@seasonkoh/webaz 0.1.16 → 0.1.18

package/dist/pwa/server.js

@@ -1,7 +1,19 @@
 /**
- * PWA HTTP Server
- * 把 WebAZ暴露给手机浏览器
- * 端口：3000
+ * PWA HTTP Server — WebAZ 的人类入口 + 生产 HTTP API（端口 3000）
+ *
+ * 作用 / What:
+ *   - 服务 PWA 静态前端(src/pwa/public/*)给手机/桌面浏览器(人类)
+ *   - 暴露 /api/* HTTP API —— **人 + agent 共用的生产端点**(MCP NETWORK 模式也打这里,见 RFC-003)
+ *
+ * 本文件做什么 / Structure(这是最大的文件,改动前先定位区块):
+ *   - 启动:initDatabase() + 各 initXxxSchema(db) + 内联 CREATE TABLE(部分表直接建在这里)
+ *   - 鉴权:auth()/getUser()(统一 `Authorization: Bearer <api_key>`)、requireAdmin/requireAdminPermission
+ *   - 中间件:api_key 速率/封禁 + agent 声明 scope 门(getDeclaredActions/getAgentRiskInfo)
+ *   - 路由:大部分按主题拆到 src/pwa/routes/*,在文件下半部 registerXxxRoutes(app, deps) 接线;
+ *           少数端点仍内联在本文件
+ *
+ * 关联 / Related: AGENTS.md(项目地图) · 元规则 #2 代码即规则 / #3 不偷数据 / #6 不滥用 ·
+ *   RFC-003(MCP NETWORK 共用这些端点) · CHARTER §3.2(改动审批分档)
  */
 import express from 'express';
 import path from 'path';
@@ -126,6 +138,12 @@ import { registerExternalAnchorsRoutes } from './routes/external-anchors.js';
 import { registerAnchorsRoutes } from './routes/anchors.js';
 // 仲裁员申请 (#1013 Phase 44) — 4 user + 3 admin endpoints
 import { registerArbitratorRoutes } from './routes/arbitrator.js';
+// Governance onboarding (W3.5-B 实施 #1093 阶段 1) — 2 user endpoints
+import { registerGovernanceOnboardingRoutes } from './routes/governance-onboarding.js';
+import { startAutoDeactivateCron, runAutoDeactivateSweep } from './routes/governance-auto-deactivate.js';
+import { startEscrowExpireCron } from './routes/rewards-escrow-expire.js';
+import { startAutoDowngradeCron } from './routes/rewards-auto-downgrade.js';
+import { registerRewardsApplyRoutes } from './routes/rewards-apply.js';
 // 卖家配额 + 数据中心 (#1013 Phase 45) — 4 user + 3 admin
 import { registerSellerQuotaRoutes } from './routes/seller-quota.js';
 // 验证员用户侧 (#1013 Phase 46) — 5 endpoints
@@ -276,6 +294,12 @@ import { registerAuthReadRoutes } from './routes/auth-read.js';
 import { registerAuthLoginRoutes } from './routes/auth-login.js';
 // Auth register (#1013 Phase 118) — 1 endpoint
 import { registerAuthRegisterRoutes } from './routes/auth-register.js';
+import { registerBuildFeedbackRoutes } from './routes/build-feedback.js';
+import { initBuildFeedbackSchema } from '../layer2-business/L2-8-feedback/build-feedback-engine.js';
+import { registerBuildTasksRoutes } from './routes/build-tasks.js';
+import { initBuildTasksSchema } from '../layer2-business/L2-9-contribution/build-tasks-engine.js';
+import { registerBuildReputationRoutes } from './routes/build-reputation.js';
+import { initBuildReputationSchema } from '../layer2-business/L2-9-contribution/build-reputation-engine.js';
 const anthropic = new Anthropic({ apiKey: process.env.ANTHROPIC_API_KEY });
 // ─── 链上地址派生 ──────────────────────────────────────────────
 const MASTER_SEED = process.env.WALLET_MASTER_SEED ?? 'webaz-dev-seed-changeme';
@@ -327,6 +351,9 @@ initSkillSchema(db);
 initSkillMarketSchema(db);
 initReputationSchema(db);
 initOrderChainSchema(db);
+initBuildFeedbackSchema(db); // RFC-004 build_feedback
+initBuildTasksSchema(db); // RFC-006 build_tasks(协调层)
+initBuildReputationSchema(db); // RFC-006 build_reputation(独立池 + 贡献者看板)
 initSnfSchema(db);
 initExternalAnchorSchema(db);
 // 启动时检查月衰减（last_decay_at ≥25 天才触发，重启幂等）
@@ -609,9 +636,10 @@ function getProductShareChain(productId, buyerId, depth = 3) {
 db.exec(`
   CREATE TABLE IF NOT EXISTS region_config (
     region          TEXT PRIMARY KEY,
-    max_levels      INTEGER NOT NULL,   -- 0=完全禁 MLM / 1=仅 L1 / 2=L1+L2 / 3=全三级
+    max_levels      INTEGER NOT NULL,   -- 0=完全禁 MLM / 1=仅 L1 / 2=L1+L2 / 3=全三级（仅控佣金层级）
     active          INTEGER DEFAULT 1,
-    mlm_ui_visible  INTEGER DEFAULT 1   -- 0=UI 全面隐藏推土机/分润链/佣金展示
+    mlm_ui_visible  INTEGER DEFAULT 1,  -- 0=UI 全面隐藏推土机/分润链/佣金展示
+    pv_enabled      INTEGER DEFAULT 0   -- 2026-06-04 解耦：PV 双轨/对碰系统是否开启（独立于 max_levels）。默认 0=全关
   )
 `);
 // Phase B 迁移：加 mlm_ui_visible 列
@@ -619,6 +647,11 @@ try {
     db.exec('ALTER TABLE region_config ADD COLUMN mlm_ui_visible INTEGER DEFAULT 1');
 }
 catch { /* 已存在 */ }
+// 2026-06-04 解耦迁移：加 pv_enabled 列（PV 双轨独立开关，与佣金层级 max_levels 分离）
+try {
+    db.exec('ALTER TABLE region_config ADD COLUMN pv_enabled INTEGER DEFAULT 0');
+}
+catch { /* 已存在 */ }
 // Phase B 初始值：max_levels=0 或 =1 的地区同时隐藏 MLM UI
 // 目前所有已配置地区 ≥2，不自动降为 0（由 admin 手动配置真正禁 MLM 的地区）
 // mlm_ui_visible=1 保持默认，只有 max_levels=0 时前端才完全隐藏
@@ -724,7 +757,7 @@ db.exec(`
     old_value   TEXT,
     new_value   TEXT,
     changed_by  TEXT,
-    action      TEXT,                  -- 'update' | 'reset'
+    action      TEXT,                  -- 'update' | 'reset' | 'constitutional_reject_patch' | 'constitutional_reject_reset'
     created_at  TEXT DEFAULT (datetime('now'))
   )
 `);
@@ -766,6 +799,21 @@ const DEFAULT_PARAMS = [
     { key: 'require_human_presence_for_arbitrate', value: '1', type: 'number', description: 'Arbitrator 仲裁需 WebAuthn 一次性 token（1=强制 / 0=不强制）— spec §4 铁律', category: 'security', min: 0, max: 1 },
     { key: 'require_human_presence_for_agent_revoke', value: '1', type: 'number', description: '用户撤销 agent 需 WebAuthn 一次性 token — spec §4 铁律', category: 'security', min: 0, max: 1 },
     { key: 'require_human_presence_for_delete_passkey', value: '1', type: 'number', description: '删除 Passkey 自身需 WebAuthn 一次性 token — 防失窃 Passkey 不需 Passkey 就可删它,堵死自我无效化漏洞', category: 'security', min: 0, max: 1 },
+    { key: 'require_human_presence_for_governance_apply', value: '1', type: 'number', description: '治理岗位申请(apply)需 WebAuthn 一次性 token — spec §3.1 Iron-Rule 反诱导 + 真人门', category: 'security', min: 0, max: 1 },
+    { key: 'require_human_presence_for_governance_activate', value: '1', type: 'number', description: 'maintainer 激活治理岗位(activate)需 WebAuthn 一次性 token — spec §4.4 Iron-Rule 真人签发', category: 'security', min: 0, max: 1 },
+    { key: 'require_human_presence_for_governance_resign', value: '1', type: 'number', description: '主动卸任治理岗位(resign)需 WebAuthn 一次性 token — spec §6.1 二次验证', category: 'security', min: 0, max: 1 },
+    { key: 'require_human_presence_for_governance_appeal_resolve', value: '1', type: 'number', description: 'maintainer 裁决申诉(resolve appeal)需 WebAuthn 一次性 token — spec §7.2 Iron-Rule', category: 'security', min: 0, max: 1 },
+    { key: 'require_human_presence_for_withdraw', value: '1', type: 'number', description: '提现(资金转出)需 WebAuthn 一次性 token — 资金转出=真人在场铁律,email-OTP 在 agent 威胁模型下不足(agent 可读收件箱);#1115 全额对齐', category: 'security', min: 0, max: 1 },
+    { key: 'governance_resign_cooldown_days', value: '30', type: 'number', description: '主动卸任后冷却期(天)— 防止 farming 切换洗票 / 误操作反复', category: 'governance', min: 7, max: 365 },
+    { key: 'governance_appeal_window_days', value: '14', type: 'number', description: '收到 auto_deactivate 通知后申诉窗口(天)— spec §7.2', category: 'governance', min: 7, max: 90 },
+    { key: 'governance_appeal_min_reason_chars', value: '100', type: 'number', description: '申诉理由最少字符数(防空 appeal)', category: 'governance', min: 30, max: 2000 },
+    // 2026-06-02 task #1093 阶段 5:auto-deactivate cron(per playbook §6.2 anchor=confirmed_wrong,not outlier)
+    { key: 'governance_auto_deactivate_threshold_count', value: '5', type: 'number', description: '被复核确认判错累计次数阈值(触发 auto_deactivate)— playbook §6.2', category: 'governance', min: 1, max: 100 },
+    { key: 'governance_auto_deactivate_threshold_pct', value: '0.3', type: 'number', description: '被确认判错比例阈值(0.3 = 30% 案件被推翻)— playbook §6.2', category: 'governance', min: 0.05, max: 1.0 },
+    { key: 'governance_auto_deactivate_min_sample', value: '10', type: 'number', description: '最小样本数(tasks_done ≥ N 才参与判定)— 防小样本误杀', category: 'governance', min: 3, max: 1000 },
+    { key: 'governance_auto_deactivate_cron_hours', value: '24', type: 'number', description: 'auto-deactivate cron 扫描间隔(小时)', category: 'governance', min: 1, max: 168 },
+    // 2026-06-02 task #1093 stage 6:arbitrator pause/resume auto-judge clock(playbook §2.1)
+    { key: 'arbitration_max_pause_hours', value: '168', type: 'number', description: 'arbitrator 暂停自动判定时钟的最大窗口(小时)— playbook §2.1 防无限拖延', category: 'governance', min: 24, max: 720 },
     // 2026-05-23 Agent 治理 — Trust 阶梯 rate limit（per minute）
     // 默认值偏宽松（人类正常浏览也走 /api/*）；DAO 治理可逐档收紧
     { key: 'agent_rate_new_per_min', value: '120', type: 'number', description: 'new 级 agent 速率：每分钟最多调用次数', category: 'limit', min: 10, max: 1000 },
@@ -776,6 +824,24 @@ const DEFAULT_PARAMS = [
     // cell_precision_deg: 经纬度截断精度（0.1° ≈ 11km × 11km；0.05° ≈ 5.5km；0.5° ≈ 55km）
     { key: 'nearby_cell_precision_deg', value: '0.1', type: 'number', description: '雷达扫描 cell 精度（度）— 越小越精细但匹配人数变少。0.1=11km / 0.05=5.5km / 0.5=55km', category: 'privacy', min: 0.05, max: 1.0 },
     { key: 'nearby_k_anonymity', value: '3', type: 'number', description: '雷达扫描 k-匿名阈值（≥ N 人才显示聚合数据）', category: 'privacy', min: 3, max: 50 },
+    // 2026-06-02 W3.5-B:治理岗位上岗参数（docs/GOVERNANCE-ONBOARDING.md §2 + §6）
+    { key: 'governance_onboarding.min_registration_days', value: '30', type: 'number', description: '申请治理岗位前最少注册天数', category: 'governance', min: 0, max: 365 },
+    { key: 'governance_onboarding.min_completed_orders', value: '5', type: 'number', description: '申请前最少完成订单数', category: 'governance', min: 0, max: 100 },
+    { key: 'governance_onboarding.arbitrator_min_reputation', value: '95', type: 'number', description: '申请 arbitrator 最低 reputation', category: 'governance', min: 0, max: 100 },
+    { key: 'governance_onboarding.verifier_min_reputation', value: '90', type: 'number', description: '申请 verifier 最低 reputation', category: 'governance', min: 0, max: 100 },
+    { key: 'governance_onboarding.role_switch_cooldown_days', value: '30', type: 'number', description: '卸任后再申请同角色冷却天数', category: 'governance', min: 0, max: 365 },
+    { key: 'governance_onboarding.consent_delay_seconds', value: '8', type: 'number', description: '同意勾选反诱导延迟秒数（借鉴 RFC-002 §3.3）', category: 'governance', min: 0, max: 60 },
+    { key: 'governance_onboarding.quiz_pass_score', value: '80', type: 'number', description: 'onboarding 题目合格分数线（百分制）', category: 'governance', min: 50, max: 100 },
+    // 2026-06-02 #1094 audit: arbitration.outlier_threshold_count/pct DELETED — playbook §6.2 明确
+    // "outlier 标记仅作信号,无触发,无 protocol_params"。两个 key 直接违反 spec(stage 5 阶段已用
+    // governance_auto_deactivate_* 取代,锚 confirmed_wrong 而非 outlier)。完整 audit 见
+    // docs/PROTOCOL-PARAMS-AUDIT.md。
+    { key: 'arbitration.escalation_amount_threshold', value: '1000', type: 'number', description: '触发多 arbitrator 联审的 dispute_amount 阈值（WAZ）— phase B 实施,phase A 装饰', category: 'governance', min: 100, max: 100000 },
+    // 2026-06-03 task #1095:CHARTER §4 I-4 宪法级修改保护(去人格化)
+    // category='constitutional' 的 param 触发 only-increase 锁(防"先松保护再改一切")
+    // 假设:这两个 param 都满足"increase = more protection"语义(见 admin-protocol-params.ts 头部注释)
+    { key: 'constitutional_supermajority_ratio', value: '0.667', type: 'number', description: 'CHARTER §4 I-4:宪法级修改超级多数比例(phase A: user solo 1-of-1;phase B+: maintainer 多签 ratio)— only-increase 防绕过', category: 'constitutional', min: 0.5, max: 1.0 },
+    { key: 'constitutional_notice_days', value: '60', type: 'number', description: 'CHARTER §4 I-4:宪法级修改 RFC 公示期(天)— only-increase 防绕过', category: 'constitutional', min: 30, max: 365 },
 ];
 for (const p of DEFAULT_PARAMS) {
     try {
@@ -790,6 +856,27 @@ for (const p of DEFAULT_PARAMS) {
     }
     catch { }
 }
+// 2026-06-02 #1094 audit:清除 spec violation 的遗留 keys(stage 5 用 governance_auto_deactivate_* 取代)
+// playbook §6.2:"outlier 标记仅作信号,无触发,无 protocol_params"
+try {
+    db.prepare(`DELETE FROM protocol_params WHERE key IN ('arbitration.outlier_threshold_count', 'arbitration.outlier_threshold_pct')`).run();
+}
+catch { }
+// 2026-06-03 task #1097: boot guard — 所有 category='constitutional' 的 param 必须 type='number'
+// 理由:admin-protocol-params.ts only-increase hook 假设 "increase = more protection",
+// 当前仅对 type='number' 生效。若有 bool 或 string constitutional param 被加入但未显式 override,
+// only-increase 锁会**静默失效**,导致 CHARTER §4 I-4 防绕过被绕过。
+// 这里 boot 时主动 assert,迫使加 param 的人 evaluate semantics 或显式扩展 hook。
+;
+(() => {
+    const offenders = DEFAULT_PARAMS.filter(p => p.category === 'constitutional' && p.type !== 'number');
+    if (offenders.length > 0) {
+        const list = offenders.map(p => `${p.key}(type=${p.type})`).join(', ');
+        throw new Error(`[#1097 boot guard] constitutional params must be type='number' for only-increase hook to apply. ` +
+            `Offenders: ${list}. ` +
+            `Either change type to 'number', or move to a non-constitutional category, or extend the hook in admin-protocol-params.ts to cover this type.`);
+    }
+})();
 // 2026-05-25 #1006：三个铁律节点默认值从 0 升级到 1（spec §4）
 // 幂等迁移：仅对 admin 未显式调整过的行（updated_by IS NULL）启用强制
 // 已有 admin 显式设置 0 的不覆盖（防意外覆写明确的关闭决策）
@@ -2265,12 +2352,12 @@ db.exec(`
   )
 `);
 // 慈善基金（单例 id='main'）
-// 科目化（Phase A 2026-05-21）：未发出的佣金按"来源科目"分账，治理委员会按科目决定用途
+// 2026-06-04 起【纯净】：仅服务慈善许愿板块（捐款/还愿/拨款），不再承接任何佣金兜底。
 //   total_donated         — 用户主动捐款
 //   total_redirected      — 还愿转入（原义保留）
-//   total_chain_gap       — 自发现订单 commission L2/L3 空缺兜底（"无人引流→公益"）
-//   total_orphan_sponsor  — 孤儿注册 sponsor 链兜底（"无推荐人→公益"）
 //   total_disbursed       — 累计已 disburse（出金）
+//   total_chain_gap / total_orphan_sponsor / total_region_cap 三列为历史遗留（解耦前佣金兜底曾入此），
+//   现已停写、仅作历史审计；新佣金兜底全部入 commission_reserve（三级公池，见下）。
 db.exec(`
   CREATE TABLE IF NOT EXISTS charity_fund (
     id              TEXT PRIMARY KEY,
@@ -2293,12 +2380,9 @@ for (const stmt of [
     }
     catch { /* 已存在 */ }
 }
-// 资金流水
-// kind 全集（Phase A 扩展）：
+// 资金流水（2026-06-04 起 charity 纯净，仅以下 3 类；redirect_* 历史 kind 不再新写）：
 //   donation              — 用户主动捐款
 //   repay_redirect        — 还愿转入（不可达原施善人或主动选 fund）
-//   redirect_chain_gap    — 自发现订单 commission 兜底（L2/L3 缺失）
-//   redirect_orphan_sponsor — 孤儿注册兜底
 //   disburse              — 出金（拨付/还愿 grant 等）
 db.exec(`
   CREATE TABLE IF NOT EXISTS charity_fund_txns (
@@ -2330,6 +2414,46 @@ try {
     db.exec("CREATE INDEX IF NOT EXISTS idx_cft_order ON charity_fund_txns(related_order_id)");
 }
 catch { }
+// ─── 三级公池 / 佣金储备（commission_reserve，单例 id='main'）─────────────
+// 2026-06-04：佣金兜底科目从 charity_fund 拆出，慈善科目自此【纯净】只服务慈善许愿板块。
+// 三级佣金中【无资格人 / 无资格 / 区域档位截断 / max=0 整池 / opt-out 放弃 / escrow 到期】
+// 的部分，统一入此【独立科目】。定位 = 协议储备，**只进不出**，用途由治理(DAO/创始人)决定。
+// 与 global_fund(PV 资金，由 1% base 注资发对碰) 互不流通 —— 三套科目彻底独立。
+// 命名注意：本表是【持久储备科目】，区别于每单的 commission_pool/commissionPool（= total×rate 预算变量）。
+//   total_chain_gap        — L2/L3 空缺（自发现/上家断链）
+//   total_orphan_sponsor   — sponsor 被封/无资格 + opt-out 主动放弃 + escrow 到期（无合格受益人桶）
+//   total_region_cap       — level>maxLevels 区域档位截断 + max_levels=0 整池
+db.exec(`
+  CREATE TABLE IF NOT EXISTS commission_reserve (
+    id                   TEXT PRIMARY KEY,
+    balance              REAL DEFAULT 0,
+    total_chain_gap      REAL DEFAULT 0,
+    total_orphan_sponsor REAL DEFAULT 0,
+    total_region_cap     REAL DEFAULT 0,
+    total_disbursed      REAL DEFAULT 0,
+    updated_at           TEXT NOT NULL DEFAULT (datetime('now'))
+  )
+`);
+db.prepare("INSERT OR IGNORE INTO commission_reserve (id) VALUES ('main')").run();
+db.exec(`
+  CREATE TABLE IF NOT EXISTS commission_reserve_txns (
+    id                   TEXT PRIMARY KEY,
+    kind                 TEXT NOT NULL,
+    from_user_id         TEXT,
+    amount               REAL NOT NULL,
+    related_order_id     TEXT,
+    note                 TEXT,
+    created_at           TEXT NOT NULL DEFAULT (datetime('now'))
+  )
+`);
+try {
+    db.exec("CREATE INDEX IF NOT EXISTS idx_crt_kind ON commission_reserve_txns(kind, created_at DESC)");
+}
+catch { }
+try {
+    db.exec("CREATE INDEX IF NOT EXISTS idx_crt_order ON commission_reserve_txns(related_order_id)");
+}
+catch { }
 // 还愿记录
 db.exec(`
   CREATE TABLE IF NOT EXISTS wish_repayments (
@@ -2484,6 +2608,9 @@ for (const stmt of [
     'ALTER TABLE users ADD COLUMN total_left_pv   REAL DEFAULT 0',
     'ALTER TABLE users ADD COLUMN total_right_pv  REAL DEFAULT 0',
     'ALTER TABLE users ADD COLUMN pv_dirty_at     TEXT',
+    // 二叉树左右【整棵子树】人数 — 增量维护(joinPowerLeg 上溯 +1), pickPreferredSide team_count O(1) 读
+    'ALTER TABLE users ADD COLUMN left_count      INTEGER DEFAULT 0',
+    'ALTER TABLE users ADD COLUMN right_count     INTEGER DEFAULT 0',
     // V3 用户成长等级（基于历史累积 score = 历史累积 WAZ 收益）
     'ALTER TABLE users ADD COLUMN lifetime_score  REAL DEFAULT 0',
 ]) {
@@ -2562,6 +2689,13 @@ try {
     db.prepare('INSERT OR IGNORE INTO global_fund (id) VALUES (1)').run();
 }
 catch { }
+// 2026-06-04 (#1106)：PV escrow 隔离负债账。结算时给"已承诺但 opt-out 待激活"的 PV 奖励
+// 从 pool_balance 移入此列（不再留在可分配池中被后续周期发给别人）；
+// 兑付(opt-in)从此列出，到期退回 pool_balance。守恒：pool + pv_escrow_reserve + wallets = 常量。
+try {
+    db.exec('ALTER TABLE global_fund ADD COLUMN pv_escrow_reserve REAL DEFAULT 0');
+}
+catch { /* 已存在 */ }
 db.exec(`
   CREATE TABLE IF NOT EXISTS management_bonus_pool (
     id INTEGER PRIMARY KEY CHECK(id=1),
@@ -3040,6 +3174,38 @@ try {
     db.prepare("UPDATE users SET placement_pref = 'team_count' WHERE placement_pref IN ('left','right')").run();
 }
 catch { }
+// 增量计数 backfill（一次性，幂等）：从现有 placement 树重算 left_count/right_count。
+// 新装 / 空树 = no-op。有历史 placement 的库（local/已运行）首次启动重算一次。
+// 2026-06-04 引入 left_count/right_count 增量字段时的迁移。
+try {
+    const done = db.prepare("SELECT value FROM system_state WHERE key = 'placement_count_backfilled'").get()?.value === '1';
+    if (!done) {
+        const placed = db.prepare("SELECT id, placement_id, placement_side FROM users WHERE placement_id IS NOT NULL").all();
+        const bf = db.transaction(() => {
+            db.exec("UPDATE users SET left_count = 0, right_count = 0");
+            for (const p of placed) {
+                let upParent = p.placement_id;
+                let upSide = p.placement_side;
+                let safety = 10_000;
+                while (upParent && safety-- > 0) {
+                    const col = upSide === 'left' ? 'left_count' : 'right_count';
+                    db.prepare(`UPDATE users SET ${col} = ${col} + 1 WHERE id = ?`).run(upParent);
+                    const pr = db.prepare("SELECT placement_id, placement_side FROM users WHERE id = ?").get(upParent);
+                    if (!pr?.placement_id)
+                        break;
+                    upSide = pr.placement_side || 'left';
+                    upParent = pr.placement_id;
+                }
+            }
+        });
+        bf();
+        db.prepare("INSERT OR REPLACE INTO system_state (key, value) VALUES ('placement_count_backfilled', '1')").run();
+        console.log(`[placement_count] backfill 完成,重算 ${placed.length} 个已挂载节点`);
+    }
+}
+catch (e) {
+    console.error('[placement_count backfill]', e.message);
+}
 // ─── 身份码派生 helpers ─────────────────────────────────
 // permanent_code：6 位 Crockford base32（去歧义字符 I L O U），永久唯一，不可改
 // 32 字母表：0-9 + ABCDEFGHJKMNPQRSTVWXYZ
@@ -3279,6 +3445,23 @@ catch { }
     }
     catch { }
 });
+// ─── P0-2 PRE-LAUNCH 全局 clamp:max_levels ≤ 1（2026-06-03 user decision B）───
+// 上方按辖区分档的 seed(0/1/2/3)是【知识/基础设施】,保留不删。
+// 但 pre-launch 阶段【未请律师】,operator 明确"max_levels ≤ 1 everywhere 是不请律师
+// 也安全的唯一前提"。因此强制把所有地区压到 ≤ 1(0 保持 0,更严不动)。
+// 这是【唯一的 pre-launch 合规闸门】—— 单点可逆:
+//   re-trigger(见 docs/LEGAL-DISCLOSURES.md §7):真实用户 > 100 / GMV > $10k /
+//   首次监管 inquiry / 进入新辖区 / Phase D 上线 —— 届时【请律师背书后】删除本块,
+//   即按上方 seed 的辖区分档自动放开。
+// display == enforcement:clamp DB 值(而非仅运行时 cap),admin/UI 显示值 = 实际生效值。
+try {
+    db.exec("UPDATE region_config SET max_levels = 1 WHERE max_levels > 1");
+}
+catch { }
+try {
+    db.exec("UPDATE region_config SET mlm_ui_visible = 0 WHERE max_levels = 0");
+}
+catch { }
 // 卖家发新品配额（模块 A）
 for (const stmt of [
     'ALTER TABLE users ADD COLUMN max_products      INTEGER DEFAULT 200',
@@ -5064,7 +5247,63 @@ function endpointToAction(method, path) {
         return 'rfq';
     if (method === 'POST' && /^\/api\/auctions\/[^/]+\/bid/.test(path))
         return 'bid';
-    return null; // 未映射的写操作不约束（避免误伤现有功能；spec 后续按需扩展）
+    // 权限审计 #1115 P0:花钱/价值写纳入问责门(与 place_order 同档:无 Passkey 须声明 scope)。
+    // 之前这些漏在 default-allow 之外,无声明无 Passkey 的 agent 可花掉账户余额 —— 补齐一致性。
+    if (method === 'POST' && /^\/api\/skill-market\/[^/]+\/purchase/.test(path))
+        return 'purchase';
+    if (method === 'POST' && /^\/api\/secondhand\/[^/]+\/order/.test(path))
+        return 'buy_secondhand';
+    if (method === 'POST' && /^\/api\/group-buys\/[^/]+\/join/.test(path))
+        return 'group_buy_join';
+    // #1115 P1:写 PII(收货地址)也需问责。含 addresses 增删改 + profile 默认地址。
+    if (method !== 'GET' && (/^\/api\/addresses(\/|$)/.test(path) || path === '/api/profile/default-address'))
+        return 'set_address';
+    // #1115 P2:钱包写(转出/充值/白名单/连接)统一纳入 'wallet' 问责门。
+    // 之前 wallet/* 整段在 SAFE 放行 → api_key agent 可直达 withdraw,小额零真人门分批盗刷;
+    // 现要求声明 'wallet' scope(或 '*' / Passkey)。withdraw 另在 handler 内强制 Passkey 真人门(铁律,见 wallet-write.ts)。
+    if (method !== 'GET' && /^\/api\/wallet\//.test(path))
+        return 'wallet';
+    // #1115 P2:profile **PII/身份/接管向量**写纳入 'set_profile' —— 仅这一子集需问责。
+    //   改恢复邮箱(bind/confirm-email)=账户接管;改 handle/name=身份;set/clear-location=地理 PII。
+    //   ⚠️ 不一刀切整段 profile/*:role/region/placement/password/verify 是"无 Passkey 也要能用"的
+    //   自助操作(见原则:没身份验证也要解决的问题不要求身份),它们留在下方 SAFE。
+    //   default-address 已在上面归 set_address(更具体,优先)。
+    if (method !== 'GET' && /^\/api\/profile\/(bind-email|confirm-email|change-handle|change-name|set-location|clear-location)$/.test(path))
+        return 'set_profile';
+    // ── #1115 B4 结构性:default-deny ──────────────────────────────
+    // 上面是细粒度命名 token;下面 safe-list 放行(返回 null),其余一切写 → 'write'(需 Passkey 或声明 scope)。
+    // 目的:新增的敏感写默认就被门控,不会因"忘了加映射"而裸奔(把 default-allow 翻成 default-deny)。
+    // safe-list 三类必须放行(否则误伤 / 死锁):
+    //   (a) 脱困入口:绑 Passkey(webauthn)/ 声明 scope(me/agents)/ 登录注册/找回 —— 若门控则永远无法获得通行资格
+    //   (b) 自带门:build-feedback(分级门)/ admin(requireAdmin)。
+    //       注意:wallet / profile 不再 SAFE —— #1115 P2 移到上方命名 token(wallet / set_profile / set_address)。
+    //   (c) 公开 + 低值自我状态写(管理自己的 cart/wishlist/通知/关注 等,登录即可)
+    const SAFE = [
+        // (a) 脱困 / 鉴权 / 身份(bootstrap 通行资格所必需 —— wallet 与 profile 的 PII 子集不在此列,见上方命名 token)
+        /^\/api\/(login|register)$/, /^\/api\/recover-key/, /^\/api\/webauthn\//,
+        /^\/api\/me\/agents\//,
+        // profile 自助子集(无 Passkey 真人也要能用:切角色/选地区/PV 配置/改密码/二次确认)。
+        // PII/身份子集(bind-email/change-handle/set-location 等)已在上方归 set_profile,不在此放行。
+        /^\/api\/profile\/(switch-role|add-role|region|placement-pref|bind-placement|feed-visible|verify-password|set-password|remove-password)$/,
+        // (b) 自带门(build-feedback=分级门;build-tasks=协调层登录即可;admin=requireAdmin。wallet/profile 已移到上方命名 token #1115 P2)
+        /^\/api\/build-feedback/, /^\/api\/build-tasks/, /^\/api\/admin\//,
+        // (c) 公开 / 无需登录
+        /^\/api\/(public-ideas|error-report|mcp-telemetry|email-subscriptions|search-by-link|feedback)(\/|$)/,
+        // (c) 低值自我状态
+        /^\/api\/cart$/, /^\/api\/cart\/(?!checkout)[^/]+$/,
+        /^\/api\/wishlist/, /^\/api\/products\/[^/]+\/waitlist$/,
+        /^\/api\/notifications\/read$/, /^\/api\/announcements\/[^/]+\/read$/,
+        /^\/api\/follows\//, /^\/api\/blocklist\//,
+        /^\/api\/checkin$/, /^\/api\/growth\/tasks\//, /^\/api\/tasks\/[^/]+\/claim$/,
+        /^\/api\/push\//, /^\/api\/auth\//,
+        /^\/api\/me\/(delete-cancel|notify-claim-tasks)/,
+        /^\/api\/peers\//, /^\/api\/signaling\//,
+        /^\/api\/product-share\/touch$/, /^\/api\/anchor\/[^/]+\/touch$/,
+        /^\/api\/reviews\//,
+    ];
+    if (SAFE.some(r => r.test(path)))
+        return null;
+    return 'write'; // 默认拒绝:其余写需问责
 }
 // Phase 3b（B1）：敏感读 → read-scope token 映射。只挑「跨用户聚合 / 批量扫描」这类剽窃向读取，
 // 普通读（自己的 profile / products 列表 / 订单等）一律 null 不约束，避免误伤声明 agent 的日常读。
@@ -5522,6 +5761,18 @@ registerAgentReputationRoutes(app, {
 });
 // #1013 Phase 47: 6 公开用户主页 endpoints 已迁出到 routes/users-public.ts
 registerUsersPublicRoutes(app, { db, auth, noteAuthenticityBadges });
+// RFC-004 build_feedback — agent-native "use → build" 反馈管道
+registerBuildFeedbackRoutes(app, {
+    db, auth,
+    requireSupportAdmin: (req, res) => requireAdminPermission(req, res, 'support'),
+});
+// RFC-006 Gap 1:协调层(build_tasks "谁在做什么")
+registerBuildTasksRoutes(app, {
+    db, auth,
+    requireSupportAdmin: (req, res) => requireAdminPermission(req, res, 'support'),
+});
+// RFC-006 Gap 2:贡献者自查看板(build_reputation 独立池)
+registerBuildReputationRoutes(app, { db, auth });
 // #1013 Phase 48: 3 auth/sessions endpoints 已迁出到 routes/auth-sessions.ts
 registerAuthSessionsRoutes(app, { db, auth, verifyPassword, recordSession, generateSecureKey });
 // 个人资料：查看 API Key + 联系方式
@@ -6438,27 +6689,13 @@ registerAdminReportsRoutes(app, {
 });
 // ─── 原子能轨道（Phase 2）：双轨树挂靠 ───────────────────────
 const PV_PROPAGATION_DEPTH_LIMIT = 5000; // PV 累积深度上限（admin 可调，存 system_state 之后）
-// 数子树用户数（沿 X_child 链向下，O(depth)；用于 team_count 偏好）
-function countSubtreeUsers(rootId, side) {
-    const childField = side === 'left' ? 'left_child_id' : 'right_child_id';
-    let count = 0;
-    let current = rootId;
-    let safety = 10_000;
-    while (safety-- > 0) {
-        const row = db.prepare(`SELECT ${childField} FROM users WHERE id = ?`).get(current);
-        const next = row?.[childField];
-        if (!next)
-            break;
-        count++;
-        current = next;
-    }
-    return count;
-}
+// (2026-06-04 移除 countSubtreeUsers — 旧实现只数单条脊链, 名实不符;
+//  team_count 改读增量维护的 users.left_count/right_count, 见 pickPreferredSide + joinPowerLeg)
 // 根据 inviter 偏好自动选边（链接不带 side 时用）
 // 支持 2 档：team_count（默认，下线人数少）/ pv_count（近 90 天 PV 累计少）
 // 兼容 legacy: left/right 视为 team_count（启动时会被静默迁移；这里防御性兜底）
 function pickPreferredSide(inviterId) {
-    const u = db.prepare("SELECT placement_pref, total_left_pv, total_right_pv FROM users WHERE id = ?")
+    const u = db.prepare("SELECT placement_pref, total_left_pv, total_right_pv, left_count, right_count FROM users WHERE id = ?")
         .get(inviterId);
     const pref = u?.placement_pref || 'team_count';
     if (pref === 'pv_count') {
@@ -6471,9 +6708,11 @@ function pickPreferredSide(inviterId) {
         const rightPv = Number(u?.total_right_pv ?? 0) + Number(w.r);
         return leftPv <= rightPv ? 'left' : 'right';
     }
-    // team_count（默认）：数左右链下线人数，少的一边
-    const lCount = countSubtreeUsers(inviterId, 'left');
-    const rCount = countSubtreeUsers(inviterId, 'right');
+    // team_count（默认）：左右【整棵子树】人数，挂少的一边。
+    // 读增量维护的 left_count/right_count（O(1)）。2026-06-04 修：旧实现 countSubtreeUsers
+    // 只数单条脊链（不含旁支子树），名实不符 → 病毒增长下选边失真。改为增量全子树计数。
+    const lCount = Number(u?.left_count ?? 0);
+    const rCount = Number(u?.right_count ?? 0);
     return lCount <= rCount ? 'left' : 'right';
 }
 /**
@@ -6501,6 +6740,20 @@ function joinPowerLeg(inviterId, side, newUserId) {
         db.prepare(`UPDATE users SET ${childField} = ? WHERE id = ?`).run(newUserId, current);
         db.prepare(`UPDATE users SET placement_id = ?, placement_side = ?, placement_path = ?, placement_depth = ? WHERE id = ?`)
             .run(current, side, newPath, newDepth, newUserId);
+        // 增量维护 left_count/right_count：从新人上溯，每个祖先的对应腿 +1（整棵子树计数，与 total_*_pv 同模式）。
+        // 首轮：current 的 [side] 腿 +1（新人直接落在 current 的 side 侧）；逐级上溯，按各节点 placement_side 归边。
+        let upParent = current;
+        let upSide = side;
+        let safety = 10_000;
+        while (upParent && safety-- > 0) {
+            const col = upSide === 'left' ? 'left_count' : 'right_count';
+            db.prepare(`UPDATE users SET ${col} = ${col} + 1 WHERE id = ?`).run(upParent);
+            const pr = db.prepare("SELECT placement_id, placement_side FROM users WHERE id = ?").get(upParent);
+            if (!pr?.placement_id)
+                break;
+            upSide = pr.placement_side || 'left';
+            upParent = pr.placement_id;
+        }
         return { tail: current, depth: newDepth };
     });
     return place();
@@ -6585,6 +6838,9 @@ function runBinarySettlement() {
     const now = new Date().toISOString();
     const periodStart = new Date(Date.now() - 7 * 86400_000).toISOString();
     for (const u of dirty) {
+        // 注：对碰【分数照常计算累积】，不在此 gate region。PV 经济闸在【兑付】层
+        // （score → WAZ 时按 region pv_enabled 决定是否真实发放；未开启则分数挂账，
+        //  待辖区开启 / 用户迁移到可用辖区再兑现）。2026-06-04 解耦设计。
         // 周期内已得 Score（paranoia 封顶）
         const weekScore = db.prepare(`SELECT COALESCE(SUM(score),0) as s FROM binary_score_records WHERE user_id = ? AND created_at > ?`).get(u.id, periodStart).s;
         if (weekScore >= SINGLE_USER_PERIOD_CAP) {
@@ -6620,7 +6876,14 @@ function executeSafeSettlementCron() {
             return;
         }
         // 2. 全网当期 pending Score 汇总
-        const pending = db.prepare(`SELECT id, user_id, score FROM binary_score_records WHERE settled_at IS NULL`).all();
+        // 2026-06-04 解耦：PV 隐藏不关闭 —— 分数照常计算累积。兑付层按 earner【当前 region】
+        // 的 pv_enabled 过滤：未开启的 earner 分数【保留 pending（不入本期分配、不稀释合格者单价）】，
+        // 待辖区开启 / 用户迁移到可用辖区，下期自动兑现。挂账的钱按实际发放扣减(见步骤7)自然留池。
+        const allPending = db.prepare(`SELECT id, user_id, score FROM binary_score_records WHERE settled_at IS NULL`).all();
+        const pending = allPending.filter(r => {
+            const reg = db.prepare("SELECT region FROM users WHERE id = ?").get(r.user_id)?.region || 'global';
+            return regionPvEnabled(reg);
+        });
         if (pending.length === 0) {
             result.status = 'no_pending';
             return;
@@ -6705,6 +6968,37 @@ function executeSafeSettlementCron() {
             }
             // V1：1 WAZ = 1 元（场景 B 杠杆延后）
             const wazAmount = cashDue;
+            // RFC-002 §3.5 PV-pair opt-in gate (PR-1c-b) — symmetric to settleCommission L1/L2/L3 gate
+            //   opted-in        → normal wallet credit
+            //   opted-out + 'deactivate' → 不发放，waz 留在 PV 资金池（forfeit，非慈善）
+            //   opted-out + other → escrow（pv_pair），金额从 pool 移入 pv_escrow_reserve（#1106 隔离负债）
+            // 2026-06-04 修双计 bug：deactivate 旧版 redirectToCharity 新增慈善余额，但 waz 因不计入
+            //   cashDistributed 已留在 pool → 钱印了两份。现 deactivate 仅标记 settled，钱留 PV 资金池。
+            const optIn = db.prepare("SELECT rewards_opted_in FROM users WHERE id = ?").get(r.user_id)?.rewards_opted_in ?? 0;
+            if (optIn !== 1) {
+                const lastAction = db.prepare("SELECT action FROM rewards_applications WHERE user_id = ? ORDER BY created_at DESC LIMIT 1").get(r.user_id)?.action;
+                const isEscrow = lastAction !== 'deactivate';
+                db.transaction(() => {
+                    if (isEscrow) {
+                        // never_activated / auto_downgrade → escrow（pv_pair）。
+                        // #1106：把 waz 从可分配池移入 pv_escrow_reserve（隔离负债），避免后续周期把这笔预留发给别人、
+                        // 到兑付时池里没钱却仍给钱包加钱（凭空印钱）。兑付从 reserve 出、到期退回 pool。
+                        const escrowDays = Number(db.prepare("SELECT value FROM protocol_params WHERE key = 'rewards_opt_in.escrow_days'").get()?.value ?? 30);
+                        const nowMs = Date.now();
+                        db.prepare(`INSERT INTO pending_commission_escrow (recipient_user_id, order_id, amount, attribution_path, status, created_at, expires_at) VALUES (?, NULL, ?, 'pv_pair', 'pending', ?, ?)`)
+                            .run(r.user_id, wazAmount, nowMs, nowMs + escrowDays * 86400 * 1000);
+                        db.prepare("UPDATE global_fund SET pv_escrow_reserve = pv_escrow_reserve + ? WHERE id = 1").run(wazAmount);
+                    }
+                    // deactivate：什么都不转，waz 自然留在 pool（cashRetained）
+                    db.prepare("UPDATE binary_score_records SET settled_at = datetime('now'), waz_amount = 0 WHERE id = ?").run(r.id);
+                })();
+                // escrow 分支：计入 cashDistributed → 末尾 cashRetained 会把这笔从 pool 扣掉（已移入 reserve）。
+                // deactivate 分支：不计入 → 留在 pool。
+                if (isEscrow)
+                    cashDistributed += cashDue;
+                // Do NOT credit wallet, lifetime_score, or count as settledUser — opt-out path
+                continue;
+            }
             db.prepare("UPDATE wallets SET balance = balance + ?, earned = earned + ? WHERE user_id = ?").run(wazAmount, wazAmount, r.user_id);
             db.prepare("UPDATE binary_score_records SET settled_at = datetime('now'), waz_amount = ? WHERE id = ?").run(wazAmount, r.id);
             // V3 用户成长等级：累加 lifetime_score（实际兑现的 WAZ 金额，不是 pending score）
@@ -7109,6 +7403,36 @@ registerArbitratorRoutes(app, {
     checkArbitratorEligibility, getArbitratorState, errorRes, logAdminAction,
     ARB_STAKE_REQUIRED, ARB_APP_REJECT_COOLDOWN_DAYS,
 });
+// Governance onboarding (W3.5-B #1093) — apply + quiz + cases + admin activation + resign/appeal + auto_deactivate audit
+registerGovernanceOnboardingRoutes(app, {
+    db, generateId, auth, errorRes,
+    checkArbitratorEligibility, checkVerifierEligibility,
+    consumeGateToken, getProtocolParam,
+    requireGovernanceAdmin: (req, res) => requireAdminPermission(req, res, 'arbitration'),
+    logAdminAction,
+});
+// #1090 RFC-002 PR-2a: rewards apply/deactivate/status endpoints
+registerRewardsApplyRoutes(app, {
+    db, auth, errorRes, consumeGateToken, getProtocolParam,
+});
+// task #1093 stage 5: admin manual auto-deactivate sweep trigger
+// Useful for ops + testing. The scheduled cron also runs every N hours.
+app.post('/api/admin/governance/run-auto-deactivate', (req, res) => {
+    const admin = requireAdminPermission(req, res, 'arbitration');
+    if (!admin)
+        return;
+    try {
+        const result = runAutoDeactivateSweep({ db, generateId, getProtocolParam });
+        logAdminAction(admin.id, 'governance_auto_deactivate_sweep', null, null, {
+            scanned: result.scanned,
+            deactivated_count: result.deactivated.length,
+        });
+        res.json({ success: true, ...result });
+    }
+    catch (e) {
+        res.status(500).json({ error: e.message });
+    }
+});
 // link-challenges/verify — Phase 113 已迁出
 // 2026-05-24 价格下降时通知 wishlist 中开启了价格提醒的用户
 function notifyWishlistPriceDrop(productId, productTitle, oldPrice, newPrice) {
@@ -7287,6 +7611,7 @@ registerDisputesWriteRoutes(app, {
     FUND_BASE_RATE: () => FUND_BASE_RATE(),
     settleCommission, depositToFund, calculatePv,
     recordDisputeReputation, issueAgentStrike, publishDisputeCase, logAdminAction, snfSend,
+    getProtocolParam,
 });
 // lightAuthGuard：轻量 Authorization 头守门（在 raw 解析之前挡掉无 auth 请求）
 // 被 Phase 13 shareables（视频上传）+ Phase 87 disputes evidence-blob 共享
@@ -8374,6 +8699,12 @@ function getRegionMaxLevels(region) {
     // 已显式审计且合规允许的地区在 region_config 表里设 2 或 3
     return row?.max_levels ?? 1;
 }
+// 2026-06-04 解耦：PV 双轨/对碰系统是否在该 region 开启 —— 与 max_levels（佣金层级）独立。
+// 未配置 / 未知地区一律 false（保守默认 PV 全关，需治理显式开 pv_enabled=1）。
+function regionPvEnabled(region) {
+    const row = db.prepare("SELECT pv_enabled FROM region_config WHERE region = ?").get(region);
+    return Number(row?.pv_enabled ?? 0) === 1;
+}
 // effectiveBase 可选 — partial_refund / liability_split 时按实际成交金额发放
 // 默认 undefined → 用 order.total_amount（正常完成 / release_seller）
 function settleCommission(orderId, effectiveBase) {
@@ -8394,11 +8725,13 @@ function settleCommission(orderId, effectiveBase) {
     }
     const maxLevels = getRegionMaxLevels(region);
     const pool = Math.round(total * rate * 100) / 100;
-    // Phase B：max_levels=0 → 完全禁 MLM，整个 commission pool 入 charity_fund
+    // max_levels=0 → 完全禁 MLM，整个 commission pool 入 commission_reserve（三级公池，只进不出）
+    // 2026-06-04 修双计 bug：旧版既 redirectToCharity 又 return redirected:pool 让 depositToFund 再入 global_fund → 印钱。
+    // 现统一入 commission_reserve 一次，return redirected:0（depositToFund 只拿 1% base）。
     if (maxLevels === 0) {
-        redirectToCharity(pool, 'redirect_region_cap', { orderId, note: '区域禁 MLM — max_levels=0，整池入公益' });
+        redirectToCommissionReserve(pool, 'redirect_region_cap', { orderId, note: '区域禁 MLM — max_levels=0，整池入三级公池' });
         db.prepare("UPDATE orders SET settled_commission_at = datetime('now') WHERE id = ?").run(orderId);
-        return { pool, redirected: pool, source: 'static' };
+        return { pool, redirected: 0, source: 'static' };
     }
     // 100% per-product attribution：L1/L2/L3 已在订单创建期由 getProductShareChain() 写入
     const l1Uid = order.l1_uid;
@@ -8427,31 +8760,54 @@ function settleCommission(orderId, effectiveBase) {
             return 'sponsor';
         return sh.type === 'note' ? 'note' : 'link';
     }
-    let redirected = 0; // → global_fund (PV 经济池，region cap 部分)
-    let charityRedirected = 0; // → charity_fund (chain gap + 无效 sponsor，治理决定用途)
+    // 2026-06-04：所有兜底统一入 commission_reserve（三级公池，独立科目，只进不出）。
+    // commission 不再回流 global_fund（PV 资金）—— 三套科目解耦，redirected 始终 0。
+    let toCommissionReserve = 0; // → commission_reserve（仅作日志/返回信息用）
     for (const { level, beneficiary } of recipients) {
         const amount = Math.round(pool * LEVEL_RATES[level] * 100) / 100;
         if (amount <= 0)
             continue;
-        // ① region 截断 → global_fund (经济引擎，PV 系统自动再分配)
+        // ① region 截断 (level>maxLevels) → 三级公池
         if (level > maxLevels) {
-            redirected += amount;
+            redirectToCommissionReserve(amount, 'redirect_region_cap', { orderId, fromUserId: order.buyer_id, note: `L${level} > maxLevels=${maxLevels} 区域截断` });
+            toCommissionReserve += amount;
             continue;
         }
-        // ② chain 缺失 (自发现 / 上家断链) → charity_fund (治理决定)
-        // Phase A 2026-05-21：原 sys_protocol 兜底改入 charity_fund，统一公益化
+        // ② chain 缺失 (自发现 / 上家断链) → 三级公池
         if (!beneficiary) {
-            redirectToCharity(amount, 'redirect_chain_gap', { orderId, fromUserId: order.buyer_id, note: `L${level} 空缺` });
-            charityRedirected += amount;
+            redirectToCommissionReserve(amount, 'redirect_chain_gap', { orderId, fromUserId: order.buyer_id, note: `L${level} 空缺` });
+            toCommissionReserve += amount;
             continue;
         }
-        // ③ sponsor 资格无效 (被封 / 无 verify) → charity_fund
+        // ③ sponsor 资格无效 (被封 / 无 verify) → 三级公池
         if (!isAllowedSponsor(beneficiary)) {
-            redirectToCharity(amount, 'redirect_orphan_sponsor', { orderId, fromUserId: order.buyer_id, note: `L${level} sponsor 不合规: ${beneficiary}` });
-            charityRedirected += amount;
+            redirectToCommissionReserve(amount, 'redirect_orphan_sponsor', { orderId, fromUserId: order.buyer_id, note: `L${level} sponsor 不合规: ${beneficiary}` });
+            toCommissionReserve += amount;
+            continue;
+        }
+        // ④ RFC-002 §3.5 opt-in gate (PR-1c-a)
+        //   opted-in        → normal credit (⑤)
+        //   opted-out + last action 'deactivate' → directly 三级公池 (主动放弃)
+        //   opted-out + other (never_activated | auto_downgrade) → pending_commission_escrow
+        const optIn = db.prepare("SELECT rewards_opted_in FROM users WHERE id = ?").get(beneficiary)?.rewards_opted_in ?? 0;
+        if (optIn !== 1) {
+            const lastAction = db.prepare("SELECT action FROM rewards_applications WHERE user_id = ? ORDER BY created_at DESC LIMIT 1").get(beneficiary)?.action;
+            if (lastAction === 'deactivate') {
+                redirectToCommissionReserve(amount, 'redirect_opt_out_deactivated', { orderId, fromUserId: order.buyer_id, note: `L${level} ${beneficiary} actively deactivated rewards` });
+                toCommissionReserve += amount;
+                continue;
+            }
+            // never_activated OR auto_downgrade → escrow (30d window per protocol_params.rewards_opt_in.escrow_days)
+            const escrowDays = Number(db.prepare("SELECT value FROM protocol_params WHERE key = 'rewards_opt_in.escrow_days'").get()?.value ?? 30);
+            const now = Date.now();
+            try {
+                db.prepare(`INSERT INTO pending_commission_escrow (recipient_user_id, order_id, amount, attribution_path, status, created_at, expires_at) VALUES (?,?,?,?,'pending',?,?)`)
+                    .run(beneficiary, orderId, amount, `L${level}`, now, now + escrowDays * 86400 * 1000);
+            }
+            catch (e) { /* UNIQUE 冲突 — settleCommission 重入幂等 */ }
             continue;
         }
-        // ④ 正常分账
+        // ⑤ 正常分账
         try {
             const srcType = resolveSourceType(beneficiary);
             db.prepare(`INSERT INTO commission_records (id, order_id, beneficiary_id, source_buyer_id, level, amount, rate, region, source, source_type)
@@ -8463,9 +8819,10 @@ function settleCommission(orderId, effectiveBase) {
         catch (e) { /* UNIQUE 冲突 */ }
     }
     db.prepare("UPDATE orders SET settled_commission_at = datetime('now') WHERE id = ?").run(orderId);
-    // 返回值 redirected 兼容旧调用 (仍是入 global_fund 的金额，给 depositToFund 用)
-    // charityRedirected 是新分支 — 不参与 global_fund，已在循环里直接落 charity_fund
-    return { pool, redirected: Math.round(redirected * 100) / 100, source: routeSource };
+    // redirected 恒为 0：commission 兜底全部入 commission_reserve，不再回流 global_fund(PV 资金)。
+    // toCommissionReserve 仅作日志参考（实际入账已在循环里逐笔落 commission_reserve_txns）。
+    void toCommissionReserve;
+    return { pool, redirected: 0, source: routeSource };
 }
 // ─── 原子能：基金池入金 (depositToFund) ──────────────────────────
 // 1% 永远入池（默认）；commission 端回流由 settleCommission 返回，作为 extraFromCommission 传入
@@ -8541,17 +8898,21 @@ function depositToFund(orderId, extraFromCommission = 0, effectiveBase) {
     }
     return { base: amountBase, redirect: amountRedirect, total: totalDeposit };
 }
-function redirectToCharity(amount, kind, args = {}) {
+function redirectToCommissionReserve(amount, kind, args = {}) {
     if (!Number.isFinite(amount) || amount <= 0)
         return;
     const a = Math.round(amount * 100) / 100;
+    // Aggregate column mapping (commission_reserve_txns.kind records exact kind):
+    //   chain_gap → total_chain_gap
+    //   orphan_sponsor / opt_out_deactivated / escrow_expired → total_orphan_sponsor (no-eligible-recipient bucket)
+    //   region_cap → total_region_cap
     const totalCol = kind === 'redirect_chain_gap' ? 'total_chain_gap'
-        : kind === 'redirect_orphan_sponsor' ? 'total_orphan_sponsor'
-            : 'total_region_cap';
+        : kind === 'redirect_region_cap' ? 'total_region_cap'
+            : 'total_orphan_sponsor';
     db.transaction(() => {
-        db.prepare(`UPDATE charity_fund SET balance = balance + ?, ${totalCol} = ${totalCol} + ?, updated_at = datetime('now') WHERE id = 'main'`).run(a, a);
-        db.prepare(`INSERT INTO charity_fund_txns (id, kind, from_user_id, amount, related_order_id, note)
-                VALUES (?,?,?,?,?,?)`).run(generateId('cft'), kind, args.fromUserId || null, a, args.orderId || null, args.note || null);
+        db.prepare(`UPDATE commission_reserve SET balance = balance + ?, ${totalCol} = ${totalCol} + ?, updated_at = datetime('now') WHERE id = 'main'`).run(a, a);
+        db.prepare(`INSERT INTO commission_reserve_txns (id, kind, from_user_id, amount, related_order_id, note)
+                VALUES (?,?,?,?,?,?)`).run(generateId('crt'), kind, args.fromUserId || null, a, args.orderId || null, args.note || null);
     })();
 }
 function settleOrder(orderId) {
@@ -8610,10 +8971,10 @@ function settleOrder(orderId) {
             db.prepare("UPDATE management_bonus_pool SET balance = balance + ? WHERE id = 1").run(protocolToBonus);
         if (protocolToOps > 0)
             db.prepare("UPDATE wallets SET balance = balance + ? WHERE user_id = 'sys_protocol'").run(protocolToOps);
-        // 推土机分享分润（按区域 max_levels 裁决 + 全员 verified gate + dynamic L1 路由）→ 返回回流金额
-        const { redirected } = settleCommission(orderId);
-        // 原子能：基金池入金（1% + commission 端回流，幂等）
-        depositToFund(orderId, redirected);
+        // 推土机分享分润：正常分账 → 钱包；兜底 → commission_reserve（三级公池，独立科目）
+        settleCommission(orderId);
+        // 原子能：PV 资金池入金 = 仅 1% base（2026-06-04 起 commission 不再回流此池，三科目解耦）
+        depositToFund(orderId);
         // P-Distrib β：若 buyer 是经 pinner 传输内容才看到本商品 → settlePinRewards 从 basin 拨 0.5%
         try {
             const pr = settlePinRewards(orderId);
@@ -9434,8 +9795,18 @@ registerPublicUtilsRoutes(app, {
     issuerAddress: () => privateKeyToAddress(derivePrivKey('platform-hot-wallet')),
 });
 // ─── 静态文件 + SPA 回退（必须在所有 API 路由之后）────────────
-app.use(express.static(path.join(__dirname, 'public')));
+// PWA 壳文件必须 no-cache(否则 CF/浏览器 4h 缓存挡新版本)；
+// 其他静态资产(图标/字体)走 CF 默认。
+app.use(express.static(path.join(__dirname, 'public'), {
+    setHeaders: (res, filePath) => {
+        const base = path.basename(filePath);
+        if (base === 'app.js' || base === 'sw.js' || base === 'i18n.js' || base === 'index.html' || base === 'manifest.json') {
+            res.setHeader('Cache-Control', 'no-cache, must-revalidate');
+        }
+    },
+}));
 app.get('/{*path}', (_req, res) => {
+    res.setHeader('Cache-Control', 'no-cache, must-revalidate');
     res.sendFile(path.join(__dirname, 'public', 'index.html'));
 });
 // POST /api/orders/:id/force-timeout-check — Phase 84 已迁出
@@ -9802,6 +10173,199 @@ try {
     db.exec('CREATE INDEX IF NOT EXISTS idx_error_log_created ON error_log(created_at)');
 }
 catch { }
+// ─── 治理岗位上岗(W3.5-B,2026-06-02)──────────────────────────
+// docs/GOVERNANCE-ONBOARDING.md — arbitrator + verifier 申请 / 上岗 / 卸任 / 申诉
+// 1 表:governance_applications(append-only,记录 apply/activate/resign/auto_deactivate/appeal)
+db.exec(`
+  CREATE TABLE IF NOT EXISTS governance_applications (
+    id                  TEXT PRIMARY KEY,
+    user_id             TEXT NOT NULL REFERENCES users(id),
+    role                TEXT NOT NULL,           -- 'arbitrator' | 'verifier'
+    action              TEXT NOT NULL,           -- 'apply' | 'activate' | 'resign' | 'auto_deactivate' | 'appeal' | 'reconfirm'
+    status              TEXT NOT NULL,           -- 'pending_onboarding' | 'active' | 'inactive' | 'rejected' | 'cooldown'
+    consent_hash        TEXT,                    -- apply 时披露文本 hash
+    passkey_sig         TEXT,                    -- apply / activate / resign Passkey 签发证据
+    iron_rule_method    TEXT,                    -- 'passkey' | 'password' | 'system_auto'
+    quiz_score          INTEGER,                 -- 0-100(activate 时)
+    case_review_text    TEXT,                    -- onboarding §4.2 案例分析(摘要)
+    cooldown_until      INTEGER,                 -- resign / auto_deactivate 后到期 timestamp
+    appeal_reason       TEXT,                    -- appeal 时填
+    appeal_resolution   TEXT,                    -- maintainer 处置 + 理由
+    ip_hash             TEXT,
+    ua_hash             TEXT,
+    created_at          INTEGER NOT NULL DEFAULT (strftime('%s','now'))
+  )
+`);
+try {
+    db.exec('CREATE INDEX IF NOT EXISTS idx_gov_apps_user ON governance_applications(user_id, created_at DESC)');
+}
+catch { }
+try {
+    db.exec('CREATE INDEX IF NOT EXISTS idx_gov_apps_role_status ON governance_applications(role, status, created_at DESC)');
+}
+catch { }
+try {
+    db.exec('CREATE INDEX IF NOT EXISTS idx_gov_apps_cooldown ON governance_applications(user_id, role, cooldown_until)');
+}
+catch { }
+// 2026-06-02 PR #22 review fix P1-3:quiz pass 推进状态时间戳(spec §4.3 onboarding 题目环节完成标记)
+try {
+    db.exec('ALTER TABLE governance_applications ADD COLUMN quiz_passed_at INTEGER');
+}
+catch { }
+// 2026-06-02 task #1093 阶段 4:appeal 行指向被申诉的 auto_deactivate 原行(链接审计 + 防重复 appeal)
+try {
+    db.exec('ALTER TABLE governance_applications ADD COLUMN source_application_id TEXT');
+}
+catch { }
+try {
+    db.exec('CREATE INDEX IF NOT EXISTS idx_gov_apps_source ON governance_applications(source_application_id) WHERE source_application_id IS NOT NULL');
+}
+catch { }
+// ─── RFC-002 PR-1a schema(task #1090,2026-06-03)/ rewards opt-in 基础设施 ──────
+// spec: docs/rfcs/RFC-002-rewards-opt-in.md §3.6
+// scope:本 PR 仅 schema(3 新表 + 2 ALTER + 5 新 protocol_params)。
+//        所有表为空,无 code 读 — 零行为变化。后续 PR-1b/1c 接入估值层 gate + escrow 逻辑。
+// 1. users 加列(rewards_opt_in flag,默认 0 = opt-out)
+try {
+    db.exec('ALTER TABLE users ADD COLUMN rewards_opted_in INTEGER DEFAULT 0');
+}
+catch { }
+// 2. protocol_params 加 requires_meta_rule_change 列(P0-4 闭环 — 把声明保护转为执行保护)
+try {
+    db.exec('ALTER TABLE protocol_params ADD COLUMN requires_meta_rule_change INTEGER DEFAULT 0');
+}
+catch { }
+// 3. rewards_consent_texts:同意文本版本化(§3.10),先建,被 rewards_applications FK 引用
+db.exec(`
+  CREATE TABLE IF NOT EXISTS rewards_consent_texts (
+    version       TEXT PRIMARY KEY,            -- e.g. '1.0', '1.1', '2.0'
+    hash          TEXT NOT NULL,               -- sha256 of canonical text
+    change_class  TEXT NOT NULL,               -- 'major' | 'minor'
+    effective_at  INTEGER NOT NULL,
+    text_zh       TEXT NOT NULL,
+    text_en       TEXT NOT NULL,
+    changelog     TEXT                         -- human-readable diff summary
+  )
+`);
+(function seedConsentV1() {
+    const existing = db.prepare("SELECT version FROM rewards_consent_texts WHERE version = '1.0'").get();
+    if (existing)
+        return;
+    const textZh = 'WebAZ 共建身份(rewards opt-in)v1.0 — 由 RFC-002 §3.3 / §3.10 定义。本同意涉及经济关系登记 + Passkey 真人签名 + 三级佣金 + 二元配对树参与。详见 RFC-002 全文。本流程与购物无关,可随时退出,不影响订单。';
+    const textEn = 'WebAZ Builder Identity (rewards opt-in) v1.0 — defined by RFC-002 §3.3 / §3.10. This consent records an economic relationship with Passkey-signed proof of personhood + participation in 3-tier commission + binary PV matching tree. See full RFC-002. This flow is not part of shopping; you may leave anytime without affecting orders.';
+    const hash = createHash('sha256').update(textZh + '\n---\n' + textEn).digest('hex');
+    db.prepare(`INSERT INTO rewards_consent_texts (version, hash, change_class, effective_at, text_zh, text_en, changelog)
+              VALUES (?, ?, 'major', ?, ?, ?, ?)`)
+        .run('1.0', hash, Date.now(), textZh, textEn, 'Initial v1.0 lock — placeholder canonical text pointing to RFC-002');
+})();
+// 4. rewards_applications:申请留痕表(append-only audit;action='activate'|'deactivate'|'auto_downgrade'|'reconfirm')
+db.exec(`
+  CREATE TABLE IF NOT EXISTS rewards_applications (
+    id                   INTEGER PRIMARY KEY AUTOINCREMENT,
+    user_id              TEXT NOT NULL,
+    action               TEXT NOT NULL,        -- 'activate' | 'deactivate' | 'auto_downgrade' | 'reconfirm'
+    consent_version      TEXT,                 -- FK rewards_consent_texts(version); activate/reconfirm 必填
+    consent_hash         TEXT,                 -- sha256 of versioned disclosure; activate/reconfirm 必填
+    passkey_sig          TEXT,                 -- WebAuthn sig blob; activate/reconfirm required; auto_downgrade 系统侧无签名
+    verification_method  TEXT NOT NULL,        -- 'passkey' | 'password' | 'system_auto'
+    ip_hash              TEXT,                 -- anonymized IP audit
+    ua_hash              TEXT,
+    created_at           INTEGER NOT NULL,
+    FOREIGN KEY (user_id) REFERENCES users(id),
+    FOREIGN KEY (consent_version) REFERENCES rewards_consent_texts(version)
+  )
+`);
+try {
+    db.exec('CREATE INDEX IF NOT EXISTS idx_rewards_apps_user ON rewards_applications(user_id, created_at DESC)');
+}
+catch { }
+try {
+    db.exec('CREATE INDEX IF NOT EXISTS idx_rewards_apps_action ON rewards_applications(user_id, action, created_at DESC)');
+}
+catch { }
+// 5. pending_commission_escrow:opt-out promoter 待激活领取队列(§3.5b)
+// PR-1c-b: order_id is NULLable so attribution_path='pv_pair' rows (which accrue
+// across many orders) can record amount without inventing a fake order_id.
+// L1/L2/L3 rows still carry a real order_id, enforced by the gate code path
+// in settleCommission (not by NOT NULL constraint).
+db.exec(`
+  CREATE TABLE IF NOT EXISTS pending_commission_escrow (
+    id                       INTEGER PRIMARY KEY AUTOINCREMENT,
+    recipient_user_id        TEXT NOT NULL,
+    order_id                 TEXT,                                 -- NULL for pv_pair (PR-1c-b)
+    amount                   REAL NOT NULL,    -- WAZ amount
+    attribution_path         TEXT NOT NULL,    -- 'L1' | 'L2' | 'L3' | 'pv_pair' | etc.
+    status                   TEXT NOT NULL DEFAULT 'pending',  -- 'pending' | 'settled' | 'expired'
+    created_at               INTEGER NOT NULL,
+    expires_at               INTEGER NOT NULL,
+    settled_at               INTEGER,
+    expired_to_charity_at    INTEGER,
+    FOREIGN KEY (recipient_user_id) REFERENCES users(id),
+    FOREIGN KEY (order_id) REFERENCES orders(id)
+  )
+`);
+(function migrateEscrowOrderIdNullable() {
+    const cols = db.prepare("PRAGMA table_info(pending_commission_escrow)").all();
+    const orderIdCol = cols.find(c => c.name === 'order_id');
+    if (!orderIdCol || orderIdCol.notnull === 0)
+        return; // already nullable (or table missing entirely)
+    console.log('[pc-escrow-migrate] order_id is NOT NULL — recreating table to allow NULL for pv_pair');
+    db.exec('PRAGMA foreign_keys = OFF');
+    db.transaction(() => {
+        db.exec(`
+      CREATE TABLE pending_commission_escrow_new (
+        id                       INTEGER PRIMARY KEY AUTOINCREMENT,
+        recipient_user_id        TEXT NOT NULL,
+        order_id                 TEXT,
+        amount                   REAL NOT NULL,
+        attribution_path         TEXT NOT NULL,
+        status                   TEXT NOT NULL DEFAULT 'pending',
+        created_at               INTEGER NOT NULL,
+        expires_at               INTEGER NOT NULL,
+        settled_at               INTEGER,
+        expired_to_charity_at    INTEGER,
+        FOREIGN KEY (recipient_user_id) REFERENCES users(id),
+        FOREIGN KEY (order_id) REFERENCES orders(id)
+      )
+    `);
+        db.exec('INSERT INTO pending_commission_escrow_new SELECT * FROM pending_commission_escrow');
+        db.exec('DROP TABLE pending_commission_escrow');
+        db.exec('ALTER TABLE pending_commission_escrow_new RENAME TO pending_commission_escrow');
+    })();
+    db.exec('PRAGMA foreign_keys = ON');
+})();
+try {
+    db.exec('CREATE INDEX IF NOT EXISTS idx_escrow_recipient ON pending_commission_escrow(recipient_user_id, status, expires_at)');
+}
+catch { }
+try {
+    db.exec('CREATE INDEX IF NOT EXISTS idx_escrow_expiry ON pending_commission_escrow(status, expires_at)');
+}
+catch { }
+// PR-1c-a: UNIQUE (recipient, order, path) defends against double-insert if settleCommission ever retries
+// Note: NULL order_id (PR-1c-b pv_pair) is distinct in SQLite UNIQUE — idempotency for pv_pair relies
+// on binary_score_records.settled_at instead (source-side dedup).
+try {
+    db.exec('CREATE UNIQUE INDEX IF NOT EXISTS uniq_escrow_recipient_order_path ON pending_commission_escrow(recipient_user_id, order_id, attribution_path)');
+}
+catch { }
+// 6. INSERT 5 个 RFC-002 protocol_params(独立 INSERT,不动 DEFAULT_PARAMS array)
+// 两个标 requires_meta_rule_change=1:require_passkey + consent_delay_seconds(P0-4 闭环)
+const RFC002_PARAMS = [
+    { key: 'rewards_opt_in.min_completed_orders', value: '1', type: 'number', description: 'RFC-002 §3.2:申请 rewards opt-in 的最小已完成订单数', category: 'rewards', min: 0, max: 100, metaRuleLocked: false },
+    { key: 'rewards_opt_in.require_passkey', value: '1', type: 'number', description: 'RFC-002 §3.3:申请 / 关闭是否需 Passkey(1=必须,0=允许 password)— META-RULE LOCKED,降低需 60d meta-rule track', category: 'rewards', min: 0, max: 1, metaRuleLocked: true },
+    { key: 'rewards_opt_in.escrow_days', value: '30', type: 'number', description: 'RFC-002 §3.5b:pending commission escrow 过期天数(过期后流入 charity_fund)', category: 'rewards', min: 7, max: 180, metaRuleLocked: false },
+    { key: 'rewards_opt_in.consent_delay_seconds', value: '8', type: 'number', description: 'RFC-002 §3.3:server-side 8s 反诱导延迟 — META-RULE LOCKED,降低需 60d meta-rule track', category: 'rewards', min: 0, max: 60, metaRuleLocked: true },
+    { key: 'rewards_opt_in.reconfirm_grace_days', value: '14', type: 'number', description: 'RFC-002 §3.10:major consent 变更后用户重新确认 grace 期(过期 auto_downgrade)', category: 'rewards', min: 3, max: 90, metaRuleLocked: false },
+];
+for (const p of RFC002_PARAMS) {
+    try {
+        db.prepare(`INSERT OR IGNORE INTO protocol_params (key, value, type, description, category, default_value, min_value, max_value, requires_meta_rule_change) VALUES (?,?,?,?,?,?,?,?,?)`)
+            .run(p.key, p.value, p.type, p.description, p.category, p.value, p.min ?? null, p.max ?? null, p.metaRuleLocked ? 1 : 0);
+    }
+    catch { }
+}
 function logError(source, message, extra = {}) {
     try {
         db.prepare(`INSERT INTO error_log (source, message, stack, url, user_agent, user_id) VALUES (?, ?, ?, ?, ?, ?)`)
@@ -9874,4 +10438,17 @@ app.listen(PORT, () => {
     };
     setInterval(cleanWebAuthnExpired, 6 * 60 * 60 * 1000); // 每 6h 跑一次
     console.log(`🧹 webauthn 过期清理 cron 已启动（每 6h 清 >1d 残留）`);
+    // task #1093 stage 5: governance auto-deactivate cron
+    // Spec docs/ARBITRATION-PLAYBOOK.md §6.2 + GOVERNANCE-ONBOARDING.md §6.2
+    // Anchor: confirmed_wrong (NOT outlier). Phase A: verifier only.
+    startAutoDeactivateCron({ db, generateId, getProtocolParam });
+    // #1090 RFC-002 PR-1c-a: escrow expire cron (every 1h)
+    startEscrowExpireCron({ db, redirectToCommissionReserve });
+    // #1090 RFC-002 PR-3 slice 2: auto_downgrade cron (every 24h)
+    // Triggered when a new major consent text is published; opted-in users
+    // who don't reconfirm within reconfirm_grace_days (14d default) get
+    // rewards_opted_in flipped to 0 with action='auto_downgrade'. Per
+    // PR-1c-a settleCommission gate, future commissions then route to
+    // escrow (not charity) for re-activation recovery.
+    startAutoDowngradeCron({ db, getProtocolParam });
 });