Releases: Jovancoding/Network-AI

v5.4.4 — Fix missing import os in swarm_guard.py (ASI08)

13 May 21:07

Network-AI v5.4.4 — Fix missing import os in swarm_guard.py (ClawHub ASI08)

Fixed

  • import os missing in scripts/swarm_guard.py: os.environ.get("NETWORK_AI_ENV", "") was called before os was imported, causing a NameError on startup and silently disabling all budget and health-check guards. This was flagged as ClawHub ASI08 (Cascading Failures).

Notes (by design — will always recur on scan)

  • ASI03 Advisory token identity — grant tokens are advisory only, not authenticated credentials. Use real platform auth + human approval for sensitive resources.
  • ASI06 Persistent context poisoning — _validate_context() runs injection detection before inject; do not store secrets in data/; clear between projects.
  • ASI07 Inter-agent communication boundary — blackboard is local file-based; run in a trusted workspace with restricted data/ permissions.

Stats

  • 29 test suites, 2,976 passing assertions (unchanged)
  • Zero TypeScript compile errors

Full Changelog

https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

v5.4.3 — SKILL.md security findings, README doc table, BOM fix

13 May 20:59

Network-AI v5.4.3 — SKILL.md security findings + README doc table + BOM fix

Added

  • SKILL.md security scan findings table — new section documents all 4 ClawHub Notes (ASI01, ASI03, ASI06, ASI07) with confidence level, why each recurs by design, and the documented control.
  • README documentation table: SKILL.md row added (OpenClaw/ClawHub Python skill — setup, orchestrator protocol, security scan findings).
  • README footer — Code of Conduct and Security Policy links added.

Fixed

  • UTF-8 BOM stripped from package.json, skill.json, and openapi.yaml — PowerShell Out-File -Encoding utf8 was inserting a BOM that caused ts-node to crash with SyntaxError: Unexpected token in CI.

Stats

  • 29 test suites, 2,976 passing assertions (unchanged)
  • Zero TypeScript compile errors

Full Changelog

https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

v5.4.2 — MCP tool quality + security doc accuracy

13 May 20:30

Network-AI v5.4.2 — MCP Tool Quality + Security Doc Accuracy

Patch release improving Glama Tool Definition Quality scores and fixing inaccurate ClawHub security documentation.

Improved

  • MCP tool descriptions — all 22 tool definitions now include explicit return shapes, error/edge-case behavior, and usage guidelines (when to call this tool vs. a related one, recommended ordering). Targets Glama behavior and usage sub-score improvements across fsm_transition, config_get, config_set, token_create, budget_spend, audit_query, and all blackboard tools.

Fixed

  • ClawHub security documentation: SECURITY.md, .github/SECURITY.md, and ENTERPRISE.md now accurately describe the 3 ClawHub Notes (ASI03 advisory-token identity, ASI06 persistent-context and audit-log PII) as by-design patterns with documented controls, rather than "resolved". Notes will recur on future scans by design; the documented controls are the mitigation.

Stats

  • 29 test suites, 2,976 passing assertions (unchanged)
  • Zero TypeScript compile errors (npx tsc --noEmit)

Full Changelog

https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

v5.4.1 — Security patch (CodeQL TOCTOU + dead code)

10 May 10:01

Network-AI v5.4.1 — Security Patch

Patch release resolving 4 CodeQL alerts surfaced after v5.4.0.

Security

  • TOCTOU race condition fix (lib/env-manager.ts) — _touchJson() and _touchFile() now use openSync(O_CREAT | O_EXCL | O_WRONLY, 0o600) instead of existsSync + writeFileSync. Eliminates the window between the existence check and the write where another process could create the same file. CWE-367. (CodeQL #149, #150)
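
The two shapes named in this fix, side by side, as an added example (not the project's own _touchJson() / _touchFile() code). The function names, file names and temp directory are constructed for illustration; the symlink case goes slightly beyond the release note to show a path that existsSync() reports as absent.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// "Before" shape: check, then write. Anything that appears at `file` between
// the two calls (or a dangling symlink already there) gets written through.
function touchRacy(file: string, body: string): boolean {
  if (fs.existsSync(file)) return false;
  fs.writeFileSync(file, body, { mode: 0o600 });
  return true;
}

// "After" shape: O_CREAT | O_EXCL makes the kernel check and create in one
// step; an existing path, symlinks included, fails with EEXIST.
function touchExclusive(file: string, body: string): boolean {
  const { O_CREAT, O_EXCL, O_WRONLY } = fs.constants;
  let fd: number;
  try {
    fd = fs.openSync(file, O_CREAT | O_EXCL | O_WRONLY, 0o600);
  } catch (err) {
    if ((err as { code?: string }).code === "EEXIST") return false;
    throw err; // permissions, missing directory, etc. stay loud
  }
  try {
    fs.writeSync(fd, body);
  } finally {
    fs.closeSync(fd);
  }
  return true;
}

// Constructed scenario in a throwaway temp directory.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "touch-demo-"));
  const file = path.join(dir, "trust_levels.json");
  const created = touchExclusive(file, "{}");
  const recreated = touchExclusive(file, '{"clobbered":true}');
  const content = fs.readFileSync(file, "utf8");

  // A dangling symlink: existsSync() follows it and reports "absent".
  const target = path.join(dir, "elsewhere.json");
  const link = path.join(dir, "link.json");
  fs.symlinkSync(target, link);
  const exclusiveOnLink = touchExclusive(link, "{}");
  const targetAfterExclusive = fs.existsSync(target);
  const racyOnLink = touchRacy(link, "{}");
  const targetAfterRacy = fs.existsSync(target);
  fs.rmSync(dir, { recursive: true, force: true });
  return { created, recreated, content, exclusiveOnLink, targetAfterExclusive, racyOnLink, targetAfterRacy };
}
```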

Fixed

  • Removed unused basename import from lib/env-manager.ts (CodeQL #152)
  • Removed unused SourceProtectionError import from test-env-manager.ts (CodeQL #153)
  • Removed unused resolveEnvData function from bin/cli.ts (CodeQL #151)
  • Fixed README comparison table: adapter count 28 -> 29
  • Fixed QUICKSTART.md: garbled nemoclaw / aps table rows (literal \n in source)
  • Bumped version string to v5.4.1 across all docs and metadata files

Stats

  • 29 test suites, 2,976 passing assertions (unchanged)
  • Zero TypeScript compile errors (npx tsc --noEmit)

Full Changelog

https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

v5.4.0 — Multi-Environment Isolation, Source Protection, Promotion Chain

10 May 09:11

What's New

Multi-Environment Isolation

  • EnvironmentManager (lib/env-manager.ts): full promotion chain dev → st → sit → qa → preprod → prod with a dead-end sandbox tier. Gate types: auto (dev/st/sit/qa/sandbox), confirm (preprod), approval (prod).
  • Promotes only config files (trust_levels.json, budget_ceilings.json, validation_rules.json); live state (audit_log.jsonl, active_grants.json, pending_changes/) never promotes.
  • Auto-backs-up destination environment before every overwrite.

Backup / Rollback

  • backup(env), restore(env, backupId), listBackups(env), pruneBackups(env, keep).
  • Stored under data/<env>/.backups/. Default retention: 10. Auto-pruned after each backup.

LockedBlackboard Env Routing

  • New env? option in LockedBlackboardOptions; falls back to NETWORK_AI_ENV env var.
  • All paths (swarm-blackboard.md, .blackboard.lock, pending_changes/) scoped under data/<env>/.

Source Protection

  • SourceProtectionError class exported from lib/agent-runtime.ts.
  • SandboxPolicy.sourceProtection?: boolean — when enabled, FileAccessor.read/write/list blocks any path outside data/<env>/, returning {success: false} (no path leak).
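
One way such a containment check can be written, as an added example (not the project's FileAccessor code). guardPath, naiveInside, the workspace root and the request strings are hypothetical; only the data/<env>/ boundary and the bare {success: false} denial come from the release note.

```typescript
import * as path from "node:path";

interface AccessResult { success: boolean; resolved?: string }

// Naive check shown for contrast: a string prefix also matches sibling
// directories such as data/dev-backup when the root is data/dev.
function naiveInside(root: string, resolved: string): boolean {
  return resolved.startsWith(root);
}

// Hypothetical guard: allow a path only if it resolves inside data/<env>/.
function guardPath(workspace: string, env: string, requested: string): AccessResult {
  if (!/^[A-Za-z0-9_-]+$/.test(env)) return { success: false }; // env must be one plain segment
  const root = path.resolve(workspace, "data", env);
  const resolved = path.resolve(root, requested); // collapses "..", honours absolute input
  const rel = path.relative(root, resolved);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  // Denials carry no path and no reason, matching the {success: false} shape.
  return escapes ? { success: false } : { success: true, resolved };
}

// Constructed requests against a constructed workspace root.
function runCases(): Record<string, boolean> {
  const ws = "/srv/workspace";
  const ok = (req: string, env = "dev"): boolean => guardPath(ws, env, req).success;
  return {
    inside: ok("trust_levels.json"),
    nested: ok("pending_changes/../audit_log.jsonl"),
    dotdotName: ok("..notes.md"),
    traversal: ok("../../lib/env-manager.ts"),
    absolute: ok("/etc/hostname"),
    sibling: ok("../dev-backup/trust_levels.json"),
    otherEnv: ok("../prod/budget_ceilings.json"),
    badEnv: ok("x", "../prod"),
    naiveSibling: naiveInside(path.resolve(ws, "data", "dev"), path.resolve(ws, "data", "dev-backup", "t.json")),
  };
}
```

The check is lexical only: a symlink placed inside data/<env>/ still resolves elsewhere, so an accessor that must resist that would compare fs.realpathSync() results as well.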

Python NETWORK_AI_ENV Support

  • All 5 Python scripts read NETWORK_AI_ENV at startup and accept --env <name> CLI argument.
  • Uses globals() pattern to avoid Pyright reportConstantRedefinition errors.

CLI env Command Group

npx network-ai env init --all
npx network-ai env list
npx network-ai env chain
npx network-ai env diff --from dev --to prod
npx network-ai env promote --from dev --to st
npx network-ai env promote --from preprod --to prod --approved-by security-board
npx network-ai env backup create --env prod
npx network-ai env backup restore --env prod --latest

Stats

  • 29 test suites, 2,976 passing assertions (+77 vs 5.3.2)

v5.3.2 — SKILL.md: remove sessions_send instructional framing (ClawHub scanner fix)

09 May 16:48

What's Changed

Security / ClawHub Scanner

Addresses ClawHub finding #2 — Insecure Inter-Agent Communication (the scanner quoted our own data-flow notice text and instructional session-send steps as evidence of inter-agent communication).

  • Budget Check Protocol (was: Budget-Aware Handoff Protocol) — removed BEFORE sessions_send language throughout
  • Agent-to-Agent Handoff Protocol — Steps 5 & 6 (sessions_send / sessions_history) replaced with a blackboard read step
  • Example Parallel Workflow — replaced "sessions_send to" code blocks with neutral delegation language
  • Data-flow notice — removed sentence 'the orchestration instructions below describe when to call sessions_send'
  • Permission Scoring (was: Permission Wall) — renamed section; advisory-token warning added at section level
  • Remaining sessions_send mentions in SKILL.md are denial-declarations only (YAML frontmatter + data-flow notice), not instructional

Full test suite: 2,899 / 2,899 passing (28 suites) — unchanged.

v5.3.1 — Security hardening: advisory tokens, context injection validation, Pyright fixes

09 May 16:23

What's Changed

Security fixes

  • Advisory token enforcement (scripts/check_permission.py) — all grant tokens now explicitly marked advisory: true; unknown agent identities receive reduced trust (0.3) and an unknown_agent: true warning flag; CLI shows [ADVISORY — agent identity was NOT verified]
  • High-risk resource gating (scripts/check_permission.py) — PAYMENTS and DATABASE resources require --confirm-high-risk flag or request is denied
  • KNOWN_AGENTS allowlist (scripts/check_permission.py) — agents not in the allowlist are flagged and down-scored
  • Context injection validation (scripts/context_manager.py) — _validate_context() runs schema checks + 16-pattern injection detection on all free-text fields before inject/show commands run
  • SKILL.md hardening — removed sessions_send mention; added inter_agent_comms: none to OpenClaw metadata; separated advisory-token and data-flow notices
  • Pyright type safety (scripts/context_manager.py) — resolved reportUnknownMemberType / reportUnknownArgumentType in _validate_context()

Docs pass

  • ARCHITECTURE.md, BENCHMARKS.md, AUDIT_LOG_SCHEMA.md updated to v5.3.1
  • ENTERPRISE.md: ClawHub scanner findings resolved row + updated What It Does paragraph
  • references/auth-guardian.md: unknown agent trust 0.3, advisory token notice, --confirm-high-risk in resource table and CLI examples
  • QUICKSTART.md: 29 adapters count

Full test suite: 2,899 / 2,899 passing (28 suites) — unchanged.

v5.3.0 — Context Throttler, Partition Planner, Coverage Gate, Route Classifier

09 May 09:52

What's new in v5.3.0

Four new Phase 12 orchestration modules — all dependency-free, fully pluggable, and wired into runTeam().

Context Throttler (lib/context-throttler.ts)

Prune blackboard keys before LLM calls based on per-agent scope metadata tags. Prevents context pollution when agents only need a subset of shared state.

  • filterState() pure function + ContextThrottler class
  • Wildcard ["*"] pass-through, exactMatch, maxKeys options
  • registerScope / deregisterScope / filterAll

Partition Planner (lib/partition-planner.ts)

Assign non-overlapping focus areas to agents before DAG execution. Eliminates redundant research across parallel agents.

  • Pluggable PartitionPlannerFunction + built-in createLexicalOverlapChecker() (zero cost)
  • parsePartitionJSON() with markdown-fence stripping
  • PartitionPlanner.injectConstraint() injects _partitionConstraint into task params
  • strictOverlap mode throws on detected overlap

Coverage Gate (lib/coverage-gate.ts)

Recursive refinement loop — evaluates completeness and re-runs GoalDecomposer for gaps until coverage score >= threshold.

  • CoverageGate class: configurable threshold (default 90) and maxRefinements (default 3)
  • Built-in createKeywordEvaluator() + createLLMEvaluator() for LLM-backed scoring
  • Fail-open when max refinements reached; full history + gapsRequeued tracking

Route Classifier (lib/route-classifier.ts)

Short-circuit routing — classify goals before DAG planning and bypass the blackboard entirely for FACTUAL_LOOKUP goals.

  • RouteClassifier class with pluggable ClassifierFunction
  • Built-in createHeuristicClassifier() (keyword + length heuristic, zero cost)
  • createLLMClassifier() for LLM-backed classification
  • route() short-circuits to a lookup agent and surfaces executor errors

FSM: WORKFLOW_STATES.EVALUATING

New state in JourneyFSM for the Coverage Gate refinement loop — orchestrator is re-evaluating completeness.

runTeam() — 4-phase execution

All four modules integrate into runTeam() via new optional RunTeamOptions fields:

  1. Route classification → short-circuit if FACTUAL_LOOKUP
  2. Partition schema + context throttler → filtered per-agent context + _partitionConstraint injected into task params
  3. Normal DAG execution
  4. Coverage gate → recursive gap decomposition until threshold met

Fully backward-compatible — all new fields are optional.

Stats

  • 28 test suites, 2,899 passing assertions (up from 27 / 2,834)
  • test-phase12.ts — 65 new deterministic tests (no LLM/network/I/O)

Full changelog: CHANGELOG.md

v5.2.2 — Socket.dev alert suppressions

02 May 14:33

What's Changed

Fixed

  • socket.json: Added networkAccess ignore entries for all Socket.dev-flagged files:
    • 3 adapters with direct fetch use: HermesAdapter, PydanticAIAdapter, RLMAdapter
    • 2 lib modules with direct fetch use: SwarmTransport, McpToolConsumer
    • 1 false-positive: AuthGuardian (word "fetch" appears only in comments/regex, no HTTP calls)
    • ~16 files flagged via Socket.dev transitive import-graph analysis (no direct fetch calls)
  • socket.json: Added shellExec ignore entries for:
    • AgentRuntime — ShellExecutor uses child_process.spawn for sandboxed command execution under an explicit SandboxPolicy
    • McpToolConsumer — uses child_process.spawn to launch stdio MCP server subprocesses

No functional changes. 2834 tests pass.

v5.2.1 — CodeQL unused variable fixes

02 May 10:00

What's changed

Fixed

  • CodeQL #147 — removed unused assertThrowsAsync function from test-rlm-phases.ts (dead code, no callers).
  • CodeQL #148 — renamed unused destructured commit to _commit in test-rlm-phases.ts (conventional signal for intentionally unused binding).

No functional changes. All 2,834 tests pass.


Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md