diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 8fcffb60b..24b96f4fc 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "9b6670d5c924e2889e288c028588dbfab39e855d", - "syncedAt": "2026-04-29T19:32:28.119Z" + "sha": "c9156cd9a87a00b1099dd65b6b97b21a246f9114", + "syncedAt": "2026-04-29T20:09:52.073Z" } diff --git a/docs/ci.md b/docs/ci.md index 38dae71b6..63dab5a3f 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -263,7 +263,10 @@ channel-runtime-boundary job separately scans core channel implementation contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary` category so channel security signal can scale without broadening the baseline -JS/TS category. +JS/TS category. The network-ssrf-boundary job scans core SSRF, IP parsing, +network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the +`/codeql-critical-security/network-ssrf-boundary` category so network trust +boundary signal stays separate from the broader JS/TS security baseline. The `CodeQL Android Critical Security` workflow is the scheduled Android security shard. It builds the Android app manually for CodeQL on the smallest