Upgrade codeql CLI and dependencies to v2.24.0

.codeql-version

@@ -1 +1 @@
-v2.23.9
+v2.24.0

.github/actions/setup-codeql-environment/action.yml

@@ -2,6 +2,10 @@ name: 'Setup CodeQL Environment with Languages'
 description: 'Install and configure CodeQL CLI via GitHub CLI extension and language-specific tools with optimized caching'
 
 inputs:
+  add-to-path:
+    description: 'Whether to install the CodeQL stub to PATH and set CODEQL_HOME/CODEQL_PATH environment variables. Set to false when you need only the gh-codeql extension installed (e.g. for CODEQL_PATH tests that manage PATH themselves).'
+    required: false
+    default: 'true'
   install-language-runtimes:
     description: 'Whether to install language-specific runtimes and build tools'
     required: false
@@ -136,7 +140,13 @@ runs:
           exit 1
         fi
 
-        # Create a directory for the CodeQL stub and install it there
+        echo "✅ GitHub CLI CodeQL extension installed successfully"
+
+    # Install the CodeQL stub to PATH (skipped when add-to-path is false)
+    - name: Install CodeQL stub to PATH
+      if: inputs.add-to-path == 'true'
+      shell: bash
+      run: |
         CODEQL_STUB_DIR="$HOME/.local/bin"
         mkdir -p "$CODEQL_STUB_DIR"
 
@@ -147,7 +157,7 @@ runs:
         export PATH="$CODEQL_STUB_DIR:$PATH"
         echo "PATH=$PATH" >> "$GITHUB_ENV"
 
-        echo "✅ GitHub CLI CodeQL extension installed successfully"
+        echo "✅ CodeQL stub installed to PATH"
 
     # On Windows, gh codeql install-stub creates a bash script which is not
     # discoverable by Node.js child_process.spawn() or execFile(), since
@@ -157,7 +167,7 @@ runs:
     # This workaround can be removed once github/gh-codeql#21 is merged,
     # which adds native Windows support to install-stub.
     - name: Add CodeQL binary directory to PATH (Windows)
-      if: runner.os == 'Windows'
+      if: runner.os == 'Windows' && inputs.add-to-path == 'true'
       shell: bash
       run: |
         echo "🔧 Locating actual codeql.exe binary for Windows compatibility..."
@@ -193,6 +203,7 @@ runs:
         echo "✅ Added CodeQL binary directory to PATH for Windows"
 
     - name: Setup CodeQL environment variables
+      if: inputs.add-to-path == 'true'
       id: setup-codeql-env
       shell: bash
       run: |
@@ -243,6 +254,7 @@ runs:
 
     # Verify CodeQL installation
     - name: Verify `codeql` CLI installation
+      if: inputs.add-to-path == 'true'
       shell: bash
       run: |
         echo "=== CodeQL Installation Verification ==="

.github/skills/upgrade-codeql-cli-and-packs/SKILL.md

@@ -24,9 +24,9 @@ This skill guides you through upgrading the CodeQL CLI version used by the MCP s
 
 This repository uses a **CLI-aligned versioning strategy** across all version-bearing files:
 
-1. **`.codeql-version`**: Contains the target CLI version (e.g., `v2.23.9`)
-2. **`package.json` versions**: All `package.json` files (root, client, server) use the CLI version number without the "v" prefix (e.g., `2.23.9`)
-3. **`ql-mcp-*` pack versions**: Use the CLI version number without the "v" prefix (e.g., `2.23.9`)
+1. **`.codeql-version`**: Contains the target CLI version (e.g., `v2.24.0`)
+2. **`package.json` versions**: All `package.json` files (root, client, server) use the CLI version number without the "v" prefix (e.g., `2.24.0`)
+3. **`ql-mcp-*` pack versions**: Use the CLI version number without the "v" prefix (e.g., `2.24.0`)
 4. **`codeql/*-all` dependencies**: Must have `cliVersion <= target CLI version`
 
 ### Why Database Compatibility Matters
@@ -79,7 +79,7 @@ All `package.json` files must have their `version` field set to match the CLI ve
 | `client/package.json` | `version`       |
 | `server/package.json` | `version`       |
 
-Example: If `.codeql-version` is `v2.23.9`, set all `package.json` versions to `"version": "2.23.9"`.
+Example: If `.codeql-version` is `v2.24.0`, set all `package.json` versions to `"version": "2.24.0"`.
 
 After updating, regenerate the lock file:
 

.github/workflows/client-integration-tests.yml

@@ -169,40 +169,11 @@ jobs:
       - name: CODEQL_PATH Tests - Build server bundle
         run: npm run bundle -w server
 
-      - name: CODEQL_PATH Tests - Cache gh-codeql extension (Unix)
-        if: runner.os != 'Windows'
-        uses: actions/cache@v4
-        with:
-          path: ~/.local/share/gh-codeql
-          key: codeql-path-tests-${{ runner.os }}-${{ hashFiles('.codeql-version') }}
-
-      - name: CODEQL_PATH Tests - Cache gh-codeql extension (Windows)
-        if: runner.os == 'Windows'
-        uses: actions/cache@v4
+      - name: CODEQL_PATH Tests - Setup CodeQL environment
+        uses: ./.github/actions/setup-codeql-environment
         with:
-          path: ~\AppData\Local\GitHub\gh-codeql
-          key: codeql-path-tests-${{ runner.os }}-${{ hashFiles('.codeql-version') }}
-
-      - name: CODEQL_PATH Tests - Install CodeQL CLI via gh codeql
-        id: install-codeql
-        shell: bash
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          CODEQL_VERSION=$(tr -d '[:space:]' < .codeql-version | sed 's/^v//')
-          echo "Installing CodeQL CLI version: $CODEQL_VERSION"
-
-          gh extension install github/gh-codeql 2>/dev/null || true
-          gh codeql set-version "$CODEQL_VERSION"
-
-          INSTALLED=$(gh codeql version --format=terse)
-          if [[ "$INSTALLED" != "$CODEQL_VERSION" ]]; then
-            echo "::error::Version mismatch: installed=$INSTALLED expected=$CODEQL_VERSION"
-            exit 1
-          fi
-
-          echo "✅ CodeQL CLI $INSTALLED installed via gh-codeql"
-          echo "codeql-version=$CODEQL_VERSION" >> "$GITHUB_OUTPUT"
+          add-to-path: false
+          install-language-runtimes: false
 
       ## Locate the real CodeQL binary (not the gh-codeql bash stub).
       ## The stub delegates to `gh codeql` and works from bash, but Node.js
@@ -237,13 +208,14 @@ jobs:
 
           # Verify the binary works and reports the expected version
           ACTUAL=$("$CODEQL_BINARY" version --format=terse 2>/dev/null)
-          EXPECTED="${{ steps.install-codeql.outputs.codeql-version }}"
+          EXPECTED=$(gh codeql version --format=terse 2>/dev/null)
           if [[ "$ACTUAL" != "$EXPECTED" ]]; then
             echo "::error::Binary version mismatch: got '$ACTUAL', expected '$EXPECTED'"
             exit 1
           fi
 
           echo "✅ CodeQL binary verified: $CODEQL_BINARY (version $ACTUAL)"
+          echo "codeql-version=$ACTUAL" >> "$GITHUB_OUTPUT"
           echo "codeql-binary=$CODEQL_BINARY" >> "$GITHUB_OUTPUT"
 
       ## Build a PATH that excludes every directory containing 'codeql'.
@@ -303,6 +275,6 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "| Detail | Value |" >> $GITHUB_STEP_SUMMARY
           echo "| ------ | ----- |" >> $GITHUB_STEP_SUMMARY
-          echo "| CodeQL Version | ${{ steps.install-codeql.outputs.codeql-version }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| CodeQL Version | ${{ steps.locate-codeql.outputs.codeql-version }} |" >> $GITHUB_STEP_SUMMARY
           echo "| CodeQL Binary | \`${{ steps.locate-codeql.outputs.codeql-binary }}\` |" >> $GITHUB_STEP_SUMMARY
           echo "| OS | ${{ matrix.os }} |" >> $GITHUB_STEP_SUMMARY

client/integration-tests/primitives/tools/codeql_bqrs_interpret/sarif_format/after/results.sarif

@@ -1 +1 @@
-{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.23.9","rules":[{"id":"test/query","name":"test/query","shortDescription":{"text":"ExampleQuery1"},"fullDescription":{"text":"Example query for integration testing of the codeql_test_extract MCP server tool."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n","markdown":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n"},"properties":{"tags":["mcp-integration-tests"],"description":"Example query for integration testing of the codeql_test_extract MCP server tool.","id":"test/query","kind":"problem","name":"ExampleQuery1","precision":"medium","problem.severity":"warning"}}]},"extensions":[{"name":"mcp-client-integration-tests-static-javascript-src","semanticVersion":"0.0.1+fe0e7d2a7059ebb6c6075ff8eaea04f382747656","locations":[{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/codeql-pack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/javascript-all","semanticVersion":"2.6.11+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.31+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"artifacts":[{"location":{"uri":"file:/home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}],"results":[{"ruleId":"test/query","ruleIndex":0,"rule":{"id":"test/query","index":0},"message":{"text":"Example test code file found for codeql_test_extract example query."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"file:/home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}}]}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarif-latest"}}]}
+{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.24.0","rules":[{"id":"test/query","name":"test/query","shortDescription":{"text":"ExampleQuery1"},"fullDescription":{"text":"Example query for integration testing of the codeql_test_extract MCP server tool."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n","markdown":"# Query Help for JavaScript ExampleQuery1\n\nTODO\n"},"properties":{"tags":["mcp-integration-tests"],"description":"Example query for integration testing of the codeql_test_extract MCP server tool.","id":"test/query","kind":"problem","name":"ExampleQuery1","precision":"medium","problem.severity":"warning"}}]},"extensions":[{"name":"mcp-client-integration-tests-static-javascript-src","semanticVersion":"0.0.1+fe0e7d2a7059ebb6c6075ff8eaea04f382747656","locations":[{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/src/codeql-pack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/javascript-all","semanticVersion":"2.6.11+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/javascript-all/2.6.11/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.31+ce9c8e6e9fd41ef0967b13849bb6ae2183caf9ad","locations":[{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/.codeql/packages/codeql/threat-models/1.0.31/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"artifacts":[{"location":{"uri":"file:/home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}],"results":[{"ruleId":"test/query","ruleIndex":0,"rule":{"id":"test/query","index":0},"message":{"text":"Example test code file found for codeql_test_extract example query."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"file:/home/runner/work/codeql-development-mcp-server/codeql-development-mcp-server/client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.js","index":0}}}]}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarif-latest"}}]}

client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql-development-mcp-server_client",
-  "version": "2.23.9",
+  "version": "2.24.0",
   "description": "MCP client for integration testing of the CodeQL development MCP server",
   "main": "src/ql-mcp-client.js",
   "type": "module",

docs/public.md

@@ -69,7 +69,7 @@ codeql pack download advanced-security/ql-mcp-swift-tools-src
 To pin a version, append `@<version>`:
 
 ```bash
-codeql pack download advanced-security/ql-mcp-javascript-tools-src@2.23.9
+codeql pack download advanced-security/ql-mcp-javascript-tools-src@2.24.0
 ```
 
 Each tool query pack provides AST printing, control-flow graph printing, and call-graph queries used by the MCP server to give AI assistants structural insight into CodeQL databases.
@@ -236,10 +236,10 @@ Published to the GitHub Container Registry under the `advanced-security` scope.
 ```yaml
 # Example: server/ql/javascript/tools/src/codeql-pack.yml
 name: advanced-security/ql-mcp-javascript-tools-src
-version: 2.23.9
+version: 2.24.0
 library: false
 dependencies:
-  codeql/javascript-all: 2.6.19
+  codeql/javascript-all: 2.6.20
 ```
 
 ## Troubleshooting

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql-development-mcp-server_repo",
-  "version": "2.23.9",
+  "version": "2.24.0",
   "description": "An MCP server supporting LLM requests for CodeQL development tools and resources.",
   "private": true,
   "type": "module",

server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@advanced-security/codeql-development-mcp-server",
-  "version": "2.23.9",
+  "version": "2.24.0",
   "description": "An MCP server supporting LLM requests for CodeQL development tools and resources.",
   "main": "dist/codeql-development-mcp-server.js",
   "type": "module",

server/ql/actions/tools/src/codeql-pack.lock.yml

@@ -2,31 +2,31 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/actions-all:
-    version: 0.4.25
+    version: 0.4.26
   codeql/concepts:
-    version: 0.0.13
+    version: 0.0.14
   codeql/controlflow:
-    version: 2.0.23
+    version: 2.0.24
   codeql/dataflow:
-    version: 2.0.23
+    version: 2.0.24
   codeql/javascript-all:
-    version: 2.6.19
+    version: 2.6.20
   codeql/mad:
-    version: 1.0.39
+    version: 1.0.40
   codeql/regex:
-    version: 1.0.39
+    version: 1.0.40
   codeql/ssa:
-    version: 2.0.15
+    version: 2.0.16
   codeql/threat-models:
-    version: 1.0.39
+    version: 1.0.40
   codeql/tutorial:
-    version: 1.0.39
+    version: 1.0.40
   codeql/typetracking:
-    version: 2.0.23
+    version: 2.0.24
   codeql/util:
-    version: 2.0.26
+    version: 2.0.27
   codeql/xml:
-    version: 1.0.39
+    version: 1.0.40
   codeql/yaml:
-    version: 1.0.39
+    version: 1.0.40
 compiled: false

server/ql/actions/tools/src/codeql-pack.yml

@@ -1,6 +1,6 @@
 name: advanced-security/ql-mcp-actions-tools-src
-version: 2.23.9
+version: 2.24.0
 description: 'Queries for codeql-development-mcp-server tools for actions language'
 library: false
 dependencies:
-  codeql/actions-all: 0.4.25
+  codeql/actions-all: 0.4.26

server/ql/actions/tools/test/codeql-pack.lock.yml

@@ -2,31 +2,31 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/actions-all:
-    version: 0.4.25
+    version: 0.4.26
   codeql/concepts:
-    version: 0.0.13
+    version: 0.0.14
   codeql/controlflow:
-    version: 2.0.23
+    version: 2.0.24
   codeql/dataflow:
-    version: 2.0.23
+    version: 2.0.24
   codeql/javascript-all:
-    version: 2.6.19
+    version: 2.6.20
   codeql/mad:
-    version: 1.0.39
+    version: 1.0.40
   codeql/regex:
-    version: 1.0.39
+    version: 1.0.40
   codeql/ssa:
-    version: 2.0.15
+    version: 2.0.16
   codeql/threat-models:
-    version: 1.0.39
+    version: 1.0.40
   codeql/tutorial:
-    version: 1.0.39
+    version: 1.0.40
   codeql/typetracking:
-    version: 2.0.23
+    version: 2.0.24
   codeql/util:
-    version: 2.0.26
+    version: 2.0.27
   codeql/xml:
-    version: 1.0.39
+    version: 1.0.40
   codeql/yaml:
-    version: 1.0.39
+    version: 1.0.40
 compiled: false

server/ql/actions/tools/test/codeql-pack.yml

@@ -1,5 +1,5 @@
 name: advanced-security/ql-mcp-actions-tools-test
-version: 2.23.9
+version: 2.24.0
 dependencies:
   advanced-security/ql-mcp-actions-tools-src: ${workspace}
 extractor: actions

server/ql/cpp/tools/src/codeql-pack.lock.yml

@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 2.0.23
+    version: 2.0.24
   codeql/cpp-all:
-    version: 6.1.4
+    version: 7.0.0
   codeql/dataflow:
-    version: 2.0.23
+    version: 2.0.24
   codeql/mad:
-    version: 1.0.39
+    version: 1.0.40
   codeql/quantum:
-    version: 0.0.17
+    version: 0.0.18
   codeql/rangeanalysis:
-    version: 1.0.39
+    version: 1.0.40
   codeql/ssa:
-    version: 2.0.15
+    version: 2.0.16
   codeql/tutorial:
-    version: 1.0.39
+    version: 1.0.40
   codeql/typeflow:
-    version: 1.0.39
+    version: 1.0.40
   codeql/typetracking:
-    version: 2.0.23
+    version: 2.0.24
   codeql/util:
-    version: 2.0.26
+    version: 2.0.27
   codeql/xml:
-    version: 1.0.39
+    version: 1.0.40
 compiled: false