@seasonkoh/webaz 0.1.26 → 0.1.28

package/dist/pwa/server.js

@@ -24,7 +24,10 @@ import { setSeamDb } from '../layer0-foundation/L0-1-database/db.js'; // RFC-016
 import { initSystemUser, transition, getOrderStatus, checkTimeouts, settleFault } from '../layer0-foundation/L0-2-state-machine/engine.js';
 import { endpointToAction, endpointToReadAction } from './endpoint-actions.js';
 import { AGENT_RATE_PER_MIN_DEFAULTS, CROSS_USER_READ_DAILY_CAP, MASS_ACTION_TYPES, MASS_ACTION_DAILY_CAPS } from './limits.js';
+// #420 P1-2/P1-3/P1-4 — 反滥用阈值单一真相源（governance-adjustable protocol_params）+ 纯决策函数
+import { ANTI_ABUSE_PARAMS, readAntiAbuseThresholds, agentTrustLevel, agentSybilPenalty, agentStrikeSeverity, verifierOutlierBand } from './anti-abuse-thresholds.js';
 import { initOrderChainSchema, appendOrderEvent, getOrderChain, verifyOrderChain } from '../layer0-foundation/L0-2-state-machine/order-chain.js';
+import { initVerifierWhitelistSchema, initMcpToolCallsSchema, initNotePhotoIndexSchema, initUserWishlistSchema, initProductQaSchema, initCouponsSchema, initAnnouncementsSchema, initProductWaitlistSchema, initFlashSalesSchema, initPublicIdeasSchema, initAuctionRemindersSchema, initEmailSubscriptionsSchema, initFeedbackTicketsSchema, initFeedbackMessagesSchema, initDisputeCasesSchema, initDisputeCommentsSchema, initDisputeCommentRepliesSchema, initShareableCommentsSchema, initDisputeFairnessVotesSchema, initOrderRatingsSchema, initBuyerRatingsSchema, initUserAddressesSchema, initP2pShopsSchema, initShareableLikesSchema, initShareableBookmarksSchema, initShareableTagsSchema, initManifestRegistrySchema, initPeerDirectorySchema, initSignalingQueueSchema, initConversationsSchema, initMessagesSchema, initChatReportsSchema, initQuotaIncreaseApplicationsSchema, initVerifierApplicationsSchema, initArbitratorReviewSchema, initVerifierAppealsSchema, initUserModerationSchema, initAdminAuditLogSchema, initVerificationCodesSchema, initAgentCallLogSchema, initAgentReputationSchema, initAgentDeclarationsSchema, initAgentAttestationsSchema, initAgentStrikesSchema, initAgentRevocationsSchema, initProductAliasesSchema, initRegionChangeLogSchema, initCartItemsSchema, initFollowsSchema, initPushSubscriptionsSchema, initUserSessionsSchema, initUserBlocklistSchema, initImportLogsSchema, initErrorLogSchema, initSecondhandItemsSchema, initProductTrialCampaignsSchema, initProductTrialClaimsSchema, initReturnRequestsSchema, initReturnMessagesSchema, initProductVariantsSchema, initEditorPicksSchema, initKycRecordsSchema, initWebauthnSchema, initClaimVerificationBaseSchema, initClaimVerifierSuspensionsSchema, initProductClaimSchema, initReviewClaimSchema, initSecondhandClaimSchema, initAuctionClaimSchema, initWishClaimSchema, initShareableClickLogSchema, initCommissionAuditLogSchema, initRegistrationAuditLogSchema, initProductExternalLinksBaseSchema, initLinkChallengesSchema, initVerifyTasksSchema, initVerifySubmissionsSchema, initVerifierStatsSchema, initRegisterListSearchColumns } from './server-schema.js';
 // RFC-014 PR4 — 正常成交结算走整数 base-units + allocate + 绝对值落库。
 import { toUnits, toDecimal, mulRate, allocate } from '../money.js';
 import { applyWalletDelta, creditColumns } from '../ledger.js';
@@ -42,7 +45,6 @@ import { initSkillSchema, shouldAutoAccept, } from '../layer4-economics/L4-4-ski
 import { initReputationSchema, recordOrderReputation, recordViolationReputation, recordDisputeReputation, recordRepEvent, getReputation, getStakeDiscount, applyDecayIfDue, } from '../layer4-economics/L4-3-reputation/reputation-engine.js';
 import { generateManifest } from '../layer0-foundation/L0-5-manifest/manifest.js';
 import Anthropic from '@anthropic-ai/sdk';
-import { privateKeyToAddress, privateKeyToAccount } from 'viem/accounts';
 import { createPublicClient, createWalletClient, http, parseAbiItem, parseAbi, parseEther } from 'viem';
 import { baseSepolia, base } from 'viem/chains';
 import { createHmac, createHash, randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';
@@ -73,9 +75,10 @@ import { registerDisputeCasesRoutes } from './routes/dispute-cases.js';
 // Claim verify (#1013 Phase 9) — 8 endpoints + 三路径结算 cron + 铁律 §4
 // requireHumanPresence 仍在 server.ts（arbitrate / agent_revoke / vote 3 处用），通过 deps 注入
 // settleClaimTask + 多个内部 helper 已 export 供 server.ts 其它路径调用（如 product-claims）
-import { registerClaimVerifyRoutes, processClaimTaskQueue, isEligibleClaimVerifier as isEligibleClaimVerifierRaw, activeClaimTaskCountForVerifier as activeClaimTaskCountForVerifierRaw, settleClaimTask as settleClaimTaskRaw, notifyEligibleVerifiers as notifyEligibleVerifiersRaw, 
-// 跨域共用常量（checkVerifierOutlier 跨多 vote table 聚合用）
-CLAIM_SUSPEND_THRESHOLD, CLAIM_REVOKE_THRESHOLD, CLAIM_SUSPEND_DAYS, CLAIM_OUTLIER_WINDOW_DAYS, } from './routes/claim-verify.js';
+import { registerClaimVerifyRoutes, processClaimTaskQueue, isEligibleClaimVerifier as isEligibleClaimVerifierRaw, activeClaimTaskCountForVerifier as activeClaimTaskCountForVerifierRaw, settleClaimTask as settleClaimTaskRaw, notifyEligibleVerifiers as notifyEligibleVerifiersRaw,
+// #420 P1-3:verifier outlier 阈值改由 protocol_params 驱动(见 anti-abuse-thresholds.ts),
+// checkVerifierOutlier 不再 import claim-verify 的 CLAIM_*_THRESHOLD 常量。
+ } from './routes/claim-verify.js';
 // Follows (#1013 Phase 10) — 4 endpoints (status/post/delete/me)
 // /api/follows/feed 留 server.ts（依赖 products 跨域，待商品域拆分时一并处理）
 import { registerFollowsRoutes } from './routes/follows.js';
@@ -174,7 +177,7 @@ import { registerShareRedirectsRoutes } from './routes/share-redirects.js';
 import { registerShopReferralRoutes } from './routes/shop-referral.js';
 // Profile 凭据 (#1013 Phase 55) — 5 endpoints (密码 + 邮箱绑定)
 import { registerProfileCredentialsRoutes } from './routes/profile-credentials.js';
-// Profile 双轨挂靠 (#1013 Phase 56) — 3 endpoints
+// Profile 放置挂靠 (#1013 Phase 56) — 3 endpoints
 import { registerProfilePlacementRoutes } from './routes/profile-placement.js';
 // Profile 位置 (#1013 Phase 57) — 2 endpoints
 import { registerProfileLocationRoutes } from './routes/profile-location.js';
@@ -314,15 +317,24 @@ import { initBuildTaskAgentMetadataSchema } from '../layer2-business/L2-9-contri
 import { initTaskProposalSchema } from '../layer2-business/L2-9-contribution/task-proposal-store.js';
 import { initTaskProposalAiSchema } from '../layer2-business/L2-9-contribution/task-proposal-ai-store.js';
 import { initTaskProposalDraftLinkSchema } from '../layer2-business/L2-9-contribution/task-proposal-draft.js';
+import { initBuildTaskQuotaSchema } from '../layer2-business/L2-9-contribution/build-task-quota.js';
+import { registerBuildTaskQuotaRoutes } from './routes/build-task-quota.js';
+import { registerAdminOperatorClaimRoutes } from './routes/admin-operator-claims.js';
 import { registerTaskProposalsRoutes } from './routes/task-proposals.js';
+import { participationRecordingActive, matchingRewardsActive } from './pv-kill-switch.js'; // Category C: participation recording (default ON) vs matching-rewards payout (default OFF)
+import { createPvSettlementEngine } from './internal/pv-settlement.js'; // matching-rewards engine EXCISED — no-op stub (see internal/pv-settlement.ts)
+import { createLocalSeedSigner } from './internal/wallet-signer.js'; // Phase 0: hot-wallet custody signer seam (docs/HOT-WALLET-CUSTODY-MIGRATION.md)
+import { createCfOriginGuard } from './cf-origin-guard.js'; // Cloudflare-only origin guard (off by default)
 import { createSlidingWindowLimiter } from './rate-limit.js';
 import { registerBuildReputationRoutes } from './routes/build-reputation.js';
 import { initBuildReputationSchema } from '../layer2-business/L2-9-contribution/build-reputation-engine.js';
 import { initGithubCredentialStoreSchema } from '../layer2-business/L2-9-contribution/github-credential-store.js';
 import { initIdentityBindingSchema } from '../layer2-business/L2-9-contribution/identity-binding-store.js';
 import { initIdentityClaimChallengeSchema } from '../layer2-business/L2-9-contribution/identity-claim-challenge-store.js';
+import { initAdminCoordinationSchema } from '../layer2-business/L2-9-contribution/admin-coordination-store.js';
 import { registerContributionIdentityRoutes } from './routes/contribution-identity.js';
 import { registerContributionScoreRoutes } from './routes/contribution-score.js';
+import { registerContributionFactsRoutes } from './routes/contribution-facts.js';
 const anthropic = new Anthropic({ apiKey: process.env.ANTHROPIC_API_KEY });
 // ─── 链上地址派生 ──────────────────────────────────────────────
 const MASTER_SEED = process.env.WALLET_MASTER_SEED ?? 'webaz-dev-seed-changeme';
@@ -353,11 +365,13 @@ else if (MASTER_SEED.length < 32) {
 function generateSecureKey(prefix) {
     return `${prefix}_${randomBytes(32).toString('hex')}`;
 }
-function derivePrivKey(seed) {
-    return `0x${createHmac('sha256', MASTER_SEED).update(seed).digest('hex')}`;
-}
+// Phase 0 (docs/HOT-WALLET-CUSTODY-MIGRATION.md): all USDC-custody key derivation / signing goes
+// through the WalletSigner seam. LocalSeedSigner reproduces the historical HMAC-SHA256(MASTER_SEED, role)
+// derivation EXACTLY — addresses + signatures unchanged. Phase 1+ swaps in KMS / multisig signers
+// (HOT_WALLET_SIGNER env) behind the same interface, no call-site changes.
+const walletSigner = createLocalSeedSigner(MASTER_SEED);
 function deriveDepositAddress(userId) {
-    return privateKeyToAddress(derivePrivKey(userId));
+    return walletSigner.depositAddress(userId);
 }
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const db = initDatabase();
@@ -381,10 +395,13 @@ initBuildTaskAgentMetadataSchema(db); // PR9B — agent-ready task metadata sate
 initTaskProposalSchema(db); // Task Proposal Inbox v1 — suggestion inbox(maintainer review;never auto build_task)
 initTaskProposalAiSchema(db); // Task Proposal AI-assist — assistant-only recommendation/evidence(human decides)
 initTaskProposalDraftLinkSchema(db); // Task Proposal draft links — source proposal ↔ draft task(converted at publish)
+initBuildTaskQuotaSchema(db); // PR #18 — build_task create quota-increase requests(non-root request → root grant)
 initBuildReputationSchema(db); // RFC-006 build_reputation(独立池 + 贡献者看板)
 initGithubCredentialStoreSchema(db); // PR 3B-3a — GitHub credential store + RFC-017 fact layer (schema only)
 initIdentityBindingSchema(db); // PR 4a — GitHub identity → WebAZ account binding (append-only events + active projection)
 initIdentityClaimChallengeSchema(db); // PR-F1 — identity-claim publication-challenge state (server-side nonce hash; schema only)
+// NB: initAdminCoordinationSchema is intentionally NOT called here — it FKs admin_audit_log, which is
+// created later; it runs right after the admin_audit_log block below (search initAdminCoordinationSchema).
 initSnfSchema(db);
 initExternalAnchorSchema(db);
 // 启动时检查月衰减（last_decay_at ≥25 天才触发，重启幂等）
@@ -401,11 +418,11 @@ ensureEvidenceColumns(db);
 initAnchorRegistrySchema(db);
 // boot-order fix（2026-05-26）：anchor migration 引用 users.handle / search_anchor，
 // 但对应 ALTER TABLE 在 735+/958+ 行才跑。旧 DB（v3 era）触发 prepare 失败 → 此处 catch
-// 后 warn 不阻塞 server，但日志噪音 → 预热那两列让 migration 真正能跑
-try {
-    db.exec("ALTER TABLE users ADD COLUMN handle TEXT");
-}
-catch { }
+// 后 warn 不阻塞 server，但日志噪音 → 预热那两列让 migration 真正能跑。
+// handle 现由 initRegisterListSearchColumns 在此预热(与 MCP runtime schema 同源,见
+// src/runtime/webaz-schema-helpers.ts)；该 helper 同时建 permanent_code/region + 11 个
+// products 结构化字段(纯非钱列,从下方各 inline 块单点收口到此处,CREATE-before-ALTER 不变)。
+initRegisterListSearchColumns(db);
 try {
     db.exec("ALTER TABLE users ADD COLUMN search_anchor TEXT");
 }
@@ -443,27 +460,9 @@ catch (e) {
     console.warn('[anchor-registry] migration:', e.message);
 }
 // ─── 验证员白名单表 ───────────────────────────────────────────────
-db.exec(`
-  CREATE TABLE IF NOT EXISTS verifier_whitelist (
-    user_id   TEXT PRIMARY KEY,
-    added_at  TEXT DEFAULT (datetime('now')),
-    note      TEXT
-  )
-`);
+initVerifierWhitelistSchema(db);
 // ─── MCP 工具调用埋点表（远程上报）─────────────────────────────────
-db.exec(`
-  CREATE TABLE IF NOT EXISTS mcp_tool_calls (
-    id             INTEGER PRIMARY KEY AUTOINCREMENT,
-    tool_name      TEXT NOT NULL,
-    user_id_hash   TEXT,
-    server_version TEXT,
-    outcome        TEXT NOT NULL,
-    latency_ms     INTEGER NOT NULL,
-    ts             TEXT NOT NULL DEFAULT (datetime('now'))
-  )
-`);
-db.exec(`CREATE INDEX IF NOT EXISTS idx_mcp_tc_ts   ON mcp_tool_calls(ts)`);
-db.exec(`CREATE INDEX IF NOT EXISTS idx_mcp_tc_tool ON mcp_tool_calls(tool_name, ts)`);
+initMcpToolCallsSchema(db);
 // ─── 内部审核账号（固定 ID，密钥由 MASTER_SEED 派生，幂等）────────
 const INTERNAL_AUDITOR_ID = 'usr_iaudit_001';
 const INTERNAL_AUDITOR_KEY = 'key_iaudit_' + createHmac('sha256', MASTER_SEED).update('internal_auditor_v1').digest('hex').slice(0, 32);
@@ -521,11 +520,10 @@ try {
 }
 catch { }
 // Tokenomics 推土机轨道 — Phase 1（分享现金分润）
-// 详见 docs/modules/tokenomics-pv-commission.md
 for (const stmt of [
     'ALTER TABLE users ADD COLUMN sponsor_id   TEXT',
     'ALTER TABLE users ADD COLUMN sponsor_path TEXT',
-    "ALTER TABLE users ADD COLUMN region       TEXT DEFAULT 'global'",
+    // users.region moved to initRegisterListSearchColumns (single source, shared w/ MCP) — see ~line 494.
     // Admin 分级：root 全权 / regional 按 admin_scope 区域受限
     "ALTER TABLE users ADD COLUMN admin_type   TEXT", // root | regional
     "ALTER TABLE users ADD COLUMN admin_scope  TEXT", // global | china | us | eu | india | singapore
@@ -583,28 +581,7 @@ for (const stmt of [
 // M8 二手板块：独立表，避免污染 products 商家货架
 // 关键差异：1 件即 1 件（无库存）、个人卖家无需 seller 角色、无质保、协议费 1%（vs 商家 2%）
 try {
-    db.exec(`CREATE TABLE IF NOT EXISTS secondhand_items (
-    id            TEXT PRIMARY KEY,
-    seller_id     TEXT NOT NULL,
-    title         TEXT NOT NULL,
-    description   TEXT,
-    category      TEXT NOT NULL,        -- phone/computer/appliance/furniture/clothing/book/toy/sports/other
-    condition_grade TEXT NOT NULL,      -- brand_new/like_new/lightly_used/well_used/heavily_used
-    price         REAL NOT NULL,
-    negotiable    INTEGER DEFAULT 0,
-    images        TEXT,                 -- JSON 数组：dataURL 字符串 (最多 9 张)
-    region        TEXT,
-    fulfillment   TEXT DEFAULT 'both',  -- shipping / in_person / both
-    status        TEXT DEFAULT 'available',  -- available / reserved / sold / closed
-    view_count    INTEGER DEFAULT 0,
-    created_at    TEXT DEFAULT (datetime('now')),
-    updated_at    TEXT DEFAULT (datetime('now')),
-    sold_at       TEXT,
-    sold_order_id TEXT
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_si_status_created ON secondhand_items(status, created_at DESC)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_si_seller ON secondhand_items(seller_id, status)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_si_cat ON secondhand_items(category, status)`);
+    initSecondhandItemsSchema(db);
 }
 catch (e) {
     console.error('[secondhand schema]', e);
@@ -729,7 +706,7 @@ db.exec(`
     max_levels      INTEGER NOT NULL,   -- 0=完全禁 MLM / 1=仅 L1 / 2=L1+L2 / 3=全三级（仅控佣金层级）
     active          INTEGER DEFAULT 1,
     mlm_ui_visible  INTEGER DEFAULT 1,  -- 0=UI 全面隐藏推土机/分润链/佣金展示
-    pv_enabled      INTEGER DEFAULT 0   -- 2026-06-04 解耦：PV 双轨/对碰系统是否开启（独立于 max_levels）。默认 0=全关
+    pv_enabled      INTEGER DEFAULT 0   -- 区域级 PV 开关（独立于佣金层级 max_levels）。默认 0=关
   )
 `);
 // Phase B 迁移：加 mlm_ui_visible 列
@@ -737,7 +714,7 @@ try {
     db.exec('ALTER TABLE region_config ADD COLUMN mlm_ui_visible INTEGER DEFAULT 1');
 }
 catch { /* 已存在 */ }
-// 2026-06-04 解耦迁移：加 pv_enabled 列（PV 双轨独立开关，与佣金层级 max_levels 分离）
+// 2026-06-04 解耦迁移：加 pv_enabled 列（区域级 PV 开关，与佣金层级 max_levels 分离）
 try {
     db.exec('ALTER TABLE region_config ADD COLUMN pv_enabled INTEGER DEFAULT 0');
 }
@@ -780,29 +757,9 @@ catch { }
     }
     catch { }
 });
-// P13: 购物车
-db.exec(`
-  CREATE TABLE IF NOT EXISTS cart_items (
-    user_id     TEXT NOT NULL,
-    product_id  TEXT NOT NULL,
-    qty         INTEGER NOT NULL DEFAULT 1,
-    added_at    TEXT DEFAULT (datetime('now')),
-    PRIMARY KEY (user_id, product_id)
-  )
-`);
-// P14: 关注关系（社交电商）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS follows (
-    follower_id  TEXT NOT NULL,
-    followee_id  TEXT NOT NULL,
-    created_at   TEXT DEFAULT (datetime('now')),
-    PRIMARY KEY (follower_id, followee_id)
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_follows_followee ON follows(followee_id)');
-}
-catch { }
+// P13: 购物车 / P14: 关注关系（社交电商）→ server-schema.ts
+initCartItemsSchema(db);
+initFollowsSchema(db);
 // P14: 用户 feed 可见性开关（默认公开）
 try {
     db.exec("ALTER TABLE users ADD COLUMN feed_visible INTEGER DEFAULT 1");
@@ -857,6 +814,13 @@ try {
 catch { }
 // 已注册默认参数（首次启动 seed） — P0-2 加 min/max 边界
 const DEFAULT_PARAMS = [
+    // Category C:参与记录 vs 奖励兑付,分开两套开关。
+    //  · 参与记录默认 ON:PV 是参与/贡献记录(非收益/非兑付/非权益),默认允许记录(只在显式 =0 时关)。
+    //  · 匹配奖励引擎已切除(#401):该标志保留但只门控一个 no-op stub,无兑付路径;
+    //    matching_rewards_activation_cleared = 法律/治理放行、matching_rewards_active = 运营开关。pre-launch 均 0。
+    { key: 'participation_recording_active', value: '1', type: 'number', description: '参与记录开关:PV 生成+聚合(参与记录,非收益/非兑付);默认 1=开。置 0 才停止记录。', category: 'system', min: 0, max: 1 },
+    { key: 'matching_rewards_active', value: '0', type: 'number', description: '匹配奖励运营开关(引擎已切除 #401,现仅门控 no-op stub;无兑付);默认 0=关。', category: 'system', min: 0, max: 1 },
+    { key: 'matching_rewards_activation_cleared', value: '0', type: 'number', description: '奖励兑付法律/治理放行标志(开启奖励前必须经合规+治理审批置 1);默认 0。', category: 'system', min: 0, max: 1 },
     // RFC-008:平台费硬帽 2%(=当前稳态 → 治理只能在 0–2% 减免、永不涨)。合计封顶 = 平台费2% + fund_base1% = 3%。宪法级合法性见 CHARTER 修订(单独治理步)。
     { key: 'protocol_fee_rate_shop', value: '0.02', type: 'number', description: '商家订单平台费率(RFC-008 硬帽 2%,只减不涨;前期可减免)', category: 'fee', min: 0, max: 0.02 },
     { key: 'protocol_fee_rate_secondhand', value: '0.01', type: 'number', description: '二手订单平台费率(RFC-008 硬帽 2%,只减不涨)', category: 'fee', min: 0, max: 0.02 },
@@ -881,6 +845,8 @@ const DEFAULT_PARAMS = [
     { key: 'max_addresses_per_user', value: '20', type: 'number', description: '单用户最多收货地址数', category: 'limit', min: 1, max: 100 },
     { key: 'max_compare_items', value: '4', type: 'number', description: '商品对比最多件数', category: 'limit', min: 2, max: 10 },
     { key: 'feedback_rate_per_hour', value: '5', type: 'number', description: '反馈工单每小时上限', category: 'limit', min: 1, max: 100 },
+    { key: 'max_quota_extra_count', value: '50', type: 'number', description: 'PR#18 build_task 扩容申请:单次最多额外任务数', category: 'limit', min: 1, max: 500 },
+    { key: 'max_quota_duration_hours', value: '72', type: 'number', description: 'PR#18 build_task 扩容授权:最长有效期(小时)', category: 'limit', min: 1, max: 2160 },
     { key: 'export_csv_limit', value: '5000', type: 'number', description: '订单导出 CSV 行数上限', category: 'limit', min: 100, max: 50000 },
     { key: 'return_window_extension_days', value: '0', type: 'number', description: '退货窗口全局延长天数', category: 'general', min: 0, max: 90 },
     // Wave G-2: USDC / 链上配置
@@ -948,6 +914,9 @@ const DEFAULT_PARAMS = [
     // 假设:这两个 param 都满足"increase = more protection"语义(见 admin-protocol-params.ts 头部注释)
     { key: 'constitutional_supermajority_ratio', value: '0.667', type: 'number', description: 'CHARTER §4 I-4:宪法级修改超级多数比例(phase A: user solo 1-of-1;phase B+: maintainer 多签 ratio)— only-increase 防绕过', category: 'constitutional', min: 0.5, max: 1.0 },
     { key: 'constitutional_notice_days', value: '60', type: 'number', description: 'CHARTER §4 I-4:宪法级修改 RFC 公示期(天)— only-increase 防绕过', category: 'constitutional', min: 30, max: 365 },
+    // #420 P1-2/P1-3/P1-4:反滥用阈值(agent 信任公式 / strike 阶梯 / verifier outlier)→ 治理可调。
+    // 默认值 === 抽取前硬编码字面量(单一真相源在 anti-abuse-thresholds.ts;测试强制校验一致)。
+    ...ANTI_ABUSE_PARAMS,
 ];
 for (const p of DEFAULT_PARAMS) {
     try {
@@ -1161,23 +1130,7 @@ function disbursePlatformReward(userId, amount, source, ref) {
 // Wave E-5: PWA Push 订阅
 // 注：实际 push 投递需要 web-push 库（npm i web-push）+ VAPID 私钥签名；
 // 当前实现只做订阅层 + SW push 事件处理，留待 web-push 接入后即可发送
-db.exec(`
-  CREATE TABLE IF NOT EXISTS push_subscriptions (
-    id            TEXT PRIMARY KEY,
-    user_id       TEXT NOT NULL,
-    endpoint      TEXT NOT NULL,
-    p256dh        TEXT NOT NULL,
-    auth          TEXT NOT NULL,
-    user_agent    TEXT,
-    enabled       INTEGER DEFAULT 1,
-    created_at    TEXT DEFAULT (datetime('now')),
-    UNIQUE(user_id, endpoint)
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_push_user ON push_subscriptions(user_id, enabled)');
-}
-catch { }
+initPushSubscriptionsSchema(db);
 // 2026-05-22 V2：verifier 新任务通知偏好（默认开，可关）
 try {
     db.exec('ALTER TABLE users ADD COLUMN notify_claim_tasks INTEGER DEFAULT 1');
@@ -1250,14 +1203,8 @@ catch { } // 完整店铺介绍（多段）
 // ─── 4 层身份模型 ─────────────────────────────────────────
 // id (内部 usr_xxx, 永不可改) + permanent_code (6 位 Crockford base32, 永不可改, 对外短码)
 // + handle (@username, 可改 7天1次/年3次) + name (昵称, 可重复可改)
-try {
-    db.exec("ALTER TABLE users ADD COLUMN permanent_code TEXT");
-}
-catch { }
-try {
-    db.exec("ALTER TABLE users ADD COLUMN handle TEXT");
-}
-catch { }
+// permanent_code / handle + 其唯一索引已上移到 initRegisterListSearchColumns(~line 494,
+// 与 MCP runtime schema 同源);此处仅保留 handle 的附属列(不在 register/list/search 路径上)。
 try {
     db.exec("ALTER TABLE users ADD COLUMN handle_last_created_at TEXT");
 }
@@ -1266,14 +1213,6 @@ try {
     db.exec("ALTER TABLE users ADD COLUMN handle_change_log TEXT");
 }
 catch { } // JSON: [{at, from}], 保留近 365 天
-try {
-    db.exec("CREATE UNIQUE INDEX IF NOT EXISTS idx_users_permanent_code ON users(permanent_code) WHERE permanent_code IS NOT NULL");
-}
-catch { }
-try {
-    db.exec("CREATE UNIQUE INDEX IF NOT EXISTS idx_users_handle ON users(handle) WHERE handle IS NOT NULL");
-}
-catch { }
 // P15 雷达扫描：粗粒度地理位置（0.1° ≈ 11km × 11km，QVOD 风格匿名聚合）
 try {
     db.exec("ALTER TABLE users ADD COLUMN geo_lat REAL");
@@ -1369,27 +1308,7 @@ const LARGE_WITHDRAW_THRESHOLD = 100;
 // 用途：防 api_key 泄露后无法吊销的根本问题。每个 api_key 关联一个 session 行；
 // 用户可在 "活跃会话" 页查看 IP/UA/最后活跃，单点吊销或一键全登出。
 // "一键全登出" = rotate users.api_key（所有旧 key 即刻 401，新 key 在 session 表里）。
-db.exec(`
-  CREATE TABLE IF NOT EXISTS user_sessions (
-    id              TEXT PRIMARY KEY,
-    user_id         TEXT NOT NULL,
-    api_key         TEXT NOT NULL,
-    ip              TEXT,
-    user_agent      TEXT,
-    fingerprint_hash TEXT,
-    created_at      TEXT DEFAULT (datetime('now')),
-    last_seen_at    TEXT DEFAULT (datetime('now')),
-    revoked_at      TEXT
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_sessions_user ON user_sessions(user_id, revoked_at)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_sessions_key ON user_sessions(api_key)');
-}
-catch { }
+initUserSessionsSchema(db);
 // A4 智能下单：用户默认地址（搜索时自动过滤不可达商品 + 下单时预填）
 try {
     db.exec("ALTER TABLE users ADD COLUMN default_address_text TEXT");
@@ -1405,19 +1324,7 @@ try {
 }
 catch { }
 // A2 黑名单（精准匹配护栏）：买家可拉黑卖家，搜索时自动过滤
-db.exec(`
-  CREATE TABLE IF NOT EXISTS user_blocklist (
-    blocker_id  TEXT NOT NULL,
-    blocked_id  TEXT NOT NULL,
-    reason      TEXT,
-    created_at  TEXT DEFAULT (datetime('now')),
-    PRIMARY KEY (blocker_id, blocked_id)
-  )
-`);
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_blocklist_blocker ON user_blocklist(blocker_id)");
-}
-catch { }
+initUserBlocklistSchema(db);
 // P-Distrib β：分布式内容层（外链 shareables + P2P 原生 manifests + pin 经济）
 // shareables = 外链分享（YouTube/TikTok/小红书 等外部内容）— 仅索引 URL，零内容存储
 db.exec(`
@@ -1503,99 +1410,12 @@ try {
     db.exec("CREATE INDEX IF NOT EXISTS idx_share_order ON shareables(related_order_id) WHERE related_order_id IS NOT NULL");
 }
 catch { }
-// 审计修 C-1：笔记图片 hash 索引表 — O(1) 剽窃检测，替代全表扫描
-// hash PRIMARY KEY 天然唯一约束；删笔记时同步删对应行
-db.exec(`
-  CREATE TABLE IF NOT EXISTS note_photo_index (
-    hash         TEXT PRIMARY KEY,
-    shareable_id TEXT NOT NULL
-  )
-`);
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_npi_shareable ON note_photo_index(shareable_id)");
-}
-catch { }
-// Wave A-1: 个人心愿单（独立于慈善 wishes）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS user_wishlist (
-    user_id      TEXT NOT NULL,
-    product_id   TEXT NOT NULL,
-    note         TEXT,
-    notify_price_drop    INTEGER DEFAULT 1,
-    notify_back_in_stock INTEGER DEFAULT 1,
-    price_at_add REAL,
-    created_at   TEXT DEFAULT (datetime('now')),
-    PRIMARY KEY(user_id, product_id)
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_wl_product ON user_wishlist(product_id)');
-}
-catch { }
-// Wave A-2: 商品 Q&A（公开问答 — 自动 FAQ + 防虚假承诺）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS product_qa (
-    id           TEXT PRIMARY KEY,
-    product_id   TEXT NOT NULL,
-    asker_id     TEXT NOT NULL,
-    seller_id    TEXT NOT NULL,
-    question     TEXT NOT NULL,
-    answer       TEXT,
-    answered_at  TEXT,
-    is_public    INTEGER DEFAULT 1,
-    helpful_count INTEGER DEFAULT 0,
-    created_at   TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_qa_product ON product_qa(product_id, created_at DESC)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_qa_seller ON product_qa(seller_id, answered_at)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_qa_asker ON product_qa(asker_id)');
-}
-catch { }
-// 防重复 +1 的 votes 表
-db.exec(`
-  CREATE TABLE IF NOT EXISTS product_qa_helpful_voters (
-    qa_id TEXT NOT NULL,
-    user_id TEXT NOT NULL,
-    voted_at TEXT DEFAULT (datetime('now')),
-    PRIMARY KEY (qa_id, user_id)
-  )
-`);
-// Wave A-3: 优惠券 / 限时折扣（卖家发券 · 全店满减 · 单品限时）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS coupons (
-    id               TEXT PRIMARY KEY,
-    seller_id        TEXT NOT NULL,
-    code             TEXT NOT NULL,
-    scope            TEXT NOT NULL,           -- 'product' | 'shop' | 'all'
-    scope_id         TEXT,                    -- product_id when scope='product'
-    discount_type    TEXT NOT NULL,           -- 'percentage' | 'fixed'
-    discount_value   REAL NOT NULL,
-    min_order_amount REAL DEFAULT 0,
-    max_uses         INTEGER DEFAULT 0,       -- 0 = unlimited
-    uses_count       INTEGER DEFAULT 0,
-    starts_at        TEXT,
-    expires_at       TEXT,
-    is_active        INTEGER DEFAULT 1,
-    created_at       TEXT DEFAULT (datetime('now')),
-    UNIQUE(seller_id, code)
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_coupons_seller ON coupons(seller_id, is_active)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_coupons_scope ON coupons(scope, scope_id) WHERE is_active = 1');
-}
-catch { }
+// 笔记图片 hash 索引 / Wave A 购物表（心愿单 · 商品Q&A · 优惠券）→ server-schema.ts
+// 纯幂等建表/建索引 DDL，原位调用保持 boot 顺序不变
+initNotePhotoIndexSchema(db);
+initUserWishlistSchema(db);
+initProductQaSchema(db);
+initCouponsSchema(db);
 // Orders 表加 coupon 字段（记录使用了哪张券、折扣多少）
 for (const stmt of [
     'ALTER TABLE orders ADD COLUMN coupon_id TEXT',
@@ -1606,147 +1426,20 @@ for (const stmt of [
     }
     catch { }
 }
-// Wave A-4: 平台公告（admin 发布 → 角色 / 区域定向）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS announcements (
-    id              TEXT PRIMARY KEY,
-    author_id       TEXT NOT NULL,
-    title           TEXT NOT NULL,
-    body            TEXT NOT NULL,
-    target_roles    TEXT,                    -- JSON array: ['buyer','seller'] or null=all
-    target_regions  TEXT,                    -- JSON array: ['china','us'] or null=all
-    severity        TEXT DEFAULT 'info',     -- 'info' | 'warning' | 'critical'
-    is_active       INTEGER DEFAULT 1,
-    starts_at       TEXT,
-    expires_at      TEXT,
-    created_at      TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_ann_active ON announcements(is_active, created_at DESC)');
-}
-catch { }
-// 用户阅读记录（PK 防重复 dismiss）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS announcement_reads (
-    user_id      TEXT NOT NULL,
-    announcement_id TEXT NOT NULL,
-    read_at      TEXT DEFAULT (datetime('now')),
-    PRIMARY KEY (user_id, announcement_id)
-  )
-`);
-// Wave B-2: 预售 / waitlist（缺货商品允许买家排队 → 回货时通知）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS product_waitlist (
-    user_id      TEXT NOT NULL,
-    product_id   TEXT NOT NULL,
-    desired_qty  INTEGER DEFAULT 1,
-    note         TEXT,
-    notified_at  TEXT,                    -- 回货时填，表示已发通知
-    created_at   TEXT DEFAULT (datetime('now')),
-    PRIMARY KEY (user_id, product_id)
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_waitlist_product ON product_waitlist(product_id) WHERE notified_at IS NULL');
-}
-catch { }
-// Wave D-4: 限时促销 / Flash Sale
-db.exec(`
-  CREATE TABLE IF NOT EXISTS flash_sales (
-    id              TEXT PRIMARY KEY,
-    seller_id       TEXT NOT NULL,
-    product_id      TEXT NOT NULL,
-    variant_id      TEXT,                 -- 可选，绑定具体规格
-    sale_price      REAL NOT NULL,
-    original_price  REAL NOT NULL,        -- 创建时快照，用于显示「省 X」
-    max_qty         INTEGER DEFAULT 0,    -- 0 = 不限
-    sold_count      INTEGER DEFAULT 0,
-    starts_at       TEXT NOT NULL,
-    ends_at         TEXT NOT NULL,
-    is_active       INTEGER DEFAULT 1,
-    created_at      TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_flash_product ON flash_sales(product_id, is_active)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_flash_seller ON flash_sales(seller_id, ends_at DESC)');
-}
-catch { }
+// Wave A-4 公告+阅读 / Wave B-2 预售waitlist / Wave D-4 限时促销 → server-schema.ts
+// 纯幂等建表/建索引 DDL，原位调用保持 boot 顺序不变
+initAnnouncementsSchema(db);
+initProductWaitlistSchema(db);
+initFlashSalesSchema(db);
 // 公共助手：拿商品（含 variant 选项）当前生效的 flash sale
 // #1013 Phase 23: 已迁出到 routes/flash-sales.ts，本地 wrapper 让 orders 流程签名不变
 const getActiveFlashSale = (productId, variantId) => getActiveFlashSaleRaw(db, productId, variantId);
 // 2026-05-24 #978: 测评免单 (Trial Review Refund)
 // 卖家发新品时可开启「测评免单」计划：买家以原价正常下单，发笔记达 reach 阈值后系统自动退款
 // reach_score = views * 0.1 + shares * 1 + conversions * 10
-db.exec(`
-  CREATE TABLE IF NOT EXISTS product_trial_campaigns (
-    id                TEXT PRIMARY KEY,                   -- ptc_xxxx
-    -- 1 product 1 row (复用同一行：关闭后再开 = UPDATE status='active'，避免 UNIQUE 阻断 reopen)
-    product_id        TEXT NOT NULL UNIQUE REFERENCES products(id),
-    seller_id         TEXT NOT NULL REFERENCES users(id),
-    quota_total       INTEGER NOT NULL,                   -- 总名额 1-200
-    quota_claimed     INTEGER NOT NULL DEFAULT 0,
-    reach_threshold   INTEGER NOT NULL,                   -- 综合 reach 阈值 (默认 50)
-    min_chars         INTEGER NOT NULL DEFAULT 50,        -- 笔记最少字数
-    min_days_live     INTEGER NOT NULL DEFAULT 7,         -- 笔记需 live 至少 N 天才评估
-    status            TEXT NOT NULL DEFAULT 'active',     -- active / paused / closed
-    created_at        TEXT DEFAULT (datetime('now')),
-    closed_at         TEXT
-  )
-`);
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_ptc_seller ON product_trial_campaigns(seller_id, status)");
-}
-catch { }
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_ptc_product ON product_trial_campaigns(product_id, status)");
-}
-catch { }
-db.exec(`
-  CREATE TABLE IF NOT EXISTS product_trial_claims (
-    id                TEXT PRIMARY KEY,                   -- pcl_xxxx
-    campaign_id       TEXT NOT NULL REFERENCES product_trial_campaigns(id),
-    product_id        TEXT NOT NULL REFERENCES products(id),
-    seller_id         TEXT NOT NULL REFERENCES users(id),
-    buyer_id          TEXT NOT NULL REFERENCES users(id),
-    order_id          TEXT NOT NULL REFERENCES orders(id),
-    note_id           TEXT,                               -- shareables.id with type='note'
-    status            TEXT NOT NULL DEFAULT 'pending_note', -- pending_note / pending_threshold / refunded / expired / cancelled
-    reach_score       REAL DEFAULT 0,
-    metrics_json      TEXT,                               -- 最新评估的 {views, shares, conversions} 快照
-    refund_amount     REAL,
-    refunded_at       TEXT,
-    expired_at        TEXT,
-    last_eval_at      TEXT,
-    claimed_at        TEXT DEFAULT (datetime('now')),
-    note_linked_at    TEXT,
-    UNIQUE(buyer_id, product_id)                          -- 一买家一商品仅 1 个名额
-  )
-`);
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_pcl_campaign ON product_trial_claims(campaign_id, status)");
-}
-catch { }
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_pcl_buyer ON product_trial_claims(buyer_id, status)");
-}
-catch { }
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_pcl_seller ON product_trial_claims(seller_id, status)");
-}
-catch { }
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_pcl_eval ON product_trial_claims(status, last_eval_at)");
-}
-catch { }
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_pcl_note ON product_trial_claims(note_id) WHERE note_id IS NOT NULL");
-}
-catch { }
+// 测评免单计划 + 认领 → server-schema.ts；claims 的 snap/audit ALTER 刻意留原位（紧跟下方）
+initProductTrialCampaignsSchema(db);
+initProductTrialClaimsSchema(db);
 // 审计 P0-1：claim 时快照 campaign 配置，cron 评估按快照而非当前活动（防卖家中途上调阈值白嫖）
 for (const col of [
     'ALTER TABLE product_trial_claims ADD COLUMN snap_reach_threshold INTEGER',
@@ -1763,29 +1456,8 @@ for (const col of [
     }
     catch { /* 已存在 */ }
 }
-// 2026-05-25 邮箱订阅独立表（GDPR-ready）— 与 ideas 解耦
-// consent 显式存；unsubscribe_token 让用户主动退订；source 区分来源
-db.exec(`
-  CREATE TABLE IF NOT EXISTS email_subscriptions (
-    id                   TEXT PRIMARY KEY,
-    email                TEXT NOT NULL UNIQUE,
-    source               TEXT NOT NULL DEFAULT 'welcome',
-    consent_at           TEXT NOT NULL DEFAULT (datetime('now')),
-    unsubscribe_token    TEXT NOT NULL UNIQUE,
-    unsubscribed_at      TEXT,
-    ip_hash              TEXT,
-    user_id              TEXT,
-    created_at           TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_es_status ON email_subscriptions(unsubscribed_at, created_at DESC)");
-}
-catch { }
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_es_source ON email_subscriptions(source, created_at DESC)");
-}
-catch { }
+// 邮箱订阅独立表（GDPR-ready）→ server-schema.ts；后续 ALTER 列扩展刻意留原位（紧跟下方）
+initEmailSubscriptionsSchema(db);
 // 2026-05-26: 用户期望身份 + 备注（welcome 表单丰富化）
 try {
     db.exec("ALTER TABLE email_subscriptions ADD COLUMN role_preference TEXT");
@@ -1808,71 +1480,13 @@ try {
     db.exec("ALTER TABLE email_subscriptions ADD COLUMN handled_by    TEXT");
 }
 catch { }
-// 2026-05-24 首屏「我有建议」公开收集（匿名可投，登录态自动绑 user_id）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS public_ideas (
-    id            TEXT PRIMARY KEY,
-    user_id       TEXT,                                  -- 可空（匿名提交）
-    contact       TEXT,                                  -- 可选 email / handle / 任何联系方式
-    content       TEXT NOT NULL,
-    ip_hash       TEXT,
-    ua_hash       TEXT,
-    status        TEXT NOT NULL DEFAULT 'new',          -- new / triaged / resolved / spam
-    created_at    TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_pi_status ON public_ideas(status, created_at DESC)");
-}
-catch { }
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_pi_rate ON public_ideas(ip_hash, created_at)");
-}
-catch { }
-// 2026-05-24 #959: 拍卖「⏰ 提醒我」
-// 买家订阅拍卖，cron 在 deadline - lead_minutes 时发通知；1 个订阅 = 多行（每个 lead 时间一行）
-// 默认订阅 = [60, 10]（结束前 1h + 10min 各提醒一次）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS auction_reminders (
-    id            TEXT PRIMARY KEY,                   -- arm_xxxx
-    auction_id    TEXT NOT NULL REFERENCES auctions(id),
-    user_id       TEXT NOT NULL REFERENCES users(id),
-    lead_minutes  INTEGER NOT NULL,                   -- 提前多少分钟提醒
-    fire_at       TEXT NOT NULL,                      -- deadline - lead_minutes（创建时算好）
-    sent_at       TEXT,
-    created_at    TEXT DEFAULT (datetime('now')),
-    UNIQUE(auction_id, user_id, lead_minutes)
-  )
-`);
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_arm_due ON auction_reminders(sent_at, fire_at) WHERE sent_at IS NULL");
-}
-catch { }
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_arm_user ON auction_reminders(user_id, auction_id)");
-}
-catch { }
-// Wave D-3: 用户反馈 / 客服工单（buyer-to-platform，独立于 disputes）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS feedback_tickets (
-    id            TEXT PRIMARY KEY,
-    user_id       TEXT NOT NULL,
-    category      TEXT NOT NULL,         -- 'bug' | 'abuse' | 'feature' | 'account' | 'other'
-    severity      TEXT DEFAULT 'medium', -- 'low' | 'medium' | 'high'
-    subject       TEXT NOT NULL,
-    body          TEXT NOT NULL,
-    status        TEXT NOT NULL DEFAULT 'open',  -- open | in_progress | resolved | closed
-    admin_reply   TEXT,
-    replied_by    TEXT,
-    replied_at    TEXT,
-    created_at    TEXT DEFAULT (datetime('now')),
-    updated_at    TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_feedback_user ON feedback_tickets(user_id, created_at DESC)');
-}
-catch { }
+// 首屏「我有建议」公开收集 / #959 拍卖「⏰ 提醒我」 → server-schema.ts
+// 纯幂等建表/建索引 DDL，原位调用保持 boot 顺序不变（email_subscriptions 仍留原位）
+initPublicIdeasSchema(db);
+initAuctionRemindersSchema(db);
+// Wave D-3: 用户反馈 / 客服工单（buyer-to-platform，独立于 disputes）→ server-schema.ts
+// 后续 ALTER 列扩展刻意留原位（紧跟下方）
+initFeedbackTicketsSchema(db);
 // G-4: AI 建议回复
 try {
     db.exec('ALTER TABLE feedback_tickets ADD COLUMN ai_suggested_reply TEXT');
@@ -1891,21 +1505,9 @@ try {
     db.exec('ALTER TABLE feedback_tickets ADD COLUMN admin_seen_at TEXT');
 }
 catch { }
-// W7 客服 ticket-thread — 多轮消息（user ↔ admin）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS feedback_messages (
-    id          TEXT PRIMARY KEY,            -- fmsg_xxx
-    ticket_id   TEXT NOT NULL,
-    sender_id   TEXT NOT NULL,
-    sender_role TEXT NOT NULL,               -- 'user' | 'admin'
-    body        TEXT NOT NULL,
-    created_at  TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_fmsg_ticket ON feedback_messages(ticket_id, created_at)');
-}
-catch { }
+// W7 客服 ticket-thread — 多轮消息（user ↔ admin）→ server-schema.ts
+// 后续 ALTER 列扩展刻意留原位（紧跟下方）
+initFeedbackMessagesSchema(db);
 // 跨窗反诈一致性：所有 thread 消息表加 flagged + flag_reasons
 try {
     db.exec('ALTER TABLE feedback_messages ADD COLUMN flagged INTEGER DEFAULT 0');
@@ -1916,50 +1518,10 @@ try {
 }
 catch { }
 // ─── 公开仲裁判例 (P1) ─────────────────────────────────────
-// disputes 是当事人/仲裁员私域；dispute_cases 是裁决后的公开脱敏版本
-db.exec(`
-  CREATE TABLE IF NOT EXISTS dispute_cases (
-    id              TEXT PRIMARY KEY,            -- dcase_xxx
-    dispute_id      TEXT,                         -- 原始 disputes.id (内部追溯)
-    order_id        TEXT,
-    product_id      TEXT,                         -- 关键索引：按商品查公开判例
-    seller_id       TEXT,
-    buyer_id        TEXT,                         -- 仅内部使用，不外露
-    category_tag    TEXT,                         -- 物流 / 质量 / 描述不符 / 售后 / 拒收 / 其他
-    winner          TEXT,                         -- buyer / seller / split / dismissed
-    resolution      TEXT,                         -- 简短人读判决 (如 '全额退款')
-    amount_bucket   TEXT,                         -- '0-100' / '100-500' / '500-2000' / '2000+' WAZ
-    buyer_argument  TEXT,                         -- 脱敏后买家陈述
-    seller_argument TEXT,                         -- 脱敏后卖家陈述
-    ruling_text     TEXT,                         -- 仲裁员判决书
-    arbitrator_id   TEXT,
-    fairness_yes    INTEGER DEFAULT 0,
-    fairness_no     INTEGER DEFAULT 0,
-    comment_count   INTEGER DEFAULT 0,
-    published_at    TEXT DEFAULT (datetime('now')),
-    created_at      TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_dcase_product ON dispute_cases(product_id, published_at DESC)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_dcase_seller ON dispute_cases(seller_id, published_at DESC)');
-}
-catch { }
-db.exec(`
-  CREATE TABLE IF NOT EXISTS dispute_comments (
-    id              TEXT PRIMARY KEY,            -- dcom_xxx
-    case_id         TEXT NOT NULL,
-    commenter_id    TEXT NOT NULL,
-    body            TEXT NOT NULL,
-    flagged         INTEGER DEFAULT 0,
-    likes           INTEGER DEFAULT 0,
-    created_at      TEXT DEFAULT (datetime('now')),
-    UNIQUE(case_id, commenter_id)                -- 一案一人一次（防刷）
-  )
-`);
+// 公开判例（裁决后脱敏版本，disputes 是当事人/仲裁员私域）→ server-schema.ts
+initDisputeCasesSchema(db);
+// 公开判例评论 → server-schema.ts；anonymous ALTER + idx_dcom_case 刻意留原位
+initDisputeCommentsSchema(db);
 try {
     db.exec('ALTER TABLE dispute_comments ADD COLUMN anonymous INTEGER DEFAULT 0');
 }
@@ -1968,27 +1530,8 @@ try {
     db.exec('CREATE INDEX IF NOT EXISTS idx_dcom_case ON dispute_comments(case_id, created_at DESC)');
 }
 catch { }
-// W5 仲裁公开评论楼中楼 — 单层子回复；保留原 dispute_comments UNIQUE
-db.exec(`
-  CREATE TABLE IF NOT EXISTS dispute_comment_replies (
-    id                TEXT PRIMARY KEY,           -- drep_xxx
-    parent_comment_id TEXT NOT NULL,              -- 指向 dispute_comments.id
-    case_id           TEXT NOT NULL,
-    replier_id        TEXT NOT NULL,
-    body              TEXT NOT NULL,
-    anonymous         INTEGER DEFAULT 0,
-    likes             INTEGER DEFAULT 0,
-    created_at        TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_drep_parent ON dispute_comment_replies(parent_comment_id, created_at)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_drep_case ON dispute_comment_replies(case_id, created_at DESC)');
-}
-catch { }
+// W5 仲裁公开评论楼中楼 — 单层子回复 → server-schema.ts；后续 ALTER 刻意留原位
+initDisputeCommentRepliesSchema(db);
 // 跨窗反诈一致性
 try {
     db.exec('ALTER TABLE dispute_comment_replies ADD COLUMN flagged INTEGER DEFAULT 0');
@@ -2003,68 +1546,21 @@ try {
     db.exec('ALTER TABLE dispute_comments ADD COLUMN flag_reasons TEXT');
 }
 catch { }
-// W6 笔记评论 — 原生 parent_id 楼中楼（仅 1 层；非 root 不可再 reply）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS shareable_comments (
-    id           TEXT PRIMARY KEY,                -- scom_xxx
-    shareable_id TEXT NOT NULL,                    -- shareables.id
-    commenter_id TEXT NOT NULL,
-    parent_id    TEXT,                             -- 子评论指向父评论；root = NULL
-    body         TEXT NOT NULL,
-    flagged      INTEGER DEFAULT 0,
-    likes        INTEGER DEFAULT 0,
-    created_at   TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_scom_shareable ON shareable_comments(shareable_id, parent_id, created_at DESC)');
-}
-catch { }
+// W6 笔记评论 — 原生 parent_id 楼中楼（仅 1 层）→ server-schema.ts；flag_reasons ALTER 刻意留原位
+initShareableCommentsSchema(db);
 try {
     db.exec('ALTER TABLE shareable_comments ADD COLUMN flag_reasons TEXT');
 }
 catch { }
-db.exec(`
-  CREATE TABLE IF NOT EXISTS dispute_fairness_votes (
-    case_id     TEXT NOT NULL,
-    voter_id    TEXT NOT NULL,
-    vote        TEXT NOT NULL,                   -- 'yes' / 'no'
-    created_at  TEXT DEFAULT (datetime('now')),
-    PRIMARY KEY (case_id, voter_id)
-  )
-`);
+// 公开判例公平性投票 → server-schema.ts；idx_feedback_open 刻意留原位（非本表索引，不相邻）
+initDisputeFairnessVotesSchema(db);
 try {
     db.exec('CREATE INDEX IF NOT EXISTS idx_feedback_open ON feedback_tickets(status, created_at DESC) WHERE status IN (\'open\', \'in_progress\')');
 }
 catch { }
-// Wave C-3: 买家评价 / 评分 — 完成订单后给卖家 1-5 星 + 文字
-db.exec(`
-  CREATE TABLE IF NOT EXISTS order_ratings (
-    order_id     TEXT PRIMARY KEY,
-    buyer_id     TEXT NOT NULL,
-    seller_id    TEXT NOT NULL,
-    product_id   TEXT NOT NULL,
-    stars        INTEGER NOT NULL,            -- 1-5
-    comment      TEXT,
-    reply        TEXT,                        -- seller 可回复
-    replied_at   TEXT,
-    created_at   TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_rating_seller ON order_ratings(seller_id, created_at DESC)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_rating_product ON order_ratings(product_id, created_at DESC)');
-}
-catch { }
-// P2 hot-path：覆盖 recommend_count 子查询（COUNT DISTINCT buyer_id WHERE product_id=? AND stars>=4）
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_rating_recommend ON order_ratings(product_id, stars, buyer_id)');
-}
-catch { }
-// P2 hot-path：覆盖 sales_count 子查询（COUNT WHERE product_id=? AND status=completed）
+// Wave C-3: 买家评价 / 评分 → server-schema.ts；后续结构化维度 ALTER + 跨表 orders 索引刻意留原位
+initOrderRatingsSchema(db);
+// P2 hot-path：覆盖 sales_count 子查询（COUNT WHERE product_id=? AND status=completed）—— orders 表索引，留原位
 try {
     db.exec('CREATE INDEX IF NOT EXISTS idx_orders_product_status ON orders(product_id, status)');
 }
@@ -2095,73 +1591,12 @@ try {
     db.exec('ALTER TABLE order_ratings ADD COLUMN buyer_followup_at TEXT');
 }
 catch { }
-db.exec(`
-  CREATE TABLE IF NOT EXISTS buyer_ratings (
-    order_id              TEXT PRIMARY KEY,
-    seller_id             TEXT NOT NULL,
-    buyer_id              TEXT NOT NULL,
-    stars                 INTEGER NOT NULL,
-    comment               TEXT,
-    dim_payment_speed     INTEGER,
-    dim_communication     INTEGER,
-    dim_responsiveness    INTEGER,
-    hidden_until          TEXT,
-    created_at            TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_buyer_ratings_buyer ON buyer_ratings(buyer_id, created_at DESC)');
-}
-catch { }
-// Wave C-2: 多收货地址簿 — buyer 保存常用地址，下单时选择默认地址
-db.exec(`
-  CREATE TABLE IF NOT EXISTS user_addresses (
-    id           TEXT PRIMARY KEY,
-    user_id      TEXT NOT NULL,
-    label        TEXT NOT NULL,           -- 标签（家 / 公司 / 父母家）
-    recipient    TEXT NOT NULL,
-    phone        TEXT,
-    region       TEXT,                    -- 省/市/区
-    detail       TEXT NOT NULL,           -- 详细地址
-    is_default   INTEGER DEFAULT 0,
-    created_at   TEXT DEFAULT (datetime('now')),
-    updated_at   TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_addr_user ON user_addresses(user_id, is_default DESC)');
-}
-catch { }
-// Wave B-3: 退货请求 — 买家在 return_days 窗口内可发起，卖家可接受/拒绝；拒绝后可走 dispute
-db.exec(`
-  CREATE TABLE IF NOT EXISTS return_requests (
-    id                   TEXT PRIMARY KEY,
-    order_id             TEXT NOT NULL,
-    buyer_id             TEXT NOT NULL,
-    seller_id            TEXT NOT NULL,
-    product_id           TEXT NOT NULL,
-    reason               TEXT NOT NULL,          -- 'quality' | 'wrong_item' | 'damaged' | 'no_longer_needed' | 'other'
-    reason_text          TEXT,
-    refund_amount        DECIMAL(18,2),          -- 默认 = order.total_amount
-    status               TEXT NOT NULL DEFAULT 'pending', -- pending | accepted | rejected | refunded | escalated | cancelled
-    seller_response      TEXT,
-    escalated_dispute_id TEXT,
-    created_at           TEXT DEFAULT (datetime('now')),
-    resolved_at          TEXT
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_returns_seller_pending ON return_requests(seller_id, status) WHERE status = \'pending\'');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_returns_buyer ON return_requests(buyer_id, created_at)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_returns_order ON return_requests(order_id)');
-}
-catch { }
+// 反向评价：卖家给买家评分（双盲）→ server-schema.ts
+initBuyerRatingsSchema(db);
+// Wave C-2: 多收货地址簿 → server-schema.ts
+initUserAddressesSchema(db);
+// Wave B-3: 退货请求 → server-schema.ts；pickup ALTER 刻意留原位（紧跟下方）
+initReturnRequestsSchema(db);
 // 2026-05-22 L3+B3：退货上门取件（MVP — 仅声明阶段）
 // 完整状态机（accepted_pickup_pending → picked_up → refunded）留 Phase 2
 try {
@@ -2172,21 +1607,8 @@ try {
     db.exec('ALTER TABLE return_requests ADD COLUMN pickup_address TEXT');
 }
 catch { }
-// W2 售后协商时间线 — 多轮消息（buyer ↔ seller）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS return_messages (
-    id          TEXT PRIMARY KEY,            -- rmsg_xxx
-    return_id   TEXT NOT NULL,
-    sender_id   TEXT NOT NULL,
-    sender_role TEXT NOT NULL,               -- 'buyer' | 'seller' | 'system'
-    body        TEXT NOT NULL,
-    created_at  TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_rmsg_return ON return_messages(return_id, created_at)');
-}
-catch { }
+// W2 售后协商时间线 — 多轮消息（buyer ↔ seller）→ server-schema.ts；flagged/flag_reasons ALTER 刻意留原位（紧跟下方）
+initReturnMessagesSchema(db);
 // 跨窗反诈一致性
 try {
     db.exec('ALTER TABLE return_messages ADD COLUMN flagged INTEGER DEFAULT 0');
@@ -2198,24 +1620,8 @@ try {
 catch { }
 // Wave B-1 Phase 1: 商品 variants（同款多 SKU — 颜色/尺寸/规格组合）
 // schema + CRUD 端点；Phase 2 再集成订单/购物车
-db.exec(`
-  CREATE TABLE IF NOT EXISTS product_variants (
-    id              TEXT PRIMARY KEY,
-    product_id      TEXT NOT NULL,
-    sku             TEXT,                 -- 卖家内部 SKU 编号（可选）
-    options_json    TEXT NOT NULL,        -- {"颜色":"红","尺寸":"L"} 必填
-    price_override  REAL,                 -- null = 用 product.price
-    stock           INTEGER DEFAULT 0,
-    images_json     TEXT,                 -- variant 专属图（可选，null = 用 product.images）
-    is_active       INTEGER DEFAULT 1,
-    created_at      TEXT DEFAULT (datetime('now')),
-    updated_at      TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_pv_product ON product_variants(product_id, is_active)');
-}
-catch { }
+// Wave B-1: 商品 variants → server-schema.ts；has_variants/options_key ALTER + 回填 + uniq 索引刻意留原位（紧跟下方）
+initProductVariantsSchema(db);
 // 给 products 加 has_variants 标记（避免每次查 join 检查）
 try {
     db.exec('ALTER TABLE products ADD COLUMN has_variants INTEGER DEFAULT 0');
@@ -2274,146 +1680,15 @@ try {
     db.exec('CREATE INDEX IF NOT EXISTS idx_products_p2p ON products(p2p_mode, status)');
 }
 catch { }
-db.exec(`
-  CREATE TABLE IF NOT EXISTS p2p_shops (
-    id              TEXT PRIMARY KEY,
-    owner_id        TEXT NOT NULL,
-    name            TEXT NOT NULL,
-    description     TEXT,
-    thumbnail_uri   TEXT,
-    peer_endpoint   TEXT,
-    peer_pubkey     TEXT,
-    status          TEXT NOT NULL DEFAULT 'active',
-    created_at      TEXT DEFAULT (datetime('now')),
-    updated_at      TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_p2p_shops_owner ON p2p_shops(owner_id, status)');
-}
-catch { }
-db.exec(`
-  CREATE TABLE IF NOT EXISTS shareable_likes (
-    id            TEXT PRIMARY KEY,
-    shareable_id  TEXT NOT NULL,
-    user_id       TEXT NOT NULL,
-    created_at    TEXT DEFAULT (datetime('now')),
-    UNIQUE(shareable_id, user_id)
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_shr_likes_shr ON shareable_likes(shareable_id)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_shr_likes_user ON shareable_likes(user_id, created_at DESC)');
-}
-catch { }
-// 2026-05-22 audit P2：收藏功能（小红书风格"收藏" tab）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS shareable_bookmarks (
-    id            TEXT PRIMARY KEY,
-    shareable_id  TEXT NOT NULL,
-    user_id       TEXT NOT NULL,
-    created_at    TEXT DEFAULT (datetime('now')),
-    UNIQUE(shareable_id, user_id)
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_shr_bm_user ON shareable_bookmarks(user_id, created_at DESC)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_shr_bm_shr ON shareable_bookmarks(shareable_id)');
-}
-catch { }
-// 2026-05-22 audit P1 backlog：# 话题/标签系统（小红书风格内容分发）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS shareable_tags (
-    id            INTEGER PRIMARY KEY AUTOINCREMENT,
-    shareable_id  TEXT NOT NULL,
-    tag           TEXT NOT NULL,          -- 已 lowercase + trim，最长 30 字符
-    created_at    TEXT DEFAULT (datetime('now')),
-    UNIQUE(shareable_id, tag)
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_shr_tags_tag ON shareable_tags(tag, created_at DESC)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_shr_tags_shr ON shareable_tags(shareable_id)');
-}
-catch { }
-// manifest_registry = 原生 P2P 内容索引（仅 hash + 签名 + 元数据；字节在用户设备）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS manifest_registry (
-    hash                 TEXT PRIMARY KEY,
-    owner_id             TEXT NOT NULL,
-    content_type         TEXT NOT NULL,
-    byte_size            INTEGER NOT NULL,
-    title                TEXT,
-    description          TEXT,
-    thumbnail_data_uri   TEXT,
-    signature            TEXT NOT NULL,
-    signed_at            TEXT NOT NULL,
-    related_product_id   TEXT,
-    related_anchor       TEXT,
-    status               TEXT DEFAULT 'active',
-    takedown_reason      TEXT,
-    takedown_at          TEXT,
-    takedown_by          TEXT,
-    created_at           TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_mfst_owner ON manifest_registry(owner_id, status)");
-}
-catch { }
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_mfst_product ON manifest_registry(related_product_id, status)");
-}
-catch { }
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_mfst_anchor ON manifest_registry(related_anchor, status)");
-}
-catch { }
-// peer_directory = 在线 peer 注册（哪些 user 持有哪些 hash 的 cache，heartbeat 5min 失效）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS peer_directory (
-    peer_id             TEXT NOT NULL,
-    manifest_hash       TEXT NOT NULL,
-    is_owner            INTEGER DEFAULT 0,
-    pin_intent          INTEGER DEFAULT 0,
-    last_heartbeat      TEXT NOT NULL,
-    bytes_served_total  INTEGER DEFAULT 0,
-    PRIMARY KEY (peer_id, manifest_hash)
-  )
-`);
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_peer_hash ON peer_directory(manifest_hash, last_heartbeat DESC)");
-}
-catch { }
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_peer_heartbeat ON peer_directory(last_heartbeat)");
-}
-catch { }
-// signaling_queue = WebRTC SDP/ICE 中继（TTL 2min，cron 清理）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS signaling_queue (
-    id              TEXT PRIMARY KEY,
-    to_peer_id      TEXT NOT NULL,
-    from_peer_id    TEXT NOT NULL,
-    signal_type     TEXT NOT NULL,
-    signal_data     TEXT NOT NULL,
-    created_at      TEXT NOT NULL,
-    delivered_at    TEXT
-  )
-`);
-try {
-    db.exec("CREATE INDEX IF NOT EXISTS idx_sig_to ON signaling_queue(to_peer_id, delivered_at)");
-}
-catch { }
+// P2P 店铺 / 笔记点赞·收藏·标签 / manifest·peer·signaling（原生 P2P 内容层）→ server-schema.ts
+// 纯幂等建表/建索引 DDL，原位调用保持 boot 顺序不变
+initP2pShopsSchema(db);
+initShareableLikesSchema(db);
+initShareableBookmarksSchema(db);
+initShareableTagsSchema(db);
+initManifestRegistrySchema(db);
+initPeerDirectorySchema(db);
+initSignalingQueueSchema(db);
 // pin_receipts = 服务证明（pinner 给 recipient 传输 N bytes 时双签的回执）
 // recipient 之后下单同商品 → settlePinRewards 从 basin 拨 0.5% 订单额分给最近 5 个 pinners
 db.exec(`
@@ -2617,7 +1892,7 @@ catch { }
 // 2026-06-04：佣金兜底科目从 charity_fund 拆出，慈善科目自此【纯净】只服务慈善许愿板块。
 // 三级佣金中【无资格人 / 无资格 / 区域档位截断 / max=0 整池 / opt-out 放弃 / escrow 到期】
 // 的部分，统一入此【独立科目】。定位 = 协议储备，**只进不出**，用途由治理(DAO/创始人)决定。
-// 与 global_fund(PV 资金，由 1% base 注资发对碰) 互不流通 —— 三套科目彻底独立。
+// 与 global_fund(由 1% base 注资的预留池;匹配奖励引擎已切除,当前无消费方) 互不流通 —— 三套科目彻底独立。
 // 命名注意：本表是【持久储备科目】，区别于每单的 commission_pool/commissionPool（= total×rate 预算变量）。
 //   total_chain_gap        — L2/L3 空缺（自发现/上家断链）
 //   total_orphan_sponsor   — sponsor 被封/无资格 + opt-out 主动放弃 + escrow 到期（无合格受益人桶）
@@ -2796,7 +2071,7 @@ try {
     db.exec("CREATE INDEX IF NOT EXISTS idx_cft_from_kind_time ON charity_fund_txns(from_user_id, kind, created_at DESC)");
 }
 catch { }
-// 原子能轨道 Phase 2 — 双轨对碰数据层
+// 放置树 / PV 参与记录数据层(中性参与记录;匹配奖励引擎已切除)
 for (const stmt of [
     'ALTER TABLE users ADD COLUMN placement_id    TEXT',
     "ALTER TABLE users ADD COLUMN placement_side  TEXT",
@@ -2895,14 +2170,20 @@ try {
     db.exec('ALTER TABLE global_fund ADD COLUMN pv_escrow_reserve REAL DEFAULT 0');
 }
 catch { /* 已存在 */ }
+// 迁移:management_bonus_pool → protocol_reserve_pool(中性标识,去 comp-plan;保留既有余额)。
+// RENAME 必须在 CREATE IF NOT EXISTS 之前:旧库重命名保余额;新库无旧表→ALTER 抛错被吞,由下方 CREATE 建新表。
+try {
+    db.exec('ALTER TABLE management_bonus_pool RENAME TO protocol_reserve_pool');
+}
+catch { /* 已迁移 / 全新库 */ }
 db.exec(`
-  CREATE TABLE IF NOT EXISTS management_bonus_pool (
+  CREATE TABLE IF NOT EXISTS protocol_reserve_pool (
     id INTEGER PRIMARY KEY CHECK(id=1),
     balance REAL DEFAULT 0
   )
 `);
 try {
-    db.prepare('INSERT OR IGNORE INTO management_bonus_pool (id) VALUES (1)').run();
+    db.prepare('INSERT OR IGNORE INTO protocol_reserve_pool (id) VALUES (1)').run();
 }
 catch { }
 db.exec(`
@@ -2911,95 +2192,24 @@ db.exec(`
     pv_threshold    REAL NOT NULL,
     score_per_hit   REAL NOT NULL,
     active          INTEGER DEFAULT 1
-  )
-`);
-[
-    [1, 30_000, 100],
-    [2, 100_000, 180],
-    [3, 300_000, 250],
-    [4, 1_000_000, 320],
-    [5, 3_000_000, 380],
-].forEach(([tier, threshold, score]) => {
-    try {
-        db.prepare("INSERT OR IGNORE INTO binary_tier_config (tier, pv_threshold, score_per_hit) VALUES (?,?,?)").run(tier, threshold, score);
-    }
-    catch { }
-});
-// ─── 7档级差对碰升级（资金/PV 解耦控盘版）─────────────────────
-// 资金流：1% 永远入基金池；区域 max_levels<3 时 L3 分润那份也回流入池
-// PV 流：order.total × product.category.pv_multiplier（防交叉补贴）
-// 对碰：7 档阶梯门槛 300→33000，折扣系数 1.00→0.70；成功匹配单次双侧全清
-// 安全阀：30%/50%/70% 拨出率 × pool；100 元/点 cap；剩余沉淀
-for (const stmt of [
-    'ALTER TABLE binary_tier_config ADD COLUMN base_score REAL',
-    'ALTER TABLE binary_tier_config ADD COLUMN discount_coef REAL DEFAULT 1.0',
-]) {
-    try {
-        db.exec(stmt);
-    }
-    catch { }
-}
-// V3 升级（方案 D · 强激励）：score_per_hit 直接 = 元（不再 base × coef 中间步骤）
-// PV 阈值跳跃 2.3–2.5x 平均 → 完美对碰拨比 1.20，实际拨比 ~1.5（考虑 min/max 不平衡）
-// 实际沉淀率 ~26%（vs 旧方案 28%），但 T7 门槛大幅降低 → 推广友好度 5×
-//
-// 升级触发：用独立 system_state.tokenomics_version 标志，幂等 + 防 admin 改 tier 后误触发
-// （之前用 T7 score_per_hit 检测，admin 改值会导致重启时重复 ×100 score —— 严重 bug）
-// 提前 CREATE 一次 system_state（line 1723 之前），不影响后续幂等创建
-try {
-    db.exec("CREATE TABLE IF NOT EXISTS system_state (key TEXT PRIMARY KEY, value TEXT)");
-}
-catch { }
-const _currentTokenomicsVersion = (() => {
-    try {
-        const row = db.prepare("SELECT value FROM system_state WHERE key = 'tokenomics_version'").get();
-        return row?.value ?? null;
-    }
-    catch {
-        return null;
-    }
-})();
-const _needsTierV3Seed = _currentTokenomicsVersion !== 'v3';
-if (_needsTierV3Seed) {
-    try {
-        db.prepare("DELETE FROM binary_tier_config").run();
-    }
-    catch { }
-    ;
-    [
-        // [tier, pv_threshold, score (= 元)]
-        [1, 300, 100],
-        [2, 700, 200],
-        [3, 1600, 400],
-        [4, 3800, 800],
-        [5, 9000, 1600],
-        [6, 22000, 3200],
-        [7, 55000, 6400],
-    ].forEach(([tier, threshold, score]) => {
-        try {
-            db.prepare(`INSERT INTO binary_tier_config (tier, pv_threshold, base_score, discount_coef, score_per_hit, active)
-                  VALUES (?,?,?,?,?,1)`).run(tier, threshold, score, 1.0, score);
-        }
-        catch { }
-    });
-    // V3 迁移：旧 score (1, 1.9, 3.6, ...) 是基于 cap=100 设计的；新规则 cap=1.0
-    // 所有未结算 score × 100，保证用户应得金额不变（旧 score×100 + 新 cap1.0 = 旧 score×100）
-    // 仅在 version 从 null/旧值 → 'v3' 时执行一次，admin 后续改 tier 不重触发
-    if (_currentTokenomicsVersion !== 'v3') {
-        try {
-            db.prepare("UPDATE binary_score_records SET score = score * 100 WHERE settled_at IS NULL").run();
-        }
-        catch (e) {
-            console.error('[V3 score migration]', e);
-        }
-    }
+  )
+`);
+// binary_tier_config 保留为【预留空表 / dormant structure】—— 不 seed 任何档位 / 阈值 / 分数参数。
+// 匹配奖励引擎已切除(#401);若未来经法律 / 治理放行重启奖励功能,再按届时合规设计填充。
+// (base_score / discount_coef 列仅为历史 schema 兼容保留,不写入)
+for (const stmt of [
+    'ALTER TABLE binary_tier_config ADD COLUMN base_score REAL',
+    'ALTER TABLE binary_tier_config ADD COLUMN discount_coef REAL DEFAULT 1.0',
+]) {
     try {
-        db.prepare("INSERT OR REPLACE INTO system_state (key, value) VALUES ('tokenomics_version', 'v3')").run();
-    }
-    catch (e) {
-        console.error('[V3 version flag]', e);
+        db.exec(stmt);
     }
+    catch { }
+}
+try {
+    db.exec("CREATE TABLE IF NOT EXISTS system_state (key TEXT PRIMARY KEY, value TEXT)");
 }
+catch { }
 // 商品类目（PV 乘数 = 资金/PV 解耦核心）
 db.exec(`
   CREATE TABLE IF NOT EXISTS product_categories (
@@ -3226,56 +2436,10 @@ try {
     db.exec('CREATE INDEX IF NOT EXISTS idx_aucbids_buyer ON auction_bids(buyer_id, status, submitted_at DESC)');
 }
 catch { }
-// CHAT — 上下文绑定聊天（order / rfq / listing_qa）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS conversations (
-    id              TEXT PRIMARY KEY,
-    kind            TEXT NOT NULL,
-    context_id      TEXT NOT NULL,
-    user_a          TEXT NOT NULL,
-    user_b          TEXT NOT NULL,
-    last_message_at TEXT,
-    last_preview    TEXT,
-    unread_a        INTEGER NOT NULL DEFAULT 0,
-    unread_b        INTEGER NOT NULL DEFAULT 0,
-    status          TEXT NOT NULL DEFAULT 'active',
-    created_at      TEXT DEFAULT (datetime('now')),
-    UNIQUE(kind, context_id, user_a, user_b)
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_conv_a ON conversations(user_a, last_message_at DESC)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_conv_b ON conversations(user_b, last_message_at DESC)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_conv_ctx ON conversations(kind, context_id)');
-}
-catch { }
-db.exec(`
-  CREATE TABLE IF NOT EXISTS messages (
-    id              TEXT PRIMARY KEY,
-    conversation_id TEXT NOT NULL,
-    sender_id       TEXT NOT NULL,
-    body            TEXT NOT NULL DEFAULT '',
-    attachments     TEXT,
-    flagged         INTEGER NOT NULL DEFAULT 0,
-    flag_reasons    TEXT,
-    read_at         TEXT,
-    created_at      TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_msg_conv ON messages(conversation_id, created_at)');
-}
-catch { }
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_msg_sender ON messages(sender_id, created_at DESC)');
-}
-catch { }
+// CHAT — 上下文绑定聊天（order / rfq / listing_qa）→ server-schema.ts
+initConversationsSchema(db);
+// 聊天消息 → server-schema.ts；kind/meta ALTER 刻意留原位（紧跟下方）
+initMessagesSchema(db);
 // W1 私信结构化消息：kind = 'text' | 'offer' | 'tracking'；meta = JSON payload
 try {
     db.exec("ALTER TABLE messages ADD COLUMN kind TEXT DEFAULT 'text'");
@@ -3285,24 +2449,8 @@ try {
     db.exec('ALTER TABLE messages ADD COLUMN meta TEXT');
 }
 catch { }
-// 反诈举报表（chat report → 人工审核）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS chat_reports (
-    id              TEXT PRIMARY KEY,
-    conversation_id TEXT NOT NULL,
-    message_id      TEXT,
-    reporter_id     TEXT NOT NULL,
-    reported_id     TEXT NOT NULL,
-    reason          TEXT NOT NULL,
-    note            TEXT,
-    status          TEXT NOT NULL DEFAULT 'pending',
-    created_at      TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_chatrpt_status ON chat_reports(status, created_at)');
-}
-catch { }
+// 反诈举报表（chat report → 人工审核）→ server-schema.ts
+initChatReportsSchema(db);
 // 基金池入池流水（depositToFund 审计 + 4 周历史均值数据源）
 db.exec(`
   CREATE TABLE IF NOT EXISTS fund_deposits (
@@ -3347,7 +2495,7 @@ try {
     db.exec('CREATE INDEX IF NOT EXISTS idx_settle_periods_status ON settlement_periods(status, started_at)');
 }
 catch { }
-// 管理津贴门控：默认关闭，等运营稳定后再开启 + 仅特定资格用户可得
+// 休眠:管理津贴 payout 已随匹配引擎切除(#401);列 + state 作为休眠结构保留(可逆,默认关闭、无消费方)。
 try {
     db.exec("ALTER TABLE users ADD COLUMN mgmt_bonus_eligible INTEGER DEFAULT 0");
 }
@@ -3562,39 +2710,15 @@ try {
 catch (e) {
     console.warn('[D1b] migration', e);
 }
-// 邀请码轮询：5 用户固定列表（按 handle），admin 可切开关；
-// 默认关闭，前端按钮置灰。开启后访客点 "获取邀请码" → 按"自纠偏轮询"派号。
-// 算法：
-//   · 每槽维护 issued_count / registered_count
-//   · max_reg - min_reg ≥ 3（不均衡）→ 发 registered 最少的（补齐）
-//   · 否则 → 发 issued 最少的（顺序均分）
-//   · 点击即 issued++；注册成功 → registered++
-try {
-    db.prepare("INSERT OR IGNORE INTO system_state (key, value) VALUES ('invite_rotation_enabled', '0')").run();
-}
-catch { }
-try {
-    db.exec(`CREATE TABLE IF NOT EXISTS invite_rotation_stats (
-    slot             INTEGER PRIMARY KEY,
-    issued_count     INTEGER NOT NULL DEFAULT 0,
-    registered_count INTEGER NOT NULL DEFAULT 0
-  )`);
-    for (let i = 0; i < 5; i++) {
-        db.prepare("INSERT OR IGNORE INTO invite_rotation_stats (slot) VALUES (?)").run(i);
-    }
-}
-catch (e) {
-    console.error('[invite-rotation schema]', e);
-}
 // 让 sys_protocol 可作为公库 sponsor（孤儿注册时分润自动归公库）
 try {
     db.prepare("UPDATE users SET l1_share_override = 1 WHERE id = 'sys_protocol'").run();
 }
 catch { }
 // M7.2.6 + 2026-05-21 PV 合规扩展：按全球各国监管态度分档
-// 详细法律依据 + 风险评估见 docs/MLM-COMPLIANCE.md
+// 详细法律依据 + 风险评估见 docs/PARTICIPATION-ATTRIBUTION-COMPLIANCE.md
 //
-// max_levels=0（完全禁 MLM，整池入 charity_fund）：
+// max_levels=0（完全禁 MLM，整池入 commission_reserve）：
 //   GCC 国家 / 伊朗 / 朝鲜 / 缅甸 — 法律完全禁止任何下线计酬
 // max_levels=1（仅 L1，类联盟营销）：
 //   越南 / 印尼 / 菲律宾 — 严格 license 制度，多级风险高
@@ -3691,68 +2815,13 @@ for (const stmt of [
     }
     catch { }
 }
-db.exec(`
-  CREATE TABLE IF NOT EXISTS quota_increase_applications (
-    id              TEXT PRIMARY KEY,
-    user_id         TEXT NOT NULL,
-    current_quota   INTEGER,
-    requested_quota INTEGER,
-    reason          TEXT,
-    status          TEXT DEFAULT 'pending',
-    applied_at      TEXT DEFAULT (datetime('now')),
-    reviewed_at     TEXT,
-    reviewed_by     TEXT,
-    decision_note   TEXT
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_quota_apps_status ON quota_increase_applications(status)');
-}
-catch { }
-// Verifier 申请记录
-db.exec(`
-  CREATE TABLE IF NOT EXISTS verifier_applications (
-    id              TEXT PRIMARY KEY,
-    user_id         TEXT NOT NULL,
-    status          TEXT DEFAULT 'pending',
-    applied_at      TEXT DEFAULT (datetime('now')),
-    reviewed_at     TEXT,
-    reviewed_by     TEXT,
-    decision_note   TEXT,
-    snapshot        TEXT
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_verifier_apps_status ON verifier_applications(status)');
-}
-catch { }
-// Arbitrator 申请 + 白名单（外部仲裁员路径 — 与 verifier 平行）
-// 内部仲裁员：role='arbitrator'（admin 通过 /admin/admins 创建，自动 is_system=1）
-// 外部仲裁员：role='buyer' + arbitrator_whitelist 行（buyer 申请→admin 批准）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS arbitrator_applications (
-    id              TEXT PRIMARY KEY,
-    user_id         TEXT NOT NULL,
-    status          TEXT DEFAULT 'pending',
-    applied_at      TEXT DEFAULT (datetime('now')),
-    reviewed_at     TEXT,
-    reviewed_by     TEXT,
-    decision_note   TEXT,
-    snapshot        TEXT
-  );
-  CREATE TABLE IF NOT EXISTS arbitrator_whitelist (
-    user_id         TEXT PRIMARY KEY,
-    added_at        TEXT DEFAULT (datetime('now')),
-    note            TEXT,
-    is_system       INTEGER DEFAULT 0,
-    granted_by      TEXT,
-    stake_amount    INTEGER DEFAULT 0
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_arb_apps_status ON arbitrator_applications(status)');
-}
-catch { }
+// 配额提升申请 → server-schema.ts
+initQuotaIncreaseApplicationsSchema(db);
+// Verifier 申请记录 → server-schema.ts
+initVerifierApplicationsSchema(db);
+// Arbitrator 申请 + 白名单（外部仲裁员路径）→ server-schema.ts
+// legacy 内部仲裁员 → 白名单的 migration INSERT 刻意留原位（紧跟下方）
+initArbitratorReviewSchema(db);
 // Migration：legacy 内部仲裁员 (role='arbitrator') → 自动加入白名单（is_system=1）
 try {
     db.prepare(`
@@ -3763,26 +2832,8 @@ try {
 catch (e) {
     console.warn('[arb migration]', e.message);
 }
-// Verifier 申诉记录
-db.exec(`
-  CREATE TABLE IF NOT EXISTS verifier_appeals (
-    id            TEXT PRIMARY KEY,
-    user_id       TEXT NOT NULL,
-    task_id       TEXT,
-    submission_id TEXT,
-    reason        TEXT NOT NULL,
-    evidence_urls TEXT DEFAULT '[]',
-    status        TEXT DEFAULT 'pending',
-    admin_note    TEXT,
-    reviewed_by   TEXT,
-    reviewed_at   TEXT,
-    created_at    TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_verifier_appeals_status ON verifier_appeals(status)');
-}
-catch { }
+// Verifier 申诉记录 → server-schema.ts
+initVerifierAppealsSchema(db);
 // 扩展 verifier_whitelist
 for (const stmt of [
     "ALTER TABLE verifier_whitelist ADD COLUMN tier             TEXT DEFAULT 'active-2'", // 旧数据兼容：当满级
@@ -3805,34 +2856,14 @@ try {
     db.prepare("UPDATE verifier_whitelist SET is_system = 1, tier = 'active-2', daily_quota = 9999 WHERE user_id = ?").run(INTERNAL_AUDITOR_ID);
 }
 catch { }
-// 用户暂停状态（admin 管理）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS user_moderation (
-    user_id        TEXT PRIMARY KEY,
-    suspended      INTEGER DEFAULT 0,
-    reason         TEXT,
-    suspended_by   TEXT,
-    suspended_at   TEXT
-  )
-`);
-// admin 操作审计日志
-db.exec(`
-  CREATE TABLE IF NOT EXISTS admin_audit_log (
-    id           TEXT PRIMARY KEY,
-    admin_id     TEXT NOT NULL,
-    action       TEXT NOT NULL,
-    target_type  TEXT,
-    target_id    TEXT,
-    detail       TEXT,
-    created_at   TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_admin_audit_log_created ON admin_audit_log(created_at)');
-}
-catch { }
-// Bootstrap admin（env BOOTSTRAP_ADMIN_NAME → 该用户升为 admin，幂等）
-;
+// 用户暂停状态（admin 管理）→ server-schema.ts
+initUserModerationSchema(db);
+// admin 操作审计日志 → server-schema.ts（initAdminCoordinationSchema FK 依赖本表，须先建）
+initAdminAuditLogSchema(db);
+// admin/agent coordination contribution — operator-claim + agent-mandate event logs + fact-source link
+// (schema only). Placed HERE because it FKs users + contribution_facts (both created above) AND
+// admin_audit_log (created just above). No ingestion runs at boot.
+initAdminCoordinationSchema(db);
 (() => {
     const bootName = process.env.BOOTSTRAP_ADMIN_NAME;
     if (!bootName?.trim())
@@ -3855,41 +2886,16 @@ catch { }
         .run(JSON.stringify(roles), u.id);
     console.log(`[WebAZ] ✓ ${u.name} 已升级为 admin (bootstrap)`);
 })();
-// 验证码表（邮箱绑定 / 找回密钥 / 改密码 等共用）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS verification_codes (
-    id          TEXT PRIMARY KEY,
-    user_id     TEXT NOT NULL,
-    channel     TEXT NOT NULL,           -- 'email' / 'phone'
-    target      TEXT NOT NULL,           -- 邮箱地址 / 手机号
-    code        TEXT NOT NULL,           -- 6 位数字
-    purpose     TEXT NOT NULL,           -- 'bind_email' / 'recover_key' / ...
-    attempts    INTEGER DEFAULT 0,
-    used_at     TEXT,
-    expires_at  TEXT NOT NULL,
-    created_at  TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_verification_codes_lookup ON verification_codes(channel, target, purpose)');
-}
-catch { }
+// 验证码表（邮箱绑定 / 找回密钥 / 改密码 等共用）→ server-schema.ts
+initVerificationCodesSchema(db);
 const NEW_PRODUCT_COLS = [
-    'ALTER TABLE products ADD COLUMN specs TEXT',
-    'ALTER TABLE products ADD COLUMN brand TEXT',
-    'ALTER TABLE products ADD COLUMN model TEXT',
+    // specs/brand/model/source_price/ship_regions/handling_hours/estimated_days/
+    // fragile/return_days/return_condition/warranty_days moved to
+    // initRegisterListSearchColumns (single source, shared w/ MCP) — see ~line 494.
     'ALTER TABLE products ADD COLUMN source_url TEXT',
-    'ALTER TABLE products ADD COLUMN source_price REAL',
     'ALTER TABLE products ADD COLUMN source_price_at TEXT',
     'ALTER TABLE products ADD COLUMN weight_kg REAL',
-    'ALTER TABLE products ADD COLUMN ship_regions TEXT DEFAULT "全国"',
     'ALTER TABLE products ADD COLUMN excluded_regions TEXT',
-    'ALTER TABLE products ADD COLUMN handling_hours INTEGER DEFAULT 24',
-    'ALTER TABLE products ADD COLUMN estimated_days TEXT',
-    'ALTER TABLE products ADD COLUMN fragile INTEGER DEFAULT 0',
-    'ALTER TABLE products ADD COLUMN return_days INTEGER DEFAULT 7',
-    'ALTER TABLE products ADD COLUMN return_condition TEXT',
-    'ALTER TABLE products ADD COLUMN warranty_days INTEGER DEFAULT 0',
     'ALTER TABLE products ADD COLUMN commitment_hash TEXT',
     'ALTER TABLE products ADD COLUMN description_hash TEXT',
     'ALTER TABLE products ADD COLUMN price_hash TEXT',
@@ -3993,20 +2999,12 @@ catch { }
 })();
 // ─── 里程碑 3：反操纵层 schema ─────────────────────────────────
 try {
-    db.exec(`CREATE TABLE IF NOT EXISTS shareable_click_log (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
-    shareable_id TEXT NOT NULL,
-    ip_hash TEXT NOT NULL,
-    ua_hash TEXT NOT NULL,
-    ref_path TEXT,
-    created_at TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_scl_share_ts ON shareable_click_log(shareable_id, created_at)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_scl_share_ipua ON shareable_click_log(shareable_id, ip_hash, ua_hash, created_at)`);
+    initShareableClickLogSchema(db);
 }
 catch (e) {
     console.error('[M3 schema scl]', e);
 }
+// shareables ALTER 刻意留原位（scl init 之后、cal init 之前）
 try {
     db.exec('ALTER TABLE shareables ADD COLUMN unique_click_count INTEGER DEFAULT 0');
 }
@@ -4016,137 +3014,42 @@ try {
 }
 catch { }
 try {
-    db.exec(`CREATE TABLE IF NOT EXISTS commission_audit_log (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
-    order_id TEXT,
-    buyer_id TEXT NOT NULL,
-    seller_id TEXT NOT NULL,
-    flag TEXT NOT NULL,                  -- 'sponsor_chain_cross' / 'self_in_chain'
-    detail TEXT,                          -- JSON: { relation: 'buyer_ancestor_of_seller' | ..., path: '...' }
-    created_at TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_cal_buyer ON commission_audit_log(buyer_id, created_at)`);
+    initCommissionAuditLogSchema(db);
 }
 catch (e) {
     console.error('[M3 schema cal]', e);
 }
 try {
-    db.exec(`CREATE TABLE IF NOT EXISTS registration_audit_log (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
-    user_id TEXT NOT NULL,
-    ip_hash TEXT NOT NULL,
-    ua_hash TEXT NOT NULL,
-    sponsor_id TEXT,
-    created_at TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_ral_ip_ts ON registration_audit_log(ip_hash, created_at)`);
+    initRegistrationAuditLogSchema(db);
 }
 catch (e) {
     console.error('[M3 schema ral]', e);
 }
-// ─── 里程碑 4：Agent Reputation schema ─────────────────────────
+// ─── 里程碑 4：Agent observability/reputation schema → server-schema.ts ─
 try {
-    db.exec(`CREATE TABLE IF NOT EXISTS agent_call_log (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
-    api_key TEXT,
-    user_id TEXT,
-    endpoint TEXT NOT NULL,
-    method TEXT,
-    status_code INTEGER,
-    created_at TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_acl_apikey_ts ON agent_call_log(api_key, created_at)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_acl_user_ts ON agent_call_log(user_id, created_at)`);
+    initAgentCallLogSchema(db);
 }
 catch (e) {
     console.error('[M4 schema acl]', e);
 }
 try {
-    db.exec(`CREATE TABLE IF NOT EXISTS agent_reputation (
-    api_key TEXT PRIMARY KEY,
-    user_id TEXT NOT NULL,
-    trust_score REAL DEFAULT 0,
-    level TEXT DEFAULT 'new',
-    signals TEXT,                    -- JSON
-    last_calculated_at TEXT,
-    created_at TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_ar_user ON agent_reputation(user_id)`);
+    initAgentReputationSchema(db);
 }
 catch (e) {
     console.error('[M4 schema ar]', e);
 }
-// ─── 2026-05-23 Agent 治理（spec: docs/AGENT-GOVERNANCE.md）─────
-try {
-    // agent_declarations：agent 自声明（trust > new 必须先登记）
-    db.exec(`CREATE TABLE IF NOT EXISTS agent_declarations (
-    api_key           TEXT PRIMARY KEY,
-    user_id           TEXT NOT NULL,
-    operator_name     TEXT NOT NULL,             -- 公司/开发者名
-    operator_contact  TEXT NOT NULL,             -- email/handle/DID
-    purpose           TEXT NOT NULL,             -- ≤200 字
-    declared_scope    TEXT NOT NULL,             -- JSON: {roles, actions, regions}
-    attestations      TEXT,                      -- JSON: {gdpr, kids_safe, no_pii_export, ...}
-    repo_url          TEXT,
-    homepage          TEXT,
-    revoked_at        TEXT,                      -- 撤销时间（用户主动 revoke）
-    revoked_reason    TEXT,
-    created_at        TEXT DEFAULT (datetime('now')),
-    updated_at        TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_agd_operator ON agent_declarations(operator_name)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_agd_revoked ON agent_declarations(revoked_at) WHERE revoked_at IS NOT NULL`);
-    // agent_attestations：bilateral consent（用户主动同意某 agent 的 scope）
-    db.exec(`CREATE TABLE IF NOT EXISTS agent_attestations (
-    id                TEXT PRIMARY KEY,
-    api_key           TEXT NOT NULL,             -- agent 的 api_key
-    user_id           TEXT NOT NULL,             -- 同意此 agent 行动的用户
-    approved_scope    TEXT NOT NULL,             -- JSON：用户实际批准的子集
-    spend_cap_per_order REAL,                    -- 该用户给此 agent 的单笔下单上限（可空 = 沿用 declared_scope）
-    spend_cap_daily   REAL,                      -- 24h 累计上限
-    granted_at        TEXT DEFAULT (datetime('now')),
-    revoked_at        TEXT,
-    UNIQUE(api_key, user_id)
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_aat_user ON agent_attestations(user_id, revoked_at)`);
-    // agent_strikes：违规累积（3-strike state machine）
-    db.exec(`CREATE TABLE IF NOT EXISTS agent_strikes (
-    id                INTEGER PRIMARY KEY AUTOINCREMENT,
-    api_key           TEXT NOT NULL,
-    user_id           TEXT NOT NULL,
-    severity          TEXT NOT NULL,             -- 'warning' | 'suspend_7d' | 'permanent'
-    reason_code       TEXT NOT NULL,             -- 'fake_shipment' | 'mass_spam' | 'overlimit_order' | 'fraud_claim' | ...
-    reason_detail     TEXT,
-    reported_by       TEXT,                      -- user_id（举报人 / system / admin）
-    related_ref       TEXT,                      -- 关联 order/dispute/claim_task id
-    issued_at         TEXT DEFAULT (datetime('now')),
-    expires_at        TEXT,                      -- warning=24h; suspend_7d=7d; permanent=null
-    appeal_status     TEXT DEFAULT 'none',       -- 'none' | 'pending' | 'approved' | 'denied'
-    appeal_reason     TEXT,
-    appeal_decided_by TEXT,
-    appeal_decided_at TEXT
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_ast_apikey ON agent_strikes(api_key, issued_at DESC)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_ast_user ON agent_strikes(user_id, issued_at DESC)`);
-    // 注：SQLite 不允许 partial index 用非确定性函数 (datetime('now'))；用 expires_at 普通索引代替
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_ast_active ON agent_strikes(api_key, expires_at)`);
-    // 2026-05-23 P1 fix 5.3：skills 加 disabled_by_strike_at（被 strike 自动停用后可恢复）
+// ─── 2026-05-23 Agent 治理（spec: docs/AGENT-GOVERNANCE.md）→ server-schema.ts ─
+// 顺序须保持：declarations → attestations → strikes →（ALTER skills 留原位）→ revocations
+try {
+    initAgentDeclarationsSchema(db);
+    initAgentAttestationsSchema(db);
+    initAgentStrikesSchema(db);
+    // 2026-05-23 P1 fix 5.3：skills 加 disabled_by_strike_at（被 strike 自动停用后可恢复）—— 留 server.ts 原位
     try {
         db.exec(`ALTER TABLE skills ADD COLUMN disabled_by_strike_at TEXT`);
     }
     catch { }
-    // agent_revocations：operator-级撤销（封禁同 operator 名下所有 agent）
-    db.exec(`CREATE TABLE IF NOT EXISTS agent_revocations (
-    id                INTEGER PRIMARY KEY AUTOINCREMENT,
-    target_kind       TEXT NOT NULL,             -- 'api_key' | 'operator_name'
-    target_value      TEXT NOT NULL,
-    revoked_by        TEXT NOT NULL,             -- user_id（用户自己 OR root admin）
-    revoked_by_role   TEXT,                      -- 'self' | 'admin'
-    reason            TEXT,
-    revoked_at        TEXT DEFAULT (datetime('now')),
-    UNIQUE(target_kind, target_value, revoked_by)
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_arev_target ON agent_revocations(target_kind, target_value)`);
+    initAgentRevocationsSchema(db);
 }
 catch (e) {
     console.error('[agent_governance schema]', e);
@@ -4155,73 +3058,22 @@ catch (e) {
 // 协议级精准匹配：卖家声明该 SKU 的多种 alias（外部 id / 标题 / 短链 / 淘口令 token / 标题片段）
 // 服务端用 findProductsByAlias 做"完全相等 + 包含"判定。alias 至少 6 字符，反通用词。
 try {
-    db.exec(`CREATE TABLE IF NOT EXISTS product_aliases (
-    id              TEXT PRIMARY KEY,
-    product_id      TEXT NOT NULL,
-    alias_type      TEXT NOT NULL,            -- 'external_id' | 'external_title' | 'short_url' | 'kouling_token' | 'title_substring'
-    alias_value     TEXT NOT NULL,
-    min_match_chars INTEGER DEFAULT 6,
-    created_at      TEXT DEFAULT (datetime('now')),
-    challenged_at   TEXT,                     -- M7.4 verifier 挑战时间
-    status          TEXT DEFAULT 'active',    -- 'active' | 'revoked' | 'challenged'
-    UNIQUE(alias_type, alias_value, product_id)
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_alias_value ON product_aliases(alias_value)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_alias_product ON product_aliases(product_id)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_alias_type ON product_aliases(alias_type)`);
+    initProductAliasesSchema(db);
 }
 catch (e) {
     console.error('[M7.2 schema product_aliases]', e);
 }
-// M-5：region 切换 audit log + 24h 限流
+// M-5：region 切换 audit log + 24h 限流 → server-schema.ts
 try {
-    db.exec(`CREATE TABLE IF NOT EXISTS region_change_log (
-    id          TEXT PRIMARY KEY,
-    user_id     TEXT NOT NULL,
-    from_region TEXT,
-    to_region   TEXT NOT NULL,
-    ip          TEXT,
-    created_at  TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_region_change_user_ts ON region_change_log(user_id, created_at DESC)`);
+    initRegionChangeLogSchema(db);
 }
 catch (e) {
     console.error('[M-5 schema region_change_log]', e);
 }
-// WebAuthn / Passkey — 大额提现 等敏感操作的二次确认（commit B）
+// WebAuthn / Passkey — 大额提现 等敏感操作的二次确认（commit B）→ server-schema.ts
+// users.webauthn_required_for_withdraw ALTER 刻意留原位（init 后、同一 try 内）
 try {
-    db.exec(`CREATE TABLE IF NOT EXISTS webauthn_credentials (
-    id              TEXT PRIMARY KEY,         -- credential.id (base64url)
-    user_id         TEXT NOT NULL,
-    public_key      BLOB NOT NULL,            -- COSE public key
-    counter         INTEGER NOT NULL DEFAULT 0,
-    transports      TEXT,                     -- JSON array
-    device_label    TEXT,                     -- user-friendly label
-    created_at      TEXT DEFAULT (datetime('now')),
-    last_used_at    TEXT
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_wac_user ON webauthn_credentials(user_id)`);
-    db.exec(`CREATE TABLE IF NOT EXISTS webauthn_challenges (
-    id           TEXT PRIMARY KEY,
-    user_id      TEXT NOT NULL,
-    challenge    TEXT NOT NULL,
-    purpose      TEXT NOT NULL,                -- 'register' | 'withdraw' | 'change-password' | 'reveal-key' | 'region'
-    purpose_data TEXT,                          -- JSON：例如 {amount: 1000, to_address: '0x...'}
-    created_at   TEXT DEFAULT (datetime('now')),
-    expires_at   TEXT NOT NULL,
-    consumed_at  TEXT
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_wac_chall_user ON webauthn_challenges(user_id, expires_at)`);
-    // gate token：auth/finish 成功后颁发，绑定 user + purpose + 业务参数（防重放）
-    db.exec(`CREATE TABLE IF NOT EXISTS webauthn_gate_tokens (
-    id           TEXT PRIMARY KEY,             -- token
-    user_id      TEXT NOT NULL,
-    purpose      TEXT NOT NULL,
-    purpose_data TEXT,                          -- JSON
-    expires_at   TEXT NOT NULL,                 -- now + 60s
-    consumed_at  TEXT
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_wac_gate_user ON webauthn_gate_tokens(user_id, expires_at)`);
+    initWebauthnSchema(db);
     // 用户 opt-in 设置
     try {
         db.exec("ALTER TABLE users ADD COLUMN webauthn_required_for_withdraw INTEGER DEFAULT 0");
@@ -4243,41 +3095,8 @@ const WEBAUTHN_CHALLENGE_TTL_MS = 5 * 60 * 1000; // 5 分钟
 const WEBAUTHN_GATE_TTL_MS = 90 * 1000; // 90 秒
 // M7.3：claim 验证任务系统 — 买家对推荐理由发起验证，3 verifier 共识仲裁
 try {
-    db.exec(`CREATE TABLE IF NOT EXISTS claim_verification_tasks (
-    id                  TEXT PRIMARY KEY,
-    order_id            TEXT NOT NULL,
-    buyer_id            TEXT NOT NULL,
-    seller_id           TEXT NOT NULL,
-    product_id          TEXT NOT NULL,
-    claim_target        TEXT NOT NULL,    -- 'price' | 'commission' | 'protection' | 'return' | 'warranty' | 'handling' | 'other'
-    claim_text          TEXT NOT NULL,    -- 买家陈述（≤ 500 字）
-    evidence_uri        TEXT,             -- 买家证据（URL / hash）
-    stake_buyer         REAL NOT NULL,    -- 买家锁定的质押金
-    seller_evidence_uri TEXT,             -- 卖家提交的证据
-    seller_evidence_at  TEXT,
-    deadline_at         TEXT NOT NULL,    -- 默认 48h；卖家提交证据后 +24h
-    status              TEXT NOT NULL DEFAULT 'open',  -- 'open' | 'sealed' | 'resolved_pass' | 'resolved_fail' | 'resolved_no_fault' | 'timeout_pass' | 'timeout_fail'
-    resolved_at         TEXT,
-    created_at          TEXT DEFAULT (datetime('now')),
-    UNIQUE(order_id)
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_cvt_status ON claim_verification_tasks(status)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_cvt_buyer ON claim_verification_tasks(buyer_id)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_cvt_seller ON claim_verification_tasks(seller_id)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_cvt_deadline ON claim_verification_tasks(deadline_at) WHERE status = 'open'`);
-    db.exec(`CREATE TABLE IF NOT EXISTS claim_verification_votes (
-    id           TEXT PRIMARY KEY,
-    task_id      TEXT NOT NULL,
-    verifier_id  TEXT NOT NULL,
-    vote         TEXT NOT NULL,   -- 'pass' | 'fail' | 'no_fault'
-    evidence_uri TEXT,
-    note         TEXT,
-    voted_at     TEXT DEFAULT (datetime('now')),
-    UNIQUE(task_id, verifier_id)
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_cvv_task ON claim_verification_votes(task_id)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_cvv_verifier ON claim_verification_votes(verifier_id)`);
-    // M7.3b 结算扩展
+    initClaimVerificationBaseSchema(db);
+    // M7.3b 结算扩展 — 刻意留 server.ts 原位（base init 之后，按原顺序）
     try {
         db.exec(`ALTER TABLE claim_verification_tasks ADD COLUMN majority_vote TEXT`);
     }
@@ -4286,187 +3105,18 @@ try {
         db.exec(`ALTER TABLE claim_verification_votes ADD COLUMN was_majority INTEGER`);
     }
     catch { }
-    // verifier 禁言 / 永封记录（outlier 累计触发）
-    db.exec(`CREATE TABLE IF NOT EXISTS claim_verifier_suspensions (
-    id            TEXT PRIMARY KEY,
-    user_id       TEXT NOT NULL,
-    type          TEXT NOT NULL,    -- 'suspended' | 'revoked'
-    until_at      TEXT,             -- NULL = permanent (revoked)
-    reason        TEXT,
-    outlier_count INTEGER,
-    created_at    TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_cvs_user ON claim_verifier_suspensions(user_id, created_at DESC)`);
-    // Sprint 1: 商品声明验证（与 order claim 平行，但作用于 product 层）
-    // 任何登录用户（除 seller 本人）可对商品的某项声明发起验证
-    // 3 verifier 共识投票判定 upheld（声明不实，卖家失分）/ dismissed（声明属实，发起人失质押）
-    db.exec(`CREATE TABLE IF NOT EXISTS product_claim_tasks (
-    id              TEXT PRIMARY KEY,
-    product_id      TEXT NOT NULL,
-    claimant_id     TEXT NOT NULL,
-    seller_id       TEXT NOT NULL,
-    claim_target    TEXT NOT NULL,    -- 'title' | 'description' | 'condition' | 'return_days' | 'handling_hours' | 'warranty_days' | 'shipping_regions' | 'origin' | 'other'
-    claim_text      TEXT NOT NULL,    -- 发起人陈述 6-500 字
-    evidence_uri    TEXT,             -- 发起人证据 URL
-    stake_claimant  REAL NOT NULL,    -- 发起人锁定质押
-    seller_evidence_uri TEXT,         -- 卖家反驳证据
-    seller_evidence_at  TEXT,
-    deadline_at     TEXT NOT NULL,    -- 默认 72h；卖家提交证据后 +24h
-    status          TEXT NOT NULL DEFAULT 'open',  -- 'open' | 'sealed' | 'resolved_upheld' | 'resolved_dismissed' | 'expired'
-    ruling          TEXT,             -- 'upheld' | 'dismissed' | 'insufficient'
-    majority_vote   TEXT,
-    resolved_at     TEXT,
-    created_at      TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_pct_status ON product_claim_tasks(status)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_pct_product ON product_claim_tasks(product_id)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_pct_claimant ON product_claim_tasks(claimant_id)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_pct_seller ON product_claim_tasks(seller_id)`);
-    db.exec(`CREATE TABLE IF NOT EXISTS product_claim_votes (
-    id           TEXT PRIMARY KEY,
-    claim_id     TEXT NOT NULL,
-    verifier_id  TEXT NOT NULL,
-    vote         TEXT NOT NULL,    -- 'upheld' | 'dismissed' | 'insufficient'
-    evidence_uri TEXT,
-    note         TEXT,
-    was_majority INTEGER,
-    voted_at     TEXT DEFAULT (datetime('now')),
-    UNIQUE(claim_id, verifier_id)
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_pcv_claim ON product_claim_votes(claim_id)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_pcv_verifier ON product_claim_votes(verifier_id)`);
-    // Sprint 2-A: 测评真实性验证（针对 shareables / manifests）
-    // 任何登录用户可对某条评测发起验证（不是真实购买/付费推广/利益相关等）
-    db.exec(`CREATE TABLE IF NOT EXISTS review_claim_tasks (
-    id              TEXT PRIMARY KEY,
-    review_type     TEXT NOT NULL,    -- 'shareable' | 'manifest'
-    review_id       TEXT NOT NULL,    -- shareable.id 或 manifest.hash
-    product_id      TEXT,             -- 关联商品（用于显示）
-    reviewer_id     TEXT NOT NULL,    -- 被诉评测作者
-    claimant_id     TEXT NOT NULL,
-    claim_target    TEXT NOT NULL,    -- 'not_real_purchase' | 'paid_promo' | 'incentivized' | 'misleading' | 'fake' | 'other'
-    claim_text      TEXT NOT NULL,
-    evidence_uri    TEXT,
-    stake_claimant  REAL NOT NULL,
-    deadline_at     TEXT NOT NULL,
-    status          TEXT NOT NULL DEFAULT 'open',
-    ruling          TEXT,
-    majority_vote   TEXT,
-    resolved_at     TEXT,
-    created_at      TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_rct_status ON review_claim_tasks(status)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_rct_review ON review_claim_tasks(review_type, review_id)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_rct_reviewer ON review_claim_tasks(reviewer_id)`);
-    db.exec(`CREATE TABLE IF NOT EXISTS review_claim_votes (
-    id           TEXT PRIMARY KEY,
-    claim_id     TEXT NOT NULL,
-    verifier_id  TEXT NOT NULL,
-    vote         TEXT NOT NULL,    -- 'upheld' | 'dismissed' | 'insufficient'
-    evidence_uri TEXT,
-    note         TEXT,
-    was_majority INTEGER,
-    voted_at     TEXT DEFAULT (datetime('now')),
-    UNIQUE(claim_id, verifier_id)
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_rcv_claim ON review_claim_votes(claim_id)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_rcv_verifier ON review_claim_votes(verifier_id)`);
-    // Sprint 2-B: 二手成色验证（针对 secondhand_items）
-    db.exec(`CREATE TABLE IF NOT EXISTS secondhand_claim_tasks (
-    id              TEXT PRIMARY KEY,
-    sh_item_id      TEXT NOT NULL,
-    seller_id       TEXT NOT NULL,    -- 二手卖家
-    claimant_id     TEXT NOT NULL,
-    claim_target    TEXT NOT NULL,    -- 'condition' | 'images' | 'description' | 'title' | 'price' | 'other'
-    claim_text      TEXT NOT NULL,
-    evidence_uri    TEXT,
-    stake_claimant  REAL NOT NULL,
-    deadline_at     TEXT NOT NULL,
-    status          TEXT NOT NULL DEFAULT 'open',
-    ruling          TEXT,
-    majority_vote   TEXT,
-    resolved_at     TEXT,
-    created_at      TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_sct_status ON secondhand_claim_tasks(status)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_sct_item ON secondhand_claim_tasks(sh_item_id)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_sct_seller ON secondhand_claim_tasks(seller_id)`);
-    db.exec(`CREATE TABLE IF NOT EXISTS secondhand_claim_votes (
-    id           TEXT PRIMARY KEY,
-    claim_id     TEXT NOT NULL,
-    verifier_id  TEXT NOT NULL,
-    vote         TEXT NOT NULL,
-    evidence_uri TEXT,
-    note         TEXT,
-    was_majority INTEGER,
-    voted_at     TEXT DEFAULT (datetime('now')),
-    UNIQUE(claim_id, verifier_id)
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_scv_claim ON secondhand_claim_votes(claim_id)`);
-    // Sprint 3-A: 拍卖声明（auctions）
-    // 任何非 seller 用户可对 active auction 的合理性发起验证
-    db.exec(`CREATE TABLE IF NOT EXISTS auction_claim_tasks (
-    id              TEXT PRIMARY KEY,
-    auction_id      TEXT NOT NULL,
-    seller_id       TEXT NOT NULL,
-    claimant_id     TEXT NOT NULL,
-    claim_target    TEXT NOT NULL,    -- 'unreasonable_reserve' | 'shill_bidding' | 'collusion' | 'fake_listing' | 'other'
-    claim_text      TEXT NOT NULL,
-    evidence_uri    TEXT,
-    stake_claimant  REAL NOT NULL,
-    deadline_at     TEXT NOT NULL,
-    status          TEXT NOT NULL DEFAULT 'open',
-    ruling          TEXT,
-    majority_vote   TEXT,
-    resolved_at     TEXT,
-    created_at      TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_act_status ON auction_claim_tasks(status)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_act_auction ON auction_claim_tasks(auction_id)`);
-    db.exec(`CREATE TABLE IF NOT EXISTS auction_claim_votes (
-    id           TEXT PRIMARY KEY,
-    claim_id     TEXT NOT NULL,
-    verifier_id  TEXT NOT NULL,
-    vote         TEXT NOT NULL,
-    evidence_uri TEXT,
-    note         TEXT,
-    was_majority INTEGER,
-    voted_at     TEXT DEFAULT (datetime('now')),
-    UNIQUE(claim_id, verifier_id)
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_acv_claim ON auction_claim_votes(claim_id)`);
-    // Sprint 3-B: 慈善许愿声明（wishes）
-    // 任何非 wisher 用户可对 wish 真实性发起验证
-    db.exec(`CREATE TABLE IF NOT EXISTS wish_claim_tasks (
-    id              TEXT PRIMARY KEY,
-    wish_id         TEXT NOT NULL,
-    wisher_id       TEXT NOT NULL,
-    claimant_id     TEXT NOT NULL,
-    claim_target    TEXT NOT NULL,    -- 'fake_identity' | 'fake_story' | 'already_fulfilled' | 'duplicate' | 'inappropriate' | 'other'
-    claim_text      TEXT NOT NULL,
-    evidence_uri    TEXT,
-    stake_claimant  REAL NOT NULL,
-    deadline_at     TEXT NOT NULL,
-    status          TEXT NOT NULL DEFAULT 'open',
-    ruling          TEXT,
-    majority_vote   TEXT,
-    resolved_at     TEXT,
-    created_at      TEXT DEFAULT (datetime('now'))
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_wct_status ON wish_claim_tasks(status)`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_wct_wish ON wish_claim_tasks(wish_id)`);
-    db.exec(`CREATE TABLE IF NOT EXISTS wish_claim_votes (
-    id           TEXT PRIMARY KEY,
-    claim_id     TEXT NOT NULL,
-    verifier_id  TEXT NOT NULL,
-    vote         TEXT NOT NULL,
-    evidence_uri TEXT,
-    note         TEXT,
-    was_majority INTEGER,
-    voted_at     TEXT DEFAULT (datetime('now')),
-    UNIQUE(claim_id, verifier_id)
-  )`);
-    db.exec(`CREATE INDEX IF NOT EXISTS idx_wcv_claim ON wish_claim_votes(claim_id)`);
+    // verifier 禁言 / 永封记录 → server-schema.ts
+    initClaimVerifierSuspensionsSchema(db);
+    // Sprint 1: 商品声明验证 → server-schema.ts
+    initProductClaimSchema(db);
+    // Sprint 2-A: 测评真实性验证 → server-schema.ts
+    initReviewClaimSchema(db);
+    // Sprint 2-B: 二手成色验证 → server-schema.ts
+    initSecondhandClaimSchema(db);
+    // Sprint 3-A: 拍卖声明 → server-schema.ts
+    initAuctionClaimSchema(db);
+    // Sprint 3-B: 慈善许愿声明 → server-schema.ts
+    initWishClaimSchema(db);
 }
 catch (e) {
     console.error('[M7.3 schema claim_verification]', e);
@@ -4603,24 +3253,23 @@ function computeAgentTrust(apiKey) {
         ? db.prepare(`SELECT COUNT(DISTINCT user_id) as n FROM registration_audit_log WHERE ip_hash = ?`).get(myReg.ip_hash).n
         : 0;
     const sameIpOthers = Math.max(0, sybilSize - 1); // 排除自己
-    // 双轨同支审计 / 上架限速命中
+    // 放置同支审计 / 上架限速命中
     const crossHits = db.prepare(`SELECT COUNT(*) as n FROM commission_audit_log WHERE buyer_id = ? OR seller_id = ?`).get(user.id, user.id).n;
     // 限速命中 — 简化：30 天内 429 状态码次数
     const ratelimitHits = db.prepare(`SELECT COUNT(*) as n FROM agent_call_log WHERE api_key = ? AND status_code = 429 AND created_at > datetime('now', '-30 days')`).get(apiKey).n;
-    // 公式
+    // 公式 — #420 P1-2:penalty 系数 / sybil 阈值 / 等级 cutoff 由 protocol_params 驱动(默认 = 原字面量)
+    const t = readAntiAbuseThresholds(db);
     const agePts = Math.min(ageDays, 90) * 0.5;
     const orderPts = Math.min(completedBuyer + completedSeller, 50) * 0.5;
     const sharePts = Math.min(shareConversions, 20) * 1.0;
     const diversityPts = Math.min(diversity, 25) * 0.4;
-    const disputeP = -disputeLoss * 10;
-    const sybilP = sybilSize > 3 ? -(sybilSize - 3) * 5 : 0;
-    const crossP = -crossHits * 3;
-    const ratelimitP = -ratelimitHits * 2;
+    const disputeP = -disputeLoss * t.trustDisputePenalty;
+    const sybilP = agentSybilPenalty(sybilSize, t);
+    const crossP = -crossHits * t.trustCrossPenalty;
+    const ratelimitP = -ratelimitHits * t.trustRatelimitPenalty;
     const raw = agePts + orderPts + sharePts + diversityPts + disputeP + sybilP + crossP + ratelimitP;
     const trust = Math.max(0, Math.round(raw * 100) / 100);
-    const level = trust >= 80 ? 'legend' :
-        trust >= 50 ? 'quality' :
-            trust >= 20 ? 'trusted' : 'new';
+    const level = agentTrustLevel(trust, t);
     const signals = {
         age_days: Math.round(ageDays * 10) / 10,
         completed_buyer: completedBuyer,
@@ -4672,7 +3321,7 @@ function antiCheatHash(input) {
         return 'unknown';
     return createHmac('sha256', MASTER_SEED).update('m3:' + input).digest('hex').slice(0, 24);
 }
-// 双轨同支检测：写入 commission_audit_log（监测+证据；不阻断）
+// 放置同支检测：写入 commission_audit_log（监测+证据；不阻断）
 function auditSponsorChainCross(orderId, buyerId, sellerId, buyerSponsorPath) {
     if (buyerId === sellerId)
         return;
@@ -4803,7 +3452,7 @@ function extractUrlFromText(text) {
     return m?.[0] ?? null;
 }
 // Agent-first 设计：粘贴外链匹配 **只允许精准匹配**，没有 LIKE 兜底。
-// 模糊匹配与外推荐留给未来独立的"模糊搜索"入口（参见 memory: WebAZ Search Philosophy）。
+// 模糊匹配与外推荐留给未来独立的"模糊搜索"入口（精准 trust，0 命中引导用户去 discover，不加 LIKE 兜底）。
 function searchByExternalLink(opts) {
     const cols = `p.id, p.title, p.description, p.price, p.stock, p.category, p.seller_id,
     p.specs, p.brand, p.model, p.handling_hours, p.return_days, p.warranty_days, p.ship_regions, p.fragile,
@@ -5021,19 +3670,8 @@ db.exec(`
     used_at    TEXT
   )
 `);
-db.exec(`
-  CREATE TABLE IF NOT EXISTS product_external_links (
-    id          TEXT PRIMARY KEY,
-    product_id  TEXT NOT NULL,
-    url         TEXT NOT NULL,
-    source      TEXT DEFAULT 'manual',
-    verified    INTEGER DEFAULT 0,
-    verify_note TEXT,
-    added_at    TEXT DEFAULT (datetime('now')),
-    verified_at TEXT,
-    UNIQUE(product_id, url)
-  )
-`);
+// 外部链接验证 base → server-schema.ts；ALTER/index/回填 IIFE 刻意留原位（紧跟下方）
+initProductExternalLinksBaseSchema(db);
 try {
     db.exec('ALTER TABLE product_external_links ADD COLUMN revoked INTEGER DEFAULT 0');
 }
@@ -5084,58 +3722,12 @@ catch { }
         console.error('[backfill failed]', e.message);
     }
 })();
-// link_challenges 保留用于向后兼容，新流程用 verify_tasks
-db.exec(`
-  CREATE TABLE IF NOT EXISTS link_challenges (
-    id          TEXT PRIMARY KEY,
-    product_id  TEXT NOT NULL,
-    url         TEXT NOT NULL,
-    code        TEXT NOT NULL,
-    status      TEXT DEFAULT 'pending',
-    created_at  TEXT DEFAULT (datetime('now')),
-    expires_at  TEXT NOT NULL,
-    verified_at TEXT
-  )
-`);
-db.exec(`
-  CREATE TABLE IF NOT EXISTS verify_tasks (
-    id                  TEXT PRIMARY KEY,
-    type                TEXT NOT NULL DEFAULT 'code_check',
-    product_id          TEXT NOT NULL,
-    url                 TEXT NOT NULL,
-    code                TEXT,
-    verifiers_needed    INTEGER NOT NULL DEFAULT 3,
-    reward_per_verifier REAL NOT NULL DEFAULT 0.1,
-    fee_locked          REAL NOT NULL DEFAULT 0,
-    status              TEXT NOT NULL DEFAULT 'open',
-    result              TEXT,
-    created_at          TEXT DEFAULT (datetime('now')),
-    expires_at          TEXT NOT NULL,
-    settled_at          TEXT
-  )
-`);
-db.exec(`
-  CREATE TABLE IF NOT EXISTS verify_submissions (
-    id           TEXT PRIMARY KEY,
-    task_id      TEXT NOT NULL,
-    verifier_id  TEXT NOT NULL,
-    submission   TEXT,
-    verdict      TEXT,
-    claimed_at   TEXT DEFAULT (datetime('now')),
-    submitted_at TEXT,
-    UNIQUE(task_id, verifier_id)
-  )
-`);
-db.exec(`
-  CREATE TABLE IF NOT EXISTS verifier_stats (
-    user_id       TEXT PRIMARY KEY,
-    verify_rights INTEGER NOT NULL DEFAULT 3,
-    tasks_done    INTEGER NOT NULL DEFAULT 0,
-    tasks_correct INTEGER NOT NULL DEFAULT 0,
-    tasks_wrong   INTEGER NOT NULL DEFAULT 0,
-    suspended_until TEXT
-  )
-`);
+// link_challenges 保留用于向后兼容，新流程用 verify_tasks → server-schema.ts
+initLinkChallengesSchema(db);
+initVerifyTasksSchema(db);
+initVerifySubmissionsSchema(db);
+// verifier_stats 须在 PERMANENT_ACCOUNTS bootstrap 之前完成 → server-schema.ts
+initVerifierStatsSchema(db);
 (() => {
     for (const acc of PERMANENT_ACCOUNTS) {
         const apiKey = 'key_perm_' + createHmac('sha256', MASTER_SEED).update(acc.seed).digest('hex');
@@ -5181,6 +3773,9 @@ const app = express();
 // — 防伪造（开发：直连 ::1/127 → req.ip 返回 socket IP；生产：信任同机/同 VPC 内的反代）
 // — 部署在 Cloudflare/nginx 后面时若不在同 VPC，需改为 ['cloudflare-cidr', ...] 或具体 IP 列表，绝不要写 true
 app.set('trust proxy', 'loopback, linklocal, uniquelocal');
+// Cloudflare-only origin guard (defense-in-depth vs direct-to-origin bypass). OFF by default;
+// configured via CF_ORIGIN_GUARD_MODE (off|observe|enforce) + CF_ORIGIN_SHARED_SECRET — see cf-origin-guard.ts.
+app.use(createCfOriginGuard());
 app.use(express.json());
 // ─── Security headers (CSP + nosniff + frame-options) ─────────
 // 注意：现有代码大量使用 inline onclick="..." / style="..."，无法启用纯净 CSP
@@ -5296,32 +3891,23 @@ function invalidateAgentRiskCacheForUser(userId) {
 function issueAgentStrike(opts) {
     const { apiKey, userId, reasonCode } = opts;
     const initial = opts.initialSeverity || 'warning';
+    // #420 P1-4:升级阶梯阈值/窗口/过期 由 protocol_params 驱动(默认 = 原 7d/30d/≥1/≥2/24h/7d)
+    const t = readAntiAbuseThresholds(db);
     // 看是否需要升级
     const warnings7d = db.prepare(`SELECT COUNT(*) as n FROM agent_strikes
-    WHERE api_key = ? AND severity = 'warning' AND issued_at > datetime('now', '-7 days')
+    WHERE api_key = ? AND severity = 'warning' AND issued_at > datetime('now', '-${t.strikeWarnWindowDays} days')
       AND appeal_status NOT IN ('approved')`).get(apiKey).n;
     const suspends30d = db.prepare(`SELECT COUNT(*) as n FROM agent_strikes
-    WHERE api_key = ? AND severity = 'suspend_7d' AND issued_at > datetime('now', '-30 days')
+    WHERE api_key = ? AND severity = 'suspend_7d' AND issued_at > datetime('now', '-${t.strikeSuspendWindowDays} days')
       AND appeal_status NOT IN ('approved')`).get(apiKey).n;
-    let severity = initial;
-    let escalated = false;
-    if (initial === 'warning' && warnings7d >= 1) { // 已有 1 次 warning + 本次新 warning = 累计 2 → 升 suspend
-        severity = 'suspend_7d';
-        escalated = true;
-    }
-    if (initial === 'suspend_7d' || severity === 'suspend_7d') {
-        if (suspends30d >= 2) { // 已有 2 次 suspend + 本次 = 3 → 升 permanent
-            severity = 'permanent';
-            escalated = true;
-        }
-    }
+    const { severity, escalated } = agentStrikeSeverity(initial, warnings7d, suspends30d, t);
     // expires_at
     let expiresAt = null;
     if (severity === 'warning') {
-        expiresAt = new Date(Date.now() + 24 * 3600_000).toISOString().replace('T', ' ').slice(0, 19);
+        expiresAt = new Date(Date.now() + t.strikeWarnExpiryHours * 3600_000).toISOString().replace('T', ' ').slice(0, 19);
     }
     else if (severity === 'suspend_7d') {
-        expiresAt = new Date(Date.now() + 7 * 86400_000).toISOString().replace('T', ' ').slice(0, 19);
+        expiresAt = new Date(Date.now() + t.strikeSuspendExpiryDays * 86400_000).toISOString().replace('T', ' ').slice(0, 19);
     }
     db.prepare(`INSERT INTO agent_strikes (api_key, user_id, severity, reason_code, reason_detail, reported_by, related_ref, expires_at)
     VALUES (?,?,?,?,?,?,?,?)`).run(apiKey, userId, severity, reasonCode, opts.reasonDetail || null, opts.reportedBy || 'system', opts.relatedRef || null, expiresAt);
@@ -5854,8 +4440,6 @@ registerAuthRegisterRoutes(app, {
     clientIpHash, clientUaHash,
     get VALID_REGIONS() { return VALID_REGIONS; },
     pickPreferredSide, joinPowerLeg,
-    get INVITE_ROTATION_HANDLES() { return INVITE_ROTATION_HANDLES; },
-    inviteRotationLookup,
     // 邮箱验证优先注册 — issueCode/findActiveCode 是 hoisted 函数声明、isVerificationEmailReady/
     // emailDeliveryNotConfigured 是 import,均可在此安全引用;CODE_TTL_MIN/MAX_CODE_ATTEMPTS 是后置 const,
     // 走 getter 延迟读避免 TDZ。
@@ -5894,6 +4478,21 @@ registerTaskProposalsRoutes(app, {
     db, errorRes,
     requireSupportAdmin: (req, res) => requireAdminPermission(req, res, 'support'),
     rateLimitOk: (key) => proposalRateLimiter(key),
+    auth, // required auth for proposer-facing /api/me/task-proposals
+    resolveUser: (req) => getUser(req), // optional resolver — links a submission to the logged-in submitter
+});
+// PR #18 — build_task create quota-increase requests(requester submit + ROOT-only review/approve/reject/revoke)
+registerBuildTaskQuotaRoutes(app, {
+    db, errorRes, auth,
+    requireRootAdmin: (req, res) => requireRootAdmin(req, res),
+});
+// Phase 2 — admin operator-claim workflow: link an admin SEAT → a real contributor account
+// (propose → confirm → approve → revoke/supersede). Claim workflow only; writes NO contribution_facts.
+registerAdminOperatorClaimRoutes(app, {
+    db, errorRes, auth,
+    requireAdmin: (req, res) => requireAdmin(req, res),
+    requireRootAdmin: (req, res) => requireRootAdmin(req, res),
+    consumeGateToken, // unlink REQUEST requires a fresh passkey gate (purpose 'operator_claim_unlink')
 });
 // RFC-006 Gap 2:贡献者自查看板(build_reputation 独立池)
 registerBuildReputationRoutes(app, { db, auth });
@@ -5908,6 +4507,10 @@ registerContributionIdentityRoutes(app, {
 // PR5F — Contribution Score v1 evidence READ surface (logged-in self-view; read-only, no score).
 // Returns the caller's OWN component evidence wrapped in the PR5A uncommitted-value boundary.
 registerContributionScoreRoutes(app, { auth, errorRes });
+// Contribution read-out V1 — the caller's OWN attributable facts (GitHub + admin coordination), grouped
+// by source, read-only, wrapped in the uncommitted-value boundary. Attribution is read-time (GitHub
+// binding overlay + operator-claim as-of); writes nothing, no reward/payout.
+registerContributionFactsRoutes(app, { db, auth, errorRes });
 // #1013 Phase 48: 3 auth/sessions endpoints 已迁出到 routes/auth-sessions.ts
 registerAuthSessionsRoutes(app, { db, auth, verifyPassword, recordSession, generateSecureKey });
 // 个人资料：查看 API Key + 联系方式
@@ -5956,8 +4559,8 @@ registerAgentGovernanceRoutes(app, {
     // 监护人指纹：HMAC(MASTER_SEED) over owner id — 可追溯(协议持 seed)不暴露身份
     custodianFingerprint: (ownerId) => createHmac('sha256', MASTER_SEED).update('custodian:' + ownerId).digest('hex').slice(0, 16),
     // Phase 4 护照签名：用协议热钱包私钥签(eip191),issuer 地址 = DID 锚点,任何人 ecrecover 可验(闭包→调用时求值,晚于热钱包初始化)
-    signPassport: (message) => privateKeyToAccount(derivePrivKey('platform-hot-wallet')).signMessage({ message }),
-    issuerAddress: () => privateKeyToAddress(derivePrivKey('platform-hot-wallet')),
+    signPassport: (message) => walletSigner.issuerSignMessage(message),
+    issuerAddress: () => walletSigner.issuerAddress(),
 });
 // ─── 2026-05-22 COP 飞轮 + COP P0-1 数据导出 ─────────────
 // #1013 Phase 39: 2 endpoints (note-prompts + export) 已迁出到 routes/me-data.ts
@@ -6623,60 +5226,9 @@ registerAdminTokenomicsRoutes(app, {
     logAdminAction,
 });
 // system-flags — Phase 107 已迁出
-// 邀请码轮询 — "issued + registered 自纠偏"模型
-const INVITE_ROTATION_HANDLES = ['xiaohua', 'mian', 'holden', 'jiayi', 'qingliang'];
-const INVITE_REBALANCE_THRESHOLD = 5; // max_reg - min_reg ≥ 5 → 进入补齐模式
-function readInviteStats() {
-    return db.prepare("SELECT slot, issued_count as issued, registered_count as registered FROM invite_rotation_stats ORDER BY slot")
-        .all();
-}
-function inviteRotationLookup(handleIdx) {
-    const handle = INVITE_ROTATION_HANDLES[handleIdx];
-    const u = db.prepare("SELECT id, permanent_code, handle, name FROM users WHERE handle = ?").get(handle);
-    if (!u?.permanent_code)
-        return null;
-    return { id: u.id, code: u.permanent_code, handle: u.handle, name: u.name };
-}
-// 派号：取 (registered 不均衡 ? min_registered : min_issued)；同值取低 slot
-function pickInviteSlot(stats) {
-    const regs = stats.map(s => s.registered);
-    const maxReg = Math.max(...regs), minReg = Math.min(...regs);
-    const useReg = (maxReg - minReg) >= INVITE_REBALANCE_THRESHOLD;
-    const key = useReg ? 'registered' : 'issued';
-    const minVal = useReg ? minReg : Math.min(...stats.map(s => s.issued));
-    for (const s of stats) {
-        if (s[key] === minVal)
-            return s.slot;
-    }
-    return 0;
-}
-// 派号 + issued++ 包在 transaction（better-sqlite3 同步顺序执行）
-const issueInviteSlot = db.transaction(() => {
-    const stats = readInviteStats();
-    const slot = pickInviteSlot(stats);
-    db.prepare("UPDATE invite_rotation_stats SET issued_count = issued_count + 1 WHERE slot = ?").run(slot);
-    return slot;
-});
 // #1013 Phase 73: GET /api/reviews/recent 已迁出（claim 2 端点也由同模块注册，定义在下游）
-// B-4: 编辑精选 / 每周推荐
-db.exec(`
-  CREATE TABLE IF NOT EXISTS editor_picks (
-    id          TEXT PRIMARY KEY,
-    kind        TEXT NOT NULL,     -- 'product' | 'seller'
-    target_id   TEXT NOT NULL,
-    title       TEXT,              -- 编辑推荐语
-    note        TEXT,
-    starts_at   TEXT NOT NULL,
-    ends_at     TEXT NOT NULL,
-    sort_order  INTEGER DEFAULT 0,
-    created_by  TEXT,
-    created_at  TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_ep_active ON editor_picks(kind, ends_at, sort_order)');
-}
-catch { }
+// B-4: 编辑精选 / 每周推荐 → server-schema.ts
+initEditorPicksSchema(db);
 // editor-picks 公开 — Phase 107 已迁出
 // #1013 Phase 66: 3 admin/editor-picks endpoints 已迁出
 registerAdminEditorPicksRoutes(app, {
@@ -6738,25 +5290,8 @@ registerAdminOpsRoutes(app, {
 });
 // AI 2 endpoints — Phase 100 已迁出
 registerAiRoutes(app, { db, auth, anthropic });
-// D-3: KYC light — 实名认证（轻度，不存原始证件号）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS kyc_records (
-    user_id        TEXT PRIMARY KEY,
-    real_name      TEXT NOT NULL,
-    id_type        TEXT NOT NULL,            -- 'passport' | 'national_id' | 'driver_license'
-    id_number_hash TEXT NOT NULL,            -- sha256(id_number + MASTER_SEED)
-    id_number_last4 TEXT,                    -- 末 4 位明文（便于核对）
-    status         TEXT NOT NULL DEFAULT 'pending',  -- pending / approved / rejected
-    reject_reason  TEXT,
-    reviewed_by    TEXT,
-    reviewed_at    TEXT,
-    submitted_at   TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_kyc_status ON kyc_records(status, submitted_at)');
-}
-catch { }
+// D-3: KYC light — 实名认证（轻度，不存原始证件号）→ server-schema.ts
+initKycRecordsSchema(db);
 // KYC 2 endpoints — Phase 97 已迁出
 registerKycRoutes(app, { db, auth, MASTER_SEED });
 // #1013 Phase 68: 6 admin/kyc+risk endpoints 已迁出
@@ -6766,11 +5301,9 @@ registerAdminModerationRoutes(app, {
     authFailures, INTERNAL_AUDITOR_ID, broadcastSystemEvent,
     logAdminAction,
 });
-// 邀请码 3 endpoints — Phase 98 已迁出
+// 邀请 endpoints — Phase 98 已迁出
 registerReferralRoutes(app, {
     db, auth,
-    requireProtocolAdmin: (req, res) => requireAdminPermission(req, res, 'protocol'),
-    logAdminAction, issueInviteSlot, inviteRotationLookup,
 });
 // 推土机权限：是否允许作为 sponsor 拿分享佣金
 // 默认：必须有 ≥ 1 笔 completed 订单（verified buyer）才能 sponsor
@@ -6833,7 +5366,7 @@ registerAdminReportsRoutes(app, {
     requireArbitrationAdmin: (req, res) => requireAdminPermission(req, res, 'arbitration'),
     requireProtocolAdmin: (req, res) => requireAdminPermission(req, res, 'protocol'),
 });
-// ─── 原子能轨道（Phase 2）：双轨树挂靠 ───────────────────────
+// ─── 放置树挂靠(中性参与记录:position + 每腿 PV 累计) ───────────────────────
 const PV_PROPAGATION_DEPTH_LIMIT = 5000; // PV 累积深度上限（admin 可调，存 system_state 之后）
 // (2026-06-04 移除 countSubtreeUsers — 旧实现只数单条脊链, 名实不符;
 //  team_count 改读增量维护的 users.left_count/right_count, 见 pickPreferredSide + joinPowerLeg)
@@ -6907,12 +5440,15 @@ function joinPowerLeg(inviterId, side, newUserId) {
 // ─── 原子能 Cron 结算引擎 ─────────────────────────────────────
 // Step 1: 处理 pv_ledger → 累积到上线 total_left/right_pv（最多 5000 层）
 function processPvLedger() {
+    // Category C: 纯聚合(pv_ledger → total_left/right_pv 计数,不产生 score/WAZ/权益)= 参与记录 → 默认 ON。
+    if (!participationRecordingActive(db))
+        return 0;
     const pending = db.prepare(`SELECT * FROM pv_ledger WHERE processed = 0 ORDER BY created_at ASC LIMIT 1000`).all();
     for (const lg of pending) {
         try {
             const buyer = db.prepare("SELECT placement_id, placement_side, placement_path FROM users WHERE id = ?").get(lg.buyer_id);
             if (!buyer?.placement_id || !buyer.placement_side) {
-                // buyer 不在双轨树（无 placement）→ 流水跳过但标 processed
+                // buyer 不在放置树（无 placement）→ 流水跳过但标 processed
                 db.prepare("UPDATE pv_ledger SET processed = 1 WHERE id = ?").run(lg.id);
                 continue;
             }
@@ -6957,258 +5493,17 @@ function processPvLedger() {
     }
     return pending.length;
 }
-export function calculate7LevelTaperingScore(leftPv, rightPv, tiersDescByThreshold) {
-    const minPv = Math.min(leftPv, rightPv);
-    if (minPv <= 0)
-        return null;
-    for (const t of tiersDescByThreshold) {
-        if (minPv >= t.pv_threshold) {
-            return {
-                tier: t.tier,
-                score: t.score_per_hit,
-                consumedLeft: leftPv,
-                consumedRight: rightPv,
-            };
-        }
-    }
-    return null; // 不达最低档（< 300 PV）→ PV 保留滚动到下一期
-}
-// Step 2: 对碰结算 — 单次匹配 + 双侧全清
-function runBinarySettlement() {
-    const tiers = db.prepare("SELECT tier, pv_threshold, base_score, discount_coef, score_per_hit FROM binary_tier_config WHERE active = 1 ORDER BY pv_threshold DESC").all();
-    if (tiers.length === 0)
-        return 0;
-    const SINGLE_USER_PERIOD_CAP = 1500; // paranoia 上限（实际上 single-match 已天然限速）
-    const dirty = db.prepare(`SELECT id, total_left_pv, total_right_pv FROM users WHERE pv_dirty_at IS NOT NULL`).all();
-    let settled = 0;
-    const now = new Date().toISOString();
-    const periodStart = new Date(Date.now() - 7 * 86400_000).toISOString();
-    for (const u of dirty) {
-        // 注：对碰【分数照常计算累积】，不在此 gate region。PV 经济闸在【兑付】层
-        // （score → WAZ 时按 region pv_enabled 决定是否真实发放；未开启则分数挂账，
-        //  待辖区开启 / 用户迁移到可用辖区再兑现）。2026-06-04 解耦设计。
-        // 周期内已得 Score（paranoia 封顶）
-        const weekScore = db.prepare(`SELECT COALESCE(SUM(score),0) as s FROM binary_score_records WHERE user_id = ? AND created_at > ?`).get(u.id, periodStart).s;
-        if (weekScore >= SINGLE_USER_PERIOD_CAP) {
-            db.prepare("UPDATE users SET pv_dirty_at = NULL WHERE id = ?").run(u.id);
-            continue;
-        }
-        const match = calculate7LevelTaperingScore(u.total_left_pv, u.total_right_pv, tiers);
-        if (!match) {
-            // 不达最低档 → PV 保留滚动到下一期；只清 dirty 标记
-            db.prepare("UPDATE users SET pv_dirty_at = NULL WHERE id = ?").run(u.id);
-            continue;
-        }
-        // 命中 → 记 score + 双侧全清（含溢出归零，按 spec "对碰完成后双侧清零"）
-        db.prepare(`INSERT INTO binary_score_records (id, user_id, tier, score, consumed_left_pv, consumed_right_pv, period_start, period_end)
-                VALUES (?,?,?,?,?,?,?,?)`)
-            .run(generateId('bsr'), u.id, match.tier, match.score, match.consumedLeft, match.consumedRight, periodStart, now);
-        db.prepare(`UPDATE global_fund SET total_scores_pending = total_scores_pending + ? WHERE id = 1`).run(match.score);
-        db.prepare("UPDATE users SET total_left_pv = 0, total_right_pv = 0, pv_dirty_at = NULL WHERE id = ?").run(u.id);
-        settled++;
-    }
-    return settled;
-}
-// 管理津贴比例（大博主的 L1/L2/L3 对碰获利时，博主额外得 10/5/2%）
-const MGMT_BONUS_RATES = [0.10, 0.05, 0.02];
-function executeSafeSettlementCron() {
-    const result = { periodId: '', status: 'noop' };
-    const txn = db.transaction(() => {
-        // 1. 快照基金池余额
-        const fund = db.prepare("SELECT pool_balance FROM global_fund WHERE id = 1").get();
-        const fundBalanceStart = Math.round(Number(fund?.pool_balance ?? 0) * 100) / 100;
-        if (fundBalanceStart <= 0) {
-            result.status = 'empty_pool';
-            return;
-        }
-        // 2. 全网当期 pending Score 汇总
-        // 2026-06-04 解耦：PV 隐藏不关闭 —— 分数照常计算累积。兑付层按 earner【当前 region】
-        // 的 pv_enabled 过滤：未开启的 earner 分数【保留 pending（不入本期分配、不稀释合格者单价）】，
-        // 待辖区开启 / 用户迁移到可用辖区，下期自动兑现。挂账的钱按实际发放扣减(见步骤7)自然留池。
-        const allPending = db.prepare(`SELECT id, user_id, score FROM binary_score_records WHERE settled_at IS NULL`).all();
-        const pending = allPending.filter(r => {
-            const reg = db.prepare("SELECT region FROM users WHERE id = ?").get(r.user_id)?.region || 'global';
-            return regionPvEnabled(reg);
-        });
-        if (pending.length === 0) {
-            result.status = 'no_pending';
-            return;
-        }
-        const totalScores = pending.reduce((s, r) => s + Number(r.score), 0);
-        if (totalScores <= 0) {
-            result.status = 'no_pending';
-            return;
-        }
-        // 3. 4 周历史均值（settlement_periods 中近 28 天 completed 行的 deposited 均值）
-        const histRow = db.prepare(`
-      SELECT AVG(deposited_this_period) as avg_dep
-      FROM settlement_periods
-      WHERE status = 'completed' AND started_at > datetime('now', '-28 days')
-    `).get();
-        const historyAverage = Math.round(Number(histRow?.avg_dep ?? 0) * 100) / 100;
-        // 3.5. R11 风控：基金池水位硬停（防挤兑）
-        // - 相对底线：池子 < 历史均值的 20% → 硬停（已稳定运行后保护机制）
-        // - 绝对底线：池子 < 100 WAZ → 硬停（冷启动期 / 极端情况保护）
-        // 触发时写一条 paused 周期日志（审计透明，便于 admin 监控 + 用户解释）
-        const POOL_FLOOR_RATIO = 0.2;
-        const POOL_FLOOR_ABSOLUTE = 100;
-        let pauseReason = null;
-        if (fundBalanceStart < POOL_FLOOR_ABSOLUTE) {
-            pauseReason = `pool_balance ${fundBalanceStart} < absolute floor ${POOL_FLOOR_ABSOLUTE}`;
-        }
-        else if (historyAverage > 0 && fundBalanceStart < historyAverage * POOL_FLOOR_RATIO) {
-            pauseReason = `pool_balance ${fundBalanceStart} < ${POOL_FLOOR_RATIO * 100}% of hist avg ${historyAverage}`;
-        }
-        if (pauseReason) {
-            const periodId = generateId('sp');
-            db.prepare(`INSERT INTO settlement_periods (
-                    period_id, started_at, completed_at, fund_balance_start,
-                    history_average, total_scores, status, note
-                  ) VALUES (?, datetime('now'), datetime('now'), ?, ?, ?, 'paused_low_water', ?)`)
-                .run(periodId, fundBalanceStart, historyAverage, totalScores, pauseReason);
-            Object.assign(result, {
-                periodId, status: 'paused_low_water',
-                fund_balance_start: fundBalanceStart, history_average: historyAverage,
-                total_scores: totalScores, pause_reason: pauseReason,
-            });
-            return;
-        }
-        // 4. 动态拨出率（30% / 50% / 70%）
-        let payoutRate = 0.5;
-        if (historyAverage > 0) {
-            if (fundBalanceStart > historyAverage * 2)
-                payoutRate = 0.7; // 蓄水池极度健康
-            else if (fundBalanceStart < historyAverage * 0.5)
-                payoutRate = 0.3; // 水位见底保护
-        }
-        // 冷启动（无历史）默认 0.5
-        const poolToDistribute = Math.round(fundBalanceStart * payoutRate * 100) / 100;
-        const nValueCash = poolToDistribute / totalScores;
-        // V3 动态分配率：score_per_hit 已经 = 元，cap 是"票面比例"
-        // 池子健康度 = pool / hist_avg
-        //   ≥ 2.0  → cap 1.6 (奖励早期用户，多发 60%)
-        //   1.0-2.0 → cap 1.0-1.6 线性插值
-        //   < 1.0  → cap 1.0 (保底拿满票面)
-        // 冷启动期（hist=0）默认 1.0
-        let distributionCap = 1.0;
-        if (historyAverage > 0) {
-            const healthRatio = fundBalanceStart / historyAverage;
-            distributionCap = Math.max(1.0, Math.min(1.6, healthRatio));
-        }
-        const effectiveUnitCash = Math.min(nValueCash, distributionCap);
-        // 5. 本期入池额（用于下次的历史均值数据源）
-        const lastPeriodEnd = db.prepare(`SELECT MAX(started_at) as t FROM settlement_periods WHERE status = 'completed'`).get().t;
-        const depositedThisPeriod = Number(db.prepare(lastPeriodEnd
-            ? `SELECT COALESCE(SUM(amount_base + amount_l3), 0) as s FROM fund_deposits WHERE deposited_at > ?`
-            : `SELECT COALESCE(SUM(amount_base + amount_l3), 0) as s FROM fund_deposits`).get(...(lastPeriodEnd ? [lastPeriodEnd] : [])).s);
-        // 6. 派发（按 effectiveUnitCash 计算每用户 cash，等额 WAZ 入钱包）
-        let cashDistributed = 0;
-        let bonusPaid = 0;
-        let settledUsers = 0;
-        const mgmtEnabled = db.prepare("SELECT value FROM system_state WHERE key = 'mgmt_bonus_enabled'").get()?.value === '1';
-        for (const r of pending) {
-            const cashDue = Math.round(Number(r.score) * effectiveUnitCash * 100) / 100;
-            if (cashDue <= 0) {
-                db.prepare("UPDATE binary_score_records SET settled_at = datetime('now'), waz_amount = 0 WHERE id = ?").run(r.id);
-                continue;
-            }
-            // V1：1 WAZ = 1 元（场景 B 杠杆延后）
-            const wazAmount = cashDue;
-            // RFC-002 §3.5 PV-pair opt-in gate (PR-1c-b) — symmetric to settleCommission L1/L2/L3 gate
-            //   opted-in        → normal wallet credit
-            //   opted-out + 'deactivate' → 不发放，waz 留在 PV 资金池（forfeit，非慈善）
-            //   opted-out + other → escrow（pv_pair），金额从 pool 移入 pv_escrow_reserve（#1106 隔离负债）
-            // 2026-06-04 修双计 bug：deactivate 旧版 redirectToCharity 新增慈善余额，但 waz 因不计入
-            //   cashDistributed 已留在 pool → 钱印了两份。现 deactivate 仅标记 settled，钱留 PV 资金池。
-            const optIn = db.prepare("SELECT rewards_opted_in FROM users WHERE id = ?").get(r.user_id)?.rewards_opted_in ?? 0;
-            if (optIn !== 1) {
-                const lastAction = db.prepare("SELECT action FROM rewards_applications WHERE user_id = ? ORDER BY created_at DESC LIMIT 1").get(r.user_id)?.action;
-                const isEscrow = lastAction !== 'deactivate';
-                db.transaction(() => {
-                    if (isEscrow) {
-                        // never_activated / auto_downgrade → escrow（pv_pair）。
-                        // #1106：把 waz 从可分配池移入 pv_escrow_reserve（隔离负债），避免后续周期把这笔预留发给别人、
-                        // 到兑付时池里没钱却仍给钱包加钱（凭空印钱）。兑付从 reserve 出、到期退回 pool。
-                        const escrowDays = Number(db.prepare("SELECT value FROM protocol_params WHERE key = 'rewards_opt_in.escrow_days'").get()?.value ?? 30);
-                        const nowMs = Date.now();
-                        db.prepare(`INSERT INTO pending_commission_escrow (recipient_user_id, order_id, amount, attribution_path, status, created_at, expires_at) VALUES (?, NULL, ?, 'pv_pair', 'pending', ?, ?)`)
-                            .run(r.user_id, wazAmount, nowMs, nowMs + escrowDays * 86400 * 1000);
-                        db.prepare("UPDATE global_fund SET pv_escrow_reserve = pv_escrow_reserve + ? WHERE id = 1").run(wazAmount);
-                    }
-                    // deactivate：什么都不转，waz 自然留在 pool（cashRetained）
-                    db.prepare("UPDATE binary_score_records SET settled_at = datetime('now'), waz_amount = 0 WHERE id = ?").run(r.id);
-                })();
-                // escrow 分支：计入 cashDistributed → 末尾 cashRetained 会把这笔从 pool 扣掉（已移入 reserve）。
-                // deactivate 分支：不计入 → 留在 pool。
-                if (isEscrow)
-                    cashDistributed += cashDue;
-                // Do NOT credit wallet, lifetime_score, or count as settledUser — opt-out path
-                continue;
-            }
-            db.prepare("UPDATE wallets SET balance = balance + ?, earned = earned + ? WHERE user_id = ?").run(wazAmount, wazAmount, r.user_id);
-            db.prepare("UPDATE binary_score_records SET settled_at = datetime('now'), waz_amount = ? WHERE id = ?").run(wazAmount, r.id);
-            // V3 用户成长等级：累加 lifetime_score（实际兑现的 WAZ 金额，不是 pending score）
-            db.prepare("UPDATE users SET lifetime_score = COALESCE(lifetime_score, 0) + ? WHERE id = ?").run(wazAmount, r.user_id);
-            cashDistributed += cashDue;
-            settledUsers++;
-            // 管理津贴（默认关闭；仅 mgmt_bonus_enabled='1' 且 ancestor mgmt_bonus_eligible=1 时发）
-            if (!mgmtEnabled)
-                continue;
-            try {
-                const sp = db.prepare("SELECT sponsor_path FROM users WHERE id = ?").get(r.user_id);
-                const ancestors = sp?.sponsor_path ? sp.sponsor_path.split('>').reverse().slice(0, 3) : [];
-                for (let i = 0; i < ancestors.length; i++) {
-                    const elig = db.prepare("SELECT mgmt_bonus_eligible FROM users WHERE id = ?").get(ancestors[i]);
-                    if (!elig?.mgmt_bonus_eligible)
-                        continue;
-                    const bonus = Math.round(wazAmount * MGMT_BONUS_RATES[i] * 100) / 100;
-                    if (bonus <= 0)
-                        continue;
-                    const pool = db.prepare("SELECT balance FROM management_bonus_pool WHERE id=1").get();
-                    if (pool.balance < bonus)
-                        continue;
-                    db.prepare("UPDATE management_bonus_pool SET balance = balance - ? WHERE id=1").run(bonus);
-                    db.prepare("UPDATE wallets SET balance = balance + ?, earned = earned + ? WHERE user_id = ?").run(bonus, bonus, ancestors[i]);
-                    bonusPaid += bonus;
-                }
-            }
-            catch (e) {
-                console.error('[mgmt bonus]', e);
-            }
-        }
-        cashDistributed = Math.round(cashDistributed * 100) / 100;
-        // 7. 沉淀剩余（pool - distributed = surplus 留在基金池，下期使用）
-        const cashRetained = Math.round((fundBalanceStart - cashDistributed) * 100) / 100;
-        db.prepare("UPDATE global_fund SET pool_balance = ?, total_scores_pending = 0, current_n = ?, last_settled_at = datetime('now') WHERE id = 1")
-            .run(cashRetained, effectiveUnitCash);
-        // 8. 周期日志（幂等保障 + 4 周历史源 + 审计）
-        const periodId = generateId('sp');
-        db.prepare(`INSERT INTO settlement_periods (
-                  period_id, started_at, completed_at, fund_balance_start, deposited_this_period,
-                  history_average, payout_rate, pool_to_distribute, total_scores, n_value_cash,
-                  effective_unit_cash, cash_distributed, cash_retained, settled_users, status
-                ) VALUES (?, datetime('now'), datetime('now'), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'completed')`)
-            .run(periodId, fundBalanceStart, depositedThisPeriod, historyAverage, payoutRate, poolToDistribute, totalScores, nValueCash, effectiveUnitCash, cashDistributed, cashRetained, settledUsers);
-        Object.assign(result, {
-            periodId, status: 'completed',
-            fund_balance_start: fundBalanceStart, history_average: historyAverage,
-            payout_rate: payoutRate, pool_to_distribute: poolToDistribute,
-            total_scores: totalScores, n_value_cash: Math.round(nValueCash * 100) / 100,
-            effective_unit_cash: Math.round(effectiveUnitCash * 100) / 100,
-            cash_distributed: cashDistributed, cash_retained: cashRetained,
-            settled_users: settledUsers, mgmt_bonus_paid: Math.round(bonusPaid * 100) / 100,
-        });
-    });
-    try {
-        txn();
-    }
-    catch (e) {
-        console.error('[safeSettlement]', e);
-        result.status = 'failed';
-    }
-    return result;
-}
-// 启动定时任务（每 1h 处理 ledger + settle；每 24h 安全阀结算）
+// ─── 匹配奖励结算引擎(Category C)— 已切除 / EXCISED ───────────────────────────
+// 匹配奖励结算 + 兑付 = REWARD 路径,已从公开代码切除:internal/pv-settlement.ts
+// 现为永久 no-op stub(runBinarySettlement → 0;executeSafeSettlementCron → disabled,无视 kill-switch)。
+// 比门控更强 —— 即便翻 matching_rewards_active='1',公开代码也无引擎可跑、不会兑付。完整引擎归档在
+// docs/modules/pv-settlement-engine.INTERNAL.md(gitignored)+ git 历史;重启需律师/治理放行 + 重接,非翻 flag。
+// 留在本文件的中性【参与记录】(默认 ON,不受影响):joinPowerLeg(放置树)/ processPvLedger(PV 聚合)/ calculatePv。
+// 注:工厂签名不变,下游 1h/24h cron 调用点零改动(stub 安全返回)。regionPvEnabled 为函数声明(hoisted)。
+const { runBinarySettlement, executeSafeSettlementCron } = createPvSettlementEngine({ db, generateId, regionPvEnabled });
+// 启动定时任务（每 1h 处理 ledger + settle；每 24h 兑付结算）
+// Category C:1h cron 混了【参与记录】(processPvLedger,默认 ON)+【奖励】(runBinarySettlement,默认 OFF) —
+// 不加外层守卫,各函数自门控(recording vs rewards)。24h 兑付是纯 REWARD → 外层 matchingRewardsActive 守卫。
 setInterval(() => {
     try {
         processPvLedger();
@@ -7224,6 +5519,8 @@ setInterval(() => {
     }
 }, 60 * 60_000);
 setInterval(() => {
+    if (!matchingRewardsActive(db))
+        return;
     try {
         const r = executeSafeSettlementCron();
         if (r.status === 'completed') {
@@ -7275,7 +5572,7 @@ registerProfilePlacementRoutes(app, {
 // shares/dashboard — Phase 110 已迁出
 // ─── 推土机轨道：推广统计端点 ─────────────────────────────────
 // #1013 Phase 77: 2 promoter endpoints 已迁出
-registerPromoterRoutes(app, { db, auth, isAllowedSponsor });
+registerPromoterRoutes(app, { db, auth, isAllowedSponsor, participationRecordingActive: () => participationRecordingActive(db), matchingRewardsActive: () => matchingRewardsActive(db) });
 // ─── 成长任务（分享达人养成主线）─────────────────────────────
 // #1013 Phase 30: 4 endpoints + catalog + evaluator 已迁出到 routes/growth.ts
 registerGrowthRoutes(app, { db, auth });
@@ -7732,8 +6029,8 @@ registerOrdersCreateRoutes(app, {
     getProductShareChain, isAllowedSponsor, checkStockAndMaybeDelist, auditSponsorChainCross,
     appendOrderEvent, transition, notifyTransition, shouldAutoAccept, ensureCharityRep,
     broadcastSystemEvent, resolveInviteCodeRef,
-    signPassport: (message) => privateKeyToAccount(derivePrivKey('platform-hot-wallet')).signMessage({ message }),
-    issuerAddress: () => privateKeyToAddress(derivePrivKey('platform-hot-wallet')),
+    signPassport: (message) => walletSigner.issuerSignMessage(message),
+    issuerAddress: () => walletSigner.issuerAddress(),
 });
 // #1013 Phase 45: 卖家配额 + 数据中心 7 endpoints — 2026-05-31 修补:之前 import 了但忘了 register,
 // 导致 /api/seller/quota-status + /api/seller/insights 落入 SPA fallback 返回 HTML,前端 JSON.parse 死循环
@@ -8375,14 +6672,8 @@ setInterval(() => {
 // #1013 Phase 4: 8 endpoints + 4 helpers 已迁出到 routes/chat.ts
 // ============================================================
 registerChatRoutes(app, { db, auth, generateId, rateLimitOk });
-// 初始化导入次数追踪表
-db.exec(`
-  CREATE TABLE IF NOT EXISTS import_logs (
-    id         TEXT PRIMARY KEY,
-    user_id    TEXT NOT NULL,
-    created_at TEXT DEFAULT (datetime('now'))
-  )
-`);
+// 初始化导入次数追踪表 → server-schema.ts
+initImportLogsSchema(db);
 const FREE_IMPORT_LIMIT = 10;
 // #1013 Phase 114: import-product 已迁出
 registerImportProductRoutes(app, {
@@ -8779,8 +7070,8 @@ registerExternalAnchorsRoutes(app, { db, auth });
 // #1013 Phase 109: checkout/tax-preview + verify-price 已迁出
 registerCheckoutHelpersRoutes(app, {
     db, auth, generateId, formatProductForAgent,
-    signPassport: (message) => privateKeyToAccount(derivePrivKey('platform-hot-wallet')).signMessage({ message }),
-    issuerAddress: () => privateKeyToAddress(derivePrivKey('platform-hot-wallet')),
+    signPassport: (message) => walletSigner.issuerSignMessage(message),
+    issuerAddress: () => walletSigner.issuerAddress(),
 });
 // ─── M8 二手板块 ────────────────────────────────────────────
 // #1013 Phase 27: 6 endpoints + 4 SH_* sets + addHours 已迁出到 routes/secondhand.ts
@@ -8848,8 +7139,10 @@ function getRegionMaxLevels(region) {
     // 已显式审计且合规允许的地区在 region_config 表里设 2 或 3
     return row?.max_levels ?? 1;
 }
-// 2026-06-04 解耦：PV 双轨/对碰系统是否在该 region 开启 —— 与 max_levels（佣金层级）独立。
-// 未配置 / 未知地区一律 false（保守默认 PV 全关，需治理显式开 pv_enabled=1）。
+// PV 匹配奖励的【区域兑付过滤器】—— 不是奖励总闸。与 max_levels（佣金层级）独立。
+// 总闸是全局 Category C 双闸（见 pv-kill-switch.ts）：实际兑付仍必须同时满足
+// matching_rewards_active='1' + matching_rewards_activation_cleared='1'；本函数只是其后的额外区域过滤。
+// 未配置 / 未知地区返回 false，表示该地区过滤器不允许兑付（保守默认）。
 function regionPvEnabled(region) {
     const row = db.prepare("SELECT pv_enabled FROM region_config WHERE region = ?").get(region);
     return Number(row?.pv_enabled ?? 0) === 1;
@@ -9013,10 +7306,13 @@ function getUserLevel(lifetimeScore) {
 }
 // V3 PV 单位：每 100 元成交 = 1 PV（pv_multiplier 默认 1.0）
 // MAX_PV_PER_ORDER 1000 防单笔暴增 — 单笔订单最多产生 1000 PV (= 10 万元封顶)
-// 溢出部分作"协议留存"，等同基金池入金但不发对碰
+// 溢出部分作"协议留存"，等同基金池入金(预留池,当前无消费方)
 const PV_PER_YUAN = 0.01;
 const MAX_PV_PER_ORDER = 1000;
 function calculatePv(amount, multiplier = 1.0) {
+    // Category C: PV 是【参与记录】(非收益/非兑付)→ 默认 ON,只在 participation_recording 显式关闭时不生成。
+    if (!participationRecordingActive(db))
+        return 0;
     // 防御：负值 / NaN / Infinity 直接返回 0（不写入 pv_ledger）
     if (!Number.isFinite(amount) || amount <= 0)
         return 0;
@@ -9132,9 +7428,9 @@ function settleOrder(orderId) {
         }
         if (split.stakeToLockU > 0)
             applyWalletDelta(db, order.seller_id, { staked: split.stakeToLockU });
-        // 协议费拆分：50% 注入管理津贴池，50% 入 sys_protocol 运营
-        if (split.protocolToBonusU > 0)
-            creditColumns(db, 'management_bonus_pool', 'id = 1', [], { balance: split.protocolToBonusU });
+        // 协议费拆分：50% 注入协议储备池，50% 入 sys_protocol 运营
+        if (split.protocolToReserveU > 0)
+            creditColumns(db, 'protocol_reserve_pool', 'id = 1', [], { balance: split.protocolToReserveU });
         if (split.protocolToOpsU > 0)
             applyWalletDelta(db, 'sys_protocol', { balance: split.protocolToOpsU });
         // 推土机分享分润：正常分账 → 钱包；兜底 → commission_reserve（三级公池，独立科目）
@@ -9529,7 +7825,7 @@ registerEvidenceRoutes(app, { db, auth, detectFraud });
 // #1013 Phase 1: 7 endpoint handlers 已迁出到 src/pwa/routes/webauthn.ts
 // helpers (consumeGateToken / requireHumanPresence) 仍在本文件，被 withdraw/arbitrate/vote 等引用
 registerWebauthnRoutes(app, {
-    db, auth, generateId,
+    db, auth, generateId, rateLimitOk,
     rpId: WEBAUTHN_RP_ID,
     rpName: WEBAUTHN_RP_NAME,
     origin: WEBAUTHN_ORIGIN,
@@ -9695,7 +7991,7 @@ function settleGenericClaim(taskTable, voteTable, claimId) {
     return { ok: true, majority, ruling: majority };
 }
 // Sprint 4/5 — claim 结算后的后续影响（声誉 + 目标对象计数 + 自动下架 + voter outlier）
-// 复用 line 13482-13485 已存在的 CLAIM_SUSPEND_THRESHOLD / CLAIM_REVOKE_THRESHOLD / CLAIM_SUSPEND_DAYS / CLAIM_OUTLIER_WINDOW_DAYS
+// #420 P1-3:voter outlier 的窗口/暂停/撤销阈值由 protocol_params 驱动(见 checkVerifierOutlier + anti-abuse-thresholds.ts)
 const CLAIM_AUTO_SUSPEND_THRESHOLD = 3; // 商品 / 拍卖 / 二手 累计 N 次 upheld → 自动下架
 // Wave A-5: 通用 claim 撤回 helper（只有 0 票时 claimant 可撤回，退 stake）
 function withdrawClaim(taskTable, voteTable, claimId, userId) {
@@ -9799,10 +8095,12 @@ function checkVerifierOutlier(verifierId) {
     const existing = db.prepare(`SELECT type FROM claim_verifier_suspensions WHERE user_id = ? AND type = 'revoked' LIMIT 1`).get(verifierId);
     if (existing)
         return;
-    // 统计 180d 内 outlier 票数（跨所有 5 套 vote table）
+    // #420 P1-3:窗口/阈值/暂停时长由 protocol_params 驱动(默认 = 原 180d/≥5/≥3/30d)
+    const t = readAntiAbuseThresholds(db);
+    // 统计窗口内 outlier 票数（跨所有 vote table）
     const VOTE_TABLES = ['claim_verification_votes', 'product_claim_votes', 'review_claim_votes', 'secondhand_claim_votes', 'auction_claim_votes', 'wish_claim_votes'];
     let outlierCount = 0;
-    const since = new Date(Date.now() - CLAIM_OUTLIER_WINDOW_DAYS * 86400_000).toISOString();
+    const since = new Date(Date.now() - t.outlierWindowDays * 86400_000).toISOString();
     for (const tbl of VOTE_TABLES) {
         try {
             const n = db.prepare(`SELECT COUNT(*) as n FROM ${tbl} WHERE verifier_id = ? AND was_majority = 0 AND voted_at > ?`).get(verifierId, since).n;
@@ -9810,26 +8108,27 @@ function checkVerifierOutlier(verifierId) {
         }
         catch { }
     }
-    if (outlierCount >= CLAIM_REVOKE_THRESHOLD) {
+    const band = verifierOutlierBand(outlierCount, t);
+    if (band === 'revoke') {
         // 永久撤销
         db.prepare(`INSERT INTO claim_verifier_suspensions (id, user_id, type, until_at, reason, outlier_count) VALUES (?,?,?,NULL,?,?)`)
-            .run(generateId('cvs'), verifierId, 'revoked', `累计 ${outlierCount} 次 outlier（180d 内）→ 永久撤销 verifier 资格`, outlierCount);
+            .run(generateId('cvs'), verifierId, 'revoked', `累计 ${outlierCount} 次 outlier（${t.outlierWindowDays}d 内）→ 永久撤销 verifier 资格`, outlierCount);
         try {
             db.prepare(`INSERT INTO notifications (id, user_id, title, body, order_id) VALUES (?,?,?,?,?)`)
-                .run(generateId('ntf'), verifierId, '⚠ Verifier 资格已撤销', `你在 180 天内累计 ${outlierCount} 次 outlier 投票，按协议规则资格被永久撤销。`, null);
+                .run(generateId('ntf'), verifierId, '⚠ Verifier 资格已撤销', `你在 ${t.outlierWindowDays} 天内累计 ${outlierCount} 次 outlier 投票，按协议规则资格被永久撤销。`, null);
         }
         catch { }
     }
-    else if (outlierCount >= CLAIM_SUSPEND_THRESHOLD) {
+    else if (band === 'suspend') {
         // 临时 suspend，避免重复 suspend
         const dup = db.prepare(`SELECT id FROM claim_verifier_suspensions WHERE user_id = ? AND type = 'suspended' AND (until_at IS NULL OR until_at > datetime('now')) LIMIT 1`).get(verifierId);
         if (!dup) {
-            const until = new Date(Date.now() + CLAIM_SUSPEND_DAYS * 86400_000).toISOString();
+            const until = new Date(Date.now() + t.outlierSuspendDays * 86400_000).toISOString();
             db.prepare(`INSERT INTO claim_verifier_suspensions (id, user_id, type, until_at, reason, outlier_count) VALUES (?,?,?,?,?,?)`)
-                .run(generateId('cvs'), verifierId, 'suspended', until, `累计 ${outlierCount} 次 outlier（180d 内）→ 暂停 ${CLAIM_SUSPEND_DAYS} 天`, outlierCount);
+                .run(generateId('cvs'), verifierId, 'suspended', until, `累计 ${outlierCount} 次 outlier（${t.outlierWindowDays}d 内）→ 暂停 ${t.outlierSuspendDays} 天`, outlierCount);
             try {
                 db.prepare(`INSERT INTO notifications (id, user_id, title, body, order_id) VALUES (?,?,?,?,?)`)
-                    .run(generateId('ntf'), verifierId, '⏳ Verifier 资格已暂停', `你在 180 天内累计 ${outlierCount} 次 outlier 投票，资格暂停 ${CLAIM_SUSPEND_DAYS} 天直至 ${until.slice(0, 10)}。`, null);
+                    .run(generateId('ntf'), verifierId, '⏳ Verifier 资格已暂停', `你在 ${t.outlierWindowDays} 天内累计 ${outlierCount} 次 outlier 投票，资格暂停 ${t.outlierSuspendDays} 天直至 ${until.slice(0, 10)}。`, null);
             }
             catch { }
         }
@@ -9915,7 +8214,7 @@ registerPublicUtilsRoutes(app, {
     db, MASTER_SEED, NODE_ENV, SERVICE_START_MS,
     rateLimitOk, generateManifest, getUser, logError,
     // #1045 信任锚:Phase 4 同一把签名 key 的地址,公开发布让第三方验真者锚定
-    issuerAddress: () => privateKeyToAddress(derivePrivKey('platform-hot-wallet')),
+    issuerAddress: () => walletSigner.issuerAddress(),
 });
 // ─── 静态文件 + SPA 回退（必须在所有 API 路由之后）────────────
 // PWA 壳文件必须 no-cache(否则 CF/浏览器 4h 缓存挡新版本)；
@@ -10041,7 +8340,8 @@ function runEnforcement() {
 //   2. BASE_RPC_URL=https://mainnet.base.org（或自有 RPC）
 //   3. USDC_CONTRACT=0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913（Base mainnet USDC）
 //   4. WALLET_MASTER_SEED=<高熵随机值，建议来自 KMS / 硬件签名器>
-//   5. 强烈建议把 HOT_WALLET 切到多签（如 Gnosis Safe），把 derivePrivKey 替换为 KMS 调用
+//   5. 强烈建议把 HOT_WALLET 切到多签（如 Gnosis Safe）+ KMS 签名器 —— 经 WalletSigner seam
+//      (internal/wallet-signer.ts) 换 LocalSeedSigner → KMS/Safe 实现，见 docs/HOT-WALLET-CUSTODY-MIGRATION.md
 //   6. NODE_ENV=production（启用默认 seed 拒启 + bootstrap key 脱敏）
 const NETWORK = (process.env.NETWORK || 'testnet').toLowerCase();
 const IS_MAINNET = NETWORK === 'mainnet';
@@ -10060,7 +8360,7 @@ if (IS_MAINNET && (MASTER_SEED === 'webaz-dev-seed-changeme' || !process.env.WAL
 }
 if (IS_MAINNET && !process.env.HOT_WALLET_KMS_ACK) {
     console.warn('⚠ 主网热钱包 HOT_WALLET 私钥仍由 MASTER_SEED 派生 — 强烈建议改 KMS / 多签');
-    console.warn('  设 HOT_WALLET_KMS_ACK=1 表示你已知悉风险继续运行（生产应替换 derivePrivKey 调用）');
+    console.warn('  设 HOT_WALLET_KMS_ACK=1 表示你已知悉风险继续运行（生产应把 WalletSigner 换成 KMS/多签实现，见 docs/HOT-WALLET-CUSTODY-MIGRATION.md）');
 }
 const USDC_ABI = parseAbi([
     'function transfer(address to, uint256 value) returns (bool)',
@@ -10074,10 +8374,10 @@ const publicClient = createPublicClient({
     transport: http(rpcUrl),
 });
 // ─── 热钱包（归集 + 提现出账）────────────────────────────────────
-const HOT_WALLET_PRIV = derivePrivKey('platform-hot-wallet');
-const HOT_WALLET_ADDR = privateKeyToAddress(HOT_WALLET_PRIV);
+// Phase 0: hot-wallet signing via the WalletSigner seam (Phase 1 swaps LocalSeedSigner → KMS here).
+const HOT_WALLET_ADDR = walletSigner.hotAddress();
 const hotWalletClient = createWalletClient({
-    account: privateKeyToAccount(HOT_WALLET_PRIV),
+    account: walletSigner.hotAccount(),
     chain: ACTIVE_CHAIN,
     transport: http(rpcUrl),
 });
@@ -10099,7 +8399,7 @@ async function sweepToHotWallet(userId, depositAddress) {
     await publicClient.waitForTransactionReceipt({ hash: ethHash });
     // 充值地址把 USDC 转给热钱包
     const depClient = createWalletClient({
-        account: privateKeyToAccount(derivePrivKey(userId)),
+        account: walletSigner.depositAccount(userId),
         chain: ACTIVE_CHAIN,
         transport: http(rpcUrl),
     });
@@ -10277,22 +8577,7 @@ function startDepositWatcher() {
 // 轻量级自建错误上报 — 避免外部 Sentry 依赖
 // 后端：进程级 uncaughtException + unhandledRejection
 // 前端：POST /api/error-report（window.onerror → 入此表）
-db.exec(`
-  CREATE TABLE IF NOT EXISTS error_log (
-    id          INTEGER PRIMARY KEY AUTOINCREMENT,
-    source      TEXT NOT NULL,    -- 'server-uncaught' | 'server-rejection' | 'client'
-    message     TEXT NOT NULL,
-    stack       TEXT,
-    url         TEXT,             -- 客户端 location.href
-    user_agent  TEXT,             -- 客户端 UA
-    user_id     TEXT,             -- 已登录用户（可空）
-    created_at  TEXT DEFAULT (datetime('now'))
-  )
-`);
-try {
-    db.exec('CREATE INDEX IF NOT EXISTS idx_error_log_created ON error_log(created_at)');
-}
-catch { }
+initErrorLogSchema(db);
 // ─── 治理岗位上岗(W3.5-B,2026-06-02)──────────────────────────
 // docs/GOVERNANCE-ONBOARDING.md — arbitrator + verifier 申请 / 上岗 / 卸任 / 申诉
 // 1 表:governance_applications(append-only,记录 apply/activate/resign/auto_deactivate/appeal)