Releases: Jovancoding/Network-AI

v5.5.5 — MAESTRO/OWASP AST Framework Assessment

17 May 17:09

v5.5.5 — MAESTRO / OWASP AST Framework Assessment

Type: Documentation
Date: 2026-05-17

What changed

Added a new Security Framework Assessment (MAESTRO / OWASP AST) section to SKILL.md documenting Network-AI's architectural mitigations for three MAESTRO Agent Security Threat findings:

AST03 — Over-Privileged Skills (High)

Mitigations documented: permission manifest in frontmatter (bundle_scope, network_calls: none); least-privilege resource gating with --confirm-high-risk for PAYMENTS/FILE_EXPORT; abstract-only resource labels (no external credentials); HMAC-signed grant tokens (v5.5.2); SandboxPolicy + FileAccessor path scoping; advisory-only token enforcement.

AST06 — Weak Isolation (High)

Mitigations documented: zero subprocesses / zero network calls declared in frontmatter; AgentRuntime ShellExecutor allowlist/timeout; SourceProtectionError on out-of-scope paths; NETWORK_AI_ENV environment isolation; ApprovalGate for high-risk ops; no hot-reload surface.

AST07 — Update Drift (Medium)

Mitigations documented: exact version pinning in package.json; zero transitive dependencies (Python stdlib only); signed tagged releases; Socket.dev supply chain monitoring; no auto-update mechanism; CHANGELOG.md audit trail.

Files changed

  • SKILL.md — new MAESTRO/OWASP AST section added (before ClawHub findings table)
  • Version bumped to 5.5.5 in package.json, skill.json, openapi.yaml, README.md, CLAUDE.md, CODEX.md, ARCHITECTURE.md, BENCHMARKS.md, AUDIT_LOG_SCHEMA.md, INTEGRATION_GUIDE.md, references/adapter-system.md, .github/copilot-instructions.md, SECURITY.md, .github/SECURITY.md, ENTERPRISE.md, CHANGELOG.md

No code changes. All tests continue to pass.

v5.5.4 — ClawHub scan findings documented (ASI03/ASI06 severity update + 2 new Low)

17 May 16:19

What's changed

Documentation — ClawHub scan findings

Updated SKILL.md Security Scan Findings table to reflect the v5.5.3 ClawHub scan results:

  • Column renamed: Confidence → Severity (matches ClawHub UI terminology)
  • ASI03 advisory tokens: severity High → Medium
  • ASI06 project context: severity High → Medium
  • New — Low ASI03 local grant state: the .signing_key and active_grants.json files introduced in v5.5.2 are security-relevant local state; mitigation: keep data/ private, restrict OS-level permissions on shared machines
  • New — Low ASI06 audit log free text: justification fields and data/audit_log.jsonl store agent-provided free text locally — do not include PII, secrets, or credentials; restrict data/ directory on shared machines

All four remaining findings are by design. The documented controls in SKILL.md are the mitigations — not an elimination of the patterns.

SECURITY.md ClawHub scanner entry updated to summarise the v5.5.3 scan state (2 Medium, 2 Low, all acknowledged).


Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

Documentation-only release. No code changes.

v5.5.3 — CodeQL alerts resolved (#154-#159)

17 May 15:28

What's changed

Fixed — CodeQL alerts #154–#159

  • lib/transport-agent.ts — useless-assignment-to-local (#155–#158)

    The initial let status = updateStatus({startedAt: now()}) and three intermediate status = updateStatus({...}) calls (at drain, promote, and canary phases) were dead stores — the assigned value was always overwritten before being read. Fixed by separating the side-effect blackboard write from the status declaration and dropping the three intermediate assignments. All return status paths retain their preceding assignments. TypeScript strict-mode definite-assignment analysis passes; 116/116 transport tests still pass.

  • test-transport.ts — unused variable origGet (#154)

    origGet was saved to preserve the original getViolations binding but was never used after patching. Removed.

  • scripts/check_permission.py — empty-except (#159)

    The except OSError: pass block in _load_signing_key() had no explanatory comment, triggering py/empty-except. Added a comment: chmod 0o600 is unsupported on Windows NTFS and restricted filesystems but the key remains functional — caller must protect the data directory.


Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

No breaking changes. Patch release — code quality and CodeQL compliance only.

v5.5.2 — HMAC-SHA256 grant token integrity (ClawScan ASI03)

17 May 13:56

What's changed

Fixed

  • scripts/check_permission.py + scripts/validate_token.py — HMAC-SHA256 grant token integrity (ClawScan ASI03)

    Grant tokens previously had no integrity protection. Anyone with local file access could edit data/active_grants.json to forge elevated permissions (e.g. change resource_type from EMAIL to PAYMENTS).

    v5.5.2 fix:

    • check_permission.py generates a 32-byte signing key at data[/<env>]/.signing_key (chmod 0o600, auto-created on first run) and computes an HMAC-SHA256 signature over each grant's canonical fields — stored as _sig in the grant record
    • validate_token.py verifies _sig before returning valid: true; a tampered record returns {"valid": false, "reason": "Token signature invalid"}
    • Pre-v5.5.2 tokens (no _sig) remain backward-compatible and return "sig_verified": false
    • Uses Python stdlib hmac + hashlib only — zero new dependencies

    The advisory-identity note (caller-supplied identity is not externally authenticated) is by design and explained in the ClawHub publisher note.
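The sign-then-verify flow described above, as an added example that is not the project's own code. The field list in `SIGNED_FIELDS`, the sample grant and the fixed key are constructed assumptions; the release notes do not list the real canonical fields.

```python
import hashlib
import hmac
import json

# Assumed field set: the notes say "canonical fields" without listing them.
SIGNED_FIELDS = ("token", "agent_id", "resource_type", "scope", "expires_at")


def canonical_bytes(grant: dict) -> bytes:
    """Serialise only the signed fields in a fixed order, so key order or
    whitespace in the JSON file cannot change the MAC input."""
    subset = {name: grant.get(name) for name in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def compute_sig(grant: dict, key: bytes) -> str:
    return hmac.new(key, canonical_bytes(grant), hashlib.sha256).hexdigest()


def sign_grant(grant: dict, key: bytes) -> dict:
    """Return a copy of the grant with its HMAC-SHA256 tag stored as _sig."""
    return {**grant, "_sig": compute_sig(grant, key)}


def validate_grant(grant: dict, key: bytes) -> dict:
    """Three outcomes, as in the notes: legacy, tampered, verified."""
    sig = grant.get("_sig")
    if sig is None:
        # Pre-v5.5.2 record: still accepted, but flagged as unverified.
        return {"valid": True, "sig_verified": False}
    expected = compute_sig(grant, key).encode()
    # compare_digest does not leak the first differing byte through timing.
    if not isinstance(sig, str) or not hmac.compare_digest(sig.encode(), expected):
        return {"valid": False, "reason": "Token signature invalid"}
    return {"valid": True, "sig_verified": True}


# Constructed sample data. A real key would come from os.urandom(32).
KEY = bytes(range(32))
GRANT = {"token": "grant_abc123", "agent_id": "agent-1", "resource_type": "EMAIL",
         "scope": "read", "expires_at": "2026-05-17T14:00:00Z"}
SIGNED = sign_grant(GRANT, KEY)
TAMPERED = {**SIGNED, "resource_type": "PAYMENTS"}  # the file edit described above
LEGACY = dict(GRANT)                                # record without _sig

if __name__ == "__main__":
    for label, record in (("signed", SIGNED), ("tampered", TAMPERED), ("legacy", LEGACY)):
        print(label, validate_grant(record, KEY))
```

Because records without `_sig` are still accepted, a consumer that depends on integrity should require `sig_verified` to be true rather than `valid` alone.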

Documentation

  • references/auth-guardian.md: token structure updated with _sig field, lifecycle step added, advisory note updated
  • All version references bumped 5.5.1 -> 5.5.2 across 12 files
  • SECURITY.md, SKILL.md (new ASI03 token-integrity row), ENTERPRISE.md, CHANGELOG updated

Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

No breaking changes. Pre-existing tokens continue to validate. Patch release.

v5.5.1 — ClawScan ASI03 fix: env-scoped token revocation

17 May 13:35

What's changed

Fixed

  • scripts/revoke_token.py — env-scoped paths (ClawScan ASI03)

revoke_token.py previously resolved GRANTS_FILE and AUDIT_LOG at module load time from the root data/ directory, ignoring NETWORK_AI_ENV at runtime. In multi-environment deployments, token revocation and TTL cleanup silently targeted the wrong grant file.

Fixed: _resolve_data_dir() helper added; --env CLI argument introduced; paths are re-resolved inside main() before any file I/O — matching the behaviour of check_permission.py and validate_token.py.

```bash
# Now works correctly in multi-env setups:
python scripts/revoke_token.py grant_abc123 --env dev
python scripts/revoke_token.py --cleanup --env prod
NETWORK_AI_ENV=staging python scripts/revoke_token.py --list-expired
```
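Why a path bound once at import revokes nothing in an environment-scoped layout, as an added example rather than the project's code. `resolve_data_dir`, `revoke`, the grants-file layout and the environment-name rule are assumptions made for illustration.

```python
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed rule: an environment name is a single path segment.
ENV_NAME = re.compile(r"[A-Za-z0-9_-]+")


def resolve_data_dir(base: Path, env: Optional[str] = None) -> Path:
    """Pick data/ or data/<env>/ at call time: an explicit --env value first,
    then NETWORK_AI_ENV as it is now, not as it was at import."""
    name = env if env is not None else os.environ.get("NETWORK_AI_ENV", "")
    if not name:
        return base
    if not ENV_NAME.fullmatch(name):
        raise ValueError(f"invalid environment name: {name!r}")
    return base / name


def revoke(grants_file: Path, token_id: str) -> bool:
    """Remove token_id from a grants file; True if it was present."""
    grants = json.loads(grants_file.read_text())
    found = grants.pop(token_id, None) is not None
    grants_file.write_text(json.dumps(grants))
    return found


def demo() -> dict:
    """Constructed layout: grant_abc123 exists only under data/dev/."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "data"
        (base / "dev").mkdir(parents=True)
        (base / "active_grants.json").write_text(json.dumps({"grant_root": {}}))
        (base / "dev" / "active_grants.json").write_text(json.dumps({"grant_abc123": {}}))

        frozen = base / "active_grants.json"     # bound once, like a module constant
        before = revoke(frozen, "grant_abc123")  # root data/: nothing is revoked

        runtime = resolve_data_dir(base, "dev") / "active_grants.json"
        after = revoke(runtime, "grant_abc123")  # data/dev/: the grant is removed
        left = json.loads(runtime.read_text())
    return {"frozen_path_revoked": before, "runtime_path_revoked": after,
            "dev_grants_left": left}
```

With the frozen path the revocation call completes without error while the grant stays active in `data/dev/`, which is the silent failure the release describes.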

Documentation

  • All version references bumped 5.5.0 → 5.5.1 across 14 files
  • SECURITY.md / .github/SECURITY.md: ClawHub v5.5.1 ASI03 fix note added
  • SKILL.md: ASI03 row split — advisory-token (by design) vs env-scoped path (resolved)
  • ENTERPRISE.md: v5.5.1 entry added to version history paragraph
  • CLAUDE.md / CODEX.md: version updated to 5.5.1

Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

No new features. No breaking changes. Patch release.

v5.5.0 — Basis Transport Tier

17 May 13:06

What's New

Basis Transport Tier (SAP-inspired)

Network-AI v5.5.0 ships a full configuration-transport layer modelled on the SAP Basis transport system — bringing safe, gated promotion of configuration artefacts across your deployment chain (dev → st → sit → qa → preprod → prod).

TransportAgent (lib/transport-agent.ts)

  • Full state machine: pending → draining → promoting → canary → complete (or rolled_back / failed)
  • Enforces AuthGuardian permission gate (ENVIRONMENT_PROMOTE resource profile, baseRisk 0.95)
  • Fleet draining — pauses dispatch on all AgentPool instances tagged for the destination env before touching config; waits for in-flight agents to complete
  • Prerequisite chaining — TRs can declare prior TR IDs that must be complete before proceeding
  • Advisory locking — prevents two concurrent promotions to the same environment via blackboard keys
  • Canary window — re-opens a configurable percentage of pool capacity, waits for the canary window, counts new ComplianceMonitor violations; rolls back automatically on spike
  • Automatic rollback — calls EnvironmentManager.restore() with the pre-promote backup on canary failure
  • Audit trail — every state transition appended to data/audit_log.jsonl
  • Static TransportAgent.submitRequest(blackboard, request) — any agent can queue a TR

LandscapeAgent (lib/landscape-agent.ts)

  • Slow-poll tracker (configurable interval, default 30 s)
  • Writes landscape:health: records to the blackboard for every known environment
  • Status: healthy / degraded / missing — marks degraded after a failed or rolled_back transport
  • lastTransportId + lastTransportStatus fields for quick diagnosis

AgentPool.setDispatchPause() (lib/strategy-agent.ts)

  • setDispatchPause(paused, { percent? }) — fully pause or partially resume dispatch
  • isDispatchPaused and dispatchAllowedPercent read-only getters
  • canSpawn getter updated to respect pause state and partial-capacity limits

Auth & trust

  • ENVIRONMENT_PROMOTE resource profile added to DEFAULT_RESOURCE_PROFILES (baseRisk 0.95, restrictions: basis_tier_only, audit_required, approval_required)
  • basis:transport (trustLevel 0.95) and basis:landscape (trustLevel 0.9) entries added to DEFAULT_AGENT_TRUST

Testing

  • 30 test suites, 3,093 passing assertions (+117 vs v5.4.5)
  • New: test-transport.ts — 117 assertions covering happy-path lifecycle, prerequisites, advisory lock exclusion, auth denial, promote failure, canary pass/fail + rollback, AgentPool pause mechanics, LandscapeAgent health tracking, and multi-pool fleet coordination

Exports

TransportAgent, LandscapeAgent, and all their types are exported from the package root.


Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

v5.4.5 — Security fix: GHSA-j3vx-cx2r-pvg8 (CWE-346 High — empty secret + wildcard CORS)

16 May 15:05

Network-AI v5.4.5 — Security fix: GHSA-j3vx-cx2r-pvg8

Severity: High (CWE-346, CVSS 7.6)
Reported by: 232-323, min8282

What was wrong

The MCP SSE server defaulted to an empty secret (process.env['NETWORK_AI_MCP_SECRET'] ?? ''), which caused _isAuthorized to return true unconditionally for every request. Combined with an unconditional Access-Control-Allow-Origin: * header, any cross-origin web page could silently invoke all 22 MCP tools (including config_set, agent_spawn, blackboard_write) against a default-configured localhost server — with no credentials required.

Fixes

  • bin/mcp-server.ts — SSE mode now hard-exits at startup if no --secret / NETWORK_AI_MCP_SECRET is provided. Empty-string default no longer allows open access.
  • lib/mcp-transport-sse.ts: Access-Control-Allow-Origin changed from unconditional * to an allowlist restricted to localhost and 127.0.0.1 origins only. Non-local origins receive no ACAO header. Vary: Origin added. Duplicate CORS block removed.
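The two checks described above, modelled in Python as an added example; the project's server is TypeScript and this is not its code. Function names, the way the secret is passed in and the constant-time comparison are assumptions.

```python
import hmac
from typing import Optional
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def is_authorized_before(configured: str, presented: str) -> bool:
    """Pre-5.4.5 behaviour as described: an empty configured secret lets
    every request through."""
    if configured == "":
        return True
    return hmac.compare_digest(configured.encode(), presented.encode())


def require_secret(configured: Optional[str]) -> str:
    """Startup gate: refuse to serve SSE without a non-empty secret."""
    if not configured:
        raise SystemExit("SSE mode requires --secret or NETWORK_AI_MCP_SECRET")
    return configured


def is_authorized_after(configured: str, presented: str) -> bool:
    """Fail closed: an empty secret never authorises anything."""
    if not configured:
        return False
    return hmac.compare_digest(configured.encode(), presented.encode())


def cors_headers(origin: Optional[str]) -> dict:
    """Echo the Origin only when its host is exactly a local name; any other
    origin gets no Access-Control-Allow-Origin header at all."""
    headers = {"Vary": "Origin"}  # cached responses must not cross origins
    if not origin:
        return headers
    try:
        parts = urlsplit(origin)
    except ValueError:  # malformed Origin value
        return headers
    # Compare the parsed hostname, never a prefix or substring of the raw
    # header: "localhost.example.com" is not a local origin.
    if parts.scheme in ("http", "https") and parts.hostname in LOCAL_HOSTS:
        headers["Access-Control-Allow-Origin"] = origin
    return headers
```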

Migration

If you run the SSE server (npx network-ai-server), you must now pass a secret:

npx network-ai-server --secret <your-token> --port 3001
# or
export NETWORK_AI_MCP_SECRET=<your-token>
npx network-ai-server --port 3001

Stdio mode (--stdio) is unaffected — no secret required for local pipe-based clients.

Stats

  • 29 test suites, 2,976 passing assertions (unchanged)
  • Zero TypeScript compile errors

Full Changelog

https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

v5.4.4 — Fix missing import os in swarm_guard.py (ASI08)

13 May 21:07

Network-AI v5.4.4 — Fix missing import os in swarm_guard.py (ClawHub ASI08)

Fixed

  • import os missing in scripts/swarm_guard.py: os.environ.get("NETWORK_AI_ENV", "") was called before os was imported, causing a NameError on startup and silently disabling all budget and health-check guards. This was flagged as ClawHub ASI08 (Cascading Failures).

Notes (by design — will always recur on scan)

  • ASI03 Advisory token identity — grant tokens are advisory only, not authenticated credentials. Use real platform auth + human approval for sensitive resources.
  • ASI06 Persistent context poisoning — _validate_context() runs injection detection before inject; do not store secrets in data/; clear between projects.
  • ASI07 Inter-agent communication boundary — blackboard is local file-based; run in a trusted workspace with restricted data/ permissions.

Stats

  • 29 test suites, 2,976 passing assertions (unchanged)
  • Zero TypeScript compile errors

Full Changelog

https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

v5.4.3 — SKILL.md security findings, README doc table, BOM fix

13 May 20:59

Network-AI v5.4.3 — SKILL.md security findings + README doc table + BOM fix

Added

  • SKILL.md security scan findings table — new section documents all 4 ClawHub Notes (ASI01, ASI03, ASI06, ASI07) with confidence level, why each recurs by design, and the documented control.
  • README documentation table: SKILL.md row added (OpenClaw/ClawHub Python skill — setup, orchestrator protocol, security scan findings).
  • README footer — Code of Conduct and Security Policy links added.

Fixed

  • UTF-8 BOM stripped from package.json, skill.json, and openapi.yaml — PowerShell Out-File -Encoding utf8 was inserting a BOM that caused ts-node to crash with SyntaxError: Unexpected token in CI.

Stats

  • 29 test suites, 2,976 passing assertions (unchanged)
  • Zero TypeScript compile errors

Full Changelog

https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

v5.4.2 — MCP tool quality + security doc accuracy

13 May 20:30

Network-AI v5.4.2 — MCP Tool Quality + Security Doc Accuracy

Patch release improving Glama Tool Definition Quality scores and fixing inaccurate ClawHub security documentation.

Improved

  • MCP tool descriptions — all 22 tool definitions now include explicit return shapes, error/edge-case behavior, and usage guidelines (when to call this tool vs. a related one, recommended ordering). Targets Glama behavior and usage sub-score improvements across fsm_transition, config_get, config_set, token_create, budget_spend, audit_query, and all blackboard tools.

Fixed

  • ClawHub security documentation: SECURITY.md, .github/SECURITY.md, and ENTERPRISE.md now accurately describe the 3 ClawHub Notes (ASI03 advisory-token identity, ASI06 persistent-context and audit-log PII) as by-design patterns with documented controls, rather than "resolved". Notes will recur on future scans by design; the documented controls are the mitigation.

Stats

  • 29 test suites, 2,976 passing assertions (unchanged)
  • Zero TypeScript compile errors (npx tsc --noEmit)

Full Changelog

https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md