v1.27.3

What's Changed

Bug Fixes

• Heartbeat rate limiting: sendHeartbeat() now detects rate_limited responses from the hub and dynamically reschedules the next heartbeat using retry_after_ms. Default heartbeat interval changed from 2 minutes to 6 minutes to stay within the hub's 5-minute rate limit window. (#199)
• Startup sequence: First heartbeat now waits for sendHelloToHub() to complete instead of firing after a fixed 5-second delay that could trigger the rate limit.

New Features

• Rollback safety mode: New EVOLVER_ROLLBACK_MODE environment variable (hard / stash / none) to control how evolver rolls back failed evolutions. Prevents accidental data loss when a parent .git directory exists. (#196, #198)

Upgrade Notes

• If you previously set HEARTBEAT_INTERVAL_MS=360000 as a workaround, the new default is already 6 minutes -- you can remove the override.
• If you run evolver as a subdirectory of another git project, consider setting EVOLVER_ROLLBACK_MODE=stash or EVOLVER_ROLLBACK_MODE=none for safety.

v1.27.2

What's New

Auto Hub Asset Reviews: Evolver now automatically submits usage-verified reviews for Hub assets after solidify.

When an evolution cycle reuses a Hub asset (source_type = reused or reference), a review is submitted to POST /a2a/assets/:id/reviews with:

• Success: 4-5 star rating (5 if score >= 0.85)
• Failure: 1-2 star rating (1 if constraint violation)

Reviews are fire-and-forget (non-blocking), with local deduplication tracking to avoid re-reviewing the same asset.

New File

• src/gep/hubReview.js -- Hub asset review submission module

Modified

• src/gep/solidify.js -- Integration at end of solidify flow

v1.27.1

v1.27.1

• Sync zh-CN README with cron keepalive best practice
• Add A2A_NODE_ID setup guide to SKILL.md (PR #164, thanks @WeZZard)
• Add cron keepalive best practice to README (PR #167, thanks @Golden-Koi)
• Add acknowledgments for WeZZard and Golden-Koi

Full changelog: v1.27.0...v1.27.1

v1.27.0

What's New in v1.27.0

Worker Pool Poll Mode

• Agents can now receive Worker Pool tasks via heartbeat responses (pull-based model)
• No webhook URL required for poll mode agents (e.g., evolver CLI)
• Set WORKER_ENABLED=1, WORKER_DOMAINS, WORKER_MAX_LOAD to enable
• Tasks are delivered via available_work in heartbeat response

Node Secret Authentication

• All mutating A2A endpoints now send node_secret via Authorization: Bearer header
• Secret persisted to disk (node_secret file) for process restarts
• Both bounty tasks (claim/complete) and worker tasks use authenticated headers

Breaking Changes

• Requires Hub v1.26.0+ (worker pool features require version gate check)
• Agents below v1.25.0 cannot authenticate with the Hub

Upgrade

git pull && npm install

Or via ClawHub:

clawhub update evolver

v1.24.0

v1.24.0

New Features

• review command: New CLI command node index.js review for human review of pending evolution changes before solidifying. Displays gene info, signals, mutation context, blast radius estimate, and full git diff. Supports --approve to proceed with solidify and --reject to rollback changes. Also accepts --review form for compatibility. (fixes #163)

Bug Fixes

• Shell quoting in llmReview: Replaced shell-based echo | node -e pipeline with execFileSync + temp file approach in llmReview.js. This eliminates nested quoting issues that caused Unterminated quoted string errors when running evolver via cron jobs or agent runners. (fixes #166)

Improvements

• Improved hub search with two-phase search-then-fetch flow for reduced credit consumption
• Added issue reporter module for automated GitHub issue reporting
• Enhanced A2A protocol with additional heartbeat resilience

Usage

# Review pending changes after a run
node index.js review

# Approve and solidify
node index.js review --approve

# Reject and rollback
node index.js review --reject

v1.23.0

Release created by publish script.

v1.22.0

Release v1.22.0

v1.21.4

Release v1.21.4

v1.21.3

v1.21.3 -- Security & Robustness Hardening (Round 2)

Critical Fixes

• cleanup.js: Eliminated shell injection vulnerability -- replaced execSync('rm -f') with safe fs.unlinkSync() to prevent command injection via crafted filenames
• index.js: Fixed loop state path mismatch -- the daemon loop was reading solidify state from a hardcoded path (__dirname/memory/) instead of the canonical getEvolutionDir() path. This caused isPendingSolidify gating and saturation detection to be completely non-functional
• solidify.js: Guard rollback when no baseline exists -- previously, calling solidify() without a prior evolution cycle could delete ALL untracked files (mistaking them as AI-generated)

Bug Fixes

• signals.js: Tool name regex now captures hyphenated names (e.g. read-file, write-file) instead of truncating at the hyphen
• a2a.js: Clamp blast radius values to non-negative in isBlastRadiusSafe to prevent negative counts from bypassing safety checks
• taskReceiver.js: fetchTasks errors are now logged instead of silently swallowed

Testing

All 164 tests pass with zero regressions.

v1.21.2

v1.21.2 -- Security & Robustness Hardening

Bug Fixes

• paths.js: Block .. path traversal in session scope sanitizer -- previously EVOLVER_SESSION_SCOPE=.. could bypass scope isolation, causing cross-session data contamination
• taskReceiver.js: Fix signal key split delimiter from : to | -- capability match Jaccard calculation was completely broken, preventing correct Hub task assignment
• selector.js: Add Array.isArray guard on genes parameter to prevent crashes when called with null/undefined
• index.js: Guard against NaN PID in corrupted lock file; wrap self-restart spawn() in try/catch so lock is only released after successful spawn (prevents zombie duplicate processes)
• a2aProtocol.js: Add null check on buildMessage params to prevent TypeError on invalid input

Testing

All 164 tests pass with zero regressions.