From 1278f0bcc0041caa002da9aefd4a8b6ddf29c413 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Mon, 27 Apr 2026 23:04:16 -0700
Subject: [PATCH] fix(codeql): tune Android pinning profile

Remove noisy missing-certificate-pinning query from the critical Android CodeQL profile; gateway TLS uses custom certificate fingerprint pinning.
---
 .github/codeql/codeql-android-critical-security.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/codeql/codeql-android-critical-security.yml b/.github/codeql/codeql-android-critical-security.yml
index 30b1f7b5e03..00a1430dcb2 100644
--- a/.github/codeql/codeql-android-critical-security.yml
+++ b/.github/codeql/codeql-android-critical-security.yml
@@ -9,6 +9,10 @@ query-filters:
   # Android canvas intentionally runs trusted A2UI JavaScript; keep this profile focused on exploitable WebView edges.
   - exclude:
       id: java/android/websettings-javascript-enabled
+  # Gateway TLS already pins verified certificate SHA-256 fingerprints. OkHttp CertificatePinner pins SPKI hashes,
+  # so this query is noisy for OpenClaw's TOFU/local-gateway trust model and does not belong in the critical profile.
+  - exclude:
+      id: java/android/missing-certificate-pinning
 
 paths:
   - apps/android/app/src/main
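Review bot: The added `- exclude:` entry for `java/android/missing-certificate-pinning` applies to every HTTPS client under `apps/android/app/src/main`, while the comment above it justifies the exclusion only for the gateway connection, so any non-gateway OkHttp or HttpsURLConnection use in the app would silently lose the pinning check. The comment should name the implementation it relies on so the exclusion can be re-audited later, e.g. `# Fingerprint pinning lives in <PATH_TO_GATEWAY_TLS_CLIENT>; revisit this exclusion if a non-gateway HTTPS client is added.`. If a non-critical Android profile exists alongside this one (the commit message implies a tiered setup, but this hunk does not show it), keeping the query enabled there would preserve the signal without blocking the critical gate. The claim that the query is noisy because it only recognizes SPKI-hash pinning is plausible but not verified by anything in this diff, so wording it as an observed finding rather than a fact would be safer.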