@evomap/evolver 1.87.4 → 1.88.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evomap/evolver",
-  "version": "1.87.4",
+  "version": "1.88.1",
   "description": "A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.",
   "main": "index.js",
   "bin": {

package/scripts/build_binaries.js

@@ -249,8 +249,18 @@ if (!OPTS.skipObfuscate) {
     };
 
     const MAX_OBF_ATTEMPTS_RAW = process.env.OBF_MAX_ATTEMPTS;
+    // Default 12 (was 4). The obfuscator's new.target -> #target mangling is
+    // non-deterministic ACROSS PROCESSES, not just across seeds: the same seed
+    // + same input can pass in one node process and fail in another (Set
+    // iteration / internal-state timing). So perturbing the seed per attempt is
+    // not the real lever — re-running the obfuscate call is. The v1.87.4 deploy
+    // hit 4/4 consecutive failures with the default of 4 and aborted the npm
+    // publish + binary upload. At an observed per-attempt failure rate that can
+    // run well above the historical ~5% for some bundles, 4 retries is too few;
+    // 12 drives the all-fail probability to negligible while costing only extra
+    // attempts on the rare unlucky run. Override with OBF_MAX_ATTEMPTS.
     const MAX_OBF_ATTEMPTS = MAX_OBF_ATTEMPTS_RAW === undefined
-      ? 4
+      ? 12
       : parseInt(MAX_OBF_ATTEMPTS_RAW, 10);
     if (!Number.isInteger(MAX_OBF_ATTEMPTS) || MAX_OBF_ATTEMPTS < 1) {
       console.error(`  ERROR: OBF_MAX_ATTEMPTS must be a positive integer; got ${JSON.stringify(MAX_OBF_ATTEMPTS_RAW)}.`);

package/src/adapters/hookAdapter.js

@@ -189,7 +189,9 @@ function copyHookScripts(destDir, evolverRoot) {
     // closes the per-file hole.
     assertNotSymlink(dest, `hook destination ${name}`);
     fs.copyFileSync(src, dest);
-    try { fs.chmodSync(dest, 0o755); } catch { /* windows */ }
+    // NOTE(windows): fs.chmodSync is a no-op on Windows; hook scripts remain
+    // executable via file extension association (.js), not Unix mode bits.
+    try { fs.chmodSync(dest, 0o755); } catch { /* best-effort; no-op on Windows */ }
     copied.push(dest);
   }
   return copied;

package/src/adapters/scripts/_runtimePaths.js

@@ -59,12 +59,36 @@ function findEvolverRoot() {
   // `evolver-session-start.js`'s `additionalContext`. Restrict to trusted,
   // user/system-scoped install roots.
   try {
+    // Windows: `npm install -g` puts packages under %APPDATA%\npm\node_modules
+    // (most common), %ProgramFiles%\nodejs\node_modules (system-wide installer),
+    // or %ProgramFiles(x86)%\nodejs\node_modules. Build the extra Windows paths
+    // conditionally so the POSIX base list stays intact.
+    const _winPaths = process.platform === 'win32'
+      ? [
+          path.join(
+            process.env.APPDATA || path.join(os.homedir(), 'AppData', 'Roaming'),
+            'npm', 'node_modules'
+          ),
+          ...(process.env.ProgramFiles
+            ? [path.join(process.env.ProgramFiles, 'nodejs', 'node_modules')]
+            : []),
+          ...(process.env['ProgramFiles(x86)']
+            ? [path.join(process.env['ProgramFiles(x86)'], 'nodejs', 'node_modules')]
+            : []),
+        ]
+      : [];
+
     const pkgJson = require.resolve('@evomap/evolver/package.json', {
+      // Do NOT include process.cwd() — a hostile workspace can plant its own
+      // node_modules/@evomap/evolver to gain control over the memory graph path
+      // (prompt-injection surface: evolver-session-start.js additionalContext).
+      // Only trust user/system-scoped install roots.
       paths: [
         path.join(os.homedir(), '.npm-global', 'lib', 'node_modules'),
         path.join(os.homedir(), '.local', 'lib', 'node_modules'),
         '/usr/lib/node_modules',
         '/usr/local/lib/node_modules',
+        ..._winPaths,
       ],
     });
     if (pkgJson && isEvolverPackageJson(pkgJson)) {

package/src/adapters/scripts/evolver-session-end.js

@@ -8,6 +8,8 @@
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const https = require('https');
+const http = require('http');
 const { spawnSync } = require('child_process');
 // 10 MB — prevents RangeError on large child process output (e.g. git log/diff
 // on large repos). See GHSA reports / issue #451.
@@ -116,6 +118,9 @@ function recordToHub(outcome) {
   const nodeId = process.env.EVOMAP_NODE_ID || process.env.A2A_NODE_ID;
   if (!hubUrl || !apiKey) return false;
 
+  // Use Node.js built-in http/https instead of curl so this works on all
+  // platforms, including Windows where curl may not be available or may be
+  // an older, incompatible version bundled with some environments.
   try {
     const payload = JSON.stringify({
       gene_id: outcome.geneId || 'ad_hoc',
@@ -125,22 +130,39 @@ function recordToHub(outcome) {
       summary: outcome.summary,
       sender_id: nodeId || undefined,
     });
-    // Argv-array form avoids shell interpretation of apiKey, payload, or the
-    // hub URL. Values cannot break out through shell metacharacters.
-    const res = spawnSync('curl', [
-      '-s', '-m', '8', '-X', 'POST',
-      '-H', 'Content-Type: application/json',
-      '-H', `Authorization: Bearer ${apiKey}`,
-      '-d', payload,
-      `${hubUrl.replace(/\/+$/, '')}/a2a/evolution/record`,
-    ], {
-      timeout: 10000,
-      stdio: ['pipe', 'pipe', 'pipe'],
-      maxBuffer: MAX_EXEC_BUFFER,
-      shell: false,
+
+    const endpoint = hubUrl.replace(/\/+$/, '') + '/a2a/evolution/record';
+    let parsedUrl;
+    try { parsedUrl = new URL(endpoint); } catch { return false; }
+
+    const isHttps = parsedUrl.protocol === 'https:';
+    const transport = isHttps ? https : http;
+
+    return new Promise((resolve) => {
+      const req = transport.request(
+        {
+          hostname: parsedUrl.hostname,
+          port: parsedUrl.port || (isHttps ? 443 : 80),
+          path: parsedUrl.pathname + (parsedUrl.search || ''),
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Bearer ${apiKey}`,
+            'Content-Length': Buffer.byteLength(payload),
+          },
+          timeout: 8000,
+        },
+        (res) => {
+          // Drain the response to free the socket; we only care about status.
+          res.resume();
+          resolve(res.statusCode >= 200 && res.statusCode < 300);
+        }
+      );
+      req.on('error', () => resolve(false));
+      req.on('timeout', () => { req.destroy(); resolve(false); });
+      req.write(payload);
+      req.end();
     });
-    if (res.status !== 0 || res.error) return false;
-    return true;
   } catch {
     return false;
   }
@@ -227,78 +249,88 @@ function main() {
   process.stdin.on('data', chunk => { inputData += chunk; });
   process.stdin.on('end', () => {
     if (handled) return;
-    try {
-      const diffInfo = getGitDiffStats();
+    // recordToHub is async (uses Node.js http/https); wrap the rest of the
+    // handler in an immediately-invoked async function so we can await it
+    // while still honouring the watchdog timeout and the `handled` guard.
+    (async () => {
+      try {
+        const diffInfo = getGitDiffStats();
 
-      if (!diffInfo.hasChanges) {
-        // No git diff means no signal source — session-end derives the
-        // outcome (status/score/signals/summary) entirely from the diff, so
-        // there is nothing meaningful to record. This is expected in a
-        // non-git workspace or a repo with no changes this session. Rather
-        // than fabricate an empty outcome (which would pollute the memory
-        // graph), record nothing — but leave a log breadcrumb so the user
-        // can tell "evolver ran but had nothing to record" apart from
-        // "evolver never fired". (Previously this branch was fully silent.)
-        const reason = diffInfo.isRepo
-          ? 'no changes detected this session'
-          : 'not a git workspace';
-        appendEvolutionLog(`[Evolution] Session end: nothing recorded (${reason}).`);
-        finish({});
-        return;
-      }
+        if (!diffInfo.hasChanges) {
+          // No git diff means no signal source — session-end derives the
+          // outcome (status/score/signals/summary) entirely from the diff, so
+          // there is nothing meaningful to record. This is expected in a
+          // non-git workspace or a repo with no changes this session. Rather
+          // than fabricate an empty outcome (which would pollute the memory
+          // graph), record nothing — but leave a log breadcrumb so the user
+          // can tell "evolver ran but had nothing to record" apart from
+          // "evolver never fired".
+          const reason = diffInfo.isRepo
+            ? 'no changes detected this session'
+            : 'not a git workspace';
+          appendEvolutionLog(`[Evolution] Session end: nothing recorded (${reason}).`);
+          finish({});
+          return;
+        }
 
-      const signals = detectSignals(diffInfo.diffSnippet);
-      if (signals.length === 0) signals.push('stable_success_plateau');
+        const signals = detectSignals(diffInfo.diffSnippet);
+        if (signals.length === 0) signals.push('stable_success_plateau');
 
-      const hasErrors = signals.includes('log_error') || signals.includes('test_failure');
-      const status = hasErrors ? 'failed' : 'success';
-      const score = hasErrors ? 0.3 : 0.8;
+        const hasErrors = signals.includes('log_error') || signals.includes('test_failure');
+        const status = hasErrors ? 'failed' : 'success';
+        const score = hasErrors ? 0.3 : 0.8;
 
-      const outcome = {
-        geneId: 'ad_hoc',
-        signals,
-        status,
-        score,
-        summary: `Session end: ${diffInfo.summary}. Signals: [${signals.join(', ')}]`,
-      };
+        const outcome = {
+          geneId: 'ad_hoc',
+          signals,
+          status,
+          score,
+          summary: `Session end: ${diffInfo.summary}. Signals: [${signals.join(', ')}]`,
+        };
 
-      const evolverRoot = findEvolverRoot();
-      const graphPath = findMemoryGraph(evolverRoot);
+        const evolverRoot = findEvolverRoot();
+        const graphPath = findMemoryGraph(evolverRoot);
 
-      const hubOk = recordToHub(outcome);
-      const localOk = graphPath ? recordToLocal(graphPath, outcome) : false;
+        // Local first: recordToHub is async with an 8s socket timeout, but
+        // the 7s watchdog (setTimeout below) will process.exit(0) before a
+        // slow hub returns — so anything sequenced after `await recordToHub`
+        // can be silently skipped. recordToLocal is the reliable offline
+        // fallback and must run regardless of hub latency.
+        const localOk = graphPath ? recordToLocal(graphPath, outcome) : false;
+        const hubOk = await recordToHub(outcome);
 
-      const target = hubOk ? 'Hub' : localOk ? 'local memory' : 'nowhere (no Hub or local path)';
-      const msg = `[Evolution] Session outcome recorded to ${target}: ${outcome.summary}`;
+        const target = hubOk ? 'Hub' : localOk ? 'local memory' : 'nowhere (no Hub or local path)';
+        const msg = `[Evolution] Session outcome recorded to ${target}: ${outcome.summary}`;
 
-      // Stop hook output schema (per Claude Code docs):
-      //   - decision: "approve" | "block"
-      //   - reason: string (shown when decision is set)
-      //   - systemMessage: string (notification displayed to user)
-      //   - continue: boolean
-      //   - stopReason: string
-      //
-      // Earlier versions emitted `followup_message`, `stopMessage`, and
-      // `additionalContext` together. `followup_message` is the field that
-      // re-injects the receipt into Claude's next inference round, which
-      // caused the agent to "respond" to its own evolution log line —
-      // visible to users as an unexplained extra reasoning turn after
-      // every task. The evolver is supposed to be observational, so we
-      // now use `systemMessage` only — that surfaces the receipt to the
-      // user without forcing another inference round.
-      //
-      // Cursor compatibility: Cursor's Claude Code-compatible runtime
-      // currently treats `systemMessage` as a user prompt for the next
-      // inference round. When we detect Cursor, omit systemMessage too.
-      // The receipt is always appended to ~/.evolver/logs/evolution.log
-      // so it is never silently lost; users can opt back in to the inline
-      // notification with EVOLVER_HOOK_VERBOSE=1.
-      appendEvolutionLog(msg);
+        // Stop hook output schema (per Claude Code docs):
+        //   - decision: "approve" | "block"
+        //   - reason: string (shown when decision is set)
+        //   - systemMessage: string (notification displayed to user)
+        //   - continue: boolean
+        //   - stopReason: string
+        //
+        // Earlier versions emitted `followup_message`, `stopMessage`, and
+        // `additionalContext` together. `followup_message` is the field that
+        // re-injects the receipt into Claude's next inference round, which
+        // caused the agent to "respond" to its own evolution log line —
+        // visible to users as an unexplained extra reasoning turn after
+        // every task. The evolver is supposed to be observational, so we
+        // now use `systemMessage` only — that surfaces the receipt to the
+        // user without forcing another inference round.
+        //
+        // Cursor compatibility: Cursor's Claude Code-compatible runtime
+        // currently treats `systemMessage` as a user prompt for the next
+        // inference round. When we detect Cursor, omit systemMessage too.
+        // The receipt is always appended to ~/.evolver/logs/evolution.log
+        // so it is never silently lost; users can opt back in to the inline
+        // notification with EVOLVER_HOOK_VERBOSE=1.
+        appendEvolutionLog(msg);
 
-      finish(isCursorHost() ? {} : { systemMessage: msg });
-    } catch (e) {
-      finish({});
-    }
+        finish(isCursorHost() ? {} : { systemMessage: msg });
+      } catch (e) {
+        finish({});
+      }
+    })();
   });
 
   watchdog = setTimeout(() => finish({}), 7000);

package/src/adapters/scripts/evolver-session-start.js

@@ -10,6 +10,100 @@ const os = require('os');
 const { findEvolverRoot, findMemoryGraph, resolveProjectDir, resolveWorkspaceId, isGitWorkspace } = require('./_runtimePaths');
 const { filterRelevantOutcomes } = require('./_memoryFiltering');
 
+// Auto-restart guard: if the evolver daemon is not running when a new agent
+// session starts, attempt a background restart. This covers the "idle-death"
+// scenario: the user closed the machine (macOS sleep), the process died due to
+// event-loop exhaustion or OOM, and now the next agent session finds it gone.
+// We delegate to lifecycle.js restart() which is idempotent (no-op if already
+// running), detached (does not block session startup), and captures output in
+// the existing evolver log.
+//
+// Guard-rails:
+//   - Only runs when EVOLVER_SESSION_AUTO_RESTART is not "0" or "false".
+//   - Skips gracefully if lifecycle.js cannot be found (non-daemon setups,
+//     npx one-shot mode, etc.).
+//   - Execution errors are swallowed: this must never cause session-start to
+//     error out or delay the LLM context injection.
+function _maybeRestartDaemon(evolverRoot) {
+  try {
+    var autoRestart = String(process.env.EVOLVER_SESSION_AUTO_RESTART || '1').toLowerCase().trim();
+    if (autoRestart === '0' || autoRestart === 'false') return;
+
+    var lifecyclePath = evolverRoot
+      ? path.join(evolverRoot, 'src', 'ops', 'lifecycle.js')
+      : null;
+    if (!lifecyclePath || !fs.existsSync(lifecyclePath)) return;
+
+    // Check if daemon is running by looking for the PID file / lock file.
+    // R12: index.js:getLockFilePath honors EVOLVER_LOCK_DIR. If that env is
+    // set the lock file lives at <EVOLVER_LOCK_DIR>/evolver.pid (basename
+    // differs from the default!); otherwise fall back to the canonical
+    // ~/.evomap/instance.lock. We replicate the logic inline rather than
+    // importing index.js, since pulling the daemon module into the hook
+    // would load far more than we need.
+    var lockFile = process.env.EVOLVER_LOCK_DIR
+      ? path.join(process.env.EVOLVER_LOCK_DIR, 'evolver.pid')
+      : path.join(os.homedir(), '.evomap', 'instance.lock');
+    // R1: PID-reuse defense. process.kill(pid, 0) only proves SOME process
+    // owns that PID -- after macOS sleep / OOM, the kernel may have reused
+    // the slain daemon's PID for an unrelated process (Chrome tab, shell).
+    // Mirror index.js:_lockIsStaleByLease (search for STALE_LOCK_TTL_MS
+    // around line 373): a lease-aware daemon refreshes the lock mtime on a
+    // timer, so if mtime is older than the TTL the daemon is dead/wedged
+    // regardless of kill(0). Constants inlined to keep index.js out of the
+    // hook's require graph.
+    var STALE_LOCK_TTL_MS = process.platform === 'win32' ? 3 * 60_000 : 5 * 60_000;
+    var daemonRunning = false;
+    try {
+      if (fs.existsSync(lockFile)) {
+        var raw = fs.readFileSync(lockFile, 'utf8').trim();
+        var payload = raw && raw[0] === '{' ? JSON.parse(raw) : { pid: parseInt(raw, 10) };
+        if (payload && payload.pid > 0) {
+          try { process.kill(payload.pid, 0); daemonRunning = true; } catch (e) {
+            // EPERM = process exists but owned by a different user; still a live daemon.
+            if (e && e.code === 'EPERM') daemonRunning = true;
+          }
+          // Lease staleness overrides kill(0)=alive. Only trust mtime when
+          // the payload came from a lease-aware daemon (matches index.js's
+          // _lockIsStaleByLease guard) so we never falsely steal an older
+          // pre-lease daemon's lock.
+          if (daemonRunning && payload.lease === true) {
+            try {
+              var ageMs = Date.now() - fs.statSync(lockFile).mtimeMs;
+              if (ageMs > STALE_LOCK_TTL_MS) daemonRunning = false;
+            } catch (_) { /* stat failed: leave running flag as-is */ }
+          }
+        }
+      }
+    } catch (_) { /* lock file unreadable or absent: assume not running */ }
+
+    if (daemonRunning) return; // already alive, nothing to do
+
+    // Daemon appears dead. Spawn lifecycle.js start in the background so
+    // this session-start script exits immediately (< 50 ms) and does not
+    // block the LLM from getting context.
+    var { spawn } = require('child_process');
+    var child = spawn(
+      process.execPath,
+      [lifecyclePath, 'start'],
+      {
+        detached: true,
+        stdio: 'ignore',
+        cwd: evolverRoot,
+        env: Object.assign({}, process.env),
+      }
+    );
+    child.unref();
+    // Best-effort: log a single-line note to stderr so the session transcript
+    // shows that a restart was attempted, without affecting stdout JSON output.
+    try {
+      process.stderr.write('[evolver-session-start] Daemon was not running; attempted background restart (PID ' + child.pid + ').\n');
+    } catch (_) {}
+  } catch (_) {
+    // Never let this helper block or crash the session-start script.
+  }
+}
+
 // One-line notice shown (throttled) when the workspace is not a git repo.
 // Evolver derives every outcome from the git diff, so in a non-git folder the
 // session-end hook records nothing — silently, unless we say so here. We surface
@@ -167,6 +261,12 @@ function main() {
   }
 
   const evolverRoot = findEvolverRoot();
+
+  // Attempt to restart the daemon in the background if it has died since the
+  // last session (idle-death / macOS sleep / OOM). Fire-and-forget: errors are
+  // swallowed and this never delays the JSON output below.
+  _maybeRestartDaemon(evolverRoot);
+
   const graphPath = findMemoryGraph(evolverRoot);
 
   // Scope to the current workspace BEFORE trimming to the most-recent window,

package/src/config.js

@@ -9,6 +9,35 @@ function envInt(key, fallback) {
   return isNaN(n) ? fallback : n;
 }
 
+// Strict variant for timing / timeout / interval values that must be
+// positive. Rejects: NaN (e.g. "5min" silently parses to 5 -- here 5 is
+// accepted but a suffix-only "ms" becomes NaN), 0 (which would turn an
+// interval into a hot loop or zero out a timeout signal), and negatives
+// (setTimeout clamps to 1 ms). Also rejects values >= 2^31 because
+// setTimeout silently downgrades those to 1 ms in Node. Misconfigured
+// values fall back to the default with a one-time warning so the user
+// is not silently running a broken setup.
+const _envPositiveIntWarned = new Set();
+function envPositiveInt(key, fallback) {
+  const v = process.env[key];
+  if (v === undefined || v === '') return fallback;
+  const n = parseInt(v, 10);
+  const valid = Number.isFinite(n) && n > 0 && n < 2 ** 31;
+  if (!valid) {
+    if (!_envPositiveIntWarned.has(key)) {
+      _envPositiveIntWarned.add(key);
+      try {
+        console.warn(
+          '[config] ' + key + '=' + JSON.stringify(v) + ' is not a positive integer; ' +
+          'falling back to ' + fallback + '. Set a value in (0, 2^31) ms.'
+        );
+      } catch (_) {}
+    }
+    return fallback;
+  }
+  return n;
+}
+
 function envFloat(key, fallback) {
   const v = process.env[key];
   if (v === undefined || v === '') return fallback;
@@ -23,14 +52,19 @@ function envStr(key, fallback) {
 
 // --- Network & A2A ---
 
-const HELLO_TIMEOUT_MS = envInt('EVOLVER_HELLO_TIMEOUT_MS', 15000);
-const HEARTBEAT_TIMEOUT_MS = envInt('EVOLVER_HEARTBEAT_TIMEOUT_MS', 10000);
-const HEARTBEAT_INTERVAL_MS = envInt('HEARTBEAT_INTERVAL_MS', 360000);
-const HEARTBEAT_FIRST_DELAY_MS = envInt('EVOLVER_HEARTBEAT_FIRST_DELAY_MS', 30000);
-const EVENT_POLL_TIMEOUT_MS = envInt('EVOLVER_EVENT_POLL_TIMEOUT_MS', 60000);
-const HTTP_TRANSPORT_TIMEOUT_MS = envInt('EVOLVER_HTTP_TRANSPORT_TIMEOUT_MS', 15000);
-const SECRET_CACHE_TTL_MS = envInt('EVOLVER_SECRET_CACHE_TTL_MS', 60000);
-const HUB_SEARCH_TIMEOUT_MS = envInt('EVOLVER_HUB_SEARCH_TIMEOUT_MS', 8000);
+// Hot-path timers / intervals use envPositiveInt: a misconfigured 0,
+// negative, or non-numeric value would otherwise turn the heartbeat
+// loop into a hot spin (setTimeout(0)) or zero out a timeout signal
+// (AbortSignal.timeout(0) immediately aborts every request). Falls back
+// to the default with a one-time warning when the env var is invalid.
+const HELLO_TIMEOUT_MS = envPositiveInt('EVOLVER_HELLO_TIMEOUT_MS', 15000);
+const HEARTBEAT_TIMEOUT_MS = envPositiveInt('EVOLVER_HEARTBEAT_TIMEOUT_MS', 10000);
+const HEARTBEAT_INTERVAL_MS = envPositiveInt('HEARTBEAT_INTERVAL_MS', 360000);
+const HEARTBEAT_FIRST_DELAY_MS = envPositiveInt('EVOLVER_HEARTBEAT_FIRST_DELAY_MS', 30000);
+const EVENT_POLL_TIMEOUT_MS = envPositiveInt('EVOLVER_EVENT_POLL_TIMEOUT_MS', 60000);
+const HTTP_TRANSPORT_TIMEOUT_MS = envPositiveInt('EVOLVER_HTTP_TRANSPORT_TIMEOUT_MS', 15000);
+const SECRET_CACHE_TTL_MS = envPositiveInt('EVOLVER_SECRET_CACHE_TTL_MS', 60000);
+const HUB_SEARCH_TIMEOUT_MS = envPositiveInt('EVOLVER_HUB_SEARCH_TIMEOUT_MS', 8000);
 
 // Hub URL resolution (since v1.69.7).
 //
@@ -234,6 +268,7 @@ module.exports = {
   VALIDATOR_BATCH_TIMEOUT_MS,
   // Helpers
   envInt,
+  envPositiveInt,
   envFloat,
   envStr,
 };