diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 4b4bab60b..055b5bb66 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "75ba8398f939d1793322fed78f70f06a031c36bf", - "syncedAt": "2026-04-28T10:58:36.304Z" + "sha": "e10f4931608eef4a797b3f0110944c213ff8f334", + "syncedAt": "2026-04-28T11:01:16.829Z" } diff --git a/docs/ci.md b/docs/ci.md index 7f57c3c8b..d0c05afaa 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -246,13 +246,16 @@ default workflow because the macOS build dominates runtime even when clean. The `CodeQL Critical Quality` workflow is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces. Its baseline job scans the same auth, secrets, -sandbox, cron, and gateway surface as the security workflow. The plugin-boundary -job scans loader, registry, public-surface, and Plugin SDK entrypoint contracts -under a separate `/codeql-critical-quality/plugin-boundary` category. Keep the -workflow separate from security so quality findings can be scheduled, measured, -disabled, or expanded without obscuring security signal. Swift, Python, UI, and -bundled-plugin CodeQL expansion should be added back as scoped or sharded -follow-up work only after the narrow profiles have stable runtime and signal. +sandbox, cron, and gateway surface as the security workflow. The config-boundary +job scans config schema, migration, normalization, and IO contracts under the +separate `/codeql-critical-quality/config-boundary` category. The +plugin-boundary job scans loader, registry, public-surface, and Plugin SDK +entrypoint contracts under a separate `/codeql-critical-quality/plugin-boundary` +category. Keep the workflow separate from security so quality findings can be +scheduled, measured, disabled, or expanded without obscuring security signal. +Swift, Python, UI, and bundled-plugin CodeQL expansion should be added back as +scoped or sharded follow-up work only after the narrow profiles have stable +runtime and signal. The `Docs Agent` workflow is an event-driven Codex maintenance lane for keeping existing docs aligned with recently landed changes. It has no pure schedule: a