| Version | Supported |
|---------|-----------|
| 4.11.x | ✅ Yes — full support (current) |
| 4.10.x | ✅ Security fixes only |
| 4.9.x | ✅ Security fixes only |
| 4.8.x | ✅ Security fixes only |
| 4.7.x | ✅ Security fixes only |
| 4.6.x | ✅ Security fixes only |
| 4.5.x | ✅ Security fixes only |
| 4.4.x | ✅ Security fixes only |
| 4.3.x | ✅ Security fixes only |
| 4.0.x – 4.2.x |
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security issues privately:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Provide a clear description, reproduction steps, and impact assessment
You will receive an acknowledgment within 48 hours and a detailed response within 7 days.
Network-AI includes built-in security features:
- AES-256-GCM encryption for blackboard data at rest
- HMAC-SHA256 / Ed25519 signed tokens via AuthGuardian with trust levels and scope restrictions
- Rate limiting to prevent abuse
- Path traversal protection in the Python blackboard (regex + resolved-path boundary checks)
- Input validation on all public API entry points
- Secure audit logging with tamper-resistant event trails
- Justification hardening (v3.2.1) -- prompt-injection detection (16 patterns), keyword-stuffing defense, repetition/padding detection, structural coherence validation
- FSM Behavioral Control Plane (v3.3.0) -- state-scoped agent and tool authorization via JourneyFSM and ToolAuthorizationMatrix; unauthorized actions blocked with ComplianceViolationError
- ComplianceMonitor (v3.3.0) -- real-time agent behavior surveillance with configurable violation policies, severity classification, and async audit loop
- Named Multi-Blackboard API (v3.4.0) -- isolated SharedBlackboard instances per name with independent namespaces, validation configs, and agent scoping; prevents cross-task data leakage
- QA Orchestrator Agent (v4.11.0) -- scenario replay through quality gates, cross-agent contradiction detection, feedback loop with retry limits, and regression tracking with historical snapshots
- VirusTotal: Benign (0/64 engines)
- OpenClaw Scanner: Benign, HIGH CONFIDENCE
- CodeQL: v4.3.2 clean — A2A bearer tokens transmitted only via Authorization header; no URL embedding; streaming paths carry no credential material; AbortController guards prevent hanging fetch calls; CLI layer adds no new network surface (fully in-process); CWE-367 TOCTOU alerts #86/#87 resolved — audit tail and CLI test now open fd first and use fs.fstatSync(fd) instead of fs.statSync(filename)
- CodeQL (historical): v3.3.0 — all fixable alerts resolved; unused imports cleaned; false-positive detection patterns dismissed; v3.4.0 clean; v3.4.1 — #65–#68 HIGH (insecure temporary file) resolved via path.resolve() sanitization and mode: 0o700 directory permissions
- Snyk: All High/Medium findings resolved in v3.0.3
We follow coordinated disclosure. We will:
- Confirm the vulnerability and determine its impact
- Develop and test a fix
- Release a patched version
- Credit the reporter (unless anonymity is requested)
We ask that you give us reasonable time to address the issue before any public disclosure.
The security module (security.ts) provides defense-in-depth protections:
| Component | Class | Purpose |
|---|---|---|
| Token Manager | SecureTokenManager | HMAC / Ed25519-signed tokens with expiration |
| Input Sanitizer | InputSanitizer | XSS, injection, path traversal prevention |
| Rate Limiter | RateLimiter | Per-agent request throttling + lockout |
| Encryptor | DataEncryptor | AES-256-GCM encryption for sensitive data |
| Permission Hardener | PermissionHardener | Trust-ceiling & privilege escalation prevention |
| Audit Logger | SecureAuditLogger | Cryptographically signed audit entries |
| Gateway | SecureSwarmGateway | Integrated security layer wrapping all ops |
The AuthGuardian evaluates permission requests using weighted scoring:
| Factor | Weight | Description |
|---|---|---|
| Justification quality | 40% | Business reason (hardened against prompt injection) |
| Agent trust level | 30% | Agent's established trust score |
| Resource risk | 30% | Resource sensitivity + scope |
Approval threshold: 0.5
| Resource | Base Risk | Default Restrictions |
|---|---|---|
| DATABASE | 0.5 | read_only, max_records:100 |
| PAYMENTS | 0.7 | read_only, no_pii_fields, audit_required |
| EMAIL | 0.4 | rate_limit:10_per_minute |
| FILE_EXPORT | 0.6 | anonymize_pii, local_only |
```bash
python scripts/check_permission.py \
  --agent data_analyst \
  --resource DATABASE \
  --justification "Need customer order history for sales report"
# View all active grants
python scripts/check_permission.py --active-grants
# Audit summary
python scripts/check_permission.py --audit-summary --last 50
```

The SecureAuditLogger produces HMAC / Ed25519-signed entries in data/audit_log.jsonl.
Logged events: permission_granted, permission_denied, permission_revoked, ttl_cleanup, result_validated, and all blackboard writes.
Each entry contains: agentId, action, timestamp, outcome, resource. No PII, no API keys, no message content.
To disable: pass the --no-audit flag to network-ai-server, or set auditLogPath: undefined in the createSwarmOrchestrator config.
Token revocation and TTL cleanup:
```bash
python scripts/revoke_token.py --list-expired
python scripts/revoke_token.py --cleanup
```

The audit log can also be queried and live-streamed via the CLI (no server required):

```bash
network-ai audit log --limit 50   # print recent entries
network-ai audit tail             # live-stream as new events arrive
network-ai audit clear            # reset the log
```