Yes, currently ACOs are always resources. Folders will be ACOs also. Maybe we will introduce more ACOs in the future (reports, files, etc.).
Long story short, the resource, from the perspective of the user who does not have access to the folder, will not be seen as being in a folder. They will be able to move it into one of their own folders. The people who have access will be able to see the folder and the resource in it. It works similarly to Google Docs (with some differences in how we will handle the numerous edge cases). This is why this feature is taking a lot of time for us to develop.
The CSRF token is to prevent an attacker from sending the user from a third-party domain to passbolt and performing an unwanted action. It’s not needed for the login, because the user is not authenticated at that time, so there is no “unwanted action” with meaningful consequences that an attacker can perform.
Yes, it’s the session. It’s not mentioned in the doc but it should be. We expect the client to behave like a web browser and manage the session / cookies itself, but it should be more explicit, I agree.
You can do a GET /auth/logout.
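The reasoning in the reply above (a CSRF token only matters once there is an authenticated session to abuse, and the login endpoint is therefore exempt) can be shown with a small server-side check. The following is an added illustration, not passbolt's code: the session store, the `/auth/login` and `/auth/logout` paths used here, and the `X-CSRF-Token` header name are assumptions chosen for the example. A cross-site request from a third-party domain carries the session cookie (the browser attaches it) but cannot read or send the session-bound token, so it is rejected, while a same-origin request that includes the token is allowed.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}.
SESSIONS = {}

# Methods that must never change state, so they need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Endpoints reachable before authentication (hypothetical paths for this example).
UNAUTHENTICATED_PATHS = {"/auth/login"}
LOGOUT_PATH = "/auth/logout"
CSRF_HEADER = "X-CSRF-Token"  # assumed header name, not passbolt's


def login(user):
    """Create a session for `user`; return (session_id, csrf_token).

    The CSRF token is bound to the session, so a third-party origin that can
    make the browser send the cookie still cannot produce the token.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid, SESSIONS[sid]["csrf"]


def authorize(method, path, cookies, headers):
    """Decide whether a request may proceed. Returns (allowed, reason)."""
    # Login: no session exists yet, so there is no authenticated action to forge.
    if path in UNAUTHENTICATED_PATHS:
        return True, "unauthenticated endpoint, no session to abuse"

    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return False, "no valid session"

    if method in SAFE_METHODS:
        return True, "safe method, read-only"

    # State-changing request on an authenticated session: require the token.
    presented = headers.get(CSRF_HEADER, "")
    if not hmac.compare_digest(presented, session["csrf"]):
        return False, "missing or mismatched CSRF token"
    return True, "authenticated request with valid CSRF token"


def logout(cookies):
    """Terminate the session named by the cookie; return True if one existed."""
    return SESSIONS.pop(cookies.get("session", ""), None) is not None


def demo():
    """Walk through the cases the reply describes; returns the decisions."""
    sid, token = login("alice")
    cookie = {"session": sid}
    results = {
        # Browser-initiated login from anywhere: allowed, nothing to forge.
        "login": authorize("POST", "/auth/login", {}, {})[0],
        # Forged POST from a third-party page: cookie present, token absent.
        "cross_site_post": authorize("POST", "/resources", cookie, {})[0],
        # Same-origin POST from the real client: cookie and token present.
        "legit_post": authorize("POST", "/resources", cookie, {CSRF_HEADER: token})[0],
        # Read-only request: allowed on the session alone.
        "get": authorize("GET", "/resources", cookie, {})[0],
        # Logout is a plain GET in the reply; the session ends afterwards.
        "logout": logout(cookie),
        "after_logout": authorize("GET", "/resources", cookie, {})[0],
    }
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:16} -> {'allowed' if allowed else 'denied'}")
```

Note that `logout` here is a GET only because the reply says so; the check in `authorize` treats GET as safe, which is exactly why a logout that changes state on GET is a known trade-off (an attacker-induced logout is an annoyance rather than a data-changing action).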