codeql-development-mcp-server 2.25.1-next.3 → 2.25.2-next.1

package/dist/codeql-development-mcp-server.js

@@ -3600,49 +3600,49 @@ var require_fast_uri = __commonJS({
       schemelessOptions.skipEscape = true;
       return serialize(resolved, schemelessOptions);
     }
-    function resolveComponent(base, relative3, options, skipNormalization) {
+    function resolveComponent(base, relative4, options, skipNormalization) {
       const target = {};
       if (!skipNormalization) {
         base = parse4(serialize(base, options), options);
-        relative3 = parse4(serialize(relative3, options), options);
+        relative4 = parse4(serialize(relative4, options), options);
       }
       options = options || {};
-      if (!options.tolerant && relative3.scheme) {
-        target.scheme = relative3.scheme;
-        target.userinfo = relative3.userinfo;
-        target.host = relative3.host;
-        target.port = relative3.port;
-        target.path = removeDotSegments(relative3.path || "");
-        target.query = relative3.query;
+      if (!options.tolerant && relative4.scheme) {
+        target.scheme = relative4.scheme;
+        target.userinfo = relative4.userinfo;
+        target.host = relative4.host;
+        target.port = relative4.port;
+        target.path = removeDotSegments(relative4.path || "");
+        target.query = relative4.query;
       } else {
-        if (relative3.userinfo !== void 0 || relative3.host !== void 0 || relative3.port !== void 0) {
-          target.userinfo = relative3.userinfo;
-          target.host = relative3.host;
-          target.port = relative3.port;
-          target.path = removeDotSegments(relative3.path || "");
-          target.query = relative3.query;
+        if (relative4.userinfo !== void 0 || relative4.host !== void 0 || relative4.port !== void 0) {
+          target.userinfo = relative4.userinfo;
+          target.host = relative4.host;
+          target.port = relative4.port;
+          target.path = removeDotSegments(relative4.path || "");
+          target.query = relative4.query;
         } else {
-          if (!relative3.path) {
+          if (!relative4.path) {
             target.path = base.path;
-            if (relative3.query !== void 0) {
-              target.query = relative3.query;
+            if (relative4.query !== void 0) {
+              target.query = relative4.query;
             } else {
               target.query = base.query;
             }
           } else {
-            if (relative3.path[0] === "/") {
-              target.path = removeDotSegments(relative3.path);
+            if (relative4.path[0] === "/") {
+              target.path = removeDotSegments(relative4.path);
             } else {
               if ((base.userinfo !== void 0 || base.host !== void 0 || base.port !== void 0) && !base.path) {
-                target.path = "/" + relative3.path;
+                target.path = "/" + relative4.path;
               } else if (!base.path) {
-                target.path = relative3.path;
+                target.path = relative4.path;
               } else {
-                target.path = base.path.slice(0, base.path.lastIndexOf("/") + 1) + relative3.path;
+                target.path = base.path.slice(0, base.path.lastIndexOf("/") + 1) + relative4.path;
               }
               target.path = removeDotSegments(target.path);
             }
-            target.query = relative3.query;
+            target.query = relative4.query;
           }
           target.userinfo = base.userinfo;
           target.host = base.host;
@@ -3650,7 +3650,7 @@ var require_fast_uri = __commonJS({
         }
         target.scheme = base.scheme;
       }
-      target.fragment = relative3.fragment;
+      target.fragment = relative4.fragment;
       return target;
     }
     function equal(uriA, uriB, options) {
@@ -13305,7 +13305,7 @@ var require_src = __commonJS({
 // ../node_modules/depd/index.js
 var require_depd = __commonJS({
   "../node_modules/depd/index.js"(exports, module) {
-    var relative3 = __require("path").relative;
+    var relative4 = __require("path").relative;
     module.exports = depd;
     var basePath = process.cwd();
     function containsNamespace(str2, namespace) {
@@ -13497,7 +13497,7 @@ var require_depd = __commonJS({
       return formatted;
     }
     function formatLocation(callSite) {
-      return relative3(basePath, callSite[0]) + ":" + callSite[1] + ":" + callSite[2];
+      return relative4(basePath, callSite[0]) + ":" + callSite[1] + ":" + callSite[2];
     }
     function getStack() {
       var limit = Error.stackTraceLimit;
@@ -32676,9 +32676,8 @@ var require_side_channel_list = __commonJS({
           }
         },
         "delete": function(key) {
-          var root = $o && $o.next;
           var deletedNode = listDelete($o, key);
-          if (deletedNode && root && root === deletedNode) {
+          if (deletedNode && $o && !$o.next) {
             $o = void 0;
           }
           return !!deletedNode;
@@ -34321,9 +34320,9 @@ var require_parse = __commonJS({
       var limit = options.parameterLimit === Infinity ? void 0 : options.parameterLimit;
       var parts = cleanStr.split(
         options.delimiter,
-        options.throwOnLimitExceeded ? limit + 1 : limit
+        options.throwOnLimitExceeded && typeof limit !== "undefined" ? limit + 1 : limit
       );
-      if (options.throwOnLimitExceeded && parts.length > limit) {
+      if (options.throwOnLimitExceeded && typeof limit !== "undefined" && parts.length > limit) {
         throw new RangeError("Parameter limit exceeded. Only " + limit + " parameter" + (limit === 1 ? "" : "s") + " allowed.");
       }
       var skipIndex = -1;
@@ -35004,7 +35003,7 @@ var require_view = __commonJS({
     var path3 = __require("node:path");
     var fs3 = __require("node:fs");
     var dirname10 = path3.dirname;
-    var basename10 = path3.basename;
+    var basename11 = path3.basename;
     var extname3 = path3.extname;
     var join23 = path3.join;
     var resolve15 = path3.resolve;
@@ -35043,7 +35042,7 @@ var require_view = __commonJS({
         var root = roots[i];
         var loc = resolve15(root, name);
         var dir = dirname10(loc);
-        var file = basename10(loc);
+        var file = basename11(loc);
         path4 = this.resolve(dir, file);
       }
       return path4;
@@ -35073,7 +35072,7 @@ var require_view = __commonJS({
       if (stat && stat.isFile()) {
         return path4;
       }
-      path4 = join23(dir, basename10(file, ext), "index" + ext);
+      path4 = join23(dir, basename11(file, ext), "index" + ext);
       stat = tryStat(path4);
       if (stat && stat.isFile()) {
         return path4;
@@ -38371,10 +38370,8 @@ var require_content_disposition = __commonJS({
     "use strict";
     module.exports = contentDisposition;
     module.exports.parse = parse4;
-    var basename10 = __require("path").basename;
+    var utf8Decoder = new TextDecoder("utf-8");
     var ENCODE_URL_ATTR_CHAR_REGEXP = /[\x00-\x20"'()*,/:;<=>?@[\\\]{}\x7f]/g;
-    var HEX_ESCAPE_REGEXP = /%[0-9A-Fa-f]{2}/;
-    var HEX_ESCAPE_REPLACE_REGEXP = /%([0-9A-Fa-f]{2})/g;
     var NON_LATIN1_REGEXP = /[^\x20-\x7e\xa0-\xff]/g;
     var QESC_REGEXP = /\\([\u0000-\u007f])/g;
     var QUOTE_REGEXP = /([\\"])/g;
@@ -38406,11 +38403,11 @@ var require_content_disposition = __commonJS({
       if (typeof fallback === "string" && NON_LATIN1_REGEXP.test(fallback)) {
         throw new TypeError("fallback must be ISO-8859-1 string");
       }
-      var name = basename10(filename);
+      var name = basename11(filename);
       var isQuotedString = TEXT_REGEXP.test(name);
-      var fallbackName = typeof fallback !== "string" ? fallback && getlatin1(name) : basename10(fallback);
+      var fallbackName = typeof fallback !== "string" ? fallback && getlatin1(name) : basename11(fallback);
       var hasFallback = typeof fallbackName === "string" && fallbackName !== name;
-      if (hasFallback || !isQuotedString || HEX_ESCAPE_REGEXP.test(name)) {
+      if (hasFallback || !isQuotedString || hasHexEscape(name)) {
         params["filename*"] = name;
       }
       if (isQuotedString || hasFallback) {
@@ -38437,26 +38434,32 @@ var require_content_disposition = __commonJS({
       return string3;
     }
     function decodefield(str2) {
-      var match = EXT_VALUE_REGEXP.exec(str2);
+      const match = EXT_VALUE_REGEXP.exec(str2);
       if (!match) {
         throw new TypeError("invalid extended field value");
       }
-      var charset = match[1].toLowerCase();
-      var encoded = match[2];
-      var value;
-      var binary2 = encoded.replace(HEX_ESCAPE_REPLACE_REGEXP, pdecode);
+      const charset = match[1].toLowerCase();
+      const encoded = match[2];
       switch (charset) {
-        case "iso-8859-1":
-          value = getlatin1(binary2);
-          break;
+        case "iso-8859-1": {
+          const binary2 = decodeHexEscapes(encoded);
+          return getlatin1(binary2);
+        }
         case "utf-8":
-        case "utf8":
-          value = Buffer.from(binary2, "binary").toString("utf8");
-          break;
-        default:
-          throw new TypeError("unsupported charset in extended field");
+        case "utf8": {
+          try {
+            return decodeURIComponent(encoded);
+          } catch {
+            const binary2 = decodeHexEscapes(encoded);
+            const bytes = new Uint8Array(binary2.length);
+            for (let idx = 0; idx < binary2.length; idx++) {
+              bytes[idx] = binary2.charCodeAt(idx);
+            }
+            return utf8Decoder.decode(bytes);
+          }
+        }
       }
-      return value;
+      throw new TypeError("unsupported charset in extended field");
     }
     function getlatin1(val) {
       return String(val).replace(NON_LATIN1_REGEXP, "?");
@@ -38506,9 +38509,6 @@ var require_content_disposition = __commonJS({
       }
       return new ContentDisposition(type2, params);
     }
-    function pdecode(str2, hex) {
-      return String.fromCharCode(parseInt(hex, 16));
-    }
     function pencode(char) {
       return "%" + String(char).charCodeAt(0).toString(16).toUpperCase();
     }
@@ -38525,6 +38525,51 @@ var require_content_disposition = __commonJS({
       this.type = type2;
       this.parameters = parameters;
     }
+    function basename11(path3) {
+      const normalized = path3.replaceAll("\\", "/");
+      let end = normalized.length;
+      while (end > 0 && normalized[end - 1] === "/") {
+        end--;
+      }
+      if (end === 0) {
+        return "";
+      }
+      let start = end - 1;
+      while (start >= 0 && normalized[start] !== "/") {
+        start--;
+      }
+      return normalized.slice(start + 1, end);
+    }
+    function isHexDigit(char) {
+      const code = char.charCodeAt(0);
+      return code >= 48 && code <= 57 || // 0-9
+      code >= 65 && code <= 70 || // A-F
+      code >= 97 && code <= 102;
+    }
+    function hasHexEscape(str2) {
+      const maxIndex = str2.length - 3;
+      let lastIndex = -1;
+      while ((lastIndex = str2.indexOf("%", lastIndex + 1)) !== -1 && lastIndex <= maxIndex) {
+        if (isHexDigit(str2[lastIndex + 1]) && isHexDigit(str2[lastIndex + 2])) {
+          return true;
+        }
+      }
+      return false;
+    }
+    function decodeHexEscapes(str2) {
+      const firstEscape = str2.indexOf("%");
+      if (firstEscape === -1) return str2;
+      let result = str2.slice(0, firstEscape);
+      for (let idx = firstEscape; idx < str2.length; idx++) {
+        if (str2[idx] === "%" && idx + 2 < str2.length && isHexDigit(str2[idx + 1]) && isHexDigit(str2[idx + 2])) {
+          result += String.fromCharCode(Number.parseInt(str2[idx + 1] + str2[idx + 2], 16));
+          idx += 2;
+        } else {
+          result += str2[idx];
+        }
+      }
+      return result;
+    }
   }
 });
 
@@ -38735,7 +38780,7 @@ var require_send = __commonJS({
     var join23 = path3.join;
     var normalize2 = path3.normalize;
     var resolve15 = path3.resolve;
-    var sep4 = path3.sep;
+    var sep5 = path3.sep;
     var BYTES_RANGE_REGEXP = /^ *bytes=/;
     var MAX_MAXAGE = 60 * 60 * 24 * 365 * 1e3;
     var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
@@ -38896,14 +38941,14 @@ var require_send = __commonJS({
       var parts;
       if (root !== null) {
         if (path4) {
-          path4 = normalize2("." + sep4 + path4);
+          path4 = normalize2("." + sep5 + path4);
         }
         if (UP_PATH_REGEXP.test(path4)) {
           debug('malicious path "%s"', path4);
           this.error(403);
           return res;
         }
-        parts = path4.split(sep4);
+        parts = path4.split(sep5);
         path4 = normalize2(join23(root, path4));
       } else {
         if (UP_PATH_REGEXP.test(path4)) {
@@ -38911,7 +38956,7 @@ var require_send = __commonJS({
           this.error(403);
           return res;
         }
-        parts = normalize2(path4).split(sep4);
+        parts = normalize2(path4).split(sep5);
         path4 = resolve15(path4);
       }
       if (containsDotFile(parts)) {
@@ -39005,7 +39050,7 @@ var require_send = __commonJS({
       var self2 = this;
       debug('stat "%s"', path4);
       fs3.stat(path4, function onstat(err, stat) {
-        var pathEndsWithSep = path4[path4.length - 1] === sep4;
+        var pathEndsWithSep = path4[path4.length - 1] === sep5;
         if (err && err.code === "ENOENT" && !extname3(path4) && !pathEndsWithSep) {
           return next(err);
         }
@@ -40383,8 +40428,8 @@ var require_main = __commonJS({
         const shortPaths = [];
         for (const filePath of optionPaths) {
           try {
-            const relative3 = path3.relative(process.cwd(), filePath);
-            shortPaths.push(relative3);
+            const relative4 = path3.relative(process.cwd(), filePath);
+            shortPaths.push(relative4);
           } catch (e) {
             if (debug) {
               _debug(`failed to load ${filePath} ${e.message}`);
@@ -40392,7 +40437,7 @@ var require_main = __commonJS({
             lastError = e;
           }
         }
-        _log(`injecting env (${keysCount}) from ${shortPaths.join(",")} ${dim(`// tip: ${_getRandomTip()}`)}`);
+        _log(`injected env (${keysCount}) from ${shortPaths.join(",")} ${dim(`// tip: ${_getRandomTip()}`)}`);
       }
       if (lastError) {
         return { parsed: parsedAll, error: lastError };
@@ -172214,8 +172259,8 @@ var require_adm_zip = __commonJS({
         return null;
       }
       function fixPath(zipPath) {
-        const { join: join23, normalize: normalize2, sep: sep4 } = pth.posix;
-        return join23(pth.isAbsolute(zipPath) ? "/" : ".", normalize2(sep4 + zipPath.split("\\").join(sep4) + sep4));
+        const { join: join23, normalize: normalize2, sep: sep5 } = pth.posix;
+        return join23(pth.isAbsolute(zipPath) ? "/" : ".", normalize2(sep5 + zipPath.split("\\").join(sep5) + sep5));
       }
       function filenameFilter(filterfn) {
         if (filterfn instanceof RegExp) {
@@ -187313,6 +187358,17 @@ var requestPrototype = {
     }
   });
 });
+Object.defineProperty(requestPrototype, /* @__PURE__ */ Symbol.for("nodejs.util.inspect.custom"), {
+  value: function(depth, options, inspectFn) {
+    const props = {
+      method: this.method,
+      url: this.url,
+      headers: this.headers,
+      nativeRequest: this[requestCache]
+    };
+    return `Request (lightweight) ${inspectFn(props, { ...options, depth: depth == null ? null : depth - 1 })}`;
+  }
+});
 Object.setPrototypeOf(requestPrototype, Request.prototype);
 var newRequest = (incoming, defaultHostname) => {
   const req = Object.create(requestPrototype);
@@ -187417,6 +187473,17 @@ var Response2 = class _Response {
     }
   });
 });
+Object.defineProperty(Response2.prototype, /* @__PURE__ */ Symbol.for("nodejs.util.inspect.custom"), {
+  value: function(depth, options, inspectFn) {
+    const props = {
+      status: this.status,
+      headers: this.headers,
+      ok: this.ok,
+      nativeResponse: this[responseCache]
+    };
+    return `Response (lightweight) ${inspectFn(props, { ...options, depth: depth == null ? null : depth - 1 })}`;
+  }
+});
 Object.setPrototypeOf(Response2, GlobalResponse);
 Object.setPrototypeOf(Response2.prototype, GlobalResponse.prototype);
 async function readWithoutBlocking(readPromise) {
@@ -188563,12 +188630,13 @@ init_logger();
 // src/lib/log-directory-manager.ts
 init_temp_dir();
 import { mkdirSync as mkdirSync3, existsSync as existsSync5 } from "fs";
-import { join as join7, resolve as resolve3 } from "path";
+import { join as join7, resolve as resolve3, sep, relative } from "path";
 import { randomBytes } from "crypto";
 function ensurePathWithinBase(baseDir, targetPath) {
   const absBase = resolve3(baseDir);
   const absTarget = resolve3(targetPath);
-  if (!absTarget.startsWith(absBase + "/") && absTarget !== absBase) {
+  const rel = relative(absBase, absTarget);
+  if (rel === ".." || rel.startsWith(".." + sep)) {
     throw new Error(`Provided log directory is outside the allowed base directory: ${absBase}`);
   }
   return absTarget;
@@ -189374,10 +189442,43 @@ function diffSarifRules(sarifA, sarifB) {
     unchangedRules
   };
 }
+function computeFingerprintOverlap(resultA, resultB) {
+  const fpA = resultA.partialFingerprints;
+  const fpB = resultB.partialFingerprints;
+  if (!fpA || !fpB || Object.keys(fpA).length === 0 || Object.keys(fpB).length === 0) {
+    return {
+      fingerprintMatch: false,
+      overlaps: false,
+      overlapMode: "fingerprint",
+      sharedLocations: []
+    };
+  }
+  const matchedFingerprints = {};
+  for (const key of Object.keys(fpA)) {
+    if (key in fpB && fpA[key] === fpB[key]) {
+      matchedFingerprints[key] = fpA[key];
+    }
+  }
+  const hasMatch = Object.keys(matchedFingerprints).length > 0;
+  return {
+    fingerprintMatch: hasMatch,
+    matchedFingerprints: hasMatch ? matchedFingerprints : void 0,
+    overlaps: hasMatch,
+    overlapMode: "fingerprint",
+    sharedLocations: []
+  };
+}
 function computeLocationOverlap(resultA, resultB, mode = "sink") {
   let locsA;
   let locsB;
   switch (mode) {
+    case "fingerprint": {
+      const fpResult = computeFingerprintOverlap(resultA, resultB);
+      if (fpResult.fingerprintMatch) {
+        return fpResult;
+      }
+      return computeLocationOverlap(resultA, resultB, "full-path");
+    }
     case "sink":
       locsA = extractPrimaryLocations(resultA);
       locsB = extractPrimaryLocations(resultB);
@@ -189417,6 +189518,99 @@ function computeLocationOverlap(resultA, resultB, mode = "sink") {
     sharedLocations: shared
   };
 }
+function findOverlappingAlerts(resultsA, ruleA, resultsB, ruleB, mode = "sink") {
+  const overlaps = [];
+  for (let i = 0; i < resultsA.length; i++) {
+    for (let j = 0; j < resultsB.length; j++) {
+      const overlapDetails = computeLocationOverlap(resultsA[i], resultsB[j], mode);
+      if (overlapDetails.overlaps) {
+        overlaps.push({
+          overlapDetails,
+          resultA: resultsA[i],
+          resultAIndex: i,
+          resultB: resultsB[j],
+          resultBIndex: j,
+          ruleIdA: ruleA.id,
+          ruleIdB: ruleB.id
+        });
+      }
+    }
+  }
+  return overlaps;
+}
+function lineInHunks(line, hunks) {
+  for (const hunk of hunks) {
+    const hunkEnd = hunk.startLine + Math.max(hunk.lineCount - 1, 0);
+    if (line >= hunk.startLine && line <= hunkEnd) {
+      return true;
+    }
+  }
+  return false;
+}
+function diffSarifByCommits(sarif, diffFiles, refRange, granularity = "file") {
+  const results = sarif.runs[0]?.results ?? [];
+  const newResults = [];
+  const preExistingResults = [];
+  const normalizedDiffEntries = diffFiles.map((df) => ({
+    entry: df,
+    normalized: normalizeUri(df.path)
+  }));
+  for (let i = 0; i < results.length; i++) {
+    const result = results[i];
+    const primaryLoc = result.locations?.[0]?.physicalLocation;
+    const uri = primaryLoc?.artifactLocation?.uri;
+    if (!uri) {
+      preExistingResults.push({
+        file: "<unknown>",
+        resultIndex: i,
+        ruleId: result.ruleId
+      });
+      continue;
+    }
+    const startLine = primaryLoc?.region?.startLine;
+    const normalizedUri = normalizeUri(uri);
+    let matchingDiff;
+    for (const { entry, normalized } of normalizedDiffEntries) {
+      if (normalized === normalizedUri || normalized.endsWith(normalizedUri) || normalizedUri.endsWith(normalized)) {
+        matchingDiff = entry;
+        break;
+      }
+    }
+    let isNew = false;
+    if (matchingDiff) {
+      if (granularity === "file") {
+        isNew = true;
+      } else if (startLine !== void 0 && matchingDiff.hunks.length > 0) {
+        isNew = lineInHunks(startLine, matchingDiff.hunks);
+      } else if (matchingDiff.hunks.length === 0 && !matchingDiff.hunksParsed) {
+        isNew = true;
+      }
+    }
+    const classified = {
+      file: matchingDiff ? matchingDiff.path : normalizedUri,
+      line: startLine,
+      resultIndex: i,
+      ruleId: result.ruleId
+    };
+    if (isNew) {
+      newResults.push(classified);
+    } else {
+      preExistingResults.push(classified);
+    }
+  }
+  return {
+    granularity,
+    newResults,
+    preExistingResults,
+    summary: {
+      diffFileCount: diffFiles.length,
+      refRange,
+      totalNew: newResults.length,
+      totalPreExisting: preExistingResults.length,
+      totalResults: results.length
+    }
+  };
+}
 
 // src/lib/session-data-manager.ts
 init_temp_dir();
@@ -190292,8 +190486,8 @@ var MonitoringConfigSchema = external_exports.object({
   enableRecommendations: external_exports.boolean().default(true),
   enableMonitoringTools: external_exports.boolean().default(false),
   // Opt-in: session_* tools disabled by default for end-users
-  enableAnnotationTools: external_exports.boolean().default(false)
-  // Opt-in: annotation_* and audit_* tools disabled by default
+  enableAnnotationTools: external_exports.boolean().default(true)
+  // Controls auto-caching behaviour in result-processor; tools are always registered
 });
 
 // src/lib/session-data-manager.ts
@@ -190580,7 +190774,7 @@ function parseBoolEnv(envVar, defaultValue) {
 var sessionDataManager = new SessionDataManager({
   storageLocation: process.env.MONITORING_STORAGE_LOCATION || join9(getProjectTmpBase(), ".ql-mcp-tracking"),
   enableMonitoringTools: parseBoolEnv(process.env.ENABLE_MONITORING_TOOLS, false),
-  enableAnnotationTools: parseBoolEnv(process.env.ENABLE_ANNOTATION_TOOLS, false)
+  enableAnnotationTools: parseBoolEnv(process.env.ENABLE_ANNOTATION_TOOLS, true)
 });
 
 // src/lib/result-processor.ts
@@ -190910,7 +191104,7 @@ function cacheDatabaseAnalyzeResults(params, logger2) {
 // src/lib/cli-tool-registry.ts
 init_package_paths();
 import { existsSync as existsSync6, mkdirSync as mkdirSync8, realpathSync, rmSync, writeFileSync as writeFileSync4 } from "fs";
-import { delimiter as delimiter5, dirname as dirname5, isAbsolute as isAbsolute4, join as join10, resolve as resolve4 } from "path";
+import { basename as basename5, delimiter as delimiter5, dirname as dirname5, isAbsolute as isAbsolute4, join as join10, resolve as resolve4 } from "path";
 
 // ../node_modules/js-yaml/dist/js-yaml.mjs
 function isNothing(subject) {
@@ -193814,6 +194008,19 @@ function registerCLITool(server, definition) {
             break;
           }
           case "codeql_query_compile":
+            if (query) {
+              positionalArgs = [...positionalArgs, query];
+            }
+            if (options["dump-dil"] === void 0) {
+              const pending = Array.isArray(options.additionalArgs) ? options.additionalArgs : [];
+              const hasDilOverride = pending.some(
+                (arg) => arg === "--no-dump-dil" || arg === "--dump-dil"
+              );
+              if (!hasDilOverride) {
+                options["dump-dil"] = true;
+              }
+            }
+            break;
           case "codeql_resolve_metadata":
             if (query) {
               positionalArgs = [...positionalArgs, query];
@@ -193863,8 +194070,25 @@ function registerCLITool(server, definition) {
             mkdirSync8(outputDir, { recursive: true });
           }
         }
-        const rawAdditionalArgs = Array.isArray(options.additionalArgs) ? options.additionalArgs : [];
+        let effectiveDumpDilEnabled = false;
+        let rawAdditionalArgs = Array.isArray(options.additionalArgs) ? options.additionalArgs : [];
         delete options.additionalArgs;
+        if (name === "codeql_query_compile") {
+          const lastDumpDilFlag = [...rawAdditionalArgs].reverse().find(
+            (arg) => arg === "--dump-dil" || arg === "--no-dump-dil"
+          );
+          if (lastDumpDilFlag === "--dump-dil") {
+            options["dump-dil"] = true;
+          } else if (lastDumpDilFlag === "--no-dump-dil") {
+            options["dump-dil"] = false;
+          }
+          if (lastDumpDilFlag !== void 0) {
+            rawAdditionalArgs = rawAdditionalArgs.filter(
+              (arg) => arg !== "--dump-dil" && arg !== "--no-dump-dil"
+            );
+          }
+          effectiveDumpDilEnabled = options["dump-dil"] !== false;
+        }
         const managedFlagNames = /* @__PURE__ */ new Set([
           "evaluator-log",
           "logdir",
@@ -193958,7 +194182,26 @@ function registerCLITool(server, definition) {
           const resolvedDb = typeof params.database === "string" ? resolveDatabasePath(params.database) : params.database;
           cacheDatabaseAnalyzeResults({ ...params, database: resolvedDb, output: options.output, format: options.format }, logger);
         }
-        const processedResult = resultProcessor(result, params);
+        let dilFilePath;
+        if (name === "codeql_query_compile" && result.success && effectiveDumpDilEnabled && result.stdout) {
+          try {
+            const compileLogDir = getOrCreateLogDirectory(customLogDir);
+            logger.info(`Using log directory for ${name}: ${compileLogDir}`);
+            const queryBaseName = query ? basename5(query, ".ql") : "query";
+            dilFilePath = join10(compileLogDir, `${queryBaseName}.dil`);
+            writeFileSync4(dilFilePath, result.stdout, "utf8");
+            logger.info(`Saved DIL output to ${dilFilePath}`);
+          } catch (dilError) {
+            logger.warn(`Failed to save DIL output: ${dilError}`);
+            dilFilePath = void 0;
+          }
+        }
+        let processedResult = resultProcessor(result, params);
+        if (dilFilePath) {
+          processedResult += `
+
+DIL file: ${dilFilePath}`;
+        }
         return {
           content: [{
             type: "text",
@@ -195230,7 +195473,7 @@ var codeqlPackLsTool = {
 
 // src/tools/codeql/profile-codeql-query-from-logs.ts
 import { existsSync as existsSync11, mkdirSync as mkdirSync9, writeFileSync as writeFileSync5 } from "fs";
-import { basename as basename6, dirname as dirname7, join as join15 } from "path";
+import { basename as basename7, dirname as dirname7, join as join15 } from "path";
 
 // src/lib/evaluator-log-parser.ts
 init_logger();
@@ -195562,7 +195805,7 @@ function buildDetailFile(profile, topN) {
   lines.push("");
   for (let qIdx = 0; qIdx < profile.queries.length; qIdx++) {
     const query = profile.queries[qIdx];
-    const qName = basename6(query.queryName);
+    const qName = basename7(query.queryName);
     lines.push(`== Query: ${qName} ==`);
     lines.push(`   Total: ${query.totalDurationMs.toFixed(2)}ms | Predicates evaluated: ${query.predicateCount} | Cache hits: ${query.cacheHits}`);
     lines.push("");
@@ -195721,7 +195964,7 @@ init_cli_executor();
 init_logger();
 import { writeFileSync as writeFileSync6, existsSync as existsSync12 } from "fs";
 import { createReadStream as createReadStream2 } from "fs";
-import { join as join16, dirname as dirname8, basename as basename7 } from "path";
+import { join as join16, dirname as dirname8, basename as basename8 } from "path";
 import { mkdirSync as mkdirSync10 } from "fs";
 import { createInterface as createInterface2 } from "readline";
 async function parseEvaluatorLog2(logPath) {
@@ -195847,7 +196090,7 @@ function formatAsMermaid(profile) {
   lines.push("```mermaid");
   lines.push("graph TD");
   lines.push("");
-  lines.push(`  QUERY["${basename7(profile.queryName)}<br/>Total: ${profile.totalDuration.toFixed(2)}ms"]`);
+  lines.push(`  QUERY["${basename8(profile.queryName)}<br/>Total: ${profile.totalDuration.toFixed(2)}ms"]`);
   lines.push("");
   profile.pipelines.forEach((pipeline) => {
     const nodeId = `P${pipeline.eventId}`;
@@ -195978,7 +196221,7 @@ function registerProfileCodeQLQueryTool(server) {
           ...outputFiles.map((f) => `  - ${f}`),
           "",
           "Profile Summary:",
-          `  - Query: ${basename7(profile.queryName)}`,
+          `  - Query: ${basename8(profile.queryName)}`,
           `  - Total Duration: ${profile.totalDuration.toFixed(2)} ms`,
           `  - Total Pipelines: ${profile.pipelines.length}`,
           `  - Total Events: ${profile.totalEvents}`,
@@ -196015,13 +196258,15 @@ function registerProfileCodeQLQueryTool(server) {
 // src/tools/codeql/query-compile.ts
 var codeqlQueryCompileTool = {
   name: "codeql_query_compile",
-  description: "Compile and validate CodeQL queries",
+  description: "Compile and validate CodeQL queries. By default, produces a .dil file containing the optimized DIL intermediate representation alongside the compilation output.",
   command: "codeql",
   subcommand: "query compile",
   inputSchema: {
     query: external_exports.string().describe("Path to the CodeQL query file (.ql)"),
     database: external_exports.string().optional().describe("Path to the CodeQL database"),
+    "dump-dil": external_exports.boolean().optional().describe("Print the optimized DIL intermediate representation to standard output while compiling. Enabled by default; pass false or --no-dump-dil to disable."),
     library: external_exports.string().optional().describe("Path to query library"),
+    logDir: external_exports.string().optional().describe("Custom directory for compilation DIL output (overrides CODEQL_QUERY_LOG_DIR environment variable). If not provided, uses CODEQL_QUERY_LOG_DIR or defaults to .tmp/query-logs/<unique-id>"),
     output: external_exports.string().optional().describe("Output file path"),
     warnings: external_exports.enum(["hide", "show", "error"]).optional().describe("How to handle compilation warnings"),
     verbose: external_exports.boolean().optional().describe("Enable verbose output"),
@@ -196029,6 +196274,7 @@ var codeqlQueryCompileTool = {
   },
   examples: [
     "codeql query compile --database=/path/to/db MyQuery.ql",
+    "codeql query compile --dump-dil --database=/path/to/db MyQuery.ql",
     "codeql query compile --library=/path/to/lib --output=compiled.qlo MyQuery.ql"
   ]
 };
@@ -196677,7 +196923,7 @@ var codeqlResolveTestsTool = {
 
 // src/tools/codeql/search-ql-code.ts
 import { closeSync as closeSync2, createReadStream as createReadStream3, fstatSync as fstatSync2, lstatSync, openSync as openSync2, readdirSync as readdirSync8, readFileSync as readFileSync12, realpathSync as realpathSync2 } from "fs";
-import { basename as basename8, extname as extname2, join as join19, resolve as resolve9 } from "path";
+import { basename as basename9, extname as extname2, join as join19, resolve as resolve9 } from "path";
 import { createInterface as createInterface3 } from "readline";
 
 // src/lib/scan-exclude.ts
@@ -196725,10 +196971,13 @@ var MAX_FILE_SIZE_BYTES = 5 * 1024 * 1024;
 var MAX_FILES_TRAVERSED = 1e4;
 var MAX_CONTEXT_LINES = 50;
 var MAX_MAX_RESULTS = 1e4;
-var SKIP_DIRS2 = getScanExcludeDirs();
+function getSkipDirs() {
+  return getScanExcludeDirs();
+}
 function collectFiles(paths, extensions, fileCount) {
   const files = [];
   const visitedDirs = /* @__PURE__ */ new Set();
+  const skipDirs = getSkipDirs();
   function walk(p) {
     if (fileCount.value >= MAX_FILES_TRAVERSED) return;
     let stat;
@@ -196744,7 +196993,7 @@ function collectFiles(paths, extensions, fileCount) {
       }
       fileCount.value++;
     } else if (stat.isDirectory()) {
-      if (SKIP_DIRS2.has(basename8(p))) return;
+      if (skipDirs.has(basename9(p))) return;
       let realPath;
       try {
         realPath = realpathSync2(p);
@@ -197288,7 +197537,7 @@ var server_prompts_default = "# MCP Server Prompts\n\nThis resource provides a c
 var server_queries_default = '# MCP Server Bundled Queries\n\nThis resource describes the tools queries bundled with the CodeQL Development MCP Server. These queries run via `codeql_query_run` and provide structural insight into how source code is represented in a CodeQL database. Use them to understand code structure before writing detection queries.\n\nFor general QL query writing guidance (syntax, metadata, `from`/`where`/`select`, testing conventions), see `codeql://learning/query-basics`.\n\n## Bundled Tools Queries\n\nThe server bundles five tools queries that operate on CodeQL databases:\n\n| Query             | Purpose                                                 | Output Format             |\n| ----------------- | ------------------------------------------------------- | ------------------------- |\n| `PrintAST`        | Visualize the Abstract Syntax Tree of source code       | `@kind graph` (graphtext) |\n| `PrintCFG`        | Visualize the Control Flow Graph of a function          | `@kind graph` (graphtext) |\n| `CallGraphFrom`   | Show all functions called FROM a given function         | `@kind graph` (graphtext) |\n| `CallGraphTo`     | Show all call sites that call TO a given function       | `@kind graph` (graphtext) |\n| `CallGraphFromTo` | Show calls FROM one function TO another (bidirectional) | `@kind graph` (graphtext) |\n\nAll five queries use `@kind graph` metadata and produce output in graphtext format.\n\n## PrintAST\n\n**Purpose**: Outputs a hierarchical representation of the Abstract Syntax Tree showing parent-child relationships between declarations, statements, and expressions.\n\n**When to use**: Before writing any CodeQL query, run `PrintAST` on your test source code to understand which QL classes represent which source constructs and which predicates are available for matching.\n\n**How to run**:\n\n```text\nTool: codeql_query_run\nParameters:\n  queryName: "PrintAST"\n  queryLanguage: "<language>"\n  database: "<path-to-database>"\n  sourceFiles: "<comma-separated-filenames>"   (optional \u2014 filter to specific files)\n  format: "graphtext"\n  interpretedOutput: "<output-directory>"\n```\n\n**Output**: A tree showing each AST node with its QL class name, properties, and position in the hierarchy. This reveals exactly which QL classes and predicates to use in `from`/`where`/`select` clauses.\n\n## PrintCFG\n\n**Purpose**: Produces a Control Flow Graph representation showing the order in which statements and expressions execute, including branching paths.\n\n**When to use**: When writing queries that reason about execution order, reachability, or branching logic (e.g., "is this check always performed before this call?").\n\n**How to run**:\n\n```text\nTool: codeql_query_run\nParameters:\n  queryName: "PrintCFG"\n  queryLanguage: "<language>"\n  database: "<path-to-database>"\n  sourceFunction: "<function-name>"   (optional \u2014 target a specific function)\n  format: "graphtext"\n  interpretedOutput: "<output-directory>"\n```\n\n**Output**: Nodes representing CFG basic blocks and edges representing possible execution transitions (successor relationships).\n\n## CallGraphFrom\n\n**Purpose**: Shows all functions called FROM a specified source function \u2014 the outbound call dependencies.\n\n**When to use**: When analyzing what a function does by tracing the functions it invokes. Useful for understanding call chains and identifying potential data flow paths.\n\n**How to run**:\n\n```text\nTool: codeql_query_run\nParameters:\n  queryName: "CallGraphFrom"\n  queryLanguage: "<language>"\n  database: "<path-to-database>"\n  sourceFunction: "<function-name>"\n  format: "graphtext"\n  interpretedOutput: "<output-directory>"\n```\n\n**Output**: A graph showing each call site within the source function and the target function being called.\n\n## CallGraphTo\n\n**Purpose**: Shows all call sites that invoke a specified target function \u2014 the inbound callers.\n\n**When to use**: When performing impact analysis to understand where a function is used, or when identifying all locations that pass data to a particular sink function.\n\n**How to run**:\n\n```text\nTool: codeql_query_run\nParameters:\n  queryName: "CallGraphTo"\n  queryLanguage: "<language>"\n  database: "<path-to-database>"\n  targetFunction: "<function-name>"\n  format: "graphtext"\n  interpretedOutput: "<output-directory>"\n```\n\n**Output**: A graph showing each caller function and the specific call site where the target function is invoked.\n\n## CallGraphFromTo\n\n**Purpose**: Shows the call relationship between two specific functions \u2014 whether function A calls function B (directly or transitively) and what the call path looks like.\n\n**When to use**: When investigating whether a specific source function can reach a specific sink function through the call graph. Useful for validating dataflow hypotheses before writing taint-tracking queries.\n\n**How to run**:\n\n```text\nTool: codeql_query_run\nParameters:\n  queryName: "CallGraphFromTo"\n  queryLanguage: "<language>"\n  database: "<path-to-database>"\n  sourceFunction: "<calling-function-name>"\n  targetFunction: "<called-function-name>"\n  format: "graphtext"\n  interpretedOutput: "<output-directory>"\n```\n\n**Output**: A graph showing the call path from the source function to the target function, including intermediate call sites.\n\n## Language Support\n\n| Language   | PrintAST | PrintCFG | CallGraphFrom | CallGraphTo | CallGraphFromTo |\n| ---------- | :------: | :------: | :-----------: | :---------: | :-------------: |\n| actions    |    \u2713     |    \u2713     |               |             |                 |\n| cpp        |    \u2713     |    \u2713     |       \u2713       |      \u2713      |        \u2713        |\n| csharp     |    \u2713     |    \u2713     |       \u2713       |      \u2713      |        \u2713        |\n| go         |    \u2713     |    \u2713     |       \u2713       |      \u2713      |        \u2713        |\n| java       |    \u2713     |    \u2713     |       \u2713       |      \u2713      |        \u2713        |\n| javascript |    \u2713     |    \u2713     |       \u2713       |      \u2713      |        \u2713        |\n| python     |    \u2713     |    \u2713     |       \u2713       |      \u2713      |        \u2713        |\n| ruby       |    \u2713     |    \u2713     |       \u2713       |      \u2713      |        \u2713        |\n| rust       |    \u2713     |    \u2713     |       \u2713       |      \u2713      |        \u2713        |\n| swift      |    \u2713     |    \u2713     |       \u2713       |      \u2713      |        \u2713        |\n\nNote: The `actions` language supports PrintAST and PrintCFG only (no call graph queries).\n\n## Recommended Workflow\n\nUse the `tools_query_workflow` prompt for a guided step-by-step workflow:\n\n1. **Identify or create a database**: Use `list_codeql_databases` or `codeql_database_create`\n2. **Run PrintAST**: Understand how the source code maps to QL classes\n3. **Run PrintCFG**: Understand control flow for the functions of interest\n4. **Run CallGraphFrom / CallGraphTo**: Trace call relationships to identify sources and sinks\n5. **Run CallGraphFromTo**: Verify specific source-to-sink call paths\n6. **Write detection queries**: Use the insights from steps 2\u20135 to select the right QL classes and predicates\n\n## Related Resources\n\n- `codeql://learning/query-basics` \u2014 QL query writing reference (syntax, metadata, patterns, testing)\n- `codeql://server/overview` \u2014 MCP server orientation guide\n- `codeql://server/tools` \u2014 Complete tool reference\n- `codeql://learning/test-driven-development` \u2014 TDD workflow for CodeQL queries\n- `codeql://languages/{language}/ast` \u2014 Language-specific AST class reference\n';
 
 // src/resources/server-tools.md
-var server_tools_default = '# MCP Server Tools\n\nThis resource provides a complete reference of the default tools exposed by the CodeQL Development MCP Server. These tools wrap the CodeQL CLI and supporting utilities, enabling an LLM to develop, test, and analyze CodeQL queries programmatically.\n\n## CodeQL CLI Tools\n\n| Tool                          | Description                                                                                                                  |\n| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |\n| `codeql_bqrs_decode`          | Decode BQRS result files to human-readable formats (text, csv, json). Supports `--result-set` and `--rows` for pagination    |\n| `codeql_bqrs_info`            | Get metadata about BQRS result files: result sets, column types, row counts                                                  |\n| `codeql_bqrs_interpret`       | Interpret BQRS result files according to query metadata and generate output in specified formats (CSV, SARIF, graph formats) |\n| `codeql_database_analyze`     | Run queries or query suites against CodeQL databases. Produces evaluator logs, BQRS, and SARIF output                        |\n| `codeql_database_create`      | Create a CodeQL database from source code                                                                                    |\n| `codeql_generate_log-summary` | Create a summary of a structured JSON evaluator event log file                                                               |\n| `codeql_generate_query-help`  | Generate query help documentation from QLDoc comments                                                                        |\n| `codeql_pack_install`         | Install CodeQL pack dependencies                                                                                             |\n| `codeql_pack_ls`              | List CodeQL packs under a local directory path                                                                               |\n| `codeql_query_compile`        | Compile and validate CodeQL queries                                                                                          |\n| `codeql_query_format`         | Automatically format CodeQL source code files                                                                                |\n| `codeql_query_run`            | Execute a CodeQL query against a database                                                                                    |\n| `codeql_resolve_database`     | Resolve database path and validate database structure                                                                        |\n| `codeql_resolve_files`        | Find files in a directory tree, filtered by extension and glob patterns. Useful for discovering QL library files             |\n| `codeql_resolve_languages`    | List installed CodeQL extractor packs                                                                                        |\n| `codeql_resolve_library-path` | Resolve library path for CodeQL queries and libraries                                                                        |\n| `codeql_resolve_metadata`     | Resolve and return key-value metadata pairs from a CodeQL query source file                                                  |\n| `codeql_resolve_qlref`        | Resolve `.qlref` files to their corresponding query files                                                                    |\n| `codeql_resolve_queries`      | List available CodeQL queries found on the local filesystem                                                                  |\n| `codeql_resolve_tests`        | Resolve the local filesystem paths of unit tests and/or queries under a base directory                                       |\n| `codeql_test_accept`          | Accept new test results as the expected baseline                                                                             |\n| `codeql_test_extract`         | Extract test databases for CodeQL query tests                                                                                |\n| `codeql_test_run`             | Run CodeQL query tests                                                                                                       |\n\n## Language Server Protocol (LSP) Tools\n\n| Tool                     | Description                                                                                                                                                                  |\n| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `codeql_lsp_completion`  | Get code completions at a cursor position in a CodeQL file                                                                                                                   |\n| `codeql_lsp_definition`  | Go to the definition of a CodeQL symbol at a given position                                                                                                                  |\n| `codeql_lsp_diagnostics` | Syntax and semantic validation of CodeQL code via the Language Server. Note: inline `ql_code` cannot resolve pack imports; use `codeql_query_compile` for files with imports |\n| `codeql_lsp_references`  | Find all references to a CodeQL symbol at a given position                                                                                                                   |\n\n## Query Development Tools\n\n| Tool                             | Description                                                                                                  |\n| -------------------------------- | ------------------------------------------------------------------------------------------------------------ |\n| `create_codeql_query`            | Create directory structure and files for a new CodeQL query with tests                                       |\n| `find_class_position`            | Find the start/end line and column of a class for quick evaluation                                           |\n| `find_codeql_query_files`        | Find and track all files and directories related to a CodeQL query, including resolved metadata              |\n| `find_predicate_position`        | Find the start/end line and column of a predicate for quick evaluation                                       |\n| `list_codeql_databases`          | List CodeQL databases discovered in configured base directories                                              |\n| `list_mrva_run_results`          | List MRVA (Multi-Repository Variant Analysis) run results with per-repo details                              |\n| `list_query_run_results`         | List query run result directories with artifact inventory. Filter by `queryName`, `language`, or `queryPath` |\n| `profile_codeql_query`           | Profile the performance of a CodeQL query run against a specific database by analyzing the evaluator log     |\n| `profile_codeql_query_from_logs` | Parse evaluator logs into a compact profile with line-indexed detail file for targeted read_file access      |\n| `quick_evaluate`                 | Quick evaluate either a class or a predicate in a CodeQL query for debugging                                 |\n| `read_database_source`           | Read source file contents from a CodeQL database source archive. Omit `filePath` to list all files           |\n| `register_database`              | Register a CodeQL database given a local path to the database directory                                      |\n| `search_ql_code`                 | Search QL source files for text or regex patterns with structured results (replaces grep for QL code)        |\n| `validate_codeql_query`          | Quick heuristic validation for CodeQL query structure (does not compile the query)                           |\n\n## SARIF Analysis Tools\n\n| Tool                     | Description                                                                                          |\n| ------------------------ | ---------------------------------------------------------------------------------------------------- |\n| `sarif_extract_rule`     | Extract all data for a specific rule from multi-rule SARIF. Returns a valid SARIF JSON subset        |\n| `sarif_list_rules`       | List all rules in a SARIF file with result counts, severity, precision, and tags                     |\n| `sarif_rule_to_markdown` | Convert per-rule SARIF data to markdown with Mermaid dataflow diagrams                               |\n| `sarif_compare_alerts`   | Compare code locations of two SARIF alerts for overlap (sink, source, any-location, full-path modes) |\n| `sarif_diff_runs`        | Diff two SARIF files to find added, removed, and changed rules/results across analysis runs          |\n\n### `sarif_list_rules` Response Format\n\nReturns a JSON object with per-rule result counts and metadata:\n\n```json\n{\n  "totalRules": 3,\n  "totalResults": 15,\n  "rules": [\n    {\n      "ruleId": "js/sql-injection",\n      "resultCount": 8,\n      "name": "Database query built from user-controlled sources",\n      "kind": "path-problem",\n      "precision": "high",\n      "severity": "8.8",\n      "tags": ["security", "external/cwe/cwe-089"],\n      "tool": "CodeQL",\n      "toolVersion": "2.20.4"\n    }\n  ]\n}\n```\n\n| Field          | Type   | Description                                      |\n| -------------- | ------ | ------------------------------------------------ |\n| `totalRules`   | number | Total number of distinct rules in the SARIF file |\n| `totalResults` | number | Sum of `resultCount` across all rules            |\n| `rules[]`      | array  | Per-rule summaries (see below)                   |\n\nEach rule object:\n\n| Field         | Type     | Required | Description                                                                  |\n| ------------- | -------- | -------- | ---------------------------------------------------------------------------- |\n| `ruleId`      | string   | yes      | Rule identifier (matches the CodeQL query `@id`)                             |\n| `resultCount` | number   | yes      | Number of results (findings) for this rule; `0` if defined but not triggered |\n| `name`        | string   | no       | Display name (from `shortDescription.text`, `name`, or `id`)                 |\n| `kind`        | string   | no       | Query kind (`path-problem`, `problem`, etc.)                                 |\n| `precision`   | string   | no       | Precision level (`high`, `medium`, `low`, `very-high`)                       |\n| `severity`    | string   | no       | Security severity score (from `security-severity` property)                  |\n| `tags`        | string[] | no       | Rule tags (e.g., `security`, `external/cwe/cwe-089`)                         |\n| `tool`        | string   | no       | Tool driver name (e.g., `CodeQL`)                                            |\n| `toolVersion` | string   | no       | Tool driver version                                                          |\n\n## Common Tool Workflows\n\n### Create and Test a Query\n\n1. `create_codeql_query` \u2014 scaffold files\n2. `codeql_pack_install` \u2014 install dependencies\n3. `codeql_query_compile` \u2014 validate syntax\n4. `codeql_test_run` \u2014 run tests\n5. `codeql_test_accept` \u2014 accept correct results\n\n### Understand Code Structure\n\n1. `codeql_query_run` with `queryName="PrintAST"` \u2014 visualize the AST\n2. `codeql_query_run` with `queryName="PrintCFG"` \u2014 visualize control flow\n3. `codeql_query_run` with `queryName="CallGraphFrom"` / `"CallGraphTo"` \u2014 trace call relationships\n4. `codeql_query_run` with `queryName="CallGraphFromTo"` \u2014 verify source-to-sink call paths\n\n### Profile Query Performance\n\n1. `codeql_query_run` with `evaluationOutput` \u2014 run query and capture evaluator logs\n2. `profile_codeql_query_from_logs` \u2014 analyze evaluator logs: slowest predicates, RA operations, tuple count progressions, dependencies\n\n### Discover and Search QL Code\n\n1. `codeql_resolve_files` \u2014 find QL files by extension and glob patterns in library packs\n2. `search_ql_code` \u2014 search QL source files for classes, predicates, or patterns by text/regex\n3. `codeql_lsp_definition` \u2014 navigate to the definition of a discovered symbol\n4. `codeql_lsp_references` \u2014 find all usages of a symbol across a pack\n\n### Interactive Development\n\n1. `codeql_lsp_completion` \u2014 get QL code completions\n2. `codeql_lsp_definition` \u2014 navigate to definitions\n3. `codeql_lsp_references` \u2014 find all references\n4. `codeql_lsp_diagnostics` \u2014 real-time validation\n\n### Analyze and Compare Results\n\n1. `codeql_database_analyze` \u2014 run query packs and produce SARIF\n2. `sarif_list_rules` \u2014 discover rules and result counts in the SARIF\n3. `query_results_cache_lookup` with `ruleId` \u2014 find cached results by CodeQL query `@id`\n4. `sarif_extract_rule` \u2014 extract results for a specific rule from multi-rule SARIF\n5. `sarif_rule_to_markdown` \u2014 generate markdown report with Mermaid dataflow diagrams\n6. `sarif_compare_alerts` \u2014 compare two alerts for location overlap\n7. `sarif_diff_runs` \u2014 diff two SARIF files to detect behavioral changes across runs\n8. `query_results_cache_compare` with `ruleId` \u2014 compare results across databases\n\n## Tool Input Conventions\n\n- **LSP tools** use **0-based** line and column positions for input. Output uses 1-based `startLine`/`endLine`.\n- **`find_predicate_position`** and **`find_class_position`** return **1-based** positions.\n- **`workspace_uri`** for LSP tools must be a **plain directory path** to the pack root containing `codeql-pack.yml`, not a `file://` URI.\n\n## Related Resources\n\n- `codeql://server/overview` \u2014 MCP server orientation guide\n- `codeql://server/prompts` \u2014 Complete prompt reference\n- `codeql://learning/query-basics` \u2014 Query writing reference\n- `codeql://patterns/performance` \u2014 Performance profiling guide\n';
+var server_tools_default = '# MCP Server Tools\n\nThis resource provides a complete reference of the default tools exposed by the CodeQL Development MCP Server. These tools wrap the CodeQL CLI and supporting utilities, enabling an LLM to develop, test, and analyze CodeQL queries programmatically.\n\n## CodeQL CLI Tools\n\n| Tool                          | Description                                                                                                                  |\n| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |\n| `codeql_bqrs_decode`          | Decode BQRS result files to human-readable formats (text, csv, json). Supports `--result-set` and `--rows` for pagination    |\n| `codeql_bqrs_info`            | Get metadata about BQRS result files: result sets, column types, row counts                                                  |\n| `codeql_bqrs_interpret`       | Interpret BQRS result files according to query metadata and generate output in specified formats (CSV, SARIF, graph formats) |\n| `codeql_database_analyze`     | Run queries or query suites against CodeQL databases. Produces evaluator logs, BQRS, and SARIF output                        |\n| `codeql_database_create`      | Create a CodeQL database from source code                                                                                    |\n| `codeql_generate_log-summary` | Create a summary of a structured JSON evaluator event log file                                                               |\n| `codeql_generate_query-help`  | Generate query help documentation from QLDoc comments                                                                        |\n| `codeql_pack_install`         | Install CodeQL pack dependencies                                                                                             |\n| `codeql_pack_ls`              | List CodeQL packs under a local directory path                                                                               |\n| `codeql_query_compile`        | Compile and validate CodeQL queries                                                                                          |\n| `codeql_query_format`         | Automatically format CodeQL source code files                                                                                |\n| `codeql_query_run`            | Execute a CodeQL query against a database                                                                                    |\n| `codeql_resolve_database`     | Resolve database path and validate database structure                                                                        |\n| `codeql_resolve_files`        | Find files in a directory tree, filtered by extension and glob patterns. Useful for discovering QL library files             |\n| `codeql_resolve_languages`    | List installed CodeQL extractor packs                                                                                        |\n| `codeql_resolve_library-path` | Resolve library path for CodeQL queries and libraries                                                                        |\n| `codeql_resolve_metadata`     | Resolve and return key-value metadata pairs from a CodeQL query source file                                                  |\n| `codeql_resolve_qlref`        | Resolve `.qlref` files to their corresponding query files                                                                    |\n| `codeql_resolve_queries`      | List available CodeQL queries found on the local filesystem                                                                  |\n| `codeql_resolve_tests`        | Resolve the local filesystem paths of unit tests and/or queries under a base directory                                       |\n| `codeql_test_accept`          | Accept new test results as the expected baseline                                                                             |\n| `codeql_test_extract`         | Extract test databases for CodeQL query tests                                                                                |\n| `codeql_test_run`             | Run CodeQL query tests                                                                                                       |\n\n## Language Server Protocol (LSP) Tools\n\n| Tool                     | Description                                                                                                                                                                  |\n| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `codeql_lsp_completion`  | Get code completions at a cursor position in a CodeQL file                                                                                                                   |\n| `codeql_lsp_definition`  | Go to the definition of a CodeQL symbol at a given position                                                                                                                  |\n| `codeql_lsp_diagnostics` | Syntax and semantic validation of CodeQL code via the Language Server. Note: inline `ql_code` cannot resolve pack imports; use `codeql_query_compile` for files with imports |\n| `codeql_lsp_references`  | Find all references to a CodeQL symbol at a given position                                                                                                                   |\n\n## Query Development Tools\n\n| Tool                             | Description                                                                                                  |\n| -------------------------------- | ------------------------------------------------------------------------------------------------------------ |\n| `create_codeql_query`            | Create directory structure and files for a new CodeQL query with tests                                       |\n| `find_class_position`            | Find the start/end line and column of a class for quick evaluation                                           |\n| `find_codeql_query_files`        | Find and track all files and directories related to a CodeQL query, including resolved metadata              |\n| `find_predicate_position`        | Find the start/end line and column of a predicate for quick evaluation                                       |\n| `list_codeql_databases`          | List CodeQL databases discovered in configured base directories                                              |\n| `list_mrva_run_results`          | List MRVA (Multi-Repository Variant Analysis) run results with per-repo details                              |\n| `list_query_run_results`         | List query run result directories with artifact inventory. Filter by `queryName`, `language`, or `queryPath` |\n| `profile_codeql_query`           | Profile the performance of a CodeQL query run against a specific database by analyzing the evaluator log     |\n| `profile_codeql_query_from_logs` | Parse evaluator logs into a compact profile with line-indexed detail file for targeted read_file access      |\n| `quick_evaluate`                 | Quick evaluate either a class or a predicate in a CodeQL query for debugging                                 |\n| `read_database_source`           | Read source file contents from a CodeQL database source archive. Omit `filePath` to list all files           |\n| `register_database`              | Register a CodeQL database given a local path to the database directory                                      |\n| `search_ql_code`                 | Search QL source files for text or regex patterns with structured results (replaces grep for QL code)        |\n| `validate_codeql_query`          | Quick heuristic validation for CodeQL query structure (does not compile the query)                           |\n\n## SARIF Analysis Tools\n\n| Tool                      | Description                                                                                          |\n| ------------------------- | ---------------------------------------------------------------------------------------------------- |\n| `sarif_compare_alerts`    | Compare code locations of two SARIF alerts for overlap (sink, source, any-location, full-path modes) |\n| `sarif_deduplicate_rules` | Find duplicate rules across two SARIF files using fingerprint-first, full-path-fallback overlap      |\n| `sarif_diff_by_commits`   | Correlate SARIF results with a git diff to classify findings as "new" or "pre-existing"              |\n| `sarif_diff_runs`         | Diff two SARIF files to find added, removed, and changed rules/results across analysis runs          |\n| `sarif_extract_rule`      | Extract all data for a specific rule from multi-rule SARIF. Returns a valid SARIF JSON subset        |\n| `sarif_list_rules`        | List all rules in a SARIF file with result counts, severity, precision, and tags                     |\n| `sarif_rule_to_markdown`  | Convert per-rule SARIF data to markdown with Mermaid dataflow diagrams                               |\n| `sarif_store`             | Cache SARIF content in the session store and return a cache key for use by downstream SARIF tools    |\n\n### `sarif_list_rules` Response Format\n\nReturns a JSON object with per-rule result counts and metadata:\n\n```json\n{\n  "totalRules": 3,\n  "totalResults": 15,\n  "rules": [\n    {\n      "ruleId": "js/sql-injection",\n      "resultCount": 8,\n      "name": "Database query built from user-controlled sources",\n      "kind": "path-problem",\n      "precision": "high",\n      "severity": "8.8",\n      "tags": ["security", "external/cwe/cwe-089"],\n      "tool": "CodeQL",\n      "toolVersion": "2.20.4"\n    }\n  ]\n}\n```\n\n| Field          | Type   | Description                                      |\n| -------------- | ------ | ------------------------------------------------ |\n| `totalRules`   | number | Total number of distinct rules in the SARIF file |\n| `totalResults` | number | Sum of `resultCount` across all rules            |\n| `rules[]`      | array  | Per-rule summaries (see below)                   |\n\nEach rule object:\n\n| Field         | Type     | Required | Description                                                                  |\n| ------------- | -------- | -------- | ---------------------------------------------------------------------------- |\n| `ruleId`      | string   | yes      | Rule identifier (matches the CodeQL query `@id`)                             |\n| `resultCount` | number   | yes      | Number of results (findings) for this rule; `0` if defined but not triggered |\n| `name`        | string   | no       | Display name (from `shortDescription.text`, `name`, or `id`)                 |\n| `kind`        | string   | no       | Query kind (`path-problem`, `problem`, etc.)                                 |\n| `precision`   | string   | no       | Precision level (`high`, `medium`, `low`, `very-high`)                       |\n| `severity`    | string   | no       | Security severity score (from `security-severity` property)                  |\n| `tags`        | string[] | no       | Rule tags (e.g., `security`, `external/cwe/cwe-089`)                         |\n| `tool`        | string   | no       | Tool driver name (e.g., `CodeQL`)                                            |\n| `toolVersion` | string   | no       | Tool driver version                                                          |\n\n## Common Tool Workflows\n\n### Create and Test a Query\n\n1. `create_codeql_query` \u2014 scaffold files\n2. `codeql_pack_install` \u2014 install dependencies\n3. `codeql_query_compile` \u2014 validate syntax\n4. `codeql_test_run` \u2014 run tests\n5. `codeql_test_accept` \u2014 accept correct results\n\n### Understand Code Structure\n\n1. `codeql_query_run` with `queryName="PrintAST"` \u2014 visualize the AST\n2. `codeql_query_run` with `queryName="PrintCFG"` \u2014 visualize control flow\n3. `codeql_query_run` with `queryName="CallGraphFrom"` / `"CallGraphTo"` \u2014 trace call relationships\n4. `codeql_query_run` with `queryName="CallGraphFromTo"` \u2014 verify source-to-sink call paths\n\n### Profile Query Performance\n\n1. `codeql_query_run` with `evaluationOutput` \u2014 run query and capture evaluator logs\n2. `profile_codeql_query_from_logs` \u2014 analyze evaluator logs: slowest predicates, RA operations, tuple count progressions, dependencies\n\n### Discover and Search QL Code\n\n1. `codeql_resolve_files` \u2014 find QL files by extension and glob patterns in library packs\n2. `search_ql_code` \u2014 search QL source files for classes, predicates, or patterns by text/regex\n3. `codeql_lsp_definition` \u2014 navigate to the definition of a discovered symbol\n4. `codeql_lsp_references` \u2014 find all usages of a symbol across a pack\n\n### Interactive Development\n\n1. `codeql_lsp_completion` \u2014 get QL code completions\n2. `codeql_lsp_definition` \u2014 navigate to definitions\n3. `codeql_lsp_references` \u2014 find all references\n4. `codeql_lsp_diagnostics` \u2014 real-time validation\n\n### Analyze and Compare Results\n\n1. `codeql_database_analyze` \u2014 run query packs and produce SARIF\n2. `sarif_list_rules` \u2014 discover rules and result counts in the SARIF\n3. `query_results_cache_lookup` with `ruleId` \u2014 find cached results by CodeQL query `@id`\n4. `sarif_extract_rule` \u2014 extract results for a specific rule from multi-rule SARIF\n5. `sarif_rule_to_markdown` \u2014 generate markdown report with Mermaid dataflow diagrams\n6. `sarif_compare_alerts` \u2014 compare two alerts for location overlap\n7. `sarif_diff_runs` \u2014 diff two SARIF files to detect behavioral changes across runs\n8. `sarif_diff_by_commits` \u2014 correlate SARIF results with git diff to triage new vs pre-existing\n9. `query_results_cache_compare` with `ruleId` \u2014 compare results across databases\n\n## Tool Input Conventions\n\n- **LSP tools** use **0-based** line and column positions for input. Output uses 1-based `startLine`/`endLine`.\n- **`find_predicate_position`** and **`find_class_position`** return **1-based** positions.\n- **`workspace_uri`** for LSP tools must be a **plain directory path** to the pack root containing `codeql-pack.yml`, not a `file://` URI.\n\n## Related Resources\n\n- `codeql://server/overview` \u2014 MCP server orientation guide\n- `codeql://server/prompts` \u2014 Complete prompt reference\n- `codeql://learning/query-basics` \u2014 Query writing reference\n- `codeql://patterns/performance` \u2014 Performance profiling guide\n';
 
 // src/lib/resources.ts
 function getLearningQueryBasics() {
@@ -198145,7 +198394,7 @@ function registerLanguageResources(server) {
 
 // src/prompts/workflow-prompts.ts
 import { access as access2 } from "fs/promises";
-import { basename as basename9, isAbsolute as isAbsolute7, normalize, relative as relative2, resolve as resolve13, sep as sep3 } from "path";
+import { basename as basename10, isAbsolute as isAbsolute7, normalize, relative as relative3, resolve as resolve13, sep as sep4 } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
 
 // src/prompts/constants.ts
@@ -198165,13 +198414,13 @@ var SUPPORTED_LANGUAGES = [
 // src/prompts/prompt-completions.ts
 import { readdir, readFile as readFile4 } from "fs/promises";
 import { homedir as homedir2 } from "os";
-import { dirname as dirname9, join as join22, relative, sep as sep2 } from "path";
+import { dirname as dirname9, join as join22, relative as relative2, sep as sep3 } from "path";
 init_logger();
 init_package_paths();
 var MAX_FILE_COMPLETIONS = 50;
 var MAX_SCAN_DEPTH = 8;
 var CACHE_TTL_MS = 5e3;
-var SKIP_DIRS3 = getScanExcludeDirs();
+var SKIP_DIRS2 = getScanExcludeDirs();
 var scanCache = /* @__PURE__ */ new Map();
 function getCachedResults(cacheKey2) {
   const entry = scanCache.get(cacheKey2);
@@ -198199,14 +198448,14 @@ async function findFilesByExtension(dir, baseDir, extensions, maxDepth, results)
     if (results.length >= MAX_FILE_COMPLETIONS) break;
     const fullPath = join22(dir, entry.name);
     if (entry.isDirectory()) {
-      if (SKIP_DIRS3.has(entry.name)) {
+      if (SKIP_DIRS2.has(entry.name)) {
         continue;
       }
       await findFilesByExtension(fullPath, baseDir, extensions, maxDepth - 1, results);
     } else if (entry.isFile()) {
       const lower = entry.name.toLowerCase();
       if (extensions.some((ext) => lower.endsWith(ext))) {
-        results.push(relative(baseDir, fullPath));
+        results.push(relative2(baseDir, fullPath));
       }
     }
   }
@@ -198290,7 +198539,7 @@ async function completeDatabasePath(value) {
   }
   const lower = (value || "").toLowerCase();
   const filtered = allResults.filter((p) => {
-    const lastSeg = p.split(sep2).pop() ?? "";
+    const lastSeg = p.split(sep3).pop() ?? "";
     return p.toLowerCase().includes(lower) || lastSeg.toLowerCase().includes(lower);
   }).sort();
   return filtered.slice(0, MAX_FILE_COMPLETIONS);
@@ -198312,7 +198561,7 @@ async function findDatabaseDirs(dir, _baseDir, maxDepth, results) {
   }
   for (const entry of entries) {
     if (results.length >= MAX_FILE_COMPLETIONS) break;
-    if (entry.isDirectory() && !SKIP_DIRS3.has(entry.name)) {
+    if (entry.isDirectory() && !SKIP_DIRS2.has(entry.name)) {
       await findDatabaseDirs(join22(dir, entry.name), _baseDir, maxDepth - 1, results);
     }
   }
@@ -198335,11 +198584,11 @@ async function completePackRoot(value) {
         (e) => e.isFile() && e.name === "codeql-pack.yml"
       );
       if (hasPackYml) {
-        results.push(relative(workspace, dir) || ".");
+        results.push(relative2(workspace, dir) || ".");
       }
       for (const entry of entries) {
         if (results.length >= MAX_FILE_COMPLETIONS) break;
-        if (entry.isDirectory() && !SKIP_DIRS3.has(entry.name)) {
+        if (entry.isDirectory() && !SKIP_DIRS2.has(entry.name)) {
           await scan(join22(dir, entry.name), depth - 1);
         }
       }
@@ -198580,8 +198829,8 @@ async function resolvePromptFilePath(filePath, workspaceRoot) {
   const inputWasAbsolute = isAbsolute7(normalizedPath);
   const absolutePath = inputWasAbsolute ? normalizedPath : resolve13(effectiveRoot, normalizedPath);
   if (!inputWasAbsolute) {
-    const rel = relative2(effectiveRoot, absolutePath);
-    if (rel === ".." || rel.startsWith(`..${sep3}`) || isAbsolute7(rel)) {
+    const rel = relative3(effectiveRoot, absolutePath);
+    if (rel === ".." || rel.startsWith(`..${sep4}`) || isAbsolute7(rel)) {
       return {
         blocked: true,
         resolvedPath: "",
@@ -198851,7 +199100,7 @@ ${content}`
         const langResult = await getEffectiveLanguage("workshop_creation_workflow", language, resolvedQueryPath);
         const effectiveLanguage = langResult.language;
         if (langResult.warning) warnings.push(langResult.warning);
-        const derivedName = workshopName || basename9(resolvedQueryPath).replace(/\.(ql|qlref)$/, "").toLowerCase().replace(/[^a-z0-9]+/g, "-") || "codeql-workshop";
+        const derivedName = workshopName || basename10(resolvedQueryPath).replace(/\.(ql|qlref)$/, "").toLowerCase().replace(/[^a-z0-9]+/g, "-") || "codeql-workshop";
         const contextSection = buildWorkshopContext(
           resolvedQueryPath,
           effectiveLanguage ?? "unknown",
@@ -200225,13 +200474,6 @@ function generateListRecommendations(sessions) {
 // src/tools/annotation-tools.ts
 init_logger();
 function registerAnnotationTools(server) {
-  const config2 = sessionDataManager.getConfig();
-  if (!config2.enableAnnotationTools) {
-    logger.info(
-      "Annotation tools are disabled (opt-in). Set ENABLE_ANNOTATION_TOOLS=true to enable annotation_* tools."
-    );
-    return;
-  }
   registerAnnotationCreateTool(server);
   registerAnnotationGetTool(server);
   registerAnnotationListTool(server);
@@ -200366,13 +200608,6 @@ function registerAnnotationSearchTool(server) {
 init_logger();
 var AUDIT_CATEGORY = "audit-finding";
 function registerAuditTools(server) {
-  const config2 = sessionDataManager.getConfig();
-  if (!config2.enableAnnotationTools) {
-    logger.info(
-      "Audit tools are disabled (opt-in). Set ENABLE_ANNOTATION_TOOLS=true to enable audit_* and annotation_* tools."
-    );
-    return;
-  }
   registerAuditStoreFindingsTool(server);
   registerAuditListFindingsTool(server);
   registerAuditAddNotesTool(server);
@@ -200540,13 +200775,6 @@ function registerAuditClearRepoTool(server) {
 // src/tools/cache-tools.ts
 init_logger();
 function registerCacheTools(server) {
-  const config2 = sessionDataManager.getConfig();
-  if (!config2.enableAnnotationTools) {
-    logger.info(
-      "Cache tools are disabled (opt-in). Set ENABLE_ANNOTATION_TOOLS=true to enable query_results_cache_* tools."
-    );
-    return;
-  }
   registerQueryResultsCacheLookupTool(server);
   registerQueryResultsCacheRetrieveTool(server);
   registerQueryResultsCacheClearTool(server);
@@ -200736,26 +200964,25 @@ function registerQueryResultsCacheCompareTool(server) {
 import { readFileSync as readFileSync13 } from "fs";
 init_logger();
 function registerSarifTools(server) {
-  const config2 = sessionDataManager.getConfig();
-  if (!config2.enableAnnotationTools) {
-    logger.info(
-      "SARIF tools are disabled (opt-in). Set ENABLE_ANNOTATION_TOOLS=true to enable sarif_* tools."
-    );
-    return;
-  }
+  registerSarifCompareAlertsTool(server);
+  registerSarifDeduplicateRulesTool(server);
+  registerSarifDiffByCommitsTool(server);
+  registerSarifDiffRunsTool(server);
   registerSarifExtractRuleTool(server);
   registerSarifListRulesTool(server);
   registerSarifRuleToMarkdownTool(server);
-  registerSarifCompareAlertsTool(server);
-  registerSarifDiffRunsTool(server);
+  registerSarifStoreTool(server);
   logger.info("Registered SARIF analysis tools");
 }
-function loadSarif(sarifPath, cacheKey2) {
-  if (!sarifPath && !cacheKey2) {
-    return { error: "Either sarifPath or cacheKey is required." };
+function loadSarif(opts) {
+  const { cacheKey: cacheKey2, inlineContent, sarifPath } = opts;
+  if (!sarifPath && !cacheKey2 && !inlineContent) {
+    return { error: "No SARIF source provided." };
   }
   let content;
-  if (cacheKey2) {
+  if (inlineContent) {
+    content = inlineContent;
+  } else if (cacheKey2) {
     const store = sessionDataManager.getStore();
     const cached2 = store.getCacheContent(cacheKey2);
     if (!cached2) {
@@ -200799,7 +201026,7 @@ function registerSarifExtractRuleTool(server) {
       sarifPath: external_exports.string().optional().describe("Path to the SARIF file.")
     },
     async ({ sarifPath, cacheKey: cacheKey2, ruleId }) => {
-      const loaded = loadSarif(sarifPath, cacheKey2);
+      const loaded = loadSarif({ sarifPath, cacheKey: cacheKey2 });
       if (loaded.error) {
         return { content: [{ type: "text", text: loaded.error }] };
       }
@@ -200836,7 +201063,7 @@ function registerSarifListRulesTool(server) {
       sarifPath: external_exports.string().optional().describe("Path to the SARIF file.")
     },
     async ({ sarifPath, cacheKey: cacheKey2 }) => {
-      const loaded = loadSarif(sarifPath, cacheKey2);
+      const loaded = loadSarif({ sarifPath, cacheKey: cacheKey2 });
       if (loaded.error) {
         return { content: [{ type: "text", text: loaded.error }] };
       }
@@ -200864,7 +201091,7 @@ function registerSarifRuleToMarkdownTool(server) {
       sarifPath: external_exports.string().optional().describe("Path to the SARIF file.")
     },
     async ({ sarifPath, cacheKey: cacheKey2, ruleId }) => {
-      const loaded = loadSarif(sarifPath, cacheKey2);
+      const loaded = loadSarif({ sarifPath, cacheKey: cacheKey2 });
       if (loaded.error) {
         return { content: [{ type: "text", text: loaded.error }] };
       }
@@ -200895,18 +201122,18 @@ function registerSarifCompareAlertsTool(server) {
   });
   server.tool(
     "sarif_compare_alerts",
-    "Compare code locations of two SARIF alerts to detect overlap. Supports sink, source, any-location, and full-path comparison modes.",
+    "Compare code locations of two SARIF alerts to detect overlap. Supports sink, source, any-location, full-path, and fingerprint comparison modes.",
     {
       alertA: alertSpecSchema.describe("First alert to compare."),
       alertB: alertSpecSchema.describe("Second alert to compare."),
-      overlapMode: external_exports.enum(["sink", "source", "any-location", "full-path"]).optional().default("sink").describe('Comparison mode: "sink" (primary locations), "source" (first dataflow step), "any-location" (all locations), "full-path" (structural path similarity).')
+      overlapMode: external_exports.enum(["sink", "source", "any-location", "full-path", "fingerprint"]).optional().default("sink").describe('Comparison mode: "sink" (primary locations), "source" (first dataflow step), "any-location" (all locations), "full-path" (structural path similarity), "fingerprint" (partialFingerprints match, falls back to full-path).')
     },
     async ({ alertA, alertB, overlapMode }) => {
-      const loadedA = loadSarif(alertA.sarifPath, alertA.cacheKey);
+      const loadedA = loadSarif({ sarifPath: alertA.sarifPath, cacheKey: alertA.cacheKey });
       if (loadedA.error) {
         return { content: [{ type: "text", text: `Alert A: ${loadedA.error}` }] };
       }
-      const loadedB = loadSarif(alertB.sarifPath, alertB.cacheKey);
+      const loadedB = loadSarif({ sarifPath: alertB.sarifPath, cacheKey: alertB.cacheKey });
       if (loadedB.error) {
         return { content: [{ type: "text", text: `Alert B: ${loadedB.error}` }] };
       }
@@ -200945,6 +201172,12 @@ function registerSarifCompareAlertsTool(server) {
       if (overlap.pathSimilarity !== void 0) {
         response.pathSimilarity = overlap.pathSimilarity;
       }
+      if (overlap.fingerprintMatch !== void 0) {
+        response.fingerprintMatch = overlap.fingerprintMatch;
+      }
+      if (overlap.matchedFingerprints !== void 0) {
+        response.matchedFingerprints = overlap.matchedFingerprints;
+      }
       return {
         content: [{
           type: "text",
@@ -200954,6 +201187,81 @@ function registerSarifCompareAlertsTool(server) {
     }
   );
 }
+function parseGitDiffOutput(diffOutput) {
+  const files = [];
+  let currentFile = null;
+  for (const line of diffOutput.split(/\r?\n/)) {
+    if (line.startsWith("+++ b/")) {
+      if (currentFile) files.push(currentFile);
+      currentFile = { hunks: [], path: line.substring(6) };
+      continue;
+    }
+    if (currentFile && line.startsWith("@@")) {
+      const match = line.match(/@@ [^ ]+ \+(\d+)(?:,(\d+))? @@/);
+      if (match) {
+        currentFile.hunksParsed = true;
+        const startLine = parseInt(match[1], 10);
+        const lineCount = match[2] !== void 0 ? parseInt(match[2], 10) : 1;
+        if (lineCount > 0) {
+          currentFile.hunks.push({ startLine, lineCount });
+        }
+      }
+    }
+  }
+  if (currentFile) files.push(currentFile);
+  return files;
+}
+function registerSarifDiffByCommitsTool(server) {
+  server.tool(
+    "sarif_diff_by_commits",
+    'Correlate SARIF results with a git diff to classify findings as "new" (introduced in the diff) or "pre-existing". Accepts a SARIF file and a git ref range (e.g. "main..HEAD"). Supports file-level or line-level granularity.',
+    {
+      cacheKey: external_exports.string().optional().describe("Cache key to read SARIF from (alternative to sarifPath)."),
+      granularity: external_exports.enum(["file", "line"]).optional().default("file").describe('Matching granularity: "file" classifies any result in a changed file as new; "line" additionally checks that the result line falls within a changed hunk. Default: "file".'),
+      refRange: external_exports.string().describe('Git ref range for the diff (e.g. "main..HEAD", "abc123..def456"). Passed directly to `git diff`.'),
+      repoPath: external_exports.string().optional().describe("Path to the git repository. Defaults to the current working directory."),
+      sarifPath: external_exports.string().optional().describe("Path to the SARIF file.")
+    },
+    async ({ sarifPath, cacheKey: cacheKey2, refRange, repoPath, granularity }) => {
+      if (/^\s*-/.test(refRange) || /\s/.test(refRange)) {
+        return {
+          content: [{
+            type: "text",
+            text: 'Invalid refRange: must not start with "-" or contain whitespace.'
+          }]
+        };
+      }
+      const loaded = loadSarif({ sarifPath, cacheKey: cacheKey2 });
+      if (loaded.error) {
+        return { content: [{ type: "text", text: loaded.error }] };
+      }
+      const { executeCLICommand: executeCLICommand2 } = await Promise.resolve().then(() => (init_cli_executor(), cli_executor_exports));
+      const gitArgs = ["diff", "--unified=0", "--diff-filter=ACMR", "--no-color", refRange];
+      const gitResult = await executeCLICommand2({
+        args: gitArgs,
+        command: "git",
+        cwd: repoPath
+      });
+      if (!gitResult.success) {
+        return {
+          content: [{
+            type: "text",
+            text: `git diff failed: ${gitResult.error ?? gitResult.stderr}`
+          }]
+        };
+      }
+      const diffFiles = parseGitDiffOutput(gitResult.stdout);
+      const g = granularity;
+      const result = diffSarifByCommits(loaded.sarif, diffFiles, refRange, g);
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify(result, null, 2)
+        }]
+      };
+    }
+  );
+}
 function registerSarifDiffRunsTool(server) {
   server.tool(
     "sarif_diff_runs",
@@ -200967,11 +201275,11 @@ function registerSarifDiffRunsTool(server) {
       sarifPathB: external_exports.string().optional().describe("Path to the second (comparison) SARIF file.")
     },
     async ({ sarifPathA, sarifPathB, cacheKeyA, cacheKeyB, labelA, labelB }) => {
-      const loadedA = loadSarif(sarifPathA, cacheKeyA);
+      const loadedA = loadSarif({ sarifPath: sarifPathA, cacheKey: cacheKeyA });
       if (loadedA.error) {
         return { content: [{ type: "text", text: `Run A: ${loadedA.error}` }] };
       }
-      const loadedB = loadSarif(sarifPathB, cacheKeyB);
+      const loadedB = loadSarif({ sarifPath: sarifPathB, cacheKey: cacheKeyB });
       if (loadedB.error) {
         return { content: [{ type: "text", text: `Run B: ${loadedB.error}` }] };
       }
@@ -200989,6 +201297,165 @@ function registerSarifDiffRunsTool(server) {
     }
   );
 }
+function registerSarifStoreTool(server) {
+  server.tool(
+    "sarif_store",
+    "Store SARIF content in the session cache for use by other sarif_* tools. Returns a cache key that can be passed to sarifPath/cacheKey parameters of other tools.",
+    {
+      label: external_exports.string().optional().describe('Human-readable label for this SARIF (e.g. "dubbo-java-2025-03").'),
+      sarifContent: external_exports.string().optional().describe("SARIF JSON content as a string (alternative to sarifPath)."),
+      sarifPath: external_exports.string().optional().describe("Path to a SARIF file on disk.")
+    },
+    async ({ sarifContent, sarifPath, label }) => {
+      if (!sarifContent && !sarifPath) {
+        return { content: [{ type: "text", text: "Either sarifContent or sarifPath is required." }] };
+      }
+      let content;
+      if (sarifPath) {
+        try {
+          content = readFileSync13(sarifPath, "utf8");
+        } catch {
+          return { content: [{ type: "text", text: `Failed to read SARIF file: ${sarifPath}` }] };
+        }
+      } else {
+        content = sarifContent;
+      }
+      const loaded = loadSarif({ inlineContent: content });
+      if (loaded.error) {
+        return { content: [{ type: "text", text: loaded.error }] };
+      }
+      const { createHash: createHash3 } = await import("crypto");
+      const hash = createHash3("sha256").update(content).digest("hex").slice(0, 16);
+      const cacheKey2 = `sarif-store-${hash}`;
+      const sarif = loaded.sarif;
+      const resultCount = sarif.runs[0]?.results?.length ?? 0;
+      const ruleCount = sarif.runs[0]?.tool.driver.rules?.length ?? 0;
+      const toolName = sarif.runs[0]?.tool.driver.name ?? "unknown";
+      const store = sessionDataManager.getStore();
+      store.putCacheEntry({
+        cacheKey: cacheKey2,
+        codeqlVersion: sarif.runs[0]?.tool.driver.version ?? "unknown",
+        databasePath: sarifPath ?? "inline",
+        language: "sarif",
+        outputFormat: "sarif",
+        queryName: "sarif_store",
+        queryPath: sarifPath ?? "inline",
+        resultContent: content,
+        resultCount
+      });
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            cacheKey: cacheKey2,
+            label: label ?? null,
+            resultCount,
+            ruleCount,
+            source: sarifPath ? "file" : "inline",
+            toolName
+          }, null, 2)
+        }]
+      };
+    }
+  );
+}
+function registerSarifDeduplicateRulesTool(server) {
+  server.tool(
+    "sarif_deduplicate_rules",
+    "Identify duplicate alerts across two SARIF files by comparing rules pairwise. Uses fingerprint matching first, then full-path location overlap as fallback. Useful for cleanup after query changes or pack upgrades.",
+    {
+      cacheKeyA: external_exports.string().optional().describe("Cache key for the first SARIF."),
+      cacheKeyB: external_exports.string().optional().describe("Cache key for the second SARIF."),
+      overlapThreshold: external_exports.number().min(0).max(1).optional().default(0.8).describe("Minimum overlap score (0-1) to consider a rule pair as duplicates. Default: 0.8."),
+      sarifPathA: external_exports.string().optional().describe("Path to the first SARIF file."),
+      sarifPathB: external_exports.string().optional().describe("Path to the second SARIF file.")
+    },
+    async ({ sarifPathA, sarifPathB, cacheKeyA, cacheKeyB, overlapThreshold }) => {
+      const loadedA = loadSarif({ sarifPath: sarifPathA, cacheKey: cacheKeyA });
+      if (loadedA.error) {
+        return { content: [{ type: "text", text: `SARIF A: ${loadedA.error}` }] };
+      }
+      const loadedB = loadSarif({ sarifPath: sarifPathB, cacheKey: cacheKeyB });
+      if (loadedB.error) {
+        return { content: [{ type: "text", text: `SARIF B: ${loadedB.error}` }] };
+      }
+      const rulesA = listSarifRules(loadedA.sarif);
+      const rulesB = listSarifRules(loadedB.sarif);
+      const duplicateGroups = [];
+      const ruleDataA = /* @__PURE__ */ new Map();
+      for (const rA of rulesA) {
+        if (rA.resultCount === 0) continue;
+        const extracted = extractRuleFromSarif(loadedA.sarif, rA.ruleId);
+        ruleDataA.set(rA.ruleId, {
+          results: extracted.runs[0]?.results ?? [],
+          ruleObj: extracted.runs[0]?.tool.driver.rules?.[0] ?? { id: rA.ruleId }
+        });
+      }
+      const ruleDataB = /* @__PURE__ */ new Map();
+      for (const rB of rulesB) {
+        if (rB.resultCount === 0) continue;
+        const extracted = extractRuleFromSarif(loadedB.sarif, rB.ruleId);
+        ruleDataB.set(rB.ruleId, {
+          results: extracted.runs[0]?.results ?? [],
+          ruleObj: extracted.runs[0]?.tool.driver.rules?.[0] ?? { id: rB.ruleId }
+        });
+      }
+      for (const rA of rulesA) {
+        const dataA = ruleDataA.get(rA.ruleId);
+        if (!dataA) continue;
+        for (const rB of rulesB) {
+          const dataB = ruleDataB.get(rB.ruleId);
+          if (!dataB) continue;
+          const { results: resultsA, ruleObj: ruleObjA } = dataA;
+          const { results: resultsB, ruleObj: ruleObjB } = dataB;
+          const overlaps = findOverlappingAlerts(resultsA, ruleObjA, resultsB, ruleObjB, "full-path");
+          const matchedAIndices = /* @__PURE__ */ new Set();
+          for (let ai = 0; ai < resultsA.length; ai++) {
+            for (const rResultB of resultsB) {
+              const fpResult = computeFingerprintOverlap(resultsA[ai], rResultB);
+              if (fpResult.fingerprintMatch) {
+                matchedAIndices.add(ai);
+                break;
+              }
+            }
+          }
+          const matchedAlerts = Math.max(overlaps.length, matchedAIndices.size);
+          const minResults = Math.min(resultsA.length, resultsB.length);
+          const cappedMatched = Math.min(matchedAlerts, minResults);
+          const totalUnique = resultsA.length + resultsB.length - cappedMatched;
+          const overlapScore = totalUnique > 0 ? cappedMatched / totalUnique : 0;
+          if (overlapScore >= (overlapThreshold ?? 0.8)) {
+            duplicateGroups.push({
+              matchedAlerts: cappedMatched,
+              overlapScore: Math.round(overlapScore * 1e3) / 1e3,
+              ruleIdA: rA.ruleId,
+              ruleIdB: rB.ruleId,
+              totalA: resultsA.length,
+              totalB: resultsB.length,
+              unmatchedA: Math.max(0, resultsA.length - cappedMatched),
+              unmatchedB: Math.max(0, resultsB.length - cappedMatched)
+            });
+          }
+        }
+      }
+      duplicateGroups.sort((a, b) => b.overlapScore - a.overlapScore);
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            duplicateGroups,
+            summary: {
+              duplicatePairsFound: duplicateGroups.length,
+              overlapThreshold: overlapThreshold ?? 0.8,
+              totalRulesA: rulesA.length,
+              totalRulesB: rulesB.length
+            }
+          }, null, 2)
+        }]
+      };
+    }
+  );
+}
 
 // src/lib/tool-validation.ts
 function formatAllValidationErrors(error2) {
@@ -201057,7 +201524,7 @@ init_package_paths();
 init_logger();
 import_dotenv.default.config({ path: resolve14(packageRootDir, ".env"), quiet: true });
 var PACKAGE_NAME = "codeql-development-mcp-server";
-var VERSION = "2.25.1-next.3";
+var VERSION = "2.25.2-next.1";
 async function startServer(mode = "stdio") {
   logger.info(`Starting CodeQL Development MCP McpServer v${VERSION} in ${mode} mode`);
   const codeqlBinary = resolveCodeQLBinary();