@seasonkoh/webaz 0.1.23 → 0.1.25

package/dist/pwa/routes/products-create.js

@@ -1,6 +1,7 @@
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerProductsCreateRoutes(app, deps) {
     const { db, auth, generateId, checkSellerCanList, getStakeDiscount, VALID_PRODUCT_TYPES, parsePlatformUrl, makeCommitmentHash, makeDescriptionHash, makePriceHash } = deps;
-    app.post('/api/products', (req, res) => {
+    app.post('/api/products', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -8,10 +9,10 @@ export function registerProductsCreateRoutes(app, deps) {
             return void res.json({ error: '仅卖家可上架商品' });
         // 里程碑 3-D：1h 上架限速（防 spam 批量上架）
         const LISTING_RATE_LIMIT = 5;
-        const recentListings = db.prepare(`
+        const recentListings = (await dbOne(`
       SELECT COUNT(1) as n FROM products
       WHERE seller_id = ? AND created_at > datetime('now', '-1 hour')
-    `).get(user.id).n;
+    `, [user.id])).n;
         if (recentListings >= LISTING_RATE_LIMIT) {
             return void res.status(429).json({
                 error: `上架过于频繁：1 小时内最多 ${LISTING_RATE_LIMIT} 个商品（当前已 ${recentListings} 个）`,
@@ -54,11 +55,11 @@ export function registerProductsCreateRoutes(app, deps) {
         }
         // 上架前检查：同一卖家不能重复关联相同外部链接
         if (source_url) {
-            const sameSellerDupe = db.prepare(`
+            const sameSellerDupe = (await dbOne(`
         SELECT COUNT(*) as n FROM product_external_links pel
         JOIN products p ON pel.product_id = p.id
         WHERE pel.url = ? AND p.seller_id = ?
-      `).get(source_url, user.id);
+      `, [source_url, user.id]));
             if (sameSellerDupe.n > 0) {
                 return void res.json({ error: '您已上架过来自此链接的商品，不能重复关联相同外部链接' });
             }
@@ -66,7 +67,7 @@ export function registerProductsCreateRoutes(app, deps) {
         // M7.2.6 / 方案 3：上架免质押 — 零门槛入驻
         // stake_amount 字段记录"预期 stake"（首单成交时从订单 escrow 锁定）
         const priceNum = Number(price);
-        const stakeDiscount = getStakeDiscount(db, user.id);
+        const stakeDiscount = await getStakeDiscount(db, user.id);
         const stakeRate = Math.max(0.05, 0.15 - stakeDiscount);
         const stakeAmount = Math.round(priceNum * stakeRate * 100) / 100;
         const now = new Date().toISOString();
@@ -74,14 +75,23 @@ export function registerProductsCreateRoutes(app, deps) {
         const specsJson = specs ? (typeof specs === 'string' ? specs : JSON.stringify(specs)) : null;
         const estJson = estimated_days ? (typeof estimated_days === 'string' ? estimated_days : JSON.stringify(estimated_days)) : null;
         const pFields = { ship_regions, handling_hours, estimated_days: estJson, return_days, return_condition, warranty_days };
-        db.prepare(`INSERT INTO products (
+        await dbRun(`INSERT INTO products (
       id, seller_id, title, description, price, stock, category, stake_amount,
       specs, brand, model, source_url, source_price, source_price_at,
       weight_kg, ship_regions, handling_hours, estimated_days, fragile,
       return_days, return_condition, warranty_days,
       commitment_hash, description_hash, price_hash, hashed_at,
       commission_rate, product_type, images
-    ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)`).run(id, user.id, title, description, priceNum, Number(stock), category, stakeAmount, specsJson, brand ?? null, model ?? null, source_url ?? null, source_price ? Number(source_price) : null, source_price ? now : null, weight_kg ? Number(weight_kg) : null, ship_regions, Number(handling_hours), estJson, fragile ? 1 : 0, Number(return_days), return_condition, Number(warranty_days), makeCommitmentHash(pFields), makeDescriptionHash({ title, description, specs: specsJson }), makePriceHash(priceNum, now), now, commissionRateNum, product_type, imagesJsonForInsert);
+    ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)`, [
+            id, user.id, title, description, priceNum, Number(stock), category, stakeAmount,
+            specsJson, brand ?? null, model ?? null,
+            source_url ?? null, source_price ? Number(source_price) : null, source_price ? now : null,
+            weight_kg ? Number(weight_kg) : null, ship_regions, Number(handling_hours), estJson, fragile ? 1 : 0,
+            Number(return_days), return_condition, Number(warranty_days),
+            makeCommitmentHash(pFields), makeDescriptionHash({ title, description, specs: specsJson }),
+            makePriceHash(priceNum, now), now,
+            commissionRateNum, product_type, imagesJsonForInsert
+        ]);
         // M7.2.6：免质押上架 — 不再扣 stake；首单成交时 settleOrder 自动从订单 escrow 锁定
         // M7.2-6: 上架时同步入 aliases（卖家已勾选的 candidates）
         if (Array.isArray(aliases) && aliases.length > 0) {
@@ -99,8 +109,7 @@ export function registerProductsCreateRoutes(app, deps) {
                 if (type === 'title_substring' && !String(title).includes(value))
                     continue;
                 try {
-                    db.prepare(`INSERT INTO product_aliases (id, product_id, alias_type, alias_value, min_match_chars) VALUES (?,?,?,?,6)`)
-                        .run(generateId('pal'), id, type, value);
+                    await dbRun(`INSERT INTO product_aliases (id, product_id, alias_type, alias_value, min_match_chars) VALUES (?,?,?,?,6)`, [generateId('pal'), id, type, value]);
                     n++;
                 }
                 catch { }
@@ -110,48 +119,54 @@ export function registerProductsCreateRoutes(app, deps) {
         let linkConflict = null;
         if (source_url) {
             // 另一家卖家已认领此链接（verified=1）
-            const otherClaim = db.prepare(`
+            const otherClaim = await dbOne(`
         SELECT pel.product_id FROM product_external_links pel
         JOIN products p ON pel.product_id = p.id
         WHERE pel.url = ? AND pel.verified = 1 AND p.seller_id != ?
-      `).get(source_url, user.id);
+      `, [source_url, user.id]);
             if (otherClaim) {
-                // 插入为未验证状态
-                db.prepare(`INSERT OR IGNORE INTO product_external_links
-          (id, product_id, url, source, verified, verify_note, platform, external_id, external_title)
-          VALUES (?, ?, ?, 'import', 0, '链接冲突：等待众包验证确认归属', ?, ?, ?)`).run(generateId('lnk'), id, source_url, sourceMeta?.platform ?? null, sourceMeta?.external_id ?? null, externalTitleVal);
                 // 创建认领验证任务（扣锁定费）
                 const VERIFIERS_NEEDED = 1;
                 const REWARD_EACH = 0.1;
                 const feeLocked = VERIFIERS_NEEDED * REWARD_EACH;
-                const walletNow = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
                 const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
                 const code = Array.from({ length: 8 }, () => chars[Math.floor(Math.random() * chars.length)]).join('');
+                const linkId2 = generateId('lnk');
                 const taskId = generateId('vtk');
                 const expiresAt = new Date(Date.now() + 72 * 3600_000).toISOString();
                 const baseMsg = `此商品来源链接已被其他商家认领。请将验证码 [${code}] 放入该平台商品标题或描述，等待人工审核确认后归属自动转移。`;
-                if (walletNow.balance >= feeLocked) {
-                    try {
+                // 冲突解析原子段:INSERT 冲突链接 + 商品转 warehouse + (余额够则)守恒扣验证费 + INSERT 验证任务。
+                // 扣费用 WHERE balance >= fee 守恒;不够则不建任务(feeOk=false → 手动验证文案),链接/仓库仍落。
+                let feeOk = false;
+                try {
+                    feeOk = db.transaction(() => {
+                        db.prepare(`INSERT OR IGNORE INTO product_external_links
+              (id, product_id, url, source, verified, verify_note, platform, external_id, external_title)
+              VALUES (?, ?, ?, 'import', 0, '链接冲突：等待众包验证确认归属', ?, ?, ?)`)
+                            .run(linkId2, id, source_url, sourceMeta?.platform ?? null, sourceMeta?.external_id ?? null, externalTitleVal);
+                        db.prepare(`UPDATE products SET status='warehouse', updated_at=datetime('now') WHERE id=?`).run(id);
+                        const debit = db.prepare(`UPDATE wallets SET balance = balance - ? WHERE user_id = ? AND balance >= ?`).run(feeLocked, user.id, feeLocked);
+                        if (debit.changes === 0)
+                            return false;
                         db.prepare(`INSERT INTO verify_tasks (id, type, product_id, url, code, verifiers_needed, reward_per_verifier, fee_locked, status, expires_at)
               VALUES (?,?,?,?,?,?,?,?,'code_issued',?)`).run(taskId, 'code_check', id, source_url, code, VERIFIERS_NEEDED, REWARD_EACH, feeLocked, expiresAt);
-                        db.prepare(`UPDATE wallets SET balance = balance - ? WHERE user_id = ?`).run(feeLocked, user.id);
-                        linkConflict = { task_id: taskId, code: `[${code}]`, expires_at: expiresAt, message: baseMsg };
-                    }
-                    catch {
-                        linkConflict = { message: `${baseMsg}（余额不足以锁定验证费 ${feeLocked} WAZ，请前往商品外部链接手动发起验证）` };
-                    }
+                        return true;
+                    })();
                 }
-                else {
-                    linkConflict = { message: `${baseMsg}（当前余额不足以锁定验证费 ${feeLocked} WAZ，请充值后前往商品编辑页手动发起验证）` };
+                catch (e) {
+                    console.error('[products-create conflict tx]', e.message);
+                    return void res.status(500).json({ error: '创建失败,请重试' });
                 }
-                // 有冲突：商品进入仓库，等待验证结果后再上架
-                db.prepare(`UPDATE products SET status='warehouse', updated_at=datetime('now') WHERE id=?`).run(id);
+                linkConflict = feeOk
+                    ? { task_id: taskId, code: `[${code}]`, expires_at: expiresAt, message: baseMsg }
+                    : { message: `${baseMsg}（当前余额不足以锁定验证费 ${feeLocked} WAZ，请充值后前往商品编辑页手动发起验证）` };
             }
             else {
                 // 无冲突 — 直接 verified=1
-                db.prepare(`INSERT OR IGNORE INTO product_external_links
+                await dbRun(`INSERT OR IGNORE INTO product_external_links
           (id, product_id, url, source, verified, verified_at, platform, external_id, external_title)
-          VALUES (?, ?, ?, 'import', 1, datetime('now'), ?, ?, ?)`).run(generateId('lnk'), id, source_url, sourceMeta?.platform ?? null, sourceMeta?.external_id ?? null, externalTitleVal);
+          VALUES (?, ?, ?, 'import', 1, datetime('now'), ?, ?, ?)`, [generateId('lnk'), id, source_url,
+                    sourceMeta?.platform ?? null, sourceMeta?.external_id ?? null, externalTitleVal]);
             }
         }
         // 额外链接：同步冲突检查（最多 5 个）
@@ -161,25 +176,25 @@ export function registerProductsCreateRoutes(app, deps) {
             for (const extraUrl of additionalLinks.slice(0, 5)) {
                 if (typeof extraUrl !== 'string' || !extraUrl.startsWith('http'))
                     continue;
-                const alreadyLinked = db.prepare('SELECT id FROM product_external_links WHERE product_id = ? AND url = ?').get(id, extraUrl);
+                const alreadyLinked = await dbOne('SELECT id FROM product_external_links WHERE product_id = ? AND url = ?', [id, extraUrl]);
                 if (alreadyLinked)
                     continue;
                 // 同卖家已在其他商品关联过此链接
-                const selfConflict = db.prepare(`
+                const selfConflict = await dbOne(`
           SELECT p.title FROM product_external_links pel
           JOIN products p ON pel.product_id = p.id
           WHERE pel.url = ? AND p.seller_id = ? AND p.id != ?
-        `).get(extraUrl, user.id, id);
+        `, [extraUrl, user.id, id]);
                 if (selfConflict) {
                     blockedLinks.push({ url: extraUrl, message: `您已在商品「${selfConflict.title}」中关联了此链接` });
                     continue;
                 }
                 // 他人已认领（verified=1）
-                const otherConflict = db.prepare(`
+                const otherConflict = await dbOne(`
           SELECT p.title FROM product_external_links pel
           JOIN products p ON pel.product_id = p.id
           WHERE pel.url = ? AND pel.verified = 1 AND p.seller_id != ?
-        `).get(extraUrl, user.id);
+        `, [extraUrl, user.id]);
                 if (otherConflict) {
                     blockedLinks.push({ url: extraUrl, message: `此链接已被其他商家认领，上架后可在商品编辑页发起验证任务` });
                     continue;
@@ -187,9 +202,9 @@ export function registerProductsCreateRoutes(app, deps) {
                 // 无冲突 — 直接 verified=1
                 try {
                     const extraMeta = parsePlatformUrl(extraUrl);
-                    db.prepare(`INSERT OR IGNORE INTO product_external_links
+                    await dbRun(`INSERT OR IGNORE INTO product_external_links
             (id, product_id, url, source, verified, verified_at, platform, external_id)
-            VALUES (?, ?, ?, 'import_extra', 1, datetime('now'), ?, ?)`).run(generateId('lnk'), id, extraUrl, extraMeta?.platform ?? null, extraMeta?.external_id ?? null);
+            VALUES (?, ?, ?, 'import_extra', 1, datetime('now'), ?, ?)`, [generateId('lnk'), id, extraUrl, extraMeta?.platform ?? null, extraMeta?.external_id ?? null]);
                 }
                 catch { }
             }

package/dist/pwa/routes/products-crud.js

@@ -1,31 +1,32 @@
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerProductsCrudRoutes(app, deps) {
     const { db, auth, errorRes, formatProductForAgent, retireAnchorsByTarget } = deps;
     // 单品详情（agent verify price 时使用）
     // 卖家可查看自己的非上架商品（编辑页用），其他人只能看 active
-    app.get('/api/products/:id', (req, res) => {
+    app.get('/api/products/:id', async (req, res) => {
         const token = (req.headers.authorization || '').replace('Bearer ', '');
-        const selfUser = token ? db.prepare('SELECT id FROM users WHERE api_key = ?').get(token) : undefined;
-        const row = db.prepare(`
+        const selfUser = token ? await dbOne('SELECT id FROM users WHERE api_key = ?', [token]) : undefined;
+        const row = await dbOne(`
       SELECT p.*, u.name as seller_name,
         COALESCE(rs.total_points, 0) as rep_points, COALESCE(rs.level, 'new') as rep_level
       FROM products p
       JOIN users u ON p.seller_id = u.id
       LEFT JOIN reputation_scores rs ON rs.user_id = p.seller_id
       WHERE p.id = ? AND (p.status = 'active' OR p.seller_id = ?)
-    `).get(req.params.id, selfUser?.id ?? '');
+    `, [req.params.id, selfUser?.id ?? '']);
         if (!row)
             return void res.status(404).json({ error: 'not_found' });
         res.json(formatProductForAgent(row, req));
     });
     // 状态切换（active / warehouse / deleted）
-    app.patch('/api/products/:id/status', (req, res) => {
+    app.patch('/api/products/:id/status', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const { status } = req.body;
         if (!['active', 'warehouse', 'deleted'].includes(status))
             return void res.json({ error: '无效状态值' });
-        const product = db.prepare('SELECT id, claim_loss_count FROM products WHERE id = ? AND seller_id = ?').get(req.params.id, user.id);
+        const product = await dbOne('SELECT id, claim_loss_count FROM products WHERE id = ? AND seller_id = ?', [req.params.id, user.id]);
         if (!product)
             return void res.status(404).json({ error: '商品不存在或无权限' });
         if (status === 'active') {
@@ -33,33 +34,33 @@ export function registerProductsCrudRoutes(app, deps) {
             if ((product.claim_loss_count || 0) >= 3) {
                 return void errorRes(res, 403, 'CLAIM_THRESHOLD_REACHED', `该商品累计 ${product.claim_loss_count} 次声明被验证不实，已达自动下架阈值。需 admin 干预方可重新上架，请联系管理员。`);
             }
-            const pendingTask = db.prepare(`SELECT id FROM verify_tasks WHERE product_id=? AND status IN ('code_issued','open')`).get(req.params.id);
+            const pendingTask = await dbOne(`SELECT id FROM verify_tasks WHERE product_id=? AND status IN ('code_issued','open')`, [req.params.id]);
             if (pendingTask)
                 return void res.json({ error: '链接核验进行中，请等待验证结果后再上架' });
-            const hasRevoked = db.prepare(`SELECT id FROM product_external_links WHERE product_id=? AND revoked=1`).get(req.params.id);
-            const hasValid = db.prepare(`SELECT id FROM product_external_links WHERE product_id=? AND verified=1 AND (revoked IS NULL OR revoked=0)`).get(req.params.id);
+            const hasRevoked = await dbOne(`SELECT id FROM product_external_links WHERE product_id=? AND revoked=1`, [req.params.id]);
+            const hasValid = await dbOne(`SELECT id FROM product_external_links WHERE product_id=? AND verified=1 AND (revoked IS NULL OR revoked=0)`, [req.params.id]);
             if (hasRevoked && !hasValid)
                 return void res.json({ error: '所有外部链接已失效（主权失效），请先添加新链接后再上架' });
         }
-        db.prepare(`UPDATE products SET status = ?, updated_at = datetime('now') WHERE id = ?`).run(status, req.params.id);
+        await dbRun(`UPDATE products SET status = ?, updated_at = datetime('now') WHERE id = ?`, [status, req.params.id]);
         res.json({ success: true });
     });
     // 硬删（仅 deleted 状态 + 无进行中订单）
-    app.delete('/api/products/:id', (req, res) => {
+    app.delete('/api/products/:id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const product = db.prepare('SELECT * FROM products WHERE id = ? AND seller_id = ?').get(req.params.id, user.id);
+        const product = await dbOne('SELECT * FROM products WHERE id = ? AND seller_id = ?', [req.params.id, user.id]);
         if (!product)
             return void res.status(404).json({ error: '商品不存在或无权限' });
         if (product.status !== 'deleted')
             return void res.json({ error: '请先将商品移入回收箱' });
-        const activeOrders = db.prepare(`
+        const activeOrders = (await dbOne(`
       SELECT COUNT(*) as n FROM orders WHERE product_id = ? AND status NOT IN ('completed','cancelled','refunded','expired')
-    `).get(req.params.id);
+    `, [req.params.id]));
         if (activeOrders.n > 0)
             return void res.json({ error: '该商品有进行中的订单，暂无法删除' });
-        db.prepare('DELETE FROM product_external_links WHERE product_id = ?').run(req.params.id);
+        await dbRun('DELETE FROM product_external_links WHERE product_id = ?', [req.params.id]);
         // E1 anchor GC: 指向该 product 的 active anchor → retired
         try {
             retireAnchorsByTarget(db, 'product', String(req.params.id));
@@ -67,7 +68,7 @@ export function registerProductsCrudRoutes(app, deps) {
         catch (e) {
             console.warn('[anchor-gc product]', e.message);
         }
-        db.prepare('DELETE FROM products WHERE id = ?').run(req.params.id);
+        await dbRun('DELETE FROM products WHERE id = ?', [req.params.id]);
         res.json({ success: true });
     });
 }

package/dist/pwa/routes/products-links.js

@@ -1,23 +1,26 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerProductsLinksRoutes(app, deps) {
+    // 只读/单写站点走 RFC-016 异步 seam;db 保留:认领冲突分支是 fee-lock 资金路径,
+    // INSERT 链接 + INSERT 验证任务 + 钱包扣费必须原子(db.transaction + 守恒/dup guard),Phase 3 迁 pg 行锁。
     const { db, auth, generateId, extractUrlFromText, extractTitleFromText, parsePlatformUrl } = deps;
-    app.get('/api/products/:id/links', (req, res) => {
+    app.get('/api/products/:id/links', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const product = db.prepare('SELECT seller_id FROM products WHERE id = ?').get(req.params.id);
+        const product = await dbOne('SELECT seller_id FROM products WHERE id = ?', [req.params.id]);
         if (!product)
             return void res.status(404).json({ error: '商品不存在' });
         if (product.seller_id !== user.id)
             return void res.status(403).json({ error: '无权限' });
-        const links = db.prepare(`SELECT id, url, source, verified, revoked, verify_note, added_at, platform, external_id, external_title FROM product_external_links WHERE product_id = ? ORDER BY added_at ASC`).all(req.params.id);
+        const links = await dbAll(`SELECT id, url, source, verified, revoked, verify_note, added_at, platform, external_id, external_title FROM product_external_links WHERE product_id = ? ORDER BY added_at ASC`, [req.params.id]);
         res.json(links);
     });
     // 新链接（无人认领）直接 verified=1；已被他人认领则发起众包验证任务
-    app.post('/api/products/:id/links', (req, res) => {
+    app.post('/api/products/:id/links', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const product = db.prepare('SELECT * FROM products WHERE id = ? AND seller_id = ?').get(req.params.id, user.id);
+        const product = await dbOne('SELECT * FROM products WHERE id = ? AND seller_id = ?', [req.params.id, user.id]);
         if (!product)
             return void res.status(404).json({ error: '商品不存在或无权限' });
         // 支持两种 body：(a) {url, external_title?} (b) {text}
@@ -34,44 +37,42 @@ export function registerProductsLinksRoutes(app, deps) {
         // 精准匹配原则：external_title 必须显式输入，不 fallback 到 product.title
         const linkExternalTitle = bodyExternalTitle && bodyExternalTitle.trim() ? bodyExternalTitle.trim() : null;
         // 已关联此商品
-        const existing = db.prepare('SELECT id, verified, revoked FROM product_external_links WHERE product_id = ? AND url = ?')
-            .get(req.params.id, url);
+        const existing = await dbOne('SELECT id, verified, revoked FROM product_external_links WHERE product_id = ? AND url = ?', [req.params.id, url]);
         if (existing) {
             // 主权失效的旧记录：删除后允许重新发起认领
             if (existing.revoked) {
-                db.prepare('DELETE FROM product_external_links WHERE id = ?').run(existing.id);
+                await dbRun('DELETE FROM product_external_links WHERE id = ?', [existing.id]);
             }
             else {
                 return void res.json({ error: '该链接已关联到此商品' });
             }
         }
         // 同卖家的其他商品已关联此链接
-        const sameSellerOther = db.prepare(`
+        const sameSellerOther = await dbOne(`
       SELECT p.title FROM product_external_links pel
       JOIN products p ON pel.product_id = p.id
       WHERE pel.url = ? AND p.seller_id = ? AND pel.product_id != ?
-    `).get(url, user.id, req.params.id);
+    `, [url, user.id, req.params.id]);
         if (sameSellerOther) {
             return void res.json({ error: `此链接已在您的商品「${sameSellerOther.title}」中关联，一个链接不能关联多个商品` });
         }
         // 是否已被其他卖家 verified 认领
-        const otherClaim = db.prepare(`
+        const otherClaim = await dbOne(`
       SELECT p.title as product_title FROM product_external_links pel
       JOIN products p ON pel.product_id = p.id
       WHERE pel.url = ? AND pel.verified = 1 AND p.seller_id != ?
-    `).get(url, user.id);
+    `, [url, user.id]);
         if (!otherClaim) {
             // 新链接，无冲突：直接 verified=1
             const linkId = generateId('lnk');
             const meta = parsePlatformUrl(url);
-            db.prepare(`INSERT INTO product_external_links
+            await dbRun(`INSERT INTO product_external_links
         (id, product_id, url, source, verified, verified_at, platform, external_id, external_title)
-        VALUES (?, ?, ?, 'manual', 1, datetime('now'), ?, ?, ?)`).run(linkId, req.params.id, url, meta?.platform ?? null, meta?.external_id ?? null, linkExternalTitle);
+        VALUES (?, ?, ?, 'manual', 1, datetime('now'), ?, ?, ?)`, [linkId, req.params.id, url, meta?.platform ?? null, meta?.external_id ?? null, linkExternalTitle]);
             return void res.json({ link_id: linkId, verified: 1, external_title: linkExternalTitle, message: '链接已关联' });
         }
         // 已被他人认领：发起众包验证任务
-        const existingTask = db.prepare(`SELECT id, code, status, expires_at FROM verify_tasks WHERE product_id = ? AND url = ? AND status IN ('code_issued','open')`)
-            .get(req.params.id, url);
+        const existingTask = await dbOne(`SELECT id, code, status, expires_at FROM verify_tasks WHERE product_id = ? AND url = ? AND status IN ('code_issued','open')`, [req.params.id, url]);
         if (existingTask) {
             const isPending = existingTask.status === 'code_issued';
             return void res.json({
@@ -89,7 +90,8 @@ export function registerProductsLinksRoutes(app, deps) {
         const VERIFIERS_NEEDED = 1;
         const REWARD_EACH = 0.1;
         const feeLocked = VERIFIERS_NEEDED * REWARD_EACH;
-        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        // 友好预检查(读):真正的守恒门在事务内(WHERE balance >= feeLocked)。
+        const wallet = (await dbOne('SELECT balance FROM wallets WHERE user_id = ?', [user.id]));
         if (wallet.balance < feeLocked) {
             return void res.json({ error: `余额不足：认领验证需锁定 ${feeLocked} WAZ，当前余额 ${wallet.balance} WAZ` });
         }
@@ -100,12 +102,33 @@ export function registerProductsLinksRoutes(app, deps) {
         const taskId = generateId('vtk');
         const expiresAt = new Date(Date.now() + 72 * 3600_000).toISOString();
         const claimMeta = parsePlatformUrl(url);
-        db.prepare(`INSERT INTO product_external_links
-      (id, product_id, url, source, verified, verify_note, platform, external_id, external_title)
-      VALUES (?, ?, ?, 'manual', 0, '认领验证进行中', ?, ?, ?)`).run(linkId, req.params.id, url, claimMeta?.platform ?? null, claimMeta?.external_id ?? null, linkExternalTitle);
-        db.prepare(`INSERT INTO verify_tasks (id, type, product_id, url, code, verifiers_needed, reward_per_verifier, fee_locked, status, expires_at)
-      VALUES (?,?,?,?,?,?,?,?,'code_issued',?)`).run(taskId, 'claim', req.params.id, url, code, VERIFIERS_NEEDED, REWARD_EACH, feeLocked, expiresAt);
-        db.prepare(`UPDATE wallets SET balance = balance - ? WHERE user_id = ?`).run(feeLocked, user.id);
+        // fee-lock 原子段:重检无进行中任务(防双任务双锁费)+ 钱包扣费(守恒 guard)+ INSERT 链接 + INSERT 验证任务。
+        try {
+            db.transaction(() => {
+                const dupTask = db.prepare(`SELECT id FROM verify_tasks WHERE product_id = ? AND url = ? AND status IN ('code_issued','open')`).get(req.params.id, url);
+                if (dupTask)
+                    throw new Error('LINK_TASK_EXISTS');
+                const debit = db.prepare(`UPDATE wallets SET balance = balance - ? WHERE user_id = ? AND balance >= ?`).run(feeLocked, user.id, feeLocked);
+                if (debit.changes === 0)
+                    throw new Error('LINK_INSUFFICIENT');
+                db.prepare(`INSERT INTO product_external_links
+          (id, product_id, url, source, verified, verify_note, platform, external_id, external_title)
+          VALUES (?, ?, ?, 'manual', 0, '认领验证进行中', ?, ?, ?)`)
+                    .run(linkId, req.params.id, url, claimMeta?.platform ?? null, claimMeta?.external_id ?? null, linkExternalTitle);
+                db.prepare(`INSERT INTO verify_tasks (id, type, product_id, url, code, verifiers_needed, reward_per_verifier, fee_locked, status, expires_at)
+          VALUES (?,?,?,?,?,?,?,?,'code_issued',?)`)
+                    .run(taskId, 'claim', req.params.id, url, code, VERIFIERS_NEEDED, REWARD_EACH, feeLocked, expiresAt);
+            })();
+        }
+        catch (e) {
+            const msg = e.message;
+            if (msg === 'LINK_TASK_EXISTS')
+                return void res.json({ error: '此链接已有进行中的认领任务，请刷新页面查看' });
+            if (msg === 'LINK_INSUFFICIENT')
+                return void res.json({ error: `余额不足：认领验证需锁定 ${feeLocked} WAZ` });
+            console.error('[products-links claim tx]', msg);
+            return void res.status(500).json({ error: '发起认领失败,请重试' });
+        }
         res.json({
             link_id: linkId,
             task_id: taskId,
@@ -116,14 +139,14 @@ export function registerProductsLinksRoutes(app, deps) {
             expires_at: expiresAt,
         });
     });
-    app.delete('/api/products/:id/links/:linkId', (req, res) => {
+    app.delete('/api/products/:id/links/:linkId', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const product = db.prepare('SELECT seller_id FROM products WHERE id = ?').get(req.params.id);
+        const product = await dbOne('SELECT seller_id FROM products WHERE id = ?', [req.params.id]);
         if (!product || product.seller_id !== user.id)
             return void res.status(403).json({ error: '无权限' });
-        db.prepare('DELETE FROM product_external_links WHERE id = ? AND product_id = ?').run(req.params.linkId, req.params.id);
+        await dbRun('DELETE FROM product_external_links WHERE id = ? AND product_id = ?', [req.params.linkId, req.params.id]);
         res.json({ success: true });
     });
 }

package/dist/pwa/routes/products-list.js

@@ -1,7 +1,9 @@
 import { createHmac } from 'crypto';
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerProductsListRoutes(app, deps) {
-    const { db, getUser, VALID_PRODUCT_TYPES, RAW_MODE_MIN_TRUST, getAgentTrustCached, VALID_SORTS, PRODUCT_LIMITS, TRENDING_SCORE_EXPR, findProductsByAlias, decodeProductCursor, encodeProductCursor, MASTER_SEED, formatProductForAgent } = deps;
-    app.get('/api/products', (req, res) => {
+    // db 已走 RFC-016 异步 seam(dbOne/dbAll),不再直接用 deps.db
+    const { getUser, VALID_PRODUCT_TYPES, RAW_MODE_MIN_TRUST, getAgentTrustCached, VALID_SORTS, PRODUCT_LIMITS, TRENDING_SCORE_EXPR, findProductsByAlias, decodeProductCursor, encodeProductCursor, MASTER_SEED, formatProductForAgent } = deps;
+    app.get('/api/products', async (req, res) => {
         const { q = '', category, max_price, min_return_days, max_handling_hours, has_sales, ship_to, mode: modeRaw = 'pwa', sort: sortRaw, cursor, limit: limitRaw, seller_id, product_type: productTypeRaw, fuzzy: fuzzyRaw, since_days: sinceDaysRaw } = req.query;
         let mode = modeRaw === 'agent' ? 'agent' : (modeRaw === 'raw' ? 'raw' : 'pwa');
         // fuzzy=true → 发现页用，模糊 LIKE；否则用协议级 alias 精确匹配（智能下单页）
@@ -213,7 +215,7 @@ export function registerProductsListRoutes(app, deps) {
         const finalParams = [...params, ...cursorParams, buffer];
         let candidates;
         try {
-            candidates = db.prepare(sql).all(...finalParams);
+            candidates = await dbAll(sql, finalParams);
         }
         catch (e) {
             console.error('[/api/products] sql error:', e, '\nSQL:', sql);
@@ -296,7 +298,7 @@ export function registerProductsListRoutes(app, deps) {
                 nextCursor = encodeProductCursor(Number(anchor.trending_score) || 0, String(anchor.id));
             }
             else {
-                const jd = db.prepare(`SELECT julianday(?) as j`).get(anchor.created_at).j;
+                const jd = (await dbOne(`SELECT julianday(?) as j`, [anchor.created_at])).j;
                 nextCursor = encodeProductCursor(jd, String(anchor.id));
             }
         }