Release v1.89.5

Author: evolver-publish

README.md

@@ -146,6 +146,14 @@ how `setup-hooks --platform=codex` wires Evolver in), but it does **not**
 emit a session transcript file the way Cursor / Claude Code / opencode do.
 That means `evolver --review` cannot read raw session logs on Codex.
 
+`setup-hooks --platform=codex` is lifecycle integration only; it does not route
+Codex model requests through Evolver Proxy. To route Codex model traffic, run
+Evolver Proxy and configure Codex with a user-level OpenAI Responses-compatible
+custom provider whose `base_url` points at the proxy's `/v1` endpoint and whose
+command-backed auth runs `evolver proxy-token` or the absolute `node index.js
+proxy-token --settings ...` helper emitted by `scripts/internal-proxy-env.sh
+--codex-config` from a source checkout.
+
 Evolver compensates by reading, in order:
 
 1. `MEMORY.md` / `USER.md` in the workspace root (if you maintain them);

index.js

@@ -1,4 +1,65 @@
 #!/usr/bin/env node
+function _printProxyTokenUsage(out = process.stderr) {
+  out.write('Usage: node index.js proxy-token [--settings FILE]\n');
+}
+
+function _readProxyTokenFromSettingsFile(fs, settingsFile) {
+  try {
+    const parsed = JSON.parse(fs.readFileSync(settingsFile, 'utf8'));
+    return parsed && parsed.proxy && typeof parsed.proxy.token === 'string'
+      ? parsed.proxy.token
+      : '';
+  } catch {
+    return '';
+  }
+}
+
+// `proxy-token` is a credential helper for Codex. Handle it before loading any
+// project .env so a workspace cannot change EVOLVER_SETTINGS_DIR or other local
+// state used to find the proxy token.
+if (process.argv[2] === 'proxy-token') {
+  try {
+    const _fs = require('fs');
+    const _os = require('os');
+    const _path = require('path');
+    let settingsFile = '';
+    for (let i = 3; i < process.argv.length; i++) {
+      const arg = process.argv[i];
+      if (arg === '-h' || arg === '--help') {
+        _printProxyTokenUsage(process.stdout);
+        process.exit(0);
+      }
+      if (arg === '--settings') {
+        if (!process.argv[i + 1]) {
+          _printProxyTokenUsage();
+          console.error('[proxy-token] missing value for --settings');
+          process.exit(2);
+        }
+        settingsFile = process.argv[i + 1];
+        i++;
+        continue;
+      }
+      _printProxyTokenUsage();
+      console.error('[proxy-token] unknown argument');
+      process.exit(2);
+    }
+    const defaultSettingsFile = _path.join(
+      process.env.EVOLVER_SETTINGS_DIR || _path.join(_os.homedir(), '.evolver'),
+      'settings.json',
+    );
+    const token = _readProxyTokenFromSettingsFile(_fs, settingsFile || defaultSettingsFile);
+    if (!token) {
+      console.error('[proxy-token] no active proxy token found; start evolver with EVOMAP_PROXY=1 first');
+      process.exit(1);
+    }
+    process.stdout.write(token + '\n');
+    process.exit(0);
+  } catch (e) {
+    console.error('[proxy-token] Failed:', e && e.message || e);
+    process.exit(1);
+  }
+}
+
 // Load .env BEFORE any internal require so that a2aProtocol and ATP
 // modules see A2A_NODE_SECRET / A2A_NODE_ID / A2A_HUB_URL at first
 // access and never fall back to a stale persisted/cached secret.
@@ -625,7 +686,7 @@ async function main() {
     // failure mode obvious.
     try {
       const { execSync } = require('child_process');
-      execSync('git --version', { stdio: 'ignore', timeout: 5000 });
+      execSync('git --version', { stdio: 'ignore', timeout: 5000, windowsHide: true });
     } catch (_gitErr) {
       console.error('');
       console.error('[Preflight] Could not run "git --version". Evolver requires git to be installed and available on PATH.');
@@ -1166,6 +1227,24 @@ async function main() {
             const { registerMailboxTransport } = require('./src/gep/mailboxTransport');
             registerMailboxTransport();
             process.env.A2A_TRANSPORT = 'mailbox';
+            try {
+              const a2a = require('./src/gep/a2aProtocol');
+              a2a.startSystemdNotifyWatchdog(function () {
+                try {
+                  const proxy = proxyInfo && proxyInfo.proxy;
+                  const lifecycle = proxy && proxy.lifecycle;
+                  if (lifecycle && typeof lifecycle.getHeartbeatStats === 'function') {
+                    const stats = lifecycle.getHeartbeatStats();
+                    // Hub-backed lifecycle stats are authoritative even when stopped;
+                    // systemd should starve and restart instead of seeing a false ping.
+                    if (stats && (stats.running || proxy.hubUrl)) return stats;
+                  }
+                } catch (_) {}
+                return { running: true, consecutiveFailures: 0, lastTickAt: Date.now() };
+              });
+            } catch (sdErr) {
+              console.warn('[Heartbeat] systemd notify/watchdog setup failed: ' + (sdErr && sdErr.message || sdErr));
+            }
           } else {
             const a2a = require('./src/gep/a2aProtocol');
             try { a2a.startHeartbeat(); }
@@ -1825,9 +1904,9 @@ async function main() {
     const repoRoot = getRepoRoot();
     let diff = '';
     try {
-      const unstaged = execSync('git diff', { cwd: repoRoot, encoding: 'utf8', timeout: 30000, maxBuffer: MAX_EXEC_BUFFER }).trim();
-      const staged = execSync('git diff --cached', { cwd: repoRoot, encoding: 'utf8', timeout: 30000, maxBuffer: MAX_EXEC_BUFFER }).trim();
-      const untracked = execSync('git ls-files --others --exclude-standard', { cwd: repoRoot, encoding: 'utf8', timeout: 10000, maxBuffer: MAX_EXEC_BUFFER }).trim();
+      const unstaged = execSync('git diff', { cwd: repoRoot, encoding: 'utf8', timeout: 30000, maxBuffer: MAX_EXEC_BUFFER, windowsHide: true }).trim();
+      const staged = execSync('git diff --cached', { cwd: repoRoot, encoding: 'utf8', timeout: 30000, maxBuffer: MAX_EXEC_BUFFER, windowsHide: true }).trim();
+      const untracked = execSync('git ls-files --others --exclude-standard', { cwd: repoRoot, encoding: 'utf8', timeout: 10000, maxBuffer: MAX_EXEC_BUFFER, windowsHide: true }).trim();
       if (staged) diff += '=== Staged Changes ===\n' + staged + '\n\n';
       if (unstaged) diff += '=== Unstaged Changes ===\n' + unstaged + '\n\n';
       if (untracked) diff += '=== Untracked Files ===\n' + untracked + '\n';
@@ -1909,13 +1988,13 @@ async function main() {
     } else if (args.includes('--reject')) {
       console.log('\n[Review] Rejected. Rolling back changes...');
       try {
-        execSync('git checkout -- .', { cwd: repoRoot, encoding: 'utf8', timeout: 30000, maxBuffer: MAX_EXEC_BUFFER });
+        execSync('git checkout -- .', { cwd: repoRoot, encoding: 'utf8', timeout: 30000, maxBuffer: MAX_EXEC_BUFFER, windowsHide: true });
         // Preserve user state on reject: .env files, node_modules, runtime
         // PID files, and a dedicated workspace/ dir (if one exists) MUST NOT
         // be wiped by an automated rollback. Users have reported losing
         // secrets and runtime caches to an aggressive git clean.
         execSync('git clean -fd -e node_modules -e workspace -e .env -e ".env.*" -e "*.pid"', {
-          cwd: repoRoot, encoding: 'utf8', timeout: 30000, maxBuffer: MAX_EXEC_BUFFER,
+          cwd: repoRoot, encoding: 'utf8', timeout: 30000, maxBuffer: MAX_EXEC_BUFFER, windowsHide: true,
         });
         const evolDir = getEvolutionDir();
         const sp = path.join(evolDir, 'evolution_solidify_state.json');
@@ -2922,10 +3001,40 @@ async function main() {
       process.exit(1);
     }
 
+  } else if (command === 'experiment') {
+    // Comparative experiment runner: run the SAME task twice -- a baseline arm
+    // and a variant arm that reuses a gene's strategy -- via a headless agent
+    // CLI, collect duration/rounds/tokens/pass-rate, and print a comparison
+    // JSON to stdout. Consumed by EvoMap Desktop's ExperimentsAPI.Run, which
+    // spawns `node index.js experiment --request-file=<json>` and parses stdout.
+    try {
+      const expCli = require('./src/experiment/cli');
+      const parsed = expCli.parseExperimentArgs(args.slice(1));
+      if (!parsed.ok) {
+        console.error('[Experiment] ' + parsed.error);
+        console.error(expCli.printExperimentUsage());
+        process.exit(2);
+      }
+      const res = await expCli.runExperiment(parsed.opts, { err: (...a) => console.error(...a) });
+      // stdout carries ONLY the structured JSON so the Go caller can JSON.parse
+      // it without log contamination; all logging above went to stderr. res.data
+      // is already secret-redacted by runExperiment (sanitizePayload).
+      if (res && res.data) process.stdout.write(JSON.stringify(res.data) + '\n');
+      process.exit(res && typeof res.exitCode === 'number' ? res.exitCode : (res && res.ok ? 0 : 1));
+    } catch (expErr) {
+      console.error('[Experiment] CLI error:', expErr && expErr.message || expErr);
+      process.exit(1);
+    }
+
   } else {
-    console.log(`Usage: node index.js [run|/evolve|login|logout|solidify|review|distill|fetch|sync|asset-log|webui|setup-hooks|recipe|buy|orders|verify|atp|atp-complete] [--loop]
+    console.log(`Usage: node index.js [run|/evolve|login|logout|proxy-token|solidify|review|distill|fetch|sync|asset-log|webui|setup-hooks|recipe|buy|orders|verify|atp|atp-complete|experiment] [--loop]
   - login                      (authorize this device via the hub, gh-auth-login style; stores an OAuth token used instead of node_secret)
   - logout                     (remove the stored OAuth token)
+  - proxy-token                (print the local proxy bearer token for command-backed client auth)
+  - experiment flags:
+    - --task="..." --metric="..."              (required; same task, baseline vs variant)
+    - --gene=<geneId>                          (variant arm reuses this gene's strategy)
+    - --baseline="..." --variant="..." --validation="c1;;c2" --request-file=<json>
   - recipe flags:
     - build --title="..." --genes=<asset_id,...> [--description] [--price=N] [--publish]
                               (builds a DRAFT DNA blueprint; --publish is opt-in)