fix: hash hostname in fingerprint, use relative validation paths, remove dead code

onthebigtree · claude · onthebigtree · commit 85f2b46d1ef9 · 2026-02-20T20:12:36.000+08:00
Three independent improvements:

1. Hash hostname before storing in envFingerprint (envFingerprint.js)
   os.hostname() was stored verbatim in every Capsule and EvolutionEvent,
   which are published to the public Hub. sanitize.js does not redact
   hostnames (no matching pattern), so strings like 'john-macbook-pro.local'
   leaked into the public feed. Replace with a 12-char SHA-256 prefix so
   the value still uniquely identifies the environment class without
   revealing the machine name.

2. Remove absolute paths from buildValidationCmd (assetStore.js)
   The previous implementation resolved modules via path.resolve(__dirname)
   at call time, embedding the current machine's absolute path (e.g.
   /Users/xxx/codespace/evolver/src/evolve) into Gene validation commands
   stored in genes.json. Two consequences:
   - sanitize.js redacts /Users/... in published capsules, corrupting the
     stored validation command for any consumer.
   - Moving the project directory breaks all previously stored Gene
     validation commands.
   runValidations() already executes with cwd=repoRoot, so switching to
   require('./src/evolve') style relative paths is correct and portable.

3. Remove appendCapsule dead code (assetStore.js, solidify.js)
   appendCapsule was exported and imported by solidify.js but never called
   (solidify uses upsertCapsule exclusively). It also lacked deduplication,
   so any accidental call would grow capsules.json unboundedly. Removed the
   function, its export, and the unused import in solidify.js.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/gep/assetStore.js b/src/gep/assetStore.js
@@ -26,14 +26,11 @@ function writeJsonAtomic(filePath, obj) {
   fs.renameSync(tmp, filePath);
 }
 
-// Build a robust validation command that works regardless of CWD.
-// Resolves module paths relative to the skill root (skills/evolver/).
+// Build a validation command using repo-root-relative paths.
+// runValidations() executes with cwd=repoRoot, so require('./src/...')
+// resolves correctly without embedding machine-specific absolute paths.
 function buildValidationCmd(relModules) {
-  const skillRoot = path.resolve(__dirname, '..', '..');
-  const checks = relModules.map(m => {
-    const abs = path.join(skillRoot, m).replace(/\\/g, '/');
-    return `require('${abs}')`;
-  });
+  const checks = relModules.map(m => `require('./${m}')`);
   return `node -e "${checks.join('; ')}; console.log('ok')"`;
 }
 
@@ -216,14 +213,6 @@ function upsertGene(geneObj) {
   writeJsonAtomic(genesPath(), { version: current.version || 1, genes });
 }
 
-function appendCapsule(capsuleObj) {
-  ensureSchemaFields(capsuleObj);
-  const current = readJsonIfExists(capsulesPath(), getDefaultCapsules());
-  const capsules = Array.isArray(current.capsules) ? current.capsules : [];
-  capsules.push(capsuleObj);
-  writeJsonAtomic(capsulesPath(), { version: current.version || 1, capsules });
-}
-
 function upsertCapsule(capsuleObj) {
   if (!capsuleObj || capsuleObj.type !== 'Capsule' || !capsuleObj.id) return;
   ensureSchemaFields(capsuleObj);
@@ -263,7 +252,7 @@ module.exports = {
   loadGenes, loadCapsules, readAllEvents, getLastEventId,
   appendEventJsonl, appendCandidateJsonl, appendExternalCandidateJsonl,
   readRecentCandidates, readRecentExternalCandidates,
-  upsertGene, appendCapsule, upsertCapsule,
+  upsertGene, upsertCapsule,
   genesPath, capsulesPath, eventsPath, candidatesPath, externalCandidatesPath,
   ensureAssetFiles, buildValidationCmd,
 };
diff --git a/src/gep/envFingerprint.js b/src/gep/envFingerprint.js
@@ -26,7 +26,7 @@ function captureEnvFingerprint() {
     platform: process.platform,
     arch: process.arch,
     os_release: os.release(),
-    hostname: os.hostname(),
+    hostname: crypto.createHash('sha256').update(os.hostname()).digest('hex').slice(0, 12),
     evolver_version: pkgVersion,
     cwd: process.cwd(),
     container: isContainer(),
diff --git a/src/gep/solidify.js b/src/gep/solidify.js
@@ -1,7 +1,7 @@
 const fs = require('fs');
 const path = require('path');
 const { execSync } = require('child_process');
-const { loadGenes, upsertGene, appendEventJsonl, appendCapsule, upsertCapsule, getLastEventId } = require('./assetStore');
+const { loadGenes, upsertGene, appendEventJsonl, upsertCapsule, getLastEventId } = require('./assetStore');
 const { computeSignalKey, memoryGraphPath } = require('./memoryGraph');
 const { computeCapsuleSuccessStreak, isBlastRadiusSafe } = require('./a2a');
 const { getRepoRoot, getMemoryDir, getEvolutionDir, getWorkspaceRoot } = require('./paths');
