@seasonkoh/webaz 0.1.26 → 0.1.27

package/dist/pwa/routes/admin-users-query.js

@@ -89,12 +89,35 @@ export function registerAdminUsersQueryRoutes(app, deps) {
             return void res.status(400).json({ error: 'action 必须 suspend/unsuspend' });
         const reasonStr = action === 'suspend' ? (reason ? String(reason).slice(0, 200) : 'admin 批量暂停') : null;
         const results = [];
+        // Per-uid authorization boundary (res-free, so one bad uid never aborts the whole batch). Mirrors
+        // adminCanOperateOn but stricter for admin targets: an admin target is ROOT-only regardless of scope.
+        const actingRoot = isRootAdmin(admin);
+        const actingScope = admin.admin_scope || 'global';
+        const canOperate = (t) => {
+            if (t.admin_type)
+                return actingRoot ? { ok: true } : { ok: false, reason: '仅 root 可操作 admin 账号' };
+            if (actingRoot || actingScope === 'global')
+                return { ok: true };
+            if (t.region && t.region !== actingScope)
+                return { ok: false, reason: `跨区用户(${t.region})仅本区/全局 admin 可操作` };
+            return { ok: true };
+        };
         for (const uid of user_ids) {
             try {
                 if (uid === 'sys_protocol' || uid === admin.id) {
                     results.push({ user_id: uid, status: 'skipped', reason: '保留账户或自己' });
                     continue;
                 }
+                const target = await dbOne('SELECT admin_type, region FROM users WHERE id = ?', [uid]);
+                if (!target) {
+                    results.push({ user_id: uid, status: 'skipped', reason: '用户不存在' });
+                    continue;
+                }
+                const gate = canOperate(target);
+                if (!gate.ok) {
+                    results.push({ user_id: uid, status: 'skipped', reason: gate.reason });
+                    continue;
+                }
                 if (action === 'suspend') {
                     await dbRun(`INSERT INTO user_moderation (user_id, suspended, reason, suspended_by, suspended_at)
             VALUES (?, 1, ?, ?, datetime('now'))
@@ -386,7 +409,6 @@ export function registerAdminUsersQueryRoutes(app, deps) {
                 reputation: user.reputation,
                 failed_attempts: user.failed_attempts ?? 0,
                 locked_until: user.locked_until,
-                mgmt_bonus_eligible: !!user.mgmt_bonus_eligible,
                 l1_share_override: Number(user.l1_share_override ?? 0),
                 can_l1_share: isAllowedSponsor(user.id),
             },

package/dist/pwa/routes/admin-wallet-ops.js

@@ -58,7 +58,7 @@ export function registerAdminWalletOpsRoutes(app, deps) {
         res.json(list);
     });
     app.post('/api/admin/withdrawals/:id/approve', async (req, res) => {
-        // 双轨过渡鉴权:优先认登录的 protocol-admin(Bearer)→ 记其真实 admin id;
+        // 双重受理过渡鉴权:优先认登录的 protocol-admin(Bearer)→ 记其真实 admin id;
         // 否则回落到共享 ADMIN_KEY(adminAuth,既有运维路径,行为不变)→ actor 记中性标记 'admin_key'。
         // 仅认 protocol 权限的 admin;非 protocol 的 Bearer 不放行(soft 解析返回 null),不扩大访问面,只精确归属。
         let actorId = 'admin_key';

package/dist/pwa/routes/auth-read.js

@@ -1,7 +1,7 @@
 import { dbOne } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAuthReadRoutes(app, deps) {
     // db 已全量走 RFC-016 异步 seam(dbOne),不再直接用 deps.db
-    const { auth, safeRoles, getRegionMaxLevels, userMlmGate, getUserLevel } = deps;
+    const { auth, safeRoles, getRegionMaxLevels, userMlmGate } = deps;
     app.get('/api/me', async (req, res) => {
         const user = auth(req, res);
         if (!user)
@@ -34,7 +34,6 @@ export function registerAuthReadRoutes(app, deps) {
         const wallet = await dbOne('SELECT balance, staked, escrowed, earned FROM wallets WHERE user_id = ?', [user.id]);
         const roles = safeRoles(user);
         const pv = await dbOne("SELECT total_left_pv, total_right_pv FROM users WHERE id = ?", [user.id]);
-        const pendingScore = (await dbOne("SELECT COALESCE(SUM(score),0) as s FROM binary_score_records WHERE user_id = ? AND settled_at IS NULL", [user.id])).s;
         res.json({
             id: user.id, name: user.name, role: user.role, roles, api_key: user.api_key, wallet: wallet || null,
             permanent_code: user.permanent_code ?? null,
@@ -69,11 +68,8 @@ export function registerAuthReadRoutes(app, deps) {
                     return null;
                 }
             })(),
-            pending_score: Number(pendingScore),
             total_left_pv: Number(pv?.total_left_pv ?? 0),
             total_right_pv: Number(pv?.total_right_pv ?? 0),
-            lifetime_score: Number(user.lifetime_score ?? 0),
-            user_level: getUserLevel(Number(user.lifetime_score ?? 0)),
         });
     });
 }

package/dist/pwa/routes/auth-register.js

@@ -1,8 +1,8 @@
 import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAuthRegisterRoutes(app, deps) {
-    // VALID_REGIONS + INVITE_ROTATION_HANDLES 通过 deps.X 在 handler 内延迟读
-    // （server.ts 用 getter 注入；destructure at register-time would trigger TDZ 因为它们在下方 const）
-    const { db, errorRes, INTERNAL_AUDITOR_ID, isAllowedSponsor, resolveInviteCodeRef, generateId, generateSecureKey, generatePermanentCode, deriveHandle, clientIpHash, clientUaHash, pickPreferredSide, joinPowerLeg, inviteRotationLookup, issueCode, findActiveCode, canDeliverCodes, emailDeliveryNotConfigured, recordSession, broadcastSystemEvent } = deps;
+    // VALID_REGIONS 通过 deps.X 在 handler 内延迟读
+    // （server.ts 用 getter 注入；destructure at register-time would trigger TDZ 因为它在下方 const）
+    const { db, errorRes, INTERNAL_AUDITOR_ID, isAllowedSponsor, resolveInviteCodeRef, generateId, generateSecureKey, generatePermanentCode, deriveHandle, clientIpHash, clientUaHash, pickPreferredSide, joinPowerLeg, issueCode, findActiveCode, canDeliverCodes, emailDeliveryNotConfigured, recordSession, broadcastSystemEvent } = deps;
     // CODE_TTL_MIN / MAX_CODE_ATTEMPTS 通过 deps.X 在 handler 内延迟读(它们在 server.ts 是后置 const,
     // register-time destructure 会触发 TDZ)。
     const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
@@ -205,16 +205,6 @@ export function registerAuthRegisterRoutes(app, deps) {
                     }
                 }
             }
-            const rotationEnabled = db.prepare("SELECT value FROM system_state WHERE key='invite_rotation_enabled'").get()?.value === '1';
-            if (rotationEnabled && sponsorId) {
-                for (let i = 0; i < deps.INVITE_ROTATION_HANDLES.length; i++) {
-                    const u = inviteRotationLookup(i);
-                    if (u && u.id === sponsorId) {
-                        db.prepare("UPDATE invite_rotation_stats SET registered_count = registered_count + 1 WHERE slot = ?").run(i);
-                        break;
-                    }
-                }
-            }
             return { placement, effectiveInviter, effectiveSide };
         });
         let txResult;

package/dist/pwa/routes/build-task-quota.js

@@ -0,0 +1,113 @@
+import { createQuotaRequest, listMyQuotaRequests, listQuotaRequests, getQuotaRequest, approveQuotaRequest, rejectQuotaRequest, revokeQuotaRequest, requesterUsage24h, remainingQuota, isQuotaError, } from '../../layer2-business/L2-9-contribution/build-task-quota.js';
+// map a store error_code to an HTTP status
+function httpFor(code) {
+    if (code === 'NOT_FOUND')
+        return 404;
+    if (code === 'ALREADY_PENDING' || code === 'BAD_STATE')
+        return 409;
+    if (code === 'SELF_DECISION')
+        return 403;
+    return 400;
+}
+// parse the stored linked_refs JSON + surface a derived remaining count for approved grants
+function shapeRequest(r) {
+    let linked = [];
+    try {
+        linked = JSON.parse(String(r.linked_refs ?? '[]'));
+    }
+    catch {
+        linked = [];
+    }
+    const granted = r.granted_count == null ? null : Number(r.granted_count);
+    const consumed = Number(r.consumed_count ?? 0);
+    return { ...r, linked_refs: linked, remaining: granted == null ? null : Math.max(0, granted - consumed) };
+}
+export function registerBuildTaskQuotaRoutes(app, deps) {
+    const { db, errorRes, auth, requireRootAdmin } = deps;
+    // ── requester surface ─────────────────────────────────────────────────────
+    // submit a quota-increase request
+    app.post('/api/me/quota-requests', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const b = (req.body ?? {});
+        const r = createQuotaRequest(db, {
+            requesterId: String(user.id),
+            requestedExtraCount: Number(b.requested_extra_count),
+            reason: String(b.reason ?? ''),
+            linkedRefs: b.linked_refs,
+            urgency: b.urgency,
+            requestedDurationHours: b.requested_duration_hours == null ? null : Number(b.requested_duration_hours),
+            quotaType: b.quota_type,
+        });
+        if (isQuotaError(r))
+            return void errorRes(res, httpFor(r.error_code), r.error_code, r.error);
+        res.json({ request: r });
+    });
+    // list my own requests + current remaining temporary quota
+    app.get('/api/me/quota-requests', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const requests = listMyQuotaRequests(db, String(user.id)).map(shapeRequest);
+        res.json({ requests, remaining_quota: remainingQuota(db, String(user.id)) });
+    });
+    // ── ROOT admin review surface ─────────────────────────────────────────────
+    // list quota requests (optional ?status=)
+    app.get('/api/admin/quota-requests', (req, res) => {
+        const admin = requireRootAdmin(req, res);
+        if (!admin)
+            return;
+        const status = typeof req.query.status === 'string' ? req.query.status : undefined;
+        const requests = listQuotaRequests(db, { status }).map(shapeRequest);
+        res.json({ requests });
+    });
+    // detail of one request + the requester's live 24h create usage (reviewer context)
+    app.get('/api/admin/quota-requests/:id', (req, res) => {
+        const admin = requireRootAdmin(req, res);
+        if (!admin)
+            return;
+        const r = getQuotaRequest(db, String(req.params.id));
+        if (!r)
+            return void errorRes(res, 404, 'NOT_FOUND', 'quota request not found');
+        res.json({ request: shapeRequest(r), requester_usage_24h: requesterUsage24h(db, String(r.requester_user_id)) });
+    });
+    // approve → time-boxed counted grant (self-approval rejected in the store)
+    app.post('/api/admin/quota-requests/:id/approve', (req, res) => {
+        const admin = requireRootAdmin(req, res);
+        if (!admin)
+            return;
+        const b = (req.body ?? {});
+        const r = approveQuotaRequest(db, String(req.params.id), String(admin.id), {
+            grantedCount: b.extra_count == null ? undefined : Number(b.extra_count),
+            durationHours: b.duration_hours == null ? undefined : Number(b.duration_hours),
+            expiresAt: typeof b.expires_at === 'string' ? b.expires_at : undefined,
+            decisionNote: typeof b.approval_note === 'string' ? b.approval_note : undefined,
+        });
+        if (isQuotaError(r))
+            return void errorRes(res, httpFor(r.error_code), r.error_code, r.error);
+        res.json({ approved: r });
+    });
+    // reject (self-rejection also blocked by the store's SELF_DECISION guard)
+    app.post('/api/admin/quota-requests/:id/reject', (req, res) => {
+        const admin = requireRootAdmin(req, res);
+        if (!admin)
+            return;
+        const b = (req.body ?? {});
+        const r = rejectQuotaRequest(db, String(req.params.id), String(admin.id), { decisionNote: typeof b.rejection_note === 'string' ? b.rejection_note : undefined });
+        if (isQuotaError(r))
+            return void errorRes(res, httpFor(r.error_code), r.error_code, r.error);
+        res.json({ rejected: r });
+    });
+    // revoke an already-approved grant (root)
+    app.post('/api/admin/quota-requests/:id/revoke', (req, res) => {
+        const admin = requireRootAdmin(req, res);
+        if (!admin)
+            return;
+        const b = (req.body ?? {});
+        const r = revokeQuotaRequest(db, String(req.params.id), String(admin.id), { decisionNote: typeof b.revocation_note === 'string' ? b.revocation_note : undefined });
+        if (isQuotaError(r))
+            return void errorRes(res, httpFor(r.error_code), r.error_code, r.error);
+        res.json({ revoked: r });
+    });
+}

package/dist/pwa/routes/claim-verify.js

@@ -1,4 +1,6 @@
 import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js';
+// #420 P1-3 — verifier outlier 阈值改由 governance-adjustable protocol_params 驱动
+import { readAntiAbuseThresholds, verifierOutlierBand } from '../anti-abuse-thresholds.js';
 // RFC-016 Phase 1 — 仅端点纯校验读/列表/公开查询/读回 + 单语句标记/字段写 + 写后通知 → async seam。
 // 全部保持同步(Phase 3 再用 pg tx/行锁):
 //   - 模块级 helper(settleClaimTask 三路径结算 / distributePool / checkAndApplyOutlierStrike /
@@ -23,11 +25,10 @@ const CLAIM_VALID_VOTES = new Set(['pass', 'fail', 'no_fault', 'abstain']);
 // V3：abstain 不计入 3-vote 共识、不参与 majority、不触发 outlier
 const CLAIM_SELLER_FINE_RATE = 0.10; // pass 时扣 product.stake_amount × 10%
 const CLAIM_NO_FAULT_SUBSIDY = 1; // no_fault 路径协议池补贴每个 verifier 1 WAZ
-// 跨域共用（server.ts checkVerifierOutlier 跨 6 套 vote table 聚合也用同一阈值）
-export const CLAIM_SUSPEND_THRESHOLD = 3; // 180d 内 ≥3 次 outlier → 30d 冻结
-export const CLAIM_REVOKE_THRESHOLD = 5; // 180d 内 ≥5 次 outlier → 永封
-export const CLAIM_SUSPEND_DAYS = 30;
-export const CLAIM_OUTLIER_WINDOW_DAYS = 180;
+// #420 P1-3:verifier outlier 阈值（暂停/撤销/窗口/暂停时长）已抽到 governance-adjustable
+// protocol_params,单一真相源在 ../anti-abuse-thresholds.ts(DEFAULT_ANTI_ABUSE_THRESHOLDS:
+// outlierSuspendCount=3 / outlierRevokeCount=5 / outlierSuspendDays=30 / outlierWindowDays=180)。
+// checkAndApplyOutlierStrike + server.ts checkVerifierOutlier 通过 readAntiAbuseThresholds(db) 读取。
 // ─── helpers (module-level, db 通过参数传) ───────────────────
 // 2026-05-22 V2：通知所有资格内 verifier 有新 claim 任务
 export function notifyEligibleVerifiers(db, generateId, args) {
@@ -99,28 +100,31 @@ export function activeClaimTaskCountForVerifier(db, userId) {
 }
 // M7.3b：单个 outlier 处罚检查
 function checkAndApplyOutlierStrike(db, generateId, userId) {
+    // #420 P1-3:窗口/暂停/撤销阈值由 protocol_params 驱动(默认 = 原 180d/≥5/≥3/30d)
+    const t = readAntiAbuseThresholds(db);
     const cnt = db.prepare(`
     SELECT COUNT(*) as n FROM claim_verification_votes cvv
     JOIN claim_verification_tasks cvt ON cvt.id = cvv.task_id
     WHERE cvv.verifier_id = ?
       AND cvv.was_majority = 0
       AND cvt.resolved_at IS NOT NULL
-      AND cvt.resolved_at >= datetime('now', '-${CLAIM_OUTLIER_WINDOW_DAYS} days')
+      AND cvt.resolved_at >= datetime('now', '-${t.outlierWindowDays} days')
   `).get(userId).n;
     const existing = db.prepare(`SELECT type, outlier_count FROM claim_verifier_suspensions
     WHERE user_id = ? AND (type = 'revoked' OR until_at > datetime('now'))
     ORDER BY created_at DESC LIMIT 1`).get(userId);
     if (existing?.type === 'revoked')
         return { strikes_180d: cnt };
-    if (cnt >= CLAIM_REVOKE_THRESHOLD && (!existing || existing.outlier_count < CLAIM_REVOKE_THRESHOLD)) {
+    const band = verifierOutlierBand(cnt, t);
+    if (band === 'revoke' && (!existing || existing.outlier_count < t.outlierRevokeCount)) {
         db.prepare(`INSERT INTO claim_verifier_suspensions (id, user_id, type, reason, outlier_count)
-      VALUES (?,?, 'revoked', ?, ?)`).run(generateId('cvs'), userId, `180d 内累计 ${cnt} 次 outlier`, cnt);
+      VALUES (?,?, 'revoked', ?, ?)`).run(generateId('cvs'), userId, `${t.outlierWindowDays}d 内累计 ${cnt} 次 outlier`, cnt);
         return { strikes_180d: cnt, suspension: { type: 'revoked', until_at: null } };
     }
-    if (cnt >= CLAIM_SUSPEND_THRESHOLD && !existing) {
-        const until = new Date(Date.now() + CLAIM_SUSPEND_DAYS * 86400_000).toISOString();
+    if (band === 'suspend' && !existing) {
+        const until = new Date(Date.now() + t.outlierSuspendDays * 86400_000).toISOString();
         db.prepare(`INSERT INTO claim_verifier_suspensions (id, user_id, type, until_at, reason, outlier_count)
-      VALUES (?,?, 'suspended', ?, ?, ?)`).run(generateId('cvs'), userId, until, `180d 内累计 ${cnt} 次 outlier`, cnt);
+      VALUES (?,?, 'suspended', ?, ?, ?)`).run(generateId('cvs'), userId, until, `${t.outlierWindowDays}d 内累计 ${cnt} 次 outlier`, cnt);
         return { strikes_180d: cnt, suspension: { type: 'suspended', until_at: until } };
     }
     return { strikes_180d: cnt };

package/dist/pwa/routes/contribution-facts.js

@@ -0,0 +1,18 @@
+import { getMyContributionFacts } from '../../layer2-business/L2-9-contribution/contribution-facts-read.js';
+import { withUncommittedValueBoundary } from '../../layer2-business/L2-9-contribution/contribution-display-envelope.js';
+export function registerContributionFactsRoutes(app, deps) {
+    const { db, auth, errorRes } = deps;
+    // ── READ-ONLY: the caller's OWN attributable contribution facts (GitHub + admin coordination) ──
+    app.get('/api/contribution-facts/me', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        try {
+            const surface = getMyContributionFacts(db, user.id);
+            res.json(withUncommittedValueBoundary(surface));
+        }
+        catch {
+            return void errorRes(res, 500, 'INTERNAL', '内部错误'); // never leak a stack / query
+        }
+    });
+}

package/dist/pwa/routes/dispute-cases.js

@@ -1,4 +1,5 @@
 import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
+import { genuineSalePredicate } from '../../layer0-foundation/L0-2-state-machine/genuine-sale.js'; // 真实成交单一真相源
 export function registerDisputeCasesRoutes(app, deps) {
     const { db, auth, getUser, generateId, piiSanitize, detectFraud, commentBlocklistHit, llmModerateComment } = deps;
     // 公共发言门槛 — 防新号/小号刷评论/投票
@@ -7,7 +8,7 @@ export function registerDisputeCasesRoutes(app, deps) {
         const lifetime = Number(user.lifetime_score || 0);
         if (lifetime >= 5)
             return { ok: true };
-        const completed = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE (buyer_id = ? OR seller_id = ?) AND status = 'completed'`, [user.id, user.id])).n;
+        const completed = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE (buyer_id = ? OR seller_id = ?) AND ${genuineSalePredicate('orders')}`, [user.id, user.id])).n; // 真实成交,排除退款/违约
         if (completed >= 1)
             return { ok: true };
         const created = user.created_at ? new Date(String(user.created_at).replace(' ', 'T') + 'Z').getTime() : 0;
@@ -93,9 +94,9 @@ export function registerDisputeCasesRoutes(app, deps) {
         };
         // 评论 + 自动身份标签
         const rawComments = await dbAll(`
-      SELECT dc.*, u.handle, u.name, u.role, u.lifetime_score,
+      SELECT dc.*, u.handle, u.name, u.role,
         (SELECT COUNT(*) FROM orders o
-         WHERE o.buyer_id = dc.commenter_id AND o.product_id = ? AND o.status = 'completed') as bought_count,
+         WHERE o.buyer_id = dc.commenter_id AND o.product_id = ? AND ${genuineSalePredicate('o')}) as bought_count,
         (SELECT COUNT(*) FROM products p
          WHERE p.seller_id = dc.commenter_id AND p.category = (SELECT category FROM products WHERE id = ?) AND p.status = 'active') as same_cat_seller_count
       FROM dispute_comments dc
@@ -118,7 +119,7 @@ export function registerDisputeCasesRoutes(app, deps) {
         // W5: 取所有子回复，按 parent_comment_id 分组挂在 comments 下
         const commentIds = rawComments.map(r => r.id);
         const rawReplies = commentIds.length > 0 ? await dbAll(`
-      SELECT r.*, u.handle, u.name, u.role, u.lifetime_score
+      SELECT r.*, u.handle, u.name, u.role
       FROM dispute_comment_replies r LEFT JOIN users u ON u.id = r.replier_id
       WHERE r.parent_comment_id IN (${commentIds.map(() => '?').join(',')})
       ORDER BY r.created_at ASC

package/dist/pwa/routes/growth.js

@@ -49,7 +49,7 @@ const GROWTH_TASK_CATALOG = [
     { id: 'tier1_match', chapter: 3,
         title_zh: '持续贡献阶段 1', title_en: 'Contribution stage 1',
         desc_zh: '推荐网络贡献达到第一阶段标准', desc_en: 'Referral-network contribution reaches stage-1 threshold',
-        evaluate: c => c.weak_leg_pv >= 30000 },
+        evaluate: c => c.min_leg_pv >= 30000 },
     // 第 4 关：分享达人
     { id: 'monthly_100', chapter: 4,
         title_zh: '月度推荐收益 100 WAZ', title_en: 'Monthly referral income 100 WAZ',
@@ -83,7 +83,7 @@ async function buildGrowthTaskCtx(_db, userId) {
     const sCount = (await dbOne("SELECT COUNT(*) AS n FROM shareables WHERE owner_id = ? AND status = 'active'", [userId])).n;
     const mCount = (await dbOne("SELECT COUNT(*) AS n FROM manifest_registry WHERE owner_id = ? AND status = 'active'", [userId])).n;
     const pv = await dbOne("SELECT total_left_pv, total_right_pv FROM users WHERE id = ?", [userId]);
-    const weakLeg = Math.min(Number(pv?.total_left_pv || 0), Number(pv?.total_right_pv || 0));
+    const minLeg = Math.min(Number(pv?.total_left_pv || 0), Number(pv?.total_right_pv || 0));
     const comm30 = (await dbOne(`SELECT COALESCE(SUM(amount),0) AS s FROM commission_records WHERE beneficiary_id = ? AND created_at >= datetime('now','-30 days')`, [userId])).s;
     const waz30 = (await dbOne(`SELECT COALESCE(SUM(waz_amount),0) AS s FROM binary_score_records WHERE user_id = ? AND settled_at >= datetime('now','-30 days')`, [userId])).s;
     return {
@@ -97,7 +97,7 @@ async function buildGrowthTaskCtx(_db, userId) {
         earnings_grand: grand,
         shareables_count: sCount,
         manifests_count: mCount,
-        weak_leg_pv: weakLeg,
+        min_leg_pv: minLeg,
         last_30_total: comm30 + waz30,
     };
 }

package/dist/pwa/routes/orders-action.js

@@ -320,12 +320,27 @@ export function registerOrdersActionRoutes(app, deps) {
                         commissionDistributed += Number(r.amount);
                     }
                     const commissionRedirected = round2(commissionPool - commissionDistributed);
-                    // QA 轮 14.b P2：redirected_total 拆 chain_gap(→charity) vs region_cap(→global_fund)
-                    // 之前单一数字让 agent 无法分辨钱去哪（global region L2/L3 进 global_fund，不是 charity）
-                    const charityRow = (await dbOne("SELECT COALESCE(SUM(amount),0) AS s FROM charity_fund_txns WHERE related_order_id = ?", [req.params.id]));
-                    const redirectedToCharity = round2(Number(charityRow.s));
-                    const fundDepRow = (await dbOne("SELECT COALESCE(SUM(amount_l3),0) AS s FROM fund_deposits WHERE order_id = ?", [req.params.id]));
-                    const redirectedToGlobalFund = round2(Number(fundDepRow.s));
+                    // 2026-06-04 三科目解耦后：未发出的 commission 不再进 charity_fund / global_fund。
+                    //   region_cap / chain_gap / orphan_sponsor / opt_out_deactivated → commission_reserve（按 kind）
+                    //   opt-out 未激活（never_activated / auto_downgrade）         → pending_commission_escrow（30 天内 recipient opt-in 可恢复）
+                    // 此处只读汇总本单去向，让 agent 看清 redirected_total 实际落点（settleOrder 已完成，无写、无原子性要求）。
+                    const crRows = await dbAll("SELECT kind, COALESCE(SUM(amount),0) AS s FROM commission_reserve_txns WHERE related_order_id = ? GROUP BY kind", [req.params.id]);
+                    const reserveByKind = { region_cap: 0, chain_gap: 0, orphan_sponsor: 0, opt_out_deactivated: 0, escrow_expired: 0 };
+                    for (const r of crRows) {
+                        if (r.kind === 'redirect_region_cap')
+                            reserveByKind.region_cap = round2(Number(r.s));
+                        else if (r.kind === 'redirect_chain_gap')
+                            reserveByKind.chain_gap = round2(Number(r.s));
+                        else if (r.kind === 'redirect_orphan_sponsor')
+                            reserveByKind.orphan_sponsor = round2(Number(r.s));
+                        else if (r.kind === 'redirect_opt_out_deactivated')
+                            reserveByKind.opt_out_deactivated = round2(Number(r.s));
+                        else if (r.kind === 'redirect_escrow_expired')
+                            reserveByKind.escrow_expired = round2(Number(r.s));
+                    }
+                    const redirectedToCommissionReserve = round2(reserveByKind.region_cap + reserveByKind.chain_gap + reserveByKind.orphan_sponsor + reserveByKind.opt_out_deactivated + reserveByKind.escrow_expired);
+                    const escrowRow = (await dbOne("SELECT COALESCE(SUM(amount),0) AS s FROM pending_commission_escrow WHERE order_id = ? AND status = 'pending'", [req.params.id]));
+                    const heldInOptOutEscrow = round2(Number(escrowRow.s));
                     // QA 轮 9.5 P2：payouts 表只 MCP legacy 写，PWA settleOrder 直更 wallet.balance 不写 payouts
                     // 改用公式推算 sellerAmount（跟 PWA settleOrder 内部计算一致），更可靠
                     const fundBase1pct = round2(total * 0.01);
@@ -336,7 +351,7 @@ export function registerOrdersActionRoutes(app, deps) {
                         order_amount: total,
                         distribution: {
                             seller_net: { amount: sellerAmountComputed, to: ord.seller_id, note: '不含可能的首销 stake 锁定（settleOrder 内 stake_locked_at 首次锁，从 sellerAmount 划出）' },
-                            protocol_fund_2pct: { amount: protocolFee, split: { management_bonus_pool: round2(protocolFee / 2), sys_protocol_ops: round2(protocolFee / 2) } },
+                            protocol_fund_2pct: { amount: protocolFee, split: { protocol_reserve_pool: round2(protocolFee / 2), sys_protocol_ops: round2(protocolFee / 2) } },
                             logistics_fee: { amount: logisticsActual, rate: isInPerson ? 'N/A in_person' : (ord.logistics_id ? '5%' : 'N/A self-fulfill') },
                             commission_pool: { total: commissionPool, rate: `${(commissionRate * 100).toFixed(1)}%` },
                             commission_distribution_7_2_1: {
@@ -345,9 +360,11 @@ export function registerOrdersActionRoutes(app, deps) {
                                 l3: commByLevel[3],
                                 distributed_total: round2(commissionDistributed),
                                 redirected_total: commissionRedirected,
-                                redirected_to_charity: redirectedToCharity, // chain_gap (无 L / sponsor 无效)
-                                redirected_to_global_fund: redirectedToGlobalFund, // region cap (level > region max_levels)
-                                redirect_note: 'chain_gap (无 L) → charity_fund; region cap (level > max_levels) → global_fund',
+                                redirected_to_commission_reserve: redirectedToCommissionReserve,
+                                reserve_by_kind: reserveByKind, // region_cap / chain_gap / orphan_sponsor / opt_out_deactivated / escrow_expired
+                                held_in_opt_out_escrow: heldInOptOutEscrow, // never_activated / auto_downgrade — recipient opt-in 可恢复
+                                redirect_accounted_ok: Math.abs(commissionRedirected - round2(redirectedToCommissionReserve + heldInOptOutEscrow)) < 0.01,
+                                redirect_note: '未发出佣金 → commission_reserve（region_cap / chain_gap / orphan_sponsor / opt_out_deactivated）；opt-out 未激活（never_activated / auto_downgrade）暂存 pending_commission_escrow（30 天内 opt-in 可恢复），逾期未恢复则转入 commission_reserve（escrow_expired）。2026-06-04 起不再进 charity_fund / global_fund。',
                             },
                             fund_base_1pct: fundBase1pct,
                         },

package/dist/pwa/routes/orders-create.js

@@ -371,7 +371,7 @@ export function registerOrdersCreateRoutes(app, deps) {
                 }
                 transition(db, orderId, 'paid', user.id, [], '模拟支付完成');
                 notifyTransition(db, orderId, 'created', 'paid');
-                // 里程碑 3-C：双轨同支检测（监测+审计；不阻断）
+                // 里程碑 3-C：放置同支检测（监测+审计；不阻断）
                 try {
                     auditSponsorChainCross(orderId, user.id, String(product.seller_uid), buyer.sponsor_path);
                 }

package/dist/pwa/routes/products-meta.js

@@ -1,4 +1,17 @@
 import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
+import { genuineSalePredicate } from '../../layer0-foundation/L0-2-state-machine/genuine-sale.js'; // 真实成交单一真相源
+/**
+ * 真实收货完成的订单数(分享资格判据)。
+ * 关键:status='completed' 是状态机的通用终态 — 不只「无争议自然完成」(confirmed→completed),
+ * 还包括 fault_seller / fault_logistics / fault_buyer / declined_nofault / disputed → completed
+ * 这些退款 / 违约 / 争议处置终态。单看 status='completed' 会把「被退款的失败交易」当成有效成交,
+ * 错误授予分享(进而分享分润)资格。
+ * 真实收货 = 该订单曾进入过 confirmed(买家确认收货,或送达后 72h 自动确认)— 仅 happy path 经过,
+ * 所有 fault/争议/退款终态都不经过 confirmed,据此排除。
+ */
+async function genuineReceiptCount(buyerId, productId) {
+    return (await dbOne(`SELECT COUNT(*) AS n FROM orders WHERE buyer_id = ? AND product_id = ? AND ${genuineSalePredicate('orders')}`, [buyerId, productId])).n;
+}
 export function registerProductsMetaRoutes(app, deps) {
     const { db, auth, generateId, rateLimitOk, flagNewAccountShareable, refreshProductSharerCount } = deps;
     void db; // RFC-016: 本文件已全量走异步 seam;db 仍在 deps 由调用方注入,此处不直接使用
@@ -117,16 +130,16 @@ export function registerProductsMetaRoutes(app, deps) {
             return void res.status(404).json({ error: 'not_found' });
         res.json(row);
     });
-    // 分享许可：是否对该商品有 completed 订单
+    // 分享许可：是否真实收货完成该商品(经过 confirmed,排除退款/违约/争议终态)
     app.get('/api/products/:id/can-share', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const completed = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND product_id = ? AND status = 'completed'", [user.id, req.params.id])).n;
+        const completed = await genuineReceiptCount(user.id, req.params.id);
         res.json({
             can_share: completed > 0,
             completed_orders: completed,
-            reason: completed > 0 ? 'verified_buyer_of_product' : 'need_completed_order_of_this_product',
+            reason: completed > 0 ? 'genuine_receipt_of_product' : 'need_genuine_receipt_of_this_product',
         });
     });
     // 获取或创建商品 shareable（被 sharePromoLink 用，走 /s/<id> 短链）
@@ -144,7 +157,7 @@ export function registerProductsMetaRoutes(app, deps) {
             };
             const minOrders = await getParam('rewards_opt_in.min_completed_orders', 1);
             const requirePasskey = await getParam('rewards_opt_in.require_passkey', 1);
-            const totalCompleted = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [user.id])).n;
+            const totalCompleted = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND ${genuineSalePredicate('orders')}`, [user.id])).n; // 真实成交,排除退款/违约
             const passkeyCount = (await dbOne("SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?", [user.id])).n;
             const missing = [];
             if (totalCompleted < minOrders)
@@ -165,9 +178,9 @@ export function registerProductsMetaRoutes(app, deps) {
                 ],
             });
         }
-        const completed = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND product_id = ? AND status = 'completed'", [user.id, productId])).n;
+        const completed = await genuineReceiptCount(user.id, productId);
         if (completed === 0)
-            return void res.json({ error: '需先完成该商品的购买才能分享', completed_orders: 0 });
+            return void res.json({ error: '需先真实收货完成该商品的购买才能分享(退款 / 违约 / 争议订单不算)', completed_orders: 0 });
         // 优先复用现有 active shareable
         const existing = await dbOne(`SELECT id, owner_code FROM shareables WHERE owner_id = ? AND related_product_id = ? AND status = 'active' LIMIT 1`, [user.id, productId]);
         if (existing) {

package/dist/pwa/routes/profile-placement.js

@@ -35,7 +35,7 @@ export function registerProfilePlacementRoutes(app, deps) {
             return void res.json({ error: '不能挂靠到自己' });
         const u = await dbOne("SELECT placement_id, left_child_id, right_child_id FROM users WHERE id = ?", [user.id]);
         if (u?.placement_id)
-            return void res.json({ error: '你已在双轨树中（永久第一触点，不可改）' });
+            return void res.json({ error: '你已在放置树中（永久第一触点，不可改）' });
         if (u?.left_child_id || u?.right_child_id)
             return void res.json({ error: '你已有下线，不可补绑（防破坏树结构）' });
         const inviter = await dbOne("SELECT id, placement_path FROM users WHERE id = ? AND id NOT IN ('sys_protocol', ?)", [resolvedInviterId, internalAuditorId]);

package/dist/pwa/routes/promoter.js

@@ -1,6 +1,7 @@
 import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
+import { genuineSalePredicate } from '../../layer0-foundation/L0-2-state-machine/genuine-sale.js'; // 真实成交单一真相源
 export function registerPromoterRoutes(app, deps) {
-    const { db, auth, isAllowedSponsor } = deps;
+    const { db, auth, isAllowedSponsor, participationRecordingActive } = deps;
     void db; // RFC-016: 本文件已全量走异步 seam;db 仍在 deps 由调用方注入,此处不直接使用
     app.get('/api/promoter/dashboard', async (req, res) => {
         const user = auth(req, res);
@@ -41,21 +42,9 @@ export function registerPromoterRoutes(app, deps) {
         const leftChildName = myUser?.left_child_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [myUser.left_child_id]))?.name : null;
         const rightChildName = myUser?.right_child_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [myUser.right_child_id]))?.name : null;
         const myPlacementName = myUser?.placement_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [myUser.placement_id]))?.name : null;
-        const scoreAgg = (await dbOne(`
-      SELECT
-        COALESCE(SUM(CASE WHEN settled_at IS NULL THEN score ELSE 0 END),0) as pending_score,
-        COALESCE(SUM(CASE WHEN settled_at IS NOT NULL THEN waz_amount ELSE 0 END),0) as settled_waz,
-        COUNT(*) as total_hits
-      FROM binary_score_records WHERE user_id = ?
-    `, [userId]));
-        const recentBinary = await dbAll(`
-      SELECT id, tier, score, settled_at, waz_amount, created_at
-      FROM binary_score_records WHERE user_id = ?
-      ORDER BY created_at DESC LIMIT 10
-    `, [userId]);
-        const tiers = await dbAll("SELECT tier, pv_threshold, score_per_hit FROM binary_tier_config WHERE active=1 ORDER BY tier ASC");
+        // matching-rewards reads (score / recent matches / tier config) removed — engine excised (#401).
         const canL1Share = isAllowedSponsor(userId);
-        const completedOrders = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [userId])).n;
+        const completedOrders = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND ${genuineSalePredicate('orders')}`, [userId])).n; // 真实成交,排除退款/违约
         const overrideRow = await dbOne("SELECT l1_share_override FROM users WHERE id = ?", [userId]);
         const shareableProducts = await dbAll(`
       SELECT p.id, p.title, p.price, p.category, p.commission_rate,
@@ -64,7 +53,7 @@ export function registerPromoterRoutes(app, deps) {
                   JOIN orders o2 ON o2.id = cr.order_id
                   WHERE cr.beneficiary_id = ? AND o2.product_id = p.id), 0) as my_earned
       FROM products p
-      WHERE p.id IN (SELECT DISTINCT product_id FROM orders WHERE buyer_id = ? AND status = 'completed')
+      WHERE p.id IN (SELECT DISTINCT product_id FROM orders WHERE buyer_id = ? AND ${genuineSalePredicate('orders')})
         AND p.commission_rate IS NOT NULL AND p.commission_rate > 0
         AND p.status = 'active'
       ORDER BY my_earned DESC, total_sales DESC LIMIT 20
@@ -77,21 +66,15 @@ export function registerPromoterRoutes(app, deps) {
       SELECT COALESCE(SUM(amount),0) as total FROM commission_records
       WHERE beneficiary_id = ? AND created_at >= datetime('now','-60 days')
         AND created_at < datetime('now','-30 days')
-    `, [userId])).total;
-        const wazLast30 = (await dbOne(`
-      SELECT COALESCE(SUM(waz_amount),0) as total FROM binary_score_records
-      WHERE user_id = ? AND settled_at >= datetime('now','-30 days')
     `, [userId])).total;
         const projection = {
             last_30_commission: earnedLast30,
             prev_30_commission: earnedPrev30,
-            last_30_atomic_waz: wazLast30,
             growth_rate: earnedPrev30 > 0 ? earnedLast30 / earnedPrev30 - 1 : null,
-            next_30_estimate: earnedLast30 + wazLast30,
+            next_30_estimate: earnedLast30,
         };
         const insights = [];
-        // pre-public de-MLM:移除弱腿 / pairing / PV-tier 经营建议 —— PV 对碰为 pre-launch、未对用户启用,
-        // 不在用户面 surface 营销主推弱腿 / pairing 公式 / PV-tier 进度等玩法。位置 / PV 仅为参与记录,非收益路径。
+        // 匹配奖励引擎已切除(#401):不展示任何奖励经营建议;位置 / PV 仅为参与记录,非收益路径。
         const lastInvite = (await dbOne(`SELECT MAX(created_at) as t FROM users WHERE sponsor_id = ?`, [userId]));
         if (lastInvite.t) {
             const days = Math.floor((Date.now() - new Date(lastInvite.t).getTime()) / 86400_000);
@@ -167,17 +150,15 @@ export function registerPromoterRoutes(app, deps) {
             shareable_products: shareableProducts,
             projection,
             insights,
+            gates: { participation_recording_active: participationRecordingActive() },
+            // Neutral participation record only — placement position + per-leg PV. No rewards (matching engine excised #401).
+            // (response keys `atomic` / `binary_tree` kept as the placement structure's stable shape — frontend reads them)
             atomic: {
-                left_invite_url: codeForLink ? `${host}/i/${codeForLink}-L` : null,
-                right_invite_url: codeForLink ? `${host}/i/${codeForLink}-R` : null,
                 total_left_pv: Number(myUser?.total_left_pv ?? 0),
                 total_right_pv: Number(myUser?.total_right_pv ?? 0),
                 left_child: myUser?.left_child_id ? { id: myUser.left_child_id, name: leftChildName } : null,
                 right_child: myUser?.right_child_id ? { id: myUser.right_child_id, name: rightChildName } : null,
                 my_placement: myUser?.placement_id ? { id: myUser.placement_id, name: myPlacementName, side: myUser.placement_side } : null,
-                score: scoreAgg,
-                recent_binary: recentBinary,
-                tier_config: tiers,
                 binary_tree: binaryTree,
             },
         });

package/dist/pwa/routes/public-build-tasks.js

@@ -1,4 +1,5 @@
 import { listBuildTasksWithAgentMetadata, getBuildTaskWithAgentMetadata, validateTaskFilters, withContributionReadEnvelope } from '../../layer2-business/L2-9-contribution/build-task-read.js';
+import { caseIdForTask } from '../../layer2-business/L2-9-contribution/task-proposal-draft.js';
 export function registerPublicBuildTasksRoutes(app, deps) {
     const { db, errorRes } = deps;
     app.get('/api/public/build-tasks', (req, res) => {
@@ -14,6 +15,9 @@ export function registerPublicBuildTasksRoutes(app, deps) {
         const task = getBuildTaskWithAgentMetadata(db, String(req.params.id), 'public');
         if (!task)
             return void errorRes(res, 404, 'NOT_FOUND', '任务不存在');
-        res.json(withContributionReadEnvelope({ task }));
+        // case_id threads proposal → task → PR (= source proposal id if converted from a proposal, else the task id),
+        // so the proposer, the contributor, and the PR all quote one id. (Helper lives in the store — keeps this
+        // route off the RFC-016 raw-db seam.)
+        res.json(withContributionReadEnvelope({ task: { ...task, case_id: caseIdForTask(db, String(req.params.id)) } }));
     });
 }