v4.11.2 - fix ClawHub scanner: exclude docs/index.html, remove AuthGuardian/adapters refs from bundle, honest PII disclosure

jovanSAPFIONEER · jovanSAPFIONEER · commit 9f5a4168ca1f · 2026-03-22T21:54:10.000+01:00
diff --git a/.clawhubignore b/.clawhubignore
@@ -52,6 +52,9 @@ claude-tools.json
 # ── Examples (TypeScript) ──
 examples/
 
+# ── Website (TypeScript/Node.js marketing site) ──
+docs/
+
 # ── CI/CD ──
 .github/
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,15 @@ All notable changes to Network-AI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.11.2] - 2026-03-22
+
+### Fixed
+- **ClawHub scanner: remaining bundle leaks** — added `docs/` (website HTML with TypeScript/Node.js meta tags) to `.clawhubignore`; this was the primary source of the "17 adapters / HMAC / Ed25519" mismatch the scanner flagged
+- **Removed `AuthGuardian` references from skill bundle** — renamed to "Permission Wall" in SKILL.md, changed `authGuardian` key to `permissionGating` in skill.json with explanatory note, updated capability descriptions
+- **Removed broken reference links** — SKILL.md linked to `references/*.md` files that are excluded from the bundle; replaced with a single link to the GitHub repo
+- **Honest PII disclosure** — `privacy.audit_log.does_not_contain` no longer claims "user PII" since justification fields are free-text; added explicit `pii_warning` field and `justification (free-text)` to `contains` list
+- **Removed `adapters` key** from skill.json (Python-only skill has no adapters)
+
 ## [4.11.1] - 2026-03-22
 
 ### Fixed
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@
 [![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
 [![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
 [![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
-[![Release](https://img.shields.io/badge/release-v4.11.1-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
+[![Release](https://img.shields.io/badge/release-v4.11.2-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
 [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
 [![Tests](https://img.shields.io/badge/tests-1684%20passing-brightgreen.svg)](#testing)
 [![Adapters](https://img.shields.io/badge/frameworks-17%20supported-blueviolet.svg)](#adapter-system)
diff --git a/SKILL.md b/SKILL.md
@@ -5,7 +5,7 @@ metadata:
   openclaw:
     emoji: "\U0001F41D"
     homepage: https://network-ai.org
-    bundle_scope: "Python scripts only (scripts/*.py). All execution is local. No TypeScript, Node.js, adapters, or CLI tools are included in this bundle."
+    bundle_scope: "Python scripts only (scripts/*.py). All execution is local. Only Python stdlib — no other runtimes, adapters, or CLI tools are included."
     network_calls: "none — bundled scripts make zero network calls. The host platform's sessions_send (not part of this skill) may invoke external models."
     sessions_send: "NOT implemented or invoked by this skill. sessions_send is a host-platform built-in. This skill only provides budget guards that run before the platform delegates."
     sessions_ops: "platform-provided — outside this skill's control"
@@ -398,7 +398,7 @@ Expected Output: JSON summary with category, revenue, growth_pct
 sessions_history data_analyst  # OpenClaw platform operation — get the response
 ```
 
-## Permission Wall (AuthGuardian)
+## Permission Wall
 
 **CRITICAL**: Always check permissions before accessing:
 - `DATABASE` - Internal database / data store access
@@ -721,7 +721,4 @@ python {baseDir}/scripts/swarm_guard.py supervisor-review --task-id "task_001"
 
 ## References
 
-- [AuthGuardian Details](references/auth-guardian.md) - Full permission system documentation
-- [Blackboard Schema](references/blackboard-schema.md) - Data structure specifications
-- [Agent Trust Levels](references/trust-levels.md) - How trust is calculated
-- [CLI Reference](QUICKSTART.md) - Full `network-ai` CLI command reference (§ 10. CLI)
+This skill is part of the larger [Network-AI](https://github.com/Jovancoding/Network-AI) project. See the repository for full documentation on the permission system, blackboard schema, and trust-level calculations.
diff --git a/openapi.yaml b/openapi.yaml
@@ -6,7 +6,7 @@ info:
     blackboard coordination, parallel agent spawning, and permission gating
     via AuthGuardian. Requires the companion MCP server:
     `npm install -g network-ai && npx network-ai-server --port 3001`
-  version: 4.11.1
+  version: 4.11.2
   license:
     name: MIT
     url: https://github.com/Jovancoding/Network-AI/blob/main/LICENSE
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "network-ai",
-  "version": "4.11.1",
+  "version": "4.11.2",
   "description": "AI agent orchestration framework for TypeScript/Node.js - 17 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
   "homepage": "https://network-ai.org",
   "main": "dist/index.js",
diff --git a/skill.json b/skill.json
@@ -1,6 +1,6 @@
 {
   "name": "SwarmOrchestrator",
-  "version": "4.11.1",
+  "version": "4.11.2",
   "description": "Local Python orchestration skill: multi-agent workflows via shared blackboard file, permission gating, token budget scripts, and persistent project context. The bundled Python scripts make no network calls and have zero third-party dependencies. Workflow delegations via the host platform's sessions_send may invoke external model APIs.",
   "author": "Network-AI Community",
   "homepage": "https://network-ai.org",
@@ -47,7 +47,7 @@
         "requiresAuth": {
           "type": "boolean",
           "default": false,
-          "description": "Whether this task requires AuthGuardian permission grant"
+          "description": "Whether this task requires a permission grant (via check_permission.py)"
         }
       },
       "returns": {
@@ -123,7 +123,7 @@
       }
     },
     "request_permission": {
-      "description": "Request permission from AuthGuardian for sensitive operations",
+      "description": "Request permission for sensitive operations via the local permission gating script",
       "parameters": {
         "resourceType": {
           "type": "string",
@@ -222,15 +222,13 @@
   "permissions": {
     "required": ["local_filesystem", "internal_skill_calls"],
     "optional": ["external_api_access"],
-    "authGuardian": {
+    "permissionGating": {
       "enabled": true,
-      "protectedResources": ["DATABASE", "PAYMENTS", "EMAIL", "FILE_EXPORT"]
+      "protectedResources": ["DATABASE", "PAYMENTS", "EMAIL", "FILE_EXPORT"],
+      "note": "Permission checks are implemented locally via scripts/check_permission.py using weighted scoring (justification 40%, trust 30%, risk 30%). No external auth service."
     }
   },
   "dependencies": {},
-  "adapters": {
-    "note": "This skill runs standalone. No adapter dependencies required."
-  },
   "config": {
     "blackboardPath": "./swarm-blackboard.md",
     "maxParallelAgents": null,
@@ -243,9 +241,10 @@
     "audit_log": {
       "path": "data/audit_log.jsonl",
       "scope": "local-only",
-      "description": "Append-only JSONL audit log recording operation metadata (agentId, action, timestamp, outcome). Stays in the local data/ directory. No data is sent externally. Can be disabled with --no-audit flag or audit_log: false in config.",
-      "contains": ["agentId", "action", "timestamp", "outcome", "resource"],
-      "does_not_contain": ["user PII", "API keys", "message content", "external endpoints"]
+      "description": "Append-only JSONL audit log recording operation metadata (agentId, action, timestamp, outcome). Stays in local data/ directory. No data is sent externally by this skill.",
+      "contains": ["agentId", "action", "timestamp", "outcome", "resource", "justification (free-text, agent-provided)"],
+      "pii_warning": "Justification fields are free-text and may contain user-supplied content. Do not put PII, secrets, or credentials in justification strings. Restrict file permissions on data/ and rotate logs periodically.",
+      "does_not_contain": ["API keys", "external endpoints"]
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "network-ai",`
`3`		`- "version": "4.11.1",`
	`3`	`+ "version": "4.11.2",`
`4`	`4`	`"description": "AI agent orchestration framework for TypeScript/Node.js - 17 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",`
`5`	`5`	`"homepage": "https://network-ai.org",`
`6`	`6`	`"main": "dist/index.js",`