fix: CodeQL #108 — bad HTML filter regexp closing tag

security.ts: </script\s*> → </script\b[^>]*> to match all browser-accepted
closing tag variants (e.g. </script foo=bar>, </script\t\n>).

Bump to v4.15.3. All 2,357 tests pass.

Author: jovanSAPFIONEER

.github/copilot-instructions.md

@@ -2,7 +2,7 @@
 
 ## Project Overview
 
-Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination (v4.15.2). 2,357 tests across 25 suites.
+Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination (v4.15.3). 2,357 tests across 25 suites.
 
 ## Architecture
 

CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to Network-AI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.15.3] - 2026-04-04
+
+### Fixed
+- **CodeQL #108 — Bad HTML filtering regexp** (`security.ts`): Changed `<\/script\s*>` to `<\/script\b[^>]*>` to match all browser-accepted closing tag variants including `</script\t\n bar>` and `</script foo="bar">`.
+
 ## [4.15.2] - 2026-04-04
 
 ### Fixed

CLAUDE.md

@@ -4,7 +4,7 @@ This file is read automatically by Claude Code when working in this repository.
 
 ## Project Overview
 
-Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.2.
+Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.3.
 
 ## Build & Test Commands
 

CODEX.md

@@ -4,7 +4,7 @@ This file is read automatically by OpenAI Codex CLI when working in this reposit
 
 ## Project Overview
 
-Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.2.
+Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.3.
 
 ## Build & Test Commands
 

INTEGRATION_GUIDE.md

@@ -477,4 +477,4 @@ Run these before declaring the integration production-ready:
 
 ---
 
-*Network-AI v4.15.2 · MIT License · https://github.com/Jovancoding/Network-AI*
+*Network-AI v4.15.3 · MIT License · https://github.com/Jovancoding/Network-AI*

README.md

@@ -5,7 +5,7 @@
 [![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
 [![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
 [![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
-[![Release](https://img.shields.io/badge/release-v4.15.2-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
+[![Release](https://img.shields.io/badge/release-v4.15.3-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
 [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
 [![Tests](https://img.shields.io/badge/tests-2357%20passing-brightgreen.svg)](#testing)
 [![Adapters](https://img.shields.io/badge/frameworks-17%20supported-blueviolet.svg)](#adapter-system)

openapi.yaml

@@ -6,7 +6,7 @@ info:
     blackboard coordination, parallel agent spawning, and permission gating
     via AuthGuardian. Requires the companion MCP server:
     `npm install -g network-ai && npx network-ai-server --port 3001`
-  version: 4.15.2
+  version: 4.15.3
   license:
     name: MIT
     url: https://github.com/Jovancoding/Network-AI/blob/main/LICENSE

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "network-ai",
-  "version": "4.15.2",
+  "version": "4.15.3",
   "description": "AI agent orchestration framework for TypeScript/Node.js - 17 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
   "homepage": "https://network-ai.org",
   "main": "dist/index.js",

package.json

@@ -201,7 +201,7 @@ export class InputSanitizer {
   // Dangerous patterns that could indicate injection attempts
   private static DANGEROUS_PATTERNS = [
     /\$\{.*\}/g,           // Template injection
-    /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, // XSS (handles </script > variants)
+    /<script\b[^>]*>[\s\S]*?<\/script\b[^>]*>/gi, // XSS (handles </script foo="bar"> etc.)
     /javascript:/gi,        // JavaScript protocol
     /on\w+\s*=/gi,         // Event handlers
     /\.\.\//g,             // Path traversal