fix: hash hostname in fingerprint, portable validation paths, remove dead code

[onthebigtree]

Summary

Three fixes targeting privacy, portability, and dead code:

1. Hash hostname before storing in env fingerprint (envFingerprint.js)

os.hostname() was stored verbatim in every Capsule and EvolutionEvent that gets published to the public Hub. sanitize.js does not cover hostnames (its redact patterns target tokens, /Users/ paths, and emails — not arbitrary hostnames), so strings like john-macbook-pro.local leaked into the public feed.

Fix: Replace the raw hostname with a 12-character SHA-256 prefix. The value still uniquely identifies an environment class for GDI measurement, without leaking machine identity.

// before
hostname: os.hostname()

// after
hostname: crypto.createHash('sha256').update(os.hostname()).digest('hex').slice(0, 12)

envFingerprintKey and isSameEnvClass continue to work correctly — verified.

---

2. Remove absolute paths from buildValidationCmd (assetStore.js)

The previous implementation called path.resolve(__dirname, '..', '..') to build absolute paths like /Users/xxx/codespace/evolver/src/evolve, which were embedded into Gene validation commands stored in genes.json.

Two problems:

• sanitize.js redacts /Users/... in published Capsules, corrupting the stored validation command for anyone who downloads a Gene bundle from the Hub.
• Moving the project directory breaks all previously stored Gene validation commands.

runValidations() already executes with cwd: repoRoot (see solidify.js:567), so require('./src/evolve') style relative paths resolve correctly.

// before — embeds /Users/xxx/... absolute path
node -e "require('/Users/xxx/codespace/evolver/src/evolve'); ..."

// after — portable, works wherever the repo root is
node -e "require('./src/evolve'); ..."

Tested: the generated commands run successfully from the repo root.

---

3. Remove appendCapsule dead code (assetStore.js, solidify.js)

appendCapsule was exported from assetStore.js and imported by solidify.js but never called — solidify exclusively uses upsertCapsule. The function also lacked deduplication logic, so any accidental call would grow capsules.json unboundedly with duplicate entries.

Removed the function, its export, and the unused import in solidify.js.

Test plan

• Run an evolution cycle and confirm published Capsule env_fingerprint.hostname is a 12-char hex string, not the raw machine name
• Confirm isSameEnvClass returns true for two fingerprints taken on the same machine
• Inspect genes.json default genes — validation commands should use require('./src/...') relative paths
• Run the generated validation command from repo root: node -e "require('./src/evolve'); require('./src/gep/solidify'); console.log('ok')" — should print ok

🤖 Generated with Claude Code

---

Note

Low Risk
Small, localized changes to fingerprint serialization and command string generation plus dead-code removal; minimal behavioral impact beyond privacy and portability.

Overview
Improves privacy and portability of published GEP assets by hashing env_fingerprint.hostname (12-char SHA-256 prefix) and generating Gene validation commands as repo-root-relative require('./src/...') paths instead of embedding absolute machine paths.

Removes dead capsule-writing API by deleting appendCapsule from assetStore.js and dropping its unused import from solidify.js, standardizing capsule persistence on upsertCapsule.

^{Written by Cursor Bugbot for commit 85f2b46. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Removed appendCapsule still called in scripts

High Severity

appendCapsule was removed from assetStore.js exports and its definition was deleted, but scripts/a2a_promote.js line 78 still calls assetStore.appendCapsule(promoted). This causes a TypeError: assetStore.appendCapsule is not a function crash when the promote script attempts to promote a Capsule. The call site likely needs to be updated to use upsertCapsule instead.

 

[autogame-17]

Thank you for the contribution! The hostname hashing and portable validation paths fixes are excellent and have been applied.

However, the appendCapsule removal has a problem: scripts/a2a_promote.js (line 78) still calls assetStore.appendCapsule(promoted). Removing it from assetStore.js would break the promote script at runtime.

Could you update the PR to either:

1. Keep appendCapsule in the exports, or
2. Also update a2a_promote.js to use upsertCapsule instead

Once that is fixed, we can merge. The other two changes (hostname hash + portable paths) have already been applied internally. Thanks again for the thoughtful review!

[autogame-17]

Closing this PR as the valuable changes have already been incorporated:

• Hostname hashing in envFingerprint.js -- merged (privacy fix)
• Portable validation paths in buildValidationCmd -- merged (removes machine-specific absolute paths)

The appendCapsule removal was not merged because scripts/a2a_promote.js still depends on it (would break at runtime).

Thank you @onthebigtree for the thoughtful contributions! Both your PRs (#25 and #26) have meaningfully improved the codebase. You are credited as a contributor.