SqliteStore backend + annotation, audit, and query result cache tools

[data-douser]

Resolves #165.

Relates to:

• seclab-taskflow-integration: Multi-repo CodeQL analysis, annotation store, and query result caching #163
• Add CallGraphFromTo query for all supported languages #164
• Integration tests for annotation, audit, cache, and CallGraphFromTo tools #166
• Extended integration test playground with real CodeQL databases #167

Purpose

Replace lowdb (JSON file persistence) with sql.js (SQLite compiled to asm.js) as the unified storage backend, and introduce three new opt-in tool suites — annotation, audit, and query result cache — gated by ENABLE_ANNOTATION_TOOLS. The sql.js backend bundles inline with zero external native dependencies, eliminating the portability and corruption issues inherent to the previous JSON-file approach while enabling structured querying, full-text search, and transactional writes across all persisted state.

Additionally, extract performance-critical resolution and processing logic into dedicated modules (database-resolver, query-resolver, result-processor, codeql-version) to reduce the size of monolithic files, add in-memory caching with mtime-based invalidation, and track actual-vs-target CodeQL CLI version mismatches at startup.

Summary of Changes

Storage backend migration — New SqliteStore class (server/src/lib/sqlite-store.ts) backed by sql.js with sessions, annotations, and query_result_cache tables. SessionDataManager migrated from lowdb to SqliteStore; the lowdb dependency is removed and replaced with sql.js in server/package.json.

Annotation tools (6, opt-in) — annotation_{create,get,list,update,delete,search} for general-purpose notes and bookmarks (server/src/tools/annotation-tools.ts).

Audit tools (4, opt-in) — audit_{store_findings,list_findings,add_notes,clear_repo} for repo-keyed finding management during MRVA triage (server/src/tools/audit-tools.ts).

Query result cache tools (4, opt-in) — query_results_cache_{lookup,retrieve,clear,compare} with subset retrieval and cross-database comparison (server/src/tools/cache-tools.ts). Results are auto-cached in processQueryRunResults after SARIF interpretation.

Performance improvements (always-on) — LRU cache for extractQueryMetadata with mtime invalidation; module-level Map cache for resolveDatabasePath; deduplicated resolveQueryPath calls by passing resolved paths through the pipeline.

Refactored modules — Extracted database-resolver.ts, query-resolver.ts, result-processor.ts, and codeql-version.ts from cli-tool-registry.ts and query-results-evaluator.ts, reducing cli-tool-registry.ts by ~375 lines.

Build configuration — Updated server/esbuild.config.js to handle sql.js bundling (wasm exclusion, asm.js inlining).

Tests — 500-line sqlite-store.test.ts, plus dedicated test suites for annotation-tools (307 lines), audit-tools (287 lines), and cache-tools (354 lines). Updated session-data-manager.test.ts and monitoring-tools.test.ts for the new backend. Integration test primitives added for all 14 new tools plus an MRVA triage workflow end-to-end test. VS Code extension e2e test coverage added (mcp-tool-e2e.integration.test.ts).

Outline of Changes

Core infrastructure improvements:

• Added a new codeql-version module to track both the actual CodeQL CLI version detected at runtime and the target version from .codeql-version, with warnings logged on mismatches. This supports better diagnostics and cache key management. (server/src/lib/codeql-version.ts, server/src/lib/cli-executor.ts) [1] [2] [3] [4]
• Implemented a new database-resolver utility for resolving database paths, including support for multi-language database roots and in-memory caching to avoid redundant filesystem scans. (server/src/lib/database-resolver.ts)
• Added a query-resolver module that resolves query names and languages to file paths using the CodeQL CLI, with robust error handling and logging. (server/src/lib/query-resolver.ts)

Performance and caching:

• Introduced an LRU in-memory cache for extracted query metadata in extractQueryMetadata, keyed by file path and file modification time, to avoid unnecessary file reads and improve performance. (server/src/lib/query-results-evaluator.ts) [1] [2]
• Enhanced file reading for metadata extraction to use file descriptors and modification time checks, reducing race conditions and improving cache invalidation. (server/src/lib/query-results-evaluator.ts) [1] [2]

Server extensibility:

• Registered new tool modules for annotation, audit, and cache management in the MCP server, enabling new features for notes, bookmarks, security audit state tracking, and query results caching. (server/src/codeql-development-mcp-server.ts) [1] [2]

Build and dependency updates:

• Updated the build configuration to address issues with bundling sql.js and switched from lowdb to sql.js as a dependency for improved storage support. (server/esbuild.config.js, server/package.json) [1] [2] [3]

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 2f9969a.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

server/package.json

Package	Version	License	Issue Type
sql.js	^1.14.1	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
npm/sql.js	1.14.1	🟢 3.4	Details Check Score Reason Code-Review ⚠️ 2 Found 6/30 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 4 3 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 4 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/sql.js	^1.14.1	Unknown	Unknown

Scanned Files

• package-lock.json
• server/package.json

[Copilot]

Pull request overview

This PR migrates the server’s persistence layer from lowdb to a unified sql.js-backed SqliteStore, and introduces opt-in MCP tools for annotations, audit workflows, and query result caching while refactoring CLI-related logic into smaller modules.

Changes:

• Replace lowdb session persistence with SqliteStore (sessions + annotations + query result cache tables).
• Add new opt-in MCP tools: annotation_*, audit_*, and query_results_cache_*.
• Refactor query/database resolution and query-result processing (interpretation + auto-caching) into dedicated modules.

Reviewed changes

Copilot reviewed 18 out of 20 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
server/test/src/tools/monitoring-tools.test.ts	Updates monitoring-tool tests to account for async store initialization and new config flag.
server/test/src/lib/sqlite-store.test.ts	Adds unit tests for SqliteStore sessions, annotations, persistence, and cache behaviors.
server/test/src/lib/session-data-manager.test.ts	Updates tests to await async initialization after migrating persistence backend.
server/src/types/sql-js.d.ts	Adds minimal typings for sql.js asm.js import + core DB surface.
server/src/types/monitoring.ts	Adds enableAnnotationTools config flag (default false).
server/src/tools/cache-tools.ts	Introduces query_results_cache_* tools (lookup/retrieve/clear/compare).
server/src/tools/audit-tools.ts	Introduces audit_* tools layered on annotations.
server/src/tools/annotation-tools.ts	Introduces annotation_* tools for CRUD + search.
server/src/lib/sqlite-store.ts	Implements the new unified SQLite persistence backend + cache subset retrieval.
server/src/lib/session-data-manager.ts	Migrates session persistence from lowdb to SqliteStore; adds getStore().
server/src/lib/result-processor.ts	Extracts query result interpretation/evaluation and auto-cache pipeline.
server/src/lib/query-results-evaluator.ts	Adds query metadata caching with mtime-based invalidation.
server/src/lib/query-resolver.ts	Extracts query-path resolution via codeql resolve queries.
server/src/lib/database-resolver.ts	Extracts database-path resolution and caches results in-memory.
server/src/lib/codeql-version.ts	Adds target/actual CodeQL version tracking and mismatch warning.
server/src/lib/cli-tool-registry.ts	Integrates extracted resolvers/result processor and fixes output propagation + predicate handling.
server/src/lib/cli-executor.ts	Wires version detection into startup validation; re-exports version helpers.
server/src/codeql-development-mcp-server.ts	Registers new annotation/audit/cache tools at startup and initializes session manager.
server/package.json	Removes lowdb, adds sql.js.
package-lock.json	Updates lockfile to reflect dependency swap (remove lowdb/steno, add sql.js).

Comments suppressed due to low confidence (2)

server/src/lib/sqlite-store.ts:425

• updateAnnotation sets updated_at = datetime('now'), which produces a different string format than the ISO timestamps written in createAnnotation. This can cause incorrect ordering when sorting by updated_at. Consider updating this to use the same format as inserts.

    setClauses.push("updated_at = datetime('now')");

    const db = this.ensureDb();
    db.run(
      `UPDATE annotations SET ${setClauses.join(', ')} WHERE id = $id`,
      params as Record<string, string | number | null>,
    );

server/src/lib/session-data-manager.ts:49

• Docstring says “sql.js WASM init is async”, but this store uses the asm.js build. Please adjust the wording so it’s accurate (async init is still true, but it’s not specifically WASM).

  /**
   * Initialize the database and ensure it's properly set up.
   * Must be awaited before any session operations (sql.js WASM init is async).
   */

[Copilot]

Pull request overview

Copilot reviewed 19 out of 23 changed files in this pull request and generated 6 comments.

[Copilot]

Pull request overview

Copilot reviewed 19 out of 23 changed files in this pull request and generated 5 comments.

[data-douser]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

All changes from that review thread have been applied in commit 5e57b03:

• FD leak — extractQueryMetadata now uses try/finally with closeSync(fd) to ensure the fd is always released.
• Duplicate fs imports — merged into a single alphabetically-ordered import.
• Windows renameSync — flush now catches rename errors and falls back to writeFileSync directly on the target.
• FTS4 for annotations — full-text search replaces LIKE (see other reply).
• JSON.parse fallback — query_results_cache_retrieve wraps JSON.parse in try/catch and returns raw text when the content is not valid JSON.

[Copilot]

Pull request overview

Copilot reviewed 19 out of 23 changed files in this pull request and generated 2 comments.

[data-douser]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Applied in commit 6fbfa7e:

• annotation_search: renamed query → search, updated description to FTS semantics (token-based MATCH, * prefix matching, case-insensitive via unicode61 tokenizer).
• query_results_cache_retrieve: removed grep entirely; SARIF format now always routes through getCacheSarifSubset (with maxResults) regardless of whether resultIndices/fileFilter are provided.

[Copilot]

Pull request overview

Copilot reviewed 19 out of 23 changed files in this pull request and generated 10 comments.

Comments suppressed due to low confidence (1)

server/src/tools/annotation-tools.ts:123

• annotation_update accepts any number for id, including non-integers and negatives, but annotations.id is an integer primary key. Tighten the schema to an integer (and typically positive) to avoid confusing “not found” behavior for invalid inputs.

      id: z.number().describe('The annotation ID to update.'),
      content: z.string().optional().describe('New content (replaces existing).'),
      label: z.string().optional().describe('New label (replaces existing).'),

[Copilot]

Pull request overview

Copilot reviewed 22 out of 26 changed files in this pull request and generated 10 comments.

Comments suppressed due to low confidence (1)

server/test/src/tools/monitoring-tools.test.ts:227

• This test mocks sessionDataManager.getConfig() to set storageLocation: testStorageDir, but the singleton SessionDataManager’s underlying SqliteStore is created from its constructor config and won’t follow the mocked storage location. That makes the test directory setup/cleanup ineffective and risks cross-test pollution. Prefer stubbing sessionDataManager.getStore() to a per-test SqliteStore(testStorageDir) instance (initialized in the test), or refactor SessionDataManager.initialize() to build the store from config.

      // Mock config BEFORE initializing so the store uses the test directory
      vi.spyOn(sessionDataManager, 'getConfig').mockReturnValue({
        storageLocation: testStorageDir,
        autoTrackSessions: true,
        retentionDays: 90,

[Copilot]

Pull request overview

Copilot reviewed 72 out of 76 changed files in this pull request and generated 5 comments.

[Copilot]

Pull request overview

Copilot reviewed 72 out of 76 changed files in this pull request and generated no new comments.