[UPDATE PRIMITIVE] Fix codeql_database_analyze additionalArgs pass-through (#188)

* Initial plan

* fix: extract additionalArgs as raw CLI arguments instead of --additionalArgs=value

Previously, `additionalArgs` (e.g., `["--sarif-include-query-help=always"]`)
stayed in the options object and was processed by `buildCodeQLArgs` into
`--additionalArgs=--sarif-include-query-help=always`, which is invalid.

Now `additionalArgs` is extracted from options before CLI arg building and
appended as raw arguments after positional args, so args like
`--sarif-include-query-help=always` and `--no-sarif-minify` are passed
through correctly to the `codeql` CLI.

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/ff382e0c-2894-422a-a9c8-22c431c9a77a

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* fix: filter managed CLI flags from additionalArgs to prevent conflicts with post-processing

For tools with post-execution processing (query run, test run, database
analyze), flags like --logdir, --evaluator-log, --output, --verbosity,
and --tuple-counting are set internally and read back after execution.
If these appear in additionalArgs, they would create conflicting
duplicates and break post-processing. Now they are filtered out with a
warning directing the user to use the corresponding named parameter.

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/dd017a82-a805-40c8-bb2f-4eae0678766d

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* Sync server/dist/**

* fix: handle space-separated managed flags in additionalArgs filtering

Replace .filter() with a for-loop that also skips the following value
token when a managed flag is supplied in space-separated form
(e.g. ['--output', '/override.sarif']) instead of inline form
(e.g. ['--output=/override.sarif']).  This prevents stray positional
arguments from leaking into the CLI invocation.

Add test coverage for the space-separated form.

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/fb3b1eea-290e-4eaa-bf2b-26b1521e5a58

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

* Sync package-lock.json && server/dist/**

* Update .vscodeignore

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
Co-authored-by: Nathan Randall <data-douser@github.com>

Author: Copilot

extensions/vscode/.vscodeignore

@@ -16,12 +16,13 @@ esbuild.config.js
 coverage/**
 
 # Build artifacts that shouldn't be in the VSIX
-.tmp/**
+**/.codeql/**
+**/.tmp/**
 **/*.test.ts
 **/*.test.js
 **/*.test.cjs
 **/*.map
-dist/test/**
+**/dist/test/**
 
 # Bundled server: exclude test/examples content
 server/ql/*/tools/test/**

package-lock.json

@@ -58042,6 +58042,34 @@ function registerCLITool(server, definition) {
             mkdirSync5(outputDir, { recursive: true });
           }
         }
+        const rawAdditionalArgs = Array.isArray(options.additionalArgs) ? options.additionalArgs : [];
+        delete options.additionalArgs;
+        const managedFlagNames = /* @__PURE__ */ new Set([
+          "evaluator-log",
+          "logdir",
+          "output",
+          "tuple-counting",
+          "verbosity"
+        ]);
+        const userAdditionalArgs = queryLogDir ? (() => {
+          const filteredAdditionalArgs = [];
+          for (let i = 0; i < rawAdditionalArgs.length; i += 1) {
+            const arg = rawAdditionalArgs[i];
+            const m = arg.match(/^--(?:no-)?([^=]+)(?:=.*)?$/);
+            if (m && managedFlagNames.has(m[1])) {
+              logger.warn(
+                `Ignoring "${arg}" from additionalArgs for ${name}: this flag is managed internally. Use the corresponding named parameter instead.`
+              );
+              const hasInlineValue = arg.includes("=");
+              if (!hasInlineValue && i + 1 < rawAdditionalArgs.length) {
+                i += 1;
+              }
+              continue;
+            }
+            filteredAdditionalArgs.push(arg);
+          }
+          return filteredAdditionalArgs;
+        })() : rawAdditionalArgs;
         let result;
         if (command === "codeql") {
           let cwd;
@@ -58058,9 +58086,9 @@ function registerCLITool(server, definition) {
           if (name === "codeql_test_run") {
             options["keep-databases"] = true;
           }
-          result = await executeCodeQLCommand(subcommand, options, positionalArgs, cwd);
+          result = await executeCodeQLCommand(subcommand, options, [...positionalArgs, ...userAdditionalArgs], cwd);
         } else if (command === "qlt") {
-          result = await executeQLTCommand(subcommand, options, positionalArgs);
+          result = await executeQLTCommand(subcommand, options, [...positionalArgs, ...userAdditionalArgs]);
         } else {
           throw new Error(`Unsupported command: ${command}`);
         }

server/dist/codeql-development-mcp-server.js

@@ -474,6 +474,62 @@ export function registerCLITool(server: McpServer, definition: CLIToolDefinition
           }
         }
 
+        // Extract additionalArgs from options so they are passed as raw CLI
+        // arguments instead of being transformed into --additionalArgs=value
+        // by buildCodeQLArgs.
+        const rawAdditionalArgs = Array.isArray(options.additionalArgs)
+          ? options.additionalArgs as string[]
+          : [];
+        delete options.additionalArgs;
+
+        // For tools with post-execution processing (query run, test run,
+        // database analyze), certain CLI flags are set internally and their
+        // values are read back after execution (e.g. --evaluator-log for log
+        // summary generation, --output for SARIF interpretation).  If a user
+        // passes these flags via additionalArgs the CLI would receive
+        // conflicting duplicates and the post-processing would use stale
+        // values from the options object.  Filter them out and log a warning
+        // directing the user to the corresponding named parameter instead.
+        const managedFlagNames = new Set([
+          'evaluator-log',
+          'logdir',
+          'output',
+          'tuple-counting',
+          'verbosity',
+        ]);
+        const userAdditionalArgs = queryLogDir
+          ? (() => {
+              const filteredAdditionalArgs: string[] = [];
+
+              for (let i = 0; i < rawAdditionalArgs.length; i += 1) {
+                const arg = rawAdditionalArgs[i];
+                const m = arg.match(/^--(?:no-)?([^=]+)(?:=.*)?$/);
+
+                if (m && managedFlagNames.has(m[1])) {
+                  logger.warn(
+                    `Ignoring "${arg}" from additionalArgs for ${name}: ` +
+                    'this flag is managed internally. Use the corresponding named parameter instead.'
+                  );
+
+                  // Always skip the managed flag itself. If it is provided in
+                  // space-separated form (e.g. ["--output", "file.sarif"]),
+                  // also skip the following token as its value so it does not
+                  // become a stray positional argument.
+                  const hasInlineValue = arg.includes('=');
+                  if (!hasInlineValue && i + 1 < rawAdditionalArgs.length) {
+                    i += 1;
+                  }
+
+                  continue;
+                }
+
+                filteredAdditionalArgs.push(arg);
+              }
+
+              return filteredAdditionalArgs;
+            })()
+          : rawAdditionalArgs;
+
         let result: CLIExecutionResult;
 
         if (command === 'codeql') {
@@ -507,9 +563,9 @@ export function registerCLITool(server: McpServer, definition: CLIToolDefinition
             options['keep-databases'] = true;
           }
 
-          result = await executeCodeQLCommand(subcommand, options, positionalArgs, cwd);
+          result = await executeCodeQLCommand(subcommand, options, [...positionalArgs, ...userAdditionalArgs], cwd);
         } else if (command === 'qlt') {
-          result = await executeQLTCommand(subcommand, options, positionalArgs);
+          result = await executeQLTCommand(subcommand, options, [...positionalArgs, ...userAdditionalArgs]);
         } else {
           throw new Error(`Unsupported command: ${command}`);
         }