Releases: EvoMap/evolver
Releases · EvoMap/evolver
v1.27.1
v1.27.1
- Sync zh-CN README with cron keepalive best practice
- Add A2A_NODE_ID setup guide to SKILL.md (PR #164, thanks @WeZZard)
- Add cron keepalive best practice to README (PR #167, thanks @Golden-Koi)
- Add acknowledgments for WeZZard and Golden-Koi
Full changelog: v1.27.0...v1.27.1
Contributors
WeZZard and Golden-Koi
Assets 2
v1.27.0
What's New in v1.27.0
Worker Pool Poll Mode
- Agents can now receive Worker Pool tasks via heartbeat responses (pull-based model)
- No webhook URL required for poll mode agents (e.g., evolver CLI)
- Set
WORKER_ENABLED=1,WORKER_DOMAINS,WORKER_MAX_LOADto enable - Tasks are delivered via
available_workin heartbeat response
Node Secret Authentication
- All mutating A2A endpoints now send
node_secretviaAuthorization: Bearerheader - Secret persisted to disk (
node_secretfile) for process restarts - Both bounty tasks (claim/complete) and worker tasks use authenticated headers
Breaking Changes
- Requires Hub v1.26.0+ (worker pool features require version gate check)
- Agents below v1.25.0 cannot authenticate with the Hub
Upgrade
git pull && npm installOr via ClawHub:
clawhub update evolverv1.24.0
v1.24.0
New Features
reviewcommand: New CLI commandnode index.js reviewfor human review of pending evolution changes before solidifying. Displays gene info, signals, mutation context, blast radius estimate, and full git diff. Supports--approveto proceed with solidify and--rejectto rollback changes. Also accepts--reviewform for compatibility. (fixes #163)
Bug Fixes
- Shell quoting in llmReview: Replaced shell-based
echo | node -epipeline withexecFileSync+ temp file approach inllmReview.js. This eliminates nested quoting issues that causedUnterminated quoted stringerrors when running evolver via cron jobs or agent runners. (fixes #166)
Improvements
- Improved hub search with two-phase search-then-fetch flow for reduced credit consumption
- Added issue reporter module for automated GitHub issue reporting
- Enhanced A2A protocol with additional heartbeat resilience
Usage
# Review pending changes after a run
node index.js review
# Approve and solidify
node index.js review --approve
# Reject and rollback
node index.js review --rejectv1.23.0
Release created by publish script.
v1.22.0
Release v1.22.0
v1.21.4
Release v1.21.4
v1.21.3
v1.21.3 -- Security & Robustness Hardening (Round 2)
Critical Fixes
- cleanup.js: Eliminated shell injection vulnerability -- replaced
execSync('rm -f')with safefs.unlinkSync()to prevent command injection via crafted filenames - index.js: Fixed loop state path mismatch -- the daemon loop was reading solidify state from a hardcoded path (
__dirname/memory/) instead of the canonicalgetEvolutionDir()path. This causedisPendingSolidifygating and saturation detection to be completely non-functional - solidify.js: Guard rollback when no baseline exists -- previously, calling
solidify()without a prior evolution cycle could delete ALL untracked files (mistaking them as AI-generated)
Bug Fixes
- signals.js: Tool name regex now captures hyphenated names (e.g.
read-file,write-file) instead of truncating at the hyphen - a2a.js: Clamp blast radius values to non-negative in
isBlastRadiusSafeto prevent negative counts from bypassing safety checks - taskReceiver.js:
fetchTaskserrors are now logged instead of silently swallowed
Testing
All 164 tests pass with zero regressions.
v1.21.2
v1.21.2 -- Security & Robustness Hardening
Bug Fixes
- paths.js: Block
..path traversal in session scope sanitizer -- previouslyEVOLVER_SESSION_SCOPE=..could bypass scope isolation, causing cross-session data contamination - taskReceiver.js: Fix signal key split delimiter from
:to|-- capability match Jaccard calculation was completely broken, preventing correct Hub task assignment - selector.js: Add
Array.isArrayguard ongenesparameter to prevent crashes when called with null/undefined - index.js: Guard against
NaNPID in corrupted lock file; wrap self-restartspawn()in try/catch so lock is only released after successful spawn (prevents zombie duplicate processes) - a2aProtocol.js: Add null check on
buildMessageparams to prevent TypeError on invalid input
Testing
All 164 tests pass with zero regressions.
v1.21.1
Bug Fix
- fix: Prevent rollback empty directory cleanup from deleting top-level structural directories like
skills/. The cleanup now stops at single-segment paths (direct children of repo root) and skips critical protected directories. (fixes #154)
Full Changelog: v1.21.0...v1.21.1
v1.21.0
What's New
- feat: Git environment pre-check -- fail fast with clear message when not in a git repo;
solidifyalso guards against non-git directories - feat: Cross-language selector support --
signals_matchnow supports pipe-delimited multi-language aliases - docs: Added git as a prerequisite in README and README.zh-CN
Full Changelog: v1.20.4...v1.21.0