network-ai 5.8.2 → 5.8.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/INTEGRATION_GUIDE.md +1 -1
- package/README.md +1 -1
- package/SKILL.md +8 -4
- package/package.json +1 -1
package/INTEGRATION_GUIDE.md
CHANGED
package/README.md
CHANGED
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
[](https://network-ai.org/)
|
|
6
6
|
[](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
|
|
7
7
|
[](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
|
|
8
|
-
[](https://github.com/Jovancoding/Network-AI/releases)
|
|
9
9
|
[](https://www.npmjs.com/package/network-ai)
|
|
10
10
|
[](#testing)
|
|
11
11
|
[](#adapter-system)
|
package/SKILL.md
CHANGED
|
@@ -6,12 +6,12 @@ metadata:
|
|
|
6
6
|
emoji: "\U0001F41D"
|
|
7
7
|
homepage: https://network-ai.org
|
|
8
8
|
capabilities:
|
|
9
|
-
filesystem: "read/write —
|
|
9
|
+
filesystem: "read/write — project root `swarm-blackboard.md` (blackboard state), `data/pending_changes/<id>.json` (WAL entries), `data/audit_log.jsonl`, `data/active_grants.json`, `data/.signing_key`, `data/project-context.json`, `data/task_tracking.json`, `data/agent_health.json`, `data/budget_tracking.json`. All paths are local; nothing is transmitted over the network. When NETWORK_AI_ENV is set, data paths are rooted at `data/<env>/` instead of `data/`."
|
|
10
10
|
env_vars: "read — NETWORK_AI_ENV (environment routing), NETWORK_AI_MCP_SECRET (MCP bearer auth), NETWORK_AI_MINIMAL (minimal-mode flag). No env vars are written."
|
|
11
11
|
shell_exec: "optional — AgentRuntime (lib/agent-runtime.ts) with SandboxPolicy and ApprovalGate; disabled by default. Never auto-enabled by this skill. auto_approve must NOT be set in production (see auto_approve_warning below)."
|
|
12
12
|
tcp_port: "optional — MCP SSE server (bin/mcp-server.ts) binds 127.0.0.1 only when explicitly started by the operator. Requires a non-empty bearer-token secret. Never auto-started by this skill or any bundled Python script."
|
|
13
13
|
bundle_scope:
|
|
14
|
-
clawhub_python_scripts: "Python stdlib only — scripts/*.py (blackboard.py, check_permission.py, context_manager.py, swarm_guard.py,
|
|
14
|
+
clawhub_python_scripts: "Python stdlib only — scripts/*.py (blackboard.py, check_permission.py, context_manager.py, swarm_guard.py, validate_token.py, revoke_token.py). Zero network calls, zero subprocesses, zero third-party packages. This is the scope scanned by SkillSpector."
|
|
15
15
|
npm_full_package: "The npm package (npm install network-ai) adds: TypeScript library modules, CLI (bin/cli.ts), and optional MCP SSE server (bin/mcp-server.ts). The MCP SSE server exposes a TCP port and is NOT activated by installing or importing the package — it must be explicitly started by the operator."
|
|
16
16
|
network_calls:
|
|
17
17
|
python_scripts: none
|
|
@@ -34,8 +34,12 @@ metadata:
|
|
|
34
34
|
data_directory:
|
|
35
35
|
path: data/
|
|
36
36
|
scope: local-only
|
|
37
|
-
files: ["audit_log.jsonl", "active_grants.json", "project-context.json"]
|
|
37
|
+
files: ["audit_log.jsonl", "active_grants.json", ".signing_key", "project-context.json", "task_tracking.json", "agent_health.json", "budget_tracking.json", "pending_changes/<id>.json"]
|
|
38
38
|
description: "All persistent state is local-only. No files are transmitted over the network."
|
|
39
|
+
blackboard_file:
|
|
40
|
+
path: swarm-blackboard.md
|
|
41
|
+
scope: local-only
|
|
42
|
+
description: "Shared coordination state written by scripts/blackboard.py (project root). Contains task results, grant tokens, status flags, and TTL-scoped cache entries. Access should be restricted to the local user running the swarm."
|
|
39
43
|
auto_approve_warning: "ApprovalGate.auto_approve (lib/agent-runtime.ts) must NOT be enabled in production or untrusted environments. It is only appropriate in explicitly isolated CI/dev sandboxes where all commands executed by the runtime are known and trusted in advance."
|
|
40
44
|
---
|
|
41
45
|
|
|
@@ -750,7 +754,7 @@ The following findings are drawn from the **MAESTRO Agent Security Threat** fram
|
|
|
750
754
|
|
|
751
755
|
| Control | How Network-AI addresses it |
|
|
752
756
|
|---|---|
|
|
753
|
-
| **Exact version pinning** | npm `package.json` uses exact `"version": "5.8.
|
|
757
|
+
| **Exact version pinning** | npm `package.json` uses exact `"version": "5.8.3"` — no semver range specifiers; `clawhub install network-ai` pins to a specific published version |
|
|
754
758
|
| **Zero transitive dependency drift** | All bundled Python scripts use Python stdlib only — `pip install` is never required; there are no third-party packages to drift, be compromised upstream, or introduce CVEs |
|
|
755
759
|
| **Signed, tagged releases** | Every release is committed with a signed Git tag (`v5.7.x`); commit hash is verifiable against CHANGELOG.md; GitHub releases link tag → diff → changelog entry |
|
|
756
760
|
| **Supply chain monitoring** | npm package continuously scored by Socket.dev (score A); any new dependency or permission change triggers an alert |
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "network-ai",
|
|
3
|
-
"version": "5.8.
|
|
3
|
+
"version": "5.8.3",
|
|
4
4
|
"description": "AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Computer Use, OpenAI Agents SDK, Vertex AI, Pydantic AI, Browser Agent, Hermes, Orchestrator, RLM + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
|
|
5
5
|
"homepage": "https://network-ai.org",
|
|
6
6
|
"main": "dist/index.js",
|