Context
Sub-issue of #207 — Phase 3(B): Code Scanning lifecycle management, SARIF server enhancements, and gh extension packaging.
Depends on: #217 (Phase 2 — Go binary and integration test runner)
Related: #208 (MCP tool usability improvements — SARIF enhancements from sub-issues feed into this phase)
Reference branch: origin/dd/ql-mcp-client/1

Summary
Complete the remaining ql-mcp-client features from #207 that go beyond the core CLI and test runner delivered in Phase 2. This phase adds Code Scanning API subcommands, SARIF delegation subcommands, GitHub API client integration, and server-side SARIF tool enhancements — reaching (and potentially exceeding) the state of origin/dd/ql-mcp-client/1. CHANGELOG updates target a v2.25.2-next.1 prerelease.

Scope
Go client: Code Scanning subcommands
- client/cmd/code_scanning.go — code-scanning parent subcommand
- client/cmd/code_scanning_list_analyses.go — code-scanning list-analyses subcommand: list SARIF analyses for a repo via GitHub REST API
- client/cmd/code_scanning_list_alerts.go — code-scanning list-alerts subcommand: list alerts with state/severity/tool filters
- client/cmd/code_scanning_download_analysis.go — code-scanning download-analysis subcommand: download SARIF via Accept: application/sarif+json

Go client: SARIF subcommands (MCP tool delegation)
- client/cmd/sarif.go — sarif parent subcommand wiring to MCP server SARIF tools:
  - sarif compare-alerts → sarif_compare_alerts (including fingerprint mode)
  - sarif compare-analyses → sarif_diff_runs

Go client: GitHub API integration
- client/internal/github/client.go — GitHub REST API client using go-gh for authentication:
  - GET /repos/{owner}/{repo}/code-scanning/analyses
  - GET /repos/{owner}/{repo}/code-scanning/alerts
  - GET /repos/{owner}/{repo}/code-scanning/analyses/{id} with Accept: application/sarif+json
- client/internal/github/client_test.go — Unit tests for GitHub API client
- client/internal/github/types.go — Go types for Code Scanning API responses (Analysis, Alert, AlertInstance, etc.)

Go client: gh extension packaging
- darwin/amd64, darwin/arm64, linux/amd64, windows/amd64
- gh extension install from release artifacts

Server: SARIF tool enhancements
These changes enhance existing ql-mcp server SARIF tools to support the client's Code Scanning workflows, and address SARIF-related improvements from #208 sub-issues:
- server/src/lib/sarif-utils.ts — Enhance SARIF utility functions:
  - #214 — sarif_list_rules per-rule resultCount
- server/src/tools/sarif-tools.ts — Enhance SARIF tools:
  - sarif_compare_alerts: add partialFingerprints overlap mode with automatic fallback to full-path mode
  - sarif_list_rules: add resultCount field per rule (#214)
  - sarif_store: ingest SARIF content into session cache, return cacheKey for downstream tools (#207)
  - sarif_deduplicate_rules: pairwise rule comparison across SARIF files using fingerprint-first overlap analysis (#207)
  - sarif_diff_by_commits for git-diff correlation (#208 area 5)
- server/test/src/lib/sarif-utils.test.ts — Unit tests for enhanced SARIF utilities
- server/test/src/tools/sarif-tools.test.ts — Unit tests for enhanced SARIF tools

Server: Build artifacts
- server/dist/codeql-development-mcp-server.js — Rebuild with SARIF enhancements
- server/dist/codeql-development-mcp-server.js.map — Updated source map

CHANGELOG.md
- CHANGELOG.md for v2.25.2-next.1 (prerelease) with Phase 3 changes:
  - gh-ql-mcp-client
  - resultCount, sarif_store, sarif_deduplicate_rules
  - gh extension packaging support

Acceptance criteria
- gh-ql-mcp-client code-scanning list-analyses, list-alerts, and download-analysis work against a real GitHub repo with Code Scanning enabled
- gh-ql-mcp-client sarif compare-alerts and sarif compare-analyses successfully delegate to MCP server tools
- GitHub API client authenticates via go-gh (respects GH_TOKEN, gh auth session)
- sarif_compare_alerts supports fingerprint overlap mode with automatic fallback
- sarif_list_rules includes resultCount per rule
- All new Go code has unit tests; go test ./... passes
- All server SARIF changes have unit tests; npm test passes in server/
- npm run build-and-test passes end-to-end
- CHANGELOG.md documents Phase 3 changes targeting v2.25.2-next.1

Files changed (reference: origin/dd/ql-mcp-client/1)
Added
- client/cmd/code_scanning.go
- client/cmd/code_scanning_list_analyses.go
- client/cmd/code_scanning_list_alerts.go
- client/cmd/code_scanning_download_analysis.go
- client/cmd/sarif.go
- client/internal/github/client.go
- client/internal/github/client_test.go
- client/internal/github/types.go
- server/test/src/lib/sarif-utils.test.ts (new tests)

Modified
- server/src/lib/sarif-utils.ts
- server/src/tools/sarif-tools.ts
- server/test/src/tools/sarif-tools.test.ts
- server/dist/codeql-development-mcp-server.js
- server/dist/codeql-development-mcp-server.js.map
- CHANGELOG.md
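
The scope items for sarif_compare_alerts (partialFingerprints overlap with automatic fallback to full-path mode) and the per-rule resultCount for sarif_list_rules can be sketched as follows. This is an added example, not code from the ql-mcp server or the reference branch; the function names, the reduced SARIF types, the reading of "full-path" as the ordered list of result and code-flow locations, and the sample results are all assumptions made for illustration.

```typescript
// Minimal SARIF shapes: only the fields this example reads.
interface Loc { physicalLocation?: { artifactLocation?: { uri?: string }; region?: { startLine?: number } } }
interface Result {
  ruleId?: string;
  partialFingerprints?: Record<string, string>;
  locations?: Loc[];
  codeFlows?: { threadFlows: { locations: { location: Loc }[] }[] }[];
}

// Per-rule result counts, the kind of figure a resultCount field would carry.
function countResultsByRule(results: Result[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const r of results) {
    const id = r.ruleId ?? "(no ruleId)";
    counts[id] = (counts[id] ?? 0) + 1;
  }
  return counts;
}

// Flatten a result to "uri:line" steps: primary locations, then code-flow steps.
function fullPath(r: Result): string[] {
  const key = (l: Loc): string =>
    `${l.physicalLocation?.artifactLocation?.uri ?? "?"}:${l.physicalLocation?.region?.startLine ?? 0}`;
  const steps = (r.locations ?? []).map(key);
  for (const cf of r.codeFlows ?? [])
    for (const tf of cf.threadFlows)
      for (const s of tf.locations) steps.push(key(s.location));
  return steps;
}

// Assumed semantics (hypothetical): fingerprints decide when both results share at
// least one fingerprint key; otherwise fall back to comparing the full location path.
function compareAlerts(a: Result, b: Result): { mode: "fingerprint" | "full-path"; overlap: boolean } {
  const fa = a.partialFingerprints ?? {};
  const fb = b.partialFingerprints ?? {};
  const shared = Object.keys(fa).filter(k => k in fb);
  if (shared.length > 0) {
    return { mode: "fingerprint", overlap: shared.some(k => fa[k] === fb[k]) };
  }
  const pa = fullPath(a);
  const pb = fullPath(b);
  return { mode: "full-path", overlap: pa.length > 0 && pa.join("|") === pb.join("|") };
}

// Constructed sample results (not taken from any real analysis).
const at = (uri: string, startLine: number): Loc => ({ physicalLocation: { artifactLocation: { uri }, region: { startLine } } });
const oldAlert: Result = { ruleId: "js/sql-injection", partialFingerprints: { primaryLocationLineHash: "abc:1" }, locations: [at("src/db.js", 10)] };
const movedAlert: Result = { ruleId: "js/sql-injection", partialFingerprints: { primaryLocationLineHash: "abc:1" }, locations: [at("src/db.js", 14)] };
const noPrints: Result = { ruleId: "js/xss", locations: [at("src/view.js", 3)] };
```

Fingerprint mode still matches oldAlert and movedAlert after the line shift from 10 to 14, which a location-only comparison would report as one fixed alert and one new alert. That is why the fallback is used only when fingerprints are absent.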