More fixes for PR review feedback

Author: data-douser

client/Makefile

@@ -2,6 +2,10 @@ BINARY_NAME := gh-ql-mcp-client
 MODULE := github.com/advanced-security/codeql-development-mcp-server/client
 VERSION := $(shell grep 'Version = ' cmd/root.go | head -1 | sed 's/.*"\(.*\)"/\1/')
 
+# Use bash as the Make recipe shell (required on Windows where the default
+# shell cannot execute .sh scripts).
+SHELL := bash
+
 # Disable CGO to avoid Xcode/C compiler dependency
 export CGO_ENABLED = 0
 

client/scripts/start-server.sh

@@ -36,11 +36,17 @@ fi
 # Change to root directory
 cd "$ROOT_DIR"
 
+# Align the server's tmp base with the Go client's {{tmpdir}} placeholder
+# so that log-directory validation passes in HTTP mode (where the server
+# is a separate process that doesn't inherit the Go client's env).
+CODEQL_MCP_TMP_DIR="${CODEQL_MCP_TMP_DIR:-$ROOT_DIR/.tmp}"
+
 # Start server in background and capture PID
 HTTP_HOST="$HTTP_HOST" \
 HTTP_PORT="$HTTP_PORT" \
 TRANSPORT_MODE="$TRANSPORT_MODE" \
 ENABLE_MONITORING_TOOLS="$ENABLE_MONITORING_TOOLS" \
+CODEQL_MCP_TMP_DIR="$CODEQL_MCP_TMP_DIR" \
 node server/dist/codeql-development-mcp-server.js > "$CLIENT_DIR/server.log" 2>&1 &
 
 SERVER_PID=$!

server/dist/codeql-development-mcp-server.js

@@ -38735,7 +38735,7 @@ var require_send = __commonJS({
     var join22 = path3.join;
     var normalize2 = path3.normalize;
     var resolve15 = path3.resolve;
-    var sep3 = path3.sep;
+    var sep4 = path3.sep;
     var BYTES_RANGE_REGEXP = /^ *bytes=/;
     var MAX_MAXAGE = 60 * 60 * 24 * 365 * 1e3;
     var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
@@ -38896,22 +38896,22 @@ var require_send = __commonJS({
       var parts;
       if (root !== null) {
         if (path4) {
-          path4 = normalize2("." + sep3 + path4);
+          path4 = normalize2("." + sep4 + path4);
         }
         if (UP_PATH_REGEXP.test(path4)) {
           debug('malicious path "%s"', path4);
           this.error(403);
           return res;
         }
-        parts = path4.split(sep3);
+        parts = path4.split(sep4);
         path4 = normalize2(join22(root, path4));
       } else {
         if (UP_PATH_REGEXP.test(path4)) {
           debug('malicious path "%s"', path4);
           this.error(403);
           return res;
         }
-        parts = normalize2(path4).split(sep3);
+        parts = normalize2(path4).split(sep4);
         path4 = resolve15(path4);
       }
       if (containsDotFile(parts)) {
@@ -39005,7 +39005,7 @@ var require_send = __commonJS({
       var self2 = this;
       debug('stat "%s"', path4);
       fs3.stat(path4, function onstat(err, stat) {
-        var pathEndsWithSep = path4[path4.length - 1] === sep3;
+        var pathEndsWithSep = path4[path4.length - 1] === sep4;
         if (err && err.code === "ENOENT" && !extname3(path4) && !pathEndsWithSep) {
           return next(err);
         }
@@ -172214,8 +172214,8 @@ var require_adm_zip = __commonJS({
         return null;
       }
       function fixPath(zipPath) {
-        const { join: join22, normalize: normalize2, sep: sep3 } = pth.posix;
-        return join22(pth.isAbsolute(zipPath) ? "/" : ".", normalize2(sep3 + zipPath.split("\\").join(sep3) + sep3));
+        const { join: join22, normalize: normalize2, sep: sep4 } = pth.posix;
+        return join22(pth.isAbsolute(zipPath) ? "/" : ".", normalize2(sep4 + zipPath.split("\\").join(sep4) + sep4));
       }
       function filenameFilter(filterfn) {
         if (filterfn instanceof RegExp) {
@@ -188554,12 +188554,12 @@ init_logger();
 // src/lib/log-directory-manager.ts
 init_temp_dir();
 import { mkdirSync as mkdirSync3, existsSync as existsSync5 } from "fs";
-import { join as join7, resolve as resolve3 } from "path";
+import { join as join7, resolve as resolve3, sep } from "path";
 import { randomBytes } from "crypto";
 function ensurePathWithinBase(baseDir, targetPath) {
   const absBase = resolve3(baseDir);
   const absTarget = resolve3(targetPath);
-  if (!absTarget.startsWith(absBase + "/") && absTarget !== absBase) {
+  if (!absTarget.startsWith(absBase + sep) && absTarget !== absBase) {
     throw new Error(`Provided log directory is outside the allowed base directory: ${absBase}`);
   }
   return absTarget;
@@ -198038,7 +198038,7 @@ function registerLanguageResources(server) {
 
 // src/prompts/workflow-prompts.ts
 import { access as access2 } from "fs/promises";
-import { basename as basename9, isAbsolute as isAbsolute7, normalize, relative, resolve as resolve13, sep as sep2 } from "path";
+import { basename as basename9, isAbsolute as isAbsolute7, normalize, relative, resolve as resolve13, sep as sep3 } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
 
 // src/prompts/check-for-duplicated-code.prompt.md
@@ -198190,7 +198190,7 @@ async function resolvePromptFilePath(filePath, workspaceRoot) {
   const absolutePath = inputWasAbsolute ? normalizedPath : resolve13(effectiveRoot, normalizedPath);
   if (!inputWasAbsolute) {
     const rel = relative(effectiveRoot, absolutePath);
-    if (rel === ".." || rel.startsWith(`..${sep2}`) || isAbsolute7(rel)) {
+    if (rel === ".." || rel.startsWith(`..${sep3}`) || isAbsolute7(rel)) {
       return {
         blocked: true,
         resolvedPath: "",

server/dist/codeql-development-mcp-server.js.map

@@ -3,7 +3,7 @@
  */
 
 import { mkdirSync, existsSync } from 'fs';
-import { join, resolve } from 'path';
+import { join, resolve, sep } from 'path';
 import { randomBytes } from 'crypto';
 import { getProjectTmpDir } from '../utils/temp-dir';
 
@@ -14,7 +14,7 @@ import { getProjectTmpDir } from '../utils/temp-dir';
 function ensurePathWithinBase(baseDir: string, targetPath: string): string {
   const absBase = resolve(baseDir);
   const absTarget = resolve(targetPath);
-  if (!absTarget.startsWith(absBase + '/') && absTarget !== absBase) {
+  if (!absTarget.startsWith(absBase + sep) && absTarget !== absBase) {
     throw new Error(`Provided log directory is outside the allowed base directory: ${absBase}`);
   }
   return absTarget;