@seasonkoh/webaz 0.1.26 → 0.1.28

package/dist/pwa/routes/admin-users-query.js

@@ -89,12 +89,35 @@ export function registerAdminUsersQueryRoutes(app, deps) {
             return void res.status(400).json({ error: 'action 必须 suspend/unsuspend' });
         const reasonStr = action === 'suspend' ? (reason ? String(reason).slice(0, 200) : 'admin 批量暂停') : null;
         const results = [];
+        // Per-uid authorization boundary (res-free, so one bad uid never aborts the whole batch). Mirrors
+        // adminCanOperateOn but stricter for admin targets: an admin target is ROOT-only regardless of scope.
+        const actingRoot = isRootAdmin(admin);
+        const actingScope = admin.admin_scope || 'global';
+        const canOperate = (t) => {
+            if (t.admin_type)
+                return actingRoot ? { ok: true } : { ok: false, reason: '仅 root 可操作 admin 账号' };
+            if (actingRoot || actingScope === 'global')
+                return { ok: true };
+            if (t.region && t.region !== actingScope)
+                return { ok: false, reason: `跨区用户(${t.region})仅本区/全局 admin 可操作` };
+            return { ok: true };
+        };
         for (const uid of user_ids) {
             try {
                 if (uid === 'sys_protocol' || uid === admin.id) {
                     results.push({ user_id: uid, status: 'skipped', reason: '保留账户或自己' });
                     continue;
                 }
+                const target = await dbOne('SELECT admin_type, region FROM users WHERE id = ?', [uid]);
+                if (!target) {
+                    results.push({ user_id: uid, status: 'skipped', reason: '用户不存在' });
+                    continue;
+                }
+                const gate = canOperate(target);
+                if (!gate.ok) {
+                    results.push({ user_id: uid, status: 'skipped', reason: gate.reason });
+                    continue;
+                }
                 if (action === 'suspend') {
                     await dbRun(`INSERT INTO user_moderation (user_id, suspended, reason, suspended_by, suspended_at)
             VALUES (?, 1, ?, ?, datetime('now'))
@@ -386,7 +409,6 @@ export function registerAdminUsersQueryRoutes(app, deps) {
                 reputation: user.reputation,
                 failed_attempts: user.failed_attempts ?? 0,
                 locked_until: user.locked_until,
-                mgmt_bonus_eligible: !!user.mgmt_bonus_eligible,
                 l1_share_override: Number(user.l1_share_override ?? 0),
                 can_l1_share: isAllowedSponsor(user.id),
             },

package/dist/pwa/routes/admin-wallet-ops.js

@@ -58,7 +58,7 @@ export function registerAdminWalletOpsRoutes(app, deps) {
         res.json(list);
     });
     app.post('/api/admin/withdrawals/:id/approve', async (req, res) => {
-        // 双轨过渡鉴权:优先认登录的 protocol-admin(Bearer)→ 记其真实 admin id;
+        // 双重受理过渡鉴权:优先认登录的 protocol-admin(Bearer)→ 记其真实 admin id;
         // 否则回落到共享 ADMIN_KEY(adminAuth,既有运维路径,行为不变)→ actor 记中性标记 'admin_key'。
         // 仅认 protocol 权限的 admin;非 protocol 的 Bearer 不放行(soft 解析返回 null),不扩大访问面,只精确归属。
         let actorId = 'admin_key';

package/dist/pwa/routes/agent-grants.js

@@ -0,0 +1,255 @@
+import { createHash, randomBytes } from 'node:crypto';
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js';
+import { initAgentDelegationGrantsSchema, initAgentPairingSchema, initAgentGrantAuthLogSchema } from '../../runtime/webaz-schema-helpers.js';
+import { validateRequestedCapabilities, clampTtlSeconds, grantIsActive } from '../../runtime/agent-grant-scopes.js';
+import { generateUserCode, verifyPkceS256, clampPairingTtlSeconds, pairingApprovable, pairingRetrievable } from '../../runtime/agent-pairing.js';
+import { verifyGrantToken } from '../../runtime/agent-grant-verifier.js';
+// Bounds on a pairing request (anti-bloat for the anonymous start endpoint).
+const MAX_CAPABILITIES = 12;
+const MAX_CONSTRAINTS_JSON = 2000;
+function safeParseCaps(json) {
+    try {
+        return JSON.parse(String(json));
+    }
+    catch {
+        return [];
+    }
+}
+/** Server-generated consent view for a pairing — canonical scope labels only, no secrets. */
+function consentView(p) {
+    return {
+        pairing_id: p.pairing_id,
+        agent_label: p.agent_label || null,
+        reason: p.reason || null, // agent-supplied free text (display only)
+        capabilities: safeParseCaps(p.capabilities), // server-validated safe scopes
+        status: p.status,
+        expires_at: p.expires_at,
+        notice: 'Approving issues a scoped, short-lived, revocable delegation grant — NOT your api_key, NOT your funds. Safe (read/draft) scopes only; it can never move money, vote, arbitrate, or change keys.',
+    };
+}
+export function registerAgentGrantsRoutes(app, deps) {
+    const { db, auth, generateId, rateLimitOk } = deps;
+    // PWA runtime self-init (MCP gets the tables via applyWebazRuntimeSchema). Idempotent.
+    initAgentDelegationGrantsSchema(db);
+    initAgentPairingSchema(db);
+    initAgentGrantAuthLogSchema(db);
+    // ─────────────────────────── RFC-020 PR-C2a: opt-in grant-scope enforcement ───────────────────────────
+    // EXPLICIT, per-route, per-SAFE-scope. NOT global auth — a gtk_* token is accepted ONLY by routes that
+    // deliberately mount requireAgentGrantScope(scope); auth()/api_key is untouched and never accepts gtk_*.
+    // Risk / never-delegable scopes can never pass (the verifier hard-fails non-safe required scopes).
+    const requireAgentGrantScope = (scope) => async (req, res, next) => {
+        // Anti-abuse: throttle the grant-consumption path BEFORE any DB work (parity with pair/start).
+        // Bounds both anonymous probing and valid-grant spam, and caps audit-log growth.
+        if (!rateLimitOk(`agent_grant:${req.ip || 'anon'}`, 30, 60_000)) {
+            return void res.status(429).json({ error: 'too_many_grant_requests', error_code: 'GRANT_RATE_LIMITED', retry_after_s: 60 });
+        }
+        const bearer = (req.header('authorization') || '').replace(/^Bearer\s+/i, '');
+        const presentedGrant = bearer.startsWith('gtk_'); // a request that presents no grant bearer isn't "grant-authorized"
+        const r = await verifyGrantToken(bearer, scope);
+        // Append-only audit (RFC-020 §3.7 + invariant: every grant-authorized request is audited). Only audit
+        // requests that actually presented a grant bearer — a no-token request is pure noise (and an unauth
+        // bloat vector), not a grant-authorized request.
+        let audited = false;
+        if (presentedGrant) {
+            try {
+                await dbRun('INSERT INTO agent_grant_auth_log (grant_id, human_id, capability, outcome, error_code) VALUES (?,?,?,?,?)', [r.ok ? r.principal.grant_id : (r.grant_id ?? null), r.ok ? r.principal.human_id : (r.human_id ?? null), scope, r.ok ? 'allow' : 'deny', r.ok ? null : r.error_code]);
+                audited = true;
+            }
+            catch (e) {
+                console.error('[agent-grant] audit write failed:', e.message);
+            }
+        }
+        // Deny path: return the denial regardless of audit (no access is granted, so nothing to fail closed on).
+        if (!r.ok)
+            return void res.status(r.status).json({ error: r.error, error_code: r.error_code });
+        // Success path: FAIL CLOSED if the authorization could not be audited — a grant-authorized request
+        // must never proceed unaudited (RFC-020 invariant). Better to deny (503, retryable) than act unaccountably.
+        if (!audited)
+            return void res.status(503).json({ error: 'authorization audit unavailable; refusing to proceed unaudited', error_code: 'GRANT_AUDIT_FAILED' });
+        req.agentGrant = r.principal;
+        next();
+    };
+    // Vertical slice (zero-risk): grant principal introspection. Proves the verifier + opt-in middleware
+    // end-to-end on a brand-new read-only endpoint that touches NO existing route and NO money path.
+    app.get('/api/agent-grants/whoami', requireAgentGrantScope('read_public'), (req, res) => {
+        const p = req.agentGrant;
+        res.json({ grant: p, note: 'Authorized via delegation grant (safe scope read_public). This is a grant principal, not a human session.' });
+    });
+    // ─────────────────────────── RFC-020 PR-C1: pairing (device-flow + PKCE) ───────────────────────────
+    // C1 = pairing + credential delivery ONLY. No grant is consumed by any tool here (that is PR-C2).
+    // (pair 1) Agent starts a pairing — UNAUTHENTICATED (agent has no credential yet). Safe scopes only.
+    app.post('/api/agent-grants/pair/start', async (req, res) => {
+        // Rate-limit the anonymous write FIRST (anti-bloat: no DB row unless under the cap).
+        if (!rateLimitOk(`agent_pair_start:${req.ip || 'anon'}`, 10, 60_000)) {
+            return void res.status(429).json({ error: 'too_many_pairing_starts', retry_after_s: 60 });
+        }
+        const body = (req.body || {});
+        const codeChallenge = typeof body.code_challenge === 'string' ? body.code_challenge : '';
+        if (!codeChallenge || codeChallenge.length < 32 || codeChallenge.length > 256)
+            return void res.status(400).json({ error: 'code_challenge required (PKCE S256)' });
+        const caps = Array.isArray(body.capabilities) ? body.capabilities : [];
+        if (caps.length > MAX_CAPABILITIES)
+            return void res.status(400).json({ error: 'too_many_capabilities', max: MAX_CAPABILITIES });
+        const v = validateRequestedCapabilities(caps);
+        if (!v.ok)
+            return void res.status(403).json({ error: 'pairing_rejected', rejected: v.rejected }); // risk + never-delegable hard-reject
+        const pairingId = generateId('par');
+        const userCode = generateUserCode();
+        const ttl = clampPairingTtlSeconds(body.ttl_seconds);
+        const expiresAt = new Date(Date.now() + ttl * 1000).toISOString();
+        const label = typeof body.agent_label === 'string' ? body.agent_label.slice(0, 120) : null;
+        const reason = typeof body.reason === 'string' ? body.reason.slice(0, 280) : null; // agent free text only
+        const pubkey = typeof body.agent_pubkey === 'string' ? body.agent_pubkey.slice(0, 1000) : null; // RESERVED (PoP), not verified in C1
+        const capsJson = JSON.stringify(v.safe.map(c => ({ capability: c, constraints: (caps.find(x => x?.capability === c)?.constraints) || {} })));
+        if (capsJson.length > MAX_CONSTRAINTS_JSON)
+            return void res.status(400).json({ error: 'capabilities_too_large', max_bytes: MAX_CONSTRAINTS_JSON });
+        await dbRun('INSERT INTO agent_pairing_sessions (pairing_id, user_code, code_challenge, agent_label, agent_pubkey, reason, capabilities, status, expires_at) VALUES (?,?,?,?,?,?,?,?,?)', [pairingId, userCode, codeChallenge, label, pubkey, reason, capsJson, 'pending', expiresAt]);
+        res.status(201).json({
+            pairing_id: pairingId,
+            user_code: userCode,
+            approve_url: `/#pair?code=${userCode}`,
+            expires_at: expiresAt,
+            note: 'Ask the human to open approve_url at webaz.xyz (logged in) and approve. Then retrieve the credential with the PKCE verifier.',
+        });
+    });
+    // (pair 2) Human reviews the server-generated consent — human-authenticated.
+    app.get('/api/agent-grants/pair/:user_code', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const p = await dbOne('SELECT * FROM agent_pairing_sessions WHERE user_code = ?', [req.params.user_code]);
+        if (!p)
+            return void res.status(404).json({ error: 'pairing_not_found' });
+        if (!pairingApprovable(p, new Date().toISOString()))
+            return void res.status(409).json({ error: 'pairing_not_pending_or_expired', status: p.status });
+        res.json({ consent: consentView(p) });
+    });
+    // (pair 3) Human approves — human-authenticated. Issues the grant (token_hash filled at retrieve).
+    app.post('/api/agent-grants/pair/:user_code/approve', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const now = new Date().toISOString();
+        const p = await dbOne('SELECT * FROM agent_pairing_sessions WHERE user_code = ?', [req.params.user_code]);
+        if (!p)
+            return void res.status(404).json({ error: 'pairing_not_found' });
+        if (!pairingApprovable(p, now))
+            return void res.status(409).json({ error: 'pairing_not_pending_or_expired', status: p.status });
+        // Re-validate scopes at approval time (defense in depth) — must still be safe-only.
+        const caps = safeParseCaps(p.capabilities);
+        const v = validateRequestedCapabilities(caps);
+        if (!v.ok)
+            return void res.status(403).json({ error: 'pairing_rejected', rejected: v.rejected });
+        const grantId = generateId('grt');
+        const expiresAt = new Date(Date.now() + clampTtlSeconds(undefined) * 1000).toISOString();
+        // Grant created WITHOUT a token (token_hash NULL) — the bearer is minted only at retrieval.
+        await dbRun('INSERT INTO agent_delegation_grants (grant_id, human_id, agent_label, capabilities, token_hash, human_confirm_required, status, expires_at) VALUES (?,?,?,?,?,?,?,?)', [grantId, user.id, p.agent_label || null, JSON.stringify(caps), null, 0, 'active', expiresAt]);
+        await dbRun("UPDATE agent_pairing_sessions SET status='approved', human_id=?, grant_id=?, approved_at=? WHERE user_code=? AND status='pending'", [user.id, grantId, now, req.params.user_code]);
+        res.json({ success: true, grant_id: grantId, capabilities: caps });
+    });
+    // (pair 4) Agent retrieves the credential ONCE via PKCE verifier — UNAUTHENTICATED (PKCE-gated).
+    app.post('/api/agent-grants/pair/:pairing_id/retrieve', async (req, res) => {
+        const now = new Date().toISOString();
+        const verifier = typeof req.body?.code_verifier === 'string' ? req.body.code_verifier : '';
+        const p = await dbOne('SELECT * FROM agent_pairing_sessions WHERE pairing_id = ?', [req.params.pairing_id]);
+        if (!p)
+            return void res.status(404).json({ error: 'pairing_not_found' });
+        if (p.status === 'consumed' || p.consumed_at)
+            return void res.status(409).json({ error: 'pairing_already_consumed' });
+        if (!pairingRetrievable(p, now))
+            return void res.status(409).json({ error: 'pairing_not_approved_or_expired', status: p.status });
+        if (!verifyPkceS256(verifier, String(p.code_challenge)))
+            return void res.status(403).json({ error: 'pkce_mismatch' });
+        // Confirm the issued grant is still active (could have been revoked between approve and retrieve).
+        const grant = await dbOne('SELECT grant_id, status, capabilities, expires_at FROM agent_delegation_grants WHERE grant_id = ?', [String(p.grant_id)]);
+        if (!grant || grant.status !== 'active')
+            return void res.status(409).json({ error: 'grant_inactive' });
+        // Mint the bearer ONCE here; persist only its SHA-256 hash. Raw bearer is returned a single time.
+        const token = `gtk_${randomBytes(32).toString('hex')}`;
+        const tokenHash = createHash('sha256').update(token).digest('hex');
+        // One-time consume: only succeeds if still approved+unconsumed (guards against retrieval races/reuse).
+        const consumed = await dbRun("UPDATE agent_pairing_sessions SET status='consumed', consumed_at=? WHERE pairing_id=? AND status='approved' AND consumed_at IS NULL", [now, req.params.pairing_id]);
+        if (!consumed || consumed.changes !== 1)
+            return void res.status(409).json({ error: 'pairing_already_consumed' });
+        await dbRun('UPDATE agent_delegation_grants SET token_hash=? WHERE grant_id=?', [tokenHash, grant.grant_id]);
+        res.json({
+            grant_id: grant.grant_id,
+            token, // shown ONCE — agent stores it locally; server keeps only the hash
+            token_note: 'Shown once. Store in your OS secret store; the server keeps only a hash and cannot reissue it.',
+            capabilities: safeParseCaps(grant.capabilities),
+            expires_at: grant.expires_at,
+        });
+    });
+    // ── Issue a grant (human-authenticated). Safe scopes only; risk/never-delegable rejected. ──
+    app.post('/api/agent-grants', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const body = (req.body || {});
+        const caps = Array.isArray(body.capabilities) ? body.capabilities : [];
+        const v = validateRequestedCapabilities(caps);
+        if (!v.ok) {
+            // Fail-closed: any risk / never-delegable / unknown scope rejects the whole request.
+            return void res.status(403).json({ error: 'grant_rejected', rejected: v.rejected });
+        }
+        const ttl = clampTtlSeconds(body.ttl_seconds);
+        const grantId = generateId('grt');
+        const token = `gtk_${randomBytes(32).toString('hex')}`; // bearer — shown once
+        const tokenHash = createHash('sha256').update(token).digest('hex');
+        const expiresAt = new Date(Date.now() + ttl * 1000).toISOString();
+        const label = typeof body.agent_label === 'string' ? body.agent_label.slice(0, 120) : null;
+        const capsJson = JSON.stringify(v.safe.map(c => ({
+            capability: c,
+            constraints: (caps.find(x => x?.capability === c)?.constraints) || {},
+        })));
+        await dbRun('INSERT INTO agent_delegation_grants (grant_id, human_id, agent_label, capabilities, token_hash, human_confirm_required, status, expires_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)', [grantId, user.id, label, capsJson, tokenHash, 0, 'active', expiresAt]);
+        res.status(201).json({
+            grant_id: grantId,
+            token,
+            token_note: 'Shown once — store securely. The server keeps only a hash; it cannot show this again.',
+            capabilities: JSON.parse(capsJson),
+            expires_at: expiresAt,
+            note: 'Bearer-first grant for safe scopes only. Risk scopes are not delegable until their route has a live-Passkey gate; PoP binding is required before any risk scope or longer-lived delegation (RFC-020).',
+        });
+    });
+    // ── Read: the human's connected agents (no secrets) + recent-use from the audit log (PR-D). ──
+    // last_used_at / use_count come from agent_grant_auth_log (RFC-020 §3.7) — the data the
+    // "Connected agents" UI shows so a human can spot stale/unused or busy agents before revoking.
+    app.get('/api/agent-grants', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const rows = await dbAll(`SELECT g.grant_id, g.agent_label, g.capabilities, g.status, g.created_at, g.expires_at, g.revoked_at, g.revoked_reason,
+              MAX(CASE WHEN l.outcome = 'allow' THEN l.ts END) AS last_used_at,
+              COUNT(CASE WHEN l.outcome = 'allow' THEN 1 END) AS use_count
+         FROM agent_delegation_grants g
+         LEFT JOIN agent_grant_auth_log l ON l.grant_id = g.grant_id
+        WHERE g.human_id = ?
+        GROUP BY g.grant_id
+        ORDER BY g.created_at DESC`, [user.id]);
+        const now = new Date().toISOString();
+        res.json({
+            grants: rows.map(g => ({
+                ...g,
+                capabilities: safeParseCaps(g.capabilities),
+                use_count: Number(g.use_count) || 0,
+                active: grantIsActive(g, now),
+            })),
+        });
+    });
+    // ── Revoke (online, one-click). ──
+    app.post('/api/agent-grants/:grant_id/revoke', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const grantId = req.params.grant_id;
+        const g = await dbOne('SELECT grant_id, status FROM agent_delegation_grants WHERE grant_id = ? AND human_id = ?', [grantId, user.id]);
+        if (!g)
+            return void res.status(404).json({ error: 'grant_not_found' });
+        if (g.status === 'revoked')
+            return void res.json({ success: true, already_revoked: true, grant_id: grantId });
+        const reason = typeof req.body?.reason === 'string' ? req.body.reason.slice(0, 200) : null;
+        await dbRun("UPDATE agent_delegation_grants SET status = 'revoked', revoked_at = ?, revoked_reason = ? WHERE grant_id = ? AND human_id = ?", [new Date().toISOString(), reason, grantId, user.id]);
+        res.json({ success: true, grant_id: grantId });
+    });
+}

package/dist/pwa/routes/auth-read.js

@@ -1,7 +1,7 @@
 import { dbOne } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAuthReadRoutes(app, deps) {
     // db 已全量走 RFC-016 异步 seam(dbOne),不再直接用 deps.db
-    const { auth, safeRoles, getRegionMaxLevels, userMlmGate, getUserLevel } = deps;
+    const { auth, safeRoles, getRegionMaxLevels, userMlmGate } = deps;
     app.get('/api/me', async (req, res) => {
         const user = auth(req, res);
         if (!user)
@@ -34,7 +34,6 @@ export function registerAuthReadRoutes(app, deps) {
         const wallet = await dbOne('SELECT balance, staked, escrowed, earned FROM wallets WHERE user_id = ?', [user.id]);
         const roles = safeRoles(user);
         const pv = await dbOne("SELECT total_left_pv, total_right_pv FROM users WHERE id = ?", [user.id]);
-        const pendingScore = (await dbOne("SELECT COALESCE(SUM(score),0) as s FROM binary_score_records WHERE user_id = ? AND settled_at IS NULL", [user.id])).s;
         res.json({
             id: user.id, name: user.name, role: user.role, roles, api_key: user.api_key, wallet: wallet || null,
             permanent_code: user.permanent_code ?? null,
@@ -69,11 +68,8 @@ export function registerAuthReadRoutes(app, deps) {
                     return null;
                 }
             })(),
-            pending_score: Number(pendingScore),
             total_left_pv: Number(pv?.total_left_pv ?? 0),
             total_right_pv: Number(pv?.total_right_pv ?? 0),
-            lifetime_score: Number(user.lifetime_score ?? 0),
-            user_level: getUserLevel(Number(user.lifetime_score ?? 0)),
         });
     });
 }

package/dist/pwa/routes/auth-register.js

@@ -1,8 +1,8 @@
 import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAuthRegisterRoutes(app, deps) {
-    // VALID_REGIONS + INVITE_ROTATION_HANDLES 通过 deps.X 在 handler 内延迟读
-    // （server.ts 用 getter 注入；destructure at register-time would trigger TDZ 因为它们在下方 const）
-    const { db, errorRes, INTERNAL_AUDITOR_ID, isAllowedSponsor, resolveInviteCodeRef, generateId, generateSecureKey, generatePermanentCode, deriveHandle, clientIpHash, clientUaHash, pickPreferredSide, joinPowerLeg, inviteRotationLookup, issueCode, findActiveCode, canDeliverCodes, emailDeliveryNotConfigured, recordSession, broadcastSystemEvent } = deps;
+    // VALID_REGIONS 通过 deps.X 在 handler 内延迟读
+    // （server.ts 用 getter 注入；destructure at register-time would trigger TDZ 因为它在下方 const）
+    const { db, errorRes, INTERNAL_AUDITOR_ID, isAllowedSponsor, resolveInviteCodeRef, generateId, generateSecureKey, generatePermanentCode, deriveHandle, clientIpHash, clientUaHash, pickPreferredSide, joinPowerLeg, issueCode, findActiveCode, canDeliverCodes, emailDeliveryNotConfigured, recordSession, broadcastSystemEvent } = deps;
     // CODE_TTL_MIN / MAX_CODE_ATTEMPTS 通过 deps.X 在 handler 内延迟读(它们在 server.ts 是后置 const,
     // register-time destructure 会触发 TDZ)。
     const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
@@ -205,16 +205,6 @@ export function registerAuthRegisterRoutes(app, deps) {
                     }
                 }
             }
-            const rotationEnabled = db.prepare("SELECT value FROM system_state WHERE key='invite_rotation_enabled'").get()?.value === '1';
-            if (rotationEnabled && sponsorId) {
-                for (let i = 0; i < deps.INVITE_ROTATION_HANDLES.length; i++) {
-                    const u = inviteRotationLookup(i);
-                    if (u && u.id === sponsorId) {
-                        db.prepare("UPDATE invite_rotation_stats SET registered_count = registered_count + 1 WHERE slot = ?").run(i);
-                        break;
-                    }
-                }
-            }
             return { placement, effectiveInviter, effectiveSide };
         });
         let txResult;

package/dist/pwa/routes/build-task-quota.js

@@ -0,0 +1,113 @@
+import { createQuotaRequest, listMyQuotaRequests, listQuotaRequests, getQuotaRequest, approveQuotaRequest, rejectQuotaRequest, revokeQuotaRequest, requesterUsage24h, remainingQuota, isQuotaError, } from '../../layer2-business/L2-9-contribution/build-task-quota.js';
+// map a store error_code to an HTTP status
+function httpFor(code) {
+    if (code === 'NOT_FOUND')
+        return 404;
+    if (code === 'ALREADY_PENDING' || code === 'BAD_STATE')
+        return 409;
+    if (code === 'SELF_DECISION')
+        return 403;
+    return 400;
+}
+// parse the stored linked_refs JSON + surface a derived remaining count for approved grants
+function shapeRequest(r) {
+    let linked = [];
+    try {
+        linked = JSON.parse(String(r.linked_refs ?? '[]'));
+    }
+    catch {
+        linked = [];
+    }
+    const granted = r.granted_count == null ? null : Number(r.granted_count);
+    const consumed = Number(r.consumed_count ?? 0);
+    return { ...r, linked_refs: linked, remaining: granted == null ? null : Math.max(0, granted - consumed) };
+}
+export function registerBuildTaskQuotaRoutes(app, deps) {
+    const { db, errorRes, auth, requireRootAdmin } = deps;
+    // ── requester surface ─────────────────────────────────────────────────────
+    // submit a quota-increase request
+    app.post('/api/me/quota-requests', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const b = (req.body ?? {});
+        const r = createQuotaRequest(db, {
+            requesterId: String(user.id),
+            requestedExtraCount: Number(b.requested_extra_count),
+            reason: String(b.reason ?? ''),
+            linkedRefs: b.linked_refs,
+            urgency: b.urgency,
+            requestedDurationHours: b.requested_duration_hours == null ? null : Number(b.requested_duration_hours),
+            quotaType: b.quota_type,
+        });
+        if (isQuotaError(r))
+            return void errorRes(res, httpFor(r.error_code), r.error_code, r.error);
+        res.json({ request: r });
+    });
+    // list my own requests + current remaining temporary quota
+    app.get('/api/me/quota-requests', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const requests = listMyQuotaRequests(db, String(user.id)).map(shapeRequest);
+        res.json({ requests, remaining_quota: remainingQuota(db, String(user.id)) });
+    });
+    // ── ROOT admin review surface ─────────────────────────────────────────────
+    // list quota requests (optional ?status=)
+    app.get('/api/admin/quota-requests', (req, res) => {
+        const admin = requireRootAdmin(req, res);
+        if (!admin)
+            return;
+        const status = typeof req.query.status === 'string' ? req.query.status : undefined;
+        const requests = listQuotaRequests(db, { status }).map(shapeRequest);
+        res.json({ requests });
+    });
+    // detail of one request + the requester's live 24h create usage (reviewer context)
+    app.get('/api/admin/quota-requests/:id', (req, res) => {
+        const admin = requireRootAdmin(req, res);
+        if (!admin)
+            return;
+        const r = getQuotaRequest(db, String(req.params.id));
+        if (!r)
+            return void errorRes(res, 404, 'NOT_FOUND', 'quota request not found');
+        res.json({ request: shapeRequest(r), requester_usage_24h: requesterUsage24h(db, String(r.requester_user_id)) });
+    });
+    // approve → time-boxed counted grant (self-approval rejected in the store)
+    app.post('/api/admin/quota-requests/:id/approve', (req, res) => {
+        const admin = requireRootAdmin(req, res);
+        if (!admin)
+            return;
+        const b = (req.body ?? {});
+        const r = approveQuotaRequest(db, String(req.params.id), String(admin.id), {
+            grantedCount: b.extra_count == null ? undefined : Number(b.extra_count),
+            durationHours: b.duration_hours == null ? undefined : Number(b.duration_hours),
+            expiresAt: typeof b.expires_at === 'string' ? b.expires_at : undefined,
+            decisionNote: typeof b.approval_note === 'string' ? b.approval_note : undefined,
+        });
+        if (isQuotaError(r))
+            return void errorRes(res, httpFor(r.error_code), r.error_code, r.error);
+        res.json({ approved: r });
+    });
+    // reject (self-rejection also blocked by the store's SELF_DECISION guard)
+    app.post('/api/admin/quota-requests/:id/reject', (req, res) => {
+        const admin = requireRootAdmin(req, res);
+        if (!admin)
+            return;
+        const b = (req.body ?? {});
+        const r = rejectQuotaRequest(db, String(req.params.id), String(admin.id), { decisionNote: typeof b.rejection_note === 'string' ? b.rejection_note : undefined });
+        if (isQuotaError(r))
+            return void errorRes(res, httpFor(r.error_code), r.error_code, r.error);
+        res.json({ rejected: r });
+    });
+    // revoke an already-approved grant (root)
+    app.post('/api/admin/quota-requests/:id/revoke', (req, res) => {
+        const admin = requireRootAdmin(req, res);
+        if (!admin)
+            return;
+        const b = (req.body ?? {});
+        const r = revokeQuotaRequest(db, String(req.params.id), String(admin.id), { decisionNote: typeof b.revocation_note === 'string' ? b.revocation_note : undefined });
+        if (isQuotaError(r))
+            return void errorRes(res, httpFor(r.error_code), r.error_code, r.error);
+        res.json({ revoked: r });
+    });
+}

package/dist/pwa/routes/claim-verify.js

@@ -1,4 +1,6 @@
 import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js';
+// #420 P1-3 — verifier outlier 阈值改由 governance-adjustable protocol_params 驱动
+import { readAntiAbuseThresholds, verifierOutlierBand } from '../anti-abuse-thresholds.js';
 // RFC-016 Phase 1 — 仅端点纯校验读/列表/公开查询/读回 + 单语句标记/字段写 + 写后通知 → async seam。
 // 全部保持同步(Phase 3 再用 pg tx/行锁):
 //   - 模块级 helper(settleClaimTask 三路径结算 / distributePool / checkAndApplyOutlierStrike /
@@ -23,11 +25,10 @@ const CLAIM_VALID_VOTES = new Set(['pass', 'fail', 'no_fault', 'abstain']);
 // V3：abstain 不计入 3-vote 共识、不参与 majority、不触发 outlier
 const CLAIM_SELLER_FINE_RATE = 0.10; // pass 时扣 product.stake_amount × 10%
 const CLAIM_NO_FAULT_SUBSIDY = 1; // no_fault 路径协议池补贴每个 verifier 1 WAZ
-// 跨域共用（server.ts checkVerifierOutlier 跨 6 套 vote table 聚合也用同一阈值）
-export const CLAIM_SUSPEND_THRESHOLD = 3; // 180d 内 ≥3 次 outlier → 30d 冻结
-export const CLAIM_REVOKE_THRESHOLD = 5; // 180d 内 ≥5 次 outlier → 永封
-export const CLAIM_SUSPEND_DAYS = 30;
-export const CLAIM_OUTLIER_WINDOW_DAYS = 180;
+// #420 P1-3:verifier outlier 阈值（暂停/撤销/窗口/暂停时长）已抽到 governance-adjustable
+// protocol_params,单一真相源在 ../anti-abuse-thresholds.ts(DEFAULT_ANTI_ABUSE_THRESHOLDS:
+// outlierSuspendCount=3 / outlierRevokeCount=5 / outlierSuspendDays=30 / outlierWindowDays=180)。
+// checkAndApplyOutlierStrike + server.ts checkVerifierOutlier 通过 readAntiAbuseThresholds(db) 读取。
 // ─── helpers (module-level, db 通过参数传) ───────────────────
 // 2026-05-22 V2：通知所有资格内 verifier 有新 claim 任务
 export function notifyEligibleVerifiers(db, generateId, args) {
@@ -99,28 +100,31 @@ export function activeClaimTaskCountForVerifier(db, userId) {
 }
 // M7.3b：单个 outlier 处罚检查
 function checkAndApplyOutlierStrike(db, generateId, userId) {
+    // #420 P1-3:窗口/暂停/撤销阈值由 protocol_params 驱动(默认 = 原 180d/≥5/≥3/30d)
+    const t = readAntiAbuseThresholds(db);
     const cnt = db.prepare(`
     SELECT COUNT(*) as n FROM claim_verification_votes cvv
     JOIN claim_verification_tasks cvt ON cvt.id = cvv.task_id
     WHERE cvv.verifier_id = ?
       AND cvv.was_majority = 0
       AND cvt.resolved_at IS NOT NULL
-      AND cvt.resolved_at >= datetime('now', '-${CLAIM_OUTLIER_WINDOW_DAYS} days')
+      AND cvt.resolved_at >= datetime('now', '-${t.outlierWindowDays} days')
   `).get(userId).n;
     const existing = db.prepare(`SELECT type, outlier_count FROM claim_verifier_suspensions
     WHERE user_id = ? AND (type = 'revoked' OR until_at > datetime('now'))
     ORDER BY created_at DESC LIMIT 1`).get(userId);
     if (existing?.type === 'revoked')
         return { strikes_180d: cnt };
-    if (cnt >= CLAIM_REVOKE_THRESHOLD && (!existing || existing.outlier_count < CLAIM_REVOKE_THRESHOLD)) {
+    const band = verifierOutlierBand(cnt, t);
+    if (band === 'revoke' && (!existing || existing.outlier_count < t.outlierRevokeCount)) {
         db.prepare(`INSERT INTO claim_verifier_suspensions (id, user_id, type, reason, outlier_count)
-      VALUES (?,?, 'revoked', ?, ?)`).run(generateId('cvs'), userId, `180d 内累计 ${cnt} 次 outlier`, cnt);
+      VALUES (?,?, 'revoked', ?, ?)`).run(generateId('cvs'), userId, `${t.outlierWindowDays}d 内累计 ${cnt} 次 outlier`, cnt);
         return { strikes_180d: cnt, suspension: { type: 'revoked', until_at: null } };
     }
-    if (cnt >= CLAIM_SUSPEND_THRESHOLD && !existing) {
-        const until = new Date(Date.now() + CLAIM_SUSPEND_DAYS * 86400_000).toISOString();
+    if (band === 'suspend' && !existing) {
+        const until = new Date(Date.now() + t.outlierSuspendDays * 86400_000).toISOString();
         db.prepare(`INSERT INTO claim_verifier_suspensions (id, user_id, type, until_at, reason, outlier_count)
-      VALUES (?,?, 'suspended', ?, ?, ?)`).run(generateId('cvs'), userId, until, `180d 内累计 ${cnt} 次 outlier`, cnt);
+      VALUES (?,?, 'suspended', ?, ?, ?)`).run(generateId('cvs'), userId, until, `${t.outlierWindowDays}d 内累计 ${cnt} 次 outlier`, cnt);
         return { strikes_180d: cnt, suspension: { type: 'suspended', until_at: until } };
     }
     return { strikes_180d: cnt };

package/dist/pwa/routes/contribution-facts.js

@@ -0,0 +1,18 @@
+import { getMyContributionFacts } from '../../layer2-business/L2-9-contribution/contribution-facts-read.js';
+import { withUncommittedValueBoundary } from '../../layer2-business/L2-9-contribution/contribution-display-envelope.js';
+export function registerContributionFactsRoutes(app, deps) {
+    const { db, auth, errorRes } = deps;
+    // ── READ-ONLY: the caller's OWN attributable contribution facts (GitHub + admin coordination) ──
+    app.get('/api/contribution-facts/me', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        try {
+            const surface = getMyContributionFacts(db, user.id);
+            res.json(withUncommittedValueBoundary(surface));
+        }
+        catch {
+            return void errorRes(res, 500, 'INTERNAL', '内部错误'); // never leak a stack / query
+        }
+    });
+}

package/dist/pwa/routes/dispute-cases.js

@@ -1,4 +1,5 @@
 import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
+import { genuineSalePredicate } from '../../layer0-foundation/L0-2-state-machine/genuine-sale.js'; // 真实成交单一真相源
 export function registerDisputeCasesRoutes(app, deps) {
     const { db, auth, getUser, generateId, piiSanitize, detectFraud, commentBlocklistHit, llmModerateComment } = deps;
     // 公共发言门槛 — 防新号/小号刷评论/投票
@@ -7,7 +8,7 @@ export function registerDisputeCasesRoutes(app, deps) {
         const lifetime = Number(user.lifetime_score || 0);
         if (lifetime >= 5)
             return { ok: true };
-        const completed = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE (buyer_id = ? OR seller_id = ?) AND status = 'completed'`, [user.id, user.id])).n;
+        const completed = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE (buyer_id = ? OR seller_id = ?) AND ${genuineSalePredicate('orders')}`, [user.id, user.id])).n; // 真实成交,排除退款/违约
         if (completed >= 1)
             return { ok: true };
         const created = user.created_at ? new Date(String(user.created_at).replace(' ', 'T') + 'Z').getTime() : 0;
@@ -93,9 +94,9 @@ export function registerDisputeCasesRoutes(app, deps) {
         };
         // 评论 + 自动身份标签
         const rawComments = await dbAll(`
-      SELECT dc.*, u.handle, u.name, u.role, u.lifetime_score,
+      SELECT dc.*, u.handle, u.name, u.role,
         (SELECT COUNT(*) FROM orders o
-         WHERE o.buyer_id = dc.commenter_id AND o.product_id = ? AND o.status = 'completed') as bought_count,
+         WHERE o.buyer_id = dc.commenter_id AND o.product_id = ? AND ${genuineSalePredicate('o')}) as bought_count,
         (SELECT COUNT(*) FROM products p
          WHERE p.seller_id = dc.commenter_id AND p.category = (SELECT category FROM products WHERE id = ?) AND p.status = 'active') as same_cat_seller_count
       FROM dispute_comments dc
@@ -118,7 +119,7 @@ export function registerDisputeCasesRoutes(app, deps) {
         // W5: 取所有子回复，按 parent_comment_id 分组挂在 comments 下
         const commentIds = rawComments.map(r => r.id);
         const rawReplies = commentIds.length > 0 ? await dbAll(`
-      SELECT r.*, u.handle, u.name, u.role, u.lifetime_score
+      SELECT r.*, u.handle, u.name, u.role
       FROM dispute_comment_replies r LEFT JOIN users u ON u.id = r.replier_id
       WHERE r.parent_comment_id IN (${commentIds.map(() => '?').join(',')})
       ORDER BY r.created_at ASC

package/dist/pwa/routes/growth.js

@@ -49,7 +49,7 @@ const GROWTH_TASK_CATALOG = [
     { id: 'tier1_match', chapter: 3,
         title_zh: '持续贡献阶段 1', title_en: 'Contribution stage 1',
         desc_zh: '推荐网络贡献达到第一阶段标准', desc_en: 'Referral-network contribution reaches stage-1 threshold',
-        evaluate: c => c.weak_leg_pv >= 30000 },
+        evaluate: c => c.min_leg_pv >= 30000 },
     // 第 4 关：分享达人
     { id: 'monthly_100', chapter: 4,
         title_zh: '月度推荐收益 100 WAZ', title_en: 'Monthly referral income 100 WAZ',
@@ -83,7 +83,7 @@ async function buildGrowthTaskCtx(_db, userId) {
     const sCount = (await dbOne("SELECT COUNT(*) AS n FROM shareables WHERE owner_id = ? AND status = 'active'", [userId])).n;
     const mCount = (await dbOne("SELECT COUNT(*) AS n FROM manifest_registry WHERE owner_id = ? AND status = 'active'", [userId])).n;
     const pv = await dbOne("SELECT total_left_pv, total_right_pv FROM users WHERE id = ?", [userId]);
-    const weakLeg = Math.min(Number(pv?.total_left_pv || 0), Number(pv?.total_right_pv || 0));
+    const minLeg = Math.min(Number(pv?.total_left_pv || 0), Number(pv?.total_right_pv || 0));
     const comm30 = (await dbOne(`SELECT COALESCE(SUM(amount),0) AS s FROM commission_records WHERE beneficiary_id = ? AND created_at >= datetime('now','-30 days')`, [userId])).s;
     const waz30 = (await dbOne(`SELECT COALESCE(SUM(waz_amount),0) AS s FROM binary_score_records WHERE user_id = ? AND settled_at >= datetime('now','-30 days')`, [userId])).s;
     return {
@@ -97,7 +97,7 @@ async function buildGrowthTaskCtx(_db, userId) {
         earnings_grand: grand,
         shareables_count: sCount,
         manifests_count: mCount,
-        weak_leg_pv: weakLeg,
+        min_leg_pv: minLeg,
         last_30_total: comm30 + waz30,
     };
 }