Releases: Jovancoding/Network-AI
v5.1.2 — Zero innerHTML Sinks, Full CodeQL Remediation
What's Changed
Security — CodeQL Alert Remediation
- Zero `innerHTML` sinks in `work-tree-dashboard.html` — all 5 panel functions (`showTreeDetail`, `updateAgentsPanel`, `updateAgentDetailPanel`, `updateSupervisorPanel`, narrative log) now use pure DOM APIs (`createElement` + `textContent` + `appendChild`)
- Converted `agentMap` to `Map` (31 occurrences) — eliminates remote property injection via dynamic bracket notation
- JSON round-trip sanitization at WebSocket ingestion for `diagnostics`, `orchestratorLogs`, and `stats` — breaks taint chain at the source
- Removed dead code — `escapeHtml` and `safeSetHTML` functions no longer needed after DOM API conversion
Stats
- 2,691 tests passing across 26 suites
- 27 adapters — all green
- 0 TypeScript errors
Full Changelog: v5.1.1...v5.1.2
v5.1.1 — CodeQL Security Fixes
Security Fixes
Resolved all 23 open CodeQL code scanning alerts:
XSS (7 alerts fixed)
- All dynamic values in `control-plane.html` now pass through `esc()` sanitizer
- All dynamic values in `work-tree-dashboard.html` now pass through `escapeHtml()` sanitizer
Remote Property Injection (8 alerts fixed)
- State maps (`nodes`, `agentMap`, `bbEntries`) use `Object.create(null)` instead of plain objects
- WebSocket data copied via `safeObj()` which filters `__proto__`, `constructor`, `prototype` keys
Prototype-Polluting Assignment (5 alerts fixed)
- Incoming WebSocket objects sanitized through null-prototype copies
- `deriveAgentsFromTree()` resets to `Object.create(null)`
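The two alert classes above (remote property injection and prototype-polluting assignment), and the later `agentMap` to `Map` conversion in v5.1.2, can be reproduced in a few lines. This is an added example, not the project's code: `copyWithoutProtoKeys`, both ingest functions and the sample frames are hypothetical stand-ins for the dashboard's `safeObj()` and state maps.

```javascript
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical helper (not the project's safeObj()): shallow null-prototype copy
// that drops the three keys the release note lists.
function copyWithoutProtoKeys(src) {
  const dst = Object.create(null);
  for (const key of Object.keys(src)) {
    if (!BLOCKED_KEYS.has(key)) dst[key] = src[key];
  }
  return dst;
}

// Constructed WebSocket frames, as JSON text the way they would arrive.
const SAMPLE_FRAMES = [
  '{"id":"agent-1","data":{"state":"idle","__proto__":{"isAdmin":true}}}',
  '{"id":"__proto__","data":{"injected":"yes"}}',
];

// Before: plain-object state map indexed by a message-supplied id.
function ingestIntoPlainObject(frames) {
  const agents = {};
  for (const frame of frames) {
    const msg = JSON.parse(frame);
    // agents["__proto__"] resolves to Object.prototype, so the merge writes there.
    agents[msg.id] = Object.assign(agents[msg.id] || {}, msg.data);
  }
  const result = {
    recordPolluted: agents['agent-1'].isAdmin === true,
    globalPolluted: ({}).injected === 'yes',
  };
  delete Object.prototype.injected; // undo the demonstration's side effect
  return result;
}

// After: Map keyed by id, holding filtered null-prototype records.
function ingestIntoMap(frames) {
  const agents = new Map();
  for (const frame of frames) {
    const msg = JSON.parse(frame);
    const record = agents.get(msg.id) || Object.create(null);
    agents.set(msg.id, Object.assign(record, copyWithoutProtoKeys(msg.data)));
  }
  return {
    recordPolluted: agents.get('agent-1').isAdmin === true,
    globalPolluted: ({}).injected === 'yes',
    ids: [...agents.keys()],
  };
}
```

With the `Map`, the id `"__proto__"` is stored as an ordinary string key and never reaches a property lookup.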
Unused Variables (2 alerts fixed)
- Removed unused `elapsed` in `orchestrator-adapter.ts` catch block
- Removed unused `agentsFitted` in `work-tree-dashboard.html`
Other
- Security policy updated: 5.1.x is now current supported version
- All 2,691 tests passing across 26 suites
v5.1.0 — OrchestratorAdapter, WorkTree Dashboard, CodeQL Fixes
What's New in v5.1.0
Added
- OrchestratorAdapter — hierarchical multi-orchestrator coordination: wrap child SwarmOrchestrators as agents for parent orchestration, query child states, timeout guards
- WorkTree Dashboard — 3-tab layout (Tree, Agents, Supervisor), clickable agent sidebar with expandable logs, supervisor diagnostics panel with health banner and activity narrative
- SystemDiagnostic / SystemHealth types and `computeDiagnostics()` for real-time orchestrator health monitoring
Fixed (CodeQL High Severity)
- #109 Polynomial ReDoS in `security.ts` — replaced unbounded `\s*` regex with line-split + bounded `\s{0,10}` to prevent DoS on prompt-injection heuristic
- #110 Remote property injection in `lib/dashboard.html` — replaced plain object with `Map` to prevent prototype pollution
Fixed (CodeQL Notes)
- #111 Removed unused imports `writeFileSync`, `appendFileSync` from `lib/auth-guardian.ts`
- #112 Removed unused import `stat` from `lib/coverage-reporter.ts`
- #113 Removed unused variable `taskMap` from `lib/goal-dsl.ts`
Fixed (Testing)
- Restored 8 deleted adapter test suites (LlamaIndex, SemanticKernel, OpenAI Assistants, Haystack, DSPy, Agno, APS, full registry)
- `BaseAdapter.ensureReady()` now throws `AdapterNotInitializedError` instead of plain `Error`
Stats
- 27 adapters (was 26)
- 2,691 tests passing across 26 suites (was 2,531)
- All documentation updated across 13 files
Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md
npm: npm install network-ai@5.1.0
v5.0.0 — Multi-Agent Orchestrator Major Release
Network-AI v5.0.0
26 adapters · 2,531 tests · 65+ modules · zero runtime dependencies
Highlights
9 New Adapters (17 → 26)
- CopilotAdapter — GitHub Copilot code generate/review/explain/fix/test/refactor
- LangGraphAdapter — compiled StateGraph execution
- AnthropicComputerUseAdapter — screenshot/click/type/scroll browser automation
- OpenAIAgentsAdapter — tool use, handoffs, guardrails
- VertexAIAdapter — Google Gemini with function calling + multi-modal
- PydanticAIAdapter — structured output with validation + dependency injection
- BrowserAgentAdapter — Playwright/Puppeteer/CDP browser control
- LangChainStreamingAdapter / CustomStreamingAdapter — `AsyncIterable` partial results
New Core Modules
- Goal DSL — YAML/JSON goal definitions compiled to TaskDAG
- Agent VCR — record and replay agent interactions for deterministic testing
- Comparison Runner — side-by-side adapter evaluation with scoring
- Coverage Reporter — adapter capability coverage analysis
- Job Queue — persistent priority FIFO with crash recovery and retry
- Approval Inbox — web-accessible human approval queue for sensitive operations
- Transport Layer — JSON-RPC 2.0 over WebSocket/HTTP with HMAC authentication
- Playground REPL — interactive multi-adapter experimentation console
- Adapter Test Harness — automated conformance testing for adapters
- ConsoleUI — interactive terminal dashboard with ANSI TUI
Architecture Improvements
- IAuthValidator interface — decoupled authorization contract; swap AuthGuardian for NoOpAuthValidator in tests or plug in external auth (LDAP, OAuth)
- StreamingBaseAdapter — base class for adapters yielding partial results via `AsyncIterable`
- APS delegation-chain trust — trust attenuation across agent delegation hops
Install
npm install network-ai@5.0.0
Full Changelog
See CHANGELOG.md for the complete history.
v4.15.3 — CodeQL #108 Bad HTML Filter Regexp
Fixed
- CodeQL #108 — Bad HTML filtering regexp (`security.ts`): Changed closing script tag regex to match all browser-accepted variants including `</script foo="bar">` and tags with tabs/newlines.
Full test suite: 2,357 tests across 25 suites, all passing.
v4.15.2 — CodeQL Alerts #99-#107 + ClawHub Clean Scan
Fixed
- CodeQL #107 — Bad HTML filtering regexp (`security.ts`): Changed `</script>` to `</script\s*>` to match browser-accepted variants like `</script >` per HTML spec.
- CodeQL #99 — Unused variable `startTime` (`lib/agent-runtime.ts`): Removed.
- CodeQL #100/#104 — Unused loop variable `target` (`lib/strategy-agent.ts`): Renamed to `_target`.
- CodeQL #101 — Unused imports `AgentPool`, `WorkloadPartitioner` (`test-phase9.ts`): Removed.
- CodeQL #102 — Unused function `assertThrows` (`test-phase9.ts`): Removed.
- CodeQL #103 — Unused variable `echoCmd` (`test-phase9.ts`): Removed.
- ClawHub suspicious flag — Excluded `scripts/postinstall.js` from Python skill bundle via `.clawhubignore`; updated `skill.json` description to acknowledge TypeScript engine.
Full test suite: 2,357 tests across 25 suites, all passing.
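Why #107 needed the follow-up in #108 shows up when each closing-tag pattern is run over the end-tag spellings the two notes mention. This is an added example, not the project's `security.ts`: the `anyAttributes` pattern is an assumed shape for the #108 fix, the `i` flag is an assumption, and all inputs are constructed.

```javascript
// Constructed inputs: spellings of a script end tag that an HTML parser accepts.
const CLOSING_VARIANTS = [
  '</script>',
  '</script >',
  '</script\t\n>',
  '</script foo="bar">',
  '</SCRIPT>',
];

// Constructed inputs that are not script end tags and should not match.
const NOT_CLOSERS = ['</scripts>', '<script>', '</ script>'];

const FILTERS = {
  literal: /<\/script>/i,               // the form #107 replaced
  optionalSpace: /<\/script\s*>/i,      // the #107 form quoted above
  anyAttributes: /<\/script\b[^>]*>/i,  // assumed shape for #108, not the project's regex
};

// For one filter, list the real end tags it misses and the non-tags it flags.
function coverage(filter) {
  return {
    missed: CLOSING_VARIANTS.filter((v) => !filter.test(v)),
    falsePositives: NOT_CLOSERS.filter((v) => filter.test(v)),
  };
}

// Coverage for every filter, keyed by filter name.
function report() {
  const out = {};
  for (const [name, re] of Object.entries(FILTERS)) out[name] = coverage(re);
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

The `\b` in the last pattern keeps `[^>]*` from also accepting `</scripts>`.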
v4.15.1 — CodeQL Security Fixes
Fixed
- CodeQL #105 — ReDoS in `parsePlanJSON()` (`lib/goal-decomposer.ts`): Replaced ambiguous regex with `indexOf`-based code-fence stripping to eliminate polynomial backtracking.
- CodeQL #106 — TOCTOU race in postinstall (`scripts/postinstall.js`): Replaced `existsSync` → `readFileSync` → `writeFileSync` with `openSync('r+')` + `readFileSync(fd)` + `truncateSync` + `writeSync` to eliminate time-of-check-to-time-of-use race.
- ReDoS in InputSanitizer (`security.ts`): Replaced `<script[\s\S]*?>[\s\S]*?</script>` (nested quantifiers) with `<script\b[^>]*>[\s\S]*?</script>` (unambiguous).
- Shell injection risk in NemoClawAdapter (`adapters/nemoclaw-adapter.ts`): Replaced `command.split(' ')` with `tokenizeCommand()` helper respecting quoted arguments.
Full test suite: 2,357 tests across 25 suites, all passing.
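The NemoClawAdapter item comes down to argument boundaries: `split(' ')` ignores quoting, so one quoted value turns into several argv entries. The sketch below is an added example, not the project's `tokenizeCommand()`; `tokenizeQuoted`, `naiveSplit` and the sample command are hypothetical.

```javascript
// Hypothetical quote-aware tokenizer; the project's tokenizeCommand() is not shown on this page.
function tokenizeQuoted(command) {
  const tokens = [];
  let current = '';
  let quote = null;     // active quote character, or null when outside quotes
  let started = false;  // true once a token has begun, so "" yields an empty token
  for (const ch of command) {
    if (quote) {
      if (ch === quote) quote = null;
      else current += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      started = true;
    } else if (/\s/.test(ch)) {
      if (started) {
        tokens.push(current);
        current = '';
        started = false;
      }
    } else {
      current += ch;
      started = true;
    }
  }
  // Fail closed on malformed input instead of guessing where the argument ends.
  if (quote) throw new Error('unterminated quote in command');
  if (started) tokens.push(current);
  return tokens;
}

// The replaced pattern, kept for comparison.
function naiveSplit(command) {
  return command.split(' ');
}

// Constructed sample command line.
const SAMPLE_COMMAND =
  'git commit -m "fix: handle  spaces" --author=\'A B <a@example.com>\'';

console.log(naiveSplit(SAMPLE_COMMAND));
console.log(tokenizeQuoted(SAMPLE_COMMAND));
```

The token array is meant to be passed as an argv list to a spawn call without a shell, so quoting is resolved once, here, and nowhere else.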
v4.15.0 — Goal Decomposer: LLM-powered goal → task DAG → parallel execution
What's New
Goal Decomposer (Phase 10)
One line to go from goal to results:
```typescript
import { runTeam, createLLMPlanner } from 'network-ai';

const result = await runTeam(
  'Build a REST API for user management',
  [
    { id: 'architect', role: 'System design and API specification' },
    { id: 'coder', role: 'Write TypeScript code' },
    { id: 'reviewer', role: 'Code review and quality checks' },
  ],
  { planner: createLLMPlanner(executor, 'gpt-4'), executor }
);
console.log(result.summary);
// Goal: "Build a REST API..." — 3/3 tasks completed in 4200ms
```
New features
- `GoalDecomposer` — LLM-powered goal decomposition into a validated `TaskDAG` with cycle detection (Kahn's algorithm), dependency validation, and retry logic
- `TeamRunner` — DAG execution engine with topological-layer parallel scheduling, concurrency limits, per-task and total timeouts, priority ordering, and dependency result injection (`_dependencyResults`)
- `runTeam()` one-liner — single function call: goal in, `TeamResult` out. Optional approval gate, planner retries, and full event emission
- `createLLMPlanner()` — built-in planner factory that sends structured prompts to any LLM via the adapter system; handles code fences, preamble text, and nested response shapes (`{ tasks }`, `{ text }`, `{ content }`)
- DAG utilities — `validateDAG()`, `topologicalLayers()`, `parsePlanJSON()`
- TypeScript 6.0 — upgraded from 5.9.3 to 6.0.2
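The planner's handling of code fences and preamble text is the same path that CodeQL #105 (v4.15.1) later moved from a regex to `indexOf` scanning. The sketch below is an added example of that regex-free approach, not the project's `parsePlanJSON()`; `extractJsonPayload` and the sample reply are hypothetical.

```javascript
// Built with repeat() so the example never embeds a literal fence marker.
const FENCE = '`'.repeat(3);

// Hypothetical helper: pull one JSON object out of an LLM reply using only
// indexOf/lastIndexOf, so running time stays linear in the input length.
function extractJsonPayload(text) {
  let body = text;
  const open = text.indexOf(FENCE);
  if (open !== -1) {
    const close = text.indexOf(FENCE, open + FENCE.length);
    if (close === -1) throw new Error('unterminated code fence');
    // Skip the info string (for example "json") on the opening fence line.
    const eol = text.indexOf('\n', open);
    const start = eol !== -1 && eol < close ? eol + 1 : open + FENCE.length;
    body = text.slice(start, close);
  }
  // Tolerate preamble and trailing text: keep the outermost {...} span.
  const first = body.indexOf('{');
  const last = body.lastIndexOf('}');
  if (first === -1 || last < first) throw new Error('no JSON object found');
  return JSON.parse(body.slice(first, last + 1));
}

// Constructed sample reply: preamble, fenced JSON, trailing chatter.
const SAMPLE_REPLY =
  'Here is the plan:\n' + FENCE + 'json\n' +
  '{"tasks":[{"id":"t1","dependsOn":[]},{"id":"t2","dependsOn":["t1"]}]}\n' +
  FENCE + '\nLet me know if you want changes.';

console.log(extractJsonPayload(SAMPLE_REPLY));
```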
Testing
- 153 new tests in `test-phase10.ts` (12 sections: DAG validation, topological layers, JSON parsing, decomposer, runner, failure handling, concurrency/timeouts, events, runTeam one-liner, dependency injection, LLM planner, edge cases)
- 2,357 total tests across 25 suites — all passing
Full Changelog
https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md#4150---2026-04-04
v4.14.0 — Phase 9: Agent Runtime, Console, Pipe Mode & Strategy Agent
Phase 9 — Agent Runtime, Interactive Console & Strategy Agent
Agent Runtime (Phase 9a)
- SandboxPolicy: Command allowlists/blocklists, path scoping with traversal protection, risk assessment (low/medium/high)
- ShellExecutor: Sandboxed child_process.spawn with timeout, output limits, concurrency tracking
- FileAccessor: Scoped read/write/list with traversal protection
- ApprovalGate: Human or callback approval for high-risk operations, full history with audit trail
Console UI (Phase 9b)
- Interactive TUI: ANSI-colored terminal dashboard with readline-based command input
- 20+ commands: status, exec, read, ls, approve, deny, audit, policy, agents, spawn, stop, bb (CRUD + propose/validate/commit), budget, fsm, health
- Live status bar: Agents, budget, FSM state, pending approvals
- Shared orchestrator: Console controls the same LockedBlackboard, FederatedBudget, JourneyFSM, and AdapterRegistry as the MCP server
Pipe Mode (Phase 9d)
- JSON stdin/stdout protocol: `npx network-ai-console --pipe` for AI-to-orchestrator control
- 18 commands: status, exec, bb_read, bb_write, bb_list, bb_delete, bb_propose, bb_validate, bb_commit, budget, budget_spend, budget_reset, fsm, fsm_transition, agents, spawn, health, policy
- Structured JSON responses with success/error handling
Strategy Agent (Phase 9f)
- AgentPool: Elastic agent spawn/recycle with capacity enforcement
- WorkloadPartitioner: Task chunking with priority routing and weighted distribution
- Adaptive scaling: Auto-scale up/down based on utilization thresholds, budget reallocation, cooldown periods
- Designed for 1K–1M agent coordination
Testing
- 280 new tests across 9 sections (9a–9i)
- 2,204 total tests across 24 suites — all passing
- Zero external dependencies — Node.js builtins only
Documentation
- Updated 17 files: README, SECURITY.md (x2), CHANGELOG, ARCHITECTURE, QUICKSTART, CONTRIBUTING, ENTERPRISE, INTEGRATION_GUIDE, SKILL.md, CLAUDE.md, CODEX.md, copilot-instructions.md, references/adapter-system.md, package.json, skill.json, openapi.yaml
v4.13.1 — Documentation Update
Changed
- Updated all documentation for v4.13.0 Phase 8 features:
- SECURITY.md (root + .github): version table → 4.13.x current; added Phase 8 security entries (matcher-based hook filtering, approval gates, confidence-based filtering)
- README.md: "What's Included" table with 4 Phase 8 rows; test table with `test-phase8.ts` row; 1,924 / 23 suites
- ARCHITECTURE.md: project structure tree with Phase 7 + Phase 8 lib/ modules
- references/adapter-system.md: 4 new sections with code examples (Matcher Filtering, Phase Pipeline, Confidence Filter, Fan-Out/Fan-In)
- SKILL.md: TypeScript engine note linking parallel strategies to Phase 8 modules
- CLAUDE.md, CODEX.md: version + project structure
- CONTRIBUTING.md: test count
- copilot-instructions.md: Key Files with Phase 8 modules
Full Changelog: v4.13.0...v4.13.1