advanced-security
diff --git a/‎package-lock.json‎
Lines changed: 7 additions & 28 deletions b/‎package-lock.json‎
Lines changed: 7 additions & 28 deletions
diff --git a/‎server/package.json‎
Lines changed: 1 addition & 1 deletion b/‎server/package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎server/src/codeql-development-mcp-server.ts‎
Lines changed: 12 additions & 0 deletions b/‎server/src/codeql-development-mcp-server.ts‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎server/src/lib/cli-executor.ts‎
Lines changed: 16 additions & 4 deletions b/‎server/src/lib/cli-executor.ts‎
Lines changed: 16 additions & 4 deletions
@@ -61,7 +61,7 @@
     "dotenv": "^17.3.1",
     "express": "^5.2.1",
     "js-yaml": "^4.1.1",
-    "lowdb": "^7.0.1",
+    "sql.js": "^1.14.1",
     "zod": "^3.25.76"
   },
   "devDependencies": {
 
@@ -17,6 +17,9 @@ import { registerLSPTools } from './tools/lsp';
 import { registerLanguageResources } from './resources/language-resources';
 import { registerWorkflowPrompts } from './prompts/workflow-prompts';
 import { registerMonitoringTools } from './tools/monitoring-tools';
+import { registerAnnotationTools } from './tools/annotation-tools';
+import { registerAuditTools } from './tools/audit-tools';
+import { registerCacheTools } from './tools/cache-tools';
 import { sessionDataManager } from './lib/session-data-manager';
 import { resolveCodeQLBinary, validateCodeQLBinaryReachable } from './lib/cli-executor';
 import { initServerManager, shutdownServerManager } from './lib/server-manager';
@@ -74,6 +77,15 @@ export async function startServer(mode: 'stdio' | 'http' = 'stdio'): Promise<Mcp
   // Register monitoring and reporting tools
   registerMonitoringTools(server);
 
+  // Register annotation tools (general-purpose notes/bookmarks)
+  registerAnnotationTools(server);
+
+  // Register audit tools (security audit state tracking)
+  registerAuditTools(server);
+
+  // Register query results cache tools
+  registerCacheTools(server);
+
   // Initialize session data manager
   await sessionDataManager.initialize();
 
 
@@ -8,6 +8,10 @@ import { basename, delimiter, dirname, isAbsolute, join } from 'path';
 import { homedir } from 'os';
 import { promisify } from 'util';
 import { logger } from '../utils/logger';
+import { setActualCodeqlVersion, warnOnVersionMismatch } from './codeql-version';
+
+// Re-export version functions so existing callers don't break
+export { getActualCodeqlVersion, getTargetCodeqlVersion } from './codeql-version';
 
 const execFileAsync = promisify(execFile);
 
@@ -370,9 +374,9 @@ export function resetResolvedCodeQLBinary(): void {
  * Validate that the resolved CodeQL binary is actually callable.
  *
  * Runs `codeql version --format=terse` and verifies the process exits
- * successfully. This catches the case where `CODEQL_PATH` is unset and
- * `codeql` is not on PATH — the server would otherwise start normally
- * but every tool invocation would fail.
+ * successfully. Stores the actual version for later retrieval via
+ * getActualCodeqlVersion(). Warns (but does not fail) if the actual
+ * version differs from the target version in .codeql-version.
  *
  * @returns The version string reported by the CodeQL CLI.
  * @throws Error if the binary is not reachable or returns a non-zero exit code.
@@ -389,7 +393,15 @@ export async function validateCodeQLBinaryReachable(): Promise<string> {
       env,
       timeout: 15_000,
     });
-    return stdout.trim();
+    const version = stdout.trim();
+
+    // Store the actual CLI version for cache keys and diagnostics
+    setActualCodeqlVersion(version);
+
+    // Compare with target version and warn on mismatch
+    warnOnVersionMismatch(version);
+
+    return version;
   } catch (err: unknown) {
     const message = err instanceof Error ? err.message : String(err);
     throw new Error(