What Network-AI installs, what it executes, what it writes to disk, and what it calls over the network — so operators can make informed trust decisions.
Network-AI has one production runtime dependency:
| Package | Version | Purpose | Network access | Writes to disk |
|---|---|---|---|---|
commander |
^14.0.3 | CLI argument parsing | None | None |
That's it. The core library, all 32 adapters, the MCP server, and the blackboard are implemented with Node.js built-ins only.
BYOC design principle: Adapters are "Bring Your Own Client". They declare interfaces
and types but import no LLM SDK, no HTTP library, and no vector store at require-time.
The operator passes a pre-constructed client in. This means installing network-ai does
not install OpenAI, LangChain, AutoGen, or any other framework SDK.
| Package | Version | Purpose |
|---|---|---|
typescript |
^6.0.3 | Compiler |
ts-node |
^10.9.2 | Test runner / local execution |
@types/node |
^25.9.0 | Node.js type declarations |
dotenv |
^17.4.2 | Load .env files in tests |
openai |
^6.38.0 | Used in test suites (MCP SSE integration tests) |
devDependencies are not included in the published npm package.
| Script | Trigger | Action |
|---|---|---|
| None | npm install |
No preinstall or postinstall scripts |
There are no install-time scripts. npm install network-ai only downloads and unpacks
the package; no code runs.
The prepublishOnly script (npm run build && npm run test:all) runs only when the
maintainer publishes a new version. It is not executed on the operator's machine.
| Component | What it writes | Where |
|---|---|---|
LockedBlackboard |
Blackboard state, WAL entries, lock files | data/ |
SecureAuditLogger |
Event log lines (JSONL) | data/audit_log.jsonl |
EnvironmentManager |
Per-env data directories, backup snapshots | data/<env>/, data/backups/ |
check_permission.py |
HMAC signing key (on first run) | data[/<env>]/.signing_key |
LockedBlackboard |
Filesystem mutex | data/.lock |
PhasePipeline |
DAG checkpoint JSON (when checkpointPath is set) |
operator-configured path |
SemanticMemory |
Persisted vector index JSON (when persistPath is set) |
operator-configured path |
All writes are confined to the configured data directory. Path traversal is blocked: all file operations resolve the final path and assert it is within the data root before I/O.
The core library (index.ts, lib/, security.ts) makes no outbound network calls.
All network I/O is performed by:
- The operator's BYOC client (passed in by the operator at runtime)
lib/mcp-transport-sse.ts, which receives inbound HTTP/SSE connections — it does not initiate outbound connections- The Streamable HTTP MCP transport (
lib/mcp-transport-http.ts), which also receives inbound connections — no outbound calls
The 32 adapters (adapters/) may make outbound HTTP calls, but only to endpoints
explicitly provided by the operator at runtime (BYOC — Bring Your Own Client). No
adapter hard-codes a URL that is called automatically at import or on first use.
The helper scripts (scripts/blackboard.py, scripts/check_permission.py,
scripts/validate_token.py, scripts/revoke_token.py) make no network calls. They read
and write local files only.
| File | Network call | Purpose |
|---|---|---|
test-phase6.ts |
localhost:<port> |
MCP SSE integration test (loopback only) |
test-a2a.ts |
localhost:<port> |
A2A protocol integration test (loopback only) |
Network-AI's AgentRuntime (lib/agent-runtime.ts) provides a sandboxed shell executor
as an explicit, opt-in product feature. It is not activated by importing the library
or starting the MCP server — it requires the operator to construct an AgentRuntime
instance with an explicit allowedCommands allowlist.
How it is protected:
| Control | Implementation |
|---|---|
| Command allowlist | SandboxPolicy.allowedCommands — deny-all by default; operator must explicitly add patterns |
| Shell metacharacter rejection | parseCommandLine() rejects any command containing ;, &, |, $, backtick, or redirection outside of quotes |
shell: false |
child_process.spawn() is called with shell: false — no shell interpreter is ever invoked |
| Argument arrays | Commands are tokenized into [file, ...args] before spawn() — no string concatenation passed to a shell |
| Approval gate | Commands matching approvalRequired patterns (e.g. rm *, git push*) are held for human confirmation before spawning |
| Concurrency limit | Maximum 5 concurrent processes by default |
| Audit log | Every spawn, denial, and approval decision is written to data/audit_log.jsonl |
The shellAccess and shellExec alerts shown on the Socket.dev package page are
expected and intentional for this class of tool. They reflect the presence of the
shell sandbox, not a security defect.
Network-AI's telemetry system (lib/telemetry-provider.ts) uses a Bring Your Own
Telemetry (BYOT) design. The default provider is NullTelemetryProvider, which
discards all spans and metrics without making any network calls.
Zero telemetry is emitted by default. No data is sent anywhere unless the operator
explicitly constructs and registers an ITelemetryProvider implementation that forwards
spans to their own OTel collector.
Every release is published via GitHub Actions CI with:
- name: Publish to npm
run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}The --provenance flag publishes a signed SLSA Build Level 2 attestation to the
Sigstore transparency log. This attestation links the
published package to the exact Git commit and CI workflow run that built it.
Verifying provenance:
npm audit signatures
# or
npm install network-ai
npx sigstore verify node_modules/network-aiThe provenance statement includes:
- Source repository:
https://github.com/Jovancoding/Network-AI - Builder: GitHub Actions (
ubuntu-latest) - Build workflow:
.github/workflows/ci.yml - Git ref:
refs/tags/v<version>
All release tags are pushed from CI and correspond to a signed commit on main. The tag
format is v<semver> (e.g. v5.7.2).
Every push and pull request to main triggers CodeQL analysis (JavaScript/TypeScript).
Results are published to the GitHub Security tab. Open alerts are tracked and resolved
before each release.
The published npm package includes:
dist/ compiled JavaScript + declaration files (CJS, CommonJS target ES2022)
dist/esm/ ESM build (module: Node16, for bundlers and native ESM consumers)
bin/ CLI entry points (TypeScript source)
types/ additional .d.ts declarations
scripts/ Python helper scripts
socket.json MCP socket configuration
README.md
QUICKSTART.md
INTEGRATION_GUIDE.md
SKILL.md
LICENSE
Notably excluded from the published package:
test-*.tsfilesdata/directory.github/node_modules/- TypeScript source files (other than
bin/)
- Dependabot is enabled for npm (weekly PRs for patch/minor updates).
- All dependency update PRs run the full test suite (3,603 tests) before merge.
- Major version bumps require manual review and a CHANGELOG entry.
- New runtime dependencies require explicit approval and an update to this file.