diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 4c0ae5164..f32e8da2b 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "fac116cfa42682bf20636c1e165b513e19ca5240", - "syncedAt": "2026-04-28T09:19:13.832Z" + "sha": "5820a48fcaca5a94aa6a20a87fc5f273b2208030", + "syncedAt": "2026-04-28T09:31:41.559Z" } diff --git a/docs/ci.md b/docs/ci.md index 1f5fa9448..edde7c58a 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -240,12 +240,14 @@ under the `/codeql-critical-security/android` category. The `CodeQL Critical Quality` workflow is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries -over the same narrow auth, secrets, sandbox, cron, and gateway surface. Keep it -separate from the security workflow so quality findings can be scheduled, -measured, disabled, or expanded without obscuring security signal. Swift, -Python, UI, and bundled-plugin CodeQL expansion should be added back as scoped -or sharded follow-up work only after the narrow profiles have stable runtime and -signal. +over narrow high-value surfaces. Its baseline job scans the same auth, secrets, +sandbox, cron, and gateway surface as the security workflow. The plugin-boundary +job scans loader, registry, public-surface, and Plugin SDK entrypoint contracts +under a separate `/codeql-critical-quality/plugin-boundary` category. Keep the +workflow separate from security so quality findings can be scheduled, measured, +disabled, or expanded without obscuring security signal. Swift, Python, UI, and +bundled-plugin CodeQL expansion should be added back as scoped or sharded +follow-up work only after the narrow profiles have stable runtime and signal. The `Docs Agent` workflow is an event-driven Codex maintenance lane for keeping existing docs aligned with recently landed changes. It has no pure schedule: a