@seasonkoh/webaz 0.1.26 → 0.1.28

package/dist/pwa/pv-kill-switch.js

@@ -0,0 +1,31 @@
+/** Participation recording switch (default ON — only an explicit '0' disables). */
+export const PARTICIPATION_RECORDING_KEY = 'participation_recording_active';
+/** Matching-rewards operational on-switch + legal/governance clearance marker (both required, default OFF). */
+export const MATCHING_REWARDS_ACTIVE_KEY = 'matching_rewards_active';
+export const MATCHING_REWARDS_CLEARED_KEY = 'matching_rewards_activation_cleared';
+const readParam = (db, k) => db.prepare('SELECT value FROM protocol_params WHERE key = ?').get(k)?.value;
+/**
+ * DEFAULT ON. Neutral participation/contribution recording (PV ledger + PV aggregation) is allowed unless
+ * explicitly turned off. Absent param / query error → ON (recording is safe + neutral; not a payout).
+ */
+export function participationRecordingActive(db) {
+    try {
+        return readParam(db, PARTICIPATION_RECORDING_KEY) !== '0'; // default ON; only an explicit '0' disables
+    }
+    catch {
+        return true; // recording is neutral/no-payout — failing to ON preserves the visible-participation principle
+    }
+}
+/**
+ * DEFAULT OFF. Matching-rewards settlement + payout + any reward distribution. True ONLY when the
+ * operational on-switch AND the legal/governance-clearance marker are BOTH '1'. FAIL-CLOSED on any
+ * missing param / query error → false (never pay on uncertainty; never break the order-settlement hot path).
+ */
+export function matchingRewardsActive(db) {
+    try {
+        return readParam(db, MATCHING_REWARDS_ACTIVE_KEY) === '1' && readParam(db, MATCHING_REWARDS_CLEARED_KEY) === '1';
+    }
+    catch {
+        return false;
+    }
+}

package/dist/pwa/routes/admin-admins.js

@@ -140,11 +140,58 @@ export function registerAdminAdminsRoutes(app, deps) {
             catch { }
             rolesArr = rolesArr.filter(r => r !== 'admin');
             const newRole = rolesArr[0] || 'buyer';
-            db.prepare(`UPDATE users SET role = ?, roles = ?, admin_type = NULL, admin_scope = NULL, updated_at = datetime('now') WHERE id = ?`)
+            db.prepare(`UPDATE users SET role = ?, roles = ?, admin_type = NULL, admin_scope = NULL, admin_permissions = NULL, updated_at = datetime('now') WHERE id = ?`)
                 .run(newRole, JSON.stringify(rolesArr), targetId);
             db.prepare(`INSERT INTO admin_audit_log (id, admin_id, action, target_type, target_id, detail) VALUES (?,?,?,?,?,?)`)
                 .run(generateId('audit'), root.id, 'admin_revoke', 'user', targetId, JSON.stringify({ revoked_type: target.admin_type, new_role: newRole }));
         })();
         res.json({ ok: true });
     });
+    // ── ROOT-only emergency freeze of an admin: suspend + strip ALL admin capability + revoke sessions ──
+    // For incident response (e.g. a compromised / rogue admin). Atomic. Cannot freeze self or the last root.
+    app.post('/api/admin/admins/:id/emergency-freeze', async (req, res) => {
+        const root = requireRootAdmin(req, res);
+        if (!root)
+            return;
+        const targetId = req.params.id;
+        if (targetId === root.id)
+            return void res.json({ error: '不能冻结自己' });
+        const reason = (req.body?.reason ? String(req.body.reason).slice(0, 200) : '') || 'emergency admin freeze';
+        const target = await dbOne(`SELECT id, role, roles, admin_type FROM users WHERE id = ?`, [targetId]);
+        if (!target)
+            return void res.json({ error: '用户不存在' });
+        if (!target.admin_type)
+            return void res.json({ error: '目标必须是 admin 账号' });
+        if (target.admin_type === 'root') {
+            const rootCount = (await dbOne(`SELECT COUNT(1) as n FROM users WHERE admin_type = 'root'`, [])).n;
+            if (rootCount <= 1)
+                return void res.json({ error: '不能冻结最后一个 root admin' });
+        }
+        let sessionsRevoked = 0;
+        db.transaction(() => {
+            let rolesArr = [];
+            try {
+                rolesArr = JSON.parse(target.roles || '[]');
+            }
+            catch { }
+            const oldRoles = [...rolesArr];
+            rolesArr = rolesArr.filter(r => r !== 'admin');
+            const newRole = rolesArr[0] || 'buyer';
+            // 1) suspend
+            db.prepare(`INSERT INTO user_moderation (user_id, suspended, reason, suspended_by, suspended_at)
+        VALUES (?, 1, ?, ?, datetime('now'))
+        ON CONFLICT(user_id) DO UPDATE SET suspended = 1, reason = excluded.reason, suspended_by = excluded.suspended_by, suspended_at = excluded.suspended_at`)
+                .run(targetId, reason, root.id);
+            // 2) strip ALL admin capability
+            db.prepare(`UPDATE users SET role = ?, roles = ?, admin_type = NULL, admin_scope = NULL, admin_permissions = NULL, updated_at = datetime('now') WHERE id = ?`)
+                .run(newRole, JSON.stringify(rolesArr), targetId);
+            // 3) revoke all active sessions
+            const r = db.prepare(`UPDATE user_sessions SET revoked_at = datetime('now') WHERE user_id = ? AND revoked_at IS NULL`).run(targetId);
+            sessionsRevoked = r.changes;
+            // 4) audit
+            db.prepare(`INSERT INTO admin_audit_log (id, admin_id, action, target_type, target_id, detail) VALUES (?,?,?,?,?,?)`)
+                .run(generateId('audit'), root.id, 'admin_emergency_freeze', 'user', targetId, JSON.stringify({ old_admin_type: target.admin_type, old_roles: oldRoles, sessions_revoked: sessionsRevoked, reason }));
+        })();
+        res.json({ ok: true, frozen: targetId, sessions_revoked: sessionsRevoked });
+    });
 }

package/dist/pwa/routes/admin-analytics.js

@@ -215,24 +215,15 @@ export function registerAdminAnalyticsRoutes(app, deps) {
         AND (vs.suspended_until IS NULL OR vs.suspended_until < datetime('now'))
     `));
         const tokenomics = await (async () => {
-            const gf = await dbOne("SELECT pool_balance, total_scores_pending, current_n, last_settled_at FROM global_fund WHERE id=1");
-            const mb = await dbOne("SELECT balance FROM management_bonus_pool WHERE id=1");
+            // matching-rewards admin metrics (pool / scores / mgmt-bonus / binary payout) removed — engine excised (#401).
             const pendingLedger = (await dbOne("SELECT COUNT(*) as n FROM pv_ledger WHERE processed = 0")).n;
             const commCount = (await dbOne("SELECT COUNT(*) as n, COALESCE(SUM(amount),0) as t FROM commission_records"));
             const dirtyUsers = (await dbOne("SELECT COUNT(*) as n FROM users WHERE pv_dirty_at IS NOT NULL")).n;
-            const matchedTotal = (await dbOne("SELECT COUNT(*) as n, COALESCE(SUM(waz_amount),0) as w FROM binary_score_records WHERE settled_at IS NOT NULL"));
             return {
-                pool_balance: Number(gf?.pool_balance ?? 0),
-                scores_pending: Number(gf?.total_scores_pending ?? 0),
-                current_n: Number(gf?.current_n ?? 0),
-                last_settled_at: gf?.last_settled_at,
-                management_bonus: Number(mb?.balance ?? 0),
                 ledger_pending: pendingLedger,
                 dirty_users: dirtyUsers,
                 commission_records: commCount.n,
                 commission_total: commCount.t,
-                binary_settled: matchedTotal.n,
-                binary_waz_total: matchedTotal.w,
             };
         })();
         res.json({

package/dist/pwa/routes/admin-atomic.js

@@ -1,5 +1,8 @@
 export function registerAdminAtomicRoutes(app, deps) {
-    const { requireProtocolAdmin, processPvLedger, runBinarySettlement, executeSafeSettlementCron, logAdminAction } = deps;
+    // matching settlement / payout endpoints removed — engine excised (#401). Only neutral
+    // participation-recording (process-ledger) remains. (runBinarySettlement / executeSafeSettlementCron
+    // are still injected by the server but no longer wired to any endpoint here.)
+    const { requireProtocolAdmin, processPvLedger, logAdminAction } = deps;
     app.post('/api/admin/atomic/process-ledger', (req, res) => {
         const admin = requireProtocolAdmin(req, res);
         if (!admin)
@@ -8,20 +11,4 @@ export function registerAdminAtomicRoutes(app, deps) {
         logAdminAction(admin.id, 'atomic_process_ledger', 'protocol', null, { processed });
         res.json({ processed });
     });
-    app.post('/api/admin/atomic/run-settlement', (req, res) => {
-        const admin = requireProtocolAdmin(req, res);
-        if (!admin)
-            return;
-        const settled = runBinarySettlement();
-        logAdminAction(admin.id, 'atomic_run_settlement', 'protocol', null, { settled });
-        res.json({ settled });
-    });
-    app.post('/api/admin/atomic/distribute', (req, res) => {
-        const admin = requireProtocolAdmin(req, res);
-        if (!admin)
-            return;
-        const result = executeSafeSettlementCron();
-        logAdminAction(admin.id, 'atomic_distribute', 'protocol', null, { result });
-        res.json(result);
-    });
 }

package/dist/pwa/routes/admin-operator-claims.js

@@ -0,0 +1,280 @@
+import { logAdminAction } from '../admin-audit.js';
+import { proposeClaim, confirmClaim, approveClaim, rejectClaim, revokeApprovedClaim, deriveClaimState, listClaimsForSeat, listPendingConfirmationsForContributor, listAllClaims, emitClaimNotifications, claimedEventIdOfApproved, requestUnlink, approveUnlink, rejectUnlink, pendingUnlinkForApproved, listContributorRelationships, listPendingUnlinkRequests, } from '../../layer2-business/L2-9-contribution/admin-operator-claim-workflow.js';
+function httpFor(code) {
+    switch (code) {
+        case 'claim_not_found':
+        case 'approved_not_found':
+        case 'request_not_found': return 404;
+        case 'not_admin':
+        case 'not_root':
+        case 'not_contributor':
+        case 'not_party':
+        case 'gate_failed': return 403;
+        case 'bad_state':
+        case 'not_confirmed':
+        case 'contributor_rejected':
+        case 'already_pending': return 409;
+        default: return 400; // invalid_input / contributor_not_found / self_link_* / self_related_* / dishonest_marking
+    }
+}
+/* eslint-disable @typescript-eslint/no-explicit-any */
+function shape(v) {
+    if (!v)
+        return null;
+    return {
+        claimed_event_id: v.claimed.event_id,
+        admin_account_id: v.claimed.admin_account_id,
+        contributor_account_id: v.claimed.contributor_account_id,
+        status: v.status,
+        proposed_at: v.claimed.created_at,
+        confirmation: v.confirmation ? { decision: v.confirmation.decision, decided_by: v.confirmation.decided_by, at: v.confirmation.created_at } : null,
+        approved: v.approved ? { event_id: v.approved.event_id, at: v.approved.created_at } : null,
+    };
+}
+export function registerAdminOperatorClaimRoutes(app, deps) {
+    const { db, errorRes, auth, requireAdmin, requireRootAdmin, consumeGateToken } = deps;
+    // Best-effort: a notify failure must never roll back / fail the claim mutation.
+    const notify = (kind, claimedEventId) => { try {
+        emitClaimNotifications(db, kind, claimedEventId);
+    }
+    catch { /* notifications are degradable */ } };
+    // shape + surface whether an ACTIVE approved claim has a pending unlink request (drives the UI).
+    const shapeClaim = (v) => {
+        const base = shape(v);
+        if (base && v?.status === 'approved' && v.approved) {
+            const pu = pendingUnlinkForApproved(db, v.approved.event_id);
+            base.unlink_pending = pu ? { request_event_id: pu.request_event_id, requested_by: pu.requested_by, requester_role: pu.requester_role, at: pu.created_at } : null;
+        }
+        return base;
+    };
+    // ── admin proposes linking THEIR OWN seat to a contributor account ──
+    app.post('/api/admin/operator-claims', (req, res) => {
+        const admin = requireAdmin(req, res);
+        if (!admin)
+            return;
+        const contributorAccountId = String((req.body?.contributor_account_id ?? '')).trim();
+        const rationale = req.body?.rationale ? String(req.body.rationale) : undefined;
+        if (!contributorAccountId)
+            return errorRes(res, 400, 'invalid_input', 'contributor_account_id required');
+        try {
+            const out = db.transaction(() => {
+                const r = proposeClaim(db, { actorAdminId: admin.id, contributorAccountId, rationale });
+                if (!r.ok)
+                    return r;
+                logAdminAction(db, { adminId: admin.id, action: 'operator_claim.propose', targetType: 'user', targetId: contributorAccountId, detail: { claimed_event_id: r.claimedEventId }, context: { actorType: 'admin_account', agentMode: 'human_direct' } });
+                return r;
+            })();
+            if (!out.ok)
+                return errorRes(res, httpFor(out.code), out.code, out.message);
+            notify('proposed', out.claimedEventId); // → tell the contributor to confirm
+            res.json({ ok: true, claim: shape(deriveClaimState(db, out.claimedEventId)) });
+        }
+        catch (e) {
+            errorRes(res, 500, 'internal', e.message);
+        }
+    });
+    // ── the calling admin's own seat: its claims + states (shapeClaim → carries unlink_pending so the
+    //    admin-seat owner can request/track unlink on their own active claims) ──
+    app.get('/api/admin/operator-claims/me', (req, res) => {
+        const admin = requireAdmin(req, res);
+        if (!admin)
+            return;
+        res.json({ seat: admin.id, claims: listClaimsForSeat(db, admin.id).map(shapeClaim) });
+    });
+    // ── contributor: claims pointing at ME awaiting my confirmation ──
+    app.get('/api/me/operator-claim-confirmations', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        res.json({ pending: listPendingConfirmationsForContributor(db, user.id).map(shape) });
+    });
+    // ── contributor accepts/rejects a claim pointing at them ──
+    app.post('/api/me/operator-claim-confirmations/:claimedEventId', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const decision = String(req.body?.decision ?? '');
+        const rationale = req.body?.rationale ? String(req.body.rationale) : undefined;
+        try {
+            const out = db.transaction(() => {
+                const r = confirmClaim(db, { claimedEventId: String(req.params.claimedEventId), deciderId: user.id, decision: decision, rationale });
+                if (!r.ok)
+                    return r;
+                logAdminAction(db, { adminId: user.id, action: 'operator_claim.confirm', targetType: 'operator_claim', targetId: String(req.params.claimedEventId), detail: { decision }, context: { actorType: 'human', agentMode: 'human_direct' } });
+                return r;
+            })();
+            if (!out.ok)
+                return errorRes(res, httpFor(out.code), out.code, out.message);
+            notify(decision === 'accepted' ? 'accepted' : 'rejected_by_contributor', String(req.params.claimedEventId)); // → root to approve, or admin that it was declined
+            res.json({ ok: true, claim: shape(deriveClaimState(db, String(req.params.claimedEventId))) });
+        }
+        catch (e) {
+            errorRes(res, 500, 'internal', e.message);
+        }
+    });
+    // ── ROOT: review queue (all claims, optional ?status=) ──
+    app.get('/api/admin/operator-claims', (req, res) => {
+        const root = requireRootAdmin(req, res);
+        if (!root)
+            return;
+        const status = req.query.status ? String(req.query.status) : undefined;
+        res.json({ claims: listAllClaims(db, status).map(shape) });
+    });
+    // ── ROOT: claim detail ──
+    app.get('/api/admin/operator-claims/:claimedEventId', (req, res) => {
+        const root = requireRootAdmin(req, res);
+        if (!root)
+            return;
+        const v = deriveClaimState(db, String(req.params.claimedEventId));
+        if (!v)
+            return errorRes(res, 404, 'claim_not_found', 'no such claim');
+        res.json({ claim: shape(v) });
+    });
+    // Shared tx + audit + error boilerplate. Each ROOT route below inlines requireRootAdmin(req, res)
+    // FIRST (so the api-docs/OpenAPI generator detects the auth gate) then delegates here.
+    const runRootMutation = (res, root, req, action, targetId, fn, notifyKind, notifyClaimedEventId) => {
+        try {
+            const out = db.transaction(() => {
+                const r = fn();
+                if (!r.ok)
+                    return r;
+                logAdminAction(db, { adminId: root.id, action, targetType: 'operator_claim', targetId, detail: { result: r }, context: { actorType: 'admin_account', agentMode: 'human_direct', approvalKind: req.body?.approval_kind, conflictDisclosure: req.body?.conflict_disclosure } });
+                return r;
+            })();
+            if (!out.ok)
+                return errorRes(res, httpFor(out.code), out.code, out.message);
+            if (notifyKind && notifyClaimedEventId)
+                notify(notifyKind, notifyClaimedEventId); // → tell contributor + proposing admin
+            res.json({ ok: true, result: out });
+        }
+        catch (e) {
+            errorRes(res, 500, 'internal', e.message);
+        }
+    };
+    // ── ROOT: approve a proposed-or-confirmed claim ──
+    app.post('/api/admin/operator-claims/:claimedEventId/approve', (req, res) => {
+        const root = requireRootAdmin(req, res);
+        if (!root)
+            return;
+        const id = String(req.params.claimedEventId);
+        runRootMutation(res, root, req, 'operator_claim.approve', id, () => approveClaim(db, { claimedEventId: id, approverId: root.id, approvalKind: String(req.body?.approval_kind ?? ''), conflictDisclosure: String(req.body?.conflict_disclosure ?? ''), rationale: req.body?.rationale ? String(req.body.rationale) : undefined }), 'approved', id);
+    });
+    // ── ROOT: reject a still-proposed/confirmed claim ──
+    app.post('/api/admin/operator-claims/:claimedEventId/reject', (req, res) => {
+        const root = requireRootAdmin(req, res);
+        if (!root)
+            return;
+        const id = String(req.params.claimedEventId);
+        runRootMutation(res, root, req, 'operator_claim.reject', id, () => rejectClaim(db, { claimedEventId: id, approverId: root.id, rationale: req.body?.rationale ? String(req.body.rationale) : undefined }), 'rejected_by_root', id);
+    });
+    // ── ROOT: revoke an APPROVED (active) claim ──
+    app.post('/api/admin/operator-claims/:approvedEventId/revoke', (req, res) => {
+        const root = requireRootAdmin(req, res);
+        if (!root)
+            return;
+        const id = String(req.params.approvedEventId);
+        const claimedId = claimedEventIdOfApproved(db, id) ?? undefined; // resolve the claim behind the approval for notifications
+        runRootMutation(res, root, req, 'operator_claim.revoke', id, () => revokeApprovedClaim(db, { approvedEventId: id, revokerId: root.id, rationale: req.body?.rationale ? String(req.body.rationale) : undefined }), 'revoked', claimedId);
+    });
+    // ── contributor self-view: ALL relationships pointing at me (pending/confirmed/approved/history) ──
+    app.get('/api/me/operator-claims', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        res.json({ relationships: listContributorRelationships(db, user.id).map(shapeClaim) });
+    });
+    // ── EITHER PARTY requests UNLINK of an active approved claim — passkey-gated (not just a UI confirm) ──
+    app.post('/api/me/operator-claims/:approvedEventId/request-unlink', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const approvedEventId = String(req.params.approvedEventId);
+        const webauthnToken = req.body?.webauthn_token ? String(req.body.webauthn_token) : undefined;
+        const reason = req.body?.reason ? String(req.body.reason) : undefined;
+        // fresh passkey gate bound to THIS approved claim (purpose 'operator_claim_unlink'). TODO: could be
+        // promoted to the typed requireHumanPresence iron-rule purpose; consumeGateToken is the same token store.
+        const gate = consumeGateToken(user.id, webauthnToken, 'operator_claim_unlink', (data) => !!data && typeof data === 'object' && data.approved_event_id === approvedEventId);
+        if (!gate.ok)
+            return errorRes(res, 403, 'gate_failed', gate.reason || '需要 Passkey 验证（重新发起解除申请）');
+        try {
+            const out = db.transaction(() => {
+                const r = requestUnlink(db, { approvedEventId, requesterId: user.id, reason, humanAuthRef: webauthnToken });
+                if (!r.ok)
+                    return r;
+                logAdminAction(db, { adminId: user.id, action: 'operator_claim.unlink_request', targetType: 'operator_claim', targetId: approvedEventId, detail: { request_event_id: r.requestEventId, requester_role: r.requesterRole, reason: reason ?? null, human_auth_ref: webauthnToken ?? null }, context: { actorType: 'human', agentMode: 'human_direct', humanAuthorizationId: webauthnToken } });
+                return r;
+            })();
+            if (!out.ok)
+                return errorRes(res, httpFor(out.code), out.code, out.message);
+            notify('unlink_requested', claimedEventIdOfApproved(db, approvedEventId) ?? ''); // → root review queue
+            res.json({ ok: true, request_event_id: out.requestEventId, requester_role: out.requesterRole });
+        }
+        catch (e) {
+            errorRes(res, 500, 'internal', e.message);
+        }
+    });
+    // ── ROOT: pending unlink requests (review queue). Path under /unlink/ to avoid the /:claimedEventId match.
+    //    self_or_related flags each request the viewing root is a party to → the UI then REQUIRES honest marking. ──
+    app.get('/api/admin/operator-claims/unlink/requests', (req, res) => {
+        const root = requireRootAdmin(req, res);
+        if (!root)
+            return;
+        const rid = root.id;
+        const requests = listPendingUnlinkRequests(db).map((r) => ({
+            ...r,
+            self_or_related: rid === r.admin_account_id || rid === r.contributor_account_id || rid === r.requested_by,
+        }));
+        res.json({ requests });
+    });
+    // ── ROOT: approve an unlink request → revokes the claim. When root is self-or-related to the
+    //    relationship/request, approval_kind + conflict_disclosure are required (governance honesty). ──
+    app.post('/api/admin/operator-claims/unlink/:requestEventId/approve', (req, res) => {
+        const root = requireRootAdmin(req, res);
+        if (!root)
+            return;
+        const id = String(req.params.requestEventId);
+        const approvalKind = req.body?.approval_kind ? String(req.body.approval_kind) : undefined;
+        const conflictDisclosure = req.body?.conflict_disclosure ? String(req.body.conflict_disclosure) : undefined;
+        try {
+            const out = db.transaction(() => {
+                const r = approveUnlink(db, { requestEventId: id, approverId: root.id, approvalKind, conflictDisclosure });
+                if (!r.ok)
+                    return r;
+                logAdminAction(db, { adminId: root.id, action: 'operator_claim.unlink_approve', targetType: 'operator_claim', targetId: id, detail: { result: r }, context: { actorType: 'admin_account', agentMode: 'human_direct', approvalKind: r.approvalKind, conflictDisclosure: r.conflictDisclosure } });
+                return r;
+            })();
+            if (!out.ok)
+                return errorRes(res, httpFor(out.code), out.code, out.message);
+            notify('unlink_approved', out.claimedEventId);
+            res.json({ ok: true, result: out });
+        }
+        catch (e) {
+            errorRes(res, 500, 'internal', e.message);
+        }
+    });
+    // ── ROOT: reject an unlink request → claim stays active. Same self-or-related marking discipline. ──
+    app.post('/api/admin/operator-claims/unlink/:requestEventId/reject', (req, res) => {
+        const root = requireRootAdmin(req, res);
+        if (!root)
+            return;
+        const id = String(req.params.requestEventId);
+        const approvalKind = req.body?.approval_kind ? String(req.body.approval_kind) : undefined;
+        const conflictDisclosure = req.body?.conflict_disclosure ? String(req.body.conflict_disclosure) : undefined;
+        try {
+            const out = db.transaction(() => {
+                const r = rejectUnlink(db, { requestEventId: id, approverId: root.id, approvalKind, conflictDisclosure });
+                if (!r.ok)
+                    return r;
+                logAdminAction(db, { adminId: root.id, action: 'operator_claim.unlink_reject', targetType: 'operator_claim', targetId: id, detail: { result: r }, context: { actorType: 'admin_account', agentMode: 'human_direct', approvalKind: r.approvalKind, conflictDisclosure: r.conflictDisclosure } });
+                return r;
+            })();
+            if (!out.ok)
+                return errorRes(res, httpFor(out.code), out.code, out.message);
+            notify('unlink_rejected', out.claimedEventId);
+            res.json({ ok: true, result: out });
+        }
+        catch (e) {
+            errorRes(res, 500, 'internal', e.message);
+        }
+    });
+}

package/dist/pwa/routes/admin-reports.js

@@ -61,9 +61,8 @@ export function registerAdminReportsRoutes(app, deps) {
         sql += ` ORDER BY vt.created_at DESC LIMIT 100`;
         res.json({ tasks: await dbAll(sql, params) });
     });
-    // 双引擎收入治理视图 — 三级奖励(推土机) vs PV 对碰(原子能) 协议级聚合
-    // 治理依据：根据两引擎实际拨付量决定费率/阈值/拨出率等调参方案
-    // 隐私第一：运营财务，仅 protocol admin 可见（详见 docs/REWARD-ENGINES-DECOUPLING.md）
+    // 收入治理视图 — 联盟佣金(按真实成交)协议级聚合。匹配奖励引擎已切除(#401),不再聚合其指标。
+    // 隐私第一：运营财务，仅 protocol admin 可见。
     app.get('/api/admin/economic-summary', async (req, res) => {
         const admin = requireProtocolAdmin(req, res);
         if (!admin)
@@ -87,12 +86,7 @@ export function registerAdminReportsRoutes(app, deps) {
         // charity_fund 自此纯净（仅捐款/还愿/拨款），不再承接佣金兜底。
         const charity = await dbOne(`SELECT balance, total_donated, total_disbursed, total_redirected FROM charity_fund WHERE id='main'`);
         const cpool = await dbOne(`SELECT balance, total_chain_gap, total_orphan_sponsor, total_region_cap FROM commission_reserve WHERE id='main'`);
-        // 引擎 B：PV 对碰（binary_score_records 现金拨付 + 待拨 Score）
-        const binarySettled = (await dbOne(`SELECT COUNT(*) AS cnt, COALESCE(SUM(waz_amount),0) AS waz FROM binary_score_records WHERE settled_at IS NOT NULL`));
-        const binaryPending = (await dbOne(`SELECT COUNT(*) AS cnt, COALESCE(SUM(score),0) AS score FROM binary_score_records WHERE settled_at IS NULL`));
-        const periods = (await dbOne(`SELECT COUNT(*) AS cnt, COALESCE(SUM(cash_distributed),0) AS dist, COALESCE(SUM(cash_retained),0) AS retained FROM settlement_periods WHERE status='completed'`));
-        const gfund = await dbOne(`SELECT pool_balance, total_scores_pending, current_n, pv_escrow_reserve FROM global_fund WHERE id=1`);
-        // 资金管道：global_fund 蓄水来源（fund_base 1% + commission region_cap redirect）
+        // 资金管道：fund_base 1% 累计 + commission region_cap redirect（历史，新订单恒 0）
         const pipe = (await dbOne(`SELECT COALESCE(SUM(amount_base),0) AS base, COALESCE(SUM(amount_l3),0) AS redirect FROM fund_deposits`));
         res.json({
             engine_a_commission: {
@@ -105,22 +99,6 @@ export function registerAdminReportsRoutes(app, deps) {
                 legacy_global_fund_redirect: r2(pipe.redirect), // 历史：解耦前曾入 global_fund（fund_deposits.amount_l3），新订单恒 0
                 note: '即时分账；兜底全部入 commission_reserve（独立科目，只进不出，治理决定用途），不再污染 charity / global_fund。',
             },
-            engine_b_pv_matching: {
-                cash_distributed_total: r2(binarySettled.waz),
-                settled_match_count: binarySettled.cnt,
-                pending_score: r2(binaryPending.score),
-                pending_match_count: binaryPending.cnt,
-                settlement_periods_completed: periods.cnt,
-                periods_cash_distributed: r2(periods.dist),
-                periods_cash_retained: r2(periods.retained),
-                note: 'Score → 现金经安全阀拨付，源自 global_fund，永不透支。',
-            },
-            global_fund: {
-                pool_balance: r2(Number(gfund?.pool_balance || 0)),
-                pv_escrow_reserve: r2(Number(gfund?.pv_escrow_reserve || 0)), // #1106 已承诺未兑付的 PV 负债（隔离于可分配池）
-                total_scores_pending: r2(Number(gfund?.total_scores_pending || 0)),
-                current_n: r2(Number(gfund?.current_n || 0)),
-            },
             funding_pipe: {
                 fund_base_1pct_accumulated: r2(pipe.base),
                 commission_redirect_accumulated: r2(pipe.redirect),
@@ -131,7 +109,7 @@ export function registerAdminReportsRoutes(app, deps) {
                 total_donated: r2(Number(charity?.total_donated || 0)),
                 total_disbursed: r2(Number(charity?.total_disbursed || 0)),
             },
-            governance_hint: '引擎A=消费即时奖励(分账→钱包，兜底→commission_reserve)；引擎B=团队对碰(global_fund 安全阀)。两者解耦，调参互不影响。详见 docs/REWARD-ENGINES-DECOUPLING.md',
+            governance_hint: '联盟佣金=消费即时分账→钱包，兜底→commission_reserve(独立科目,只进不出)。匹配奖励引擎已切除(#401)。',
             generated_at: new Date().toISOString(),
         });
     });

package/dist/pwa/routes/admin-tokenomics.js

@@ -7,23 +7,14 @@ export function registerAdminTokenomicsRoutes(app, deps) {
         const admin = requireProtocolAdmin(req, res);
         if (!admin)
             return;
-        const tiers = await dbAll("SELECT * FROM binary_tier_config ORDER BY tier ASC");
+        // matching-rewards admin views (tier config / binary leaderboard / mgmt-bonus / pool injection) removed —
+        // engine excised (#401). Only neutral participation-record + affiliate-commission stats remain.
         const topComm = await dbAll(`
       SELECT cr.beneficiary_id, u.name, COUNT(*) as records, COALESCE(SUM(cr.amount),0) as earned
       FROM commission_records cr LEFT JOIN users u ON u.id = cr.beneficiary_id
       WHERE cr.beneficiary_id != 'sys_protocol'
       GROUP BY cr.beneficiary_id ORDER BY earned DESC LIMIT 10
     `);
-        const topBinary = await dbAll(`
-      SELECT bsr.user_id, u.name,
-        COUNT(*) as hits,
-        COALESCE(SUM(CASE WHEN settled_at IS NOT NULL THEN waz_amount ELSE 0 END),0) as waz_total,
-        COALESCE(SUM(score),0) as score_total
-      FROM binary_score_records bsr LEFT JOIN users u ON u.id = bsr.user_id
-      GROUP BY bsr.user_id ORDER BY waz_total DESC LIMIT 10
-    `);
-        const gf = await dbOne("SELECT * FROM global_fund WHERE id=1");
-        const mb = await dbOne("SELECT balance FROM management_bonus_pool WHERE id=1");
         const pvLedger = await dbOne(`
       SELECT COUNT(*) as total,
         SUM(CASE WHEN processed=0 THEN 1 ELSE 0 END) as pending,
@@ -31,43 +22,10 @@ export function registerAdminTokenomicsRoutes(app, deps) {
       FROM pv_ledger
     `);
         res.json({
-            global_fund: gf,
-            management_bonus_pool: mb,
-            tier_config: tiers,
             pv_ledger: pvLedger,
             top_commission: topComm,
-            top_binary: topBinary,
         });
     });
-    // 调整 Tier 配置
-    app.post('/api/admin/tokenomics/tier', async (req, res) => {
-        const admin = requireProtocolAdmin(req, res);
-        if (!admin)
-            return;
-        const { tier, pv_threshold, score_per_hit, active } = req.body;
-        if (!Number.isInteger(tier) || tier < 1 || tier > 10)
-            return void res.json({ error: 'tier 无效' });
-        if (Number(pv_threshold) <= 0 || Number(score_per_hit) <= 0)
-            return void res.json({ error: '阈值/分数必须 > 0' });
-        await dbRun(`INSERT OR REPLACE INTO binary_tier_config (tier, pv_threshold, score_per_hit, active) VALUES (?,?,?,?)`, [tier, Number(pv_threshold), Number(score_per_hit), active ? 1 : 0]);
-        logAdminAction(admin.id, 'tokenomics_tier_update', 'tier', String(tier), { pv_threshold, score_per_hit, active });
-        res.json({ success: true });
-    });
-    // 管理津贴资格列表 + 开关
-    app.get('/api/admin/tokenomics/mgmt-bonus', async (req, res) => {
-        const admin = requireProtocolAdmin(req, res);
-        if (!admin)
-            return;
-        const enabled = (await dbOne("SELECT value FROM system_state WHERE key='mgmt_bonus_enabled'"))?.value === '1';
-        const eligible = await dbAll(`
-      SELECT u.id, u.name, u.created_at,
-        (SELECT COUNT(*) FROM users WHERE sponsor_id = u.id) as l1_count,
-        COALESCE((SELECT SUM(amount) FROM commission_records WHERE beneficiary_id = u.id),0) as total_commission
-      FROM users u WHERE u.mgmt_bonus_eligible = 1
-      ORDER BY u.created_at DESC LIMIT 100
-    `);
-        res.json({ enabled, eligible_users: eligible, eligible_count: eligible.length });
-    });
     // 注册必须 ref 开关
     app.post('/api/admin/tokenomics/require-ref/toggle', async (req, res) => {
         const admin = requireProtocolAdmin(req, res);
@@ -79,36 +37,4 @@ export function registerAdminTokenomicsRoutes(app, deps) {
         logAdminAction(admin.id, 'require_ref_toggle', 'system', 'require_ref_to_register', { value: v });
         res.json({ success: true, enabled: !!enabled });
     });
-    // 管理津贴池开关
-    app.post('/api/admin/tokenomics/mgmt-bonus/toggle', async (req, res) => {
-        const admin = requireProtocolAdmin(req, res);
-        if (!admin)
-            return;
-        const { enabled } = req.body;
-        const v = enabled ? '1' : '0';
-        await dbRun("INSERT OR REPLACE INTO system_state (key, value) VALUES ('mgmt_bonus_enabled', ?)", [v]);
-        logAdminAction(admin.id, 'mgmt_bonus_toggle', 'system', 'mgmt_bonus_enabled', { value: v });
-        res.json({ success: true, enabled: !!enabled });
-    });
-    // 池注资
-    app.post('/api/admin/tokenomics/inject', async (req, res) => {
-        const admin = requireProtocolAdmin(req, res);
-        if (!admin)
-            return;
-        const { pool, amount } = req.body;
-        const n = Number(amount);
-        if (!(n > 0))
-            return void res.json({ error: '金额必须 > 0' });
-        if (pool === 'global_fund') {
-            await dbRun("UPDATE global_fund SET pool_balance = pool_balance + ? WHERE id=1", [n]);
-        }
-        else if (pool === 'management_bonus') {
-            await dbRun("UPDATE management_bonus_pool SET balance = balance + ? WHERE id=1", [n]);
-        }
-        else {
-            return void res.json({ error: 'pool 名称无效（global_fund / management_bonus）' });
-        }
-        logAdminAction(admin.id, 'tokenomics_pool_inject', 'pool', pool, { amount: n });
-        res.json({ success: true });
-    });
 }

package/dist/pwa/routes/admin-users-lifecycle.js

@@ -20,20 +20,7 @@ export function registerAdminUsersLifecycleRoutes(app, deps) {
         logAdminAction(admin.id, 'l1_share_override', 'user', req.params.id, { value: v, note: note || null });
         res.json({ success: true, value: v });
     });
-    app.post('/api/admin/users/:id/mgmt-bonus-eligible', async (req, res) => {
-        const admin = requireProtocolAdmin(req, res);
-        if (!admin)
-            return;
-        if (!adminCanOperateOn(admin, req.params.id, res))
-            return;
-        const { eligible, note } = req.body;
-        const target = await dbOne("SELECT id, name FROM users WHERE id = ?", [req.params.id]);
-        if (!target)
-            return void res.json({ error: '用户不存在' });
-        await dbRun("UPDATE users SET mgmt_bonus_eligible = ?, updated_at = datetime('now') WHERE id = ?", [eligible ? 1 : 0, req.params.id]);
-        logAdminAction(admin.id, eligible ? 'mgmt_bonus_grant' : 'mgmt_bonus_revoke', 'user', req.params.id, { note: note || null });
-        res.json({ success: true });
-    });
+    // 解除账号登录锁定：清零失败次数 + 解锁
     app.post('/api/admin/users/:id/reset-failed-attempts', async (req, res) => {
         const admin = requireUsersAdmin(req, res);
         if (!admin)