Summary
PR #18 (Security fixes for TOCTOU & OS tmp files) introduced several cross-platform issues that were caught during code review. While those specific problems have been fixed, this issue tracks the broader effort to verify equivalent Windows support across the CodeQL Development MCP Server and prevent regressions through CI workflow improvements.
Background
The following categories of cross-platform bugs were found and fixed in PR #18:
| Category | Example | Fix Applied |
| --- | --- | --- |
| Invalid file URI construction | `` `file://${path}` `` produces broken URIs on Windows (backslashes, spaces) | Use `pathToFileURL()` from `node:url` |
| ESM `__dirname` unavailable | `__dirname` is not defined in ESM modules, would throw `ReferenceError` | Use `fileURLToPath(import.meta.url)` + `dirname()` |
| Hardcoded POSIX separators | `getProjectTmpDir('quickeval') + '/quickeval.bqrs'` | Use `path.join()` |
| POSIX-only `path.includes()` | `__dirname.includes('src/utils')` fails on Windows `src\utils` | Normalize separators before checking |
| POSIX-only `split('/')` | `tempDir.split('/').pop()` fails on Windows paths | Use `path.basename()` |
These patterns may exist elsewhere in the codebase and should be systematically audited.
Goals
1. Code changes for Windows compatibility
   - `file://` URI construction across `server/src/` and `server/test/` — replace any string concatenation with `pathToFileURL()`.
   - `__dirname` and `__filename` — ensure ESM-safe equivalents (`fileURLToPath` + `dirname`) are used consistently.
   - `/` separators with `path.join()`, `path.sep`, or `path.basename()` as appropriate.
   - `string.includes()` / `string.split()` calls on file paths — ensure they handle both `\` and `/` separators.
   - `client/src/` JavaScript files for the same patterns.
2. CI workflow improvements for multi-platform validation
   - `.github/workflows/client-integration-tests.yml` to run on a matrix of `windows-latest` and `ubuntu-latest` runners for pushes and pull requests.
   - `.github/workflows/*.yml` workflows for opportunities to add Windows runner coverage.
Acceptance Criteria
- All existing unit tests pass on both `ubuntu-latest` and `windows-latest` CI runners.
- All client integration tests pass on both `ubuntu-latest` and `windows-latest` CI runners.
- No remaining hardcoded POSIX path separators or `file://` string concatenation in server source or test code.
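
The path-handling bug categories from the Background table, shown next to their fixes, as an added example that is not code from the project or from PR #18. The sample paths and the `fragile`, `portable` and `fileUris` helpers are hypothetical; `path.win32` is used so the Windows results reproduce on any host.

```javascript
// Added example, not project code. CommonJS so it runs as a plain script.
const path = require('node:path');
const { pathToFileURL, fileURLToPath } = require('node:url');

// Constructed Windows-style sample paths (hypothetical locations).
const WIN_TMP = 'C:\\Users\\dev\\project\\.tmp\\quickeval';
const WIN_SRC = 'C:\\repo\\server\\src\\utils';

// The POSIX-only patterns from the table, unchanged.
function fragile(tmpDir, srcDir) {
  return {
    bqrs: tmpDir + '/quickeval.bqrs',      // mixed separators
    leaf: tmpDir.split('/').pop(),         // no '/' present: whole path comes back
    inUtils: srcDir.includes('src/utils'), // never matches src\utils
  };
}

// Portable equivalents. `api` defaults to path.win32 so the Windows
// behaviour is reproducible on any host; real code would use plain `path`.
function portable(tmpDir, srcDir, api = path.win32) {
  return {
    bqrs: api.join(tmpDir, 'quickeval.bqrs'),
    leaf: api.basename(tmpDir),
    // Normalize separators before the substring check.
    inUtils: srcDir.split(api.sep).join('/').includes('src/utils'),
  };
}

// file:// URIs: string concatenation vs pathToFileURL() on a host-native
// absolute path containing a space.
function fileUris(relParts = ['codeql mcp', 'query.ql']) {
  const abs = path.resolve(...relParts);
  const safe = pathToFileURL(abs);
  return {
    abs,
    naive: `file://${abs}`,          // raw space (and backslashes on Windows)
    safe: safe.href,                 // percent-encoded, forward slashes only
    roundTrip: fileURLToPath(safe),  // decodes back to the original path
  };
}

console.log(fragile(WIN_TMP, WIN_SRC));
console.log(portable(WIN_TMP, WIN_SRC));
console.log(fileUris());
```
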