v5.1.4 - HermesAdapter (#28), postinstall removed

What's new

Added

• HermesAdapter (adapters/hermes-adapter.ts) — adapter #28, wrapping NousResearch Hermes and any OpenAI-compatible endpoint (Ollama, Together AI, Fireworks, llama.cpp). BYOC client path (HermesChatClient) or built-in fetch; API key from HERMES_API_KEY env var; per-request AbortController timeout.
• 12 new tests in test-adapters.ts — total 2,711 passing across 26 suites.

Removed

• scripts/postinstall.js — was patching node_modules/openai/src/tsconfig.json on install to suppress a TS 6.x moduleResolution deprecation warning. TypeScript now compiles cleanly without it. Removing the postinstall script eliminates the Socket.dev install-scripts supply-chain alert.

Fixed

• tsconfig.json: add noEmit: true — prevents VS Code language server from emitting to dist/ and showing false TS5055 "would overwrite input file" errors.
• tsconfig.build.json: override noEmit: false so npm run build still emits; exclude examples/output/ to prevent stale demo-generated files from breaking CI builds.

Upgrade

npm install network-ai@5.1.4

No breaking changes. Drop-in upgrade from v5.1.3.

Adapter count: 28

New	Description
HermesAdapter	NousResearch Hermes / any OpenAI-compatible endpoint — Ollama, Together AI, Fireworks, llama.cpp

Full adapter list: references/adapter-system.md

v5.1.3 — MCP Authentication & Security Hardening

Security (HIGH — CWE-306)

MCP HTTP Transport Authentication

The MCP HTTP server (POST /mcp, GET /sse) previously had no authentication, allowing any network-reachable client to read and mutate live orchestrator state. This release fixes that.

Changes:

• McpSseServer now enforces Authorization: Bearer on POST /mcp and GET /sse when McpSseServerOptions.secret is set
• Unauthenticated or wrong-token requests receive HTTP 401 with WWW-Authenticate: Bearer header
• Default bind address changed **

v5.1.2 — Zero innerHTML Sinks, Full CodeQL Remediation

What's Changed

Security — CodeQL Alert Remediation

• Zero \innerHTML\ sinks in \work-tree-dashboard.html\ — all 5 panel functions (\showTreeDetail, \updateAgentsPanel, \updateAgentDetailPanel, \updateSupervisorPanel, narrative log) now use pure DOM APIs (\createElement\ + \ extContent\ + \�ppendChild)
• *Converted \�gentMap\ to \Map* (31 occurrences) — eliminates remote property injection via dynamic bracket notation
• JSON round-trip sanitization at WebSocket ingestion for \diagnostics, \orchestratorLogs, and \stats\ — breaks taint chain at the source
• Removed dead code — \escapeHtml\ and \safeSetHTML\ functions no longer needed after DOM API conversion

Stats

• 2,691 tests passing across 26 suites
• 27 adapters — all green
• 0 TypeScript errors

Full Changelog: v5.1.1...v5.1.2

v5.1.1 — CodeQL Security Fixes

Security Fixes

Resolved all 23 open CodeQL code scanning alerts:

XSS (7 alerts fixed)

• All dynamic values in \control-plane.html\ now pass through \esc()\ sanitizer
• All dynamic values in \work-tree-dashboard.html\ now pass through \escapeHtml()\ sanitizer

Remote Property Injection (8 alerts fixed)

• State maps (
  odes, \�gentMap, \�bEntries) use \Object.create(null)\ instead of plain objects
• WebSocket data copied via \safeObj()\ which filters _proto_, \constructor, \prototype\ keys

Prototype-Polluting Assignment (5 alerts fixed)

• Incoming WebSocket objects sanitized through null-prototype copies
• \deriveAgentsFromTree()\ resets to \Object.create(null)\

Unused Variables (2 alerts fixed)

• Removed unused \elapsed\ in \orchestrator-adapter.ts\ catch block
• Removed unused \�gentsFitted\ in \work-tree-dashboard.html\

Other

• Security policy updated: 5.1.x is now current supported version
• All 2,691 tests passing across 26 suites

v5.1.0 — OrchestratorAdapter, WorkTree Dashboard, CodeQL Fixes

What's New in v5.1.0

Added

• OrchestratorAdapter — hierarchical multi-orchestrator coordination: wrap child SwarmOrchestrators as agents for parent orchestration, query child states, timeout guards
• WorkTree Dashboard — 3-tab layout (Tree, Agents, Supervisor), clickable agent sidebar with expandable logs, supervisor diagnostics panel with health banner and activity narrative
• SystemDiagnostic / SystemHealth types and computeDiagnostics() for real-time orchestrator health monitoring

Fixed (CodeQL High Severity)

• #109 Polynomial ReDoS in security.ts — replaced unbounded \s* regex with line-split + bounded \s{0,10} to prevent DoS on prompt-injection heuristic
• #110 Remote property injection in lib/dashboard.html — replaced plain object with Map to prevent prototype pollution

Fixed (CodeQL Notes)

• #111 Removed unused imports writeFileSync, appendFileSync from lib/auth-guardian.ts
• #112 Removed unused import stat from lib/coverage-reporter.ts
• #113 Removed unused variable taskMap from lib/goal-dsl.ts

Fixed (Testing)

• Restored 8 deleted adapter test suites (LlamaIndex, SemanticKernel, OpenAI Assistants, Haystack, DSPy, Agno, APS, full registry)
• BaseAdapter.ensureReady() now throws AdapterNotInitializedError instead of plain Error

Stats

• 27 adapters (was 26)
• 2,691 tests passing across 26 suites (was 2,531)
• All documentation updated across 13 files

---

Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md
npm: npm install network-ai@5.1.0

v5.0.0 — Multi-Agent Orchestrator Major Release

Network-AI v5.0.0

26 adapters · 2,531 tests · 65+ modules · zero runtime dependencies

Highlights

9 New Adapters (17 → 26)

• CopilotAdapter — GitHub Copilot code generate/review/explain/fix/test/refactor
• LangGraphAdapter — compiled StateGraph execution
• AnthropicComputerUseAdapter — screenshot/click/type/scroll browser automation
• OpenAIAgentsAdapter — tool use, handoffs, guardrails
• VertexAIAdapter — Google Gemini with function calling + multi-modal
• PydanticAIAdapter — structured output with validation + dependency injection
• BrowserAgentAdapter — Playwright/Puppeteer/CDP browser control
• LangChainStreamingAdapter / CustomStreamingAdapter — AsyncIterable partial results

New Core Modules

• Goal DSL — YAML/JSON goal definitions compiled to TaskDAG
• Agent VCR — record and replay agent interactions for deterministic testing
• Comparison Runner — side-by-side adapter evaluation with scoring
• Coverage Reporter — adapter capability coverage analysis
• Job Queue — persistent priority FIFO with crash recovery and retry
• Approval Inbox — web-accessible human approval queue for sensitive operations
• Transport Layer — JSON-RPC 2.0 over WebSocket/HTTP with HMAC authentication
• Playground REPL — interactive multi-adapter experimentation console
• Adapter Test Harness — automated conformance testing for adapters
• ConsoleUI — interactive terminal dashboard with ANSI TUI

Architecture Improvements

• IAuthValidator interface — decoupled authorization contract; swap AuthGuardian for NoOpAuthValidator in tests or plug in external auth (LDAP, OAuth)
• StreamingBaseAdapter — base class for adapters yielding partial results via AsyncIterable
• APS delegation-chain trust — trust attenuation across agent delegation hops

Install

npm install network-ai@5.0.0

Full Changelog

See CHANGELOG.md for the complete history.

v4.15.3 — CodeQL #108 Bad HTML Filter Regexp

Fixed

• CodeQL #108 -- Bad HTML filtering regexp (security.ts): Changed closing script tag regex to match all browser-accepted variants including </script foo="bar"> and tags with tabs/newlines.

Full test suite: 2,357 tests across 25 suites, all passing.

v4.15.2 — CodeQL Alerts #99-#107 + ClawHub Clean Scan

Fixed

• CodeQL #107 — Bad HTML filtering regexp (\security.ts): Changed </script>\ to </script\s*>\ to match browser-accepted variants like </script >\ per HTML spec.
• *CodeQL #99 — Unused variable \startTime* (\lib/agent-runtime.ts): Removed.
• *CodeQL #100/#104 — Unused loop variable \ arget* (\lib/strategy-agent.ts): Renamed to _target.
• *CodeQL #101 — Unused imports \AgentPool, \WorkloadPartitioner* (\ est-phase9.ts): Removed.
• *CodeQL #102 — Unused function \�ssertThrows* (\ est-phase9.ts): Removed.
• *CodeQL #103 — Unused variable \echoCmd* (\ est-phase9.ts): Removed.
• ClawHub suspicious flag — Excluded \scripts/postinstall.js\ from Python skill bundle via .clawhubignore; updated \skill.json\ description to acknowledge TypeScript engine.

Full test suite: 2,357 tests across 25 suites, all passing.

v4.15.1 — CodeQL Security Fixes

Fixed

• *CodeQL #105 — ReDoS in \parsePlanJSON()* (\lib/goal-decomposer.ts): Replaced ambiguous regex with indexOf-based code-fence stripping to eliminate polynomial backtracking.
• CodeQL #106 — TOCTOU race in postinstall (\scripts/postinstall.js): Replaced \existsSync\ →
  eadFileSync\ → \writeFileSync\ with \openSync('r+')\ +
  eadFileSync(fd)\ + \truncateSync\ + \writeSync\ to eliminate time-of-check-to-time-of-use race.
• ReDoS in InputSanitizer (\security.ts): Replaced <script[\s\S]?>[\s\S]?</script>\ (nested quantifiers) with <script\b[^>]>[\s\S]?</script>\ (unambiguous).
• Shell injection risk in NemoClawAdapter (\�dapters/nemoclaw-adapter.ts): Replaced \command.split(' ')\ with \ okenizeCommand()\ helper respecting quoted arguments.

Full test suite: 2,357 tests across 25 suites, all passing.

v4.15.0 — Goal Decomposer: LLM-powered goal → task DAG → parallel execution

What's New

Goal Decomposer (Phase 10)

One line to go from goal to results:

\\ ypescript
import { runTeam, createLLMPlanner } from 'network-ai';

const result = await runTeam(
'Build a REST API for user management',
[
{ id: 'architect', role: 'System design and API specification' },
{ id: 'coder', role: 'Write TypeScript code' },
{ id: 'reviewer', role: 'Code review and quality checks' },
],
{ planner: createLLMPlanner(executor, 'gpt-4'), executor }
);

console.log(result.summary);
// Goal: "Build a REST API..." — 3/3 tasks completed in 4200ms
\\

New features

• *\GoalDecomposer* — LLM-powered goal decomposition into a validated \TaskDAG\ with cycle detection (Kahn's algorithm), dependency validation, and retry logic
• *\TeamRunner* — DAG execution engine with topological-layer parallel scheduling, concurrency limits, per-task and total timeouts, priority ordering, and dependency result injection (_dependencyResults)
• 
  unTeam()\ one-liner — single function call: goal in, \TeamResult\ out. Optional approval gate, planner retries, and full event emission
• *\createLLMPlanner()* — built-in planner factory that sends structured prompts to any LLM via the adapter system; handles code fences, preamble text, and nested response shapes ({ tasks }, { text }, { content })
• DAG utilities — \�alidateDAG(), \ opologicalLayers(), \parsePlanJSON()\
• TypeScript 6.0 — upgraded from 5.9.3 to 6.0.2

Testing

• 153 new tests in \ est-phase10.ts\ (12 sections: DAG validation, topological layers, JSON parsing, decomposer, runner, failure handling, concurrency/timeouts, events, runTeam one-liner, dependency injection, LLM planner, edge cases)
• 2,357 total tests across 25 suites — all passing

Full Changelog

https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md#4150---2026-04-04