The previous comment implied CSRF was disabled as a temporary dev convenience. Replaced it with an explanation of why it is safe with the current Authorization-header-based auth scheme, and added a clear note on when it must be re-enabled.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>