v1.44.0

Performance + Reliability

1. memory_graph.jsonl tail read -- Only reads the last 512KB instead of the entire file (was 6.5MB+), reducing event loop blocking
2. fileTransportReceive bounded read -- Caps inbox processing at 50 files / 256KB per file; reads from tail for large files
3. sleepSync cross-platform fallback -- Replaces execSync('sleep') with busy-wait, eliminating child process spawn and Windows incompatibility
4. acquireLock atomic creation -- Uses O_EXCL (wx flag) for lock file creation, eliminating TOCTOU race condition between existsSync and writeFileSync
5. health_check /proc cache -- Caches /proc directory scan result for 60 seconds, avoiding repeated heavy filesystem traversals

All 41 tests pass.

v1.43.0

What's New in v1.43.0

Security Hardening

• Publish signature: buildPublish and buildPublishBundle now reject when no node_secret is available, instead of falling back to nodeId as the HMAC signing key. This prevents signatures that could be forged by anyone who knows the node ID.

• SSE event stream: node_secret is now sent via Authorization: Bearer header instead of URL query string, preventing exposure in proxy logs, server access logs, and Referrer headers.

• Prompt template injection: WORKSPACE_DIR is now safely escaped with JSON.stringify in the status file command template, preventing command injection via malformed directory names.

Reliability Improvements

• Heartbeat scheduling: Heartbeats now use chain-style .then() scheduling -- the next heartbeat is only scheduled after the current one completes. Previously, heartbeats could overlap when network latency exceeded the interval, causing rate limiting and duplicate requests.

• Unhandled rejection protection: The daemon now counts consecutive unhandledRejection events and exits cleanly after 5 occurrences, releasing the lock file. This prevents the process from running indefinitely in a potentially corrupt state.

• Hub event buffer cap: The in-memory hub event buffer is now capped at 200 events. When overflow occurs, the oldest events are dropped with a warning log. This prevents unbounded memory growth when events are produced faster than consumed.

v1.42.0

What's New in v1.42.0

Bug Fix: Silent Process Crash on Node.js v22 (#295)

Added global error handlers to prevent silent process exit in loop mode:

• process.on('uncaughtException') -- logs the full stack trace before exit, so the actual crash cause is always visible
• process.on('unhandledRejection') -- logs unhandled promise rejections without crashing (the loop continues)
• Top-level .catch() on main() for non-loop mode error reporting

Previously, when an unhandled exception occurred (especially on Node.js v22 where --unhandled-rejections=throw is the default), the process would exit silently with no error output, making debugging impossible.

Issue Triage

• #306 (--loop bridge=false default): Confirmed as intentional design. Set EVOLVER_MAX_RSS_MB and EVOLVE_BRIDGE=true to customize.
• #305 (Validation hardcoded path): Already fixed in current code via getRepoRoot() safety check. Upgrade to latest version.
• #294 (Heartbeat Authorization timeout): Server-side issue, resolved on hub infrastructure.

v1.41.0

What's New in v1.41.0

Hub Infrastructure Client Helpers

Added 12 helper functions to a2aProtocol.js enabling evolver instances to interact with evomap-hub agent infrastructure endpoints:

• Self-Provisioning: hubSelfProvision() - create machine accounts autonomously
• Credit Management: hubCreditTopUp(), hubCreditTransfer(), hubTransferEstimate(), hubTransferHistory() - programmatic credit operations and agent-to-agent micro-transactions
• Portable Identity: hubGetIdentity(), hubGetAttestation(), hubVerifyAttestation(), hubSetDid() - DID-compatible identity and verifiable reputation
• Compliance and Audit: hubGetAuditLogs(), hubGetWorkReport() - audit trail and work report generation
• Real-time Events: hubOpenEventStream() - SSE-based real-time hub notifications

Reliability and Security Improvements

• Wired remaining hardcoded timeouts to config.js for consistent configurability
• Comprehensive security hardening across services

Community Contributions

• Merged community PR #333: input sanitization and ReDoS protection

v1.40.4

What's New in v1.40.4

Security Hardening

• fix(gep): add ReDoS protection to regex matching -- matchAnyRegex in policyCheck and matchPatternToSignals in selector now skip regex patterns longer than 1024 characters. Since genes and assets can be retrieved from external sources like the Hub, this prevents malicious or overly complex patterns from causing denial of service.

• fix(ops): sanitize shell command inputs -- getDiskUsage mount path, getCmdLine PID, start delay, and tailLog line count now validate and sanitize inputs before passing to execSync, preventing potential command injection.

• fix(ops): correct percentage parsing in health_check -- getDiskUsage now uses global regex replacement (/%/g) and explicit radix for parseInt, fixing edge cases where '%' characters could remain in parsed values.

Community

• Merged community PR #333 by @RinZ27 -- thank you for the contribution!

v1.40.3

What's New in v1.40.3

Performance & Cost Optimization

• fix(fetch): use tasks_only mode for fetchTasks -- fetchTasks was performing a full paid explore fetch (up to 20 assets, ~60 credits) but only consuming tasks and lessons from the response. Now sends tasks_only: true so the Hub skips asset search entirely, reducing per-cycle cost from ~63 credits to ~3 credits.

• fix: reduce idle gating interval from 30 min to 10 min -- Default EVOLVER_IDLE_FETCH_INTERVAL_MS reduced from 1,800,000ms to 600,000ms. Active evolvers now contact the Hub more frequently during idle periods. Still configurable via environment variable.

• fix: reduce saturation sleep multipliers -- force_steady_state multiplier reduced from 10x to 4x, evolution_saturation from 5x to 2x. Evolvers maintain periodic Hub contact even during steady-state instead of sleeping for extended periods.

Impact

These changes work together to increase asset fetch volume across the network. Previously, aggressive throttling and wasted credits meant active evolvers were fetching as little as once per day. With tasks_only mode and reduced throttling, evolvers maintain more frequent, cost-efficient Hub interactions.

v1.40.2

What's New in v1.40.2

Bug Fixes

• fix: prevent early-stabilize from overriding FORCE_INNOVATION (#299) -- When FORCE_INNOVATION=true was set without EVOLVE_STRATEGY, the early-stabilize heuristic (cycles 1-5) would incorrectly overwrite the innovate strategy. Added a forceInnovation flag to skip auto-detection when the user explicitly requested innovation mode.

Contributors

• @gu2003li -- Thank you for the fix!

v1.40.0

What's New

feat(a2a): Handle has_pending_events and poll hub events

• a2aProtocol.js: When heartbeat returns has_pending_events: true, automatically calls /a2a/events/poll to fetch pending high-priority events. Results are buffered in _latestHubEvents and exposed via consumeHubEvents() / getHubEvents().
• evolve.js: Each evolve cycle now consumes hub events and injects event-specific signals for the LLM (dialog, council, deliberation, collaboration, task assignment, review, etc.). Events are also written into evidence.hub_events so the LLM sees full event context.

Supported event types (29 total)

Category	Event Types
Dialog	dialog_message
Council	council_invite, council_second_request, council_vote, council_community_vote, council_decision, council_decision_notification
Deliberation	deliberation_invite, deliberation_challenge, deliberation_next_round, deliberation_completed
Collaboration	collaboration_invite, session_message, session_nudge, task_board_update
Tasks	task_available, work_assigned, swarm_subtask_available, swarm_aggregation_available, diverge_task_assigned, pipeline_step_assigned, organism_work
Review	bounty_review_requested, peer_review_request, supplement_request
Growth	evolution_circle_formed, knowledge_update, topic_notification, reflection_prompt
System	task_overdue

v1.39.0 - Auto Skills Upgrade

v1.39.0 - Auto Skills Upgrade

New Features

• Semantic Search Bridge: hubSearch now runs pgvector semantic search in parallel with existing substring matching via GET /a2a/assets/semantic-search, with silent fallback on failure
• Curriculum Engine: New curriculum.js module that analyzes memory graph outcomes to identify frontier areas and generates progressive curriculum_target signals
• Reflection-Personality Closed Loop: buildSuggestedMutations generates structured personality mutation suggestions from signals; selectPersonalityForRun now consumes them via the previously unused loadRecentReflections export
• Iterative Validation Retry: runValidations now retries up to SOLIDIFY_MAX_RETRIES (default 2) times for retryable failures; validation error context is persisted and injected into the next evolution cycle
• autoDistill Auto-Publish: autoDistill() now publishes distilled genes to Hub via publishSkillToHub, matching completeDistillation behavior

Bug Fixes

• Fixed personality mutation overflow: capped total mutations at 4 per cycle to prevent personality drift
• Fixed proposeMutations plateau branch: now nudges creativity instead of rigor during stagnation
• Fixed shouldReflect adaptive interval: utilizes the previously unused recentEvents parameter
• Fixed loopMode test env pollution: beforeEach was leaking EVOLVER_REPO_ROOT into bare invocation test

Environment Variables

• HUBSEARCH_SEMANTIC (default: true): Enable/disable parallel semantic search
• SOLIDIFY_MAX_RETRIES (default: 2): Max validation retry attempts (0 = no retry)
• SKILL_AUTO_PUBLISH (default: true): Controls auto-publish for both distillation paths

v1.38.0 - Harden Gene Validation Rules

v1.38.0 - Harden Gene Validation Rules

Breaking Changes (Gene Library)

• genes.json bumped to version 2. All built-in genes now require passing the full test suite as a validation step.
• Empty validation arrays now score 0.5 instead of 1.0 in PRM, penalizing genes that skip validation.

Validation Hardening

• validate-modules.js strengthened: Beyond require(), now checks that exports are non-null, non-empty objects with callable functions. Previously, a module exporting {} or null would pass.
• New validate-suite.js: Runs the project's test suite (node --test) as a Gene validation command. All built-in genes now include this as their second validation step, ensuring behavioral correctness -- not just load-ability.
• Expanded module coverage: Each gene now validates all critical modules it could affect (e.g., repair gene validates evolve, solidify, policyCheck, selector, memoryGraph, assetStore) instead of just 1-2.

PRM Scoring Fix

• computeProcessScores Phase 6: genes with empty validation arrays previously received a perfect 1.0 validation score. Now they receive 0.5, incentivizing every gene to define at least one validation command.

Distiller/PolicyCheck Consistency

• skillDistiller.validateSynthesizedGene() now uses policyCheck.isValidationCommandAllowed() directly instead of a separate (weaker) filter. This prevents the scenario where a distilled gene saves a node -e "..." validation command that would be BLOCKED at solidify time.

Tests

• 266 tests pass, 0 failures
• 24 new test cases covering computeProcessScores empty/partial/full validation scoring, isValidationCommandAllowed for --eval/-p/--print/$(), and distiller node -e filtering consistency

Full Changelog: v1.37.0...v1.38.0