diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 0a7a644c1..beaecded5 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "2fa5590a93468c83d323ac3d5312276ad8bf2c46", - "syncedAt": "2026-04-29T20:43:26.780Z" + "sha": "cd6efd1a42acbdbdff90f37f96f114323e701dfa", + "syncedAt": "2026-04-29T20:50:02.103Z" } diff --git a/docs/ci.md b/docs/ci.md index 63dab5a3f..d1e98e675 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -267,6 +267,11 @@ JS/TS category. The network-ssrf-boundary job scans core SSRF, IP parsing, network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the `/codeql-critical-security/network-ssrf-boundary` category so network trust boundary signal stays separate from the broader JS/TS security baseline. +The mcp-process-tool-boundary job scans MCP servers, process execution helpers, +outbound delivery, and agent tool-execution gates under the +`/codeql-critical-security/mcp-process-tool-boundary` category so command and +tool boundary signal stays separate from both the general JS/TS baseline and +the non-security MCP/process quality shard. The `CodeQL Android Critical Security` workflow is the scheduled Android security shard. It builds the Android app manually for CodeQL on the smallest