name: "CodeQL Config"

# Suppress false positives
query-filters:
  - exclude:
      id: js/missing-token-validation
      # Justification:
      # CSRF protection IS properly implemented in backend/app.js (lines 95-122):
      #   - Session-based auth: Protected by @dr.pogodin/csurf middleware
      #   - Bearer token auth: Exempted via error handler (doesn't use cookies)
      #   - Test environment: Exempted via error handler
      #
      # CodeQL cannot recognize this hybrid pattern via static analysis,
      # but the implementation is secure and follows OWASP best practices.