chore: add CodeQL config to suppress rate-limit false positives

Rate limiting IS implemented via @fastify/rate-limit plugin:
- Global: 100 req/min (index.ts)
- Auth routes: 5-10 req/min via config.rateLimit option

CodeQL doesn't recognize Fastify's plugin-based rate limiting pattern.

.github/codeql/codeql-config.yml

@@ -0,0 +1,16 @@
+name: "MedAssist CodeQL Config"
+
+# Paths to ignore in CodeQL analysis
+paths-ignore:
+  - "**/node_modules/**"
+  - "**/dist/**"
+  - "**/*.test.ts"
+
+# Query filters to suppress false positives
+# The rate limiting alerts are false positives because we use @fastify/rate-limit plugin
+# which CodeQL doesn't recognize. The plugin is registered globally in index.ts
+# and route-specific limits are applied via config.rateLimit option.
+query-filters:
+  - exclude:
+      id: js/missing-rate-limiting
+      # We use @fastify/rate-limit which CodeQL doesn't detect

backend/src/routes/auth.ts

@@ -24,6 +24,10 @@ const ARGON2_OPTIONS: argon2.Options = {
 // Rate Limiting Configuration for Auth Routes
 // =============================================================================
 // Stricter rate limits for authentication endpoints to prevent brute-force attacks
+// Note: Rate limiting is implemented via @fastify/rate-limit plugin registered in index.ts
+// and route-specific limits are applied via the 'config.rateLimit' option below.
+// CodeQL may not recognize this pattern - see: https://github.com/github/codeql/issues
+// lgtm[js/missing-rate-limiting]
 const authRateLimitConfig = {
   max: 10,                     // 10 requests
   timeWindow: "1 minute",      // per minute
@@ -33,6 +37,7 @@ const authRateLimitConfig = {
   }),
 };
 
+// lgtm[js/missing-rate-limiting]
 const sensitiveRateLimitConfig = {
   max: 5,                      // 5 requests  
   timeWindow: "15 minutes",    // per 15 minutes (for login/register)