fix: address automated review feedback — error message, fingerprint response, dedup perf, changelog links

1. loadSarif error message updated to source-agnostic "No SARIF source provided"
2. sarif_compare_alerts response now includes fingerprintMatch/matchedFingerprints in fingerprint mode
3. sarif_deduplicate_rules precomputes per-rule extracted results before pairwise loop
4. CHANGELOG entries corrected: partialFingerprints → fingerprint, added PR #234 links

Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/85233122-a70c-49a6-a247-fb01f4da6946

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

Author: Copilot

CHANGELOG.md

@@ -20,7 +20,7 @@ _Changes on `main` since the latest tagged release that have not yet been includ
 
 - **Annotation, audit, cache, and SARIF tools are now always enabled** — Removed the `ENABLE_ANNOTATION_TOOLS` opt-in gate; all annotation, audit, query result cache, and SARIF analysis tools are registered by default. The `ENABLE_ANNOTATION_TOOLS` environment variable no longer controls tool availability; when set to `false`, it only disables the related auto-caching behaviour in result processing. ([#223](https://github.com/advanced-security/codeql-development-mcp-server/pull/223))
 - **Go-based `ql-mcp-client` rewrite** — Replaced the Node.js `ql-mcp-client.js` integration test runner with a Go CLI (`gh-ql-mcp-client`) built with Cobra and `mcp-go`. Adds `list tools/prompts/resources` commands and assertion-based integration test validation. ([#223](https://github.com/advanced-security/codeql-development-mcp-server/pull/223))
-- **Code Scanning lifecycle management** — Added `code-scanning list-analyses`, `list-alerts`, and `download-analysis` subcommands to `gh-ql-mcp-client` with GitHub REST API integration via `go-gh`. Added `sarif` parent subcommand for SARIF delegation workflows. Enhanced SARIF tools with `sarif_store` (session cache ingest), `sarif_deduplicate_rules` (cross-file rule deduplication), and `partialFingerprints` overlap mode with automatic fallback.
+- **Code Scanning lifecycle management** — Added `code-scanning list-analyses`, `list-alerts`, and `download-analysis` subcommands to `gh-ql-mcp-client` with GitHub REST API integration via `go-gh`. Added `sarif` parent subcommand for SARIF delegation workflows. Enhanced SARIF tools with `sarif_store` (session cache ingest), `sarif_deduplicate_rules` (cross-file rule deduplication), and `fingerprint` overlap mode with automatic fallback. ([#234](https://github.com/advanced-security/codeql-development-mcp-server/pull/234))
 - **Persistent MRVA workflow state and caching** — Introduced a new `SqliteStore` backend plus annotation, audit, and query result cache tools to support the next phase of MCP-assisted CodeQL development and `seclab-taskflow-agent` integration. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))
 - **Rust language support** — Added first-class Rust support with `PrintAST`, `PrintCFG`, `CallGraphFrom`, `CallGraphTo`, and `CallGraphFromTo` queries, bringing the total supported languages to 10. ([#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
 - **Bug fixes and design improvements from recent evaluation sessions** — Fixed 5 bugs across `bqrs_interpret`, `bqrs_info`, `annotation_search`, `audit_add_notes`, and `query_results_cache_compare`; added `database_analyze` auto-caching and per-database mutex serialization; auto-enabled annotation tools in VS Code extension. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199))
@@ -30,13 +30,13 @@ _Changes on `main` since the latest tagged release that have not yet been includ
 
 #### MCP Server Tools
 
-| Tool                                                                                                                     | Description                                                                                                                                                                                                                                     |
-| ------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `annotation_create`, `annotation_get`, `annotation_list`, `annotation_update`, `annotation_delete`, `annotation_search`  | General-purpose annotation tools for creating, managing, and searching notes and bookmarks on analysis entities. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                          |
-| `audit_store_findings`, `audit_list_findings`, `audit_add_notes`, `audit_clear_repo`                                     | Repo-keyed audit tools for MRVA finding management and triage workflows. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                                                                  |
-| `query_results_cache_lookup`, `query_results_cache_retrieve`, `query_results_cache_clear`, `query_results_cache_compare` | Query result cache tools for lookup, subset retrieval, cache clearing, and cross-database comparison. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                                     |
-| `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `sarif_compare_alerts`, `sarif_diff_runs`            | SARIF analysis tools for rule discovery, per-rule extraction, Mermaid dataflow visualization, alert overlap comparison, and cross-run behavioral diffing. ([#204](https://github.com/advanced-security/codeql-development-mcp-server/pull/204)) |
-| `sarif_store`, `sarif_deduplicate_rules`                                                                                 | SARIF session cache ingest and cross-file rule deduplication tools. `sarif_compare_alerts` enhanced with `partialFingerprints` overlap mode with automatic fallback to full-path comparison.                                                    |
+| Tool                                                                                                                     | Description                                                                                                                                                                                                                                                                |
+| ------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `annotation_create`, `annotation_get`, `annotation_list`, `annotation_update`, `annotation_delete`, `annotation_search`  | General-purpose annotation tools for creating, managing, and searching notes and bookmarks on analysis entities. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                                                     |
+| `audit_store_findings`, `audit_list_findings`, `audit_add_notes`, `audit_clear_repo`                                     | Repo-keyed audit tools for MRVA finding management and triage workflows. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                                                                                             |
+| `query_results_cache_lookup`, `query_results_cache_retrieve`, `query_results_cache_clear`, `query_results_cache_compare` | Query result cache tools for lookup, subset retrieval, cache clearing, and cross-database comparison. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))                                                                                |
+| `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `sarif_compare_alerts`, `sarif_diff_runs`            | SARIF analysis tools for rule discovery, per-rule extraction, Mermaid dataflow visualization, alert overlap comparison, and cross-run behavioral diffing. ([#204](https://github.com/advanced-security/codeql-development-mcp-server/pull/204))                            |
+| `sarif_store`, `sarif_deduplicate_rules`                                                                                 | SARIF session cache ingest and cross-file rule deduplication tools. `sarif_compare_alerts` enhanced with `fingerprint` overlap mode with automatic fallback to full-path comparison. ([#234](https://github.com/advanced-security/codeql-development-mcp-server/pull/234)) |
 
 #### MCP Server Resources
 
@@ -60,8 +60,8 @@ _Changes on `main` since the latest tagged release that have not yet been includ
 
 - Added Rust coverage to CI and release workflows, including query unit tests and VSIX bundling. ([#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
 - Added client integration tests for the new Rust queries and for the annotation, audit, and cache tool suites, including an MRVA triage workflow end-to-end test. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169), [#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
-- Added `code-scanning` and `sarif` subcommand groups to `gh-ql-mcp-client` with GitHub REST API client integration via `go-gh` for Code Scanning alert lifecycle management.
-- Added `gh` extension packaging support with cross-compilation targets for `darwin/amd64`, `darwin/arm64`, `linux/amd64`, `linux/arm64`, `windows/amd64`.
+- Added `code-scanning` and `sarif` subcommand groups to `gh-ql-mcp-client` with GitHub REST API client integration via `go-gh` for Code Scanning alert lifecycle management. ([#234](https://github.com/advanced-security/codeql-development-mcp-server/pull/234))
+- Added `gh` extension packaging support with cross-compilation targets for `darwin/amd64`, `darwin/arm64`, `linux/amd64`, `linux/arm64`, `windows/amd64`. ([#234](https://github.com/advanced-security/codeql-development-mcp-server/pull/234))
 
 ### Changed
 

server/dist/codeql-development-mcp-server.js

@@ -200435,7 +200435,7 @@ function registerSarifTools(server) {
 function loadSarif(opts) {
   const { cacheKey: cacheKey2, inlineContent, sarifPath } = opts;
   if (!sarifPath && !cacheKey2 && !inlineContent) {
-    return { error: "Either sarifPath or cacheKey is required." };
+    return { error: "No SARIF source provided." };
   }
   let content;
   if (inlineContent) {
@@ -200630,6 +200630,12 @@ function registerSarifCompareAlertsTool(server) {
       if (overlap.pathSimilarity !== void 0) {
         response.pathSimilarity = overlap.pathSimilarity;
       }
+      if (overlap.fingerprintMatch !== void 0) {
+        response.fingerprintMatch = overlap.fingerprintMatch;
+      }
+      if (overlap.matchedFingerprints !== void 0) {
+        response.matchedFingerprints = overlap.matchedFingerprints;
+      }
       return {
         content: [{
           type: "text",
@@ -200759,15 +200765,32 @@ function registerSarifDeduplicateRulesTool(server) {
       const rulesA = listSarifRules(loadedA.sarif);
       const rulesB = listSarifRules(loadedB.sarif);
       const duplicateGroups = [];
+      const ruleDataA = /* @__PURE__ */ new Map();
+      for (const rA of rulesA) {
+        if (rA.resultCount === 0) continue;
+        const extracted = extractRuleFromSarif(loadedA.sarif, rA.ruleId);
+        ruleDataA.set(rA.ruleId, {
+          results: extracted.runs[0]?.results ?? [],
+          ruleObj: extracted.runs[0]?.tool.driver.rules?.[0] ?? { id: rA.ruleId }
+        });
+      }
+      const ruleDataB = /* @__PURE__ */ new Map();
+      for (const rB of rulesB) {
+        if (rB.resultCount === 0) continue;
+        const extracted = extractRuleFromSarif(loadedB.sarif, rB.ruleId);
+        ruleDataB.set(rB.ruleId, {
+          results: extracted.runs[0]?.results ?? [],
+          ruleObj: extracted.runs[0]?.tool.driver.rules?.[0] ?? { id: rB.ruleId }
+        });
+      }
       for (const rA of rulesA) {
+        const dataA = ruleDataA.get(rA.ruleId);
+        if (!dataA) continue;
         for (const rB of rulesB) {
-          if (rA.resultCount === 0 || rB.resultCount === 0) continue;
-          const extractedA = extractRuleFromSarif(loadedA.sarif, rA.ruleId);
-          const extractedB = extractRuleFromSarif(loadedB.sarif, rB.ruleId);
-          const resultsA = extractedA.runs[0]?.results ?? [];
-          const resultsB = extractedB.runs[0]?.results ?? [];
-          const ruleObjA = extractedA.runs[0]?.tool.driver.rules?.[0] ?? { id: rA.ruleId };
-          const ruleObjB = extractedB.runs[0]?.tool.driver.rules?.[0] ?? { id: rB.ruleId };
+          const dataB = ruleDataB.get(rB.ruleId);
+          if (!dataB) continue;
+          const { results: resultsA, ruleObj: ruleObjA } = dataA;
+          const { results: resultsB, ruleObj: ruleObjB } = dataB;
           const overlaps = findOverlappingAlerts(resultsA, ruleObjA, resultsB, ruleObjB, "full-path");
           const matchedAIndices = /* @__PURE__ */ new Set();
           for (let ai = 0; ai < resultsA.length; ai++) {

server/dist/codeql-development-mcp-server.js.map

@@ -18,6 +18,7 @@ import {
   sarifRuleToMarkdown,
 } from '../lib/sarif-utils';
 import { sessionDataManager } from '../lib/session-data-manager';
+import type { SarifResult, SarifRule } from '../types/sarif';
 import type { SarifDocument } from '../types/sarif';
 import { logger } from '../utils/logger';
 
@@ -56,7 +57,7 @@ function loadSarif(
   const { cacheKey, inlineContent, sarifPath } = opts;
 
   if (!sarifPath && !cacheKey && !inlineContent) {
-    return { error: 'Either sarifPath or cacheKey is required.' };
+    return { error: 'No SARIF source provided.' };
   }
 
   let content: string;
@@ -298,6 +299,12 @@ function registerSarifCompareAlertsTool(server: McpServer): void {
       if (overlap.pathSimilarity !== undefined) {
         response.pathSimilarity = overlap.pathSimilarity;
       }
+      if (overlap.fingerprintMatch !== undefined) {
+        response.fingerprintMatch = overlap.fingerprintMatch;
+      }
+      if (overlap.matchedFingerprints !== undefined) {
+        response.matchedFingerprints = overlap.matchedFingerprints;
+      }
 
       return {
         content: [{
@@ -468,17 +475,40 @@ function registerSarifDeduplicateRulesTool(server: McpServer): void {
         unmatchedB: number;
       }> = [];
 
+      // Precompute per-rule extracted results to avoid redundant filtering in the pairwise loop
+      type RuleData = {
+        results: SarifResult[];
+        ruleObj: SarifRule | { id: string };
+      };
+      const ruleDataA = new Map<string, RuleData>();
+      for (const rA of rulesA) {
+        if (rA.resultCount === 0) continue;
+        const extracted = extractRuleFromSarif(loadedA.sarif!, rA.ruleId);
+        ruleDataA.set(rA.ruleId, {
+          results: extracted.runs[0]?.results ?? [],
+          ruleObj: extracted.runs[0]?.tool.driver.rules?.[0] ?? { id: rA.ruleId },
+        });
+      }
+      const ruleDataB = new Map<string, RuleData>();
+      for (const rB of rulesB) {
+        if (rB.resultCount === 0) continue;
+        const extracted = extractRuleFromSarif(loadedB.sarif!, rB.ruleId);
+        ruleDataB.set(rB.ruleId, {
+          results: extracted.runs[0]?.results ?? [],
+          ruleObj: extracted.runs[0]?.tool.driver.rules?.[0] ?? { id: rB.ruleId },
+        });
+      }
+
       // Compare each rule in A against each rule in B
       for (const rA of rulesA) {
+        const dataA = ruleDataA.get(rA.ruleId);
+        if (!dataA) continue;
         for (const rB of rulesB) {
-          if (rA.resultCount === 0 || rB.resultCount === 0) continue;
-
-          const extractedA = extractRuleFromSarif(loadedA.sarif!, rA.ruleId);
-          const extractedB = extractRuleFromSarif(loadedB.sarif!, rB.ruleId);
-          const resultsA = extractedA.runs[0]?.results ?? [];
-          const resultsB = extractedB.runs[0]?.results ?? [];
-          const ruleObjA = extractedA.runs[0]?.tool.driver.rules?.[0] ?? { id: rA.ruleId };
-          const ruleObjB = extractedB.runs[0]?.tool.driver.rules?.[0] ?? { id: rB.ruleId };
+          const dataB = ruleDataB.get(rB.ruleId);
+          if (!dataB) continue;
+
+          const { results: resultsA, ruleObj: ruleObjA } = dataA;
+          const { results: resultsB, ruleObj: ruleObjB } = dataB;
 
           // Full-path location overlap
           const overlaps = findOverlappingAlerts(resultsA, ruleObjA, resultsB, ruleObjB, 'full-path');

server/src/tools/sarif-tools.ts

@@ -189,7 +189,7 @@ describe('SARIF Tools', () => {
 
       it('should return error when no sarifPath or cacheKey provided', async () => {
         const result = await handlers.sarif_extract_rule({ ruleId: 'js/sql-injection' });
-        expect(result.content[0].text).toContain('Either sarifPath or cacheKey is required');
+        expect(result.content[0].text).toContain('No SARIF source provided');
       });
 
       it('should return error for invalid file path', async () => {
@@ -344,7 +344,7 @@ describe('SARIF Tools', () => {
         const result = await handlers.sarif_diff_runs({
           sarifPathB: testSarifPath,
         });
-        expect(result.content[0].text).toContain('Either sarifPath or cacheKey is required');
+        expect(result.content[0].text).toContain('No SARIF source provided');
       });
     });
 
@@ -500,7 +500,7 @@ describe('SARIF Tools', () => {
         const result = await handlers.sarif_deduplicate_rules({
           sarifPathB: testSarifPath,
         });
-        expect(result.content[0].text).toContain('Either sarifPath or cacheKey is required');
+        expect(result.content[0].text).toContain('No SARIF source provided');
       });
     });
   });