This release includes 2 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Light signal: In v5.8.5, justification strings are truncated to 200 characters in audit logs and fully redacted from JSON summary output.
Why it matters: Audit log entries now limit justification text to 200 characters, appending '[truncated]', and the JSON summary omits justification fields entirely; this reduces exposure of sensitive rationale data in logged outputs.
Summary
AI summary: Justification strings truncated to 200 characters in audit logs and redacted from JSON summary output.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Truncates justification strings to 200 characters before audit log write, appending '[truncated]' suffix. Source: llm_adapter@2026-05-24 Confidence: high | — |
| Security | Medium | Redacts justification field from JSON audit summary output, removing raw log entries' justification details. Source: llm_adapter@2026-05-24 Confidence: low | — |
| Security | Medium | Redacts the 'justification' key from JSON audit summary entries via _redact_entry(), leaving human-readable output unchanged. Source: granite4.1:30b@2026-05-24-audit Confidence: low | — |
Full changelog
## Network-AI v5.8.5 — Audit log justification data minimisation (Ssd3)
Security
Three related SkillSpector Ssd3 findings (98%/99%/99%) addressed in scripts/check_permission.py.
Justification truncation before audit log write (Ssd3, 99%)
Justification strings are now truncated to 200 characters before being written to `audit_log.jsonl`. Content beyond that limit is dropped and a `[truncated]` suffix is appended. The full in-memory string is still used for `score_justification()` scoring. A named constant `_JUSTIFICATION_MAX_LOG_LEN = 200` controls the limit.
Justification redacted from audit summary JSON output (Ssd3, 99%)
`--audit-summary --json` previously included raw log entries in the `recent` array, creating a secondary retrieval path for earlier justification text. The `justification` key is now stripped from each entry's `details` dict in JSON output via an inline `_redact_entry()` helper. Human-readable (non-JSON) output is unaffected.
Header comment updated (Ssd3, 98%)
The script header now describes truncation and summary redaction rather than saying justifications are logged verbatim. `SKILL.md` `privacy.audit_log.pii_warning` updated to match.
Files changed
scripts/check_permission.py, SKILL.md, CHANGELOG.md, package.json, skill.json, openapi.yaml, README.md, and all version-bearing doc files.
Security Fixes
- Truncate justification strings to 200 characters in `audit_log.jsonl` with `[truncated]` suffix (Ssd3, 99%).
- Redact `justification` field from JSON audit summary output via `_redact_entry()` helper (Ssd3, 99%).
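The two fixes described in the changelog above, sketched as an added Python example; this is not the code from `scripts/check_permission.py`. The constant name, the 200-character limit, the `[truncated]` suffix, `_redact_entry()` and the `details` and `recent` keys come from the release notes. The entry layout, the other function names, the suffix spacing and the sample data are assumptions.

```python
import json

_JUSTIFICATION_MAX_LOG_LEN = 200   # constant name and value from the changelog
_TRUNCATED_SUFFIX = "[truncated]"  # suffix text from the changelog; spacing is assumed


def truncate_for_log(justification: str) -> str:
    """Return the form of a justification that is allowed to reach disk."""
    if len(justification) <= _JUSTIFICATION_MAX_LOG_LEN:
        return justification
    # Content past the limit is dropped; the suffix marks that it happened.
    return justification[:_JUSTIFICATION_MAX_LOG_LEN] + _TRUNCATED_SUFFIX


def build_log_line(agent: str, justification: str) -> str:
    """Serialize one audit_log.jsonl line (entry layout is assumed)."""
    entry = {"action": "permission_request", "agent": agent,
             "details": {"justification": truncate_for_log(justification)}}
    return json.dumps(entry)


def _redact_entry(entry: dict) -> dict:
    """Copy an entry without details.justification; the input is not mutated."""
    redacted = dict(entry)
    details = entry.get("details")
    if isinstance(details, dict):
        redacted["details"] = {k: v for k, v in details.items()
                               if k != "justification"}
    return redacted


def audit_summary_json(log_lines: list[str], recent: int = 10) -> str:
    """Build the JSON summary; 'recent' carries redacted entries only."""
    entries = [json.loads(line) for line in log_lines if line.strip()]
    return json.dumps({"total": len(entries),
                       "recent": [_redact_entry(e) for e in entries[-recent:]]})


if __name__ == "__main__":
    # Constructed sample: one line written verbatim before the fix (400 chars)
    # and one written through the truncating path.
    legacy = json.dumps({"action": "permission_request", "agent": "a1",
                         "details": {"justification": "x" * 400, "resource": "DB"}})
    lines = [legacy, build_log_line("a2", "ticket ref " + "y" * 300)]
    print(lines[1][-40:])             # tail of the truncated on-disk entry
    print(audit_summary_json(lines))  # no justification text, old or new
```

The legacy line shows why both fixes are needed: truncation only limits what is written from now on, while redaction in the summary also covers full-length justifications already sitting in the log file.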
About Jovancoding/Network-AI
Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.