diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml
index f3e9f710bb4..2c70f4e2be9 100644
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -74,6 +74,7 @@ jobs:
 mcp_process: ${{ steps.detect.outputs.mcp_process }}
 plugin: ${{ steps.detect.outputs.plugin }}
 plugin_sdk_package: ${{ steps.detect.outputs.plugin_sdk_package }}
+ plugin_sdk_reply: ${{ steps.detect.outputs.plugin_sdk_reply }}
 provider: ${{ steps.detect.outputs.provider }}
 session_diagnostics: ${{ steps.detect.outputs.session_diagnostics }}
 steps:
@@ -92,6 +93,7 @@ jobs:
 mcp_process=false
 plugin=false
 plugin_sdk_package=false
+ plugin_sdk_reply=false
 provider=false
 session_diagnostics=false
@@ -101,6 +103,7 @@ jobs:
 mcp_process=true
 plugin=true
 plugin_sdk_package=true
+ plugin_sdk_reply=true
 provider=true
 session_diagnostics=true
 else
@@ -112,6 +115,7 @@ jobs:
 mcp_process=true
 plugin=true
 plugin_sdk_package=true
+ plugin_sdk_reply=true
 provider=true
 session_diagnostics=true
 ;;
@@ -131,6 +135,11 @@ jobs:
 src/infra/outbound/*|src/mcp/*|src/process/*)
 mcp_process=true
 ;;
+ src/plugin-sdk/inbound-envelope.ts|src/plugin-sdk/inbound-reply-dispatch.ts|src/plugin-sdk/reply-*.ts|src/plugin-sdk/channel-reply-*.ts|src/plugin-sdk/delivery-queue-runtime.ts|src/plugin-sdk/outbound-runtime.ts|src/plugin-sdk/outbound-send-deps.ts|src/plugin-sdk/model-session-runtime.ts|src/plugin-sdk/session-*.ts|src/plugin-sdk/thread-bindings-runtime.ts|src/plugin-sdk/thread-bindings-session-runtime.ts|src/plugin-sdk/conversation-binding-runtime.ts)
+ plugin=true
+ plugin_sdk_package=true
+ plugin_sdk_reply=true
+ ;;
 src/plugin-sdk/*)
 plugin=true
 plugin_sdk_package=true
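Review bot: The explicit file list in the new `case` arm (hunk -131,6 +135,11) has nothing tying it to the file set the `plugin-sdk-reply-runtime` CodeQL profile actually scans, so a reply-runtime file added later under a name outside these patterns would fall through to `src/plugin-sdk/*)` and the pull request would skip the reply shard without any signal. A comment above the arm would make the coupling visible, for example `# Keep in sync with the plugin-sdk-reply-runtime CodeQL config paths; unmatched files fall through to src/plugin-sdk/* below.` The profile's config is not part of this diff, so whether the two lists agree today is worth confirming. The arm only takes effect because it sits ahead of `src/plugin-sdk/*)`, which the same comment could state; the enclosing `case` statement starts and ends outside the hunk.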
@@ -158,6 +167,7 @@ jobs:
 echo "mcp_process=${mcp_process}"
 echo "plugin=${plugin}"
 echo "plugin_sdk_package=${plugin_sdk_package}"
+ echo "plugin_sdk_reply=${plugin_sdk_reply}"
 echo "provider=${provider}"
 echo "session_diagnostics=${session_diagnostics}"
 } >> "${GITHUB_OUTPUT}"
@@ -344,7 +354,8 @@ jobs:
 plugin-sdk-reply-runtime:
 name: Critical Quality (plugin-sdk-reply-runtime)
- if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-reply-runtime') }}
+ needs: quality-shards
+ if: ${{ needs.quality-shards.outputs.plugin_sdk_reply == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-reply-runtime') }}
 runs-on: blacksmith-4vcpu-ubuntu-2404
 timeout-minutes: 25
 steps:
diff --git a/docs/ci.md b/docs/ci.md
index 474b95bda51..355af424ba0 100644
--- a/docs/ci.md
+++ b/docs/ci.md
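Review bot: With `needs: quality-shards` added in hunk -344,7 +354,8, the `plugin-sdk-reply-runtime` job now depends on the detection job for scheduled and manual runs as well as pull requests: if `quality-shards` is skipped or fails on those events, or its detect step leaves `plugin_sdk_reply` unset, this shard is skipped silently and the scheduled scan loses that coverage. The non-PR branch of the detect step appears to set the flag to `true` (hunk -101,6 +103,7), but the `quality-shards` job's own `if` is outside this diff, so that is worth confirming. Separately, the `github.event_name == 'pull_request' ||` disjunct in the last clause is redundant, because a pull request event already satisfies `github.event_name != 'workflow_dispatch'`; the clause can read `(github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-reply-runtime')`.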
@@ -335,7 +335,7 @@ The pull request guard stays light: it only starts for changes under `.github/ac
 ### Critical Quality categories
-`CodeQL Critical Quality` is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its pull request guard is intentionally smaller than the scheduled profile: non-draft PRs only run the matching `channel-runtime-boundary`, `gateway-runtime-boundary`, `mcp-process-runtime-boundary`, `provider-runtime-boundary`, `session-diagnostics-boundary`, `plugin-boundary`, and `plugin-sdk-package-contract` shards for channel runtime, gateway protocol/server-method, MCP/process/outbound delivery, provider runtime/model catalog, session diagnostics/delivery queues, plugin loader, Plugin SDK, or package-contract changes. CodeQL config and quality workflow changes run all seven PR quality shards.
+`CodeQL Critical Quality` is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its pull request guard is intentionally smaller than the scheduled profile: non-draft PRs only run the matching `channel-runtime-boundary`, `gateway-runtime-boundary`, `mcp-process-runtime-boundary`, `provider-runtime-boundary`, `session-diagnostics-boundary`, `plugin-boundary`, `plugin-sdk-package-contract`, and `plugin-sdk-reply-runtime` shards for channel runtime, gateway protocol/server-method, MCP/process/outbound delivery, provider runtime/model catalog, session diagnostics/delivery queues, plugin loader, Plugin SDK/package-contract, or Plugin SDK reply runtime changes. CodeQL config and quality workflow changes run all eight PR quality shards.
 Manual dispatch accepts: