Releases: Jovancoding/Network-AI

v5.1.2 — Zero innerHTML Sinks, Full CodeQL Remediation

18 Apr 22:02

What's Changed

Security — CodeQL Alert Remediation

  • Zero `innerHTML` sinks in `work-tree-dashboard.html` — all 5 panel functions (`showTreeDetail`, `updateAgentsPanel`, `updateAgentDetailPanel`, `updateSupervisorPanel`, narrative log) now use pure DOM APIs (`createElement` + `textContent` + `appendChild`)
  • Converted `agentMap` to `Map` (31 occurrences) — eliminates remote property injection via dynamic bracket notation
  • JSON round-trip sanitization at WebSocket ingestion for `diagnostics`, `orchestratorLogs`, and `stats` — breaks taint chain at the source
  • Removed dead code — `escapeHtml` and `safeSetHTML` functions no longer needed after DOM API conversion

Stats

  • 2,691 tests passing across 26 suites
  • 27 adapters — all green
  • 0 TypeScript errors

Full Changelog: v5.1.1...v5.1.2

v5.1.1 — CodeQL Security Fixes

18 Apr 20:45

Security Fixes

Resolved all 23 open CodeQL code scanning alerts:

XSS (7 alerts fixed)

  • All dynamic values in `control-plane.html` now pass through `esc()` sanitizer
  • All dynamic values in `work-tree-dashboard.html` now pass through `escapeHtml()` sanitizer

Remote Property Injection (8 alerts fixed)

  • State maps (`nodes`, `agentMap`, `bbEntries`) use `Object.create(null)` instead of plain objects
  • WebSocket data copied via `safeObj()` which filters `__proto__`, `constructor`, `prototype` keys

Prototype-Polluting Assignment (5 alerts fixed)

  • Incoming WebSocket objects sanitized through null-prototype copies
  • `deriveAgentsFromTree()` resets to `Object.create(null)`
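
The two mitigations listed for this release (null-prototype state maps and a filtering copy of incoming objects), beside the `Map` conversion that v5.1.2 later adopted, as an added JavaScript example that is not the project's own code. `safeObj()` is re-implemented from the description above; the `applyUpdate*` helpers and the sample message are hypothetical.

```javascript
// Added example, not project code; helper names and the sample message are hypothetical.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Deep-copy parsed JSON into null-prototype objects, dropping blocked keys.
function safeObj(value) {
  if (Array.isArray(value)) return value.map(safeObj);
  if (value === null || typeof value !== 'object') return value;
  const out = Object.create(null);
  for (const key of Object.keys(value)) {
    if (!BLOCKED.has(key)) out[key] = safeObj(value[key]);
  }
  return out;
}

// Before: plain object indexed by a remote-controlled id.
function applyUpdatePlain(agentMap, msg) {
  const entry = agentMap[msg.id] || (agentMap[msg.id] = {});
  for (const k of Object.keys(msg.fields)) entry[k] = msg.fields[k];
}

// v5.1.1 approach: null-prototype state map fed by a sanitized copy.
function applyUpdateNullProto(agentMap, msg) {
  const clean = safeObj(msg);
  const entry = agentMap[clean.id] || (agentMap[clean.id] = Object.create(null));
  for (const k of Object.keys(clean.fields)) entry[k] = clean.fields[k];
}

// v5.1.2 approach: Map keys are never resolved through a prototype chain.
function applyUpdateMap(agentMap, msg) {
  const clean = safeObj(msg);
  if (!agentMap.has(clean.id)) agentMap.set(clean.id, Object.create(null));
  Object.assign(agentMap.get(clean.id), clean.fields);
}

function demo() {
  // Constructed WebSocket payload whose id names the prototype slot.
  const msg = JSON.parse('{"id":"__proto__","fields":{"polluted":true}}');
  applyUpdatePlain({}, msg);
  const plainLeaks = ({}).polluted === true; // every object now inherits the field
  delete Object.prototype.polluted;          // undo before testing the fixes
  applyUpdateNullProto(Object.create(null), msg);
  const nullProtoLeaks = ({}).polluted === true;
  const map = new Map();
  applyUpdateMap(map, msg);
  const mapLeaks = ({}).polluted === true;
  return { plainLeaks, nullProtoLeaks, mapLeaks, mapKeys: [...map.keys()] };
}

console.log(demo());
```

In the plain-object version the id `__proto__` resolves to `Object.prototype`, so the write lands on every object in the process; in the other two it becomes an ordinary key.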

Unused Variables (2 alerts fixed)

  • Removed unused `elapsed` in `orchestrator-adapter.ts` catch block
  • Removed unused `agentsFitted` in `work-tree-dashboard.html`

Other

  • Security policy updated: 5.1.x is now current supported version
  • All 2,691 tests passing across 26 suites

v5.1.0 — OrchestratorAdapter, WorkTree Dashboard, CodeQL Fixes

18 Apr 20:27

What's New in v5.1.0

Added

  • OrchestratorAdapter — hierarchical multi-orchestrator coordination: wrap child SwarmOrchestrators as agents for parent orchestration, query child states, timeout guards
  • WorkTree Dashboard — 3-tab layout (Tree, Agents, Supervisor), clickable agent sidebar with expandable logs, supervisor diagnostics panel with health banner and activity narrative
  • SystemDiagnostic / SystemHealth types and computeDiagnostics() for real-time orchestrator health monitoring

Fixed (CodeQL High Severity)

  • #109 Polynomial ReDoS in security.ts — replaced unbounded \s* regex with line-split + bounded \s{0,10} to prevent DoS on prompt-injection heuristic
  • #110 Remote property injection in lib/dashboard.html — replaced plain object with Map to prevent prototype pollution

Fixed (CodeQL Notes)

  • #111 Removed unused imports writeFileSync, appendFileSync from lib/auth-guardian.ts
  • #112 Removed unused import stat from lib/coverage-reporter.ts
  • #113 Removed unused variable taskMap from lib/goal-dsl.ts

Fixed (Testing)

  • Restored 8 deleted adapter test suites (LlamaIndex, SemanticKernel, OpenAI Assistants, Haystack, DSPy, Agno, APS, full registry)
  • BaseAdapter.ensureReady() now throws AdapterNotInitializedError instead of plain Error

Stats

  • 27 adapters (was 26)
  • 2,691 tests passing across 26 suites (was 2,531)
  • All documentation updated across 13 files

Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md
npm: npm install network-ai@5.1.0

v5.0.0 — Multi-Agent Orchestrator Major Release

18 Apr 14:48

Network-AI v5.0.0

26 adapters · 2,531 tests · 65+ modules · zero runtime dependencies

Highlights

9 New Adapters (17 → 26)

  • CopilotAdapter — GitHub Copilot code generate/review/explain/fix/test/refactor
  • LangGraphAdapter — compiled StateGraph execution
  • AnthropicComputerUseAdapter — screenshot/click/type/scroll browser automation
  • OpenAIAgentsAdapter — tool use, handoffs, guardrails
  • VertexAIAdapter — Google Gemini with function calling + multi-modal
  • PydanticAIAdapter — structured output with validation + dependency injection
  • BrowserAgentAdapter — Playwright/Puppeteer/CDP browser control
  • LangChainStreamingAdapter / CustomStreamingAdapter — AsyncIterable partial results

New Core Modules

  • Goal DSL — YAML/JSON goal definitions compiled to TaskDAG
  • Agent VCR — record and replay agent interactions for deterministic testing
  • Comparison Runner — side-by-side adapter evaluation with scoring
  • Coverage Reporter — adapter capability coverage analysis
  • Job Queue — persistent priority FIFO with crash recovery and retry
  • Approval Inbox — web-accessible human approval queue for sensitive operations
  • Transport Layer — JSON-RPC 2.0 over WebSocket/HTTP with HMAC authentication
  • Playground REPL — interactive multi-adapter experimentation console
  • Adapter Test Harness — automated conformance testing for adapters
  • ConsoleUI — interactive terminal dashboard with ANSI TUI

Architecture Improvements

  • IAuthValidator interface — decoupled authorization contract; swap AuthGuardian for NoOpAuthValidator in tests or plug in external auth (LDAP, OAuth)
  • StreamingBaseAdapter — base class for adapters yielding partial results via AsyncIterable
  • APS delegation-chain trust — trust attenuation across agent delegation hops

Install

npm install network-ai@5.0.0

Full Changelog

See CHANGELOG.md for the complete history.

v4.15.3 — CodeQL #108 Bad HTML Filter Regexp

03 Apr 23:45

Fixed

  • CodeQL #108 -- Bad HTML filtering regexp (security.ts): Changed closing script tag regex to match all browser-accepted variants including </script foo="bar"> and tags with tabs/newlines.

Full test suite: 2,357 tests across 25 suites, all passing.

v4.15.2 — CodeQL Alerts #99-#107 + ClawHub Clean Scan

03 Apr 23:36

Fixed

  • CodeQL #107 — Bad HTML filtering regexp (`security.ts`): Changed `</script>` to `</script\s*>` to match browser-accepted variants like `</script >` per HTML spec.
  • CodeQL #99 — Unused variable `startTime` (`lib/agent-runtime.ts`): Removed.
  • CodeQL #100/#104 — Unused loop variable `target` (`lib/strategy-agent.ts`): Renamed to `_target`.
  • CodeQL #101 — Unused imports `AgentPool`, `WorkloadPartitioner` (`test-phase9.ts`): Removed.
  • CodeQL #102 — Unused function `assertThrows` (`test-phase9.ts`): Removed.
  • CodeQL #103 — Unused variable `echoCmd` (`test-phase9.ts`): Removed.
  • ClawHub suspicious flag — Excluded `scripts/postinstall.js` from Python skill bundle via `.clawhubignore`; updated `skill.json` description to acknowledge TypeScript engine.

Full test suite: 2,357 tests across 25 suites, all passing.

v4.15.1 — CodeQL Security Fixes

03 Apr 23:20

Fixed

  • CodeQL #105 — ReDoS in `parsePlanJSON()` (`lib/goal-decomposer.ts`): Replaced ambiguous regex with indexOf-based code-fence stripping to eliminate polynomial backtracking.
  • CodeQL #106 — TOCTOU race in postinstall (`scripts/postinstall.js`): Replaced `existsSync` → `readFileSync` → `writeFileSync` with `openSync('r+')` + `readFileSync(fd)` + `ftruncateSync` + `writeSync` to eliminate time-of-check-to-time-of-use race.
  • ReDoS in InputSanitizer (`security.ts`): Replaced `<script[\s\S]*?>[\s\S]*?</script>` (nested quantifiers) with `<script\b[^>]*>[\s\S]*?</script>` (unambiguous).
  • Shell injection risk in NemoClawAdapter (`adapters/nemoclaw-adapter.ts`): Replaced `command.split(' ')` with `tokenizeCommand()` helper respecting quoted arguments.
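
The call sequence named in the CodeQL #106 entry, shown beside the path-based pattern it replaced, as an added Node.js example that is not the project's `postinstall.js`. The function names, the sample file and its contents are hypothetical.

```javascript
// Added example, not the project's postinstall.js; names and sample file are hypothetical.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Before: three path-based calls. The file named by `file` can change
// between the existence check, the read and the write.
function patchFileRacy(file, transform) {
  if (!fs.existsSync(file)) return false;
  const text = fs.readFileSync(file, 'utf8');
  fs.writeFileSync(file, transform(text));
  return true;
}

// After: resolve the path once; read, truncate and write the same descriptor.
function patchFileByFd(file, transform) {
  let fd;
  try {
    fd = fs.openSync(file, 'r+'); // a missing file surfaces as ENOENT, no separate check
  } catch (err) {
    if (err.code === 'ENOENT') return false;
    throw err;
  }
  try {
    const out = Buffer.from(transform(fs.readFileSync(fd, 'utf8')), 'utf8');
    fs.ftruncateSync(fd, 0);                 // drop old bytes so a shorter result leaves no tail
    fs.writeSync(fd, out, 0, out.length, 0); // write at offset 0, not at the read position
    return true;
  } finally {
    fs.closeSync(fd);
  }
}

function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'toctou-demo-'));
  const file = path.join(dir, 'config.txt'); // constructed sample file
  fs.writeFileSync(file, 'mode=legacy-long-value\n');
  const changed = patchFileByFd(file, (t) => t.replace('legacy-long-value', 'new'));
  const missing = patchFileByFd(path.join(dir, 'absent.txt'), (t) => t);
  const result = fs.readFileSync(file, 'utf8');
  fs.rmSync(dir, { recursive: true, force: true });
  return { changed, missing, result };
}

console.log(demo());
```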

Full test suite: 2,357 tests across 25 suites, all passing.

v4.15.0 — Goal Decomposer: LLM-powered goal → task DAG → parallel execution

03 Apr 23:05

What's New

Goal Decomposer (Phase 10)

One line to go from goal to results:

```typescript
import { runTeam, createLLMPlanner } from 'network-ai';

// `executor` is assumed to be defined by the caller; the release note does not show it.
const result = await runTeam(
  'Build a REST API for user management',
  [
    { id: 'architect', role: 'System design and API specification' },
    { id: 'coder', role: 'Write TypeScript code' },
    { id: 'reviewer', role: 'Code review and quality checks' },
  ],
  { planner: createLLMPlanner(executor, 'gpt-4'), executor }
);

console.log(result.summary);
// Goal: "Build a REST API..." — 3/3 tasks completed in 4200ms
```

New features

  • `GoalDecomposer` — LLM-powered goal decomposition into a validated `TaskDAG` with cycle detection (Kahn's algorithm), dependency validation, and retry logic
  • `TeamRunner` — DAG execution engine with topological-layer parallel scheduling, concurrency limits, per-task and total timeouts, priority ordering, and dependency result injection (`_dependencyResults`)
  • `runTeam()` one-liner — single function call: goal in, `TeamResult` out. Optional approval gate, planner retries, and full event emission
  • `createLLMPlanner()` — built-in planner factory that sends structured prompts to any LLM via the adapter system; handles code fences, preamble text, and nested response shapes (`{ tasks }`, `{ text }`, `{ content }`)
  • DAG utilities — `validateDAG()`, `topologicalLayers()`, `parsePlanJSON()`
  • TypeScript 6.0 — upgraded from 5.9.3 to 6.0.2

Testing

  • 153 new tests in `test-phase10.ts` (12 sections: DAG validation, topological layers, JSON parsing, decomposer, runner, failure handling, concurrency/timeouts, events, runTeam one-liner, dependency injection, LLM planner, edge cases)
  • 2,357 total tests across 25 suites — all passing

Full Changelog

https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md#4150---2026-04-04

v4.14.0 — Phase 9: Agent Runtime, Console, Pipe Mode & Strategy Agent

02 Apr 20:09

Phase 9 — Agent Runtime, Interactive Console & Strategy Agent

Agent Runtime (Phase 9a)

  • SandboxPolicy: Command allowlists/blocklists, path scoping with traversal protection, risk assessment (low/medium/high)
  • ShellExecutor: Sandboxed child_process.spawn with timeout, output limits, concurrency tracking
  • FileAccessor: Scoped read/write/list with traversal protection
  • ApprovalGate: Human or callback approval for high-risk operations, full history with audit trail

Console UI (Phase 9b)

  • Interactive TUI: ANSI-colored terminal dashboard with readline-based command input
  • 20+ commands: status, exec, read, ls, approve, deny, audit, policy, agents, spawn, stop, bb (CRUD + propose/validate/commit), budget, fsm, health
  • Live status bar: Agents, budget, FSM state, pending approvals
  • Shared orchestrator: Console controls the same LockedBlackboard, FederatedBudget, JourneyFSM, and AdapterRegistry as the MCP server

Pipe Mode (Phase 9d)

  • JSON stdin/stdout protocol: `npx network-ai-console --pipe` for AI-to-orchestrator control
  • 18 commands: status, exec, bb_read, bb_write, bb_list, bb_delete, bb_propose, bb_validate, bb_commit, budget, budget_spend, budget_reset, fsm, fsm_transition, agents, spawn, health, policy
  • Structured JSON responses with success/error handling

Strategy Agent (Phase 9f)

  • AgentPool: Elastic agent spawn/recycle with capacity enforcement
  • WorkloadPartitioner: Task chunking with priority routing and weighted distribution
  • Adaptive scaling: Auto-scale up/down based on utilization thresholds, budget reallocation, cooldown periods
  • Designed for 1K–1M agent coordination

Testing

  • 280 new tests across 9 sections (9a–9i)
  • 2,204 total tests across 24 suites — all passing
  • Zero external dependencies — Node.js builtins only

Documentation

  • Updated 17 files: README, SECURITY.md (x2), CHANGELOG, ARCHITECTURE, QUICKSTART, CONTRIBUTING, ENTERPRISE, INTEGRATION_GUIDE, SKILL.md, CLAUDE.md, CODEX.md, copilot-instructions.md, references/adapter-system.md, package.json, skill.json, openapi.yaml

v4.13.1 — Documentation Update

01 Apr 20:25

Changed

  • Updated all documentation for v4.13.0 Phase 8 features:
    • SECURITY.md (root + .github): version table → 4.13.x current; added Phase 8 security entries (matcher-based hook filtering, approval gates, confidence-based filtering)
    • README.md: "What's Included" table with 4 Phase 8 rows; test table with `test-phase8.ts` row; 1,924 / 23 suites
    • ARCHITECTURE.md: project structure tree with Phase 7 + Phase 8 lib/ modules
    • references/adapter-system.md: 4 new sections with code examples (Matcher Filtering, Phase Pipeline, Confidence Filter, Fan-Out/Fan-In)
    • SKILL.md: TypeScript engine note linking parallel strategies to Phase 8 modules
    • CLAUDE.md, CODEX.md: version + project structure
    • CONTRIBUTING.md: test count
    • copilot-instructions.md: Key Files with Phase 8 modules

Full Changelog: v4.13.0...v4.13.1