advanced-security
diff --git a/‎docs/vscode/extension.md‎
Lines changed: 8 additions & 7 deletions b/‎docs/vscode/extension.md‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎extensions/vscode/package.json‎
Lines changed: 5 additions & 0 deletions b/‎extensions/vscode/package.json‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎extensions/vscode/src/codeql/cli-resolver.ts‎
Lines changed: 29 additions & 1 deletion b/‎extensions/vscode/src/codeql/cli-resolver.ts‎
Lines changed: 29 additions & 1 deletion
diff --git a/‎extensions/vscode/src/extension.ts‎
Lines changed: 2 additions & 1 deletion b/‎extensions/vscode/src/extension.ts‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎extensions/vscode/src/server/pack-installer.ts‎
Lines changed: 172 additions & 3 deletions b/‎extensions/vscode/src/server/pack-installer.ts‎
Lines changed: 172 additions & 3 deletions
@@ -71,13 +71,14 @@ On activation the extension:
 
 ## Settings
 
-| Setting                           | Default    | Description                                                    |
-| --------------------------------- | ---------- | -------------------------------------------------------------- |
-| `codeql-mcp.autoInstall`          | `true`     | Automatically install/update the MCP server on activation      |
-| `codeql-mcp.serverVersion`        | `"latest"` | npm version to install (`"latest"` or a specific version)      |
-| `codeql-mcp.serverCommand`        | `"node"`   | Command to launch the MCP server (override for local dev)      |
-| `codeql-mcp.watchCodeqlExtension` | `true`     | Discover databases and query results from the CodeQL extension |
-| `codeql-mcp.additionalEnv`        | `{}`       | Extra environment variables for the MCP server process         |
+| Setting                           | Default    | Description                                                                               |
+| --------------------------------- | ---------- | ----------------------------------------------------------------------------------------- |
+| `codeql-mcp.autoDownloadPacks`    | `true`     | Download pre-compiled tool query packs matching the detected CodeQL CLI version from GHCR |
+| `codeql-mcp.autoInstall`          | `true`     | Automatically install/update the MCP server on activation                                 |
+| `codeql-mcp.serverVersion`        | `"latest"` | npm version to install (`"latest"` or a specific version)                                 |
+| `codeql-mcp.serverCommand`        | `"node"`   | Command to launch the MCP server (override for local dev)                                 |
+| `codeql-mcp.watchCodeqlExtension` | `true`     | Discover databases and query results from the CodeQL extension                            |
+| `codeql-mcp.additionalEnv`        | `{}`       | Extra environment variables for the MCP server process                                    |
 
 ## Commands
 
 
@@ -80,6 +80,11 @@
           "default": [],
           "description": "Additional directories containing query run result subdirectories. Appended to CODEQL_QUERY_RUN_RESULTS_DIRS alongside the vscode-codeql query storage path."
         },
+        "codeql-mcp.autoDownloadPacks": {
+          "type": "boolean",
+          "default": true,
+          "markdownDescription": "Automatically download pre-compiled tool query packs from GHCR that match the detected CodeQL CLI version. When disabled, the extension uses only the VSIX-bundled packs via `codeql pack install` (which requires compilation against the local CLI). Disable this if you want strict use of the bundled packs for the same overall version of both CodeQL CLI and ql-mcp server."
+        },
         "codeql-mcp.autoInstall": {
           "type": "boolean",
           "default": true,
 
@@ -31,6 +31,7 @@ const KNOWN_LOCATIONS = [
  */
 export class CliResolver extends DisposableObject {
   private cachedPath: string | undefined | null = null; // null = not yet resolved
+  private cachedVersion: string | undefined;
 
   constructor(
     private readonly logger: Logger,
@@ -39,6 +40,17 @@ export class CliResolver extends DisposableObject {
     super();
   }
 
+  /**
+   * Get the CodeQL CLI version string (e.g. '2.25.1').
+   *
+   * Returns the cached version detected during the most recent `resolve()`,
+   * or `undefined` if no CLI has been resolved yet or the version could not
+   * be parsed.
+   */
+  getCliVersion(): string | undefined {
+    return this.cachedVersion;
+  }
+
   /** Resolve the CodeQL CLI path. Returns `undefined` if not found. */
   async resolve(): Promise<string | undefined> {
     if (this.cachedPath !== null) {
@@ -93,19 +105,35 @@ export class CliResolver extends DisposableObject {
   /** Clear the cached path so the next `resolve()` re-probes. */
   invalidateCache(): void {
     this.cachedPath = null;
+    this.cachedVersion = undefined;
   }
 
   /** Check if a path exists and responds to `--version`. */
   private async validateBinary(binaryPath: string): Promise<boolean> {
     try {
       await access(binaryPath, constants.X_OK);
-      await this.getVersion(binaryPath);
+      const versionOutput = await this.getVersion(binaryPath);
+      this.cachedVersion = CliResolver.parseVersionString(versionOutput);
       return true;
     } catch {
       return false;
     }
   }
 
+  /**
+   * Parse a version number from the `codeql --version` output.
+   *
+   * Recognises both legacy and current formats:
+   *  - "CodeQL command-line toolchain release 2.19.0."
+   *  - "CodeQL CLI 2.25.1"
+   *
+   * Returns the bare version (e.g. '2.25.1') or `undefined` if not parseable.
+   */
+  static parseVersionString(versionOutput: string): string | undefined {
+    const match = /(\d+\.\d+\.\d+)/.exec(versionOutput);
+    return match?.[1];
+  }
+
   /**
    * Discover the CodeQL CLI binary from the `vscode-codeql` extension's
    * managed distribution directory.
 
@@ -170,11 +170,12 @@ export async function activate(
     logger.info('Auto-install enabled — starting background setup...');
     logger.info(`Install directory: ${serverManager.getInstallDir?.() ?? 'unknown'}`);
     logger.info(`Server launch: ${serverManager.getDescription?.() ?? 'unknown'}`);
+    const autoDownloadPacks = config.get<boolean>('autoDownloadPacks', true);
     // Run in background — don't block activation
     void (async () => {
       try {
         await serverManager.ensureInstalled();
-        await packInstaller.installAll();
+        await packInstaller.installAll({ downloadForCliVersion: autoDownloadPacks });
         mcpProvider.fireDidChange();
         logger.info('✅ MCP server setup complete. Server is ready to be started.');
       } catch (err) {
 
@@ -25,6 +25,11 @@ export interface PackInstallOptions {
  * The bundled copy is always preferred so that the packs used by
  * `codeql pack install` match the server code running from the VSIX.
  *
+ * When the detected CodeQL CLI version differs from the version the
+ * VSIX was built against, the installer downloads pre-compiled packs
+ * from GHCR for the matching CLI version via `codeql pack download`.
+ * This ensures backwards compatibility across published CLI versions.
+ *
  * CodeQL library dependencies (e.g. `codeql/javascript-all`) must be
  * fetched from GHCR via `codeql pack install`. This class automates
  * the `codeql-development-mcp-server-setup-packs` step documented in
@@ -43,6 +48,28 @@ export class PackInstaller extends DisposableObject {
     'swift',
   ] as const;
 
+  /**
+   * Maps CodeQL CLI versions to the ql-mcp tools pack version published
+   * for that CLI release.  Each ql-mcp stable release is built against a
+   * specific CodeQL CLI version, and the published pack version matches
+   * the ql-mcp release version.
+   *
+   * Compatibility range: v2.24.0 (initial public release) through the
+   * current release.
+   */
+  static readonly CLI_VERSION_TO_PACK_VERSION: ReadonlyMap<string, string> =
+    new Map([
+      ['2.24.0', '2.24.0'],
+      ['2.24.1', '2.24.1'],
+      ['2.24.2', '2.24.2'],
+      ['2.24.3', '2.24.3'],
+      ['2.25.0', '2.25.0'],
+      ['2.25.1', '2.25.1'],
+    ]);
+
+  /** Pack scope/prefix for all ql-mcp tools packs on GHCR. */
+  static readonly PACK_SCOPE = 'advanced-security';
+
   constructor(
     private readonly cliResolver: CliResolver,
     private readonly serverManager: ServerManager,
@@ -74,11 +101,43 @@ export class PackInstaller extends DisposableObject {
     );
   }
 
+  /**
+   * Derive the target CodeQL CLI version from the extension's own
+   * package version.  The base version (X.Y.Z, stripping any
+   * pre-release suffix like `-next.1`) corresponds to the CodeQL CLI
+   * release the VSIX was built against.
+   */
+  getTargetCliVersion(): string {
+    const extensionVersion = this.serverManager.getExtensionVersion();
+    return PackInstaller.baseVersion(extensionVersion);
+  }
+
+  /**
+   * Look up the ql-mcp tools pack version to download for a given
+   * CodeQL CLI version.
+   *
+   * Returns the pack version string, or `undefined` if the CLI version
+   * has no known compatible pack release.
+   */
+  static getPackVersionForCli(cliVersion: string): string | undefined {
+    const base = PackInstaller.baseVersion(cliVersion);
+    return PackInstaller.CLI_VERSION_TO_PACK_VERSION.get(base);
+  }
+
   /**
    * Install CodeQL pack dependencies for all (or specified) languages.
-   * Requires the npm package to be installed locally first (via ServerManager).
+   *
+   * When `downloadForCliVersion` is `true` (the default), the installer
+   * detects the actual CodeQL CLI version and, if it differs from what
+   * the VSIX was built against, downloads pre-compiled packs from GHCR
+   * for the matching CLI version.  When the CLI version matches, or when
+   * downloading is disabled, falls back to `codeql pack install` on the
+   * bundled pack sources.
    */
-  async installAll(options?: PackInstallOptions): Promise<void> {
+  async installAll(options?: PackInstallOptions & {
+    /** Download packs matching the detected CLI version (default: true). */
+    downloadForCliVersion?: boolean;
+  }): Promise<void> {
     const codeqlPath = await this.cliResolver.resolve();
     if (!codeqlPath) {
       this.logger.warn(
@@ -87,10 +146,87 @@ export class PackInstaller extends DisposableObject {
       return;
     }
 
-    const qlRoot = this.getQlpackRoot();
     const languages =
       options?.languages ?? [...PackInstaller.SUPPORTED_LANGUAGES];
 
+    const downloadEnabled = options?.downloadForCliVersion ?? true;
+    const actualCliVersion = this.cliResolver.getCliVersion();
+    const targetCliVersion = this.getTargetCliVersion();
+
+    if (downloadEnabled && actualCliVersion && actualCliVersion !== targetCliVersion) {
+      this.logger.info(
+        `CodeQL CLI version ${actualCliVersion} differs from VSIX target ${targetCliVersion}. ` +
+        'Attempting to download compatible tool query packs...',
+      );
+      const downloaded = await this.downloadPacksForCliVersion(
+        codeqlPath, actualCliVersion, languages,
+      );
+      if (downloaded) {
+        return;
+      }
+      this.logger.info(
+        'Pack download did not succeed for all languages — falling back to bundled pack install.',
+      );
+    }
+
+    // Default path: install dependencies for bundled packs
+    await this.installBundledPacks(codeqlPath, languages);
+  }
+
+  /**
+   * Download pre-compiled tool query packs from GHCR for the specified
+   * CodeQL CLI version.
+   *
+   * Returns `true` if all requested languages were downloaded
+   * successfully, `false` otherwise.
+   */
+  async downloadPacksForCliVersion(
+    codeqlPath: string,
+    cliVersion: string,
+    languages: string[],
+  ): Promise<boolean> {
+    const packVersion = PackInstaller.getPackVersionForCli(cliVersion);
+    if (!packVersion) {
+      this.logger.warn(
+        `No known ql-mcp pack version for CodeQL CLI ${cliVersion}. ` +
+        'Falling back to bundled packs.',
+      );
+      return false;
+    }
+
+    this.logger.info(
+      `Downloading ql-mcp tool query packs v${packVersion} for CodeQL CLI ${cliVersion}...`,
+    );
+
+    let allSucceeded = true;
+    for (const lang of languages) {
+      const packRef =
+        `${PackInstaller.PACK_SCOPE}/ql-mcp-${lang}-tools-src@${packVersion}`;
+      this.logger.info(`Downloading ${packRef}...`);
+      try {
+        await this.runCodeqlPackDownload(codeqlPath, packRef);
+        this.logger.info(`Downloaded ${packRef}.`);
+      } catch (err) {
+        this.logger.error(
+          `Failed to download ${packRef}: ${err instanceof Error ? err.message : String(err)}`,
+        );
+        allSucceeded = false;
+      }
+    }
+    return allSucceeded;
+  }
+
+  /**
+   * Install pack dependencies for bundled packs using `codeql pack install`.
+   * This is the original behaviour and serves as the fallback when pack
+   * download is disabled or unavailable.
+   */
+  private async installBundledPacks(
+    codeqlPath: string,
+    languages: string[],
+  ): Promise<void> {
+    const qlRoot = this.getQlpackRoot();
+
     for (const lang of languages) {
       const packDir = join(qlRoot, 'ql', lang, 'tools', 'src');
 
@@ -136,4 +272,37 @@ export class PackInstaller extends DisposableObject {
       );
     });
   }
+
+  /** Run `codeql pack download` for a pack reference (e.g. scope/name@version). */
+  private runCodeqlPackDownload(
+    codeqlPath: string,
+    packRef: string,
+  ): Promise<void> {
+    return new Promise((resolve, reject) => {
+      execFile(
+        codeqlPath,
+        ['pack', 'download', packRef],
+        { timeout: 300_000 },
+        (err, _stdout, stderr) => {
+          if (err) {
+            reject(
+              new Error(`codeql pack download failed: ${stderr || err.message}`),
+            );
+            return;
+          }
+          resolve();
+        },
+      );
+    });
+  }
+
+  /**
+   * Strip any pre-release suffix from a semver string, returning
+   * only the `MAJOR.MINOR.PATCH` portion.
+   */
+  static baseVersion(version: string): string {
+    const stripped = version.startsWith('v') ? version.slice(1) : version;
+    const match = /^(\d+\.\d+\.\d+)/.exec(stripped);
+    return match ? match[1] : stripped;
+  }
 }