From 1a18e1719ced8e382182a793aaee7e39ceb79772 Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Wed, 29 Apr 2026 20:51:43 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@cd6efd1a42acbdbdff90f37f96f114323e701dfa --- .openclaw-sync/source.json | 4 ++-- docs/ci.md | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 0a7a644c1..beaecded5 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "2fa5590a93468c83d323ac3d5312276ad8bf2c46", - "syncedAt": "2026-04-29T20:43:26.780Z" + "sha": "cd6efd1a42acbdbdff90f37f96f114323e701dfa", + "syncedAt": "2026-04-29T20:50:02.103Z" } diff --git a/docs/ci.md b/docs/ci.md index 63dab5a3f..d1e98e675 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -267,6 +267,11 @@ JS/TS category. The network-ssrf-boundary job scans core SSRF, IP parsing, network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the `/codeql-critical-security/network-ssrf-boundary` category so network trust boundary signal stays separate from the broader JS/TS security baseline. +The mcp-process-tool-boundary job scans MCP servers, process execution helpers, +outbound delivery, and agent tool-execution gates under the +`/codeql-critical-security/mcp-process-tool-boundary` category so command and +tool boundary signal stays separate from both the general JS/TS baseline and +the non-security MCP/process quality shard. The `CodeQL Android Critical Security` workflow is the scheduled Android security shard. It builds the Android app manually for CodeQL on the smallest