network-ai 5.5.0 → 5.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/INTEGRATION_GUIDE.md +1 -1
  2. package/README.md +1 -1
  3. package/SKILL.md +2 -1
  4. package/package.json +1 -1
  5. package/scripts/revoke_token.py +32 -7
package/INTEGRATION_GUIDE.md CHANGED
@@ -564,4 +564,4 @@ Run these before declaring the integration production-ready:
564
564
 
565
565
  ---
566
566
 
567
- *Network-AI v5.5.0 · MIT License · https://github.com/Jovancoding/Network-AI*
567
+ *Network-AI v5.5.1 · MIT License · https://github.com/Jovancoding/Network-AI*
package/README.md CHANGED
@@ -5,7 +5,7 @@
5
5
  [![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
6
6
  [![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
7
7
  [![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
8
- [![Release](https://img.shields.io/badge/release-v5.5.0-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
8
+ [![Release](https://img.shields.io/badge/release-v5.5.1-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
9
9
  [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
10
10
  [![Tests](https://img.shields.io/badge/tests-3093%20passing-brightgreen.svg)](#testing)
11
11
  [![Adapters](https://img.shields.io/badge/frameworks-29%20supported-blueviolet.svg)](#adapter-system)
package/SKILL.md CHANGED
@@ -710,7 +710,8 @@ This skill is scanned on every publish. The following Notes are flagged by desig
710
710
  | Finding | Confidence | Why it recurs | Documented control |
711
711
  |---------|------------|---------------|--------------------|
712
712
  | **ASI01** Agent Goal Hijack | High | Orchestrator skill forces 3-sub-task decomposition by design | Use this skill only when multi-agent orchestration is desired; disable for simple one-shot tasks |
713
- | **ASI03** Identity and Privilege Abuse | High | Grant tokens are advisory only — caller identity is not cryptographically verified | Tokens are explicitly marked advisory in SKILL.md and source; require separate platform auth and human approval before any real database, payment, email, or export action |
713
+ | **ASI03** Identity and Privilege Abuse (advisory tokens) | High | Grant tokens are advisory only — caller identity is not cryptographically verified | Tokens are explicitly marked advisory in SKILL.md and source; require separate platform auth and human approval before any real database, payment, email, or export action |
714
+ | **ASI03** Identity and Privilege Abuse (env-scoped paths) | ~~High~~ Resolved | `revoke_token.py` resolved `GRANTS_FILE`/`AUDIT_LOG` at module load from root `data/`, ignoring `NETWORK_AI_ENV` — revoking tokens in one env could silently miss env-specific grant files | Fixed in v5.5.1 — `_resolve_data_dir()` added, `--env` CLI argument introduced, paths re-resolved in `main()` before file I/O; consistent with `check_permission.py` and `validate_token.py` |
714
715
  | **ASI06** Memory and Context Poisoning | High | Persistent `data/project-context.json` is injected into agent sessions by design | `_validate_context()` runs injection-pattern detection before every inject; do not store secrets/credentials; review `data/project-context.json` before use; clear `data/` between projects |
715
716
  | **ASI07** Insecure Inter-Agent Communication | High | Blackboard is local file-based; origin/identity depends on local file access, not authenticated messaging | Run in a trusted workspace; restrict file permissions on `data/`; review blackboard changes before relying on them for important decisions |
716
717
  | **ASI08** Cascading Failures | ~~High~~ Resolved | `os` was referenced before import in `swarm_guard.py` — fixed in v5.4.4; `import os` now present | Fixed — `swarm_guard.py` now imports `os` at module level; budget/health guard starts correctly |
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "network-ai",
3
- "version": "5.5.0",
3
+ "version": "5.5.1",
4
4
  "description": "AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Computer Use, OpenAI Agents SDK, Vertex AI, Pydantic AI, Browser Agent, Hermes, Orchestrator, RLM + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
5
5
  "homepage": "https://network-ai.org",
6
6
  "main": "dist/index.js",
package/scripts/revoke_token.py CHANGED
@@ -1,9 +1,9 @@
1
1
  #!/usr/bin/env python3
2
2
  # SECURITY: This script makes NO network calls and spawns NO subprocesses.
3
3
  # All I/O is local file operations only:
4
- # READS: data/active_grants.json, data/audit_log.jsonl
5
- # WRITES: data/active_grants.json, data/audit_log.jsonl
6
- # Imports used: argparse, json, sys, datetime, pathlib, typing
4
+ # READS: data[/<env>]/active_grants.json, data[/<env>]/audit_log.jsonl
5
+ # WRITES: data[/<env>]/active_grants.json, data[/<env>]/audit_log.jsonl
6
+ # Imports used: argparse, json, os, re, sys, datetime, pathlib, typing
7
7
  # No imports of: requests, socket, subprocess, urllib, http, ssl, ftplib, smtplib
8
8
  """
9
9
  Revoke Grant Token & TTL Enforcement
@@ -22,13 +22,27 @@ Example:
22
22
 
23
23
  import argparse
24
24
  import json
25
+ import os
26
+ import re
25
27
  import sys
26
28
  from datetime import datetime, timezone
27
29
  from pathlib import Path
28
30
  from typing import Any
29
31
 
30
- GRANTS_FILE = Path(__file__).parent.parent / "data" / "active_grants.json"
31
- AUDIT_LOG = Path(__file__).parent.parent / "data" / "audit_log.jsonl"
32
+
33
+ def _resolve_data_dir(env: str = "") -> Path:
34
+ """Return the active data directory, scoped to <env> when set."""
35
+ _env = env or os.environ.get("NETWORK_AI_ENV", "")
36
+ base = Path(__file__).parent.parent / "data"
37
+ if _env:
38
+ if not re.match(r'^[a-zA-Z0-9_-]+$', _env):
39
+ raise ValueError(f"Invalid NETWORK_AI_ENV value: {_env!r}")
40
+ return base / _env
41
+ return base
42
+
43
+
44
+ GRANTS_FILE = _resolve_data_dir() / "active_grants.json"
45
+ AUDIT_LOG = _resolve_data_dir() / "audit_log.jsonl"
32
46
 
33
47
 
34
48
  def log_audit(action: str, details: dict[str, Any]) -> None:
@@ -186,9 +200,20 @@ def main():
186
200
  parser.add_argument("--list-expired", action="store_true",
187
201
  help="List expired tokens without removing")
188
202
  parser.add_argument("--json", action="store_true", help="Output as JSON")
189
-
203
+ parser.add_argument(
204
+ "--env",
205
+ default="",
206
+ help="Target environment (dev|st|sit|qa|sandbox|preprod|prod). Overrides NETWORK_AI_ENV."
207
+ )
208
+
190
209
  args = parser.parse_args()
191
-
210
+
211
+ # Re-resolve data paths if --env was provided explicitly
212
+ global GRANTS_FILE, AUDIT_LOG
213
+ if args.env:
214
+ GRANTS_FILE = _resolve_data_dir(args.env) / "active_grants.json"
215
+ AUDIT_LOG = _resolve_data_dir(args.env) / "audit_log.jsonl"
216
+
192
217
  # Handle --list-expired
193
218
  if args.list_expired:
194
219
  result = list_expired_tokens()