advanced-security
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎client/cmd/integration_tests.go‎
Lines changed: 9 additions & 0 deletions b/‎client/cmd/integration_tests.go‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎client/scripts/run-integration-tests.sh‎
Lines changed: 9 additions & 17 deletions b/‎client/scripts/run-integration-tests.sh‎
Lines changed: 9 additions & 17 deletions
diff --git a/‎extensions/vscode/src/bridge/environment-builder.ts‎
Lines changed: 6 additions & 13 deletions b/‎extensions/vscode/src/bridge/environment-builder.ts‎
Lines changed: 6 additions & 13 deletions
diff --git a/‎extensions/vscode/test/bridge/environment-builder.test.ts‎
Lines changed: 6 additions & 52 deletions b/‎extensions/vscode/test/bridge/environment-builder.test.ts‎
Lines changed: 6 additions & 52 deletions
diff --git a/‎server/dist/codeql-development-mcp-server.js‎
Lines changed: 1 addition & 29 deletions b/‎server/dist/codeql-development-mcp-server.js‎
Lines changed: 1 addition & 29 deletions
diff --git a/‎server/dist/codeql-development-mcp-server.js.map‎
Lines changed: 3 additions & 3 deletions b/‎server/dist/codeql-development-mcp-server.js.map‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎server/src/lib/session-data-manager.ts‎
Lines changed: 1 addition & 1 deletion b/‎server/src/lib/session-data-manager.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎server/src/tools/annotation-tools.ts‎
Lines changed: 1 addition & 10 deletions b/‎server/src/tools/annotation-tools.ts‎
Lines changed: 1 addition & 10 deletions
diff --git a/‎server/src/tools/audit-tools.ts‎
Lines changed: 1 addition & 11 deletions b/‎server/src/tools/audit-tools.ts‎
Lines changed: 1 addition & 11 deletions
@@ -18,7 +18,9 @@ _Changes on `main` since the latest tagged release that have not yet been includ
 
 ### Highlights
 
-- **Persistent MRVA workflow state and caching** — Introduced a new `SqliteStore` backend plus opt-in annotation, audit, and query result cache tools to support the next phase of MCP-assisted CodeQL development and `seclab-taskflow-agent` integration. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))
+- **Annotation, audit, cache, and SARIF tools are now always enabled** — Removed the `ENABLE_ANNOTATION_TOOLS` opt-in gate; all annotation, audit, query result cache, and SARIF analysis tools are registered by default. The `ENABLE_ANNOTATION_TOOLS` environment variable is still respected (set to `false` to disable) but defaults to `true`. ([#223](https://github.com/advanced-security/codeql-development-mcp-server/pull/223))
+- **Go-based `ql-mcp-client` rewrite** — Replaced the Node.js `ql-mcp-client.js` integration test runner with a Go CLI (`gh-ql-mcp-client`) built with Cobra and `mcp-go`. Adds `list tools/prompts/resources` commands and assertion-based integration test validation. ([#223](https://github.com/advanced-security/codeql-development-mcp-server/pull/223))
+- **Persistent MRVA workflow state and caching** — Introduced a new `SqliteStore` backend plus annotation, audit, and query result cache tools to support the next phase of MCP-assisted CodeQL development and `seclab-taskflow-agent` integration. ([#169](https://github.com/advanced-security/codeql-development-mcp-server/pull/169))
 - **Rust language support** — Added first-class Rust support with `PrintAST`, `PrintCFG`, `CallGraphFrom`, `CallGraphTo`, and `CallGraphFromTo` queries, bringing the total supported languages to 10. ([#195](https://github.com/advanced-security/codeql-development-mcp-server/pull/195))
 - **Bug fixes and design improvements from recent evaluation sessions** — Fixed 5 bugs across `bqrs_interpret`, `bqrs_info`, `annotation_search`, `audit_add_notes`, and `query_results_cache_compare`; added `database_analyze` auto-caching and per-database mutex serialization; auto-enabled annotation tools in VS Code extension. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199))
 - **SARIF analysis tools and cache model improvements** — Added `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `sarif_compare_alerts`, and `sarif_diff_runs` tools for rule-level SARIF extraction, Mermaid dataflow visualization, alert overlap analysis, and cross-run behavioral comparison. Extended cache model with `rule_id` and `run_id` columns; added `ruleId` filter to all cache tools; auto-decompose `database_analyze` SARIF into per-rule cache entries. Added `compare_overlapping_alerts` prompt and updated all SARIF-related prompts with tool recommendations. Extracted shared libraries for database metadata and SARIF rule name resolution. ([#204](https://github.com/advanced-security/codeql-development-mcp-server/pull/204))
@@ -77,6 +79,7 @@ _Changes on `main` since the latest tagged release that have not yet been includ
 - `McpProvider.requestRestart()` now invalidates the environment cache and bumps a `+rN` revision suffix so VS Code reliably restarts the MCP server after configuration changes. ([#196](https://github.com/advanced-security/codeql-development-mcp-server/pull/196))
 - Cached the extension version in the provider constructor to avoid repeated synchronous reads of `package.json`. ([#196](https://github.com/advanced-security/codeql-development-mcp-server/pull/196))
 - New `codeql-mcp.enableAnnotationTools` setting (default: `true`) auto-sets `ENABLE_ANNOTATION_TOOLS` and `MONITORING_STORAGE_LOCATION` environment variables; `additionalEnv` overrides for advanced users. ([#199](https://github.com/advanced-security/codeql-development-mcp-server/pull/199))
+- Simplified annotation tool environment: the extension no longer explicitly sets `ENABLE_ANNOTATION_TOOLS` since the server now defaults to `true`. ([#223](https://github.com/advanced-security/codeql-development-mcp-server/pull/223))
 
 #### Infrastructure & CI/CD
 
 
@@ -99,6 +99,15 @@ func runIntegrationTests(cmd *cobra.Command, _ []string) error {
 	}
 	fmt.Printf("Working directory: %s\n", repoRoot)
 
+	// Set CODEQL_MCP_TMP_DIR so the MCP server subprocess uses the same
+	// tmp base as the Go runner's {{tmpdir}} placeholder (<repoRoot>/.tmp).
+	// Without this, the server defaults to <serverPkgRoot>/.tmp (i.e.
+	// server/.tmp/) which causes log directory validation failures.
+	tmpBase := filepath.Join(repoRoot, ".tmp")
+	if os.Getenv("CODEQL_MCP_TMP_DIR") == "" {
+		os.Setenv("CODEQL_MCP_TMP_DIR", tmpBase)
+	}
+
 	// Connect to MCP server
 	client := mcpclient.NewClient(mcpclient.Config{
 		Mode: MCPMode(),
 
@@ -3,9 +3,8 @@
 # Run integration tests - orchestrates the complete test workflow
 # This script mimics the GitHub Actions workflow for local execution
 #
-# By default, this script runs integration tests in TWO modes:
-#   1. Default mode (standard tools) - tests the user experience
-#   2. Annotation mode (annotation_*, audit_*, query_results_cache_* tools)
+# By default, this script runs integration tests in DEFAULT mode, which
+# includes all annotation, audit, cache, and SARIF tools (always enabled).
 #
 # Monitoring mode (session_* tools) is disabled by default as those tools
 # are deprecated. Set ENABLE_MONITORING_TOOLS=true to also run monitoring tests.
@@ -20,8 +19,8 @@
 #                             unset   = skip monitoring mode (default)
 #
 # Usage:
-#   ./run-integration-tests.sh                              # Default + annotation modes
-#   ENABLE_MONITORING_TOOLS=true ./run-integration-tests.sh # Default + annotation + monitoring
+#   ./run-integration-tests.sh                              # Default mode (all tools)
+#   ENABLE_MONITORING_TOOLS=true ./run-integration-tests.sh # Default + monitoring
 #   MCP_MODE=http ./run-integration-tests.sh                # Run using HTTP transport
 #   ./run-integration-tests.sh --tools session_end          # Filter to specific tools
 
@@ -39,21 +38,21 @@ export TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-30}"
 export URL_SCHEME="${URL_SCHEME:-http}"
 
 # Determine which modes to run.
-# By default, run default + annotation modes (monitoring is deprecated).
+# Annotation/audit/cache/SARIF tools are always enabled by default.
+# Monitoring mode is disabled by default (deprecated).
 # Use ENABLE_MONITORING_TOOLS=true to also run monitoring mode.
 RUN_DEFAULT_MODE=true
 RUN_MONITORING_MODE=false
-RUN_ANNOTATION_MODE=true
 
 if [ -n "${ENABLE_MONITORING_TOOLS+x}" ]; then
     if [ "$ENABLE_MONITORING_TOOLS" = "true" ]; then
         RUN_MONITORING_MODE=true
-        echo "🔧 Mode: Default + annotation + monitoring (ENABLE_MONITORING_TOOLS=true)"
+        echo "🔧 Mode: Default + monitoring (ENABLE_MONITORING_TOOLS=true)"
     else
-        echo "🔧 Mode: Default + annotation (monitoring explicitly disabled)"
+        echo "🔧 Mode: Default (monitoring explicitly disabled)"
     fi
 else
-    echo "🔧 Mode: Default + annotation (monitoring disabled by default)"
+    echo "🔧 Mode: Default (all tools except deprecated monitoring)"
 fi
 
 # Check if --no-install-packs was passed
@@ -165,13 +164,6 @@ if [ "$RUN_MONITORING_MODE" = true ]; then
     run_tests_in_mode "MONITORING MODE (session_* tools)" "true" "${EXTRA_ARGS[@]}"
 fi
 
-if [ "$RUN_ANNOTATION_MODE" = true ]; then
-    # Annotation mode enables annotation, audit, and cache tools
-    export ENABLE_ANNOTATION_TOOLS="true"
-    run_tests_in_mode "ANNOTATION MODE (annotation_*, audit_*, query_results_cache_* tools)" "false" "${EXTRA_ARGS[@]}"
-    unset ENABLE_ANNOTATION_TOOLS
-fi
-
 echo ""
 echo "═══════════════════════════════════════════════════════════════"
 echo "✅ All integration tests completed successfully!"
 
@@ -147,22 +147,15 @@ export class EnvironmentBuilder extends DisposableObject {
     queryDirs.push(...userQueryDirs);
     env.CODEQL_QUERY_RUN_RESULTS_DIRS = queryDirs.join(delimiter);
 
-    // Annotation, audit, and cache tools — enabled by default (Design 5).
-    // The setting controls ENABLE_ANNOTATION_TOOLS and defaults
-    // MONITORING_STORAGE_LOCATION to the scratch directory so tools work
-    // out-of-the-box without manual env var configuration.
+    // Annotation, audit, cache, and SARIF tools are enabled by default on
+    // the server. The MONITORING_STORAGE_LOCATION env var tells the server
+    // where to place its SQLite store; default to the scratch directory so
+    // tools work out-of-the-box without manual env var configuration.
     // Respect values inherited from the extension host process environment;
-    // only apply defaults when not already defined there. The additionalEnv
-    // block below still overrides everything for advanced users.
-    const enableAnnotations = config.get<boolean>('enableAnnotationTools', true);
-    if (typeof process.env.ENABLE_ANNOTATION_TOOLS === 'string') {
-      env.ENABLE_ANNOTATION_TOOLS = process.env.ENABLE_ANNOTATION_TOOLS;
-    } else {
-      env.ENABLE_ANNOTATION_TOOLS = enableAnnotations ? 'true' : 'false';
-    }
+    // the additionalEnv block below still overrides everything for advanced users.
     if (typeof process.env.MONITORING_STORAGE_LOCATION === 'string') {
       env.MONITORING_STORAGE_LOCATION = process.env.MONITORING_STORAGE_LOCATION;
-    } else if (enableAnnotations && env.CODEQL_MCP_SCRATCH_DIR) {
+    } else if (env.CODEQL_MCP_SCRATCH_DIR) {
       env.MONITORING_STORAGE_LOCATION = env.CODEQL_MCP_SCRATCH_DIR;
     }
 
 
@@ -273,9 +273,9 @@ describe('EnvironmentBuilder', () => {
     expect(() => builder.dispose()).not.toThrow();
   });
 
-  it('should set ENABLE_ANNOTATION_TOOLS=true by default', async () => {
+  it('should not set ENABLE_ANNOTATION_TOOLS (server defaults to true)', async () => {
     const env = await builder.build();
-    expect(env.ENABLE_ANNOTATION_TOOLS).toBe('true');
+    expect(env.ENABLE_ANNOTATION_TOOLS).toBeUndefined();
   });
 
   it('should not overwrite MONITORING_STORAGE_LOCATION if already set in parent env', async () => {
@@ -304,33 +304,7 @@ describe('EnvironmentBuilder', () => {
     }
   });
 
-  it('should set ENABLE_ANNOTATION_TOOLS=false when setting is disabled', async () => {
-    const vscode = await import('vscode');
-    const originalGetConfig = vscode.workspace.getConfiguration;
-
-    try {
-      vscode.workspace.getConfiguration = () => ({
-        get: (_key: string, defaultVal?: any) => {
-          if (_key === 'enableAnnotationTools') return false;
-          if (_key === 'additionalDatabaseDirs') return [];
-          if (_key === 'additionalQueryRunResultsDirs') return [];
-          if (_key === 'additionalMrvaRunResultsDirs') return [];
-          return defaultVal;
-        },
-        has: () => false,
-        inspect: () => undefined as any,
-        update: () => Promise.resolve(),
-      }) as any;
-
-      builder.invalidate();
-      const env = await builder.build();
-      expect(env.ENABLE_ANNOTATION_TOOLS).toBe('false');
-    } finally {
-      vscode.workspace.getConfiguration = originalGetConfig;
-    }
-  });
-
-  it('should set MONITORING_STORAGE_LOCATION to scratch dir when annotations enabled with workspace', async () => {
+  it('should set MONITORING_STORAGE_LOCATION to scratch dir when workspace is open', async () => {
     const vscode = await import('vscode');
     const origFolders = vscode.workspace.workspaceFolders;
 
@@ -347,14 +321,14 @@ describe('EnvironmentBuilder', () => {
     }
   });
 
-  it('should allow additionalEnv to override ENABLE_ANNOTATION_TOOLS', async () => {
+  it('should allow additionalEnv to set custom environment variables', async () => {
     const vscode = await import('vscode');
     const originalGetConfig = vscode.workspace.getConfiguration;
 
     try {
       vscode.workspace.getConfiguration = () => ({
         get: (_key: string, defaultVal?: any) => {
-          if (_key === 'additionalEnv') return { ENABLE_ANNOTATION_TOOLS: 'false' };
+          if (_key === 'additionalEnv') return { MY_CUSTOM_VAR: 'custom-value' };
           if (_key === 'additionalDatabaseDirs') return [];
           if (_key === 'additionalQueryRunResultsDirs') return [];
           if (_key === 'additionalMrvaRunResultsDirs') return [];
@@ -367,29 +341,9 @@ describe('EnvironmentBuilder', () => {
 
       builder.invalidate();
       const env = await builder.build();
-      // additionalEnv comes after the default, so it should override
-      expect(env.ENABLE_ANNOTATION_TOOLS).toBe('false');
+      expect(env.MY_CUSTOM_VAR).toBe('custom-value');
     } finally {
       vscode.workspace.getConfiguration = originalGetConfig;
     }
   });
-
-  it('should preserve ENABLE_ANNOTATION_TOOLS from parent process environment', async () => {
-    const origValue = process.env.ENABLE_ANNOTATION_TOOLS;
-
-    try {
-      process.env.ENABLE_ANNOTATION_TOOLS = 'false';
-
-      builder.invalidate();
-      const env = await builder.build();
-      // Inherited process.env value should be preserved
-      expect(env.ENABLE_ANNOTATION_TOOLS).toBe('false');
-    } finally {
-      if (origValue === undefined) {
-        delete process.env.ENABLE_ANNOTATION_TOOLS;
-      } else {
-        process.env.ENABLE_ANNOTATION_TOOLS = origValue;
-      }
-    }
-  });
 });
@@ -190522,7 +190522,7 @@ function parseBoolEnv(envVar, defaultValue) {
 var sessionDataManager = new SessionDataManager({
   storageLocation: process.env.MONITORING_STORAGE_LOCATION || join9(getProjectTmpBase(), ".ql-mcp-tracking"),
   enableMonitoringTools: parseBoolEnv(process.env.ENABLE_MONITORING_TOOLS, false),
-  enableAnnotationTools: parseBoolEnv(process.env.ENABLE_ANNOTATION_TOOLS, false)
+  enableAnnotationTools: parseBoolEnv(process.env.ENABLE_ANNOTATION_TOOLS, true)
 });
 
 // src/lib/result-processor.ts
@@ -199822,13 +199822,6 @@ function generateListRecommendations(sessions) {
 // src/tools/annotation-tools.ts
 init_logger();
 function registerAnnotationTools(server) {
-  const config2 = sessionDataManager.getConfig();
-  if (!config2.enableAnnotationTools) {
-    logger.info(
-      "Annotation tools are disabled (opt-in). Set ENABLE_ANNOTATION_TOOLS=true to enable annotation_* tools."
-    );
-    return;
-  }
   registerAnnotationCreateTool(server);
   registerAnnotationGetTool(server);
   registerAnnotationListTool(server);
@@ -199963,13 +199956,6 @@ function registerAnnotationSearchTool(server) {
 init_logger();
 var AUDIT_CATEGORY = "audit-finding";
 function registerAuditTools(server) {
-  const config2 = sessionDataManager.getConfig();
-  if (!config2.enableAnnotationTools) {
-    logger.info(
-      "Audit tools are disabled (opt-in). Set ENABLE_ANNOTATION_TOOLS=true to enable audit_* and annotation_* tools."
-    );
-    return;
-  }
   registerAuditStoreFindingsTool(server);
   registerAuditListFindingsTool(server);
   registerAuditAddNotesTool(server);
@@ -200137,13 +200123,6 @@ function registerAuditClearRepoTool(server) {
 // src/tools/cache-tools.ts
 init_logger();
 function registerCacheTools(server) {
-  const config2 = sessionDataManager.getConfig();
-  if (!config2.enableAnnotationTools) {
-    logger.info(
-      "Cache tools are disabled (opt-in). Set ENABLE_ANNOTATION_TOOLS=true to enable query_results_cache_* tools."
-    );
-    return;
-  }
   registerQueryResultsCacheLookupTool(server);
   registerQueryResultsCacheRetrieveTool(server);
   registerQueryResultsCacheClearTool(server);
@@ -200333,13 +200312,6 @@ function registerQueryResultsCacheCompareTool(server) {
 import { readFileSync as readFileSync13 } from "fs";
 init_logger();
 function registerSarifTools(server) {
-  const config2 = sessionDataManager.getConfig();
-  if (!config2.enableAnnotationTools) {
-    logger.info(
-      "SARIF tools are disabled (opt-in). Set ENABLE_ANNOTATION_TOOLS=true to enable sarif_* tools."
-    );
-    return;
-  }
   registerSarifExtractRuleTool(server);
   registerSarifListRulesTool(server);
   registerSarifRuleToMarkdownTool(server);
 
@@ -387,5 +387,5 @@ function parseBoolEnv(envVar: string | undefined, defaultValue: boolean): boolea
 export const sessionDataManager = new SessionDataManager({
   storageLocation: process.env.MONITORING_STORAGE_LOCATION || join(getProjectTmpBase(), '.ql-mcp-tracking'),
   enableMonitoringTools: parseBoolEnv(process.env.ENABLE_MONITORING_TOOLS, false),
-  enableAnnotationTools: parseBoolEnv(process.env.ENABLE_ANNOTATION_TOOLS, false),
+  enableAnnotationTools: parseBoolEnv(process.env.ENABLE_ANNOTATION_TOOLS, true),
 });
@@ -1,7 +1,7 @@
 /**
  * Annotation Tools — general-purpose notes and bookmarks on any entity.
  *
- * Opt-in via ENABLE_ANNOTATION_TOOLS=true (disabled by default).
+ * Enabled by default. Can be disabled via ENABLE_ANNOTATION_TOOLS=false.
  * Uses the shared SqliteStore from the session data manager.
  */
 
@@ -14,15 +14,6 @@ import { logger } from '../utils/logger';
  * Register all annotation tools with the MCP server.
  */
 export function registerAnnotationTools(server: McpServer): void {
-  const config = sessionDataManager.getConfig();
-
-  if (!config.enableAnnotationTools) {
-    logger.info(
-      'Annotation tools are disabled (opt-in). Set ENABLE_ANNOTATION_TOOLS=true to enable annotation_* tools.',
-    );
-    return;
-  }
-
   registerAnnotationCreateTool(server);
   registerAnnotationGetTool(server);
   registerAnnotationListTool(server);
 
@@ -5,8 +5,7 @@
  * findings with notes, mirroring the seclab codeql_python MCP server's
  * SQLite-backed source tracking — but now backed by the shared SqliteStore.
  *
- * Enabled when ENABLE_ANNOTATION_TOOLS=true (disabled by default when annotation tools are off).
- * Audit tools are layered on annotations; there is no separate ENABLE_AUDIT_TOOLS flag.
+ * Enabled by default alongside annotation tools.
  */
 
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
@@ -20,15 +19,6 @@ const AUDIT_CATEGORY = 'audit-finding';
  * Register all audit tools with the MCP server.
  */
 export function registerAuditTools(server: McpServer): void {
-  const config = sessionDataManager.getConfig();
-
-  if (!config.enableAnnotationTools) {
-    logger.info(
-      'Audit tools are disabled (opt-in). Set ENABLE_ANNOTATION_TOOLS=true to enable audit_* and annotation_* tools.',
-    );
-    return;
-  }
-
   registerAuditStoreFindingsTool(server);
   registerAuditListFindingsTool(server);
   registerAuditAddNotesTool(server);