@seasonkoh/webaz 0.1.16 → 0.1.18

package/dist/pwa/routes/leaderboard.js

@@ -110,6 +110,10 @@ export function registerLeaderboardRoutes(app, deps) {
             // 2026-05-22 A3：仲裁员声誉排行
             // 从 dispute_cases 聚合 — 每个 arbitrator_id 的 case 数 + 公平评价
             // fairness_score = fairness_yes / (fairness_yes + fairness_no)（仅在有评价时）
+            //
+            // 2026-06-03 #1080 audit: ORDER BY 改为 case_count desc + u.id tie-breaker
+            // 移除 fairness_score 作为 secondary sort key — spec §3 禁 composite/multi-key
+            // ("display 4 separate dimensions, let user pick sort dimension")
             const rows = db.prepare(`
         SELECT u.id, u.handle, u.name,
           COUNT(dc.id) as cases_count,
@@ -124,13 +128,17 @@ export function registerLeaderboardRoutes(app, deps) {
         JOIN users u ON u.id = dc.arbitrator_id
         WHERE dc.arbitrator_id IS NOT NULL
         GROUP BY u.id
-        ORDER BY cases_count DESC, fairness_score DESC LIMIT ?
+        ORDER BY cases_count DESC, u.id DESC LIMIT ?
       `).all(limit);
             return void res.json({ kind, items: rows });
         }
         if (kind === 'verifiers') {
             // 2026-05-22 V1：移除 tasks_done >= 5 门槛 — 小协议早期阶段会卡死榜单
             // 新人有 tasks_done < 5 时前端打 "新人" badge 区分（仍能看到自己排名）
+            //
+            // 2026-06-03 #1080 audit: ORDER BY 改为 tasks_done desc(spec default case_count desc)
+            // + u.id tie-breaker。移除 tasks_correct/accuracy 作为 secondary sort key — 该排序奖励
+            // "活跃 + 准确" 隐含 composite,spec §3 明确"最活跃 first ≠ 最好 first"。
             const rows = db.prepare(`
         SELECT u.id, u.handle, u.name,
           vs.tasks_done, vs.tasks_correct, vs.tasks_wrong,
@@ -140,7 +148,7 @@ export function registerLeaderboardRoutes(app, deps) {
         JOIN users u ON u.id = vs.user_id
         LEFT JOIN verifier_whitelist vw ON vw.user_id = vs.user_id
         WHERE vs.tasks_done >= 1
-        ORDER BY vs.tasks_correct DESC, accuracy DESC, vs.tasks_done DESC LIMIT ?
+        ORDER BY vs.tasks_done DESC, u.id DESC LIMIT ?
       `).all(limit);
             return void res.json({ kind, items: rows });
         }

package/dist/pwa/routes/orders-action.js

@@ -120,7 +120,11 @@ export function registerOrdersActionRoutes(app, deps) {
         if (action === 'pickup' || action === 'transit' || action === 'deliver') {
             // pickup 时若订单尚无物流，允许领取（孤儿单兜底）
             const isOrphanPickup = action === 'pickup' && !logisticsId;
-            if (!isOrphanPickup && uid !== logisticsId) {
+            // Self-fulfill 兜底:logistics_id 为 null 时 seller 可驱动后续 transit/deliver
+            // 与 state machine VALID_TRANSITIONS allowedRoles=['seller','logistics'] 对齐
+            // (Phase 1: Logistics 市场尚未启用,seller 自履行是默认路径)
+            const isSelfFulfillTransition = !logisticsId && uid === sellerId;
+            if (!isOrphanPickup && !isSelfFulfillTransition && uid !== logisticsId) {
                 return void res.status(403).json({ error: '你不是本订单的物流方', error_code: 'NOT_ORDER_LOGISTICS' });
             }
         }

package/dist/pwa/routes/products-meta.js

@@ -133,6 +133,36 @@ export function registerProductsMetaRoutes(app, deps) {
         if (!user)
             return;
         const productId = req.params.id;
+        // RFC-002 §3.5 valuation-layer gate — share_link generation requires opt-in
+        const optIn = db.prepare("SELECT rewards_opted_in FROM users WHERE id = ?").get(user.id)?.rewards_opted_in ?? 0;
+        if (optIn !== 1) {
+            const getParam = (key, def) => {
+                const r = db.prepare("SELECT value FROM protocol_params WHERE key = ?").get(key);
+                return r ? Number(r.value) : def;
+            };
+            const minOrders = getParam('rewards_opt_in.min_completed_orders', 1);
+            const requirePasskey = getParam('rewards_opt_in.require_passkey', 1);
+            const totalCompleted = db.prepare("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'").get(user.id).n;
+            const passkeyCount = db.prepare("SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?").get(user.id).n;
+            const missing = [];
+            if (totalCompleted < minOrders)
+                missing.push(`completed_orders ${totalCompleted}/${minOrders}`);
+            if (requirePasskey === 1 && passkeyCount === 0)
+                missing.push('passkey_not_registered');
+            if (missing.length === 0)
+                missing.push('application_not_submitted');
+            return void res.status(403).json({
+                error: 'rewards_opt_in_required',
+                message_zh: '生成分享链接属于估值层操作 — 需先申请共建身份(RFC-002)',
+                message_en: 'Share-link generation is a valuation-layer action — requires builder-identity opt-in (RFC-002)',
+                missing_requirements: missing,
+                next_steps: [
+                    'Open PWA #me → tap "申请共建身份 / Apply for builder identity"',
+                    'Read the 8-second disclosure (cannot skip)',
+                    'Submit application — pre-checks run server-side',
+                ],
+            });
+        }
         const completed = db.prepare("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND product_id = ? AND status = 'completed'").get(user.id, productId).n;
         if (completed === 0)
             return void res.json({ error: '需先完成该商品的购买才能分享', completed_orders: 0 });

package/dist/pwa/routes/profile-identity.js

@@ -86,7 +86,7 @@ export function registerProfileIdentityRoutes(app, deps) {
             if (sinceMs < COOLDOWN_MS) {
                 const remainDays = Math.ceil((COOLDOWN_MS - sinceMs) / (24 * 3600_000));
                 return void res.status(429).json({
-                    error: `region 切换 30 天仅 1 次，请 ${remainDays} 天后再试（防止规避 MLM 合规限制）`,
+                    error: `region 切换 30 天仅 1 次，请 ${remainDays} 天后再试（防止规避区域佣金规则）`,
                     retry_after_days: remainDays,
                 });
             }

package/dist/pwa/routes/public-utils.js

@@ -204,6 +204,50 @@ export function registerPublicUtilsRoutes(app, deps) {
     app.get('/api/manifest', (_req, res) => {
         res.json(generateManifest(db));
     });
+    // W3.5-B 治理上岗公开 stats(docs/GOVERNANCE-ONBOARDING.md)
+    // 无 auth — agent / 用户 / 第三方都可读;不暴露 PII
+    app.get('/api/governance/onboarding-stats', (_req, res) => {
+        res.setHeader('Cache-Control', 'public, max-age=300');
+        try {
+            // active counts(users.roles 含 arbitrator / verifier 的人数,fixture 也算)
+            const arbitratorCount = db.prepare(`SELECT COUNT(*) AS n FROM users WHERE roles LIKE '%arbitrator%' AND (deleted_at IS NULL OR deleted_at = '')`).get()?.n ?? 0;
+            const verifierCount = db.prepare(`SELECT COUNT(*) AS n FROM users WHERE roles LIKE '%verifier%' AND (deleted_at IS NULL OR deleted_at = '')`).get()?.n ?? 0;
+            // pending applications
+            const pendingCount = db.prepare(`SELECT COUNT(*) AS n FROM governance_applications WHERE status = 'pending_onboarding'`).get()?.n ?? 0;
+            // 资格门槛 snapshot(给前端 pre-check 显示)
+            // ⚠️ 2026-06-03 #4 修:此前这里 dump 装饰性 protocol_params.governance_onboarding.*,
+            //   与代码实际 enforce 的门槛不符(例 min_completed_orders param=5,但代码 arbitrator 要 50 /
+            //   verifier 要 20;arbitrator_min_reputation param=95,代码要 300)— 把错误数字当资格要求
+            //   显示给用户构成 #4 误导。改为返回【真实 enforced 门槛】,role-split。
+            // ⚠️ 必须与 server.ts checkArbitratorEligibility / checkVerifierEligibility 保持同步。
+            const eligibility = {
+                arbitrator: { registration_days: 90, completed_orders: 50, reputation: 300, balance_waz: 500, email_verified: true, zero_disputes_lost: true, never_suspended: true },
+                verifier: { registration_days: 60, completed_orders: 20, email_verified: true, zero_disputes_lost: true, never_suspended: true },
+            };
+            // quiz_pass_score 是真正被代码读取的 param(governance-onboarding.ts quiz-submit),保留。
+            const quizPassRow = db.prepare(`SELECT value FROM protocol_params WHERE key = 'governance_onboarding.quiz_pass_score'`).get();
+            const quizPassScore = Number(quizPassRow?.value ?? 80);
+            res.json({
+                phase: 'A',
+                compensation: 'none', // phase A 无报酬
+                observation_only: true, // leaderboard observation-only
+                active_arbitrators: arbitratorCount,
+                active_verifiers: verifierCount,
+                pending_applications: pendingCount,
+                eligibility,
+                quiz_pass_score: quizPassScore,
+                spec_urls: {
+                    onboarding: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/GOVERNANCE-ONBOARDING.md',
+                    playbook: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/ARBITRATION-PLAYBOOK.md',
+                    leaderboard: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/GOVERNANCE-LEADERBOARD-SPEC.md',
+                },
+            });
+        }
+        catch (e) {
+            logError('governance-onboarding-stats', e.message);
+            res.status(500).json({ error: 'internal_error' });
+        }
+    });
     const _errorReportLimiter = new Map();
     app.post('/api/error-report', (req, res) => {
         const ip = req.ip || 'unknown';

package/dist/pwa/routes/rewards-apply.js

@@ -0,0 +1,210 @@
+import { createHash } from 'node:crypto';
+function sha256_hex(s) {
+    return createHash('sha256').update(s).digest('hex');
+}
+export function registerRewardsApplyRoutes(app, deps) {
+    const { db, auth, errorRes, consumeGateToken, getProtocolParam } = deps;
+    function expectedApplyConsentHash(userId, consentVersion, pageLoadedAt) {
+        return sha256_hex(`rewards_apply|consent_version=${consentVersion}|user=${userId}|page_loaded_at=${pageLoadedAt}`);
+    }
+    // GET /api/rewards/status — current state + escrow tally
+    app.get('/api/rewards/status', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const userId = user.id;
+        const optIn = db.prepare("SELECT rewards_opted_in FROM users WHERE id = ?").get(userId)?.rewards_opted_in ?? 0;
+        const lastAction = db.prepare("SELECT action, created_at FROM rewards_applications WHERE user_id = ? ORDER BY created_at DESC LIMIT 1").get(userId);
+        const currentMajor = db.prepare("SELECT version, hash, change_class, effective_at, text_zh, text_en FROM rewards_consent_texts WHERE change_class='major' ORDER BY effective_at DESC LIMIT 1").get();
+        let state;
+        if (optIn === 1)
+            state = 'opted_in';
+        else if (lastAction?.action === 'deactivate')
+            state = 'deactivated';
+        else if (lastAction?.action === 'auto_downgrade')
+            state = 'auto_downgraded';
+        else
+            state = 'never_activated';
+        const completedOrders = db.prepare("SELECT COUNT(*) AS n FROM orders WHERE buyer_id = ? AND status = 'completed'").get(userId).n;
+        const passkeyCount = db.prepare("SELECT COUNT(*) AS n FROM webauthn_credentials WHERE user_id = ?").get(userId).n;
+        const minOrders = Number(getProtocolParam('rewards_opt_in.min_completed_orders', 1));
+        const requirePasskey = Number(getProtocolParam('rewards_opt_in.require_passkey', 1));
+        const delaySec = Number(getProtocolParam('rewards_opt_in.consent_delay_seconds', 8));
+        const missing = [];
+        if (completedOrders < minOrders)
+            missing.push(`completed_orders ${completedOrders}/${minOrders}`);
+        if (requirePasskey === 1 && passkeyCount === 0)
+            missing.push('passkey_not_registered');
+        const pending = db.prepare("SELECT COUNT(*) AS n, COALESCE(SUM(amount),0) AS total FROM pending_commission_escrow WHERE recipient_user_id = ? AND status = 'pending'").get(userId);
+        const expired = db.prepare("SELECT COUNT(*) AS n, COALESCE(SUM(amount),0) AS total FROM pending_commission_escrow WHERE recipient_user_id = ? AND status = 'expired'").get(userId);
+        res.json({
+            state,
+            opted_in: optIn === 1,
+            consent_version: currentMajor?.version || null,
+            consent_hash: currentMajor?.hash || null,
+            consent_effective_at: currentMajor?.effective_at || null,
+            consent_text_zh: currentMajor?.text_zh || null,
+            consent_text_en: currentMajor?.text_en || null,
+            eligibility: {
+                completed_orders: completedOrders,
+                min_completed_orders: minOrders,
+                passkey_count: passkeyCount,
+                require_passkey: requirePasskey === 1,
+                consent_delay_seconds: delaySec,
+                missing,
+                can_apply: optIn === 0 && missing.length === 0,
+            },
+            pending_escrow: { count: pending.n, total_amount: pending.total },
+            expired_to_charity: { count: expired.n, total_amount: expired.total },
+            last_action: lastAction ? { action: lastAction.action, at: lastAction.created_at } : null,
+        });
+    });
+    // POST /api/rewards/apply — activate (or reconfirm) opt-in + drain escrow
+    app.post('/api/rewards/apply', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const userId = user.id;
+        const body = req.body || {};
+        const consent_version = String(body.consent_version || '');
+        const consent_hash = String(body.consent_hash || '');
+        const page_loaded_at = Number(body.page_loaded_at || 0);
+        const webauthn_token = body.webauthn_token ? String(body.webauthn_token) : undefined;
+        // 1. Verify currently opted-out
+        const optIn = db.prepare("SELECT rewards_opted_in FROM users WHERE id = ?").get(userId)?.rewards_opted_in ?? 0;
+        if (optIn === 1)
+            return void errorRes(res, 409, 'ALREADY_OPTED_IN', '已 opted-in,无需重复申请');
+        // 2. Verify consent version matches current major
+        const currentMajor = db.prepare("SELECT version, hash FROM rewards_consent_texts WHERE change_class='major' ORDER BY effective_at DESC LIMIT 1").get();
+        if (!currentMajor)
+            return void errorRes(res, 500, 'NO_CONSENT_TEXT', 'rewards_consent_texts 未 seed,无法申请');
+        if (consent_version !== currentMajor.version) {
+            return void errorRes(res, 400, 'STALE_CONSENT_VERSION', `请重新加载披露页 — current=${currentMajor.version}, you sent=${consent_version}`);
+        }
+        // 3. Anti-induction 8s delay (with upper bound to defeat page_loaded_at=1 bypass)
+        const delaySec = Number(getProtocolParam('rewards_opt_in.consent_delay_seconds', 8));
+        const minDelayMs = delaySec * 1000;
+        const maxDelayMs = 60 * 60 * 1000; // 1h — session shouldn't be older than this
+        if (page_loaded_at <= 0)
+            return void errorRes(res, 400, 'MISSING_PAGE_LOADED_AT', 'page_loaded_at 缺失(反诱导校验)');
+        const elapsedMs = Date.now() - page_loaded_at;
+        if (elapsedMs < minDelayMs) {
+            const waitSec = Math.ceil((minDelayMs - elapsedMs) / 1000);
+            return void errorRes(res, 400, 'ANTI_INDUCTION_DELAY', `必须等待 ${waitSec}s 后才能提交(反诱导)`);
+        }
+        if (elapsedMs > maxDelayMs) {
+            return void errorRes(res, 400, 'STALE_PAGE_LOAD', '披露页过期(> 1h),请重新加载');
+        }
+        // 4. Verify consent_hash reconstructed from server-known fields
+        const expectedHash = expectedApplyConsentHash(userId, consent_version, page_loaded_at);
+        if (consent_hash !== expectedHash) {
+            return void errorRes(res, 400, 'BAD_CONSENT_HASH', 'consent_hash 不匹配 — 请重新加载披露页');
+        }
+        // 5. Pre-conditions (re-check inside server)
+        const minOrders = Number(getProtocolParam('rewards_opt_in.min_completed_orders', 1));
+        const completedOrders = db.prepare("SELECT COUNT(*) AS n FROM orders WHERE buyer_id = ? AND status = 'completed'").get(userId).n;
+        if (completedOrders < minOrders)
+            return void errorRes(res, 403, 'INSUFFICIENT_ORDERS', `需 ${minOrders} 笔已完成订单,目前 ${completedOrders}`);
+        const requirePasskey = Number(getProtocolParam('rewards_opt_in.require_passkey', 1));
+        const passkeyCount = db.prepare("SELECT COUNT(*) AS n FROM webauthn_credentials WHERE user_id = ?").get(userId).n;
+        if (requirePasskey === 1 && passkeyCount === 0)
+            return void errorRes(res, 403, 'PASSKEY_REQUIRED', '需先注册 Passkey');
+        // 6. Atomic: consume Passkey gate + insert audit + flip flag + drain escrow → wallet
+        // consumeGateToken is moved INSIDE the transaction so a downstream rollback
+        // also rolls back the consumed_at mark (user can retry without re-doing Passkey).
+        let drained = { count: 0, total: 0 };
+        let raceLost = false;
+        let gateFailReason = null;
+        try {
+            db.transaction(() => {
+                if (requirePasskey === 1) {
+                    const gate = consumeGateToken(userId, webauthn_token, 'rewards_apply', () => true);
+                    if (!gate.ok) {
+                        gateFailReason = gate.reason || 'Passkey 验证失败';
+                        throw new Error('gate_failed');
+                    }
+                }
+                const now = Date.now();
+                // Race guard: flip flag only if still 0. Concurrent tabs / replay would
+                // see changes=0 here and roll back the whole transaction.
+                const flip = db.prepare("UPDATE users SET rewards_opted_in = 1 WHERE id = ? AND rewards_opted_in = 0").run(userId);
+                if (flip.changes === 0) {
+                    raceLost = true;
+                    throw new Error('race_lost');
+                }
+                db.prepare(`INSERT INTO rewards_applications (user_id, action, consent_version, consent_hash, passkey_sig, verification_method, ip_hash, ua_hash, created_at)
+                    VALUES (?, 'activate', ?, ?, ?, ?, ?, ?, ?)`)
+                    .run(userId, consent_version, currentMajor.hash, webauthn_token || null, // store gate_token id as audit cross-ref to webauthn_gate_tokens
+                requirePasskey === 1 ? 'passkey' : 'password', sha256_hex(req.ip || '').slice(0, 16), sha256_hex(String(req.headers['user-agent'] || '')).slice(0, 16), now);
+                // Activate batch settle: drain pending escrow to wallet
+                const pending = db.prepare(`SELECT id, amount, attribution_path FROM pending_commission_escrow
+                                    WHERE recipient_user_id = ? AND status = 'pending' AND expires_at > ?`).all(userId, now);
+                let total = 0;
+                for (const p of pending) {
+                    const upd = db.prepare(`UPDATE pending_commission_escrow SET status='settled', settled_at=? WHERE id=? AND status='pending'`).run(now, p.id);
+                    if (upd.changes === 0)
+                        continue; // race: expire cron took it
+                    db.prepare(`UPDATE wallets SET balance = balance + ?, earned = earned + ? WHERE user_id = ?`).run(p.amount, p.amount, userId);
+                    // #1106：pv_pair escrow 的钱在结算时已从 pool 移入 pv_escrow_reserve，兑付从 reserve 出。
+                    // L1/L2/L3 commission escrow 的钱在下单结算时已从 seller 扣（不在任何池），兑付无需动池/reserve。
+                    if (p.attribution_path === 'pv_pair') {
+                        db.prepare(`UPDATE global_fund SET pv_escrow_reserve = pv_escrow_reserve - ? WHERE id = 1`).run(p.amount);
+                    }
+                    total += p.amount;
+                }
+                drained = { count: pending.length, total: Math.round(total * 100) / 100 };
+            })();
+        }
+        catch (e) {
+            if (gateFailReason)
+                return void errorRes(res, 403, 'PASSKEY_GATE_FAILED', gateFailReason);
+            if (raceLost)
+                return void errorRes(res, 409, 'CONCURRENT_APPLY', '已被另一并发请求 opt-in,无需重复');
+            return void errorRes(res, 500, 'APPLY_FAILED', e.message);
+        }
+        res.json({ ok: true, state: 'opted_in', drained_from_escrow: drained });
+    });
+    // POST /api/rewards/deactivate — flip off; subsequent commissions → charity
+    app.post('/api/rewards/deactivate', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const userId = user.id;
+        const body = req.body || {};
+        const webauthn_token = body.webauthn_token ? String(body.webauthn_token) : undefined;
+        const optIn = db.prepare("SELECT rewards_opted_in FROM users WHERE id = ?").get(userId)?.rewards_opted_in ?? 0;
+        if (optIn === 0)
+            return void errorRes(res, 409, 'ALREADY_OPTED_OUT', '本来就未 opted-in,无需关闭');
+        const requirePasskey = Number(getProtocolParam('rewards_opt_in.require_passkey', 1));
+        let raceLost = false;
+        let gateFailReason = null;
+        try {
+            db.transaction(() => {
+                if (requirePasskey === 1) {
+                    const gate = consumeGateToken(userId, webauthn_token, 'rewards_deactivate', () => true);
+                    if (!gate.ok) {
+                        gateFailReason = gate.reason || 'Passkey 验证失败';
+                        throw new Error('gate_failed');
+                    }
+                }
+                const now = Date.now();
+                const flip = db.prepare("UPDATE users SET rewards_opted_in = 0 WHERE id = ? AND rewards_opted_in = 1").run(userId);
+                if (flip.changes === 0) {
+                    raceLost = true;
+                    throw new Error('race_lost');
+                }
+                db.prepare(`INSERT INTO rewards_applications (user_id, action, passkey_sig, verification_method, ip_hash, ua_hash, created_at)
+                    VALUES (?, 'deactivate', ?, ?, ?, ?, ?)`)
+                    .run(userId, webauthn_token || null, requirePasskey === 1 ? 'passkey' : 'password', sha256_hex(req.ip || '').slice(0, 16), sha256_hex(String(req.headers['user-agent'] || '')).slice(0, 16), now);
+            })();
+        }
+        catch (e) {
+            if (gateFailReason)
+                return void errorRes(res, 403, 'PASSKEY_GATE_FAILED', gateFailReason);
+            if (raceLost)
+                return void errorRes(res, 409, 'CONCURRENT_DEACTIVATE', '已被另一并发请求 opt-out');
+            return void errorRes(res, 500, 'DEACTIVATE_FAILED', e.message);
+        }
+        res.json({ ok: true, state: 'deactivated' });
+    });
+}

package/dist/pwa/routes/rewards-auto-downgrade.js

@@ -0,0 +1,65 @@
+export function runAutoDowngradeSweep(deps) {
+    const { db, getProtocolParam } = deps;
+    // Current major consent
+    const currentMajor = db.prepare(`SELECT version, effective_at FROM rewards_consent_texts WHERE change_class='major' ORDER BY effective_at DESC LIMIT 1`).get();
+    if (!currentMajor)
+        return { scanned: 0, downgraded: [], skip_reason: 'no major consent text in rewards_consent_texts' };
+    const graceDays = Number(getProtocolParam('rewards_opt_in.reconfirm_grace_days', 14));
+    const now = Date.now();
+    const deadline = currentMajor.effective_at + graceDays * 86400 * 1000;
+    if (now < deadline)
+        return { scanned: 0, downgraded: [], skip_reason: `current_major ${currentMajor.version} grace not yet expired (deadline=${deadline})` };
+    // Candidates: opted-in users whose LATEST activate-or-reconfirm consent_version
+    // is older than the current major.
+    const candidates = db.prepare(`
+    SELECT u.id AS user_id, (
+      SELECT consent_version FROM rewards_applications
+      WHERE user_id = u.id AND action IN ('activate','reconfirm')
+      ORDER BY created_at DESC LIMIT 1
+    ) AS last_version
+    FROM users u WHERE u.rewards_opted_in = 1
+  `).all();
+    const downgraded = [];
+    for (const c of candidates) {
+        if (c.last_version === currentMajor.version)
+            continue;
+        db.transaction(() => {
+            // Re-verify inside the transaction. Between the SELECT and here, the
+            // user may have reconfirmed (PR-2 endpoint inserts a new row with
+            // consent_version=current_major). If so, flag stays 1 but our outer
+            // check would still flip it — wrongly. The transactional re-read
+            // closes this race window.
+            const fresh = db.prepare(`SELECT consent_version FROM rewards_applications WHERE user_id = ? AND action IN ('activate','reconfirm') ORDER BY created_at DESC LIMIT 1`).get(c.user_id);
+            if (fresh?.consent_version === currentMajor.version)
+                return; // user reconfirmed mid-flight
+            const upd = db.prepare(`UPDATE users SET rewards_opted_in = 0 WHERE id = ? AND rewards_opted_in = 1`).run(c.user_id);
+            if (upd.changes === 0)
+                return; // race: user already toggled out
+            db.prepare(`INSERT INTO rewards_applications (user_id, action, verification_method, created_at) VALUES (?, 'auto_downgrade', 'system_auto', ?)`).run(c.user_id, now);
+            // Notify user (PR-2b): tell them their consent expired + escrow accrual + how to recover.
+            // Failure here is non-fatal — notification is best-effort, downgrade itself is the source of truth.
+            try {
+                db.prepare(`INSERT INTO notifications (id, user_id, type, title, body) VALUES (?, ?, 'rewards_auto_downgrade', ?, ?)`)
+                    .run(`ntf_rwd_${c.user_id}_${now}`, c.user_id, '共建身份已自动降级 / Rewards auto-downgraded', `新 consent 版本 ${currentMajor.version} 未在 grace 期内重新确认。未来 commission 进入 escrow(30 天可激活领回)。前往 #rewards-me 重新申请。 / New consent ${currentMajor.version} not re-confirmed within grace window. Future commission flows to escrow (30d recovery window). Visit #rewards-me to re-apply.`);
+            }
+            catch { /* notifications schema diff between envs; best-effort */ }
+            downgraded.push({ user_id: c.user_id, last_version: c.last_version, current_major: currentMajor.version, effective_at: currentMajor.effective_at });
+        })();
+    }
+    return { scanned: candidates.length, downgraded };
+}
+export function startAutoDowngradeCron(deps) {
+    const ms = 24 * 60 * 60 * 1000; // 1d fixed
+    setInterval(() => {
+        try {
+            const r = runAutoDowngradeSweep(deps);
+            if (r.downgraded.length > 0) {
+                console.log(`[rewards-auto-downgrade] swept ${r.scanned}, downgraded ${r.downgraded.length}: ${r.downgraded.map(d => `${d.user_id} ${d.last_version || '(none)'}→${d.current_major}`).join(', ')}`);
+            }
+        }
+        catch (e) {
+            console.error('[rewards-auto-downgrade-cron]', e);
+        }
+    }, ms);
+    console.log('⏬ RFC-002 §3.10 auto-downgrade cron 已启动 (每 24h, anchor=consent_text major effective_at + grace_days)');
+}

package/dist/pwa/routes/rewards-escrow-expire.js

@@ -0,0 +1,48 @@
+export function runEscrowExpireSweep(deps) {
+    const { db, redirectToCommissionReserve } = deps;
+    const now = Date.now();
+    const rows = db.prepare(`
+    SELECT id, recipient_user_id, order_id, amount, attribution_path, expires_at
+    FROM pending_commission_escrow
+    WHERE status = 'pending' AND expires_at <= ?
+    ORDER BY expires_at ASC
+    LIMIT 1000
+  `).all(now);
+    const expired = [];
+    for (const r of rows) {
+        db.transaction(() => {
+            const upd = db.prepare(`UPDATE pending_commission_escrow SET status='expired', expired_to_charity_at=? WHERE id=? AND status='pending'`).run(now, r.id);
+            if (upd.changes === 0)
+                return; // race lost — another sweep already took it
+            if (r.attribution_path === 'pv_pair') {
+                // #1106：pv_pair escrow 的钱结算时已从 pool 移入 pv_escrow_reserve。到期未兑付 → 退回 pool。
+                db.prepare(`UPDATE global_fund SET pv_escrow_reserve = pv_escrow_reserve - ?, pool_balance = pool_balance + ? WHERE id = 1`).run(r.amount, r.amount);
+            }
+            else {
+                // L1/L2/L3 commission escrow：seller 已被扣，到期 materialize 入 commission_reserve。
+                redirectToCommissionReserve(r.amount, 'redirect_escrow_expired', {
+                    orderId: r.order_id,
+                    fromUserId: r.recipient_user_id,
+                    note: `escrow expired (${r.attribution_path}) — opted-out recipient never activated within grace window`,
+                });
+            }
+            expired.push({ id: r.id, recipient_user_id: r.recipient_user_id, order_id: r.order_id, amount: r.amount, attribution_path: r.attribution_path });
+        })();
+    }
+    return { scanned: rows.length, expired };
+}
+export function startEscrowExpireCron(deps) {
+    const ms = 60 * 60 * 1000; // 1h fixed (escrow_days is in days; sub-day granularity unnecessary)
+    setInterval(() => {
+        try {
+            const r = runEscrowExpireSweep(deps);
+            if (r.expired.length > 0) {
+                console.log(`[rewards-escrow-expire] swept ${r.scanned}, expired ${r.expired.length}: ${r.expired.map(e => `${e.recipient_user_id}/${e.attribution_path}/${e.amount}`).join(', ')}`);
+            }
+        }
+        catch (e) {
+            console.error('[rewards-escrow-expire-cron]', e);
+        }
+    }, ms);
+    console.log('💸 RFC-002 escrow expire cron 已启动 (每 1h, anchor=expires_at per §3.5b)');
+}

package/dist/pwa/routes/wallet-write.js

@@ -125,14 +125,21 @@ export function registerWalletWriteRoutes(app, deps) {
                 });
             }
         }
-        // WebAuthn gate
-        //   opt-in webauthn_required_for_withdraw → 所有金额都要 Passkey
-        //   #1009 大额自动强制 — 已注册 Passkey + 金额 > LARGE_WITHDRAW_THRESHOLD 一律走 Passkey
-        //   未注册 Passkey 的用户走原邮件确认路径（不强制注册，避免新用户卡死）
-        const hasPasskeyRow = db.prepare('SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?').get(user.id);
-        const hasPasskey = (hasPasskeyRow?.n || 0) > 0;
-        const forceWebauthnByAmount = amountNum > LARGE_WITHDRAW_THRESHOLD && hasPasskey;
-        if (user.webauthn_required_for_withdraw || forceWebauthnByAmount) {
+        // WebAuthn gate — #1115 全额对齐铁律:**所有**提现都要真人 Passkey 一次性 token。
+        //   资金转出 = 真人在场(spec §4 铁律,与 vote/arbitrate/agent_revoke 同档)。
+        //   email-OTP 在 agent 威胁模型下不足(agent 可读监护人收件箱);故弃用旧的"非 Passkey → email 兜底"路径。
+        //   未注册 Passkey 的账户:不能提现,先去「安全」绑 Passkey(pre-launch 0 真用户,推动资金操作 Passkey 化)。
+        const hpEnabled = Number(getProtocolParam('require_human_presence_for_withdraw', 1)) === 1;
+        if (hpEnabled) {
+            const hasPasskeyRow = db.prepare('SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?').get(user.id);
+            const hasPasskey = (hasPasskeyRow?.n || 0) > 0;
+            if (!hasPasskey) {
+                return void res.status(403).json({
+                    error: '提现需先绑定 Passkey（资金转出需真人在场，铁律）。请到「安全」页绑定后再试。',
+                    error_code: 'PASSKEY_REQUIRED_FOR_WITHDRAW',
+                    requires_passkey_setup: true,
+                });
+            }
             const token = req.headers['x-webauthn-token'];
             const gate = consumeGateToken(user.id, token, 'withdraw', (data) => {
                 const d = (data || {});
@@ -144,8 +151,7 @@ export function registerWalletWriteRoutes(app, deps) {
                     webauthn_required: true,
                     purpose: 'withdraw',
                     purpose_data: { to_address, amount: amountNum },
-                    force_reason: forceWebauthnByAmount && !user.webauthn_required_for_withdraw
-                        ? `large_withdraw_auto:${LARGE_WITHDRAW_THRESHOLD}` : 'user_opted_in',
+                    force_reason: 'iron_rule_withdraw',
                 });
             }
         }
@@ -167,27 +173,7 @@ export function registerWalletWriteRoutes(app, deps) {
             const mins = Math.ceil((new Date(wl.activates_at.replace(' ', 'T') + 'Z').getTime() - Date.now()) / 60_000);
             return void res.json({ error: `该地址在冷却期内，约 ${mins} 分钟后可用（添加后 24h 强制冷却）` });
         }
-        // 大额提现 → 强制邮件确认
-        const isLarge = amountNum > LARGE_WITHDRAW_THRESHOLD;
-        if (isLarge) {
-            if (!user.email_verified || !user.email) {
-                return void res.json({ error: `大额提现（> ${LARGE_WITHDRAW_THRESHOLD} WAZ）需先绑定邮箱用于二次确认` });
-            }
-            // 不立即扣款 + 不写入正式 pending — 进入 pending_email 阶段，待 confirm
-            const wid = generateId('wdr');
-            db.prepare(`INSERT INTO withdrawal_requests (id, user_id, to_address, amount, status, status_detail)
-                  VALUES (?,?,?,?,?,?)`)
-                .run(wid, user.id, to_address, amountNum, 'pending_email', 'awaiting_email_confirm');
-            issueCode(user.id, 'email', user.email, 'withdraw_confirm:' + wid);
-            return void res.json({
-                success: true,
-                request_id: wid,
-                requires_email_code: true,
-                email: maskEmail(user.email),
-                message: '已发送邮件验证码，请查收并输入 6 位数字以确认提现',
-            });
-        }
-        // 普通额度 → 即时扣款 + pending（admin 处理）
+        // Passkey 已过真人门 → 即时扣款 + pending（admin 处理）。各金额一致(大额二次邮件确认已被 Passkey 取代)。
         const wid = generateId('wdr');
         db.prepare(`INSERT INTO withdrawal_requests (id, user_id, to_address, amount) VALUES (?,?,?,?)`)
             .run(wid, user.id, to_address, amountNum);

package/dist/pwa/routes/webauthn.js

@@ -65,7 +65,7 @@ export function registerWebauthnRoutes(app, deps) {
         if (!user)
             return;
         const purpose = String(req.body?.purpose || '').trim();
-        const allowed = new Set(['withdraw', 'change-password', 'reveal-key', 'region', 'delete_passkey']);
+        const allowed = new Set(['withdraw', 'change-password', 'reveal-key', 'region', 'delete_passkey', 'governance_apply', 'governance_activate', 'governance_resign', 'governance_appeal_resolve', 'rewards_apply', 'rewards_deactivate']);
         if (!allowed.has(purpose))
             return void res.status(400).json({ error: 'invalid purpose' });
         const purpose_data = req.body?.purpose_data ?? null;