Prep for v2.25.2 release of codeql-development-mcp-server (#251)
* Upgrade .codeql-version and packs -> v2.25.2
Upgrades the .codeql-version to v2.25.2 in preparation for the same
release version of the codeql-development-mcp-server repository.
Fixes a bug in the server/upgrade-packs.sh script so that packs
for the Rust language are part of the update-codeql.yml actions workflow
automation.
Updates package.json and other static references to old versions
in order to synchronize versions in preparation for repo release.
* Update CHANGELOG.md for pending v2.25.2 release
* Apply suggestions from code review
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>
* Update CHANGELOG.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>
---------
Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
CHANGELOG.md (31 additions & 6 deletions)
@@ -14,14 +14,14 @@ release cadence.
14
14
15
15
_Changes on `main` since the latest tagged release that have not yet been included in a stable release._
16
16
17
-
> Preview theme: the **next** phase of MCP-assisted CodeQL query development, incorporating and extending ideas for [`GitHubSecurityLab/seclab-taskflow-agent`](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) and `seclab-taskflows` for multi-repository variant analysis workflows.
17
+
## [v2.25.2] — 2026-04-15
18
18
19
19
### Highlights
20
20
21
-
-**Persistent MRVA workflow state and caching** — Introduced a new `SqliteStore` backend plus opt-in annotation, audit, and query result cache tools to support the next phase of MCP-assisted CodeQL development and `seclab-taskflow-agent` integration. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))
22
-
-**Rust language support** — Added first-class Rust support with `PrintAST`, `PrintCFG`, `CallGraphFrom`, `CallGraphTo`, and `CallGraphFromTo` queries, bringing the total supported languages to 10. ([#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
23
-
-**Bug fixes and design improvements from recent evaluation sessions** — Fixed 5 bugs across `bqrs_interpret`, `bqrs_info`, `annotation_search`, `audit_add_notes`, and `query_results_cache_compare`; added `database_analyze` auto-caching and per-database mutex serialization; auto-enabled annotation tools in VS Code extension. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199))
24
-
-**SARIF analysis tools and cache model improvements** — Added `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `sarif_compare_alerts`, and `sarif_diff_runs` tools for rule-level SARIF extraction, Mermaid dataflow visualization, alert overlap analysis, and cross-run behavioral comparison. Extended cache model with `rule_id` and `run_id` columns; added `ruleId` filter to all cache tools; auto-decompose `database_analyze` SARIF into per-rule cache entries. Added `compare_overlapping_alerts` prompt and updated all SARIF-related prompts with tool recommendations. Extracted shared libraries for database metadata and SARIF rule name resolution. ([#204](https://github.com/advanced-security/codeql-development-mcp-server/pull/204))
21
+
-**Prompt auto-completions and optional language derivation** — All 14 workflow prompts now provide auto-complete suggestions for parameters like `queryPath`, `database`, `language`, and `sarifPath` via the MCP SDK's `completable()` function. Several prompts no longer require the `language` parameter, automatically deriving it from the nearest `codeql-pack.yml`. ([#230](https://github.com/advanced-security/codeql-development-mcp-server/pull/230))
22
+
-**LLM-friendly tool input validation** — CLI tools now silently normalize camelCase and snake_case parameter names to kebab-case, and report all validation errors at once instead of one-at-a-time, reducing failed tool invocations. ([#224](https://github.com/advanced-security/codeql-development-mcp-server/pull/224), [#227](https://github.com/advanced-security/codeql-development-mcp-server/pull/227))
23
+
-**SARIF analysis tools and persistent workflow state** — Added 5 SARIF analysis tools, annotation/audit/cache tools backed by a new `SqliteStore`, and first-class Rust language support with 10 languages now covered. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169), [#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195), [#204](https://github.com/advanced-security/codeql-development-mcp-server/pull/204))
24
+
-**Upgraded CodeQL CLI to v2.25.2** — Full compatibility with the latest CodeQL CLI release, including upgraded QL pack dependencies for all supported languages. Fixed `upgrade-packs.sh`to include Rust packs in the all-languages upgrade loop. ([#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
25
25
26
26
### Added
27
27
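Review bot: the last added highlight credits the CodeQL CLI v2.25.2 upgrade and the `upgrade-packs.sh` Rust-loop fix to #195, but the commit message above says both land in this PR (#251); point the reference at #251 (keeping #195 only if that PR started the work) so a reader can find the actual change. On the same added line there is a missing space in `upgrade-packs.sh`to include, which should read `upgrade-packs.sh` to include. Two smaller things: the `_Changes on main since the latest tagged release..._` line now sits directly above the new `## [v2.25.2]` heading with nothing in between, so the Unreleased section is empty (fine for a release commit, but confirm that is intended), and `[v2.25.2]` is a reference-style link that needs a matching link definition elsewhere in the file, which this hunk does not show.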
@@ -56,13 +56,16 @@ _Changes on `main` since the latest tagged release that have not yet been includ
56
56
57
57
- Added Rust coverage to CI and release workflows, including query unit tests and VSIX bundling. ([#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
58
58
- Added client integration tests for the new Rust queries and for the annotation, audit, and cache tool suites, including an MRVA triage workflow end-to-end test. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169), [#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
59
+
- Added missing `Cargo.lock` files and `ext/` crate scaffolding for Rust query test fixtures (`CallGraphFromTo`, `CallGraphTo`, `PrintCFG`). ([#210](https://github.com/advanced-security/codeql-development-mcp-server/pull/210))
| All CLI tools | camelCase and snake_case parameter names are now silently normalized to kebab-case; unknown properties are rejected with the property name and a "did you mean?" suggestion. ([#224](https://github.com/advanced-security/codeql-development-mcp-server/pull/224)) |
68
+
| All tools (validation) | Validation errors are now reported all-at-once instead of one-at-a-time, reducing iterative trial-and-error tool invocations. ([#227](https://github.com/advanced-security/codeql-development-mcp-server/pull/227)) |
66
69
|`codeql_query_run`| Query results are now auto-cached after SARIF interpretation, enabling later lookup and comparison workflows. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169)) |
67
70
| query metadata and database resolution | Added in-memory caching with mtime-based invalidation and deduplicated resolution logic for better performance. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169)) |
68
71
|`codeql_bqrs_interpret`| Added optional `database` parameter mapped to `--source-archive` for SARIF source context; validates that `src.zip` or `src` exists. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199)) |
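Review bot: the two new table rows use different scope labels, `All CLI tools` for kebab-case parameter normalization (#224) and `All tools (validation)` for all-at-once error reporting (#227); if both apply to the same set of tools, use one label, and if #227 really covers non-CLI tools as well, say so explicitly, since the highlight in this same change presents them as one feature. Also, the new `Cargo.lock` fixture entry (#210) lists `CallGraphFromTo`, `CallGraphTo` and `PrintCFG` but not `PrintAST` or `CallGraphFrom`, which the highlights list as Rust queries; confirm those two already had lock files or add them to the list.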
@@ -71,16 +74,27 @@ _Changes on `main` since the latest tagged release that have not yet been includ
71
74
|`audit_add_notes`| Added `findingId` as preferred lookup; `owner`/`repo`/`sourceLocation`/`line` are now optional fallback fields. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199)) |
72
75
|`annotation_search`| Category field is now matched with case-insensitive `COLLATE NOCASE` alongside the existing FTS index. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199)) |
73
76
|`query_results_cache_compare`| SARIF content fallback for result count is now gated on SARIF output format, avoiding unnecessary JSON parsing of non-SARIF cache entries. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199)) |
77
+
|`sarif_list_rules`| Documented per-rule `resultCount` field in the `server-tools.md` MCP resource with JSON response schema and field reference table. ([#219](https://github.com/advanced-security/codeql-development-mcp-server/pull/219)) |
78
+
79
+
#### MCP Server Prompts
80
+
81
+
- All 14 workflow prompts now provide auto-complete suggestions for `queryPath`, `database`, `language`, `sarifPath`, `workspaceUri`, and `packRoot` parameters via `completable()`. ([#230](https://github.com/advanced-security/codeql-development-mcp-server/pull/230))
82
+
-`language` parameter is now optional on `workshop_creation_workflow`, `explain_codeql_query`, `document_codeql_query`, and `ql_lsp_iterative_development` prompts, with auto-derivation from `codeql-pack.yml`. ([#230](https://github.com/advanced-security/codeql-development-mcp-server/pull/230))
74
83
75
84
#### VS Code Extension
76
85
77
86
-`McpProvider.requestRestart()` now invalidates the environment cache and bumps a `+rN` revision suffix so VS Code reliably restarts the MCP server after configuration changes. ([#196](https://github.com/advanced-security/codeql-development-mcp-server/pull/196))
78
87
- Cached the extension version in the provider constructor to avoid repeated synchronous reads of `package.json`. ([#196](https://github.com/advanced-security/codeql-development-mcp-server/pull/196))
79
88
- New `codeql-mcp.enableAnnotationTools` setting (default: `true`) auto-sets `ENABLE_ANNOTATION_TOOLS` and `MONITORING_STORAGE_LOCATION` environment variables; `additionalEnv` overrides for advanced users. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199))
89
+
-`CliResolver` ensures only one resolution runs at a time, validates PATH-discovered binaries, and uses generation tokens to prevent stale cache writes after invalidation. ([#230](https://github.com/advanced-security/codeql-development-mcp-server/pull/230))
90
+
-`PackInstaller` uses consistent "download" terminology for `codeql pack download` operations with detailed per-language logging. ([#230](https://github.com/advanced-security/codeql-development-mcp-server/pull/230))
91
+
-`McpProvider.fireDidChange` debounces rapid-fire notifications and clears pending timers on dispose/restart. ([#230](https://github.com/advanced-security/codeql-development-mcp-server/pull/230))
92
+
- File watchers use relative paths in log messages and no longer trigger MCP definition changes for content-only file events. ([#230](https://github.com/advanced-security/codeql-development-mcp-server/pull/230))
80
93
81
94
#### Infrastructure & CI/CD
82
95
83
96
- Refactored monolithic server logic into focused `database-resolver`, `query-resolver`, `result-processor`, and `codeql-version` modules for maintainability and reuse. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))
97
+
-`extract-test-databases.sh` now defaults to `--scope integration` for efficient CI runs; `--language` implies `--scope all`. ([#228](https://github.com/advanced-security/codeql-development-mcp-server/pull/228))
84
98
85
99
### Fixed
86
100
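Review bot: the new `CliResolver` entry says it "validates PATH-discovered binaries" without saying what is validated; since this decides which `codeql` executable the extension runs, spell out whether the check is existence/executability, a `codeql version` probe, or something stronger, so a user knows what a binary found on PATH must pass before it is used. Two minor points: the new `sarif_list_rules` row (#219) describes a documentation change to the `server-tools.md` resource rather than a tool behaviour change, so it may belong with the docs entries instead of the tools table; and the new prompts bullet lists six auto-completed parameters (`queryPath`, `database`, `language`, `sarifPath`, `workspaceUri`, `packRoot`) while the matching highlight in this change names only four, so align the two or say "including" in the highlight.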
@@ -91,16 +105,26 @@ _Changes on `main` since the latest tagged release that have not yet been includ
91
105
-**`audit_add_notes` ignored `findingId`** — Added `findingId` as preferred direct-lookup alternative to the composite key fields. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199))
92
106
-**`codeql_bqrs_info``files` array caused CLI error** — Changed parameter from `files` (array) to `file` (string) to match the CLI expectation. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199))
93
107
-**Per-database mutex lock key not normalized** — Database lock key now uses `realpath` to prevent bypassing serialization with relative paths, symlinks, or different casing. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199))
108
+
-**`upgrade-packs.sh` missing Rust from all-languages upgrade loop** — Added `upgrade_packs "server/ql/rust/tools"` to the script, fixing CI failures where `codeql/rust-all` was not found in the pack download cache during CodeQL CLI upgrades. ([#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
109
+
-**Stale `interpretedOutput` directories in integration tests** — The integration test runner now cleans up stale output before running directory comparison tests. ([#228](https://github.com/advanced-security/codeql-development-mcp-server/pull/228))
94
110
95
111
### Dependencies
96
112
113
+
- Upgraded CodeQL CLI dependency to v2.25.2.
114
+
- Upgraded all `ql-mcp-*` pack dependencies and regenerated lock files for all supported languages.
97
115
- Replaced `lowdb` with `sql.js` as the persistence backend, removing the previous JSON-file storage dependency. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))
98
116
- Added `codeql/rust-all` support for the new Rust tool queries. ([#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
117
+
- Bumped `typescript` from 5.9.3 to 6.0.2, `esbuild` from 0.27.4 to 0.28.0, `@modelcontextprotocol/sdk` to 1.29.0, `dotenv` to 17.4.0, `typescript-eslint` to 8.58.0, and `adm-zip` to 0.5.17. ([#205](https://github.com/advanced-security/codeql-development-mcp-server/pull/205))
118
+
- Updated `eslint`, `prettier`, `@types/node`, `@types/vscode`, `@vitest/coverage-v8`, and `vitest` to latest compatible versions. ([#245](https://github.com/advanced-security/codeql-development-mcp-server/pull/245))
99
119
100
120
### New Contributors
101
121
102
122
-[@Copilot](https://github.com/apps/copilot-swe-agent) made their first contribution in [#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195)
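Review bot: the two new Dependencies entries, `Upgraded CodeQL CLI dependency to v2.25.2.` and `Upgraded all ql-mcp-* pack dependencies and regenerated lock files...`, are the only entries in this section without a PR reference, and the new Fixed entry for `upgrade-packs.sh` cites #195 although the commit message says this PR makes that fix; add (#251) to all three (keep #195 as well only if it introduced the Rust packs). Also, `Updated eslint, prettier, @types/node, ... to latest compatible versions` (#245) should list the actual version numbers the way the #205 entry does; a reader checking a lockfile against the changelog cannot act on "latest compatible".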