- Remove global py/path-injection exclusion from CodeQL config
- Add lgtm[py/path-injection] inline comment to specific line
- Keeps CodeQL active for rest of codebase
Enhanced CodeQL configuration documentation to address code review feedback:
- Document the specific security controls in place
- Explain why query-filters is used instead of inline suppressions
- Note that this is the only intentional user-controlled path in codebase
- Reference codebase audit verification
This addresses AI reviewer concern about query exclusion being "too broad"
by clearly documenting that this is a deliberate, security-reviewed decision
for a core feature with proper safeguards.
The local file indexing feature in rag_routes.py intentionally allows
users to index their own filesystem with proper system directory
protection. This is a core feature requirement, not a vulnerability.
Using query-filters instead of paths-ignore to properly exclude this
specific security alert while maintaining scanning on the rest of the file.
- Add CodeQL config to exclude py/path-injection for rag_routes.py
- This is intentional behavior - users index their own filesystem
- System directories are validated and blocked after construction
- Update workflow to use config file
- Add CodeQL configuration to exclude file_write_verifier.py from clear-text storage alerts
- This is a security-verified utility that only writes after authorization checks
- Update CodeQL workflow to use the configuration file
