diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index f9dbd10f2..a1bf33eea 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "542821cd1e60e34caec7df84f8583007b5b98f63", - "syncedAt": "2026-04-29T14:31:21.958Z" + "sha": "71084140090f9ace1ab587a076d4a3d8f81ac1c8", + "syncedAt": "2026-04-29T14:40:59.313Z" } diff --git a/docs/ci.md b/docs/ci.md index 86211af77..38dae71b6 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -279,6 +279,10 @@ default workflow because the macOS build dominates runtime even when clean. The `CodeQL Critical Quality` workflow is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its +manual dispatch accepts `profile=all|plugin-sdk-package-contract`; the narrow +profile is the first teaching/iteration hook for running one quality shard in +isolation without dispatching the rest of the workflow. +Its core-auth-secrets job scans auth, secrets, sandbox, cron, and gateway security boundary code under the separate `/codeql-critical-quality/core-auth-secrets` category. The config-boundary