Releases: advanced-security/codeql-development-mcp-server

v2.25.2

15 Apr 17:46
fd7f222

What's Changed

  • SqliteStore backend + annotation, audit, and query result cache tools by @data-douser in #169
  • Add support for rust language by @Copilot in #195
  • fix: ql-mcp server must handle vscode workspace folder changes by @data-douser in #196
  • Updated versions & CHANGELOG.md for v2.25.1-next.1 release by @data-douser in #197
  • Updates for v2.25.1-next.2 prerelease by @data-douser in #204
  • Build(deps): bump the all-npm-dependencies group across 4 directories with 6 updates by @dependabot[bot] in #205
  • Add missing Cargo.lock files and ext/ crate for Rust QL tools test fixtures by @Copilot in #210
  • Document and test sarif_list_rules per-rule resultCount field by @Copilot in #219
  • [UPDATE PRIMITIVE] Normalize camelCase params to kebab-case with actionable error messages for CLI tools by @Copilot in #224
  • Fix minimal default scope in extract-test-databases.sh for efficient running of client integration tests by @data-douser in #228
  • [UPDATE PRIMITIVE] Report all validation errors at once instead of one-at-a-time by @Copilot in #227
  • Improve ql-mcp VS Code extension UX by @Copilot in #230
  • Update NodeJS dependencies for security patches by @data-douser in #245
  • Prep for v2.25.2 release of codeql-development-mcp-server by @data-douser in #251

Full Changelog: v2.25.1...v2.25.2

v2.25.2-rc1

15 Apr 17:42

Pre-release

What's Changed

  • Build(deps): bump the all-npm-dependencies group across 4 directories with 6 updates by @dependabot[bot] in #205
  • Add missing Cargo.lock files and ext/ crate for Rust QL tools test fixtures by @Copilot in #210
  • Document and test sarif_list_rules per-rule resultCount field by @Copilot in #219
  • [UPDATE PRIMITIVE] Normalize camelCase params to kebab-case with actionable error messages for CLI tools by @Copilot in #224
  • Fix minimal default scope in extract-test-databases.sh for efficient running of client integration tests by @data-douser in #228
  • [UPDATE PRIMITIVE] Report all validation errors at once instead of one-at-a-time by @Copilot in #227
  • Improve ql-mcp VS Code extension UX by @Copilot in #230
  • Update NodeJS dependencies for security patches by @data-douser in #245

Full Changelog: v2.25.1-next.2...v2.25.2-rc1

v2.25.1-next.3

08 Apr 01:38

Pre-release

Overview

This prerelease contains the last expected improvements for the v2.25.1-next.* release train, which will form the bulk of the changes between the full v2.25.1 release and the upcoming v2.25.2 release (pending the upstream CodeQL release).

This v2.25.1-next.3 prerelease focuses on bug fixes and usability improvements for the ql-mcp server and the VSIX-installed extension (e.g. for VS Code) that wraps it.

v2.25.1-next.2

01 Apr 21:59
16b96a1

Pre-release

What's Changed

Full Changelog: v2.25.1-next.1...v2.25.1-next.2

v2.25.1-next.1

30 Mar 22:27
86fe331

Pre-release

v2.25.1-next.1 – 2026-03-30

Highlights

  • Ready for multi-query and/or multi-repository variant analysis (aka MRVA) -- An improved sql.js backend and new MCP server primitives (i.e. prompts, resources & tools) are designed to support analysis of large codebases and/or MRVA results and/or results across multiple query runs.
  • Prepped for drop-in to GitHubSecurityLab/seclab-taskflow-agent -- This next release is intended to be a drop-in replacement for the CodeQL MCP server currently bundled with the GitHubSecurityLab/seclab-taskflow-agent -- where additional work is required to complete this integration on the seclab-taskflow-agent side, but where the codeql-development-mcp-server is fully prepped to go "Yes, and ..." on the ideas pioneered by the seclab-taskflow-agent. Where the previously bundled CodeQL MCP server provided some "tools" queries for a couple of languages, the codeql-development-mcp-server standardizes and extends PrintAST, PrintCFG, CallGraphFrom, CallGraphTo, and CallGraphFromTo "tools" queries for all currently supported languages, including:
    • actions (only supports PrintAST and PrintCFG)
    • cpp
    • csharp
    • go
    • java
    • javascript
    • python
    • ruby
    • rust
    • swift
  • SqliteStore backend + 14 new opt-in tools – Replaced lowdb with sql.js (SQLite compiled to asm.js) as the unified storage backend. Introduced annotation (6 tools), audit (4 tools), and query result cache (4 tools) suites, gated by ENABLE_ANNOTATION_TOOLS. (#169)
  • Rust language support – Added first-class Rust support with all standard tool queries (PrintAST, PrintCFG, CallGraphFrom, CallGraphTo, CallGraphFromTo) plus a new rust_ast.md language resource, bringing the total supported languages to 10. (#195)
  • VS Code workspace folder change fix – The ql-mcp server now correctly restarts with a fresh environment when workspace folders are added or removed, fixing a bug where the server was left in a broken state. (#196)

Added

MCP Server Tools

Enabling the new MCP tools (below) requires setting the ENABLE_MONITORING_TOOLS and MONITORING_STORAGE_LOCATION env vars, like:

export ENABLE_ANNOTATION_TOOLS=true
export MONITORING_STORAGE_LOCATION=".codeql/.ql-mcp-tracking"

NOTE: A future release (e.g. v2.25.1-next.2) will ensure that these env vars are set automatically for a VSIX-installed ql-mcp server and its wrapping VS Code extension. For this v2.25.1-next.1 release, the env vars above must be set manually in the extension's settings.

Tool Description
annotation_create Create general-purpose notes and bookmarks on any entity. (#169)
annotation_get Retrieve a specific annotation by ID. (#169)
annotation_list List all annotations, optionally filtered. (#169)
annotation_update Update an existing annotation. (#169)
annotation_delete Delete an annotation by ID. (#169)
annotation_search Full-text search across annotations. (#169)
audit_store_findings Store repo-keyed findings for MRVA triage workflows. (#169)
audit_list_findings List audit findings for a repository. (#169)
audit_add_notes Add notes to audit findings. (#169)
audit_clear_repo Clear all findings for a repository. (#169)
query_results_cache_lookup Look up cached query results with subset retrieval. (#169)
query_results_cache_retrieve Retrieve cached query results with line range, grep, and SARIF filters. (#169)
query_results_cache_clear Clear the query result cache. (#169)
query_results_cache_compare Compare query results across databases. (#169)

CodeQL Query Packs

Pack Description
Rust tool queries PrintAST, PrintCFG, CallGraphFrom, CallGraphTo, CallGraphFromTo for Rust, using entity-based function resolution via getResolvedTarget(). (#195)

MCP Server Resources

URI Description
codeql://languages/rust/ast Comprehensive Rust AST class reference for CodeQL query development, with verified accessor predicates. (#195)

Infrastructure & CI/CD

  • Added Rust to all CI/CD workflows: query-unit-tests.yml, release.yml, release-codeql.yml. (#195)
  • Added client integration tests for Rust PrintAST and CallGraphFrom. (#195)
  • Added client integration tests for all 14 new annotation/audit/cache tools and an MRVA triage workflow end-to-end test. (#169)
  • Added .prettierignore entries for *.ql, *.qll, and query documentation .md files to prevent prettier from overriding CodeQL formatting. (#195)

What's Changed

MCP Server Tools

Tool Change
codeql_query_run Results are now auto-cached in the SqliteStore after SARIF interpretation. (#169)
extractQueryMetadata LRU in-memory cache with mtime-based invalidation for improved performance. (#169)
resolveDatabasePath Module-level Map cache to avoid redundant filesystem scans. (#169)

VS Code Extension

  • McpProvider.requestRestart() now atomically invalidates the environment cache and bumps a +rN revision suffix, ensuring VS Code reliably detects version changes and restarts the server. (#196)
  • Extension version is cached once at construction time instead of reading package.json synchronously on every definition query. (#196)

Infrastructure & CI/CD

  • Extracted database-resolver.ts, query-resolver.ts, result-processor.ts, and codeql-version.ts from monolithic files, reducing cli-tool-registry.ts by ~375 lines. (#169)
  • CodeQL CLI actual-vs-target version mismatch detection at startup with logged warnings. (#169)

Fixed

  • VS Code workspace folder changes left the server in a broken state – fireDidChange() was called with an identical version string after a folder add/remove, causing VS Code to stop but not restart the server. requestRestart() now invalidates the environment cache and uses a monotonically increasing +rN revision suffix. (#196)
  • requestRestart() did not invalidate the environment cache – Callers had to invalidate the env cache manually before calling requestRestart(), which was undocumented. This is now handled internally. (#196)

Dependencies

  • Replaced lowdb with sql.js (asm.js build, zero native dependencies). (#169)
  • Added codeql/rust-all: 0.2.10 as a CodeQL pack dependency for Rust tool queries. (#195)

New Contributors

v2.25.1

29 Mar 23:25
1faad96

What's Changed

  • Add CHANGELOG.md and maintenance agent skill by @data-douser in #193
  • Upgrade CodeQL CLI dependency to v2.25.1 by @github-actions[bot] in #192

Full Changelog: v2.25.0...v2.25.1

v2.25.0

27 Mar 20:32
de78423

What's Changed

  • Build(deps-dev): bump @vitest/coverage-v8 from 4.0.18 to 4.1.0 by @dependabot[bot] in #141
  • Update copilot-setup-steps and NodeJS dependencies by @data-douser in #142
  • Apply npm audit fix for NodeJS dependencies by @data-douser in #144
  • Implement duplicated code detection prompts, supported by tools. by @MichaelRFairhurst in #109
  • Upgrade NodeJS dependencies to latest by @data-douser in #156
  • Build(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by @dependabot[bot] in #146
  • Update action versions and fix build-and-test step in update-codeql workflow by @data-douser in #158
  • Support target upgrade version in update-codeql.yml workflow by @data-douser in #160
  • Improve prompt error handling and relative path support by @data-douser in #153
  • Upgrade CodeQL CLI dependency to v2.25.0 by @github-actions[bot] in #161
  • Pin actions to full-length commit SHAs by @data-douser in #190
  • Update dependabot config to group PRs by @data-douser in #191
  • Upgrade NodeJS dependencies and rebuild server/dist/** by @data-douser in #189
  • Add CallGraphFromTo queries for all supported languages by @data-douser in #168
  • [UPDATE PRIMITIVE] Fix codeql_database_analyze additionalArgs pass-through by @Copilot in #188

Full Changelog: v2.24.3...v2.25.0

v2.25.0-rc1

24 Mar 17:49

Pre-release

What's Changed

  • Build(deps-dev): bump @vitest/coverage-v8 from 4.0.18 to 4.1.0 by @dependabot[bot] in #141
  • Update copilot-setup-steps and NodeJS dependencies by @data-douser in #142
  • Apply npm audit fix for NodeJS dependencies by @data-douser in #144
  • Implement duplicated code detection prompts, supported by tools. by @MichaelRFairhurst in #109
  • Upgrade NodeJS dependencies to latest by @data-douser in #156
  • Build(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by @dependabot[bot] in #146
  • Update action versions and fix build-and-test step in update-codeql workflow by @data-douser in #158
  • Support target upgrade version in update-codeql.yml workflow by @data-douser in #160
  • Improve prompt error handling and relative path support by @data-douser in #153
  • Upgrade CodeQL CLI dependency to v2.25.0 by @github-actions[bot] in #161

Full Changelog: v2.24.3...v2.25.0-rc1

v2.24.3

12 Mar 01:18
3bd0471

Highlights

Database Lock Contention Fix & New CodeQL Search/Discovery Tools

This release resolves a critical compatibility issue where databases locked by the GitHub.vscode-codeql extension prevented the MCP server from running CLI commands. A new DatabaseCopier syncs databases into a managed, lock-free directory under the extension's globalStorage. Two new tools – search_ql_code and codeql_resolve_files – eliminate the need for LLMs to use grep or shell access for QL code search and file discovery.

πŸ” Automatic CodeQL CLI Discovery

The MCP server now automatically finds the CodeQL CLI binary installed by the GitHub.vscode-codeql extension, which stores it off-PATH. Discovery uses distribution.json (folder index hint) with a fallback to scanning distribution* directories. This works at two layers: the VS Code extension CliResolver and the server-side cli-executor.

Rewritten MCP Resources as Actionable LLM-Oriented Guides

All static MCP resources have been rewritten as actionable, LLM-oriented guides. Resources are now registered under clearer URIs (e.g., codeql://server/overview, codeql://server/queries, codeql://server/tools, codeql://server/prompts) and include new resources for learning query basics, test-driven development, and language-specific security query guides.

New MCP Server Tools

search_ql_code Searches QL source code by text or regex pattern across resolved CodeQL packs and workspace folders, returning matched lines with surrounding context. Eliminates the need for LLMs to use grep or shell access.
codeql_resolve_files Discovers files by extension or glob pattern within CodeQL databases and packs, enabling LLMs to find source files without CLI dependencies.

New MCP Server Resources

codeql://server/overview MCP server orientation guide (replaces getting-started.md)
codeql://server/queries PrintAST, PrintCFG, CallGraphFrom, CallGraphTo overview
codeql://server/tools Complete default tool reference
codeql://server/prompts Complete prompt reference
codeql://learning/query-basics Practical query writing reference
codeql://learning/test-driven-development TDD theory overview with cross-links
codeql://learning/security-queries/* Language-specific security query guides (migrated from .github/skills/)

Changed MCP Server Prompts & Resources

All existing workflow prompts and resources have been updated to remove grep/CLI references in favor of the new search_ql_code and codeql_resolve_files tools.

Changed MCP Server Tools

profile_codeql_query_from_logs Rewritten with two-tier design: compact inline JSON + line-indexed detail file for targeted read_file access. Parser now captures RA operations and pipeline-stage tuple progressions. Output is deterministic (no timestamps). Uses streaming async generators instead of readFileSync for large evaluator logs.
codeql_query_run resolveDatabasePath helper auto-resolves multi-language database roots and throws on ambiguity instead of silently picking the first candidate.
codeql_database_analyze Same resolveDatabasePath helper applied for consistent database path resolution.
codeql_resolve_database Now probes child directories for databases; uses resolveDatabasePath for ambiguity detection.

Bug Fixes

  • Database lock contention with vscode-codeql – Fixed a critical issue where .lock files created by the vscode-codeql query server prevented codeql_query_run and codeql_database_analyze from executing. A new DatabaseCopier syncs databases into a managed lock-free directory. (#119)
  • Version-bearing files not updated during release – The update-release-version.sh script now tracks server/src/codeql-development-mcp-server.ts (const VERSION) alongside all other version files. (#90)
  • MCP resource content missing at runtime in VSIX – Embedded MCP resource content at build time via an esbuild loader for VSIX compatibility. (#111)
  • CODEQL_PATH tests failing on Windows CI – Made the binary search robust and added an MSYS2 FIFO skip for windows-latest. (#115)
  • TOCTOU race condition in search_ql_code – Eliminated the filesystem race (read-then-check instead of stat-then-read); added symlink cycle detection. (#119)
  • OOM risk with large files in search_ql_code – Large files (>5 MB) are now streamed line-by-line instead of being loaded into memory. (#119)
  • Transient HTTP 503 in install-packs.sh – Added exponential backoff retry (3 attempts, 10s/20s/40s) for codeql pack install to handle GHCR.io rate limits. (#121)

Infrastructure & CI/CD

  • Added CODEQL_MCP_TMP_DIR and CODEQL_MCP_WORKSPACE_FOLDERS environment variables for workspace-local scratch directories. (#119)
  • Added query-file-finder contextual hints for missing tests, documentation, and expected results. (#119)
  • Set ENABLE_MONITORING_TOOLS=false for client integration tests to avoid CI interference. (#115)

Dependency Updates

  • Upgraded CodeQL CLI dependency to v2.24.3. (#114)
  • Upgraded NodeJS dependencies to latest available versions. (#108, #114)
  • Bumped actions/download-artifact from 7 to 8. (#94)
  • Bumped actions/upload-artifact from 6 to 7. (#93)

What's Changed (PRs)

v2.24.3-rc2

11 Mar 12:21

Pre-release

What's Changed

  • Fix release update of version-bearing files from 2.24.2-rc3 to 2.24.2 by @data-douser in #90
  • Build(deps): bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #93
  • Upgrade NodeJS dependencies to latest available versions by @data-douser in #108
  • Build(deps): bump actions/download-artifact from 7 to 8 by @dependabot[bot] in #94
  • Embed MCP resource content at build time for VSIX compatibility by @Copilot in #111
  • Support automatic discovery of codeql CLI distributions installed off-PATH by VS Code extension by @data-douser in #91
  • Upgrade CodeQL to v2.24.3 and upgrade NodeJS dependencies to latest by @data-douser in #114
  • Fix CODEQL_PATH Tests (windows-latest) CI failure by @Copilot in #115
  • [UPDATE PRIMITIVE] Rewrite static MCP resources as actionable LLM-oriented guides by @Copilot in #113
  • Fixes for extension .lock database contention and tool improvements to avoid LLM use of grep by @data-douser in #119

Full Changelog: v2.24.2...v2.24.3-rc2