From 0c11436604bd5c6757e9fde95896cf2e05b7ceab Mon Sep 17 00:00:00 2001
From: Aaron Stainback
Date: Tue, 28 Apr 2026 05:21:39 -0400
Subject: [PATCH] fix(codeql): exclude obj/ and bin/ build artifacts from CodeQL analysis (B-0073)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CodeQL was scanning .NET build artifacts under obj/ and bin/, including auto-generated xunit test entry points (`XunitAutoGeneratedEntry*.cs`). Findings on those files ask us to fix MSBuild's output, not source — wrong dependency direction.

Empirically discovered 2026-04-28 while diagnosing why all 6 LFG PRs were BLOCKED with all-green CI: two open `cs/missed-ternary-operator` alerts on `obj/Release/net10.0/XunitAutoGenerated*.cs` were among 13 total Code Scanning alerts gating the LFG `code_quality:severity=all` ruleset on every PR.

This config change drops 2 of 13 alerts via a single structural change with zero source-code risk. Composes with B-0073 (which covers the remaining 10 source alerts + 1 Scorecard meta-finding) and task #306 (the original 'Analyze (csharp) on PR' workflow-cost concern, which this helps reduce by limiting scan scope).

Verification: next CodeQL run on main should report 11 (or fewer) open alerts instead of 13.

Agency-Signature-Version: 1
Agent: otto
Agent-Runtime: claude-code
Agent-Model: claude-opus-4-7
Credential-Identity: AceHack-shared
Credential-Mode: shared-with-aaron
Human-Review: not-implied-by-credential
Human-Review-Evidence: aaron-explicit-ask
Action-Mode: autonomous-fail-open
Task: B-0073-step-1-codeql-exclude-build-artifacts
---
 .github/codeql/codeql-config.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
index bf54c670..12876372 100644
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -39,6 +39,18 @@ paths-ignore: # fix a generator, not the file. - "**/*.generated.cs" + # .NET build artifacts. The `obj/` and `bin/` trees contain + # generated test scaffolding (xunit auto-generated entry + # points: `XunitAutoGeneratedEntry*.cs`) and compiler + # intermediates that aren't authored source. CodeQL findings + # here ask us to fix MSBuild's output, not the source — + # which is the wrong dependency direction. Empirically + # discovered 2026-04-28 (B-0073): two open csharp alerts on + # `obj/Release/net10.0/XunitAutoGenerated*.cs` were gating + # the LFG `code_quality:severity=all` ruleset on every PR. + - "**/obj/**" + - "**/bin/**" + # Custom query packs — reserved for the follow-up round that # ships Zeta-specific taint / CWE rules. The formal- # verification-expert (Soraya) routes the rule authoring
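Review bot: the two added globs `- "**/obj/**"` and `- "**/bin/**"` match any directory named `obj` or `bin` at any depth, not only MSBuild output trees, so authored files kept under a `bin/` directory (helper scripts, tool wrappers, checked-in utilities) would silently drop out of the reported alert set; either confirm the repository has no such directory or anchor the patterns to the actual project output paths. Two follow-ups on the same hunk: the commit message expects this to cut the 'Analyze (csharp) on PR' cost, but `paths-ignore` narrows which files' results are reported, not what the MSBuild step compiles, so that saving should be measured rather than assumed; and the in-file comment cites only "two open csharp alerts", so naming the rule (`cs/missed-ternary-operator`, already in the commit message) next to the `B-0073` reference would make the rationale re-verifiable from the config alone.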