1 change: 1 addition & 0 deletions .prettierignore
Expand Up @@ -17,6 +17,7 @@ coverage
extensions/vscode/.vscode-test
extensions/vscode/test/fixtures/
node_modules
perf-reports/
query-results*
server/dist/
server/ql/*/tools/src/*.md
27 changes: 27 additions & 0 deletions CHANGELOG.md
Expand Up @@ -18,9 +18,23 @@ _Changes on `main` since the latest tagged release that have not yet been includ

- **Second supply-chain hardening pass for release workflows** — All release-generating workflows now opt out of every cache step, pin runners, strictly validate version inputs, and refuse mid-publish cancellation. See **Security** below for the full inventory. ([#279](https://github.com/advanced-security/codeql-development-mcp-server/pull/279))
- **First-class Rust toolchain support in CI** — `setup-codeql-environment` now installs a pinned Rust toolchain (default `1.80.0`, via a pinned `dtolnay/rust-toolchain` action with `rust-src`) for any matrix entry that includes `rust`, so the CodeQL rust extractor can expand `format!` / `println!` / `vec!` macros against the standard library on Linux runners. The `query-unit-tests.yml` workflow now passes `languages: ${{ matrix.language }}` so each matrix entry only installs its own runtime. ([#279](https://github.com/advanced-security/codeql-development-mcp-server/pull/279))
- **Diff-informed analysis & overlay database support** — New MCP primitives help developers make data-flow queries diff-informed (incremental) and build/evaluate overlay databases. A new `diff_informed_analysis_workflow` prompt and two reference resources walk through the query-side opt-in (`observeDiffInformedIncrementalMode`, `getASelectedSourceLocation`, `getASelectedSinkLocation`) and validation via `codeql test run --check-diff-informed`, while `codeql_database_create`, `codeql_database_analyze`, `codeql_query_run`, and `codeql_test_run` gained the corresponding advanced/experimental CLI parameters. ([#304](https://github.com/advanced-security/codeql-development-mcp-server/pull/304))

### Added

#### MCP Server Prompts

| Prompt | Description |
| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `diff_informed_analysis_workflow` | End-to-end workflow to make a data-flow query diff-informed, validate it with `codeql test run --check-diff-informed`, and build/evaluate overlay databases for changed files. Requires `language`; optionally accepts `queryPath` and `database`. |

#### MCP Server Resources

| Resource | Description |
| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- |
| `codeql://learning/diff-informed-analysis` | How to make data-flow queries diff-informed (incremental) and validate them locally with `--check-diff-informed`. |
| `codeql://guides/overlay-databases` | How to build and evaluate overlay databases (`overlay-base`, `overlay-changes`, `cache-cleanup=overlay`, `evaluate-as-overlay`). |

#### VS Code Extension

- **Built-in portable custom agents** — The extension now ships two `.agent.md` custom agents (`ql-mcp-ext-query-developer`, `ql-mcp-ext-workshop-author`) bundled inside the VSIX and contributed declaratively via `contributes.chatAgents`, so both agents are discoverable in VS Code Copilot Chat without any manual configuration. The `ql-mcp-ext-` prefix distinguishes extension-shipped customizations from repo-native `.github/agents/` definitions. No specific model is required — users choose their own. To add personal or team agents, set [`chat.agentFilesLocations`](https://code.visualstudio.com/docs/copilot/customization/custom-agents) to a workspace-relative path directly (VS Code rejects absolute paths there, so the extension does not write to that setting). ([#281](https://github.com/advanced-security/codeql-development-mcp-server/pull/281))
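Review bot: the Rust toolchain entry says the `dtolnay/rust-toolchain` action is "pinned" but does not say to what; since it sits directly under the "Second supply-chain hardening pass" entry that advertises runner pinning and cache opt-out, the changelog should state whether the action is pinned to a full commit SHA or only to a version tag, because a mutable tag can be moved and would not give the guarantee the hardening entry implies. A short clause such as "pinned to a full commit SHA" (if that is what the workflow does) would settle it for readers auditing the release workflows.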
Expand All @@ -30,6 +44,19 @@ _Changes on `main` since the latest tagged release that have not yet been includ

### Changed

#### MCP Server Tools

| Tool | Change |
| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `codeql_database_create` | Added overlay-database parameters `overlay-base` (build a database usable as an overlay base), `overlay-changes` (build an overlay from a JSON changes file), and `cache-cleanup` (`clear`/`trim`/`fit`/`overlay`). Added an `extractorEnv` parameter for passing extractor environment variables (keys restricted to `LGTM_`/`CODEQL_EXTRACTOR_`), e.g. `LGTM_INDEX_XML_MODE=ALL` to extract SAP UI5 XML views. |
| `codeql_database_analyze` | Added overlay-evaluation parameters `evaluate-as-overlay` and `cache-at-frontier`. Now defaults `--rerun` on when model packs are requested, so model-pack changes are not masked by a stale cached BQRS (pass `rerun: false` to opt out). |
| `codeql_query_run` | Added overlay-evaluation parameters `evaluate-as-overlay` and `cache-at-frontier`. |
| `codeql_test_run` | Added `check-diff-informed` (validate diff-informed query filtering) and `evaluate-as-overlay`. |

#### MCP Server Resources & Prompts

- **Diff-informed analysis docs now describe local diff-range injection** — The `codeql://learning/diff-informed-analysis` resource and the `diff_informed_analysis_workflow` prompt document the local mechanism used by Code Scanning: populate the `restrictAlertsTo` extensible predicate (`codeql/util`) via a data-extension pack and activate it with `--model-packs` (placing it only on `--additional-packs` resolves but does not apply it).

#### VS Code Extension

- **Workflow prompts now come exclusively from the `ql-mcp` MCP server** — Previously the extension also bundled four `.prompt.md` files (`ql-mcp-ext-tdd-basic`, `ql-mcp-ext-tdd-advanced`, `ql-mcp-ext-tools-query-workflow`, `ql-mcp-ext-workshop-creation-workflow`) as `contributes.chatPromptFiles`. Those were byte-for-byte renamed copies of prompts the MCP server already serves via `prompts/list`, which Copilot Chat surfaces as slash commands (`/ql_tdd_basic`, etc.). The duplicate `chatPromptFiles` contributions have been removed; the two shipped agents now reference an expanded set of canonical MCP slash IDs (`/ql_tdd_basic`, `/ql_tdd_advanced`, `/ql_lsp_iterative_development`, `/tools_query_workflow`, `/explain_codeql_query`, `/document_codeql_query`, `/data_extension_development`, `/workshop_creation_workflow`) so users get a richer workflow palette without the duplicate-slash-command UX. ([#281](https://github.com/advanced-security/codeql-development-mcp-server/pull/281))
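Review bot: the "Diff-informed analysis docs now describe local diff-range injection" entry is the only one in this hunk without a PR reference; the other entries cite `(#279)`, `(#281)` or `(#304)`, so add the matching link for consistency. On the `codeql_database_create` row, the `extractorEnv` key allowlist (`LGTM_`/`CODEQL_EXTRACTOR_` prefixes) is the security boundary for that parameter, so the entry should say where it is enforced and that keys outside the allowlist are rejected rather than silently dropped; the row also gives `LGTM_INDEX_XML_MODE=ALL` as an example without saying the values are passed through unchanged, which is worth one clause so users know how to reason about what the extractor will see.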
2 changes: 2 additions & 0 deletions docs/ql-mcp/resources.md
Expand Up @@ -21,6 +21,8 @@ The server exposes **11 static resources** and a set of **dynamic per-language r
| CodeQL Security Templates | `codeql://templates/security` | Security query templates for multiple languages and vulnerability classes |
| CodeQL Query Unit Testing | `codeql://guides/query-unit-testing` | Guide for creating and running unit tests for CodeQL queries |
| CodeQL Dataflow Migration | `codeql://guides/dataflow-migration-v1-to-v2` | Guide for migrating from legacy v1 dataflow API to modern v2 module-based API |
| CodeQL Diff-Informed Analysis | `codeql://learning/diff-informed-analysis` | Make data-flow queries diff-informed and validate with `--check-diff-informed` |
| CodeQL Overlay Databases | `codeql://guides/overlay-databases` | Build and evaluate overlay databases for incremental analysis |

## Language-Specific Resources

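Review bot: the hunk header's context line still says the server exposes **11 static resources**, and this hunk adds two rows to the table without touching that line; either the count was already stale or it now needs to be bumped, so update the intro sentence (or confirm the 11 already included these two). The two new rows also switch from the table's "Guide for ..." phrasing to imperative descriptions ("Make data-flow queries ...", "Build and evaluate ..."); align them with the surrounding rows, for example "Guide for making data-flow queries diff-informed and validating them with `--check-diff-informed`".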