From 6a3310bbdab062cffebf9875d80c976fb6c284dc Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Wed, 29 Apr 2026 00:18:30 -0700
Subject: [PATCH] chore(ci): add memory CodeQL quality shard

Adds a narrow CodeQL Critical Quality shard for the memory host/runtime boundary.
---
 ...mory-runtime-boundary-critical-quality.yml | 41 +++++++++++++++++++
 .github/workflows/codeql-critical-quality.yml | 21 ++++++++++
 docs/ci.md | 4 ++
 3 files changed, 66 insertions(+)
 create mode 100644 .github/codeql/codeql-memory-runtime-boundary-critical-quality.yml

diff --git a/.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml b/.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml
new file mode 100644
index 00000000000..3d4f0ec3703
--- /dev/null
+++ b/.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml
@@ -0,0 +1,41 @@
+name: openclaw-codeql-memory-runtime-boundary-critical-quality
+
+disable-default-queries: true
+
+queries:
+ - uses: security-and-quality
+
+query-filters:
+ - include:
+ problem.severity:
+ - error
+ - exclude:
+ tags:
+ - security
+
+paths:
+ - packages/memory-host-sdk/src
+ - src/memory
+ - src/memory-host-sdk
+ - src/plugin-sdk/memory-*.ts
+ - src/plugin-sdk/memory-core-host-*.ts
+ - src/plugins/memory-*.ts
+ - src/gateway/server-startup-memory.ts
+ - src/commands/doctor-memory-search.ts
+ - src/commands/doctor-cron-dreaming-payload-migration.ts
+
+paths-ignore:
+ - "**/node_modules"
+ - "**/coverage"
+ - "**/*.generated.ts"
+ - "**/*.bundle.js"
+ - "**/*-runtime.js"
+ - "**/*.test.ts"
+ - "**/*.test.tsx"
+ - "**/*.e2e.test.ts"
+ - "**/*.e2e.test.tsx"
+ - "**/*test-support*"
+ - "**/*test-helper*"
+ - "**/*mock*"
+ - "**/*fixture*"
+ - "**/*bench*"
diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml
index 36ad5bb868a..db248da26b2 100644
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
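Review bot: The `paths-ignore` wildcards `**/*mock*`, `**/*fixture*` and `**/*bench*` match those substrings anywhere in a path, not only in test-support files, so a production module under the listed `paths` whose name happens to contain one of them would be silently dropped from this shard with no signal in the scan output. Narrowing these to the suffixes or directories the repository actually uses for test support, or documenting that the over-match is accepted, would make the shard's real coverage explicit. The file also gives no reason for excluding `security`-tagged queries from a `security-and-quality` suite, which a future reader may take for an oversight; a header such as `# Quality-only shard: keeps error-severity findings from security-and-quality and deliberately drops security-tagged queries (see the CodeQL security workflow)` would record the intent, with the referenced workflow name filled in from the repository.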
@@ -144,6 +144,27 @@ jobs:
 with:
 category: "/codeql-critical-quality/mcp-process-runtime-boundary"
 
+ memory-runtime-boundary:
+ name: Critical Quality (memory-runtime-boundary)
+ runs-on: blacksmith-4vcpu-ubuntu-2404
+ timeout-minutes: 25
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ submodules: false
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ with:
+ languages: javascript-typescript
+ config-file: ./.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml
+
+ - name: Analyze
+ uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ with:
+ category: "/codeql-critical-quality/memory-runtime-boundary"
+
 ui-control-plane:
 name: Critical Quality (ui-control-plane)
 runs-on: blacksmith-4vcpu-ubuntu-2404
diff --git a/docs/ci.md b/docs/ci.md
index 5b3a688cc41..acacc7e6680 100644
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -288,6 +288,10 @@ the separate `/codeql-critical-quality/agent-runtime-boundary` category. The
 mcp-process-runtime-boundary job scans MCP servers and tool bridges,
 process supervision helpers, and outbound delivery contracts under the
 separate `/codeql-critical-quality/mcp-process-runtime-boundary` category. The
+memory-runtime-boundary job scans the memory host SDK, memory runtime facades,
+memory Plugin SDK aliases, memory runtime activation glue, and memory doctor
+commands under the separate `/codeql-critical-quality/memory-runtime-boundary`
+category. The
 ui-control-plane job scans Control UI bootstrap, local persistence,
 gateway control flows, and task control-plane runtime contracts under the
 separate `/codeql-critical-quality/ui-control-plane` category. The
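Review bot: The new `memory-runtime-boundary` job declares no `permissions:` block, so the `GITHUB_TOKEN` it receives is whatever the workflow-level `permissions` (outside this hunk) or the repository default grants; the Analyze step needs `security-events: write` to upload results and Checkout needs `contents: read`, so it is worth confirming those are set at the top of the workflow rather than inherited from a broad default token. The job otherwise mirrors the neighbouring shards visible at the hunk edges, differing only in the `config-file` and `category` values, which suggests the shards could be a single job with a `strategy.matrix` over the shard name so a new shard is one matrix entry rather than twenty copied lines. The `jobs:` mapping this hunk extends begins and ends outside the hunk.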