feat(gamification): Phase 1 — full kill-switch + textbook XP wrapping

Until now the 'gamification' feature flag did nothing: it had no row in
app_settings, the admin couldn't toggle it, awardXP/awardCoins ignored
it, and the CSS only hid three dashboard widgets — XP bars in textbooks
stayed visible regardless.

Phase 1 closes every hole.

Backend (source of truth):
  • migration 029 seeds feature_gamification_enabled=1
  • new isGamificationEnabled() helper in gamification/_shared.js with a
    30s cache + invalidateGamificationCache() for instant admin toggles
  • awardXP / awardCoins / updateStreak / unlockAchievement /
    checkAchievements all bail out when the flag is off
  • /api/gamification/* and /api/shop/* (user routes) return 404 when
    disabled; admin routes remain open so the switch itself is reachable
  • adminController.updateFeatures gains 'gamification' in the allow-list
    and invalidates the cache on flip

Frontend:
  • LS.isGamificationEnabled() (synchronous, populated by loadFeatures)
    so xp.js + applyCosmetics can bail without a round-trip
  • xp.js load/add/flush become no-ops when the flag is off
  • applyCosmetics skips the round-trip when off
  • CSS .no-gamification rule expanded to cover .hero-xp-badge, .po-xp,
    .xp-card, .xp-bar, #frames-section, and a universal [data-gamified]
    hook for future blocks

Textbooks (Variant 2 of the plan):
  • backend/scripts/wrap_textbook_xp.py — idempotent script that adds
    data-gamified to 167 XP tags across 63 textbook files (chapters +
    hubs, all subjects/grades). Single CSS rule now hides everything.

Verified end-to-end: with the flag off, awardXP/awardCoins write nothing;
flipping back restores normal behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/routes/gamification.js

@@ -8,6 +8,18 @@ const {
   onLabExperiment, selfAward,
   adminAward, adminReset, adminGamStats, adminGetUser
 } = require('../controllers/gamificationController');
+const { isGamificationEnabled } = require('../controllers/gamification/_shared');
+
+/* When gamification is globally disabled, user-facing routes return 404.
+   Admin routes (under /admin/*) stay accessible so the kill-switch itself
+   can still be flipped from the panel. */
+function gamGate(req, res, next) {
+  if (req.path.startsWith('/admin/')) return next();
+  if (!isGamificationEnabled()) {
+    return res.status(404).json({ error: 'Gamification disabled' });
+  }
+  next();
+}
 
 const labLimiter = rateLimit({ windowMs: 60_000, max: 30, message: 'Слишком частые запросы лаборатории' });
 const labSchema  = { body: { reactionsDiscovered: { type: 'number', min: 0, max: 100, integer: true } } };
@@ -22,6 +34,7 @@ const selfAwardSchema = {
 };
 
 router.use(authMiddleware);
+router.use(gamGate);
 
 router.get('/me',              getMe);
 router.get('/achievements',    getAchievements);

backend/src/routes/shop.js

@@ -6,6 +6,16 @@ const {
   getItems, purchaseItem, getPurchases, getCoins, getMyActive, activateItem,
   adminGetItems, adminCreateItem, adminUpdateItem, adminDeleteItem, adminAwardCoins, adminShopStats
 } = require('../controllers/shopController');
+const { isGamificationEnabled } = require('../controllers/gamification/_shared');
+
+/* Same kill-switch as gamification routes — shop is part of the gam loop. */
+function shopGate(req, res, next) {
+  if (req.path.startsWith('/admin/')) return next();
+  if (!isGamificationEnabled()) {
+    return res.status(404).json({ error: 'Gamification disabled' });
+  }
+  next();
+}
 
 const purchaseLimiter = rateLimit({ windowMs: 60_000, max: 10, message: 'Слишком много покупок, подождите минуту' });
 const activateSchema  = { body: { type: { type: 'string', oneOf: ['frame', 'title', 'effect'] } } };
@@ -20,6 +30,7 @@ const awardCoinsSchema = { body: {
 }};
 
 router.use(authMiddleware);
+router.use(shopGate);
 
 router.get('/items', getItems);
 router.post('/items/:id/purchase', requirePermission('shop.purchase'), purchaseLimiter, purchaseItem);