Release v1.89.11

Author: evolver-publish

README.ja-JP.md

@@ -1,6 +1,6 @@
 # 🧬 Evolver
 
-[![GitHub stars](https://img.shields.io/badge/Stars-8.6k-2b3137?logo=github&logoColor=white)](https://github.com/EvoMap/evolver/stargazers)
+[![GitHub stars](https://img.shields.io/badge/Stars-8.7k-2b3137?logo=github&logoColor=white)](https://github.com/EvoMap/evolver/stargazers)
 [![License: GPL-3.0](https://img.shields.io/badge/License-GPL--3.0-blue.svg)](https://opensource.org/licenses/GPL-3.0)
 [![Node.js >= 18](https://img.shields.io/badge/Node.js-%3E%3D%2018-green.svg)](https://nodejs.org/)
 [![npm downloads](https://img.shields.io/npm/dm/@evomap/evolver.svg)](https://www.npmjs.com/package/@evomap/evolver)

README.ko-KR.md

@@ -1,6 +1,6 @@
 # 🧬 Evolver
 
-[![GitHub stars](https://img.shields.io/badge/Stars-8.6k-2b3137?logo=github&logoColor=white)](https://github.com/EvoMap/evolver/stargazers)
+[![GitHub stars](https://img.shields.io/badge/Stars-8.7k-2b3137?logo=github&logoColor=white)](https://github.com/EvoMap/evolver/stargazers)
 [![License: GPL-3.0](https://img.shields.io/badge/License-GPL--3.0-blue.svg)](https://opensource.org/licenses/GPL-3.0)
 [![Node.js >= 18](https://img.shields.io/badge/Node.js-%3E%3D%2018-green.svg)](https://nodejs.org/)
 [![npm downloads](https://img.shields.io/npm/dm/@evomap/evolver.svg)](https://www.npmjs.com/package/@evomap/evolver)

README.md

@@ -1,6 +1,6 @@
 # 🧬 Evolver
 
-[![GitHub stars](https://img.shields.io/badge/Stars-8.6k-2b3137?logo=github&logoColor=white)](https://github.com/EvoMap/evolver/stargazers)
+[![GitHub stars](https://img.shields.io/badge/Stars-8.7k-2b3137?logo=github&logoColor=white)](https://github.com/EvoMap/evolver/stargazers)
 [![License: GPL-3.0](https://img.shields.io/badge/License-GPL--3.0-blue.svg)](https://opensource.org/licenses/GPL-3.0)
 [![Node.js >= 18](https://img.shields.io/badge/Node.js-%3E%3D%2018-green.svg)](https://nodejs.org/)
 [![npm downloads](https://img.shields.io/npm/dm/@evomap/evolver.svg)](https://www.npmjs.com/package/@evomap/evolver)
@@ -416,6 +416,7 @@ Evolver is designed to be **environment-agnostic**.
 | `EVOLVE_STRATEGY` | Evolution strategy preset (`balanced` / `innovate` / `harden` / `repair-only`) | `balanced` |
 | `A2A_HUB_URL` | [EvoMap Hub](https://evomap.ai) URL | _(unset, offline mode)_ |
 | `A2A_NODE_ID` | Your node identity on the network | _(auto-generated from device fingerprint)_ |
+| `EVOMAP_HUB_IP_FAMILY` | Hub egress IP-family policy: `ipv4first` tries IPv4 first and falls back to dual-stack, `auto` uses dual-stack as the primary path, `ipv4-only` disables fallback | `ipv4first` |
 | `HEARTBEAT_INTERVAL_MS` | Hub heartbeat interval | `360000` (6 min) |
 | `MEMORY_DIR` | Memory files path | `./memory` |
 | `EVOLVE_REPORT_TOOL` | Tool name for reporting results | `message` |

README.zh-CN.md

@@ -1,6 +1,6 @@
 # 🧬 Evolver
 
-[![GitHub stars](https://img.shields.io/badge/Stars-8.6k-2b3137?logo=github&logoColor=white)](https://github.com/EvoMap/evolver/stargazers)
+[![GitHub stars](https://img.shields.io/badge/Stars-8.7k-2b3137?logo=github&logoColor=white)](https://github.com/EvoMap/evolver/stargazers)
 [![License: GPL-3.0](https://img.shields.io/badge/License-GPL--3.0-blue.svg)](https://opensource.org/licenses/GPL-3.0)
 [![Node.js >= 18](https://img.shields.io/badge/Node.js-%3E%3D%2018-green.svg)](https://nodejs.org/)
 [![npm downloads](https://img.shields.io/npm/dm/@evomap/evolver.svg)](https://www.npmjs.com/package/@evomap/evolver)

assets/cover.png

@@ -2042,6 +2042,7 @@ async function main() {
     }
 
     const { getHubUrl, getNodeId, buildHubHeaders, sendHelloToHub, getHubNodeSecret } = require('./src/gep/a2aProtocol');
+    const { hubFetch } = require('./src/gep/hubFetch');
 
     const hubUrl = getHubUrl();
     if (!hubUrl) {
@@ -2071,7 +2072,7 @@ async function main() {
 
       console.log('[fetch] Downloading skill: ' + skillId);
 
-      const resp = await fetch(endpoint, {
+      const resp = await hubFetch(endpoint, {
         method: 'POST',
         headers: buildHubHeaders(),
         body: JSON.stringify({ sender_id: nodeId }),
@@ -2253,6 +2254,7 @@ async function main() {
 
   } else if (command === 'sync') {
     const { getHubUrl, getNodeId, buildHubHeaders, sendHelloToHub, getHubNodeSecret } = require('./src/gep/a2aProtocol');
+    const { hubFetch } = require('./src/gep/hubFetch');
     const { upsertGene, upsertCapsule, loadGenes, loadCapsules } = require('./src/gep/assetStore');
     const { getGepAssetsDir, getMemoryDir } = require('./src/gep/paths');
 
@@ -2321,7 +2323,7 @@ async function main() {
               if (v != null) url += '&' + k + '=' + encodeURIComponent(v);
             }
           }
-          const resp = await fetch(url, {
+          const resp = await hubFetch(url, {
             method: 'GET',
             headers: buildHubHeaders(),
             signal: AbortSignal.timeout(30000),
@@ -2438,7 +2440,7 @@ async function main() {
         try {
           let payload = asset.payload;
           if (!payload) {
-            const detailResp = await fetch(baseUrl + '/a2a/assets/' + encodeURIComponent(assetId) + '?detailed=true', {
+            const detailResp = await hubFetch(baseUrl + '/a2a/assets/' + encodeURIComponent(assetId) + '?detailed=true', {
               method: 'GET',
               headers: buildHubHeaders(),
               signal: AbortSignal.timeout(15000),

index.js

@@ -1,6 +1,6 @@
 {
   "name": "@evomap/evolver",
-  "version": "1.89.10",
+  "version": "1.89.11",
   "description": "A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.",
   "main": "index.js",
   "bin": {

package-lock.json

@@ -8,8 +8,6 @@
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
-const https = require('https');
-const http = require('http');
 const { spawnSync } = require('child_process');
 // 10 MB — prevents RangeError on large child process output (e.g. git log/diff
 // on large repos). See GHSA reports / issue #451.
@@ -113,15 +111,17 @@ function detectSignals(text) {
   return [...new Set(signals)];
 }
 
-function recordToHub(outcome) {
+function loadHubFetch() {
+  const evolverRoot = findEvolverRoot();
+  return require(path.join(evolverRoot, 'src', 'gep', 'hubFetch')).hubFetch;
+}
+
+async function recordToHub(outcome) {
   const hubUrl = process.env.EVOMAP_HUB_URL || process.env.A2A_HUB_URL;
   const apiKey = process.env.EVOMAP_API_KEY || process.env.A2A_NODE_SECRET;
   const nodeId = process.env.EVOMAP_NODE_ID || process.env.A2A_NODE_ID;
   if (!hubUrl || !apiKey) return false;
 
-  // Use Node.js built-in http/https instead of curl so this works on all
-  // platforms, including Windows where curl may not be available or may be
-  // an older, incompatible version bundled with some environments.
   try {
     const payload = JSON.stringify({
       gene_id: outcome.geneId || 'ad_hoc',
@@ -133,37 +133,18 @@ function recordToHub(outcome) {
     });
 
     const endpoint = hubUrl.replace(/\/+$/, '') + '/a2a/evolution/record';
-    let parsedUrl;
-    try { parsedUrl = new URL(endpoint); } catch { return false; }
-
-    const isHttps = parsedUrl.protocol === 'https:';
-    const transport = isHttps ? https : http;
-
-    return new Promise((resolve) => {
-      const req = transport.request(
-        {
-          hostname: parsedUrl.hostname,
-          port: parsedUrl.port || (isHttps ? 443 : 80),
-          path: parsedUrl.pathname + (parsedUrl.search || ''),
-          method: 'POST',
-          headers: {
-            'Content-Type': 'application/json',
-            'Authorization': `Bearer ${apiKey}`,
-            'Content-Length': Buffer.byteLength(payload),
-          },
-          timeout: 8000,
-        },
-        (res) => {
-          // Drain the response to free the socket; we only care about status.
-          res.resume();
-          resolve(res.statusCode >= 200 && res.statusCode < 300);
-        }
-      );
-      req.on('error', () => resolve(false));
-      req.on('timeout', () => { req.destroy(); resolve(false); });
-      req.write(payload);
-      req.end();
+    const hubFetch = loadHubFetch();
+    const res = await hubFetch(endpoint, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${apiKey}`,
+      },
+      body: payload,
+      signal: AbortSignal.timeout(8000),
     });
+    try { await res.text(); } catch (_) {}
+    return res.ok;
   } catch {
     return false;
   }
@@ -250,7 +231,7 @@ function main() {
   process.stdin.on('data', chunk => { inputData += chunk; });
   process.stdin.on('end', () => {
     if (handled) return;
-    // recordToHub is async (uses Node.js http/https); wrap the rest of the
+    // recordToHub is async (uses the shared Hub fetch transport); wrap the rest of the
     // handler in an immediately-invoked async function so we can await it
     // while still honouring the watchdog timeout and the `handled` guard.
     (async () => {

package.json

@@ -22,12 +22,10 @@
 // idempotent server-side).
 
 const fs = require('fs');
-const http = require('http');
-const https = require('https');
 const crypto = require('crypto');
 
 const { computeAssetId } = require('../gep/contentHash');
-const { enforceHubScheme, strictHttpsAgent } = require('../gep/hubFetch');
+const { hubFetch } = require('../gep/hubFetch');
 const {
   getNodeId,
   getHubUrl,
@@ -126,77 +124,35 @@ function _publishUrl() {
   return base + '/a2a/publish';
 }
 
-function _postJson(urlStr, body, timeoutMs) {
-  return new Promise(function (resolve) {
-    // Same TLS posture as hubFetch: refuse plain http:// unless
-    // EVOMAP_HUB_ALLOW_INSECURE=1. Before this guard the function
-    // silently fell back to `lib = http` for any non-https URL, so an
-    // operator override `A2A_HUB_URL=http://...` would send /a2a/publish
-    // and /a2a/task/complete in cleartext while hubFetch-routed calls
-    // (e.g. /a2a/verify-solidify) refused the same URL — inconsistent
-    // TLS enforcement across modules.
-    try {
-      enforceHubScheme(urlStr);
-    } catch (e) {
-      resolve({ ok: false, error: 'tls_refused: ' + (e && e.message) });
-      return;
-    }
-    let parsed;
-    try {
-      parsed = new URL(urlStr);
-    } catch (e) {
-      resolve({ ok: false, error: 'invalid_url: ' + (e && e.message) });
-      return;
-    }
-    const isHttps = parsed.protocol === 'https:';
-    const lib = isHttps ? https : http;
-    const payload = JSON.stringify(body || {});
-    const headers = Object.assign(
-      { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) },
-      buildHubHeaders() || {},
-    );
-    // Pin TLS cert verification for https calls so a globally-disabled
-    // NODE_TLS_REJECT_UNAUTHORIZED=0 cannot weaken the Hub channel
-    // (Cursor Security Reviewer #160 Medium). hubFetch enforces the
-    // same via its undici dispatcher; this is the Node-native-https
-    // equivalent.
-    //
-    // Skipped under EVOMAP_HUB_ALLOW_INSECURE=1 so local-dev / self-
-    // signed mock hubs that legitimately rely on
-    // NODE_TLS_REJECT_UNAUTHORIZED=0 still work.
-    const requestOpts = {
-      hostname: parsed.hostname,
-      port: parsed.port || (isHttps ? 443 : 80),
-      path: parsed.pathname + (parsed.search || ''),
+async function _postJson(urlStr, body, timeoutMs) {
+  const payload = JSON.stringify(body || {});
+  const headers = Object.assign(
+    { 'Content-Type': 'application/json' },
+    buildHubHeaders() || {},
+  );
+
+  try {
+    const res = await hubFetch(urlStr, {
       method: 'POST',
       headers: headers,
-      timeout: timeoutMs || PUBLISH_TIMEOUT_MS,
-    };
-    if (isHttps && process.env.EVOMAP_HUB_ALLOW_INSECURE !== '1') {
-      requestOpts.agent = strictHttpsAgent;
+      body: payload,
+      signal: AbortSignal.timeout(timeoutMs || PUBLISH_TIMEOUT_MS),
+    });
+    const text = await res.text();
+    let data = null;
+    try { data = text ? JSON.parse(text) : null; } catch (e) { data = { raw: text }; }
+    if (res.status >= 200 && res.status < 300) {
+      return { ok: true, status: res.status, data };
     }
-    const req = lib.request(
-      requestOpts,
-      function (res) {
-        const chunks = [];
-        res.on('data', function (c) { chunks.push(c); });
-        res.on('end', function () {
-          const text = Buffer.concat(chunks).toString('utf8');
-          let data = null;
-          try { data = text ? JSON.parse(text) : null; } catch (e) { data = { raw: text }; }
-          if (res.statusCode >= 200 && res.statusCode < 300) {
-            resolve({ ok: true, status: res.statusCode, data });
-          } else {
-            resolve({ ok: false, status: res.statusCode, data, error: 'http_' + res.statusCode });
-          }
-        });
-      },
-    );
-    req.on('timeout', function () { req.destroy(new Error('timeout')); });
-    req.on('error', function (err) { resolve({ ok: false, error: err.message }); });
-    req.write(payload);
-    req.end();
-  });
+    return { ok: false, status: res.status, data, error: 'http_' + res.status };
+  } catch (err) {
+    const msg = (err && err.message) || String(err);
+    if (msg.indexOf('[hubFetch]') !== -1) {
+      if (/not a valid URL/i.test(msg)) return { ok: false, error: 'invalid_url: ' + msg };
+      return { ok: false, error: 'tls_refused: ' + msg };
+    }
+    return { ok: false, error: msg };
+  }
 }
 
 async function _ensureNodeSecret() {