What's Changed
Security
- CodeQL #177 resolved — Indirect command injection (Medium): `scripts/socket-check.js` used `execSync()` with a shell template string containing the user-supplied `--version` argument. Replaced with `spawnSync()` + explicit arg array (`shell: false`) so no shell interpolation occurs. Added `SEMVER_RE` validation to reject non-semver input early. Windows `npx.cmd` detection included.
- CodeQL #176 resolved — Unused import (Note): removed unused `resolve` from `import { join, resolve } from 'path'` in `test-phase13.ts:11`.
- CodeQL #175 resolved — Unused import (Note): removed unused `join` from `import { join, dirname, resolve } from 'path'` in `lib/phase-pipeline.ts:15`.
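The pattern behind the CodeQL #177 fix, as an added example that is not the project's `scripts/socket-check.js`: the `SEMVER_RE` pattern shown, the function names, and the stand-in child process (Node echoing its own argument) are assumptions made for illustration.

```javascript
// Added example; not code from the Network-AI repository.
const { spawnSync } = require('node:child_process');

// Assumed allow-list: MAJOR.MINOR.PATCH with optional pre-release / build parts.
const SEMVER_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Reject anything that is not a semver-shaped string before it reaches a process.
function parseVersion(raw) {
  if (typeof raw !== 'string' || !SEMVER_RE.test(raw)) {
    throw new Error(`invalid --version value: ${JSON.stringify(raw)}`);
  }
  return raw;
}

// Windows installs npx as a .cmd shim; other platforms use the bare name.
function npxBinary(platform = process.platform) {
  return platform === 'win32' ? 'npx.cmd' : 'npx';
}

// Spawn with an explicit argv array and no shell: each array element reaches
// the child as exactly one argument, so metacharacters are never interpreted.
function runNoShell(bin, args) {
  const r = spawnSync(bin, args, { shell: false, encoding: 'utf8' });
  if (r.error) throw r.error;
  return { status: r.status, stdout: r.stdout };
}

// Stand-in child (hypothetical): Node prints the arguments it received as JSON.
function echoArg(value) {
  const script = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';
  return JSON.parse(runNoShell(process.execPath, ['-e', script, value]).stdout);
}

// Constructed hostile input: a version string with a shell command appended.
const hostile = '1.2.3; echo INJECTED';

// Layer 1: validation refuses it outright.
let rejected = false;
try { parseVersion(hostile); } catch { rejected = true; }

// Layer 2: even unvalidated, the argv array delivers it as one inert string.
const received = echoArg(hostile);
console.log({ rejected, received, npx: npxBinary() });
```

Validation and the argv array are independent layers: the first keeps malformed input out of the tool entirely, the second ensures that nothing reaching the child is ever parsed by a shell.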
Added
- **`scripts/codeql-check.js`** — GitHub Code Scanning alert monitor. Queries the GitHub API via `gh api`, categorises alerts as blocking (`error`/`warning`) or informational (`note`), exits 1 if any blocking alert is open. Run via `npm run codeql:check`.
- **`npm run codeql:check`** — wired into `package.json` scripts.
Changed
- `SKILL.md` Security Scan Findings — 3 new SkillSpector by-design entries: McpStreamableServer Description-Behavior Mismatch (Medium 94%), MCP control surface Context-Inappropriate Capability (Medium 90%), `_load_signing_key()` token minting Context-Inappropriate Capability (Medium 92%). All documented with disclosed controls.
- **`RELEASING.md`** (local-only) — new Step 7: `npm run codeql:check` gate before publishing; Step 9 updated with correct `clawhub publish` syntax + SkillSpector review guidance.
QA loop — how it works now
```
Push feature → CI runs CodeQL (~2 min)
  → npm run codeql:check   # exits 1 if any error/warning alert open
  → npm run socket:check   # exits 1 if gptSecurity/debugAccess present
  → clawhub publish        # triggers SkillSpector re-scan (NVIDIA)
  → check Versions tab     # new findings → triage into SKILL.md table
```
Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md