diff --git a/.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml b/.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml
index 5d0df4bec02..1f8aeb2b754 100644
--- a/.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml
+++ b/.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml
@@ -18,6 +18,7 @@ paths:
   - src/agents/command
   - src/agents/cli-runner
   - src/agents/embedded-agent-runner
+  - src/agents/sessions
   - src/agents/tools
   - src/agents/*completion*.ts
   - src/agents/*transport*.ts
diff --git a/.github/codeql/codeql-core-auth-secrets-critical-quality.yml b/.github/codeql/codeql-core-auth-secrets-critical-quality.yml
index 90bf66d2db1..9aeeb51607a 100644
--- a/.github/codeql/codeql-core-auth-secrets-critical-quality.yml
+++ b/.github/codeql/codeql-core-auth-secrets-critical-quality.yml
@@ -22,6 +22,8 @@ paths:
   - src/agents/sandbox
   - src/agents/sandbox.ts
   - src/agents/sandbox-*.ts
+  - src/agents/sessions/*auth*.ts
+  - src/agents/sessions/**/*auth*.ts
   - src/cron/service/jobs.ts
   - src/cron/stagger.ts
   - src/gateway/*auth*.ts
diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml
index 36121a74282..ffb769e8fdf 100644
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -72,6 +72,7 @@ on:
       - "src/agents/cli-runner/**"
       - "src/agents/command/**"
       - "src/agents/embedded-agent-runner/**"
+      - "src/agents/sessions/**"
       - "src/agents/sessions/tools/**"
       - "src/agents/tools/**"
       - "src/agents/*completion*.ts"
@@ -227,7 +228,11 @@ jobs:
                   agent=true
                   mcp_process=true
                   ;;
-                src/acp/control-plane/*|src/agents/cli-runner/*|src/agents/command/*|src/agents/embedded-agent-runner/*|src/agents/tools/*|src/agents/*completion*.ts|src/agents/*transport*.ts|src/agents/model-*.ts|src/agents/openclaw-tools*.ts|src/agents/provider-*.ts|src/agents/session*.ts|src/agents/tool-call*.ts|src/auto-reply/reply/agent-runner*.ts|src/auto-reply/reply/commands*.ts|src/auto-reply/reply/directive-handling*.ts|src/auto-reply/reply/dispatch-*.ts|src/auto-reply/reply/get-reply-run*.ts|src/auto-reply/reply/provider-dispatcher*.ts|src/auto-reply/reply/queue*.ts|src/auto-reply/reply/reply-run-registry*.ts|src/auto-reply/reply/session*.ts)
+                src/agents/sessions/*auth*.ts|src/agents/sessions/**/*auth*.ts)
+                  agent=true
+                  core_auth_secrets=true
+                  ;;
+                src/acp/control-plane/*|src/agents/cli-runner/*|src/agents/command/*|src/agents/embedded-agent-runner/*|src/agents/sessions/*|src/agents/tools/*|src/agents/*completion*.ts|src/agents/*transport*.ts|src/agents/model-*.ts|src/agents/openclaw-tools*.ts|src/agents/provider-*.ts|src/agents/session*.ts|src/agents/tool-call*.ts|src/auto-reply/reply/agent-runner*.ts|src/auto-reply/reply/commands*.ts|src/auto-reply/reply/directive-handling*.ts|src/auto-reply/reply/dispatch-*.ts|src/auto-reply/reply/get-reply-run*.ts|src/auto-reply/reply/provider-dispatcher*.ts|src/auto-reply/reply/queue*.ts|src/auto-reply/reply/reply-run-registry*.ts|src/auto-reply/reply/session*.ts)
                   agent=true
                   ;;
                 src/auto-reply/reply/post-compaction-context.ts|src/auto-reply/reply/queue/*|src/auto-reply/reply/startup-context.ts|src/commands/doctor-session-*.ts|src/commands/session-store-targets.ts|src/commands/sessions*.ts|src/infra/diagnostic-*.ts|src/infra/diagnostics-timeline.ts|src/infra/session-delivery-queue*.ts|src/logging/diagnostic*.ts)