Ensure cross-platform support via client integration tests run on ubuntu-latest and windows-latest (#22)

* Initial plan

* fix: cross-platform support for Windows compatibility

- Use pathToFileURL() instead of file:// string concatenation in:
  - server/src/ql-mcp-server.ts (entrypoint check)
  - server/src/tools/codeql/language-server-eval.ts (workspace URI)
  - client/src/ql-mcp-client.js (entrypoint check)
- Fix path.includes() to normalize separators in cli-tool-registry.ts
- Replace .split('/').pop() with path.basename() for cross-platform path handling
- Update client-integration-tests.yml to run on matrix of ubuntu-latest and windows-latest
- Add platform-specific CI steps for process cleanup and OS dependencies
- Update setup-codeql-environment action with Windows cache paths

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* refactor: improve path normalization performance using replace() instead of split/join

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* Bash on Windows as an actions workflow fix...

* Initial plan

* Fix Windows integration test: use bash shell for CodeQL CLI check

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* fix: create Windows-compatible codeql.cmd wrapper

On Windows, gh codeql install-stub creates a bash script (codeql) which
is not discoverable by Node.js child_process.spawn(). This causes
'spawn codeql ENOENT' errors in integration tests.

Add a step that creates a codeql.cmd wrapper delegating to 'gh codeql'
so that spawn('codeql', ...) resolves correctly on Windows.

Aligns with github/gh-codeql#21 which adds native Windows support to
install-stub. This workaround can be removed once that PR is merged.

* Another attempted fix for client-integration-tests on Windows

* Yet another attempted fix on Windows

* Cleanup OS tmp dir client integration tests

* Fixes for PR review comments

* More fixes for latest PR review comments

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: data-douser

.github/actions/setup-codeql-environment/action.yml

@@ -75,8 +75,9 @@ runs:
         echo "  CodeQL Version: $CODEQL_VERSION"
         echo "  Cache Key: $CODEQL_CACHE_KEY"
 
-    - name: Cache `gh-codeql` extension and CodeQL packages
-      id: cache-codeql
+    - name: Cache `gh-codeql` extension and CodeQL packages (Unix)
+      id: cache-codeql-unix
+      if: runner.os != 'Windows'
       uses: actions/cache@v4
       with:
         path: |
@@ -86,6 +87,18 @@ runs:
         restore-keys: |
           gh-codeql-${{ runner.os }}-${{ steps.codeql-version.outputs.codeql-version }}-
 
+    - name: Cache `gh-codeql` extension and CodeQL packages (Windows)
+      id: cache-codeql-windows
+      if: runner.os == 'Windows'
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~\AppData\Local\GitHub\gh-codeql
+          ~\.codeql\packages
+        key: ${{ steps.codeql-version.outputs.codeql-cache-key }}
+        restore-keys: |
+          gh-codeql-${{ runner.os }}-${{ steps.codeql-version.outputs.codeql-version }}-
+
     # Install GitHub CLI CodeQL extension and set `codeql` CLI version
     - name: Install GitHub CLI CodeQL extension and set version
       id: install-gh-codeql
@@ -136,6 +149,49 @@ runs:
 
         echo "✅ GitHub CLI CodeQL extension installed successfully"
 
+    # On Windows, gh codeql install-stub creates a bash script which is not
+    # discoverable by Node.js child_process.spawn() or execFile(), since
+    # these functions only resolve real executables (.exe), not scripts.
+    # Find the actual codeql.exe binary from the gh-codeql distribution
+    # and add its directory to PATH so that spawn('codeql', ...) works.
+    # This workaround can be removed once github/gh-codeql#21 is merged,
+    # which adds native Windows support to install-stub.
+    - name: Add CodeQL binary directory to PATH (Windows)
+      if: runner.os == 'Windows'
+      shell: bash
+      run: |
+        echo "🔧 Locating actual codeql.exe binary for Windows compatibility..."
+
+        # The gh-codeql extension stores the CodeQL CLI binary under the
+        # GitHub CLI extensions directory. On Windows runners this is:
+        #   $LOCALAPPDATA/GitHub CLI/extensions/gh-codeql/dist/release/<version>/
+        GH_EXTENSIONS_DIR="${LOCALAPPDATA:-$HOME/AppData/Local}/GitHub CLI/extensions/gh-codeql"
+
+        if [ ! -d "$GH_EXTENSIONS_DIR" ]; then
+          echo "⚠️ gh-codeql extensions directory not found at: $GH_EXTENSIONS_DIR"
+          echo "Searching more broadly under LOCALAPPDATA..."
+          GH_EXTENSIONS_DIR="${LOCALAPPDATA:-$HOME/AppData/Local}"
+        fi
+
+        # Find the codeql.exe binary in the gh-codeql distribution
+        CODEQL_EXE=$(find "$GH_EXTENSIONS_DIR" -name "codeql.exe" -type f 2>/dev/null | head -1)
+
+        if [ -z "$CODEQL_EXE" ]; then
+          echo "❌ Error: codeql.exe not found under $GH_EXTENSIONS_DIR"
+          echo "Directory listing (top 30 files):"
+          find "$GH_EXTENSIONS_DIR" -maxdepth 5 -type f 2>/dev/null | head -30
+          exit 1
+        fi
+
+        CODEQL_BIN_DIR=$(dirname "$CODEQL_EXE")
+        echo "Found codeql.exe at: $CODEQL_EXE"
+        echo "Adding $CODEQL_BIN_DIR to PATH"
+
+        # Prepend the directory containing codeql.exe to PATH
+        echo "$CODEQL_BIN_DIR" >> "$GITHUB_PATH"
+
+        echo "✅ Added CodeQL binary directory to PATH for Windows"
+
     - name: Setup CodeQL environment variables
       id: setup-codeql-env
       shell: bash

.github/agents/ql-mcp-tool-tester.md

@@ -25,6 +25,7 @@ My `ql-mcp-tool-tester` agent:
 - NEVER makes anything up about CodeQL CLI behavior or MCP protocol.
 - NEVER modifies the MCP server or client code; focuses solely on testing and validating the tools/primitives.
 - NEVER "pipes" or redirects `npm test` or `npm run test*` command outputs in any way. Just observe the raw output and use exit codes to determine success/failure.
+- **NEVER uses `os.tmpdir()`, `/tmp`, or any OS-level temporary directory** in test code, fixtures, or tool invocations. The OS temp directory is world-readable and triggers CWE-377/CWE-378 vulnerabilities. All temporary files MUST use the project-local `<repoRoot>/.tmp/` directory. In integration test fixtures the `{{tmpdir}}` placeholder resolves to this project-local directory at runtime — it does NOT resolve to the OS temp directory.
 
 ## Related Skills
 

.github/instructions/server_test_ts.instructions.md

@@ -35,3 +35,4 @@ This file contains instructions for working with TypeScript test files in the `s
 - NEVER write tests that depend on external resources or network calls without proper mocking.
 - NEVER write overly complex tests that test multiple concerns in a single test case.
 - NEVER skip writing tests for new functionality or bug fixes.
+- **NEVER use `os.tmpdir()`, `/tmp`, or any OS-level temporary directory** in test code or test fixtures. The OS temp directory is world-readable and triggers CWE-377/CWE-378 vulnerabilities. Instead, ALWAYS use the project-local `.tmp/` directory via `getProjectTmpDir()`, `createProjectTempDir()`, or `getProjectTmpBase()` from `server/src/utils/temp-dir.ts`. For integration test fixtures, use the `{{tmpdir}}` placeholder which resolves at runtime to `<repoRoot>/.tmp/`.

.github/workflows/client-integration-tests.yml

@@ -6,17 +6,17 @@ on:
     paths:
       - '.github/actions/setup-codeql-environment/action.yml'
       - '.github/workflows/client-integration-tests.yml'
-      - '.node-version'
       - '.codeql-version'
+      - '.node-version'
       - 'client/**'
       - 'server/**'
   pull_request:
     branches: [main]
     paths:
       - '.github/actions/setup-codeql-environment/action.yml'
       - '.github/workflows/client-integration-tests.yml'
-      - '.node-version'
       - '.codeql-version'
+      - '.node-version'
       - 'client/**'
       - 'server/**'
   workflow_dispatch:
@@ -26,7 +26,13 @@ permissions:
 
 jobs:
   integration-tests:
-    runs-on: ubuntu-latest
+    name: Integration Tests (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
 
     env:
       HTTP_HOST: 'localhost'
@@ -44,9 +50,14 @@ jobs:
           cache: 'npm'
           node-version-file: '.node-version'
 
-      - name: MCP Integration Tests - Install OS dependencies
+      - name: MCP Integration Tests - Install OS dependencies (Ubuntu)
+        if: runner.os == 'Linux'
         run: sudo apt-get install -y jq
 
+      - name: MCP Integration Tests - Install OS dependencies (Windows)
+        if: runner.os == 'Windows'
+        run: choco install jq -y
+
       - name: MCP Integration Tests - Install node dependencies for client and server workspaces
         run: npm ci --workspace=client && npm ci --workspace=server
 
@@ -55,44 +66,80 @@ jobs:
         with:
           install-language-runtimes: false
 
+      ## Verify that the CodeQL CLI is spawnable from Node.js, not just from
+      ## bash. On Windows, Node.js spawn()/execFile() require a real .exe
+      ## binary on PATH, not a bash stub or .cmd wrapper. Fail fast here
+      ## instead of waiting for integration tests to time out.
+      - name: MCP Integration Tests - Verify CodeQL CLI is spawnable from Node.js
+        shell: bash
+        run: |
+          node -e "
+            const { execFile } = require('child_process');
+            execFile('codeql', ['version', '--format=terse'], (err, stdout) => {
+              if (err) {
+                console.error('❌ CodeQL CLI is not spawnable from Node.js:', err.message);
+                console.error('This typically means codeql.exe is not on PATH (Windows).');
+                process.exit(1);
+              }
+              console.log('✅ CodeQL CLI is spawnable from Node.js, version:', stdout.trim());
+            });
+          "
+
       ## Install packs used in the integration tests.
       - name: MCP Integration Tests - Install CodeQL packs
+        shell: bash
         run: ./server/scripts/install-packs.sh
 
       ## Extract test databases used in the integration tests.
       - name: MCP Integration Tests - Extract test databases
+        shell: bash
         run: ./server/scripts/extract-test-databases.sh
 
+      ## Configure npm to use bash for running scripts on Windows, since the
+      ## integration test scripts are bash scripts that cmd.exe cannot execute.
+      - name: MCP Integration Tests - Configure npm script shell (Windows)
+        if: runner.os == 'Windows'
+        shell: bash
+        run: npm config set script-shell "$(which bash)"
+
       ## Run integration tests. This script builds the server bundle and runs tests.
       ## We do NOT use 'npm run build-and-test' as it runs query unit tests which
       ## have a dedicated workflow (query-unit-tests.yml).
       - name: MCP Integration Tests - Run integration tests
+        shell: bash
         run: npm run test:integration --workspace=client
 
       - name: MCP Integration Tests - Stop the background MCP server process
         if: always()
+        shell: bash
         run: |
           if [ -f server.pid ]; then
             PID=$(cat server.pid)
             echo "Stopping server with PID $PID"
-            if kill -0 $PID 2>/dev/null; then
-              kill $PID || true
+            if kill -0 "$PID" 2>/dev/null; then
+              kill "$PID" || true
               sleep 2
               # Force kill if still running
-              if kill -0 $PID 2>/dev/null; then
+              if kill -0 "$PID" 2>/dev/null; then
                 echo "Force killing server process"
-                kill -9 $PID || true
+                kill -9 "$PID" || true
               fi
             else
               echo "Server process was not running"
             fi
-            rm server.pid
+            rm -f server.pid
           else
             echo "No server.pid file found"
           fi
 
           # Clean up log files
           if [ -f server.log ]; then
             echo "Removing server.log"
-            rm server.log
+            rm -f server.log
           fi
+
+      - name: MCP Integration Tests - Summary
+        shell: bash
+        run: |
+          echo "## Integration Tests Summary (${{ matrix.os }})" >> $GITHUB_STEP_SUMMARY
+          echo "✅ MCP server integration tests passed on ${{ matrix.os }}" >> $GITHUB_STEP_SUMMARY

client/integration-tests/README.md

@@ -38,15 +38,15 @@ Common mistakes to avoid:
 - ❌ **DO NOT** commit files like `evaluator-log.json`, `query-results.bqrs`, `*.bqrs` files to the repository root
 - ❌ **DO NOT** commit temporary files created during integration test development to the repository root
 - ✅ **DO** place all test output files in the appropriate `client/integration-tests/primitives/tools/<tool_name>/<test_name>/after/` directory
-- ✅ **DO** use `/tmp/` paths for temporary files during development and testing
+- ✅ **DO** use `{{tmpdir}}` as a placeholder for the project-local temporary directory in test fixture paths (resolved at runtime to `<repoRoot>/.tmp/`)
 
 **File generation best practices:**
 
 1. **Generate test files correctly**: When creating integration tests that involve file generation (e.g., BQRS files, evaluator logs):
    - Run the actual tool command to generate authentic files
    - Copy the generated files from their temporary location to the correct `after/` directory
    - Never fabricate or "make up" binary file contents
-2. **Use proper paths**: Always use absolute paths or `/tmp/` paths when running commands that generate files during development
+2. **Use proper paths**: Always use `{{tmpdir}}/` as a placeholder for the project-local temp directory in test fixture JSON files (e.g., `"output": "{{tmpdir}}/results.sarif"`). This resolves at runtime to `<repoRoot>/.tmp/`, **not** the OS temp directory, to avoid CWE-377/CWE-378 (world-readable temp files).
 3. **Verify placement**: Before committing, verify that generated files are in the correct `after/` directory, not in the repository root
 
 The `.gitignore` file has been updated to help prevent accidental commits of common integration test output files in the root directory.

client/integration-tests/primitives/tools/codeql_database_analyze/analyze_javascript_database/before/monitoring-state.json

@@ -4,6 +4,6 @@
     "database": "server/ql/javascript/examples/test/ExampleQuery1/ExampleQuery1.testproj",
     "queries": "server/ql/javascript/examples/src/ExampleQuery1/ExampleQuery1.ql",
     "format": "sarif-latest",
-    "output": "/tmp/integration-test-analyze-results.sarif"
+    "output": "{{tmpdir}}/integration-test-analyze-results.sarif"
   }
 }

client/integration-tests/primitives/tools/codeql_database_create/create_javascript_database/before/monitoring-state.json

@@ -1,7 +1,7 @@
 {
   "sessions": [],
   "parameters": {
-    "database": "/tmp/codeql-integration-test-db",
+    "database": "{{tmpdir}}/codeql-integration-test-db",
     "language": "javascript",
     "source-root": "server/ql/javascript/examples/test/ExampleQuery1",
     "overwrite": true

client/integration-tests/primitives/tools/codeql_query_run/evaluator_logging_with_tuple_counting/after/monitoring-state.json

@@ -10,17 +10,17 @@
           "arguments": {
             "query": "client/integration-tests/static/javascript/src/ExampleQuery1/ExampleQuery1.ql",
             "database": "client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.testproj",
-            "output": "/tmp/test-query-results.bqrs",
-            "evaluator-log": "/tmp/test-evaluator-log.json",
+            "output": "{{tmpdir}}/test-query-results.bqrs",
+            "evaluator-log": "{{tmpdir}}/test-evaluator-log.json",
             "evaluator-log-level": 5,
             "tuple-counting": true
           },
           "response": {
             "stdout": "Evaluation completed successfully",
             "stderr": "WARNING: Ignoring local version because local version support is off.",
             "filesGenerated": [
-              "/tmp/test-query-results.bqrs",
-              "/tmp/test-evaluator-log.json"
+              "{{tmpdir}}/test-query-results.bqrs",
+              "{{tmpdir}}/test-evaluator-log.json"
             ]
           }
         }

client/integration-tests/primitives/tools/codeql_query_run/evaluator_logging_with_tuple_counting/test-config.json

@@ -1,7 +1,7 @@
 {
   "sessions": [],
   "parameters": {
-    "basePath": "/tmp/codeql-test-query",
+    "basePath": "{{tmpdir}}/codeql-test-query",
     "queryName": "TestQuery",
     "language": "javascript",
     "description": "Integration test query"