diff --git a/.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml b/.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
new file mode 100644
index 00000000000..14268aeaf85
--- /dev/null
+++ b/.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
@@ -0,0 +1,58 @@
+name: openclaw-codeql-mcp-process-tool-boundary-critical-security
+
+disable-default-queries: true
+
+queries:
+ - uses: security-extended
+
+query-filters:
+ - include:
+ precision:
+ - high
+ - very-high
+ - exclude:
+ problem.severity:
+ - recommendation
+ - warning
+
+paths:
+ - src/mcp
+ - src/process
+ - src/infra/outbound
+ - src/agents/bash-tools.exec*.ts
+ - src/agents/bash-tools.process*.ts
+ - src/agents/exec-*.ts
+ - src/agents/execution-contract.ts
+ - src/agents/openclaw-plugin-tools.ts
+ - src/agents/openclaw-tools.runtime.ts
+ - src/agents/openclaw-tools.registration.ts
+ - src/agents/pi-tool-definition-adapter.ts
+ - src/agents/pi-tools.abort.ts
+ - src/agents/pi-tools.before-tool-call*.ts
+ - src/agents/pi-tools.host-edit.ts
+ - src/agents/pi-tools-parameter-schema.ts
+ - src/agents/pi-embedded-runner/effective-tool-policy.ts
+ - src/agents/pi-embedded-runner/tool-name-allowlist.ts
+ - src/agents/pi-embedded-runner/tool-schema-runtime.ts
+ - src/agents/tools/gateway-tool.ts
+ - src/agents/tools/message-tool.ts
+ - src/agents/tools/sessions-send-tool.ts
+ - src/agents/tools/sessions-spawn-tool.ts
+ - src/agents/tools/subagents-tool.ts
+ - src/agents/tools/tool-runtime.helpers.ts
+
+paths-ignore:
+ - "**/node_modules"
+ - "**/coverage"
+ - "**/*.generated.ts"
+ - "**/*.bundle.js"
+ - "**/*-runtime.js"
+ - "**/*.test.ts"
+ - "**/*.test.tsx"
+ - "**/*.e2e.test.ts"
+ - "**/*.e2e.test.tsx"
+ - "**/*test-support*"
+ - "**/*test-helper*"
+ - "**/*mock*"
+ - "**/*fixture*"
+ - "**/*bench*"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5d53f212a91..6f9170444b3 100644
--- a/.github/workflows/codeql.yml
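Review bot: The second `query-filters` entry excludes on `problem.severity`, so any query in `security-extended` that is tagged `warning` is dropped from this shard even when its `security-severity` score is high; for a config named critical-security that trade-off should be stated in the file, e.g. `# Filters on problem.severity, not security-severity: warning-level security queries are intentionally out of scope for this shard.` The `paths-ignore` globs `"**/*mock*"`, `"**/*fixture*"` and `"**/*bench*"` match any path containing those substrings, so a non-test file under `src/mcp` or `src/process` with such a name would silently fall out of the scan; narrowing them to the test-file suffixes the project actually uses, or confirming that no production file under the listed `paths` matches, would close that gap. The `src/agents/tools/` entries are enumerated file by file, so a newly added tool file is not scanned until this list is updated, which is worth a one-line comment above `paths:`.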
+++ b/.github/workflows/codeql.yml
@@ -51,6 +51,11 @@ jobs:
 runs_on: blacksmith-4vcpu-ubuntu-2404
 timeout_minutes: 25
 config_file: ./.github/codeql/codeql-network-ssrf-boundary-critical-security.yml
+ - language: javascript-typescript
+ category: mcp-process-tool-boundary
+ runs_on: blacksmith-4vcpu-ubuntu-2404
+ timeout_minutes: 25
+ config_file: ./.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml
 - language: actions
 category: actions
 runs_on: blacksmith-8vcpu-ubuntu-2404
diff --git a/docs/ci.md b/docs/ci.md
index 63dab5a3fb8..d1e98e675d1 100644
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -267,6 +267,11 @@ JS/TS category. The network-ssrf-boundary job scans core SSRF, IP parsing, network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the `/codeql-critical-security/network-ssrf-boundary` category so network trust boundary signal stays separate from the broader JS/TS security baseline.
+The mcp-process-tool-boundary job scans MCP servers, process execution helpers,
+outbound delivery, and agent tool-execution gates under the
+`/codeql-critical-security/mcp-process-tool-boundary` category so command and
+tool boundary signal stays separate from both the general JS/TS baseline and
+the non-security MCP/process quality shard. The `CodeQL Android Critical Security` workflow is the scheduled Android security shard. It builds the Android app manually for CodeQL on the smallest