
Releases: advanced-security/codeql-development-mcp-server

v2.25.0-rc1

24 Mar 17:49


v2.25.0-rc1 Pre-release

What's Changed

  • Build(deps-dev): bump @vitest/coverage-v8 from 4.0.18 to 4.1.0 by @dependabot[bot] in #141
  • Update copilot-setup-steps and NodeJS dependencies by @data-douser in #142
  • Apply npm audit fix for NodeJS dependencies by @data-douser in #144
  • Implement duplicated code detection prompts, supported by tools. by @MichaelRFairhurst in #109
  • Upgrade NodeJS dependencies to latest by @data-douser in #156
  • Build(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by @dependabot[bot] in #146
  • Update action versions and fix build-and-test step in update-codeql workflow by @data-douser in #158
  • Support target upgrade version in update-codeql.yml workflow by @data-douser in #160
  • Improve prompt error handling and relative path support by @data-douser in #153
  • Upgrade CodeQL CLI dependency to v2.25.0 by @github-actions[bot] in #161

Full Changelog: v2.24.3...v2.25.0-rc1

v2.24.3

12 Mar 01:18
3bd0471



Highlights

🔓 Database Lock Contention Fix & New CodeQL Search/Discovery Tools

This release resolves a critical compatibility issue where databases locked by the GitHub.vscode-codeql extension prevented the MCP server from running CLI commands. A new DatabaseCopier syncs databases into a managed, lock-free directory under the extension's globalStorage. Two new tools — search_ql_code and codeql_resolve_files — eliminate the need for LLMs to use grep or shell access for QL code search and file discovery.

🔍 Automatic CodeQL CLI Discovery

The MCP server now automatically finds the CodeQL CLI binary installed by the GitHub.vscode-codeql extension, which stores it off-PATH. Discovery uses distribution.json (folder index hint) with a fallback to scanning distribution* directories. This works at two layers: the VS Code extension CliResolver and the server-side cli-executor.
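As an added illustration of the two-layer discovery described above (example code written for this page, not the project's CliResolver or cli-executor), the function below honours the folder index hint first and only then falls back to scanning distribution* directories. The hint file's field name (folderIndex), the distribution<N>/codeql/codeql layout and the demo storage directory are assumptions for the example, not facts taken from the release notes.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Binary name inside a distribution folder (codeql.exe on Windows).
const CLI_NAME = process.platform === "win32" ? "codeql.exe" : "codeql";

// Assumed layout: <storage>/distribution<N>/codeql/<CLI_NAME>. Returns the binary
// path when the folder really contains one, otherwise null.
function cliIn(distDir: string): string | null {
  const candidate = path.join(distDir, "codeql", CLI_NAME);
  try {
    return fs.statSync(candidate).isFile() ? candidate : null;
  } catch {
    return null;
  }
}

// Layer 1: use the folder index recorded in distribution.json (assumed field name
// "folderIndex"), but only if that folder actually holds a binary.
// Layer 2: scan distribution<N> directories, highest index first, and take the
// first one that holds a binary. Returns null when nothing usable is found.
function findCodeqlCli(storageDir: string): string | null {
  try {
    const raw = fs.readFileSync(path.join(storageDir, "distribution.json"), "utf8");
    const hint = JSON.parse(raw) as { folderIndex?: unknown };
    const idx = hint.folderIndex;
    if (typeof idx === "number" && Number.isInteger(idx)) {
      const hinted = cliIn(path.join(storageDir, `distribution${idx}`));
      if (hinted !== null) return hinted;
    }
  } catch {
    // Missing or malformed hint file: fall through to the scan.
  }

  let names: string[] = [];
  try {
    names = fs.readdirSync(storageDir);
  } catch {
    return null;
  }
  const candidates: { dir: string; index: number }[] = [];
  for (const name of names) {
    const m = /^distribution(\d+)$/.exec(name);
    if (m !== null) candidates.push({ dir: path.join(storageDir, name), index: Number(m[1]) });
  }
  candidates.sort((a, b) => b.index - a.index);
  for (const c of candidates) {
    const found = cliIn(c.dir); // cliIn also rejects names that are not directories
    if (found !== null) return found;
  }
  return null;
}

// Constructed demo storage (not a real extension install): the hint points at
// distribution1, which no longer exists, while distribution2 holds the binary.
function buildDemoStorage(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "codeql-discovery-"));
  fs.writeFileSync(path.join(root, "distribution.json"), JSON.stringify({ folderIndex: 1 }));
  fs.mkdirSync(path.join(root, "distribution2", "codeql"), { recursive: true });
  fs.writeFileSync(path.join(root, "distribution2", "codeql", CLI_NAME), "#!/bin/sh\nexit 0\n");
  return root;
}
```

The hint is treated as advice, not truth: a stale distribution.json left behind after the extension deleted an old distribution must not make discovery fail, and an attacker-controlled or corrupted hint cannot point outside the distribution<N> naming pattern because the index is only ever used to build that name.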

📚 Rewritten MCP Resources as Actionable LLM-Oriented Guides

All static MCP resources have been rewritten as actionable, LLM-oriented guides. Resources are now registered under clearer URIs (e.g., codeql://server/overview, codeql://server/queries, codeql://server/tools, codeql://server/prompts) and include new resources for learning query basics, test-driven development, and language-specific security query guides.

New MCP Server Tools

  • search_ql_code: Searches QL source code by text or regex pattern across resolved CodeQL packs and workspace folders, returning matched lines with surrounding context. Eliminates the need for LLMs to use grep or shell access.
  • codeql_resolve_files: Discovers files by extension or glob pattern within CodeQL databases and packs, enabling LLMs to find source files without CLI dependencies.

New MCP Server Resources

  • codeql://server/overview: MCP server orientation guide (replaces getting-started.md)
  • codeql://server/queries: PrintAST, PrintCFG, CallGraphFrom, CallGraphTo overview
  • codeql://server/tools: Complete default tool reference
  • codeql://server/prompts: Complete prompt reference
  • codeql://learning/query-basics: Practical query writing reference
  • codeql://learning/test-driven-development: TDD theory overview with cross-links
  • codeql://learning/security-queries/*: Language-specific security query guides (migrated from .github/skills/)

Changed MCP Server Prompts & Resources

All existing workflow prompts and resources have been updated to remove grep/CLI references in favor of the new search_ql_code and codeql_resolve_files tools.

Changed MCP Server Tools

  • profile_codeql_query_from_logs: Rewritten with a two-tier design: compact inline JSON plus a line-indexed detail file for targeted read_file access. The parser now captures RA operations and pipeline-stage tuple progressions. Output is deterministic (no timestamps). Uses streaming async generators instead of readFileSync for large evaluator logs.
  • codeql_query_run: The resolveDatabasePath helper auto-resolves multi-language database roots and throws on ambiguity instead of silently picking the first candidate.
  • codeql_database_analyze: Same resolveDatabasePath helper applied for consistent database path resolution.
  • codeql_resolve_database: Now probes child directories for databases; uses resolveDatabasePath for ambiguity detection.
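The ambiguity rule described for resolveDatabasePath, as an added example rather than the project's own helper: a path that is itself a database resolves to itself, a multi-language root with exactly one matching child resolves to that child, and anything else throws with the candidate list instead of silently taking the first entry. It assumes that codeql-database.yml marks a database root and carries a primaryLanguage key; the optional language filter and the two-language fixture are additions for this example.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Every CodeQL database root carries this file; its primaryLanguage key names the language.
const DB_MARKER = "codeql-database.yml";

function isDatabaseRoot(dir: string): boolean {
  try {
    return fs.statSync(path.join(dir, DB_MARKER)).isFile();
  } catch {
    return false;
  }
}

// Minimal extraction of `primaryLanguage: <value>` from the marker file (no YAML parser needed).
function primaryLanguage(dbRoot: string): string | undefined {
  const text = fs.readFileSync(path.join(dbRoot, DB_MARKER), "utf8");
  return /^primaryLanguage:\s*(\S+)/m.exec(text)?.[1];
}

// Resolve `input` to exactly one database directory:
//  - input is itself a database root: return it;
//  - otherwise treat it as a multi-language root and probe its immediate children;
//  - one candidate (after the optional language filter): return it;
//  - several candidates: throw listing them, rather than silently taking the first.
function resolveDatabasePath(input: string, language?: string): string {
  const root = path.resolve(input);
  if (isDatabaseRoot(root)) return root;

  let names: string[] = [];
  try {
    names = fs.readdirSync(root);
  } catch {
    throw new Error(`${root} is neither a CodeQL database nor a readable directory`);
  }
  let candidates = names.map((n) => path.join(root, n)).filter(isDatabaseRoot);
  if (language !== undefined) {
    candidates = candidates.filter((c) => primaryLanguage(c) === language);
  }
  if (candidates.length === 1) return candidates[0];
  if (candidates.length === 0) {
    const suffix = language !== undefined ? ` for language ${language}` : "";
    throw new Error(`no CodeQL database found at or directly under ${root}${suffix}`);
  }
  const listing = candidates
    .map((c) => `${path.basename(c)} (${primaryLanguage(c) ?? "unknown"})`)
    .join(", ");
  throw new Error(
    `ambiguous database path ${root}: candidates ${listing}; pass a language or the exact database directory`,
  );
}

// Constructed fixture (not a real database): a multi-language root with two children.
function buildDemoRoot(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "codeql-dbroot-"));
  for (const lang of ["java", "javascript"]) {
    fs.mkdirSync(path.join(root, lang));
    fs.writeFileSync(path.join(root, lang, DB_MARKER), `primaryLanguage: ${lang}\n`);
  }
  return root;
}
```

Failing loudly matters here because a query run against the wrong language's database does not error; it just returns no results, which an agent will happily report as "no findings".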

Bug Fixes

  • Database lock contention with vscode-codeql — Fixed a critical issue where .lock files created by the vscode-codeql query server prevented codeql_query_run and codeql_database_analyze from executing. A new DatabaseCopier syncs databases into a managed lock-free directory. (#119)
  • Version-bearing files not updated during release — The update-release-version.sh script now tracks server/src/codeql-development-mcp-server.ts (const VERSION) alongside all other version files. (#90)
  • MCP resource content missing at runtime in VSIX — Embedded MCP resource content at build time via esbuild loader for VSIX compatibility. (#111)
  • CODEQL_PATH tests failing on Windows CI — Fixed robust binary search and MSYS2 FIFO skip for windows-latest. (#115)
  • TOCTOU race condition in search_ql_code — Eliminated filesystem race (read-then-check instead of stat-then-read); added symlink cycle detection. (#119)
  • OOM risk with large files in search_ql_code — Large files (>5 MB) are now streamed line-by-line instead of loaded into memory. (#119)
  • Transient HTTP 503 in install-packs.sh — Added exponential backoff retry (3 attempts, 10s/20s/40s) for codeql pack install to handle GHCR.io rate limits. (#121)
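The three search_ql_code fixes listed above (checking the opened descriptor instead of the path, symlink cycle detection, and streaming files above the size threshold) as one added example; this is illustrative code for this page, not the project's tool. The fixture pack, its symlink loop and the sample QL are constructed; the 5 MB threshold is the figure from the notes and is a parameter so the streaming path can be exercised on small files. Surrounding-context lines are left out to keep the example short.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
import { StringDecoder } from "node:string_decoder";

interface Match { file: string; line: number; text: string; }

const STREAM_THRESHOLD = 5 * 1024 * 1024; // files larger than this are scanned in chunks
const CHUNK = 64 * 1024;
const QL_FILE = /\.qll?$/;

// Scan an already-open descriptor line by line with bounded memory. The
// StringDecoder keeps multi-byte UTF-8 sequences split across chunks intact.
function scanFd(fd: number, onLine: (n: number, text: string) => void): void {
  const buf = Buffer.alloc(CHUNK);
  const dec = new StringDecoder("utf8");
  let carry = "";
  let lineNo = 0;
  for (;;) {
    const n = fs.readSync(fd, buf, 0, CHUNK, null);
    if (n === 0) break;
    const parts = (carry + dec.write(buf.subarray(0, n))).split("\n");
    carry = parts.pop() as string;
    for (const text of parts) onLine(++lineNo, text);
  }
  carry += dec.end();
  if (carry.length > 0) onLine(++lineNo, carry);
}

// Search QL source files under `roots` for `pattern`. Results are sorted so the
// output is deterministic regardless of directory listing order.
function searchQlCode(roots: string[], pattern: RegExp, threshold = STREAM_THRESHOLD): Match[] {
  const re = new RegExp(pattern.source, pattern.flags.replace("g", "")); // no lastIndex state
  const matches: Match[] = [];
  const visitedDirs = new Set<string>(); // realpaths already walked: symlink cycle guard

  const scanFile = (file: string): void => {
    let fd = -1;
    try {
      // O_NONBLOCK so that opening a FIFO cannot hang the scan (ignored for regular files).
      fd = fs.openSync(file, fs.constants.O_RDONLY | (fs.constants.O_NONBLOCK ?? 0));
    } catch {
      return;
    }
    try {
      // Decide on the open descriptor, not on the path: the inode we fstat is the one we
      // read, so swapping the path between check and read cannot redirect the scan.
      const st = fs.fstatSync(fd);
      if (!st.isFile()) return; // skips FIFOs, devices and sockets
      const onLine = (n: number, text: string): void => {
        if (re.test(text)) matches.push({ file, line: n, text });
      };
      if (st.size > threshold) {
        scanFd(fd, onLine);
      } else {
        const lines = fs.readFileSync(fd, "utf8").split("\n");
        if (lines[lines.length - 1] === "") lines.pop();
        lines.forEach((text, i) => onLine(i + 1, text));
      }
    } finally {
      fs.closeSync(fd);
    }
  };

  const walk = (dir: string): void => {
    let real = "";
    try {
      real = fs.realpathSync(dir);
    } catch {
      return;
    }
    if (visitedDirs.has(real)) return; // already seen: a symlink loop or a duplicate root
    visitedDirs.add(real);
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const p = path.join(dir, entry.name);
      let isDir = entry.isDirectory();
      let isFile = entry.isFile();
      if (entry.isSymbolicLink()) { // follow links; the visited set bounds the recursion
        try {
          const st = fs.statSync(p);
          isDir = st.isDirectory();
          isFile = st.isFile();
        } catch {
          continue; // dangling link
        }
      }
      if (isDir) walk(p);
      else if (isFile && QL_FILE.test(entry.name)) scanFile(p);
    }
  };

  for (const root of roots) walk(root);
  return matches.sort((a, b) => a.file.localeCompare(b.file) || a.line - b.line);
}

// Constructed fixture (not a real pack): two QL files, a non-QL file that also contains
// the search term, and a symlink back to the pack root that creates a directory cycle.
function buildDemoPack(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "ql-search-"));
  fs.mkdirSync(path.join(root, "sub"));
  fs.writeFileSync(path.join(root, "Foo.ql"), 'import java\nfrom Method m\nwhere m.getName() = "eval"\nselect m\n');
  fs.writeFileSync(path.join(root, "sub", "Bar.qll"), 'import java\npredicate isSink(Expr e) { e.(MethodCall).getMethod().getName() = "exec" }\n');
  fs.writeFileSync(path.join(root, "notes.txt"), "getName() mentioned in prose, not QL\n");
  try { fs.symlinkSync(root, path.join(root, "sub", "loop"), "dir"); } catch { /* symlinks unavailable */ }
  return root;
}
```

Without the visited set the loop symlink would recurse until the stack or the file descriptor table ran out; without fstat on the open descriptor a path that was a regular file at stat time could be a FIFO or a symlink to something else by the time it is read.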

Infrastructure & CI/CD

  • Added CODEQL_MCP_TMP_DIR and CODEQL_MCP_WORKSPACE_FOLDERS environment variables for workspace-local scratch directories. (#119)
  • Added query-file-finder contextual hints for missing tests, documentation, and expected results. (#119)
  • Set ENABLE_MONITORING_TOOLS=false for client integration tests to avoid CI interference. (#115)

Dependency Updates

  • Upgraded CodeQL CLI dependency to v2.24.3. (#114)
  • Upgraded NodeJS dependencies to latest available versions. (#108, #114)
  • Bumped actions/download-artifact from 7 to 8. (#94)
  • Bumped actions/upload-artifact from 6 to 7. (#93)


v2.24.3-rc2

11 Mar 12:21


v2.24.3-rc2 Pre-release

What's Changed

  • Fix release update of version-bearing files from 2.24.2-rc3 to 2.24.2 by @data-douser in #90
  • Build(deps): bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #93
  • Upgrade NodeJS dependencies to latest available versions by @data-douser in #108
  • Build(deps): bump actions/download-artifact from 7 to 8 by @dependabot[bot] in #94
  • Embed MCP resource content at build time for VSIX compatibility by @Copilot in #111
  • Support automatic discovery of codeql CLI distributions installed off-PATH by VS Code extension by @data-douser in #91
  • Upgrade CodeQL to v2.24.3 and upgrade NodeJS dependencies to latest by @data-douser in #114
  • Fix CODEQL_PATH Tests (windows-latest) CI failure by @Copilot in #115
  • [UPDATE PRIMITIVE] Rewrite static MCP resources as actionable LLM-oriented guides by @Copilot in #113
  • Fixes for extension .lock database contention and tool improvements to avoid LLM use of grep by @data-douser in #119

Full Changelog: v2.24.2...v2.24.3-rc2

v2.24.3-rc1

09 Mar 13:52


v2.24.3-rc1 Pre-release

What's Changed

  • Fix release update of version-bearing files from 2.24.2-rc3 to 2.24.2 by @data-douser in #90
  • Build(deps): bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #93
  • Upgrade NodeJS dependencies to latest available versions by @data-douser in #108
  • Build(deps): bump actions/download-artifact from 7 to 8 by @dependabot[bot] in #94
  • Embed MCP resource content at build time for VSIX compatibility by @Copilot in #111
  • Support automatic discovery of codeql CLI distributions installed off-PATH by VS Code extension by @data-douser in #91
  • Upgrade CodeQL to v2.24.3 and upgrade NodeJS dependencies to latest by @data-douser in #114
  • Fix CODEQL_PATH Tests (windows-latest) CI failure by @Copilot in #115
  • [UPDATE PRIMITIVE] Rewrite static MCP resources as actionable LLM-oriented guides by @Copilot in #113

Full Changelog: v2.24.2...v2.24.3-rc1

What's Changed

  • Prep for v2.24.1 release by @data-douser in #38
  • Refactor release into separate child workflows with isolated deployment environments by @data-douser in #45
  • Build(deps): bump actions/download-artifact from 6 to 7 by @dependabot[bot] in #49
  • Build(deps): bump dotenv from 17.2.4 to 17.3.0 by @dependabot[bot] in #54
  • Add nightly CodeQL CLI update workflow by @data-douser in #58
  • Add vscode-codeql-development-mcp-server.vsix extension for "bridge" to GitHub.vscode-codeql extension's databases, query results, and MRVA results by @data-douser in #61
  • Fixes and integration tests for MCP-provided prompts and VSIX bundle by @data-douser in #71
  • Avoid timeouts in client integration test fixtures by @data-douser in #74
  • Add a new prompt & tool for diagnosing FPs/FNs from query runs. by @MichaelRFairhurst in #70
  • Upgrade CodeQL CLI dependency to v2.24.2 by @github-actions[bot] in #65
  • Fixes for v2.24.2 release prep by @data-douser in #75
  • Add stdio transport support to client integration test runner by @Copilot in #77
  • Prep for v2.24.2 release by @data-douser in #81
  • Fix release-tag workflow for releases created from v* tag on main branch by @data-douser in #85
  • Fix release-tag workflow to push only annotated tags to main by @data-douser in #87
  • Fix release update of version-bearing files from 2.24.2-rc3 to 2.24.2 by @data-douser in #90
  • Build(deps): bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #93
  • Upgrade NodeJS dependencies to latest available versions by @data-douser in #108
  • Build(deps): bump actions/download-artifact from 7 to 8 by @dependabot[bot] in #94
  • Embed MCP resource content at build time for VSIX compatibility by @Copilot in #111
  • Support automatic discovery of codeql CLI distributions installed off-PATH by VS Code extension by @data-douser in #91
  • Upgrade CodeQL to v2.24.3 and upgrade NodeJS dependencies to latest by @data-douser in #114
  • Fix CODEQL_PATH Tests (windows-latest) CI failure by @Copilot in #115
  • [UPDATE PRIMITIVE] Rewrite static MCP resources as actionable LLM-oriented guides by @Copilot in #113

New Contributors

Full Changelog: v2.24.0...v2.24.3-rc1

v2.24.2

24 Feb 03:11



Highlights

🚢 New VS Code Extension: advanced-security.vscode-codeql-development-mcp-server 🚀

This release introduces a new VS Code extension distributed as a VSIX archive (codeql-development-mcp-server-v2.24.2.vsix) that acts as a "bridge" between the GitHub CodeQL extension and the CodeQL Development MCP Server. When installed, the extension:

  • Automatically discovers CodeQL databases, query run results, and MRVA (Multi-Repository Variant Analysis) results managed by the GitHub.vscode-codeql extension, and exposes them to MCP-connected AI agents via environment variables.
  • Bundles the MCP server and all CodeQL tool packs inside the VSIX, so that installation is self-contained — no separate npm install required.
  • Manages the MCP server lifecycle (start/stop/restart) from within VS Code, with configurable settings for the server command, arguments, and npm version.
  • Registers an MCP Server Definition Provider, enabling VS Code's built-in MCP support to discover and connect to the server automatically.

Download: The VSIX is attached as a release asset. Install it via code --install-extension codeql-development-mcp-server-v2.24.2.vsix or through the VS Code Extensions sidebar ("Install from VSIX…").


New MCP Server Tools

  • list_codeql_databases: Discovers CodeQL databases in configured base directories. Returns path, language, CLI version, and creation time for each database.
  • list_query_run_results: Lists discovered query run result directories. Returns path, query name, timestamp, language, and available artifacts (evaluator-log, BQRS, SARIF, query.log, summary). Supports filtering by queryName, language, or queryPath.
  • list_mrva_run_results: Lists discovered MRVA run results. Returns run ID, timestamp, repositories scanned, analysis status, and available artifacts.
  • profile_codeql_query_from_logs: Parses CodeQL query evaluation logs into a performance profile without re-running the query. Works with logs from codeql query run, codeql database analyze, or vscode-codeql query history.
  • read_database_source: Reads source file contents directly from a CodeQL database's source archive (src.zip) or extracted source directory (src/), enabling agents to inspect code at alert locations without the original source tree.

New MCP Server Prompts

  • run_query_and_summarize_false_positives: Guides an agent through running a CodeQL query, reading source code from the database archive via read_database_source, and diagnosing false positives / false negatives to improve query precision.

Changed MCP Server Tools

  • codeql_bqrs_decode: Added text and bqrs output formats, --result-set selection, --sort-key / --sort-direction sorting, --no-titles flag, --entities column display control, and --rows pagination. Improved description to document the typical decode workflow.
  • codeql_bqrs_info: Enhanced description with cross-references to related tools and workflow guidance.
  • codeql_database_analyze: Improved logging and error messages; auto-creates output directories.
  • codeql_query_run: Minor logging improvements.
  • register_database: Error objects now chain the original cause for better debugging.

Changed MCP Server Prompts

All existing workflow prompts have been updated to use #tool_name hashtag references (instead of backtick formatting) for tool mentions, improving consistency when rendered in VS Code Copilot Chat. Additionally, prompt templates are now embedded at build time via esbuild's loader: { '.md': 'text' }, fixing a critical bug where prompts were missing at runtime in VSIX and npm-installed deployments.


Bug Fixes

  • VSIX bundle missing server dependencies — Fixed a packaging bug where the esbuild external configuration excluded required Node.js dependencies (express, cors, zod, etc.) from the bundled VSIX extension, causing runtime failures. (#71)
  • Prompt templates not found at runtime — Refactored prompt loading from filesystem reads (readFileSync) to build-time static imports, ensuring prompt templates are available in all deployment scenarios (monorepo, npm, VSIX). (#71)
  • Client integration test timeouts — Resolved timeout issues in client integration test fixtures that caused flaky CI runs. (#74)
  • VS Code extension version not tracked in release scripts — The update-release-version.sh script and nightly CodeQL CLI update workflow now correctly detect and update the version in extensions/vscode/package.json alongside other version-bearing files. (#75)
  • VSIX-bundled server pack installation — The extension now prefers the bundled server/ directory inside the VSIX for CodeQL pack resolution, falling back to npm-installed packages only if necessary. (#81)
  • Error chaining in register_database — All error paths now preserve the original cause, making debugging registration failures easier. (#61)

Infrastructure & CI/CD

  • Refactored the release workflow into separate child workflows with isolated deployment environments. (#45)
  • Added a nightly CodeQL CLI update workflow that automates version bumps across all packages. (#58)
  • Added dedicated GitHub Actions workflows for building, testing (with coverage), linting, bundling, and packaging the VS Code extension. (#61)
  • Added stdio transport support to the client integration test runner alongside SSE. (#77)
  • Release artifacts now include version strings in filenames (e.g., codeql-development-mcp-server-v2.24.2.vsix, codeql-development-mcp-server-v2.24.2.tar.gz). (#81)
  • Release workflow uses a concurrency group keyed by version, preventing overlapping releases. (#81)
  • Added .md documentation enforcement for all .ql tool queries. (#81)

Dependency Updates

  • Upgraded CodeQL CLI dependency to v2.24.2. (#65)
  • Bumped actions/download-artifact from 6 to 7. (#49)
  • Bumped dotenv from 17.2.4 to 17.3.0. (#54)
  • Bumped eslint from ^10.0.0 to ^10.0.1 across all packages. (#75)

What's Changed (PRs)

  • Refactor release into separate child workflows with isolated deployment environments by @data-douser in #45
  • Build(deps): bump actions/download-artifact from 6 to 7 by @dependabot[bot] in #49
  • Build(deps): bump dotenv from 17.2.4 to 17.3.0 by @dependabot[bot] in #54
  • Add nightly CodeQL CLI update workflow by @data-douser in #58
  • Add vscode-codeql-development-mcp-server.vsix extension for "bridge" to GitHub.vscode-codeql extension's databases, query results, and MRVA results by @data-douser in #61
  • Upgrade CodeQL CLI dependency to v2.24.2 by @github-actions[bot] in #65
  • Add a new...

v2.24.2-rc3

23 Feb 19:28


What's Changed

Full Changelog: v2.24.2-rc2...v2.24.2-rc3

v2.24.2-rc2

23 Feb 16:20


What's Changed

  • Prep for v2.24.1 release by @data-douser in #38
  • Refactor release into separate child workflows with isolated deployment environments by @data-douser in #45
  • Build(deps): bump actions/download-artifact from 6 to 7 by @dependabot[bot] in #49
  • Build(deps): bump dotenv from 17.2.4 to 17.3.0 by @dependabot[bot] in #54
  • Add nightly CodeQL CLI update workflow by @data-douser in #58
  • Add vscode-codeql-development-mcp-server.vsix extension for "bridge" to GitHub.vscode-codeql extension's databases, query results, and MRVA results by @data-douser in #61
  • Fixes and integration tests for MCP-provided prompts and VSIX bundle by @data-douser in #71
  • Avoid timeouts in client integration test fixtures by @data-douser in #74
  • Add a new prompt & tool for diagnosing FPs/FNs from query runs. by @MichaelRFairhurst in #70
  • Upgrade CodeQL CLI dependency to v2.24.2 by @github-actions[bot] in #65
  • Fixes for v2.24.2 release prep by @data-douser in #75

New Contributors

Full Changelog: v2.24.0...v2.24.2-rc2

v2.24.1

11 Feb 06:26


What's Changed

Full Changelog: v2.24.0...v2.24.1

v2.24.0 -- Initial public release

09 Feb 20:50
e21e634


The v2.24.0 release is the initial public release of the advanced-security/codeql-development-mcp-server repository.
This release is meant to be used with, and has been tested against, v2.24.0 of the codeql CLI.

What's Changed

  • Update README.md and **/package.json files to prepare for open-source release by @data-douser in #14
  • Security fixes for TOCTOU & OS tmp files by @data-douser in #18
  • Ensure cross-platform support via client integration tests run on ubuntu-latest and windows-latest by @data-douser in #22
  • Exclude exit nodes from Java PrintCFG query for deterministic test ou… by @data-douser in #23
  • More prep for initial public release readiness by @data-douser in #24
  • Use dynamic package version and respect CODEQL_MCP_TMP_DIR env var by @data-douser in #27
  • Improve MCP server integrations with codeql execute *-server servers by @data-douser in #29
  • Restructure docs: replace tools-reference.md with ql-mcp/ primitives docs and add testing strategy by @Copilot in #33
  • Upgrade codeql CLI and dependencies to v2.24.0 by @Copilot in #31

Full Changelog: v2.23.9...v2.24.0