v3.2.9 — Full CodeQL alert resolution + supply chain hardening

[jovanSAPFIONEER]

What's Changed

Fixed

• Pinned-Dependencies — all GitHub Actions in ci.yml, codeql.yml, and dependabot-auto-merge.yml pinned to full commit SHA; prevents supply chain attacks via mutable version tags
• Token-Permissions — permissions: read-all added to CodeQL workflow; workflows no longer carry implicit write access
• File system race condition — final existsSync + readFileSync TOCTOU pattern removed from locked-blackboard.ts; now reads directly and handles ENOENT, closing the check-then-act window
• Unused imports — removed existsSync, writeFileSync from security.ts and statSync from locked-blackboard.ts
• py/redundant-comparison — removed always-true word_count > 0 ternary in check_permission.py (guaranteed >= 3 by earlier guard)
• py/empty-except — added explanatory comments to all bare pass except blocks across blackboard.py, swarm_guard.py, and validate_token.py

Release history

Version	Focus
v3.2.9	CodeQL remaining alerts + action SHA pinning
v3.2.8	CodeQL HIGH alerts — TOCTOU, bad HTML regex, missing regex anchor
v3.2.7	Remove eval() from distributed code — Socket score recovery

315/315 tests passing

Installation

npm install network-ai@3.2.9

<hr /><em>This discussion was created from the release <a href='https://github.com/jovanSAPFIONEER/Network-AI/releases/tag/v3.2.9'>v3.2.9 — Full CodeQL alert resolution + supply chain hardening</a>.</em>