Address PR #153 review comments

- resolvePromptFilePath: only enforce workspace-root boundary for
  relative path inputs; absolute paths pass through since users
  legitimately reference databases/queries outside the workspace
- download-vscode.js: use fileURLToPath() instead of URL.pathname
  for cross-platform compatibility
- integration-test-runner.js: track execution counts separately
  from pass/fail; runWorkflowIntegrationTests and
  runPromptIntegrationTests return { executed, passed } objects
- Add test for absolute paths outside workspace being allowed

Author: data-douser

client/src/lib/integration-test-runner.js

@@ -225,11 +225,17 @@ export class IntegrationTestRunner {
       }
 
       this.logger.log(`Completed ${totalIntegrationTests} tool-specific integration tests`);
-      const toolIntegrationSucceeded = totalIntegrationTests > 0;
+
+      // Track execution counts and pass/fail separately.
+      // *Count* tracks whether the suite discovered & ran tests.
+      // *Succeeded* tracks whether those tests passed.
+      const toolTestsExecuted = totalIntegrationTests;
+      const toolTestsPassed = totalIntegrationTests > 0;
 
       // Also run workflow integration tests
-      const workflowIntegrationSucceeded = await this.runWorkflowIntegrationTests(baseDir);
-      if (!workflowIntegrationSucceeded) {
+      const { executed: workflowTestsExecuted, passed: workflowTestsPassed } =
+        await this.runWorkflowIntegrationTests(baseDir);
+      if (!workflowTestsPassed) {
         this.logger.logTest(
           "Workflow integration tests",
           false,
@@ -238,27 +244,27 @@ export class IntegrationTestRunner {
       }
 
       // Also run prompt integration tests
-      const promptIntegrationSucceeded = await this.runPromptIntegrationTests(baseDir);
-      if (!promptIntegrationSucceeded) {
+      const { executed: promptTestsExecuted, passed: promptTestsPassed } =
+        await this.runPromptIntegrationTests(baseDir);
+      if (!promptTestsPassed) {
         this.logger.logTest(
           "Prompt integration tests",
           false,
           new Error("Prompt integration tests did not complete successfully")
         );
       }
 
-      const anyTestsExecuted =
-        toolIntegrationSucceeded || workflowIntegrationSucceeded || promptIntegrationSucceeded;
+      const totalTestsExecuted = toolTestsExecuted + workflowTestsExecuted + promptTestsExecuted;
 
-      if (!anyTestsExecuted) {
+      if (totalTestsExecuted === 0) {
         this.logger.log(
-          "No integration tests completed successfully across tool, workflow, or prompt suites.",
+          "No integration tests were executed across tool, workflow, or prompt suites.",
           "ERROR"
         );
         return false;
       }
 
-      return toolIntegrationSucceeded && workflowIntegrationSucceeded && promptIntegrationSucceeded;
+      return toolTestsPassed && workflowTestsPassed && promptTestsPassed;
     } catch (error) {
       this.logger.log(`Error running integration tests: ${error.message}`, "ERROR");
       return false;
@@ -1183,10 +1189,13 @@ export class IntegrationTestRunner {
       }
 
       this.logger.log(`Total prompt integration tests executed: ${totalPromptTests}`);
-      return totalPromptTests > 0 ? allPromptTestsPassed : true;
+      return {
+        executed: totalPromptTests,
+        passed: totalPromptTests > 0 ? allPromptTestsPassed : true
+      };
     } catch (error) {
       this.logger.log(`Error running prompt integration tests: ${error.message}`, "ERROR");
-      return false;
+      return { executed: 0, passed: false };
     }
   }
 
@@ -1285,7 +1294,7 @@ export class IntegrationTestRunner {
 
       if (!fs.existsSync(workflowTestsDir)) {
         this.logger.log("No workflow integration tests directory found", "INFO");
-        return true;
+        return { executed: 0, passed: true };
       }
 
       // Discover workflow test directories
@@ -1296,7 +1305,7 @@ export class IntegrationTestRunner {
 
       if (workflowDirs.length === 0) {
         this.logger.log("No workflow test directories found", "INFO");
-        return true;
+        return { executed: 0, passed: true };
       }
 
       this.logger.log(`Found ${workflowDirs.length} workflow test(s): ${workflowDirs.join(", ")}`);
@@ -1309,10 +1318,10 @@ export class IntegrationTestRunner {
       }
 
       this.logger.log(`Total workflow integration tests executed: ${totalWorkflowTests}`);
-      return true;
+      return { executed: totalWorkflowTests, passed: true };
     } catch (error) {
       this.logger.log(`Error running workflow integration tests: ${error.message}`, "ERROR");
-      return false;
+      return { executed: 0, passed: false };
     }
   }
 

extensions/vscode/scripts/download-vscode.js

@@ -14,6 +14,7 @@
 
 import { existsSync, rmSync } from 'node:fs';
 import { join } from 'node:path';
+import { fileURLToPath } from 'node:url';
 import { downloadAndUnzipVSCode } from '@vscode/test-electron';
 
 const MAX_RETRIES = 3;
@@ -34,7 +35,7 @@ process.on('unhandledRejection', (reason) => {
  * fresh instead of hitting a checksum mismatch on a truncated archive.
  */
 function cleanPartialDownload() {
-  const cacheDir = join(new URL('..', import.meta.url).pathname, '.vscode-test');
+  const cacheDir = join(fileURLToPath(new URL('..', import.meta.url)), '.vscode-test');
   if (existsSync(cacheDir)) {
     console.log('   Cleaning .vscode-test/ to remove partial downloads...');
     rmSync(cacheDir, { recursive: true, force: true });

server/dist/codeql-development-mcp-server.js

@@ -64506,14 +64506,17 @@ async function resolvePromptFilePath(filePath, workspaceRoot) {
   }
   const effectiveRoot = workspaceRoot ?? getUserWorkspaceDir();
   const normalizedPath = normalize(effectivePath);
-  const absolutePath = isAbsolute7(normalizedPath) ? normalizedPath : resolve13(effectiveRoot, normalizedPath);
-  const rel = relative(effectiveRoot, absolutePath);
-  if (rel === ".." || rel.startsWith(`..${sep2}`) || isAbsolute7(rel)) {
-    return {
-      blocked: true,
-      resolvedPath: "",
-      warning: "\u26A0 **File path resolves outside the workspace root.** The path has been blocked for security."
-    };
+  const inputWasAbsolute = isAbsolute7(normalizedPath);
+  const absolutePath = inputWasAbsolute ? normalizedPath : resolve13(effectiveRoot, normalizedPath);
+  if (!inputWasAbsolute) {
+    const rel = relative(effectiveRoot, absolutePath);
+    if (rel === ".." || rel.startsWith(`..${sep2}`) || isAbsolute7(rel)) {
+      return {
+        blocked: true,
+        resolvedPath: "",
+        warning: "\u26A0 **File path resolves outside the workspace root.** The path has been blocked for security."
+      };
+    }
   }
   try {
     await access2(absolutePath);

server/dist/codeql-development-mcp-server.js.map

@@ -128,20 +128,23 @@ export async function resolvePromptFilePath(
   const normalizedPath = normalize(effectivePath);
 
   // Resolve to absolute path.
-  const absolutePath = isAbsolute(normalizedPath)
+  const inputWasAbsolute = isAbsolute(normalizedPath);
+  const absolutePath = inputWasAbsolute
     ? normalizedPath
     : resolve(effectiveRoot, normalizedPath);
 
-  // Verify the resolved path stays within the workspace root.
-  // This catches path traversal (e.g. "../../etc/passwd") after full
-  // resolution rather than relying on a fragile substring check.
-  const rel = relative(effectiveRoot, absolutePath);
-  if (rel === '..' || rel.startsWith(`..${sep}`) || isAbsolute(rel)) {
-    return {
-      blocked: true,
-      resolvedPath: '',
-      warning: '⚠ **File path resolves outside the workspace root.** The path has been blocked for security.',
-    };
+  // Only enforce the workspace-root boundary for relative inputs.
+  // Absolute paths are allowed through — users legitimately reference
+  // databases, queries, and pack roots outside the workspace.
+  if (!inputWasAbsolute) {
+    const rel = relative(effectiveRoot, absolutePath);
+    if (rel === '..' || rel.startsWith(`..${sep}`) || isAbsolute(rel)) {
+      return {
+        blocked: true,
+        resolvedPath: '',
+        warning: '⚠ **File path resolves outside the workspace root.** The path has been blocked for security.',
+      };
+    }
   }
 
   // Check existence on disk (advisory only — the resolved path is always

server/src/prompts/workflow-prompts.ts

@@ -1787,6 +1787,14 @@ describe('Workflow Prompts', () => {
       expect(result.warning).toContain('resolves outside the workspace root');
     });
 
+    it('should allow absolute paths outside the workspace root', async () => {
+      const result = await resolvePromptFilePath('/tmp/external-db', testDir);
+      expect(result.blocked).toBeUndefined();
+      expect(result.resolvedPath).toBe('/tmp/external-db');
+      // The file likely does not exist, so a warning is expected.
+      expect(result.warning).toContain('does not exist');
+    });
+
     it('should not flag filenames containing consecutive dots as traversal', async () => {
       const filePath = 'my..query.ql';
       writeFileSync(join(testDir, filePath), 'select 1');