From 7cdc0e2fe040c82780d2efcbe9c3b16e27021676 Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Wed, 29 Apr 2026 21:35:13 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@71ab341f460e421fde6a3653ace5a44f25acce0b --- .openclaw-sync/source.json | 4 ++-- docs/ci.md | 9 +++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 15d9a8cf0..5fc65aa2c 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "d51af16fab1633695cf964082f0c4918f4704c7f", - "syncedAt": "2026-04-29T21:29:56.187Z" + "sha": "71ab341f460e421fde6a3653ace5a44f25acce0b", + "syncedAt": "2026-04-29T21:33:45.893Z" } diff --git a/docs/ci.md b/docs/ci.md index b55136c6d..29850b106 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -258,19 +258,20 @@ or overlapping changed hunks. The `CodeQL` workflow is intentionally a narrow first-pass security scanner, not the full repository sweep. Daily and manual runs scan Actions workflow code plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and -gateway surfaces with high-precision security queries. The +gateway surfaces with high-precision security queries under the +`/codeql-critical-security/core-auth-secrets` category. The channel-runtime-boundary job separately scans core channel implementation contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary` category so channel security signal can scale without broadening the baseline -JS/TS category. The network-ssrf-boundary job scans core SSRF, IP parsing, +auth/secrets category. The network-ssrf-boundary job scans core SSRF, IP parsing, network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the `/codeql-critical-security/network-ssrf-boundary` category so network trust -boundary signal stays separate from the broader JS/TS security baseline. +boundary signal stays separate from the auth/secrets security baseline. The mcp-process-tool-boundary job scans MCP servers, process execution helpers, outbound delivery, and agent tool-execution gates under the `/codeql-critical-security/mcp-process-tool-boundary` category so command and -tool boundary signal stays separate from both the general JS/TS baseline and +tool boundary signal stays separate from both the auth/secrets baseline and the non-security MCP/process quality shard. The `CodeQL Android Critical Security` workflow is the scheduled Android