ensure it's properly set up.
-   * Must be awaited before any session operations (sql.js WASM init is async).
+   * Must be awaited before any session operations (sql.js init is async).
    */
   async initialize(): Promise<void> {
     try {