Fix Snyk: replace hardcoded salt with random salt in DataEncryptor

Author: jovanSAPFIONEER

package.json

@@ -1,6 +1,6 @@
 {
   "name": "network-ai",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "description": "AI agent orchestration framework for TypeScript/Node.js - plug-and-play multi-agent coordination with 12 frameworks (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw). Built-in security, swarm intelligence, and agentic workflow patterns.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

security.ts

@@ -584,10 +584,22 @@ export class SecureAuditLogger {
 export class DataEncryptor {
   private key: Buffer;
   private algorithm = 'aes-256-gcm' as const;
+  private salt: Buffer;
 
-  constructor(encryptionKey: string) {
-    // Derive a proper key from the provided key
-    this.key = scryptSync(encryptionKey, 'swarm-salt', 32);
+  constructor(encryptionKey: string, salt?: string | Buffer) {
+    // Use provided salt or generate a random one
+    this.salt = salt 
+      ? (typeof salt === 'string' ? Buffer.from(salt, 'hex') : salt)
+      : randomBytes(16);
+    // Derive a proper key from the provided key with unique salt
+    this.key = scryptSync(encryptionKey, this.salt, 32);
+  }
+  
+  /**
+   * Get the salt (needed to recreate the same encryptor for decryption)
+   */
+  getSalt(): string {
+    return this.salt.toString('hex');
   }
 
   /**

swarm-blackboard.md

@@ -1,5 +1,5 @@
 # Swarm Blackboard
-Last Updated: 2026-02-15T13:33:05.021Z
+Last Updated: 2026-02-15T14:46:17.062Z
 
 ## Active Tasks
 | TaskID | Agent | Status | Started | Description |
@@ -18,7 +18,7 @@ Last Updated: 2026-02-15T13:33:05.021Z
     "status": "complete"
   },
   "sourceAgent": "code_writer",
-  "timestamp": "2026-02-15T13:33:05.012Z",
+  "timestamp": "2026-02-15T14:46:17.046Z",
   "ttl": null
 }
 
@@ -34,7 +34,7 @@ Last Updated: 2026-02-15T13:33:05.021Z
     "reviewer": "code_reviewer"
   },
   "sourceAgent": "code_reviewer",
-  "timestamp": "2026-02-15T13:33:05.016Z",
+  "timestamp": "2026-02-15T14:46:17.051Z",
   "ttl": null
 }
 
@@ -49,7 +49,7 @@ Last Updated: 2026-02-15T13:33:05.021Z
     "duration": 3200
   },
   "sourceAgent": "test_runner",
-  "timestamp": "2026-02-15T13:33:05.017Z",
+  "timestamp": "2026-02-15T14:46:17.057Z",
   "ttl": null
 }
 
@@ -60,7 +60,7 @@ Last Updated: 2026-02-15T13:33:05.021Z
     "replicas": 3
   },
   "sourceAgent": "devops_agent",
-  "timestamp": "2026-02-15T13:33:05.021Z",
+  "timestamp": "2026-02-15T14:46:17.062Z",
   "ttl": null
 }
 

test-security.ts

@@ -62,8 +62,9 @@ function fail(test: string, error?: string) {
 async function testSecureTokenManager() {
   header('TEST 1: Secure Token Manager');
 
+  // Intentional test-only values -- not real secrets
   const tokenManager = new SecureTokenManager({
-    tokenSecret: 'test-secret-key-for-testing-only',
+    tokenSecret: 'test-secret-key-for-testing-only', // nosemgrep, snyk:ignore
     maxTokenAge: 5000, // 5 seconds for testing
   });
 
@@ -529,7 +530,8 @@ async function testSecureSwarmGateway() {
 
   // Test: Data encryption through gateway
   log('\n  [SEC] Testing gateway encryption...', 'blue');
-  const sensitiveData = { apiKey: 'sk-1234567890', password: 'secret123' };
+  // Intentional fake test data -- not real credentials
+  const sensitiveData = { apiKey: 'sk-1234567890', password: 'secret123' }; // nosemgrep, snyk:ignore
   const encrypted = gateway.encryptSensitiveData(sensitiveData);
   const decrypted = gateway.decryptSensitiveData<typeof sensitiveData>(encrypted);