@evomap/evolver 1.87.1 → 1.87.3

package/README.ja-JP.md

@@ -32,7 +32,7 @@
 >
 > Evolver はこの結論を実装に落とし込んだオープンソースエンジンです。GEP プロトコルの下で、エージェントの経験を場当たり的なプロンプトやスキルドキュメントではなく、Gene と Capsule として符号化します。*なぜ* Evolver が長いスキルドキュメントではなく Gene にこだわるのか疑問に思ったことがあるなら、読むべきはこの論文です。
 >
-> 応用事例を見たい方へ：[OpenClaw x EvoMap：CritPt 評価レポート](https://evomap.ai/blog/openclaw-critpt-report) では、OpenClaw エージェントが CritPt Physics Solver 上の 5 バージョン（Beta → v2.2）にわたって、同じ Gene ベース進化ループによってスコアを 0.00% から 18.57% まで押し上げる全過程を、トークンコストの軌跡、遺伝子活性化マップ、そして推論が再利用可能な Gene に圧縮されるときに現れる「トークンが上昇してから下降する」シグネチャとともに詳述しています。
+> 応用事例を見たい方へ：[OpenClaw x EvoMap：CritPt 評価レポート](https://evomap.ai/blog/openclaw-critpt-report) では、OpenClaw エージェントが CritPt Physics Solver 上の 5 バージョン（Beta → v2.2）にわたって、同じ Gene ベース進化ループによってスコアを 9.1% から 18.57% まで押し上げる全過程を、トークンコストの軌跡、遺伝子活性化マップ、そして推論が再利用可能な Gene に圧縮されるときに現れる「トークンが上昇してから下降する」シグネチャとともに詳述しています。
 
 ---
 

package/README.ko-KR.md

@@ -32,7 +32,7 @@
 >
 > Evolver는 이 결과를 실제로 구현하는 오픈소스 엔진입니다. GEP 프로토콜 아래 에이전트의 경험을 임시 프롬프트나 스킬 문서가 아니라 Gene과 Capsule로 인코딩합니다. *왜* Evolver가 더 긴 스킬 문서 대신 Gene을 고집하는지 궁금했다면, 바로 이 논문을 읽어야 합니다.
 >
-> 적용 사례가 궁금하신가요? [OpenClaw x EvoMap: CritPt 평가 보고서](https://evomap.ai/blog/openclaw-critpt-report)는 동일한 Gene 기반 진화 루프가 OpenClaw 에이전트를 CritPt Physics Solver의 5개 버전(Beta → v2.2)에 걸쳐 0.00%에서 18.57%까지 끌어올리는 과정을, 전체 토큰 비용 궤적, 유전자 활성화 매핑, 그리고 추론이 재사용 가능한 Gene으로 압축될 때 나타나는 "토큰이 먼저 상승한 뒤 하강하는" 시그니처와 함께 단계별로 보여줍니다.
+> 적용 사례가 궁금하신가요? [OpenClaw x EvoMap: CritPt 평가 보고서](https://evomap.ai/blog/openclaw-critpt-report)는 동일한 Gene 기반 진화 루프가 OpenClaw 에이전트를 CritPt Physics Solver의 5개 버전(Beta → v2.2)에 걸쳐 9.1%에서 18.57%까지 끌어올리는 과정을, 전체 토큰 비용 궤적, 유전자 활성화 매핑, 그리고 추론이 재사용 가능한 Gene으로 압축될 때 나타나는 "토큰이 먼저 상승한 뒤 하강하는" 시그니처와 함께 단계별로 보여줍니다.
 
 ---
 

package/README.md

@@ -32,7 +32,7 @@
 >
 > Evolver is the open-source engine that puts this result into practice: it encodes agent experience as Genes and Capsules under the GEP protocol, not as ad hoc prompts or skill docs. If you've ever wondered *why* Evolver insists on Genes instead of longer skill docs, this is the paper to read.
 >
-> Want the applied version? [OpenClaw x EvoMap: CritPt Evaluation Report](https://evomap.ai/blog/openclaw-critpt-report) walks through how the same Gene-based evolution loop drives an OpenClaw agent from 0.00% to 18.57% on CritPt Physics Solver across five versions (Beta -> v2.2), with full token-cost trajectories, gene activation mapping, and the "tokens rise then fall" signature of reasoning getting compressed into reusable genes.
+> Want the applied version? [OpenClaw x EvoMap: CritPt Evaluation Report](https://evomap.ai/blog/openclaw-critpt-report) walks through how the same Gene-based evolution loop drives an OpenClaw agent from 9.1% to 18.57% on CritPt Physics Solver across five versions (Beta -> v2.2), with full token-cost trajectories, gene activation mapping, and the "tokens rise then fall" signature of reasoning getting compressed into reusable genes.
 
 ---
 
@@ -184,7 +184,7 @@ Every `evolver <flag>` invocation in the rest of this README maps 1:1 to `node i
 **Evolver is a prompt generator, not a code patcher.** Each evolution cycle:
 
 1. Scans your `memory/` directory for runtime logs, error patterns, and signals.
-2. Selects the best-matching [Gene or Capsule](https://evomap.ai/wiki) from `assets/gep/`.
+2. Selects the best-matching [Gene or Capsule](https://evomap.ai/wiki) from the local GEP asset store.
 3. Emits a strict, protocol-bound GEP prompt that guides the next evolution step.
 4. Records an auditable [EvolutionEvent](https://evomap.ai/wiki) for traceability.
 
@@ -377,16 +377,17 @@ The [evomap.ai](https://evomap.ai) dashboard has a "Worker" toggle on the node d
 
 This repo includes a protocol-constrained prompt mode based on [GEP (Genome Evolution Protocol)](https://evomap.ai/wiki).
 
-- **Structured assets** live in `assets/gep/`:
-  - `assets/gep/genes.json`
-  - `assets/gep/capsules.json`
-  - `assets/gep/events.jsonl`
+- **Structured runtime assets** live in `<workspace>/.evolver/gep/` by default:
+  - `<workspace>/.evolver/gep/genes.json`
+  - `<workspace>/.evolver/gep/capsules.json`
+  - `<workspace>/.evolver/gep/events.jsonl`
+- Set `GEP_ASSETS_DIR` to place the runtime asset store elsewhere.
 - **Selector** logic uses extracted signals to prefer existing Genes/Capsules and emits a JSON selector decision in the prompt.
 - **Constraints**: Only the DNA emoji is allowed in documentation; all other emoji are disallowed.
 
 ### Your local asset store is never overwritten by upgrades
 
-`assets/gep/genes.json`, `assets/gep/capsules.json`, and `assets/gep/events.jsonl` are owned by your runtime. Starting with 1.78.3, the npm tarball no longer contains these files, so `npm i -g @evomap/evolver` (or `git pull` of the public repo) never clobbers your accumulated Genes, Capsules, or EvolutionEvents. New installs still receive the curated starter Genes through `assets/gep/genes.seed.json`, which is applied only when `genes.json` is absent.
+`<workspace>/.evolver/gep/genes.json`, `<workspace>/.evolver/gep/capsules.json`, and `<workspace>/.evolver/gep/events.jsonl` are owned by your runtime and ignored by git. `assets/gep/` is reserved for bundled starter assets. On first run, evolver copies any legacy runtime files from `assets/gep/` into `.evolver/gep/` without deleting the originals, then seeds `genes.json` from the bundled starter genes only when no local `genes.json` exists.
 
 If you ran an older evolver version that wiped your local assets, pull back everything you Promoted or published to the Hub with a single command:
 
@@ -396,7 +397,7 @@ A2A_HUB_URL=https://evomap.ai evolver sync --scope=all --export=backup.gepx
 
 This hits `/a2a/assets/purchased` (Promoted-to-you plus self-purchased) and `/a2a/assets/published-by-me` (your own drafts and published assets), re-materializes the full payloads into `genes.json` / `capsules.json`, and packs a portable `.gepx` bundle. Previously-purchased payloads re-fetch at zero cost.
 
-Purely local assets that were never uploaded to the Hub have no remote copy -- recover them from your git history (for example `git show <old_tag>:assets/gep/genes.json > restored.json`) or from disk snapshots.
+Purely local assets that were never uploaded to the Hub have no remote copy -- recover them from `.evolver/gep/`, from an older `assets/gep/` checkout, or from disk snapshots.
 
 ## Configuration & Decoupling
 

package/README.zh-CN.md

@@ -32,7 +32,7 @@
 >
 > Evolver 正是把这一结论落地的开源引擎：它基于 GEP 协议，把 Agent 的经验沉淀为 Gene 与 Capsule，而不是散落的 prompt 或技能文档。如果你想知道 *为什么* Evolver 坚持使用 Gene 而不是更长的 skill 文档，这就是那篇该读的论文。
 >
-> 想看应用落地的样本？[OpenClaw x EvoMap：CritPt 评测报告](https://evomap.ai/blog/openclaw-critpt-report) 以 OpenClaw Agent 在 CritPt Physics Solver 上的五个版本演进（Beta → v2.2）为例，完整拆解了同一套 Gene 进化闭环如何把得分从 0.00% 推到 18.57%，并给出 token 成本轨迹、基因激活映射，以及推理被压缩成可复用基因后所呈现的「token 先升后降」特征。
+> 想看应用落地的样本？[OpenClaw x EvoMap：CritPt 评测报告](https://evomap.ai/blog/openclaw-critpt-report) 以 OpenClaw Agent 在 CritPt Physics Solver 上的五个版本演进（Beta → v2.2）为例，完整拆解了同一套 Gene 进化闭环如何把得分从 9.1% 推到 18.57%，并给出 token 成本轨迹、基因激活映射，以及推理被压缩成可复用基因后所呈现的「token 先升后降」特征。
 
 ---
 
@@ -159,7 +159,7 @@ evolver --loop
 **Evolver 是一个提示词生成器，不是代码修改器。** 每个进化周期：
 
 1. 扫描 `memory/` 目录中的运行日志、错误模式和信号。
-2. 从 `assets/gep/` 中选择最匹配的 [Gene 或 Capsule](https://evomap.ai/wiki)。
+2. 从本地 GEP 资产库中选择最匹配的 [Gene 或 Capsule](https://evomap.ai/wiki)。
 3. 输出一份严格的、受协议约束的 GEP 提示词来引导下一步进化。
 4. 记录可审计的 [EvolutionEvent](https://evomap.ai/wiki) 以便追溯。
 
@@ -351,16 +351,17 @@ WORKER_ENABLED=1 WORKER_DOMAINS=repair,harden WORKER_MAX_LOAD=3 evolver --loop
 
 本仓库内置基于 [GEP（基因组进化协议）](https://evomap.ai/wiki)的协议受限提示词模式。
 
-- **结构化资产目录**：`assets/gep/`
-  - `assets/gep/genes.json`
-  - `assets/gep/capsules.json`
-  - `assets/gep/events.jsonl`
+- **结构化运行时资产目录**：默认位于 `<workspace>/.evolver/gep/`
+  - `<workspace>/.evolver/gep/genes.json`
+  - `<workspace>/.evolver/gep/capsules.json`
+  - `<workspace>/.evolver/gep/events.jsonl`
+- 可通过 `GEP_ASSETS_DIR` 把运行时资产库放到其他位置。
 - **Selector 选择器**：根据日志提取 signals，优先复用已有 Gene/Capsule，并在提示词中输出可审计的 Selector 决策 JSON。
 - **约束**：除 🧬 外，禁止使用其他 emoji。
 
 ### 升级不再覆盖你的本地资产库
 
-`assets/gep/genes.json`、`assets/gep/capsules.json`、`assets/gep/events.jsonl` 属于你本地运行时。从 1.78.3 起，npm 发行包不再包含这三个文件，`npm i -g @evomap/evolver`（或公共仓库的 `git pull`）不会再覆盖你累积的 Gene、Capsule 和 EvolutionEvent。新装用户依然会通过 `assets/gep/genes.seed.json` 拿到引擎维护的 starter Gene —— 只有在本地 `genes.json` 不存在时才会应用一次。
+`<workspace>/.evolver/gep/genes.json`、`<workspace>/.evolver/gep/capsules.json`、`<workspace>/.evolver/gep/events.jsonl` 属于你本地运行时，并被 git 忽略。`assets/gep/` 保留给随包发布的 starter 资产。首次运行时，evolver 会把旧版遗留在 `assets/gep/` 的运行时文件复制到 `.evolver/gep/`，不会删除原文件；只有在本地 `genes.json` 不存在时，才会从随包 starter Gene 初始化。
 
 如果你之前用老版本被覆盖过，现在可以一键把所有被 Promoted 给你、以及你自己上传到 Hub 的资产拉回来：
 
@@ -370,7 +371,7 @@ A2A_HUB_URL=https://evomap.ai evolver sync --scope=all --export=backup.gepx
 
 它会去 `/a2a/assets/purchased`（被 Promoted 给你 + 自购）和 `/a2a/assets/published-by-me`（你自己发布的，含 draft）拉回完整 payload，直接回写 `genes.json` / `capsules.json`，并顺便打成 `.gepx` 整包备份。已购买过的 payload 这次重新拉取不收费。
 
-纯本地、从未上传过的资产 Hub 没有副本，只能从 git 历史恢复（例如 `git show <老tag>:assets/gep/genes.json > restored.json`）或从磁盘快照找回。
+纯本地、从未上传过的资产 Hub 没有副本，只能从 `.evolver/gep/`、旧版 `assets/gep/` checkout 或磁盘快照找回。
 
 ## 配置与解耦
 

package/index.js

@@ -491,10 +491,11 @@ async function main() {
           console.warn('[ATP] Auto-init failed: ' + (atpInitErr && atpInitErr.message || atpInitErr));
         }
 
-        // ATP: capability-gap auto-buyer. Default ON as of ATP liquidity
-        // unlock; disable with EVOLVER_ATP_AUTOBUY=off. Also starts the
-        // merchant-side auto-deliver daemon so claimed ATP tasks actually
-        // call submitDelivery and settle instead of expiring.
+        // ATP: capability-gap auto-buyer. OPT-IN as of consent-required
+        // change — new installs do not auto-spend until the user explicitly
+        // runs `evolver atp enable` or answers `y` at the first-run prompt.
+        // Also starts the merchant-side auto-deliver daemon so claimed ATP
+        // tasks actually call submitDelivery and settle instead of expiring.
         try {
           try {
             const { runPrompt } = require('./src/atp/cliAutobuyPrompt');
@@ -502,16 +503,31 @@ async function main() {
           } catch (promptErr) {
             console.warn('[ATP-AutoBuyer] first-run prompt failed: ' + (promptErr && promptErr.message || promptErr));
           }
-          const autoBuyRaw = (process.env.EVOLVER_ATP_AUTOBUY || 'on').toLowerCase().trim();
-          const autoBuyOn = autoBuyRaw !== 'off' && autoBuyRaw !== '0' && autoBuyRaw !== 'false';
-          if (autoBuyOn) {
+          const { autoBuyer } = require('./src/atp');
+          const consent = autoBuyer.getConsent();
+          if (consent.enabled) {
             const hubUrl = process.env.A2A_HUB_URL || process.env.EVOMAP_HUB_URL || '';
             if (hubUrl) {
-              const { autoBuyer } = require('./src/atp');
               autoBuyer.start({
                 dailyCap: Number(process.env.ATP_AUTOBUY_DAILY_CAP_CREDITS) || undefined,
                 perOrderCap: Number(process.env.ATP_AUTOBUY_PER_ORDER_CAP_CREDITS) || undefined,
               });
+              if (consent.source === 'default') {
+                // First-run on a non-TTY (daemon, hook, CI) where the prompt
+                // could not fire AND no env override + no ack file. autoBuyer
+                // is starting with the default-on policy — surface a single
+                // WARN per process so users see what is happening and how to
+                // opt out, instead of discovering it via a credit balance dip.
+                let safeHubUrl;
+                try { safeHubUrl = new URL(hubUrl).origin; }
+                catch { safeHubUrl = '(configured)'; }
+                console.warn('[ATP-AutoBuyer] ATP auto-spend is ON (default for new installs).');
+                console.warn('               Hub: ' + safeHubUrl + '  Caps: ' +
+                  (process.env.ATP_AUTOBUY_DAILY_CAP_CREDITS || '50') + ' credits/day, ' +
+                  (process.env.ATP_AUTOBUY_PER_ORDER_CAP_CREDITS || '10') + '/order' +
+                  ' (cold-start half-cap for the first 5 min).');
+                console.warn('               To opt out: evolver atp disable  (or EVOLVER_ATP_AUTOBUY=off)');
+              }
             } else {
               console.warn('[ATP-AutoBuyer] autobuy enabled but no hub URL configured, skipping.');
             }
@@ -1815,7 +1831,7 @@ async function main() {
       process.exit(1);
     }
 
-  } else if (command === 'buy' || command === 'orders' || command === 'verify') {
+  } else if (command === 'buy' || command === 'orders' || command === 'verify' || command === 'atp') {
     try {
       const atpCli = require('./src/atp/cli');
       const subArgs = args.slice(1); // drop the command token (e.g. "buy") itself
@@ -1827,9 +1843,12 @@ async function main() {
       } else if (command === 'orders') {
         parsed = atpCli.parseOrdersArgs(subArgs);
         runner = atpCli.runOrders;
-      } else {
+      } else if (command === 'verify') {
         parsed = atpCli.parseVerifyArgs(subArgs);
         runner = atpCli.runVerify;
+      } else {
+        parsed = atpCli.parseAtpArgs(subArgs);
+        runner = atpCli.runAtp;
       }
       if (!parsed.ok) {
         console.error('[ATP] ' + parsed.error);
@@ -1844,7 +1863,7 @@ async function main() {
     }
 
   } else {
-    console.log(`Usage: node index.js [run|/evolve|solidify|review|distill|fetch|sync|asset-log|webui|setup-hooks|buy|orders|verify|atp-complete] [--loop]
+    console.log(`Usage: node index.js [run|/evolve|solidify|review|distill|fetch|sync|asset-log|webui|setup-hooks|buy|orders|verify|atp|atp-complete] [--loop]
   - fetch flags:
     - --skill=<id> | -s <id>   (skill ID to download)
     - --out=<dir>              (output directory, default: ./skills/<skill_id>)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evomap/evolver",
-  "version": "1.87.1",
+  "version": "1.87.3",
   "description": "A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.",
   "main": "index.js",
   "bin": {

package/scripts/build_binaries.js

@@ -192,7 +192,14 @@ step('Stage 1 — bun bundle (resolve require tree to one file)');
 ensureDir(STAGE_DIR);
 const BUNDLED_JS = path.join(STAGE_DIR, 'bundled.js');
 
-run('bun', ['build', ENTRY, '--target=node', `--outfile=${BUNDLED_JS}`]);
+// `--external '@napi-rs/keyring'`: keyring is an optional dep loaded via
+// dynamic require() in workspace-id; bun otherwise tries to bundle the
+// platform-specific `.node` file as a second output asset, which makes
+// `bun build … --outfile=…` fail with "cannot write multiple output files
+// without an output directory". Treating it as external preserves the
+// existing optional-fallback behaviour (require throws → FS path used) in
+// the standalone binaries.
+run('bun', ['build', ENTRY, '--target=node', `--outfile=${BUNDLED_JS}`, '--external', '@napi-rs/keyring']);
 
 const bundleSize = OPTS.dryRun ? 0 : fs.statSync(BUNDLED_JS).size;
 console.log(`  bundled.js: ${(bundleSize / 1024 / 1024).toFixed(2)} MB`);
@@ -266,13 +273,30 @@ if (!OPTS.skipObfuscate) {
       const obfSecs = ((Date.now() - t0) / 1000).toFixed(1);
 
       const check = spawnSync('node', ['--check', OBF_JS], { encoding: 'utf8' });
-      if (check.status === 0) {
-        console.log(`  obfuscation: ${obfSecs}s, output ${(obfSize / 1024 / 1024).toFixed(2)} MB (attempt ${attempt}/${MAX_OBF_ATTEMPTS}, seed=0x${usedSeed.toString(16)})`);
-        succeeded = true;
-        break;
+      if (check.status !== 0) {
+        lastValidationErr = (check.stderr || check.stdout || '').split('\n').slice(0, 3).join(' | ');
+        console.warn(`  attempt ${attempt}/${MAX_OBF_ATTEMPTS}: obfuscator output failed node --check (${lastValidationErr.slice(0, 200)}); retrying with perturbed seed...`);
+        continue;
       }
-      lastValidationErr = (check.stderr || check.stdout || '').split('\n').slice(0, 3).join(' | ');
-      console.warn(`  attempt ${attempt}/${MAX_OBF_ATTEMPTS}: obfuscator output failed node --check (${lastValidationErr.slice(0, 200)}); retrying with perturbed seed...`);
+      // Second gate: bun's compile-time parser is stricter than node's.
+      // 1.87.x (post `@napi-rs/keyring` dep) revealed that ~5% of obfuscator
+      // outputs that pass `node --check` still trip bun with errors like
+      // `Expected "in" but found ","`. Probe with a cheap bundle-only call
+      // (no --compile, native target) to fail fast and feed back into the
+      // seed-perturbation loop instead of dying in stage 3.
+      const bunProbe = spawnSync('bun', [
+        'build', OBF_JS,
+        '--target=bun',
+        `--outfile=${path.join(STAGE_DIR, 'bundled.obf.bunprobe.js')}`,
+      ], { encoding: 'utf8' });
+      if (bunProbe.status !== 0) {
+        lastValidationErr = (bunProbe.stderr || bunProbe.stdout || '').split('\n').slice(0, 3).join(' | ');
+        console.warn(`  attempt ${attempt}/${MAX_OBF_ATTEMPTS}: obfuscator output rejected by bun parser (${lastValidationErr.slice(0, 200)}); retrying with perturbed seed...`);
+        continue;
+      }
+      console.log(`  obfuscation: ${obfSecs}s, output ${(obfSize / 1024 / 1024).toFixed(2)} MB (attempt ${attempt}/${MAX_OBF_ATTEMPTS}, seed=0x${usedSeed.toString(16)})`);
+      succeeded = true;
+      break;
     }
     if (!succeeded) {
       console.error(`  ERROR: javascript-obfuscator produced syntactically invalid output in ${MAX_OBF_ATTEMPTS} attempts.`);

package/src/atp/atpExecute.js

@@ -27,6 +27,7 @@ const https = require('https');
 const crypto = require('crypto');
 
 const { computeAssetId } = require('../gep/contentHash');
+const { enforceHubScheme, strictHttpsAgent } = require('../gep/hubFetch');
 const {
   getNodeId,
   getHubUrl,
@@ -114,6 +115,19 @@ function _publishUrl() {
 
 function _postJson(urlStr, body, timeoutMs) {
   return new Promise(function (resolve) {
+    // Same TLS posture as hubFetch: refuse plain http:// unless
+    // EVOMAP_HUB_ALLOW_INSECURE=1. Before this guard the function
+    // silently fell back to `lib = http` for any non-https URL, so an
+    // operator override `A2A_HUB_URL=http://...` would send /a2a/publish
+    // and /a2a/task/complete in cleartext while hubFetch-routed calls
+    // (e.g. /a2a/verify-solidify) refused the same URL — inconsistent
+    // TLS enforcement across modules.
+    try {
+      enforceHubScheme(urlStr);
+    } catch (e) {
+      resolve({ ok: false, error: 'tls_refused: ' + (e && e.message) });
+      return;
+    }
     let parsed;
     try {
       parsed = new URL(urlStr);
@@ -128,15 +142,28 @@ function _postJson(urlStr, body, timeoutMs) {
       { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) },
       buildHubHeaders() || {},
     );
+    // Pin TLS cert verification for https calls so a globally-disabled
+    // NODE_TLS_REJECT_UNAUTHORIZED=0 cannot weaken the Hub channel
+    // (Cursor Security Reviewer #160 Medium). hubFetch enforces the
+    // same via its undici dispatcher; this is the Node-native-https
+    // equivalent.
+    //
+    // Skipped under EVOMAP_HUB_ALLOW_INSECURE=1 so local-dev / self-
+    // signed mock hubs that legitimately rely on
+    // NODE_TLS_REJECT_UNAUTHORIZED=0 still work.
+    const requestOpts = {
+      hostname: parsed.hostname,
+      port: parsed.port || (isHttps ? 443 : 80),
+      path: parsed.pathname + (parsed.search || ''),
+      method: 'POST',
+      headers: headers,
+      timeout: timeoutMs || PUBLISH_TIMEOUT_MS,
+    };
+    if (isHttps && process.env.EVOMAP_HUB_ALLOW_INSECURE !== '1') {
+      requestOpts.agent = strictHttpsAgent;
+    }
     const req = lib.request(
-      {
-        hostname: parsed.hostname,
-        port: parsed.port || (isHttps ? 443 : 80),
-        path: parsed.pathname + (parsed.search || ''),
-        method: 'POST',
-        headers: headers,
-        timeout: timeoutMs || PUBLISH_TIMEOUT_MS,
-      },
+      requestOpts,
       function (res) {
         const chunks = [];
         res.on('data', function (c) { chunks.push(c); });

package/src/atp/autoBuyer.js

@@ -1,12 +1,19 @@
-// ATP Auto-Buyer (opt-out, default ON as of ATP liquidity unlock)
+// ATP Auto-Buyer (opt-in: requires explicit consent before auto-spending)
 // Converts capability gaps into ATP orders with strict budget caps and
-// 24h question-level deduplication. Disable by setting
-// EVOLVER_ATP_AUTOBUY=off. Budget caps:
+// 24h question-level deduplication. Budget caps:
 //   ATP_AUTOBUY_DAILY_CAP_CREDITS     (default 50)
 //   ATP_AUTOBUY_PER_ORDER_CAP_CREDITS (default 10)
 // Cold-start safety: the first 5 minutes after process start use a half-cap
 // to protect against misconfiguration loops on restart storms.
 //
+// Consent resolution (in order):
+//   1. EVOLVER_ATP_AUTOBUY=on|off env — explicit operator override wins.
+//   2. ack file at <memory>/atp-autobuy-ack.json with `{enabled: bool}` —
+//      written by first-run prompt (cliAutobuyPrompt) or `evolver atp
+//      enable|disable`.
+//   3. No signal → OFF. New installs never auto-spend before the user has
+//      explicitly opted in (consumer protection: ATP spends real credits).
+//
 // Integration contract:
 //   1) Call start({ dailyCap, perOrderCap }) once at Evolver boot. The
 //      evolve loop does this at the top of every cycle; start() is
@@ -29,8 +36,15 @@ const DEFAULT_DAILY_CAP = 50;
 const DEFAULT_PER_ORDER_CAP = 10;
 const DEFAULT_ORDER_TIMEOUT_MS = 3000;
 const COLD_START_WINDOW_MS = 5 * 60 * 1000;
+// Successful orders dedup for 24h so the same capability gap is only paid for
+// once per day. Failed orders dedup for 5 minutes only — long enough to
+// absorb tight retry loops (the original goal of "don't hammer the hub")
+// without making the user wait 24h to retry a question after a transient
+// 503/network blip.
 const DEDUP_TTL_MS = 24 * 60 * 60 * 1000;
+const DEDUP_FAILURE_TTL_MS = 5 * 60 * 1000;
 const LEDGER_FILENAME = 'atp-autobuyer-ledger.json';
+const ACK_FILENAME = 'atp-autobuy-ack.json';
 
 let _started = false;
 let _startedAt = 0;
@@ -44,18 +58,57 @@ function _ledgerPath() {
   return path.join(getMemoryDir(), LEDGER_FILENAME);
 }
 
+function _ackPath() {
+  return path.join(getMemoryDir(), ACK_FILENAME);
+}
+
 function _todayKey(now) {
   const d = new Date(typeof now === 'number' ? now : Date.now());
   return d.toISOString().slice(0, 10); // UTC YYYY-MM-DD
 }
 
-function _isEnabled() {
-  // Default ON: the evolve loop starts autoBuyer at the top of every cycle
-  // so new users get ATP buyer routing out of the box. Disable by setting
-  // EVOLVER_ATP_AUTOBUY=off. Budget caps (DAILY_CAP + PER_ORDER_CAP) keep
-  // the downside bounded even when this is on.
-  const raw = (process.env.EVOLVER_ATP_AUTOBUY || 'on').toLowerCase().trim();
-  return raw !== 'off' && raw !== '0' && raw !== 'false';
+function _readAck() {
+  try {
+    const p = _ackPath();
+    if (!fs.existsSync(p)) return null;
+    const parsed = JSON.parse(fs.readFileSync(p, 'utf8'));
+    if (!parsed || typeof parsed !== 'object') return null;
+    if (typeof parsed.enabled !== 'boolean') return null;
+    return parsed;
+  } catch (_) {
+    return null;
+  }
+}
+
+// Resolve consent. Returns:
+//   { enabled: true,  source: 'env'|'ack'|'default' }
+//   { enabled: false, source: 'env'|'ack' }
+// The `default` case is the new-install path (no env override, no ack file):
+// auto-spend defaults ON, gated by the daily/per-order caps and the cold-start
+// half-cap window. The first-run prompt and `evolver atp disable` remain the
+// opt-out paths for users who do not want auto-spend; once an explicit ack is
+// recorded the source flips to 'ack' and the user's choice (either way) wins
+// over this default.
+function getConsent() {
+  const envRaw = process.env.EVOLVER_ATP_AUTOBUY;
+  if (typeof envRaw === 'string') {
+    // Trim BEFORE the length check so whitespace-only values
+    // (e.g. EVOLVER_ATP_AUTOBUY=" ") count as unset, matching the
+    // classify() helper in cliAutobuyPrompt.js. Without this alignment a
+    // whitespace value would skip the prompt in classify (treats as unset
+    // → 'eligible') but still enter this env branch, trim to "", fail to
+    // match 'off'/'0'/'false', and silently return enabled=true.
+    const s = envRaw.trim().toLowerCase();
+    if (s.length > 0) {
+      const enabled = s !== 'off' && s !== '0' && s !== 'false';
+      return { enabled, source: 'env' };
+    }
+  }
+  const ack = _readAck();
+  if (ack) {
+    return { enabled: ack.enabled === true, source: 'ack' };
+  }
+  return { enabled: true, source: 'default' };
 }
 
 function _emptyLedger() {
@@ -98,13 +151,22 @@ function _rotateIfNewDay(ledger, now) {
 }
 
 function _pruneDedup(ledger, now) {
-  const cutoff = (typeof now === 'number' ? now : Date.now()) - DEDUP_TTL_MS;
+  const nowMs = typeof now === 'number' ? now : Date.now();
   const out = {};
   const src = ledger.dedup || {};
   const keys = Object.keys(src);
   for (let i = 0; i < keys.length; i++) {
     const k = keys[i];
-    if (typeof src[k] === 'number' && src[k] >= cutoff) out[k] = src[k];
+    const entry = src[k];
+    // Legacy ledgers written by older versions stored plain timestamps; treat
+    // them as successful orders (the original behaviour) so an upgrade does
+    // not suddenly forget recent dedups.
+    if (typeof entry === 'number') {
+      if (entry >= nowMs - DEDUP_TTL_MS) out[k] = entry;
+    } else if (entry && typeof entry.ts === 'number') {
+      const ttl = entry.failed ? DEDUP_FAILURE_TTL_MS : DEDUP_TTL_MS;
+      if (entry.ts >= nowMs - ttl) out[k] = entry;
+    }
   }
   ledger.dedup = out;
   return ledger;
@@ -125,7 +187,8 @@ function _effectiveCap(value, now) {
 
 function start(opts) {
   if (_started) return;
-  if (!_isEnabled()) return;
+  const consent = getConsent();
+  if (!consent.enabled) return;
   _started = true;
   _startedAt = Date.now();
   const dailyCap = Math.max(0, Math.floor(Number((opts && opts.dailyCap) || process.env.ATP_AUTOBUY_DAILY_CAP_CREDITS) || DEFAULT_DAILY_CAP));
@@ -157,11 +220,36 @@ function _withTimeout(promise, timeoutMs) {
   ]);
 }
 
-async function considerOrder(opts) {
-  if (!_started) return { ok: false, skipped: true, reason: 'not_started' };
+// Single-flight queue: serialize the read → cap-check → placeOrder → write
+// pipeline so two concurrent considerOrder() calls cannot both pass the cap
+// check on the same ledger snapshot and silently double-spend.
+//
+// Without this, two parallel calls (e.g. user runs Claude Code in two tabs
+// through the same proxy, or two capability gaps fire in the same tick) both
+// read spent=40, both compute remaining=10, both await placeOrder, both
+// increment to spent=50, and write — silently exceeding the daily cap by one
+// full order each. autoBuyer is single-process so an in-memory queue is
+// sufficient; a file lock would only be needed if multiple OS processes
+// shared the same ledger file (not the current deployment model).
+let _orderQueue = Promise.resolve();
+
+function considerOrder(opts) {
+  if (!_started) return Promise.resolve({ ok: false, skipped: true, reason: 'not_started' });
   if (!opts || !Array.isArray(opts.capabilities) || opts.capabilities.length === 0) {
-    return { ok: false, skipped: true, reason: 'no_capabilities' };
+    return Promise.resolve({ ok: false, skipped: true, reason: 'no_capabilities' });
   }
+  const next = _orderQueue.then(
+    () => _considerOrderSerialized(opts),
+    () => _considerOrderSerialized(opts), // never let a prior rejection break the chain
+  );
+  // Swallow rejection on the queue tail so a single thrown error here does
+  // not poison every subsequent call; the original `next` promise still
+  // surfaces the error to the caller.
+  _orderQueue = next.then(() => {}, () => {});
+  return next;
+}
+
+async function _considerOrderSerialized(opts) {
   const now = Date.now();
   let ledger = _readLedger();
   ledger = _rotateIfNewDay(ledger, now);
@@ -200,19 +288,49 @@ async function considerOrder(opts) {
 
   if (result && result.ok) {
     ledger.spent = (ledger.spent || 0) + budget;
-    ledger.dedup[hash] = now;
+    ledger.dedup[hash] = { ts: now, failed: false };
     _writeLedger(ledger);
     console.log('[ATP-AutoBuyer] Order placed: ' + (result.data && result.data.order_id) + ' budget=' + budget + ' remaining_today=' + Math.max(0, dailyCap - ledger.spent));
     return { ok: true, data: result.data, spent: budget };
   }
 
-  // On failure still record dedup so we don't hammer the hub for the same
-  // capability gap within the TTL window (but do NOT charge the spend).
-  ledger.dedup[hash] = now;
+  // On failure record a SHORT-TTL dedup entry (5 min) so we don't hammer the
+  // hub for the same capability gap inside a tight retry loop, but the user
+  // can retry the same question once the transient error clears — far better
+  // than the previous 24h block for a single 503.
+  ledger.dedup[hash] = { ts: now, failed: true };
   _writeLedger(ledger);
   return { ok: false, error: (result && result.error) || 'unknown_error' };
 }
 
+// Write the consent ack file. Used by `evolver atp enable|disable` and the
+// first-run prompt. `enabled=true` persists opt-in; `enabled=false` persists
+// explicit opt-out so the prompt does not re-ask next session. Atomic write
+// via .tmp + rename so a crash mid-write never produces a corrupt ack file.
+function setConsent(enabled) {
+  const dir = getMemoryDir();
+  const body = {
+    enabled: !!enabled,
+    acknowledged_at: new Date().toISOString(),
+    version: 1,
+  };
+  const tmp = _ackPath() + '.tmp';
+  // Single try/catch over the whole pipeline. Previously the mkdirSync was
+  // wrapped in its own swallowing try/catch, so an EACCES on the parent dir
+  // would surface to the caller as a confusing ENOENT from writeFileSync.
+  // Surface the original error verbatim and best-effort clean up any
+  // partial .tmp file so a retry from a TTY prompt sees a clean slate.
+  try {
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(tmp, JSON.stringify(body, null, 2) + '\n', 'utf8');
+    fs.renameSync(tmp, _ackPath());
+  } catch (err) {
+    try { fs.unlinkSync(tmp); } catch (_) {}
+    throw err;
+  }
+  return body;
+}
+
 // Test-only reset, not exported by default.
 function _resetForTests() {
   _started = false;
@@ -222,15 +340,30 @@ function _resetForTests() {
     perOrderCap: DEFAULT_PER_ORDER_CAP,
     timeoutMs: DEFAULT_ORDER_TIMEOUT_MS,
   };
+  _orderQueue = Promise.resolve();
 }
 
 module.exports = {
+  // Lifecycle.
   start,
   stop,
   isStarted,
   considerOrder,
+  // Consent surface — public API. Production callers (CLI runAtp,
+  // cliAutobuyPrompt, the daemon run loop) MUST use these, not the
+  // __internals duplicates below, so the "test-only" contract on
+  // __internals stays honest (Bugbot PR #141 R6).
+  getConsent,
+  setConsent,
+  getAckPath: _ackPath,
+  readAck: _readAck,
+  ACK_FILENAME,
   // Exposed for tests and diagnostics only; callers should not depend on
-  // these internals in production code paths.
+  // these internals in production code paths. Ack-file helpers
+  // (getAckPath / readAck / ACK_FILENAME) are intentionally NOT mirrored
+  // here — production and tests both go through the public surface above,
+  // so a single source of truth survives schema changes (Bugbot PR #141 R6
+  // follow-up: keep "test-only" honest, no production caller may reach in).
   __internals: {
     readLedger: _readLedger,
     writeLedger: _writeLedger,
@@ -242,6 +375,7 @@ module.exports = {
       DEFAULT_PER_ORDER_CAP,
       COLD_START_WINDOW_MS,
       DEDUP_TTL_MS,
+      DEDUP_FAILURE_TTL_MS,
       LEDGER_FILENAME,
     },
   },

package/src/atp/autoDeliver.js

@@ -155,6 +155,18 @@ function start(opts) {
   _pollInterval = setInterval(function () {
     _tick().catch(function () { /* swallowed in _tick */ });
   }, _pollMs);
+  // .unref() so this background poller does NOT keep the Node event
+  // loop alive on its own. `evolver run` (single-shot) writes its
+  // artifacts and expects to exit — without unref, the setInterval
+  // handle pins the process and the run sits as a residual `node`
+  // process until manually killed (public issue #553). `evolver --loop`
+  // (daemon) keeps the foreground evolve loop alive on its own
+  // schedule, so an unref'd poller still polls — unref only changes
+  // whether THIS handle alone keeps the loop alive, not whether the
+  // handle fires.
+  if (_pollInterval && typeof _pollInterval.unref === 'function') {
+    _pollInterval.unref();
+  }
   // Do not await -- fire the first tick asynchronously so start() returns
   // immediately. This matches the autoBuyer start() semantics.
   _tick().catch(function () { /* swallowed in _tick */ });
@@ -189,6 +201,10 @@ module.exports = {
     writeLedger: _writeLedger,
     buildProofPayload: _buildProofPayload,
     resetForTests: _resetForTests,
+    // Test-only accessor for the active poll Timeout. Used to assert
+    // the timer was `.unref()`ed so it does not pin the Node event
+    // loop (regression guard for public issue #553).
+    getPollIntervalForTest: () => _pollInterval,
     constants: {
       DEFAULT_POLL_MS,
       MIN_POLL_MS,