























@@ -258,19 +258,20 @@ or overlapping changed hunks.
258258The `CodeQL` workflow is intentionally a narrow first-pass security scanner,
259259not the full repository sweep. Daily and manual runs scan Actions workflow code
260260plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and
261-gateway surfaces with high-precision security queries. The
261+gateway surfaces with high-precision security queries under the
262+`/codeql-critical-security/core-auth-secrets` category. The
262263channel-runtime-boundary job separately scans core channel implementation
263264contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and
264265audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary`
265266category so channel security signal can scale without broadening the baseline
266-JS/TS category. The network-ssrf-boundary job scans core SSRF, IP parsing,
267+auth/secrets category. The network-ssrf-boundary job scans core SSRF, IP parsing,
267268network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the
268269`/codeql-critical-security/network-ssrf-boundary` category so network trust
269-boundary signal stays separate from the broader JS/TS security baseline.
270+boundary signal stays separate from the auth/secrets security baseline.
270271The mcp-process-tool-boundary job scans MCP servers, process execution helpers,
271272outbound delivery, and agent tool-execution gates under the
272273`/codeql-critical-security/mcp-process-tool-boundary` category so command and
273-tool boundary signal stays separate from both the general JS/TS baseline and
274+tool boundary signal stays separate from both the auth/secrets baseline and
274275the non-security MCP/process quality shard.
275276276277The `CodeQL Android Critical Security` workflow is the scheduled Android
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。