From cdf77cd972980c51bdbc996aea03308e2e60d920 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Tue, 26 May 2026 22:45:02 +0100
Subject: [PATCH] ci: include session tools in critical codeql scans
---
 .../codeql-mcp-process-tool-boundary-critical-security.yml | 1 +
 .github/workflows/codeql-critical-quality.yml | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml b/.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
index eab6f460181..0c536000df0 100644
--- a/.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
+++ b/.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
@@ -29,6 +29,7 @@ paths:
 - src/agents/agent-tools.before-tool-call*.ts
 - src/agents/agent-tools.read.ts
 - src/agents/agent-tools-parameter-schema.ts
+ - src/agents/sessions/tools/**
 - src/agents/embedded-agent-runner/effective-tool-policy.ts
 - src/agents/embedded-agent-runner/tool-name-allowlist.ts
 - src/agents/embedded-agent-runner/tool-schema-runtime.ts
diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml
index e2568c77ad5..a618da2feae 100644
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
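Review bot: In the `paths:` hunk of codeql-mcp-process-tool-boundary-critical-security.yml, the added `src/agents/sessions/tools/**` entry has a counterpart in a separate list, the `case` routing in `.github/workflows/codeql-critical-quality.yml` that this commit also edits, and nothing in the config says the two must move together. A later edit to only one of them could silently drop the directory from the critical scan. A comment above the entry would record the dependency, e.g. `# Routed by the mcp_process case arm in .github/workflows/codeql-critical-quality.yml; update both together.` The link between `mcp_process` and this config is inferred from the names, so confirm it before wording the comment. The `paths:` list continues outside the hunk.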
@@ -222,6 +222,10 @@ jobs:
 network_runtime=true
 session_diagnostics=true
 ;;
+ src/agents/sessions/tools/*)
+ agent=true
+ mcp_process=true
+ ;;
 src/acp/control-plane/*|src/agents/cli-runner/*|src/agents/command/*|src/agents/embedded-agent-runner/*|src/agents/tools/*|src/agents/*completion*.ts|src/agents/*transport*.ts|src/agents/model-*.ts|src/agents/openclaw-tools*.ts|src/agents/provider-*.ts|src/agents/session*.ts|src/agents/tool-call*.ts|src/auto-reply/reply/agent-runner*.ts|src/auto-reply/reply/commands*.ts|src/auto-reply/reply/directive-handling*.ts|src/auto-reply/reply/dispatch-*.ts|src/auto-reply/reply/get-reply-run*.ts|src/auto-reply/reply/provider-dispatcher*.ts|src/auto-reply/reply/queue*.ts|src/auto-reply/reply/reply-run-registry*.ts|src/auto-reply/reply/session*.ts)
 agent=true
 ;;
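Review bot: The new `src/agents/sessions/tools/*)` arm only works because of where it sits: `case` runs the first matching arm, and `*` in a case pattern also matches `/`, so `src/agents/session*.ts` in the arm directly below matches these files too and would set only `agent=true`. The committed order is right, but it is undocumented, and any arm above the hunk whose pattern already matches session-tool paths would shadow this one and leave `mcp_process` unset, which presumably skips the tool-boundary scan for those changes. Add a comment on the arm, e.g. `# Keep above the generic agent arm: src/agents/session*.ts also matches these paths.`, and check the arms above line 222 for an earlier match. The `case` statement starts and ends outside the hunk.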