diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index daa60406f..e4c237b2d 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "bd1d1f0f2bb243857908220b8f2fb25b09f58ad8", - "syncedAt": "2026-04-29T05:53:12.038Z" + "sha": "6186ed2c074be70928ca4351ca6fc2fb87e8a142", + "syncedAt": "2026-04-29T05:53:57.968Z" } diff --git a/docs/ci.md b/docs/ci.md index 66727c2f0..6ac911b7e 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -272,8 +272,9 @@ default workflow because the macOS build dominates runtime even when clean. The `CodeQL Critical Quality` workflow is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its -baseline job scans the same auth, secrets, sandbox, cron, and gateway surface -as the security workflow. The config-boundary +core-auth-secrets job scans auth, secrets, sandbox, cron, and gateway security +boundary code under the separate `/codeql-critical-quality/core-auth-secrets` +category. The config-boundary job scans config schema, migration, normalization, and IO contracts under the separate `/codeql-critical-quality/config-boundary` category. The gateway-runtime-boundary job scans gateway protocol schemas and server method