v2.25.1-next.1

Pre-release
data-douser released this 30 Mar 22:27
· 18 commits to main since this release
86fe331

v2.25.1-next.1 — 2026-03-30

Highlights

  • Ready for multi-query and/or multi-repository variant analysis (aka MRVA) -- An improved sql.js backend and new MCP server primitives (i.e. prompts, resources & tools) are designed to support analysis of large codebases, MRVA results, and/or results across multiple query runs.
  • Prepped for drop-in to GitHubSecurityLab/seclab-taskflow-agent -- This next release is intended to be a drop-in replacement for the CodeQL MCP server currently bundled with GitHubSecurityLab/seclab-taskflow-agent. Additional work is required on the seclab-taskflow-agent side to complete this integration, but the codeql-development-mcp-server is fully prepped to go "Yes, and ..." on the ideas pioneered by the seclab-taskflow-agent. Where the previously bundled CodeQL MCP server provided some "tools" queries for a couple of languages, the codeql-development-mcp-server standardizes and extends the PrintAST, PrintCFG, CallGraphFrom, CallGraphTo, and CallGraphFromTo "tools" queries for all currently supported languages, including:
    • actions (only supports PrintAST and PrintCFG)
    • cpp
    • csharp
    • go
    • java
    • javascript
    • python
    • ruby
    • rust
    • swift
  • SqliteStore backend + 14 new opt-in tools — Replaced lowdb with sql.js (SQLite compiled to asm.js) as the unified storage backend. Introduced annotation (6 tools), audit (4 tools), and query result cache (4 tools) suites, gated by ENABLE_ANNOTATION_TOOLS. (#169)
  • Rust language support — Added first-class Rust support with all standard tool queries (PrintAST, PrintCFG, CallGraphFrom, CallGraphTo, CallGraphFromTo) plus a new rust_ast.md language resource, bringing the total supported languages to 10. (#195)
  • VS Code workspace folder change fix — The ql-mcp server now correctly restarts with a fresh environment when workspace folders are added or removed, fixing a bug where the server was left in a broken state. (#196)

Added

MCP Server Tools

Enabling the new MCP tools (below) requires setting the ENABLE_MONITORING_TOOLS and MONITORING_STORAGE_LOCATION env vars, like:

export ENABLE_ANNOTATION_TOOLS=true
export MONITORING_STORAGE_LOCATION=".codeql/.ql-mcp-tracking"

NOTE: A future release (e.g. v2.25.1-next.2) will ensure that these env vars are automatically set for a VSIX-installed ql-mcp server and wrapping VS Code extension. For this v2.25.1-next.1 release, the above env vars need to be set manually in the extension's settings.

| Tool | Description |
| --- | --- |
| annotation_create | Create general-purpose notes and bookmarks on any entity. (#169) |
| annotation_get | Retrieve a specific annotation by ID. (#169) |
| annotation_list | List all annotations, optionally filtered. (#169) |
| annotation_update | Update an existing annotation. (#169) |
| annotation_delete | Delete an annotation by ID. (#169) |
| annotation_search | Full-text search across annotations. (#169) |
| audit_store_findings | Store repo-keyed findings for MRVA triage workflows. (#169) |
| audit_list_findings | List audit findings for a repository. (#169) |
| audit_add_notes | Add notes to audit findings. (#169) |
| audit_clear_repo | Clear all findings for a repository. (#169) |
| query_results_cache_lookup | Look up cached query results with subset retrieval. (#169) |
| query_results_cache_retrieve | Retrieve cached query results with line range, grep, and SARIF filters. (#169) |
| query_results_cache_clear | Clear the query result cache. (#169) |
| query_results_cache_compare | Compare query results across databases. (#169) |

CodeQL Query Packs

| Pack | Description |
| --- | --- |
| Rust tool queries | PrintAST, PrintCFG, CallGraphFrom, CallGraphTo, CallGraphFromTo for Rust, using entity-based function resolution via getResolvedTarget(). (#195) |

MCP Server Resources

| URI | Description |
| --- | --- |
| codeql://languages/rust/ast | Comprehensive Rust AST class reference for CodeQL query development, with verified accessor predicates. (#195) |

Infrastructure & CI/CD

  • Added Rust to all CI/CD workflows: query-unit-tests.yml, release.yml, release-codeql.yml. (#195)
  • Added client integration tests for Rust PrintAST and CallGraphFrom. (#195)
  • Added client integration tests for all 14 new annotation/audit/cache tools and an MRVA triage workflow end-to-end test. (#169)
  • Added .prettierignore entries for *.ql, *.qll, and query documentation .md files to prevent prettier from overriding CodeQL formatting. (#195)

What's Changed

MCP Server Tools

| Tool | Change |
| --- | --- |
| codeql_query_run | Results are now auto-cached in the SqliteStore after SARIF interpretation. (#169) |
| extractQueryMetadata | LRU in-memory cache with mtime-based invalidation for improved performance. (#169) |
| resolveDatabasePath | Module-level Map cache to avoid redundant filesystem scans. (#169) |

VS Code Extension

  • McpProvider.requestRestart() now atomically invalidates the environment cache and bumps a +rN revision suffix, ensuring VS Code reliably detects version changes and restarts the server. (#196)
  • Extension version is cached once at construction time instead of reading package.json synchronously on every definition query. (#196)

Infrastructure & CI/CD

  • Extracted database-resolver.ts, query-resolver.ts, result-processor.ts, and codeql-version.ts from monolithic files, reducing cli-tool-registry.ts by ~375 lines. (#169)
  • CodeQL CLI actual-vs-target version mismatch detection at startup with logged warnings. (#169)

Fixed

  • VS Code workspace folder changes left server in broken state — fireDidChange() was called with an identical version string after folder add/remove, causing VS Code to stop but not restart the server. requestRestart() now invalidates the environment cache and uses a monotonically increasing +rN revision suffix. (#196)
  • requestRestart() did not invalidate environment cache — Callers had to manually invalidate the env cache before calling requestRestart(), which was undocumented. Now handled internally. (#196)
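
A minimal model of the restart fix described above, as an added example and not the extension's own code. ProviderModel, simulateFolderChange, the host object, the WORKSPACE_FOLDERS variable and the "0.0.0" version are hypothetical, and the host's stop-without-restart behaviour is modelled from the description in these notes.

```typescript
// Added illustration. Only requestRestart(), fireDidChange() and the +rN suffix
// come from the release notes; every other name here is hypothetical.
type Env = Record<string, string>;

class ProviderModel {
  private revision = 0;
  private envCache: Env | undefined;
  private listener: () => void = () => {};
  private baseVersion: string; // read once at construction
  private buildEnv: () => Env;
  constructor(baseVersion: string, buildEnv: () => Env) {
    this.baseVersion = baseVersion;
    this.buildEnv = buildEnv;
  }
  onDidChange(cb: () => void): void { this.listener = cb; }
  get version(): string {
    return this.revision ? `${this.baseVersion}+r${this.revision}` : this.baseVersion;
  }
  getEnv(): Env { return (this.envCache ??= this.buildEnv()); }
  // Pre-fix path: signal a change with the same version and a stale env cache.
  fireDidChange(): void { this.listener(); }
  // Fixed path: drop the cached env and bump the revision before signalling.
  requestRestart(): void {
    this.envCache = undefined;
    this.revision += 1;
    this.listener();
  }
}

function simulateFolderChange(useFix: boolean) {
  const folders = ["/ws/a"]; // constructed sample workspace
  const provider = new ProviderModel("0.0.0", () => ({ WORKSPACE_FOLDERS: folders.join(":") }));
  // Host as these notes describe it: a change event stops the server, and it
  // is started again only when the advertised version differs.
  const host = { running: false, version: "", env: {} as Env };
  const start = () => {
    host.running = true;
    host.version = provider.version;
    host.env = provider.getEnv();
  };
  provider.onDidChange(() => {
    host.running = false;
    if (provider.version !== host.version) start();
  });
  start();
  folders.push("/ws/b"); // a workspace folder is added
  if (useFix) provider.requestRestart(); else provider.fireDidChange();
  return { running: host.running, version: host.version, folders: host.env.WORKSPACE_FOLDERS };
}
```

With `useFix` false the modelled server ends up stopped on the old environment; with `useFix` true it is running under `0.0.0+r1` with the rebuilt environment.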

Dependencies

  • Replaced lowdb with sql.js (asm.js build, zero native dependencies). (#169)
  • Added codeql/rust-all: 0.2.10 as a CodeQL pack dependency for Rust tool queries. (#195)

Full Changelog: v2.25.1...v2.25.1-next.1