@seasonkoh/webaz 0.1.25 → 0.1.26

package/dist/pwa/routes/share-redirects.js

@@ -155,14 +155,15 @@ export function registerShareRedirectsRoutes(app, deps) {
     `, [s.owner_id, s.id, expiresAt, s.id, s.related_product_id, user.id]);
         res.json({ ok: true, attributed: true, refreshed: true, sharer_id: s.owner_id });
     });
-    // 邀请短链 /i/CODE — invite-code ONLY (permanent_code with optional -L/-R). usr_xxx / @handle / 裸 handle
-    // 一律 404(不再做 handle 解析)。/i/CODE → /?ref=CODE ; /i/CODE-L → /?ref=CODE&side=left ; -R → side=right.
+    // 邀请短链 /i/CODE — invite-code ONLY (permanent_code, 兼容旧的 -L/-R 后缀). usr_xxx / @handle / 裸 handle
+    // 一律 404(不再做 handle 解析)。pre-public 去左右码:/i/CODE 与旧 /i/CODE-L、/i/CODE-R 一律
+    // 规范化重定向到 /?ref=CODE(丢弃 side;放置侧别由注册时系统自动决定),旧链接/二维码仍可用。
     // 不受 invite_rotation_enabled 影响:已有用户分享出的 /i/CODE 链接和二维码必须始终可用。
     app.get('/i/:code', (req, res) => {
         const ref = resolveInviteCodeRef(String(req.params.code || ''));
         if (!ref)
             return void res.status(404).send('Invitation link not found.');
-        const target = `/?ref=${encodeURIComponent(ref.code)}${ref.side ? `&side=${ref.side}` : ''}`;
+        const target = `/?ref=${encodeURIComponent(ref.code)}`;
         res.redirect(302, target);
     });
 }

package/dist/pwa/routes/shop-referral.js

@@ -6,18 +6,19 @@ export function registerShopReferralRoutes(app, deps) {
         if (!user)
             return;
         const recipientId = user.id;
-        const { seller_identifier, ref_code, side } = req.body || {};
+        const { seller_identifier, ref_code } = req.body || {};
         if (!seller_identifier || typeof seller_identifier !== 'string')
             return void errorRes(res, 400, 'SELLER_REQUIRED', 'seller_identifier required');
         if (!ref_code || typeof ref_code !== 'string')
             return void errorRes(res, 400, 'REF_REQUIRED', 'ref_code required');
-        // referrer = invite code ONLY (permanent_code [+ -L/-R]); usr_xxx / @handle / handle rejected.
+        // referrer = invite code ONLY (permanent_code); usr_xxx / @handle / handle rejected.
+        // pre-public 去左右码:旧 -L/-R 后缀仍被接受但归一化为基础码(ref.code),side 一律忽略。
         const ref = resolveInviteCodeRef(ref_code);
         if (!ref)
-            return void errorRes(res, 400, 'INVALID_REF_CODE', '邀请码无效（仅 6-7 位永久码，可带 -L/-R）');
+            return void errorRes(res, 400, 'INVALID_REF_CODE', '邀请码无效（仅 6-7 位永久码）');
         const referrerId = ref.userId;
-        // ref_code 自带的 -L/-R 优先,否则用 body.side
-        const finalSide = ref.side || ((side === 'left' || side === 'right') ? side : null);
+        // pre-public 去左右码:不再按 side 归属(忽略 body.side 与邀请码 -L/-R),统一存 null
+        const finalSide = null;
         // seller 定位:个人页多形态(usr_xxx / @handle / handle / permanent_code)。
         // 必须是真实 seller 店铺 —— 普通 buyer / admin / 其它角色不能被写成 shop_referral_attribution.seller_id。
         const sellerId = resolveUserRef(seller_identifier);

package/dist/pwa/routes/shops.js

@@ -26,8 +26,11 @@ export function registerShopsRoutes(app, deps) {
       ORDER BY sales_count DESC, p.created_at DESC
       LIMIT 50
     `, [sellerId]);
+        // 双盲铁律(店铺主页公开面):rating agg + 最近评价只算/只展示已揭晓的评价。
+        // 揭晓 = 双方都评过(buyer_ratings 存在) OR 无盲评窗口 OR 盲评期已过 —— 与 /products|sellers/:id/ratings 同条件。
+        const blindOpen = `(EXISTS (SELECT 1 FROM buyer_ratings br WHERE br.order_id = r.order_id) OR r.hidden_until IS NULL OR datetime(r.hidden_until) <= datetime('now'))`;
         const ratingsAgg = (await dbOne(`
-      SELECT COUNT(*) as cnt, COALESCE(AVG(stars), 0) as avg_stars FROM order_ratings WHERE seller_id = ?
+      SELECT COUNT(*) as cnt, COALESCE(AVG(stars), 0) as avg_stars FROM order_ratings r WHERE r.seller_id = ? AND ${blindOpen}
     `, [sellerId]));
         const followers = (await dbOne(`SELECT COUNT(*) as n FROM follows WHERE followee_id = ?`, [sellerId])).n;
         const completedOrders = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE seller_id = ? AND status = 'completed'`, [sellerId])).n;
@@ -48,7 +51,7 @@ export function registerShopsRoutes(app, deps) {
       FROM order_ratings r
       JOIN users u ON u.id = r.buyer_id
       JOIN products p ON p.id = r.product_id
-      WHERE r.seller_id = ?
+      WHERE r.seller_id = ? AND ${blindOpen}
       ORDER BY r.created_at DESC LIMIT 5
     `, [sellerId]);
         res.json({

package/dist/pwa/routes/task-proposals.js

@@ -1,6 +1,9 @@
 import { validateProposalInput, insertTaskProposal, listTaskProposals, reviewTaskProposal } from '../../layer2-business/L2-9-contribution/task-proposal-store.js';
 import { withUncommittedValueBoundary } from '../../layer2-business/L2-9-contribution/contribution-display-envelope.js';
 import { getCanonicalContributionTarget } from '../../layer2-business/L2-9-contribution/canonical-contribution-target.js';
+import { createDraftFromProposal, listDraftBuildTasks, publishDraftBuildTask } from '../../layer2-business/L2-9-contribution/task-proposal-draft.js';
+import { recommendForProposal, insertAiSuggestion, listAiSuggestions, getProposalLite } from '../../layer2-business/L2-9-contribution/task-proposal-ai-store.js';
+const AI_NOTICE = 'AI suggestion — assistant only, NOT a decision. A human maintainer must explicitly create / publish / reject the formal task. AI never auto-publishes, auto-rejects, hides proposals, or assigns reward / credit.';
 const PROPOSAL_NOTICE = 'A task proposal is a SUGGESTION in the maintainer review inbox. It is NOT a contribution fact, formal participation, or any reward / payout / score, and it never appears on the public task board until a maintainer reviews and (manually) converts it. source_ref is a reference only; the canonical contribution target is fixed by trusted config.';
 function withProposalEnvelope(payload) {
     return withUncommittedValueBoundary({ ...payload, proposal_notice: PROPOSAL_NOTICE, canonical_contribution_target: getCanonicalContributionTarget() });
@@ -42,4 +45,77 @@ export function registerTaskProposalsRoutes(app, deps) {
         }
         res.json(withProposalEnvelope({ proposal: result }));
     });
+    // ── AI-assist (ASSISTANT ONLY) ─────────────────────────────────────────────
+    // Classify + suggest draft fields; stored as recommendation/evidence with accountability metadata.
+    // NEVER a decision: no auto-publish / auto-reject / hide / reward. A human admin must act explicitly.
+    app.post('/api/admin/task-proposals/:id/ai-assist', (req, res) => {
+        const admin = requireSupportAdmin(req, res);
+        if (!admin)
+            return;
+        const p = getProposalLite(db, String(req.params.id));
+        if (!p)
+            return void errorRes(res, 404, 'NOT_FOUND', 'proposal not found');
+        const { recommendation, model, provider } = recommendForProposal(db, p);
+        const stored = insertAiSuggestion(db, { proposalId: p.id, reviewerType: 'ai', model, provider,
+            inputSummary: `${p.title}\n${p.summary}`, outputJson: JSON.stringify(recommendation) });
+        res.json(withProposalEnvelope({ ai_suggestion: recommendation, model, provider, suggestion_id: stored.id, requested_by: admin.id, ai_notice: AI_NOTICE }));
+    });
+    // stored AI suggestions (evidence) for a proposal
+    app.get('/api/admin/task-proposals/:id/ai-suggestions', (req, res) => {
+        const admin = requireSupportAdmin(req, res);
+        if (!admin)
+            return;
+        res.json(withProposalEnvelope({ suggestions: listAiSuggestions(db, String(req.params.id)), ai_notice: AI_NOTICE }));
+    });
+    // ── create an UNPUBLISHED formal task draft from a proposal — explicit maintainer action ──
+    // No auto-publish (draft is internal/unclaimable until an explicit publish); no reward/credit side effect.
+    app.post('/api/admin/task-proposals/:id/create-task-draft', (req, res) => {
+        const admin = requireSupportAdmin(req, res);
+        if (!admin)
+            return;
+        const b = (req.body ?? {});
+        if (!b.title || String(b.title).trim().length < 3)
+            return void errorRes(res, 400, 'TITLE_REQUIRED', 'title is required (>=3 chars) — the maintainer must review/confirm the formal title');
+        const r = createDraftFromProposal(db, {
+            proposalId: String(req.params.id), adminId: admin.id,
+            title: String(b.title), area: b.area ?? null, description: b.description ?? null,
+            sourceRef: b.source_ref ?? null,
+            acceptanceCriteria: Array.isArray(b.acceptance_criteria) ? b.acceptance_criteria : [],
+            verificationCommands: Array.isArray(b.verification_commands) ? b.verification_commands : [],
+            deliverables: Array.isArray(b.deliverables) ? b.deliverables : [],
+            allowedPaths: Array.isArray(b.allowed_paths) ? b.allowed_paths : [],
+            forbiddenPaths: Array.isArray(b.forbidden_paths) ? b.forbidden_paths : [],
+            forbiddenActions: Array.isArray(b.forbidden_actions) ? b.forbidden_actions : [],
+            requiredCapabilities: Array.isArray(b.required_capabilities) ? b.required_capabilities : [],
+            definitionOfDone: b.definition_of_done ?? null,
+            expectedResults: b.expected_results ?? null,
+            autoClaimable: b.auto_claimable === false ? false : undefined,
+            riskLevel: b.risk_level, taskType: b.task_type, note: b.note ?? null,
+        });
+        if ('error' in r) {
+            const code = r.error_code === 'PROPOSAL_NOT_FOUND' ? 404 : r.error_code === 'PROPOSAL_TERMINAL' ? 409 : r.error_code === 'RATE_LIMITED' ? 429 : 400;
+            return void errorRes(res, code, r.error_code, r.error);
+        }
+        res.json(withProposalEnvelope({ draft: { draft_task_id: r.draft_task_id, status: 'draft', audience: 'internal', published: false }, created_by: admin.id }));
+    });
+    // admin list of UNPUBLISHED drafts (internal, open) + source proposal id
+    app.get('/api/admin/build-task-drafts', (req, res) => {
+        const admin = requireSupportAdmin(req, res);
+        if (!admin)
+            return;
+        res.json(withProposalEnvelope({ drafts: listDraftBuildTasks(db) }));
+    });
+    // PUBLISH a draft → public open task — explicit human/admin action; records the acting admin
+    app.post('/api/admin/build-task-drafts/:id/publish', (req, res) => {
+        const admin = requireSupportAdmin(req, res);
+        if (!admin)
+            return;
+        const r = publishDraftBuildTask(db, String(req.params.id), admin.id);
+        if ('error' in r) {
+            const code = r.error_code === 'NOT_FOUND' ? 404
+                : (r.error_code === 'PROPOSAL_REJECTED' || r.error_code === 'PROPOSAL_CONVERTED_ELSEWHERE') ? 409 : 400;
+            return void errorRes(res, code, r.error_code, r.error, r.missing ? { missing: r.missing } : undefined);
+        }
+        res.json(withProposalEnvelope({ published: { task_id: r.task_id, published: true }, published_by: admin.id }));
+    });
 }

package/dist/pwa/routes/trial.js

@@ -114,7 +114,7 @@ export async function evaluateTrialClaims(db, generateId) {
     return { evaluated, refunded, expired };
 }
 export function registerTrialRoutes(app, deps) {
-    const { db, generateId, auth, clientIpHash, clientUaHash, requireProtocolAdmin } = deps;
+    const { db, generateId, auth, clientIpHash, clientUaHash, requireProtocolAdmin, logAdminAction } = deps;
     // 卖家：开/更新活动
     app.post('/api/products/:product_id/trial-campaign', async (req, res) => {
         const user = auth(req, res);
@@ -346,6 +346,8 @@ export function registerTrialRoutes(app, deps) {
         const admin = requireProtocolAdmin(req, res);
         if (!admin)
             return;
-        res.json(await evaluateTrialClaims(db, generateId));
+        const result = await evaluateTrialClaims(db, generateId);
+        logAdminAction(admin.id, 'trial_run_eval', 'protocol', null, { result });
+        res.json(result);
     });
 }

package/dist/pwa/routes/users-public.js

@@ -60,16 +60,10 @@ export function registerUsersPublicRoutes(app, deps) {
         const placementName = u.placement_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [u.placement_id]))?.name : null;
         const leftChildName = u.left_child_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [u.left_child_id]))?.name : null;
         const rightChildName = u.right_child_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [u.right_child_id]))?.name : null;
-        const score = (await dbOne(`
-      SELECT
-        COALESCE(SUM(CASE WHEN settled_at IS NULL THEN score ELSE 0 END),0) AS pending_score,
-        COALESCE(SUM(CASE WHEN settled_at IS NOT NULL THEN waz_amount ELSE 0 END),0) AS settled_waz,
-        COUNT(*) AS total_hits
-      FROM binary_score_records WHERE user_id = ?
-    `, [targetId]));
         const leftPv = Number(u.total_left_pv ?? 0);
         const rightPv = Number(u.total_right_pv ?? 0);
-        const weak = Math.min(leftPv, rightPv);
+        // pre-public de-MLM: PV 对碰为 pre-launch、未启用 —— public 端口不再暴露弱腿 / 对碰收益指标
+        // (weak_leg_pv / pending_score / settled_waz / total_hits)。位置 + 左右区 PV 仅作为参与记录保留。
         res.json({
             id: u.id,
             name: u.name,
@@ -80,10 +74,6 @@ export function registerUsersPublicRoutes(app, deps) {
             right_child: u.right_child_id ? { id: u.right_child_id, name: rightChildName } : null,
             total_left_pv: leftPv,
             total_right_pv: rightPv,
-            weak_leg_pv: weak,
-            pending_score: Number(score.pending_score),
-            settled_waz: Number(score.settled_waz),
-            total_hits: Number(score.total_hits),
             joined_at: u.created_at,
         });
     });

package/dist/pwa/routes/wallet-read.js

@@ -160,7 +160,7 @@ export function registerWalletReadRoutes(app, deps) {
         });
         res.json(enriched);
     });
-    // 收入构成：分享 / 双轨对碰 / 销售
+    // 收入构成：销售 / 分享归因 / PV 记录(pre-launch,若适用)
     app.get('/api/wallet/income', async (req, res) => {
         const user = auth(req, res);
         if (!user)

package/dist/pwa/server.js

@@ -47,6 +47,7 @@ import { createPublicClient, createWalletClient, http, parseAbiItem, parseAbi, p
 import { baseSepolia, base } from 'viem/chains';
 import { createHmac, createHash, randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';
 import { safeFetch } from './security/ssrf.js';
+import { deliverVerificationCode, emailDeliveryNotConfigured, isVerificationEmailReady, } from './email-delivery.js';
 // @simplewebauthn/server 已迁出到 src/pwa/routes/webauthn.ts (#1013 Phase 1)
 import { registerWebauthnRoutes } from './routes/webauthn.js';
 import { createHumanPresence } from './human-presence.js';
@@ -201,6 +202,7 @@ import { registerAdminEventsRoutes } from './routes/admin-events.js';
 import { registerAdminModerationRoutes } from './routes/admin-moderation.js';
 // Admin 钱包运维 (#1013 Phase 69) — hot-wallet 2 + withdrawals 2 = 4 endpoints
 import { registerAdminWalletOpsRoutes } from './routes/admin-wallet-ops.js';
+import { resolveBearerProtocolAdmin } from './admin-bearer-auth.js';
 // Admin Catalog (#1013 Phase 70) — categories 2 + products 2 = 4 endpoints
 import { registerAdminCatalogRoutes } from './routes/admin-catalog.js';
 // Reputation 公开查询 (#1013 Phase 71) — 2 endpoints
@@ -310,6 +312,8 @@ import { registerPublicBuildTasksRoutes } from './routes/public-build-tasks.js';
 import { initBuildTasksSchema } from '../layer2-business/L2-9-contribution/build-tasks-engine.js';
 import { initBuildTaskAgentMetadataSchema } from '../layer2-business/L2-9-contribution/build-task-agent-metadata-store.js';
 import { initTaskProposalSchema } from '../layer2-business/L2-9-contribution/task-proposal-store.js';
+import { initTaskProposalAiSchema } from '../layer2-business/L2-9-contribution/task-proposal-ai-store.js';
+import { initTaskProposalDraftLinkSchema } from '../layer2-business/L2-9-contribution/task-proposal-draft.js';
 import { registerTaskProposalsRoutes } from './routes/task-proposals.js';
 import { createSlidingWindowLimiter } from './rate-limit.js';
 import { registerBuildReputationRoutes } from './routes/build-reputation.js';
@@ -375,6 +379,8 @@ initBuildFeedbackSchema(db); // RFC-004 build_feedback
 initBuildTasksSchema(db); // RFC-006 build_tasks(协调层)
 initBuildTaskAgentMetadataSchema(db); // PR9B — agent-ready task metadata satellite(schema only;FUTURE-TASK-BOARD-V1-DESIGN #326)
 initTaskProposalSchema(db); // Task Proposal Inbox v1 — suggestion inbox(maintainer review;never auto build_task)
+initTaskProposalAiSchema(db); // Task Proposal AI-assist — assistant-only recommendation/evidence(human decides)
+initTaskProposalDraftLinkSchema(db); // Task Proposal draft links — source proposal ↔ draft task(converted at publish)
 initBuildReputationSchema(db); // RFC-006 build_reputation(独立池 + 贡献者看板)
 initGithubCredentialStoreSchema(db); // PR 3B-3a — GitHub credential store + RFC-017 fact layer (schema only)
 initIdentityBindingSchema(db); // PR 4a — GitHub identity → WebAZ account binding (append-only events + active projection)
@@ -5850,6 +5856,12 @@ registerAuthRegisterRoutes(app, {
     pickPreferredSide, joinPowerLeg,
     get INVITE_ROTATION_HANDLES() { return INVITE_ROTATION_HANDLES; },
     inviteRotationLookup,
+    // 邮箱验证优先注册 — issueCode/findActiveCode 是 hoisted 函数声明、isVerificationEmailReady/
+    // emailDeliveryNotConfigured 是 import,均可在此安全引用;CODE_TTL_MIN/MAX_CODE_ATTEMPTS 是后置 const,
+    // 走 getter 延迟读避免 TDZ。
+    issueCode, findActiveCode, canDeliverCodes: isVerificationEmailReady, emailDeliveryNotConfigured,
+    get CODE_TTL_MIN() { return CODE_TTL_MIN; },
+    get MAX_CODE_ATTEMPTS() { return MAX_CODE_ATTEMPTS; },
     recordSession, broadcastSystemEvent,
 });
 // #1013 Phase 116: me + profile 已迁出
@@ -6027,23 +6039,30 @@ registerAuthLoginRoutes(app, {
 const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 const CODE_TTL_MIN = 10;
 const MAX_CODE_ATTEMPTS = 5;
-const IS_DEV = process.env.NODE_ENV !== 'production';
 function genCode() {
     return String(Math.floor(100000 + Math.random() * 900000));
 }
-function deliverCode(target, code, purpose) {
-    // dev: console；prod: 接 SMTP / SMS（P3）
-    console.log(`[verify] ${purpose} → ${target}  code=${code}  (expires ${CODE_TTL_MIN}min)`);
+async function deliverCode(target, code, purpose) {
+    return deliverVerificationCode({ target, code, purpose, ttlMin: CODE_TTL_MIN });
 }
-function issueCode(userId, channel, target, purpose) {
+async function issueCode(userId, channel, target, purpose) {
+    if (channel === 'email' && !isVerificationEmailReady())
+        return emailDeliveryNotConfigured();
     const id = generateId('vcode');
     const code = genCode();
     const expiresAt = new Date(Date.now() + CODE_TTL_MIN * 60_000).toISOString();
     db.prepare(`INSERT INTO verification_codes (id, user_id, channel, target, code, purpose, expires_at)
               VALUES (?,?,?,?,?,?,?)`)
         .run(id, userId, channel, target, code, purpose, expiresAt);
-    deliverCode(target, code, purpose);
-    return { code, expires_at: expiresAt };
+    const delivered = await deliverCode(target, code, purpose);
+    if (!delivered.ok) {
+        try {
+            db.prepare("UPDATE verification_codes SET used_at = datetime('now') WHERE id = ?").run(id);
+        }
+        catch { }
+        return delivered;
+    }
+    return { ok: true, code, expires_at: expiresAt, provider: delivered.provider };
 }
 function findActiveCode(channel, target, purpose) {
     return db.prepare(`
@@ -6056,12 +6075,13 @@ function findActiveCode(channel, target, purpose) {
 // #1013 Phase 49: 3 recover-key endpoints 已迁出到 routes/recover-key.ts
 registerRecoverKeyRoutes(app, {
     db, internalAuditorId: INTERNAL_AUDITOR_ID,
-    issueCode, findActiveCode, CODE_TTL_MIN, MAX_CODE_ATTEMPTS,
+    issueCode, findActiveCode, canDeliverCodes: isVerificationEmailReady,
+    emailDeliveryNotConfigured, hashPassword, CODE_TTL_MIN, MAX_CODE_ATTEMPTS,
 });
 // #1013 Phase 55: 5 profile-credentials endpoints 已迁出到 routes/profile-credentials.ts
 registerProfileCredentialsRoutes(app, {
     db, auth, verifyPassword, hashPassword,
-    issueCode, findActiveCode, IS_DEV, MAX_CODE_ATTEMPTS,
+    issueCode, findActiveCode, MAX_CODE_ATTEMPTS,
 });
 // 搜索商品（声誉权重排序）
 // 构建 agent_summary：一句话决策摘要
@@ -6292,6 +6312,7 @@ registerFlashSalesRoutes(app, { db, generateId, auth, broadcastSystemEvent });
 registerTrialRoutes(app, {
     db, generateId, auth, clientIpHash, clientUaHash,
     requireProtocolAdmin: (req, res) => requireAdminPermission(req, res, 'protocol'),
+    logAdminAction,
 });
 // ─── Wave B-2: 预售 / waitlist ─────────────────────────────
 // #1013 Phase 24: 5 endpoints 已迁出到 routes/waitlist.ts
@@ -6713,6 +6734,7 @@ registerAdminOpsRoutes(app, {
     hasAdminPermission,
     INTERNAL_AUDITOR_ID, ADMIN_EXPORT_LIMIT, csvEscapeAdmin,
     anthropic, applyDecayIfDue, computeValueBadges,
+    logAdminAction,
 });
 // AI 2 endpoints — Phase 100 已迁出
 registerAiRoutes(app, { db, auth, anthropic });
@@ -6742,6 +6764,7 @@ registerAdminModerationRoutes(app, {
     db, generateId,
     requireUsersAdmin: (req, res) => requireAdminPermission(req, res, 'users'),
     authFailures, INTERNAL_AUDITOR_ID, broadcastSystemEvent,
+    logAdminAction,
 });
 // 邀请码 3 endpoints — Phase 98 已迁出
 registerReferralRoutes(app, {
@@ -7239,6 +7262,7 @@ setInterval(() => {
 registerAdminAtomicRoutes(app, {
     requireProtocolAdmin: (req, res) => requireAdminPermission(req, res, 'protocol'),
     processPvLedger, runBinarySettlement, executeSafeSettlementCron,
+    logAdminAction,
 });
 // #1013 Phase 110: tokenomics/status + shares/dashboard 已迁出
 registerDashboardsRoutes(app, { db, auth });
@@ -7274,6 +7298,7 @@ registerAdminUsersQueryRoutes(app, {
     adminCanOperateOn, isRootAdmin, isAllowedSponsor,
     maskApiKey, computeLightTags, getAdminScope, getSellerDailyLimit, todayStartISO,
     broadcastSystemEvent, INTERNAL_AUDITOR_ID,
+    logAdminAction,
 });
 function getSellerDailyLimit(user) {
     const id = String(user.id ?? '');
@@ -8130,6 +8155,7 @@ registerAuctionRoutes(app, {
     RFQ_MAX_QTY, RFQ_MAX_PRICE,
     LISTING_CATEGORIES, isListingCategoryKey,
     requireProtocolAdmin: (req, res) => requireAdminPermission(req, res, 'protocol'),
+    logAdminAction,
 });
 // AUC 结算 helper：到期 → 最高 active bid → 建单（或流拍）
 // P0 audit fix #2：顶层 try/catch 兜底，意外抛错时 status='error' 防 cron 死循环
@@ -9851,6 +9877,23 @@ registerAdminWalletOpsRoutes(app, {
     getIsMainnet: () => IS_MAINNET,
     getNetwork: () => NETWORK,
     executeWithdrawal: (id) => executeWithdrawal(id),
+    logAdminAction,
+    // dual-accept transition for attribution(非最终安全收紧):只读、不响应地解析登录的 protocol-admin。
+    // 用 resolveBearerProtocolAdmin(钱路强校验):仅认 Authorization: Bearer(不认 req.body.api_key)、
+    // 拒暂停用户、拒已吊销会话;角色+protocol 权限用中央 hasAdminPermission(防漂移)。null → 回落共享 ADMIN_KEY。
+    // 最终弃用 x-admin-key 留后续 PR。
+    resolveProtocolAdminSoft: (req) => resolveBearerProtocolAdmin(db, req, (u) => {
+        let rolesList = [];
+        try {
+            rolesList = JSON.parse(u.roles || '[]');
+        }
+        catch {
+            rolesList = [];
+        }
+        if (u.role !== 'admin' && !rolesList.includes('admin'))
+            return false;
+        return hasAdminPermission(u, 'protocol');
+    }),
 });
 // #1013 Phase 80: 10 wallet read endpoints 已迁出
 registerWalletReadRoutes(app, {
@@ -10336,6 +10379,21 @@ db.exec(`
               VALUES (?, ?, 'major', ?, ?, ?, ?)`)
         .run('1.0', hash, Date.now(), textZh, textEn, 'Initial v1.0 lock — placeholder canonical text pointing to RFC-002');
 })();
+(function seedConsentV11() {
+    const existing = db.prepare("SELECT version FROM rewards_consent_texts WHERE version = '1.1'").get();
+    if (existing)
+        return;
+    const textZh = 'WebAZ 分享分润开通(rewards opt-in) v1.1 — 由 RFC-002 §3.3 / §3.10 定义。本同意仅用于记录分享分润相关的经济关系:Passkey 真人签名、推荐关系/左右区位置、佣金/PV/escrow 结算规则。本流程不是购物流程,也不是共建贡献资格;不影响贡献任务、GitHub 贡献认领或普通下单。佣金层级按地区合规配置生效;当前预发布期全局上限为 1 级,“三级”仅为协议最大设计。你可以随时退出,退出不影响已下单或未来订单;已发生的订单和结算按当时有效规则处理。';
+    const textEn = 'WebAZ share-commission opt-in (rewards opt-in) v1.1 — defined by RFC-002 §3.3 / §3.10. This consent only records the economic relationship for share commission: Passkey-signed proof of personhood, referral relationship / left-right placement, and commission / PV / escrow settlement rules. This is not a shopping flow and not contribution eligibility; it does not affect contribution tasks, GitHub contribution claims, or normal orders. Commission levels follow per-region compliance configuration; during pre-launch the global cap is 1 level, and “three tiers” is only the protocol maximum design. You may leave at any time without affecting past or future orders; already-created orders and settlements follow the rules effective at that time.';
+    const hash = createHash('sha256').update(textZh + '\n---\n' + textEn).digest('hex');
+    // effective_at must be strictly later than v1.0's so "latest major" deterministically resolves to v1.1
+    // even on a fresh DB that seeds both rows in the same boot (avoids a same-ms ORDER BY tie).
+    const v10 = db.prepare("SELECT effective_at FROM rewards_consent_texts WHERE version = '1.0'").get();
+    const effectiveAt = Math.max(Date.now(), (v10?.effective_at ?? 0) + 1);
+    db.prepare(`INSERT INTO rewards_consent_texts (version, hash, change_class, effective_at, text_zh, text_en, changelog)
+              VALUES (?, ?, 'major', ?, ?, ?, ?)`)
+        .run('1.1', hash, effectiveAt, textZh, textEn, 'v1.1 clarification — share-commission opt-in framing (not 共建身份/Builder Identity, not contribution eligibility) + current commission-level reality boundary (pre-launch cap 1 level); v1.0 left frozen');
+})();
 // 4. rewards_applications:申请留痕表(append-only audit;action='activate'|'deactivate'|'auto_downgrade'|'reconfirm')
 db.exec(`
   CREATE TABLE IF NOT EXISTS rewards_applications (

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seasonkoh/webaz",
-  "version": "0.1.25",
+  "version": "0.1.26",
   "description": "[PRE-LAUNCH] Agent-native decentralized commerce protocol. Humans and AI agents trade on the same protocol via MCP tools. ⚠️ Repository currently private until W8 public launch — GitHub links may return 404. See https://webaz.xyz for status.",
   "main": "dist/mcp.js",
   "bin": {
@@ -8,7 +8,9 @@
   },
   "mcpName": "io.github.seasonsagents-art/webaz",
   "scripts": {
-    "build": "tsc && cp -r src/pwa/public dist/pwa/",
+    "build": "npm run build:whitepaper && tsc && cp -r src/pwa/public dist/pwa/",
+    "build:whitepaper": "tsx scripts/build-whitepaper-html.ts",
+    "check:whitepaper-fresh": "tsx scripts/build-whitepaper-html.ts && git diff --exit-code -- src/pwa/public/whitepaper",
     "prepare": "npm run build",
     "dev": "tsx src/index.ts",
     "mcp": "tsx src/mcp.ts",
@@ -66,7 +68,33 @@
     "check:pwa-syntax": "node --check src/pwa/public/app.js && node --check src/pwa/public/i18n.js && node --check src/pwa/public/sw.js",
     "test:rewards-vs-contribution-copy": "tsx scripts/test-rewards-vs-contribution-copy.ts",
     "test:invite-code-narrowing": "tsx scripts/test-invite-code-narrowing.ts",
-    "test:shop-referral-attribution": "tsx scripts/test-shop-referral-attribution.ts"
+    "test:shop-referral-attribution": "tsx scripts/test-shop-referral-attribution.ts",
+    "test:money-units": "tsx scripts/test-money-units.ts",
+    "test:identity-claim-ui": "tsx scripts/test-identity-claim-ui.ts",
+    "test:identity-claim-discovery": "tsx scripts/test-identity-claim-discovery.ts",
+    "test:operator-ingest-guards": "tsx scripts/test-operator-ingest-guards.ts",
+    "test:rewards-consent-text": "tsx scripts/test-rewards-consent-text.ts",
+    "test:mcp-apikey-fallback": "tsx scripts/test-mcp-apikey-fallback.ts",
+    "test:email-delivery": "tsx scripts/test-email-delivery-resend.ts",
+    "test:seller-order-actions": "tsx scripts/test-seller-order-actions.ts",
+    "test:decline-action": "tsx tests/test-decline-action.ts",
+    "test:recover-key-password-reset": "tsx scripts/test-recover-key-password-reset.ts",
+    "test:register-email-verify": "tsx scripts/test-register-email-verify.ts",
+    "test:recovery-onboarding-ui": "tsx scripts/test-recovery-onboarding-ui.ts",
+    "test:welcome-signup-button": "tsx scripts/test-welcome-signup-button.ts",
+    "test:auto-accept-risk-copy": "tsx scripts/test-auto-accept-risk-copy.ts",
+    "test:order-detail-return-inline": "tsx scripts/test-order-detail-return-inline.ts",
+    "test:seller-store-reviews": "tsx scripts/test-seller-store-reviews.ts",
+    "test:seller-ratings-double-blind": "tsx scripts/test-seller-ratings-double-blind.ts",
+    "test:seller-self-fulfill-ship": "tsx scripts/test-seller-self-fulfill-ship.ts",
+    "test:public-ratings-double-blind": "tsx scripts/test-public-ratings-double-blind.ts",
+    "test:admin-security-panel": "tsx scripts/test-admin-security-panel.ts",
+    "test:admin-economic-trigger-audit": "tsx scripts/test-admin-economic-trigger-audit.ts",
+    "test:admin-audit-slice1": "tsx scripts/test-admin-audit-slice1.ts",
+    "test:admin-withdrawal-approve-attribution": "tsx scripts/test-admin-withdrawal-approve-attribution.ts",
+    "test:admin-bearer-auth": "tsx scripts/test-admin-bearer-auth.ts",
+    "test:admin-reputation-decay-audit": "tsx scripts/test-admin-reputation-decay-audit.ts",
+    "test:task-proposal-draft-flow": "tsx scripts/test-task-proposal-draft-flow.ts"
   },
   "keywords": [
     "mcp",