@evomap/evolver 1.84.0 → 1.84.2

package/src/adapters/hookAdapter.js

@@ -51,7 +51,7 @@ function mergeJsonFile(filePath, patch, { markerKey = '_evolver_managed' } = {})
       if (raw) existing = JSON.parse(raw);
     }
   } catch { /* start fresh */ }
-  const merged = deepMerge(existing, patch);
+  const merged = mergeWithHooksUnion(existing, patch);
   merged[markerKey] = true;
   const tmp = filePath + '.tmp';
   fs.writeFileSync(tmp, JSON.stringify(merged, null, 2) + '\n', 'utf8');
@@ -59,6 +59,48 @@ function mergeJsonFile(filePath, patch, { markerKey = '_evolver_managed' } = {})
   return merged;
 }
 
+// Like deepMerge, but for `hooks.<event>` arrays specifically: instead of
+// replacing the user's existing entries, keep them and append/refresh evolver-
+// owned entries (matched by command containing `evolver-session/-signal`).
+// This preserves user-installed Stop/SessionStart hooks (#539) while still
+// updating evolver hooks across reinstalls.
+function mergeWithHooksUnion(target, source) {
+  const result = deepMerge(target, source);
+  if (
+    target && target.hooks && typeof target.hooks === 'object' &&
+    source && source.hooks && typeof source.hooks === 'object'
+  ) {
+    for (const event of Object.keys(source.hooks)) {
+      const tArr = Array.isArray(target.hooks[event]) ? target.hooks[event] : null;
+      const sArr = Array.isArray(source.hooks[event]) ? source.hooks[event] : null;
+      if (tArr && sArr) {
+        const isEvolverOwned = (entry) => {
+          const cmds = collectCommands(entry);
+          return cmds.some(c => c.includes('evolver-session') || c.includes('evolver-signal'));
+        };
+        const userEntries = tArr.filter(e => !isEvolverOwned(e));
+        result.hooks[event] = [...userEntries, ...sArr];
+      }
+    }
+  }
+  return result;
+}
+
+// Pull all `command` strings out of an event entry, supporting both flat
+// shape (Codex: `{type, command}`) and Claude Code matcher shape
+// (`{matcher, hooks: [{type, command}]}`). Returns [] when neither applies.
+function collectCommands(entry) {
+  if (!entry || typeof entry !== 'object') return [];
+  const out = [];
+  if (typeof entry.command === 'string') out.push(entry.command);
+  if (Array.isArray(entry.hooks)) {
+    for (const h of entry.hooks) {
+      if (h && typeof h.command === 'string') out.push(h.command);
+    }
+  }
+  return out;
+}
+
 function deepMerge(target, source) {
   const result = { ...target };
   for (const key of Object.keys(source)) {
@@ -74,9 +116,49 @@ function deepMerge(target, source) {
   return result;
 }
 
+// Refuse to write/read through a symbolic link at the adapter's
+// platform config dir (`<root>/.codex`, `<root>/.claude`, …) or any
+// nested adapter-owned subdir (`hooks/`, `plugins/`, …). A
+// repository-controlled symlink at any of these paths would let
+// install/uninstall writes land on attacker-chosen files outside the
+// workspace (PR #94 round-4 surfaced the top-level case; round-5
+// surfaced that a hostile repo can keep `.codex` real and only
+// symlink `.codex/hooks`). Missing dirs are fine — install will
+// create them.
+function assertSafeConfigDir(dir, label, { subdirs = [] } = {}) {
+  assertNotSymlink(dir, label || 'config dir');
+  for (const sub of subdirs) {
+    assertNotSymlink(path.join(dir, sub), `${label || 'config dir'}/${sub}`);
+  }
+}
+
+function assertNotSymlink(p, label) {
+  let st;
+  try {
+    st = fs.lstatSync(p);
+  } catch (e) {
+    if (e && e.code === 'ENOENT') return;
+    throw e;
+  }
+  if (st.isSymbolicLink()) {
+    throw new Error(
+      `[setup-hooks] Refusing to operate: ${label} ${p} is a ` +
+      `symbolic link. evolver will not follow symlinks for ` +
+      `adapter-owned dirs — a hostile workspace could redirect ` +
+      `writes/unlinks outside the project root. Replace it with a ` +
+      `real directory and rerun.`
+    );
+  }
+}
+
 function copyHookScripts(destDir, evolverRoot) {
   const scriptsDir = path.join(evolverRoot || __dirname, 'scripts');
+  // _runtimePaths.js is required by the two session-* scripts via
+  // `require('./_runtimePaths')`, which resolves relative to the *destination*
+  // (__dirname after copy). It MUST be copied alongside or both hooks crash
+  // with MODULE_NOT_FOUND at runtime. Caught in PR #94 review.
   const scripts = [
+    '_runtimePaths.js',
     'evolver-session-start.js',
     'evolver-signal-detect.js',
     'evolver-session-end.js',
@@ -90,6 +172,13 @@ function copyHookScripts(destDir, evolverRoot) {
       console.warn(`[setup-hooks] Warning: script not found: ${src}`);
       continue;
     }
+    // PR #94 round-6 HIGH: reject if the destination is a pre-planted
+    // symlink. fs.copyFileSync follows symlinks at the destination, so
+    // a hostile repo that pre-creates `.codex/hooks/evolver-session-end.js`
+    // pointing at e.g. `~/.bashrc` would have its target overwritten with
+    // evolver script content. Round-5 closed the directory hole; this
+    // closes the per-file hole.
+    assertNotSymlink(dest, `hook destination ${name}`);
     fs.copyFileSync(src, dest);
     try { fs.chmodSync(dest, 0o755); } catch { /* windows */ }
     copied.push(dest);
@@ -147,6 +236,7 @@ function removeEvolverHooks(filePath, { markerKey = '_evolver_managed' } = {}) {
 
 function removeHookScripts(hooksDir) {
   const scripts = [
+    '_runtimePaths.js',
     'evolver-session-start.js',
     'evolver-signal-detect.js',
     'evolver-session-end.js',
@@ -156,11 +246,56 @@ function removeHookScripts(hooksDir) {
     const p = path.join(hooksDir, name);
     try {
       if (fs.existsSync(p)) { fs.unlinkSync(p); removed++; }
-    } catch { /* ignore */ }
+    } catch (e) {
+      // Surface unlink failures so users can see why a "successful"
+      // uninstall left files behind (Windows file-locking, perms, …).
+      console.warn(`[setup-hooks] Failed to remove ${p}: ${e.message || e}`);
+    }
   }
   return removed;
 }
 
+// Remove a marker-bracketed section from a markdown file. Used by adapter
+// uninstall to clean up CLAUDE.md / AGENTS.md without nuking surrounding
+// user content.
+//
+// The previous inline implementations (codex/claude/kiro/opencode) searched
+// for the *next* `\n## ` after the marker, which matched evolver's own
+// `## Evolution Memory` heading and left the entire injected section in
+// place (#538). This helper skips any `## ` heading on the same line as the
+// marker, then looks for the next H2 to know where the user's content
+// resumes.
+function removeMarkedSection(filePath, marker) {
+  try {
+    if (!fs.existsSync(filePath)) return false;
+    const raw = fs.readFileSync(filePath, 'utf8');
+    const idx = raw.indexOf(marker);
+    if (idx === -1) return false;
+
+    // Skip past the marker line (and any heading on the same line).
+    let scanFrom = idx + marker.length;
+    const eol = raw.indexOf('\n', scanFrom);
+    if (eol !== -1) scanFrom = eol + 1;
+
+    // Skip past evolver's own `## ...` heading line if present.
+    if (raw.startsWith('## ', scanFrom)) {
+      const eol2 = raw.indexOf('\n', scanFrom);
+      scanFrom = eol2 !== -1 ? eol2 + 1 : raw.length;
+    }
+
+    const nextSection = raw.indexOf('\n## ', scanFrom);
+    const endIdx = nextSection !== -1 ? nextSection : raw.length;
+    const before = raw.slice(0, idx).trimEnd();
+    const after = nextSection !== -1 ? raw.slice(endIdx) : '';
+    const next = (before ? before + (after.startsWith('\n') ? '' : '\n') : '') + after;
+    fs.writeFileSync(filePath, next.trimEnd() + '\n', 'utf8');
+    return true;
+  } catch (e) {
+    console.warn(`[setup-hooks] Failed to clean section in ${filePath}: ${e.message || e}`);
+    return false;
+  }
+}
+
 async function setupHooks({ platform, cwd, force, uninstall, evolverRoot } = {}) {
   const effectiveCwd = cwd || process.cwd();
   const effectiveEvolverRoot = evolverRoot || path.resolve(__dirname, '..');
@@ -200,10 +335,15 @@ module.exports = {
   loadAdapter,
   mergeJsonFile,
   deepMerge,
+  mergeWithHooksUnion,
+  collectCommands,
   copyHookScripts,
   appendSectionToFile,
+  assertSafeConfigDir,
+  assertNotSymlink,
   removeEvolverHooks,
   removeHookScripts,
+  removeMarkedSection,
   setupHooks,
   PLATFORMS,
 };

package/src/adapters/kiro.js

@@ -1,6 +1,6 @@
 const fs = require('fs');
 const path = require('path');
-const { copyHookScripts, removeHookScripts } = require('./hookAdapter');
+const { copyHookScripts, removeHookScripts, removeMarkedSection, assertSafeConfigDir } = require('./hookAdapter');
 
 const HOOK_SCRIPTS_DIR_NAME = 'hooks';
 const EVOLVER_MARKER = '<!-- evolver-evolution-memory -->';
@@ -110,6 +110,7 @@ function install({ configRoot, evolverRoot, force }) {
   const hooksDir = path.join(kiroDir, HOOK_SCRIPTS_DIR_NAME);
   const agentsMdPath = path.join(configRoot, 'AGENTS.md');
   const scriptsBase = '.kiro/hooks';
+  assertSafeConfigDir(kiroDir, '.kiro', { subdirs: [HOOK_SCRIPTS_DIR_NAME] });
 
   const hookPaths = Object.values(HOOK_FILES).map(name => path.join(hooksDir, name));
 
@@ -153,6 +154,7 @@ function uninstall({ configRoot }) {
   const kiroDir = path.join(configRoot, '.kiro');
   const hooksDir = path.join(kiroDir, HOOK_SCRIPTS_DIR_NAME);
   const agentsMdPath = path.join(configRoot, 'AGENTS.md');
+  assertSafeConfigDir(kiroDir, '.kiro', { subdirs: [HOOK_SCRIPTS_DIR_NAME] });
 
   let changed = false;
   let removedCount = 0;
@@ -173,19 +175,9 @@ function uninstall({ configRoot }) {
   const scripts = removeHookScripts(hooksDir);
   if (scripts > 0) changed = true;
 
-  try {
-    if (fs.existsSync(agentsMdPath)) {
-      let content = fs.readFileSync(agentsMdPath, 'utf8');
-      if (content.includes(EVOLVER_MARKER)) {
-        const idx = content.indexOf(EVOLVER_MARKER);
-        const nextSection = content.indexOf('\n## ', idx + EVOLVER_MARKER.length);
-        const endIdx = nextSection !== -1 ? nextSection : content.length;
-        content = content.slice(0, idx).trimEnd() + (nextSection !== -1 ? content.slice(endIdx) : '');
-        fs.writeFileSync(agentsMdPath, content.trimEnd() + '\n', 'utf8');
-        changed = true;
-      }
-    }
-  } catch { /* ignore */ }
+  if (removeMarkedSection(agentsMdPath, EVOLVER_MARKER)) {
+    changed = true;
+  }
 
   console.log(changed
     ? `[kiro] Uninstalled evolver hooks (${removedCount} hook files + ${scripts} scripts removed).`

package/src/adapters/opencode.js

@@ -1,6 +1,6 @@
 const fs = require('fs');
 const path = require('path');
-const { copyHookScripts, removeHookScripts } = require('./hookAdapter');
+const { copyHookScripts, removeHookScripts, removeMarkedSection, assertSafeConfigDir } = require('./hookAdapter');
 
 const HOOK_SCRIPTS_DIR_NAME = 'hooks';
 const PLUGINS_DIR_NAME = 'plugins';
@@ -124,6 +124,7 @@ function install({ configRoot, evolverRoot, force }) {
   const pluginsDir = path.join(opencodeDir, PLUGINS_DIR_NAME);
   const pluginPath = path.join(pluginsDir, PLUGIN_FILE_NAME);
   const agentsMdPath = path.join(configRoot, 'AGENTS.md');
+  assertSafeConfigDir(opencodeDir, '.opencode', { subdirs: [HOOK_SCRIPTS_DIR_NAME, PLUGINS_DIR_NAME] });
 
   if (!force && isEvolverManagedPluginFile(pluginPath)) {
     console.log('[opencode] Evolver plugin already installed. Use --force to overwrite.');
@@ -292,6 +293,7 @@ function uninstall({ configRoot }) {
   const pluginsDir = path.join(opencodeDir, PLUGINS_DIR_NAME);
   const pluginPath = path.join(pluginsDir, PLUGIN_FILE_NAME);
   const agentsMdPath = path.join(configRoot, 'AGENTS.md');
+  assertSafeConfigDir(opencodeDir, '.opencode', { subdirs: [HOOK_SCRIPTS_DIR_NAME, PLUGINS_DIR_NAME] });
 
   let changed = false;
 
@@ -302,19 +304,9 @@ function uninstall({ configRoot }) {
   const scripts = removeHookScripts(hooksDir);
   if (scripts > 0) changed = true;
 
-  try {
-    if (fs.existsSync(agentsMdPath)) {
-      let content = fs.readFileSync(agentsMdPath, 'utf8');
-      if (content.includes(EVOLVER_MARKER)) {
-        const idx = content.indexOf(EVOLVER_MARKER);
-        const nextSection = content.indexOf('\n## ', idx + EVOLVER_MARKER.length);
-        const endIdx = nextSection !== -1 ? nextSection : content.length;
-        content = content.slice(0, idx).trimEnd() + (nextSection !== -1 ? content.slice(endIdx) : '');
-        fs.writeFileSync(agentsMdPath, content.trimEnd() + '\n', 'utf8');
-        changed = true;
-      }
-    }
-  } catch { /* ignore */ }
+  if (removeMarkedSection(agentsMdPath, EVOLVER_MARKER)) {
+    changed = true;
+  }
 
   console.log(changed
     ? '[opencode] Uninstalled evolver plugin and hooks.'

package/src/adapters/scripts/_runtimePaths.js

@@ -0,0 +1,114 @@
+// _runtimePaths.js
+// Shared path resolution for evolver hook scripts.
+//
+// Two responsibilities:
+//   1. Locate the evolver package root, supporting:
+//      - $EVOLVER_ROOT explicit override
+//      - The "scripts colocated with src" layout used during dev (../../..)
+//      - The npm-global install layout, where the hook script lives under
+//        `<prefix>/lib/node_modules/<host>/.../hooks/` and `..` walks lead
+//        somewhere outside the evolver package. We resolve via
+//        `require.resolve('@evomap/evolver/package.json')` instead.
+//      - The `~/skills/evolver` fallback (some users symlink there).
+//
+//   2. Locate (or pick a writable default for) the evolution memory graph,
+//      so that hook scripts in environments without an evolver-managed
+//      project directory still record outcomes somewhere instead of
+//      reporting "nowhere (no Hub or local path)" (#536).
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+function isEvolverPackageJson(filePath) {
+  try {
+    const raw = fs.readFileSync(filePath, 'utf8');
+    const pkg = JSON.parse(raw);
+    return pkg && (pkg.name === '@evomap/evolver' || pkg.name === 'evolver');
+  } catch {
+    return false;
+  }
+}
+
+function findEvolverRoot() {
+  if (process.env.EVOLVER_ROOT) {
+    const explicit = process.env.EVOLVER_ROOT;
+    if (fs.existsSync(path.join(explicit, 'package.json')) &&
+        isEvolverPackageJson(path.join(explicit, 'package.json'))) {
+      return explicit;
+    }
+  }
+
+  // Dev/repo layout: this file lives at src/adapters/scripts/_runtimePaths.js,
+  // so `../../..` is the package root.
+  const repoRoot = path.resolve(__dirname, '..', '..', '..');
+  if (fs.existsSync(path.join(repoRoot, 'package.json')) &&
+      isEvolverPackageJson(path.join(repoRoot, 'package.json'))) {
+    return repoRoot;
+  }
+
+  // npm-global / npm-local install layout. The hook script may have been
+  // copied out of the package into `.claude/hooks/` etc., breaking relative
+  // walks. Use require.resolve to find the installed package authoritatively.
+  //
+  // SECURITY: do NOT include `process.cwd()` here. A hostile workspace can
+  // place its own `node_modules/@evomap/evolver/package.json`, which would
+  // be selected here and control `findMemoryGraph()` -> the memory graph
+  // contents become attacker-controlled prompt-injection material in
+  // `evolver-session-start.js`'s `additionalContext`. Restrict to trusted,
+  // user/system-scoped install roots.
+  try {
+    const pkgJson = require.resolve('@evomap/evolver/package.json', {
+      paths: [
+        path.join(os.homedir(), '.npm-global', 'lib', 'node_modules'),
+        path.join(os.homedir(), '.local', 'lib', 'node_modules'),
+        '/usr/lib/node_modules',
+        '/usr/local/lib/node_modules',
+      ],
+    });
+    if (pkgJson && isEvolverPackageJson(pkgJson)) {
+      return path.dirname(pkgJson);
+    }
+  } catch { /* not installed via npm */ }
+
+  const homeSkills = path.join(os.homedir(), 'skills', 'evolver');
+  if (fs.existsSync(path.join(homeSkills, 'package.json')) &&
+      isEvolverPackageJson(path.join(homeSkills, 'package.json'))) {
+    return homeSkills;
+  }
+
+  return null;
+}
+
+// Returns a path to the evolution memory graph, or a fallback location that
+// is guaranteed to be writable. Never returns null — when no evolver root is
+// available, we fall back to `~/.evolver/memory/evolution/memory_graph.jsonl`
+// so npm-global installs without a project-local evolver still capture
+// outcomes (#536). Callers that need a "does the file already exist" check
+// should use `fs.existsSync()` separately.
+function findMemoryGraph(evolverRoot) {
+  if (process.env.MEMORY_GRAPH_PATH) {
+    return process.env.MEMORY_GRAPH_PATH;
+  }
+  if (evolverRoot) {
+    const lower = path.join(evolverRoot, 'memory', 'evolution', 'memory_graph.jsonl');
+    if (fs.existsSync(lower)) return lower;
+    const upper = path.join(evolverRoot, 'MEMORY', 'evolution', 'memory_graph.jsonl');
+    if (fs.existsSync(upper)) return upper;
+    // Neither exists yet — prefer lowercase under the evolver root if the
+    // root itself is writable (dev/local install case).
+    try {
+      fs.accessSync(evolverRoot, fs.constants.W_OK);
+      const dir = path.dirname(lower);
+      try { fs.mkdirSync(dir, { recursive: true }); } catch { /* fall through */ }
+      return lower;
+    } catch { /* not writable, fall through to user-level */ }
+  }
+
+  // User-level fallback. Always writable, consistent across platforms.
+  const userDir = path.join(os.homedir(), '.evolver', 'memory', 'evolution');
+  try { fs.mkdirSync(userDir, { recursive: true }); } catch { /* best-effort */ }
+  return path.join(userDir, 'memory_graph.jsonl');
+}
+
+module.exports = { findEvolverRoot, findMemoryGraph };

package/src/adapters/scripts/evolver-session-end.js

@@ -5,75 +5,51 @@
 // Input: stdin JSON. Output: stdout JSON with followup_message.
 
 const fs = require('fs');
-const path = require('path');
-const { execSync, spawnSync } = require('child_process');
+const { spawnSync } = require('child_process');
 // 10 MB — prevents RangeError on large child process output (e.g. git log/diff
 // on large repos). See GHSA reports / issue #451.
 const MAX_EXEC_BUFFER = 10 * 1024 * 1024;
 
-
-function findEvolverRoot() {
-  const candidates = [
-    process.env.EVOLVER_ROOT,
-    path.resolve(__dirname, '..', '..', '..'),
-  ];
-  for (const c of candidates) {
-    if (c && fs.existsSync(path.join(c, 'package.json'))) {
-      try {
-        const pkg = JSON.parse(fs.readFileSync(path.join(c, 'package.json'), 'utf8'));
-        if (pkg.name === '@evomap/evolver' || pkg.name === 'evolver') return c;
-      } catch { /* skip */ }
-    }
-  }
-  const homeSkills = path.join(require('os').homedir(), 'skills', 'evolver');
-  if (fs.existsSync(path.join(homeSkills, 'package.json'))) return homeSkills;
-  return null;
-}
-
-function findMemoryGraph(evolverRoot) {
-  if (process.env.MEMORY_GRAPH_PATH && fs.existsSync(process.env.MEMORY_GRAPH_PATH)) {
-    return process.env.MEMORY_GRAPH_PATH;
-  }
-  const candidates = [
-    evolverRoot && path.join(evolverRoot, 'memory', 'evolution', 'memory_graph.jsonl'),
-    evolverRoot && path.join(evolverRoot, 'MEMORY', 'evolution', 'memory_graph.jsonl'),
-  ];
-  for (const c of candidates) {
-    if (c && fs.existsSync(c)) return c;
-  }
-  if (evolverRoot) {
-    const defaultPath = path.join(evolverRoot, 'memory', 'evolution', 'memory_graph.jsonl');
-    fs.mkdirSync(path.dirname(defaultPath), { recursive: true });
-    return defaultPath;
+const { findEvolverRoot, findMemoryGraph } = require('./_runtimePaths');
+
+function runGit(args, cwd) {
+  // Argv-array form, no shell. Avoids POSIX `2>/dev/null` redirects that
+  // break on Windows cmd.exe (#537). Failures (e.g. no HEAD~1 in a fresh
+  // repo) are surfaced as a non-zero status; callers distinguish them
+  // from successful empty output via the `ok` flag (PR #94 round-6 LOW).
+  const res = spawnSync('git', args, {
+    cwd,
+    encoding: 'utf8',
+    timeout: 5000,
+    maxBuffer: MAX_EXEC_BUFFER,
+    stdio: ['ignore', 'pipe', 'pipe'],
+    shell: false,
+  });
+  if (res.status === 0 && typeof res.stdout === 'string') {
+    return { ok: true, out: res.stdout.trim() };
   }
-  return null;
+  return { ok: false, out: '' };
 }
 
 function getGitDiffStats() {
-  try {
-    const cwd = process.cwd();
-    const stat = execSync('git diff --stat HEAD~1 2>/dev/null || git diff --stat 2>/dev/null || echo ""', {
-      cwd,
-      encoding: 'utf8',
-      timeout: 5000, maxBuffer: MAX_EXEC_BUFFER
-    }).trim();
-    const diffContent = execSync('git diff HEAD~1 --no-color 2>/dev/null || git diff --no-color 2>/dev/null || echo ""', {
-      cwd,
-      encoding: 'utf8',
-      timeout: 5000, maxBuffer: MAX_EXEC_BUFFER
-    }).trim();
-    const filesChanged = (stat.match(/\d+ files? changed/) || ['0'])[0];
-    const insertions = (stat.match(/(\d+) insertions?/) || [null, '0'])[1];
-    const deletions = (stat.match(/(\d+) deletions?/) || [null, '0'])[1];
-    return {
-      stat,
-      summary: `${filesChanged}, +${insertions}/-${deletions}`,
-      diffSnippet: diffContent.slice(0, 2000),
-      hasChanges: stat.length > 0,
-    };
-  } catch {
-    return { stat: '', summary: 'unknown', diffSnippet: '', hasChanges: false };
-  }
+  const cwd = process.cwd();
+  // Distinguish "git failed (no HEAD~1, etc.)" from "git succeeded with
+  // empty output (e.g. empty merge)". The previous `||` chain treated
+  // both as falsy and fell through to the working-tree diff, which can
+  // surface unrelated unstaged changes as the session outcome.
+  const statHead1 = runGit(['diff', '--stat', 'HEAD~1'], cwd);
+  const stat = statHead1.ok ? statHead1.out : runGit(['diff', '--stat'], cwd).out;
+  const diffHead1 = runGit(['diff', '--no-color', 'HEAD~1'], cwd);
+  const diffContent = diffHead1.ok ? diffHead1.out : runGit(['diff', '--no-color'], cwd).out;
+  const filesChanged = (stat.match(/\d+ files? changed/) || ['0'])[0];
+  const insertions = (stat.match(/(\d+) insertions?/) || [null, '0'])[1];
+  const deletions = (stat.match(/(\d+) deletions?/) || [null, '0'])[1];
+  return {
+    stat,
+    summary: `${filesChanged}, +${insertions}/-${deletions}`,
+    diffSnippet: diffContent.slice(0, 2000),
+    hasChanges: stat.length > 0,
+  };
 }
 
 function detectSignals(text) {

package/src/adapters/scripts/evolver-session-start.js

@@ -7,37 +7,7 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 
-function findEvolverRoot() {
-  const candidates = [
-    process.env.EVOLVER_ROOT,
-    path.resolve(__dirname, '..', '..', '..'),
-  ];
-  for (const c of candidates) {
-    if (c && fs.existsSync(path.join(c, 'package.json'))) {
-      try {
-        const pkg = JSON.parse(fs.readFileSync(path.join(c, 'package.json'), 'utf8'));
-        if (pkg.name === '@evomap/evolver' || pkg.name === 'evolver') return c;
-      } catch { /* skip */ }
-    }
-  }
-  const homeSkills = path.join(require('os').homedir(), 'skills', 'evolver');
-  if (fs.existsSync(path.join(homeSkills, 'package.json'))) return homeSkills;
-  return null;
-}
-
-function findMemoryGraph(evolverRoot) {
-  if (process.env.MEMORY_GRAPH_PATH && fs.existsSync(process.env.MEMORY_GRAPH_PATH)) {
-    return process.env.MEMORY_GRAPH_PATH;
-  }
-  const candidates = [
-    evolverRoot && path.join(evolverRoot, 'memory', 'evolution', 'memory_graph.jsonl'),
-    evolverRoot && path.join(evolverRoot, 'MEMORY', 'evolution', 'memory_graph.jsonl'),
-  ];
-  for (const c of candidates) {
-    if (c && fs.existsSync(c)) return c;
-  }
-  return null;
-}
+const { findEvolverRoot, findMemoryGraph } = require('./_runtimePaths');
 
 function readLastN(filePath, n) {
   try {

package/src/atp/hubClient.js

@@ -16,7 +16,7 @@
 
 const http = require('http');
 const { getHubUrl, buildHubHeaders, getNodeId } = require('../gep/a2aProtocol');
-const { getProxyUrl } = require('../proxy/server/settings');
+const { getProxyUrl, getProxyToken } = require('../proxy/server/settings');
 
 function _isProxyMode() {
   if (process.env.EVOMAP_PROXY === '1') return true;
@@ -35,6 +35,8 @@ function _proxyRequest(method, path, body, timeoutMs) {
     const payload = body ? JSON.stringify(body) : '';
     const headers = { 'Content-Type': 'application/json' };
     if (payload) headers['Content-Length'] = Buffer.byteLength(payload);
+    const proxyToken = getProxyToken();
+    if (proxyToken) headers['Authorization'] = 'Bearer ' + proxyToken;
 
     const req = http.request(
       {

package/src/config.js

@@ -51,10 +51,29 @@ const HUB_SEARCH_TIMEOUT_MS = envInt('EVOLVER_HUB_SEARCH_TIMEOUT_MS', 8000);
 const PUBLIC_DEFAULT_HUB_URL = 'https://evomap.ai';
 
 function resolveHubUrl() {
-  return process.env.A2A_HUB_URL
+  const raw = process.env.A2A_HUB_URL
     || process.env.EVOMAP_HUB_URL
     || process.env.EVOLVER_DEFAULT_HUB_URL
     || PUBLIC_DEFAULT_HUB_URL;
+
+  if (process.env.EVOMAP_HUB_ALLOW_INSECURE !== '1') {
+    let parsed;
+    try {
+      parsed = new URL(raw);
+    } catch {
+      throw new Error(
+        '[config] Hub URL is not a valid URL: ' + JSON.stringify(raw) + '. ' +
+        'Set EVOMAP_HUB_ALLOW_INSECURE=1 to bypass (local dev / mock hub only).'
+      );
+    }
+    if (parsed.protocol !== 'https:') {
+      throw new Error(
+        '[config] Hub URL must use https:// — got ' + JSON.stringify(raw) + '. ' +
+        'Set EVOMAP_HUB_ALLOW_INSECURE=1 to bypass (local dev / mock hub only).'
+      );
+    }
+  }
+  return raw;
 }
 
 // --- Solidify & Validation ---