npm - @seasonkoh/webaz - Versions diffs - 0.1.26 → 0.1.28 - Mend

@seasonkoh/webaz 0.1.26 → 0.1.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (99) hide show

package/LICENSE +2 -2
package/NOTICE +24 -3
package/README.md +74 -330
package/README.zh-CN.md +419 -0
package/dist/layer0-foundation/L0-2-state-machine/genuine-sale.js +21 -0
package/dist/layer0-foundation/L0-5-manifest/manifest.js +8 -3
package/dist/layer1-agent/L1-1-mcp-server/auth.js +13 -1
package/dist/layer1-agent/L1-1-mcp-server/network-mode.js +69 -0
package/dist/layer1-agent/L1-1-mcp-server/server.js +270 -82
package/dist/layer2-business/L2-9-contribution/admin-coordination-ingestion-engine.js +181 -0
package/dist/layer2-business/L2-9-contribution/admin-coordination-resolver.js +114 -0
package/dist/layer2-business/L2-9-contribution/admin-coordination-store.js +251 -0
package/dist/layer2-business/L2-9-contribution/admin-operator-claim-workflow.js +390 -0
package/dist/layer2-business/L2-9-contribution/build-task-agent-metadata-store.js +24 -0
package/dist/layer2-business/L2-9-contribution/build-task-participation.js +6 -2
package/dist/layer2-business/L2-9-contribution/build-task-quota.js +337 -0
package/dist/layer2-business/L2-9-contribution/build-task-read.js +25 -2
package/dist/layer2-business/L2-9-contribution/build-tasks-engine.js +57 -7
package/dist/layer2-business/L2-9-contribution/canonical-contribution-target.js +1 -1
package/dist/layer2-business/L2-9-contribution/contribution-facts-read.js +66 -0
package/dist/layer2-business/L2-9-contribution/task-proposal-draft.js +187 -18
package/dist/layer2-business/L2-9-contribution/task-proposal-store.js +29 -4
package/dist/ledger.js +1 -1
package/dist/pwa/admin-audit.js +38 -0
package/dist/pwa/anti-abuse-thresholds.js +135 -0
package/dist/pwa/cf-origin-guard.js +33 -0
package/dist/pwa/contract-fingerprint.js +1 -0
package/dist/pwa/data/onboarding-cases.js +2 -2
package/dist/pwa/data/onboarding-quiz.js +1 -1
package/dist/pwa/economic-participation.js +2 -2
package/dist/pwa/integration-contract.js +46 -4
package/dist/pwa/internal/pv-settlement.js +12 -0
package/dist/pwa/internal/wallet-signer.js +26 -0
package/dist/pwa/public/app-account.js +977 -0
package/dist/pwa/public/app-admin.js +608 -0
package/dist/pwa/public/app-agents.js +63 -0
package/dist/pwa/public/app-ai.js +2162 -0
package/dist/pwa/public/app-contribution.js +836 -0
package/dist/pwa/public/app-discover.js +1296 -0
package/dist/pwa/public/app-listings.js +226 -0
package/dist/pwa/public/app-profile.js +1692 -0
package/dist/pwa/public/app-seller.js +199 -0
package/dist/pwa/public/app-shop.js +1145 -0
package/dist/pwa/public/app.js +15075 -23960
package/dist/pwa/public/i18n.js +31 -28
package/dist/pwa/public/index.html +11 -1
package/dist/pwa/public/openapi.json +4851 -2776
package/dist/pwa/pv-kill-switch.js +31 -0
package/dist/pwa/routes/admin-admins.js +48 -1
package/dist/pwa/routes/admin-analytics.js +1 -10
package/dist/pwa/routes/admin-atomic.js +4 -17
package/dist/pwa/routes/admin-operator-claims.js +280 -0
package/dist/pwa/routes/admin-reports.js +4 -26
package/dist/pwa/routes/admin-tokenomics.js +2 -76
package/dist/pwa/routes/admin-users-lifecycle.js +1 -14
package/dist/pwa/routes/admin-users-query.js +23 -1
package/dist/pwa/routes/admin-wallet-ops.js +1 -1
package/dist/pwa/routes/agent-grants.js +255 -0
package/dist/pwa/routes/auth-read.js +1 -5
package/dist/pwa/routes/auth-register.js +3 -13
package/dist/pwa/routes/build-task-quota.js +113 -0
package/dist/pwa/routes/claim-verify.js +15 -11
package/dist/pwa/routes/contribution-facts.js +18 -0
package/dist/pwa/routes/dispute-cases.js +5 -4
package/dist/pwa/routes/growth.js +3 -3
package/dist/pwa/routes/orders-action.js +27 -10
package/dist/pwa/routes/orders-create.js +1 -1
package/dist/pwa/routes/products-meta.js +19 -6
package/dist/pwa/routes/profile-placement.js +1 -1
package/dist/pwa/routes/promoter.js +10 -29
package/dist/pwa/routes/public-build-tasks.js +5 -1
package/dist/pwa/routes/public-utils.js +9 -12
package/dist/pwa/routes/referral.js +5 -26
package/dist/pwa/routes/rewards-apply.js +3 -2
package/dist/pwa/routes/share-redirects.js +1 -1
package/dist/pwa/routes/shareables-interactions.js +2 -1
package/dist/pwa/routes/task-proposals.js +85 -9
package/dist/pwa/routes/users-public.js +1 -4
package/dist/pwa/routes/wallet-read.js +2 -14
package/dist/pwa/routes/webauthn.js +7 -2
package/dist/pwa/server-schema.js +9 -0
package/dist/pwa/server.js +319 -2034
package/dist/runtime/agent-grant-scopes.js +128 -0
package/dist/runtime/agent-grant-verifier.js +67 -0
package/dist/runtime/agent-pairing.js +60 -0
package/dist/runtime/apply-webaz-runtime-schema.js +15 -0
package/dist/runtime/webaz-schema-helpers.js +1848 -0
package/dist/settlement-math.js +3 -3
package/dist/version.js +6 -4
package/package.json +43 -8
package/dist/index.js +0 -182
package/dist/pwa/public/docs/ECONOMIC-MODEL.md +0 -287
package/dist/pwa/public/docs/INTEGRATOR.md +0 -67
package/dist/pwa/public/docs/META-RULES-FULL.md +0 -543
package/dist/test-dispute.js +0 -153
package/dist/test-manifest.js +0 -61
package/dist/test-mcp-tools.js +0 -135
package/dist/test-reputation.js +0 -116
package/dist/test-skill-market.js +0 -101

package/dist/pwa/routes/orders-action.js CHANGED Viewed

@@ -320,12 +320,27 @@ export function registerOrdersActionRoutes(app, deps) {
                         commissionDistributed += Number(r.amount);
                     }
                     const commissionRedirected = round2(commissionPool - commissionDistributed);
-                    // QA 轮 14.b P2：redirected_total 拆 chain_gap(→charity) vs region_cap(→global_fund)
-                    // 之前单一数字让 agent 无法分辨钱去哪（global region L2/L3 进 global_fund，不是 charity）
-                    const charityRow = (await dbOne("SELECT COALESCE(SUM(amount),0) AS s FROM charity_fund_txns WHERE related_order_id = ?", [req.params.id]));
-                    const redirectedToCharity = round2(Number(charityRow.s));
-                    const fundDepRow = (await dbOne("SELECT COALESCE(SUM(amount_l3),0) AS s FROM fund_deposits WHERE order_id = ?", [req.params.id]));
-                    const redirectedToGlobalFund = round2(Number(fundDepRow.s));
+                    // 2026-06-04 三科目解耦后：未发出的 commission 不再进 charity_fund / global_fund。
+                    //   region_cap / chain_gap / orphan_sponsor / opt_out_deactivated → commission_reserve（按 kind）
+                    //   opt-out 未激活（never_activated / auto_downgrade）         → pending_commission_escrow（30 天内 recipient opt-in 可恢复）
+                    // 此处只读汇总本单去向，让 agent 看清 redirected_total 实际落点（settleOrder 已完成，无写、无原子性要求）。
+                    const crRows = await dbAll("SELECT kind, COALESCE(SUM(amount),0) AS s FROM commission_reserve_txns WHERE related_order_id = ? GROUP BY kind", [req.params.id]);
+                    const reserveByKind = { region_cap: 0, chain_gap: 0, orphan_sponsor: 0, opt_out_deactivated: 0, escrow_expired: 0 };
+                    for (const r of crRows) {
+                        if (r.kind === 'redirect_region_cap')
+                            reserveByKind.region_cap = round2(Number(r.s));
+                        else if (r.kind === 'redirect_chain_gap')
+                            reserveByKind.chain_gap = round2(Number(r.s));
+                        else if (r.kind === 'redirect_orphan_sponsor')
+                            reserveByKind.orphan_sponsor = round2(Number(r.s));
+                        else if (r.kind === 'redirect_opt_out_deactivated')
+                            reserveByKind.opt_out_deactivated = round2(Number(r.s));
+                        else if (r.kind === 'redirect_escrow_expired')
+                            reserveByKind.escrow_expired = round2(Number(r.s));
+                    }
+                    const redirectedToCommissionReserve = round2(reserveByKind.region_cap + reserveByKind.chain_gap + reserveByKind.orphan_sponsor + reserveByKind.opt_out_deactivated + reserveByKind.escrow_expired);
+                    const escrowRow = (await dbOne("SELECT COALESCE(SUM(amount),0) AS s FROM pending_commission_escrow WHERE order_id = ? AND status = 'pending'", [req.params.id]));
+                    const heldInOptOutEscrow = round2(Number(escrowRow.s));
                     // QA 轮 9.5 P2：payouts 表只 MCP legacy 写，PWA settleOrder 直更 wallet.balance 不写 payouts
                     // 改用公式推算 sellerAmount（跟 PWA settleOrder 内部计算一致），更可靠
                     const fundBase1pct = round2(total * 0.01);
@@ -336,7 +351,7 @@ export function registerOrdersActionRoutes(app, deps) {
                         order_amount: total,
                         distribution: {
                             seller_net: { amount: sellerAmountComputed, to: ord.seller_id, note: '不含可能的首销 stake 锁定（settleOrder 内 stake_locked_at 首次锁，从 sellerAmount 划出）' },
-                            protocol_fund_2pct: { amount: protocolFee, split: { management_bonus_pool: round2(protocolFee / 2), sys_protocol_ops: round2(protocolFee / 2) } },
+                            protocol_fund_2pct: { amount: protocolFee, split: { protocol_reserve_pool: round2(protocolFee / 2), sys_protocol_ops: round2(protocolFee / 2) } },
                             logistics_fee: { amount: logisticsActual, rate: isInPerson ? 'N/A in_person' : (ord.logistics_id ? '5%' : 'N/A self-fulfill') },
                             commission_pool: { total: commissionPool, rate: `${(commissionRate * 100).toFixed(1)}%` },
                             commission_distribution_7_2_1: {
@@ -345,9 +360,11 @@ export function registerOrdersActionRoutes(app, deps) {
                                 l3: commByLevel[3],
                                 distributed_total: round2(commissionDistributed),
                                 redirected_total: commissionRedirected,
-                                redirected_to_charity: redirectedToCharity, // chain_gap (无 L / sponsor 无效)
-                                redirected_to_global_fund: redirectedToGlobalFund, // region cap (level > region max_levels)
-                                redirect_note: 'chain_gap (无 L) → charity_fund; region cap (level > max_levels) → global_fund',
+                                redirected_to_commission_reserve: redirectedToCommissionReserve,
+                                reserve_by_kind: reserveByKind, // region_cap / chain_gap / orphan_sponsor / opt_out_deactivated / escrow_expired
+                                held_in_opt_out_escrow: heldInOptOutEscrow, // never_activated / auto_downgrade — recipient opt-in 可恢复
+                                redirect_accounted_ok: Math.abs(commissionRedirected - round2(redirectedToCommissionReserve + heldInOptOutEscrow)) < 0.01,
+                                redirect_note: '未发出佣金 → commission_reserve（region_cap / chain_gap / orphan_sponsor / opt_out_deactivated）；opt-out 未激活（never_activated / auto_downgrade）暂存 pending_commission_escrow（30 天内 opt-in 可恢复），逾期未恢复则转入 commission_reserve（escrow_expired）。2026-06-04 起不再进 charity_fund / global_fund。',
                             },
                             fund_base_1pct: fundBase1pct,
                         },

package/dist/pwa/routes/orders-create.js CHANGED Viewed

@@ -371,7 +371,7 @@ export function registerOrdersCreateRoutes(app, deps) {
                 }
                 transition(db, orderId, 'paid', user.id, [], '模拟支付完成');
                 notifyTransition(db, orderId, 'created', 'paid');
-                // 里程碑 3-C：双轨同支检测（监测+审计；不阻断）
+                // 里程碑 3-C：放置同支检测（监测+审计；不阻断）
                 try {
                     auditSponsorChainCross(orderId, user.id, String(product.seller_uid), buyer.sponsor_path);
                 }

package/dist/pwa/routes/products-meta.js CHANGED Viewed

@@ -1,4 +1,17 @@
 import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
+import { genuineSalePredicate } from '../../layer0-foundation/L0-2-state-machine/genuine-sale.js'; // 真实成交单一真相源
+/**
+ * 真实收货完成的订单数(分享资格判据)。
+ * 关键:status='completed' 是状态机的通用终态 — 不只「无争议自然完成」(confirmed→completed),
+ * 还包括 fault_seller / fault_logistics / fault_buyer / declined_nofault / disputed → completed
+ * 这些退款 / 违约 / 争议处置终态。单看 status='completed' 会把「被退款的失败交易」当成有效成交,
+ * 错误授予分享(进而分享分润)资格。
+ * 真实收货 = 该订单曾进入过 confirmed(买家确认收货,或送达后 72h 自动确认)— 仅 happy path 经过,
+ * 所有 fault/争议/退款终态都不经过 confirmed,据此排除。
+ */
+async function genuineReceiptCount(buyerId, productId) {
+    return (await dbOne(`SELECT COUNT(*) AS n FROM orders WHERE buyer_id = ? AND product_id = ? AND ${genuineSalePredicate('orders')}`, [buyerId, productId])).n;
+}
 export function registerProductsMetaRoutes(app, deps) {
     const { db, auth, generateId, rateLimitOk, flagNewAccountShareable, refreshProductSharerCount } = deps;
     void db; // RFC-016: 本文件已全量走异步 seam;db 仍在 deps 由调用方注入,此处不直接使用
@@ -117,16 +130,16 @@ export function registerProductsMetaRoutes(app, deps) {
             return void res.status(404).json({ error: 'not_found' });
         res.json(row);
     });
-    // 分享许可：是否对该商品有 completed 订单
+    // 分享许可：是否真实收货完成该商品(经过 confirmed,排除退款/违约/争议终态)
     app.get('/api/products/:id/can-share', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const completed = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND product_id = ? AND status = 'completed'", [user.id, req.params.id])).n;
+        const completed = await genuineReceiptCount(user.id, req.params.id);
         res.json({
             can_share: completed > 0,
             completed_orders: completed,
-            reason: completed > 0 ? 'verified_buyer_of_product' : 'need_completed_order_of_this_product',
+            reason: completed > 0 ? 'genuine_receipt_of_product' : 'need_genuine_receipt_of_this_product',
         });
     });
     // 获取或创建商品 shareable（被 sharePromoLink 用，走 /s/<id> 短链）
@@ -144,7 +157,7 @@ export function registerProductsMetaRoutes(app, deps) {
             };
             const minOrders = await getParam('rewards_opt_in.min_completed_orders', 1);
             const requirePasskey = await getParam('rewards_opt_in.require_passkey', 1);
-            const totalCompleted = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [user.id])).n;
+            const totalCompleted = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND ${genuineSalePredicate('orders')}`, [user.id])).n; // 真实成交,排除退款/违约
             const passkeyCount = (await dbOne("SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?", [user.id])).n;
             const missing = [];
             if (totalCompleted < minOrders)
@@ -165,9 +178,9 @@ export function registerProductsMetaRoutes(app, deps) {
                 ],
             });
         }
-        const completed = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND product_id = ? AND status = 'completed'", [user.id, productId])).n;
+        const completed = await genuineReceiptCount(user.id, productId);
         if (completed === 0)
-            return void res.json({ error: '需先完成该商品的购买才能分享', completed_orders: 0 });
+            return void res.json({ error: '需先真实收货完成该商品的购买才能分享(退款 / 违约 / 争议订单不算)', completed_orders: 0 });
         // 优先复用现有 active shareable
         const existing = await dbOne(`SELECT id, owner_code FROM shareables WHERE owner_id = ? AND related_product_id = ? AND status = 'active' LIMIT 1`, [user.id, productId]);
         if (existing) {

package/dist/pwa/routes/profile-placement.js CHANGED Viewed

@@ -35,7 +35,7 @@ export function registerProfilePlacementRoutes(app, deps) {
             return void res.json({ error: '不能挂靠到自己' });
         const u = await dbOne("SELECT placement_id, left_child_id, right_child_id FROM users WHERE id = ?", [user.id]);
         if (u?.placement_id)
-            return void res.json({ error: '你已在双轨树中（永久第一触点，不可改）' });
+            return void res.json({ error: '你已在放置树中（永久第一触点，不可改）' });
         if (u?.left_child_id || u?.right_child_id)
             return void res.json({ error: '你已有下线，不可补绑（防破坏树结构）' });
         const inviter = await dbOne("SELECT id, placement_path FROM users WHERE id = ? AND id NOT IN ('sys_protocol', ?)", [resolvedInviterId, internalAuditorId]);

package/dist/pwa/routes/promoter.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
+import { genuineSalePredicate } from '../../layer0-foundation/L0-2-state-machine/genuine-sale.js'; // 真实成交单一真相源
 export function registerPromoterRoutes(app, deps) {
-    const { db, auth, isAllowedSponsor } = deps;
+    const { db, auth, isAllowedSponsor, participationRecordingActive } = deps;
     void db; // RFC-016: 本文件已全量走异步 seam;db 仍在 deps 由调用方注入,此处不直接使用
     app.get('/api/promoter/dashboard', async (req, res) => {
         const user = auth(req, res);
@@ -41,21 +42,9 @@ export function registerPromoterRoutes(app, deps) {
         const leftChildName = myUser?.left_child_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [myUser.left_child_id]))?.name : null;
         const rightChildName = myUser?.right_child_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [myUser.right_child_id]))?.name : null;
         const myPlacementName = myUser?.placement_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [myUser.placement_id]))?.name : null;
-        const scoreAgg = (await dbOne(`
-      SELECT
-        COALESCE(SUM(CASE WHEN settled_at IS NULL THEN score ELSE 0 END),0) as pending_score,
-        COALESCE(SUM(CASE WHEN settled_at IS NOT NULL THEN waz_amount ELSE 0 END),0) as settled_waz,
-        COUNT(*) as total_hits
-      FROM binary_score_records WHERE user_id = ?
-    `, [userId]));
-        const recentBinary = await dbAll(`
-      SELECT id, tier, score, settled_at, waz_amount, created_at
-      FROM binary_score_records WHERE user_id = ?
-      ORDER BY created_at DESC LIMIT 10
-    `, [userId]);
-        const tiers = await dbAll("SELECT tier, pv_threshold, score_per_hit FROM binary_tier_config WHERE active=1 ORDER BY tier ASC");
+        // matching-rewards reads (score / recent matches / tier config) removed — engine excised (#401).
         const canL1Share = isAllowedSponsor(userId);
-        const completedOrders = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [userId])).n;
+        const completedOrders = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND ${genuineSalePredicate('orders')}`, [userId])).n; // 真实成交,排除退款/违约
         const overrideRow = await dbOne("SELECT l1_share_override FROM users WHERE id = ?", [userId]);
         const shareableProducts = await dbAll(`
       SELECT p.id, p.title, p.price, p.category, p.commission_rate,
@@ -64,7 +53,7 @@ export function registerPromoterRoutes(app, deps) {
                   JOIN orders o2 ON o2.id = cr.order_id
                   WHERE cr.beneficiary_id = ? AND o2.product_id = p.id), 0) as my_earned
       FROM products p
-      WHERE p.id IN (SELECT DISTINCT product_id FROM orders WHERE buyer_id = ? AND status = 'completed')
+      WHERE p.id IN (SELECT DISTINCT product_id FROM orders WHERE buyer_id = ? AND ${genuineSalePredicate('orders')})
         AND p.commission_rate IS NOT NULL AND p.commission_rate > 0
         AND p.status = 'active'
       ORDER BY my_earned DESC, total_sales DESC LIMIT 20
@@ -77,21 +66,15 @@ export function registerPromoterRoutes(app, deps) {
       SELECT COALESCE(SUM(amount),0) as total FROM commission_records
       WHERE beneficiary_id = ? AND created_at >= datetime('now','-60 days')
         AND created_at < datetime('now','-30 days')
-    `, [userId])).total;
-        const wazLast30 = (await dbOne(`
-      SELECT COALESCE(SUM(waz_amount),0) as total FROM binary_score_records
-      WHERE user_id = ? AND settled_at >= datetime('now','-30 days')
     `, [userId])).total;
         const projection = {
             last_30_commission: earnedLast30,
             prev_30_commission: earnedPrev30,
-            last_30_atomic_waz: wazLast30,
             growth_rate: earnedPrev30 > 0 ? earnedLast30 / earnedPrev30 - 1 : null,
-            next_30_estimate: earnedLast30 + wazLast30,
+            next_30_estimate: earnedLast30,
         };
         const insights = [];
-        // pre-public de-MLM:移除弱腿 / pairing / PV-tier 经营建议 —— PV 对碰为 pre-launch、未对用户启用,
-        // 不在用户面 surface 营销主推弱腿 / pairing 公式 / PV-tier 进度等玩法。位置 / PV 仅为参与记录,非收益路径。
+        // 匹配奖励引擎已切除(#401):不展示任何奖励经营建议;位置 / PV 仅为参与记录,非收益路径。
         const lastInvite = (await dbOne(`SELECT MAX(created_at) as t FROM users WHERE sponsor_id = ?`, [userId]));
         if (lastInvite.t) {
             const days = Math.floor((Date.now() - new Date(lastInvite.t).getTime()) / 86400_000);
@@ -167,17 +150,15 @@ export function registerPromoterRoutes(app, deps) {
             shareable_products: shareableProducts,
             projection,
             insights,
+            gates: { participation_recording_active: participationRecordingActive() },
+            // Neutral participation record only — placement position + per-leg PV. No rewards (matching engine excised #401).
+            // (response keys `atomic` / `binary_tree` kept as the placement structure's stable shape — frontend reads them)
             atomic: {
-                left_invite_url: codeForLink ? `${host}/i/${codeForLink}-L` : null,
-                right_invite_url: codeForLink ? `${host}/i/${codeForLink}-R` : null,
                 total_left_pv: Number(myUser?.total_left_pv ?? 0),
                 total_right_pv: Number(myUser?.total_right_pv ?? 0),
                 left_child: myUser?.left_child_id ? { id: myUser.left_child_id, name: leftChildName } : null,
                 right_child: myUser?.right_child_id ? { id: myUser.right_child_id, name: rightChildName } : null,
                 my_placement: myUser?.placement_id ? { id: myUser.placement_id, name: myPlacementName, side: myUser.placement_side } : null,
-                score: scoreAgg,
-                recent_binary: recentBinary,
-                tier_config: tiers,
                 binary_tree: binaryTree,
             },
         });

package/dist/pwa/routes/public-build-tasks.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { listBuildTasksWithAgentMetadata, getBuildTaskWithAgentMetadata, validateTaskFilters, withContributionReadEnvelope } from '../../layer2-business/L2-9-contribution/build-task-read.js';
+import { caseIdForTask } from '../../layer2-business/L2-9-contribution/task-proposal-draft.js';
 export function registerPublicBuildTasksRoutes(app, deps) {
     const { db, errorRes } = deps;
     app.get('/api/public/build-tasks', (req, res) => {
@@ -14,6 +15,9 @@ export function registerPublicBuildTasksRoutes(app, deps) {
         const task = getBuildTaskWithAgentMetadata(db, String(req.params.id), 'public');
         if (!task)
             return void errorRes(res, 404, 'NOT_FOUND', '任务不存在');
-        res.json(withContributionReadEnvelope({ task }));
+        // case_id threads proposal → task → PR (= source proposal id if converted from a proposal, else the task id),
+        // so the proposer, the contributor, and the PR all quote one id. (Helper lives in the store — keeps this
+        // route off the RFC-016 raw-db seam.)
+        res.json(withContributionReadEnvelope({ task: { ...task, case_id: caseIdForTask(db, String(req.params.id)) } }));
     });
 }

package/dist/pwa/routes/public-utils.js CHANGED Viewed

@@ -66,12 +66,10 @@ export function registerPublicUtilsRoutes(app, deps) {
     });
     app.get('/api/system-flags', async (_req, res) => {
         const requireRef = (await dbOne("SELECT value FROM system_state WHERE key='require_ref_to_register'"))?.value === '1';
-        const inviteRotation = (await dbOne("SELECT value FROM system_state WHERE key='invite_rotation_enabled'"))?.value === '1';
         // #1049 Turnstile 公钥(若启用),前端注册表单 widget 用
         const turnstileSiteKey = process.env.TURNSTILE_SITE_KEY || null;
         res.json({
             require_ref_to_register: requireRef,
-            invite_rotation_enabled: inviteRotation,
             turnstile_site_key: turnstileSiteKey,
         });
     });
@@ -134,13 +132,12 @@ export function registerPublicUtilsRoutes(app, deps) {
             },
             // 公开披露文档(#1050) — 协议层"钱怎么流"的源真理(协议外可读)
             disclosures: {
-                // 源码仓库 launch 前私有,下列 github 链接可能 404(launch 时开),不是死项目;机器可读 spec 已全在 /.well-known/*。
-                source_status: 'repo private until W8 public launch — github.com links below may 404 until then (they open at launch); the full spec is already public via /.well-known/*.',
-                economic_model: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/ECONOMIC-MODEL.md',
-                mlm_compliance: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/MLM-COMPLIANCE.md',
-                agent_governance: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/AGENT-GOVERNANCE.md',
-                protocol_compatibility: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/PROTOCOL-COMPATIBILITY-AUDIT-2026-05-30.md',
-                changelog: 'https://github.com/seasonsagents-art/webaz/blob/main/CHANGELOG.md',
+                // 源码仓库已公开(github.com/webaz-protocol/webaz);机器可读 spec 也全在 /.well-known/*。
+                source_status: 'repo is public (github.com/webaz-protocol/webaz); the full spec is also available via /.well-known/*.',
+                economic_model: 'https://github.com/webaz-protocol/webaz/blob/main/docs/ECONOMIC-MODEL.md',
+                mlm_compliance: 'https://github.com/webaz-protocol/webaz/blob/main/docs/PARTICIPATION-ATTRIBUTION-COMPLIANCE.md',
+                agent_governance: 'https://github.com/webaz-protocol/webaz/blob/main/docs/AGENT-GOVERNANCE.md',
+                changelog: 'https://github.com/webaz-protocol/webaz/blob/main/CHANGELOG.md',
                 // RFC-011 §②:agent 可读能力矩阵(写边界 action-scope + 敏感读 scope),live doc=code
                 capability_matrix: 'https://webaz.xyz/.well-known/webaz-capabilities.json',
             },
@@ -457,9 +454,9 @@ export function registerPublicUtilsRoutes(app, deps) {
                 eligibility,
                 quiz_pass_score: quizPassScore,
                 spec_urls: {
-                    onboarding: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/GOVERNANCE-ONBOARDING.md',
-                    playbook: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/ARBITRATION-PLAYBOOK.md',
-                    leaderboard: 'https://github.com/seasonsagents-art/webaz/blob/main/docs/GOVERNANCE-LEADERBOARD-SPEC.md',
+                    onboarding: 'https://github.com/webaz-protocol/webaz/blob/main/docs/GOVERNANCE-ONBOARDING.md',
+                    playbook: 'https://github.com/webaz-protocol/webaz/blob/main/docs/ARBITRATION-PLAYBOOK.md',
+                    leaderboard: 'https://github.com/webaz-protocol/webaz/blob/main/docs/GOVERNANCE-LEADERBOARD-SPEC.md',
                 },
             });
         }

package/dist/pwa/routes/referral.js CHANGED Viewed

@@ -1,7 +1,8 @@
-import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
+import { genuineSalePredicate } from '../../layer0-foundation/L0-2-state-machine/genuine-sale.js'; // 真实成交单一真相源
 export function registerReferralRoutes(app, deps) {
     // db 已全量走 RFC-016 异步 seam(dbOne/dbAll/dbRun),不再直接用 deps.db
-    const { auth, requireProtocolAdmin, logAdminAction, issueInviteSlot, inviteRotationLookup } = deps;
+    const { auth } = deps;
     // B-1: 个人邀请 dashboard
     app.get('/api/referral/me', async (req, res) => {
         const user = auth(req, res);
@@ -36,28 +37,6 @@ export function registerReferralRoutes(app, deps) {
             },
         });
     });
-    // 公开邀请码轮询（开关 ON 时）
-    app.post('/api/invite/rotate', async (_req, res) => {
-        const enabled = (await dbOne("SELECT value FROM system_state WHERE key='invite_rotation_enabled'"))?.value === '1';
-        if (!enabled)
-            return void res.status(403).json({ error: '邀请码获取暂未开放', enabled: false });
-        const slot = issueInviteSlot();
-        const u = inviteRotationLookup(slot);
-        if (!u)
-            return void res.status(503).json({ error: `轮询用户未就绪，请联系管理员`, enabled: true });
-        res.json({ enabled: true, code: u.code });
-    });
-    // protocol 开关
-    app.post('/api/admin/invite-rotation/toggle', async (req, res) => {
-        const admin = requireProtocolAdmin(req, res);
-        if (!admin)
-            return;
-        const { enabled } = req.body;
-        const v = enabled ? '1' : '0';
-        await dbRun("INSERT OR REPLACE INTO system_state (key, value) VALUES ('invite_rotation_enabled', ?)", [v]);
-        logAdminAction(admin.id, 'invite_rotation_toggle', 'system', 'invite_rotation_enabled', { value: v });
-        res.json({ success: true, enabled: !!enabled });
-    });
     // RFC-003 #1122: 生成商品分享链接(把 MCP webaz_share_link 的本地计算搬到服务端,
     // 让 MCP NETWORK 模式可代理)。RFC-002 §3.5 valuation-layer gate:需 rewards opt-in。
     // pre-public 去左右码:不再接受/返回 side,放置侧别由注册时系统自动决定。
@@ -77,7 +56,7 @@ export function registerReferralRoutes(app, deps) {
             };
             const minOrders = await getParam('rewards_opt_in.min_completed_orders', 1);
             const requirePasskey = await getParam('rewards_opt_in.require_passkey', 1);
-            const totalCompleted = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [userId])).n;
+            const totalCompleted = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND ${genuineSalePredicate('orders')}`, [userId])).n; // 真实成交,排除退款/违约
             const passkeyCount = (await dbOne("SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?", [userId])).n;
             const missing = [];
             if (totalCompleted < minOrders)
@@ -101,7 +80,7 @@ export function registerReferralRoutes(app, deps) {
         if (!product)
             return void res.status(404).json({ error: '商品不存在或已下架', error_code: 'PRODUCT_NOT_FOUND' });
         // pre-public 去左右码:分享链接不再计算/携带 side(放置侧别由注册时系统自动决定)
-        const completed = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [userId])).n;
+        const completed = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND ${genuineSalePredicate('orders')}`, [userId])).n; // 真实成交,排除退款/违约
         const override = (await dbOne("SELECT l1_share_override FROM users WHERE id = ?", [userId]))?.l1_share_override ?? 0;
         const canL1 = override === 1 || (override === 0 && completed > 0);
         const rate = Number(product.commission_rate ?? 0);

package/dist/pwa/routes/rewards-apply.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { createHash } from 'node:crypto';
 import { dbOne } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
+import { genuineSalePredicate } from '../../layer0-foundation/L0-2-state-machine/genuine-sale.js'; // 真实成交单一真相源
 function sha256_hex(s) {
     return createHash('sha256').update(s).digest('hex');
 }
@@ -26,7 +27,7 @@ export function registerRewardsApplyRoutes(app, deps) {
             state = 'auto_downgraded';
         else
             state = 'never_activated';
-        const completedOrders = (await dbOne("SELECT COUNT(*) AS n FROM orders WHERE buyer_id = ? AND status = 'completed'", [userId])).n;
+        const completedOrders = (await dbOne(`SELECT COUNT(*) AS n FROM orders WHERE buyer_id = ? AND ${genuineSalePredicate('orders')}`, [userId])).n; // 真实成交,排除退款/违约
         const passkeyCount = (await dbOne("SELECT COUNT(*) AS n FROM webauthn_credentials WHERE user_id = ?", [userId])).n;
         const minOrders = Number(getProtocolParam('rewards_opt_in.min_completed_orders', 1));
         const requirePasskey = Number(getProtocolParam('rewards_opt_in.require_passkey', 1));
@@ -103,7 +104,7 @@ export function registerRewardsApplyRoutes(app, deps) {
         }
         // 5. Pre-conditions (re-check inside server)
         const minOrders = Number(getProtocolParam('rewards_opt_in.min_completed_orders', 1));
-        const completedOrders = (await dbOne("SELECT COUNT(*) AS n FROM orders WHERE buyer_id = ? AND status = 'completed'", [userId])).n;
+        const completedOrders = (await dbOne(`SELECT COUNT(*) AS n FROM orders WHERE buyer_id = ? AND ${genuineSalePredicate('orders')}`, [userId])).n; // 真实成交,排除退款/违约
         if (completedOrders < minOrders)
             return void errorRes(res, 403, 'INSUFFICIENT_ORDERS', `需 ${minOrders} 笔已完成订单,目前 ${completedOrders}`);
         const requirePasskey = Number(getProtocolParam('rewards_opt_in.require_passkey', 1));

package/dist/pwa/routes/share-redirects.js CHANGED Viewed

@@ -158,7 +158,7 @@ export function registerShareRedirectsRoutes(app, deps) {
     // 邀请短链 /i/CODE — invite-code ONLY (permanent_code, 兼容旧的 -L/-R 后缀). usr_xxx / @handle / 裸 handle
     // 一律 404(不再做 handle 解析)。pre-public 去左右码:/i/CODE 与旧 /i/CODE-L、/i/CODE-R 一律
     // 规范化重定向到 /?ref=CODE(丢弃 side;放置侧别由注册时系统自动决定),旧链接/二维码仍可用。
-    // 不受 invite_rotation_enabled 影响:已有用户分享出的 /i/CODE 链接和二维码必须始终可用。
+    // 不受注册门控开关影响:已有用户分享出的 /i/CODE 链接和二维码必须始终可用。
     app.get('/i/:code', (req, res) => {
         const ref = resolveInviteCodeRef(String(req.params.code || ''));
         if (!ref)

package/dist/pwa/routes/shareables-interactions.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
+import { genuineSalePredicate } from '../../layer0-foundation/L0-2-state-machine/genuine-sale.js'; // 真实成交单一真相源
 export function registerShareablesInteractionsRoutes(app, deps) {
     const { db, auth, generateId, rateLimitOk, piiSanitize, detectFraud, commentBlocklistHit, llmModerateComment, parseMentions, notifyMentions } = deps;
     app.post('/api/shareables/:id/click', async (req, res) => {
@@ -21,7 +22,7 @@ export function registerShareablesInteractionsRoutes(app, deps) {
         if (sh.owner_id === user.id)
             return void res.json({ error: '不能给自己点赞' });
         // P1 Sybil 软门槛：至少完成过 1 笔订单（不限购买该商品，只需活跃用户）
-        const completed = (await dbOne("SELECT COUNT(1) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [user.id])).n;
+        const completed = (await dbOne(`SELECT COUNT(1) as n FROM orders WHERE buyer_id = ? AND ${genuineSalePredicate('orders')}`, [user.id])).n; // 真实成交,排除退款/违约
         if (completed < 1)
             return void res.json({ error: '完成首笔购买后才能点赞（防止刷赞）' });
         // P0 fix：SELECT existing 进 transaction

package/dist/pwa/routes/task-proposals.js CHANGED Viewed

@@ -1,15 +1,25 @@
-import { validateProposalInput, insertTaskProposal, listTaskProposals, reviewTaskProposal } from '../../layer2-business/L2-9-contribution/task-proposal-store.js';
+import { validateProposalInput, insertTaskProposal, listTaskProposals, listMyProposals, reviewTaskProposal } from '../../layer2-business/L2-9-contribution/task-proposal-store.js';
 import { withUncommittedValueBoundary } from '../../layer2-business/L2-9-contribution/contribution-display-envelope.js';
 import { getCanonicalContributionTarget } from '../../layer2-business/L2-9-contribution/canonical-contribution-target.js';
-import { createDraftFromProposal, listDraftBuildTasks, publishDraftBuildTask } from '../../layer2-business/L2-9-contribution/task-proposal-draft.js';
+import { createDraftFromProposal, listDraftBuildTasks, getDraftBuildTaskDetail, publishDraftBuildTask, discardDraft, withdrawPublishedTask } from '../../layer2-business/L2-9-contribution/task-proposal-draft.js';
 import { recommendForProposal, insertAiSuggestion, listAiSuggestions, getProposalLite } from '../../layer2-business/L2-9-contribution/task-proposal-ai-store.js';
 const AI_NOTICE = 'AI suggestion — assistant only, NOT a decision. A human maintainer must explicitly create / publish / reject the formal task. AI never auto-publishes, auto-rejects, hides proposals, or assigns reward / credit.';
 const PROPOSAL_NOTICE = 'A task proposal is a SUGGESTION in the maintainer review inbox. It is NOT a contribution fact, formal participation, or any reward / payout / score, and it never appears on the public task board until a maintainer reviews and (manually) converts it. source_ref is a reference only; the canonical contribution target is fixed by trusted config.';
 function withProposalEnvelope(payload) {
     return withUncommittedValueBoundary({ ...payload, proposal_notice: PROPOSAL_NOTICE, canonical_contribution_target: getCanonicalContributionTarget() });
 }
+// Agent-readable next-step hint per status (the channel is agent-native both ways).
+function nextActionFor(status) {
+    switch (status) {
+        case 'new': return 'Awaiting maintainer review — no action needed.';
+        case 'needs_info': return 'Maintainer needs more detail. Submit an updated proposal (webaz_feedback type=proposal) referencing this id; see public_reply for what is missing.';
+        case 'rejected': return 'Not converted to a task. See public_reply for the reason; you may submit a revised proposal.';
+        case 'converted': return 'Converted to a task. See converted_ref for the linked task / PR / decision.';
+        default: return 'No action.';
+    }
+}
 export function registerTaskProposalsRoutes(app, deps) {
-    const { db, errorRes, requireSupportAdmin, rateLimitOk } = deps;
+    const { db, errorRes, requireSupportAdmin, rateLimitOk, auth, resolveUser } = deps;
     // public submit — anonymous; proposer_account_id is never taken from the body (anti-spoof).
     app.post('/api/public/task-proposals', (req, res) => {
         // anti-flood: per-IP rate limit (counts every attempt, before validation) then a recent-window dedup.
@@ -19,10 +29,23 @@ export function registerTaskProposalsRoutes(app, deps) {
         const v = validateProposalInput(req.body);
         if (!v.ok)
             return void errorRes(res, 400, v.code, v.message);
-        const result = insertTaskProposal(db, v.input, null);
+        // Link to the submitter when authenticated (account id comes from the session, NEVER the body — anti-spoof);
+        // anonymous submit still works (account id null) — it just won't show up in "my proposals".
+        const submitter = resolveUser(req);
+        const accountId = submitter ? String(submitter.id) : null;
+        const result = insertTaskProposal(db, v.input, accountId);
         if ('duplicate' in result)
             return void errorRes(res, 409, 'DUPLICATE_PROPOSAL', '相同建议已在收件箱中,请勿重复提交', { existing_id: result.existing_id });
-        res.json(withProposalEnvelope({ proposal: { id: result.id, status: result.status } }));
+        res.json(withProposalEnvelope({ proposal: { id: result.id, status: result.status }, linked_to_account: !!accountId }));
+    });
+    // proposer-facing read: the caller's OWN proposals + status + public_reply (agent-readable). No review_note; own rows only.
+    app.get('/api/me/task-proposals', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        // case_id threads the whole case (proposal → task → PR). For a proposal it is the proposal's own id.
+        const proposals = listMyProposals(db, String(user.id)).map(p => ({ ...p, case_id: p.id, next_action: nextActionFor(String(p.status)) }));
+        res.json(withProposalEnvelope({ proposals }));
     });
     // admin list (maintainer only)
     app.get('/api/admin/task-proposals', (req, res) => {
@@ -30,15 +53,17 @@ export function registerTaskProposalsRoutes(app, deps) {
         if (!admin)
             return;
         const status = typeof req.query.status === 'string' ? req.query.status : undefined;
-        res.json(withProposalEnvelope({ proposals: listTaskProposals(db, { status }) }));
+        // case_id = the proposal's own id (the case originates at the proposal); shown in the management inbox.
+        const proposals = listTaskProposals(db, { status }).map(p => ({ ...p, case_id: p.id }));
+        res.json(withProposalEnvelope({ proposals }));
     });
     // admin review (maintainer only): needs_info | rejected | converted — no build_task is created here.
     app.post('/api/admin/task-proposals/:id/review', (req, res) => {
         const admin = requireSupportAdmin(req, res);
         if (!admin)
             return;
-        const { status, note, converted_ref } = req.body ?? {};
-        const result = reviewTaskProposal(db, String(req.params.id), admin.id, String(status), note, converted_ref);
+        const { status, note, converted_ref, public_reply } = req.body ?? {};
+        const result = reviewTaskProposal(db, String(req.params.id), admin.id, String(status), note, converted_ref, public_reply);
         if ('error' in result) {
             const code = result.code === 'NOT_FOUND' ? 404 : result.code === 'ALREADY_TERMINAL' ? 409 : 400;
             return void errorRes(res, code, result.code, result.error);
@@ -90,6 +115,11 @@ export function registerTaskProposalsRoutes(app, deps) {
             definitionOfDone: b.definition_of_done ?? null,
             expectedResults: b.expected_results ?? null,
             autoClaimable: b.auto_claimable === false ? false : undefined,
+            // optional real effort estimate (#34/#5); if omitted the draft is a 0–0 placeholder and publish is fail-closed.
+            estimatedDurationMinMinutes: typeof b.estimated_duration_min_minutes === 'number' ? b.estimated_duration_min_minutes : undefined,
+            estimatedDurationMaxMinutes: typeof b.estimated_duration_max_minutes === 'number' ? b.estimated_duration_max_minutes : undefined,
+            estimatedAgentBudget: b.estimated_agent_budget,
+            estimatedContextSize: b.estimated_context_size,
             riskLevel: b.risk_level, taskType: b.task_type, note: b.note ?? null,
         });
         if ('error' in r) {
@@ -105,12 +135,30 @@ export function registerTaskProposalsRoutes(app, deps) {
             return;
         res.json(withProposalEnvelope({ drafts: listDraftBuildTasks(db) }));
     });
+    // full stored body of ONE unpublished internal draft — for PRE-PUBLISH PREVIEW (publish against visible content).
+    app.get('/api/admin/build-task-drafts/:id', (req, res) => {
+        const admin = requireSupportAdmin(req, res);
+        if (!admin)
+            return;
+        const draft = getDraftBuildTaskDetail(db, String(req.params.id));
+        if (!draft)
+            return void errorRes(res, 404, 'NOT_FOUND', 'draft not found (or not an unpublished internal draft)');
+        res.json(withProposalEnvelope({ draft }));
+    });
     // PUBLISH a draft → public open task — explicit human/admin action; records the acting admin
     app.post('/api/admin/build-task-drafts/:id/publish', (req, res) => {
         const admin = requireSupportAdmin(req, res);
         if (!admin)
             return;
-        const r = publishDraftBuildTask(db, String(req.params.id), admin.id);
+        const b = (req.body ?? {});
+        // a published task MUST carry a real effort estimate (#34/#5). The maintainer supplies it here when the
+        // draft is still a 0–0 placeholder; without it publishDraftBuildTask fails closed (DRAFT_ESTIMATE_REQUIRED).
+        const r = publishDraftBuildTask(db, String(req.params.id), admin.id, {
+            minMinutes: typeof b.estimated_duration_min_minutes === 'number' ? b.estimated_duration_min_minutes : undefined,
+            maxMinutes: typeof b.estimated_duration_max_minutes === 'number' ? b.estimated_duration_max_minutes : undefined,
+            budget: b.estimated_agent_budget,
+            contextSize: b.estimated_context_size,
+        });
         if ('error' in r) {
             const code = r.error_code === 'NOT_FOUND' ? 404
                 : (r.error_code === 'PROPOSAL_REJECTED' || r.error_code === 'PROPOSAL_CONVERTED_ELSEWHERE') ? 409 : 400;
@@ -118,4 +166,32 @@ export function registerTaskProposalsRoutes(app, deps) {
         }
         res.json(withProposalEnvelope({ published: { task_id: r.task_id, published: true }, published_by: admin.id }));
     });
+    // DISCARD an unpublished internal draft (soft-delete → frees the proposal's draft slot; provenance retained).
+    // Fail-closed: refuses a published / claimed draft or an already-converted source proposal. Scope = discard only.
+    app.post('/api/admin/build-task-drafts/:id/discard', (req, res) => {
+        const admin = requireSupportAdmin(req, res);
+        if (!admin)
+            return;
+        const r = discardDraft(db, String(req.params.id), admin.id);
+        if ('error' in r) {
+            const code = r.error_code === 'NOT_FOUND' ? 404
+                : (r.error_code === 'ALREADY_PUBLISHED' || r.error_code === 'DRAFT_CLAIMED' || r.error_code === 'ALREADY_CONVERTED') ? 409 : 400;
+            return void errorRes(res, code, r.error_code, r.error);
+        }
+        res.json(withProposalEnvelope({ discarded: { task_id: r.task_id, status: 'discarded', already_discarded: !!r.already_discarded }, discarded_by: admin.id }));
+    });
+    // RECOVERY: withdraw an UNCLAIMED published task off the board + reopen its source proposal (so a corrected
+    // draft can be built). Fail-closed: refuses a claimed task or a non-published task. Soft-delete (provenance kept).
+    app.post('/api/admin/build-tasks/:id/withdraw', (req, res) => {
+        const admin = requireSupportAdmin(req, res);
+        if (!admin)
+            return;
+        const r = withdrawPublishedTask(db, String(req.params.id), admin.id);
+        if ('error' in r) {
+            const code = r.error_code === 'NOT_FOUND' ? 404
+                : (r.error_code === 'TASK_CLAIMED' || r.error_code === 'NOT_PUBLISHED') ? 409 : 400;
+            return void errorRes(res, code, r.error_code, r.error);
+        }
+        res.json(withProposalEnvelope({ withdrawn: { task_id: r.task_id, reopened_proposal_id: r.reopened_proposal_id }, withdrawn_by: admin.id }));
+    });
 }

package/dist/pwa/routes/users-public.js CHANGED Viewed

@@ -62,8 +62,7 @@ export function registerUsersPublicRoutes(app, deps) {
         const rightChildName = u.right_child_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [u.right_child_id]))?.name : null;
         const leftPv = Number(u.total_left_pv ?? 0);
         const rightPv = Number(u.total_right_pv ?? 0);
-        // pre-public de-MLM: PV 对碰为 pre-launch、未启用 —— public 端口不再暴露弱腿 / 对碰收益指标
-        // (weak_leg_pv / pending_score / settled_waz / total_hits)。位置 + 左右区 PV 仅作为参与记录保留。
+        // 匹配奖励引擎已切除(#401):public 端口只保留位置 + 左右区 PV 作为参与记录,不暴露任何奖励指标。
         res.json({
             id: u.id,
             name: u.name,
@@ -263,13 +262,11 @@ export function registerUsersPublicRoutes(app, deps) {
         if (isOwner) {
             const w = await dbOne('SELECT balance, earned FROM wallets WHERE user_id = ?', [me.id]);
             const pv = await dbOne("SELECT total_left_pv, total_right_pv FROM users WHERE id = ?", [me.id]);
-            const score = (await dbOne("SELECT COALESCE(SUM(score),0) as s FROM binary_score_records WHERE user_id = ? AND settled_at IS NULL", [me.id])).s;
             privateStats = {
                 wallet_balance: Number(w?.balance ?? 0),
                 wallet_earned: Number(w?.earned ?? 0),
                 total_left_pv: Number(pv?.total_left_pv ?? 0),
                 total_right_pv: Number(pv?.total_right_pv ?? 0),
-                pending_score: Number(score),
             };
         }
         // D2 信誉徽章墙

package/dist/pwa/routes/wallet-read.js CHANGED Viewed

@@ -175,26 +175,14 @@ export function registerWalletReadRoutes(app, deps) {
             if (commMap[key])
                 commMap[key] = { count: r.cnt, total: Number(r.total.toFixed(2)) };
         }
-        const binary = (await dbOne(`
-      SELECT
-        COUNT(CASE WHEN settled_at IS NOT NULL THEN 1 END) as settled_cnt,
-        COALESCE(SUM(CASE WHEN settled_at IS NOT NULL THEN waz_amount END), 0) as settled_waz,
-        COALESCE(SUM(CASE WHEN settled_at IS NULL THEN score END), 0) as pending_score
-      FROM binary_score_records WHERE user_id = ?
-    `, [user.id]));
+        // matching-rewards income removed — engine excised (#401). Income = affiliate commission (real sales) + own sales.
         const sales = (await dbOne(`
       SELECT COUNT(*) as cnt, COALESCE(SUM(total_amount),0) as total
       FROM orders WHERE seller_id = ? AND status = 'completed'
     `, [user.id]));
-        const totalIncome = commMap.l1.total + commMap.l2.total + commMap.l3.total +
-            Number(binary.settled_waz) + Number(sales.total);
+        const totalIncome = commMap.l1.total + commMap.l2.total + commMap.l3.total + Number(sales.total);
         res.json({
             commissions: commMap,
-            binary: {
-                settled_count: binary.settled_cnt,
-                settled_waz: Number(Number(binary.settled_waz).toFixed(2)),
-                pending_score: Number(Number(binary.pending_score).toFixed(2)),
-            },
             sales: { count: sales.cnt, total: Number(Number(sales.total).toFixed(2)) },
             total_income: Number(totalIncome.toFixed(2)),
         });