v3.2.8 — Security hardening (CodeQL HIGH alerts resolved)

[Jovancoding]

What's Changed

Fixed

• TOCTOU race conditions — replaced existsSync + writeFileSync patterns with appendFileSync, flag:'wx', and writeSync via fd across security.ts, locked-blackboard.ts, and swarm-utils.ts; eliminates the window between file existence check and write where another process could intervene
• Bad HTML filtering regexp — changed .*? to [\s\S]*? in the XSS script tag pattern; . doesn't match newlines in JS so multi-line <script> blocks would previously bypass the sanitizer
• Missing regex anchor — added \b word boundary to /example\.com/ in blackboard-validator.ts; without it strings like notexample.com would incorrectly match
• Token-Permissions — added permissions: contents: read to CI workflow; workflows no longer carry implicit write access they don't need

Also in this release cycle

• eval() removed from distributed code (v3.2.7) — Socket supply chain score recovery
• Dependabot auto-merge workflow added — future dependency PRs merge automatically when CI passes
• CodeQL security scanning enabled on every push

315/315 tests passing

Installation

npm install network-ai@3.2.8

<hr /><em>This discussion was created from the release <a href='https://github.com/jovanSAPFIONEER/Network-AI/releases/tag/v3.2.8'>v3.2.8 — Security hardening (CodeQL HIGH alerts resolved)</a>.</em>