@evomap/evolver 1.89.3 → 1.89.4

package/CHANGELOG.md

@@ -0,0 +1,1237 @@
+# Changelog
+
+All notable changes to `@evomap/evolver` are tracked here.
+
+## [Unreleased]
+
+## [1.89.4] - 2026-06-11
+
+### Fixed
+
+- **Proxy traces now queue for outbound Hub sync (#232).** Encrypted proxy trace
+  rows are written to the mailbox as `proxy_trace` outbound messages and wake the
+  outbound sync loop, so trace capture no longer stops at the local JSONL file.
+  Upload preflight now caps pending trace messages by type, reports skipped
+  uploads with bounded warnings, and keeps plaintext trace upload disabled unless
+  `EVOMAP_PROXY_TRACE_UPLOAD_PLAINTEXT=danger` is explicitly set.
+- **Fresh proxy installs default to the canonical Hub URL (#230).**
+  `EvoMapProxy` now uses `resolveHubUrl()` instead of an empty fallback, so
+  `evolver login` leaves the proxy Hub-connected out of the box while still
+  respecting explicit `opts.hubUrl` and local insecure-Hub overrides.
+- **Release-commit test runs no longer trip their own release-window guard
+  (#229).** The evolve guard test disables `EVOLVE_RELEASE_WINDOW_MS` in its
+  "normal conditions" fixture, keeping required CI green on release bump commits.
+- **Reverse leak scanning skips path/URL-shaped environment values (#233).**
+  CI workspace paths such as `GITHUB_WORKSPACE`, `RUNNER_WORKSPACE`, and npm
+  local-prefix values no longer trigger false secret-leak failures, while
+  non-path secret values remain reverse-detected.
+
+## [1.89.3] - 2026-06-10
+
+### Changed
+
+- **Daemon lock path + lease staleness extracted into a shared helper (#176).**
+  The session-start hook's auto-restart guard used to replicate the daemon's
+  lock resolution (`EVOLVER_LOCK_DIR` override, `~/.evomap/instance.lock`
+  default, lease TTLs, mtime staleness) inline, which could silently diverge
+  whenever `index.js` changed. Both now import
+  `src/adapters/scripts/_lockPaths.js` (fs/os/path-only, so the daemon module
+  still stays out of the hook's require graph). The helper ships in the hook
+  copy list and the hook requires it at load time, so a broken deployment
+  fails loud instead of silently disabling daemon auto-restart. No behavior
+  change for correctly-deployed installs.
+
+### Added
+
+- **Anti-abuse heartbeat telemetry (default on, explicit opt-out).** Hub
+  heartbeats (both the canonical client heartbeat and the proxy lifecycle
+  heartbeat) now attach a privacy-preserving `meta.anti_abuse` envelope:
+  schema/source-confidence labels, HMAC-based device/workspace pseudonyms
+  (only when an anti-abuse salt is configured — raw ids never leave the
+  node), integrity hashes of `package.json` / the CLI entry / lockfiles, a
+  local security-boundary summary, and explicit placeholders for fields the
+  Hub must observe server-side instead of trusting the client. Opt out with
+  `EVOLVER_ANTI_ABUSE_TELEMETRY=off` (an empty/blank value counts as unset
+  and keeps the default on). The Hub currently accepts the envelope under
+  heartbeat `meta` without persisting it.
+- **Structured force-update failure reporting.** `executeForceUpdate` now
+  returns a structured `{ ok, code, detail }` on every failure branch instead
+  of a bare `false`, and `reportForceUpdateOutcome` encodes it into the existing
+  `last_update.error` field as `"code: detail"`. `EvolverUpgradeAttempt` rows now
+  distinguish `degit_failed`, `npx_not_found`, `degit_timeout`,
+  `download_incomplete`, `downloaded_version_mismatch`, `delete_failed`,
+  `copy_failed`, `current_version_unparsable`, `bad_required_version`,
+  `install_guard_name_mismatch`, `install_guard_unreadable`, and
+  `all_channels_exhausted` instead of all reading "executeForceUpdate returned
+  false" — queryable via `GROUP BY split_part(error, ':', 1)` with no hub schema
+  or DB migration. Backward compatible: success stays `true`, no-op/busy stay
+  sentinels.
+
+### Fixed
+
+- **Force-update no longer wedges a node on a mid-copy failure.** The Channel-1
+  install path deleted the old install (including `package.json`) in place
+  before copying the new tree, so a `cpSync` failure part-way through (ENOSPC, a
+  Windows lock outlasting the retries, a kill) left `INSTALL_ROOT` with no
+  `package.json`. The install-guard then refused every subsequent attempt with
+  `install_guard_unreadable` and never re-copied it — a permanent, self-
+  perpetuating wedge. `package.json` is now the install's atomic commit marker:
+  kept in place through the whole delete+copy and swapped in last via
+  tmp+rename, so a partial failure leaves the old `package.json` intact and the
+  node self-heals on the next tick.
+- **Force-update commit marker recovery covers Windows and delete failures.**
+  Windows commits now keep a recoverable old-`package.json` backup while swapping
+  the new manifest, so a rename failure or interrupted commit can restore the
+  old marker instead of wedging the install guard. Delete failures for old
+  install entries now abort the update before the new manifest is committed,
+  preventing stale old files from being hidden behind a successful version bump.
+
+## [1.89.2] - 2026-06-08
+
+### Added
+
+- **OAuth token auto-refresh in `evolver run`.** When a device-flow OAuth token
+  is present, a background timer refreshes it ~2min before expiry (and reschedules
+  after each refresh), so long-running agent loops never hit an expired `a2a`
+  token mid-request. The timer is `unref`'d so it never blocks process exit, and
+  it is a no-op for `node_secret`-only nodes (which have no refresh token).
+
+## [1.89.1] - 2026-06-08
+
+### Changed
+
+- **License declared as GPL-3.0-or-later (corrected from a stale MIT notice).** The README
+  (and localized `zh-CN` / `ja-JP` / `ko-KR` variants) and `SKILL.md` now state
+  GPL-3.0-or-later, matching the project's copyleft + obfuscated-core distribution. No code or
+  runtime behavior changes.
+- **Public README cleanup.** Documented the `EVOLVER_ISSUE_REPO` default as `EvoMap/evolver`
+  (matches `src/config.js`) and fixed the matching `index.js` issue hint and skillPublisher
+  attribution footer; normalized `evolver run` → `evolver` in examples; rewrote the Roadmap
+  into directional items pointing at GitHub Issues; removed a maintainer-only "Public Release"
+  section that referenced non-existent npm scripts and internal publish env vars; excluded
+  `.github/CODEOWNERS` from the public mirror so internal owner handles stay out.
+
+### Fixed
+
+- **Force-update no longer downgrades newer installs.** `required_version` is
+  treated as a minimum version floor for the no-op check, so a node already on a
+  newer `@evomap/evolver` release skips stale force-update directives instead
+  of reinstalling an older exact tag.
+
+## [1.88.3] - 2026-06-06
+
+### Fixed
+
+- **Gene selection no longer self-reinforces a do-nothing gene (#562).** A `stable_no_error`
+  outcome (no error before/after, no parseable EvolutionEvent — i.e. the cycle did nothing
+  measurable) was tallied as a Bayesian "success" (score 0.6). Combined with the selector's
+  drift only diversifying when >1 gene matches a signal, a sole-matching auto-gene was
+  re-selected every `--loop` cycle, climbed edge confidence p → ~1.0, and was never banned
+  (the failure-streak ban never trips on "successes") — dominating selection ~99.7% of the
+  time while producing zero artifacts (reproduced against the published 1.88.2 binary).
+  `aggregateEdges` now tallies these zero-work outcomes as `inert`, apart from real
+  successes, so they build no confidence and do not count toward attempts; `getMemoryAdvice`
+  bans a gene after `GENE_INERT_BAN_STREAK` (default 8, env `EVOLVER_GENE_INERT_BAN_STREAK`)
+  consecutive inert outcomes with no real success on a signal, so the selector falls through
+  to mutation (null → fresh gene) and diversity is restored. Consecutive-trailing (reset by
+  any real success/failure), so a gene that ever does real work is never punished for idle
+  cycles.
+- **Self-evolution validation commands no longer fail a cycle in user projects (#562).** Seed
+  genes (e.g. `gene_gep_repair_from_errors`) ship validation commands that target evolver's
+  own tree (`node scripts/validate-modules.js ./src/gep/...`). When evolver runs in a user's
+  project, `repoRoot` is that project and the script is absent, so the command could only fail
+  with "Cannot find module" — wrongly tanking the gene's `validation_pass_rate` on an
+  environment mismatch. `runValidationsOnce` now skips a `node <script>` validation command
+  whose (relative) script does not exist in `repoRoot`, excluding it from the pass/fail tally
+  instead of failing the cycle; a clear `[Solidify] Skipping validation command (script not in
+  repoRoot)` line replaces the confusing module-not-found error. Commands whose script is
+  present run unchanged.
+
+## [1.88.2] - 2026-06-05
+
+### Added
+
+- **Runtime asset injection — general agents auto-use GEP assets (P4-c, #183).** Recall now injects relevant genes/capsules into the runtime context so a general agent picks them up without an explicit `gep_recall` call.
+- **Cross-harness auto-exec recipes for Codex + OpenCode (P4-b, #184).** The Brain→Hand exec bridge gains Codex and OpenCode recipes, bringing cross-harness parity to the Claude Code bridge shipped in 1.88.1.
+- **Reuse attribution reporting (P4-a Slice A, #186, default off).** Evolver can report which prior assets a successful cycle reused. Opt-in; no behavior change at default.
+- **Heartbeat reports `force_update` outcome via the `last_update` field (#188).** The heartbeat loop now surfaces the result of a force-update so the Hub can observe update propagation.
+- **Evolver recipe CLI — build/reuse (P4-c, #173).** New `recipe` subcommand for building and reusing recipes.
+
+### Changed
+
+- **ATP now consumes `@evomap/atp-sdk` for protocol enum constants (#185).** Protocol enums come from the shared SDK singleton instead of local literals, removing a drift source.
+
+### Fixed
+
+- **Release gate regressions (#192, #193).** `pre_publish_check.js` now runs the project's real test runner (`npm test` → `node --test`) instead of the no-longer-installed `npx vitest run`, and fails closed on a non-zero exit (the old `0-failures-but-nonzero-exit ⇒ pass` escape hatch is gone). The `npm test` script also no longer hard-codes the stable `--test-isolation=process` flag (Node >=22.23 only); process isolation is Node's default, so `npm test` runs on Node 22.12+ again. Plus: `normalizeWorkspaceIdentity` canonicalizes transcript paths via `realpath` (macOS `/var` vs `/private/var`) before provenance comparison, and session-start Kiro dedup vs. non-git-notice throttling now use separate state files.
+- **ATP order/task association persisted + delivered bundle made GEP-valid (#187).**
+- **Proxy forwards asset search as `GET /a2a/assets/search` (#189).**
+
+## [1.88.1] - 2026-06-03
+
+### Added
+
+- **Conversation capability -> distilled gene (P2, `EVOLVER_CONV_DISTILL_ENABLED`).** The conversation sniffer's capability candidates (slug + transcript snippet) are now enqueued and, when enabled, run through a conversation-brief distillation (reusing the P3 claude-distill recipe + quality gate) to synthesize a candidate gene — closing discover->distill. **Shadow-only v1**: it logs a candidate gene for human review and NEVER upserts (conversation-snippet material is too thin to auto-upsert; run-green proves the validation command exits 0, not that the strategy is correct). New module `src/gep/autoDistillConv.js`; P2-owned `conv_distill.{by_hash,by_slug}` state (never the shared P3 scalars). New env: `EVOLVER_CONV_DISTILL_ENABLED` (off default), `CONV_SLUG_COOLDOWN_MS`, `EVOLVER_CONV_DISTILL_DUP_JACCARD`.
+
+### Added
+
+- **Autonomous LLM gene distillation (P3, `EVOLVER_AUTO_DISTILL_LLM`).** evolver can now
+  run the distillation prompt through a light read-only headless `claude` (reusing the P1
+  exec bridge) and turn a recurring success pattern into an LLM-quality Gene with no human in
+  the loop. New module `src/gep/autoDistillLlm.js`. Shadow-first: `off` (default) | `shadow`
+  (log candidate, no upsert) | `enforce` (upsert after a REAL quality gate). The gate:
+  structural validation + canonicalization, a Jaccard near-duplicate check, validation
+  normalization (strips policy-blocked + heavy test-suite commands, injects `node --version`),
+  and a run-green check (the gene's own validation must exit 0) BEFORE upsert. Never
+  auto-publishes (opt-in `EVOLVER_AUTO_DISTILL_LLM_PUBLISH=true`). New env:
+  `EVOLVE_DISTILL_MODEL`, `EVOLVE_DISTILL_MAX_TURNS`, `EVOLVE_DISTILL_TIMEOUT_MS`,
+  `EVOLVE_DISTILL_VALIDATION_TIMEOUT_MS`, `EVOLVER_AUTO_DISTILL_LLM_DUP_JACCARD`. Wired into
+  the daemon idle (OMLS) distill window next to the failure distiller; no behavior change at `off`.
+
+### Added
+
+- **Claude Code auto-exec bridge (`exec` subcommand).** `node index.js exec
+  --harness=claude-code [--once] [--max-cycles N]` closes the Brain→Hand loop on
+  Claude Code: it runs the Brain (`node index.js run`, bridge mode), scrapes the
+  emitted `sessions_spawn(...)`, and spawns a headless `claude -p` Hand to apply
+  the patch and run `solidify`, gated by a status file. Opt-in and shadow-first:
+  refuses unless `EVOLVE_EXEC_BRIDGE=true`. New module `src/gep/execBridge.js`
+  with a per-Hand hard timeout + process-group kill (a hung/permission-broken
+  Hand is killed and counts as a retry, never loops). The `exec` command exits
+  non-zero on any non-success outcome. New env: `EVOLVE_EXEC_BRIDGE`,
+  `EVOLVE_HAND_TIMEOUT_MS`, `EVOLVE_BRAIN_TIMEOUT_MS`, `EVOLVE_HAND_KILL_GRACE_MS`,
+  `EVOLVE_IDLE_SLEEP_MS`, `EVOLVE_HAND_MAX_BUF_BYTES`, `EVOLVE_HAND_MODEL`,
+  `EVOLVE_HAND_MAX_TURNS`, `EVOLVE_HAND_DANGEROUS`, `EVOLVE_EXEC_FALLBACKS`,
+  `CLAUDE_BIN`.
+
+## [1.88.0] - 2026-06-03
+
+### Added
+
+- **Three-platform daemon autostart templates (#163).** The repo now ships
+  install helpers so the evolver daemon auto-starts on login with
+  restart-on-failure on every supported OS, matching the existing Linux
+  `scripts/evolver.service`: a macOS launchd agent
+  (`scripts/com.evomap.evolver.plist`, `KeepAlive.SuccessfulExit=false` +
+  `ThrottleInterval=5` mirroring `Restart=on-failure`/`RestartSec=5`) and a
+  Windows Task Scheduler installer (`scripts/install-evolver-windows.ps1`,
+  `-Install`/`-Uninstall`). The Windows shape launches via a generated
+  `%LOCALAPPDATA%\EvoMap\evolver-task-launcher.vbs` with the node/index paths
+  baked into VBScript literals and a single quoted task argument — `wscript`
+  is a Windows-subsystem host so no console window appears on logon, and
+  `WScript.Quit rc` propagates the exit code so restart-on-failure still
+  observes failures. All three platforms verified live through a real reboot.
+
+- **Explicit signal injection channel (#172).** A new fifth injection point in
+  the signal-extraction stage reads user-declared signals from
+  `<gep-assets-dir>/pending_signals.json` (default `.evolver/gep`) and merges
+  them into a cycle's signal set, **bypassing the closed 20-entry
+  `OPPORTUNITY_SIGNALS` vocabulary**. This lets a human-verified, deterministic
+  capability whose intent no extractor can name still surface as a first-class
+  signal (previously it collapsed to a generic `capability_gap` and the
+  dedicated gene could never win selection). File-locked read-once semantics
+  (`consumePendingSignals()` empties the file after consuming), entries trimmed
+  and length-capped (≤200), non-fatal on error.
+
+### Fixed
+
+- **Heartbeat / daemon-survival resilience overhaul (#163).** A nine-round
+  hardening pass on the keep-alive path, addressing failure modes that left the
+  daemon silently dead after sleep/wake, idle windows, or concurrent startup:
+  - **Singleton-lock takeover is now atomic** — `linkSync` + `EEXIST` guard
+    (with a `renameSync` fallback for link-less filesystems), replacing a
+    non-atomic `unlinkSync`-before-write that could let two daemons both
+    "own" the lock and rotate `node_secret` against each other into mutual
+    401 backoff. Lock carries a `lease: true` marker + mtime refreshed every
+    `LOCK_REFRESH_MS` (60s Win / 120s POSIX); takeover honors both dead-PID
+    (`kill -0` ESRCH) and lease-expiry (mtime older than `STALE_LOCK_TTL_MS`,
+    3min Win / 5min POSIX).
+  - **sd_notify watchdog actually fires under systemd** — shells out to
+    `systemd-notify(1)` (with `NotifyAccess=all`) instead of the broken
+    `dgram` `unix_dgram` socket, which threw synchronously on node ≥22 and
+    swallowed `READY=1`/`WATCHDOG=1`.
+  - **Sleep/wake recovery** — a wall-clock drift detector (samples `Date.now()`
+    every 30s, treats a >90s jump as a wake; `cpuUsage`-vs-wall-clock delta
+    distinguishes CPU throttling from true sleep), a stuck-tick watchdog, and a
+    wake ritual that drains dead undici connections + restarts SSE.
+  - **Event-loop anchor + process survival** — a ref'd 10-min keepalive tick
+    keeps the loop alive and leaves a disk heartbeat for `checkHealth`; EPIPE is
+    swallowed without killing the process while non-EPIPE stream errors are
+    still surfaced; `unhandledRejection` consults live heartbeat stats rather
+    than killing a process mid-recovery.
+  - **Hostile-hub clamps** — 429 backoff capped at 30min so a malicious/buggy
+    `retry_after_ms: 86_400_000` can't silence the heartbeat for a day;
+    `unknown_node` anti-cache-poisoning backoff with an absolute deadline.
+  - Removed a dead wake hook in `evolver-signal-detect.js` whose relative
+    `require` was `MODULE_NOT_FOUND` in the deployed `.claude/hooks/` layout
+    (no in-proc consumer exists, so it was a no-op that cost a 3000-line
+    `require` on every IDE edit).
+
+- **Standalone-binary obfuscation retries (#171).** Default `OBF_MAX_ATTEMPTS`
+  raised 4 → 12 in `scripts/build_binaries.js`. The obfuscation step
+  occasionally mangles `new.target` into an illegal `#target` token,
+  non-deterministically across node processes; the seed-perturbation retry is
+  the right mechanism but 4 attempts wasn't enough (the v1.87.4 deploy hit 4/4
+  and aborted before npm publish + binary upload). No behavior change on
+  first-attempt success; env override unchanged.
+
+## [1.87.4] - 2026-06-02
+
+### Fixed
+
+- **Cursor hook compatibility: project-dir resolution, workspace-scoped
+  recall, FS workspace-id, and a non-git notice.** The session hooks assumed
+  `process.cwd()` was the user's project, but Cursor invokes some hook events
+  with cwd set to the plugin install dir — so `git diff` collection found
+  nothing and the session-end hook silently recorded every task as empty.
+  Hooks now resolve the workspace from `CURSOR_PROJECT_DIR` /
+  `CLAUDE_PROJECT_DIR` (falling back to cwd, a no-op on Codex/opencode/Kiro/CLI).
+  Session-start recall is now scoped to the current workspace *before* the
+  most-recent-N window (a shared user-level memory graph no longer leaks one
+  project's outcomes into another), with a bounded scan instead of parsing the
+  whole graph. `workspace_id` now resolves via an FS-only fallback when the
+  evolver package isn't reachable (plugin-only installs), writing the same
+  `<workspaceRoot>/.evolver/workspace-id` secret `paths.getWorkspaceId()` uses
+  so installing the package later is seamless. And a non-git folder now gets a
+  throttled one-line notice that evolution memory is inactive, instead of
+  failing silently. (Ported from public PRs #554/#555/#557/#558, each
+  Bugbot-reviewed; private-dev #169/#170.)
+
+## [1.87.3] - 2026-06-01
+
+### Changed
+
+- **Router surfaces degenerate tier config + README defaults corrected
+  (#152).** The shipped `DEFAULT_TIER_MODELS` pins all three tiers to
+  `opus-4-7` on purpose (operators run tier-uniform while tuning tier
+  mapping, so the no-downgrade guard stays inert and 5xx retries replay one
+  model — PR #135). The trap is a user who flips `EVOMAP_ROUTER_ENABLED=1`
+  expecting the cost savings the README advertised but leaves the per-tier
+  `EVOMAP_MODEL_*` overrides unset: every turn resolves to the same model,
+  so routing is a silent no-op (and a cost *increase* for anyone previously
+  on a cheaper model). The proxy now emits a one-time `router_degenerate_tiers`
+  WARN at startup when the router is enabled and all three tiers resolve to a
+  single model. The README tier table previously documented `haiku-4-5` /
+  `sonnet-4-6` / `opus-4-7` as the defaults — that was the pre-#135 mapping
+  and never matched the shipped binary; it now states the real all-`opus-4-7`
+  defaults and how to set the overrides to get tier-based saving.
+
+### Fixed
+
+- **Heartbeat loop resilience (#544).** The heartbeat loop in
+  `LifecycleManager` had two coupled defects: (1) `heartbeat()` called
+  `store.countPending`, `getTaskMeta`, `_getEnvFingerprint`, and
+  `hello()` *before* its `try` block, so a single throw from any
+  helper (e.g. corrupt store, sandboxed `os.userInfo()`) escaped as a
+  rejected promise; (2) `tick()` had no try/catch around
+  `await this.heartbeat()`, so that rejection cancelled the next
+  `setTimeout` and silently killed the loop until the process
+  restarted. Reporter saw "first heartbeat fine, then evolver dead
+  after machine sleep — restart required". Fix wraps the entire
+  `heartbeat()` body in try/catch, defensively wraps the awaited call
+  in `_heartbeatTick()`, lowers the consecutive-failure backoff cap
+  from 30min → 15min (must stay above the 6min default interval or
+  exponential backoff inverts), and adds a generation counter so
+  `pokeHeartbeatLoop()` can't fork the loop when called while a tick
+  is mid-await. New `pokeHeartbeatLoop()` resets the schedule on
+  demand for callers that want wake-on-event semantics.
+
+## [1.87.2] - 2026-05-27
+
+### Added
+
+- **ATP autoBuyer explicit consent surface (#141).** New
+  `evolver atp <enable|disable|status>` subcommands, an ack file at
+  `<memory>/atp-autobuy-ack.json`, and an env override
+  `EVOLVER_ATP_AUTOBUY=on|off`. Resolution order at runtime:
+  env > ack > default. `setConsent` writes are atomic (tmp + rename);
+  ack reads strictly validate `enabled: boolean` so a corrupted ack
+  cannot park a user in a "prompt suppressed + autoBuyer off" dead
+  zone. CLI enable/disable surfaces a loud WARN when an
+  `EVOLVER_ATP_AUTOBUY` env value would silently override the ack at
+  runtime. The cold-start `no_consent` daemon WARN sanitizes the hub
+  URL via `URL.origin` so basic-auth credentials in
+  `A2A_HUB_URL`/`EVOMAP_HUB_URL` are never written to logs.
+
+### Changed
+
+- **ATP autoBuyer default ON for new installs (#145, follow-up to
+  #141).** With no env override and no ack, `getConsent()` returns
+  `{enabled: true, source: 'default'}` and autoBuyer starts under the
+  daily/per-order caps (50/day, 10/order; cold-start half-cap for the
+  first 5 min). The first-run TTY prompt and `evolver atp disable` are
+  the explicit opt-out paths; ack='disable' continues to win over the
+  default. Daemon/hook/CI cold-start emits a one-time WARN naming the
+  hub origin, the active caps, and the `evolver atp disable` command,
+  so the policy is never silent.
+
+- **`recallVerifier` default off (#136).** Client-side publish→recall
+  round-trip verification is no longer enabled by default. The Hub
+  `/a2a/fetch` contract is strict (unknown asset_id → empty results,
+  0 cost; verified against current Hub via random-hash smoke). The
+  round-trip check was redundant as a default safety net. Operators
+  who want end-to-end SLA observability can opt in with
+  `EVOLVE_RECALL_VERIFY=1`. No code paths removed; only the default
+  changed. (Already shipped in 1.87.1; promoted here for the
+  main-line changelog.)
+
+### Fixed
+
+- **Proxy router: canonicalize Bedrock model IDs + skip alias-only
+  5xx retry (#135) and defense-in-depth canonicalize at proxy
+  boundary (#139).** Resolves model alias drift between Anthropic-
+  shaped requests and Bedrock model IDs at both the router selection
+  layer and the inbound proxy boundary so a 5xx that originated from
+  an unresolvable alias is not retried as a different alias of the
+  same family.
+
+- **`forceUpdate` preserves `.env`, `.env.local`, `USER.md`, and
+  `.evolver/` (#142).** Force-update no longer wipes operator
+  configuration or workspace identity files when overlaying a new
+  release on top of an existing install; the preserve-list is now
+  explicit and tested.
+
+- **`evolver setup-hooks` ships `_memoryFiltering.js` alongside
+  generated session hooks (#547, #140, #143).** A fresh
+  `setup-hooks --platform=codex` against `@evomap/evolver@1.87.0`
+  left `.codex/hooks/` without `_memoryFiltering.js`, so the
+  generated `evolver-session-start.js` crashed immediately with
+  `Error: Cannot find module './_memoryFiltering'`.
+  `copyHookScripts`/`removeHookScripts` now include the helper, and
+  a regression suite scans every `require('./_*')` in the source
+  adapter scripts to assert install + uninstall cover them.
+  Reproduced by @rendigua on Windows; community PR
+  EvoMap/evolver#550 from @mvanhorn arrived independently with the
+  same diagnosis on the same day. (Already shipped in 1.87.1;
+  promoted here for the main-line changelog.)
+
+### Docs
+
+- **Backfill 1.87.0 proxy track + publish-gate entries
+  (#122/#123/#127/#128/#131/#132) into the changelog (#138).**
+
+## [1.87.1] - 2026-05-27
+
+Released from `release/1.87.1`; superseded by 1.87.2. Contains
+#136 and #547/#140 (see above).
+
+## [1.87.0] - 2026-05-26
+
+### Added
+
+- **AWS Bedrock as a second upstream for `/v1/messages` (#122).** Selected
+  per-request via `EVOMAP_UPSTREAM=bedrock` (default `anthropic`,
+  byte-for-byte unchanged). The Bedrock path pulls `body.model` →
+  `modelId`, injects `anthropic_version: bedrock-2023-05-31`, strips
+  top-level `model` / `stream` (Bedrock 400s on unknown fields, infers
+  stream from the command type), and re-emits Bedrock chunks as standard
+  SSE `data: <json>\n\n` so SDK callers don't need to know which upstream
+  served the request; the SDK owns SigV4 + AWS event-stream decoding.
+  `messages_route.js` softens the Anthropic-shaped credential check under
+  `EVOMAP_UPSTREAM=bedrock` (proxy's real gate is still the Bearer
+  `proxy_token` enforced in `ProxyHttpServer`; with SigV4 + AWS_* env in
+  place, inbound `x-api-key` is meaningless on the Bedrock path). This
+  unblocks Phase C cheap%-verification for deployments that don't have an
+  Anthropic-account upstream available — see PR #127 for the CC v2.1.150
+  body-shape compatibility patch that lands on top.
+
+- **Optional OS-keychain backing for `workspace-id` (issue #111 Phase 1).**
+  `getWorkspaceId()` can now persist the per-workspace secret in the OS
+  keychain (`@napi-rs/keyring` optional dep — macOS Keychain Services /
+  libsecret on Linux / Windows Credential Manager) instead of leaving it
+  readable to any same-uid process via `<workspace>/.evolver/workspace-id`.
+  Mode is controlled by `EVOLVER_WORKSPACE_KEYCHAIN`:
+  - `auto` (default) — try keychain, fall back to FS on any failure.
+    Behaviour stays IDENTICAL to v1.85.x for any deployment that
+    doesn't install the optional addon.
+  - `force` — keychain only; throws if `@napi-rs/keyring` isn't loaded.
+    Use in CI to assert the addon is present.
+  - `off` — skip keychain; FS only.
+  When the addon is available, an existing FS secret is migrated into
+  the keychain on first call and the FS file is INTENTIONALLY retained
+  so bun-compiled binaries (which don't sideload the `.node` addon yet
+  — Phase 2) keep agreeing with node-CLI sessions on the same id.
+  `EVOLVER_WORKSPACE_ID` env override is unchanged and still wins.
+
+### Fixed
+
+- **Codex / Claude transcript directories are auto-discovered without
+  the `EVOLVER_CURSOR_TRANSCRIPTS_DIR` env (issue #543, PR #130 + #133).**
+  Before this release, `readCursorTranscripts()` returned empty unless
+  the operator had manually exported `EVOLVER_CURSOR_TRANSCRIPTS_DIR`,
+  so a fresh Codex install reported `[NO SESSION LOGS FOUND]` on every
+  cycle even though Codex was writing rollouts to `~/.codex/sessions/`.
+  `resolveTranscriptDirs()` now picks up `~/.codex/sessions/` and
+  `~/.claude/projects/` by default. Cross-project transcripts are
+  filtered against the current workspace so a session recorded in a
+  different repo can't leak into this review (Bugbot PR #130 Security
+  MEDIUM, fail-closed when `session_meta.cwd` is missing). PR #133
+  follow-up accepts multiple workspace identities (`WORKSPACE_ROOT`,
+  `process.cwd()`, `EVOLVER_REPO_ROOT`) so the auto-discovery still
+  works in a workspace whose cwd has no `.git` and `getRepoRoot()`
+  would otherwise fall back to the evolver install dir. Together with
+  the entry below, this closes the second half of issue #540 (#543's
+  half).
+
+- **`user_missing` and `session_logs_missing` advisories now quiet down
+  on a Codex install whose `memory_graph.jsonl` is accumulating but has
+  no `outcome` records yet (issue #540 follow-up).** The original #540
+  fix landed a three-tier fallback for the memory snippet
+  (`MEMORY.md` → AGENTS.md marker section → memory_graph outcome tail),
+  but `readUserSnippet` and `_sessionLogFallback` still required
+  `_isOutcomeEntry`-shaped records to suppress their advisories. On a
+  fresh Codex install the first few cycles only write `signal` /
+  `hypothesis` / `attempt` / `epoch_boundary` entries — no
+  `outcome.status` — so both advisories kept firing on every cycle
+  even though the graph was visibly accumulating. Reported by
+  @rendigua on issue #540 with a 1.86.0 fresh-install reproduction.
+  The fix adds `readMemoryGraphAnyTail()` as a tier-2 fallback under
+  the existing outcome-tail tier, so any parseable graph entry is
+  enough to displace the legacy `[USER.md MISSING]` /
+  `[NO SESSION LOGS FOUND]` placeholders that `gep/signals.js`
+  (line 348-351) keys on. `readMemorySnippet`'s contract is unchanged
+  (AGENTS.md marker still wins over the graph for the memory tier).
+  PR #108 round-3 hardening (cross-workspace entries from the
+  user-level shared graph must pass the `workspace_id` / `cwd` filter)
+  applies to the new tier too.
+
+- **Lifecycle `hello` no longer mints a fresh `node_id` when MailboxStore
+  is empty but `~/.evomap/node_id` still exists.** The legacy GEP path
+  (`src/gep/a2aProtocol.js`) writes the node_id as a bare hex file at
+  `~/.evomap/node_id`. Lifecycle's hello previously consulted only
+  `MailboxStore.getState('node_id')` and fell straight through to
+  `crypto.randomBytes(6)` when the store was unprimed. Any install whose
+  `state.json` was created (or wiped) after the legacy file existed —
+  e.g. an upgrade from a pre-lifecycle version, or a partial recovery
+  flow — therefore registered a brand-new A2ANode under the same owner
+  on the very next daemon boot, abandoning the original record (with
+  its stake / reputation / aliases) as an orphan in the web UI.
+  Reading `~/.evomap/node_id` between the store lookup and the random
+  fallback keeps both paths agreeing on a single identity.
+
+- **Router refuses silent intra-family generational downgrades, and the
+  default tier IDs are now Bedrock-resolvable (#132).** Two related
+  router fixes that closed the same misconfiguration class. First, the
+  `/v1/messages` rewrite path now refuses moves where the chosen tier
+  model is strictly older than the caller's original within the same
+  Claude family (opus / sonnet / haiku) — cross-family rewrites (the
+  router's core cheap-tier behaviour, opus → haiku) stay allowed.
+  Triggered by the 2026-05-25 `/compact` stall on Aurora, where
+  `EVOMAP_MODEL_EXPENSIVE` was still pinned to `opus-4-1` while live
+  traffic had moved to `opus-4-7`: every planning turn silently
+  rewrote 4-7 → 4-1, hit Bedrock 5xx on the older endpoint, and
+  absorbed the cost via the upstream-5xx retry path. The guard makes
+  this **loud** (`router_fallback` with `reason: downgrade_blocked`)
+  instead of silent. Second, `DEFAULT_TIER_MODELS` previously used
+  short aliases that Bedrock rejects with `ValidationException: invalid
+  model identifier`. Defaults are now:
+  - `cheap     = global.anthropic.claude-haiku-4-5-20251001-v1:0`
+  - `mid       = global.anthropic.claude-sonnet-4-6` (only `global.*`
+    sonnet on Bedrock today)
+  - `expensive = global.anthropic.claude-opus-4-7`
+  The `mid = sonnet-4-6` choice is exactly the case the no-downgrade
+  guard protects: a caller pinned to `sonnet-4-7` does not silently
+  drop to 4-6 — the request stays on 4-7 and `downgrade_blocked` shows
+  up in telemetry, so when Bedrock adds a `global.*` `sonnet-4-7`
+  alias the regression becomes visible instead of invisible.
+
+- **Claude Code v2.1.150+ body shapes accepted by the Bedrock upstream
+  (#127).** Three top-level fields CC v2.1.150 sends are accepted by
+  Anthropic's public API but rejected by Bedrock InvokeModel with HTTP
+  400 — `thinking: { type: "adaptive" }` (Bedrock only takes
+  `"enabled"` / `"disabled"`), `output_config: { effort }`, and
+  `context_management: { ... }` (both rejected as extra inputs). Without
+  this fix every CC v2.1.150 request through the proxy in Bedrock mode
+  400s, so the Phase C `EVOMAP_UPSTREAM=bedrock` data window introduced
+  by #122 could not actually log completed `router_decision` events.
+  `_proxyBedrock` now folds `thinking.type: "adaptive"` → `"enabled"`
+  (defaulting `budget_tokens` to `max_tokens / 2` with a 1024 floor when
+  CC omits it — adaptive mode lets the model pick, but Bedrock's
+  `"enabled"` requires the field) and strips `output_config` and
+  `context_management` before forwarding. The strip site sits next to
+  the existing `body.stream` strip and carries an explicit comment that
+  future CC schema additions will surface the same way (whole-request
+  400) and need to be added to the same list.
+
+- **`proxy.token` reuses across daemon restarts instead of rotating on
+  every boot (#128).** `ProxyHttpServer.start()` previously called
+  `crypto.randomBytes(32)` unconditionally, so any long-lived shell that
+  had sourced `client-env.sh` once and was still exporting
+  `ANTHROPIC_AUTH_TOKEN` 401'd against the proxy as soon as the daemon
+  restarted. Aurora's typical mix (6+ `claude` processes across 4
+  Cursor terminal panes spawned hours before the most recent restart)
+  hit this on every daemon respawn. `start()` now reads `settings.json`
+  *before* `clearIfStale()` wipes the prior `proxy` block: if a token is
+  on disk, it's reused; a new one is minted only on first launch or
+  after a clean `stop()` (which still calls `clearSettings`). The trust
+  boundary is unchanged — the file remains mode 0600, the local
+  `127.0.0.1` socket is still reachable by any same-uid process, and
+  compromise recovery is `evox proxy stop` + `rm
+  ~/.evolver/settings.json` + restart.
+
+- **Grace-token list survives daemon restart (#131).** `_handleRequest`
+  now reads `proxy.previous_tokens` directly from `settings.json`
+  (constant-time compare against the primary plus the extras) and
+  `start()` preserves `previous_tokens` across restart instead of having
+  the shallow `writeSettings({proxy:{...}})` merge silently drop the
+  list. This replaces an earlier env-shim design
+  (`EVOMAP_PROXY_EXTRA_TOKENS` populated by a python3 block in
+  `evolver-daemon-start.sh`) that had three places to keep in sync.
+  Recovery path: when `~/.evolver/settings.json` is wiped externally
+  (logout / manual `rm`) while long-lived CC sessions still hold the
+  pre-wipe bearer in their fork-time env, the operator pastes the lost
+  token into `previous_tokens` and the proxy keeps accepting it until
+  those sessions die naturally. Clean `stop()` still calls
+  `clearSettings`, which intentionally drops the whole proxy block
+  including `previous_tokens` — clean shutdown wipes grace state by
+  design.
+
+### Refactored
+
+- **Lifecycle's legacy node_id reader now routes through
+  `paths.getEvomapPath()`** so `EVOLVER_HOME` honours both reader and
+  writer in lockstep (the writer in `src/gep/a2aProtocol.js` was
+  consolidated onto the same helper in #114). No behaviour change
+  beyond unifying the override semantics.
+
+- **Seed genes opt three task classes into EvoX's
+  `GeneRoutingHint`.** PR #384 on the EvoX side wired
+  `Gene.routing_hint` through to the multi-tier router and reasoning
+  selector, but the bundled defaults shipped with `routing_hint: null`
+  for every gene — so `RouterDecision.reason="gene_hint"` never fired
+  in production telemetry (0 of 131 turns in the first reduction logged
+  in `evox/docs/concepts/router-lessons-learned-2026-05-18.md` §3).
+  This release bumps three seed genes off the default per the guidance
+  baked into the LLM prompt template (`src/gep/prompt.js:179-194`):
+  `gene_tool_integrity` and `gene_distilled_s2g-env-vars` go to
+  `cheap` + `low` (deterministic, mostly string/JSON manipulation), and
+  `gene_gep_optimize_tool_usage` goes to `mid` + `medium` (light
+  reasoning, no deep multi-step planning). The broader `repair` /
+  `innovate` genes are intentionally left null so the router's
+  classifier picks per-turn — matches the prompt's "Omit when the gene
+  applies broadly across complexities" rule. Fully additive; installs
+  whose local `genes.json` already overrides any of these IDs are not
+  touched (the asset_id-respecting load path in `loadGenes()` keeps
+  user customisations intact).
+
+### Internal
+
+- **End-to-end test for the issue #540 advisory-signal fix and a new
+  CHANGELOG release-section integrity guard (#113 / #115).** PR #105
+  added function-level tests for `readMemorySnippet` /
+  `readUserSnippet` / `readRealSessionLog`, but the user-visible bug
+  was the three advisory signals firing on every Codex review cycle
+  end-to-end. New tests run `collect.js` outputs through
+  `gep/signals.js` to lock in that pipeline so a future refactor
+  breaking the chain at either end fails loudly. The new
+  `scripts/check-changelog.js` + `pre_publish_check.js` integration
+  catches the #540 / PR #107 misattribution pattern (an entry filed
+  under `## [X.Y.Z]` after vX.Y.Z was already published). `extractSection`
+  is line-anchored so fenced code samples don't trigger false drift,
+  and `EVOLVER_CHANGELOG_GUARD_SOFT=1` is available as an interim
+  escape hatch while private-dev still relies on public-mirror tags.
+
+- **Publish-time enforcement for the #542 duplicate-import regression
+  class (#123).** The regression test shipped with PR #118 (#542 hotfix)
+  was claimed to keep duplicate `const path = require('path')` from
+  reaching npm again. Auditing the gate showed the claim was incomplete:
+  `pre_publish_check.js` Check #1 (`npx vitest run`) is non-functional on
+  this project — every test file uses `require('node:test')`, so vitest
+  exits non-zero with `No test suite found` regardless of whether the
+  in-file tests pass, and publishers therefore set `SKIP_TESTS=1`. The
+  duplicate-import class would silently slip through that path. This
+  release adds `checkEntryPointScriptsParse`, a new pre-publish step
+  that runs `node --check` directly on every `.js` in
+  `src/adapters/scripts/` and on `index.js` (parse-only, ~50 ms per
+  file, independent of the test-suite check, names the offending file
+  and line in the failure message). It also collapses
+  `test/adaptersSyntax.test.js`'s dynamic per-file `it()` loop into one
+  static `it()` that iterates targets internally and reports every
+  failing file in a single assertion message — now statically
+  discoverable by both `node --test` and vitest's node:test compat
+  layer. Scoped narrowly to making the #542 class unpublishable; the
+  broader vitest-vs-node:test runner question is intentionally left
+  alone.
+
+## [1.85.3] - 2026-05-23
+
+### Fixed
+
+- **Codex `session-end` hook no longer crashes with `SyntaxError: Identifier 'path' has already been declared` on fresh install.** A previous
+  change added a top-of-file import block (`fs` / `path` / `os`) without
+  noticing that an existing `const path = require('path')` further down
+  the file was still in place. Both v1.85.1 AND v1.85.2 shipped to npm
+  with this regression — every fresh `npm install -g @evomap/evolver`
+  followed by `evolver setup-hooks --platform=codex` produced a
+  parse-broken hook, blocking Codex `session-end` entirely with no
+  user-side workaround (issue #542). The duplicate is removed and a
+  `node --check` regression guard now runs against every file in
+  `src/adapters/scripts/` and the CLI entry as part of the test suite,
+  so this class of regression (parse-time failure in entry-point scripts
+  that the existing vitest suite never loads) cannot reach npm again.
+
+- **`getRepoRoot()` no longer escapes `node_modules` to pick up an
+  unrelated outer `.git` (#541).** When `@evomap/evolver` is installed
+  globally (e.g. `npm install -g @evomap/evolver` on macOS Homebrew), the
+  package lives at `/opt/homebrew/lib/node_modules/@evomap/evolver` and
+  Homebrew itself is a git repository, so `/opt/homebrew/.git` exists.
+  Whenever the user ran `evolver` from a directory that did *not* have a
+  `.git` in any ancestor (a fresh project before `git init`, a generic
+  `~/` shell, an OpenClaw workspace, etc.), the upward walk from the
+  install location escaped the package's own `node_modules` and resolved
+  `repoRoot` to `/opt/homebrew` — silently sending `workspaceRoot` /
+  `memoryDir` / `evolutionDir` to a directory that doesn't belong to the
+  user, scanning the wrong session logs, and producing evolution
+  proposals for the wrong codebase. No crash; the only signal was that
+  the output looked subtly wrong. The walk now stops at the parent of
+  the nearest `node_modules` ancestor: for a local install
+  (`<project>/node_modules/@evomap/evolver`) the boundary still includes
+  `<project>` so the user's `.git` is found correctly; for a global
+  install the boundary is `/opt/homebrew/lib`, which has no `.git`, so
+  the walk falls back to the install dir instead of escaping. Dev
+  clones (not inside any `node_modules`) keep the original unbounded
+  walk. `EVOLVER_REPO_ROOT` remains the explicit override and is
+  unaffected.
+
+## [1.85.2] - 2026-05-22
+
+### Fixed
+
+- **Daemon restart no longer overwrites the hub-rotated `node_secret` with a
+  stale shell `A2A_NODE_SECRET`.** When a previous run rotated the secret
+  via `/a2a/hello`, the hub-recognised value was persisted in
+  `~/.evomap/mailbox/state.json`. On the next daemon boot, the parent shell
+  still exported the *old* value of `A2A_NODE_SECRET` (a child process
+  cannot mutate its parent's env). The `_resolveNodeSecret` env-vs-store
+  reconciliation treated this as a conflict and let env win, silently
+  overwriting the rotated secret. Subsequent heartbeats 403'd, rotation
+  was correctly refused by the hub (issue #320 requires proof of current
+  ownership), and the daemon entered a 30-minute backoff that could not
+  be self-recovered. The store now carries a `node_secret_source` tag
+  (`'hub_rotate'` for hub-issued values, `'env_seed'` otherwise);
+  hub_rotate values win over a differing env, while #529's original
+  case (env-fresh, store-stale, no source tag) still falls back to env.
+
+- **Re-auth backoff escalates exponentially.** Consecutive `reAuthenticate`
+  failures now back off 30min → 60min → 2h, capped at ~4h, instead of
+  resetting to a flat 30 minutes every time. A daemon stuck on a bad
+  secret no longer gets re-poked twice an hour by inbound auth errors,
+  drowning the log without surfacing the manual-recovery requirement.
+
+### Added
+
+- **`evolver reset-local-secret` CLI helper.** Wipes the three local
+  `node_secret` stores (MailboxStore, legacy `~/.evomap/node_secret`,
+  and prints an unset hint for the shell `A2A_NODE_SECRET`) so a daemon
+  whose hub side has been web-reset (`https://evomap.ai/account` →
+  Reset Secret) can boot clean. New `docs/secret-recovery.md` documents
+  the env-vs-store decision tree and the recovery flow.
+
+## [1.85.1] - 2026-05-22
+
+### Fixed
+
+- **Stop hook no longer re-injects the evolution receipt as a user prompt.**
+  `evolver-session-end.js` previously emitted `followup_message`,
+  `stopMessage`, and `additionalContext` on every session end. The
+  `followup_message` field tells Claude Code to feed the receipt back into
+  the next inference round, which caused agents to "respond" to their own
+  evolution log line — visible to users as an unexplained extra reasoning
+  turn after every task. The hook now emits only `systemMessage`, a
+  UI-only notification that does not influence the next turn.
+
+- **Cursor compatibility for the Stop hook.** Cursor's Claude Code-compatible
+  runtime currently treats `systemMessage` as a user prompt as well. The
+  hook now detects Cursor (via `TERM_PROGRAM=cursor`, `CURSOR_TRACE_ID`,
+  `CURSOR_SESSION_ID`, or the manual override `EVOLVER_HOOK_HOST=cursor`)
+  and omits `systemMessage` there. The receipt is always appended to
+  `~/.evolver/logs/evolution.log` (override path with
+  `EVOLVER_HOOK_LOG_DIR`) so it is never silently lost. Set
+  `EVOLVER_HOOK_VERBOSE=1` to force the inline notification on under
+  Cursor for debugging.
+
+- **Stop hook process now exits promptly.** The hook held the event loop
+  open for ~7 s on every session end because its watchdog `setTimeout`
+  was never cleared after stdin closed. The watchdog is now cancelled and
+  the process exits explicitly when the response is written.
+
+- **`evolver --review` no longer raises `memory_missing` / `user_missing` /
+  `session_logs_missing` on every cycle when running on Codex (#540).**
+  Codex doesn't generate a workspace-root `MEMORY.md` / `USER.md` and
+  doesn't expose readable session-transcript files, so the review
+  pipeline used to keep flagging those three advisory signals on every
+  cycle. `src/evolve/pipeline/collect.js` now falls back, in order:
+  `MEMORY.md` / `USER.md` → the `<!-- evolver-evolution-memory -->`
+  section that `setup-hooks` injects into the workspace's `AGENTS.md` /
+  `CLAUDE.md` → the tail of `memory_graph.jsonl` (last 5 outcomes).
+  `readRealSessionLog()` reuses the same memory-graph tail when no
+  platform session source has any data. Real markdown still wins, the
+  marked-section fallback is gated on the evolver marker (a
+  user-authored `AGENTS.md` without it is ignored), and the legacy
+  `[MEMORY.md MISSING]` / `[USER.md MISSING]` / `[NO SESSION LOGS
+  FOUND]` placeholders are still returned when nothing is available —
+  which transitively suppresses the three advisory signals that
+  `gep/signals.js` triggers on those literal strings. README adds a
+  "Codex caveats" subsection documenting the platform limitation.
+
+### Security
+
+- **Per-workspace random secret replaces plain-text `cwd` self-tag in
+  `memory_graph.jsonl` (#109).** PR #108 introduced a `cwd` field on
+  every memory-graph entry and used it to scope reads at the user-level
+  fallback path (`~/.evolver/memory/evolution/memory_graph.jsonl`),
+  closing the cross-workspace leak. The Cursor Bugbot round-3 advisory
+  pointed out that `cwd` is a self-report — any process under the same
+  uid could write entries claiming a different workspace's `cwd` and
+  poison its reads. This release adds `paths.getWorkspaceId()`, which
+  lazily creates `<workspace>/.evolver/workspace-id` (mode 0600,
+  32-hex random) and stamps every new entry with `workspace_id`. The
+  reader uses a three-tier policy: prefer `workspace_id` matching when
+  the current workspace has a secret, fall back to legacy `cwd`-only
+  matching when it doesn't (clean upgrade for pre-existing entries),
+  drop entries that have neither. The writer lazy-loads the canonical
+  resolver from the project-local evolver install so writer + reader
+  resolve from the same path. The secret file is created with
+  `O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW` after an `lstat`
+  pre-check, so a pre-placed symlink can't redirect the write outside
+  the workspace. `EVOLVER_WORKSPACE_ID` env var remains as an explicit
+  override / escape hatch. Note: in the co-uid threat model, any
+  process under the same uid can still *read* the FS secret —
+  migrating to an OS keychain is tracked in #111.
+
+## [1.85.0] - 2026-05-22
+
+### Fixed
+
+- **Hook scripts now record outcomes to a writable location even when no
+  evolver-managed project directory is present (#536).** Previously,
+  npm-global installs of evolver had no `memory/evolution/` directory under
+  the install root, so `evolver-session-end.js` reported "nowhere (no Hub
+  or local path)" when neither `EVOMAP_HUB_URL` nor a project-local
+  evolver was configured. The shared `_runtimePaths.js` helper now falls
+  back to `~/.evolver/memory/evolution/memory_graph.jsonl`, creating the
+  directory on first write. The same helper teaches both
+  `evolver-session-start.js` and `evolver-session-end.js` to resolve the
+  package root via `require.resolve('@evomap/evolver/package.json')`,
+  which works for npm-global installs where the relative `../../..` walk
+  used to escape the package.
+
+- **`evolver-session-end.js` no longer prints "system cannot find the
+  path" noise on Windows (#537).** The script now invokes git via
+  `spawnSync('git', [...], { shell: false })` with an argv array, which
+  avoids the POSIX `2>/dev/null` redirection that cmd.exe rejected. Failed
+  invocations (e.g. `HEAD~1` in a fresh repo) are detected by reading
+  `res.status` explicitly instead of relying on stderr suppression.
+
+- **`setup-hooks --uninstall` now cleans up everything it installed
+  (#538).** Three regressions fixed:
+  - The Codex adapter now removes the `codex_hooks = true` line from
+    `~/.codex/config.toml` and drops the surrounding `[features]` block
+    when it becomes empty. Other unrelated entries under `[features]` are
+    preserved.
+  - All four markdown-injecting adapters (Claude Code, Codex, Kiro,
+    opencode) share a new `removeMarkedSection()` helper that correctly
+    skips the evolver-owned `## Evolution Memory` heading before searching
+    for the next H2. The previous inline implementations matched evolver's
+    own heading and left the entire injected section in CLAUDE.md /
+    AGENTS.md.
+  - `removeHookScripts()` now `console.warn`s when an `unlink` fails so
+    Windows file-locking and permission failures stop being silent.
+  - The Claude Code and Codex `uninstall` paths filter evolver-owned
+    entries by command match even when the `_evolver_managed` marker is
+    missing (older installs, hand-edited files), preventing stale
+    `evolver-session-*` entries from being stranded.
+
+- **`setup-hooks` no longer overwrites existing user hooks under the same
+  event (#539).** The new `mergeWithHooksUnion()` keeps the user's own
+  Stop / SessionStart / PostToolUse entries while adding (or refreshing)
+  evolver-owned entries, identified by the command containing
+  `evolver-session` or `evolver-signal`. Reinstalls refresh the evolver
+  entry instead of duplicating it. This applies to both the matcher shape
+  used by Claude Code (`{matcher, hooks: [{type, command}]}`) and the
+  flat shape used by Codex (`{type, command}`).
+
+### Removed
+
+- **`FEISHU_EVOLVER_INTERVAL` env fallback for `pendingSleepMs` is no longer
+  read.** Part of removing all Feishu-specific naming from evolver core (#65).
+  Users who relied on this variable to override the pending-sleep interval
+  must switch to `EVOLVE_PENDING_SLEEP_MS` (or its older alias
+  `EVOLVE_MIN_INTERVAL`); both are still honored and have been the
+  documented names for this knob. Without an override, `pendingSleepMs`
+  now falls back to its existing 120000 ms default.
+
+### Security
+
+- **All Hub-facing HTTP calls now go through `hubFetch()`, a single
+  chokepoint that enforces both `https://` schema and TLS certificate
+  verification (C1 PR-2 Step 2).** `src/gep/hubFetch.js` rejects any URL
+  that does not parse as `https://` and passes an explicit
+  `undici.Agent({ connect: { rejectUnauthorized: true } })` as the request
+  dispatcher, making certificate verification immune to
+  `NODE_TLS_REJECT_UNAUTHORIZED=0`. Schema validation lives in `hubFetch`
+  itself (not only in `resolveHubUrl()`) because several hot paths —
+  `httpTransportSend`, `getHubUrl()`, per-call `opts.hubUrl`, proxy
+  `this.hubUrl` — bypass `resolveHubUrl()` and read env vars directly;
+  putting the check in the fetch wrapper means it cannot be bypassed.
+  Affected modules: `a2aProtocol`, `hubVerify`, `directoryClient`,
+  `hubReview`, `hubSearch`, `taskReceiver`, `skillPublisher`,
+  `validator/index`, `validator/reporter`, `validator/stakeBootstrap`,
+  `memoryGraph`, `proxy/lifecycle/manager`, `proxy/sync/inbound`,
+  `proxy/sync/outbound` (14 modules, 22 call sites). New runtime
+  dependency: `undici` (Node bundles it internally but its `Agent` is
+  not interface-compatible with the global `fetch` — both must come from
+  the same package, hence the explicit dep). Set
+  `EVOMAP_HUB_ALLOW_INSECURE=1` to bypass BOTH protections (local dev /
+  mock hub on http:// or self-signed cert; same gate as Step 1).
+  Integration test in `test/hubFetch.test.js` spins up a real HTTPS
+  server with a self-signed cert and asserts `hubFetch` rejects even
+  when `NODE_TLS_REJECT_UNAUTHORIZED=0` is set globally — proving the
+  documented attack is blocked end-to-end.
+
+- **`resolveHubUrl()` now rejects non-`https://` Hub URLs (C1 PR-2 Step 1).**
+  Passing an `http://`, `ws://`, or unparseable string as `A2A_HUB_URL` /
+  `EVOMAP_HUB_URL` / `EVOLVER_DEFAULT_HUB_URL` now throws at call time rather
+  than silently returning a plaintext URL. This prevents a misconfigured or
+  attacker-controlled env var from downgrading heartbeat + capsule-publish
+  traffic to cleartext (MITM → arbitrary code injection via hub directives).
+  Local dev and mock-hub integration tests that need a non-TLS endpoint must
+  set `EVOMAP_HUB_ALLOW_INSECURE=1`; any value other than exactly `"1"` is
+  treated as absent. Do **not** use `NODE_ENV` for this gate — it is not stable
+  in `npm`-global installs.
+
+### Changed
+
+- **`--loop` daemon now defaults `EVOLVE_BRIDGE` to `'true'` (#96).**
+  The previous default of `'false'` made the daemon observe-only by
+  default: every cycle hit `rejectPendingRun(reason=loop_bridge_disabled_autoreject_no_rollback)`
+  and produced no `EvolutionEvent`. On Aurora this manifested as 33 days
+  of empty cycling. With the new default, the daemon actually applies
+  pending runs to the working tree. Failed cycles still recover safely
+  via `rollbackTracked` (mode=stash by default since v1.81.0): the
+  partial diff gets pushed to a stash entry the user can recover with
+  `git stash list | grep evolver-rollback` followed by `git stash pop`.
+  The daemon prints a safety banner on start documenting both the new
+  default and the recovery breadcrumb. Set `EVOLVE_BRIDGE=false`
+  explicitly to opt back into observe-only mode (the banner reflects
+  this choice as well). Operators upgrading should be aware that
+  `--loop` is no longer side-effect-free by default.
+- **Daemon-mode `unhandledRejection` handler uses a sliding window (5
+  rejections within 5 minutes) instead of a cumulative process-lifetime
+  counter (#70).** Previously, four harmless rejections spread over days
+  plus a fifth unrelated one would terminate a long-running daemon for
+  noise; a cluster within a short window is the actual failure-cascade
+  signal. The stderr format also changed: each rejection log now reads
+  `Unhandled promise rejection (N in window):` and the exit line reads
+  `N unhandled rejections within 300s. Exiting...` — operators parsing
+  these lines should update their match patterns.
+- **First-run `getNodeId()` fallback now generates a random ID instead of
+  hashing the device fingerprint (#71).** Previously, two installs cloned
+  from the same VM image before either had run evolver would compute
+  identical node IDs (same hostname / MAC / agent name / cwd → same
+  SHA-256). The new fallback emits 12 random hex characters; format and
+  persistence behaviour are unchanged. Existing installs already have a
+  persisted node ID from a prior run and never re-enter this path, so this
+  is not a migration. The startup warning text changed accordingly — any
+  log scraper matching `"Computing node ID from device fingerprint"`
+  should switch to `"Generating a fresh node ID"`.
+- **`engines.node` tightened from `>=22` to `>=22.12`.** This release switches
+  `src/gep/contentHash.js` from an inlined SHA-256/canonicalize implementation
+  to a thin facade that `require()`s `@evomap/gep-sdk` (an ESM-only package).
+  `require()` of synchronous ESM was only unflagged in Node 22.12.0 (Dec
+  2024); on 22.0–22.11 the call throws `ERR_REQUIRE_ESM` without
+  `--experimental-require-module`. Users on those versions must upgrade Node
+  before installing `@evomap/evolver` 1.84.0+.
+- **New runtime dependency: `@evomap/gep-sdk@^1.2.0`.** This package now owns
+  the GEP protocol surface (schemas, spec, `SCHEMA_VERSION`, `canonicalize`,
+  `computeAssetId`, `verifyAssetId`) for every implementation in the
+  ecosystem. Replaces four hand-maintained copies that drove the v1.80.8
+  `"explore"` enum drift incident. The 13 internal callsites that
+  `require('./contentHash')` keep working unchanged via a re-export facade.
+- **`EVOLVER_ROLLBACK_MODE` default is now `stash` (was `hard`).** Previously a
+  failed solidify cycle ran `git reset --hard`, silently discarding uncommitted
+  work in the host repo. The `stash` branch always existed and was the safer
+  choice; only the default needed flipping. To restore the prior destructive
+  behaviour explicitly, set `EVOLVER_ROLLBACK_MODE=hard`.
+
+### Fixed
+
+- **`buildAutoGene` no longer emits evolver-internal validation commands when
+  running in non-evolver host repos.** Auto-generated genes used to embed
+  `node scripts/validate-modules.js …` and `node scripts/validate-suite.js`,
+  paths that only exist inside the evolver repo itself. In any third-party host
+  those scripts are missing, so validation always failed → soft-failure →
+  rollback discarded the user's working tree. New helper
+  `isInsideEvolverRepo(repoRoot)` (detected via `package.json` name
+  `@evomap/evolver`) gates this behaviour; in foreign repos validation falls
+  back to the portable `git diff --check`.
+- **`rollbackNewUntrackedFiles` now skips files whose mtime predates the cycle
+  start.** The previous baseline-only filter could delete files the user
+  created in a parallel editor between baseline capture and rollback.
+  `cycleStartedAt` (sourced from `last_run.created_at`) is now passed through
+  from the solidify call site as an mtime guard. Behaviour is unchanged when
+  the parameter is omitted (legacy callers, unit tests).
+
+## [1.80.7] - 2026-05-15
+
+### Added
+
+- **Formally declare Node.js >=22 engine requirement (`package.json`).** The
+  test suite uses `--test-isolation=process` (Node 22+). This field makes the
+  constraint explicit to package managers and CI environments so they surface
+  a clear error instead of a cryptic flag-not-found failure.
+
+### Fixed
+
+- **A2A inbound integrity filter: restore symmetric `asset_id` verification.**
+  `httpTransportReceive` was excluding the `a2a` field when recomputing the
+  `asset_id` of received assets, creating an asymmetry with the publish path
+  where `solidify` sets `capsule.a2a` *before* `buildPublishBundle` hashes the
+  asset. This caused every legitimately published capsule to fail the integrity
+  check and be silently discarded. The filter now calls `computeAssetId(asset)`
+  with only `asset_id` excluded (matching the publish-side default), and the
+  comment clarifies that `lowerConfidence` annotations are applied client-side
+  *after* verification, not by the Hub on stored assets.
+
+- **GEP test isolation: scope `--test-isolation=process` to
+  `solidifyIntegration.test.js` only.** Previously the flag ran across all
+  test files, which doubled wall-clock time on CI for no benefit. Other test
+  files run in the same process and share setup cleanly.
+
+- **HUB_DRY_RUN single source of truth.** Extracted `_isDryRun()` helper in
+  `a2aProtocol.js`; `publishSkillChannel` in `skill2gep.js` now delegates to
+  `a2a._isDryRun()` instead of duplicating the env-var check inline.
+
+## [1.80.1] - 2026-05-07
+
+### Fixed
+
+- **Validator: stop flooding the Hub with `env_fail` reports when the local
+  toolchain cannot run `node <script>` (issues #11, #15).** The validator
+  daemon now runs a one-shot preflight self-test on startup
+  (`runPreflight()` in `sandboxExecutor.js`) that writes a trivial script to
+  the sandbox and confirms `spawn('node', [...])` exits with code 0. If the
+  preflight fails (no `node` on PATH for headless invocations, missing exec
+  perm, unwritable TMPDIR, ...) the validator role is **skipped** instead of
+  posting `commands_passed=0, duration_ms=1` reports for every Hub-issued
+  task. A user-visible warning is printed once with the diagnostic stderr
+  tail so the operator can fix the host. Restart `evolver` after fixing PATH
+  to re-enable the validator role. Validator preflight result is exposed via
+  `getValidatorDaemonStats().preflight`.
+
+### Added
+
+- **Validator report diagnostics: per-command summaries + `failure_class`
+  on every `ValidationReport` (issues #11, #15).** Each report now carries
+  a top-level `failure_class` (one of `ok`, `parse_failed`,
+  `executable_not_allowed`, `sandbox_block_node_flag`, `spawn_failed`,
+  `timeout`, `exit_nonzero`, `unknown`) and a bounded `commands` array
+  (capped at 8 entries) where each entry has `cmd`, `ok`, `exit_code`,
+  `duration_ms`, `timed_out`, `failure_class`, and a 240-char `stderr_tail`.
+  This lets the Hub-side classifier distinguish "Gene shipped legacy
+  `node -e \"...\"` and the hardened sandbox rejected it" (a Hub/Gene
+  incompatibility, route via `sandbox_block_node_flag`) from "validator
+  host has no `node` binary" (genuine `env_fail`) instead of lumping both
+  together. Older Hubs that ignore unknown payload fields keep working
+  unchanged.
+
+## [1.80.0] - 2026-05-07
+
+### Added
+
+- **First-party opencode adapter (issue #523).** `evolver setup-hooks
+  --platform=opencode` now installs a managed plugin at
+  `.opencode/plugins/evolver.js` plus the three evolver hook scripts in
+  `.opencode/hooks/`. The plugin wires opencode's `session.created`,
+  `session.idle`, and `tool.execute.after` events to the existing
+  `evolver-session-start.js` / `evolver-session-end.js` /
+  `evolver-signal-detect.js` filters, so the runtime behavior matches
+  Cursor / Claude Code / Codex / Kiro.
+
+  Works with both project-level (`./.opencode/`) and user-level
+  (`~/.opencode/`) installs. The plugin file is marked
+  `_evolver_managed: true` on the first line so `--uninstall` only
+  removes evolver-managed files and leaves user-authored plugins in
+  `.opencode/plugins/` alone. Restart opencode after install to load
+  the plugin.
+
+  See README for the platform table.
+
+## [1.79.1] - 2026-05-06
+
+### Fixed
+
+- **Windows cmd-popup loop on suicide-respawn (issue #528).** On Windows,
+  `child_process.spawn(detached: true, windowsHide: true)` allocates a new
+  conhost (cmd) window every time -- `windowsHide` is silently ignored in
+  detached mode, see Node.js child_process docs. So every time the daemon
+  hit `EVOLVER_MAX_CYCLES` (default 100) or `EVOLVER_MAX_RSS_MB` (default
+  500) and ran the suicide-respawn, Windows users saw a new cmd popup.
+  v1.79.0 made this worse by adding a third spawn site for the cycle
+  hard-timeout, copying the same buggy options.
+
+  The two in-process spawn sites are now consolidated into one helper
+  `spawnReplacementProcess()` that, on Windows, defaults to *not*
+  spawning. Instead the daemon `process.exit(1)`s and lets an external
+  supervisor restart it. Compatible supervisors:
+
+  - NSSM (Non-Sucking Service Manager).
+  - pm2-windows-startup.
+  - Windows Task Scheduler with "On failure: restart" rule.
+
+  Users who explicitly want the in-process respawn (and accept the cmd
+  popups) can opt back in with `EVOLVER_SUICIDE_WINDOWS=true`.
+
+  No behavior change on macOS/Linux.
+
+### Notes on the original report
+
+The reporter's auto-generated diagnosis attributed a separate symptom
+("`evolver buy/orders/publish` subcommands break the daemon") to lock
+contention on `evolver.pid`. That hypothesis is incorrect: subcommands
+do not call `acquireLock()` -- only `--loop` does. What the reporter
+observed was the same suicide-respawn cycle ending exactly when a
+subcommand happened to run, and the new conhost popup made it look like
+the subcommand caused it. Fixing the popup also fixes the perceived
+"daemon got killed" symptom.
+
+## [1.79.0] - 2026-05-06
+
+### Fixed
+
+- **Cycle hard-timeout watchdog (issue #19).** The daemon main loop in
+  `index.js` previously called `await evolve.run()` with no upper bound,
+  so a single hung cycle (unclosed socket, stalled LLM call, etc.) could
+  freeze the process indefinitely. One reporter observed cycle #5372
+  stuck for 22 days at 0% CPU.
+
+  `evolve.run()` is now wrapped in `Promise.race(evolvePromise,
+  cycleTimeoutPromise)`. When the timeout fires, the daemon emits a
+  `[Daemon] Cycle hard-timeout exceeded after Nms (cycle=N, phase=Y)`
+  diagnostic, force-spawns a replacement process, and exits with code 1
+  so a host wrapper observes the dead pid.
+
+  New environment variables (both opt-out, default-on):
+
+  - `EVOLVER_CYCLE_TIMEOUT_ENABLED` (default `true`).
+  - `EVOLVER_CYCLE_TIMEOUT_MS` (default `2700000`, i.e. 45 minutes).
+  - `EVOLVER_PROGRESS_UPDATE_MS` (default `60000`).
+
+### Added
+
+- **`memory/evolution/cycle_progress.json` heartbeat.** The daemon now
+  atomically writes a small JSON heartbeat at cycle start, every 60s
+  while `evolve.run()` is in flight, and again at sleep entry. External
+  watchdogs can poll `updated_at` to detect a true freeze (the file
+  stays stale for >30 minutes only when the inner event loop is
+  genuinely hung; normal long LLM cycles still refresh it via the
+  60-second ticker).
+
+  Schema:
+
+  ```json
+  { "pid": 12345, "outer_cycle": 5372, "inner_cycle": 17,
+    "started_at": 1746543112000, "phase": "evolve.run|sleep|cycle_timeout_respawn",
+    "updated_at": 1746543210000 }
+  ```
+
+  Regression tests: `test/cycleHardTimeout.test.js` (11 cases) and
+  `test/cycleProgressFile.test.js` (4 cases).
+
+
+## [1.78.9] - 2026-05-04
+
+### Fixed
+
+- **`AGENT_SESSIONS_DIR` override silently ignored (issue #527).**
+  `src/evolve.js` resolved the OpenClaw sessions directory at module
+  load time with a hard-coded `os.homedir()/.openclaw/agents/<name>/sessions`
+  path, bypassing `process.env.AGENT_SESSIONS_DIR` and
+  `EVOLVER_SESSION_SCOPE`. On Windows and any non-standard OpenClaw
+  layout (including `D:\openclaw\data\.openclaw\agents\...`), session
+  logs were never read and every cycle surfaced
+  `[NO SESSION LOGS FOUND]`, forcing the LLM to fall back to its own
+  memory and appear to "cycle emptily".
+
+  The module-level `AGENT_SESSIONS_DIR` now delegates to
+  `getAgentSessionsDir()` from `src/gep/paths.js`, which was already the
+  intended single source of truth. `diagnoseSessionSourceEmpty()` reuses
+  the same resolution when the caller does not inject a custom
+  `homedir` / `agentName` pair, so diagnostic output now matches what
+  the runtime actually reads.
+
+  `getAgentSessionsDir()` precedence, unchanged:
+  1. `process.env.AGENT_SESSIONS_DIR` (explicit override)
+  2. `workspace-<agent>` prefix in `EVOLVER_SESSION_SCOPE`
+  3. `AGENT_NAME` (defaults to `main`)
+
+  Regression test: `test/evolveSessionsDir.test.js` (8 cases).
+
+
+## [1.78.8] - 2026-05-04
+
+### Added
+
+- **Built-in memory_graph.jsonl rotation (issue #519).** Long-running
+  nodes previously accumulated multi-GB `memory/evolution/memory_graph.jsonl`
+  files; one reporter observed 1.8 GB / 378k lines after 48h. Evolver now
+  rotates the active file when it crosses a size threshold:
+  - `EVOLVER_MEMORY_GRAPH_AUTO_ROTATE` (default `true`) enables rotation.
+  - `EVOLVER_MEMORY_GRAPH_MAX_SIZE_MB` (default `100`) triggers rotation.
+  - `EVOLVER_MEMORY_GRAPH_RETENTION_COUNT` (default `7`) caps how many
+    rotated `memory_graph.jsonl.<ts>.gz` archives are kept on disk.
+  - A startup pass rotates an already-oversized file on the next evolver
+    start, so pre-existing giant files are handled automatically.
+  - Rotation checks are throttled (once every ~30s or every 100 writes)
+    so the write path stays cheap. Pruning and gzip compression run
+    best-effort and never block the write path.
+  - Regression test at `test/memoryGraphRotation.test.js`.
+
+
+## [1.78.7] - 2026-05-03
+
+### Fixed
+
+- **`EVOLVER_REPO_ROOT` set in `.env` is now honored (chicken-and-egg fix).**
+  `index.js` previously called `getRepoRoot()` to locate the `.env` file
+  before `dotenv` had a chance to populate `EVOLVER_REPO_ROOT` from that
+  very file, and `getRepoRoot()` cached the `.git`-walk result on first
+  call -- so any `EVOLVER_REPO_ROOT` declared in `.env` was silently
+  ignored and evolver ran against the wrong repository (often
+  `node_modules/@evomap/evolver` itself on local npm installs). Fix:
+  - Bootstrap now loads `.env` from `process.cwd()` first (independent
+    of any cache) so an `EVOLVER_REPO_ROOT` declared there takes effect
+    immediately.
+  - `getRepoRoot()` re-reads `process.env.EVOLVER_REPO_ROOT` on every
+    call and overrides the cache when the env var is set, so any
+    override populated by a later `.env` load propagates cleanly.
+  - Regression test at `test/paths.test.js` covers the "env set AFTER
+    first getRepoRoot call" path. Reported in #526.
+
+
+## [1.78.1] - 2026-05-02
+
+### Fixed
+
+- **Capsule publish payloads now attach a hub-shape `execution_trace` array**
+  (`src/gep/solidify.js`). Previously the trace object was only written onto
+  the sibling `EvolutionEvent`; the `Capsule` itself went out with no trace,
+  so every Capsule on the hub was flagged `trace_empty` and triggered the
+  `capsule-trace-enforce] would-reject` alert stream (~530 rejects / 15 min
+  in prod). The array form is synthesized from the existing
+  `validation.results`, `blast` and `canary` data -- no new data capture --
+  with each step carrying `stage` + `cmd` + `exit` to satisfy
+  `capsuleTraceQualityService`'s shape check. Anti-pattern publishes
+  (`EVOLVER_PUBLISH_ANTI_PATTERNS=true`) get the same treatment.
+
+### Internal
+
+- New exported helper `buildCapsuleTraceSteps(...)` in `src/gep/solidify.js`
+  with a regression test at `test/capsuleExecutionTrace.test.js` that
+  replicates the hub's shape gates, so a drift on either end breaks CI before
+  it inflates production alerts.
+
+## [1.78.0] - earlier
+
+- `evolver sync --scope` and `--export .gepx` for full-account asset
+  downloads. See `618e451`.