advanced-security
diff --git a/‎CHANGELOG.md‎
Lines changed: 13 additions & 5 deletions b/‎CHANGELOG.md‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎server/dist/codeql-development-mcp-server.js‎
Lines changed: 7 additions & 7 deletions b/‎server/dist/codeql-development-mcp-server.js‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎server/dist/codeql-development-mcp-server.js.map‎
Lines changed: 1 addition & 1 deletion b/‎server/dist/codeql-development-mcp-server.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎server/src/prompts/compare-overlapping-alerts.prompt.md‎
Lines changed: 14 additions & 14 deletions b/‎server/src/prompts/compare-overlapping-alerts.prompt.md‎
Lines changed: 14 additions & 14 deletions
diff --git a/‎server/src/prompts/run-query-and-summarize-false-positives.prompt.md‎
Lines changed: 10 additions & 7 deletions b/‎server/src/prompts/run-query-and-summarize-false-positives.prompt.md‎
Lines changed: 10 additions & 7 deletions
diff --git a/‎server/src/prompts/sarif-rank-false-positives.prompt.md‎
Lines changed: 12 additions & 0 deletions b/‎server/src/prompts/sarif-rank-false-positives.prompt.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎server/src/prompts/sarif-rank-true-positives.prompt.md‎
Lines changed: 12 additions & 0 deletions b/‎server/src/prompts/sarif-rank-true-positives.prompt.md‎
Lines changed: 12 additions & 0 deletions
@@ -21,23 +21,31 @@ _Changes on `main` since the latest tagged release that have not yet been includ
 - **Persistent MRVA workflow state and caching** — Introduced a new `SqliteStore` backend plus opt-in annotation, audit, and query result cache tools to support the next phase of MCP-assisted CodeQL development and `seclab-taskflow-agent` integration. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))
 - **Rust language support** — Added first-class Rust support with `PrintAST`, `PrintCFG`, `CallGraphFrom`, `CallGraphTo`, and `CallGraphFromTo` queries, bringing the total supported languages to 10. ([#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
 - **Bug fixes and design improvements from v2.25.1-next.2 evaluation** — Fixed 5 bugs across `bqrs_interpret`, `bqrs_info`, `annotation_search`, `audit_add_notes`, and `query_results_cache_compare`; added `database_analyze` auto-caching and per-database mutex serialization; auto-enabled annotation tools in VS Code extension. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199))
+- **SARIF analysis tools and cache model improvements** — Added `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `sarif_compare_alerts`, and `sarif_diff_runs` tools for rule-level SARIF extraction, Mermaid dataflow visualization, alert overlap analysis, and cross-run behavioral comparison. Extended cache model with `rule_id` and `run_id` columns; added `ruleId` filter to all cache tools; auto-decompose `database_analyze` SARIF into per-rule cache entries. Added `compare_overlapping_alerts` prompt and updated all SARIF-related prompts with tool recommendations. Extracted shared libraries for database metadata and SARIF rule name resolution. ([#201](https://github.com/advanced-security/codeql-development-mcp-server/issues/201))
 
 ### Added
 
 #### MCP Server Tools
 
-| Tool                                                                                                                     | Description                                                                                                                                                                                            |
-| ------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `annotation_create`, `annotation_get`, `annotation_list`, `annotation_update`, `annotation_delete`, `annotation_search`  | General-purpose annotation tools for creating, managing, and searching notes and bookmarks on analysis entities. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169)) |
-| `audit_store_findings`, `audit_list_findings`, `audit_add_notes`, `audit_clear_repo`                                     | Repo-keyed audit tools for MRVA finding management and triage workflows. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                         |
-| `query_results_cache_lookup`, `query_results_cache_retrieve`, `query_results_cache_clear`, `query_results_cache_compare` | Query result cache tools for lookup, subset retrieval, cache clearing, and cross-database comparison. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))            |
+| Tool                                                                                                                     | Description                                                                                                                                                                                                                                       |
+| ------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `annotation_create`, `annotation_get`, `annotation_list`, `annotation_update`, `annotation_delete`, `annotation_search`  | General-purpose annotation tools for creating, managing, and searching notes and bookmarks on analysis entities. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                            |
+| `audit_store_findings`, `audit_list_findings`, `audit_add_notes`, `audit_clear_repo`                                     | Repo-keyed audit tools for MRVA finding management and triage workflows. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                                                                    |
+| `query_results_cache_lookup`, `query_results_cache_retrieve`, `query_results_cache_clear`, `query_results_cache_compare` | Query result cache tools for lookup, subset retrieval, cache clearing, and cross-database comparison. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                                       |
+| `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `sarif_compare_alerts`, `sarif_diff_runs`            | SARIF analysis tools for rule discovery, per-rule extraction, Mermaid dataflow visualization, alert overlap comparison, and cross-run behavioral diffing. ([#201](https://github.com/advanced-security/codeql-development-mcp-server/issues/201)) |
 
 #### MCP Server Resources
 
 | URI                           | Description                                                                                                                                                                       |
 | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `codeql://languages/rust/ast` | Rust AST reference resource with verified accessor predicates for CodeQL query development. ([#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195)) |
 
+#### MCP Server Prompts
+
+| Prompt                       | Description                                                                                                                                                                                                                                            |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `compare_overlapping_alerts` | Multi-SARIF alert comparison workflow: compares alerts across rules, files, runs, databases, or CodeQL versions with 8-step guided analysis using SARIF tools. ([#201](https://github.com/advanced-security/codeql-development-mcp-server/issues/201)) |
+
 #### CodeQL Query Packs
 
 | Pack            | Description                                                                                                                                                                                 |
 
@@ -19,7 +19,7 @@ This workflow supports:
 
 ### Step 1: Discover available rules
 
-Use `sarif_list_rules` on each SARIF source to understand what rules and result counts are present:
+Use #sarif_list_rules on each SARIF source to understand what rules and result counts are present:
 
 ```
 sarif_list_rules(sarifPath="{{sarifPathA}}")
@@ -34,18 +34,18 @@ Depending on the use case, choose the appropriate strategy:
 
 **Same-file, different rules** (custom vs standard overlap):
 
-- Use `sarif_extract_rule` to extract each rule's results from the same file
-- Use `sarif_compare_alerts` to compare individual alert pairs
+- Use #sarif_extract_rule to extract each rule's results from the same file
+- Use #sarif_compare_alerts to compare individual alert pairs
 
 **Different files, same rule** (behavioral deviation across runs):
 
-- Use `sarif_diff_runs` to get a high-level diff of added/removed/changed rules
-- For changed rules, use `sarif_extract_rule` on both files and compare results
+- Use #sarif_diff_runs to get a high-level diff of added/removed/changed rules
+- For changed rules, use #sarif_extract_rule on both files and compare results
 
 **Different files, different rules** (cross-pack overlap):
 
-- Use `sarif_extract_rule` on each file with the respective rule IDs
-- Use `sarif_compare_alerts` with different `sarifPath` values for alertA and alertB
+- Use #sarif_extract_rule on each file with the respective rule IDs
+- Use #sarif_compare_alerts with different `sarifPath` values for alertA and alertB
 
 ### Step 3: Diff runs (for cross-run comparison)
 
@@ -80,7 +80,7 @@ The markdown report includes:
 
 ### Step 5: Compare specific alerts for overlap
 
-Use `sarif_compare_alerts` to compare individual results between rules or files. Each alert specifier can reference a **different SARIF file**:
+Use #sarif_compare_alerts to compare individual results between rules or files. Each alert specifier can reference a **different SARIF file**:
 
 ```
 sarif_compare_alerts(
@@ -99,7 +99,7 @@ If sink overlap is found, re-check with `source` and `full-path` modes:
 
 ### Step 6: Read source code context
 
-For each overlapping pair, use `read_database_source` to read the relevant source file from the CodeQL database. **Note**: the `filePath` parameter uses the URI from the SARIF alert location, not an absolute path:
+For each overlapping pair, use #read_database_source to read the relevant source file from the CodeQL database. **Note**: the `filePath` parameter uses the URI from the SARIF alert location, not an absolute path:
 
 ```
 read_database_source(database="{{databasePath}}", filePath="<uri-from-alert>")
@@ -120,7 +120,7 @@ For each overlapping or divergent pair, classify as:
 3. **False overlap** — Same file and line but semantically different issues (different arguments, different properties).
    - **Action**: no change needed
 
-4. **Behavioral regression** — A rule that previously found N results now finds fewer (or zero). Visible via `sarif_diff_runs` `changedRules`.
+4. **Behavioral regression** — A rule that previously found N results now finds fewer (or zero). Visible via #sarif_diff_runs `changedRules`.
    - **Action**: investigate query or library changes between CodeQL versions
 
 5. **New coverage** — A rule appears in `addedRules` or has increased results. Indicates improved detection.
@@ -139,9 +139,9 @@ Create a structured summary with:
 ## Notes
 
 - `ruleId` values correspond to CodeQL query `@id` metadata (e.g., `js/sql-injection`)
-- `sarif_compare_alerts` supports **cross-file** comparison: `alertA.sarifPath` and `alertB.sarifPath` can be different files
-- `sarif_diff_runs` compares by rule ID, not by result content — use it for high-level structural comparison, then drill into individual alerts
-- `read_database_source` requires the database path — pass via the `databasePath` parameter or resolve it with `list_codeql_databases`
+- #sarif_compare_alerts supports **cross-file** comparison: `alertA.sarifPath` and `alertB.sarifPath` can be different files
+- #sarif_diff_runs compares by rule ID, not by result content — use it for high-level structural comparison, then drill into individual alerts
+- #read_database_source requires the database path — pass via the `databasePath` parameter or resolve it with #list_codeql_databases
 - When working from cached results, substitute `cacheKey` for `sarifPath` in all tool calls
 - Path similarity above 0.7 usually indicates redundancy; below 0.3 indicates complementary coverage
-- For cross-version comparison, run `codeql database analyze` with two different CodeQL CLI versions against the same database, save both SARIF files, and use `sarif_diff_runs` to compare
+- For cross-version comparison, run `codeql database analyze` with two different CodeQL CLI versions against the same database, save both SARIF files, and use #sarif_diff_runs to compare
@@ -12,15 +12,18 @@ Help a developer discover what kinds of false positives are produced by their cu
 
 1. Read the provided CodeQL query to understand what patterns it is designed to detect.
 2. Discover the results of this query on a real database, by:
-   - Running the tool #list_query_run_results to find existing runs for this query
-   - If no existing runs are found, run the query on a relevant database using #codeql_query_run tool
-3. Analyze and group the results into what appear to be similar types of results. This may mean:
+   - Using #query_results_cache_lookup with `ruleId` (the query's `@id` metadata) to find previously cached results
+   - Running #list_query_run_results to find existing run artifacts
+   - If no existing results are found, run the query using #codeql_query_run with `format: "sarif-latest"` to produce SARIF output (results are auto-cached with `ruleId` for later lookup)
+3. Use #sarif_list_rules on the SARIF output to confirm rule metadata and result counts. For multi-rule SARIF, use #sarif_extract_rule to isolate the specific query's results.
+4. Use #sarif_rule_to_markdown to generate a structured overview with a results table and Mermaid dataflow diagrams for path-problem results. This gives an immediate visual summary of all findings.
+5. Analyze and group the results into what appear to be similar types of results. This may mean:
    - Grouping results in the same file
    - Grouping results that reference the same elements
    - Grouping results with similar messages
-4. For each group, explore the actual code for a sample of alerts in that group, using the #read_database_source tool to triage the results and determine which groups appear to be false positives
-5. For each false positive case discovered in this exploration, group them into categories of similar root causes. For example, a query might not properly account for unreachable code, or there may be a commonly used library that violates the query's assumptions but is actually safe.
-6. Explain these results to the user in order of most common to least common, so they can understand where their query may need improvement to reduce false positives.
+6. For each group, explore the actual code for a sample of alerts using #read_database_source with the `filePath` from the SARIF alert URI and 10–20 lines of context around the flagged location.
+7. For each false positive case discovered, group them into categories of similar root causes.
+8. Explain these results to the user in order of most common to least common.
 
 ## Input Context
 
@@ -32,7 +35,7 @@ You will be provided with:
 
 ### Exploring code paths
 
-The tool #read_database_source can be used to read the code of a particular finding. A good strategy to explore the code paths of a finding is:
+Use #read_database_source with the `filePath` from the SARIF alert's `physicalLocation.artifactLocation.uri` and the `databasePath` of the CodeQL database. Read 10–20 lines around the flagged location:
 
 1. Read in the immediate context of the violation.
    - Some queries may depend on later context (e.g., an "unused variable" may only be used after its declaration)
 
@@ -18,6 +18,18 @@ You will be provided with:
 - **SARIF Results**: Array of results to analyze
 - **Code Snippets**: When available, code snippets from SARIF physical locations
 
+## Recommended Tool Usage
+
+Use these tools to gather context for each result:
+
+1. **#sarif_list_rules** — Discover all rules and result counts in the SARIF data. Helps scope the analysis.
+2. **#sarif_extract_rule** — Extract results for the specific query `@id` from multi-rule SARIF. Returns a clean SARIF subset.
+3. **#sarif_rule_to_markdown** — Generate a structured markdown report with results table and Mermaid dataflow diagrams. Provides an immediate visual overview of all findings.
+4. **#read_database_source** — Read source code from the CodeQL database using the `filePath` from the SARIF alert URI. Read 10–20 lines around each flagged location for context.
+5. **#query_results_cache_lookup** with `ruleId` — Check if results for this query are already cached from previous runs.
+6. **#sarif_compare_alerts** — When the same codebase has results from both standard and custom queries, compare alert locations to distinguish unique findings from overlapping ones.
+7. **#sarif_diff_runs** — Compare against a baseline SARIF run to identify new results vs previously known findings.
+
 ## Analysis Guidelines
 
 ### What Makes a Result Likely to be a False Positive?
 
@@ -18,6 +18,18 @@ You will be provided with:
 - **SARIF Results**: Array of results to analyze
 - **Code Snippets**: When available, code snippets from SARIF physical locations
 
+## Recommended Tool Usage
+
+Use these tools to gather context for each result:
+
+1. **#sarif_list_rules** — Discover all rules and result counts in the SARIF data. Helps scope the analysis.
+2. **#sarif_extract_rule** — Extract results for the specific query `@id` from multi-rule SARIF. Returns a clean SARIF subset.
+3. **#sarif_rule_to_markdown** — Generate a structured markdown report with results table and Mermaid dataflow diagrams. Provides quick visual triage of dataflow paths.
+4. **#read_database_source** — Read source code from the CodeQL database using the `filePath` from the SARIF alert URI. Read 10–20 lines around each flagged location to verify vulnerability patterns.
+5. **#query_results_cache_lookup** with `ruleId` — Check if results for this query are already cached from previous runs.
+6. **#sarif_compare_alerts** — Compare results across different SARIF files (e.g., standard vs custom query packs) to identify which findings are unique to the query under analysis.
+7. **#sarif_diff_runs** — Compare against a baseline SARIF run to distinguish new findings from regressions.
+
 ## Analysis Guidelines
 
 ### What Makes a Result Likely to be a True Positive?