v4.0.14 — Accurate Python skill bundle documentation

[Jovancoding]

What changed

The OpenClaw scanner flagged that skill.json and SKILL.md overstated what the Python scripts actually do. The HMAC-signed tokens, AES-256-GCM encryption, and standalone MCP server are all features of the Node.js package (network-ai on npm) — they are not present in the Python skill bundle. This release corrects every affected document.

Fixed

• skill.json description — removed "enforces HMAC-gated AuthGuardian permissions"; now accurately describes UUID-based grant tokens and plain JSONL audit logging; added explicit callout that HMAC/AES-256 are Node.js-only
• skill.json env block — SWARM_TOKEN_SECRET and SWARM_ENCRYPTION_KEY marked "Node.js MCP server only — NOT used by the Python scripts"
• SKILL.md scope notice — tokens are grant_{uuid4().hex}; audit logging is plain JSONL append; HMAC-signed tokens / AES-256 encryption / standalone MCP server are Node.js package features
• SKILL.md env block — all three env vars corrected to match
• .github/SECURITY.md — "Security Measures" and "Audit Trail" sections split into two explicit layers:
  • Python skill bundle: UUID tokens, plain JSONL, weighted permission scoring, prompt-injection detection, path traversal protection
  • Node.js package: AES-256-GCM encryption, HMAC-SHA256 signed tokens, SecureAuditLogger
• README — keywords block restored; RSS feed badge added (links to releases Atom feed)

No breaking changes

No API, behaviour, or runtime changes. Documentation only.

---

npm: npm install network-ai@4.0.14
Full changelog: CHANGELOG.md

---

This discussion was created from the release v4.0.14 — Accurate Python skill bundle documentation.