Rewrite `ql-mcp-client` in Go as a `gh` CLI extension for Code Scanning SARIF management

[data-douser]

Problem

The current ql-mcp-client is a JavaScript/Node.js implementation (client/src/ql-mcp-client.js) that serves primarily as an integration testing harness for the MCP server. It has several limitations:

1. No GitHub API integration — cannot authenticate to GitHub or call REST APIs (Code Scanning, etc.) without external tooling
2. Not distributable as a gh extension — requires Node.js runtime and npm workspace setup to run
3. No SARIF download/upload capability — cannot fetch Code Scanning analyses or alerts from GitHub, making it impossible to use ql-mcp server SARIF tools against production data
4. No LLM integration path — cannot leverage the Copilot SDK for alert validation workflows
5. Tightly coupled to npm workspaces — the client/ directory is an npm workspace with its own package.json, eslint.config.mjs, and JS-specific tooling

Desired State

Go CLI binary (gh-ql-mcp-client)

Replace the JS client with a Go binary that serves as both a standalone CLI and a gh CLI extension:

• Go module at client/ with Cobra CLI framework, go-gh for GitHub API auth, mcp-go for MCP server communication, and copilot-sdk/go for LLM sessions
• code-scanning subcommands for interacting with the GitHub Code Scanning REST API:
  • list-analyses — list SARIF analyses for a repo
  • list-alerts — list alerts with state/severity/tool filters
  • download-analysis — download SARIF via Accept: application/sarif+json
  • download-alerts — download alert details with instances
  • dismiss alerts — batch dismiss with --from-file manifest support
  • reopen alerts — batch reopen dismissed alerts
• sarif subcommands that delegate to ql-mcp server tools:
  • compare alerts — call sarif_compare_alerts including fingerprint mode
  • compare analyses — call sarif_diff_runs
  • deduplicate — orchestrate multi-step dedup workflow producing a dismiss manifest
  • validate alert — LLM-driven TP/FP assessment via Copilot SDK
  • validate analysis — batch validation across all alerts
• Integration test runner — Go port of the JS test runner that discovers and runs all fixtures in client/integration-tests/, calls MCP tools via stdio or HTTP transport, and checks tool availability at runtime
• gh extension packaging — cross-compiled binaries for darwin/linux/windows, installable via gh extension install

Server enhancements

New and enhanced ql-mcp server tools to support the client's Code Scanning workflows:

• sarif_store tool — ingest SARIF content (from file or inline JSON string) into the session cache; return a cacheKey for consumption by existing sarif_* tools
• sarif_deduplicate_rules tool — pairwise rule comparison across two SARIF files using fingerprint-first, full-path-fallback overlap analysis
• fingerprint overlap mode in sarif_compare_alerts — compare partialFingerprints hashes with automatic fallback to full-path mode when fingerprints are absent (the partialFingerprints field is already parsed in SarifResultSchema but unused today)

Infrastructure

• Remove client/ from npm workspaces; root package.json scripts invoke make -C client targets (build, test, lint, clean)
• client-integration-tests.yml workflow needs actions/setup-go, annotation tools enabled by default, and make-based test invocation
• lint-and-format.yml workflow needs actions/setup-go since npm run lint will invoke go vet
• run-integration-tests.sh builds the Go binary, extracts test databases, and runs the Go integration test runner
• npm run build-and-test must pass end-to-end across server, client, and VS Code extension

Testing approach

• TDD methodology throughout — write Go unit tests before implementing each subcommand and internal package
• Client integration tests — all 82+ existing fixtures in client/integration-tests/primitives/tools/ must pass with the Go runner
• Annotation tools enabled by default — audit, annotation, SARIF, and cache tools are core to the client's workflows and must be exercised in CI
• Monitoring/session tools deprecated — skip session_* and sessions_* tool tests
• Tool availability enforcement — if a non-deprecated tool's test fixture exists but the tool is not registered on the server, the test must fail (not silently skip)

Use cases enabled

1. Alert deduplication after query changes — download SARIF from two analyses (before/after a CodeQL query pack upgrade), use sarif_deduplicate_rules to identify overlapping alerts, produce a dismiss manifest, and bulk-dismiss duplicates
2. LLM-driven alert triage — download alerts and source code, create a Copilot SDK session with MCP tools as custom tools, send assessment prompts, and produce structured TP/FP verdicts with confidence scores
3. Cross-analysis comparison — download SARIF from different branches, CodeQL versions, or repos, and use sarif_diff_runs and sarif_compare_alerts to detect behavioral regressions or new coverage
4. Alert lifecycle management — read, assess, clean up, and restore the approved set of Code Scanning alerts for a repository