Cleanup OS tmp dir client integration tests

Author: data-douser

.github/agents/ql-mcp-tool-tester.md

@@ -25,6 +25,7 @@ My `ql-mcp-tool-tester` agent:
 - NEVER makes anything up about CodeQL CLI behavior or MCP protocol.
 - NEVER modifies the MCP server or client code; focuses solely on testing and validating the tools/primitives.
 - NEVER "pipes" or redirects `npm test` or `npm run test*` command outputs in any way. Just observe the raw output and use exit codes to determine success/failure.
+- **NEVER uses `os.tmpdir()`, `/tmp`, or any OS-level temporary directory** in test code, fixtures, or tool invocations. The OS temp directory is world-readable and triggers CWE-377/CWE-378 vulnerabilities. All temporary files MUST use the project-local `<repoRoot>/.tmp/` directory. In integration test fixtures the `{{tmpdir}}` placeholder resolves to this project-local directory at runtime — it does NOT resolve to the OS temp directory.
 
 ## Related Skills
 

.github/instructions/server_test_ts.instructions.md

@@ -35,3 +35,4 @@ This file contains instructions for working with TypeScript test files in the `s
 - NEVER write tests that depend on external resources or network calls without proper mocking.
 - NEVER write overly complex tests that test multiple concerns in a single test case.
 - NEVER skip writing tests for new functionality or bug fixes.
+- **NEVER use `os.tmpdir()`, `/tmp`, or any OS-level temporary directory** in test code or test fixtures. The OS temp directory is world-readable and triggers CWE-377/CWE-378 vulnerabilities. Instead, ALWAYS use the project-local `.tmp/` directory via `getProjectTmpDir()`, `createProjectTempDir()`, or `getProjectTmpBase()` from `server/src/utils/temp-dir.ts`. For integration test fixtures, use the `{{tmpdir}}` placeholder which resolves at runtime to `<repoRoot>/.tmp/`.

client/integration-tests/README.md

@@ -38,15 +38,15 @@ Common mistakes to avoid:
 - ❌ **DO NOT** commit files like `evaluator-log.json`, `query-results.bqrs`, `*.bqrs` files to the repository root
 - ❌ **DO NOT** commit temporary files created during integration test development to the repository root
 - ✅ **DO** place all test output files in the appropriate `client/integration-tests/primitives/tools/<tool_name>/<test_name>/after/` directory
-- ✅ **DO** use `/tmp/` paths for temporary files during development and testing
+- ✅ **DO** use `{{tmpdir}}` as a placeholder for the project-local temporary directory in test fixture paths (resolved at runtime to `<repoRoot>/.tmp/`)
 
 **File generation best practices:**
 
 1. **Generate test files correctly**: When creating integration tests that involve file generation (e.g., BQRS files, evaluator logs):
    - Run the actual tool command to generate authentic files
    - Copy the generated files from their temporary location to the correct `after/` directory
    - Never fabricate or "make up" binary file contents
-2. **Use proper paths**: Always use absolute paths or `/tmp/` paths when running commands that generate files during development
+2. **Use proper paths**: Always use `{{tmpdir}}/` as a placeholder for the project-local temp directory in test fixture JSON files (e.g., `"output": "{{tmpdir}}/results.sarif"`). This resolves at runtime to `<repoRoot>/.tmp/`, **not** the OS temp directory, to avoid CWE-377/CWE-378 (world-readable temp files).
 3. **Verify placement**: Before committing, verify that generated files are in the correct `after/` directory, not in the repository root
 
 The `.gitignore` file has been updated to help prevent accidental commits of common integration test output files in the root directory.

client/integration-tests/primitives/tools/codeql_database_analyze/analyze_javascript_database/before/monitoring-state.json

@@ -4,6 +4,6 @@
     "database": "server/ql/javascript/examples/test/ExampleQuery1/ExampleQuery1.testproj",
     "queries": "server/ql/javascript/examples/src/ExampleQuery1/ExampleQuery1.ql",
     "format": "sarif-latest",
-    "output": "/tmp/integration-test-analyze-results.sarif"
+    "output": "{{tmpdir}}/integration-test-analyze-results.sarif"
   }
 }

client/integration-tests/primitives/tools/codeql_database_create/create_javascript_database/before/monitoring-state.json

@@ -1,7 +1,7 @@
 {
   "sessions": [],
   "parameters": {
-    "database": "/tmp/codeql-integration-test-db",
+    "database": "{{tmpdir}}/codeql-integration-test-db",
     "language": "javascript",
     "source-root": "server/ql/javascript/examples/test/ExampleQuery1",
     "overwrite": true

client/integration-tests/primitives/tools/codeql_query_run/evaluator_logging_with_tuple_counting/after/monitoring-state.json

@@ -10,17 +10,17 @@
           "arguments": {
             "query": "client/integration-tests/static/javascript/src/ExampleQuery1/ExampleQuery1.ql",
             "database": "client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.testproj",
-            "output": "/tmp/test-query-results.bqrs",
-            "evaluator-log": "/tmp/test-evaluator-log.json",
+            "output": "{{tmpdir}}/test-query-results.bqrs",
+            "evaluator-log": "{{tmpdir}}/test-evaluator-log.json",
             "evaluator-log-level": 5,
             "tuple-counting": true
           },
           "response": {
             "stdout": "Evaluation completed successfully",
             "stderr": "WARNING: Ignoring local version because local version support is off.",
             "filesGenerated": [
-              "/tmp/test-query-results.bqrs",
-              "/tmp/test-evaluator-log.json"
+              "{{tmpdir}}/test-query-results.bqrs",
+              "{{tmpdir}}/test-evaluator-log.json"
             ]
           }
         }

client/integration-tests/primitives/tools/codeql_query_run/evaluator_logging_with_tuple_counting/test-config.json

@@ -3,8 +3,8 @@
   "arguments": {
     "query": "client/integration-tests/static/javascript/src/ExampleQuery1/ExampleQuery1.ql",
     "database": "client/integration-tests/static/javascript/test/ExampleQuery1/ExampleQuery1.testproj",
-    "output": "/tmp/test-query-results.bqrs",
-    "evaluator-log": "/tmp/test-evaluator-log.json",
+    "output": "{{tmpdir}}/test-query-results.bqrs",
+    "evaluator-log": "{{tmpdir}}/test-evaluator-log.json",
     "evaluator-log-level": 5,
     "tuple-counting": true
   }

client/integration-tests/primitives/tools/create_codeql_query/create_javascript_query/before/monitoring-state.json

@@ -1,7 +1,7 @@
 {
   "sessions": [],
   "parameters": {
-    "basePath": "/tmp/codeql-test-query",
+    "basePath": "{{tmpdir}}/codeql-test-query",
     "queryName": "TestQuery",
     "language": "javascript",
     "description": "Integration test query"

client/src/lib/integration-test-runner.js

@@ -3,7 +3,6 @@
  */
 
 import fs from "fs";
-import os from "os";
 import path from "path";
 import { fileURLToPath } from "url";
 import {
@@ -13,6 +12,44 @@ import {
   removeDirectory
 } from "./file-utils.js";
 
+/**
+ * Repository root, calculated once at module load.
+ * Mirrors `server/src/utils/temp-dir.ts`.
+ */
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const repoRoot = path.resolve(__dirname, "..", "..", "..");
+
+/**
+ * Project-local temporary directory (`<repoRoot>/.tmp`).
+ * All temporary files are kept here instead of the OS temp directory
+ * to avoid CWE-377/CWE-378 (world-readable temp files).
+ */
+const PROJECT_TMP_BASE = path.join(repoRoot, ".tmp");
+
+/**
+ * Resolve `{{tmpdir}}` placeholders in string values of a parameters object.
+ * Test fixtures use `{{tmpdir}}` as a cross-platform placeholder for the
+ * project-local temporary directory (`<repoRoot>/.tmp`), which avoids
+ * writing to the world-readable OS temp directory (CWE-377 / CWE-378).
+ *
+ * @param {Record<string, unknown>} params - Tool parameters object (mutated in place)
+ * @param {object} [logger] - Optional logger for diagnostics
+ * @returns {Record<string, unknown>} The same object, with placeholders resolved
+ */
+export function resolvePathPlaceholders(params, logger) {
+  fs.mkdirSync(PROJECT_TMP_BASE, { recursive: true });
+  for (const [key, value] of Object.entries(params)) {
+    if (typeof value === "string" && value.includes("{{tmpdir}}")) {
+      params[key] = value.replace(/\{\{tmpdir\}\}/g, PROJECT_TMP_BASE);
+      if (logger) {
+        logger.log(`  Resolved ${key}: {{tmpdir}} → ${params[key]}`);
+      }
+    }
+  }
+  return params;
+}
+
 /**
  * Integration test runner class
  */
@@ -208,8 +245,11 @@ export class IntegrationTestRunner {
         return;
       }
 
-      // Create temp directory for test execution
-      const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), `mcp-test-${toolName}-${testCase}-`));
+      // Create temp directory for test execution under project .tmp/
+      fs.mkdirSync(PROJECT_TMP_BASE, { recursive: true });
+      const tempDir = fs.mkdtempSync(
+        path.join(PROJECT_TMP_BASE, `mcp-test-${toolName}-${testCase}-`)
+      );
 
       try {
         // Copy before files to temp directory
@@ -414,7 +454,10 @@ export class IntegrationTestRunner {
    * Run a file-based test with custom configuration
    */
   async runFileBasedConfigurableTest(toolName, testCase, testConfig, beforeDir, afterDir) {
-    const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), `mcp-test-${toolName}-${testCase}-`));
+    fs.mkdirSync(PROJECT_TMP_BASE, { recursive: true });
+    const tempDir = fs.mkdtempSync(
+      path.join(PROJECT_TMP_BASE, `mcp-test-${toolName}-${testCase}-`)
+    );
 
     try {
       // Copy before files to temp directory
@@ -630,6 +673,7 @@ export class IntegrationTestRunner {
         if (monitoringState.parameters) {
           params = monitoringState.parameters;
           this.logger.log(`Using parameters from monitoring-state.json`);
+          resolvePathPlaceholders(params, this.logger);
 
           // Helper function to ensure database is extracted
           const ensureDatabaseExtracted = async (dbPath) => {