Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

@@ -1,6 +1,6 @@
 # Architecture
 
-Network-AI v5.4.4 — TypeScript/Node.js multi-agent orchestrator with 29 adapters, 2,976 tests, 66+ modules.
+Network-AI v5.4.5 — TypeScript/Node.js multi-agent orchestrator with 29 adapters, 2,976 tests, 66+ modules.
 
 ## The Multi-Agent Race Condition Problem
 

@@ -1,4 +1,4 @@
-# Audit Log Schema — Network-AI v5.4.4
+# Audit Log Schema — Network-AI v5.4.5
 
 Network-AI writes a JSONL audit trail during permission management and swarm execution. This document describes every field and event type.
 

@@ -1,6 +1,6 @@
 # Benchmarks & Performance
 
-> Performance data for Network-AI v5.4.4 deployments. Your swarm is only as fast as the backend it calls — this page helps you choose the right setup.
+> Performance data for Network-AI v5.4.5 deployments. Your swarm is only as fast as the backend it calls — this page helps you choose the right setup.
 
 ## BlackboardValidator Throughput
 

@@ -299,14 +299,15 @@ async function main(): Promise<void> {
   }
 
   // SSE/HTTP mode
-  const isLoopback = args.host === '127.0.0.1' || args.host === 'localhost' || args.host === '::1';
-  if (!isLoopback && !args.secret) {
-    console.warn(
-      '\n[network-ai-server] WARNING: Binding to ' + args.host +
-      ' with no --secret set. Any network-reachable client can access all' +
-      ' 22 MCP tools, including config_set and agent_spawn. Pass' +
-      ' --secret <token> or set NETWORK_AI_MCP_SECRET to require authentication.\n'
+  if (!args.secret) {
+    process.stderr.write(
+      '[network-ai-server] ERROR: --secret <token> or NETWORK_AI_MCP_SECRET must be set for SSE mode.\n' +
+      '  Without a secret every request is accepted, including cross-origin browser requests\n' +
+      '  that can invoke all MCP tools (config_set, agent_spawn, blackboard_write, …) without credentials.\n' +
+      '  Set a secret: --secret <token>  or  export NETWORK_AI_MCP_SECRET=<token>\n' +
+      '  For local stdio use (Claude Desktop / Cursor / Glama) run with --stdio instead.\n'
     );
+    process.exit(1);
   }
 
   const server = new McpSseServer(combined, {

@@ -5,6 +5,18 @@ All notable changes to Network-AI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.4.5] - 2026-05-16
+
+### Security
+- **GHSA-j3vx-cx2r-pvg8** (CWE-346, High, CVSS 7.6) — Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret.
+  - `bin/mcp-server.ts`: SSE mode now hard-exits at startup with a clear error if no `--secret` / `NETWORK_AI_MCP_SECRET` is set. Empty-string default no longer allows open access.
+  - `lib/mcp-transport-sse.ts`: CORS `Access-Control-Allow-Origin` changed from unconditional `*` to an allowlist restricted to `localhost` and `127.0.0.1` origins only. Non-local origins receive no ACAO header. Removed duplicate CORS block. `Vary: Origin` header added.
+  - Reported by 232-323 and min8282.
+
+### Stats
+- **29 test suites, 2,976 passing assertions** (unchanged)
+- Zero TypeScript compile errors (`npx tsc --noEmit`)
+
 ## [5.4.4] - 2026-05-13
 
 ### Fixed

@@ -25,7 +25,7 @@ This document exists so an engineer or architect can evaluate Network-AI in unde
 
 ## What It Does (One Paragraph)
 
-Network-AI is a TypeScript/Node.js orchestration layer that sits between your agents and your shared state. It enforces: atomic blackboard writes (no race conditions when two agents write simultaneously), permission gating (agents must request access to sensitive resources and provide a scored justification), budget ceilings (per-agent token limits; rogue agents get cut off mid-task), FSM-based workflow governance (agents are blocked from skipping pipeline stages), and real-time compliance monitoring (tool abuse, turn-taking violations, response timeouts). v5.0 adds: approval inbox (web-accessible approval queue), job queue (persistent priority FIFO with crash recovery), transport layer (JSON-RPC 2.0 with HMAC auth), agent VCR (record/replay for testing), comparison runner (side-by-side adapter evaluation), and 9 new adapters. v5.1.4 adds: RLMAdapter (recursive language model / any RLM-compatible HTTP endpoint), FederatedBudget child spending, blackboard metadata API, PhasePipeline compaction, semaphore-based fan-out, HookContext depth, and sub-goal recursion. v5.3.x adds: Context Throttler (prune blackboard keys per-agent scope), Route Classifier (goal routing + FACTUAL_LOOKUP short-circuit), Partition Planner (non-overlapping agent focus areas), Coverage Gate (recursive completeness refinement), advisory token enforcement in the permission system, and context injection validation in the project context manager. v5.4.0 adds: EnvironmentManager (full promotion chain with backup/rollback), LockedBlackboard env routing (NETWORK_AI_ENV), source protection (FileAccessor scope enforcement), Python NETWORK_AI_ENV support across all five scripts, and 29 CLI env subcommands. v5.4.1 adds: TOCTOU race condition fixes in `_touchJson`/`_touchFile` (CWE-367, CodeQL #149–#150) via `openSync(O_CREAT|O_EXCL)`; unused imports and dead function removed (CodeQL #151–#153). v5.4.2 adds: improved MCP tool descriptions across all 22 tools (behavior on error, return shapes, usage guidelines); ClawHub ASI01/ASI03/ASI06/ASI07 Notes documented as by-design mitigated patterns in SECURITY.md. v5.4.3 adds: ClawHub ASI01/03/06/07 Notes security-findings table added to SKILL.md; README documentation table updated with SKILL.md entry and Code of Conduct/Security Policy footer links; UTF-8 BOM stripped from package.json/skill.json/openapi.yaml (fixed CI ts-node parse failure). v5.4.4 adds: fixed missing `import os` in `scripts/swarm_guard.py` (ClawHub ASI08 — budget/health guard was crashing on startup); SKILL.md findings table updated to mark ASI08 resolved. It ships as an npm package with a companion Python skill bundle for OpenClaw/ClawHub environments.
+Network-AI is a TypeScript/Node.js orchestration layer that sits between your agents and your shared state. It enforces: atomic blackboard writes (no race conditions when two agents write simultaneously), permission gating (agents must request access to sensitive resources and provide a scored justification), budget ceilings (per-agent token limits; rogue agents get cut off mid-task), FSM-based workflow governance (agents are blocked from skipping pipeline stages), and real-time compliance monitoring (tool abuse, turn-taking violations, response timeouts). v5.0 adds: approval inbox (web-accessible approval queue), job queue (persistent priority FIFO with crash recovery), transport layer (JSON-RPC 2.0 with HMAC auth), agent VCR (record/replay for testing), comparison runner (side-by-side adapter evaluation), and 9 new adapters. v5.1.4 adds: RLMAdapter (recursive language model / any RLM-compatible HTTP endpoint), FederatedBudget child spending, blackboard metadata API, PhasePipeline compaction, semaphore-based fan-out, HookContext depth, and sub-goal recursion. v5.3.x adds: Context Throttler (prune blackboard keys per-agent scope), Route Classifier (goal routing + FACTUAL_LOOKUP short-circuit), Partition Planner (non-overlapping agent focus areas), Coverage Gate (recursive completeness refinement), advisory token enforcement in the permission system, and context injection validation in the project context manager. v5.4.0 adds: EnvironmentManager (full promotion chain with backup/rollback), LockedBlackboard env routing (NETWORK_AI_ENV), source protection (FileAccessor scope enforcement), Python NETWORK_AI_ENV support across all five scripts, and 29 CLI env subcommands. v5.4.1 adds: TOCTOU race condition fixes in `_touchJson`/`_touchFile` (CWE-367, CodeQL #149–#150) via `openSync(O_CREAT|O_EXCL)`; unused imports and dead function removed (CodeQL #151–#153). v5.4.2 adds: improved MCP tool descriptions across all 22 tools (behavior on error, return shapes, usage guidelines); ClawHub ASI01/ASI03/ASI06/ASI07 Notes documented as by-design mitigated patterns in SECURITY.md. v5.4.3 adds: ClawHub ASI01/03/06/07 Notes security-findings table added to SKILL.md; README documentation table updated with SKILL.md entry and Code of Conduct/Security Policy footer links; UTF-8 BOM stripped from package.json/skill.json/openapi.yaml (fixed CI ts-node parse failure). v5.4.4 adds: fixed missing `import os` in `scripts/swarm_guard.py` (ClawHub ASI08). v5.4.5 adds: security fix for GHSA-j3vx-cx2r-pvg8 (CWE-346, High) — SSE server now requires a non-empty secret at startup; CORS restricted to localhost origins only (no longer wildcard `*`). It ships as an npm package with a companion Python skill bundle for OpenClaw/ClawHub environments.
 
 ---
 

@@ -2,7 +2,7 @@
 
 ## Project Overview
 
-Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination (v5.4.4). 2,976 tests across 29 suites.
+Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination (v5.4.5). 2,976 tests across 29 suites.
 
 ## Architecture
 

@@ -4,7 +4,7 @@
 
 | Version | Supported |
 |---------|-----------|
-| 5.4.x   | ✅ Yes — full support (current, latest: 5.4.4) |
+| 5.4.x   | ✅ Yes — full support (current, latest: 5.4.5) |
 | 5.3.x   | ✅ Security fixes only |
 | 5.2.x   | ✅ Security fixes only |
 | 5.1.x   | ✅ Security fixes only |
@@ -69,7 +69,8 @@ Network-AI includes built-in security features:
 
 - **VirusTotal**: Benign (0/64 engines)
 - **OpenClaw Scanner**: Benign, HIGH CONFIDENCE
-- **ClawHub Security Scanner** (v5.4.4): 4 Notes acknowledged and mitigated — ASI01 (agent goal hijack, by design: Orchestrator skill decomposes into 3 sub-tasks; SKILL.md documents when to enable/disable), ASI03 (advisory token identity, by design: tokens explicitly marked advisory, separate platform auth required), ASI06 (persistent context poisoning, by design: `_validate_context()` injection detection, SKILL.md warns against storing secrets, clear `data/` between projects), ASI07 (inter-agent communication boundary, by design: all inter-agent messaging is host platform's responsibility, documented in SKILL.md). These Notes reflect inherent design characteristics and will recur on future scans; the documented controls are the mitigation.
+- **GHSA-j3vx-cx2r-pvg8** (CWE-346, High, CVSS 7.6) — Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret — **Fixed in v5.4.5**. SSE server now requires a non-empty secret at startup; CORS restricted to localhost origins only. Reported by 232-323 and min8282.
+- **ClawHub Security Scanner** (v5.4.5): 4 Notes acknowledged and mitigated — ASI01 (agent goal hijack, by design: Orchestrator skill decomposes into 3 sub-tasks; SKILL.md documents when to enable/disable), ASI03 (advisory token identity, by design: tokens explicitly marked advisory, separate platform auth required), ASI06 (persistent context poisoning, by design: `_validate_context()` injection detection, SKILL.md warns against storing secrets, clear `data/` between projects), ASI07 (inter-agent communication boundary, by design: all inter-agent messaging is host platform's responsibility, documented in SKILL.md). These Notes reflect inherent design characteristics and will recur on future scans; the documented controls are the mitigation.
 - **CodeQL**: v4.3.2 clean — A2A bearer tokens transmitted only via `Authorization` header; no URL embedding; streaming paths carry no credential material; `AbortController` guards prevent hanging fetch calls; CLI layer adds no new network surface (fully in-process); CWE-367 TOCTOU alerts #86/#87 resolved — `audit tail` and CLI test now open fd first and use `fs.fstatSync(fd)` instead of `fs.statSync(filename)`
 - **CodeQL** (historical): v3.3.0 — all fixable alerts resolved; unused imports cleaned; false-positive detection patterns dismissed; v3.4.0 clean; v3.4.1 — #65–#68 HIGH (insecure temporary file) resolved via `path.resolve()` sanitization and `mode: 0o700` directory permissions
 - **Snyk**: All High/Medium findings resolved in v3.0.3

@@ -564,4 +564,4 @@ Run these before declaring the integration production-ready:
 
 ---
 
-*Network-AI v5.4.4 · MIT License · https://github.com/Jovancoding/Network-AI*
+*Network-AI v5.4.5 · MIT License · https://github.com/Jovancoding/Network-AI*

@@ -279,7 +279,7 @@ export class McpSseServer {
   /** Start listening. Resolves when the server is ready. */
   listen(): Promise<void> {
     this._server = requireHttp().createServer((req, res) => this._handleRequest(req, res));
-    // Warn when binding to a non-loopback address without authentication
+    // Warn when binding to a non-loopback address — defense-in-depth notice
     const isLoopback = this._opts.host === '127.0.0.1' || this._opts.host === 'localhost' || this._opts.host === '::1';
     if (!isLoopback && !this._opts.secret) {
       process.stderr.write(
@@ -348,17 +348,6 @@ export class McpSseServer {
   // --------------------------------------------------------------------------
 
   private _handleRequest(req: http.IncomingMessage, res: http.ServerResponse): void {
-    // CORS — allow any MCP client to connect
-    res.setHeader('Access-Control-Allow-Origin', '*');
-    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
-
-    if (req.method === 'OPTIONS') {
-      res.writeHead(204);
-      res.end();
-      return;
-    }
-
     const base = `http://${req.headers.host ?? `localhost:${this._opts.port}`}`;
     let parsed: URL;
     try {
@@ -371,10 +360,16 @@ export class McpSseServer {
 
     const path = parsed.pathname;
 
-    // CORS — allow Cursor / Claude Desktop / browser clients
-    res.setHeader('Access-Control-Allow-Origin', '*');
+    // CORS — restrict to localhost origins only (prevents cross-origin browser attacks)
+    const origin = req.headers['origin'] ?? '';
+    const isLocalOrigin = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin);
+    if (isLocalOrigin) {
+      res.setHeader('Access-Control-Allow-Origin', origin);
+      res.setHeader('Vary', 'Origin');
+    }
     res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
     res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+
     if (req.method === 'OPTIONS') {
       res.writeHead(204);
       res.end();

@@ -6,7 +6,7 @@ info:
     blackboard coordination, parallel agent spawning, and permission gating
     via AuthGuardian. Requires the companion MCP server:
     `npm install -g network-ai && npx network-ai-server --port 3001`
-  version: 5.4.4
+  version: 5.4.5
   license:
     name: MIT
     url: https://github.com/Jovancoding/Network-AI/blob/main/LICENSE

@@ -1,6 +1,6 @@
 {
   "name": "network-ai",
-  "version": "5.4.4",
+  "version": "5.4.5",
   "description": "AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Computer Use, OpenAI Agents SDK, Vertex AI, Pydantic AI, Browser Agent, Hermes, Orchestrator, RLM + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
   "homepage": "https://network-ai.org",
   "main": "dist/index.js",

@@ -5,7 +5,7 @@
 [![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
 [![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
 [![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
-[![Release](https://img.shields.io/badge/release-v5.4.4-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
+[![Release](https://img.shields.io/badge/release-v5.4.5-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
 [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
 [![Tests](https://img.shields.io/badge/tests-2976%20passing-brightgreen.svg)](#testing)
 [![Adapters](https://img.shields.io/badge/frameworks-29%20supported-blueviolet.svg)](#adapter-system)

@@ -2,7 +2,7 @@
 
 ## Overview
 
-The SwarmOrchestrator uses an **adapter pattern** to work with any agent framework. Instead of being locked to one system, you bring your own agents — from any framework — and the orchestrator handles coordination, shared state, permissions, and parallel execution. As of v5.4.4, 29 adapters are included.
+The SwarmOrchestrator uses an **adapter pattern** to work with any agent framework. Instead of being locked to one system, you bring your own agents — from any framework — and the orchestrator handles coordination, shared state, permissions, and parallel execution. As of v5.4.5, 29 adapters are included.
 
 ```
 ┌─────────────────────────────────────────────────────────────┐

@@ -4,7 +4,7 @@
 
 | Version | Supported |
 |---------|-----------||
-| 5.4.x   | ✅ Yes — full support (current, latest: 5.4.4) |
+| 5.4.x   | ✅ Yes — full support (current, latest: 5.4.5) |
 | 5.3.x   | ✅ Security fixes only |
 | 5.2.x   | ✅ Security fixes only |
 | 5.1.x   | ✅ Security fixes only |
@@ -76,7 +76,8 @@ Network-AI includes built-in security features:
 
 - **VirusTotal**: Benign (0/64 engines)
 - **OpenClaw Scanner**: Benign, HIGH CONFIDENCE
-- **ClawHub Security Scanner** (v5.4.4): 4 Notes acknowledged and mitigated with documented controls — ASI01 (agent goal hijack: Orchestrator skill forces 3-subtask decomposition by design; SKILL.md documents when to enable/disable it), ASI03 (advisory token identity: tokens explicitly marked advisory; separate platform auth and human approval required for sensitive resources), ASI06 (persistent context poisoning: `_validate_context()` runs injection-pattern detection before every inject; `data/project-context.json` must not store secrets; clear `data/` between projects), and ASI07 (inter-agent communication boundary: SKILL.md explicitly states all inter-agent messaging is the host platform's responsibility; users must configure host platform network settings). These Notes reflect by-design characteristics of the skill and will recur on future scans; the documented controls are the mitigation, not an elimination of the pattern.
+- **ClawHub Security Scanner** (v5.4.5): 4 Notes acknowledged and mitigated with documented controls — ASI01 (agent goal hijack: Orchestrator skill forces 3-subtask decomposition by design; SKILL.md documents when to enable/disable it), ASI03 (advisory token identity: tokens explicitly marked advisory; separate platform auth and human approval required for sensitive resources), ASI06 (persistent context poisoning: `_validate_context()` runs injection-pattern detection before every inject; `data/project-context.json` must not store secrets; clear `data/` between projects), and ASI07 (inter-agent communication boundary: SKILL.md explicitly states all inter-agent messaging is the host platform's responsibility; users must configure host platform network settings). These Notes reflect by-design characteristics of the skill and will recur on future scans; the documented controls are the mitigation, not an elimination of the pattern.
+- **GHSA-j3vx-cx2r-pvg8** (CWE-346, High, CVSS 7.6) — Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret — **Fixed in v5.4.5**. SSE server now requires a non-empty secret at startup; CORS restricted to localhost origins only. Reported by 232-323 and min8282.
 - **CodeQL** (v5.4.1): All alerts resolved — CWE-367 TOCTOU (#149, #150) fixed via `O_CREAT|O_EXCL` open; unused imports/function (#151–#153) removed
 - **CodeQL**: v4.3.2 clean — A2A bearer tokens transmitted only via `Authorization` header; no URL embedding; streaming paths carry no credential material; `AbortController` guards prevent hanging fetch calls; CLI layer adds no new network surface (fully in-process); CWE-367 TOCTOU alerts #86/#87 resolved — `audit tail` and CLI test now open fd first and use `fs.fstatSync(fd)` instead of `fs.statSync(filename)`
 - **CodeQL** (historical): v3.3.0 — all fixable alerts resolved; unused imports cleaned; false-positive detection patterns dismissed; v3.4.0 clean; v3.4.1 — #65–#68 HIGH (insecure temporary file) resolved via `path.resolve()` sanitization and `mode: 0o700` directory permissions

@@ -1,6 +1,6 @@
 {
   "name": "SwarmOrchestrator",
-  "version": "5.4.4",
+  "version": "5.4.5",
   "description": "Local Python orchestration skill: multi-agent workflows via shared blackboard file, permission gating, token budget scripts, and persistent project context. The bundled Python scripts make no network calls and have zero third-party dependencies. The parent repository also contains a TypeScript engine (not included in this skill bundle). Workflow delegations via the host platform's sessions_send may invoke external model APIs.",
   "author": "Network-AI Community",
   "homepage": "https://network-ai.org",