SqliteStore backend + annotation, audit, and query result cache tools

[data-douser]

Scope

Replace lowdb (JSON file persistence) with sql.js (SQLite compiled to asm.js) as the unified storage backend. Add annotation, audit, and query result cache tools gated by ENABLE_ANNOTATION_TOOLS.

Key Changes

Storage Backend

• New: server/src/lib/sqlite-store.ts — SqliteStore class with sessions, annotations, and query_result_cache tables
• New: server/src/types/sql-js.d.ts — type declarations for sql.js asm.js build
• Modified: server/src/lib/session-data-manager.ts — migrated from lowdb to SqliteStore
• Removed: lowdb dependency, replaced with sql.js (asm.js build bundles inline, zero externals)

Annotation Tools (6 tools, opt-in)

• annotation_{create,get,list,update,delete,search} — general-purpose notes/bookmarks
• New: server/src/tools/annotation-tools.ts

Audit Tools (4 tools, opt-in)

• audit_{store_findings,list_findings,add_notes,clear_repo} — repo-keyed finding management for MRVA
• New: server/src/tools/audit-tools.ts

Query Result Cache (4 tools, opt-in)

• query_results_cache_{lookup,retrieve,clear,compare} — cache with subset retrieval
• New: server/src/tools/cache-tools.ts
• Auto-cache in processQueryRunResults after SARIF interpretation

Performance (always-on)

• Dedup resolveQueryPath (pass result to processQueryRunResults)
• Cache resolveDatabasePath via module-level Map
• Cache extractQueryMetadata with mtime invalidation
• Track actual vs target CodeQL CLI version with mismatch warning

Refactoring

• Extracted database-resolver.ts, query-resolver.ts, result-processor.ts, codeql-version.ts from large files

Independence

⚠️ NOT independent — these changes are tightly coupled (SqliteStore → session manager → annotation/audit/cache tools → auto-cache pipeline → refactored modules). Should be reviewed as a single unit.

Tests

• 437 new lines in sqlite-store.test.ts
• Updated session-data-manager.test.ts and monitoring-tools.test.ts

Parent: #163