network-ai 5.13.0 → 5.13.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +9 -9
- package/SKILL.md +7 -6
- package/package.json +3 -3
package/README.md
CHANGED
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
[](https://network-ai.org/)
|
|
6
6
|
[](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
|
|
7
7
|
[](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
|
|
8
|
-
[](https://github.com/Jovancoding/Network-AI/releases)
|
|
9
9
|
[](https://www.npmjs.com/package/network-ai)
|
|
10
10
|
[](#testing)
|
|
11
11
|
[](#adapter-system)
|
|
@@ -590,18 +590,18 @@ npm run test:phase12 # Context Throttler, Partition Planner, Coverage Gate,
|
|
|
590
590
|
| Doc | Contents |
|
|
591
591
|
|---|---|
|
|
592
592
|
| [QUICKSTART.md](QUICKSTART.md) | Installation, first run, CLI reference, PowerShell guide, Python scripts CLI |
|
|
593
|
-
| [ARCHITECTURE.md](ARCHITECTURE.md) | Race condition problem, FSM design, handoff protocol, module inventory, project structure |
|
|
593
|
+
| [ARCHITECTURE.md](ARCHITECTURE.md) | Race condition problem, FSM design, handoff protocol, model-interaction lifecycle governance, module inventory, project structure |
|
|
594
594
|
| [BENCHMARKS.md](BENCHMARKS.md) | Provider performance, rate limits, local GPU, `max_completion_tokens` guide |
|
|
595
|
-
| [SECURITY.md](SECURITY.md) | Security module, permission system, trust levels, audit trail, disclosure SLA, ClawHub scan findings |
|
|
595
|
+
| [SECURITY.md](SECURITY.md) | Security module, permission system, trust levels, audit trail, OWASP Agentic Top 10 coverage, disclosure SLA, ClawHub scan findings |
|
|
596
596
|
| [THREAT_MODEL.md](THREAT_MODEL.md) | Adversary profiles, trust boundaries, explicit non-goals, security controls summary |
|
|
597
597
|
| [DATA_LOCATIONS.md](DATA_LOCATIONS.md) | Every file Network-AI creates — path, purpose, data classification, operator responsibilities |
|
|
598
598
|
| [SUPPLY_CHAIN.md](SUPPLY_CHAIN.md) | Runtime dependencies, what runs at install, network surface, SLSA/npm provenance verification |
|
|
599
599
|
| [ENTERPRISE.md](ENTERPRISE.md) | Evaluation checklist, stability policy, security summary, integration entry points |
|
|
600
|
-
| [AUDIT_LOG_SCHEMA.md](AUDIT_LOG_SCHEMA.md) | Audit log field reference, all event types, scoring formula |
|
|
600
|
+
| [AUDIT_LOG_SCHEMA.md](AUDIT_LOG_SCHEMA.md) | Audit log field reference, all event types (including `model.refusal` / `model.attempt`), scoring formula |
|
|
601
601
|
| [ADOPTERS.md](ADOPTERS.md) | Known adopters — open a PR to add yourself |
|
|
602
|
-
| [INTEGRATION_GUIDE.md](INTEGRATION_GUIDE.md) | End-to-end integration walkthrough with v5.
|
|
603
|
-
| [SKILL.md](SKILL.md) | OpenClaw/ClawHub Python skill — setup, orchestrator protocol, security scan findings |
|
|
604
|
-
| [references/adapter-system.md](references/adapter-system.md) | Adapter architecture, all 29 adapters, writing custom adapters |
|
|
602
|
+
| [INTEGRATION_GUIDE.md](INTEGRATION_GUIDE.md) | End-to-end integration walkthrough with v5.13 modules |
|
|
603
|
+
| [SKILL.md](SKILL.md) | OpenClaw/ClawHub Python skill — setup, orchestrator protocol, OWASP engine coverage, security scan findings |
|
|
604
|
+
| [references/adapter-system.md](references/adapter-system.md) | Adapter architecture, all 29 adapters (incl. `AnthropicMessagesAdapter`), writing custom adapters |
|
|
605
605
|
| [references/auth-guardian.md](references/auth-guardian.md) | Permission scoring, resource types, `scoreRequest()`, IAuthValidator interface |
|
|
606
606
|
| [references/trust-levels.md](references/trust-levels.md) | Trust level configuration, APS delegation-chain mapping |
|
|
607
607
|
|
|
@@ -619,7 +619,7 @@ Three integration files are included in the repo root:
|
|
|
619
619
|
|---|---|
|
|
620
620
|
| [`claude-tools.json`](claude-tools.json) | Claude API tool use & OpenAI Codex — drop into the `tools` array |
|
|
621
621
|
| [`openapi.yaml`](openapi.yaml) | Custom GPT Actions — import directly in the GPT editor |
|
|
622
|
-
| [`claude-project-prompt.md`](claude-project-prompt.md) | Claude Projects — paste into Custom Instructions |
|
|
622
|
+
| [`claude-project-prompt.md`](claude-project-prompt.md) | Claude Projects — paste into Custom Instructions (includes lifecycle governance context) |
|
|
623
623
|
|
|
624
624
|
**Claude API / Codex:**
|
|
625
625
|
```js
|
|
@@ -656,7 +656,7 @@ MIT License — [LICENSE](LICENSE) · [CHANGELOG](CHANGELOG.md) &nbs
|
|
|
656
656
|
<details>
|
|
657
657
|
<summary>Keywords</summary>
|
|
658
658
|
|
|
659
|
-
multi-agent · agent orchestration · AI agents · agentic AI · agentic workflow · TypeScript · Node.js · LangGraph · CrewAI · AutoGen · MCP · model-context-protocol · LlamaIndex · Semantic Kernel · OpenAI Assistants · Haystack · DSPy · Agno · OpenClaw · ClawHub · shared state · blackboard pattern · atomic commits · guardrails · token budgets · permission gating · audit trail · agent coordination · agent handoffs · governance · cost-awareness
|
|
659
|
+
multi-agent · agent orchestration · AI agents · agentic AI · agentic workflow · TypeScript · Node.js · LangGraph · CrewAI · AutoGen · MCP · model-context-protocol · LlamaIndex · Semantic Kernel · OpenAI Assistants · Haystack · DSPy · Agno · OpenClaw · ClawHub · shared state · blackboard pattern · atomic commits · guardrails · token budgets · permission gating · audit trail · agent coordination · agent handoffs · governance · cost-awareness · refusal handling · fallback routing · model lifecycle · OWASP agentic AI · effort policy · thinking blocks
|
|
660
660
|
|
|
661
661
|
</details>
|
|
662
662
|
|
package/SKILL.md
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: network-ai
|
|
3
|
-
description: "Local Python orchestration skill: multi-agent workflows via shared blackboard file, permission gating, token budget scripts, and persistent project context.
|
|
3
|
+
description: "Local Python orchestration skill: multi-agent workflows via shared blackboard file, permission gating, token budget scripts, and persistent project context. The bundled Python scripts make no network calls and have zero third-party dependencies. The parent repository also contains a TypeScript engine (not included in this skill bundle)."
|
|
4
4
|
metadata:
|
|
5
5
|
openclaw:
|
|
6
6
|
emoji: "\U0001F41D"
|
|
7
7
|
homepage: https://network-ai.org
|
|
8
8
|
capabilities:
|
|
9
|
-
filesystem: "read/write — project root `swarm-blackboard.md` (blackboard state), `data/pending_changes/<id>.json` (WAL entries), `data/audit_log.jsonl`, `data/active_grants.json`, `data/.signing_key`, `data/project-context.json`, `data/task_tracking.json`, `data/agent_health.json`, `data/budget_tracking.json`. All paths are local;
|
|
9
|
+
filesystem: "read/write — project root `swarm-blackboard.md` (blackboard state), `data/pending_changes/<id>.json` (WAL entries), `data/audit_log.jsonl`, `data/active_grants.json`, `data/.signing_key`, `data/project-context.json`, `data/task_tracking.json`, `data/agent_health.json`, `data/budget_tracking.json`. All paths are local; no data leaves the local filesystem. When NETWORK_AI_ENV is set, data paths are rooted at `data/<env>/` instead of `data/`. The `--path` argument in blackboard.py is validated against the project root at runtime — paths outside the project directory are rejected (CWE-22)."
|
|
10
10
|
env_vars: "read — NETWORK_AI_ENV (environment routing), NETWORK_AI_MCP_SECRET (MCP bearer auth), NETWORK_AI_MINIMAL (minimal-mode flag). No env vars are written."
|
|
11
11
|
shell_exec: "optional — AgentRuntime (lib/agent-runtime.ts) with SandboxPolicy and ApprovalGate; disabled by default. Never auto-enabled by this skill. auto_approve must NOT be set in production (see auto_approve_warning below)."
|
|
12
12
|
tcp_port: "optional — MCP SSE server (bin/mcp-server.ts) binds 127.0.0.1 only when explicitly started by the operator. Requires a non-empty bearer-token secret. Never auto-started by this skill or any bundled Python script."
|
|
@@ -35,7 +35,7 @@ metadata:
|
|
|
35
35
|
path: data/
|
|
36
36
|
scope: local-only
|
|
37
37
|
files: ["audit_log.jsonl", "active_grants.json", ".signing_key", "project-context.json", "task_tracking.json", "agent_health.json", "budget_tracking.json", "pending_changes/<id>.json"]
|
|
38
|
-
description: "All persistent state is local-only. No
|
|
38
|
+
description: "All persistent state is local-only. No data leaves the local filesystem."
|
|
39
39
|
blackboard_file:
|
|
40
40
|
path: swarm-blackboard.md
|
|
41
41
|
scope: local-only
|
|
@@ -535,7 +535,7 @@ Sequential processing - output of one feeds into next.
|
|
|
535
535
|
|
|
536
536
|
**Every sensitive action MUST be logged to `data/audit_log.jsonl`** to maintain compliance and enable forensic analysis.
|
|
537
537
|
|
|
538
|
-
> **Privacy note:** Audit log entries contain agent-provided free-text fields (justifications, descriptions). These are stored locally in `data/audit_log.jsonl` and
|
|
538
|
+
> **Privacy note:** Audit log entries contain agent-provided free-text fields (justifications, descriptions). These are stored locally in `data/audit_log.jsonl` and kept on this machine only by this skill — no audit data leaves the local filesystem. However, **do not put PII, passwords, or API keys in justification strings** — they persist on disk. Consider periodic log rotation and restricting OS file permissions on the `data/` directory.
|
|
539
539
|
|
|
540
540
|
### What Gets Logged Automatically
|
|
541
541
|
|
|
@@ -753,7 +753,7 @@ The following findings are drawn from the **MAESTRO Agent Security Threat** fram
|
|
|
753
753
|
|
|
754
754
|
| Control | How Network-AI addresses it |
|
|
755
755
|
|---|---|
|
|
756
|
-
| **Zero network calls (Python scripts)** | All bundled Python scripts use Python stdlib only, spawn no subprocesses, and make no network calls — declared in `metadata.openclaw.network_calls` and `bundle_scope`. The optional MCP
|
|
756
|
+
| **Zero network calls (Python scripts)** | All bundled Python scripts use Python stdlib only, spawn no subprocesses, and make no network calls — declared in `metadata.openclaw.network_calls` and `bundle_scope`. The optional TypeScript MCP server (`bin/mcp-server.ts`) is not part of the ClawHub bundle; it must be explicitly started by the operator via `npx network-ai-server` and requires a non-empty bearer-token secret. |
|
|
757
757
|
| **AgentRuntime sandbox** | `ShellExecutor` enforces per-command timeout and output-size limits; `SandboxPolicy` allowlist/blocklist prevents unapproved shell commands from running at all |
|
|
758
758
|
| **ClaimVerifier (Tier 1 agent honesty)** | `AgentRuntime` issues HMAC-signed outcome-bound receipts (`ExecutionReceipt`) on every `exec()` and `writeFile()`; `ClaimVerifier` (`lib/claim-verifier.ts`) reconciles agent-declared manifests against the audit log — `UNSUPPORTED_CLAIM` and `UNDISCLOSED_ACTION` violations surface through `ComplianceMonitor`; repeated fabrication decays `AuthGuardian` trust and forces `ApprovalGate` supervision |
|
|
759
759
|
| **Source protection** | `SandboxPolicy.sourceProtection` constrains `FileAccessor.read/write/list` to `data/<env>/` only; any attempt to read outside that boundary throws `SourceProtectionError` — the agent receives `{success: false}`, no path details leak |
|
|
@@ -767,7 +767,7 @@ The following findings are drawn from the **MAESTRO Agent Security Threat** fram
|
|
|
767
767
|
|
|
768
768
|
| Control | How Network-AI addresses it |
|
|
769
769
|
|---|---|
|
|
770
|
-
| **Exact version pinning** | npm `package.json` uses exact `"version": "5.13.
|
|
770
|
+
| **Exact version pinning** | npm `package.json` uses exact `"version": "5.13.1"` — no semver range specifiers; `clawhub install network-ai` pins to a specific published version |
|
|
771
771
|
| **Zero transitive dependency drift** | All bundled Python scripts use Python stdlib only — `pip install` is never required; there are no third-party packages to drift, be compromised upstream, or introduce CVEs |
|
|
772
772
|
| **Signed, tagged releases** | Every release is committed with a signed Git tag (`v5.7.x`); commit hash is verifiable against CHANGELOG.md; GitHub releases link tag → diff → changelog entry |
|
|
773
773
|
| **Supply chain monitoring** | npm package continuously scored by Socket.dev (score A); any new dependency or permission change triggers an alert |
|
|
@@ -793,6 +793,7 @@ This skill is scanned on every publish. The following Notes are flagged by desig
|
|
|
793
793
|
| **SkillSpector** Context-Inappropriate Capability (MCP control surface breadth) | ~~Medium~~ Resolved | Same root cause — `comment.txt` enumerated the HTTP MCP server's 22 privileged tools (blackboard write, token ops, agent_spawn, fsm_transition, audit_query), which the scanner read as a broad remote-control surface inside a local skill. | Fixed in v5.12.7 — `comment.txt` excluded from the bundle (see row above) and enforced by the `clawhub:check` guard. The HTTP MCP server itself remains opt-in: it requires a non-empty bearer secret before `listen()` binds (fail-closed), runs only via `NETWORK_AI_MCP_SECRET=<secret> npx network-ai-server`, binds `127.0.0.1` by default, and is documented in `SUPPLY_CHAIN.md §5a`. |
|
|
794
794
|
| **SkillSpector** Context-Inappropriate Capability (`_load_signing_key()` token minting) | Medium, 92% | `scripts/check_permission.py` mints, HMAC-signs, persists, and lists grant tokens — a de facto local authorization artifact that downstream components may be tempted to treat as real credentials. | Token advisory-only warnings appear in source, SKILL.md, and SECURITY.md. Every grant response includes the advisory notice. Tokens are labeled `grant_{uuid4().hex}`; the HMAC signature only proves local origin, not external identity. Platform-level authentication is required before any destructive action (PAYMENTS, DATABASE, FILE_EXPORT). See ASI03 rows above. |
|
|
795
795
|
| **SkillSpector** Intent-Code Divergence (`FILE_EXPORT` missing from `HIGH_RISK_RESOURCES`) | ~~Low~~ Resolved | Comment stated `FILE_EXPORT` requires `--confirm-high-risk` but `HIGH_RISK_RESOURCES` only contained `PAYMENTS` and `DATABASE`; file export requests could receive advisory grants without the extra acknowledgment | Fixed in v5.11.0 — `FILE_EXPORT` added to `HIGH_RISK_RESOURCES` in `check_permission.py`; now requires `--confirm-high-risk` consistent with the documented policy |
|
|
796
|
+
| **SkillSpector** YARA `agent_skill_mcp_tool_poisoning_metadata` (MCP/tool metadata poisoning indicators) | ~~High~~ Resolved | SKILL.md frontmatter `description:` retained an older phrasing that referenced the optional TypeScript network server alongside "zero network calls" — a combination the YARA rule flags. A privacy-note sentence also used wording adjacent to file/data references that the exfiltration sub-rule flagged. | Fixed in v5.13.1 — frontmatter `description:` confirmed clean (server reference removed; TypeScript engine noted as parent repository only). Privacy note reworded to remove the flagged phrase. VirusTotal 64/64 clean throughout. |
|
|
796
797
|
| **SkillSpector** Description-Behavior Mismatch (`ensure_data_dir()` ignoring env scope) | ~~Medium~~ Resolved | `ensure_data_dir()` always created the fixed top-level `data/` directory instead of the active env-specific path, breaking environment isolation when `NETWORK_AI_ENV` is set | Fixed in v5.11.0 — `ensure_data_dir()` now delegates to `_resolve_data_dir()` so audit log and grant files are always written to the correct env-scoped directory |
|
|
797
798
|
|
|
798
799
|
## References
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "network-ai",
|
|
3
|
-
"version": "5.13.
|
|
3
|
+
"version": "5.13.1",
|
|
4
4
|
"description": "AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Computer Use, OpenAI Agents SDK, Vertex AI, Pydantic AI, Browser Agent, Hermes, Orchestrator, RLM + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
|
|
5
5
|
"homepage": "https://network-ai.org",
|
|
6
6
|
"main": "dist/index.js",
|
|
@@ -126,9 +126,9 @@
|
|
|
126
126
|
"python": ">=3.9"
|
|
127
127
|
},
|
|
128
128
|
"devDependencies": {
|
|
129
|
-
"@types/node": "^
|
|
129
|
+
"@types/node": "^26.0.0",
|
|
130
130
|
"dotenv": "^17.4.2",
|
|
131
|
-
"openai": "^6.
|
|
131
|
+
"openai": "^6.44.0",
|
|
132
132
|
"ts-node": "^10.9.2",
|
|
133
133
|
"typescript": "^6.0.3"
|
|
134
134
|
},
|