
client: 3-phase Code Scanning alert lifecycle mgmt #249

Draft
data-douser wants to merge 4 commits into next from dd/next-code-scanning-alerts/1

Conversation

@data-douser (Collaborator) commented:

Closes #246.

Summary of Changes

Add report, assess, and apply subcommands to gh-ql-mcp-client for managing Code Scanning alerts across their full lifecycle.

Phase 1 — code-scanning report:

  • Fetches alerts across all states (open, dismissed, fixed) to capture the complete alert lifecycle picture
  • Preserves dismissal metadata (reason, comment, by, at) for anti-churn
  • Groups alerts by rule with per-state counts
  • Output: <owner>_<repo>.cs-report.json

Phase 2 — code-scanning assess:

  • Detects overlapping alerts across different rules at the same file:line
  • Flags churn risk when open alerts overlap dismissed ones
  • Recommends keep / keep-dismissed / keep-fixed / review / discard
  • Output: <owner>_<repo>.cs-assess.json

Phase 3 — code-scanning apply:

  • Builds dismiss plan from assess report, executes via GitHub API
  • Supports --dry-run, --accept-all-changes, --accept-change-for-rule
  • Per-rule authorization when explicit rule filters are provided
  • Output: <owner>_<repo>.cs-apply.json

Server changes:

Outline of Changes

New Command: Assess (Phase 2)

  • Adds the assess command (code_scanning_assess.go) to analyze code scanning alerts for overlapping locations across different rules, flagging potential duplicates and churn risk, and generating an assessment report for downstream processing.
  • Implements the assessAlerts pure function to produce recommendations per alert, and buildAssessReport to summarize and serialize results.

New Command: Apply (Phase 3)

  • Adds the apply command (code_scanning_apply.go) to read a Phase 2 assessment report, plan and (optionally) apply dismissals to alerts via the GitHub API, supporting dry-run and per-rule/blanket acceptance flags.
  • Implements the buildApplyPlan pure function to translate recommendations into actionable dismissals, with fine-grained authorization controls and summary output.

Testing

  • Introduces comprehensive unit tests for both assessment and apply planning logic, covering overlap detection, recommendation preservation, authorization controls, and JSON round-tripping (code_scanning_assess_test.go, code_scanning_apply_test.go).

Add report, assess, and apply subcommands to gh-ql-mcp-client for
managing Code Scanning alerts across their full lifecycle.

Phase 1 — code-scanning report:
- Fetches alerts across all states (open, dismissed, fixed) to capture
  the complete alert lifecycle picture
- Preserves dismissal metadata (reason, comment, by, at) for anti-churn
- Groups alerts by rule with per-state counts
- Output: <owner>_<repo>.cs-report.json

Phase 2 — code-scanning assess:
- Detects overlapping alerts across different rules at the same file:line
- Flags churn risk when open alerts overlap dismissed ones
- Recommends keep / keep-dismissed / keep-fixed / review / discard
- Output: <owner>_<repo>.cs-assess.json

Phase 3 — code-scanning apply:
- Builds dismiss plan from assess report, executes via GitHub API
- Supports --dry-run, --accept-all-changes, --accept-change-for-rule
- Per-rule authorization when explicit rule filters are provided
- Output: <owner>_<repo>.cs-apply.json

Server changes:
- Extract normalizedUrisMatch() from urisMatch() for precomputed paths
  (addresses unresolved PR #236 review comment)
- Rebuild server dist with sarif-utils refactor
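The Phase 2 assess logic described above (cross-rule overlap at the same file:line, churn risk when an open alert overlaps a dismissed one, and keep / keep-dismissed / keep-fixed / review recommendations), as an added Go example that is not the PR's own code: the Alert and Assessment structs, assess, loc and sampleAlerts are names assumed here, and the "discard" recommendation is left out because the page does not say when it applies.

```go
package main

import "fmt"

// Alert carries only the fields assess needs (assumed shape, not the PR's struct).
type Alert struct {
	Number int
	Rule   string
	State  string // "open", "dismissed" or "fixed"
	Path   string
	Line   int
}

// Assessment is one recommendation per alert; loc builds the file:line key.
type Assessment struct {
	Number         int
	Recommendation string // keep / keep-dismissed / keep-fixed / review
	ChurnRisk      bool
	OverlapsWith   []int
}
func loc(a Alert) string { return fmt.Sprintf("%s:%d", a.Path, a.Line) }
// assess groups alerts by file:line and flags cross-rule overlaps; an open alert
// overlapping a dismissed one is churn risk and is sent to review, not acted on.
func assess(alerts []Alert) []Assessment {
	byLoc := map[string][]Alert{}
	for _, a := range alerts {
		byLoc[loc(a)] = append(byLoc[loc(a)], a)
	}
	out := make([]Assessment, 0, len(alerts))
	for _, a := range alerts {
		as := Assessment{Number: a.Number, Recommendation: "keep"}
		if a.State != "open" {
			as.Recommendation = "keep-" + a.State // keep-dismissed / keep-fixed
		}
		for _, o := range byLoc[loc(a)] {
			if o.Number == a.Number || o.Rule == a.Rule {
				continue // same alert or same rule: not a cross-rule overlap
			}
			as.OverlapsWith = append(as.OverlapsWith, o.Number)
			if a.State == "open" && o.State == "dismissed" {
				as.ChurnRisk, as.Recommendation = true, "review"
			}
		}
		out = append(out, as)
	}
	return out
}
// Constructed fixture: rule-a (open) and rule-b (dismissed) both fire at app.go:42.
var sampleAlerts = []Alert{{1, "rule-a", "open", "app.go", 42}, {2, "rule-b", "dismissed", "app.go", 42}}
func main() { fmt.Printf("%+v\n", assess(sampleAlerts)) }
```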
data-douser self-assigned this Apr 13, 2026
data-douser requested a review from enyil as a code owner April 13, 2026 19:23
Copilot AI review requested due to automatic review settings April 13, 2026 19:23
data-douser requested a review from a team as a code owner April 13, 2026 19:23
data-douser added the documentation (Improvements or additions to documentation), enhancement (New feature or request) and testing labels Apr 13, 2026
Copilot AI (Contributor) left a comment:
Pull request overview

Adds end-to-end “3-phase” Code Scanning alert lifecycle management to the Go CLI (gh-ql-mcp-client) and makes a small SARIF utils refactor in the server to support pre-normalized URI comparisons.

Changes:

  • Client: add code-scanning report, code-scanning assess, and code-scanning apply subcommands with JSON outputs for each phase.
  • Client: add unit tests for report grouping/serialization, overlap assessment, and apply-plan authorization behavior.
  • Server: extract normalizedUrisMatch() from urisMatch() and rebuild server/dist output.
Summary per file:

  • client/cmd/code_scanning_report.go: New Phase 1 command to fetch analyses/alerts and generate a lifecycle snapshot report (optionally downloads SARIF).
  • client/cmd/code_scanning_report_test.go: Unit tests for report summary aggregation, JSON round-tripping and dismissal metadata preservation.
  • client/cmd/code_scanning_assess.go: New Phase 2 command to detect overlap/churn risk and emit an assessment report with recommendations.
  • client/cmd/code_scanning_assess_test.go: Unit tests for overlap detection, lifecycle preservation, and assess-report summary.
  • client/cmd/code_scanning_apply.go: New Phase 3 command to translate assessment into a dismiss plan and (optionally) apply via GitHub API.
  • client/cmd/code_scanning_apply_test.go: Unit tests for apply-plan construction, authorization rules, and JSON round-tripping.
  • server/src/lib/sarif-utils.ts: Refactor to reuse URI suffix-matching logic for pre-normalized values.
  • server/dist/codeql-development-mcp-server.js: Rebuilt distribution bundle reflecting the SARIF utils refactor.
  • .gitignore: Ignore SARIF download directory and generated *.cs-*.json artifacts.

Copilot's findings

  • Files reviewed: 7/10 changed files
  • Comments generated: 6

@data-douser data-douser marked this pull request as draft April 13, 2026 21:50
Copilot AI (Contributor) left a comment:
Pull request overview

Adds Phase 1–3 Code Scanning alert lifecycle management to the Go CLI (gh-ql-mcp-client) and refactors SARIF URI matching in the server to support pre-normalized comparisons.

Changes:

  • Server: extract normalizedUrisMatch() and reuse it in diffSarifByCommits matching logic.
  • Client: add code-scanning report, code-scanning assess, and code-scanning apply subcommands (with JSON outputs).
  • Client: add unit tests for report building, assessment, and apply planning.
Summary per file:

  • server/src/lib/sarif-utils.ts: Extracts normalizedUrisMatch() and reuses it for diff-by-commits URI matching.
  • server/dist/codeql-development-mcp-server.js: Rebuilt dist output reflecting the sarif-utils refactor.
  • client/cmd/helpers_test.go: Adds strPtr test helper for pointer fields in JSON fixtures.
  • client/cmd/code_scanning_report.go: Implements Phase 1 report command (analyses + alerts snapshot; optional SARIF download).
  • client/cmd/code_scanning_report_test.go: Tests report grouping/summaries and JSON round-tripping.
  • client/cmd/code_scanning_assess.go: Implements Phase 2 assess command (overlap + churn-risk detection; recommendations).
  • client/cmd/code_scanning_assess_test.go: Tests overlap detection, recommendation preservation, and report summary.
  • client/cmd/code_scanning_apply.go: Implements Phase 3 apply command (build plan + optionally dismiss via API).
  • client/cmd/code_scanning_apply_test.go: Tests apply planning, authorization behavior, and JSON round-tripping.
  • .gitignore: Ignores SARIF download directory and generated *.cs-*.json outputs.

Copilot's findings

Comments suppressed due to low confidence (2)

client/cmd/code_scanning_apply.go:235

  • The derived default output filename is based on repo (from either --repo or the assess report). Because parseRepo currently permits / and .. in the repo component, this can create unintended nested paths or directory traversal when writing the default outPath. Consider validating/sanitizing repository components before using them to form filenames.
	// Write output
	outPath := applyFlags.output
	if outPath == "" {
		// Derive from repository name: owner_repo.cs-apply.json
		if o, r, err := parseRepo(repo); err == nil {
			outPath = fmt.Sprintf("%s_%s.cs-apply.json", o, r)
		} else {
			outPath = "cs-apply.json"
		}
	}

client/cmd/code_scanning_assess.go:257

  • The derived default output filename is based on assessReport.Repository, which ultimately comes from user-provided --repo in phase 1. Because parseRepo currently permits / and .. in the repo component, this can create unintended nested paths or directory traversal when writing the default outPath. Consider validating/sanitizing repository components before using them to form filenames.
	// Write output
	outPath := assessFlags.output
	if outPath == "" {
		// Derive from repository name: owner_repo.cs-assess.json
		repo := assessReport.Repository
		if o, r, err := parseRepo(repo); err == nil {
			outPath = fmt.Sprintf("%s_%s.cs-assess.json", o, r)
		} else {
			outPath = "cs-assess.json"
		}
	}
  • Files reviewed: 8/11 changed files
  • Comments generated: 4
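Both suppressed findings above concern deriving the default outPath from an owner/repo value that parseRepo does not constrain. As an added Go example (not the PR's parseRepo or its code), here is a strict parser and the filename derivation it protects; parseRepoStrict, repoComponent and defaultOutPath are names assumed here, and the allowed character set is an assumption for the example rather than GitHub's documented rule.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// repoComponent is an allowlist for one owner or repo name (assumed for this
// example: letters, digits, '.', '-' and '_'). Path separators never match, so a
// name that passes cannot escape the working directory; "." and ".." still
// match and are rejected separately below.
var repoComponent = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)

// parseRepoStrict splits "owner/repo" and rejects anything that could change
// where a derived filename lands: extra slashes, empty parts, "." and "..".
func parseRepoStrict(repo string) (owner, name string, err error) {
	parts := strings.Split(repo, "/")
	if len(parts) != 2 {
		return "", "", fmt.Errorf("repo %q: expected owner/repo", repo)
	}
	for _, p := range parts {
		if p == "." || p == ".." || !repoComponent.MatchString(p) {
			return "", "", fmt.Errorf("repo %q: unsafe component %q", repo, p)
		}
	}
	return parts[0], parts[1], nil
}

// defaultOutPath mirrors the PR's <owner>_<repo>.cs-<phase>.json derivation,
// but only validated components reach the filename; on any failure it falls
// back to the fixed name instead of writing wherever the input pointed.
func defaultOutPath(repo, phase string) string {
	if o, r, err := parseRepoStrict(repo); err == nil {
		return fmt.Sprintf("%s_%s.cs-%s.json", o, r, phase)
	}
	return fmt.Sprintf("cs-%s.json", phase)
}

func main() {
	// Constructed inputs: one valid repo and two that must not shape the path.
	for _, repo := range []string{"octo/hello", "octo/../../tmp/x", "a/b/c"} {
		fmt.Println(repo, "->", defaultOutPath(repo, "apply"))
	}
}
```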

Linked issue (may be closed by this pull request): Three-phase Code Scanning alert lifecycle management for ql-mcp-client

2 participants