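[bandit]
# Bandit security scanning configuration.
# Scan only production code - tests are excluded.
#
# Bandit's INI loader reads the key "exclude" (comma-separated paths/globs).
# "exclude_dirs" is the spelling used by the YAML / pyproject.toml config and
# is not read from an INI [bandit] section, so with that key the exclusion
# would silently not apply and tests would be scanned.
#
# NOTE(review): entries appear to be matched as path substrings as well as
# globs, so "/tests" may also drop sibling names such as "/tests_old" or
# "/testsuite" - confirm no production package is excluded by accident.
exclude = /tests,/.venv,/__pycache__,/.pytest_cache

# B101 (assert_used) is NOT skipped. assert statements are removed when Python
# runs with optimisation (-O), so a check written as an assert can vanish in
# production. Use explicit error handling in production code:
#   Bad:  assert user.is_active
#   Good: if not user.is_active: raise ValueError("User must be active")
# Assertions are acceptable in tests (which are excluded above).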
