
feat(taskflows): adopt codeql_ql_mcp toolbox and add ql-mcp guidance to JS/TS audit & triage flows#78

Draft
data-douser wants to merge 2 commits into GitHubSecurityLab:main from data-douser:dd/codeql-development-mcp-server/1

Conversation

@data-douser

Summary

Companion to PR GitHubSecurityLab/seclab-taskflow-agent#224 for agent-side codeql_ql_mcp toolbox and ql-mcp server backend integration.

Switches the JS/TS audit and triage taskflows (and the shared web-app-security personality) over to the new codeql_ql_mcp toolbox, and adds inline prompt guidance directing the agent to use the CodeQL Development MCP server (list_codeql_databases, register_database, read_database_source, and the bundled PrintAST.ql / PrintCFG.ql / CallGraphTo.ql / CallGraphFrom.ql tools queries) for authoritative AST / call-graph / source inspection, falling back to gh_file_viewer only when no local database is available.

Summary of Changes

  • personalities/web_application_security_expert.yaml: codeql → codeql_ql_mcp.
  • taskflows/audit/js_ts_endpoint_access_checks.yaml: codeql → codeql_ql_mcp; add ql-mcp guidance for route-handler call graphs and middleware/decorator AST inspection.
  • taskflows/alert_triage_examples/triage_taskflows/triage_js_ts_client_side_xss.yaml: add codeql_ql_mcp toolbox; instruct local AST inspection at the alert location.
  • taskflows/alert_triage_examples/triage_taskflows/triage_js_ts_path_injection.yaml: codeql → codeql_ql_mcp; instruct AST inspection plus optional CallGraphTo.ql to confirm route-handler reachability.
  • taskflows/alert_triage_examples/triage_common/reachability_analysis.yaml: add codeql_ql_mcp; instruct iterative CallGraphTo.ql / CallGraphFrom.ql walks from the alert location to a remote entry point.

Outline of Changes

Tooling and Infrastructure Updates:

  • Replaced all uses of seclab_taskflow_agent.toolboxes.codeql with seclab_taskflow_agent.toolboxes.codeql_ql_mcp across all relevant taskflows and toolboxes, ensuring use of the MCP server for more reliable CodeQL queries.

Taskflow Guidance Improvements:

  • Updated analysis instructions in reachability and triage taskflows to require use of the CodeQL MCP server for call graph and AST queries (CallGraphTo.ql, CallGraphFrom.ql, PrintAST.ql, PrintCFG.ql), and to fall back to text-based viewers only when databases are unavailable.

  • Enhanced the audit taskflow for JS/TS endpoint access checks to prefer the local CodeQL MCP server for database access, and to use specific CodeQL queries for enumerating callers and inspecting middleware chains.

Repository Selection Improvements:

  • Added a repo global to relevant triage taskflows (triage_js_ts_client_side_xss.yaml and triage_js_ts_path_injection.yaml) and updated the repo list creation logic to use this variable, making it easier to specify the target repository via command-line arguments.

These changes collectively make the analysis more robust and configurable, and ensure that all taskflows leverage the most accurate and up-to-date CodeQL analysis capabilities.

Switch the personalities and triage/audit taskflows that used the
legacy per-language `codeql` toolbox to the new `codeql_ql_mcp`
toolbox (fronting `codeql-development-mcp-server`). One MCP backend
covers all CodeQL-supported languages and exposes the bundled
tools queries (PrintAST, CallGraph*) and `read_database_source`
directly to the agents — so the prompts can ask for authoritative
AST / call-graph / source-from-database answers instead of
approximating from text search via `gh_file_viewer`.
Copilot AI review requested due to automatic review settings April 21, 2026 13:07

Copilot AI left a comment


Pull request overview

This PR updates the JS/TS audit and alert-triage taskflows (plus the shared web-app-security personality) to use the new codeql_ql_mcp toolbox and adds prompt guidance to prefer the CodeQL Development MCP server for authoritative AST/source/call-graph inspection.

Changes:

  • Replace seclab_taskflow_agent.toolboxes.codeql with seclab_taskflow_agent.toolboxes.codeql_ql_mcp across relevant taskflows/personality.
  • Add inline guidance to use MCP server tools/queries (e.g., list_codeql_databases, register_database, PrintAST.ql, CallGraphTo.ql, CallGraphFrom.ql) with gh_file_viewer as fallback.
  • Make two JS/TS triage taskflows accept a CLI-provided globals.repo and use it when constructing the repo list.
Summary per file:

  • src/seclab_taskflows/personalities/web_application_security_expert.yaml: Switch personality toolbox from legacy CodeQL to codeql_ql_mcp.
  • src/seclab_taskflows/taskflows/audit/js_ts_endpoint_access_checks.yaml: Prefer MCP DB discovery/registration and add AST/call-graph guidance for endpoint auditing.
  • src/seclab_taskflows/taskflows/alert_triage_examples/triage_taskflows/triage_js_ts_client_side_xss.yaml: Add codeql_ql_mcp toolbox and MCP-based local AST inspection guidance; add globals.repo usage for repo list.
  • src/seclab_taskflows/taskflows/alert_triage_examples/triage_taskflows/triage_js_ts_path_injection.yaml: Switch to codeql_ql_mcp and add MCP AST guidance; add globals.repo usage for repo list.
  • src/seclab_taskflows/taskflows/alert_triage_examples/triage_common/reachability_analysis.yaml: Add codeql_ql_mcp toolbox and guidance for iterative call-graph analysis via MCP queries.

Copilot's findings


  • Files reviewed: 5/5 changed files
  • Comments generated: 2

Comment on lines 12 to +25
@@ -18,7 +22,7 @@ taskflow:
name: create repo list
description: create repo list to fetch alerts from.
run: |
echo '[ {"repo": ""}]'
echo '[ {"repo": "{{ globals.repo }}"}]'
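Review bot: the replacement echo line interpolates `{{ globals.repo }}` verbatim into a JSON string that itself sits inside a single-quoted shell string, so nothing constrains what ends up in the repo list: a value containing `"`, `'`, a backslash or a newline corrupts the JSON or the shell quoting, and an unset global no longer yields the `""` the removed line emitted. Suggest validating the global against an owner/name pattern (which also excludes those characters) before echoing, and giving `repo` an explicit empty-string default so the unset case still produces `[ {"repo": ""}]`.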

Copilot AI Apr 21, 2026


globals.repo is declared without a value, which makes it YAML null. When interpolated into the JSON repo list ("{{ globals.repo }}"), many templaters render null as the string "None"/"null" rather than an empty string, which would break fetch_code_scanning_alerts and contradict the comment claiming an empty default. Set repo to an explicit empty string default (or apply a template default filter) so the generated repo list is valid when --global repo=... isn’t provided.

Comment on lines 11 to +23
@@ -15,7 +20,7 @@ taskflow:
name: create repo list
description: create repo list to fetch alerts from.
run: |
echo '[ {"repo": ""}]'
echo '[ {"repo": "{{ globals.repo }}"}]'
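Review bot: this hunk duplicates the repo-list construction from the other triage taskflow line for line, including the unvalidated interpolation of `{{ globals.repo }}` into the JSON string and the loss of the explicit `""` default; keeping two copies means any fix to quoting or defaults has to land twice. Suggest moving the "create repo list" step into the shared triage_common directory that reachability_analysis.yaml already lives in, and updating the description line (still "create repo list to fetch alerts from.") to state that the repo comes from `--global repo=...` and what happens when it is not supplied.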

Copilot AI Apr 21, 2026


globals.repo is currently YAML null (no value provided). Because it is embedded inside a JSON string in the repo list, this can render as "None"/"null" instead of "" and lead to API calls against an invalid repo name. Use an explicit empty-string default for repo (or a template default filter) to match the documented behavior.

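Both review comments above flag the same construction: a templated global interpolated straight into a JSON string inside a shell echo, with a null global possibly rendering as "None" or "null". The POSIX sh helper below is an added example, not code from this PR or from the seclab-taskflow-agent project; it assumes the rendered value is passed as its first argument (so the `run:` step would call `make_repo_list "{{ globals.repo }}"`) and that an unset global may arrive as an empty string, the word None or the word null. It keeps the original empty-string default, rejects anything that is not an owner/name slug (which also rules out the quote, backslash and newline characters that would break the JSON or the shell quoting), and only then emits the list.

```shell
#!/bin/sh
# Added example (not part of the PR): build the repo-list JSON defensively so a
# missing or malformed globals.repo cannot produce an invalid or misquoted entry.
# Assumption: the templated value is passed as the first argument, e.g.
#   make_repo_list "{{ globals.repo }}"
# and a null global may render as "", "None" or "null" depending on the templater.

# Returns 0 when $1 looks like an owner/name GitHub repository slug.
is_valid_repo_slug() {
    case "$1" in
        */*/*) return 1 ;;                  # more than one slash
        *[!A-Za-z0-9._/-]*) return 1 ;;     # any character outside the allowed set
        /*|*/|'') return 1 ;;               # empty, or leading/trailing slash
        */*) return 0 ;;                    # exactly one slash: owner/name
        *) return 1 ;;                      # no slash at all
    esac
}

# Normalise the rendered value: treat the templater's null spellings (and an
# unrendered template) as unset, so they fall back to the documented default.
normalise_repo() {
    case "$1" in
        ''|None|null|'{{ globals.repo }}') printf '' ;;
        *) printf '%s' "$1" ;;
    esac
}

# Emit the JSON repo list. Unset -> the original empty-string default; a
# malformed value -> non-zero exit instead of an API call against a bogus name.
make_repo_list() {
    repo=$(normalise_repo "$1")
    if [ -z "$repo" ]; then
        printf '[ {"repo": ""}]\n'
        return 0
    fi
    if ! is_valid_repo_slug "$repo"; then
        printf 'create repo list: invalid repo value: %s\n' "$repo" >&2
        return 2
    fi
    # Safe to embed: the slug check excludes quotes, backslashes and newlines.
    printf '[ {"repo": "%s"}]\n' "$repo"
}
```

Rejecting rather than escaping is deliberate: a repository slug has a narrow grammar, so anything outside it is a configuration error worth surfacing before fetch_code_scanning_alerts runs, not a value to be smuggled through with escaping.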
2 participants