From c57e3e7a504e33ddec1ee6e574b91ba64f08ba4b Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Tue, 28 Apr 2026 19:49:23 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@3ae69498e2f168e0e4f4de90608d13d9548a570f --- .openclaw-sync/source.json | 4 ++-- docs/ci.md | 7 ++++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 0323c4a94..4978637d8 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "0f3a9d812b40cbc8e545abcb80a1f12a93946cf6", - "syncedAt": "2026-04-28T19:41:23.616Z" + "sha": "3ae69498e2f168e0e4f4de90608d13d9548a570f", + "syncedAt": "2026-04-28T19:47:49.528Z" } diff --git a/docs/ci.md b/docs/ci.md index 1b99c4d21..d0b32917f 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -230,7 +230,12 @@ or overlapping changed hunks. The `CodeQL` workflow is intentionally a narrow first-pass security scanner, not the full repository sweep. Daily and manual runs scan Actions workflow code plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and -gateway surfaces with high-precision security queries. +gateway surfaces with high-precision security queries. The +channel-runtime-boundary job separately scans core channel implementation +contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and +audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary` +category so channel security signal can scale without broadening the baseline +JS/TS category. The `CodeQL Android Critical Security` workflow is the scheduled Android security shard. It builds the Android app manually for CodeQL on the smallest