advanced-security · data-douser · Mar 25, 2026 · Mar 26, 2026
@@ -1,6 +1,7 @@
 import { build } from 'esbuild';
 import { chmod, mkdir } from 'fs/promises';
 import { existsSync } from 'fs';
+import { fileURLToPath } from 'url';
 
 const distDir = 'dist';
 const entryFile = 'src/codeql-development-mcp-server.ts';
@@ -33,6 +34,14 @@ const config = {
       'const require = __bundled_createRequire__(import.meta.url);',
     ].join('\n'),
   },
+  // sql.js ships a `./dist/*` wildcard subpath export that esbuild 0.x
+  // cannot resolve. Map the specifier to its absolute on-disk path so
+  // esbuild bundles the asm.js build inline into the single output file.
+  alias: {
+    'sql.js/dist/sql-asm.js': fileURLToPath(
+      import.meta.resolve('sql.js/dist/sql-asm.js'),
+    ),
+  },
   // Only generate the bundled JS file and source map
   write: true,
   metafile: false,

@@ -61,7 +61,7 @@
     "dotenv": "^17.3.1",
     "express": "^5.2.1",
     "js-yaml": "^4.1.1",
-    "lowdb": "^7.0.1",
+    "sql.js": "^1.14.1",
     "zod": "^3.25.76"
   },
   "devDependencies": {

@@ -17,6 +17,9 @@ import { registerLSPTools } from './tools/lsp';
 import { registerLanguageResources } from './resources/language-resources';
 import { registerWorkflowPrompts } from './prompts/workflow-prompts';
 import { registerMonitoringTools } from './tools/monitoring-tools';
+import { registerAnnotationTools } from './tools/annotation-tools';
+import { registerAuditTools } from './tools/audit-tools';
+import { registerCacheTools } from './tools/cache-tools';
 import { sessionDataManager } from './lib/session-data-manager';
 import { resolveCodeQLBinary, validateCodeQLBinaryReachable } from './lib/cli-executor';
 import { initServerManager, shutdownServerManager } from './lib/server-manager';
@@ -74,6 +77,15 @@ export async function startServer(mode: 'stdio' | 'http' = 'stdio'): Promise<Mcp
   // Register monitoring and reporting tools
   registerMonitoringTools(server);
 
+  // Register annotation tools (general-purpose notes/bookmarks)
+  registerAnnotationTools(server);
+
+  // Register audit tools (security audit state tracking)
+  registerAuditTools(server);
+
+  // Register query results cache tools
+  registerCacheTools(server);
+
   // Initialize session data manager
   await sessionDataManager.initialize();
 

@@ -8,6 +8,10 @@ import { basename, delimiter, dirname, isAbsolute, join } from 'path';
 import { homedir } from 'os';
 import { promisify } from 'util';
 import { logger } from '../utils/logger';
+import { setActualCodeqlVersion, warnOnVersionMismatch } from './codeql-version';
+
+// Re-export version functions so existing callers don't break
+export { getActualCodeqlVersion, getTargetCodeqlVersion } from './codeql-version';
 
 const execFileAsync = promisify(execFile);
 
@@ -370,9 +374,9 @@ export function resetResolvedCodeQLBinary(): void {
  * Validate that the resolved CodeQL binary is actually callable.
  *
  * Runs `codeql version --format=terse` and verifies the process exits
- * successfully. This catches the case where `CODEQL_PATH` is unset and
- * `codeql` is not on PATH — the server would otherwise start normally
- * but every tool invocation would fail.
+ * successfully. Stores the actual version for later retrieval via
+ * getActualCodeqlVersion(). Warns (but does not fail) if the actual
+ * version differs from the target version in .codeql-version.
  *
  * @returns The version string reported by the CodeQL CLI.
  * @throws Error if the binary is not reachable or returns a non-zero exit code.
@@ -389,7 +393,15 @@ export async function validateCodeQLBinaryReachable(): Promise<string> {
       env,
       timeout: 15_000,
     });
-    return stdout.trim();
+    const version = stdout.trim();
+
+    // Store the actual CLI version for cache keys and diagnostics
+    setActualCodeqlVersion(version);
+
+    // Compare with target version and warn on mismatch
+    warnOnVersionMismatch(version);
+
+    return version;
   } catch (err: unknown) {
     const message = err instanceof Error ? err.message : String(err);
     throw new Error(