fix(codeql): tune Android pinning profile

Remove noisy missing-certificate-pinning query from the critical Android CodeQL profile; gateway TLS uses custom certificate fingerprint pinning.

.github/codeql/codeql-android-critical-security.yml

@@ -9,6 +9,10 @@ query-filters:
   # Android canvas intentionally runs trusted A2UI JavaScript; keep this profile focused on exploitable WebView edges.
   - exclude:
       id: java/android/websettings-javascript-enabled
+  # Gateway TLS already pins verified certificate SHA-256 fingerprints. OkHttp CertificatePinner pins SPKI hashes,
+  # so this query is noisy for OpenClaw's TOFU/local-gateway trust model and does not belong in the critical profile.
+  - exclude:
+      id: java/android/missing-certificate-pinning
 
 paths:
   - apps/android/app/src/main