@evomap/evolver 1.29.0

package/src/gep/candidates.js

@@ -0,0 +1,142 @@
+function stableHash(input) {
+  // Deterministic lightweight hash (not cryptographic).
+  const s = String(input || '');
+  let h = 2166136261;
+  for (let i = 0; i < s.length; i++) {
+    h ^= s.charCodeAt(i);
+    h = Math.imul(h, 16777619);
+  }
+  return (h >>> 0).toString(16).padStart(8, '0');
+}
+
+function clip(text, maxChars) {
+  const s = String(text || '');
+  if (!maxChars || s.length <= maxChars) return s;
+  return s.slice(0, Math.max(0, maxChars - 20)) + ' ...[TRUNCATED]';
+}
+
+function toLines(text) {
+  return String(text || '')
+    .split('\n')
+    .map(l => l.trimEnd())
+    .filter(Boolean);
+}
+
+function extractToolCalls(transcript) {
+  const lines = toLines(transcript);
+  const calls = [];
+  for (const line of lines) {
+    const m = line.match(/\[TOOL:\s*([^\]]+)\]/i);
+    if (m && m[1]) calls.push(m[1].trim());
+  }
+  return calls;
+}
+
+function countFreq(items) {
+  const map = new Map();
+  for (const it of items) map.set(it, (map.get(it) || 0) + 1);
+  return map;
+}
+
+function buildFiveQuestionsShape({ title, signals, evidence }) {
+  // Keep it short and structured; this is a template, not a perfect inference.
+  const input = 'Recent session transcript + memory snippets + user instructions';
+  const output = 'A safe, auditable evolution patch guided by GEP assets';
+  const invariants = 'Protocol order, small reversible patches, validation, append-only events';
+  const params = `Signals: ${Array.isArray(signals) ? signals.join(', ') : ''}`.trim();
+  const failurePoints = 'Missing signals, over-broad changes, skipped validation, missing knowledge solidification';
+  return {
+    title: String(title || '').slice(0, 120),
+    input,
+    output,
+    invariants,
+    params: params || 'Signals: (none)',
+    failure_points: failurePoints,
+    evidence: clip(evidence, 240),
+  };
+}
+
+function extractCapabilityCandidates({ recentSessionTranscript, signals }) {
+  const candidates = [];
+  const toolCalls = extractToolCalls(recentSessionTranscript);
+  const freq = countFreq(toolCalls);
+
+  for (const [tool, count] of freq.entries()) {
+    if (count < 2) continue;
+    const title = `Repeated tool usage: ${tool}`;
+    const evidence = `Observed ${count} occurrences of tool call marker for ${tool}.`;
+    const shape = buildFiveQuestionsShape({ title, signals, evidence });
+    candidates.push({
+      type: 'CapabilityCandidate',
+      id: `cand_${stableHash(title)}`,
+      title,
+      source: 'transcript',
+      created_at: new Date().toISOString(),
+      signals: Array.isArray(signals) ? signals : [],
+      shape,
+    });
+  }
+
+  // Signals-as-candidates: capture recurring pain points as reusable capability shapes.
+  const signalList = Array.isArray(signals) ? signals : [];
+  const signalCandidates = [
+    // Defensive signals
+    { signal: 'log_error', title: 'Repair recurring runtime errors' },
+    { signal: 'protocol_drift', title: 'Prevent protocol drift and enforce auditable outputs' },
+    { signal: 'windows_shell_incompatible', title: 'Avoid platform-specific shell assumptions (Windows compatibility)' },
+    { signal: 'session_logs_missing', title: 'Harden session log detection and fallback behavior' },
+    // Opportunity signals (innovation)
+    { signal: 'user_feature_request', title: 'Implement user-requested feature' },
+    { signal: 'user_improvement_suggestion', title: 'Apply user improvement suggestion' },
+    { signal: 'perf_bottleneck', title: 'Resolve performance bottleneck' },
+    { signal: 'capability_gap', title: 'Fill capability gap' },
+    { signal: 'stable_success_plateau', title: 'Explore new strategies during stability plateau' },
+    { signal: 'external_opportunity', title: 'Evaluate external A2A asset for local adoption' },
+  ];
+
+  for (const sc of signalCandidates) {
+    if (!signalList.some(s => s === sc.signal || s.startsWith(sc.signal + ':'))) continue;
+    const evidence = `Signal present: ${sc.signal}`;
+    const shape = buildFiveQuestionsShape({ title: sc.title, signals, evidence });
+    candidates.push({
+      type: 'CapabilityCandidate',
+      id: `cand_${stableHash(sc.signal)}`,
+      title: sc.title,
+      source: 'signals',
+      created_at: new Date().toISOString(),
+      signals: signalList,
+      shape,
+    });
+  }
+
+  // Dedup by id
+  const seen = new Set();
+  return candidates.filter(c => {
+    if (!c || !c.id) return false;
+    if (seen.has(c.id)) return false;
+    seen.add(c.id);
+    return true;
+  });
+}
+
+function renderCandidatesPreview(candidates, maxChars = 1400) {
+  const list = Array.isArray(candidates) ? candidates : [];
+  const lines = [];
+  for (const c of list) {
+    const s = c && c.shape ? c.shape : {};
+    lines.push(`- ${c.id}: ${c.title}`);
+    lines.push(`  - input: ${s.input || ''}`);
+    lines.push(`  - output: ${s.output || ''}`);
+    lines.push(`  - invariants: ${s.invariants || ''}`);
+    lines.push(`  - params: ${s.params || ''}`);
+    lines.push(`  - failure_points: ${s.failure_points || ''}`);
+    if (s.evidence) lines.push(`  - evidence: ${s.evidence}`);
+  }
+  return clip(lines.join('\n'), maxChars);
+}
+
+module.exports = {
+  extractCapabilityCandidates,
+  renderCandidatesPreview,
+};
+

package/src/gep/contentHash.js

@@ -0,0 +1,65 @@
+// Content-addressable hashing for GEP assets.
+// Provides canonical JSON serialization and SHA-256 based asset IDs.
+// This enables deduplication, tamper detection, and cross-node consistency.
+
+const crypto = require('crypto');
+
+// Schema version for all GEP asset types.
+// Bump MINOR for additive fields; MAJOR for breaking changes.
+const SCHEMA_VERSION = '1.6.0';
+
+// Canonical JSON: deterministic serialization with sorted keys at all levels.
+// Arrays preserve order; non-finite numbers become null; undefined becomes null.
+function canonicalize(obj) {
+  if (obj === null || obj === undefined) return 'null';
+  if (typeof obj === 'boolean') return obj ? 'true' : 'false';
+  if (typeof obj === 'number') {
+    if (!Number.isFinite(obj)) return 'null';
+    return String(obj);
+  }
+  if (typeof obj === 'string') return JSON.stringify(obj);
+  if (Array.isArray(obj)) {
+    return '[' + obj.map(canonicalize).join(',') + ']';
+  }
+  if (typeof obj === 'object') {
+    const keys = Object.keys(obj).sort();
+    const pairs = [];
+    for (const k of keys) {
+      pairs.push(JSON.stringify(k) + ':' + canonicalize(obj[k]));
+    }
+    return '{' + pairs.join(',') + '}';
+  }
+  return 'null';
+}
+
+// Compute a content-addressable asset ID.
+// Excludes self-referential fields (asset_id itself) from the hash input.
+// Returns "sha256:<hex>".
+function computeAssetId(obj, excludeFields) {
+  if (!obj || typeof obj !== 'object') return null;
+  const exclude = new Set(Array.isArray(excludeFields) ? excludeFields : ['asset_id']);
+  const clean = {};
+  for (const k of Object.keys(obj)) {
+    if (exclude.has(k)) continue;
+    clean[k] = obj[k];
+  }
+  const canonical = canonicalize(clean);
+  const hash = crypto.createHash('sha256').update(canonical, 'utf8').digest('hex');
+  return 'sha256:' + hash;
+}
+
+// Verify that an object's asset_id matches its content.
+function verifyAssetId(obj) {
+  if (!obj || typeof obj !== 'object') return false;
+  const claimed = obj.asset_id;
+  if (!claimed || typeof claimed !== 'string') return false;
+  const computed = computeAssetId(obj);
+  return claimed === computed;
+}
+
+module.exports = {
+  SCHEMA_VERSION,
+  canonicalize,
+  computeAssetId,
+  verifyAssetId,
+};

package/src/gep/deviceId.js

@@ -0,0 +1,209 @@
+// Stable device identifier for node identity.
+// Generates a hardware-based fingerprint that persists across directory changes,
+// reboots, and evolver upgrades. Used by getNodeId() and env_fingerprint.
+//
+// Priority chain:
+//   1. EVOMAP_DEVICE_ID env var        (explicit override, recommended for containers)
+//   2. ~/.evomap/device_id file        (persisted from previous run)
+//   3. <project>/.evomap_device_id     (fallback persist path for containers w/o $HOME)
+//   4. /etc/machine-id                 (Linux, set at OS install)
+//   5. IOPlatformUUID                  (macOS hardware UUID)
+//   6. Docker/OCI container ID         (from /proc/self/cgroup or /proc/self/mountinfo)
+//   7. hostname + MAC addresses        (network-based fallback)
+//   8. random 128-bit hex              (last resort, persisted immediately)
+
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+const DEVICE_ID_DIR = path.join(os.homedir(), '.evomap');
+const DEVICE_ID_FILE = path.join(DEVICE_ID_DIR, 'device_id');
+const LOCAL_DEVICE_ID_FILE = path.resolve(__dirname, '..', '..', '.evomap_device_id');
+
+let _cachedDeviceId = null;
+
+const DEVICE_ID_RE = /^[a-f0-9]{16,64}$/;
+
+function isContainer() {
+  try {
+    if (fs.existsSync('/.dockerenv')) return true;
+  } catch {}
+  try {
+    const cgroup = fs.readFileSync('/proc/1/cgroup', 'utf8');
+    if (/docker|kubepods|containerd|cri-o|lxc|ecs/i.test(cgroup)) return true;
+  } catch {}
+  try {
+    if (fs.existsSync('/run/.containerenv')) return true;
+  } catch {}
+  return false;
+}
+
+function readMachineId() {
+  try {
+    const mid = fs.readFileSync('/etc/machine-id', 'utf8').trim();
+    if (mid && mid.length >= 16) return mid;
+  } catch {}
+
+  if (process.platform === 'darwin') {
+    try {
+      const { execFileSync } = require('child_process');
+      const raw = execFileSync('ioreg', ['-rd1', '-c', 'IOPlatformExpertDevice'], {
+        encoding: 'utf8',
+        timeout: 3000,
+        stdio: ['ignore', 'pipe', 'ignore'],
+      });
+      const match = raw.match(/"IOPlatformUUID"\s*=\s*"([^"]+)"/);
+      if (match && match[1]) return match[1];
+    } catch {}
+  }
+
+  return null;
+}
+
+// Extract Docker/OCI container ID from cgroup or mountinfo.
+// The container ID is 64-char hex and stable for the lifetime of the container.
+// Returns null on non-container hosts or if parsing fails.
+function readContainerId() {
+  // Method 1: /proc/self/cgroup (works for cgroup v1 and most Docker setups)
+  try {
+    const cgroup = fs.readFileSync('/proc/self/cgroup', 'utf8');
+    const match = cgroup.match(/[a-f0-9]{64}/);
+    if (match) return match[0];
+  } catch {}
+
+  // Method 2: /proc/self/mountinfo (works for cgroup v2 / containerd)
+  try {
+    const mountinfo = fs.readFileSync('/proc/self/mountinfo', 'utf8');
+    const match = mountinfo.match(/[a-f0-9]{64}/);
+    if (match) return match[0];
+  } catch {}
+
+  // Method 3: hostname in Docker defaults to short container ID (12 hex chars)
+  if (isContainer()) {
+    const hostname = os.hostname();
+    if (/^[a-f0-9]{12,64}$/.test(hostname)) return hostname;
+  }
+
+  return null;
+}
+
+function getMacAddresses() {
+  const ifaces = os.networkInterfaces();
+  const macs = [];
+  for (const name of Object.keys(ifaces)) {
+    for (const iface of ifaces[name]) {
+      if (!iface.internal && iface.mac && iface.mac !== '00:00:00:00:00:00') {
+        macs.push(iface.mac);
+      }
+    }
+  }
+  macs.sort();
+  return macs;
+}
+
+function generateDeviceId() {
+  const machineId = readMachineId();
+  if (machineId) {
+    return crypto.createHash('sha256').update('evomap:' + machineId).digest('hex').slice(0, 32);
+  }
+
+  // Container ID: stable for the container's lifetime, but changes on re-create.
+  // Still better than random for keeping identity within a single deployment.
+  const containerId = readContainerId();
+  if (containerId) {
+    return crypto.createHash('sha256').update('evomap:container:' + containerId).digest('hex').slice(0, 32);
+  }
+
+  const macs = getMacAddresses();
+  if (macs.length > 0) {
+    const raw = os.hostname() + '|' + macs.join(',');
+    return crypto.createHash('sha256').update('evomap:' + raw).digest('hex').slice(0, 32);
+  }
+
+  return crypto.randomBytes(16).toString('hex');
+}
+
+function persistDeviceId(id) {
+  // Try primary path (~/.evomap/device_id)
+  try {
+    if (!fs.existsSync(DEVICE_ID_DIR)) {
+      fs.mkdirSync(DEVICE_ID_DIR, { recursive: true, mode: 0o700 });
+    }
+    fs.writeFileSync(DEVICE_ID_FILE, id, { encoding: 'utf8', mode: 0o600 });
+    return;
+  } catch {}
+
+  // Fallback: project-local file (useful in containers where $HOME is ephemeral
+  // but the project directory is mounted as a volume)
+  try {
+    fs.writeFileSync(LOCAL_DEVICE_ID_FILE, id, { encoding: 'utf8', mode: 0o600 });
+    return;
+  } catch {}
+
+  console.error(
+    '[evolver] WARN: failed to persist device_id to ' + DEVICE_ID_FILE +
+    ' or ' + LOCAL_DEVICE_ID_FILE +
+    ' -- node identity may change on restart.' +
+    ' Set EVOMAP_DEVICE_ID env var for stable identity in containers.'
+  );
+}
+
+function loadPersistedDeviceId() {
+  // Try primary path
+  try {
+    if (fs.existsSync(DEVICE_ID_FILE)) {
+      const id = fs.readFileSync(DEVICE_ID_FILE, 'utf8').trim();
+      if (id && DEVICE_ID_RE.test(id)) return id;
+    }
+  } catch {}
+
+  // Try project-local fallback
+  try {
+    if (fs.existsSync(LOCAL_DEVICE_ID_FILE)) {
+      const id = fs.readFileSync(LOCAL_DEVICE_ID_FILE, 'utf8').trim();
+      if (id && DEVICE_ID_RE.test(id)) return id;
+    }
+  } catch {}
+
+  return null;
+}
+
+function getDeviceId() {
+  if (_cachedDeviceId) return _cachedDeviceId;
+
+  // 1. Env var override (validated)
+  if (process.env.EVOMAP_DEVICE_ID) {
+    const envId = String(process.env.EVOMAP_DEVICE_ID).trim().toLowerCase();
+    if (DEVICE_ID_RE.test(envId)) {
+      _cachedDeviceId = envId;
+      return _cachedDeviceId;
+    }
+  }
+
+  // 2. Previously persisted (checks both ~/.evomap/ and project-local)
+  const persisted = loadPersistedDeviceId();
+  if (persisted) {
+    _cachedDeviceId = persisted;
+    return _cachedDeviceId;
+  }
+
+  // 3. Generate from hardware / container metadata and persist
+  const inContainer = isContainer();
+  const generated = generateDeviceId();
+  persistDeviceId(generated);
+  _cachedDeviceId = generated;
+
+  if (inContainer && !process.env.EVOMAP_DEVICE_ID) {
+    console.error(
+      '[evolver] NOTE: running in a container without EVOMAP_DEVICE_ID.' +
+      ' A device_id was auto-generated and persisted, but for guaranteed' +
+      ' cross-restart stability, set EVOMAP_DEVICE_ID as an env var' +
+      ' or mount a persistent volume at ~/.evomap/'
+    );
+  }
+
+  return _cachedDeviceId;
+}
+
+module.exports = { getDeviceId, isContainer };

package/src/gep/envFingerprint.js

@@ -0,0 +1,68 @@
+// Environment fingerprint capture for GEP assets.
+// Records the runtime environment so that cross-environment diffusion
+// success rates (GDI) can be measured scientifically.
+
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const { getRepoRoot } = require('./paths');
+const { getDeviceId, isContainer } = require('./deviceId');
+
+// Capture a structured environment fingerprint.
+// This is embedded into Capsules, EvolutionEvents, and ValidationReports.
+function captureEnvFingerprint() {
+  const repoRoot = getRepoRoot();
+  let pkgVersion = null;
+  let pkgName = null;
+  try {
+    const raw = fs.readFileSync(path.join(repoRoot, 'package.json'), 'utf8');
+    const pkg = JSON.parse(raw);
+    pkgVersion = pkg && pkg.version ? String(pkg.version) : null;
+    pkgName = pkg && pkg.name ? String(pkg.name) : null;
+  } catch (e) {}
+
+  const region = (process.env.EVOLVER_REGION || '').trim().toLowerCase().slice(0, 5) || undefined;
+
+  return {
+    device_id: getDeviceId(),
+    node_version: process.version,
+    platform: process.platform,
+    arch: process.arch,
+    os_release: os.release(),
+    hostname: crypto.createHash('sha256').update(os.hostname()).digest('hex').slice(0, 12),
+    evolver_version: pkgVersion,
+    client: pkgName || 'evolver',
+    client_version: pkgVersion,
+    region: region,
+    cwd: crypto.createHash('sha256').update(process.cwd()).digest('hex').slice(0, 12),
+    container: isContainer(),
+  };
+}
+
+// Compute a short fingerprint key for comparison and grouping.
+// Two nodes with the same key are considered "same environment class".
+function envFingerprintKey(fp) {
+  if (!fp || typeof fp !== 'object') return 'unknown';
+  const parts = [
+    fp.device_id || '',
+    fp.node_version || '',
+    fp.platform || '',
+    fp.arch || '',
+    fp.hostname || '',
+    fp.client || fp.evolver_version || '',
+    fp.client_version || fp.evolver_version || '',
+  ].join('|');
+  return crypto.createHash('sha256').update(parts, 'utf8').digest('hex').slice(0, 16);
+}
+
+// Check if two fingerprints are from the same environment class.
+function isSameEnvClass(fpA, fpB) {
+  return envFingerprintKey(fpA) === envFingerprintKey(fpB);
+}
+
+module.exports = {
+  captureEnvFingerprint,
+  envFingerprintKey,
+  isSameEnvClass,
+};

package/src/gep/hubReview.js

@@ -0,0 +1,206 @@
+// Hub Asset Review: submit usage-verified reviews after solidify.
+//
+// When an evolution cycle reuses a Hub asset (source_type = 'reused' or 'reference'),
+// we submit a review to POST /a2a/assets/:assetId/reviews after solidify completes.
+// Rating is derived from outcome: success -> 4-5, failure -> 1-2.
+// Reviews are non-blocking; errors never affect the solidify result.
+// Duplicate prevention: a local file tracks reviewed assetIds to avoid re-reviewing.
+
+const fs = require('fs');
+const path = require('path');
+const { getNodeId, getHubNodeSecret } = require('./a2aProtocol');
+const { logAssetCall } = require('./assetCallLog');
+
+const REVIEW_HISTORY_FILE = path.join(
+  require('./paths').getEvolutionDir(),
+  'hub_review_history.json'
+);
+
+const REVIEW_HISTORY_MAX_ENTRIES = 500;
+
+function _loadReviewHistory() {
+  try {
+    if (!fs.existsSync(REVIEW_HISTORY_FILE)) return {};
+    const raw = fs.readFileSync(REVIEW_HISTORY_FILE, 'utf8');
+    if (!raw.trim()) return {};
+    return JSON.parse(raw);
+  } catch {
+    return {};
+  }
+}
+
+function _saveReviewHistory(history) {
+  try {
+    const dir = path.dirname(REVIEW_HISTORY_FILE);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    const keys = Object.keys(history);
+    if (keys.length > REVIEW_HISTORY_MAX_ENTRIES) {
+      const sorted = keys
+        .map(k => ({ k, t: history[k].at || 0 }))
+        .sort((a, b) => a.t - b.t);
+      const toRemove = sorted.slice(0, keys.length - REVIEW_HISTORY_MAX_ENTRIES);
+      for (const entry of toRemove) delete history[entry.k];
+    }
+    const tmp = REVIEW_HISTORY_FILE + '.tmp';
+    fs.writeFileSync(tmp, JSON.stringify(history, null, 2) + '\n', 'utf8');
+    fs.renameSync(tmp, REVIEW_HISTORY_FILE);
+  } catch {}
+}
+
+function _alreadyReviewed(assetId) {
+  const history = _loadReviewHistory();
+  return !!history[assetId];
+}
+
+function _markReviewed(assetId, rating, success) {
+  const history = _loadReviewHistory();
+  history[assetId] = { at: Date.now(), rating, success };
+  _saveReviewHistory(history);
+}
+
+function _deriveRating(outcome, constraintCheck) {
+  if (outcome && outcome.status === 'success') {
+    const score = Number(outcome.score) || 0;
+    return score >= 0.85 ? 5 : 4;
+  }
+  const hasConstraintViolation =
+    constraintCheck &&
+    Array.isArray(constraintCheck.violations) &&
+    constraintCheck.violations.length > 0;
+  return hasConstraintViolation ? 1 : 2;
+}
+
+function _buildReviewContent({ outcome, gene, signals, blast, sourceType }) {
+  const parts = [];
+  const status = outcome && outcome.status ? outcome.status : 'unknown';
+  const score = outcome && Number.isFinite(Number(outcome.score))
+    ? Number(outcome.score).toFixed(2) : '?';
+
+  parts.push('Outcome: ' + status + ' (score: ' + score + ')');
+  parts.push('Reuse mode: ' + (sourceType || 'unknown'));
+
+  if (gene && gene.id) {
+    parts.push('Gene: ' + gene.id + ' (' + (gene.category || 'unknown') + ')');
+  }
+
+  if (Array.isArray(signals) && signals.length > 0) {
+    parts.push('Signals: ' + signals.slice(0, 6).join(', '));
+  }
+
+  if (blast) {
+    parts.push('Blast radius: ' + (blast.files || 0) + ' file(s), ' + (blast.lines || 0) + ' line(s)');
+  }
+
+  if (status === 'success') {
+    parts.push('The fetched asset was successfully applied and solidified.');
+  } else {
+    parts.push('The fetched asset did not lead to a successful evolution cycle.');
+  }
+
+  return parts.join('\n').slice(0, 2000);
+}
+
+function getHubUrl() {
+  return (process.env.A2A_HUB_URL || '').replace(/\/+$/, '');
+}
+
+async function submitHubReview({
+  reusedAssetId,
+  sourceType,
+  outcome,
+  gene,
+  signals,
+  blast,
+  constraintCheck,
+  runId,
+}) {
+  var hubUrl = getHubUrl();
+  if (!hubUrl) return { submitted: false, reason: 'no_hub_url' };
+
+  if (!reusedAssetId || typeof reusedAssetId !== 'string') {
+    return { submitted: false, reason: 'no_reused_asset_id' };
+  }
+
+  if (sourceType !== 'reused' && sourceType !== 'reference') {
+    return { submitted: false, reason: 'not_hub_sourced' };
+  }
+
+  if (_alreadyReviewed(reusedAssetId)) {
+    return { submitted: false, reason: 'already_reviewed' };
+  }
+
+  var rating = _deriveRating(outcome, constraintCheck);
+  var content = _buildReviewContent({ outcome, gene, signals, blast, sourceType });
+  var senderId = getNodeId();
+
+  var endpoint = hubUrl + '/a2a/assets/' + encodeURIComponent(reusedAssetId) + '/reviews';
+
+  var headers = { 'Content-Type': 'application/json', 'Accept': 'application/json' };
+  var secret = getHubNodeSecret();
+  if (secret) {
+    headers['Authorization'] = 'Bearer ' + secret;
+  }
+
+  var body = JSON.stringify({
+    sender_id: senderId,
+    rating: rating,
+    content: content,
+  });
+
+  try {
+    var controller = new AbortController();
+    var timer = setTimeout(function () { controller.abort('hub_review_timeout'); }, 10000);
+
+    var res = await fetch(endpoint, {
+      method: 'POST',
+      headers: headers,
+      body: body,
+      signal: controller.signal,
+    });
+    clearTimeout(timer);
+
+    if (res.ok) {
+      _markReviewed(reusedAssetId, rating, true);
+      console.log(
+        '[HubReview] Submitted review for ' + reusedAssetId + ': rating=' + rating + ', outcome=' + (outcome && outcome.status)
+      );
+      logAssetCall({
+        run_id: runId || null,
+        action: 'hub_review_submitted',
+        asset_id: reusedAssetId,
+        extra: { rating: rating, outcome_status: outcome && outcome.status },
+      });
+      return { submitted: true, rating: rating, asset_id: reusedAssetId };
+    }
+
+    var errData = await res.json().catch(function () { return {}; });
+    var errCode = errData.error || errData.code || ('http_' + res.status);
+
+    if (errCode === 'already_reviewed') {
+      _markReviewed(reusedAssetId, rating, false);
+    }
+
+    console.log('[HubReview] Hub rejected review for ' + reusedAssetId + ': ' + errCode);
+    logAssetCall({
+      run_id: runId || null,
+      action: 'hub_review_rejected',
+      asset_id: reusedAssetId,
+      extra: { rating: rating, error: errCode },
+    });
+    return { submitted: false, reason: errCode, rating: rating };
+  } catch (err) {
+    var reason = err.name === 'AbortError' ? 'timeout' : 'fetch_error';
+    console.log('[HubReview] Failed (non-fatal, ' + reason + '): ' + err.message);
+    logAssetCall({
+      run_id: runId || null,
+      action: 'hub_review_failed',
+      asset_id: reusedAssetId,
+      extra: { rating: rating, reason: reason, error: err.message },
+    });
+    return { submitted: false, reason: reason, error: err.message };
+  }
+}
+
+module.exports = {
+  submitHubReview,
+};