chore(ci): add MCP process CodeQL shard

Adds the focused MCP/process/tool-execution CodeQL security shard and documents it in CI docs.

Proof:
- Branch CodeQL security run https://github.com/openclaw/openclaw/actions/runs/25132942030 passed on 9d8ca2bae7.
- New mcp-process-tool-boundary analysis 1200250367 returned 0 results.
- Branch open CodeQL alerts: none.
- Workflow Sanity, Blacksmith Testbox, Blacksmith Build Artifacts Testbox, and OpenGrep PR Diff passed.

docs/ci.md

@@ -267,6 +267,11 @@ JS/TS category. The network-ssrf-boundary job scans core SSRF, IP parsing,
 network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the
 `/codeql-critical-security/network-ssrf-boundary` category so network trust
 boundary signal stays separate from the broader JS/TS security baseline.
+The mcp-process-tool-boundary job scans MCP servers, process execution helpers,
+outbound delivery, and agent tool-execution gates under the
+`/codeql-critical-security/mcp-process-tool-boundary` category so command and
+tool boundary signal stays separate from both the general JS/TS baseline and
+the non-security MCP/process quality shard.
 
 The `CodeQL Android Critical Security` workflow is the scheduled Android
 security shard. It builds the Android app manually for CodeQL on the smallest