Merge branch 'dd/no-grep-or-bust' into copilot/fix-github-actions-integration-tests

Author: data-douser

extensions/vscode/package.json

@@ -108,6 +108,11 @@
           "default": "latest",
           "description": "The npm version of codeql-development-mcp-server to install. Use 'latest' for the most recent release."
         },
+        "codeql-mcp.scratchDir": {
+          "type": "string",
+          "default": ".codeql/ql-mcp",
+          "markdownDescription": "Workspace-relative path for the ql-mcp scratch directory used for temporary files (query logs, external predicates, etc). The `.codeql/` parent is shared with other CodeQL CLI commands like `codeql pack bundle`. Set to an absolute path to override workspace-relative resolution."
+        },
         "codeql-mcp.watchCodeqlExtension": {
           "type": "boolean",
           "default": true,

extensions/vscode/src/bridge/database-copier.ts

@@ -1,5 +1,5 @@
 import { existsSync } from 'fs';
-import { cp, mkdir, readdir, rm, stat, unlink } from 'fs/promises';
+import { cp, lstat, mkdir, readdir, rm, stat, unlink } from 'fs/promises';
 import { join } from 'path';
 import type { Logger } from '../common/logger';
 
@@ -34,10 +34,10 @@ export class DatabaseCopier {
     try {
       await mkdir(this.destinationBase, { recursive: true });
     } catch (err) {
-      this.logger.error(
-        `Failed to create managed database directory ${this.destinationBase}: ${err instanceof Error ? err.message : String(err)}`,
-      );
-      return [];
+      const msg =
+        `Failed to create managed database directory ${this.destinationBase}: ${err instanceof Error ? err.message : String(err)}`;
+      this.logger.error(msg);
+      throw new Error(msg, { cause: err });
     }
 
     const copied: string[] = [];
@@ -137,8 +137,8 @@ async function isCodeQLDatabase(dirPath: string): Promise<boolean> {
 
 /**
  * Recursively remove all `.lock` files under the given directory.
- * These are empty sentinel files created by the CodeQL query server in
- * `<dataset>/default/cache/.lock`.
+ * Uses lstat to avoid following symlinks, keeping deletion scoped to
+ * the copied database tree.
  */
 async function removeLockFiles(dir: string): Promise<void> {
   let entries: string[];
@@ -151,7 +151,11 @@ async function removeLockFiles(dir: string): Promise<void> {
   for (const entry of entries) {
     const fullPath = join(dir, entry);
     try {
-      const st = await stat(fullPath);
+      const st = await lstat(fullPath);
+      // Skip symlinks to avoid traversing outside the database directory
+      if (st.isSymbolicLink()) {
+        continue;
+      }
       if (st.isDirectory()) {
         await removeLockFiles(fullPath);
       } else if (entry === '.lock') {

extensions/vscode/src/bridge/environment-builder.ts

@@ -1,5 +1,5 @@
 import * as vscode from 'vscode';
-import { delimiter, join } from 'path';
+import { delimiter, isAbsolute, join } from 'path';
 import { DisposableObject } from '../common/disposable';
 import type { Logger } from '../common/logger';
 import type { CliResolver } from '../codeql/cli-resolver';
@@ -64,17 +64,34 @@ export class EnvironmentBuilder extends DisposableObject {
       env.CODEQL_PATH = cliPath;
     }
 
-    // Workspace root
+    // Workspace root and all workspace folders
     const workspaceFolders = vscode.workspace.workspaceFolders;
     if (workspaceFolders && workspaceFolders.length > 0) {
       env.CODEQL_MCP_WORKSPACE = workspaceFolders[0].uri.fsPath;
+      env.CODEQL_MCP_WORKSPACE_FOLDERS = workspaceFolders
+        .map((f) => f.uri.fsPath)
+        .join(delimiter);
     }
 
-    // Temp directory for MCP server scratch files
-    env.CODEQL_MCP_TMP_DIR = join(
-      this.context.globalStorageUri.fsPath,
-      'tmp',
-    );
+    // Workspace-local scratch directory for tool output (query logs, etc.)
+    // Defaults to `.codeql/ql-mcp` within the first workspace folder.
+    // This is also used as CODEQL_MCP_TMP_DIR so that the server writes
+    // all temporary output (query logs, external predicate CSVs) inside
+    // the workspace, avoiding out-of-workspace file access prompts.
+    const scratchRelative = config.get<string>('scratchDir', '.codeql/ql-mcp');
+    if (workspaceFolders && workspaceFolders.length > 0) {
+      const scratchDir = isAbsolute(scratchRelative)
+        ? scratchRelative
+        : join(workspaceFolders[0].uri.fsPath, scratchRelative);
+      env.CODEQL_MCP_SCRATCH_DIR = scratchDir;
+      env.CODEQL_MCP_TMP_DIR = scratchDir;
+    } else {
+      // No workspace — fall back to extension globalStorage
+      env.CODEQL_MCP_TMP_DIR = join(
+        this.context.globalStorageUri.fsPath,
+        'tmp',
+      );
+    }
 
     // Additional packs path — include vscode-codeql's database storage
     // so the MCP server can discover databases registered there

extensions/vscode/test/bridge/environment-builder.test.ts

@@ -87,11 +87,42 @@ describe('EnvironmentBuilder', () => {
     expect(env.TRANSPORT_MODE).toBe('stdio');
   });
 
-  it('should include CODEQL_MCP_TMP_DIR under global storage', async () => {
+  it('should include CODEQL_MCP_TMP_DIR under global storage when no workspace', async () => {
     const env = await builder.build();
     expect(env.CODEQL_MCP_TMP_DIR).toBe('/mock/global-storage/codeql-mcp/tmp');
   });
 
+  it('should set CODEQL_MCP_TMP_DIR to workspace scratch dir when workspace folders exist', async () => {
+    const vscode = await import('vscode');
+    const origFolders = vscode.workspace.workspaceFolders;
+    (vscode.workspace.workspaceFolders as any) = [
+      { uri: { fsPath: '/mock/workspace' }, name: 'ws', index: 0 },
+    ];
+
+    builder.invalidate();
+    const env = await builder.build();
+    expect(env.CODEQL_MCP_TMP_DIR).toBe('/mock/workspace/.codeql/ql-mcp');
+    expect(env.CODEQL_MCP_SCRATCH_DIR).toBe('/mock/workspace/.codeql/ql-mcp');
+
+    (vscode.workspace.workspaceFolders as any) = origFolders;
+  });
+
+  it('should set CODEQL_MCP_WORKSPACE_FOLDERS with all workspace folder paths', async () => {
+    const vscode = await import('vscode');
+    const { delimiter } = await import('path');
+    const origFolders = vscode.workspace.workspaceFolders;
+    (vscode.workspace.workspaceFolders as any) = [
+      { uri: { fsPath: '/mock/ws-a' }, name: 'a', index: 0 },
+      { uri: { fsPath: '/mock/ws-b' }, name: 'b', index: 1 },
+    ];
+
+    builder.invalidate();
+    const env = await builder.build();
+    expect(env.CODEQL_MCP_WORKSPACE_FOLDERS).toBe(['/mock/ws-a', '/mock/ws-b'].join(delimiter));
+
+    (vscode.workspace.workspaceFolders as any) = origFolders;
+  });
+
   it('should include CODEQL_ADDITIONAL_PACKS with database storage path', async () => {
     const env = await builder.build();
     expect(env.CODEQL_ADDITIONAL_PACKS).toBeDefined();
@@ -206,6 +237,15 @@ describe('EnvironmentBuilder', () => {
     vscode.workspace.getConfiguration = originalGetConfig;
   });
 
+  it('should fall back to source dirs when syncAll throws', async () => {
+    mockCopier.syncAll.mockRejectedValue(new Error('Failed to create managed database directory'));
+    builder.invalidate();
+    const env = await builder.build();
+    expect(env.CODEQL_DATABASES_BASE_DIRS).toBe(
+      ['/mock/global-storage/GitHub.vscode-codeql', '/mock/workspace-storage/ws-123/GitHub.vscode-codeql'].join(delimiter),
+    );
+  });
+
   it('should append user-configured dirs to CODEQL_QUERY_RUN_RESULTS_DIRS', async () => {
     const vscode = await import('vscode');
     const originalGetConfig = vscode.workspace.getConfiguration;