📝 Update Information

Primitive Details

• Type: Tool
• Name: bqrs_interpret, bqrs_info, annotation_search, audit_add_notes, query_results_cache_compare, query_results_cache_lookup, database_analyze, VSIX extension env config
• Update Category: Bug Fix, Feature Enhancement

⚠️ CRITICAL: PR SCOPE VALIDATION

• Server implementation files and VS Code extension files are included
• NO temporary or output files are included
• NO unrelated configuration files are included
• ALL existing tests continue to pass
• NEW functionality is properly tested

• Impact Scope: Moderate — touches 7 tool/lib files, 3 extension files, 6 server test files, 1 extension test file, 2 client integration test runner files, 1 integration test fixture

Update Metadata

• Breaking Changes: Yes — bqrs_info parameter renamed files → file (array → string); audit_add_notes parameters owner/repo/sourceLocation/line now optional when findingId is provided
• API Compatibility: Enhanced (additive parameters, one rename)
• Performance Impact: Neutral

🎯 Changes Description

During a thorough evaluation of the ql-mcp server against 3 JS databases, 4 query packs, and 1,101 findings, 5 bugs and several design gaps were identified. This PR addresses all 5 bugs and 3 of the 5 design improvements, plus two additional issues discovered during follow-up evaluation.

Bug Fixes

Bug 1 — bqrs_interpret unusable through MCP interface:

• Added database optional parameter, mapped to --source-archive for SARIF source context
• Source archive resolution prefers src.zip over src/ directory (matching typical CodeQL database layout); throws clear error if neither exists
• Auto-resolves --source-location-prefix from codeql-database.yml metadata when database parameter is provided; does not override caller-supplied --source-archive or --source-location-prefix
• The database key is always deleted from options regardless of value to prevent it from being forwarded as an unsupported CLI flag; empty/whitespace-only strings fail fast with a clear error
• Defensive coercion for file parameter: checks file !== undefined (not truthiness) so empty strings are caught by validation; handles JSON-encoded array strings ('["/path/to/file.bqrs"]') and actual arrays passed by MCP clients; validates with trim() to also catch whitespace-only strings
• Improved -t parameter description with explicit KEY=VALUE format documentation

Bug 2 — query_results_cache_compare reports totalResultCount: 0:

• Root cause: resultCount was never populated when caching from processQueryRunResults
• Fix: compute count from SARIF runs[0].results.length at cache time (using ?? 0 to distinguish empty results from unknown counts); compare tool falls back to parsing cached content when resultCount is null, gated on SARIF format to avoid unnecessary JSON parsing for graphtext/csv

Bug 3 — annotation_search ignores category field:

• Extended FTS search condition: (id IN (SELECT rowid FROM annotations_fts WHERE MATCH $search) OR category = $search_cat COLLATE NOCASE)
• Category match uses COLLATE NOCASE for case-insensitive behavior consistent with the FTS unicode61 tokenizer

Bug 4 — audit_add_notes ignores findingId:

• Added findingId as preferred lookup (direct annotation ID) with explicit != null check
• Made composite key fields (owner/repo/sourceLocation/line) optional fallback

Bug 5 — bqrs_info files array causes CLI error:

• Changed files: z.array(z.string()) → file: z.string() to match codeql bqrs info which accepts exactly one file
• Updated client integration test runners and test fixture to use file (string) instead of files (array)

Design Improvements

Design 1 — database_analyze populates query results cache:

• Added cacheDatabaseAnalyzeResults() — after successful database_analyze with SARIF output, stores results in the cache so cache_compare/cache_retrieve work without re-running queries individually
• Uses resolveDatabasePath() for canonical database paths in cache keys to avoid divergence from positional args
• Log message shows "result count unknown" instead of "0 results" when resultCount is null, avoiding misleading operational logs

Design 2 — Serialize concurrent database_analyze on same database:

• Per-database promise-chain mutex prevents "cache directory is already locked" CLI errors
• Mutex map entries are cleaned up on release to prevent unbounded memory growth in long-running servers
• Lock key is normalized via resolve() for consistent path representation

Design 3 — query_results_cache_lookup verified with TDD:

• TDD tests confirm cacheKey (exact lookup via getCacheEntryMeta), queryName, language, databasePath, and limit parameters all work correctly in query_results_cache_lookup
• Added 5 comprehensive tests: exact cacheKey lookup with metadata, non-existent cacheKey, language filter, databasePath filter, and limit parameter

Design 5 — Auto-enable annotation/audit/cache tools in VSIX:

• New codeql-mcp.enableAnnotationTools setting (default: true)
• Extension auto-sets ENABLE_ANNOTATION_TOOLS and MONITORING_STORAGE_LOCATION env vars
• Checks process.env for inherited values from the extension host process to avoid overwriting pre-existing env values (the freshly-constructed env object is always empty, so in env checks would always pass)
• additionalEnv still overrides for advanced users

🔄 Before vs. After Comparison

API Changes

// Bug 5 — bqrs_info parameter
// BEFORE:
files: z.array(z.string()).describe('BQRS file(s) to examine')
// AFTER:
file: z.string().describe('BQRS file to examine')

// Bug 4 — audit_add_notes schema
// BEFORE: all fields required
{ owner: z.string(), repo: z.string(), sourceLocation: z.string(),
  line: z.number().int().min(1), notes: z.string() }
// AFTER: findingId preferred, composite key optional fallback
{ findingId: z.number().int().positive().optional(),
  owner: z.string().optional(), repo: z.string().optional(),
  sourceLocation: z.string().optional(), line: z.number().int().min(1).optional(),
  notes: z.string() }

// Bug 1 — bqrs_interpret database parameter
// BEFORE: no database parameter
// AFTER: database auto-resolves --source-archive AND --source-location-prefix
database: z.string().optional()
  .describe('Path to the CodeQL database. When provided, auto-resolves --source-archive ' +
    '(for file contents/snippets) and --source-location-prefix (from codeql-database.yml ' +
    'metadata) so SARIF results include full source context')

🧪 Testing & Validation

Test Results

• Unit Tests: 1156/1156 server tests pass, 137/137 VS Code extension tests pass
• New Test Cases: 24 new tests total — 5 cache lookup TDD tests (cacheKey/queryName/language/databasePath/limit), 9 bqrs-interpret definition tests, 2 bqrs-interpret handler behavior tests, 2 file parameter coercion regression tests, 1 SARIF result count derivation test, 1 environment builder MONITORING_STORAGE_LOCATION preservation test, 1 environment builder ENABLE_ANNOTATION_TOOLS process.env preservation test, 1 empty string file parameter test, 1 whitespace-only file parameter test, 1 empty string database parameter test
• Integration Tests: Fixed codeql_bqrs_info/basic_info and codeql_bqrs_info/json_format integration tests by updating test runners and fixtures to use file (string) parameter
• Lint + Format: All checks pass

📋 Implementation Details

Files Modified

• server/src/tools/codeql/bqrs-interpret.ts — added database param with updated description, improved -t docs
• server/src/tools/codeql/bqrs-info.ts — files → file
• server/src/lib/sqlite-store.ts — category match in FTS search with COLLATE NOCASE
• server/src/tools/audit-tools.ts — findingId primary lookup with explicit != null check
• server/src/tools/cache-tools.ts — SARIF content fallback for result count, gated on SARIF format
• server/src/lib/result-processor.ts — resultCount computation with ?? 0 + cacheDatabaseAnalyzeResults() with clear log messaging ("result count unknown" when null)
• server/src/lib/cli-tool-registry.ts — per-database mutex with cleanup, bqrs_interpret database→source-archive+source-location-prefix mapping (always deletes database key, fails fast on empty string, preferring src.zip, guarding against overwrite of explicit options), file parameter defensive coercion with !== undefined check and trim() validation, analyze cache call with resolved DB path, alphabetically sorted fs imports
• extensions/vscode/package.json — enableAnnotationTools setting
• extensions/vscode/src/bridge/environment-builder.ts — auto-set annotation env vars checking process.env for inherited values from the extension host process
• extensions/vscode/README.md — document new setting
• CHANGELOG.md — corrected version reference (v2.25.1-next.1 → v2.25.1-next.2)
• server/test/src/tools/codeql/bqrs-interpret.test.ts — 9 definition tests (schema validation, Zod array rejection), 2 handler behavior tests
• server/test/src/lib/cli-tool-registry.test.ts — 4 handler behavior tests (source-location-prefix auto-resolution, file param defensive coercion), 3 empty/whitespace edge case tests (empty string file, whitespace-only file, empty database param)
• server/test/src/lib/sqlite-store.test.ts — category search test
• server/test/src/tools/audit-tools.test.ts — findingId tests
• server/test/src/tools/cache-tools.test.ts — SARIF count derivation test, 5 new TDD tests for cache lookup (cacheKey/queryName/language/databasePath/limit)
• server/test/src/tools/codeql/bqrs-info.test.ts — updated for file param
• extensions/vscode/test/bridge/environment-builder.test.ts — annotation setting tests with try/finally cleanup, MONITORING_STORAGE_LOCATION process.env preservation test, ENABLE_ANNOTATION_TOOLS process.env preservation test
• client/src/lib/integration-test-runner.js — files → file for codeql_bqrs_info
• client/src/lib/monitoring-integration-test-runner.js — bqrs → file for codeql_bqrs_info
• client/integration-tests/primitives/tools/codeql_bqrs_info/json_format/test-config.json — files array → file string

Dependencies

• No New Dependencies

🚀 Compatibility & Migration

Backward Compatibility

• Deprecation Warnings: None
• Breaking Changes: Two parameter changes detailed below

Breaking Changes

codeql_bqrs_info: files (array) → file (string). Callers passing files: ["/path/to/file.bqrs"] must change to file: "/path/to/file.bqrs".

audit_add_notes: Previously required owner+repo+sourceLocation+line. Now accepts findingId as alternative. Existing calls with composite key still work unchanged.

API Evolution

• Enhanced Parameters: bqrs_interpret.database, audit_add_notes.findingId
• Maintained Contracts: All existing tool contracts preserved (except bqrs_info.files)

🔗 References

Related Issues/PRs

• Design 4 (profiling prompts): Deferred to follow-up