fix: resolve CodeQL alerts #99-#104, #107 + ClawHub suspicious flag

- security.ts: fix bad HTML filter regex — </script\s*> handles browser variants (#107)
- agent-runtime.ts: remove unused startTime variable (#99)
- strategy-agent.ts: rename unused loop variable target → _target (#100/#104)
- test-phase9.ts: remove unused imports AgentPool/WorkloadPartitioner (#101),
  unused function assertThrows (#102), unused variable echoCmd (#103)
- .clawhubignore: exclude scripts/postinstall.js from Python skill bundle
- skill.json: clarify TypeScript engine exists alongside Python scripts

Bump to v4.15.2. All 2,357 tests pass across 25 suites.

Author: jovanSAPFIONEER

.clawhubignore

@@ -16,6 +16,7 @@ package.json
 package-lock.json
 node_modules/
 setup.ts
+scripts/postinstall.js
 
 # ── Tests ──
 test.ts

.github/copilot-instructions.md

@@ -2,7 +2,7 @@
 
 ## Project Overview
 
-Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination (v4.15.1). 2,357 tests across 25 suites.
+Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination (v4.15.2). 2,357 tests across 25 suites.
 
 ## Architecture
 

CHANGELOG.md

@@ -5,6 +5,17 @@ All notable changes to Network-AI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.15.2] - 2026-04-04
+
+### Fixed
+- **CodeQL #107 — Bad HTML filtering regexp** (`security.ts`): Changed `<\/script>` to `<\/script\s*>` to match browser-accepted variants like `</script >` per HTML spec.
+- **CodeQL #99 — Unused variable `startTime`** (`lib/agent-runtime.ts`): Removed unused local.
+- **CodeQL #100/#104 — Unused loop variable `target`** (`lib/strategy-agent.ts`): Renamed to `_target`.
+- **CodeQL #101 — Unused imports `AgentPool`, `WorkloadPartitioner`** (`test-phase9.ts`): Removed.
+- **CodeQL #102 — Unused function `assertThrows`** (`test-phase9.ts`): Removed.
+- **CodeQL #103 — Unused variable `echoCmd`** (`test-phase9.ts`): Removed.
+- **ClawHub suspicious flag** — Added `scripts/postinstall.js` to `.clawhubignore` so Node-only dev tooling is excluded from the Python skill bundle; updated `skill.json` description to acknowledge the TypeScript engine.
+
 ## [4.15.1] - 2026-04-04
 
 ### Fixed

CLAUDE.md

@@ -4,7 +4,7 @@ This file is read automatically by Claude Code when working in this repository.
 
 ## Project Overview
 
-Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.1.
+Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.2.
 
 ## Build & Test Commands
 

CODEX.md

@@ -4,7 +4,7 @@ This file is read automatically by OpenAI Codex CLI when working in this reposit
 
 ## Project Overview
 
-Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.1.
+Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.2.
 
 ## Build & Test Commands
 

INTEGRATION_GUIDE.md

@@ -477,4 +477,4 @@ Run these before declaring the integration production-ready:
 
 ---
 
-*Network-AI v4.15.1 · MIT License · https://github.com/Jovancoding/Network-AI*
+*Network-AI v4.15.2 · MIT License · https://github.com/Jovancoding/Network-AI*

README.md

@@ -5,7 +5,7 @@
 [![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
 [![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
 [![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
-[![Release](https://img.shields.io/badge/release-v4.15.1-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
+[![Release](https://img.shields.io/badge/release-v4.15.2-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
 [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
 [![Tests](https://img.shields.io/badge/tests-2357%20passing-brightgreen.svg)](#testing)
 [![Adapters](https://img.shields.io/badge/frameworks-17%20supported-blueviolet.svg)](#adapter-system)

lib/agent-runtime.ts

@@ -369,7 +369,6 @@ export class ShellExecutor {
     const maxBytes = opts.maxOutputBytes ?? this.policy.defaultMaxOutputBytes;
 
     this.activeProcesses++;
-    const startTime = Date.now();
 
     try {
       return await this.spawnCommand(command, cwd, timeoutMs, maxBytes, opts.env);

lib/strategy-agent.ts

@@ -689,7 +689,7 @@ export class StrategyAgent extends EventEmitter {
     }
 
     // Scale down: mark excess agents for recycling
-    for (const [poolId, target] of plan.scaleDown) {
+    for (const [poolId, _target] of plan.scaleDown) {
       const pool = this.pools.get(poolId);
       if (!pool) continue;
       const before = pool.active;

openapi.yaml

@@ -6,7 +6,7 @@ info:
     blackboard coordination, parallel agent spawning, and permission gating
     via AuthGuardian. Requires the companion MCP server:
     `npm install -g network-ai && npx network-ai-server --port 3001`
-  version: 4.15.1
+  version: 4.15.2
   license:
     name: MIT
     url: https://github.com/Jovancoding/Network-AI/blob/main/LICENSE