@seasonkoh/webaz 0.1.23 → 0.1.25

package/dist/pwa/routes/chat.js

@@ -1,3 +1,4 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 const VALID_CHAT_KINDS = new Set(['order', 'rfq', 'listing_qa']);
 // 反诈正则（命中即 flag，仍发出）
 const FRAUD_PATTERNS = [
@@ -21,9 +22,9 @@ export function detectFraud(text) {
 export function registerChatRoutes(app, deps) {
     const { db, auth, generateId, rateLimitOk } = deps;
     // 上下文 + 对方校验：只允许有真实商业关系的两方建会话
-    function resolveChatParticipants(kind, contextId, requesterId, recipientId) {
+    async function resolveChatParticipants(kind, contextId, requesterId, recipientId) {
         if (kind === 'order') {
-            const o = db.prepare('SELECT buyer_id, seller_id FROM orders WHERE id = ?').get(contextId);
+            const o = await dbOne('SELECT buyer_id, seller_id FROM orders WHERE id = ?', [contextId]);
             if (!o)
                 return { user_a: '', user_b: '', allowed: false, reason: '订单不存在' };
             if (requesterId !== o.buyer_id && requesterId !== o.seller_id)
@@ -31,26 +32,26 @@ export function registerChatRoutes(app, deps) {
             return { user_a: o.buyer_id, user_b: o.seller_id, allowed: true };
         }
         if (kind === 'rfq') {
-            const r = db.prepare('SELECT buyer_id, status FROM rfqs WHERE id = ?').get(contextId);
+            const r = await dbOne('SELECT buyer_id, status FROM rfqs WHERE id = ?', [contextId]);
             if (!r)
                 return { user_a: '', user_b: '', allowed: false, reason: 'RFQ 不存在' };
             if (requesterId === r.buyer_id) {
                 // buyer 主动找某个 bidder
                 if (!recipientId)
                     return { user_a: '', user_b: '', allowed: false, reason: '需指定 recipient' };
-                const hasBid = db.prepare('SELECT 1 FROM bids WHERE rfq_id = ? AND seller_id = ?').get(contextId, recipientId);
+                const hasBid = await dbOne('SELECT 1 FROM bids WHERE rfq_id = ? AND seller_id = ?', [contextId, recipientId]);
                 if (!hasBid)
                     return { user_a: '', user_b: '', allowed: false, reason: '对方未对此 RFQ 报价' };
                 return { user_a: r.buyer_id, user_b: recipientId, allowed: true };
             }
             // seller 找 buyer：必须自己已 bid
-            const myBid = db.prepare('SELECT 1 FROM bids WHERE rfq_id = ? AND seller_id = ?').get(contextId, requesterId);
+            const myBid = await dbOne('SELECT 1 FROM bids WHERE rfq_id = ? AND seller_id = ?', [contextId, requesterId]);
             if (!myBid)
                 return { user_a: '', user_b: '', allowed: false, reason: '需先报价才能联系买家' };
             return { user_a: r.buyer_id, user_b: requesterId, allowed: true };
         }
         if (kind === 'listing_qa') {
-            const l = db.prepare('SELECT created_by FROM listings WHERE id = ?').get(contextId);
+            const l = await dbOne('SELECT created_by FROM listings WHERE id = ?', [contextId]);
             if (!l)
                 return { user_a: '', user_b: '', allowed: false, reason: 'listing 不存在' };
             // 仅非创建者可主动发起（避免 listing 创建者主动 spam）
@@ -59,7 +60,7 @@ export function registerChatRoutes(app, deps) {
                 if (!recipientId)
                     return { user_a: '', user_b: '', allowed: false, reason: '请等买家先发起咨询' };
                 const [a, b] = l.created_by < recipientId ? [l.created_by, recipientId] : [recipientId, l.created_by];
-                const exists = db.prepare("SELECT 1 FROM conversations WHERE kind = 'listing_qa' AND context_id = ? AND user_a = ? AND user_b = ?").get(contextId, a, b);
+                const exists = await dbOne("SELECT 1 FROM conversations WHERE kind = 'listing_qa' AND context_id = ? AND user_a = ? AND user_b = ?", [contextId, a, b]);
                 if (!exists)
                     return { user_a: '', user_b: '', allowed: false, reason: '请等买家先发起咨询' };
                 return { user_a: l.created_by, user_b: recipientId, allowed: true };
@@ -68,22 +69,21 @@ export function registerChatRoutes(app, deps) {
         }
         return { user_a: '', user_b: '', allowed: false, reason: 'kind 无效' };
     }
-    function findOrCreateConv(kind, contextId, userA, userB) {
+    async function findOrCreateConv(kind, contextId, userA, userB) {
         // 规范化：user_a 字典序较小
         const [a, b] = userA < userB ? [userA, userB] : [userB, userA];
-        const selectStmt = db.prepare('SELECT id FROM conversations WHERE kind = ? AND context_id = ? AND user_a = ? AND user_b = ?');
-        const existing = selectStmt.get(kind, contextId, a, b);
+        const SELECT_SQL = 'SELECT id FROM conversations WHERE kind = ? AND context_id = ? AND user_a = ? AND user_b = ?';
+        const existing = await dbOne(SELECT_SQL, [kind, contextId, a, b]);
         if (existing)
             return existing.id;
         // 并发场景下 UNIQUE 可能触发；用 INSERT OR IGNORE + 再次 SELECT 兜底
         const id = generateId('cv');
-        db.prepare(`INSERT OR IGNORE INTO conversations (id, kind, context_id, user_a, user_b) VALUES (?,?,?,?,?)`)
-            .run(id, kind, contextId, a, b);
-        const final = selectStmt.get(kind, contextId, a, b);
+        await dbRun(`INSERT OR IGNORE INTO conversations (id, kind, context_id, user_a, user_b) VALUES (?,?,?,?,?)`, [id, kind, contextId, a, b]);
+        const final = await dbOne(SELECT_SQL, [kind, contextId, a, b]);
         return final.id;
     }
     // 开会话（idempotent — 已存在则返回 id）
-    app.post('/api/conversations/start', (req, res) => {
+    app.post('/api/conversations/start', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -92,18 +92,18 @@ export function registerChatRoutes(app, deps) {
             return void res.json({ error: 'kind 无效' });
         if (!context_id)
             return void res.json({ error: 'context_id 必填' });
-        const r = resolveChatParticipants(String(kind), String(context_id), user.id, recipient_id ? String(recipient_id) : null);
+        const r = await resolveChatParticipants(String(kind), String(context_id), user.id, recipient_id ? String(recipient_id) : null);
         if (!r.allowed)
             return void res.json({ error: r.reason || '无权开启会话' });
-        const id = findOrCreateConv(String(kind), String(context_id), r.user_a, r.user_b);
+        const id = await findOrCreateConv(String(kind), String(context_id), r.user_a, r.user_b);
         res.json({ id, kind, context_id });
     });
     // 我的会话列表
-    app.get('/api/conversations', (req, res) => {
+    app.get('/api/conversations', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT c.*,
         CASE WHEN c.user_a = ? THEN c.unread_a ELSE c.unread_b END as my_unread,
         CASE WHEN c.user_a = ? THEN c.user_b ELSE c.user_a END as other_id,
@@ -113,15 +113,15 @@ export function registerChatRoutes(app, deps) {
       WHERE (c.user_a = ? OR c.user_b = ?) AND c.status NOT IN ('blocked','archived')
       ORDER BY COALESCE(c.last_message_at, c.created_at) DESC
       LIMIT 100
-    `).all(user.id, user.id, user.id, user.id, user.id, user.id);
+    `, [user.id, user.id, user.id, user.id, user.id, user.id]);
         res.json({ items: rows });
     });
     // 会话详情 + 消息分页
-    app.get('/api/conversations/:id', (req, res) => {
+    app.get('/api/conversations/:id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const conv = db.prepare('SELECT * FROM conversations WHERE id = ?').get(req.params.id);
+        const conv = await dbOne('SELECT * FROM conversations WHERE id = ?', [req.params.id]);
         if (!conv)
             return void res.status(404).json({ error: '会话不存在' });
         if (conv.user_a !== user.id && conv.user_b !== user.id)
@@ -135,13 +135,13 @@ export function registerChatRoutes(app, deps) {
             args.push(before);
         }
         args.push(limit);
-        const messages = db.prepare(`
+        const messages = await dbAll(`
       SELECT id, sender_id, body, attachments, flagged, flag_reasons, read_at, kind, meta, created_at
       FROM messages
       WHERE conversation_id = ?${whereExtra}
       ORDER BY created_at DESC
       LIMIT ?
-    `).all(...args);
+    `, args);
         messages.reverse(); // 返回时间正序，便于前端 append
         // QA 轮 11 P1：read 端 flag_reasons 是 JSON string，send 端是 array → agent 双向 parse 易错
         // 统一为 array (send 端格式)
@@ -170,18 +170,18 @@ export function registerChatRoutes(app, deps) {
             }
         }
         const otherId = conv.user_a === user.id ? conv.user_b : conv.user_a;
-        const other = db.prepare('SELECT id, handle, name, region FROM users WHERE id = ?').get(otherId);
+        const other = await dbOne('SELECT id, handle, name, region FROM users WHERE id = ?', [otherId]);
         res.json({ conv, messages, other });
     });
     // 发消息
-    app.post('/api/conversations/:id/messages', (req, res) => {
+    app.post('/api/conversations/:id/messages', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         // P1: 频率限制 — 同用户每分钟 ≤ 60 条（≈ 1/s 持续 + 短时突发）
         if (!rateLimitOk(`chat_msg:${user.id}`, 60, 60_000))
             return void res.status(429).json({ error: '发送过于频繁，请稍等' });
-        const conv = db.prepare('SELECT * FROM conversations WHERE id = ?').get(req.params.id);
+        const conv = await dbOne('SELECT * FROM conversations WHERE id = ?', [req.params.id]);
         if (!conv)
             return void res.status(404).json({ error: '会话不存在' });
         if (conv.status === 'blocked')
@@ -238,9 +238,8 @@ export function registerChatRoutes(app, deps) {
         // 通知接收方
         try {
             const recipient = isFromA ? conv.user_b : conv.user_a;
-            db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
-                  VALUES (?,?,'chat_new',?,?,datetime('now'))`)
-                .run(generateId('ntf'), recipient, `💬 新消息`, preview);
+            await dbRun(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
+                  VALUES (?,?,'chat_new',?,?,datetime('now'))`, [generateId('ntf'), recipient, `💬 新消息`, preview]);
         }
         catch (e) {
             console.error('[chat notify]', e);
@@ -248,11 +247,11 @@ export function registerChatRoutes(app, deps) {
         res.json({ id, flagged: reasons.length > 0, flag_reasons: reasons });
     });
     // 标记已读
-    app.post('/api/conversations/:id/read', (req, res) => {
+    app.post('/api/conversations/:id/read', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const conv = db.prepare('SELECT user_a, user_b FROM conversations WHERE id = ?').get(req.params.id);
+        const conv = await dbOne('SELECT user_a, user_b FROM conversations WHERE id = ?', [req.params.id]);
         if (!conv)
             return void res.status(404).json({ error: '会话不存在' });
         if (conv.user_a !== user.id && conv.user_b !== user.id)
@@ -266,37 +265,37 @@ export function registerChatRoutes(app, deps) {
         res.json({ success: true });
     });
     // 归档（仅自己侧）
-    app.post('/api/conversations/:id/archive', (req, res) => {
+    app.post('/api/conversations/:id/archive', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const conv = db.prepare('SELECT user_a, user_b, status FROM conversations WHERE id = ?').get(req.params.id);
+        const conv = await dbOne('SELECT user_a, user_b, status FROM conversations WHERE id = ?', [req.params.id]);
         if (!conv)
             return void res.status(404).json({ error: '会话不存在' });
         if (conv.user_a !== user.id && conv.user_b !== user.id)
             return void res.status(403).json({ error: '无权操作' });
-        db.prepare("UPDATE conversations SET status = 'archived' WHERE id = ?").run(req.params.id);
+        await dbRun("UPDATE conversations SET status = 'archived' WHERE id = ?", [req.params.id]);
         res.json({ success: true });
     });
     // 拉黑（双向屏蔽）
-    app.post('/api/conversations/:id/block', (req, res) => {
+    app.post('/api/conversations/:id/block', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const conv = db.prepare('SELECT user_a, user_b FROM conversations WHERE id = ?').get(req.params.id);
+        const conv = await dbOne('SELECT user_a, user_b FROM conversations WHERE id = ?', [req.params.id]);
         if (!conv)
             return void res.status(404).json({ error: '会话不存在' });
         if (conv.user_a !== user.id && conv.user_b !== user.id)
             return void res.status(403).json({ error: '无权操作' });
-        db.prepare("UPDATE conversations SET status = 'blocked' WHERE id = ?").run(req.params.id);
+        await dbRun("UPDATE conversations SET status = 'blocked' WHERE id = ?", [req.params.id]);
         res.json({ success: true });
     });
     // 举报（人工审核）
-    app.post('/api/conversations/:id/report', (req, res) => {
+    app.post('/api/conversations/:id/report', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const conv = db.prepare('SELECT user_a, user_b FROM conversations WHERE id = ?').get(req.params.id);
+        const conv = await dbOne('SELECT user_a, user_b FROM conversations WHERE id = ?', [req.params.id]);
         if (!conv)
             return void res.status(404).json({ error: '会话不存在' });
         if (conv.user_a !== user.id && conv.user_b !== user.id)
@@ -306,13 +305,13 @@ export function registerChatRoutes(app, deps) {
         if (!reason)
             return void res.json({ error: '原因必填' });
         // P1: 同 (reporter, conversation) 24h 内最多 3 次
-        const recentRpt = db.prepare(`SELECT COUNT(1) as n FROM chat_reports WHERE conversation_id = ? AND reporter_id = ? AND created_at > datetime('now','-1 day')`).get(req.params.id, user.id).n;
+        const recentRpt = (await dbOne(`SELECT COUNT(1) as n FROM chat_reports WHERE conversation_id = ? AND reporter_id = ? AND created_at > datetime('now','-1 day')`, [req.params.id, user.id])).n;
         if (recentRpt >= 3)
             return void res.status(429).json({ error: '24 小时内对同一会话最多举报 3 次' });
         const reportedId = conv.user_a === user.id ? conv.user_b : conv.user_a;
-        db.prepare(`INSERT INTO chat_reports (id, conversation_id, message_id, reporter_id, reported_id, reason, note)
-                VALUES (?,?,?,?,?,?,?)`)
-            .run(generateId('rpt'), req.params.id, body.message_id ? String(body.message_id) : null, user.id, reportedId, reason, body.note ? String(body.note).slice(0, 500) : null);
+        await dbRun(`INSERT INTO chat_reports (id, conversation_id, message_id, reporter_id, reported_id, reason, note)
+                VALUES (?,?,?,?,?,?,?)`, [generateId('rpt'), req.params.id, body.message_id ? String(body.message_id) : null,
+            user.id, reportedId, reason, body.note ? String(body.note).slice(0, 500) : null]);
         res.json({ success: true });
     });
 }

package/dist/pwa/routes/checkin-tasks.js

@@ -1,16 +1,17 @@
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerCheckinTasksRoutes(app, deps) {
     const { db, auth, isTrustedRole, errorRes, generateId, getProtocolParam, resolveCheckinDate, TASK_DEFS, computeTaskProgress, disbursePlatformReward, broadcastSystemEvent } = deps;
-    app.get('/api/checkin/status', (req, res) => {
+    app.get('/api/checkin/status', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         if (isTrustedRole(user))
             return void errorRes(res, 403, 'TRUSTED_ROLE_NO_TRADE', '受信角色无此功能');
         const today = resolveCheckinDate(req.query.local_date ? String(req.query.local_date) : undefined);
-        const todayCheckin = db.prepare('SELECT reward, streak FROM daily_checkins WHERE user_id = ? AND checkin_date = ?').get(user.id, today);
+        const todayCheckin = await dbOne('SELECT reward, streak FROM daily_checkins WHERE user_id = ? AND checkin_date = ?', [user.id, today]);
         // streak: 连续签到 — 检查昨日
         const yesterday = new Date(new Date(today + 'T00:00:00Z').getTime() - 86400000).toISOString().slice(0, 10);
-        const yesterdayCheckin = db.prepare('SELECT streak FROM daily_checkins WHERE user_id = ? AND checkin_date = ?').get(user.id, yesterday);
+        const yesterdayCheckin = await dbOne('SELECT streak FROM daily_checkins WHERE user_id = ? AND checkin_date = ?', [user.id, yesterday]);
         const currentStreak = todayCheckin?.streak || (yesterdayCheckin ? yesterdayCheckin.streak + 1 : 1);
         // F-2: 里程碑参数 admin 可调
         const bonus7 = getProtocolParam('streak_bonus_7', 5);
@@ -22,7 +23,7 @@ export function registerCheckinTasksRoutes(app, deps) {
         // 任务列表
         const progress = computeTaskProgress(String(user.id));
         const claimed = new Map();
-        for (const row of db.prepare('SELECT task_key, claimed_at FROM task_completions WHERE user_id = ?').all(user.id)) {
+        for (const row of await dbAll('SELECT task_key, claimed_at FROM task_completions WHERE user_id = ?', [user.id])) {
             if (row.claimed_at)
                 claimed.set(row.task_key, row.claimed_at);
         }
@@ -43,18 +44,18 @@ export function registerCheckinTasksRoutes(app, deps) {
             tasks,
         });
     });
-    app.post('/api/checkin', (req, res) => {
+    app.post('/api/checkin', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         if (isTrustedRole(user))
             return void errorRes(res, 403, 'TRUSTED_ROLE_NO_TRADE', '受信角色无此功能');
         const today = resolveCheckinDate(req.body?.local_date ? String(req.body.local_date) : undefined);
-        const existing = db.prepare('SELECT reward FROM daily_checkins WHERE user_id = ? AND checkin_date = ?').get(user.id, today);
+        const existing = await dbOne('SELECT reward FROM daily_checkins WHERE user_id = ? AND checkin_date = ?', [user.id, today]);
         if (existing)
             return void res.status(400).json({ error: '今日已签到', error_code: 'ALREADY_CHECKED_IN' });
         const yesterday = new Date(new Date(today + 'T00:00:00Z').getTime() - 86400000).toISOString().slice(0, 10);
-        const yesterdayCheckin = db.prepare('SELECT streak FROM daily_checkins WHERE user_id = ? AND checkin_date = ?').get(user.id, yesterday);
+        const yesterdayCheckin = await dbOne('SELECT streak FROM daily_checkins WHERE user_id = ? AND checkin_date = ?', [user.id, yesterday]);
         const streak = yesterdayCheckin ? yesterdayCheckin.streak + 1 : 1;
         // F-2: admin 可调里程碑
         const bonus7 = getProtocolParam('streak_bonus_7', 5);
@@ -84,7 +85,7 @@ export function registerCheckinTasksRoutes(app, deps) {
         catch { }
         res.json({ success: true, reward, streak, milestone_bonus: milestoneBonus });
     });
-    app.post('/api/tasks/:key/claim', (req, res) => {
+    app.post('/api/tasks/:key/claim', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -97,7 +98,7 @@ export function registerCheckinTasksRoutes(app, deps) {
         const progress = computeTaskProgress(String(user.id));
         if (!progress[taskKey].eligible)
             return void res.status(400).json({ error: '任务未完成', progress: progress[taskKey] });
-        const existing = db.prepare('SELECT claimed_at FROM task_completions WHERE user_id = ? AND task_key = ?').get(user.id, taskKey);
+        const existing = await dbOne('SELECT claimed_at FROM task_completions WHERE user_id = ? AND task_key = ?', [user.id, taskKey]);
         if (existing?.claimed_at)
             return void res.status(400).json({ error: '任务奖励已领取' });
         db.transaction(() => {

package/dist/pwa/routes/checkout-helpers.js

@@ -1,7 +1,9 @@
 import { buildIntentMandate, signMandate } from './ap2-mandate.js';
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerCheckoutHelpersRoutes(app, deps) {
-    const { db, auth, generateId, formatProductForAgent, signPassport, issuerAddress } = deps;
-    app.get('/api/checkout/tax-preview', (req, res) => {
+    // db 已走 RFC-016 异步 seam(dbOne/dbRun),不再直接用 deps.db
+    const { auth, generateId, formatProductForAgent, signPassport, issuerAddress } = deps;
+    app.get('/api/checkout/tax-preview', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -9,9 +11,9 @@ export function registerCheckoutHelpersRoutes(app, deps) {
         const qtyN = Math.max(1, Math.floor(Number(req.query.quantity) || 1));
         if (!productId)
             return void res.status(400).json({ error: 'product_id required' });
-        const product = db.prepare(`SELECT p.id, p.price, p.title, u.region as seller_region
+        const product = await dbOne(`SELECT p.id, p.price, p.title, u.region as seller_region
                                 FROM products p JOIN users u ON u.id = p.seller_id
-                                WHERE p.id = ?`).get(productId);
+                                WHERE p.id = ?`, [productId]);
         if (!product)
             return void res.status(404).json({ error: '商品不存在' });
         const buyerRegion = user.region || 'global';
@@ -24,8 +26,8 @@ export function registerCheckoutHelpersRoutes(app, deps) {
                 disclaimer: '同地区订单，无跨境关税',
             });
         }
-        const cfg = db.prepare(`SELECT est_import_duty_pct, est_import_threshold_waz
-                            FROM region_config WHERE region = ?`).get(buyerRegion);
+        const cfg = await dbOne(`SELECT est_import_duty_pct, est_import_threshold_waz
+                            FROM region_config WHERE region = ?`, [buyerRegion]);
         const pct = Number(cfg?.est_import_duty_pct || 0);
         const threshold = Number(cfg?.est_import_threshold_waz || 0);
         const orderTotal = Number(product.price) * qtyN;
@@ -51,14 +53,14 @@ export function registerCheckoutHelpersRoutes(app, deps) {
         const { product_id, quantity = 1 } = req.body;
         if (!product_id)
             return void res.json({ error: '请提供 product_id' });
-        const product = db.prepare(`
+        const product = await dbOne(`
       SELECT p.*, u.name as seller_name,
         COALESCE(rs.level, 'new') as rep_level
       FROM products p
       JOIN users u ON p.seller_id = u.id
       LEFT JOIN reputation_scores rs ON rs.user_id = p.seller_id
       WHERE p.id = ? AND p.status = 'active'
-    `).get(product_id);
+    `, [product_id]);
         if (!product)
             return void res.json({ error: '商品不存在或已下架' });
         const qty = Number(quantity);
@@ -68,10 +70,10 @@ export function registerCheckoutHelpersRoutes(app, deps) {
         const now = new Date();
         const expiresAt = new Date(now.getTime() + 10 * 60_000);
         const token = generateId('pst');
-        db.prepare(`
+        await dbRun(`
       INSERT INTO price_sessions (token, product_id, user_id, price, quantity, created_at, expires_at)
       VALUES (?, ?, ?, ?, ?, ?, ?)
-    `).run(token, product_id, user.id, product.price, qty, now.toISOString(), expiresAt.toISOString());
+    `, [token, product_id, user.id, product.price, qty, now.toISOString(), expiresAt.toISOString()]);
         // AP2 (B.4 b) — Intent Mandate 并存输出;不破坏现有 session_token
         let ap2_intent_mandate = null;
         try {

package/dist/pwa/routes/claim-initiators.js

@@ -1,16 +1,18 @@
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerClaimInitiatorsRoutes(app, deps) {
+    // 只读/单写站点走 RFC-016 异步 seam;db 保留:claim 是质押/escrow 资金路径,
+    // dup 门 + 钱包扣减 + INSERT 任务必须原子(db.transaction),Phase 3 迁 pg 行锁。
     const { db, auth, isTrustedRole, errorRes, generateId } = deps;
     const wire = (cfg) => {
         const { entityPath, entityTable, entityIdCol, entityPartyCol, taskTable, taskPartyCol, voteTable, targets, stake, deadlineHours, idPrefix, allowedStatuses, notFoundMsg, ownClaimMsg, statusErrMsg, dupErrMsg, taskAlias: a } = cfg;
-        app.post(`/api/${entityPath}/:id/claim`, (req, res) => {
+        app.post(`/api/${entityPath}/:id/claim`, async (req, res) => {
             const user = auth(req, res);
             if (!user)
                 return;
             if (isTrustedRole(user)) {
                 return void errorRes(res, 403, 'TRUSTED_ROLE_NO_CLAIM', '受信角色不可发起声明');
             }
-            const entity = db.prepare(`SELECT id, ${entityPartyCol}, status FROM ${entityTable} WHERE id = ?`)
-                .get(req.params.id);
+            const entity = await dbOne(`SELECT id, ${entityPartyCol}, status FROM ${entityTable} WHERE id = ?`, [req.params.id]);
             if (!entity)
                 return void res.status(404).json({ error: notFoundMsg });
             const partyId = entity[entityPartyCol];
@@ -25,22 +27,40 @@ export function registerClaimInitiatorsRoutes(app, deps) {
             if (text.length < 6 || text.length > 500)
                 return void res.status(400).json({ error: 'claim_text 长度需 6-500 字' });
             const evidence = req.body?.evidence_uri ? String(req.body.evidence_uri).trim().slice(0, 500) : null;
-            const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+            // 友好预检查(读):余额不足直接早退;真正的守恒门在事务内(WHERE balance >= stake)。
+            const wallet = await dbOne('SELECT balance FROM wallets WHERE user_id = ?', [user.id]);
             if (!wallet || wallet.balance < stake)
                 return void res.status(400).json({ error: `余额不足：发起需锁 ${stake} WAZ` });
-            const dup = db.prepare(`SELECT id FROM ${taskTable} WHERE ${entityIdCol} = ? AND claimant_id = ? AND claim_target = ? AND status = 'open'`)
-                .get(req.params.id, user.id, target);
-            if (dup)
-                return void res.status(409).json({ error: dupErrMsg });
             const id = generateId(idPrefix);
             const deadline = new Date(Date.now() + deadlineHours * 3600_000).toISOString();
-            db.prepare(`INSERT INTO ${taskTable} (id, ${entityIdCol}, ${taskPartyCol}, claimant_id, claim_target, claim_text, evidence_uri, stake_claimant, deadline_at, status) VALUES (?,?,?,?,?,?,?,?,?,'open')`)
-                .run(id, req.params.id, partyId, user.id, target, text, evidence, stake, deadline);
-            db.prepare('UPDATE wallets SET balance = balance - ?, escrowed = escrowed + ? WHERE user_id = ?')
-                .run(stake, stake, user.id);
+            // 质押/escrow 原子段(同步事务):dup 门 + 钱包扣减(守恒 guard)+ INSERT 任务,
+            // 任一失败整段回滚 → 不会出现"任务已建但钱没锁"或"双重 open 声明"或透支。
+            try {
+                db.transaction(() => {
+                    const dup = db.prepare(`SELECT id FROM ${taskTable} WHERE ${entityIdCol} = ? AND claimant_id = ? AND claim_target = ? AND status = 'open'`)
+                        .get(req.params.id, user.id, target);
+                    if (dup)
+                        throw new Error('CLAIM_DUP');
+                    const debit = db.prepare('UPDATE wallets SET balance = balance - ?, escrowed = escrowed + ? WHERE user_id = ? AND balance >= ?')
+                        .run(stake, stake, user.id, stake);
+                    if (debit.changes === 0)
+                        throw new Error('CLAIM_INSUFFICIENT');
+                    db.prepare(`INSERT INTO ${taskTable} (id, ${entityIdCol}, ${taskPartyCol}, claimant_id, claim_target, claim_text, evidence_uri, stake_claimant, deadline_at, status) VALUES (?,?,?,?,?,?,?,?,?,'open')`)
+                        .run(id, req.params.id, partyId, user.id, target, text, evidence, stake, deadline);
+                })();
+            }
+            catch (e) {
+                const msg = e.message;
+                if (msg === 'CLAIM_DUP')
+                    return void res.status(409).json({ error: dupErrMsg });
+                if (msg === 'CLAIM_INSUFFICIENT')
+                    return void res.status(400).json({ error: `余额不足：发起需锁 ${stake} WAZ` });
+                console.error('[claim-initiators tx]', msg);
+                return void res.status(500).json({ error: '发起声明失败,请重试' });
+            }
             res.json({ success: true, claim_id: id, deadline_at: deadline, stake_locked: stake });
         });
-        app.get(`/api/${entityPath}/:id/claims`, (req, res) => {
+        app.get(`/api/${entityPath}/:id/claims`, async (req, res) => {
             const sql = `
         SELECT ${a}.id, ${a}.claim_target, ${a}.claim_text, ${a}.evidence_uri, ${a}.status, ${a}.ruling, ${a}.deadline_at, ${a}.resolved_at, ${a}.created_at,
                u.name as claimant_name,
@@ -48,7 +68,7 @@ export function registerClaimInitiatorsRoutes(app, deps) {
         FROM ${taskTable} ${a} JOIN users u ON u.id = ${a}.claimant_id
         WHERE ${a}.${entityIdCol} = ? ORDER BY ${a}.created_at DESC LIMIT 50
       `;
-            const rows = db.prepare(sql).all(req.params.id);
+            const rows = await dbAll(sql, [req.params.id]);
             res.json({ claims: rows, votes_needed: 3 });
         });
     };