ci: shard config codeql quality

Split config quality CodeQL results into a separate category while keeping the default quality bucket narrow.

docs/ci.md

@@ -246,13 +246,16 @@ default workflow because the macOS build dominates runtime even when clean.
 The `CodeQL Critical Quality` workflow is the matching non-security shard. It
 runs only error-severity, non-security JavaScript/TypeScript quality queries
 over narrow high-value surfaces. Its baseline job scans the same auth, secrets,
-sandbox, cron, and gateway surface as the security workflow. The plugin-boundary
-job scans loader, registry, public-surface, and Plugin SDK entrypoint contracts
-under a separate `/codeql-critical-quality/plugin-boundary` category. Keep the
-workflow separate from security so quality findings can be scheduled, measured,
-disabled, or expanded without obscuring security signal. Swift, Python, UI, and
-bundled-plugin CodeQL expansion should be added back as scoped or sharded
-follow-up work only after the narrow profiles have stable runtime and signal.
+sandbox, cron, and gateway surface as the security workflow. The config-boundary
+job scans config schema, migration, normalization, and IO contracts under the
+separate `/codeql-critical-quality/config-boundary` category. The
+plugin-boundary job scans loader, registry, public-surface, and Plugin SDK
+entrypoint contracts under a separate `/codeql-critical-quality/plugin-boundary`
+category. Keep the workflow separate from security so quality findings can be
+scheduled, measured, disabled, or expanded without obscuring security signal.
+Swift, Python, UI, and bundled-plugin CodeQL expansion should be added back as
+scoped or sharded follow-up work only after the narrow profiles have stable
+runtime and signal.
 
 The `Docs Agent` workflow is an event-driven Codex maintenance lane for keeping
 existing docs aligned with recently landed changes. It has no pure schedule: a