





















@@ -246,13 +246,16 @@ default workflow because the macOS build dominates runtime even when clean.
246246The `CodeQL Critical Quality` workflow is the matching non-security shard. It
247247runs only error-severity, non-security JavaScript/TypeScript quality queries
248248over narrow high-value surfaces. Its baseline job scans the same auth, secrets,
249-sandbox, cron, and gateway surface as the security workflow. The plugin-boundary
250-job scans loader, registry, public-surface, and Plugin SDK entrypoint contracts
251-under a separate `/codeql-critical-quality/plugin-boundary` category. Keep the
252-workflow separate from security so quality findings can be scheduled, measured,
253-disabled, or expanded without obscuring security signal. Swift, Python, UI, and
254-bundled-plugin CodeQL expansion should be added back as scoped or sharded
255-follow-up work only after the narrow profiles have stable runtime and signal.
249+sandbox, cron, and gateway surface as the security workflow. The config-boundary
250+job scans config schema, migration, normalization, and IO contracts under the
251+separate `/codeql-critical-quality/config-boundary` category. The
252+plugin-boundary job scans loader, registry, public-surface, and Plugin SDK
253+entrypoint contracts under a separate `/codeql-critical-quality/plugin-boundary`
254+category. Keep the workflow separate from security so quality findings can be
255+scheduled, measured, disabled, or expanded without obscuring security signal.
256+Swift, Python, UI, and bundled-plugin CodeQL expansion should be added back as
257+scoped or sharded follow-up work only after the narrow profiles have stable
258+runtime and signal.
256259257260The `Docs Agent` workflow is an event-driven Codex maintenance lane for keeping
258261existing docs aligned with recently landed changes. It has no pure schedule: a
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。