npm - @evomap/evolver - Versions diffs - 1.89.4 → 1.89.5 - Mend

@evomap/evolver 1.89.4 → 1.89.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

package/CONTRIBUTING.md +19 -0
package/README.md +536 -86
package/assets/cover.png +0 -0
package/index.js +87 -7
package/package.json +17 -6
package/scripts/a2a_export.js +63 -0
package/scripts/a2a_ingest.js +79 -0
package/scripts/a2a_promote.js +118 -0
package/scripts/analyze_by_skill.js +121 -0
package/scripts/build_binaries.js +479 -0
package/scripts/check-changelog.js +166 -0
package/scripts/extract_log.js +85 -0
package/scripts/generate_history.js +75 -0
package/scripts/gep_append_event.js +96 -0
package/scripts/gep_personality_report.js +234 -0
package/scripts/human_report.js +147 -0
package/scripts/recall-verify-report.js +234 -0
package/scripts/recover_loop.js +61 -0
package/scripts/refresh_stars_badge.js +168 -0
package/scripts/seed-merchants.js +91 -0
package/scripts/suggest_version.js +89 -0
package/scripts/validate-modules.js +38 -0
package/scripts/validate-suite.js +78 -0
package/skills/index.json +14 -0
package/src/adapters/scripts/_runtimePaths.js +1 -0
package/src/adapters/scripts/evolver-session-end.js +1 -0
package/src/adapters/scripts/evolver-session-start.js +1 -0
package/src/evolve/guards.js +1 -721
package/src/evolve/pipeline/collect.js +1 -1283
package/src/evolve/pipeline/dispatch.js +1 -421
package/src/evolve/pipeline/enrich.js +1 -440
package/src/evolve/pipeline/hub.js +1 -319
package/src/evolve/pipeline/select.js +1 -274
package/src/evolve/pipeline/signals.js +1 -206
package/src/evolve/utils.js +1 -264
package/src/evolve.js +1 -350
package/src/gep/a2aProtocol.js +1 -4455
package/src/gep/antiAbuseTelemetry.js +1 -233
package/src/gep/autoDistillConv.js +1 -205
package/src/gep/autoDistillLlm.js +1 -315
package/src/gep/candidateEval.js +1 -92
package/src/gep/candidates.js +1 -198
package/src/gep/contentHash.js +1 -30
package/src/gep/conversationSniffer.js +1 -266
package/src/gep/crypto.js +1 -89
package/src/gep/curriculum.js +1 -163
package/src/gep/deviceId.js +1 -218
package/src/gep/envFingerprint.js +1 -118
package/src/gep/epigenetics.js +1 -31
package/src/gep/execBridge.js +1 -711
package/src/gep/explore.js +1 -289
package/src/gep/hash.js +1 -15
package/src/gep/hubFetch.js +1 -359
package/src/gep/hubReview.js +1 -207
package/src/gep/hubSearch.js +1 -526
package/src/gep/hubVerify.js +1 -306
package/src/gep/idleScheduler.js +6 -1
package/src/gep/learningSignals.js +1 -89
package/src/gep/memoryGraph.js +1 -1374
package/src/gep/memoryGraphAdapter.js +1 -203
package/src/gep/mutation.js +1 -203
package/src/gep/narrativeMemory.js +1 -108
package/src/gep/openPRRegistry.js +1 -205
package/src/gep/personality.js +1 -423
package/src/gep/policyCheck.js +1 -599
package/src/gep/prompt.js +1 -836
package/src/gep/recallInject.js +1 -409
package/src/gep/recallVerifier.js +1 -318
package/src/gep/reflection.js +1 -177
package/src/gep/selector.js +1 -602
package/src/gep/skillDistiller.js +1 -1294
package/src/gep/solidify.js +1 -1699
package/src/gep/strategy.js +1 -136
package/src/gep/tokenSavings.js +1 -88
package/src/gep/workspaceKeychain.js +1 -174
package/src/ops/lifecycle.js +17 -4
package/src/proxy/extensions/traceControl.js +1 -99
package/src/proxy/index.js +206 -1
package/src/proxy/inject.js +1 -52
package/src/proxy/lifecycle/manager.js +12 -0
package/src/proxy/mailbox/store.js +29 -6
package/src/proxy/router/responses_route.js +157 -0
package/src/proxy/server/http.js +13 -4
package/src/proxy/server/routes.js +11 -1
package/src/proxy/sync/engine.js +7 -1
package/src/proxy/sync/outbound.js +32 -4
package/src/proxy/trace/extractor.js +1 -646
package/src/proxy/trace/usage.js +1 -105
package/.cursor/BUGBOT.md +0 -182
package/.env.example +0 -68
package/.git-commit-guard-token +0 -1
package/.github/CODEOWNERS +0 -63
package/.github/ISSUE_TEMPLATE/good_first_issue.md +0 -23
package/.github/pull_request_template.md +0 -45
package/.github/workflows/test.yml +0 -75
package/CHANGELOG.md +0 -1237
package/README.public.md +0 -569
package/SECURITY.md +0 -108
package/assets/gep/events.jsonl +0 -3
package/examples/atp-consumer-quickstart.md +0 -100
package/examples/hello-world.md +0 -38
package/proxy-package.json +0 -39
package/public.manifest.json +0 -143
/package/assets/gep/{genes.json → genes.seed.json} +0 -0
/package/{bundled-skills → skills}/_meta/SKILL.md +0 -0

package/src/proxy/mailbox/store.js CHANGED Viewed

@@ -7,6 +7,24 @@ const crypto = require('crypto');
 const DEFAULT_CHANNEL = 'evomap-hub';
 const SCHEMA_VERSION = 1;
 const PROXY_PROTOCOL_VERSION = '0.1.0';
+const PRIVATE_DIR_MODE = 0o700;
+const PRIVATE_FILE_MODE = 0o600;
+function bestEffortChmod(filePath, mode) {
+  try { fs.chmodSync(filePath, mode); } catch { /* best effort; no-op on Windows */ }
+}
+function ensurePrivateDir(dir) {
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true, mode: PRIVATE_DIR_MODE });
+  }
+  bestEffortChmod(dir, PRIVATE_DIR_MODE);
+}
+function writePrivateFile(filePath, content) {
+  fs.writeFileSync(filePath, content, { encoding: 'utf8', mode: PRIVATE_FILE_MODE });
+  bestEffortChmod(filePath, PRIVATE_FILE_MODE);
+}
 // Merge `fields` into `target` while stripping keys that can mutate the
 // prototype chain. Mailbox rows are persisted as JSONL and rebuilt on
@@ -90,8 +108,8 @@ function safeParse(payload) {
 // regular files that POSIX local filesystems do, so the removal above is
 // equally valid on Windows. No platform-specific code is needed here.
 function appendLine(filePath, obj) {
-  fs.appendFileSync(filePath, JSON.stringify(obj) + '\n', 'utf8');
-  try { fs.chmodSync(filePath, 0o600); } catch { /* best effort */ }
+  fs.appendFileSync(filePath, JSON.stringify(obj) + '\n', { encoding: 'utf8', mode: PRIVATE_FILE_MODE });
+  bestEffortChmod(filePath, PRIVATE_FILE_MODE);
 }
 function readLines(filePath) {
@@ -112,11 +130,13 @@ function readLines(filePath) {
 class MailboxStore {
   constructor(dataDir) {
     if (!dataDir) throw new Error('dataDir is required');
-    if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
+    ensurePrivateDir(dataDir);
     this.dataDir = dataDir;
     this._messagesFile = path.join(dataDir, 'messages.jsonl');
     this._stateFile = path.join(dataDir, 'state.json');
+    bestEffortChmod(this._messagesFile, PRIVATE_FILE_MODE);
+    bestEffortChmod(this._stateFile, PRIVATE_FILE_MODE);
     // in-memory indexes
     this._messages = new Map();          // id -> message object
@@ -156,7 +176,7 @@ class MailboxStore {
   _persistState() {
     const dir = path.dirname(this._stateFile);
-    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    ensurePrivateDir(dir);
     // Round-7 (§20.5): per-PID tmp path. Two evolver processes (daemon +
     // ad-hoc CLI / proxy + loop) writing to the same `${stateFile}.tmp`
     // would otherwise interleave: process B's writeFileSync truncates
@@ -167,7 +187,7 @@ class MailboxStore {
     // for 30 min..4 h" symptom this branch targets. Matches the
     // precedent set by _persistNodeSecret in src/gep/a2aProtocol.js.
     const tmp = `${this._stateFile}.${process.pid}.tmp`;
-    fs.writeFileSync(tmp, JSON.stringify(this._state, null, 2) + '\n', 'utf8');
+    writePrivateFile(tmp, JSON.stringify(this._state, null, 2) + '\n');
     // Windows: fs.renameSync throws EPERM when the destination file already
     // exists, unlike POSIX where rename(2) atomically replaces the target.
     // Remove the destination first so the rename succeeds on all platforms.
@@ -179,6 +199,7 @@ class MailboxStore {
       }
     }
     fs.renameSync(tmp, this._stateFile);
+    bestEffortChmod(this._stateFile, PRIVATE_FILE_MODE);
   }
   _rebuildIndex() {
@@ -436,11 +457,12 @@ class MailboxStore {
     }
     entries.sort((a, b) => a.created_at - b.created_at);
-    const fd = fs.openSync(tmpFile, 'w');
+    const fd = fs.openSync(tmpFile, 'w', PRIVATE_FILE_MODE);
     for (const msg of entries) {
       fs.writeSync(fd, JSON.stringify(msg) + '\n');
     }
     fs.closeSync(fd);
+    bestEffortChmod(tmpFile, PRIVATE_FILE_MODE);
     // Windows: renameSync throws EPERM when the destination already exists.
     // Remove it first so the swap succeeds on all platforms.
     if (process.platform === 'win32') {
@@ -449,6 +471,7 @@ class MailboxStore {
       }
     }
     fs.renameSync(tmpFile, this._messagesFile);
+    bestEffortChmod(this._messagesFile, PRIVATE_FILE_MODE);
     this._rebuildIndex();
   }

package/src/proxy/router/responses_route.js ADDED Viewed

@@ -0,0 +1,157 @@
+'use strict';
+const { createProxyTrace } = require('../trace/extractor');
+const OPENAI_RESPONSE_HEADER_ALLOWLIST = new Set([
+  'openai-processing-ms',
+  'openai-version',
+  'retry-after',
+  'x-request-id',
+]);
+function hasOpenAIUpstreamCredential() {
+  if (process.env.EVOMAP_OPENAI_API_KEY || process.env.OPENAI_API_KEY) return true;
+  return false;
+}
+function upstreamStatus(err, fallback = 502) {
+  const status = Number(err && err.statusCode);
+  return Number.isFinite(status) ? status : fallback;
+}
+function safeOpenAIConfigDiagnostic(err) {
+  const message = err && typeof err.message === 'string' ? err.message : '';
+  if (message.startsWith('[proxy] EVOMAP_OPENAI_BASE_URL ')) return message;
+  return '';
+}
+function asUpstreamError(err, fallback = 502) {
+  if (err && err.statusCode && /^openai upstream /.test(err.message || '')) return err;
+  const diagnostic = safeOpenAIConfigDiagnostic(err);
+  const message = diagnostic
+    ? `openai upstream request failed: ${diagnostic}`
+    : 'openai upstream request failed';
+  const out = new Error(message);
+  out.statusCode = upstreamStatus(err, fallback);
+  out.cause = err;
+  return out;
+}
+function responseToBody(raw, status, headers, log) {
+  if (!raw) return {};
+  try {
+    return JSON.parse(raw);
+  } catch {
+    log.warn?.(JSON.stringify({
+      event: 'openai_responses_fallback',
+      reason: 'upstream_non_json',
+      upstream_status: status,
+      content_type: headers && headers['content-type'] || '',
+      response_bytes: Buffer.byteLength(raw),
+    }));
+    return { error: raw };
+  }
+}
+function copyOpenAIResponseHeaders(headers = {}) {
+  const out = {};
+  for (const [name, value] of Object.entries(headers || {})) {
+    const lower = String(name || '').toLowerCase();
+    if (!OPENAI_RESPONSE_HEADER_ALLOWLIST.has(lower) && !lower.startsWith('x-ratelimit-')) continue;
+    if (value === undefined || value === null) continue;
+    const headerValue = Array.isArray(value) ? value.join(', ') : String(value);
+    if (/[\r\n]/.test(headerValue)) continue;
+    out[lower] = headerValue;
+  }
+  return out;
+}
+function buildResponsesHandler({ openAIProxy, logger, traceStore, onTraceQueued } = {}) {
+  if (typeof openAIProxy !== 'function') {
+    throw new Error('buildResponsesHandler requires openAIProxy(path, body, opts)');
+  }
+  const log = logger || console;
+  return async ({ body, headers }) => {
+    const inboundHeaders = headers || {};
+    if (!hasOpenAIUpstreamCredential()) {
+      throw Object.assign(new Error('openai api key required'), { statusCode: 401 });
+    }
+    const originalModel = body && typeof body.model === 'string' ? body.model : null;
+    let trace = null;
+    try {
+      trace = createProxyTrace({
+        route: 'POST /v1/responses',
+        headers: inboundHeaders,
+        body,
+        upstreamMode: 'openai',
+        originalModel,
+        chosenModel: originalModel,
+        store: traceStore,
+        logger: traceStore ? log : null,
+        onTraceQueued,
+      });
+    } catch (_) { /* best-effort trace; never break the request */ }
+    let upstream;
+    try {
+      upstream = await openAIProxy('/responses', body, {
+        inboundHeaders,
+        upstreamMode: 'openai',
+      });
+    } catch (err) {
+      const wrapped = asUpstreamError(err, upstreamStatus(err));
+      trace?.record({ status: wrapped.statusCode, error: wrapped, upstreamMode: 'openai', model: originalModel });
+      throw wrapped;
+    }
+    if (upstream.stream) {
+      const forwardHeaders = copyOpenAIResponseHeaders(upstream.headers);
+      const ct = upstream.headers && upstream.headers['content-type'];
+      if (ct) forwardHeaders['Content-Type'] = ct;
+      trace?.recordStreamStart({
+        status: upstream.status,
+        upstreamMode: 'openai',
+        model: originalModel,
+        headers: forwardHeaders,
+      });
+      return {
+        status: upstream.status,
+        stream: upstream.stream,
+        headers: forwardHeaders,
+      };
+    }
+    let raw = '';
+    if (upstream.text) {
+      try {
+        raw = await upstream.text();
+      } catch (err) {
+        const wrapped = asUpstreamError(err, upstreamStatus(err));
+        trace?.record({ status: wrapped.statusCode, error: wrapped, upstreamMode: 'openai', model: originalModel });
+        throw wrapped;
+      }
+    }
+    const respBody = responseToBody(raw, upstream.status, upstream.headers, log);
+    trace?.record({
+      status: upstream.status,
+      responseBody: respBody,
+      upstreamMode: 'openai',
+      model: originalModel,
+      headers: upstream.headers,
+    });
+    return {
+      status: upstream.status,
+      body: respBody,
+      headers: copyOpenAIResponseHeaders(upstream.headers),
+    };
+  };
+}
+module.exports = {
+  buildResponsesHandler,
+  copyOpenAIResponseHeaders,
+  hasOpenAIUpstreamCredential,
+  responseToBody,
+};

package/src/proxy/server/http.js CHANGED Viewed

@@ -64,12 +64,21 @@ function parseBody(req, opts) {
   });
 }
-function sendJson(res, status, body) {
+function sendJson(res, status, body, extraHeaders = {}) {
   const payload = JSON.stringify(body);
-  res.writeHead(status, {
+  const headers = {
     'Content-Type': 'application/json',
     'Content-Length': Buffer.byteLength(payload),
-  });
+  };
+  for (const [name, value] of Object.entries(extraHeaders || {})) {
+    if (value === undefined || value === null) continue;
+    const lower = String(name).toLowerCase();
+    if (lower === 'content-length' || lower === 'transfer-encoding' || lower === 'connection') continue;
+    const headerValue = Array.isArray(value) ? value.join(', ') : String(value);
+    if (/[\r\n]/.test(headerValue)) continue;
+    headers[name] = headerValue;
+  }
+  res.writeHead(status, headers);
   res.end(payload);
 }
@@ -196,7 +205,7 @@ class ProxyHttpServer {
       if (result && result.stream) {
         await this._streamResponse(res, result);
       } else {
-        sendJson(res, result.status || 200, result.body || result);
+        sendJson(res, result.status || 200, result.body || result, result.headers);
       }
     } catch (err) {
       this.logger.error(`[proxy] ${routeKey} error:`, err.message);

package/src/proxy/server/routes.js CHANGED Viewed

@@ -3,7 +3,14 @@
 const { PROXY_PROTOCOL_VERSION, SCHEMA_VERSION } = require('../mailbox/store');
 function buildRoutes(store, proxyHandlers, taskMonitor, extensions) {
-  const { dmHandler, skillUpdater, getHubMailboxStatus, sessionHandler, messagesHandler } = extensions || {};
+  const {
+    dmHandler,
+    skillUpdater,
+    getHubMailboxStatus,
+    sessionHandler,
+    messagesHandler,
+    responsesHandler,
+  } = extensions || {};
   const routes = {
     // -- Mailbox --
     'POST /mailbox/send': async ({ body }) => {
@@ -466,6 +473,9 @@ function buildRoutes(store, proxyHandlers, taskMonitor, extensions) {
   if (messagesHandler) {
     routes['POST /v1/messages'] = messagesHandler;
   }
+  if (responsesHandler) {
+    routes['POST /v1/responses'] = responsesHandler;
+  }
   return routes;
 }

package/src/proxy/sync/engine.js CHANGED Viewed

@@ -8,13 +8,14 @@ const DEFAULT_OUTBOUND_INTERVAL = 5_000;
 const IDLE_THRESHOLD = 5 * 60_000;
 class SyncEngine {
-  constructor({ store, hubUrl, getHeaders, logger, onInboundReceived, onAuthError }) {
+  constructor({ store, hubUrl, getHeaders, logger, onInboundReceived, onAuthError, onOutboundFlushed }) {
     this.store = store;
     this.hubUrl = hubUrl;
     this.logger = logger || console;
     this.getHeaders = getHeaders;
     this.onInboundReceived = onInboundReceived || null;
     this.onAuthError = onAuthError || null;
+    this.onOutboundFlushed = onOutboundFlushed || null;
     this.outbound = new OutboundSync({ store, hubUrl, getHeaders, logger });
     this.inbound = new InboundSync({ store, hubUrl, getHeaders, logger });
@@ -82,6 +83,11 @@ class SyncEngine {
         try {
           const result = await this.outbound.flush();
           if (result.sent > 0) this._lastActivity = Date.now();
+          if ((result.sent > 0 || result.dropped > 0) && typeof this.onOutboundFlushed === 'function') {
+            try { this.onOutboundFlushed(result); } catch (e) {
+              this.logger.warn?.('[sync] onOutboundFlushed callback failed:', e.message);
+            }
+          }
         } catch (err) {
           if (err instanceof AuthError) {
             await this._handleAuthError('outbound');

package/src/proxy/sync/outbound.js CHANGED Viewed

@@ -2,6 +2,7 @@
 const { PROXY_PROTOCOL_VERSION } = require('../mailbox/store');
 const { AuthError } = require('../lifecycle/manager');
+const { isProxyTraceUploadPayloadAllowed, resolveTraceMode } = require('../trace/extractor');
 const { hubFetch } = require('../../gep/hubFetch');
 const MAX_BATCH = 50;
@@ -16,8 +17,31 @@ class OutboundSync {
   }
   async flush(channel = 'evomap-hub') {
-    const pending = this.store.pollOutbound({ channel, limit: MAX_BATCH });
-    if (pending.length === 0) return { sent: 0 };
+    const pendingBatch = this.store.pollOutbound({ channel, limit: MAX_BATCH });
+    if (pendingBatch.length === 0) return { sent: 0 };
+    let pending = pendingBatch;
+    const rejectedTraceUploads = [];
+    const traceUploadEnabled = resolveTraceMode(process.env, { store: this.store });
+    for (const m of pendingBatch) {
+      if (m.type !== 'proxy_trace') continue;
+      if (!traceUploadEnabled) {
+        rejectedTraceUploads.push({ id: m.id, error: 'proxy trace upload disabled' });
+      } else if (!isProxyTraceUploadPayloadAllowed(m.payload, process.env)) {
+        rejectedTraceUploads.push({ id: m.id, error: 'proxy trace payload rejected' });
+      }
+    }
+    if (rejectedTraceUploads.length > 0) {
+      this.store.updateStatusBatch(rejectedTraceUploads.map(m => ({
+        id: m.id,
+        status: 'rejected',
+        error: m.error,
+      })));
+      const rejectedIds = new Set(rejectedTraceUploads.map(m => m.id));
+      pending = pendingBatch.filter(m => !rejectedIds.has(m.id));
+      if (pending.length === 0) return { sent: 0, dropped: rejectedTraceUploads.length };
+    }
+    const dropped = rejectedTraceUploads.length;
     const endpoint = `${this.hubUrl}/a2a/mailbox/outbound`;
@@ -83,14 +107,18 @@ class OutboundSync {
       if (inboundMessages.length > 0) this.store.writeInboundBatch(inboundMessages);
       this.store.setState('last_sync_at', new Date().toISOString());
-      return { sent: pending.length, synced: updates.length, responses: inboundMessages.length };
+      const result = { sent: pending.length, synced: updates.length, responses: inboundMessages.length };
+      if (dropped > 0) result.dropped = dropped;
+      return result;
     } catch (err) {
       if (err instanceof AuthError) throw err;
       this.logger.error(`[outbound] flush failed: ${err.message}`);
       for (const m of pending) {
         this.store.incrementRetry(m.id, err.message);
       }
-      return { sent: 0, error: err.message };
+      const result = { sent: 0, error: err.message };
+      if (dropped > 0) result.dropped = dropped;
+      return result;
     }
   }
 }