@evomap/evolver 1.70.0-beta.5 → 1.70.0

package/assets/gep/candidates.jsonl

@@ -1,3 +1,6 @@
-{"type":"CapabilityCandidate","id":"cand_b9a66a5c","title":"Harden session log detection and fallback behavior","source":"signals","created_at":"2026-04-27T05:31:51.337Z","signals":["memory_missing","user_missing","session_logs_missing"],"tags":["memory_missing","user_missing","session_logs_missing","area:memory"],"shape":{"title":"Harden session log detection and fallback behavior","input":"Recent session transcript + memory snippets + user instructions","output":"A safe, auditable evolution patch guided by GEP assets","invariants":"Protocol order, small reversible patches, validation, append-only events","params":"Signals: memory_missing, user_missing, session_logs_missing","failure_points":"Missing signals, over-broad changes, skipped validation, missing knowledge solidification","evidence":"Signal present: session_logs_missing"}}
-{"type":"CapabilityCandidate","id":"cand_b9a66a5c","title":"Harden session log detection and fallback behavior","source":"signals","created_at":"2026-04-27T05:31:53.506Z","signals":["memory_missing","user_missing","session_logs_missing"],"tags":["memory_missing","user_missing","session_logs_missing","area:memory"],"shape":{"title":"Harden session log detection and fallback behavior","input":"Recent session transcript + memory snippets + user instructions","output":"A safe, auditable evolution patch guided by GEP assets","invariants":"Protocol order, small reversible patches, validation, append-only events","params":"Signals: memory_missing, user_missing, session_logs_missing","failure_points":"Missing signals, over-broad changes, skipped validation, missing knowledge solidification","evidence":"Signal present: session_logs_missing"}}
-{"type":"CapabilityCandidate","id":"cand_b9a66a5c","title":"Harden session log detection and fallback behavior","source":"signals","created_at":"2026-04-27T05:31:55.280Z","signals":["memory_missing","user_missing","session_logs_missing"],"tags":["memory_missing","user_missing","session_logs_missing","area:memory"],"shape":{"title":"Harden session log detection and fallback behavior","input":"Recent session transcript + memory snippets + user instructions","output":"A safe, auditable evolution patch guided by GEP assets","invariants":"Protocol order, small reversible patches, validation, append-only events","params":"Signals: memory_missing, user_missing, session_logs_missing","failure_points":"Missing signals, over-broad changes, skipped validation, missing knowledge solidification","evidence":"Signal present: session_logs_missing"}}
+{"type":"CapabilityCandidate","id":"cand_b9a66a5c","title":"Harden session log detection and fallback behavior","source":"signals","created_at":"2026-04-27T05:47:45.106Z","signals":["memory_missing","user_missing","session_logs_missing"],"tags":["memory_missing","user_missing","session_logs_missing","area:memory"],"shape":{"title":"Harden session log detection and fallback behavior","input":"Recent session transcript + memory snippets + user instructions","output":"A safe, auditable evolution patch guided by GEP assets","invariants":"Protocol order, small reversible patches, validation, append-only events","params":"Signals: memory_missing, user_missing, session_logs_missing","failure_points":"Missing signals, over-broad changes, skipped validation, missing knowledge solidification","evidence":"Signal present: session_logs_missing"}}
+{"type":"CapabilityCandidate","id":"cand_b9a66a5c","title":"Harden session log detection and fallback behavior","source":"signals","created_at":"2026-04-27T05:47:47.051Z","signals":["bounty_task","external_task","seo","approaches","different","compare","comparison","note","within","optimization","keyword","red","xiaohongshu","xiaohongshu-ops","memory_missing","user_missing","session_logs_missing"],"tags":["bounty_task","external_task","seo","approaches","different","compare","comparison","note","within","optimization","keyword","red","xiaohongshu","xiaohongshu-ops","memory_missing","user_missing","session_logs_missing","area:orchestration","area:memory"],"shape":{"title":"Harden session log detection and fallback behavior","input":"Recent session transcript + memory snippets + user instructions","output":"A safe, auditable evolution patch guided by GEP assets","invariants":"Protocol order, small reversible patches, validation, append-only events","params":"Signals: bounty_task, external_task, seo, approaches, different, compare, comparison, note, within, optimization, keyword, red, xiaohongshu, xiaohongshu-ops, memory_missing, user_missing, session_logs_missing","failure_points":"Missing signals, over-broad changes, skipped validation, missing knowledge solidification","evidence":"Signal present: session_logs_missing"}}
+{"type":"CapabilityCandidate","id":"cand_b9a66a5c","title":"Harden session log detection and fallback behavior","source":"signals","created_at":"2026-04-27T05:47:48.939Z","signals":["bounty_task","external_task","seo","approaches","different","compare","comparison","note","within","optimization","keyword","red","xiaohongshu","xiaohongshu-ops","memory_missing","user_missing","session_logs_missing"],"tags":["bounty_task","external_task","seo","approaches","different","compare","comparison","note","within","optimization","keyword","red","xiaohongshu","xiaohongshu-ops","memory_missing","user_missing","session_logs_missing","area:orchestration","area:memory"],"shape":{"title":"Harden session log detection and fallback behavior","input":"Recent session transcript + memory snippets + user instructions","output":"A safe, auditable evolution patch guided by GEP assets","invariants":"Protocol order, small reversible patches, validation, append-only events","params":"Signals: bounty_task, external_task, seo, approaches, different, compare, comparison, note, within, optimization, keyword, red, xiaohongshu, xiaohongshu-ops, memory_missing, user_missing, session_logs_missing","failure_points":"Missing signals, over-broad changes, skipped validation, missing knowledge solidification","evidence":"Signal present: session_logs_missing"}}
+{"type":"CapabilityCandidate","id":"cand_b9a66a5c","title":"Harden session log detection and fallback behavior","source":"signals","created_at":"2026-04-27T05:49:00.343Z","signals":["bounty_task","external_task","seo","approaches","different","compare","comparison","note","within","optimization","keyword","red","xiaohongshu","xiaohongshu-ops","memory_missing","user_missing","session_logs_missing"],"tags":["bounty_task","external_task","seo","approaches","different","compare","comparison","note","within","optimization","keyword","red","xiaohongshu","xiaohongshu-ops","memory_missing","user_missing","session_logs_missing","area:orchestration","area:memory"],"shape":{"title":"Harden session log detection and fallback behavior","input":"Recent session transcript + memory snippets + user instructions","output":"A safe, auditable evolution patch guided by GEP assets","invariants":"Protocol order, small reversible patches, validation, append-only events","params":"Signals: bounty_task, external_task, seo, approaches, different, compare, comparison, note, within, optimization, keyword, red, xiaohongshu, xiaohongshu-ops, memory_missing, user_missing, session_logs_missing","failure_points":"Missing signals, over-broad changes, skipped validation, missing knowledge solidification","evidence":"Signal present: session_logs_missing"}}
+{"type":"CapabilityCandidate","id":"cand_b9a66a5c","title":"Harden session log detection and fallback behavior","source":"signals","created_at":"2026-04-27T05:49:02.561Z","signals":["bounty_task","external_task","skills","monetize","how","monetization","reduce","optimization","prompt","negative","image-generation","ai-art","ai-image-generation","memory_missing","user_missing","session_logs_missing"],"tags":["bounty_task","external_task","skills","monetize","how","monetization","reduce","optimization","prompt","negative","image-generation","ai-art","ai-image-generation","memory_missing","user_missing","session_logs_missing","problem:protocol","action:optimize","area:prompt","area:orchestration","area:memory","area:skills"],"shape":{"title":"Harden session log detection and fallback behavior","input":"Recent session transcript + memory snippets + user instructions","output":"A safe, auditable evolution patch guided by GEP assets","invariants":"Protocol order, small reversible patches, validation, append-only events","params":"Signals: bounty_task, external_task, skills, monetize, how, monetization, reduce, optimization, prompt, negative, image-generation, ai-art, ai-image-generation, memory_missing, user_missing, session_logs_missing","failure_points":"Missing signals, over-broad changes, skipped validation, missing knowledge solidification","evidence":"Signal present: session_logs_missing"}}
+{"type":"CapabilityCandidate","id":"cand_b9a66a5c","title":"Harden session log detection and fallback behavior","source":"signals","created_at":"2026-04-27T05:49:04.551Z","signals":["bounty_task","external_task","seo","approaches","different","compare","comparison","note","within","optimization","keyword","red","xiaohongshu","xiaohongshu-ops","memory_missing","user_missing","session_logs_missing"],"tags":["bounty_task","external_task","seo","approaches","different","compare","comparison","note","within","optimization","keyword","red","xiaohongshu","xiaohongshu-ops","memory_missing","user_missing","session_logs_missing","area:orchestration","area:memory"],"shape":{"title":"Harden session log detection and fallback behavior","input":"Recent session transcript + memory snippets + user instructions","output":"A safe, auditable evolution patch guided by GEP assets","invariants":"Protocol order, small reversible patches, validation, append-only events","params":"Signals: bounty_task, external_task, seo, approaches, different, compare, comparison, note, within, optimization, keyword, red, xiaohongshu, xiaohongshu-ops, memory_missing, user_missing, session_logs_missing","failure_points":"Missing signals, over-broad changes, skipped validation, missing knowledge solidification","evidence":"Signal present: session_logs_missing"}}

package/index.js

@@ -847,23 +847,6 @@ async function main() {
       const data = await resp.json();
       const outFlag = args.find(a => typeof a === 'string' && a.startsWith('--out='));
       const safeId = String(data.skill_id || skillId).replace(/[^a-zA-Z0-9_\-\.]/g, '_');
-      // Reject safeId values that would either stay inside cwd instead of
-      // descending into skills/, or escape cwd entirely. The sanitizing regex
-      // above permits `.`, so `..` / `.` / empty survive it; `path.join('.',
-      // 'skills', '..')` collapses to `.` which turns the download directory
-      // into the user's working directory and lets Hub-supplied bundled_files
-      // overwrite `index.js`, `package.json`, etc. See GHSA-cfcj-hqpf-hccf.
-      if (
-        safeId === '' ||
-        safeId === '.' ||
-        safeId === '..' ||
-        safeId.includes('/') ||
-        safeId.includes('\\') ||
-        safeId.includes('\0')
-      ) {
-        console.error('[fetch] Hub returned an invalid skill_id: ' + JSON.stringify(safeId));
-        process.exit(1);
-      }
       let outDir;
       if (outFlag) {
         const rawOut = outFlag.slice('--out='.length);
@@ -886,16 +869,7 @@ async function main() {
         }
         outDir = resolvedOut;
       } else {
-        // Defense in depth: apply the same traversal check to the default
-        // branch so any remaining path-smuggling shape in `safeId` is caught.
-        const candidate = path.resolve(process.cwd(), 'skills', safeId);
-        const skillsRoot = path.resolve(process.cwd(), 'skills');
-        const rel = path.relative(skillsRoot, candidate);
-        if (rel.startsWith('..') || path.isAbsolute(rel)) {
-          console.error('[fetch] Hub-provided skill_id escapes skills/ directory: ' + JSON.stringify(safeId));
-          process.exit(1);
-        }
-        outDir = candidate;
+        outDir = path.join('.', 'skills', safeId);
       }
 
       if (!fs.existsSync(outDir)) fs.mkdirSync(outDir, { recursive: true });
@@ -911,24 +885,12 @@ async function main() {
         '.yml', '.yaml',
       ]);
       const MAX_SKILL_FILE_BYTES = 512 * 1024;
-      // Even with outDir locked to skills/, a legitimate-looking skill can
-      // ship a bundled file named `package.json`, `index.js`, or any other
-      // top-level project artifact whose name collides with something the
-      // user may later copy back up. Prefix-guard the resolved path so every
-      // write stays strictly within the resolved outDir (no trailing `/..`
-      // in basename, no absolute path smuggling) and never points at cwd.
-      const resolvedOutDir = path.resolve(outDir);
-      const resolvedCwd = path.resolve(process.cwd());
 
       const bundled = Array.isArray(data.bundled_files) ? data.bundled_files : [];
       const skippedFiles = [];
       for (const file of bundled) {
         if (!file || !file.name || typeof file.content !== 'string') continue;
         const safeName = path.basename(file.name);
-        if (!safeName || safeName === '.' || safeName === '..') {
-          skippedFiles.push(String(file.name));
-          continue;
-        }
         const ext = path.extname(safeName).toLowerCase();
         if (!ALLOWED_SKILL_EXTENSIONS.has(ext)) {
           console.warn('[fetch] Skipped skill file with disallowed extension: ' + safeName);
@@ -940,23 +902,7 @@ async function main() {
           skippedFiles.push(safeName);
           continue;
         }
-        const destPath = path.resolve(resolvedOutDir, safeName);
-        const relToOut = path.relative(resolvedOutDir, destPath);
-        if (relToOut.startsWith('..') || path.isAbsolute(relToOut)) {
-          console.warn('[fetch] Skipped bundled file whose resolved path escapes outDir: ' + safeName);
-          skippedFiles.push(safeName);
-          continue;
-        }
-        // Never let a bundled write touch the evolver's own cwd -- this is
-        // the concrete attack shape from GHSA-cfcj-hqpf-hccf (fetch default
-        // branch writing to `./index.js`). outDir should always be under
-        // skills/ now, but belt-and-braces keep the guarantee explicit.
-        if (path.dirname(destPath) === resolvedCwd) {
-          console.warn('[fetch] Skipped bundled file that would land in cwd: ' + safeName);
-          skippedFiles.push(safeName);
-          continue;
-        }
-        fs.writeFileSync(destPath, file.content, 'utf8');
+        fs.writeFileSync(path.join(outDir, safeName), file.content, 'utf8');
       }
 
       console.log('[fetch] Skill downloaded to: ' + outDir);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evomap/evolver",
-  "version": "1.70.0-beta.5",
+  "version": "1.70.0",
   "description": "A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.",
   "main": "index.js",
   "bin": {

package/scripts/validate-suite.js

@@ -1,8 +1,6 @@
-// Usage: node scripts/validate-suite.js [test-glob-pattern | test-file]
+// Usage: node scripts/validate-suite.js [test-glob-pattern]
 // Runs the evolver test suite -- repo root is derived from script location, no shell glob needed.
-// Accepts either a directory glob pattern (e.g. `test/*.test.js`) or a concrete test file path.
-// See community PR #514.
-const { execFileSync } = require('child_process');
+const { execSync } = require('child_process');
 const path = require('path');
 const fs = require('fs');
 
@@ -10,22 +8,10 @@ const EVOLVER_REPO_ROOT = path.join(__dirname, '..');
 const pattern = process.argv[2] || 'test/*.test.js';
 
 function expandTestGlob(repoRoot, pat) {
-  const fullPattern = path.isAbsolute(pat) ? pat : path.join(repoRoot, pat);
-  if (fs.existsSync(fullPattern) && fs.statSync(fullPattern).isFile()) {
-    return fullPattern.endsWith('.test.js') ? [fullPattern] : [];
-  }
-
-  const dir = path.dirname(pat);
-  const basenamePattern = path.basename(pat);
+  const dir = pat.replace(/\/\*\.test\.js$/, '');
   const fullDir = path.isAbsolute(dir) ? dir : path.join(repoRoot, dir);
-  if (!fs.existsSync(fullDir) || !fs.statSync(fullDir).isDirectory()) return [];
-
-  const escaped = basenamePattern
-    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
-    .replace(/\*/g, '.*');
-  const matcher = new RegExp('^' + escaped + '$');
   return fs.readdirSync(fullDir)
-    .filter(f => f.endsWith('.test.js') && matcher.test(f))
+    .filter(f => f.endsWith('.test.js'))
     .map(f => path.join(fullDir, f))
     .sort();
 }
@@ -36,6 +22,7 @@ if (files.length === 0) {
   process.exit(1);
 }
 
+const cmd = 'node --test ' + files.join(' ');
 const env = Object.assign({}, process.env, {
   NODE_ENV: 'test',
   EVOLVER_REPO_ROOT,
@@ -43,11 +30,9 @@ const env = Object.assign({}, process.env, {
 });
 delete env.EVOLVE_BRIDGE;
 delete env.OPENCLAW_WORKSPACE;
-// Clear NODE_TEST_CONTEXT so nested runs from within node --test work.
-delete env.NODE_TEST_CONTEXT;
 
 try {
-  const output = execFileSync(process.execPath, ['--test', ...files], {
+  const output = execSync(cmd, {
     cwd: EVOLVER_REPO_ROOT,
     stdio: ['pipe', 'pipe', 'pipe'],
     timeout: 180000,

package/src/adapters/hookAdapter.js

@@ -6,7 +6,6 @@ const PLATFORMS = {
   cursor: { name: 'Cursor', configDir: '.cursor', detector: '.cursor' },
   'claude-code': { name: 'Claude Code', configDir: '.claude', detector: '.claude' },
   codex: { name: 'Codex', configDir: '.codex', detector: '.codex' },
-  kiro: { name: 'Kiro', configDir: '.kiro', detector: '.kiro' },
 };
 
 function detectPlatform(cwd) {
@@ -36,7 +35,6 @@ function loadAdapter(platformId) {
     case 'cursor': return require('./cursor');
     case 'claude-code': return require('./claudeCode');
     case 'codex': return require('./codex');
-    case 'kiro': return require('./kiro');
     default: return null;
   }
 }
@@ -165,7 +163,7 @@ async function setupHooks({ platform, cwd, force, uninstall, evolverRoot } = {})
   const platformId = platform || detectPlatform(effectiveCwd);
 
   if (!platformId) {
-    console.error('[setup-hooks] Could not detect platform. Use --platform=cursor|claude-code|codex|kiro');
+    console.error('[setup-hooks] Could not detect platform. Use --platform=cursor|claude-code|codex');
     return { ok: false, error: 'platform_not_detected' };
   }
 

package/src/adapters/scripts/evolver-session-start.js

@@ -5,7 +5,6 @@
 
 const fs = require('fs');
 const path = require('path');
-const os = require('os');
 
 function findEvolverRoot() {
   const candidates = [
@@ -59,68 +58,7 @@ function formatOutcome(entry) {
   return `[${icon}] ${ts} score=${score} signals=[${signals}] ${note}`.slice(0, 200);
 }
 
-// Dedup guard: on platforms like Kiro, the sessionStart-equivalent event
-// (`promptSubmit`) fires on every user message in a session. Without this
-// guard, recent memory would be re-injected on every prompt. We key the
-// dedup on (platform, cwd) with a short TTL so a fresh agent session within
-// the same workspace still gets the injection, but mid-session prompts do
-// not. Cursor/Claude Code/Codex have true sessionStart events and should
-// bypass this check (controlled by EVOLVER_SESSION_START_DEDUP env var,
-// which the Kiro adapter sets on the hook command line implicitly via the
-// runtime environment, and other adapters leave unset).
-function getDedupStatePath() {
-  const dir = process.env.EVOLVER_SESSION_STATE_DIR
-    || path.join(os.homedir(), '.evolver');
-  try { fs.mkdirSync(dir, { recursive: true }); } catch { /* ignore */ }
-  return path.join(dir, 'session-start-state.json');
-}
-
-function shouldSkipInjection() {
-  // Only apply dedup when explicitly enabled (set by Kiro adapter) OR when
-  // we detect a per-prompt-firing platform via PROMPT_SUBMIT heuristic in
-  // stdin. The stdin is drained in main(), so we rely on env flag here.
-  const dedupEnabled = String(process.env.EVOLVER_SESSION_START_DEDUP || '').toLowerCase() === '1'
-    || String(process.env.EVOLVER_SESSION_START_DEDUP || '').toLowerCase() === 'true';
-  if (!dedupEnabled) return false;
-
-  const ttlMs = Number(process.env.EVOLVER_SESSION_START_DEDUP_TTL_MS) || (30 * 60 * 1000);
-  const key = process.cwd();
-  const statePath = getDedupStatePath();
-
-  let state = {};
-  try {
-    if (fs.existsSync(statePath)) {
-      state = JSON.parse(fs.readFileSync(statePath, 'utf8')) || {};
-    }
-  } catch { state = {}; }
-
-  const now = Date.now();
-  const last = state[key];
-  if (typeof last === 'number' && now - last < ttlMs) {
-    return true;
-  }
-
-  state[key] = now;
-  try {
-    for (const k of Object.keys(state)) {
-      if (typeof state[k] !== 'number' || now - state[k] > 24 * 60 * 60 * 1000) {
-        delete state[k];
-      }
-    }
-    const tmp = statePath + '.tmp';
-    fs.writeFileSync(tmp, JSON.stringify(state), 'utf8');
-    fs.renameSync(tmp, statePath);
-  } catch { /* best-effort */ }
-
-  return false;
-}
-
 function main() {
-  if (shouldSkipInjection()) {
-    process.stdout.write(JSON.stringify({}));
-    return;
-  }
-
   const evolverRoot = findEvolverRoot();
   const graphPath = findMemoryGraph(evolverRoot);