@evomap/evolver 1.87.3 → 1.88.0

package/src/adapters/scripts/evolver-session-start.js

@@ -7,17 +7,170 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 
-const { findEvolverRoot, findMemoryGraph } = require('./_runtimePaths');
+const { findEvolverRoot, findMemoryGraph, resolveProjectDir, resolveWorkspaceId, isGitWorkspace } = require('./_runtimePaths');
 const { filterRelevantOutcomes } = require('./_memoryFiltering');
 
-function readLastN(filePath, n) {
+// Auto-restart guard: if the evolver daemon is not running when a new agent
+// session starts, attempt a background restart. This covers the "idle-death"
+// scenario: the user closed the machine (macOS sleep), the process died due to
+// event-loop exhaustion or OOM, and now the next agent session finds it gone.
+// We delegate to lifecycle.js restart() which is idempotent (no-op if already
+// running), detached (does not block session startup), and captures output in
+// the existing evolver log.
+//
+// Guard-rails:
+//   - Only runs when EVOLVER_SESSION_AUTO_RESTART is not "0" or "false".
+//   - Skips gracefully if lifecycle.js cannot be found (non-daemon setups,
+//     npx one-shot mode, etc.).
+//   - Execution errors are swallowed: this must never cause session-start to
+//     error out or delay the LLM context injection.
+function _maybeRestartDaemon(evolverRoot) {
   try {
-    const content = fs.readFileSync(filePath, 'utf8');
-    const lines = content.trim().split('\n').filter(Boolean);
-    return lines.slice(-n).map(line => {
-      try { return JSON.parse(line); } catch { return null; }
-    }).filter(Boolean);
+    var autoRestart = String(process.env.EVOLVER_SESSION_AUTO_RESTART || '1').toLowerCase().trim();
+    if (autoRestart === '0' || autoRestart === 'false') return;
+
+    var lifecyclePath = evolverRoot
+      ? path.join(evolverRoot, 'src', 'ops', 'lifecycle.js')
+      : null;
+    if (!lifecyclePath || !fs.existsSync(lifecyclePath)) return;
+
+    // Check if daemon is running by looking for the PID file / lock file.
+    // R12: index.js:getLockFilePath honors EVOLVER_LOCK_DIR. If that env is
+    // set the lock file lives at <EVOLVER_LOCK_DIR>/evolver.pid (basename
+    // differs from the default!); otherwise fall back to the canonical
+    // ~/.evomap/instance.lock. We replicate the logic inline rather than
+    // importing index.js, since pulling the daemon module into the hook
+    // would load far more than we need.
+    var lockFile = process.env.EVOLVER_LOCK_DIR
+      ? path.join(process.env.EVOLVER_LOCK_DIR, 'evolver.pid')
+      : path.join(os.homedir(), '.evomap', 'instance.lock');
+    // R1: PID-reuse defense. process.kill(pid, 0) only proves SOME process
+    // owns that PID -- after macOS sleep / OOM, the kernel may have reused
+    // the slain daemon's PID for an unrelated process (Chrome tab, shell).
+    // Mirror index.js:_lockIsStaleByLease (search for STALE_LOCK_TTL_MS
+    // around line 373): a lease-aware daemon refreshes the lock mtime on a
+    // timer, so if mtime is older than the TTL the daemon is dead/wedged
+    // regardless of kill(0). Constants inlined to keep index.js out of the
+    // hook's require graph.
+    var STALE_LOCK_TTL_MS = process.platform === 'win32' ? 3 * 60_000 : 5 * 60_000;
+    var daemonRunning = false;
+    try {
+      if (fs.existsSync(lockFile)) {
+        var raw = fs.readFileSync(lockFile, 'utf8').trim();
+        var payload = raw && raw[0] === '{' ? JSON.parse(raw) : { pid: parseInt(raw, 10) };
+        if (payload && payload.pid > 0) {
+          try { process.kill(payload.pid, 0); daemonRunning = true; } catch (e) {
+            // EPERM = process exists but owned by a different user; still a live daemon.
+            if (e && e.code === 'EPERM') daemonRunning = true;
+          }
+          // Lease staleness overrides kill(0)=alive. Only trust mtime when
+          // the payload came from a lease-aware daemon (matches index.js's
+          // _lockIsStaleByLease guard) so we never falsely steal an older
+          // pre-lease daemon's lock.
+          if (daemonRunning && payload.lease === true) {
+            try {
+              var ageMs = Date.now() - fs.statSync(lockFile).mtimeMs;
+              if (ageMs > STALE_LOCK_TTL_MS) daemonRunning = false;
+            } catch (_) { /* stat failed: leave running flag as-is */ }
+          }
+        }
+      }
+    } catch (_) { /* lock file unreadable or absent: assume not running */ }
+
+    if (daemonRunning) return; // already alive, nothing to do
+
+    // Daemon appears dead. Spawn lifecycle.js start in the background so
+    // this session-start script exits immediately (< 50 ms) and does not
+    // block the LLM from getting context.
+    var { spawn } = require('child_process');
+    var child = spawn(
+      process.execPath,
+      [lifecyclePath, 'start'],
+      {
+        detached: true,
+        stdio: 'ignore',
+        cwd: evolverRoot,
+        env: Object.assign({}, process.env),
+      }
+    );
+    child.unref();
+    // Best-effort: log a single-line note to stderr so the session transcript
+    // shows that a restart was attempted, without affecting stdout JSON output.
+    try {
+      process.stderr.write('[evolver-session-start] Daemon was not running; attempted background restart (PID ' + child.pid + ').\n');
+    } catch (_) {}
+  } catch (_) {
+    // Never let this helper block or crash the session-start script.
+  }
+}
+
+// One-line notice shown (throttled) when the workspace is not a git repo.
+// Evolver derives every outcome from the git diff, so in a non-git folder the
+// session-end hook records nothing — silently, unless we say so here. We surface
+// it in session-start's additionalContext (injected as opening context, which
+// does NOT trigger an extra inference round, unlike a stop-hook systemMessage).
+const NON_GIT_NOTICE =
+  '[Evolver] This folder is not a git repository, so evolution memory is inactive ' +
+  '(outcomes are derived from git diffs). Run `git init` here, or open a git project, ' +
+  'to enable recall and recording.';
+const NON_GIT_NOTICE_TTL_MS = 30 * 60 * 1000; // once per 30 min per folder
+
+// Return up to `n` of the current workspace's most-recent entries, in
+// chronological (oldest-first) order.
+//
+// Why scan from the end: a plain tail-N-then-filter read would let outcomes
+// from other projects (which share the user-level fallback graph on npm-global
+// installs) crowd this workspace's entries out of the window — we must scope
+// to the workspace BEFORE trimming. But parsing the ENTIRE file to do that is
+// wasteful: the graph can reach ~100 MB before rotation, and JSON-parsing every
+// line on each session start is real CPU/memory cost (Bugbot PR #555 round-3).
+//
+// So we read the file (cheap; the previous readLastN read it whole too) but
+// JSON-parse lines lazily from the newest end, keeping only workspace matches,
+// and stop as soon as we have `n`. Parse count is bounded by where this
+// workspace's n-th-most-recent entry sits, not by total file size.
+function readRecentWorkspaceEntries(filePath, currentId, currentDir, n) {
+  let lines;
+  try {
+    lines = fs.readFileSync(filePath, 'utf8').trim().split('\n');
   } catch { return []; }
+  const out = [];
+  for (let i = lines.length - 1; i >= 0 && out.length < n; i--) {
+    const line = lines[i];
+    if (!line) continue;
+    let entry;
+    try { entry = JSON.parse(line); } catch { continue; }
+    if (belongsToWorkspace(entry, currentId, currentDir)) out.push(entry);
+  }
+  return out.reverse(); // newest-collected-first -> chronological
+}
+
+// Does this memory-graph entry belong to the current workspace?
+//
+// The session-end writer stamps two tags: `workspace_id` (forge-resistant,
+// preferred) and `cwd` (backward-compat). We scope reads so that one project
+// never sees another's outcomes through the shared user-level fallback graph
+// (~/.evolver/memory/evolution/memory_graph.jsonl) — the cross-project
+// disclosure / prompt-injection surface Bugbot flagged on the writer side
+// (PR #105 round-2), which the reader never enforced until now.
+//
+// Rules, in order:
+//   - currentId known + entry.workspace_id present -> must match exactly.
+//   - currentId unknown OR entry has neither tag (pre-hardening / Hub-sourced
+//     entries) -> do NOT exclude; falling back to "show it" preserves prior
+//     behavior and avoids hiding all memory when ids can't be resolved.
+//   - As a softer fallback, when the entry has no workspace_id but does carry a
+//     cwd, match that against the current project dir.
+function belongsToWorkspace(entry, currentId, currentDir) {
+  if (entry && typeof entry.workspace_id === 'string' && entry.workspace_id) {
+    if (currentId) return entry.workspace_id === currentId;
+    return true; // can't compare — don't hide it
+  }
+  if (entry && typeof entry.cwd === 'string' && entry.cwd) {
+    if (currentDir) return entry.cwd === currentDir;
+    return true;
+  }
+  return true; // untagged (legacy / Hub) — never excluded
 }
 
 function formatOutcome(entry) {
@@ -46,18 +199,14 @@ function getDedupStatePath() {
   return path.join(dir, 'session-start-state.json');
 }
 
-function shouldSkipInjection() {
-  // Only apply dedup when explicitly enabled (set by Kiro adapter) OR when
-  // we detect a per-prompt-firing platform via PROMPT_SUBMIT heuristic in
-  // stdin. The stdin is drained in main(), so we rely on env flag here.
-  const dedupEnabled = String(process.env.EVOLVER_SESSION_START_DEDUP || '').toLowerCase() === '1'
-    || String(process.env.EVOLVER_SESSION_START_DEDUP || '').toLowerCase() === 'true';
-  if (!dedupEnabled) return false;
-
-  const ttlMs = Number(process.env.EVOLVER_SESSION_START_DEDUP_TTL_MS) || (30 * 60 * 1000);
-  const key = process.cwd();
+// TTL throttle keyed by an arbitrary string, persisted in session-start-state
+// .json. Returns true if `key` fired within the last `ttlMs` (caller should
+// suppress); otherwise records "now" for `key` and returns false. Best-effort:
+// a state read/write failure just means no throttling (fail open). Shared by
+// the Kiro per-prompt dedup and the non-git notice so both age out of the same
+// file (entries older than 24h are pruned on write).
+function throttled(key, ttlMs) {
   const statePath = getDedupStatePath();
-
   let state = {};
   try {
     if (fs.existsSync(statePath)) {
@@ -67,9 +216,7 @@ function shouldSkipInjection() {
 
   const now = Date.now();
   const last = state[key];
-  if (typeof last === 'number' && now - last < ttlMs) {
-    return true;
-  }
+  if (typeof last === 'number' && now - last < ttlMs) return true;
 
   state[key] = now;
   try {
@@ -82,47 +229,84 @@ function shouldSkipInjection() {
     fs.writeFileSync(tmp, JSON.stringify(state), 'utf8');
     fs.renameSync(tmp, statePath);
   } catch { /* best-effort */ }
-
   return false;
 }
 
+function shouldSkipInjection() {
+  // Only apply dedup when explicitly enabled (set by Kiro adapter) OR when
+  // we detect a per-prompt-firing platform via PROMPT_SUBMIT heuristic in
+  // stdin. The stdin is drained in main(), so we rely on env flag here.
+  const dedupEnabled = String(process.env.EVOLVER_SESSION_START_DEDUP || '').toLowerCase() === '1'
+    || String(process.env.EVOLVER_SESSION_START_DEDUP || '').toLowerCase() === 'true';
+  if (!dedupEnabled) return false;
+
+  const ttlMs = Number(process.env.EVOLVER_SESSION_START_DEDUP_TTL_MS) || (30 * 60 * 1000);
+  return throttled(process.cwd(), ttlMs);
+}
+
 function main() {
   if (shouldSkipInjection()) {
     process.stdout.write(JSON.stringify({}));
     return;
   }
 
+  const currentDir = resolveProjectDir();
+
+  // Non-git notice: evolver records nothing in a non-git folder (outcomes come
+  // from git diffs), so tell the user — once per folder per TTL — instead of
+  // failing silently. Emitted regardless of whether any memory exists below.
+  const parts = [];
+  if (!isGitWorkspace(currentDir) && !throttled('nongit:' + currentDir, NON_GIT_NOTICE_TTL_MS)) {
+    parts.push(NON_GIT_NOTICE);
+  }
+
   const evolverRoot = findEvolverRoot();
+
+  // Attempt to restart the daemon in the background if it has died since the
+  // last session (idle-death / macOS sleep / OOM). Fire-and-forget: errors are
+  // swallowed and this never delays the JSON output below.
+  _maybeRestartDaemon(evolverRoot);
+
   const graphPath = findMemoryGraph(evolverRoot);
 
-  if (!graphPath) {
-    process.stdout.write(JSON.stringify({}));
-    return;
+  // Scope to the current workspace BEFORE trimming to the most-recent window,
+  // so other projects sharing the user-level fallback graph can't crowd this
+  // workspace's outcomes out of view. When the workspace id can't be resolved,
+  // belongsToWorkspace() falls back to "show it" — no regression vs. the old
+  // unscoped behavior.
+  if (graphPath) {
+    const currentId = resolveWorkspaceId(evolverRoot, currentDir);
+    const recent = readRecentWorkspaceEntries(graphPath, currentId, currentDir, 5);
+    const filtered = filterRelevantOutcomes(recent);
+    if (filtered.length > 0) {
+      const successCount = filtered.filter(e => e.outcome && e.outcome.status === 'success').length;
+      const failCount = filtered.filter(e => e.outcome && e.outcome.status === 'failed').length;
+      parts.push([
+        `[Evolution Memory] Recent ${filtered.length} outcomes (${successCount} success, ${failCount} failed):`,
+        ...filtered.map(formatOutcome),
+        '',
+        'Use successful approaches. Avoid repeating failed patterns.',
+      ].join('\n'));
+    }
   }
 
-  const entries = readLastN(graphPath, 5);
-  const filtered = filterRelevantOutcomes(entries);
-
-  if (filtered.length === 0) {
+  if (parts.length === 0) {
     process.stdout.write(JSON.stringify({}));
     return;
   }
 
-  const successCount = filtered.filter(e => e.outcome && e.outcome.status === 'success').length;
-  const failCount = filtered.filter(e => e.outcome && e.outcome.status === 'failed').length;
-
-  const lines = filtered.map(formatOutcome);
-  const summary = [
-    `[Evolution Memory] Recent ${filtered.length} outcomes (${successCount} success, ${failCount} failed):`,
-    ...lines,
-    '',
-    'Use successful approaches. Avoid repeating failed patterns.',
-  ].join('\n');
-
+  const out = parts.join('\n\n');
   process.stdout.write(JSON.stringify({
-    agent_message: summary,
-    additionalContext: summary,
+    agent_message: out,
+    additionalContext: out,
   }));
 }
 
-main();
+// Run as a hook when invoked directly; expose pure helpers for unit tests when
+// required as a module. Guarding on require.main keeps the direct-execution
+// behavior (the hosts run `node evolver-session-start.js`) unchanged.
+if (require.main === module) {
+  main();
+} else {
+  module.exports = { belongsToWorkspace };
+}

package/src/config.js

@@ -9,6 +9,35 @@ function envInt(key, fallback) {
   return isNaN(n) ? fallback : n;
 }
 
+// Strict variant for timing / timeout / interval values that must be
+// positive. Rejects: NaN (e.g. "5min" silently parses to 5 -- here 5 is
+// accepted but a suffix-only "ms" becomes NaN), 0 (which would turn an
+// interval into a hot loop or zero out a timeout signal), and negatives
+// (setTimeout clamps to 1 ms). Also rejects values >= 2^31 because
+// setTimeout silently downgrades those to 1 ms in Node. Misconfigured
+// values fall back to the default with a one-time warning so the user
+// is not silently running a broken setup.
+const _envPositiveIntWarned = new Set();
+function envPositiveInt(key, fallback) {
+  const v = process.env[key];
+  if (v === undefined || v === '') return fallback;
+  const n = parseInt(v, 10);
+  const valid = Number.isFinite(n) && n > 0 && n < 2 ** 31;
+  if (!valid) {
+    if (!_envPositiveIntWarned.has(key)) {
+      _envPositiveIntWarned.add(key);
+      try {
+        console.warn(
+          '[config] ' + key + '=' + JSON.stringify(v) + ' is not a positive integer; ' +
+          'falling back to ' + fallback + '. Set a value in (0, 2^31) ms.'
+        );
+      } catch (_) {}
+    }
+    return fallback;
+  }
+  return n;
+}
+
 function envFloat(key, fallback) {
   const v = process.env[key];
   if (v === undefined || v === '') return fallback;
@@ -23,14 +52,19 @@ function envStr(key, fallback) {
 
 // --- Network & A2A ---
 
-const HELLO_TIMEOUT_MS = envInt('EVOLVER_HELLO_TIMEOUT_MS', 15000);
-const HEARTBEAT_TIMEOUT_MS = envInt('EVOLVER_HEARTBEAT_TIMEOUT_MS', 10000);
-const HEARTBEAT_INTERVAL_MS = envInt('HEARTBEAT_INTERVAL_MS', 360000);
-const HEARTBEAT_FIRST_DELAY_MS = envInt('EVOLVER_HEARTBEAT_FIRST_DELAY_MS', 30000);
-const EVENT_POLL_TIMEOUT_MS = envInt('EVOLVER_EVENT_POLL_TIMEOUT_MS', 60000);
-const HTTP_TRANSPORT_TIMEOUT_MS = envInt('EVOLVER_HTTP_TRANSPORT_TIMEOUT_MS', 15000);
-const SECRET_CACHE_TTL_MS = envInt('EVOLVER_SECRET_CACHE_TTL_MS', 60000);
-const HUB_SEARCH_TIMEOUT_MS = envInt('EVOLVER_HUB_SEARCH_TIMEOUT_MS', 8000);
+// Hot-path timers / intervals use envPositiveInt: a misconfigured 0,
+// negative, or non-numeric value would otherwise turn the heartbeat
+// loop into a hot spin (setTimeout(0)) or zero out a timeout signal
+// (AbortSignal.timeout(0) immediately aborts every request). Falls back
+// to the default with a one-time warning when the env var is invalid.
+const HELLO_TIMEOUT_MS = envPositiveInt('EVOLVER_HELLO_TIMEOUT_MS', 15000);
+const HEARTBEAT_TIMEOUT_MS = envPositiveInt('EVOLVER_HEARTBEAT_TIMEOUT_MS', 10000);
+const HEARTBEAT_INTERVAL_MS = envPositiveInt('HEARTBEAT_INTERVAL_MS', 360000);
+const HEARTBEAT_FIRST_DELAY_MS = envPositiveInt('EVOLVER_HEARTBEAT_FIRST_DELAY_MS', 30000);
+const EVENT_POLL_TIMEOUT_MS = envPositiveInt('EVOLVER_EVENT_POLL_TIMEOUT_MS', 60000);
+const HTTP_TRANSPORT_TIMEOUT_MS = envPositiveInt('EVOLVER_HTTP_TRANSPORT_TIMEOUT_MS', 15000);
+const SECRET_CACHE_TTL_MS = envPositiveInt('EVOLVER_SECRET_CACHE_TTL_MS', 60000);
+const HUB_SEARCH_TIMEOUT_MS = envPositiveInt('EVOLVER_HUB_SEARCH_TIMEOUT_MS', 8000);
 
 // Hub URL resolution (since v1.69.7).
 //
@@ -234,6 +268,7 @@ module.exports = {
   VALIDATOR_BATCH_TIMEOUT_MS,
   // Helpers
   envInt,
+  envPositiveInt,
   envFloat,
   envStr,
 };