diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 271683b38..a9617481f 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "0be8d127d670e0b3fc635e1190f5f40272418ddf", - "syncedAt": "2026-04-29T13:24:06.229Z" + "sha": "dda765c445846cf6ee479203d7a3de04cb37e4d9", + "syncedAt": "2026-04-29T13:34:20.914Z" } diff --git a/docs/ci.md b/docs/ci.md index 4ce43092a..86211af77 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -307,7 +307,10 @@ understanding, image-generation, and media-generation runtime contracts under the separate `/codeql-critical-quality/web-media-runtime-boundary` category. The plugin-boundary job scans loader, registry, public-surface, and Plugin SDK entrypoint contracts under a separate `/codeql-critical-quality/plugin-boundary` -category. Keep the workflow separate from security so quality findings can be +category. The plugin-sdk-package-contract job scans the published package-side +Plugin SDK source and plugin package contract helpers under the separate +`/codeql-critical-quality/plugin-sdk-package-contract` category. Keep the +workflow separate from security so quality findings can be scheduled, measured, disabled, or expanded without obscuring security signal. Swift, Python, and bundled-plugin CodeQL expansion should be added back as scoped or sharded follow-up work only after the narrow profiles have stable