@evomap/evolver 1.89.0 → 1.89.2

package/src/proxy/trace/usage.js

@@ -1,105 +1 @@
-'use strict';
-
-// Per-run token-usage rollup over the proxy trace log.
-//
-// The local proxy (src/proxy) meters real Anthropic input/output tokens for
-// every Hand /v1/messages call into proxy-traces.jsonl. This reads that log
-// back -- decrypting encrypted rows with the local EvoMap node secret -- and
-// sums the real tokens spent within a time window, giving solidify the
-// MEASURED cost of a derive loop.
-//
-// Best-effort by design: returns measured:false (and never throws) when the
-// proxy was inactive, the node secret is missing, no rows fall in the window,
-// or the in-window rows carried no usage (e.g. streamed-but-unobserved calls).
-// Callers fall back to a grounded estimate in that case.
-
-const fs = require('fs');
-const {
-  resolveTraceFile,
-  resolveEvomapNodeSecret,
-  decryptTraceEnvelope,
-} = require('./extractor');
-
-const EMPTY = Object.freeze({
-  input_tokens: 0,
-  output_tokens: 0,
-  total_tokens: 0,
-  calls: 0,
-  measured: false,
-});
-
-function _rowTimestampMs(row) {
-  const iso = row && (row.timestamp || row.createdAtIso);
-  if (iso) {
-    const ms = Date.parse(iso);
-    if (Number.isFinite(ms)) return ms;
-  }
-  // createdAt is unix seconds in the Prism trace shape.
-  if (row && Number.isFinite(Number(row.createdAt))) return Number(row.createdAt) * 1000;
-  return null;
-}
-
-/**
- * Sum the real token usage the proxy recorded within a run's time window.
- *
- * @param {object} opts
- * @param {string} opts.sinceIso - REQUIRED lower bound (e.g. last_run.created_at).
- *   Without a window we cannot attribute traces to this run, so we report
- *   unmeasured rather than summing unrelated calls.
- * @param {string} [opts.untilIso] - upper bound; defaults to now.
- * @returns {{input_tokens:number,output_tokens:number,total_tokens:number,calls:number,measured:boolean}}
- */
-function sumRunUsage(opts = {}) {
-  const sinceMs = opts && opts.sinceIso != null ? Date.parse(opts.sinceIso) : NaN;
-  if (!Number.isFinite(sinceMs)) return { ...EMPTY };
-  const untilMs = opts && opts.untilIso != null && Number.isFinite(Date.parse(opts.untilIso))
-    ? Date.parse(opts.untilIso)
-    : Date.now();
-
-  let raw;
-  try {
-    const file = resolveTraceFile();
-    if (!fs.existsSync(file)) return { ...EMPTY };
-    raw = fs.readFileSync(file, 'utf8');
-  } catch (_) {
-    return { ...EMPTY };
-  }
-
-  let secret = null;
-  try { secret = resolveEvomapNodeSecret(); } catch (_) { secret = null; }
-
-  let input = 0;
-  let output = 0;
-  let calls = 0;
-  for (const line of raw.split('\n')) {
-    const s = line.trim();
-    if (!s) continue;
-    let row;
-    try { row = JSON.parse(s); } catch (_) { continue; }
-    if (row && row.encrypted) {
-      if (!secret) continue; // cannot decrypt -> treat as unobserved
-      try { row = decryptTraceEnvelope(row, secret); } catch (_) { continue; }
-    }
-    if (!row || typeof row !== 'object') continue;
-    const ms = _rowTimestampMs(row);
-    if (ms == null || ms < sinceMs || ms > untilMs) continue;
-    const i = Number(row.input_tokens);
-    const o = Number(row.output_tokens);
-    const hasI = Number.isFinite(i) && i > 0;
-    const hasO = Number.isFinite(o) && o > 0;
-    if (hasI) input += i;
-    if (hasO) output += o;
-    if (hasI || hasO) calls += 1;
-  }
-
-  if (calls === 0) return { ...EMPTY };
-  return {
-    input_tokens: input,
-    output_tokens: output,
-    total_tokens: input + output,
-    calls,
-    measured: true,
-  };
-}
-
-module.exports = { sumRunUsage };
+const _0x28f474=_0x2c06;(function(_0x43e92d,_0x1c7e6a){const _0x3c9e19=_0x2c06,_0x5f0eea=_0x43e92d();while(!![]){try{const _0x3d94e2=parseInt(_0x3c9e19(0x222,'\x45\x41\x59\x72'))/(0x16f7+-0x847+-0xeaf)*(-parseInt(_0x3c9e19(0x218,'\x40\x35\x23\x76'))/(0x1*-0xdc7+-0x4*-0x516+-0x68f))+parseInt(_0x3c9e19(0x1ec,'\x32\x42\x2a\x44'))/(0x2*0x8d+0x66d*-0x6+0x1*0x2577)*(parseInt(_0x3c9e19(0x253,'\x5d\x29\x37\x34'))/(0x287*0x1+0x331*-0x6+0x10a3))+parseInt(_0x3c9e19(0x209,'\x32\x42\x2a\x44'))/(-0x1965+-0x7ae*0x5+0x3fd0)+parseInt(_0x3c9e19(0x203,'\x69\x28\x45\x5b'))/(0x22b0+-0x1d2b+-0x57f)+parseInt(_0x3c9e19(0x231,'\x31\x65\x2a\x49'))/(0x1*-0x235f+-0x263f+0x49a5)+parseInt(_0x3c9e19(0x1fe,'\x34\x50\x61\x65'))/(-0xd43+-0x62*0x43+0x3*0xcfb)*(-parseInt(_0x3c9e19(0x20a,'\x71\x72\x2a\x40'))/(-0x3b*0x5d+0x6ef*-0x3+0x2a45))+-parseInt(_0x3c9e19(0x21b,'\x51\x37\x6e\x39'))/(0x2c*-0x32+0x2*0x79d+0x34c*-0x2);if(_0x3d94e2===_0x1c7e6a)break;else _0x5f0eea['push'](_0x5f0eea['shift']());}catch(_0x202450){_0x5f0eea['push'](_0x5f0eea['shift']());}}}(_0x3c70,0x20d40+0x1*-0x6ceb6+0x94875));const _0x17389a=(function(){const _0x57b490=_0x2c06,_0x32d187={};_0x32d187[_0x57b490(0x1ff,'\x74\x72\x58\x42')]=function(_0x3b53bf,_0x267d6f){return _0x3b53bf===_0x267d6f;},_0x32d187[_0x57b490(0x205,'\x39\x5e\x44\x49')]='\x59\x6c\x6e\x50\x64';const _0x4c2de3=_0x32d187;let _0x421f0a=!![];return function(_0xdbd152,_0x1cdee7){const _0x460201=_0x57b490;if(_0x4c2de3[_0x460201(0x1f5,'\x71\x72\x2a\x40')](_0x4c2de3[_0x460201(0x216,'\x74\x72\x58\x42')],_0x4c2de3['\x74\x69\x45\x71\x48'])){const _0x2b6747=_0x421f0a?function(){const _0x4fbd16=_0x460201;if(_0x1cdee7){const _0x41cabd=_0x1cdee7[_0x4fbd16(0x1eb,'\x39\x5e\x44\x49')](_0xdbd152,arguments);return _0x1cdee7=null,_0x41cabd;}}:function(){};return _0x421f0a=![],_0x2b6747;}else _0x1fe7f5=_0x3eb75d();};}()),_0x48ff12=_0x17389a(this,function(){const _0x48106d=_0x2c06,_0x31c781={};_0x31c781[_0x48106d(0x234,'\x33\x69\x5d\x78')]='\x28\x28\x28\x2e\x2b\x29\x2b\x29'+'\x2b\x29\x2b\x24';const _0x2d5d2a=_0x31c781;return _0x48ff12[_0x48106d(0x1ed,'\x74\x23\x4e\x57')]()[_0x48106d(0x220,'\x36\x69\x21\x40')](_0x2d5d2a['\x55\x77\x57\x50\x78'])[_0x48106d(0x1ef,'\x39\x5e\x44\x49')]()[_0x48106d(0x20b,'\x33\x69\x5d\x78')+_0x48106d(0x1f8,'\x54\x53\x34\x71')](_0x48ff12)[_0x48106d(0x251,'\x79\x61\x77\x54')](_0x2d5d2a[_0x48106d(0x232,'\x54\x53\x34\x71')]);});_0x48ff12();'use strict';const _0x3234c5=require('\x66\x73'),{resolveTraceFile:_0x4babcd,resolveEvomapNodeSecret:_0x4160e3,decryptTraceEnvelope:_0x4c9550}=require('\x2e\x2f\x65\x78\x74\x72\x61\x63'+_0x28f474(0x242,'\x61\x40\x4a\x32')),_0xd87bda={};_0xd87bda[_0x28f474(0x1ea,'\x45\x41\x59\x72')+_0x28f474(0x202,'\x56\x4c\x6b\x63')]=0x0,_0xd87bda[_0x28f474(0x249,'\x40\x35\x23\x76')+_0x28f474(0x225,'\x61\x40\x4a\x32')]=0x0,_0xd87bda[_0x28f474(0x1f7,'\x49\x21\x39\x64')+_0x28f474(0x23d,'\x4d\x49\x4d\x72')]=0x0,_0xd87bda[_0x28f474(0x22b,'\x31\x65\x2a\x49')]=0x0,_0xd87bda[_0x28f474(0x24f,'\x74\x32\x75\x5b')]=![];function _0x2c06(_0x5259d1,_0x4d6708){_0x5259d1=_0x5259d1-(-0x1974+-0xd68+0x15*0x1f1);const _0x1c6bb7=_0x3c70();let _0x489063=_0x1c6bb7[_0x5259d1];if(_0x2c06['\x4b\x66\x59\x48\x6c\x4d']===undefined){var _0x590938=function(_0x5c4255){const _0x577247='\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2b\x2f\x3d';let _0x563664='',_0x54ce96='',_0x43c357=_0x563664+_0x590938,_0x306b57=(''+function(){return 0x6*-0x80+-0x1*0xcd+0x3cd;})['\x69\x6e\x64\x65\x78\x4f\x66']('\x0a')!==-(-0x1*0x209c+0x2239*-0x1+-0xd5e*-0x5);for(let _0xd1b3a3=0x22fe+0x3b*-0x1+-0x22c3,_0x13dd9a,_0x44d714,_0x5e369b=-0x3ce*0x3+-0x10a5*-0x1+-0x67*0xd;_0x44d714=_0x5c4255['\x63\x68\x61\x72\x41\x74'](_0x5e369b++);~_0x44d714&&(_0x13dd9a=_0xd1b3a3%(0x722*0x4+-0x21fa+0x576)?_0x13dd9a*(-0x1d*0xbf+-0x83e+-0x1e21*-0x1)+_0x44d714:_0x44d714,_0xd1b3a3++%(-0x1277+-0x2b4*-0x1+0x1*0xfc7))?_0x563664+=_0x306b57||_0x43c357['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'](_0x5e369b+(0x823*0x1+0x14a9+-0x1cc2))-(0xb01+-0x3*0x75a+-0xb17*-0x1)!==-0x23ee+0x1e2d+0x5c1?String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'](-0x135c+-0xfd*0x9+-0x3*-0x9c0&_0x13dd9a>>(-(-0x121+0x1*-0x147a+0x159d)*_0xd1b3a3&0x5*-0x49a+-0x4a*-0x24+0xca0)):_0xd1b3a3:-0x1*-0x176e+-0x21f2+0xa84){_0x44d714=_0x577247['\x69\x6e\x64\x65\x78\x4f\x66'](_0x44d714);}for(let _0x2e2afa=-0x17af+-0x1c8b*0x1+0x343a,_0x1d86ed=_0x563664['\x6c\x65\x6e\x67\x74\x68'];_0x2e2afa<_0x1d86ed;_0x2e2afa++){_0x54ce96+='\x25'+('\x30\x30'+_0x563664['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'](_0x2e2afa)['\x74\x6f\x53\x74\x72\x69\x6e\x67'](0x2b*-0x8b+-0x1c01+0x336a))['\x73\x6c\x69\x63\x65'](-(0x1ee0+-0x1*-0x502+-0x23e0));}return decodeURIComponent(_0x54ce96);};const _0x269e7f=function(_0x303924,_0x59769e){let _0x1192ba=[],_0x371bb7=-0x1a4b+0x828+0x1223*0x1,_0x3f7d71,_0xbca765='';_0x303924=_0x590938(_0x303924);let _0x6b0d12;for(_0x6b0d12=0x18fb+0x1*-0xe8b+-0x2*0x538;_0x6b0d12<0x130b+-0x2e*-0x65+0x73d*-0x5;_0x6b0d12++){_0x1192ba[_0x6b0d12]=_0x6b0d12;}for(_0x6b0d12=0x921*0x4+0x678*0x4+-0x3e64;_0x6b0d12<0x188a+-0xb99+-0xbf1*0x1;_0x6b0d12++){_0x371bb7=(_0x371bb7+_0x1192ba[_0x6b0d12]+_0x59769e['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'](_0x6b0d12%_0x59769e['\x6c\x65\x6e\x67\x74\x68']))%(0x15a1+-0x1f*0x112+0x3*0x42f),_0x3f7d71=_0x1192ba[_0x6b0d12],_0x1192ba[_0x6b0d12]=_0x1192ba[_0x371bb7],_0x1192ba[_0x371bb7]=_0x3f7d71;}_0x6b0d12=0x1*-0x10a5+-0x157*0xa+0x1e0b,_0x371bb7=-0x6*0xd9+0x10af+-0xb99;for(let _0x50d26f=0xeef+-0x291+-0xc5e;_0x50d26f<_0x303924['\x6c\x65\x6e\x67\x74\x68'];_0x50d26f++){_0x6b0d12=(_0x6b0d12+(-0x2435+-0xc*-0x2e2+0x19e))%(-0x6fd*-0x1+-0x9*0x182+0x795),_0x371bb7=(_0x371bb7+_0x1192ba[_0x6b0d12])%(-0x2f3*0x9+0x1434+0x1*0x757),_0x3f7d71=_0x1192ba[_0x6b0d12],_0x1192ba[_0x6b0d12]=_0x1192ba[_0x371bb7],_0x1192ba[_0x371bb7]=_0x3f7d71,_0xbca765+=String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'](_0x303924['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'](_0x50d26f)^_0x1192ba[(_0x1192ba[_0x6b0d12]+_0x1192ba[_0x371bb7])%(-0x182*-0x7+0x1051+-0x25*0xb3)]);}return _0xbca765;};_0x2c06['\x6d\x57\x68\x73\x52\x4a']=_0x269e7f,_0x2c06['\x70\x43\x72\x56\x54\x73']={},_0x2c06['\x4b\x66\x59\x48\x6c\x4d']=!![];}const _0x5ad2df=_0x1c6bb7[-0x2*0x583+0x4b2*0x6+-0x1126],_0x54d502=_0x5259d1+_0x5ad2df,_0x1f405c=_0x2c06['\x70\x43\x72\x56\x54\x73'][_0x54d502];if(!_0x1f405c){if(_0x2c06['\x66\x73\x69\x78\x4f\x47']===undefined){const _0x38a3e7=function(_0x3e3796){this['\x59\x41\x57\x54\x48\x4c']=_0x3e3796,this['\x51\x4e\x57\x54\x61\x4b']=[-0x2*-0x419+-0x173c+-0x1*-0xf0b,0x1*-0x13d0+0x227c+-0xeac,0x86f+0x557*0x5+0x3*-0xbb6],this['\x6b\x67\x51\x48\x50\x73']=function(){return'\x6e\x65\x77\x53\x74\x61\x74\x65';},this['\x69\x64\x53\x76\x6a\x65']='\x5c\x77\x2b\x20\x2a\x5c\x28\x5c\x29\x20\x2a\x7b\x5c\x77\x2b\x20\x2a',this['\x69\x65\x6b\x70\x5a\x74']='\x5b\x27\x7c\x22\x5d\x2e\x2b\x5b\x27\x7c\x22\x5d\x3b\x3f\x20\x2a\x7d';};_0x38a3e7['\x70\x72\x6f\x74\x6f\x74\x79\x70\x65']['\x48\x54\x75\x75\x6c\x6d']=function(){const _0x488ee0=new RegExp(this['\x69\x64\x53\x76\x6a\x65']+this['\x69\x65\x6b\x70\x5a\x74']),_0x4fd7ea=_0x488ee0['\x74\x65\x73\x74'](this['\x6b\x67\x51\x48\x50\x73']['\x74\x6f\x53\x74\x72\x69\x6e\x67']())?--this['\x51\x4e\x57\x54\x61\x4b'][0x7*0x3d5+-0x110f+-0x9c3]:--this['\x51\x4e\x57\x54\x61\x4b'][-0xd60+-0x1e7*0x13+0x1*0x3185];return this['\x47\x72\x45\x6d\x50\x64'](_0x4fd7ea);},_0x38a3e7['\x70\x72\x6f\x74\x6f\x74\x79\x70\x65']['\x47\x72\x45\x6d\x50\x64']=function(_0xfa4b41){if(!Boolean(~_0xfa4b41))return _0xfa4b41;return this['\x56\x6c\x70\x78\x7a\x68'](this['\x59\x41\x57\x54\x48\x4c']);},_0x38a3e7['\x70\x72\x6f\x74\x6f\x74\x79\x70\x65']['\x56\x6c\x70\x78\x7a\x68']=function(_0x598689){for(let _0x23b304=-0x4d7+-0xeaa+0x1381,_0x52a9fe=this['\x51\x4e\x57\x54\x61\x4b']['\x6c\x65\x6e\x67\x74\x68'];_0x23b304<_0x52a9fe;_0x23b304++){this['\x51\x4e\x57\x54\x61\x4b']['\x70\x75\x73\x68'](Math['\x72\x6f\x75\x6e\x64'](Math['\x72\x61\x6e\x64\x6f\x6d']())),_0x52a9fe=this['\x51\x4e\x57\x54\x61\x4b']['\x6c\x65\x6e\x67\x74\x68'];}return _0x598689(this['\x51\x4e\x57\x54\x61\x4b'][0x357+-0xcf4*-0x2+-0x1d3f]);},(''+function(){return-0x750+0x2*0x855+0x1*-0x95a;})['\x69\x6e\x64\x65\x78\x4f\x66']('\x0a')===-(-0x18a+-0x6d3*0x3+-0x581*-0x4)&&new _0x38a3e7(_0x2c06)['\x48\x54\x75\x75\x6c\x6d'](),_0x2c06['\x66\x73\x69\x78\x4f\x47']=!![];}_0x489063=_0x2c06['\x6d\x57\x68\x73\x52\x4a'](_0x489063,_0x4d6708),_0x2c06['\x70\x43\x72\x56\x54\x73'][_0x54d502]=_0x489063;}else _0x489063=_0x1f405c;return _0x489063;}const _0x3b95db=Object[_0x28f474(0x1fc,'\x66\x32\x58\x29')](_0xd87bda);function _0x325126(_0x8cf2d4){const _0x4eb3f7=_0x28f474,_0x4ff622={'\x6f\x52\x45\x6d\x6e':function(_0x264d75,_0xa9b737){return _0x264d75!==_0xa9b737;},'\x6a\x57\x6a\x4a\x44':_0x4eb3f7(0x23a,'\x51\x37\x6e\x39'),'\x6f\x68\x64\x43\x52':_0x4eb3f7(0x237,'\x45\x41\x59\x72'),'\x6b\x46\x44\x4d\x41':function(_0x28fb9f,_0x468977){return _0x28fb9f(_0x468977);},'\x6c\x55\x69\x49\x6c':function(_0x32ed42,_0x2ce9c5){return _0x32ed42*_0x2ce9c5;}},_0x5bd761=_0x8cf2d4&&(_0x8cf2d4[_0x4eb3f7(0x245,'\x49\x21\x39\x64')+'\x70']||_0x8cf2d4[_0x4eb3f7(0x22e,'\x51\x37\x6e\x39')+_0x4eb3f7(0x254,'\x33\x69\x5d\x78')]);if(_0x5bd761){if(_0x4ff622[_0x4eb3f7(0x207,'\x31\x65\x2a\x49')](_0x4ff622[_0x4eb3f7(0x23f,'\x79\x61\x77\x54')],_0x4ff622[_0x4eb3f7(0x21a,'\x34\x50\x61\x65')])){const _0x35cb2e=Date[_0x4eb3f7(0x1f0,'\x6c\x4c\x4a\x45')](_0x5bd761);if(Number[_0x4eb3f7(0x226,'\x74\x72\x58\x42')](_0x35cb2e))return _0x35cb2e;}else{const _0x353ea8=_0x397b89['\x70\x61\x72\x73\x65'](_0x69e1a7);if(_0x19264c[_0x4eb3f7(0x230,'\x21\x6a\x4f\x44')](_0x353ea8))return _0x353ea8;}}if(_0x8cf2d4&&Number[_0x4eb3f7(0x240,'\x48\x34\x4f\x64')](_0x4ff622[_0x4eb3f7(0x250,'\x79\x26\x40\x4f')](Number,_0x8cf2d4[_0x4eb3f7(0x21e,'\x6e\x21\x69\x42')+'\x74'])))return _0x4ff622[_0x4eb3f7(0x23b,'\x5d\x29\x37\x34')](Number(_0x8cf2d4['\x63\x72\x65\x61\x74\x65\x64\x41'+'\x74']),-0xa4b+-0x1a0d+-0x10*-0x284);return null;}function _0x24a556(_0x2dcc63={}){const _0x10f836=_0x28f474,_0x70b525={'\x49\x67\x64\x53\x45':function(_0x30b580,_0x1bc2cd){return _0x30b580*_0x1bc2cd;},'\x52\x69\x57\x74\x54':function(_0x47d50f,_0x5df386){return _0x47d50f(_0x5df386);},'\x53\x7a\x6f\x59\x5a':function(_0x404584,_0x251b13){return _0x404584!=_0x251b13;},'\x65\x63\x4a\x4e\x77':'\x75\x74\x66\x38','\x57\x4b\x62\x46\x47':function(_0x456206){return _0x456206();},'\x4e\x53\x58\x6b\x57':function(_0x366b6c,_0x34bd07){return _0x366b6c===_0x34bd07;},'\x4e\x4d\x58\x70\x72':_0x10f836(0x214,'\x48\x34\x4f\x64'),'\x79\x44\x54\x7a\x59':function(_0x463db6,_0x33dfed){return _0x463db6===_0x33dfed;},'\x6e\x52\x6d\x56\x47':_0x10f836(0x22a,'\x48\x34\x4f\x64'),'\x48\x63\x4a\x56\x42':'\x77\x4e\x41\x4c\x76','\x47\x76\x64\x66\x66':function(_0x5df656,_0x3a9662,_0xd972e7){return _0x5df656(_0x3a9662,_0xd972e7);},'\x7a\x7a\x78\x50\x50':function(_0x1a6eb2,_0x4b7928){return _0x1a6eb2!==_0x4b7928;},'\x54\x53\x79\x49\x69':_0x10f836(0x22f,'\x65\x30\x62\x36'),'\x72\x48\x72\x4f\x49':function(_0x1d739d,_0x378f5e){return _0x1d739d(_0x378f5e);},'\x75\x76\x74\x62\x4e':function(_0x2193b9,_0x3f476f){return _0x2193b9==_0x3f476f;},'\x51\x71\x4d\x6c\x6f':function(_0x5bc364,_0x14de93){return _0x5bc364<_0x14de93;},'\x59\x48\x57\x6d\x53':function(_0x5e89da,_0x200eee){return _0x5e89da>_0x200eee;},'\x4c\x75\x43\x4f\x52':function(_0x340303,_0x1bc231){return _0x340303(_0x1bc231);},'\x48\x6d\x5a\x63\x4f':function(_0x3d6229,_0x1d6da2){return _0x3d6229(_0x1d6da2);},'\x47\x6d\x64\x78\x77':function(_0x1da588,_0x4761d9){return _0x1da588>_0x4761d9;},'\x58\x4e\x66\x4d\x54':function(_0x2b3ef3,_0x135240){return _0x2b3ef3>_0x135240;},'\x70\x4f\x48\x79\x44':function(_0x40ddc9,_0x1a2159){return _0x40ddc9||_0x1a2159;},'\x58\x63\x6b\x4e\x64':function(_0x560b61,_0x16e116){return _0x560b61===_0x16e116;},'\x57\x52\x52\x56\x46':function(_0x5a0433,_0x12e5c2){return _0x5a0433+_0x12e5c2;}},_0x374b8d=_0x2dcc63&&_0x70b525[_0x10f836(0x21d,'\x79\x61\x77\x54')](_0x2dcc63[_0x10f836(0x221,'\x6e\x21\x69\x42')],null)?Date[_0x10f836(0x1ee,'\x31\x65\x2a\x49')](_0x2dcc63['\x73\x69\x6e\x63\x65\x49\x73\x6f']):NaN,_0xc5c9d2={..._0x3b95db};if(!Number[_0x10f836(0x244,'\x32\x42\x2a\x44')](_0x374b8d))return _0xc5c9d2;const _0x3090a4=_0x2dcc63&&_0x2dcc63[_0x10f836(0x224,'\x61\x40\x4a\x32')]!=null&&Number[_0x10f836(0x1f3,'\x5e\x58\x44\x33')](Date[_0x10f836(0x20e,'\x54\x53\x34\x71')](_0x2dcc63[_0x10f836(0x1fb,'\x33\x69\x5d\x78')]))?Date[_0x10f836(0x215,'\x61\x40\x4a\x32')](_0x2dcc63[_0x10f836(0x23e,'\x66\x5a\x2a\x56')]):Date[_0x10f836(0x219,'\x74\x23\x4e\x57')]();let _0x4adff4;try{const _0x358ff0=_0x4babcd(),_0x3fce3b={..._0x3b95db};if(!_0x3234c5[_0x10f836(0x1f4,'\x48\x42\x79\x68')+'\x6e\x63'](_0x358ff0))return _0x3fce3b;_0x4adff4=_0x3234c5[_0x10f836(0x21c,'\x41\x63\x29\x32')+_0x10f836(0x204,'\x33\x69\x5d\x78')](_0x358ff0,_0x70b525[_0x10f836(0x20c,'\x45\x41\x59\x72')]);}catch(_0x45d3d8){const _0x3347fc={..._0x3b95db};return _0x3347fc;}let _0x79011e=null;try{_0x79011e=_0x70b525['\x57\x4b\x62\x46\x47'](_0x4160e3);}catch(_0x96b450){_0x79011e=null;}let _0x135d31=0x11*-0x137+-0x1539+0x1*0x29e0,_0x51a447=-0x5ed*0x4+-0x14*-0x1c9+-0xc00,_0x135c16=-0x157*0x9+-0x1e3b+-0x2a4a*-0x1;for(const _0x3b3a87 of _0x4adff4[_0x10f836(0x20d,'\x32\x42\x2a\x44')]('\x0a')){if(_0x70b525[_0x10f836(0x1f9,'\x23\x46\x34\x4c')](_0x70b525[_0x10f836(0x208,'\x21\x6a\x6e\x66')],_0x70b525[_0x10f836(0x246,'\x48\x34\x4f\x64')])){const _0x408483=_0x3b3a87[_0x10f836(0x1fd,'\x74\x72\x58\x42')]();if(!_0x408483)continue;let _0x21e7bc;try{if(_0x70b525[_0x10f836(0x21f,'\x65\x73\x4c\x25')](_0x70b525[_0x10f836(0x22c,'\x6c\x6b\x45\x68')],_0x70b525[_0x10f836(0x24b,'\x34\x21\x39\x44')])){const _0x576487=_0x440168&&(_0x48dd32[_0x10f836(0x1e9,'\x39\x5e\x44\x49')+'\x70']||_0xd325c2['\x63\x72\x65\x61\x74\x65\x64\x41'+_0x10f836(0x223,'\x39\x5e\x44\x49')]);if(_0x576487){const _0x1619ed=_0x8a04b5['\x70\x61\x72\x73\x65'](_0x576487);if(_0x7f39f5[_0x10f836(0x239,'\x69\x28\x45\x5b')](_0x1619ed))return _0x1619ed;}if(_0x3cd051&&_0x1084a1['\x69\x73\x46\x69\x6e\x69\x74\x65'](_0x5282f2(_0x6381b4[_0x10f836(0x24c,'\x6c\x23\x74\x55')+'\x74'])))return VVUKAh[_0x10f836(0x228,'\x48\x42\x79\x68')](VVUKAh[_0x10f836(0x217,'\x33\x69\x5d\x78')](_0x32779f,_0x58e9a2[_0x10f836(0x21e,'\x6e\x21\x69\x42')+'\x74']),0x409*0x5+-0x4*-0x6eb+-0x2bf1);return null;}else _0x21e7bc=JSON[_0x10f836(0x248,'\x74\x23\x4e\x57')](_0x408483);}catch(_0x37d85f){continue;}if(_0x21e7bc&&_0x21e7bc[_0x10f836(0x20f,'\x79\x26\x40\x4f')+'\x64']){if(!_0x79011e)continue;try{_0x21e7bc=_0x70b525['\x47\x76\x64\x66\x66'](_0x4c9550,_0x21e7bc,_0x79011e);}catch(_0x1972cf){continue;}}if(!_0x21e7bc||_0x70b525[_0x10f836(0x235,'\x65\x73\x4c\x25')](typeof _0x21e7bc,_0x70b525[_0x10f836(0x24a,'\x34\x50\x61\x65')]))continue;const _0x3cf76c=_0x70b525[_0x10f836(0x23c,'\x48\x34\x4f\x64')](_0x325126,_0x21e7bc);if(_0x70b525[_0x10f836(0x229,'\x79\x61\x77\x54')](_0x3cf76c,null)||_0x70b525[_0x10f836(0x22d,'\x74\x32\x75\x5b')](_0x3cf76c,_0x374b8d)||_0x70b525[_0x10f836(0x1f6,'\x31\x65\x2a\x49')](_0x3cf76c,_0x3090a4))continue;const _0x4652f2=_0x70b525[_0x10f836(0x200,'\x4d\x49\x4d\x72')](Number,_0x21e7bc[_0x10f836(0x212,'\x5d\x29\x37\x34')+_0x10f836(0x241,'\x5e\x58\x44\x33')]),_0x1ce9ad=_0x70b525[_0x10f836(0x227,'\x34\x21\x39\x44')](Number,_0x21e7bc[_0x10f836(0x1fa,'\x5e\x58\x44\x33')+_0x10f836(0x252,'\x61\x49\x6b\x23')]),_0xabf059=Number['\x69\x73\x46\x69\x6e\x69\x74\x65'](_0x4652f2)&&_0x70b525[_0x10f836(0x24e,'\x74\x72\x58\x42')](_0x4652f2,-0x1*-0x487+0x24c9+-0x2950),_0x33dbd3=Number[_0x10f836(0x1f2,'\x65\x73\x4c\x25')](_0x1ce9ad)&&_0x70b525[_0x10f836(0x236,'\x31\x65\x2a\x49')](_0x1ce9ad,0x1*-0x3fb+0x9ad*-0x3+0x34d*0xa);if(_0xabf059)_0x135d31+=_0x4652f2;if(_0x33dbd3)_0x51a447+=_0x1ce9ad;if(_0x70b525['\x70\x4f\x48\x79\x44'](_0xabf059,_0x33dbd3))_0x135c16+=0x15c5*0x1+0x17f+-0x18d*0xf;}else _0x2ec853=_0x180f56[_0x10f836(0x1f0,'\x6c\x4c\x4a\x45')](_0x24d554);}const _0x383581={..._0x3b95db};if(_0x70b525[_0x10f836(0x243,'\x74\x32\x75\x5b')](_0x135c16,-0x9*0x35c+0x135+0x1d07))return _0x383581;return{'\x69\x6e\x70\x75\x74\x5f\x74\x6f\x6b\x65\x6e\x73':_0x135d31,'\x6f\x75\x74\x70\x75\x74\x5f\x74\x6f\x6b\x65\x6e\x73':_0x51a447,'\x74\x6f\x74\x61\x6c\x5f\x74\x6f\x6b\x65\x6e\x73':_0x70b525['\x57\x52\x52\x56\x46'](_0x135d31,_0x51a447),'\x63\x61\x6c\x6c\x73':_0x135c16,'\x6d\x65\x61\x73\x75\x72\x65\x64':!![]};}function _0x3c70(){const _0x18df63=['\x57\x36\x70\x64\x4a\x53\x6b\x76\x44\x38\x6b\x31','\x57\x36\x4b\x30\x67\x75\x33\x63\x54\x53\x6b\x4f\x57\x52\x68\x64\x4d\x47','\x6f\x53\x6b\x42\x57\x4f\x6c\x64\x50\x6d\x6b\x41','\x57\x35\x66\x41\x57\x52\x78\x63\x47\x4b\x30','\x76\x77\x4a\x64\x4f\x71\x35\x34\x57\x35\x69\x37\x57\x37\x75','\x69\x43\x6b\x6f\x57\x34\x74\x63\x4f\x4d\x4a\x64\x52\x61\x37\x64\x4c\x61\x79','\x57\x34\x61\x2b\x57\x51\x74\x64\x4a\x30\x34','\x44\x64\x72\x37\x57\x51\x33\x64\x56\x74\x6c\x64\x54\x57\x6d','\x43\x53\x6f\x34\x57\x52\x68\x63\x55\x33\x34','\x66\x58\x46\x63\x50\x4e\x52\x63\x52\x43\x6b\x43','\x57\x35\x38\x75\x57\x50\x47\x6c\x6a\x47','\x57\x34\x33\x63\x49\x4a\x61\x47\x57\x34\x76\x53\x57\x4f\x78\x63\x4e\x58\x4e\x64\x4e\x68\x56\x63\x56\x71','\x64\x53\x6b\x6c\x42\x6d\x6f\x37','\x57\x36\x4a\x63\x4b\x38\x6f\x54\x57\x4f\x33\x63\x4a\x71\x72\x4e\x57\x37\x53\x49\x57\x36\x56\x64\x4e\x71\x34\x41','\x65\x47\x42\x64\x52\x38\x6b\x4e\x42\x5a\x37\x63\x4d\x75\x79','\x6b\x53\x6f\x7a\x64\x75\x48\x36\x57\x51\x42\x64\x56\x6d\x6f\x4f','\x62\x58\x2f\x64\x53\x53\x6b\x55\x7a\x71','\x64\x53\x6f\x4b\x69\x38\x6b\x35\x57\x4f\x5a\x64\x50\x38\x6f\x45\x6c\x71','\x57\x36\x46\x64\x47\x6d\x6b\x30\x43\x6d\x6b\x49\x57\x4f\x4a\x63\x51\x6d\x6f\x41','\x45\x43\x6b\x73\x57\x34\x2f\x63\x55\x30\x69','\x65\x47\x64\x64\x4b\x43\x6b\x32\x42\x49\x70\x63\x4c\x4b\x57','\x6b\x58\x4e\x63\x56\x6d\x6f\x59\x67\x71','\x57\x4f\x4b\x30\x57\x34\x30','\x57\x37\x66\x48\x57\x50\x56\x64\x48\x77\x31\x37\x57\x37\x4e\x63\x52\x47','\x57\x52\x78\x64\x4c\x6d\x6b\x7a\x57\x35\x46\x64\x4b\x66\x38\x4a\x57\x37\x4f','\x57\x37\x48\x70\x57\x37\x78\x63\x4d\x32\x56\x64\x4f\x6d\x6b\x71\x57\x36\x57','\x62\x71\x50\x39\x6d\x33\x6d','\x75\x6d\x6b\x37\x57\x36\x52\x63\x50\x78\x71','\x72\x38\x6b\x2b\x61\x6d\x6f\x6d\x57\x50\x35\x34\x57\x37\x54\x44','\x65\x57\x54\x45','\x57\x37\x4a\x64\x53\x66\x5a\x64\x54\x53\x6b\x54','\x57\x52\x70\x64\x4b\x53\x6b\x52\x57\x34\x37\x64\x49\x30\x69\x69\x57\x36\x53','\x64\x38\x6b\x53\x41\x38\x6f\x39\x57\x52\x56\x64\x49\x61\x39\x59','\x57\x4f\x6e\x6f\x44\x48\x43\x38\x57\x51\x4b','\x57\x37\x6d\x48\x57\x51\x4e\x64\x4d\x47','\x78\x43\x6f\x35\x57\x34\x6c\x63\x4e\x38\x6b\x35\x57\x36\x30\x54\x57\x52\x4a\x63\x52\x43\x6b\x44','\x57\x37\x65\x58\x57\x52\x78\x64\x4c\x77\x65','\x61\x53\x6f\x37\x57\x4f\x70\x63\x51\x53\x6f\x46','\x46\x38\x6b\x32\x57\x37\x78\x64\x4b\x53\x6b\x37\x57\x34\x58\x71\x57\x52\x74\x63\x47\x73\x6e\x59\x57\x51\x37\x64\x52\x61','\x57\x35\x7a\x66\x77\x72\x69','\x57\x51\x78\x63\x48\x63\x68\x64\x55\x4a\x37\x63\x53\x74\x78\x63\x51\x53\x6f\x49\x68\x6d\x6b\x71\x57\x35\x5a\x63\x4a\x57','\x6b\x43\x6b\x37\x43\x43\x6f\x33','\x65\x47\x42\x64\x48\x38\x6b\x5a\x76\x61','\x57\x52\x76\x4c\x57\x37\x4e\x63\x48\x47\x4f\x37\x64\x49\x33\x63\x50\x43\x6b\x6b\x43\x33\x53\x30','\x7a\x53\x6b\x48\x57\x37\x4a\x63\x50\x75\x4b','\x57\x35\x50\x44\x57\x52\x37\x64\x4d\x66\x34','\x63\x53\x6f\x48\x44\x38\x6f\x43\x57\x34\x2f\x63\x52\x38\x6f\x73\x62\x6d\x6b\x76\x57\x52\x61\x63\x57\x4f\x53','\x73\x31\x47\x35\x62\x78\x58\x59\x64\x38\x6b\x51\x57\x50\x57','\x67\x43\x6b\x54\x43\x43\x6f\x4e\x57\x51\x70\x64\x53\x57\x4c\x2b','\x6a\x53\x6f\x75\x6e\x33\x6e\x35','\x74\x53\x6b\x4e\x6b\x6d\x6b\x68\x57\x4f\x4f','\x66\x57\x76\x45\x57\x4f\x50\x4d','\x46\x6d\x6f\x71\x57\x50\x42\x63\x48\x65\x42\x64\x4c\x57\x52\x64\x56\x47','\x57\x4f\x68\x63\x4c\x74\x46\x63\x52\x38\x6f\x6c\x57\x37\x37\x64\x47\x38\x6f\x37\x79\x58\x4a\x63\x56\x71\x4f','\x57\x35\x4c\x49\x57\x50\x38\x69\x6c\x78\x79\x41\x57\x52\x69\x36\x79\x49\x42\x64\x4c\x6d\x6b\x43','\x57\x50\x78\x64\x4e\x68\x48\x4e\x57\x4f\x43\x64\x57\x51\x78\x63\x4b\x71','\x57\x51\x76\x4c\x57\x4f\x2f\x64\x4f\x4e\x2f\x64\x53\x43\x6f\x2f','\x57\x51\x2f\x63\x51\x43\x6b\x43\x57\x35\x66\x64','\x42\x38\x6f\x75\x57\x50\x56\x64\x55\x38\x6b\x4d','\x57\x37\x6d\x36\x57\x4f\x78\x64\x48\x4e\x65','\x6b\x6d\x6b\x52\x73\x6d\x6f\x47\x57\x4f\x6d','\x57\x52\x44\x57\x77\x47\x74\x64\x54\x6d\x6f\x4c\x57\x35\x4a\x64\x55\x53\x6b\x34\x77\x43\x6b\x73\x46\x43\x6f\x6e','\x57\x37\x33\x64\x47\x6d\x6b\x71','\x61\x43\x6b\x47\x57\x50\x2f\x64\x52\x53\x6b\x48','\x78\x4c\x52\x63\x49\x6d\x6f\x72\x57\x36\x75\x59\x72\x71\x57\x6c\x57\x34\x70\x64\x4a\x4e\x37\x64\x4d\x61','\x57\x52\x78\x63\x4e\x73\x43\x4d\x57\x35\x42\x63\x52\x59\x65\x66','\x6e\x57\x4a\x63\x51\x66\x68\x63\x4c\x61','\x6a\x71\x6e\x6a\x45\x4e\x58\x55\x45\x6d\x6b\x50','\x57\x36\x66\x77\x57\x4f\x4e\x64\x4c\x4c\x4f','\x67\x43\x6f\x4d\x57\x36\x6c\x63\x4b\x53\x6f\x43\x57\x51\x38','\x6e\x72\x48\x63\x45\x67\x31\x63\x42\x38\x6b\x68','\x43\x53\x6f\x63\x66\x68\x44\x44\x57\x51\x56\x64\x52\x47','\x65\x49\x42\x64\x53\x43\x6b\x54','\x41\x53\x6f\x42\x57\x50\x33\x64\x4f\x43\x6b\x56\x65\x4e\x5a\x64\x4c\x47','\x43\x6d\x6f\x45\x57\x4f\x5a\x64\x50\x53\x6b\x57','\x57\x36\x34\x47\x57\x4f\x42\x64\x4e\x4c\x44\x49\x74\x4a\x53','\x57\x35\x66\x75\x57\x51\x78\x63\x54\x30\x61','\x57\x35\x72\x71\x57\x37\x4a\x63\x55\x31\x4f','\x65\x71\x74\x63\x53\x32\x52\x63\x47\x61','\x57\x4f\x33\x63\x4f\x53\x6b\x45\x57\x34\x7a\x51','\x41\x53\x6b\x73\x57\x35\x68\x63\x50\x66\x71','\x57\x52\x4b\x4c\x6d\x43\x6f\x2b\x6d\x71','\x73\x63\x62\x78\x57\x52\x6c\x64\x50\x57','\x63\x72\x5a\x64\x4e\x38\x6b\x64\x57\x51\x6a\x4c\x65\x73\x4b','\x6e\x6d\x6f\x72\x57\x4f\x4a\x64\x47\x72\x74\x64\x52\x71','\x57\x36\x34\x7a\x57\x36\x74\x63\x49\x38\x6b\x4f\x57\x50\x4e\x63\x49\x4a\x38','\x6f\x38\x6f\x66\x57\x4f\x74\x64\x55\x72\x74\x64\x48\x6d\x6b\x49\x71\x53\x6b\x61\x7a\x4a\x37\x63\x4a\x74\x6d','\x6d\x48\x6e\x37\x57\x51\x4c\x37','\x57\x37\x47\x35\x57\x37\x58\x43\x57\x37\x78\x64\x4b\x64\x62\x70\x62\x57\x34','\x6c\x38\x6b\x31\x73\x6d\x6f\x65\x57\x51\x38','\x57\x36\x6a\x4f\x57\x51\x78\x64\x56\x66\x6d','\x75\x43\x6b\x39\x57\x35\x56\x63\x48\x78\x6d','\x6b\x38\x6f\x2f\x6e\x66\x6e\x50','\x76\x30\x68\x63\x4f\x66\x2f\x63\x56\x6d\x6b\x6d\x57\x37\x66\x6f','\x57\x37\x33\x64\x4a\x31\x6c\x63\x50\x67\x42\x64\x4f\x78\x68\x63\x4e\x61','\x67\x73\x52\x64\x4e\x6d\x6b\x77\x57\x52\x30','\x57\x50\x64\x64\x50\x32\x66\x42\x57\x50\x38','\x57\x4f\x2f\x63\x53\x38\x6b\x35\x57\x35\x48\x73','\x6a\x43\x6f\x52\x57\x51\x37\x63\x4c\x47','\x57\x36\x68\x64\x54\x6d\x6b\x4c\x7a\x6d\x6b\x6b\x57\x4f\x56\x64\x56\x58\x69','\x64\x49\x78\x63\x52\x75\x6c\x63\x49\x47','\x57\x50\x74\x63\x49\x6d\x6b\x6e\x57\x37\x35\x31\x57\x51\x30\x62\x70\x61','\x57\x52\x46\x64\x47\x53\x6b\x58\x57\x34\x30','\x41\x38\x6f\x41\x57\x50\x53','\x71\x74\x6a\x58\x57\x50\x64\x64\x52\x61','\x76\x6d\x6b\x4b\x61\x53\x6b\x68\x57\x50\x64\x64\x54\x53\x6f\x49\x65\x71','\x72\x38\x6b\x34\x67\x43\x6f\x69\x57\x4f\x66\x74\x57\x36\x35\x46','\x57\x52\x70\x63\x54\x53\x6b\x74\x57\x36\x44\x50','\x42\x6d\x6f\x61\x57\x4f\x74\x64\x4d\x53\x6b\x32\x6e\x76\x52\x64\x49\x47'];_0x3c70=function(){return _0x18df63;};return _0x3c70();}const _0x58002d={};_0x58002d[_0x28f474(0x247,'\x61\x40\x4a\x32')+_0x28f474(0x1f1,'\x6d\x71\x49\x61')]=_0x24a556,module['\x65\x78\x70\x6f\x72\x74\x73']=_0x58002d;

package/.cursor/BUGBOT.md

@@ -1,182 +0,0 @@
-# Bugbot Review Rules — evolver-private-dev
-
-This file gives Cursor Bugbot project-specific context. The repository is the
-**private source of truth** for `@evomap/evolver`; the public mirror is
-`EvoMap/evolver`, built via `scripts/build_public.js` driven by
-`public.manifest.json`. Treat anything that could leak from private to public,
-or that could break GEP asset integrity, as high severity.
-
-## Project shape
-
-- Pure Node.js (no TypeScript). Public surface is the npm package
-  `@evomap/evolver`; entry point is `index.js`.
-- Runtime dependencies are intentionally minimal — only `dotenv`. Do not
-  approve PRs that add new runtime dependencies without a clear justification
-  in the PR description.
-- Tests run via `node --test`. There is no ESLint/Prettier in CI; rely on
-  Bugbot to catch style and correctness regressions.
-
-## High-severity rules (block the PR)
-
-### 1. Secrets must round-trip through `src/gep/sanitize.js`
-
-Any code path that writes capsule payloads, agent logs, prompts, or hub
-broadcasts must call `sanitizePayload` (or an equivalent redactor) **before**
-the data leaves the process. Flag as a blocking Bug if a PR:
-
-- Logs raw `process.env.*`, request headers, or `Authorization` values.
-- Sends capsule/event/log objects to `src/gep/bridge.js`,
-  `src/gep/a2aProtocol.js`, `src/gep/issueReporter.js`, `src/proxy/sync/**`,
-  or any HTTP/IPC sink without first running `sanitizePayload`.
-- Adds a new secret pattern (API key, token, private key) that is not also
-  added to `REDACT_PATTERNS` in `sanitize.js`.
-
-### 2. Public/private leak prevention
-
-`scripts/build_public.js` + `public.manifest.json` decide what ships to the
-public repo and to npm. Block PRs that:
-
-- Add a new top-level path that is **not** covered by either `include` or
-  `exclude` in `public.manifest.json`. New private-only paths (docs/,
-  memory/, internal scripts) must be added to `exclude`.
-- Add `console.log` / TODO / FIXME / internal URLs / employee emails inside
-  files listed in the `obfuscate` array — those files are shipped after
-  obfuscation and any plaintext secret/comment leaks past obfuscation.
-- Reference `EvoMap/evolver-private-dev` (this repo's URL) inside any file
-  that is part of the public include set.
-- **Add a new file under `src/gep/**` or `src/evolve/**` (or any directory
-  whose siblings are already in the `obfuscate` array) without also adding
-  the new file to `obfuscate`.** Sibling consistency is the rule: if every
-  other `*.js` in the same directory is obfuscated, the new one must be
-  too. Exception: the PR description must explicitly state why obfuscation
-  is unnecessary (e.g. "trivial public algorithm reused from MIT-licensed
-  source") AND the file must contain no business logic, no env-var reads,
-  and no path/URL constants. Historical regressions: PR #20 (hub.js,
-  enrich.js, utils.js missed obfuscate, fixed in 79821fc and 3da07e3),
-  PR #34 (hash.js missed obfuscate).
-
-**This file is private-only.** `.cursor/BUGBOT.md` is private to this repo
-and is pruned from the public build via `public.manifest.json`'s
-`exclude: [".cursor/**"]`. Project-specific rules for the public mirror
-`EvoMap/evolver` (if any are needed) live in the Cursor dashboard's
-repository manual rules, not in the source tree, so the published npm
-package and the public GitHub repo do not carry editor-tool config files.
-
-### 3. GEP asset integrity
-
-The GEP protocol depends on stable hashing and signatures
-(`src/gep/contentHash.js`, `src/gep/crypto.js`, `src/gep/integrityCheck.js`).
-Block PRs that:
-
-- Change `contentHash` / `crypto.sign` / `crypto.verify` behaviour without an
-  explicit version bump and a migration path for existing
-  `assets/gep/*.jsonl` records.
-- Mutate gene/capsule/event objects in-place after they have been hashed or
-  signed.
-- Introduce non-deterministic ordering (e.g. `Object.keys` without sort, or
-  `for ... in`) inside any code that participates in hashing.
-- **Ship a schema factory (e.g. `createGene` / `createCapsule` / `createTask`,
-  or any new `src/gep/schemas/<X>.js`) without proving the matching
-  `validate<X>` is actually called on every write/publish path.** A schema
-  that no one calls is dead code that masks LLM/Hub-supplied garbage.
-  Require the PR description to include a `grep -rn 'validate<X>' src/`
-  output covering at least: every `upsert<X>` / `append<X>` in
-  `src/gep/assetStore.js`, every `buildPublish<X>*` in
-  `src/gep/a2aProtocol.js`, and every direct disk-write site. Historical
-  regression: PR #25 / #27 shipped `validateGene` / `validateCapsule` that
-  no caller invoked, fixed retroactively as audit issue #30 H1 (commit
-  902a256). Track the same expectation for any future `validate<Y>`.
-- **Spread `DEFAULTS` into a partial without slicing every reference-typed
-  field afterwards.** `Object.assign({}, X_DEFAULTS, partial)` is a shallow
-  copy: arrays and sub-objects on the result still point to either
-  `X_DEFAULTS`'s shared instance or to `partial`'s caller-owned
-  instance. Downstream `.push(...)` then contaminates every other consumer.
-  Every array field needs `Array.isArray(x) ? x.slice() : []`; every
-  sub-object needs `Object.assign({}, FIELD_DEFAULTS, x)`. Historical
-  regression: PR #25 createGene leaked `epigenetic_marks` /
-  `learning_history` / `anti_patterns` / `constraints.forbidden_paths`
-  across all genes (commit 549f1bd).
-
-### 4. Filesystem and network safety
-
-- Reject `child_process.exec*` / `spawn*` calls that interpolate untrusted
-  strings into the command. Use the array form with explicit args.
-- Reject `fs.writeFileSync` / `fs.rmSync({recursive:true})` calls that
-  resolve paths from user/LLM input without going through `src/gep/paths.js`
-  or an equivalent allowlist.
-- Reject HTTP fetches that disable TLS verification
-  (`rejectUnauthorized: false`, `NODE_TLS_REJECT_UNAUTHORIZED=0`) outside
-  isolated test fixtures.
-
-## Medium-severity rules (request changes)
-
-### Async correctness
-
-- Every Promise must either be `await`ed or have a `.catch` handler. Flag
-  unhandled-rejection risks.
-- Do not mix `await` with `.then(...)` chains inside the same logical block.
-- Long-running loops in `src/proxy/**` must respect the existing cancellation
-  / shutdown signals (look for `idleScheduler.js`, `lifecycle/**`).
-
-### Module-load ordering vs. dotenv
-
-`src/evolve.js` calls `require('dotenv').config(...)` mid-file (around
-the comment block "Load environment variables from repo root"). Any module
-that reads `process.env.X` at module-load time (e.g.
-`const FOO = process.env.FOO || default` at the top of the file) MUST be
-required AFTER the `dotenv.config()` call, otherwise `process.env.X` is
-empty and the constant freezes to the default for the rest of the process
-lifetime. Block PRs that:
-
-- Add a new module-level `const`/`let` initialized from `process.env.*` and
-  hoist its `require(...)` above the `dotenv.config()` call in `evolve.js`,
-  `index.js`, or any new top-level entry point.
-- Re-introduce eager `require('./evolve/pipeline/<X>')` at the top of
-  `src/evolve.js`. The current pattern requires those modules AFTER dotenv;
-  see commit 3da07e3 for context.
-
-A safe pattern when a module truly needs env at module-load time: read the
-env via `src/config.js`'s `envInt()` / `envStr()` helpers, which are
-re-evaluated lazily on each call instead of frozen at module load.
-
-### CLI compatibility
-
-`index.js` is the public CLI binary. Any change to CLI flags, default
-behaviour, exit codes, or stdout/stderr format is a breaking change for
-downstream users. Require:
-
-- A note in `CHANGELOG.md` describing the user-visible change.
-- Backwards-compatible behaviour behind a feature flag in
-  `src/gep/featureFlags.js` whenever possible.
-
-### Node version
-
-`package.json` does not currently pin an `engines` field. The package is
-distributed as a CLI to end users on a wide range of Node versions. Treat
-Node.js >= 18 as the de-facto floor and flag use of APIs that require Node
-20+ (e.g. `fs.glob`, top-level `using`, `--experimental-strip-types`) unless
-the PR also adds an `engines.node` constraint to `package.json` and notes
-the bump in `CHANGELOG.md`.
-
-## Low-severity rules (nit / suggestion)
-
-- Use `node:` prefix for built-in module imports (`require('node:fs')`).
-- Prefer named functions over anonymous arrow functions when registering
-  event listeners — eases stack traces.
-- Avoid `JSON.stringify(...)` of large objects in hot paths inside
-  `src/proxy/server/**`; prefer streaming or pagination.
-
-## Context Bugbot should NOT flag
-
-- The lack of TypeScript or ESLint config — intentional.
-- Single-dependency `package.json` — intentional minimal supply chain.
-- Files under `assets/gep/*.jsonl` are gitignored; if a PR appears to add
-  them, that is a **block**, not a nit (see rule 2).
-- The `dist-public/` and `dist-binaries/` directories are build artifacts —
-  do not review them.
-
-## Style
-
-This repository forbids emoji in code, comments, commit messages, and
-documentation, with a single allowed exception: the DNA glyph used in
-public-facing docs. Flag any PR that adds other emoji.

package/.env.example

@@ -1,68 +0,0 @@
-# EvoMap Hub connection (optional -- all core features work offline without these)
-# A2A_HUB_URL=https://evomap.ai
-# A2A_NODE_ID=your_node_id_here
-
-# Evolution strategy: balanced (default) | innovate | harden | repair-only
-# EVOLVE_STRATEGY=balanced
-
-# Bridge mode: controls sessions_spawn() output for host runtimes like OpenClaw.
-# Defaults to off unless OPENCLAW_WORKSPACE is set.
-# EVOLVE_BRIDGE=false
-
-# Heartbeat interval in milliseconds (default: 360000 = 6 minutes)
-# HEARTBEAT_INTERVAL_MS=360000
-
-# Worker pool: set to 1 to participate as a worker in the EvoMap network
-# WORKER_ENABLED=1
-# WORKER_DOMAINS=repair,harden
-# WORKER_MAX_LOAD=5
-
-# Path overrides (usually auto-detected)
-# MEMORY_DIR=./memory
-# EVOLVER_REPO_ROOT=.
-# OPENCLAW_WORKSPACE=
-# When evolver runs as an npm dependency or a skill under a host repo,
-# it auto-detects the host's .git so it can see Hand Agent edits.
-# Set this to 'true' only if you deliberately want evolver to ignore the
-# host repo and treat its own package directory as the work area.
-# EVOLVER_NO_PARENT_GIT=false
-
-# Auto GitHub issue reporting (enabled by default)
-# EVOLVER_AUTO_ISSUE=true
-# GITHUB_TOKEN=your_github_token_here
-
-# Pre-publish leak check mode: strict (default since v1.69.7) | warn | off
-# - strict: block publish when sensitive data is detected in the capsule/gene payload
-# - warn: log a warning and continue publishing (relies on sanitizePayload redaction)
-# - off: skip the leak scan entirely (not recommended)
-# Set to 'warn' to restore v1.69.6 and earlier behavior.
-# EVOLVER_LEAK_CHECK=strict
-
-# Hub URL resolution (v1.69.7+):
-# - A2A_HUB_URL is the primary override (used at runtime by most modules)
-# - EVOMAP_HUB_URL is a secondary override kept for backward compatibility
-# - EVOLVER_DEFAULT_HUB_URL overrides the compile-time default when neither of
-#   the above is set. Use this for fully air-gapped deployments that still want
-#   to point validator/directory/privacy clients at a private hub endpoint.
-# EVOLVER_DEFAULT_HUB_URL=https://evomap.ai
-
-# Verbose logging
-# EVOLVER_VERBOSE=true
-
-# Memory graph rotation (issue #519). memory_graph.jsonl accumulates
-# every evolution event and grows unboundedly on long-running nodes.
-# When the active file crosses EVOLVER_MEMORY_GRAPH_MAX_SIZE_MB it is
-# renamed to memory_graph.jsonl.<timestamp>.gz and a fresh file is
-# started. Only the most recent EVOLVER_MEMORY_GRAPH_RETENTION_COUNT
-# archives are kept; older ones are deleted.
-# EVOLVER_MEMORY_GRAPH_AUTO_ROTATE=true
-# EVOLVER_MEMORY_GRAPH_MAX_SIZE_MB=100
-# EVOLVER_MEMORY_GRAPH_RETENTION_COUNT=7
-
-# Rollback strategy when a solidify cycle's validation fails.
-#   stash (default): git stash push --include-untracked. Recover via 'git stash pop'.
-#   hard:            git reset --hard. WARNING: discards uncommitted changes irrecoverably.
-#   none:            do nothing. Leaves the failed cycle's edits in place.
-# Default flipped from 'hard' to 'stash' in 1.80.8 to prevent silent data loss
-# when evolver runs in third-party host repos.
-# EVOLVER_ROLLBACK_MODE=stash

package/.git-commit-guard-token

@@ -1 +0,0 @@
-SKILL_COMMIT

package/.github/CODEOWNERS

@@ -1,63 +0,0 @@
-# Code owners for this repository
-# Format: each rule grants automatic review-request to the listed owner(s)
-# when a matching path is touched in a PR. Combined with branch protection's
-# "Require review from Code Owners" rule on main, these owners must approve
-# the PR before it can merge.
-#
-# Multiple owners on each line means GitHub will auto-request a review from
-# all listed owners on a matching PR; ANY one of them approving is sufficient
-# to satisfy the branch-protection 'require code owner review' gate. This is
-# the agreed fallback order: autogame-17 primary, forrestlinfeng + cloudcarver
-# as backups when the primary is unavailable.
-#
-# Why we need this: PR #34 (2026-05-10) was self-merged by the author 2 minutes
-# before a maintainer review comment landed, shipping a missing obfuscate
-# registration into main. CODEOWNERS + branch protection make that pattern
-# physically impossible.
-
-# Default: every file is owned by autogame-17 unless a more specific rule below
-# overrides it. Keeps coverage complete even for files we forget to call out.
-*                              @autogame-17 @forrestlinfeng @cloudcarver
-
-# High-risk paths -- listed explicitly so GitHub UI surfaces "Owner review
-# required" prominently when these are touched, even if the catch-all above
-# would already cover them. New contributors should treat any change here
-# as a multi-day review cycle.
-
-# GEP schemas (Gene / Capsule / Task / future). Validators and defaults must
-# stay in sync with hub-side expectations; shallow-copy bugs and validator-
-# wiring gaps in this directory have a track record (PR #25 / #27 / audit #30).
-/src/gep/schemas/              @autogame-17 @forrestlinfeng @cloudcarver
-
-# Pipeline modules. Module-load order vs dotenv is fragile here; refactors
-# in PR #20-#24 introduced multiple dotenv-ordering and missing-import
-# regressions before merge.
-/src/evolve/                   @autogame-17 @forrestlinfeng @cloudcarver
-
-# Content-addressable storage and integrity primitives. Any change here
-# changes asset_id semantics across all stored capsules.
-/src/gep/contentHash.js        @autogame-17 @forrestlinfeng @cloudcarver
-/src/gep/crypto.js             @autogame-17 @forrestlinfeng @cloudcarver
-/src/gep/integrityCheck.js     @autogame-17 @forrestlinfeng @cloudcarver
-/src/gep/shield.js             @autogame-17 @forrestlinfeng @cloudcarver
-/src/gep/hubVerify.js          @autogame-17 @forrestlinfeng @cloudcarver
-
-# Anything that touches secrets, sanitization, or proxy auth.
-/src/gep/sanitize.js           @autogame-17 @forrestlinfeng @cloudcarver
-/src/proxy/                    @autogame-17 @forrestlinfeng @cloudcarver
-
-# Public-mirror surface. Manifest mistakes leak source / runtime assets to
-# npm; build/publish scripts directly drive npm + GitHub Release.
-/public.manifest.json          @autogame-17 @forrestlinfeng @cloudcarver
-/scripts/build_public.js       @autogame-17 @forrestlinfeng @cloudcarver
-/scripts/publish_public.js     @autogame-17 @forrestlinfeng @cloudcarver
-/scripts/pre_publish_check.js  @autogame-17 @forrestlinfeng @cloudcarver
-/scripts/build_binaries.js     @autogame-17 @forrestlinfeng @cloudcarver
-/scripts/deploy.sh             @autogame-17 @forrestlinfeng @cloudcarver
-
-# Repo metadata that gates everything else.
-/.github/                      @autogame-17 @forrestlinfeng @cloudcarver
-/.cursor/                      @autogame-17 @forrestlinfeng @cloudcarver
-/CODEOWNERS                    @autogame-17 @forrestlinfeng @cloudcarver
-/package.json                  @autogame-17 @forrestlinfeng @cloudcarver
-/package-lock.json             @autogame-17 @forrestlinfeng @cloudcarver

package/.github/ISSUE_TEMPLATE/good_first_issue.md

@@ -1,23 +0,0 @@
----
-name: Good first issue
-about: Help newcomers get started with a small, self-contained task
-labels: good first issue, help wanted, docs
-
----
-
-## Summary
-
-Short description of the task to complete.
-
-## Steps to reproduce / task
-
-1. Steps to reproduce (if a bug) or steps to implement (if feature)
-2. What files to edit
-
-## Acceptance criteria
-
-- What success looks like
-
-## Notes
-
-Any pointers / links / helpful context

package/.github/pull_request_template.md

@@ -1,45 +0,0 @@
-## Summary
-
-Short 1-2 sentence summary of the change.
-
-## What changed
-
-- Bullet list of changes
-
-## How to test
-
-1. Copy commands
-2. Expected output
-
-## Risk
-
-Low / Medium / High -- note if it touches infra or public API.
-
-## Self-check
-
-Tick only the boxes that apply, but every applicable box must be ticked. Bugbot
-reads the project rules and will request changes if anything below is missing.
-
-- [ ] If this PR adds a new source file under `src/`, it is registered in
-      `public.manifest.json` consistently with its sibling files (e.g. listed
-      in `obfuscate` when the rest of the directory is). Build verification
-      passed: `node scripts/build_public.js` succeeded and the new file shows
-      up in `dist-public/` in the expected (obfuscated or plain) form.
-- [ ] If this PR adds or modifies a schema factory under `src/gep/schemas/`,
-      the corresponding `validate*` function is invoked at every write and
-      every publish call site (not just defined).
-- [ ] If this PR uses `Object.assign({}, DEFAULTS, partial)` to build an
-      object, every reference-typed field (arrays, sub-objects) on the result
-      is sliced or cloned -- not held by reference to either source.
-- [ ] If this PR introduces a new module-level constant initialized from
-      `process.env.X`, the owning module is loaded after the entry point's
-      dotenv configuration step (or the constant is migrated to the lazy
-      env helpers in `src/config.js`).
-- [ ] No new runtime dependencies added without a clear justification in the
-      "What changed" section above.
-- [ ] Tests added or updated to cover the new behavior; full suite passes
-      locally (`node --test test/*.test.js`).
-
-## Related
-
-Closes #NN

package/.github/workflows/test.yml

@@ -1,75 +0,0 @@
-name: test
-
-# Runs the Node test suite on every PR and on pushes to main. Originally
-# Ubuntu-only (#198): PR checks were Cursor Bugbot + Security, neither of
-# which runs `npm test`, so a green PR did NOT mean the tests passed.
-#
-# This workflow now also runs the suite on Windows + macOS via a second job
-# (test-cross). #198 explicitly flagged Windows / macOS as a follow-up: the
-# suite still has Linux-specific assumptions (symlink reliance, hard-coded
-# ~/.volta layout, POSIX-style path equality) that would fail on those
-# hosts. test-cross runs on PRs in **advisory** mode (continue-on-error)
-# so those red signals are visible to reviewers without blocking merge
-# while the suite is being made hermetic. Each fix can flip its tests
-# from "red on Win/Mac" to "green on Win/Mac" incrementally. Once the
-# remaining failures are cleaned up, drop `continue-on-error: true` and
-# add `test-cross` to required checks to make cross-platform green a
-# hard merge gate.
-#
-# main pushes skip test-cross to keep private-repo billing predictable
-# (macos-latest is 10x and windows-latest is 2x the ubuntu rate).
-
-on:
-  pull_request:
-  push:
-    branches: [main]
-
-permissions:
-  contents: read
-
-concurrency:
-  group: test-${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '22' # engines: node >=22.12
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run tests (node --test)
-        run: npm test
-
-  test-cross:
-    # Advisory cross-platform run: PR-only (skips main push to save billing),
-    # continue-on-error so a known Win/Mac regression does not block merge
-    # while the suite is being hardened. Reviewers still see the result and
-    # can opt-in to wait for a fix on a per-PR basis.
-    if: github.event_name == 'pull_request'
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [windows-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
-    continue-on-error: true
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run tests (node --test)
-        run: npm test