Problem
The current ql-mcp-client is a JavaScript/Node.js implementation (client/src/ql-mcp-client.js) that serves primarily as an integration testing harness for the MCP server. It has several limitations:
- No GitHub API integration — cannot authenticate to GitHub or call REST APIs (Code Scanning, etc.) without external tooling
- Not distributable as a
gh extension — requires Node.js runtime and npm workspace setup to run
- No SARIF download/upload capability — cannot fetch Code Scanning analyses or alerts from GitHub, making it impossible to use
ql-mcp server SARIF tools against production data
- No LLM integration path — cannot leverage the Copilot SDK for alert validation workflows
- Tightly coupled to npm workspaces — the
client/ directory is an npm workspace with its own package.json, eslint.config.mjs, and JS-specific tooling
Desired State
Go CLI binary (gh-ql-mcp-client)
Replace the JS client with a Go binary that serves as both a standalone CLI and a gh CLI extension:
- Go module at
client/ with Cobra CLI framework, go-gh for GitHub API auth, mcp-go for MCP server communication, and copilot-sdk/go for LLM sessions
code-scanning subcommands for interacting with the GitHub Code Scanning REST API:
list-analyses — list SARIF analyses for a repolist-alerts — list alerts with state/severity/tool filtersdownload-analysis — download SARIF via Accept: application/sarif+jsondownload-alerts — download alert details with instancesdismiss alerts — batch dismiss with --from-file manifest supportreopen alerts — batch reopen dismissed alerts
sarif subcommands that delegate to ql-mcp server tools:
compare alerts — call sarif_compare_alerts including fingerprint modecompare analyses — call sarif_diff_runsdeduplicate — orchestrate multi-step dedup workflow producing a dismiss manifestvalidate alert — LLM-driven TP/FP assessment via Copilot SDKvalidate analysis — batch validation across all alerts
- Integration test runner — Go port of the JS test runner that discovers and runs all fixtures in
client/integration-tests/, calls MCP tools via stdio or HTTP transport, and checks tool availability at runtime
gh extension packaging — cross-compiled binaries for darwin/linux/windows, installable via gh extension install
Server enhancements
New and enhanced ql-mcp server tools to support the client's Code Scanning workflows:
sarif_store tool — ingest SARIF content (from file or inline JSON string) into the session cache; return a cacheKey for consumption by existing sarif_* toolssarif_deduplicate_rules tool — pairwise rule comparison across two SARIF files using fingerprint-first, full-path-fallback overlap analysisfingerprint overlap mode in sarif_compare_alerts — compare partialFingerprints hashes with automatic fallback to full-path mode when fingerprints are absent (the partialFingerprints field is already parsed in SarifResultSchema but unused today)
Infrastructure
- Remove
client/ from npm workspaces; root package.json scripts invoke make -C client targets (build, test, lint, clean)
client-integration-tests.yml workflow needs actions/setup-go, annotation tools enabled by default, and make-based test invocationlint-and-format.yml workflow needs actions/setup-go since npm run lint will invoke go vetrun-integration-tests.sh builds the Go binary, extracts test databases, and runs the Go integration test runnernpm run build-and-test must pass end-to-end across server, client, and VS Code extension
Testing approach
- TDD methodology throughout — write Go unit tests before implementing each subcommand and internal package
- Client integration tests — all 82+ existing fixtures in
client/integration-tests/primitives/tools/ must pass with the Go runner
- Annotation tools enabled by default — audit, annotation, SARIF, and cache tools are core to the client's workflows and must be exercised in CI
- Monitoring/session tools deprecated — skip
session_* and sessions_* tool tests
- Tool availability enforcement — if a non-deprecated tool's test fixture exists but the tool is not registered on the server, the test must fail (not silently skip)
Use cases enabled
- Alert deduplication after query changes — download SARIF from two analyses (before/after a CodeQL query pack upgrade), use
sarif_deduplicate_rules to identify overlapping alerts, produce a dismiss manifest, and bulk-dismiss duplicates
- LLM-driven alert triage — download alerts and source code, create a Copilot SDK session with MCP tools as custom tools, send assessment prompts, and produce structured TP/FP verdicts with confidence scores
- Cross-analysis comparison — download SARIF from different branches, CodeQL versions, or repos, and use
sarif_diff_runs and sarif_compare_alerts to detect behavioral regressions or new coverage
- Alert lifecycle management — read, assess, clean up, and restore the approved set of Code Scanning alerts for a repository
Problem
The current
ql-mcp-clientis a JavaScript/Node.js implementation (client/src/ql-mcp-client.js) that serves primarily as an integration testing harness for the MCP server. It has several limitations:ghextension — requires Node.js runtime and npm workspace setup to runql-mcpserver SARIF tools against production dataclient/directory is an npm workspace with its ownpackage.json,eslint.config.mjs, and JS-specific toolingDesired State
Go CLI binary (
gh-ql-mcp-client)Replace the JS client with a Go binary that serves as both a standalone CLI and a
ghCLI extension:client/with Cobra CLI framework,go-ghfor GitHub API auth,mcp-gofor MCP server communication, andcopilot-sdk/gofor LLM sessionscode-scanningsubcommands for interacting with the GitHub Code Scanning REST API:list-analyses— list SARIF analyses for a repolist-alerts— list alerts with state/severity/tool filtersdownload-analysis— download SARIF viaAccept: application/sarif+jsondownload-alerts— download alert details with instancesdismiss alerts— batch dismiss with--from-filemanifest supportreopen alerts— batch reopen dismissed alertssarifsubcommands that delegate toql-mcpserver tools:compare alerts— callsarif_compare_alertsincluding fingerprint modecompare analyses— callsarif_diff_runsdeduplicate— orchestrate multi-step dedup workflow producing a dismiss manifestvalidate alert— LLM-driven TP/FP assessment via Copilot SDKvalidate analysis— batch validation across all alertsclient/integration-tests/, calls MCP tools via stdio or HTTP transport, and checks tool availability at runtimeghextension packaging — cross-compiled binaries for darwin/linux/windows, installable viagh extension installServer enhancements
New and enhanced
ql-mcpserver tools to support the client's Code Scanning workflows:sarif_storetool — ingest SARIF content (from file or inline JSON string) into the session cache; return acacheKeyfor consumption by existingsarif_*toolssarif_deduplicate_rulestool — pairwise rule comparison across two SARIF files using fingerprint-first, full-path-fallback overlap analysisfingerprintoverlap mode insarif_compare_alerts— comparepartialFingerprintshashes with automatic fallback tofull-pathmode when fingerprints are absent (thepartialFingerprintsfield is already parsed inSarifResultSchemabut unused today)Infrastructure
client/from npm workspaces; rootpackage.jsonscripts invokemake -C clienttargets (build, test, lint, clean)client-integration-tests.ymlworkflow needsactions/setup-go, annotation tools enabled by default, andmake-based test invocationlint-and-format.ymlworkflow needsactions/setup-gosincenpm run lintwill invokego vetrun-integration-tests.shbuilds the Go binary, extracts test databases, and runs the Go integration test runnernpm run build-and-testmust pass end-to-end across server, client, and VS Code extensionTesting approach
client/integration-tests/primitives/tools/must pass with the Go runnersession_*andsessions_*tool testsUse cases enabled
sarif_deduplicate_rulesto identify overlapping alerts, produce a dismiss manifest, and bulk-dismiss duplicatessarif_diff_runsandsarif_compare_alertsto detect behavioral regressions or new coverage