From 64ccc502190aff6e296a2e05ff82037ca0fac78f Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Wed, 29 Apr 2026 20:11:19 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@c9156cd9a87a00b1099dd65b6b97b21a246f9114 --- .openclaw-sync/source.json | 4 ++-- docs/ci.md | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 8fcffb60b..24b96f4fc 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "9b6670d5c924e2889e288c028588dbfab39e855d", - "syncedAt": "2026-04-29T19:32:28.119Z" + "sha": "c9156cd9a87a00b1099dd65b6b97b21a246f9114", + "syncedAt": "2026-04-29T20:09:52.073Z" } diff --git a/docs/ci.md b/docs/ci.md index 38dae71b6..63dab5a3f 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -263,7 +263,10 @@ channel-runtime-boundary job separately scans core channel implementation contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary` category so channel security signal can scale without broadening the baseline -JS/TS category. +JS/TS category. The network-ssrf-boundary job scans core SSRF, IP parsing, +network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the +`/codeql-critical-security/network-ssrf-boundary` category so network trust +boundary signal stays separate from the broader JS/TS security baseline. The `CodeQL Android Critical Security` workflow is the scheduled Android security shard. It builds the Android app manually for CodeQL on the smallest