
Audit My App for Missing CSRF Protection

Run this periodically or after any route change; `csrf_exempt` is usually the bug. From the CSRF Protection AI Coding Building Block.

Prompt
Review my app for endpoints that change state but might be missing CSRF protection.

Here is my route list / URL config:
[paste your routes, urls.py, or route file here]

For each endpoint, tell me:
1. Does it change state (POST, PUT, PATCH, DELETE, or a state-changing GET)?
2. Does it rely on a session cookie for auth? (If yes, CSRF applies. If it is a bearer-token API only, CSRF does not apply.)
3. Is CSRF middleware covering it? Or has someone @csrf_exempt-ed it? (flag every exemption)
4. For endpoints that should be protected but are not, show me exactly what to add.

Framework: [your framework here]

I am learning, so explain each finding simply, and be blunt about anything that looks risky.
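The three questions in the prompt can also be asked mechanically. The script below is an added example, not part of the original prompt or of the CSRF Protection building block it comes from: it walks a Django views module with the standard-library `ast` module and, for every view function, records whether it changes state, whether it is session-authenticated, and whether it carries `@csrf_exempt`. The embedded views module is constructed for illustration. The decorator names it recognises (`csrf_exempt`, `login_required`, `require_POST`, `require_GET`, `require_http_methods`) are Django's real ones; it assumes `CsrfViewMiddleware` is enabled in `settings.MIDDLEWARE`, which a views file alone cannot prove, and it treats a view without `login_required` as "verify the auth scheme" rather than as safe.

```python
"""Added example: static CSRF audit of a Django views module (uses only ast)."""
import ast

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample views module, not real project code.
SAMPLE_VIEWS = '''
from django.contrib.auth.decorators import login_required
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.http import require_POST, require_http_methods

@login_required
def profile(request):
    return render(request, "profile.html")

@csrf_exempt
@login_required
@require_POST
def change_email(request):
    request.user.email = request.POST["email"]
    request.user.save()
    return redirect("profile")

@login_required
@require_http_methods(["DELETE"])
def delete_account(request, pk):
    Account.objects.filter(pk=pk).delete()
    return HttpResponse(status=204)

@csrf_exempt
@require_POST
def webhook(request):
    verify_signature(request)
    return HttpResponse("ok")
'''


def _decorator_name(node):
    """Bare name for @name, @name(...), or @module.name."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _methods_from_decorator(node):
    """HTTP methods declared by Django's require_* decorators, if any."""
    name = _decorator_name(node)
    if name == "require_POST":
        return {"POST"}
    if name == "require_GET":
        return {"GET"}
    if name == "require_http_methods" and isinstance(node, ast.Call) and node.args:
        arg = node.args[0]
        if isinstance(arg, (ast.List, ast.Tuple)):
            return {e.value for e in arg.elts if isinstance(e, ast.Constant)}
    return set()


def _body_writes(func):
    """Fallback when no method is declared: body names a write verb or request.POST."""
    for stmt in func.body:
        for node in ast.walk(stmt):
            if isinstance(node, ast.Constant) and node.value in STATE_CHANGING:
                return True
            if isinstance(node, ast.Attribute) and node.attr == "POST":
                return True
    return False


def audit_views(source):
    """Return one finding dict per top-level view function in the module source."""
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        names = {_decorator_name(d) for d in func.decorator_list}
        methods = set()
        for d in func.decorator_list:
            methods |= _methods_from_decorator(d)
        # Q1: declared methods win; otherwise use the body heuristic.
        state_changing = bool(methods & STATE_CHANGING) if methods else _body_writes(func)
        # Q2: login_required is Django's session-cookie auth; its absence proves nothing.
        session_auth = "login_required" in names
        # Q3: csrf_exempt switches CsrfViewMiddleware off for this one view.
        exempt = "csrf_exempt" in names

        if not state_changing:
            verdict, fix = "READ_ONLY", "nothing to do"
        elif exempt and session_auth:
            verdict = "RISK"
            fix = "remove @csrf_exempt (or add @csrf_protect) so the middleware checks the token"
        elif exempt:
            verdict = "EXEMPT_VERIFY_AUTH"
            fix = "confirm this view never accepts a session cookie; if it does, treat as RISK"
        elif session_auth:
            verdict, fix = "PROTECTED", "covered by CsrfViewMiddleware (assumed enabled in settings)"
        else:
            verdict, fix = "VERIFY_AUTH", "confirm the auth scheme; cookie-based auth means CSRF applies"
        findings.append({"view": func.name, "state_changing": state_changing,
                         "session_auth": session_auth, "csrf_exempt": exempt,
                         "verdict": verdict, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit_views(SAMPLE_VIEWS):
        print(f"{f['view']:<16} {f['verdict']:<20} {f['fix']}")
```

Running it prints one line per view; `change_email` is the classic case the prompt is hunting for (session-authenticated, state-changing, exempted), while `webhook` is only flagged for manual confirmation because the file does not show what authenticates it. Paste the output, rather than the raw routes, into the prompt when you want the assistant to explain the findings.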