fix: resolve all remaining CodeQL alerts and pin action SHAs

- ci.yml, codeql.yml, dependabot-auto-merge.yml: pin all actions to full
  commit SHA (Pinned-Dependencies fix)
- codeql.yml: add permissions: read-all at workflow level (Token-Permissions fix)
- locked-blackboard.ts: remove final existsSync+readFileSync TOCTOU race;
  read directly and handle ENOENT; remove unused statSync import
- security.ts: remove unused existsSync and writeFileSync imports
- check_permission.py: remove always-true word_count>0 ternary (line 142, 156)
- blackboard.py, swarm_guard.py, validate_token.py: add comments to bare
  empty-except blocks (py/empty-except fix)

315/315 tests pass

Author: jovanSAPFIONEER

.github/workflows/ci.yml

@@ -19,10 +19,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
 
       - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
@@ -51,10 +51,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6
         with:
           node-version: 20
           cache: 'npm'

.github/workflows/codeql.yml

@@ -8,6 +8,8 @@ name: CodeQL Security Analysis
   schedule:
     - cron: '30 4 * * 1'  # Every Monday at 04:30 UTC
 
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
@@ -24,18 +26,18 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6  # v4
         with:
           languages: ${{ matrix.language }}
           queries: security-extended,security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@9e907b5e64f6b83e7804b09294d44122997950d6  # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6  # v4
         with:
           category: '/language:${{ matrix.language }}'

.github/workflows/dependabot-auto-merge.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - name: Fetch Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v2
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a  # v2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 

CHANGELOG.md

@@ -5,6 +5,16 @@ All notable changes to Network-AI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.2.9] - 2026-02-19
+
+### Fixed
+- **Pinned-Dependencies** -- all GitHub Actions in `ci.yml`, `codeql.yml`, and `dependabot-auto-merge.yml` pinned to full commit SHA (Scorecard supply-chain requirement)
+- **Token-Permissions** -- added `permissions: read-all` at workflow level in `codeql.yml`
+- **Remaining TOCTOU** -- removed final `existsSync` + `readFileSync` race in `locked-blackboard.ts`; now reads directly and handles `ENOENT`
+- **Unused imports** -- removed `existsSync`/`writeFileSync` from `security.ts` and `statSync` from `locked-blackboard.ts`
+- **py/redundant-comparison** -- removed always-true `word_count > 0` ternary in `check_permission.py` (guaranteed `>= 3` by earlier guard)
+- **py/empty-except** -- added explanatory comments to all bare `pass` except blocks in `blackboard.py`, `swarm_guard.py`, and `validate_token.py`
+
 ## [3.2.8] - 2026-02-19
 
 ### Fixed

README.md

@@ -4,7 +4,7 @@
 
 [![CI](https://github.com/jovanSAPFIONEER/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/jovanSAPFIONEER/Network-AI/actions/workflows/ci.yml)
 [![CodeQL](https://github.com/jovanSAPFIONEER/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/jovanSAPFIONEER/Network-AI/actions/workflows/codeql.yml)
-[![Release](https://img.shields.io/badge/release-v3.2.8-blue.svg)](https://github.com/jovanSAPFIONEER/Network-AI/releases)
+[![Release](https://img.shields.io/badge/release-v3.2.9-blue.svg)](https://github.com/jovanSAPFIONEER/Network-AI/releases)
 [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
 [![ClawHub](https://img.shields.io/badge/ClawHub-network--ai-orange.svg)](https://clawhub.ai/skills/network-ai)
 [![Node.js](https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen.svg)](https://nodejs.org)

SECURITY.md

@@ -37,7 +37,7 @@ Network-AI includes built-in security features:
 
 - **VirusTotal**: Benign (0/64 engines)
 - **OpenClaw Scanner**: Benign, HIGH CONFIDENCE
-- **CodeQL**: v3.2.8 -- all HIGH alerts resolved (TOCTOU race conditions, bad HTML regex, missing regex anchor, Token-Permissions)
+- **CodeQL**: v3.2.9 -- all remaining HIGH/WARNING alerts resolved; actions SHA-pinned; unused imports removed
 - **Snyk**: All High/Medium findings resolved in v3.0.3
 
 ## Disclosure Policy

lib/locked-blackboard.ts

@@ -25,7 +25,6 @@ import {
   openSync,
   closeSync,
   writeSync,
-  statSync,
   readdirSync
 } from 'fs';
 import { join, dirname } from 'path';
@@ -128,9 +127,8 @@ export class FileLock {
 
   private ensureDir(): void {
     const dir = dirname(this.lockPath);
-    if (!existsSync(dir)) {
-      mkdirSync(dir, { recursive: true });
-    }
+    // recursive: true is idempotent — no existsSync check needed
+    mkdirSync(dir, { recursive: true });
   }
 
   /**
@@ -143,25 +141,26 @@ export class FileLock {
     const startTime = Date.now();
 
     while (Date.now() - startTime < timeoutMs) {
-      // Check for stale lock
-      if (existsSync(this.lockPath)) {
-        try {
-          const lockData = JSON.parse(readFileSync(this.lockPath, 'utf-8'));
-          const lockAge = Date.now() - new Date(lockData.acquired_at).getTime();
-          
-          // If lock is stale, force release it
-          if (lockAge > CONFIG.staleLockThresholdMs) {
-            log.warn('Stale lock detected, force releasing', { lockAgeMs: lockAge });
-            this.forceRelease();
-          } else {
-            // Lock is held by someone else, wait and retry
-            this.sleep(CONFIG.lockRetryIntervalMs);
-            continue;
-          }
-        } catch {
+      // Check for stale lock — read directly to avoid existsSync+readFileSync TOCTOU
+      try {
+        const lockData = JSON.parse(readFileSync(this.lockPath, 'utf-8'));
+        const lockAge = Date.now() - new Date(lockData.acquired_at).getTime();
+        
+        // If lock is stale, force release it
+        if (lockAge > CONFIG.staleLockThresholdMs) {
+          log.warn('Stale lock detected, force releasing', { lockAgeMs: lockAge });
+          this.forceRelease();
+        } else {
+          // Lock is held by someone else, wait and retry
+          this.sleep(CONFIG.lockRetryIntervalMs);
+          continue;
+        }
+      } catch (e: any) {
+        if (e.code !== 'ENOENT') {
           // Corrupted lock file, remove it
           this.forceRelease();
         }
+        // ENOENT: no lock file yet, fall through to create
       }
 
       // Try to create lock file atomically

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "network-ai",
-  "version": "3.2.8",
+  "version": "3.2.9",
   "description": "AI agent orchestration framework for TypeScript/Node.js - plug-and-play multi-agent coordination with 12 frameworks (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw). Built-in security, swarm intelligence, and agentic workflow patterns.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package.json

@@ -54,7 +54,7 @@
     import fcntl as _fcntl_import
     _fcntl = _fcntl_import
 except ImportError:
-    pass
+    pass  # fcntl unavailable on Windows; file-based lock fallback is used instead
 
 # Default blackboard location
 BLACKBOARD_PATH = Path(__file__).parent.parent / "swarm-blackboard.md"
@@ -130,7 +130,7 @@ def release(self) -> None:
 
                 self.lock_file.close()
             except Exception:
-                pass
+                pass  # best-effort unlock; fd and marker cleaned up in finally
             finally:
                 self.lock_file = None
                 self.lock_marker = None