From 5820a48fcaca5a94aa6a20a87fc5f273b2208030 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Tue, 28 Apr 2026 02:30:33 -0700
Subject: [PATCH] ci: add plugin boundary codeql quality shard (#73447)
---
 ...odeql-plugin-boundary-critical-quality.yml | 76 +++++++++++++++++++
 .github/workflows/codeql-critical-quality.yml | 21 +++++
 docs/ci.md | 14 ++--
 3 files changed, 105 insertions(+), 6 deletions(-)
 create mode 100644 .github/codeql/codeql-plugin-boundary-critical-quality.yml
diff --git a/.github/codeql/codeql-plugin-boundary-critical-quality.yml b/.github/codeql/codeql-plugin-boundary-critical-quality.yml
new file mode 100644
index 00000000000..0c97da8f67f
--- /dev/null
+++ b/.github/codeql/codeql-plugin-boundary-critical-quality.yml
@@ -0,0 +1,76 @@
+name: openclaw-codeql-plugin-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+ - uses: security-and-quality
+
+query-filters:
+ - include:
+ problem.severity:
+ - error
+ - exclude:
+ tags:
+ - security
+
+paths:
+ - src/plugins/activation-planner.ts
+ - src/plugins/api-builder.ts
+ - src/plugins/bundled-compat.ts
+ - src/plugins/bundled-dir.ts
+ - src/plugins/bundled-plugin-metadata.ts
+ - src/plugins/bundled-public-surface-runtime-root.ts
+ - src/plugins/bundled-runtime-deps.ts
+ - src/plugins/bundled-runtime-root.ts
+ - src/plugins/captured-registration.ts
+ - src/plugins/config-activation-shared.ts
+ - src/plugins/config-contracts.ts
+ - src/plugins/config-normalization-shared.ts
+ - src/plugins/config-policy.ts
+ - src/plugins/config-schema.ts
+ - src/plugins/config-state.ts
+ - src/plugins/discovery.ts
+ - src/plugins/effective-plugin-ids.ts
+ - src/plugins/externalized-bundled-plugins.ts
+ - src/plugins/installed-plugin-index*.ts
+ - src/plugins/loader*.ts
+ - src/plugins/manifest*.ts
+ - src/plugins/module-export.ts
+ - src/plugins/package-entrypoints.ts
+ - src/plugins/plugin-registry*.ts
+ - src/plugins/provider-contract-public-artifacts.ts
+ - src/plugins/provider-public-artifacts.ts
+ - src/plugins/public-surface*.ts
+ - src/plugins/registry.ts
+ - src/plugins/registry-types.ts
+ - src/plugins/runtime
+ - src/plugins/runtime-state.ts
+ - src/plugins/runtime.ts
+ - src/plugins/sdk-alias.ts
+ - src/plugins/source-loader.ts
+ - src/plugins/types.ts
+ - src/plugins/validation-diagnostics.ts
+ - src/plugins/web-provider-public-artifacts*.ts
+ - src/plugin-sdk/*entry*.ts
+ - src/plugin-sdk/*facade*.ts
+ - src/plugin-sdk/api-baseline.ts
+ - src/plugin-sdk/config-schema.ts
+ - src/plugin-sdk/config-types.ts
+ - src/plugin-sdk/core.ts
+ - src/plugin-sdk/extension-shared.ts
+
+paths-ignore:
+ - "**/node_modules"
+ - "**/coverage"
+ - "**/*.generated.ts"
+ - "**/*.bundle.js"
+ - "**/*-runtime.js"
+ - "**/*.test.ts"
+ - "**/*.test.tsx"
+ - "**/*.e2e.test.ts"
+ - "**/*.e2e.test.tsx"
+ - "**/*test-support*"
+ - "**/*test-helper*"
+ - "**/*mock*"
+ - "**/*fixture*"
+ - "**/*bench*"
diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml
index a7a2e3aeca2..d11e3b33cb8 100644
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -38,3 +38,24 @@ jobs:
 uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
 category: "/codeql-critical-quality/javascript-typescript"
+
+ plugin-boundary:
+ name: Critical Quality (plugin-boundary)
+ runs-on: blacksmith-8vcpu-ubuntu-2404
+ timeout-minutes: 25
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ submodules: false
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ with:
+ languages: javascript-typescript
+ config-file: ./.github/codeql/codeql-plugin-boundary-critical-quality.yml
+
+ - name: Analyze
+ uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ with:
+ category: "/codeql-critical-quality/plugin-boundary"
diff --git a/docs/ci.md b/docs/ci.md
index 1f5fa94488b..edde7c58a7d 100644
--- a/docs/ci.md
+++ b/docs/ci.md
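Review bot: The new config carries no header comment, so nothing in the file tells a reader what the 44-entry `paths` allow-list is scoped to or which workflow job consumes it; I would open the file with `# Quality-only CodeQL shard for the plugin boundary: loader, registry, public-surface and Plugin SDK entrypoint contracts.` followed by `# Consumed by the plugin-boundary job in .github/workflows/codeql-critical-quality.yml; keep the path list in sync with docs/ci.md.` The `query-filters` block deserves a one-line comment too, because its result depends on order: the error-severity include runs first and the `security` tag exclude is applied after it, leaving error-severity non-security queries, which is what docs/ci.md claims. Single-star entries such as `src/plugins/loader*.ts` also match `loader.test.ts`; that is harmless only because, as I understand CodeQL's path filtering, `paths-ignore` is applied after `paths`, so the `**/*.test.ts` ignore should say in a comment that the allow-list relies on it.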
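Review bot: The new `plugin-boundary` job declares no `permissions:` block, and none is visible at workflow level in this hunk (the top of the file is outside it); `codeql-action/analyze` needs `security-events: write`, and the checkout needs `contents: read`, to upload results, so unless the existing job inherits these from a workflow-level block this job will fail at upload. If they are not inherited, add `permissions:` / `contents: read` / `security-events: write` under the job, which also records the least-privilege token the shard needs. Relatedly, if the workflow's `on:` block filters by `paths:` tuned to the baseline auth/secrets/sandbox surface, `src/plugins/**` and `src/plugin-sdk/**` need adding there or this shard will not run on the plugin changes it is meant to cover. The checkout/init/analyze sequence is now duplicated between the two jobs with only `config-file` and `category` differing; a small `strategy.matrix` over those two values would keep the pinned action SHAs in one place.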
@@ -240,12 +240,14 @@ under the `/codeql-critical-security/android` category.
 
 The `CodeQL Critical Quality` workflow is the matching non-security shard.
 It runs only error-severity, non-security JavaScript/TypeScript quality queries
-over the same narrow auth, secrets, sandbox, cron, and gateway surface. Keep it
-separate from the security workflow so quality findings can be scheduled,
-measured, disabled, or expanded without obscuring security signal. Swift,
-Python, UI, and bundled-plugin CodeQL expansion should be added back as scoped
-or sharded follow-up work only after the narrow profiles have stable runtime and
-signal.
+over narrow high-value surfaces. Its baseline job scans the same auth, secrets,
+sandbox, cron, and gateway surface as the security workflow. The plugin-boundary
+job scans loader, registry, public-surface, and Plugin SDK entrypoint contracts
+under a separate `/codeql-critical-quality/plugin-boundary` category. Keep the
+workflow separate from security so quality findings can be scheduled, measured,
+disabled, or expanded without obscuring security signal. Swift, Python, UI, and
+bundled-plugin CodeQL expansion should be added back as scoped or sharded
+follow-up work only after the narrow profiles have stable runtime and signal.
 
 The `Docs Agent` workflow is an event-driven Codex maintenance lane for keeping
 existing docs aligned with recently landed changes. It has no pure schedule: a