From 208fe0e7e3e3cc1408c70bbb27e0d3b282b84037 Mon Sep 17 00:00:00 2001
From: Kelsi <kelsihates2fa@gmail.com>
Date: Thu, 19 Feb 2026 17:49:49 -0800
Subject: [PATCH] Suppress cpp/weak-cryptographic-algorithm via query-filter
 (protocol-mandated RC4)

---
 .github/codeql/codeql-config.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
index fff791d3..9695e17d 100644
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -1,8 +1,11 @@
 name: wowee-codeql-config
 
-# Warden stream crypto must remain RC4 for protocol compatibility.
-# Keep weak-crypto detection enabled project-wide, but exclude this one file
-# so CodeQL doesn't raise an unfixable compatibility alert.
-paths-ignore:
-  - src/game/warden_crypto.cpp
-  - src/game/warden_module.cpp
+# The WoW client protocol (world-socket header cipher) and Warden anti-cheat
+# module protocol both mandate RC4. There is no way to replace RC4 with a
+# stronger algorithm without breaking compatibility with all supported servers.
+# All RC4 uses in this codebase are protocol-layer obligations, not choices.
+# Exclude the weak-crypto query rather than leaving unfixable high-severity
+# alerts that mislead triage.
+query-filters:
+  - exclude:
+      id: cpp/weak-cryptographic-algorithm