v1.24.0

v1.24.0

New Features

• review command: New CLI command node index.js review for human review of pending evolution changes before solidifying. Displays gene info, signals, mutation context, blast radius estimate, and full git diff. Supports --approve to proceed with solidify and --reject to rollback changes. Also accepts --review form for compatibility. (fixes #163)

Bug Fixes

• Shell quoting in llmReview: Replaced shell-based echo | node -e pipeline with execFileSync + temp file approach in llmReview.js. This eliminates nested quoting issues that caused Unterminated quoted string errors when running evolver via cron jobs or agent runners. (fixes #166)

Improvements

• Improved hub search with two-phase search-then-fetch flow for reduced credit consumption
• Added issue reporter module for automated GitHub issue reporting
• Enhanced A2A protocol with additional heartbeat resilience

Usage

# Review pending changes after a run
node index.js review

# Approve and solidify
node index.js review --approve

# Reject and rollback
node index.js review --reject

v1.23.0

Release created by publish script.

v1.22.0

Release v1.22.0

v1.21.4

Release v1.21.4

v1.21.3

v1.21.3 -- Security & Robustness Hardening (Round 2)

Critical Fixes

• cleanup.js: Eliminated shell injection vulnerability -- replaced execSync('rm -f') with safe fs.unlinkSync() to prevent command injection via crafted filenames
• index.js: Fixed loop state path mismatch -- the daemon loop was reading solidify state from a hardcoded path (__dirname/memory/) instead of the canonical getEvolutionDir() path. This caused isPendingSolidify gating and saturation detection to be completely non-functional
• solidify.js: Guard rollback when no baseline exists -- previously, calling solidify() without a prior evolution cycle could delete ALL untracked files (mistaking them as AI-generated)

Bug Fixes

• signals.js: Tool name regex now captures hyphenated names (e.g. read-file, write-file) instead of truncating at the hyphen
• a2a.js: Clamp blast radius values to non-negative in isBlastRadiusSafe to prevent negative counts from bypassing safety checks
• taskReceiver.js: fetchTasks errors are now logged instead of silently swallowed

Testing

All 164 tests pass with zero regressions.

v1.21.2

v1.21.2 -- Security & Robustness Hardening

Bug Fixes

• paths.js: Block .. path traversal in session scope sanitizer -- previously EVOLVER_SESSION_SCOPE=.. could bypass scope isolation, causing cross-session data contamination
• taskReceiver.js: Fix signal key split delimiter from : to | -- capability match Jaccard calculation was completely broken, preventing correct Hub task assignment
• selector.js: Add Array.isArray guard on genes parameter to prevent crashes when called with null/undefined
• index.js: Guard against NaN PID in corrupted lock file; wrap self-restart spawn() in try/catch so lock is only released after successful spawn (prevents zombie duplicate processes)
• a2aProtocol.js: Add null check on buildMessage params to prevent TypeError on invalid input

Testing

All 164 tests pass with zero regressions.

v1.21.1

Bug Fix

• fix: Prevent rollback empty directory cleanup from deleting top-level structural directories like skills/. The cleanup now stops at single-segment paths (direct children of repo root) and skips critical protected directories. (fixes #154)

Full Changelog: v1.21.0...v1.21.1

v1.21.0

What's New

• feat: Git environment pre-check -- fail fast with clear message when not in a git repo; solidify also guards against non-git directories
• feat: Cross-language selector support -- signals_match now supports pipe-delimited multi-language aliases
• docs: Added git as a prerequisite in README and README.zh-CN

Full Changelog: v1.20.4...v1.21.0

v1.20.4

refactor: remove GEMINI_API_KEY dependency from skill distiller. Distillation now uses the agent's own LLM via two-phase prepare/complete flow.

v1.20.3

What's Changed

fix: persist node ID to prevent identity fragmentation

Previously, getNodeId() included process.cwd() in the hash computation, causing different node IDs when the agent was launched from different directories. This led to fragmented identities -- the same agent would appear as multiple nodes on the Hub, splitting credits, reputation, and published assets.

Now the node ID is persisted to ~/.evomap/node_id (or project-local .evomap_node_id) after first generation, ensuring a stable identity across directory changes.

Priority chain for node ID resolution

1. A2A_NODE_ID env var (explicit override, highest priority)
2. Persisted node ID file (~/.evomap/node_id or .evomap_node_id)
3. Computed from device ID + agent name + cwd (first run only, then persisted)