Summary
27 out of 53 core source files in src/gep/ are obfuscated using a JavaScript obfuscator, with hex-encoded variable names, string encoding, and anti-debugging patterns.
Obfuscated files (27)
a2aProtocol.js candidateEval.js candidates.js contentHash.js
crypto.js curriculum.js deviceId.js envFingerprint.js
explore.js hubReview.js hubSearch.js hubVerify.js
integrityCheck.js learningSignals.js memoryGraphAdapter.js memoryGraph.js
mutation.js narrativeMemory.js personality.js policyCheck.js
prompt.js reflection.js selector.js shield.js
skillDistiller.js solidify.js strategy.js
Clean files (26)
a2a.js analyzer.js assetCallLog.js assets.js
assetStore.js bridge.js claimNudge.js directoryClient.js
executionTrace.js featureFlags.js gitOps.js idleScheduler.js
issueReporter.js llmReview.js localStateAwareness.js mailboxTransport.js
paths.js privacyClient.js questionGenerator.js sanitize.js
selfPR.js signals.js skill2gep.js skillPublisher.js
taskReceiver.js validationReport.js
Obfuscation pattern
The obfuscated files use a JavaScript obfuscator with:
- `_0x` hex variable names throughout
- String array with rotation/shuffling (`_0x6439`, `_0x449e`)
- RC4 string decryption at runtime
- Anti-debugging via `toString()` checks and `newState` traps
- All `require()` calls, string literals, and control flow obfuscated
Example from explore.js line 1:

```js
const _0x5d80e6=_0x449e;(function(_0x1ce503,_0x52885e){const _0x417ea3=_0x449e...
```
Concern
This project is licensed under GPL-3.0, which requires that the "preferred form of the work for making modifications" (i.e. source code) be made available. Obfuscated JavaScript is not source code in the GPL sense — it is a compiled/transformed artifact that cannot be reasonably read, understood, or modified.
The README states "Evolver has been fully open source since our first release" and the GEP protocol is described as providing "auditable evolution." However, 51% of the core engine files cannot be audited.
Questions
- Is there a build step that generates these files from readable source? If so, could the original source be included?
- Are these files intentionally obfuscated to protect IP? If so, this conflicts with the GPL-3.0 license.
- Given that files like `shield.js`, `integrityCheck.js`, and `policyCheck.js` are obfuscated, how can users verify the security model described in the README?
Reproduction
```sh
# Count obfuscated files
grep -rl "_0x[0-9a-f]\{4\}" src/gep/*.js | wc -l
# → 27
# Count clean files
ls src/gep/*.js | wc -l
# → 53 total, 26 clean
```
Found via automated security scan.