v5.8.7 — CodeQL CWE-367 fixes + SkillSpector comment fix
What's changed
Fixed — CodeQL alerts #165–#168
#165, #166, #167 — CWE-367 TOCTOU (test-phase11.ts): Three writeFileSync(path, data) calls in the new testLockOwnership() and testAtomicSnapshot() test helpers were flagged as potential file-system race conditions (js/file-system-race). The path-then-write pattern has a window where the file could change between resolution and the write. Replaced all three with fd-based writes (openSync → writeSync → closeSync), consistent with how production code in lib/locked-blackboard.ts handles the same pattern.
#168 — Unused variable staleRelease (test-phase11.ts): The return value of lock2.release() was assigned to staleRelease but never read. Removed the assignment; the existsSync assertion that follows is the actual correctness check.
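The fd-based write pattern named in the #165–#167 fix, shown as an added example; it is not the project's code from test-phase11.ts or lib/locked-blackboard.ts. The helper name writeViaFd, the open flags, the 0o600 mode and the scratch file are assumptions of this example.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper: resolve the path once with openSync, then write and
// close through the descriptor only. Flags are an assumption of this example:
// "w" matches writeFileSync semantics, "wx" fails if the file already exists.
function writeViaFd(file: string, data: string, flags: string = "w"): number {
  const buf = Buffer.from(data, "utf8");
  const fd = fs.openSync(file, flags, 0o600);
  try {
    let written = 0;
    // writeSync may write fewer bytes than requested, so loop until done.
    while (written < buf.length) {
      written += fs.writeSync(fd, buf, written, buf.length - written);
    }
    return written;
  } finally {
    fs.closeSync(fd); // always release the descriptor, even if a write throws
  }
}

// Constructed scenario: a scratch directory stands in for the test fixtures.
function demo(): { content: string; bytes: number; secondCreate: string } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "fd-write-"));
  const file = path.join(dir, "snapshot.json");
  try {
    const payload = JSON.stringify({ owner: "agent-a" });
    const bytes = writeViaFd(file, payload, "wx"); // create, must not exist
    let secondCreate = "created";
    try {
      writeViaFd(file, "{}", "wx"); // existing file: the open itself refuses
    } catch (err) {
      secondCreate = (err as { code?: string }).code ?? "unknown";
    }
    return { content: fs.readFileSync(file, "utf8"), bytes, secondCreate };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

console.log(demo());
```

With "wx" the existence check and the create happen in one open call, so no separate existsSync is needed before the write.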
Fixed — SkillSpector Intent-Code Divergence (94% confidence)
scripts/blackboard.py — --path scope comment: The header comment described --path as "accepted for environment routing" and "validated against the project root", which SkillSpector flagged because it implies full state isolation. In reality, only the main blackboard file path is derived from --path; lock files and pending-change files always resolve from the global data/ directory. The comment has been rewritten to accurately state the actual scope, preventing operator confusion in multi-project environments.
Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md