name: openclaw-codeql-agent-runtime-boundary-critical-quality

disable-default-queries: true

queries:
  - uses: security-and-quality

query-filters:
  - include:
      problem.severity:
        - error
  - exclude:
      tags:
        - security

paths:
  - src/acp/control-plane
  - src/agents/command
  - src/agents/cli-runner
  - src/agents/pi-embedded-runner
  - src/agents/tools
  - src/agents/*completion*.ts
  - src/agents/*transport*.ts
  - src/agents/model-*.ts
  - src/agents/openclaw-tools*.ts
  - src/agents/provider-*.ts
  - src/agents/session*.ts
  - src/agents/tool-call*.ts
  - src/auto-reply/reply/agent-runner*.ts
  - src/auto-reply/reply/commands*.ts
  - src/auto-reply/reply/directive-handling*.ts
  - src/auto-reply/reply/dispatch-*.ts
  - src/auto-reply/reply/get-reply-run*.ts
  - src/auto-reply/reply/provider-dispatcher*.ts
  - src/auto-reply/reply/queue*.ts
  - src/auto-reply/reply/reply-run-registry*.ts
  - src/auto-reply/reply/session*.ts

paths-ignore:
  - "**/node_modules"
  - "**/coverage"
  - "**/*.generated.ts"
  - "**/*.bundle.js"
  - "**/*-runtime.js"
  - "**/*.test.ts"
  - "**/*.test.tsx"
  - "**/*.e2e.test.ts"
  - "**/*.e2e.test.tsx"
  - "**/*test-support*"
  - "**/*test-helper*"
  - "**/*mock*"
  - "**/*fixture*"
  - "**/*bench*"