network-ai 5.3.0 → 5.3.1

package/QUICKSTART.md

@@ -18,7 +18,7 @@ npm install
 npx ts-node setup.ts --check
 ```
 
-**Zero external AI dependencies.** All 28 adapters are self-contained — add framework SDKs only when you need them.
+**Zero external AI dependencies.** All 29 adapters are self-contained — add framework SDKs only when you need them.
 
 ---
 
@@ -254,7 +254,7 @@ export class MyFrameworkAdapter extends BaseAdapter {
 ```bash
 npx ts-node test-standalone.ts    # 88 core tests
 npx ts-node test-security.ts      # 34 security tests
-npx ts-node test-adapters.ts      # 218 adapter tests (all 28 frameworks)
+npx ts-node test-adapters.ts      # 218 adapter tests (all 29 frameworks)
  npx ts-node test-cli.ts           # 65 CLI tests
 npx ts-node test-qa.ts             # 67 QA orchestrator tests
 ```
@@ -265,7 +265,7 @@ npx ts-node test-qa.ts             # 67 QA orchestrator tests
 
 ```bash
 npx ts-node setup.ts --check      # Verify installation
-npx ts-node setup.ts --list       # List all 28 adapters
+npx ts-node setup.ts --list       # List all 29 adapters
 npx ts-node setup.ts --example    # Generate example.ts
 ```
 

package/README.md

@@ -5,7 +5,7 @@
 [![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
 [![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
 [![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
-[![Release](https://img.shields.io/badge/release-v5.3.0-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
+[![Release](https://img.shields.io/badge/release-v5.3.1-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
 [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
 [![Tests](https://img.shields.io/badge/tests-2899%20passing-brightgreen.svg)](#testing)
 [![Adapters](https://img.shields.io/badge/frameworks-29%20supported-blueviolet.svg)](#adapter-system)

package/SKILL.md

@@ -1,13 +1,14 @@
 ---
 name: network-ai
-description: "Local Python orchestration skill: multi-agent workflows via shared blackboard file, permission gating, token budget scripts, and persistent project context. The bundled Python scripts make no network calls and have zero third-party dependencies. Workflow delegations via the host platform's sessions_send may invoke external model APIs."
+description: "Local Python orchestration skill: multi-agent workflows via shared blackboard file, permission gating, token budget scripts, and persistent project context. All bundled scripts run locally with zero network calls and zero third-party dependencies."
 metadata:
   openclaw:
     emoji: "\U0001F41D"
     homepage: https://network-ai.org
     bundle_scope: "Python scripts only (scripts/*.py). All execution is local. Only Python stdlib — no other runtimes, adapters, or CLI tools are included."
-    network_calls: "none — bundled scripts make zero network calls. The host platform's sessions_send (not part of this skill) may invoke external models."
-    sessions_send: "NOT implemented or invoked by this skill. sessions_send is a host-platform built-in. This skill only provides budget guards that run before the platform delegates."
+    network_calls: "none — bundled scripts make zero network calls and spawn no subprocesses."
+    inter_agent_comms: "none — this skill does not implement, invoke, or control inter-agent messaging or sessions_send. All coordination is via local file-based blackboard only."
+    sessions_send: "NOT implemented or invoked by this skill. sessions_send is a host-platform built-in entirely outside this skill's control. See data-flow notice below."
     sessions_ops: "platform-provided — outside this skill's control"
     requires:
       bins:
@@ -31,7 +32,11 @@ metadata:
 
 > **Scope:** The bundled Python scripts (`scripts/*.py`) make **no network calls**, use only the Python standard library, and have **zero third-party dependencies**. Tokens are UUID-based (`grant_{uuid4().hex}`) stored in `data/active_grants.json`. Audit logging is plain JSONL (`data/audit_log.jsonl`).
 
-> **Data-flow notice:** This skill does NOT implement, invoke, or control `sessions_send`. That is a host-platform built-in (OpenClaw runtime). The orchestration instructions below describe *when* to call the platform's `sessions_send` after budget checks pass — but the actual network call, model endpoint, and data transmission are entirely the host platform's responsibility. If you need to prevent external network calls, disable or reroute `sessions_send` in your platform settings before installing this skill.
+> **Advisory tokens notice:** Grant tokens issued by `check_permission.py` are **advisory scoring outputs only** — the caller-supplied `--agent` identity is not cryptographically verified. Downstream systems must not treat these tokens as authenticated credentials without adding a separate identity-verification step or human approval gate, especially for PAYMENTS, DATABASE, and FILE_EXPORT resources.
+
+> **Data-flow notice (host platform — not this skill):** This skill does NOT implement, invoke, or control `sessions_send`. That is a host-platform built-in (OpenClaw runtime). The orchestration instructions below describe *when* to call the platform’s `sessions_send` after budget checks pass — but the actual network call, model endpoint, and data transmission are entirely the **host platform’s** responsibility. If you need to prevent external network calls, disable or reroute `sessions_send` in your **platform settings** before installing this skill. This skill has no access to that configuration.
+
+> **Context file integrity:** The `context_manager.py inject` command now validates `data/project-context.json` for injection patterns and oversized fields before printing the context block. Review any warnings printed to stderr before passing the output to an agent system prompt.
 
 > **PII / sensitive-data warning:** The `justification` field in permission requests and the audit log (`data/audit_log.jsonl`) store free-text strings provided by agents. **Do not include PII, secrets, or credentials in justification text.** Consider restricting file permissions on `data/` or running this skill in an isolated workspace.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "network-ai",
-  "version": "5.3.0",
+  "version": "5.3.1",
   "description": "AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Computer Use, OpenAI Agents SDK, Vertex AI, Pydantic AI, Browser Agent, Hermes, Orchestrator, RLM + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
   "homepage": "https://network-ai.org",
   "main": "dist/index.js",

package/scripts/check_permission.py

@@ -41,6 +41,17 @@ GRANT_TOKEN_TTL_MINUTES = 5
 GRANTS_FILE = Path(__file__).parent.parent / "data" / "active_grants.json"
 AUDIT_LOG = Path(__file__).parent.parent / "data" / "audit_log.jsonl"
 
+# ADVISORY TOKENS — IMPORTANT
+# Grant tokens produced by this script are ADVISORY scoring outputs only.
+# They are NOT authenticated credentials. The agent_id supplied via --agent
+# is accepted as-is from the caller and is NOT verified against an identity
+# provider. Downstream systems MUST treat these tokens as hints, not proof
+# of identity, and SHOULD require a separate authenticated session or human
+# approval before honouring access to sensitive resources.
+#
+# For PAYMENTS, DATABASE (write), and FILE_EXPORT the caller must also pass
+# --confirm-high-risk to acknowledge the advisory-only nature of the grant.
+
 # Default trust levels for known agents
 DEFAULT_TRUST_LEVELS = {
     "orchestrator": 0.9,
@@ -49,6 +60,13 @@ DEFAULT_TRUST_LEVELS = {
     "risk_assessor": 0.85,
 }
 
+# Agents whose identity is pre-registered. Any agent_id NOT in this set
+# receives a reduced trust score (0.3) and triggers an advisory warning.
+KNOWN_AGENTS: set[str] = set(DEFAULT_TRUST_LEVELS.keys())
+
+# Resource types that require --confirm-high-risk before a grant is issued
+HIGH_RISK_RESOURCES: set[str] = {"PAYMENTS", "DATABASE"}
+
 # Base risk scores for resource types
 BASE_RISKS = {
     "DATABASE": 0.5,      # Internal database access
@@ -258,48 +276,88 @@ def save_grant(grant: dict[str, Any]) -> None:
     GRANTS_FILE.write_text(json.dumps(grants, indent=2))
 
 
-def evaluate_permission(agent_id: str, resource_type: str, 
-                       justification: str, scope: Optional[str] = None) -> dict[str, Any]:
+def evaluate_permission(
+    agent_id: str,
+    resource_type: str,
+    justification: str,
+    scope: Optional[str] = None,
+    confirm_high_risk: bool = False,
+) -> dict[str, Any]:
     """
     Evaluate a permission request using weighted scoring.
-    
+
+    NOTE: These tokens are ADVISORY ONLY — the caller supplies their own
+    agent_id and it is not authenticated. Downstream systems must not treat
+    the resulting token as proof of identity without additional verification.
+
     Weights:
     - Justification Quality: 40%
     - Agent Trust Level: 30%
     - Risk Assessment: 30%
     """
+    # Warn if agent_id is not in the pre-registered known-agents list
+    unknown_agent = agent_id not in KNOWN_AGENTS
+
     # Log the request
     log_audit("permission_request", {
         "agent_id": agent_id,
         "resource_type": resource_type,
         "justification": justification,
-        "scope": scope
+        "scope": scope,
+        "unknown_agent": unknown_agent,
     })
-    
+
+    # Require explicit acknowledgement for high-risk resources
+    needs_confirmation = (
+        resource_type in HIGH_RISK_RESOURCES
+        or (resource_type == "DATABASE" and scope and re.search(
+            r'\b(write|delete|update|modify|create)\b', scope, re.IGNORECASE
+        ))
+    )
+    if needs_confirmation and not confirm_high_risk:
+        return {
+            "granted": False,
+            "advisory": True,
+            "reason": (
+                f"{resource_type} is a high-risk resource. Re-run with --confirm-high-risk "
+                "to acknowledge that this token is advisory only and does not authenticate "
+                "the supplied agent identity."
+            ),
+            "scores": {"justification": None, "trust": None, "risk": None},
+        }
+
     # 1. Justification Quality (40% weight)
     justification_score = score_justification(justification)
     if justification_score < 0.3:
         return {
             "granted": False,
+            "advisory": True,
             "reason": "Justification is insufficient. Please provide specific task context.",
             "scores": {
                 "justification": justification_score,
                 "trust": None,
-                "risk": None
-            }
+                "risk": None,
+            },
         }
-    
+
     # 2. Agent Trust Level (30% weight)
-    trust_level = DEFAULT_TRUST_LEVELS.get(agent_id, 0.5)
+    # Unknown agents receive a reduced base trust score (0.3) — their identity
+    # has not been pre-registered and cannot be verified by this script.
+    trust_level = DEFAULT_TRUST_LEVELS.get(agent_id, 0.3) if not unknown_agent \
+        else 0.3
     if trust_level < 0.4:
         return {
             "granted": False,
-            "reason": "Agent trust level is below threshold. Escalate to human operator.",
+            "advisory": True,
+            "reason": (
+                "Agent trust level is below threshold. Escalate to human operator."
+                + (" (unrecognized agent_id — identity not pre-registered)" if unknown_agent else "")
+            ),
             "scores": {
                 "justification": justification_score,
                 "trust": trust_level,
-                "risk": None
-            }
+                "risk": None,
+            },
         }
     
     # 3. Risk Assessment (30% weight)
@@ -307,12 +365,13 @@ def evaluate_permission(agent_id: str, resource_type: str,
     if risk_score > 0.8:
         return {
             "granted": False,
+            "advisory": True,
             "reason": "Risk assessment exceeds acceptable threshold. Narrow the requested scope.",
             "scores": {
                 "justification": justification_score,
                 "trust": trust_level,
-                "risk": risk_score
-            }
+                "risk": risk_score,
+            },
         }
     
     # Calculate weighted approval score
@@ -325,13 +384,14 @@ def evaluate_permission(agent_id: str, resource_type: str,
     if weighted_score < 0.5:
         return {
             "granted": False,
+            "advisory": True,
             "reason": f"Combined evaluation score ({weighted_score:.2f}) below threshold (0.5).",
             "scores": {
                 "justification": justification_score,
                 "trust": trust_level,
                 "risk": risk_score,
-                "weighted": weighted_score
-            }
+                "weighted": weighted_score,
+            },
         }
     
     # Generate grant
@@ -346,15 +406,19 @@ def evaluate_permission(agent_id: str, resource_type: str,
         "scope": scope,
         "expires_at": expires_at,
         "restrictions": restrictions,
-        "granted_at": datetime.now(timezone.utc).isoformat()
+        "granted_at": datetime.now(timezone.utc).isoformat(),
+        "advisory": True,           # Always advisory — not an authenticated credential
+        "unknown_agent": unknown_agent,
     }
-    
+
     # Save grant and log
     save_grant(grant)
     log_audit("permission_granted", grant)
-    
+
     return {
         "granted": True,
+        "advisory": True,           # Token is advisory — agent identity was not verified
+        "unknown_agent": unknown_agent,
         "token": token,
         "expires_at": expires_at,
         "restrictions": restrictions,
@@ -362,8 +426,14 @@ def evaluate_permission(agent_id: str, resource_type: str,
             "justification": justification_score,
             "trust": trust_level,
             "risk": risk_score,
-            "weighted": weighted_score
-        }
+            "weighted": weighted_score,
+        },
+        "notice": (
+            "This token was issued based on local scoring only. "
+            "The agent identity supplied via --agent was NOT cryptographically verified. "
+            "Treat this token as advisory and require human approval before granting "
+            "access to sensitive systems."
+        ),
     }
 
 
@@ -649,6 +719,16 @@ Examples:
         action="store_true",
         help="Output result as JSON"
     )
+    parser.add_argument(
+        "--confirm-high-risk",
+        action="store_true",
+        dest="confirm_high_risk",
+        help=(
+            "Required for PAYMENTS and DATABASE resources. Acknowledges that the issued "
+            "token is advisory only and that the caller-supplied agent identity was not "
+            "cryptographically verified."
+        ),
+    )
 
     args = parser.parse_args()
 
@@ -672,17 +752,21 @@ Examples:
         agent_id=args.agent,
         resource_type=args.resource,
         justification=args.justification,
-        scope=args.scope
+        scope=args.scope,
+        confirm_high_risk=getattr(args, "confirm_high_risk", False),
     )
 
     if args.json:
         print(json.dumps(result, indent=2))
     else:
         if result["granted"]:
-            print("GRANTED")
-            print(f"Token: {result['token']}")
-            print(f"Expires: {result['expires_at']}")
+            print("GRANTED  [ADVISORY — agent identity was NOT verified]")
+            print(f"Token:        {result['token']}")
+            print(f"Expires:      {result['expires_at']}")
             print(f"Restrictions: {', '.join(result['restrictions'])}")
+            if result.get("unknown_agent"):
+                print("WARNING: agent_id is not in the pre-registered known-agents list.")
+            print(f"\nNOTICE: {result.get('notice', '')}")
         else:
             print("DENIED")
             print(f"Reason: {result['reason']}")

package/scripts/context_manager.py

@@ -74,6 +74,72 @@ def _now_iso() -> str:
     return datetime.now(timezone.utc).isoformat()
 
 
+def _validate_context(ctx: dict[str, Any]) -> list[str]:
+    """
+    Validate the project context file against the expected schema.
+
+    Returns a list of warning strings (empty = clean).
+    Checks:
+    - Required top-level keys are present
+    - String fields are not excessively long (injection/poisoning guard)
+    - List entries are strings or dicts, not executable-looking content
+    - No obvious prompt-injection patterns in goals, decisions, or banned entries
+    """
+    import re as _re
+    warnings: list[str] = []
+
+    REQUIRED_KEYS = {"project", "goals", "stack", "milestones", "decisions",
+                     "banned_approaches", "updated_at"}
+    missing = REQUIRED_KEYS - set(ctx.keys())
+    if missing:
+        warnings.append(f"Missing keys in context file: {', '.join(sorted(missing))}")
+
+    # Field length caps
+    project = ctx.get("project", {})
+    for field in ("name", "description", "version"):
+        val = project.get(field, "")
+        if isinstance(val, str) and len(val) > 500:
+            warnings.append(f"project.{field} exceeds 500 characters \u2014 consider shortening.")
+
+    # Injection pattern check on free-text list fields
+    INJECTION_RE = _re.compile(
+        r'ignore\s+(previous|above|prior|all)|override\s+(policy|restriction|rule)|'
+        r'system\s*prompt|you\s+are\s+(now|a)|act\s+as\s+(if|a|an)|'
+        r'pretend\s+(to|that|you)|bypass\s+(security|check|restriction)|'
+        r'disregard\s+(policy|rule)|admin\s+(mode|access|override)|'
+        r'\bsudo\b|\bjailbreak\b',
+        _re.IGNORECASE,
+    )
+
+    def _check_text(label: str, text: str) -> None:
+        if INJECTION_RE.search(text):
+            warnings.append(
+                f"Possible injection pattern detected in {label}: {text[:80]!r}"
+            )
+        if len(text) > 2000:
+            warnings.append(f"{label} entry exceeds 2000 characters \u2014 review before injecting.")
+
+    for i, goal in enumerate(ctx.get("goals", [])):
+        if isinstance(goal, str):
+            _check_text(f"goals[{i}]", goal)
+
+    for i, dec in enumerate(ctx.get("decisions", [])):
+        if isinstance(dec, dict):
+            dec_dict = cast(dict[str, object], dec)
+            for fld in ("decision", "rationale"):
+                fld_val = dec_dict.get(fld)
+                if isinstance(fld_val, str):
+                    _check_text(f"decisions[{i}].{fld}", fld_val)
+        elif isinstance(dec, str):
+            _check_text(f"decisions[{i}]", dec)
+
+    for i, banned in enumerate(ctx.get("banned_approaches", [])):
+        if isinstance(banned, str):
+            _check_text(f"banned_approaches[{i}]", banned)
+
+    return warnings
+
+
 def _load() -> dict[str, Any]:
     if not CONTEXT_PATH.exists():
         print(
@@ -127,6 +193,11 @@ def cmd_init(args: argparse.Namespace) -> int:
 
 def cmd_show(args: argparse.Namespace) -> int:  # noqa: ARG001
     ctx = _load()
+    warnings = _validate_context(ctx)
+    if warnings:
+        print("[context_manager] VALIDATION WARNINGS — review before injecting:", file=sys.stderr)
+        for w in warnings:
+            print(f"  ! {w}", file=sys.stderr)
     print(json.dumps(ctx, indent=2))
     return 0
 
@@ -134,6 +205,12 @@ def cmd_show(args: argparse.Namespace) -> int:  # noqa: ARG001
 def cmd_inject(args: argparse.Namespace) -> int:  # noqa: ARG001
     """Print a formatted block suitable for injection into an agent system prompt."""
     ctx = _load()
+    warnings = _validate_context(ctx)
+    if warnings:
+        print("[context_manager] VALIDATION WARNINGS \u2014 context has potential issues:", file=sys.stderr)
+        for w in warnings:
+            print(f"  ! {w}", file=sys.stderr)
+        print("[context_manager] Proceeding with inject, but review warnings above.", file=sys.stderr)
     p = ctx.get("project", {})
 
     lines: list[str] = []