diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 54e53f789..200436e77 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "490e6d6dc590515135abe2f318283a0e4e8c6546", - "syncedAt": "2026-04-28T22:51:56.068Z" + "sha": "9c9dcd4d5d7cc5dc5099c3f513937294beb09882", + "syncedAt": "2026-04-28T23:19:36.497Z" } diff --git a/docs/ci.md b/docs/ci.md index d0b32917f..0729759b7 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -259,6 +259,9 @@ contracts under the separate `/codeql-critical-quality/gateway-runtime-boundary` category. The channel-runtime-boundary job scans core channel implementation contracts under the separate `/codeql-critical-quality/channel-runtime-boundary` category. The +agent-runtime-boundary job scans command execution, model/provider dispatch, +auto-reply dispatch and queues, and ACP control-plane runtime contracts under +the separate `/codeql-critical-quality/agent-runtime-boundary` category. The plugin-boundary job scans loader, registry, public-surface, and Plugin SDK entrypoint contracts under a separate `/codeql-critical-quality/plugin-boundary` category. Keep the workflow separate from security so quality findings can be