Replace JS ql-mcp-client with Go implementation

Rewrite the ql-mcp-client CLI in Go, replacing the Node.js/JavaScript
implementation with a compiled binary that serves as both a standalone
CLI and a gh CLI extension (gh-ql-mcp-client).

Client (Go):
- Cobra-based CLI with code-scanning and sarif command groups
- code-scanning list-analyses, list-alerts, download-analysis
  subcommands using go-gh for GitHub API auth
- sarif subcommand group for MCP-backed SARIF analysis workflows
- MCP connection layer via mcp-go with stdio and HTTP transports
- Integration test runner ported from JS with full tool parameter
  extraction for 30+ MCP tools, tool availability checking, and
  deprecated session tool skipping
- 82/82 client integration tests passing with annotation tools
  enabled by default
- Makefile with build, test, lint, and cross-compile targets

Server (TypeScript):
- New sarif_store tool for ingesting SARIF into session cache
- New sarif_deduplicate_rules tool for pairwise rule comparison
  across two SARIF files using fingerprint and location overlap
- New fingerprint overlap mode in sarif_compare_alerts using
  partialFingerprints with full-path fallback
- computeFingerprintOverlap() utility in sarif-utils
- 89 SARIF-related server tests passing (62 utils + 27 tools)

Infrastructure:
- Remove client from npm workspaces; root package.json scripts
  invoke make -C client for build, test, lint, and clean
- Update client-integration-tests.yml workflow with setup-go,
  ENABLE_ANNOTATION_TOOLS=true, and make-based test invocation
- Update lint-and-format.yml workflow with setup-go for go vet
- run-integration-tests.sh builds Go binary, extracts test
  databases, and runs gh-ql-mcp-client integration-tests
- Fix custom_log_directory test fixtures to use server-allowed
  log paths

Author: data-douser

.github/workflows/client-integration-tests.yml

@@ -36,6 +36,7 @@ jobs:
         os: [ubuntu-latest, windows-latest]
 
     env:
+      ENABLE_ANNOTATION_TOOLS: 'true'
       HTTP_HOST: 'localhost'
       HTTP_PORT: '3000'
       MCP_MODE: ${{ matrix.mcp-mode }}
@@ -52,6 +53,12 @@ jobs:
           cache: 'npm'
           node-version-file: '.node-version'
 
+      - name: MCP Integration Tests - Setup Go environment
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: 'client/go.mod'
+          cache-dependency-path: 'client/go.sum'
+
       - name: MCP Integration Tests - Install OS dependencies (Ubuntu)
         if: runner.os == 'Linux'
         run: sudo apt-get install -y jq
@@ -60,8 +67,8 @@ jobs:
         if: runner.os == 'Windows'
         run: choco install jq -y
 
-      - name: MCP Integration Tests - Install node dependencies for client and server workspaces
-        run: npm ci --workspace=client && npm ci --workspace=server
+      - name: MCP Integration Tests - Install node dependencies for server workspace
+        run: npm ci --workspace=server
 
       - name: MCP Integration Tests - Setup CodeQL environment
         uses: ./.github/actions/setup-codeql-environment
@@ -109,7 +116,7 @@ jobs:
       ## have a dedicated workflow (query-unit-tests.yml).
       - name: MCP Integration Tests - Run integration tests
         shell: bash
-        run: npm run test:integration --workspace=client
+        run: make -C client test-integration
 
       - name: MCP Integration Tests - Stop the background MCP server process
         if: always() && matrix.mcp-mode == 'http'

.github/workflows/lint-and-format.yml

@@ -25,6 +25,12 @@ jobs:
           cache: 'npm'
           node-version-file: '.node-version'
 
+      - name: Lint and Format - Setup Go
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        with:
+          go-version-file: 'client/go.mod'
+          cache-dependency-path: 'client/go.sum'
+
       - name: Lint and Format - Install node dependencies for all workspaces
         run: npm ci
 

client/.gitignore

@@ -1,8 +1,13 @@
-dist/
+# Go build artifacts
+gh-ql-mcp-client
+gh-ql-mcp-client-*
+coverage.out
+coverage.html
+
+# Downloaded SARIF files
+sarif-downloads/
+
+# Legacy JS artifacts
 node_modules/
+dist/
 *.log
-.coverage/
-coverage/
-.nyc_output/
-scratch/*
-!scratch/.gitkeep

client/Makefile

@@ -0,0 +1,71 @@
+BINARY_NAME := gh-ql-mcp-client
+MODULE := github.com/advanced-security/codeql-development-mcp-server/client
+VERSION := $(shell grep 'Version = ' cmd/root.go | head -1 | sed 's/.*"\(.*\)"/\1/')
+
+# Disable CGO to avoid Xcode/C compiler dependency
+export CGO_ENABLED = 0
+
+# Build flags
+LDFLAGS := -s -w
+
+.PHONY: all build test test-unit test-integration lint clean install build-all
+
+all: lint test build
+
+## build: Build the binary for the current platform
+build:
+	go build -ldflags "$(LDFLAGS)" -o $(BINARY_NAME) .
+
+## test: Run unit tests and integration tests
+test: test-unit test-integration
+
+## test-unit: Run Go unit tests only
+test-unit:
+	go test ./...
+
+## test-integration: Build binary and run integration tests via run-integration-tests.sh
+test-integration: build
+	ENABLE_ANNOTATION_TOOLS=true scripts/run-integration-tests.sh --no-install-packs
+
+## test-verbose: Run all unit tests with verbose output
+test-verbose:
+	go test -v ./...
+
+## test-coverage: Run tests with coverage
+test-coverage:
+	go test -coverprofile=coverage.out ./...
+	go tool cover -html=coverage.out -o coverage.html
+
+## lint: Run linters
+lint:
+	@if command -v golangci-lint > /dev/null 2>&1; then \
+		golangci-lint run ./...; \
+	else \
+		echo "golangci-lint not found, running go vet only"; \
+		go vet ./...; \
+	fi
+
+## clean: Remove build artifacts
+clean:
+	rm -f $(BINARY_NAME) $(BINARY_NAME)-* coverage.out coverage.html
+
+## install: Install the binary to GOPATH/bin
+install:
+	go install -ldflags "$(LDFLAGS)" .
+
+## build-all: Cross-compile for all supported platforms
+build-all:
+	GOOS=darwin  GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o $(BINARY_NAME)-darwin-amd64 .
+	GOOS=darwin  GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o $(BINARY_NAME)-darwin-arm64 .
+	GOOS=linux   GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o $(BINARY_NAME)-linux-amd64 .
+	GOOS=linux   GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o $(BINARY_NAME)-linux-arm64 .
+	GOOS=windows GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o $(BINARY_NAME)-windows-amd64.exe .
+
+## tidy: Tidy go.mod
+tidy:
+	go mod tidy
+
+## help: Show this help
+help:
+	@echo "Available targets:"
+	@grep -E '^## ' $(MAKEFILE_LIST) | sed 's/## /  /'

client/cmd/code_scanning.go

@@ -0,0 +1,17 @@
+package cmd
+
+import "github.com/spf13/cobra"
+
+var codeScanningCmd = &cobra.Command{
+	Use:     "code-scanning",
+	Aliases: []string{"cs"},
+	Short:   "Manage Code Scanning analyses and alerts",
+	Long:    "Commands for listing, downloading, dismissing, and reopening Code Scanning analyses and alerts via the GitHub REST API.",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return cmd.Help()
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(codeScanningCmd)
+}

client/cmd/code_scanning_download_analysis.go

@@ -0,0 +1,81 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	gh "github.com/advanced-security/codeql-development-mcp-server/client/internal/github"
+	"github.com/spf13/cobra"
+)
+
+var downloadAnalysisCmd = &cobra.Command{
+	Use:   "download-analysis",
+	Short: "Download a Code Scanning analysis as SARIF",
+	RunE:  runDownloadAnalysis,
+}
+
+var downloadAnalysisFlags struct {
+	repo       string
+	analysisID int
+	output     string
+}
+
+func init() {
+	codeScanningCmd.AddCommand(downloadAnalysisCmd)
+
+	f := downloadAnalysisCmd.Flags()
+	f.StringVar(&downloadAnalysisFlags.repo, "repo", "", "Repository in owner/repo format (required)")
+	f.IntVar(&downloadAnalysisFlags.analysisID, "analysis-id", 0, "Analysis ID to download (required)")
+	f.StringVar(&downloadAnalysisFlags.output, "output", "", "Output file path (default: sarif-downloads/<repo>/<id>.sarif)")
+
+	_ = downloadAnalysisCmd.MarkFlagRequired("repo")
+	_ = downloadAnalysisCmd.MarkFlagRequired("analysis-id")
+}
+
+func runDownloadAnalysis(cmd *cobra.Command, _ []string) error {
+	owner, repo, err := parseRepo(downloadAnalysisFlags.repo)
+	if err != nil {
+		return err
+	}
+
+	client, err := gh.NewClient()
+	if err != nil {
+		return err
+	}
+
+	sarif, err := client.GetAnalysisSARIF(owner, repo, downloadAnalysisFlags.analysisID)
+	if err != nil {
+		return err
+	}
+
+	// Determine output path
+	outPath := downloadAnalysisFlags.output
+	if outPath == "" {
+		outPath = filepath.Join("sarif-downloads", fmt.Sprintf("%s_%s", owner, repo),
+			fmt.Sprintf("%d.sarif", downloadAnalysisFlags.analysisID))
+	}
+
+	// Ensure directory exists
+	if err := os.MkdirAll(filepath.Dir(outPath), 0o750); err != nil {
+		return fmt.Errorf("create output directory: %w", err)
+	}
+
+	// Pretty-print the JSON
+	var pretty json.RawMessage
+	if err := json.Unmarshal(sarif, &pretty); err != nil {
+		// If not valid JSON, write as-is
+		if writeErr := os.WriteFile(outPath, sarif, 0o600); writeErr != nil {
+			return fmt.Errorf("write SARIF file: %w", writeErr)
+		}
+	} else {
+		formatted, _ := json.MarshalIndent(pretty, "", "  ")
+		if err := os.WriteFile(outPath, formatted, 0o600); err != nil {
+			return fmt.Errorf("write SARIF file: %w", err)
+		}
+	}
+
+	fmt.Fprintf(cmd.OutOrStdout(), "Downloaded SARIF to %s (%d bytes)\n", outPath, len(sarif))
+	return nil
+}

client/cmd/code_scanning_list_alerts.go

@@ -0,0 +1,86 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"text/tabwriter"
+
+	gh "github.com/advanced-security/codeql-development-mcp-server/client/internal/github"
+	"github.com/spf13/cobra"
+)
+
+var listAlertsCmd = &cobra.Command{
+	Use:   "list-alerts",
+	Short: "List Code Scanning alerts for a repository",
+	RunE:  runListAlerts,
+}
+
+var listAlertsFlags struct {
+	repo      string
+	ref       string
+	state     string
+	severity  string
+	toolName  string
+	sort      string
+	direction string
+	perPage   int
+}
+
+func init() {
+	codeScanningCmd.AddCommand(listAlertsCmd)
+
+	f := listAlertsCmd.Flags()
+	f.StringVar(&listAlertsFlags.repo, "repo", "", "Repository in owner/repo format (required)")
+	f.StringVar(&listAlertsFlags.ref, "ref", "", "Git ref to filter by")
+	f.StringVar(&listAlertsFlags.state, "state", "", "Alert state: open, closed, dismissed, fixed")
+	f.StringVar(&listAlertsFlags.severity, "severity", "", "Severity: critical, high, medium, low, warning, note, error")
+	f.StringVar(&listAlertsFlags.toolName, "tool-name", "", "Tool name to filter by")
+	f.StringVar(&listAlertsFlags.sort, "sort", "", "Sort by (created, updated)")
+	f.StringVar(&listAlertsFlags.direction, "direction", "", "Sort direction (asc, desc)")
+	f.IntVar(&listAlertsFlags.perPage, "per-page", 30, "Results per page (max 100)")
+
+	_ = listAlertsCmd.MarkFlagRequired("repo")
+}
+
+func runListAlerts(cmd *cobra.Command, _ []string) error {
+	owner, repo, err := parseRepo(listAlertsFlags.repo)
+	if err != nil {
+		return err
+	}
+
+	client, err := gh.NewClient()
+	if err != nil {
+		return err
+	}
+
+	alerts, err := client.ListAlerts(gh.ListAlertsOptions{
+		Owner:     owner,
+		Repo:      repo,
+		Ref:       listAlertsFlags.ref,
+		State:     listAlertsFlags.state,
+		Severity:  listAlertsFlags.severity,
+		ToolName:  listAlertsFlags.toolName,
+		Sort:      listAlertsFlags.sort,
+		Direction: listAlertsFlags.direction,
+		PerPage:   listAlertsFlags.perPage,
+	})
+	if err != nil {
+		return err
+	}
+
+	if OutputFormat() == "json" {
+		enc := json.NewEncoder(cmd.OutOrStdout())
+		enc.SetIndent("", "  ")
+		return enc.Encode(alerts)
+	}
+
+	w := tabwriter.NewWriter(cmd.OutOrStdout(), 0, 4, 2, ' ', 0)
+	fmt.Fprintln(w, "NUM\tSTATE\tRULE\tSEVERITY\tFILE:LINE\tCREATED")
+	for _, a := range alerts {
+		loc := a.MostRecentInstance.Location
+		locStr := fmt.Sprintf("%s:%d", loc.Path, loc.StartLine)
+		fmt.Fprintf(w, "%d\t%s\t%s\t%s\t%s\t%s\n",
+			a.Number, a.State, a.Rule.ID, a.Rule.Severity, locStr, a.CreatedAt)
+	}
+	return w.Flush()
+}