v1.51.1

Release created by publish script.

v1.51.0

Release v1.51.0 -- batch audit fixes: drift control, outcome inference, SSE handler, error detection alignment, deploy macOS compat

v1.50.0

Release v1.50.0 -- require positive evidence for gene preference; relax ban thresholds

v1.48.0

Release created by publish script.

v1.47.0

v1.47.0

New Features

• Local State Awareness Hook: Prevents executor agent amnesia by injecting a structured summary of node identity, environment config, evolution state, memory, and skills into every GEP prompt. The agent now knows whether the node is already registered, secrets are present, and which skills are installed -- eliminating redundant registration and re-configuration.

• EvoMap-First Problem Resolution: New directive in the GEP prompt instructs the executor to prioritize searching the EvoMap Hub for existing ecosystem solutions before attempting to solve problems from scratch.

• Enhanced Hub Search for Problem Signals: When problem-class signals (log_error, recurring_error, capability_gap, perf_bottleneck, test_failure, deployment_issue) are detected, the Hub search threshold is lowered from 0.72 to 0.55 and timeout extended from 8s to 12s, maximizing the chance of finding proven solutions.

Files Changed

• src/gep/localStateAwareness.js (new)
• src/evolve.js (modified)
• src/gep/prompt.js (modified)
• test/localStateAwareness.test.js (new)

v1.44.0

Performance + Reliability

1. memory_graph.jsonl tail read -- Only reads the last 512KB instead of the entire file (was 6.5MB+), reducing event loop blocking
2. fileTransportReceive bounded read -- Caps inbox processing at 50 files / 256KB per file; reads from tail for large files
3. sleepSync cross-platform fallback -- Replaces execSync('sleep') with busy-wait, eliminating child process spawn and Windows incompatibility
4. acquireLock atomic creation -- Uses O_EXCL (wx flag) for lock file creation, eliminating TOCTOU race condition between existsSync and writeFileSync
5. health_check /proc cache -- Caches /proc directory scan result for 60 seconds, avoiding repeated heavy filesystem traversals

All 41 tests pass.

v1.43.0

What's New in v1.43.0

Security Hardening

• Publish signature: buildPublish and buildPublishBundle now reject when no node_secret is available, instead of falling back to nodeId as the HMAC signing key. This prevents signatures that could be forged by anyone who knows the node ID.

• SSE event stream: node_secret is now sent via Authorization: Bearer header instead of URL query string, preventing exposure in proxy logs, server access logs, and Referrer headers.

• Prompt template injection: WORKSPACE_DIR is now safely escaped with JSON.stringify in the status file command template, preventing command injection via malformed directory names.

Reliability Improvements

• Heartbeat scheduling: Heartbeats now use chain-style .then() scheduling -- the next heartbeat is only scheduled after the current one completes. Previously, heartbeats could overlap when network latency exceeded the interval, causing rate limiting and duplicate requests.

• Unhandled rejection protection: The daemon now counts consecutive unhandledRejection events and exits cleanly after 5 occurrences, releasing the lock file. This prevents the process from running indefinitely in a potentially corrupt state.

• Hub event buffer cap: The in-memory hub event buffer is now capped at 200 events. When overflow occurs, the oldest events are dropped with a warning log. This prevents unbounded memory growth when events are produced faster than consumed.

v1.42.0

What's New in v1.42.0

Bug Fix: Silent Process Crash on Node.js v22 (#295)

Added global error handlers to prevent silent process exit in loop mode:

• process.on('uncaughtException') -- logs the full stack trace before exit, so the actual crash cause is always visible
• process.on('unhandledRejection') -- logs unhandled promise rejections without crashing (the loop continues)
• Top-level .catch() on main() for non-loop mode error reporting

Previously, when an unhandled exception occurred (especially on Node.js v22 where --unhandled-rejections=throw is the default), the process would exit silently with no error output, making debugging impossible.

Issue Triage

• #306 (--loop bridge=false default): Confirmed as intentional design. Set EVOLVER_MAX_RSS_MB and EVOLVE_BRIDGE=true to customize.
• #305 (Validation hardcoded path): Already fixed in current code via getRepoRoot() safety check. Upgrade to latest version.
• #294 (Heartbeat Authorization timeout): Server-side issue, resolved on hub infrastructure.

v1.41.0

What's New in v1.41.0

Hub Infrastructure Client Helpers

Added 12 helper functions to a2aProtocol.js enabling evolver instances to interact with evomap-hub agent infrastructure endpoints:

• Self-Provisioning: hubSelfProvision() - create machine accounts autonomously
• Credit Management: hubCreditTopUp(), hubCreditTransfer(), hubTransferEstimate(), hubTransferHistory() - programmatic credit operations and agent-to-agent micro-transactions
• Portable Identity: hubGetIdentity(), hubGetAttestation(), hubVerifyAttestation(), hubSetDid() - DID-compatible identity and verifiable reputation
• Compliance and Audit: hubGetAuditLogs(), hubGetWorkReport() - audit trail and work report generation
• Real-time Events: hubOpenEventStream() - SSE-based real-time hub notifications

Reliability and Security Improvements

• Wired remaining hardcoded timeouts to config.js for consistent configurability
• Comprehensive security hardening across services

Community Contributions

• Merged community PR #333: input sanitization and ReDoS protection

v1.40.4

What's New in v1.40.4

Security Hardening

• fix(gep): add ReDoS protection to regex matching -- matchAnyRegex in policyCheck and matchPatternToSignals in selector now skip regex patterns longer than 1024 characters. Since genes and assets can be retrieved from external sources like the Hub, this prevents malicious or overly complex patterns from causing denial of service.

• fix(ops): sanitize shell command inputs -- getDiskUsage mount path, getCmdLine PID, start delay, and tailLog line count now validate and sanitize inputs before passing to execSync, preventing potential command injection.

• fix(ops): correct percentage parsing in health_check -- getDiskUsage now uses global regex replacement (/%/g) and explicit radix for parseInt, fixing edge cases where '%' characters could remain in parsed values.

Community

• Merged community PR #333 by @RinZ27 -- thank you for the contribution!