advanced-security
diff --git a/‎server/dist/codeql-development-mcp-server.js‎
Lines changed: 1 addition & 1 deletion b/‎server/dist/codeql-development-mcp-server.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎server/dist/codeql-development-mcp-server.js.map‎
Lines changed: 1 addition & 1 deletion b/‎server/dist/codeql-development-mcp-server.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎server/src/resources/server-tools.md‎
Lines changed: 44 additions & 0 deletions b/‎server/src/resources/server-tools.md‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎server/test/src/tools/sarif-tools.test.ts‎
Lines changed: 44 additions & 5 deletions b/‎server/test/src/tools/sarif-tools.test.ts‎
Lines changed: 44 additions & 5 deletions
@@ -68,6 +68,50 @@ This resource provides a complete reference of the default tools exposed by the
 | `sarif_compare_alerts`   | Compare code locations of two SARIF alerts for overlap (sink, source, any-location, full-path modes) |
 | `sarif_diff_runs`        | Diff two SARIF files to find added, removed, and changed rules/results across analysis runs          |
 
+### `sarif_list_rules` Response Format
+
+Returns a JSON object with per-rule result counts and metadata:
+
+```json
+{
+  "totalRules": 3,
+  "totalResults": 15,
+  "rules": [
+    {
+      "ruleId": "js/sql-injection",
+      "resultCount": 8,
+      "name": "Database query built from user-controlled sources",
+      "kind": "path-problem",
+      "precision": "high",
+      "severity": "8.8",
+      "tags": ["security", "external/cwe/cwe-089"],
+      "tool": "CodeQL",
+      "toolVersion": "2.20.4"
+    }
+  ]
+}
+```
+
+| Field          | Type   | Description                                      |
+| -------------- | ------ | ------------------------------------------------ |
+| `totalRules`   | number | Total number of distinct rules in the SARIF file |
+| `totalResults` | number | Sum of `resultCount` across all rules            |
+| `rules[]`      | array  | Per-rule summaries (see below)                   |
+
+Each rule object:
+
+| Field         | Type     | Required | Description                                                                  |
+| ------------- | -------- | -------- | ---------------------------------------------------------------------------- |
+| `ruleId`      | string   | yes      | Rule identifier (matches the CodeQL query `@id`)                             |
+| `resultCount` | number   | yes      | Number of results (findings) for this rule; `0` if defined but not triggered |
+| `name`        | string   | no       | Display name (from `shortDescription.text`, `name`, or `id`)                 |
+| `kind`        | string   | no       | Query kind (`path-problem`, `problem`, etc.)                                 |
+| `precision`   | string   | no       | Precision level (`high`, `medium`, `low`, `very-high`)                       |
+| `severity`    | string   | no       | Security severity score (from `security-severity` property)                  |
+| `tags`        | string[] | no       | Rule tags (e.g., `security`, `external/cwe/cwe-089`)                         |
+| `tool`        | string   | no       | Tool driver name (e.g., `CodeQL`)                                            |
+| `toolVersion` | string   | no       | Tool driver version                                                          |
+
 ## Common Tool Workflows
 
 ### Create and Test a Query
 
@@ -53,6 +53,12 @@ function createTestSarif() {
             { location: { physicalLocation: { artifactLocation: { uri: 'src/db.js' }, region: { startLine: 42 } }, message: { text: 'query(...)' } } },
           ] }] }],
         },
+        {
+          ruleId: 'js/sql-injection',
+          ruleIndex: 0,
+          message: { text: 'SQL injection from request body.' },
+          locations: [{ physicalLocation: { artifactLocation: { uri: 'src/api.js' }, region: { startLine: 15, startColumn: 3, endColumn: 40 } } }],
+        },
         {
           ruleId: 'js/xss',
           ruleIndex: 1,
@@ -64,6 +70,25 @@ function createTestSarif() {
   };
 }
 
+/** SARIF with a defined rule but zero results — validates resultCount: 0 */
+function createZeroResultsSarif() {
+  return {
+    version: '2.1.0',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'CodeQL',
+          version: '2.25.1',
+          rules: [
+            { id: 'js/unused-variable', shortDescription: { text: 'Unused variable' } },
+          ],
+        },
+      },
+      results: [],
+    }],
+  };
+}
+
 // ---------------------------------------------------------------------------
 // Tests
 // ---------------------------------------------------------------------------
@@ -170,7 +195,7 @@ describe('SARIF Tools', () => {
         const parsed = JSON.parse(result.content[0].text);
 
         expect(parsed.ruleId).toBe('js/sql-injection');
-        expect(parsed.resultCount).toBe(1);
+        expect(parsed.resultCount).toBe(2);
         expect(parsed.extractedSarif.runs[0].tool.driver.rules).toHaveLength(1);
       });
 
@@ -212,15 +237,29 @@ describe('SARIF Tools', () => {
     });
 
     describe('sarif_list_rules', () => {
-      it('should list all rules with result counts', async () => {
+      it('should list all rules with per-rule result counts', async () => {
         const result = await handlers.sarif_list_rules({ sarifPath: testSarifPath });
         const parsed = JSON.parse(result.content[0].text);
 
         expect(parsed.totalRules).toBe(2);
-        expect(parsed.totalResults).toBe(2);
+        expect(parsed.totalResults).toBe(3);
         expect(parsed.rules[0].ruleId).toBe('js/sql-injection');
-        expect(parsed.rules[0].resultCount).toBe(1);
+        expect(parsed.rules[0].resultCount).toBe(2);
         expect(parsed.rules[1].ruleId).toBe('js/xss');
+        expect(parsed.rules[1].resultCount).toBe(1);
+      });
+
+      it('should return resultCount 0 for rules with no results', async () => {
+        const noResultsPath = join(testStorageDir, 'no-results.sarif');
+        writeFileSync(noResultsPath, JSON.stringify(createZeroResultsSarif()));
+
+        const result = await handlers.sarif_list_rules({ sarifPath: noResultsPath });
+        const parsed = JSON.parse(result.content[0].text);
+
+        expect(parsed.totalRules).toBe(1);
+        expect(parsed.totalResults).toBe(0);
+        expect(parsed.rules[0].ruleId).toBe('js/unused-variable');
+        expect(parsed.rules[0].resultCount).toBe(0);
       });
     });
 
@@ -303,7 +342,7 @@ describe('SARIF Tools', () => {
 
       it('should detect changed result counts', async () => {
         const sarifB = createTestSarif();
-        sarifB.runs[0].results = [sarifB.runs[0].results[0]]; // remove XSS result
+        sarifB.runs[0].results = sarifB.runs[0].results.filter(r => r.ruleId !== 'js/xss');
         const pathB = join(testStorageDir, 'modified.sarif');
         writeFileSync(pathB, JSON.stringify(sarifB));