@evomap/evolver 1.87.2 → 1.87.4

package/src/adapters/scripts/evolver-session-start.js

@@ -7,17 +7,76 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 
-const { findEvolverRoot, findMemoryGraph } = require('./_runtimePaths');
+const { findEvolverRoot, findMemoryGraph, resolveProjectDir, resolveWorkspaceId, isGitWorkspace } = require('./_runtimePaths');
 const { filterRelevantOutcomes } = require('./_memoryFiltering');
 
-function readLastN(filePath, n) {
+// One-line notice shown (throttled) when the workspace is not a git repo.
+// Evolver derives every outcome from the git diff, so in a non-git folder the
+// session-end hook records nothing — silently, unless we say so here. We surface
+// it in session-start's additionalContext (injected as opening context, which
+// does NOT trigger an extra inference round, unlike a stop-hook systemMessage).
+const NON_GIT_NOTICE =
+  '[Evolver] This folder is not a git repository, so evolution memory is inactive ' +
+  '(outcomes are derived from git diffs). Run `git init` here, or open a git project, ' +
+  'to enable recall and recording.';
+const NON_GIT_NOTICE_TTL_MS = 30 * 60 * 1000; // once per 30 min per folder
+
+// Return up to `n` of the current workspace's most-recent entries, in
+// chronological (oldest-first) order.
+//
+// Why scan from the end: a plain tail-N-then-filter read would let outcomes
+// from other projects (which share the user-level fallback graph on npm-global
+// installs) crowd this workspace's entries out of the window — we must scope
+// to the workspace BEFORE trimming. But parsing the ENTIRE file to do that is
+// wasteful: the graph can reach ~100 MB before rotation, and JSON-parsing every
+// line on each session start is real CPU/memory cost (Bugbot PR #555 round-3).
+//
+// So we read the file (cheap; the previous readLastN read it whole too) but
+// JSON-parse lines lazily from the newest end, keeping only workspace matches,
+// and stop as soon as we have `n`. Parse count is bounded by where this
+// workspace's n-th-most-recent entry sits, not by total file size.
+function readRecentWorkspaceEntries(filePath, currentId, currentDir, n) {
+  let lines;
   try {
-    const content = fs.readFileSync(filePath, 'utf8');
-    const lines = content.trim().split('\n').filter(Boolean);
-    return lines.slice(-n).map(line => {
-      try { return JSON.parse(line); } catch { return null; }
-    }).filter(Boolean);
+    lines = fs.readFileSync(filePath, 'utf8').trim().split('\n');
   } catch { return []; }
+  const out = [];
+  for (let i = lines.length - 1; i >= 0 && out.length < n; i--) {
+    const line = lines[i];
+    if (!line) continue;
+    let entry;
+    try { entry = JSON.parse(line); } catch { continue; }
+    if (belongsToWorkspace(entry, currentId, currentDir)) out.push(entry);
+  }
+  return out.reverse(); // newest-collected-first -> chronological
+}
+
+// Does this memory-graph entry belong to the current workspace?
+//
+// The session-end writer stamps two tags: `workspace_id` (forge-resistant,
+// preferred) and `cwd` (backward-compat). We scope reads so that one project
+// never sees another's outcomes through the shared user-level fallback graph
+// (~/.evolver/memory/evolution/memory_graph.jsonl) — the cross-project
+// disclosure / prompt-injection surface Bugbot flagged on the writer side
+// (PR #105 round-2), which the reader never enforced until now.
+//
+// Rules, in order:
+//   - currentId known + entry.workspace_id present -> must match exactly.
+//   - currentId unknown OR entry has neither tag (pre-hardening / Hub-sourced
+//     entries) -> do NOT exclude; falling back to "show it" preserves prior
+//     behavior and avoids hiding all memory when ids can't be resolved.
+//   - As a softer fallback, when the entry has no workspace_id but does carry a
+//     cwd, match that against the current project dir.
+function belongsToWorkspace(entry, currentId, currentDir) {
+  if (entry && typeof entry.workspace_id === 'string' && entry.workspace_id) {
+    if (currentId) return entry.workspace_id === currentId;
+    return true; // can't compare — don't hide it
+  }
+  if (entry && typeof entry.cwd === 'string' && entry.cwd) {
+    if (currentDir) return entry.cwd === currentDir;
+    return true;
+  }
+  return true; // untagged (legacy / Hub) — never excluded
 }
 
 function formatOutcome(entry) {
@@ -46,18 +105,14 @@ function getDedupStatePath() {
   return path.join(dir, 'session-start-state.json');
 }
 
-function shouldSkipInjection() {
-  // Only apply dedup when explicitly enabled (set by Kiro adapter) OR when
-  // we detect a per-prompt-firing platform via PROMPT_SUBMIT heuristic in
-  // stdin. The stdin is drained in main(), so we rely on env flag here.
-  const dedupEnabled = String(process.env.EVOLVER_SESSION_START_DEDUP || '').toLowerCase() === '1'
-    || String(process.env.EVOLVER_SESSION_START_DEDUP || '').toLowerCase() === 'true';
-  if (!dedupEnabled) return false;
-
-  const ttlMs = Number(process.env.EVOLVER_SESSION_START_DEDUP_TTL_MS) || (30 * 60 * 1000);
-  const key = process.cwd();
+// TTL throttle keyed by an arbitrary string, persisted in session-start-state
+// .json. Returns true if `key` fired within the last `ttlMs` (caller should
+// suppress); otherwise records "now" for `key` and returns false. Best-effort:
+// a state read/write failure just means no throttling (fail open). Shared by
+// the Kiro per-prompt dedup and the non-git notice so both age out of the same
+// file (entries older than 24h are pruned on write).
+function throttled(key, ttlMs) {
   const statePath = getDedupStatePath();
-
   let state = {};
   try {
     if (fs.existsSync(statePath)) {
@@ -67,9 +122,7 @@ function shouldSkipInjection() {
 
   const now = Date.now();
   const last = state[key];
-  if (typeof last === 'number' && now - last < ttlMs) {
-    return true;
-  }
+  if (typeof last === 'number' && now - last < ttlMs) return true;
 
   state[key] = now;
   try {
@@ -82,47 +135,78 @@ function shouldSkipInjection() {
     fs.writeFileSync(tmp, JSON.stringify(state), 'utf8');
     fs.renameSync(tmp, statePath);
   } catch { /* best-effort */ }
-
   return false;
 }
 
+function shouldSkipInjection() {
+  // Only apply dedup when explicitly enabled (set by Kiro adapter) OR when
+  // we detect a per-prompt-firing platform via PROMPT_SUBMIT heuristic in
+  // stdin. The stdin is drained in main(), so we rely on env flag here.
+  const dedupEnabled = String(process.env.EVOLVER_SESSION_START_DEDUP || '').toLowerCase() === '1'
+    || String(process.env.EVOLVER_SESSION_START_DEDUP || '').toLowerCase() === 'true';
+  if (!dedupEnabled) return false;
+
+  const ttlMs = Number(process.env.EVOLVER_SESSION_START_DEDUP_TTL_MS) || (30 * 60 * 1000);
+  return throttled(process.cwd(), ttlMs);
+}
+
 function main() {
   if (shouldSkipInjection()) {
     process.stdout.write(JSON.stringify({}));
     return;
   }
 
+  const currentDir = resolveProjectDir();
+
+  // Non-git notice: evolver records nothing in a non-git folder (outcomes come
+  // from git diffs), so tell the user — once per folder per TTL — instead of
+  // failing silently. Emitted regardless of whether any memory exists below.
+  const parts = [];
+  if (!isGitWorkspace(currentDir) && !throttled('nongit:' + currentDir, NON_GIT_NOTICE_TTL_MS)) {
+    parts.push(NON_GIT_NOTICE);
+  }
+
   const evolverRoot = findEvolverRoot();
   const graphPath = findMemoryGraph(evolverRoot);
 
-  if (!graphPath) {
-    process.stdout.write(JSON.stringify({}));
-    return;
+  // Scope to the current workspace BEFORE trimming to the most-recent window,
+  // so other projects sharing the user-level fallback graph can't crowd this
+  // workspace's outcomes out of view. When the workspace id can't be resolved,
+  // belongsToWorkspace() falls back to "show it" — no regression vs. the old
+  // unscoped behavior.
+  if (graphPath) {
+    const currentId = resolveWorkspaceId(evolverRoot, currentDir);
+    const recent = readRecentWorkspaceEntries(graphPath, currentId, currentDir, 5);
+    const filtered = filterRelevantOutcomes(recent);
+    if (filtered.length > 0) {
+      const successCount = filtered.filter(e => e.outcome && e.outcome.status === 'success').length;
+      const failCount = filtered.filter(e => e.outcome && e.outcome.status === 'failed').length;
+      parts.push([
+        `[Evolution Memory] Recent ${filtered.length} outcomes (${successCount} success, ${failCount} failed):`,
+        ...filtered.map(formatOutcome),
+        '',
+        'Use successful approaches. Avoid repeating failed patterns.',
+      ].join('\n'));
+    }
   }
 
-  const entries = readLastN(graphPath, 5);
-  const filtered = filterRelevantOutcomes(entries);
-
-  if (filtered.length === 0) {
+  if (parts.length === 0) {
     process.stdout.write(JSON.stringify({}));
     return;
   }
 
-  const successCount = filtered.filter(e => e.outcome && e.outcome.status === 'success').length;
-  const failCount = filtered.filter(e => e.outcome && e.outcome.status === 'failed').length;
-
-  const lines = filtered.map(formatOutcome);
-  const summary = [
-    `[Evolution Memory] Recent ${filtered.length} outcomes (${successCount} success, ${failCount} failed):`,
-    ...lines,
-    '',
-    'Use successful approaches. Avoid repeating failed patterns.',
-  ].join('\n');
-
+  const out = parts.join('\n\n');
   process.stdout.write(JSON.stringify({
-    agent_message: summary,
-    additionalContext: summary,
+    agent_message: out,
+    additionalContext: out,
   }));
 }
 
-main();
+// Run as a hook when invoked directly; expose pure helpers for unit tests when
+// required as a module. Guarding on require.main keeps the direct-execution
+// behavior (the hosts run `node evolver-session-start.js`) unchanged.
+if (require.main === module) {
+  main();
+} else {
+  module.exports = { belongsToWorkspace };
+}

package/src/atp/atpExecute.js

@@ -27,6 +27,7 @@ const https = require('https');
 const crypto = require('crypto');
 
 const { computeAssetId } = require('../gep/contentHash');
+const { enforceHubScheme, strictHttpsAgent } = require('../gep/hubFetch');
 const {
   getNodeId,
   getHubUrl,
@@ -114,6 +115,19 @@ function _publishUrl() {
 
 function _postJson(urlStr, body, timeoutMs) {
   return new Promise(function (resolve) {
+    // Same TLS posture as hubFetch: refuse plain http:// unless
+    // EVOMAP_HUB_ALLOW_INSECURE=1. Before this guard the function
+    // silently fell back to `lib = http` for any non-https URL, so an
+    // operator override `A2A_HUB_URL=http://...` would send /a2a/publish
+    // and /a2a/task/complete in cleartext while hubFetch-routed calls
+    // (e.g. /a2a/verify-solidify) refused the same URL — inconsistent
+    // TLS enforcement across modules.
+    try {
+      enforceHubScheme(urlStr);
+    } catch (e) {
+      resolve({ ok: false, error: 'tls_refused: ' + (e && e.message) });
+      return;
+    }
     let parsed;
     try {
       parsed = new URL(urlStr);
@@ -128,15 +142,28 @@ function _postJson(urlStr, body, timeoutMs) {
       { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) },
       buildHubHeaders() || {},
     );
+    // Pin TLS cert verification for https calls so a globally-disabled
+    // NODE_TLS_REJECT_UNAUTHORIZED=0 cannot weaken the Hub channel
+    // (Cursor Security Reviewer #160 Medium). hubFetch enforces the
+    // same via its undici dispatcher; this is the Node-native-https
+    // equivalent.
+    //
+    // Skipped under EVOMAP_HUB_ALLOW_INSECURE=1 so local-dev / self-
+    // signed mock hubs that legitimately rely on
+    // NODE_TLS_REJECT_UNAUTHORIZED=0 still work.
+    const requestOpts = {
+      hostname: parsed.hostname,
+      port: parsed.port || (isHttps ? 443 : 80),
+      path: parsed.pathname + (parsed.search || ''),
+      method: 'POST',
+      headers: headers,
+      timeout: timeoutMs || PUBLISH_TIMEOUT_MS,
+    };
+    if (isHttps && process.env.EVOMAP_HUB_ALLOW_INSECURE !== '1') {
+      requestOpts.agent = strictHttpsAgent;
+    }
     const req = lib.request(
-      {
-        hostname: parsed.hostname,
-        port: parsed.port || (isHttps ? 443 : 80),
-        path: parsed.pathname + (parsed.search || ''),
-        method: 'POST',
-        headers: headers,
-        timeout: timeoutMs || PUBLISH_TIMEOUT_MS,
-      },
+      requestOpts,
       function (res) {
         const chunks = [];
         res.on('data', function (c) { chunks.push(c); });

package/src/atp/autoBuyer.js

@@ -36,7 +36,13 @@ const DEFAULT_DAILY_CAP = 50;
 const DEFAULT_PER_ORDER_CAP = 10;
 const DEFAULT_ORDER_TIMEOUT_MS = 3000;
 const COLD_START_WINDOW_MS = 5 * 60 * 1000;
+// Successful orders dedup for 24h so the same capability gap is only paid for
+// once per day. Failed orders dedup for 5 minutes only — long enough to
+// absorb tight retry loops (the original goal of "don't hammer the hub")
+// without making the user wait 24h to retry a question after a transient
+// 503/network blip.
 const DEDUP_TTL_MS = 24 * 60 * 60 * 1000;
+const DEDUP_FAILURE_TTL_MS = 5 * 60 * 1000;
 const LEDGER_FILENAME = 'atp-autobuyer-ledger.json';
 const ACK_FILENAME = 'atp-autobuy-ack.json';
 
@@ -145,13 +151,22 @@ function _rotateIfNewDay(ledger, now) {
 }
 
 function _pruneDedup(ledger, now) {
-  const cutoff = (typeof now === 'number' ? now : Date.now()) - DEDUP_TTL_MS;
+  const nowMs = typeof now === 'number' ? now : Date.now();
   const out = {};
   const src = ledger.dedup || {};
   const keys = Object.keys(src);
   for (let i = 0; i < keys.length; i++) {
     const k = keys[i];
-    if (typeof src[k] === 'number' && src[k] >= cutoff) out[k] = src[k];
+    const entry = src[k];
+    // Legacy ledgers written by older versions stored plain timestamps; treat
+    // them as successful orders (the original behaviour) so an upgrade does
+    // not suddenly forget recent dedups.
+    if (typeof entry === 'number') {
+      if (entry >= nowMs - DEDUP_TTL_MS) out[k] = entry;
+    } else if (entry && typeof entry.ts === 'number') {
+      const ttl = entry.failed ? DEDUP_FAILURE_TTL_MS : DEDUP_TTL_MS;
+      if (entry.ts >= nowMs - ttl) out[k] = entry;
+    }
   }
   ledger.dedup = out;
   return ledger;
@@ -205,11 +220,36 @@ function _withTimeout(promise, timeoutMs) {
   ]);
 }
 
-async function considerOrder(opts) {
-  if (!_started) return { ok: false, skipped: true, reason: 'not_started' };
+// Single-flight queue: serialize the read → cap-check → placeOrder → write
+// pipeline so two concurrent considerOrder() calls cannot both pass the cap
+// check on the same ledger snapshot and silently double-spend.
+//
+// Without this, two parallel calls (e.g. user runs Claude Code in two tabs
+// through the same proxy, or two capability gaps fire in the same tick) both
+// read spent=40, both compute remaining=10, both await placeOrder, both
+// increment to spent=50, and write — silently exceeding the daily cap by one
+// full order each. autoBuyer is single-process so an in-memory queue is
+// sufficient; a file lock would only be needed if multiple OS processes
+// shared the same ledger file (not the current deployment model).
+let _orderQueue = Promise.resolve();
+
+function considerOrder(opts) {
+  if (!_started) return Promise.resolve({ ok: false, skipped: true, reason: 'not_started' });
   if (!opts || !Array.isArray(opts.capabilities) || opts.capabilities.length === 0) {
-    return { ok: false, skipped: true, reason: 'no_capabilities' };
+    return Promise.resolve({ ok: false, skipped: true, reason: 'no_capabilities' });
   }
+  const next = _orderQueue.then(
+    () => _considerOrderSerialized(opts),
+    () => _considerOrderSerialized(opts), // never let a prior rejection break the chain
+  );
+  // Swallow rejection on the queue tail so a single thrown error here does
+  // not poison every subsequent call; the original `next` promise still
+  // surfaces the error to the caller.
+  _orderQueue = next.then(() => {}, () => {});
+  return next;
+}
+
+async function _considerOrderSerialized(opts) {
   const now = Date.now();
   let ledger = _readLedger();
   ledger = _rotateIfNewDay(ledger, now);
@@ -248,15 +288,17 @@ async function considerOrder(opts) {
 
   if (result && result.ok) {
     ledger.spent = (ledger.spent || 0) + budget;
-    ledger.dedup[hash] = now;
+    ledger.dedup[hash] = { ts: now, failed: false };
     _writeLedger(ledger);
     console.log('[ATP-AutoBuyer] Order placed: ' + (result.data && result.data.order_id) + ' budget=' + budget + ' remaining_today=' + Math.max(0, dailyCap - ledger.spent));
     return { ok: true, data: result.data, spent: budget };
   }
 
-  // On failure still record dedup so we don't hammer the hub for the same
-  // capability gap within the TTL window (but do NOT charge the spend).
-  ledger.dedup[hash] = now;
+  // On failure record a SHORT-TTL dedup entry (5 min) so we don't hammer the
+  // hub for the same capability gap inside a tight retry loop, but the user
+  // can retry the same question once the transient error clears — far better
+  // than the previous 24h block for a single 503.
+  ledger.dedup[hash] = { ts: now, failed: true };
   _writeLedger(ledger);
   return { ok: false, error: (result && result.error) || 'unknown_error' };
 }
@@ -267,15 +309,25 @@ async function considerOrder(opts) {
 // via .tmp + rename so a crash mid-write never produces a corrupt ack file.
 function setConsent(enabled) {
   const dir = getMemoryDir();
-  try { if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true }); } catch (_) {}
   const body = {
     enabled: !!enabled,
     acknowledged_at: new Date().toISOString(),
     version: 1,
   };
   const tmp = _ackPath() + '.tmp';
-  fs.writeFileSync(tmp, JSON.stringify(body, null, 2) + '\n', 'utf8');
-  fs.renameSync(tmp, _ackPath());
+  // Single try/catch over the whole pipeline. Previously the mkdirSync was
+  // wrapped in its own swallowing try/catch, so an EACCES on the parent dir
+  // would surface to the caller as a confusing ENOENT from writeFileSync.
+  // Surface the original error verbatim and best-effort clean up any
+  // partial .tmp file so a retry from a TTY prompt sees a clean slate.
+  try {
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(tmp, JSON.stringify(body, null, 2) + '\n', 'utf8');
+    fs.renameSync(tmp, _ackPath());
+  } catch (err) {
+    try { fs.unlinkSync(tmp); } catch (_) {}
+    throw err;
+  }
   return body;
 }
 
@@ -288,6 +340,7 @@ function _resetForTests() {
     perOrderCap: DEFAULT_PER_ORDER_CAP,
     timeoutMs: DEFAULT_ORDER_TIMEOUT_MS,
   };
+  _orderQueue = Promise.resolve();
 }
 
 module.exports = {
@@ -306,22 +359,24 @@ module.exports = {
   readAck: _readAck,
   ACK_FILENAME,
   // Exposed for tests and diagnostics only; callers should not depend on
-  // these internals in production code paths.
+  // these internals in production code paths. Ack-file helpers
+  // (getAckPath / readAck / ACK_FILENAME) are intentionally NOT mirrored
+  // here — production and tests both go through the public surface above,
+  // so a single source of truth survives schema changes (Bugbot PR #141 R6
+  // follow-up: keep "test-only" honest, no production caller may reach in).
   __internals: {
     readLedger: _readLedger,
     writeLedger: _writeLedger,
     questionHash: _questionHash,
     effectiveCap: _effectiveCap,
     resetForTests: _resetForTests,
-    ackPath: _ackPath,
-    readAck: _readAck,
     constants: {
       DEFAULT_DAILY_CAP,
       DEFAULT_PER_ORDER_CAP,
       COLD_START_WINDOW_MS,
       DEDUP_TTL_MS,
+      DEDUP_FAILURE_TTL_MS,
       LEDGER_FILENAME,
-      ACK_FILENAME,
     },
   },
 };

package/src/atp/autoDeliver.js

@@ -155,6 +155,18 @@ function start(opts) {
   _pollInterval = setInterval(function () {
     _tick().catch(function () { /* swallowed in _tick */ });
   }, _pollMs);
+  // .unref() so this background poller does NOT keep the Node event
+  // loop alive on its own. `evolver run` (single-shot) writes its
+  // artifacts and expects to exit — without unref, the setInterval
+  // handle pins the process and the run sits as a residual `node`
+  // process until manually killed (public issue #553). `evolver --loop`
+  // (daemon) keeps the foreground evolve loop alive on its own
+  // schedule, so an unref'd poller still polls — unref only changes
+  // whether THIS handle alone keeps the loop alive, not whether the
+  // handle fires.
+  if (_pollInterval && typeof _pollInterval.unref === 'function') {
+    _pollInterval.unref();
+  }
   // Do not await -- fire the first tick asynchronously so start() returns
   // immediately. This matches the autoBuyer start() semantics.
   _tick().catch(function () { /* swallowed in _tick */ });
@@ -189,6 +201,10 @@ module.exports = {
     writeLedger: _writeLedger,
     buildProofPayload: _buildProofPayload,
     resetForTests: _resetForTests,
+    // Test-only accessor for the active poll Timeout. Used to assert
+    // the timer was `.unref()`ed so it does not pin the Node event
+    // loop (regression guard for public issue #553).
+    getPollIntervalForTest: () => _pollInterval,
     constants: {
       DEFAULT_POLL_MS,
       MIN_POLL_MS,

package/src/atp/cliAutobuyPrompt.js

@@ -22,22 +22,13 @@
 const readline = require("readline");
 const autoBuyer = require("./autoBuyer");
 
-// All ack file plumbing is owned by autoBuyer: filename constant, path
-// resolution, read (strict validation), and write (atomic tmp+rename).
-// cliAutobuyPrompt delegates through the public API (not __internals) so
-// the two modules cannot diverge on schema or validation — pre-
-// consolidation drift bit us twice (Bugbot PR #141: duplicate writers +
-// lenient-vs-strict reader). Using public exports keeps the "test-only"
-// contract on __internals honest (Bugbot PR #141 R6).
-const ACK_FILE_NAME = autoBuyer.ACK_FILENAME;
-
-function _getAckPath() {
-  return autoBuyer.getAckPath();
-}
-
-function _readAck() {
-  return autoBuyer.readAck();
-}
+// All ack file plumbing lives on autoBuyer (filename constant, path
+// resolution, read with strict validation, atomic write via tmp+rename).
+// cliAutobuyPrompt always reaches it through the public surface so the
+// two modules cannot diverge on schema or validation — pre-consolidation
+// drift bit us twice (Bugbot PR #141: duplicate writers + lenient-vs-
+// strict reader). No __internals re-export here either: tests import
+// autoBuyer directly so a future rename trips a single set of asserts.
 
 /**
  * @returns {"ack_present"|"env_set"|"non_tty"|"eligible"}
@@ -50,7 +41,7 @@ function classify(env, stdin) {
   if (!stdin || !stdin.isTTY) {
     return "non_tty";
   }
-  if (_readAck()) {
+  if (autoBuyer.readAck()) {
     return "ack_present";
   }
   return "eligible";
@@ -160,9 +151,4 @@ async function runPrompt(opts) {
 module.exports = {
   runPrompt,
   classify,
-  __internals: {
-    ACK_FILE_NAME,
-    _readAck,
-    _getAckPath,
-  },
 };

package/src/atp/hubClient.js

@@ -16,6 +16,7 @@
 
 const http = require('http');
 const { getHubUrl, buildHubHeaders, getNodeId } = require('../gep/a2aProtocol');
+const { hubFetch } = require('../gep/hubFetch');
 const { getProxyUrl, getProxyToken } = require('../proxy/server/settings');
 
 function _isProxyMode() {
@@ -68,12 +69,33 @@ function _proxyRequest(method, path, body, timeoutMs) {
   });
 }
 
+// Route through hubFetch() rather than the global `fetch()` for two
+// reasons (both flagged by Cursor reviewers on PR #160):
+//
+//   1. Dispatcher mixing (Bugbot HIGH): `strictUndiciAgent` is an Agent
+//      from the *installed* `undici` package, but `global.fetch` is
+//      backed by Node's *internal* undici. Passing one to the other
+//      throws `UND_ERR_INVALID_ARG: invalid onRequestStart method` at
+//      request time — exactly the failure mode the comment at the top
+//      of hubFetch.js calls out. hubFetch already routes through
+//      `undici.fetch` from the same package as its Agent, so all calls
+//      that go through hubFetch are immune.
+//
+//   2. Case-sensitive scheme check (Security Reviewer MEDIUM): a hand-
+//      rolled `endpoint.startsWith('https:')` would skip the strict
+//      dispatcher for `HTTPS://...`. hubFetch's `_validateHubUrl` uses
+//      `new URL(url).protocol`, which normalises to lowercase, so
+//      routing through it eliminates the bug class.
+//
+// Routing through hubFetch also inherits the URL-scheme enforcement and
+// the EVOMAP_HUB_ALLOW_INSECURE escape hatch automatically; we no
+// longer need the explicit `enforceHubScheme` guard here.
 function _hubPost(pathSuffix, body, timeoutMs) {
   const hubUrl = getHubUrl();
   if (!hubUrl) return Promise.resolve({ ok: false, error: 'no_hub_url' });
   const endpoint = hubUrl.replace(/\/+$/, '') + pathSuffix;
   const timeout = timeoutMs || require('../config').HTTP_TRANSPORT_TIMEOUT_MS;
-  return fetch(endpoint, {
+  return hubFetch(endpoint, {
     method: 'POST',
     headers: buildHubHeaders(),
     body: JSON.stringify(body),
@@ -83,7 +105,17 @@ function _hubPost(pathSuffix, body, timeoutMs) {
       if (!res.ok) return res.text().then(function (t) { return { ok: false, status: res.status, error: t.slice(0, 400) }; });
       return res.json().then(function (data) { return { ok: true, data: data }; });
     })
-    .catch(function (err) { return { ok: false, error: err.message }; });
+    .catch(function (err) {
+      // hubFetch throws synchronously (rejected Promise) when the URL
+      // fails scheme validation in secure mode. Translate to the same
+      // structured envelope the previous in-line guard produced so the
+      // caller contract is unchanged.
+      const msg = (err && err.message) || String(err);
+      if (msg.indexOf('[hubFetch]') !== -1) {
+        return { ok: false, error: 'tls_refused: ' + msg };
+      }
+      return { ok: false, error: msg };
+    });
 }
 
 function _hubGet(pathSuffix, timeoutMs) {
@@ -91,7 +123,7 @@ function _hubGet(pathSuffix, timeoutMs) {
   if (!hubUrl) return Promise.resolve({ ok: false, error: 'no_hub_url' });
   const endpoint = hubUrl.replace(/\/+$/, '') + pathSuffix;
   const timeout = timeoutMs || require('../config').HTTP_TRANSPORT_TIMEOUT_MS;
-  return fetch(endpoint, {
+  return hubFetch(endpoint, {
     method: 'GET',
     headers: buildHubHeaders(),
     signal: AbortSignal.timeout(timeout),
@@ -100,7 +132,13 @@ function _hubGet(pathSuffix, timeoutMs) {
       if (!res.ok) return res.text().then(function (t) { return { ok: false, status: res.status, error: t.slice(0, 400) }; });
       return res.json().then(function (data) { return { ok: true, data: data }; });
     })
-    .catch(function (err) { return { ok: false, error: err.message }; });
+    .catch(function (err) {
+      const msg = (err && err.message) || String(err);
+      if (msg.indexOf('[hubFetch]') !== -1) {
+        return { ok: false, error: 'tls_refused: ' + msg };
+      }
+      return { ok: false, error: msg };
+    });
 }
 
 // Dispatcher: choose proxy or direct hub based on env + proxy availability.