diff --git a/.github/codeql/codeql-javascript-typescript-critical-quality.yml b/.github/codeql/codeql-core-auth-secrets-critical-quality.yml
similarity index 94%
rename from .github/codeql/codeql-javascript-typescript-critical-quality.yml
rename to .github/codeql/codeql-core-auth-secrets-critical-quality.yml
index cf17351a745..90bf66d2db1 100644
--- a/.github/codeql/codeql-javascript-typescript-critical-quality.yml
+++ b/.github/codeql/codeql-core-auth-secrets-critical-quality.yml
@@ -1,4 +1,4 @@
-name: openclaw-codeql-javascript-typescript-critical-quality
+name: openclaw-codeql-core-auth-secrets-critical-quality
 
 disable-default-queries: true
 
diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml
index 6b5bd1dec23..23234b3c413 100644
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -18,8 +18,8 @@ permissions:
   security-events: write
 
 jobs:
-  javascript-typescript:
-    name: Critical Quality (javascript-typescript)
+  core-auth-secrets:
+    name: Critical Quality (core-auth-secrets)
     runs-on: blacksmith-4vcpu-ubuntu-2404
     timeout-minutes: 25
     steps:
@@ -32,12 +32,12 @@ jobs:
         uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-javascript-typescript-critical-quality.yml
+          config-file: ./.github/codeql/codeql-core-auth-secrets-critical-quality.yml
       - name: Analyze
         uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
-          category: "/codeql-critical-quality/javascript-typescript"
+          category: "/codeql-critical-quality/core-auth-secrets"
 
   config-boundary:
     name: Critical Quality (config-boundary)
diff --git a/docs/ci.md b/docs/ci.md
index 66727c2f045..6ac911b7e1a 100644
--- a/docs/ci.md
+++ b/docs/ci.md
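Review bot: The `category` change from `"/codeql-critical-quality/javascript-typescript"` to `"/codeql-critical-quality/core-auth-secrets"` in the Analyze step starts a fresh code-scanning configuration; alerts that were uploaded under the old category are not re-keyed to the new one and, as far as I know, remain open as a stale configuration until it is deleted from the repository's code scanning tool-status page. The PR description should say who removes the old configuration after merge so the old alert set is not double-counted next to the new one, and the same check applies if any required-status-check rule still names `Critical Quality (javascript-typescript)` from the job rename in the earlier hunk. The `languages: javascript-typescript` line is unchanged, so the new job id now describes the scanned surface rather than the language; a one-line comment above `core-auth-secrets:` such as `# JS/TS quality queries scoped to the auth, secrets, sandbox, cron and gateway surface (see config-file below)` would make that intent obvious to the next reader.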
@@ -272,8 +272,9 @@ default workflow because the macOS build dominates runtime even when clean. The `CodeQL Critical Quality` workflow is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its
-baseline job scans the same auth, secrets, sandbox, cron, and gateway surface
-as the security workflow. The config-boundary
+core-auth-secrets job scans auth, secrets, sandbox, cron, and gateway security
+boundary code under the separate `/codeql-critical-quality/core-auth-secrets`
+category. The config-boundary job scans config schema, migration, normalization, and IO contracts under the separate `/codeql-critical-quality/config-boundary` category. The gateway-runtime-boundary job scans gateway protocol schemas and server method