name: openclaw-codeql-plugin-boundary-critical-quality disable-default-queries: true queries: - uses: security-and-quality query-filters: - include: problem.severity: - error - exclude: tags: - security paths: - src/plugins/activation-planner.ts - src/plugins/api-builder.ts - src/plugins/bundled-compat.ts - src/plugins/bundled-dir.ts - src/plugins/bundled-plugin-metadata.ts - src/plugins/bundled-public-surface-runtime-root.ts - src/plugins/plugin-sdk-dist-alias.ts - src/plugins/captured-registration.ts - src/plugins/config-activation-shared.ts - src/plugins/config-contracts.ts - src/plugins/config-normalization-shared.ts - src/plugins/config-policy.ts - src/plugins/config-schema.ts - src/plugins/config-state.ts - src/plugins/discovery.ts - src/plugins/effective-plugin-ids.ts - src/plugins/externalized-bundled-plugins.ts - src/plugins/installed-plugin-index*.ts - src/plugins/loader*.ts - src/plugins/manifest*.ts - src/plugins/module-export.ts - src/plugins/package-entrypoints.ts - src/plugins/plugin-registry*.ts - src/plugins/provider-contract-public-artifacts.ts - src/plugins/provider-public-artifacts.ts - src/plugins/public-surface*.ts - src/plugins/registry.ts - src/plugins/registry-types.ts - src/plugins/runtime - src/plugins/runtime-state.ts - src/plugins/runtime.ts - src/plugins/sdk-alias.ts - src/plugins/source-loader.ts - src/plugins/types.ts - src/plugins/validation-diagnostics.ts - src/plugins/web-provider-public-artifacts*.ts - src/plugin-sdk/*entry*.ts - src/plugin-sdk/*facade*.ts - src/plugin-sdk/api-baseline.ts - src/plugin-sdk/config-schema.ts - src/plugin-sdk/config-types.ts - src/plugin-sdk/core.ts - src/plugin-sdk/extension-shared.ts paths-ignore: - "**/node_modules" - "**/coverage" - "**/*.generated.ts" - "**/*.bundle.js" - "**/*-runtime.js" - "**/*.test.ts" - "**/*.test.tsx" - "**/*.e2e.test.ts" - "**/*.e2e.test.tsx" - "**/*test-support*" - "**/*test-helper*" - "**/*mock*" - "**/*fixture*" - "**/*bench*"