npm - @evomap/evolver - Versions diffs - 1.89.4 → 1.89.5 - Mend

@evomap/evolver 1.89.4 → 1.89.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

package/CONTRIBUTING.md +19 -0
package/README.md +536 -86
package/assets/cover.png +0 -0
package/index.js +87 -7
package/package.json +17 -6
package/scripts/a2a_export.js +63 -0
package/scripts/a2a_ingest.js +79 -0
package/scripts/a2a_promote.js +118 -0
package/scripts/analyze_by_skill.js +121 -0
package/scripts/build_binaries.js +479 -0
package/scripts/check-changelog.js +166 -0
package/scripts/extract_log.js +85 -0
package/scripts/generate_history.js +75 -0
package/scripts/gep_append_event.js +96 -0
package/scripts/gep_personality_report.js +234 -0
package/scripts/human_report.js +147 -0
package/scripts/recall-verify-report.js +234 -0
package/scripts/recover_loop.js +61 -0
package/scripts/refresh_stars_badge.js +168 -0
package/scripts/seed-merchants.js +91 -0
package/scripts/suggest_version.js +89 -0
package/scripts/validate-modules.js +38 -0
package/scripts/validate-suite.js +78 -0
package/skills/index.json +14 -0
package/src/adapters/scripts/_runtimePaths.js +1 -0
package/src/adapters/scripts/evolver-session-end.js +1 -0
package/src/adapters/scripts/evolver-session-start.js +1 -0
package/src/evolve/guards.js +1 -721
package/src/evolve/pipeline/collect.js +1 -1283
package/src/evolve/pipeline/dispatch.js +1 -421
package/src/evolve/pipeline/enrich.js +1 -440
package/src/evolve/pipeline/hub.js +1 -319
package/src/evolve/pipeline/select.js +1 -274
package/src/evolve/pipeline/signals.js +1 -206
package/src/evolve/utils.js +1 -264
package/src/evolve.js +1 -350
package/src/gep/a2aProtocol.js +1 -4455
package/src/gep/antiAbuseTelemetry.js +1 -233
package/src/gep/autoDistillConv.js +1 -205
package/src/gep/autoDistillLlm.js +1 -315
package/src/gep/candidateEval.js +1 -92
package/src/gep/candidates.js +1 -198
package/src/gep/contentHash.js +1 -30
package/src/gep/conversationSniffer.js +1 -266
package/src/gep/crypto.js +1 -89
package/src/gep/curriculum.js +1 -163
package/src/gep/deviceId.js +1 -218
package/src/gep/envFingerprint.js +1 -118
package/src/gep/epigenetics.js +1 -31
package/src/gep/execBridge.js +1 -711
package/src/gep/explore.js +1 -289
package/src/gep/hash.js +1 -15
package/src/gep/hubFetch.js +1 -359
package/src/gep/hubReview.js +1 -207
package/src/gep/hubSearch.js +1 -526
package/src/gep/hubVerify.js +1 -306
package/src/gep/idleScheduler.js +6 -1
package/src/gep/learningSignals.js +1 -89
package/src/gep/memoryGraph.js +1 -1374
package/src/gep/memoryGraphAdapter.js +1 -203
package/src/gep/mutation.js +1 -203
package/src/gep/narrativeMemory.js +1 -108
package/src/gep/openPRRegistry.js +1 -205
package/src/gep/personality.js +1 -423
package/src/gep/policyCheck.js +1 -599
package/src/gep/prompt.js +1 -836
package/src/gep/recallInject.js +1 -409
package/src/gep/recallVerifier.js +1 -318
package/src/gep/reflection.js +1 -177
package/src/gep/selector.js +1 -602
package/src/gep/skillDistiller.js +1 -1294
package/src/gep/solidify.js +1 -1699
package/src/gep/strategy.js +1 -136
package/src/gep/tokenSavings.js +1 -88
package/src/gep/workspaceKeychain.js +1 -174
package/src/ops/lifecycle.js +17 -4
package/src/proxy/extensions/traceControl.js +1 -99
package/src/proxy/index.js +206 -1
package/src/proxy/inject.js +1 -52
package/src/proxy/lifecycle/manager.js +12 -0
package/src/proxy/mailbox/store.js +29 -6
package/src/proxy/router/responses_route.js +157 -0
package/src/proxy/server/http.js +13 -4
package/src/proxy/server/routes.js +11 -1
package/src/proxy/sync/engine.js +7 -1
package/src/proxy/sync/outbound.js +32 -4
package/src/proxy/trace/extractor.js +1 -646
package/src/proxy/trace/usage.js +1 -105
package/.cursor/BUGBOT.md +0 -182
package/.env.example +0 -68
package/.git-commit-guard-token +0 -1
package/.github/CODEOWNERS +0 -63
package/.github/ISSUE_TEMPLATE/good_first_issue.md +0 -23
package/.github/pull_request_template.md +0 -45
package/.github/workflows/test.yml +0 -75
package/CHANGELOG.md +0 -1237
package/README.public.md +0 -569
package/SECURITY.md +0 -108
package/assets/gep/events.jsonl +0 -3
package/examples/atp-consumer-quickstart.md +0 -100
package/examples/hello-world.md +0 -38
package/proxy-package.json +0 -39
package/public.manifest.json +0 -143
/package/assets/gep/{genes.json → genes.seed.json} +0 -0
/package/{bundled-skills → skills}/_meta/SKILL.md +0 -0

package/src/proxy/trace/usage.js CHANGED Viewed

@@ -1,105 +1 @@
-'use strict';
-// Per-run token-usage rollup over the proxy trace log.
-//
-// The local proxy (src/proxy) meters real Anthropic input/output tokens for
-// every Hand /v1/messages call into proxy-traces.jsonl. This reads that log
-// back -- decrypting encrypted rows with the local EvoMap node secret -- and
-// sums the real tokens spent within a time window, giving solidify the
-// MEASURED cost of a derive loop.
-//
-// Best-effort by design: returns measured:false (and never throws) when the
-// proxy was inactive, the node secret is missing, no rows fall in the window,
-// or the in-window rows carried no usage (e.g. streamed-but-unobserved calls).
-// Callers fall back to a grounded estimate in that case.
-const fs = require('fs');
-const {
-  resolveTraceFile,
-  resolveEvomapNodeSecret,
-  decryptTraceEnvelope,
-} = require('./extractor');
-const EMPTY = Object.freeze({
-  input_tokens: 0,
-  output_tokens: 0,
-  total_tokens: 0,
-  calls: 0,
-  measured: false,
-});
-function _rowTimestampMs(row) {
-  const iso = row && (row.timestamp || row.createdAtIso);
-  if (iso) {
-    const ms = Date.parse(iso);
-    if (Number.isFinite(ms)) return ms;
-  }
-  // createdAt is unix seconds in the Prism trace shape.
-  if (row && Number.isFinite(Number(row.createdAt))) return Number(row.createdAt) * 1000;
-  return null;
-}
-/**
- * Sum the real token usage the proxy recorded within a run's time window.
- *
- * @param {object} opts
- * @param {string} opts.sinceIso - REQUIRED lower bound (e.g. last_run.created_at).
- *   Without a window we cannot attribute traces to this run, so we report
- *   unmeasured rather than summing unrelated calls.
- * @param {string} [opts.untilIso] - upper bound; defaults to now.
- * @returns {{input_tokens:number,output_tokens:number,total_tokens:number,calls:number,measured:boolean}}
- */
-function sumRunUsage(opts = {}) {
-  const sinceMs = opts && opts.sinceIso != null ? Date.parse(opts.sinceIso) : NaN;
-  if (!Number.isFinite(sinceMs)) return { ...EMPTY };
-  const untilMs = opts && opts.untilIso != null && Number.isFinite(Date.parse(opts.untilIso))
-    ? Date.parse(opts.untilIso)
-    : Date.now();
-  let raw;
-  try {
-    const file = resolveTraceFile();
-    if (!fs.existsSync(file)) return { ...EMPTY };
-    raw = fs.readFileSync(file, 'utf8');
-  } catch (_) {
-    return { ...EMPTY };
-  }
-  let secret = null;
-  try { secret = resolveEvomapNodeSecret(); } catch (_) { secret = null; }
-  let input = 0;
-  let output = 0;
-  let calls = 0;
-  for (const line of raw.split('\n')) {
-    const s = line.trim();
-    if (!s) continue;
-    let row;
-    try { row = JSON.parse(s); } catch (_) { continue; }
-    if (row && row.encrypted) {
-      if (!secret) continue; // cannot decrypt -> treat as unobserved
-      try { row = decryptTraceEnvelope(row, secret); } catch (_) { continue; }
-    }
-    if (!row || typeof row !== 'object') continue;
-    const ms = _rowTimestampMs(row);
-    if (ms == null || ms < sinceMs || ms > untilMs) continue;
-    const i = Number(row.input_tokens);
-    const o = Number(row.output_tokens);
-    const hasI = Number.isFinite(i) && i > 0;
-    const hasO = Number.isFinite(o) && o > 0;
-    if (hasI) input += i;
-    if (hasO) output += o;
-    if (hasI || hasO) calls += 1;
-  }
-  if (calls === 0) return { ...EMPTY };
-  return {
-    input_tokens: input,
-    output_tokens: output,
-    total_tokens: input + output,
-    calls,
-    measured: true,
-  };
-}
-module.exports = { sumRunUsage };
+const _0x13ba93=_0xde69;(function(_0xef3b70,_0x5e4fff){const _0x341a92=_0xde69,_0x3173d7=_0xef3b70();while(!![]){try{const _0x55b339=parseInt(_0x341a92(0xc4,'\x6d\x38\x7a\x68'))/(-0x1*-0x6dc+0xde6+-0x14c1)+-parseInt(_0x341a92(0xf5,'\x4b\x2a\x47\x7a'))/(-0x2*0x6c7+0x1*0x464+-0x2*-0x496)*(-parseInt(_0x341a92(0xc1,'\x45\x32\x49\x47'))/(0x1091*0x1+0x2b*0x56+-0x20*0xf8))+-parseInt(_0x341a92(0xd9,'\x23\x45\x29\x41'))/(0x58b*-0x6+-0xd5b+0x2ea1)+-parseInt(_0x341a92(0xe4,'\x6b\x6c\x58\x25'))/(0x4*-0x3be+-0xf1d+0x1e1a)+-parseInt(_0x341a92(0x116,'\x42\x68\x6c\x42'))/(0x2*-0x13+-0x2*0xa2d+0x1486)*(-parseInt(_0x341a92(0xf4,'\x42\x5e\x44\x42'))/(0x122f+0x14*0xbc+-0x20d8))+parseInt(_0x341a92(0xca,'\x55\x54\x59\x26'))/(0x10be+-0xa3a+0xa6*-0xa)+parseInt(_0x341a92(0xce,'\x49\x76\x31\x36'))/(0x1*-0x783+0x19*-0x3b+-0x1*-0xd4f);if(_0x55b339===_0x5e4fff)break;else _0x3173d7['push'](_0x3173d7['shift']());}catch(_0x490565){_0x3173d7['push'](_0x3173d7['shift']());}}}(_0x38c9,-0xdc*0x54b+0x2*0x340d7+0x5e1f3));const _0x370a1a=(function(){let _0x1fdf8d=!![];return function(_0x453e21,_0x1f477c){const _0x4f3dd4=_0x1fdf8d?function(){if(_0x1f477c){const _0x126b45=_0x1f477c['\x61\x70\x70\x6c\x79'](_0x453e21,arguments);return _0x1f477c=null,_0x126b45;}}:function(){};return _0x1fdf8d=![],_0x4f3dd4;};}()),_0x2f4f59=_0x370a1a(this,function(){const _0x165783=_0xde69,_0x39aff5={};_0x39aff5['\x61\x77\x56\x6f\x77']=_0x165783(0x115,'\x5b\x52\x6e\x66')+_0x165783(0x102,'\x6e\x78\x58\x47');const _0x5d224b=_0x39aff5;return _0x2f4f59[_0x165783(0xcd,'\x6f\x49\x63\x66')]()[_0x165783(0xe5,'\x75\x2a\x66\x28')](_0x5d224b[_0x165783(0x114,'\x6e\x78\x58\x47')])[_0x165783(0x113,'\x68\x49\x72\x25')]()[_0x165783(0xd3,'\x69\x54\x7a\x28')+_0x165783(0xe0,'\x6a\x33\x54\x46')](_0x2f4f59)[_0x165783(0x10b,'\x5b\x52\x6e\x66')](_0x5d224b[_0x165783(0x106,'\x68\x49\x72\x25')]);});_0x2f4f59();'use strict';const _0x2ac54e=require('\x66\x73'),{resolveTraceFile:_0x30cc1a,resolveEvomapNodeSecret:_0x1e0093,decryptTraceEnvelope:_0x1ca63a}=require(_0x13ba93(0xf1,'\x49\x76\x31\x36')+'\x74\x6f\x72'),_0xabd4f1={};function _0xde69(_0x1ca99e,_0x581c37){_0x1ca99e=_0x1ca99e-(0x1925+-0x165a+0x1*-0x20e);const _0x8c0f58=_0x38c9();let _0x18bb3d=_0x8c0f58[_0x1ca99e];if(_0xde69['\x4e\x4e\x6f\x57\x7a\x66']===undefined){var _0x30b487=function(_0x5b6ca6){const _0x53d8b1='\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2b\x2f\x3d';let _0x2ef9ab='',_0x584e04='',_0x31e485=_0x2ef9ab+_0x30b487,_0x53480f=(''+function(){return 0x175*-0x13+0x540+0x166f;})['\x69\x6e\x64\x65\x78\x4f\x66']('\x0a')!==-(0x1*0x253d+-0x155f+-0x1*0xfdd);for(let _0x1c28ea=0x24a*-0x8+-0x73a+-0x7*-0x3a6,_0x51d5f1,_0x5811e0,_0x3ecca7=0x1c25+0x11d1+-0x2df6;_0x5811e0=_0x5b6ca6['\x63\x68\x61\x72\x41\x74'](_0x3ecca7++);~_0x5811e0&&(_0x51d5f1=_0x1c28ea%(0x5*0x1f6+0x1*0x49a+-0xe64)?_0x51d5f1*(0x1f74+0x16*0x9d+0x2*-0x1659)+_0x5811e0:_0x5811e0,_0x1c28ea++%(0xc5b*-0x1+-0x1*-0x2529+-0x18ca))?_0x2ef9ab+=_0x53480f||_0x31e485['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'](_0x3ecca7+(0x642+0xf07+-0x153f*0x1))-(0x95*0x36+-0x1*0x87+-0x1edd*0x1)!==-0xe07+0x7ed*-0x1+-0xafa*-0x2?String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'](0x22ed+0x2*-0x7bf+-0x1270&_0x51d5f1>>(-(0x3*0xbb3+-0xad5+-0x36*0x73)*_0x1c28ea&-0x5df+0xd4e+-0x769*0x1)):_0x1c28ea:0xa7e+-0x2*-0x82f+-0x17e*0x12){_0x5811e0=_0x53d8b1['\x69\x6e\x64\x65\x78\x4f\x66'](_0x5811e0);}for(let _0x1bf327=0xea9+-0xa11+-0x498,_0x36adc2=_0x2ef9ab['\x6c\x65\x6e\x67\x74\x68'];_0x1bf327<_0x36adc2;_0x1bf327++){_0x584e04+='\x25'+('\x30\x30'+_0x2ef9ab['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'](_0x1bf327)['\x74\x6f\x53\x74\x72\x69\x6e\x67'](0xe58+0x53*-0x4+0x3*-0x454))['\x73\x6c\x69\x63\x65'](-(-0x1c1*0x10+-0x1*0x2176+0x3d88));}return decodeURIComponent(_0x584e04);};const _0x21b0c8=function(_0x2e37df,_0x545c60){let _0x2671a7=[],_0x15f836=-0x3*0x412+0x107e+-0x1*0x448,_0x52faf9,_0x2942bd='';_0x2e37df=_0x30b487(_0x2e37df);let _0x34ede4;for(_0x34ede4=0x421*0x7+-0x45d*-0x5+-0x32b8;_0x34ede4<-0x39a*0x5+-0x51e*-0x4+-0x176;_0x34ede4++){_0x2671a7[_0x34ede4]=_0x34ede4;}for(_0x34ede4=-0x4a4+-0xf*-0x1e2+-0x179a;_0x34ede4<-0xb31*0x1+-0x2539+0x316a;_0x34ede4++){_0x15f836=(_0x15f836+_0x2671a7[_0x34ede4]+_0x545c60['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'](_0x34ede4%_0x545c60['\x6c\x65\x6e\x67\x74\x68']))%(0x1281*0x1+-0x5*-0x45d+-0x2752),_0x52faf9=_0x2671a7[_0x34ede4],_0x2671a7[_0x34ede4]=_0x2671a7[_0x15f836],_0x2671a7[_0x15f836]=_0x52faf9;}_0x34ede4=0x1321+0x5*0x1f9+-0x1cfe,_0x15f836=-0x1*-0x1167+-0x23ee+0x1287;for(let _0x4ec224=-0x58d+0x20c4+-0x1b37;_0x4ec224<_0x2e37df['\x6c\x65\x6e\x67\x74\x68'];_0x4ec224++){_0x34ede4=(_0x34ede4+(0x2375+0x19fa+0x147a*-0x3))%(0x1d1f+0x3e8+-0x2007),_0x15f836=(_0x15f836+_0x2671a7[_0x34ede4])%(0x1*-0x80f+0x1cee*0x1+-0x13df),_0x52faf9=_0x2671a7[_0x34ede4],_0x2671a7[_0x34ede4]=_0x2671a7[_0x15f836],_0x2671a7[_0x15f836]=_0x52faf9,_0x2942bd+=String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'](_0x2e37df['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'](_0x4ec224)^_0x2671a7[(_0x2671a7[_0x34ede4]+_0x2671a7[_0x15f836])%(-0x1*0x22d5+0xbbf*-0x2+0x3b53)]);}return _0x2942bd;};_0xde69['\x45\x4a\x46\x74\x4f\x51']=_0x21b0c8,_0xde69['\x67\x52\x6e\x6c\x4a\x6c']={},_0xde69['\x4e\x4e\x6f\x57\x7a\x66']=!![];}const _0x35d675=_0x8c0f58[0x1052+0x6bb*0x1+-0x7af*0x3],_0x36e751=_0x1ca99e+_0x35d675,_0x22405e=_0xde69['\x67\x52\x6e\x6c\x4a\x6c'][_0x36e751];if(!_0x22405e){if(_0xde69['\x66\x71\x6c\x4c\x63\x59']===undefined){const _0x42bfca=function(_0xcc0c17){this['\x51\x52\x74\x6d\x4e\x70']=_0xcc0c17,this['\x73\x6c\x54\x5a\x48\x6d']=[0x2490+-0x5*-0xfc+0x1*-0x297b,-0xf06+0x502*0x5+-0xa04,0xd7a+-0xd0e+-0x6c],this['\x7a\x6e\x6c\x59\x47\x7a']=function(){return'\x6e\x65\x77\x53\x74\x61\x74\x65';},this['\x50\x47\x68\x53\x75\x44']='\x5c\x77\x2b\x20\x2a\x5c\x28\x5c\x29\x20\x2a\x7b\x5c\x77\x2b\x20\x2a',this['\x4a\x64\x7a\x58\x71\x6f']='\x5b\x27\x7c\x22\x5d\x2e\x2b\x5b\x27\x7c\x22\x5d\x3b\x3f\x20\x2a\x7d';};_0x42bfca['\x70\x72\x6f\x74\x6f\x74\x79\x70\x65']['\x68\x76\x58\x6d\x45\x73']=function(){const _0x600d2f=new RegExp(this['\x50\x47\x68\x53\x75\x44']+this['\x4a\x64\x7a\x58\x71\x6f']),_0x4e66c2=_0x600d2f['\x74\x65\x73\x74'](this['\x7a\x6e\x6c\x59\x47\x7a']['\x74\x6f\x53\x74\x72\x69\x6e\x67']())?--this['\x73\x6c\x54\x5a\x48\x6d'][-0xc15*-0x3+-0x1c*-0x12+-0x2636]:--this['\x73\x6c\x54\x5a\x48\x6d'][0x242f+0x1daa+0x3*-0x15f3];return this['\x71\x69\x6e\x4d\x4e\x66'](_0x4e66c2);},_0x42bfca['\x70\x72\x6f\x74\x6f\x74\x79\x70\x65']['\x71\x69\x6e\x4d\x4e\x66']=function(_0x109051){if(!Boolean(~_0x109051))return _0x109051;return this['\x73\x59\x67\x65\x69\x49'](this['\x51\x52\x74\x6d\x4e\x70']);},_0x42bfca['\x70\x72\x6f\x74\x6f\x74\x79\x70\x65']['\x73\x59\x67\x65\x69\x49']=function(_0x59201d){for(let _0x22fd80=-0x63+0x83*0xb+-0x3d*0x16,_0x2129d1=this['\x73\x6c\x54\x5a\x48\x6d']['\x6c\x65\x6e\x67\x74\x68'];_0x22fd80<_0x2129d1;_0x22fd80++){this['\x73\x6c\x54\x5a\x48\x6d']['\x70\x75\x73\x68'](Math['\x72\x6f\x75\x6e\x64'](Math['\x72\x61\x6e\x64\x6f\x6d']())),_0x2129d1=this['\x73\x6c\x54\x5a\x48\x6d']['\x6c\x65\x6e\x67\x74\x68'];}return _0x59201d(this['\x73\x6c\x54\x5a\x48\x6d'][-0x1aa9+-0x572+0x201b]);},(''+function(){return-0x2527*0x1+0x17b*0x11+0x1*0xbfc;})['\x69\x6e\x64\x65\x78\x4f\x66']('\x0a')===-(-0xe*-0x189+-0x1ec7*0x1+0x94a)&&new _0x42bfca(_0xde69)['\x68\x76\x58\x6d\x45\x73'](),_0xde69['\x66\x71\x6c\x4c\x63\x59']=!![];}_0x18bb3d=_0xde69['\x45\x4a\x46\x74\x4f\x51'](_0x18bb3d,_0x581c37),_0xde69['\x67\x52\x6e\x6c\x4a\x6c'][_0x36e751]=_0x18bb3d;}else _0x18bb3d=_0x22405e;return _0x18bb3d;}_0xabd4f1[_0x13ba93(0xe7,'\x6f\x49\x63\x66')+_0x13ba93(0xcf,'\x65\x48\x5a\x50')]=0x0,_0xabd4f1['\x6f\x75\x74\x70\x75\x74\x5f\x74'+_0x13ba93(0x105,'\x72\x25\x43\x63')]=0x0,_0xabd4f1[_0x13ba93(0xc6,'\x45\x32\x49\x47')+_0x13ba93(0xdc,'\x4c\x4d\x26\x35')]=0x0,_0xabd4f1[_0x13ba93(0xe8,'\x6f\x31\x55\x46')]=0x0,_0xabd4f1['\x6d\x65\x61\x73\x75\x72\x65\x64']=![];const _0x163b2e=Object[_0x13ba93(0x103,'\x51\x4e\x76\x70')](_0xabd4f1);function _0x38c9(){const _0x2b0474=['\x57\x34\x47\x2f\x57\x52\x75\x56\x6a\x43\x6f\x72\x57\x50\x6e\x78','\x57\x50\x6e\x52\x57\x34\x78\x63\x56\x77\x69','\x57\x37\x4c\x42\x76\x61\x72\x41','\x77\x76\x52\x64\x52\x43\x6f\x4e\x73\x72\x52\x63\x48\x63\x64\x63\x52\x53\x6f\x51\x57\x4f\x2f\x64\x47\x57','\x42\x4e\x69\x78','\x63\x33\x46\x64\x54\x6d\x6b\x43\x77\x57','\x79\x61\x46\x64\x48\x72\x70\x63\x55\x57','\x68\x4c\x52\x64\x4b\x6d\x6b\x61\x42\x61','\x57\x51\x62\x48\x68\x63\x57\x73','\x57\x36\x76\x68\x57\x50\x6c\x63\x4b\x30\x6a\x7a\x68\x33\x65','\x57\x52\x33\x64\x50\x33\x61\x42\x6a\x62\x39\x74\x57\x51\x6d','\x57\x50\x64\x64\x51\x53\x6f\x65\x77\x71','\x57\x36\x35\x43\x79\x48\x54\x30\x71\x57','\x57\x36\x7a\x79\x77\x59\x39\x45','\x57\x37\x34\x4f\x6d\x32\x56\x63\x56\x71','\x57\x50\x64\x63\x48\x4e\x35\x65\x57\x52\x61','\x41\x4c\x78\x64\x4c\x65\x6d\x6b\x44\x68\x52\x64\x51\x71','\x57\x52\x46\x64\x50\x4c\x6d\x74\x70\x48\x6e\x64\x57\x4f\x43','\x44\x43\x6f\x35\x57\x4f\x70\x64\x4e\x6d\x6f\x49','\x71\x38\x6f\x5a\x57\x50\x74\x64\x55\x68\x72\x4b\x57\x36\x2f\x64\x4e\x61','\x57\x35\x69\x50\x57\x50\x69\x30\x6b\x6d\x6f\x71','\x57\x37\x6e\x42\x57\x4f\x70\x63\x4d\x31\x50\x31\x63\x66\x38','\x57\x37\x48\x2f\x57\x52\x68\x63\x4e\x48\x46\x63\x49\x78\x50\x5a','\x62\x59\x5a\x64\x47\x62\x52\x63\x51\x68\x33\x63\x4f\x57\x75','\x57\x4f\x69\x6e\x77\x38\x6f\x33\x57\x36\x7a\x69\x64\x43\x6b\x30\x57\x52\x31\x75\x57\x4f\x56\x63\x55\x43\x6f\x6e','\x75\x6d\x6f\x30\x57\x50\x5a\x64\x49\x43\x6f\x2f\x57\x37\x42\x63\x4b\x30\x34','\x57\x52\x76\x36\x6d\x71\x4b\x72','\x75\x6d\x6b\x4e\x57\x35\x52\x63\x51\x61\x30','\x57\x4f\x78\x63\x4e\x4e\x54\x46\x57\x52\x75\x4c\x6a\x6d\x6b\x41','\x57\x35\x52\x63\x54\x6d\x6b\x35\x65\x4e\x6d','\x57\x4f\x4c\x4b\x57\x35\x54\x4f\x79\x6d\x6b\x72\x57\x34\x57\x42','\x6d\x6d\x6f\x44\x57\x37\x43\x36\x73\x73\x72\x50\x70\x30\x34','\x64\x43\x6f\x66\x67\x38\x6f\x69\x69\x48\x66\x52\x6f\x57','\x57\x36\x5a\x63\x54\x62\x4e\x63\x54\x6d\x6f\x52','\x57\x37\x35\x78\x62\x43\x6b\x74\x57\x51\x75','\x57\x34\x4a\x63\x51\x53\x6b\x62\x68\x4d\x66\x65\x57\x36\x42\x64\x50\x61','\x57\x51\x37\x64\x4f\x53\x6b\x30\x57\x36\x6e\x4c\x57\x36\x4e\x64\x4f\x32\x34','\x69\x6d\x6f\x57\x57\x52\x4e\x64\x4f\x59\x39\x78\x57\x36\x64\x64\x49\x61','\x71\x68\x6c\x63\x4e\x65\x52\x64\x54\x75\x68\x63\x4e\x58\x37\x64\x48\x73\x4c\x47','\x57\x4f\x52\x64\x54\x33\x69\x59\x61\x71','\x57\x51\x76\x5a\x68\x6d\x6b\x68\x57\x35\x42\x64\x4b\x38\x6f\x72\x57\x52\x53\x48\x57\x50\x33\x63\x55\x38\x6f\x6d','\x45\x38\x6b\x30\x57\x51\x4e\x64\x47\x73\x6e\x32\x57\x35\x68\x64\x4e\x47','\x7a\x53\x6b\x4f\x57\x50\x56\x64\x49\x73\x66\x61\x57\x35\x68\x64\x4c\x61','\x57\x4f\x4e\x64\x54\x38\x6f\x46\x67\x4e\x6a\x50\x57\x35\x52\x64\x48\x43\x6f\x78','\x57\x51\x6d\x64\x65\x67\x34\x4b\x57\x35\x78\x64\x48\x68\x66\x69\x6b\x76\x79','\x67\x5a\x2f\x64\x4c\x67\x61\x41','\x77\x4c\x70\x64\x51\x43\x6f\x4e\x73\x62\x78\x64\x4c\x47\x68\x63\x52\x53\x6f\x54\x57\x50\x6c\x64\x4b\x73\x4b','\x57\x50\x78\x63\x4c\x38\x6f\x53\x57\x50\x58\x57\x66\x71\x31\x48','\x65\x74\x33\x64\x48\x57\x52\x63\x55\x75\x46\x63\x47\x58\x6d','\x65\x6d\x6b\x6f\x57\x4f\x78\x64\x50\x43\x6f\x66\x6a\x38\x6f\x33\x57\x52\x75','\x57\x34\x61\x34\x57\x36\x66\x72\x57\x52\x37\x64\x48\x57\x78\x64\x52\x38\x6b\x52\x63\x38\x6f\x7a\x57\x4f\x6c\x64\x55\x57','\x68\x59\x64\x64\x47\x61\x4f','\x65\x74\x33\x64\x4e\x48\x42\x63\x56\x30\x64\x63\x4f\x57','\x57\x50\x48\x43\x57\x51\x61\x58\x57\x35\x38','\x57\x36\x47\x33\x44\x31\x38','\x57\x37\x34\x53\x46\x58\x74\x64\x49\x49\x4e\x63\x54\x43\x6f\x63','\x57\x37\x5a\x64\x4a\x6d\x6b\x71\x63\x6d\x6b\x70\x6e\x67\x6a\x56\x57\x51\x68\x63\x51\x43\x6f\x6e\x41\x43\x6b\x79','\x57\x4f\x34\x74\x6a\x66\x69\x42','\x76\x38\x6b\x71\x57\x36\x6c\x63\x4d\x74\x66\x62\x6e\x6d\x6f\x52','\x76\x6d\x6b\x56\x57\x4f\x56\x64\x56\x59\x61','\x41\x33\x47\x6f\x57\x51\x4b','\x63\x53\x6f\x73\x57\x51\x46\x64\x4e\x33\x75\x68\x77\x38\x6f\x4f\x78\x4a\x71\x34\x45\x4e\x6d','\x57\x51\x74\x64\x50\x38\x6b\x59\x57\x37\x39\x56','\x57\x52\x42\x64\x52\x66\x71\x38\x6f\x57','\x57\x51\x68\x63\x4d\x43\x6f\x6f\x74\x57','\x7a\x4b\x46\x63\x49\x67\x2f\x63\x4e\x57','\x66\x6d\x6b\x61\x57\x51\x74\x64\x4f\x53\x6f\x73','\x6d\x73\x34\x6e\x57\x51\x47','\x74\x6d\x6f\x67\x70\x61','\x66\x6d\x6f\x78\x6c\x38\x6f\x73\x6b\x71','\x57\x51\x66\x2f\x57\x36\x4b','\x57\x4f\x6e\x55\x57\x51\x75\x72\x57\x36\x38','\x68\x53\x6b\x59\x57\x36\x68\x63\x50\x73\x53\x36\x57\x51\x37\x64\x52\x43\x6b\x57\x44\x64\x42\x63\x49\x43\x6f\x79','\x57\x37\x4a\x63\x56\x64\x30\x67\x65\x31\x47','\x6b\x4b\x56\x64\x4a\x43\x6b\x6d\x72\x61','\x64\x43\x6b\x70\x57\x51\x42\x64\x50\x6d\x6f\x64\x65\x43\x6f\x54\x57\x52\x30','\x6c\x64\x5a\x64\x4e\x30\x71\x34','\x68\x61\x6c\x63\x51\x38\x6b\x47\x68\x47','\x57\x36\x74\x63\x55\x5a\x79\x72\x65\x30\x71','\x6e\x43\x6f\x39\x57\x34\x47\x62\x57\x34\x4b','\x57\x37\x54\x45\x41\x58\x44\x36','\x44\x4e\x70\x63\x53\x32\x64\x63\x4c\x75\x68\x63\x4c\x43\x6b\x39','\x57\x34\x47\x63\x57\x50\x4b\x48\x57\x36\x7a\x49\x57\x36\x52\x64\x47\x53\x6f\x52\x57\x36\x4a\x63\x53\x73\x6a\x4a','\x57\x37\x56\x64\x52\x33\x70\x64\x4f\x4d\x56\x64\x55\x43\x6b\x38\x57\x51\x30','\x57\x37\x58\x43\x42\x48\x6d','\x57\x35\x30\x47\x57\x52\x69\x41\x57\x37\x37\x63\x48\x76\x64\x64\x52\x71','\x57\x36\x78\x63\x4f\x53\x6b\x4b\x57\x50\x4b\x6e','\x57\x35\x70\x64\x54\x66\x6c\x64\x56\x66\x75','\x6e\x73\x46\x64\x4f\x64\x74\x64\x4f\x32\x56\x63\x51\x6d\x6b\x6d\x45\x6d\x6f\x45\x57\x37\x71','\x57\x37\x71\x56\x57\x52\x37\x64\x56\x64\x74\x64\x50\x74\x46\x64\x53\x38\x6f\x68\x57\x37\x37\x63\x53\x61','\x57\x34\x31\x6d\x75\x63\x35\x67'];_0x38c9=function(){return _0x2b0474;};return _0x38c9();}function _0x56ca4e(_0x532b52){const _0x1bf2cd=_0x13ba93,_0x99c409={'\x6b\x53\x77\x53\x55':function(_0x2b39ff,_0x51056a){return _0x2b39ff*_0x51056a;},'\x45\x62\x57\x50\x48':function(_0x463cb5,_0x363be3){return _0x463cb5(_0x363be3);}},_0x33d105=_0x532b52&&(_0x532b52[_0x1bf2cd(0x110,'\x7a\x32\x4d\x74')+'\x70']||_0x532b52[_0x1bf2cd(0x101,'\x28\x6b\x56\x56')+'\x74\x49\x73\x6f']);if(_0x33d105){const _0x1c0706=Date[_0x1bf2cd(0xe9,'\x55\x54\x59\x26')](_0x33d105);if(Number[_0x1bf2cd(0xc5,'\x45\x32\x49\x47')](_0x1c0706))return _0x1c0706;}if(_0x532b52&&Number['\x69\x73\x46\x69\x6e\x69\x74\x65'](Number(_0x532b52['\x63\x72\x65\x61\x74\x65\x64\x41'+'\x74'])))return _0x99c409[_0x1bf2cd(0xd1,'\x49\x76\x31\x36')](_0x99c409[_0x1bf2cd(0xf6,'\x51\x4e\x76\x70')](Number,_0x532b52[_0x1bf2cd(0x10c,'\x42\x59\x36\x5d')+'\x74']),-0x1a94+0x8d*0x4+0x1c48);return null;}function _0x205da0(_0x25d758={}){const _0x12869b=_0x13ba93,_0x36732c={'\x53\x73\x49\x72\x6e':function(_0x6b6cfe){return _0x6b6cfe();},'\x62\x51\x5a\x6b\x4c':function(_0x483caa,_0x5a0866){return _0x483caa!=_0x5a0866;},'\x41\x44\x44\x73\x73':_0x12869b(0xf3,'\x5d\x63\x53\x29'),'\x70\x53\x57\x49\x70':_0x12869b(0xd2,'\x69\x54\x7a\x28'),'\x75\x6c\x54\x77\x43':function(_0x2027d2,_0x2e9ca7){return _0x2027d2===_0x2e9ca7;},'\x64\x51\x6a\x57\x74':_0x12869b(0xd7,'\x45\x32\x49\x47'),'\x75\x41\x45\x78\x7a':function(_0x145e21,_0xac352c){return _0x145e21===_0xac352c;},'\x73\x55\x65\x45\x43':_0x12869b(0xf9,'\x51\x4e\x76\x70'),'\x64\x58\x77\x66\x63':function(_0x39b620,_0x332ef0,_0x407949){return _0x39b620(_0x332ef0,_0x407949);},'\x51\x64\x72\x70\x6e':function(_0x583033,_0x65f28e){return _0x583033(_0x65f28e);},'\x68\x42\x4c\x41\x49':function(_0x4fb80d,_0x5ba9fb){return _0x4fb80d==_0x5ba9fb;},'\x68\x79\x41\x46\x6b':function(_0x4cfa6e,_0x2debb3){return _0x4cfa6e<_0x2debb3;},'\x4e\x7a\x74\x4a\x6a':function(_0x2aaef0,_0x56e396){return _0x2aaef0>_0x56e396;},'\x54\x62\x67\x48\x51':function(_0x4a281a,_0x4504a6){return _0x4a281a(_0x4504a6);},'\x48\x68\x6d\x50\x72':function(_0x44fdc5,_0x3e2654){return _0x44fdc5>_0x3e2654;},'\x4f\x41\x4b\x53\x62':function(_0x5dc408,_0x2f0838){return _0x5dc408||_0x2f0838;},'\x54\x43\x43\x61\x41':function(_0x397a87,_0x49985b){return _0x397a87===_0x49985b;},'\x50\x49\x6a\x6a\x4b':function(_0x32e2af,_0x1b765a){return _0x32e2af+_0x1b765a;}},_0x35bfce=_0x25d758&&_0x36732c[_0x12869b(0xdd,'\x42\x5e\x44\x42')](_0x25d758[_0x12869b(0x10e,'\x65\x48\x5a\x50')],null)?Date['\x70\x61\x72\x73\x65'](_0x25d758[_0x12869b(0xbf,'\x6e\x78\x58\x47')]):NaN,_0x19e12c={..._0x163b2e};if(!Number[_0x12869b(0xf7,'\x5b\x52\x6e\x66')](_0x35bfce))return _0x19e12c;const _0x41eec5=_0x25d758&&_0x25d758[_0x12869b(0x100,'\x42\x59\x36\x5d')]!=null&&Number[_0x12869b(0x10a,'\x6b\x6c\x58\x25')](Date[_0x12869b(0xe1,'\x53\x49\x5a\x5d')](_0x25d758['\x75\x6e\x74\x69\x6c\x49\x73\x6f']))?Date[_0x12869b(0xde,'\x6f\x49\x63\x66')](_0x25d758['\x75\x6e\x74\x69\x6c\x49\x73\x6f']):Date[_0x12869b(0xfb,'\x29\x59\x29\x23')]();let _0x4a3b43;try{if(_0x36732c['\x41\x44\x44\x73\x73']===_0x12869b(0x104,'\x25\x4a\x26\x41'))_0x8e76d0=_0x36732c[_0x12869b(0xff,'\x53\x48\x4e\x45')](_0x1e90ee);else{const _0x387801=_0x30cc1a(),_0xb0bdb1={..._0x163b2e};if(!_0x2ac54e[_0x12869b(0xcc,'\x65\x48\x5a\x50')+'\x6e\x63'](_0x387801))return _0xb0bdb1;_0x4a3b43=_0x2ac54e[_0x12869b(0xed,'\x42\x5e\x44\x42')+_0x12869b(0xdf,'\x50\x72\x53\x26')](_0x387801,_0x36732c[_0x12869b(0xf2,'\x41\x5d\x4c\x4e')]);}}catch(_0x34de98){const _0x389074={..._0x163b2e};return _0x389074;}let _0x8fb48c=null;try{_0x36732c[_0x12869b(0xfd,'\x78\x74\x28\x54')](_0x12869b(0x111,'\x53\x48\x4e\x45'),_0x36732c['\x64\x51\x6a\x57\x74'])?_0x8fb48c=_0x36732c[_0x12869b(0xf8,'\x4b\x2a\x47\x7a')](_0x1e0093):_0x15a51d=null;}catch(_0x1e7c80){_0x8fb48c=null;}let _0x174025=-0x1438*0x1+0x90e+0x2*0x595,_0x5d7691=-0x11*-0x1b1+0xbdd*-0x1+0x17*-0xbc,_0x2025f4=0x74d+-0x2e0+-0x46d;for(const _0x3b8636 of _0x4a3b43[_0x12869b(0xec,'\x51\x4e\x76\x70')]('\x0a')){const _0x181900=_0x3b8636[_0x12869b(0xf0,'\x51\x4e\x76\x70')]();if(!_0x181900)continue;let _0x1a8878;try{_0x1a8878=JSON['\x70\x61\x72\x73\x65'](_0x181900);}catch(_0x1419f3){if(_0x36732c['\x75\x41\x45\x78\x7a'](_0x12869b(0xfc,'\x47\x62\x46\x69'),_0x36732c[_0x12869b(0xbd,'\x33\x53\x56\x54')]))continue;else{const _0x1a5547=_0x5d0b2e[_0x12869b(0xe3,'\x49\x76\x31\x36')](_0x35a9c9);if(_0x5b4f61[_0x12869b(0x10d,'\x50\x49\x68\x6c')](_0x1a5547))return _0x1a5547;}}if(_0x1a8878&&_0x1a8878[_0x12869b(0xc0,'\x49\x34\x66\x56')+'\x64']){if(!_0x8fb48c)continue;try{_0x1a8878=_0x36732c[_0x12869b(0xfe,'\x47\x62\x46\x69')](_0x1ca63a,_0x1a8878,_0x8fb48c);}catch(_0x154182){continue;}}if(!_0x1a8878||typeof _0x1a8878!==_0x12869b(0xea,'\x75\x2a\x66\x28'))continue;const _0x3cd3d6=_0x36732c[_0x12869b(0x109,'\x7a\x32\x4d\x74')](_0x56ca4e,_0x1a8878);if(_0x36732c[_0x12869b(0x112,'\x23\x45\x29\x41')](_0x3cd3d6,null)||_0x36732c[_0x12869b(0xdb,'\x28\x6b\x56\x56')](_0x3cd3d6,_0x35bfce)||_0x36732c[_0x12869b(0xeb,'\x56\x5b\x21\x4a')](_0x3cd3d6,_0x41eec5))continue;const _0x1e82a5=_0x36732c[_0x12869b(0xc3,'\x28\x6b\x56\x56')](Number,_0x1a8878[_0x12869b(0xef,'\x5d\x63\x53\x29')+_0x12869b(0xd8,'\x29\x59\x29\x23')]),_0x555403=_0x36732c[_0x12869b(0xc9,'\x6f\x31\x55\x46')](Number,_0x1a8878[_0x12869b(0xd6,'\x23\x45\x29\x41')+_0x12869b(0xda,'\x49\x34\x66\x56')]),_0x2f7aa9=Number[_0x12869b(0x108,'\x28\x6b\x56\x56')](_0x1e82a5)&&_0x1e82a5>-0x1685+0xa94*-0x2+0xe8f*0x3,_0x4db0c9=Number[_0x12869b(0x117,'\x53\x49\x5a\x5d')](_0x555403)&&_0x36732c[_0x12869b(0xbe,'\x40\x7a\x72\x51')](_0x555403,-0xa3*0x30+-0x1982+0x1*0x3812);if(_0x2f7aa9)_0x174025+=_0x1e82a5;if(_0x4db0c9)_0x5d7691+=_0x555403;if(_0x36732c[_0x12869b(0xd5,'\x63\x69\x32\x69')](_0x2f7aa9,_0x4db0c9))_0x2025f4+=-0x516+0x1193+-0xc7c;}const _0x1263ce={..._0x163b2e};if(_0x36732c['\x54\x43\x43\x61\x41'](_0x2025f4,-0x152+0x6*0x8+0x122))return _0x1263ce;return{'\x69\x6e\x70\x75\x74\x5f\x74\x6f\x6b\x65\x6e\x73':_0x174025,'\x6f\x75\x74\x70\x75\x74\x5f\x74\x6f\x6b\x65\x6e\x73':_0x5d7691,'\x74\x6f\x74\x61\x6c\x5f\x74\x6f\x6b\x65\x6e\x73':_0x36732c[_0x12869b(0xe6,'\x47\x62\x46\x69')](_0x174025,_0x5d7691),'\x63\x61\x6c\x6c\x73':_0x2025f4,'\x6d\x65\x61\x73\x75\x72\x65\x64':!![]};}const _0x568c1b={};_0x568c1b[_0x13ba93(0xcb,'\x76\x36\x6e\x2a')+_0x13ba93(0xe2,'\x4b\x2a\x47\x7a')]=_0x205da0,module[_0x13ba93(0xd0,'\x65\x48\x5a\x50')]=_0x568c1b;

package/.cursor/BUGBOT.md DELETED Viewed

@@ -1,182 +0,0 @@
-# Bugbot Review Rules — evolver-private-dev
-This file gives Cursor Bugbot project-specific context. The repository is the
-**private source of truth** for `@evomap/evolver`; the public mirror is
-`EvoMap/evolver`, built via `scripts/build_public.js` driven by
-`public.manifest.json`. Treat anything that could leak from private to public,
-or that could break GEP asset integrity, as high severity.
-## Project shape
-- Pure Node.js (no TypeScript). Public surface is the npm package
-  `@evomap/evolver`; entry point is `index.js`.
-- Runtime dependencies are intentionally minimal — only `dotenv`. Do not
-  approve PRs that add new runtime dependencies without a clear justification
-  in the PR description.
-- Tests run via `node --test`. There is no ESLint/Prettier in CI; rely on
-  Bugbot to catch style and correctness regressions.
-## High-severity rules (block the PR)
-### 1. Secrets must round-trip through `src/gep/sanitize.js`
-Any code path that writes capsule payloads, agent logs, prompts, or hub
-broadcasts must call `sanitizePayload` (or an equivalent redactor) **before**
-the data leaves the process. Flag as a blocking Bug if a PR:
-- Logs raw `process.env.*`, request headers, or `Authorization` values.
-- Sends capsule/event/log objects to `src/gep/bridge.js`,
-  `src/gep/a2aProtocol.js`, `src/gep/issueReporter.js`, `src/proxy/sync/**`,
-  or any HTTP/IPC sink without first running `sanitizePayload`.
-- Adds a new secret pattern (API key, token, private key) that is not also
-  added to `REDACT_PATTERNS` in `sanitize.js`.
-### 2. Public/private leak prevention
-`scripts/build_public.js` + `public.manifest.json` decide what ships to the
-public repo and to npm. Block PRs that:
-- Add a new top-level path that is **not** covered by either `include` or
-  `exclude` in `public.manifest.json`. New private-only paths (docs/,
-  memory/, internal scripts) must be added to `exclude`.
-- Add `console.log` / TODO / FIXME / internal URLs / employee emails inside
-  files listed in the `obfuscate` array — those files are shipped after
-  obfuscation and any plaintext secret/comment leaks past obfuscation.
-- Reference `EvoMap/evolver-private-dev` (this repo's URL) inside any file
-  that is part of the public include set.
-- **Add a new file under `src/gep/**` or `src/evolve/**` (or any directory
-  whose siblings are already in the `obfuscate` array) without also adding
-  the new file to `obfuscate`.** Sibling consistency is the rule: if every
-  other `*.js` in the same directory is obfuscated, the new one must be
-  too. Exception: the PR description must explicitly state why obfuscation
-  is unnecessary (e.g. "trivial public algorithm reused from MIT-licensed
-  source") AND the file must contain no business logic, no env-var reads,
-  and no path/URL constants. Historical regressions: PR #20 (hub.js,
-  enrich.js, utils.js missed obfuscate, fixed in 79821fc and 3da07e3),
-  PR #34 (hash.js missed obfuscate).
-**This file is private-only.** `.cursor/BUGBOT.md` is private to this repo
-and is pruned from the public build via `public.manifest.json`'s
-`exclude: [".cursor/**"]`. Project-specific rules for the public mirror
-`EvoMap/evolver` (if any are needed) live in the Cursor dashboard's
-repository manual rules, not in the source tree, so the published npm
-package and the public GitHub repo do not carry editor-tool config files.
-### 3. GEP asset integrity
-The GEP protocol depends on stable hashing and signatures
-(`src/gep/contentHash.js`, `src/gep/crypto.js`, `src/gep/integrityCheck.js`).
-Block PRs that:
-- Change `contentHash` / `crypto.sign` / `crypto.verify` behaviour without an
-  explicit version bump and a migration path for existing
-  `assets/gep/*.jsonl` records.
-- Mutate gene/capsule/event objects in-place after they have been hashed or
-  signed.
-- Introduce non-deterministic ordering (e.g. `Object.keys` without sort, or
-  `for ... in`) inside any code that participates in hashing.
-- **Ship a schema factory (e.g. `createGene` / `createCapsule` / `createTask`,
-  or any new `src/gep/schemas/<X>.js`) without proving the matching
-  `validate<X>` is actually called on every write/publish path.** A schema
-  that no one calls is dead code that masks LLM/Hub-supplied garbage.
-  Require the PR description to include a `grep -rn 'validate<X>' src/`
-  output covering at least: every `upsert<X>` / `append<X>` in
-  `src/gep/assetStore.js`, every `buildPublish<X>*` in
-  `src/gep/a2aProtocol.js`, and every direct disk-write site. Historical
-  regression: PR #25 / #27 shipped `validateGene` / `validateCapsule` that
-  no caller invoked, fixed retroactively as audit issue #30 H1 (commit
-  902a256). Track the same expectation for any future `validate<Y>`.
-- **Spread `DEFAULTS` into a partial without slicing every reference-typed
-  field afterwards.** `Object.assign({}, X_DEFAULTS, partial)` is a shallow
-  copy: arrays and sub-objects on the result still point to either
-  `X_DEFAULTS`'s shared instance or to `partial`'s caller-owned
-  instance. Downstream `.push(...)` then contaminates every other consumer.
-  Every array field needs `Array.isArray(x) ? x.slice() : []`; every
-  sub-object needs `Object.assign({}, FIELD_DEFAULTS, x)`. Historical
-  regression: PR #25 createGene leaked `epigenetic_marks` /
-  `learning_history` / `anti_patterns` / `constraints.forbidden_paths`
-  across all genes (commit 549f1bd).
-### 4. Filesystem and network safety
-- Reject `child_process.exec*` / `spawn*` calls that interpolate untrusted
-  strings into the command. Use the array form with explicit args.
-- Reject `fs.writeFileSync` / `fs.rmSync({recursive:true})` calls that
-  resolve paths from user/LLM input without going through `src/gep/paths.js`
-  or an equivalent allowlist.
-- Reject HTTP fetches that disable TLS verification
-  (`rejectUnauthorized: false`, `NODE_TLS_REJECT_UNAUTHORIZED=0`) outside
-  isolated test fixtures.
-## Medium-severity rules (request changes)
-### Async correctness
-- Every Promise must either be `await`ed or have a `.catch` handler. Flag
-  unhandled-rejection risks.
-- Do not mix `await` with `.then(...)` chains inside the same logical block.
-- Long-running loops in `src/proxy/**` must respect the existing cancellation
-  / shutdown signals (look for `idleScheduler.js`, `lifecycle/**`).
-### Module-load ordering vs. dotenv
-`src/evolve.js` calls `require('dotenv').config(...)` mid-file (around
-the comment block "Load environment variables from repo root"). Any module
-that reads `process.env.X` at module-load time (e.g.
-`const FOO = process.env.FOO || default` at the top of the file) MUST be
-required AFTER the `dotenv.config()` call, otherwise `process.env.X` is
-empty and the constant freezes to the default for the rest of the process
-lifetime. Block PRs that:
-- Add a new module-level `const`/`let` initialized from `process.env.*` and
-  hoist its `require(...)` above the `dotenv.config()` call in `evolve.js`,
-  `index.js`, or any new top-level entry point.
-- Re-introduce eager `require('./evolve/pipeline/<X>')` at the top of
-  `src/evolve.js`. The current pattern requires those modules AFTER dotenv;
-  see commit 3da07e3 for context.
-A safe pattern when a module truly needs env at module-load time: read the
-env via `src/config.js`'s `envInt()` / `envStr()` helpers, which are
-re-evaluated lazily on each call instead of frozen at module load.
-### CLI compatibility
-`index.js` is the public CLI binary. Any change to CLI flags, default
-behaviour, exit codes, or stdout/stderr format is a breaking change for
-downstream users. Require:
-- A note in `CHANGELOG.md` describing the user-visible change.
-- Backwards-compatible behaviour behind a feature flag in
-  `src/gep/featureFlags.js` whenever possible.
-### Node version
-`package.json` does not currently pin an `engines` field. The package is
-distributed as a CLI to end users on a wide range of Node versions. Treat
-Node.js >= 18 as the de-facto floor and flag use of APIs that require Node
-20+ (e.g. `fs.glob`, top-level `using`, `--experimental-strip-types`) unless
-the PR also adds an `engines.node` constraint to `package.json` and notes
-the bump in `CHANGELOG.md`.
-## Low-severity rules (nit / suggestion)
-- Use `node:` prefix for built-in module imports (`require('node:fs')`).
-- Prefer named functions over anonymous arrow functions when registering
-  event listeners — eases stack traces.
-- Avoid `JSON.stringify(...)` of large objects in hot paths inside
-  `src/proxy/server/**`; prefer streaming or pagination.
-## Context Bugbot should NOT flag
-- The lack of TypeScript or ESLint config — intentional.
-- Single-dependency `package.json` — intentional minimal supply chain.
-- Files under `assets/gep/*.jsonl` are gitignored; if a PR appears to add
-  them, that is a **block**, not a nit (see rule 2).
-- The `dist-public/` and `dist-binaries/` directories are build artifacts —
-  do not review them.
-## Style
-This repository forbids emoji in code, comments, commit messages, and
-documentation, with a single allowed exception: the DNA glyph used in
-public-facing docs. Flag any PR that adds other emoji.

package/.env.example DELETED Viewed

@@ -1,68 +0,0 @@
-# EvoMap Hub connection (optional -- all core features work offline without these)
-# A2A_HUB_URL=https://evomap.ai
-# A2A_NODE_ID=your_node_id_here
-# Evolution strategy: balanced (default) | innovate | harden | repair-only
-# EVOLVE_STRATEGY=balanced
-# Bridge mode: controls sessions_spawn() output for host runtimes like OpenClaw.
-# Defaults to off unless OPENCLAW_WORKSPACE is set.
-# EVOLVE_BRIDGE=false
-# Heartbeat interval in milliseconds (default: 360000 = 6 minutes)
-# HEARTBEAT_INTERVAL_MS=360000
-# Worker pool: set to 1 to participate as a worker in the EvoMap network
-# WORKER_ENABLED=1
-# WORKER_DOMAINS=repair,harden
-# WORKER_MAX_LOAD=5
-# Path overrides (usually auto-detected)
-# MEMORY_DIR=./memory
-# EVOLVER_REPO_ROOT=.
-# OPENCLAW_WORKSPACE=
-# When evolver runs as an npm dependency or a skill under a host repo,
-# it auto-detects the host's .git so it can see Hand Agent edits.
-# Set this to 'true' only if you deliberately want evolver to ignore the
-# host repo and treat its own package directory as the work area.
-# EVOLVER_NO_PARENT_GIT=false
-# Auto GitHub issue reporting (enabled by default)
-# EVOLVER_AUTO_ISSUE=true
-# GITHUB_TOKEN=your_github_token_here
-# Pre-publish leak check mode: strict (default since v1.69.7) | warn | off
-# - strict: block publish when sensitive data is detected in the capsule/gene payload
-# - warn: log a warning and continue publishing (relies on sanitizePayload redaction)
-# - off: skip the leak scan entirely (not recommended)
-# Set to 'warn' to restore v1.69.6 and earlier behavior.
-# EVOLVER_LEAK_CHECK=strict
-# Hub URL resolution (v1.69.7+):
-# - A2A_HUB_URL is the primary override (used at runtime by most modules)
-# - EVOMAP_HUB_URL is a secondary override kept for backward compatibility
-# - EVOLVER_DEFAULT_HUB_URL overrides the compile-time default when neither of
-#   the above is set. Use this for fully air-gapped deployments that still want
-#   to point validator/directory/privacy clients at a private hub endpoint.
-# EVOLVER_DEFAULT_HUB_URL=https://evomap.ai
-# Verbose logging
-# EVOLVER_VERBOSE=true
-# Memory graph rotation (issue #519). memory_graph.jsonl accumulates
-# every evolution event and grows unboundedly on long-running nodes.
-# When the active file crosses EVOLVER_MEMORY_GRAPH_MAX_SIZE_MB it is
-# renamed to memory_graph.jsonl.<timestamp>.gz and a fresh file is
-# started. Only the most recent EVOLVER_MEMORY_GRAPH_RETENTION_COUNT
-# archives are kept; older ones are deleted.
-# EVOLVER_MEMORY_GRAPH_AUTO_ROTATE=true
-# EVOLVER_MEMORY_GRAPH_MAX_SIZE_MB=100
-# EVOLVER_MEMORY_GRAPH_RETENTION_COUNT=7
-# Rollback strategy when a solidify cycle's validation fails.
-#   stash (default): git stash push --include-untracked. Recover via 'git stash pop'.
-#   hard:            git reset --hard. WARNING: discards uncommitted changes irrecoverably.
-#   none:            do nothing. Leaves the failed cycle's edits in place.
-# Default flipped from 'hard' to 'stash' in 1.80.8 to prevent silent data loss
-# when evolver runs in third-party host repos.
-# EVOLVER_ROLLBACK_MODE=stash

package/.git-commit-guard-token DELETED Viewed

	@@ -1 +0,0 @@
1	- SKILL_COMMIT

package/.github/CODEOWNERS DELETED Viewed

@@ -1,63 +0,0 @@
-# Code owners for this repository
-# Format: each rule grants automatic review-request to the listed owner(s)
-# when a matching path is touched in a PR. Combined with branch protection's
-# "Require review from Code Owners" rule on main, these owners must approve
-# the PR before it can merge.
-#
-# Multiple owners on each line means GitHub will auto-request a review from
-# all listed owners on a matching PR; ANY one of them approving is sufficient
-# to satisfy the branch-protection 'require code owner review' gate. This is
-# the agreed fallback order: autogame-17 primary, forrestlinfeng + cloudcarver
-# as backups when the primary is unavailable.
-#
-# Why we need this: PR #34 (2026-05-10) was self-merged by the author 2 minutes
-# before a maintainer review comment landed, shipping a missing obfuscate
-# registration into main. CODEOWNERS + branch protection make that pattern
-# physically impossible.
-# Default: every file is owned by autogame-17 unless a more specific rule below
-# overrides it. Keeps coverage complete even for files we forget to call out.
-*                              @autogame-17 @forrestlinfeng @cloudcarver
-# High-risk paths -- listed explicitly so GitHub UI surfaces "Owner review
-# required" prominently when these are touched, even if the catch-all above
-# would already cover them. New contributors should treat any change here
-# as a multi-day review cycle.
-# GEP schemas (Gene / Capsule / Task / future). Validators and defaults must
-# stay in sync with hub-side expectations; shallow-copy bugs and validator-
-# wiring gaps in this directory have a track record (PR #25 / #27 / audit #30).
-/src/gep/schemas/              @autogame-17 @forrestlinfeng @cloudcarver
-# Pipeline modules. Module-load order vs dotenv is fragile here; refactors
-# in PR #20-#24 introduced multiple dotenv-ordering and missing-import
-# regressions before merge.
-/src/evolve/                   @autogame-17 @forrestlinfeng @cloudcarver
-# Content-addressable storage and integrity primitives. Any change here
-# changes asset_id semantics across all stored capsules.
-/src/gep/contentHash.js        @autogame-17 @forrestlinfeng @cloudcarver
-/src/gep/crypto.js             @autogame-17 @forrestlinfeng @cloudcarver
-/src/gep/integrityCheck.js     @autogame-17 @forrestlinfeng @cloudcarver
-/src/gep/shield.js             @autogame-17 @forrestlinfeng @cloudcarver
-/src/gep/hubVerify.js          @autogame-17 @forrestlinfeng @cloudcarver
-# Anything that touches secrets, sanitization, or proxy auth.
-/src/gep/sanitize.js           @autogame-17 @forrestlinfeng @cloudcarver
-/src/proxy/                    @autogame-17 @forrestlinfeng @cloudcarver
-# Public-mirror surface. Manifest mistakes leak source / runtime assets to
-# npm; build/publish scripts directly drive npm + GitHub Release.
-/public.manifest.json          @autogame-17 @forrestlinfeng @cloudcarver
-/scripts/build_public.js       @autogame-17 @forrestlinfeng @cloudcarver
-/scripts/publish_public.js     @autogame-17 @forrestlinfeng @cloudcarver
-/scripts/pre_publish_check.js  @autogame-17 @forrestlinfeng @cloudcarver
-/scripts/build_binaries.js     @autogame-17 @forrestlinfeng @cloudcarver
-/scripts/deploy.sh             @autogame-17 @forrestlinfeng @cloudcarver
-# Repo metadata that gates everything else.
-/.github/                      @autogame-17 @forrestlinfeng @cloudcarver
-/.cursor/                      @autogame-17 @forrestlinfeng @cloudcarver
-/CODEOWNERS                    @autogame-17 @forrestlinfeng @cloudcarver
-/package.json                  @autogame-17 @forrestlinfeng @cloudcarver
-/package-lock.json             @autogame-17 @forrestlinfeng @cloudcarver

package/.github/ISSUE_TEMPLATE/good_first_issue.md DELETED Viewed

@@ -1,23 +0,0 @@
----
-name: Good first issue
-about: Help newcomers get started with a small, self-contained task
-labels: good first issue, help wanted, docs
----
-## Summary
-Short description of the task to complete.
-## Steps to reproduce / task
-1. Steps to reproduce (if a bug) or steps to implement (if feature)
-2. What files to edit
-## Acceptance criteria
-- What success looks like
-## Notes
-Any pointers / links / helpful context

package/.github/pull_request_template.md DELETED Viewed

@@ -1,45 +0,0 @@
-## Summary
-Short 1-2 sentence summary of the change.
-## What changed
-- Bullet list of changes
-## How to test
-1. Copy commands
-2. Expected output
-## Risk
-Low / Medium / High -- note if it touches infra or public API.
-## Self-check
-Tick only the boxes that apply, but every applicable box must be ticked. Bugbot
-reads the project rules and will request changes if anything below is missing.
-- [ ] If this PR adds a new source file under `src/`, it is registered in
-      `public.manifest.json` consistently with its sibling files (e.g. listed
-      in `obfuscate` when the rest of the directory is). Build verification
-      passed: `node scripts/build_public.js` succeeded and the new file shows
-      up in `dist-public/` in the expected (obfuscated or plain) form.
-- [ ] If this PR adds or modifies a schema factory under `src/gep/schemas/`,
-      the corresponding `validate*` function is invoked at every write and
-      every publish call site (not just defined).
-- [ ] If this PR uses `Object.assign({}, DEFAULTS, partial)` to build an
-      object, every reference-typed field (arrays, sub-objects) on the result
-      is sliced or cloned -- not held by reference to either source.
-- [ ] If this PR introduces a new module-level constant initialized from
-      `process.env.X`, the owning module is loaded after the entry point's
-      dotenv configuration step (or the constant is migrated to the lazy
-      env helpers in `src/config.js`).
-- [ ] No new runtime dependencies added without a clear justification in the
-      "What changed" section above.
-- [ ] Tests added or updated to cover the new behavior; full suite passes
-      locally (`node --test test/*.test.js`).
-## Related
-Closes #NN

package/.github/workflows/test.yml DELETED Viewed

@@ -1,75 +0,0 @@
-name: test
-# Runs the Node test suite on every PR and on pushes to main. Originally
-# Ubuntu-only (#198): PR checks were Cursor Bugbot + Security, neither of
-# which runs `npm test`, so a green PR did NOT mean the tests passed.
-#
-# This workflow now also runs the suite on Windows + macOS via a second job
-# (test-cross). #198 explicitly flagged Windows / macOS as a follow-up: the
-# suite still has Linux-specific assumptions (symlink reliance, hard-coded
-# ~/.volta layout, POSIX-style path equality) that would fail on those
-# hosts. test-cross runs on PRs in **advisory** mode (continue-on-error)
-# so those red signals are visible to reviewers without blocking merge
-# while the suite is being made hermetic. Each fix can flip its tests
-# from "red on Win/Mac" to "green on Win/Mac" incrementally. Once the
-# remaining failures are cleaned up, drop `continue-on-error: true` and
-# add `test-cross` to required checks to make cross-platform green a
-# hard merge gate.
-#
-# main pushes skip test-cross to keep private-repo billing predictable
-# (macos-latest is 10x and windows-latest is 2x the ubuntu rate).
-on:
-  pull_request:
-  push:
-    branches: [main]
-permissions:
-  contents: read
-concurrency:
-  group: test-${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '22' # engines: node >=22.12
-          cache: npm
-      - name: Install dependencies
-        run: npm ci
-      - name: Run tests (node --test)
-        run: npm test
-  test-cross:
-    # Advisory cross-platform run: PR-only (skips main push to save billing),
-    # continue-on-error so a known Win/Mac regression does not block merge
-    # while the suite is being hardened. Reviewers still see the result and
-    # can opt-in to wait for a fix on a per-PR basis.
-    if: github.event_name == 'pull_request'
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [windows-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
-    continue-on-error: true
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-          cache: npm
-      - name: Install dependencies
-        run: npm ci
-      - name: Run tests (node --test)
-        run: npm test