name: "MLSysBook CodeQL config" # Paths excluded from analysis. Each entry below is code that operates on # trusted local artifacts or is vendored from upstream — out of scope for # the web-facing security analyses CodeQL applies by default. paths-ignore: # Vendored third-party widget bundle (minified output from upstream # socratiQ collaborative-widget-bridge build). Not hand-edited; alerts # here should be reported upstream, not patched in-tree. - "book/quarto/tools/scripts/socratiQ/collaborative-widget-bridge.js" - "book/quarto/tools/scripts/socratiQ/collaborative-widget-bridge.umd.cjs" # Shadow copy of socratiq client source — parallel to socratiq/js/, kept # for the shadow-DOM rendering path. Not part of the live web surface. - "socratiq/src_shadow/**" # Local audit/maintenance scripts that operate on the user's own Quarto # build output. Not web-facing; regex-based HTML strip is intentional # for speed and is safe given trusted input. - "tools/audit/**"