feat: SqliteStore backend with annotation, audit, and cache tools

Replace lowdb with sql.js (asm.js build) for zero-dependency SQLite persistence.
Bundle inline with esbuild — no native modules, no external deps at runtime.

SqliteStore provides three tables:
- sessions: session tracking (migrated from lowdb)
- annotations: key-value annotation store with categories and metadata
- query_result_cache: BQRS/SARIF result caching with subset retrieval

New tools (gated by ENABLE_ANNOTATION_TOOLS env var):
- annotation_create, annotation_list, annotation_search, annotation_delete
- audit_store_findings, audit_list_findings, audit_add_notes, audit_clear_repo
- query_results_cache_lookup, query_results_cache_retrieve,
  query_results_cache_clear, query_results_cache_compare

Code refactoring for maintainability:
- Extract database-resolver.ts from cli-tool-registry.ts
- Extract query-resolver.ts from cli-tool-registry.ts
- Extract result-processor.ts from cli-tool-registry.ts
- Extract codeql-version.ts from cli-executor.ts

Bug fixes:
- Fix params.output not propagated to proce- Fix params.output not propagated to proce- Fix params.output not propagated txternal predicate conditions for direct query paths

Closes #165

Author: data-douser

server/src/lib/cli-tool-registry.ts

@@ -4,8 +4,9 @@
 
 import { executeCodeQLCommand } from './cli-executor';
 import { logger } from '../utils/logger';
-import { closeSync, fstatSync, mkdirSync, openSync, readFileSync, writeFileSync } from 'fs';
+import { writeFileSync, readFileSync, statSync } from 'fs';
 import { dirname, isAbsolute } from 'path';
+import { mkdirSync } from 'fs';
 
 export interface QueryEvaluationResult {
   success: boolean;
@@ -36,11 +37,7 @@ export type BuiltInEvaluator = keyof typeof BUILT_IN_EVALUATORS;
 /**
  * In-memory cache for extracted query metadata, keyed by file path.
  * Stores the file modification time to invalidate when the file changes.
- * Bounded to {@link METADATA_CACHE_MAX} entries; least-recently-used entries
- * (by access) are evicted when the limit is reached. Entries are refreshed
- * on cache hits via delete+set, so Map iteration order reflects LRU state.
  */
-const METADATA_CACHE_MAX = 256;
 const metadataCache = new Map<string, { mtime: number; metadata: QueryMetadata }>();
 
 /**
@@ -49,23 +46,15 @@ const metadataCache = new Map<string, { mtime: number; metadata: QueryMetadata }
  */
 export async function extractQueryMetadata(queryPath: string): Promise<QueryMetadata> {
   try {
-    // Open once, then fstat + read via the fd to avoid TOCTOU race (CWE-367).
-    const fd = openSync(queryPath, 'r');
-    let queryContent: string;
-    let mtime: number;
-    try {
-      mtime = fstatSync(fd).mtimeMs;
-      const cached = metadataCache.get(queryPath);
-      if (cached && cached.mtime === mtime) {
-        // Refresh position in Map to implement true LRU behavior.
-        metadataCache.delete(queryPath);
-        metadataCache.set(queryPath, cached);
-        return cached.metadata;
-      }
-      queryContent = readFileSync(fd, 'utf-8');
-    } finally {
-      closeSync(fd);
+    // Check cache with mtime validation
+    const stat = statSync(queryPath);
+    const mtime = stat.mtimeMs;
+    const cached = metadataCache.get(queryPath);
+    if (cached && cached.mtime === mtime) {
+      return cached.metadata;
     }
+
+    const queryContent = readFileSync(queryPath, 'utf-8');
     const metadata: QueryMetadata = {};
 
     // Extract metadata from comments using regex patterns
@@ -86,11 +75,6 @@ export async function extractQueryMetadata(queryPath: string): Promise<QueryMeta
       metadata.tags = tagsMatch[1].split(/\s+/).filter(t => t.length > 0);
     }
 
-    // Evict oldest entries when the cache exceeds the size limit.
-    if (metadataCache.size >= METADATA_CACHE_MAX) {
-      const firstKey = metadataCache.keys().next().value;
-      if (firstKey !== undefined) metadataCache.delete(firstKey);
-    }
     metadataCache.set(queryPath, { mtime, metadata });
     return metadata;
   } catch (error) {

server/src/lib/query-results-evaluator.ts

@@ -9,7 +9,8 @@
 import { basename, dirname } from 'path';
 import { mkdirSync, readFileSync } from 'fs';
 import { createHash } from 'crypto';
-import { CLIExecutionResult, executeCodeQLCommand, getActualCodeqlVersion } from './cli-executor';
+import { executeCodeQLCommand, CLIExecutionResult } from './cli-executor';
+import { getActualCodeqlVersion } from './cli-executor';
 import { evaluateQueryResults, extractQueryMetadata, QueryEvaluationResult } from './query-results-evaluator';
 import { resolveQueryPath } from './query-resolver';
 import { sessionDataManager } from './session-data-manager';

server/src/lib/result-processor.ts

@@ -1,6 +1,6 @@
 /**
  * Session Data Management
- * Provides session lifecycle management backed by SqliteStore (sql.js asm.js)
+ * Provides session lifecycle management backed by SqliteStore (sql.js WASM)
  */
 
 import { mkdirSync, writeFileSync } from 'fs';
@@ -45,18 +45,10 @@ export class SessionDataManager {
 
   /**
    * Initialize the database and ensure it's properly set up.
-   * Must be awaited before any session operations (sql.js init is async).
+   * Must be awaited before any session operations (sql.js WASM init is async).
    */
   async initialize(): Promise<void> {
     try {
-      // (Re)create the store if storageLocation changed since construction
-      // (e.g. via updateConfig or test mocks), closing the previous store first.
-      const storageDir = this.getConfig().storageLocation;
-      if (storageDir !== this.storageDir) {
-        this.store.close();
-        this.storageDir = storageDir;
-        this.store = new SqliteStore(this.storageDir);
-      }
       await this.store.initialize();
       const count = this.store.countSessions();
       logger.info(`Session data manager initialized with ${count} sessions`);