@seasonkoh/webaz 0.1.10 → 0.1.11

package/dist/layer1-agent/L1-1-mcp-server/server.js

@@ -4006,7 +4006,7 @@ export async function startMCPServer() {
                         type: 'text',
                         text: `用户需求:${args.user_intent || '(未提供)'}\n\n` +
                             `请使用 webaz_search 工具(可粘贴外链精准匹配,详见工具描述)找到最匹配的商品,` +
-                            `然后用 webaz_verify_price 锁价(返回 session_token,5 分钟有效),` +
+                            `然后用 webaz_verify_price 锁价(返回 session_token,10 分钟有效),` +
                             `最后用 webaz_place_order(session_token=...) 下单。` +
                             `下单时记得跟用户确认收货地址 + 是否需要使用推荐人 promoter_api_key(可选)。\n\n` +
                             `重要:不要跳过 verify_price 这一步 — 它是防价格篡改的关键。`,

package/dist/pwa/public/app.js

@@ -10687,7 +10687,18 @@ window.doRegister = async () => {
   // #1049 Turnstile token(若启用)
   if (window._turnstileToken) body.turnstile_token = window._turnstileToken
   const res = await POST('/register', body)
-  if (res.error) return showMsg('error', res.error)
+  if (res.error) {
+    // P0-3: token 单次消耗,任何注册失败(name 重 / invite 缺 / captcha 假)后都要 reset widget 拿新 challenge,
+    // 否则用户 retry 时旧 token 已失效 → 后端 timeout-or-duplicate → 死循环
+    try {
+      window._turnstileToken = ''
+      if (window.turnstile) {
+        const slot = document.getElementById('reg-turnstile-slot')
+        if (slot) window.turnstile.reset(slot)
+      }
+    } catch {}
+    return showMsg('error', res.error)
+  }
   // 注册成功后清掉 hint（已绑定）
   localStorage.removeItem('webaz_share_hint')
   localStorage.removeItem('webaz_ref')
@@ -11631,7 +11642,6 @@ async function renderDiscover(app) {
           position: idx + 1,
           item: {
             '@type': 'Product',
-            inLanguage: lang,
             name: nameField,
             url: location.origin + '/#order-product/' + pp.id,
             ...(img ? { image: img } : {}),
@@ -15723,7 +15733,6 @@ async function renderBuyPage(app, productId) {
     setJsonLd({
       '@context': 'https://schema.org',
       '@type': 'Product',
-      inLanguage: curLang,
       name: nameField,
       description: descField,
       sku: p.id,

package/dist/pwa/public/sw.js

@@ -1,5 +1,5 @@
 // Service Worker — 网络优先，离线降级缓存；API 请求不缓存
-const CACHE = 'webaz-v478'
+const CACHE = 'webaz-v480'
 
 self.addEventListener('install', e => {
   self.skipWaiting()

package/dist/pwa/routes/ap2-mandate.js

@@ -113,9 +113,11 @@ export function buildPaymentMandate(input) {
     forSign.proof.signature = '';
     return { canonical: canonical(forSign), mandate };
 }
-/** 把 build*Mandate 输出的 canonical 经 signFn 签名后,塞回 mandate.proof.signature */
+/** 把 build*Mandate 输出的 canonical 经 signFn 签名后,返回带 signature 的深 clone(不 mutate 入参) */
 export async function signMandate(out, signFn) {
     const sig = await signFn(out.canonical);
-    out.mandate.proof.signature = sig;
-    return out.mandate;
+    // P2-3:深 clone 后再塞 signature;入参 out.mandate 保持不变,防调用方持引用被旁路修改
+    const signed = JSON.parse(JSON.stringify(out.mandate));
+    signed.proof.signature = sig;
+    return signed;
 }

package/dist/pwa/routes/auth-register.js

@@ -15,6 +15,10 @@ export function registerAuthRegisterRoutes(app, deps) {
             if (!turnstile_token || typeof turnstile_token !== 'string') {
                 return void errorRes(res, 400, 'CAPTCHA_REQUIRED', '请完成人机校验');
             }
+            // P1-3:Cloudflare Turnstile token 通常 <2KB,卡 4KB 防大体积注入 siteverify 浪费带宽
+            if (turnstile_token.length > 4096) {
+                return void errorRes(res, 400, 'CAPTCHA_INVALID', '人机校验未通过,请刷新后重试');
+            }
             try {
                 const remoteIp = req.ip || req.socket?.remoteAddress || '';
                 const verifyRes = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {

package/dist/pwa/server.js

@@ -4995,8 +4995,9 @@ const CROSS_USER_READ_DAILY_CAP = {
 };
 const crossUserReadBuckets = new Map();
 function extractCrossUserTarget(path, currentUserId) {
-    // /api/users/:id/anything → :id;同 user 不算跨;sys_* 协议账号不算
-    const m = path.match(/^\/api\/users\/([^/]+)\//);
+    // /api/users/:id 或 /api/users/:id/anything → :id;同 user 不算跨;sys_* 协议账号不算
+    // P1-4 修:允许 trailing path 缺失(/api/users/:user_id 是合法 endpoint,返回用户档案)
+    const m = path.match(/^\/api\/users\/([^/?#]+)(?:[/?#]|$)/);
     if (!m)
         return null;
     const target = m[1];
@@ -5193,7 +5194,9 @@ app.use((req, res, next) => {
         });
     }
     // #1043(补 A) 跨用户读日 cap — 真人也罩;只对路径里显式带 other user id 的 GET 计数
-    if (req.method === 'GET') {
+    // P0-2 优化:先 regex 快判 path 命中(零开销),命中才查 owner.id + level — 避免每 GET 跑 SQLite
+    // P1-4 修:正则允许 /api/users/:id 无 trailing slash(GET /api/users/:user_id 是返回用户档案的合法端点)
+    if (req.method === 'GET' && /^\/api\/users\/[^/?#]+/.test(req.path)) {
         const owner = db.prepare(`SELECT id FROM users WHERE api_key = ?`).get(apiKey);
         if (owner) {
             const target = extractCrossUserTarget(req.path, owner.id);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seasonkoh/webaz",
-  "version": "0.1.10",
+  "version": "0.1.11",
   "description": "Agent-native decentralized commerce protocol. Humans and AI agents trade on the same protocol via MCP tools.",
   "main": "dist/mcp.js",
   "bin": {