@evomap/evolver 1.87.0 → 1.87.2

package/src/atp/cli.js

@@ -118,6 +118,27 @@ function parseVerifyArgs(args) {
   return { ok: true, opts: { orderId, action } };
 }
 
+// `evolver atp <enable|disable|status>` — manage autoBuyer consent ack file.
+// Non-TTY users (daemon, CI, hooks) opt in here instead of the interactive
+// first-run prompt. Returns { ok, opts: { sub } } or { ok: false, error }.
+function parseAtpArgs(args) {
+  if (!Array.isArray(args) || args.length === 0) {
+    return { ok: false, error: 'atp requires <enable|disable|status>' };
+  }
+  let sub = null;
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i];
+    if (typeof a === 'string' && !a.startsWith('--')) {
+      sub = a.toLowerCase();
+      break;
+    }
+  }
+  if (!sub || !['enable', 'disable', 'status'].includes(sub)) {
+    return { ok: false, error: 'atp subcommand must be enable|disable|status (got: ' + sub + ')' };
+  }
+  return { ok: true, opts: { sub } };
+}
+
 async function runBuy(opts, deps) {
   const atp = (deps && deps.atp) || require('./index');
   const consumerAgent = atp.consumerAgent;
@@ -226,6 +247,80 @@ async function runVerify(opts, deps) {
   }
 }
 
+// Subcommand runner for `evolver atp enable|disable|status`. Writes the ack
+// file via autoBuyer.setConsent so subsequent daemon starts pick it up. Does
+// NOT mutate process.env — env override wins over the ack file by design,
+// and we don't want a transient CLI invocation to silently shadow operator
+// shell config.
+// Detect whether an EVOLVER_ATP_AUTOBUY env override is currently set AND
+// would supersede the ack we are about to write. Returns the effective env
+// boolean (true=on, false=off) or null if env is unset / whitespace-only.
+// Mirrors the trim-before-length-check rule from autoBuyer.getConsent so
+// the CLI and the runtime agree on what "set" means (Bugbot PR #141).
+function _envOverride() {
+  const raw = process.env.EVOLVER_ATP_AUTOBUY;
+  if (typeof raw !== 'string') return null;
+  const s = raw.trim().toLowerCase();
+  if (s.length === 0) return null;
+  return !(s === 'off' || s === '0' || s === 'false');
+}
+
+async function runAtp(opts, deps) {
+  const autoBuyer = (deps && deps.autoBuyer) || require('./autoBuyer');
+  const log = (deps && deps.log) || console.log;
+  const err = (deps && deps.err) || console.error;
+
+  try {
+    if (opts.sub === 'enable') {
+      const body = autoBuyer.setConsent(true);
+      log('[ATP] auto-spend ENABLED (consent recorded ' + body.acknowledged_at + ').');
+      log('      Caps: daily=' + (process.env.ATP_AUTOBUY_DAILY_CAP_CREDITS || '50') +
+          ', per-order=' + (process.env.ATP_AUTOBUY_PER_ORDER_CAP_CREDITS || '10') + ' credits.');
+      log('      Disable: evolver atp disable  (or  EVOLVER_ATP_AUTOBUY=off)');
+      // Loud warning if an env override will silently undo the ack at
+      // runtime. Bugbot PR #141 Medium: without this the user gets a
+      // false confirmation and real credits keep flowing the wrong way.
+      const envEnabled = _envOverride();
+      if (envEnabled === false) {
+        log('');
+        log('[ATP] WARNING: EVOLVER_ATP_AUTOBUY=' + process.env.EVOLVER_ATP_AUTOBUY +
+            ' is set in your environment and will OVERRIDE the ack file at runtime.');
+        log('      Auto-spend will stay OFF until you unset it (env wins over the ack file).');
+        return { exitCode: 0, data: body, envOverride: 'off' };
+      }
+      return { exitCode: 0, data: body };
+    }
+    if (opts.sub === 'disable') {
+      const body = autoBuyer.setConsent(false);
+      log('[ATP] auto-spend DISABLED (consent recorded ' + body.acknowledged_at + ').');
+      log('      Re-enable: evolver atp enable');
+      const envEnabled = _envOverride();
+      if (envEnabled === true) {
+        log('');
+        log('[ATP] WARNING: EVOLVER_ATP_AUTOBUY=' + process.env.EVOLVER_ATP_AUTOBUY +
+            ' is set in your environment and will OVERRIDE the ack file at runtime.');
+        log('      Auto-spend will stay ON (and continue charging credits) until you unset it.');
+        return { exitCode: 0, data: body, envOverride: 'on' };
+      }
+      return { exitCode: 0, data: body };
+    }
+    // status
+    const consent = autoBuyer.getConsent();
+    const ackPath = autoBuyer.getAckPath();
+    log('[ATP] auto-spend: ' + (consent.enabled ? 'ENABLED' : 'DISABLED') +
+        '  (source: ' + consent.source + ')');
+    log('      ack file: ' + ackPath);
+    if (consent.source === 'default') {
+      log('      Default policy (no ack file, no env override). Run `evolver atp disable`');
+      log('      to opt out, or `evolver atp enable` to record explicit opt-in.');
+    }
+    return { exitCode: 0, data: consent };
+  } catch (e) {
+    err('[ATP] atp command error: ' + (e && e.message || e));
+    return { exitCode: 1, error: String(e) };
+  }
+}
+
 function printUsage() {
   return [
     'ATP subcommands:',
@@ -234,6 +329,7 @@ function printUsage() {
     '  evolver orders [--role=consumer|merchant] [--status=pending|verified|disputed|settled]',
     '                 [--limit=N] [--json]',
     '  evolver verify <orderId> [--action=confirm|ai_judge]',
+    '  evolver atp <enable|disable|status>   -- manage auto-spend consent',
   ].join('\n');
 }
 
@@ -241,8 +337,10 @@ module.exports = {
   parseBuyArgs,
   parseOrdersArgs,
   parseVerifyArgs,
+  parseAtpArgs,
   runBuy,
   runOrders,
   runVerify,
+  runAtp,
   printUsage,
 };

package/src/atp/cliAutobuyPrompt.js

@@ -9,55 +9,34 @@
  *   - ack file memory/atp-autobuy-ack.json does not exist (already decided)
  *
  * Outcomes:
- *   - user answers y         -> enabled=true written, session opts in immediately
- *   - user answers n         -> enabled=false written, prompt never shown again
- *   - user answers later     -> no file written, prompt shown next time
+ *   - user answers y         -> autoBuyer.setConsent(true) — opts in for future sessions
+ *   - user answers n         -> autoBuyer.setConsent(false) — prompt never shown again
+ *   - user answers later     -> no ack written, prompt shown next session
  *   - any non-TTY/ack branch -> silent no-op
+ *
+ * setConsent failures (FS permission, disk full) are surfaced to the user
+ * via the output stream and returned as `reason: 'ack_write_failed'`; the
+ * decision field still reflects what the user typed.
  */
 
-const fs = require("fs");
-const path = require("path");
 const readline = require("readline");
+const autoBuyer = require("./autoBuyer");
 
-const ACK_FILE_NAME = "atp-autobuy-ack.json";
-
-function _getMemoryDir() {
-  try {
-    return require("../gep/paths").getMemoryDir();
-  } catch (_) {
-    return process.env.MEMORY_DIR || path.join(process.cwd(), "memory");
-  }
-}
+// All ack file plumbing is owned by autoBuyer: filename constant, path
+// resolution, read (strict validation), and write (atomic tmp+rename).
+// cliAutobuyPrompt delegates through the public API (not __internals) so
+// the two modules cannot diverge on schema or validation — pre-
+// consolidation drift bit us twice (Bugbot PR #141: duplicate writers +
+// lenient-vs-strict reader). Using public exports keeps the "test-only"
+// contract on __internals honest (Bugbot PR #141 R6).
+const ACK_FILE_NAME = autoBuyer.ACK_FILENAME;
 
 function _getAckPath() {
-  return path.join(_getMemoryDir(), ACK_FILE_NAME);
+  return autoBuyer.getAckPath();
 }
 
 function _readAck() {
-  try {
-    const raw = fs.readFileSync(_getAckPath(), "utf8");
-    const parsed = JSON.parse(raw);
-    if (!parsed || typeof parsed !== "object") return null;
-    return parsed;
-  } catch (_) {
-    return null;
-  }
-}
-
-function _writeAck(enabled) {
-  const p = _getAckPath();
-  try {
-    fs.mkdirSync(path.dirname(p), { recursive: true });
-    const body = {
-      enabled: !!enabled,
-      acknowledged_at: new Date().toISOString(),
-      version: 1,
-    };
-    fs.writeFileSync(p, JSON.stringify(body, null, 2) + "\n", "utf8");
-    return true;
-  } catch (_) {
-    return false;
-  }
+  return autoBuyer.readAck();
 }
 
 /**
@@ -116,11 +95,12 @@ async function runPrompt(opts) {
 
   try {
     output.write("\n");
-    output.write("[ATP-AutoBuyer] Your evolver can automatically place small-priced\n");
-    output.write("ATP orders when it detects a capability gap (default ON).\n");
-    output.write("  - daily hard cap:   ATP_AUTOBUY_DAILY_CAP_CREDITS (default applies)\n");
-    output.write("  - per-order cap:    ATP_AUTOBUY_PER_ORDER_CAP_CREDITS\n");
-    output.write("  - set EVOLVER_ATP_AUTOBUY=off and restart to disable at any time.\n");
+    output.write("[ATP-AutoBuyer] Your evolver will automatically place small-priced\n");
+    output.write("ATP orders when it detects a capability gap. This spends real\n");
+    output.write("credits on the EvoMap hub and is ON by default for new installs.\n");
+    output.write("  - daily hard cap:   ATP_AUTOBUY_DAILY_CAP_CREDITS (default 50)\n");
+    output.write("  - per-order cap:    ATP_AUTOBUY_PER_ORDER_CAP_CREDITS (default 10)\n");
+    output.write("  - change later:     evolver atp enable | evolver atp disable\n");
     output.write("\n");
   } catch (_) {
     return { prompted: false, decision: null, reason: "io_error" };
@@ -128,7 +108,7 @@ async function runPrompt(opts) {
 
   let answer;
   try {
-    answer = await ask("Keep autoBuyer enabled for this session? [y/n/later] ", {
+    answer = await ask("Keep ATP auto-spend ON for future sessions? [y=keep enabled / n=disable / later=ask again next session] ", {
       input,
       output,
     });
@@ -136,16 +116,44 @@ async function runPrompt(opts) {
     return { prompted: true, decision: null, reason: "ask_error" };
   }
 
+  // For y/n we persist via autoBuyer.setConsent (atomic tmp+rename, throws
+  // on FS failure). If the write fails we MUST tell the user — for the 'n'
+  // path especially, since auto-spend is default-ON and a failed disable
+  // means the user typed "off" but the runtime keeps charging credits
+  // (Bugbot PR #141 Medium: unchecked ack write). Do NOT mutate process.env
+  // on success: that would double-signal and shadow any explicit operator
+  // preference set later.
+  function _persistConsent(enabled, decision) {
+    try {
+      autoBuyer.setConsent(enabled);
+      return { prompted: true, decision, reason: enabled ? "user_accepted" : "user_declined" };
+    } catch (err) {
+      try {
+        output.write("[ATP-AutoBuyer] WARN: failed to persist consent: " + (err && err.message || err) + "\n");
+        if (enabled) {
+          output.write("                Auto-spend will keep using the default-on policy until\n");
+          output.write("                the ack is saved (capped at the configured caps).\n");
+        } else {
+          output.write("                Auto-spend will STAY ON (default policy) until your opt-out\n");
+          output.write("                can be saved — your decline was not persisted.\n");
+        }
+        output.write("                Check disk space and write permissions on the memory dir, then run\n");
+        output.write("                `evolver atp " + (enabled ? "enable" : "disable") + "` to retry.\n");
+      } catch (_) { /* output stream is broken too — nothing more we can do */ }
+      return { prompted: true, decision, reason: "ack_write_failed" };
+    }
+  }
+
   if (answer === "y" || answer === "yes") {
-    _writeAck(true);
-    env.EVOLVER_ATP_AUTOBUY = "on";
-    return { prompted: true, decision: "yes", reason: "user_accepted" };
+    return _persistConsent(true, "yes");
   }
   if (answer === "n" || answer === "no") {
-    _writeAck(false);
-    env.EVOLVER_ATP_AUTOBUY = "off";
-    return { prompted: true, decision: "no", reason: "user_declined" };
+    return _persistConsent(false, "no");
   }
+  // Postpone: no ack written, so autoBuyer.getConsent() returns
+  // {enabled: true, source: 'default'} this session. Auto-spend keeps
+  // running under the default policy with caps; the prompt will fire again
+  // next interactive session so the user can confirm or opt out.
   return { prompted: true, decision: "later", reason: "user_postponed" };
 }
 
@@ -155,7 +163,6 @@ module.exports = {
   __internals: {
     ACK_FILE_NAME,
     _readAck,
-    _writeAck,
     _getAckPath,
   },
 };