Integration tests for annotation, audit, cache, and CallGraphFromTo tools (#170)

* feat: SqliteStore backend with annotation, audit, and cache tools

Replace lowdb with sql.js (asm.js build) for zero-dependency SQLite persistence.
Bundle inline with esbuild — no native modules, no external deps at runtime.

SqliteStore provides three tables:
- sessions: session tracking (migrated from lowdb)
- annotations: key-value annotation store with categories and metadata
- query_result_cache: BQRS/SARIF result caching with subset retrieval

New tools (gated by ENABLE_ANNOTATION_TOOLS env var):
- annotation_create, annotation_list, annotation_search, annotation_delete
- audit_store_findings, audit_list_findings, audit_add_notes, audit_clear_repo
- query_results_cache_lookup, query_results_cache_retrieve,
  query_results_cache_clear, query_results_cache_compare

Code refactoring for maintainability:
- Extract database-resolver.ts from cli-tool-registry.ts
- Extract query-resolver.ts from cli-tool-registry.ts
- Extract result-processor.ts from cli-tool-registry.ts
- Extract codeql-version.ts from cli-executor.ts

Bug fixes:
- Fix params.output not propagated to proce- Fix params.output not propagated to proce- Fix params.output not propagated txternal predicate conditions for direct query paths

Closes #165

* Add integration tests for annotation, audit, cache, and CallGraphFromTo tools

Client integration test fixtures:
- annotation_create, annotation_delete, annotation_list, annotation_search
- audit_store_findings, audit_list_findings, audit_add_notes, audit_clear_repo
- query_results_cache_lookup, query_results_cache_retrieve,
  query_results_cache_clear, query_results_cache_compare
- codeql_query_run CallGraphFromTo for cpp, javascript, python

Workflow integration test:
- mrva_finding_triage end-to-end workflow

Extension integration tests:
- mcp-tool-e2e: tool availability and MRVA workflow validation

Updated client/scripts/run-integration-tests.sh with annotation mode support.

Closes #166

* Fix server build

* Remove grep from cache tools; fix annotation_search API to FTS semantics; always apply SARIF path for SARIF format

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/219712ee-4c28-4b51-9da5-961020112e6e

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* Sync server src/test/dist to dd/sqlite-annotation-cache tip

Brings in all review feedback fixes (FTS safety, offset-only LIMIT,
cache limit param, int/positive Zod schemas, store lifecycle fix)
and the rebuilt dist.

* Fix extension integration tests

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

Author: data-douser

client/integration-tests/primitives/tools/annotation_create/basic_create/after/monitoring-state.json

@@ -0,0 +1,12 @@
+{
+  "toolName": "annotation_create",
+  "parameters": {
+    "category": "note",
+    "entityKey": "file:test/Example1.ql:L10",
+    "content": "Potential SQL injection via string concatenation",
+    "label": "sql-injection-candidate",
+    "metadata": "{\"severity\":\"high\",\"cwe\":\"CWE-89\"}"
+  },
+  "success": true,
+  "description": "Successfully created a note annotation with content, label, and structured metadata"
+}

client/integration-tests/primitives/tools/annotation_create/basic_create/before/monitoring-state.json

@@ -0,0 +1,12 @@
+{
+  "toolName": "annotation_create",
+  "parameters": {
+    "category": "note",
+    "entityKey": "file:test/Example1.ql:L10",
+    "content": "Potential SQL injection via string concatenation",
+    "label": "sql-injection-candidate",
+    "metadata": "{\"severity\":\"high\",\"cwe\":\"CWE-89\"}"
+  },
+  "expectedSuccess": true,
+  "description": "Test annotation_create tool creates a note annotation with content, label, and metadata"
+}

client/integration-tests/primitives/tools/annotation_create/basic_create/test-config.json

@@ -0,0 +1,10 @@
+{
+  "toolName": "annotation_create",
+  "arguments": {
+    "category": "note",
+    "entityKey": "file:test/Example1.ql:L10",
+    "content": "Potential SQL injection via string concatenation",
+    "label": "sql-injection-candidate",
+    "metadata": "{\"severity\":\"high\",\"cwe\":\"CWE-89\"}"
+  }
+}

client/integration-tests/primitives/tools/annotation_delete/delete_by_prefix/after/monitoring-state.json

@@ -0,0 +1,8 @@
+{
+  "toolName": "annotation_delete",
+  "parameters": {
+    "entityKeyPrefix": "file:test/"
+  },
+  "success": true,
+  "description": "Successfully deleted annotations matching the entity key prefix"
+}

client/integration-tests/primitives/tools/annotation_delete/delete_by_prefix/before/monitoring-state.json

@@ -0,0 +1,8 @@
+{
+  "toolName": "annotation_delete",
+  "parameters": {
+    "entityKeyPrefix": "file:test/"
+  },
+  "expectedSuccess": true,
+  "description": "Test annotation_delete tool deletes annotations matching an entity key prefix"
+}

client/integration-tests/primitives/tools/annotation_delete/delete_by_prefix/test-config.json

@@ -0,0 +1,6 @@
+{
+  "toolName": "annotation_delete",
+  "arguments": {
+    "entityKeyPrefix": "file:test/"
+  }
+}

client/integration-tests/primitives/tools/annotation_list/filter_by_category_and_prefix/after/monitoring-state.json

@@ -0,0 +1,10 @@
+{
+  "toolName": "annotation_list",
+  "parameters": {
+    "category": "note",
+    "entityKeyPrefix": "file:test/",
+    "limit": 10
+  },
+  "success": true,
+  "description": "Successfully listed annotations filtered by category and entity key prefix"
+}

client/integration-tests/primitives/tools/annotation_list/filter_by_category_and_prefix/before/monitoring-state.json

@@ -0,0 +1,10 @@
+{
+  "toolName": "annotation_list",
+  "parameters": {
+    "category": "note",
+    "entityKeyPrefix": "file:test/",
+    "limit": 10
+  },
+  "expectedSuccess": true,
+  "description": "Test annotation_list tool filters annotations by category and entity key prefix"
+}

client/integration-tests/primitives/tools/annotation_list/filter_by_category_and_prefix/test-config.json

@@ -0,0 +1,8 @@
+{
+  "toolName": "annotation_list",
+  "arguments": {
+    "category": "note",
+    "entityKeyPrefix": "file:test/",
+    "limit": 10
+  }
+}

client/integration-tests/primitives/tools/annotation_search/full_text_search/after/monitoring-state.json

@@ -0,0 +1,9 @@
+{
+  "toolName": "annotation_search",
+  "parameters": {
+    "query": "SQL injection",
+    "limit": 20
+  },
+  "success": true,
+  "description": "Successfully searched annotations by content text"
+}