npm - @seasonkoh/webaz - Versions diffs - 0.1.23 → 0.1.25 - Mend

@seasonkoh/webaz 0.1.23 → 0.1.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (187) hide show

package/README.md +2 -0
package/dist/layer0-foundation/L0-1-database/db-backends/pg-backend.js +51 -0
package/dist/layer0-foundation/L0-1-database/db-backends/sql-dialect-datetime.js +437 -0
package/dist/layer0-foundation/L0-1-database/db-backends/sql-placeholders.js +98 -0
package/dist/layer0-foundation/L0-1-database/db.js +65 -0
package/dist/layer0-foundation/L0-2-state-machine/order-chain.js +13 -11
package/dist/layer0-foundation/L0-2-state-machine/transitions.js +1 -1
package/dist/layer0-foundation/L0-5-manifest/manifest.js +13 -11
package/dist/layer1-agent/L1-1-mcp-server/server.js +198 -83
package/dist/layer1-agent/L1-2-external-anchor/anchor-engine.js +14 -12
package/dist/layer2-business/L2-6-notifications/notification-engine.js +8 -5
package/dist/layer2-business/L2-7-snf/snf-engine.js +16 -14
package/dist/layer2-business/L2-8-feedback/build-feedback-engine.js +18 -10
package/dist/layer2-business/L2-9-contribution/build-reputation-engine.js +37 -23
package/dist/layer2-business/L2-9-contribution/build-task-agent-metadata-store.js +173 -0
package/dist/layer2-business/L2-9-contribution/build-task-participation.js +47 -0
package/dist/layer2-business/L2-9-contribution/build-task-read.js +222 -0
package/dist/layer2-business/L2-9-contribution/build-tasks-engine.js +10 -2
package/dist/layer2-business/L2-9-contribution/canonical-contribution-target.js +16 -0
package/dist/layer2-business/L2-9-contribution/contribution-display-envelope.js +40 -0
package/dist/layer2-business/L2-9-contribution/contribution-score-contract.js +36 -0
package/dist/layer2-business/L2-9-contribution/contribution-score-evidence.js +61 -0
package/dist/layer2-business/L2-9-contribution/github-credential/canonical.js +60 -0
package/dist/layer2-business/L2-9-contribution/github-credential/github-credential.schema.js +140 -0
package/dist/layer2-business/L2-9-contribution/github-credential/github-fetch-adapter.js +437 -0
package/dist/layer2-business/L2-9-contribution/github-credential/self-consistency.js +38 -0
package/dist/layer2-business/L2-9-contribution/github-credential/verifier.js +231 -0
package/dist/layer2-business/L2-9-contribution/github-credential-ingestion-engine.js +145 -0
package/dist/layer2-business/L2-9-contribution/github-credential-store.js +115 -0
package/dist/layer2-business/L2-9-contribution/identity-binding-engine.js +134 -0
package/dist/layer2-business/L2-9-contribution/identity-binding-store.js +101 -0
package/dist/layer2-business/L2-9-contribution/identity-claim-challenge-engine.js +126 -0
package/dist/layer2-business/L2-9-contribution/identity-claim-challenge-store.js +30 -0
package/dist/layer2-business/L2-9-contribution/identity-claim-engine.js +109 -0
package/dist/layer2-business/L2-9-contribution/identity-claim-fact-precondition.js +22 -0
package/dist/layer2-business/L2-9-contribution/identity-claim-proof-verifier.js +97 -0
package/dist/layer2-business/L2-9-contribution/identity-claim-read.js +59 -0
package/dist/layer2-business/L2-9-contribution/task-proposal-store.js +129 -0
package/dist/layer2-business/L2-notes/note-photo-storage.js +4 -2
package/dist/layer3-trust/L3-1-dispute-engine/dispute-engine.js +17 -15
package/dist/layer3-trust/L3-1-dispute-engine/evidence-storage.js +11 -8
package/dist/layer4-economics/L4-3-reputation/reputation-engine.js +9 -8
package/dist/layer4-economics/L4-4-skill-market/skill-engine.js +11 -8
package/dist/layer4-economics/L4-4-skill-market/skill-listing-engine.js +22 -16
package/dist/pwa/acp-feed.js +13 -1
package/dist/pwa/contract-fingerprint.js +2 -0
package/dist/pwa/endpoint-actions.js +5 -1
package/dist/pwa/goal-index.js +8 -8
package/dist/pwa/human-presence.js +62 -0
package/dist/pwa/public/app.js +575 -68
package/dist/pwa/public/i18n.js +29 -20
package/dist/pwa/public/index.html +1 -0
package/dist/pwa/public/openapi.json +2 -2
package/dist/pwa/rate-limit.js +22 -0
package/dist/pwa/routes/account-deletion.js +15 -13
package/dist/pwa/routes/addresses.js +10 -9
package/dist/pwa/routes/admin-admins.js +13 -14
package/dist/pwa/routes/admin-analytics.js +109 -69
package/dist/pwa/routes/admin-catalog.js +13 -11
package/dist/pwa/routes/admin-editor-picks.js +15 -10
package/dist/pwa/routes/admin-events.js +5 -3
package/dist/pwa/routes/admin-health.js +2 -1
package/dist/pwa/routes/admin-moderation.js +26 -29
package/dist/pwa/routes/admin-ops.js +22 -21
package/dist/pwa/routes/admin-protocol-params.js +16 -19
package/dist/pwa/routes/admin-reports.js +23 -21
package/dist/pwa/routes/admin-tokenomics.js +26 -25
package/dist/pwa/routes/admin-users-lifecycle.js +37 -40
package/dist/pwa/routes/admin-users-query.js +54 -53
package/dist/pwa/routes/admin-verifier-flow.js +82 -41
package/dist/pwa/routes/admin-verifier-whitelist.js +55 -27
package/dist/pwa/routes/admin-wallet-ops.js +7 -5
package/dist/pwa/routes/agent-buy.js +46 -22
package/dist/pwa/routes/agent-governance.js +52 -56
package/dist/pwa/routes/ai.js +7 -5
package/dist/pwa/routes/analytics.js +43 -41
package/dist/pwa/routes/anchors.js +19 -20
package/dist/pwa/routes/announcements.js +13 -13
package/dist/pwa/routes/arbitrator.js +97 -31
package/dist/pwa/routes/auction.js +153 -114
package/dist/pwa/routes/auth-login.js +6 -4
package/dist/pwa/routes/auth-read.js +11 -9
package/dist/pwa/routes/auth-register.js +35 -20
package/dist/pwa/routes/auth-sessions.js +12 -11
package/dist/pwa/routes/blocklist.js +16 -15
package/dist/pwa/routes/build-feedback.js +10 -9
package/dist/pwa/routes/build-reputation.js +6 -2
package/dist/pwa/routes/build-tasks.js +45 -13
package/dist/pwa/routes/buyer-feeds.js +27 -25
package/dist/pwa/routes/cart.js +16 -15
package/dist/pwa/routes/charity.js +212 -150
package/dist/pwa/routes/chat.js +42 -43
package/dist/pwa/routes/checkin-tasks.js +10 -9
package/dist/pwa/routes/checkout-helpers.js +12 -10
package/dist/pwa/routes/claim-initiators.js +34 -14
package/dist/pwa/routes/claim-verify.js +86 -53
package/dist/pwa/routes/claim-voting.js +43 -18
package/dist/pwa/routes/contribution-identity.js +147 -0
package/dist/pwa/routes/contribution-score.js +19 -0
package/dist/pwa/routes/coupons.js +19 -16
package/dist/pwa/routes/dashboards.js +18 -16
package/dist/pwa/routes/dispute-cases.js +25 -24
package/dist/pwa/routes/disputes-read.js +45 -51
package/dist/pwa/routes/disputes-write.js +124 -61
package/dist/pwa/routes/evidence.js +9 -9
package/dist/pwa/routes/external-anchors.js +13 -12
package/dist/pwa/routes/feedback.js +29 -33
package/dist/pwa/routes/flash-sales.js +18 -16
package/dist/pwa/routes/follows.js +25 -24
package/dist/pwa/routes/governance-auto-deactivate.js +21 -9
package/dist/pwa/routes/governance-onboarding.js +70 -59
package/dist/pwa/routes/group-buys.js +22 -22
package/dist/pwa/routes/growth.js +33 -30
package/dist/pwa/routes/import-product.js +12 -10
package/dist/pwa/routes/kyc.js +9 -8
package/dist/pwa/routes/leaderboard.js +20 -18
package/dist/pwa/routes/listings.js +23 -22
package/dist/pwa/routes/logistics.js +10 -8
package/dist/pwa/routes/manifests.js +27 -27
package/dist/pwa/routes/me-data.js +23 -21
package/dist/pwa/routes/notifications.js +7 -6
package/dist/pwa/routes/offers.js +30 -12
package/dist/pwa/routes/orders-action.js +33 -17
package/dist/pwa/routes/orders-create.js +75 -20
package/dist/pwa/routes/orders-read.js +21 -20
package/dist/pwa/routes/p2p-products.js +30 -18
package/dist/pwa/routes/payments-governance.js +61 -56
package/dist/pwa/routes/peers.js +9 -8
package/dist/pwa/routes/pin-receipts.js +13 -13
package/dist/pwa/routes/products-aliases.js +12 -10
package/dist/pwa/routes/products-claims.js +36 -17
package/dist/pwa/routes/products-create.js +53 -38
package/dist/pwa/routes/products-crud.js +17 -16
package/dist/pwa/routes/products-links.js +49 -26
package/dist/pwa/routes/products-list.js +6 -4
package/dist/pwa/routes/products-meta.js +40 -39
package/dist/pwa/routes/products-update.js +19 -5
package/dist/pwa/routes/profile-credentials.js +14 -16
package/dist/pwa/routes/profile-identity.js +14 -13
package/dist/pwa/routes/profile-location.js +7 -6
package/dist/pwa/routes/profile-placement.js +19 -17
package/dist/pwa/routes/profile-prefs.js +11 -11
package/dist/pwa/routes/promoter.js +55 -49
package/dist/pwa/routes/public-build-tasks.js +19 -0
package/dist/pwa/routes/public-utils.js +108 -46
package/dist/pwa/routes/push.js +16 -15
package/dist/pwa/routes/ratings.js +30 -30
package/dist/pwa/routes/recover-key.js +13 -12
package/dist/pwa/routes/referral.js +37 -32
package/dist/pwa/routes/reputation.js +3 -2
package/dist/pwa/routes/returns.js +76 -73
package/dist/pwa/routes/reviews.js +41 -18
package/dist/pwa/routes/rewards-apply.js +16 -15
package/dist/pwa/routes/rewards-auto-downgrade.js +9 -7
package/dist/pwa/routes/rewards-escrow-expire.js +7 -5
package/dist/pwa/routes/rfqs.js +163 -85
package/dist/pwa/routes/search.js +16 -14
package/dist/pwa/routes/secondhand.js +25 -22
package/dist/pwa/routes/seller-quota.js +24 -26
package/dist/pwa/routes/share-redirects.js +59 -55
package/dist/pwa/routes/shareables-interactions.js +34 -35
package/dist/pwa/routes/shareables.js +55 -51
package/dist/pwa/routes/shop-referral.js +57 -0
package/dist/pwa/routes/shops.js +20 -18
package/dist/pwa/routes/signaling.js +10 -9
package/dist/pwa/routes/skill-market.js +16 -16
package/dist/pwa/routes/skills.js +15 -14
package/dist/pwa/routes/snf.js +14 -13
package/dist/pwa/routes/tags.js +10 -9
package/dist/pwa/routes/task-proposals.js +45 -0
package/dist/pwa/routes/trial.js +69 -51
package/dist/pwa/routes/trusted-kpi.js +20 -18
package/dist/pwa/routes/url-claim.js +67 -28
package/dist/pwa/routes/users-public.js +62 -60
package/dist/pwa/routes/variants.js +12 -13
package/dist/pwa/routes/verifier-user.js +61 -21
package/dist/pwa/routes/verify-tasks.js +49 -25
package/dist/pwa/routes/waitlist.js +16 -15
package/dist/pwa/routes/wallet-read.js +74 -36
package/dist/pwa/routes/wallet-write.js +12 -9
package/dist/pwa/routes/webauthn.js +25 -26
package/dist/pwa/routes/webhooks.js +26 -26
package/dist/pwa/routes/welcome.js +45 -50
package/dist/pwa/routes/wishlist-qa.js +29 -32
package/dist/pwa/server.js +237 -81
package/dist/version.js +1 -1
package/package.json +47 -2

package/dist/pwa/routes/ratings.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { recordRatingReputation } from '../../layer4-economics/L4-3-reputation/reputation-engine.js';
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 const RATING_BLIND_DAYS = 14;
 function parseDim(v) {
     const n = Number(v);
@@ -7,20 +8,20 @@ function parseDim(v) {
 export function registerRatingsRoutes(app, deps) {
     const { db, generateId, auth, isTrustedRole, errorRes, broadcastSystemEvent } = deps;
     // buyer → seller 评价（一单一评，仅 completed 订单可评）
-    app.post('/api/orders/:order_id/rating', (req, res) => {
+    app.post('/api/orders/:order_id/rating', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         if (isTrustedRole(user))
             return void errorRes(res, 403, 'TRUSTED_ROLE_NO_TRADE', '受信角色无购物功能');
-        const order = db.prepare('SELECT id, buyer_id, seller_id, product_id, status FROM orders WHERE id = ?').get(req.params.order_id);
+        const order = await dbOne('SELECT id, buyer_id, seller_id, product_id, status FROM orders WHERE id = ?', [req.params.order_id]);
         if (!order)
             return void res.status(404).json({ error: '订单不存在' });
         if (order.buyer_id !== user.id)
             return void res.status(403).json({ error: '仅买家可评价' });
         if (order.status !== 'completed')
             return void res.status(400).json({ error: '订单完成后才能评价' });
-        const existing = db.prepare('SELECT order_id FROM order_ratings WHERE order_id = ?').get(order.id);
+        const existing = await dbOne('SELECT order_id FROM order_ratings WHERE order_id = ?', [order.id]);
         if (existing)
             return void res.status(400).json({ error: '已评价过，每单仅可评一次' });
         const stars = Number(req.body?.stars);
@@ -55,18 +56,18 @@ export function registerRatingsRoutes(app, deps) {
         res.json({ success: true });
     });
     // seller → buyer 反向评价
-    app.post('/api/orders/:order_id/buyer-rating', (req, res) => {
+    app.post('/api/orders/:order_id/buyer-rating', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const order = db.prepare('SELECT id, buyer_id, seller_id, status FROM orders WHERE id = ?').get(req.params.order_id);
+        const order = await dbOne('SELECT id, buyer_id, seller_id, status FROM orders WHERE id = ?', [req.params.order_id]);
         if (!order)
             return void res.status(404).json({ error: '订单不存在' });
         if (order.seller_id !== user.id)
             return void res.status(403).json({ error: '仅卖家可评价买家' });
         if (order.status !== 'completed')
             return void res.status(400).json({ error: '订单完成后才能评价' });
-        const existing = db.prepare('SELECT order_id FROM buyer_ratings WHERE order_id = ?').get(order.id);
+        const existing = await dbOne('SELECT order_id FROM buyer_ratings WHERE order_id = ?', [order.id]);
         if (existing)
             return void res.status(400).json({ error: '已评价过，每单仅可评一次' });
         const stars = Number(req.body?.stars);
@@ -96,21 +97,21 @@ export function registerRatingsRoutes(app, deps) {
         res.json({ success: true });
     });
     // 查 seller → buyer 评价（双盲遮蔽：buyer 看不到，除非自己也评过 OR 窗口到期）
-    app.get('/api/orders/:order_id/buyer-rating', (req, res) => {
+    app.get('/api/orders/:order_id/buyer-rating', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const order = db.prepare('SELECT buyer_id, seller_id FROM orders WHERE id = ?').get(req.params.order_id);
+        const order = await dbOne('SELECT buyer_id, seller_id FROM orders WHERE id = ?', [req.params.order_id]);
         if (!order)
             return void res.status(404).json({ error: '订单不存在' });
         if (order.buyer_id !== user.id && order.seller_id !== user.id) {
             return void res.status(403).json({ error: '无权查看' });
         }
-        const br = db.prepare(`SELECT stars, comment, dim_payment_speed, dim_communication, dim_responsiveness, hidden_until, created_at FROM buyer_ratings WHERE order_id = ?`).get(req.params.order_id);
+        const br = await dbOne(`SELECT stars, comment, dim_payment_speed, dim_communication, dim_responsiveness, hidden_until, created_at FROM buyer_ratings WHERE order_id = ?`, [req.params.order_id]);
         if (!br)
             return void res.json({ item: null });
         const isBuyerView = order.buyer_id === user.id;
-        const buyerAlsoRated = !!db.prepare(`SELECT order_id FROM order_ratings WHERE order_id = ?`).get(req.params.order_id);
+        const buyerAlsoRated = !!(await dbOne(`SELECT order_id FROM order_ratings WHERE order_id = ?`, [req.params.order_id]));
         const blindExpired = br.hidden_until && new Date(br.hidden_until) < new Date();
         if (isBuyerView && !buyerAlsoRated && !blindExpired) {
             return void res.json({ item: { masked: true, hidden_until: br.hidden_until, reason: 'blind_until_both_or_expire' } });
@@ -118,32 +119,32 @@ export function registerRatingsRoutes(app, deps) {
         res.json({ item: br });
     });
     // 查 buyer → seller 评价（双盲遮蔽：seller 视角同样）
-    app.get('/api/orders/:order_id/rating', (req, res) => {
+    app.get('/api/orders/:order_id/rating', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const order = db.prepare('SELECT buyer_id, seller_id FROM orders WHERE id = ?').get(req.params.order_id);
+        const order = await dbOne('SELECT buyer_id, seller_id FROM orders WHERE id = ?', [req.params.order_id]);
         if (!order)
             return void res.status(404).json({ error: '订单不存在' });
         if (order.buyer_id !== user.id && order.seller_id !== user.id) {
             return void res.status(403).json({ error: '无权查看' });
         }
-        const r = db.prepare('SELECT stars, comment, reply, replied_at, buyer_followup, buyer_followup_at, dim_quality, dim_speed, dim_service, hidden_until, created_at FROM order_ratings WHERE order_id = ?').get(req.params.order_id);
+        const r = await dbOne('SELECT stars, comment, reply, replied_at, buyer_followup, buyer_followup_at, dim_quality, dim_speed, dim_service, hidden_until, created_at FROM order_ratings WHERE order_id = ?', [req.params.order_id]);
         if (!r)
             return void res.json({ item: null });
         const isSellerView = order.seller_id === user.id;
-        const sellerAlsoRated = !!db.prepare(`SELECT order_id FROM buyer_ratings WHERE order_id = ?`).get(req.params.order_id);
+        const sellerAlsoRated = !!(await dbOne(`SELECT order_id FROM buyer_ratings WHERE order_id = ?`, [req.params.order_id]));
         const blindExpired = r.hidden_until && new Date(r.hidden_until) < new Date();
         if (isSellerView && !sellerAlsoRated && !blindExpired) {
             return void res.json({ item: { masked: true, hidden_until: r.hidden_until, reason: 'blind_until_both_or_expire' } });
         }
         res.json({ item: r });
     });
-    app.post('/api/orders/:order_id/rating/reply', (req, res) => {
+    app.post('/api/orders/:order_id/rating/reply', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const r = db.prepare('SELECT seller_id, reply FROM order_ratings WHERE order_id = ?').get(req.params.order_id);
+        const r = await dbOne('SELECT seller_id, reply FROM order_ratings WHERE order_id = ?', [req.params.order_id]);
         if (!r)
             return void res.status(404).json({ error: '该订单暂无评价' });
         if (r.seller_id !== user.id)
@@ -153,15 +154,15 @@ export function registerRatingsRoutes(app, deps) {
         const reply = req.body?.reply ? String(req.body.reply).slice(0, 500) : null;
         if (!reply)
             return void res.status(400).json({ error: '回复不能为空' });
-        db.prepare(`UPDATE order_ratings SET reply = ?, replied_at = datetime('now') WHERE order_id = ?`).run(reply, req.params.order_id);
+        await dbRun(`UPDATE order_ratings SET reply = ?, replied_at = datetime('now') WHERE order_id = ?`, [reply, req.params.order_id]);
         res.json({ success: true });
     });
     // W3 买家追问 — 在卖家 reply 后可追问一次
-    app.post('/api/orders/:order_id/rating/followup', (req, res) => {
+    app.post('/api/orders/:order_id/rating/followup', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const r = db.prepare('SELECT buyer_id, reply, buyer_followup FROM order_ratings WHERE order_id = ?').get(req.params.order_id);
+        const r = await dbOne('SELECT buyer_id, reply, buyer_followup FROM order_ratings WHERE order_id = ?', [req.params.order_id]);
         if (!r)
             return void res.status(404).json({ error: '该订单暂无评价' });
         if (r.buyer_id !== user.id)
@@ -173,15 +174,14 @@ export function registerRatingsRoutes(app, deps) {
         const followup = req.body?.followup ? String(req.body.followup).trim().slice(0, 200) : '';
         if (followup.length < 2)
             return void res.status(400).json({ error: '追问内容至少 2 字' });
-        db.prepare(`UPDATE order_ratings SET buyer_followup = ?, buyer_followup_at = datetime('now') WHERE order_id = ?`)
-            .run(followup, req.params.order_id);
+        await dbRun(`UPDATE order_ratings SET buyer_followup = ?, buyer_followup_at = datetime('now') WHERE order_id = ?`, [followup, req.params.order_id]);
         res.json({ success: true });
     });
     // 公开：商品评价 + 聚合（仅展示双盲已揭晓的）
-    app.get('/api/products/:product_id/ratings', (req, res) => {
+    app.get('/api/products/:product_id/ratings', async (req, res) => {
         const limit = Math.min(50, Math.max(1, Number(req.query.limit) || 20));
         const blindOpen = `(EXISTS (SELECT 1 FROM buyer_ratings br WHERE br.order_id = r.order_id) OR r.hidden_until IS NULL OR datetime(r.hidden_until) <= datetime('now'))`;
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT r.stars, r.comment, r.reply, r.replied_at, r.buyer_followup, r.buyer_followup_at, r.created_at,
              r.dim_quality, r.dim_speed, r.dim_service,
              u.name as buyer_name, u.handle as buyer_handle
@@ -189,8 +189,8 @@ export function registerRatingsRoutes(app, deps) {
       JOIN users u ON u.id = r.buyer_id
       WHERE r.product_id = ? AND ${blindOpen}
       ORDER BY r.created_at DESC LIMIT ?
-    `).all(req.params.product_id, limit);
-        const agg = db.prepare(`
+    `, [req.params.product_id, limit]);
+        const agg = await dbOne(`
       SELECT COUNT(*) as cnt, COALESCE(AVG(stars), 0) as avg_stars,
         SUM(CASE WHEN stars = 5 THEN 1 ELSE 0 END) as s5,
         SUM(CASE WHEN stars = 4 THEN 1 ELSE 0 END) as s4,
@@ -198,13 +198,13 @@ export function registerRatingsRoutes(app, deps) {
         SUM(CASE WHEN stars = 2 THEN 1 ELSE 0 END) as s2,
         SUM(CASE WHEN stars = 1 THEN 1 ELSE 0 END) as s1
       FROM order_ratings r WHERE product_id = ? AND ${blindOpen}
-    `).get(req.params.product_id);
+    `, [req.params.product_id]);
         res.json({ items: rows, agg });
     });
     // 公开：卖家评价聚合（卖家主页）
-    app.get('/api/sellers/:seller_id/ratings', (req, res) => {
+    app.get('/api/sellers/:seller_id/ratings', async (req, res) => {
         const limit = Math.min(50, Math.max(1, Number(req.query.limit) || 20));
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT r.stars, r.comment, r.reply, r.replied_at, r.buyer_followup, r.buyer_followup_at, r.created_at, r.product_id,
              p.title as product_title,
              u.name as buyer_name, u.handle as buyer_handle
@@ -213,8 +213,8 @@ export function registerRatingsRoutes(app, deps) {
       JOIN users u ON u.id = r.buyer_id
       WHERE r.seller_id = ?
       ORDER BY r.created_at DESC LIMIT ?
-    `).all(req.params.seller_id, limit);
-        const agg = db.prepare(`SELECT COUNT(*) as cnt, COALESCE(AVG(stars), 0) as avg_stars FROM order_ratings WHERE seller_id = ?`).get(req.params.seller_id);
+    `, [req.params.seller_id, limit]);
+        const agg = await dbOne(`SELECT COUNT(*) as cnt, COALESCE(AVG(stars), 0) as avg_stars FROM order_ratings WHERE seller_id = ?`, [req.params.seller_id]);
         res.json({ items: rows, agg });
     });
 }

package/dist/pwa/routes/recover-key.js CHANGED Viewed

@@ -1,8 +1,10 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerRecoverKeyRoutes(app, deps) {
-    const { db, internalAuditorId, issueCode, findActiveCode, CODE_TTL_MIN, MAX_CODE_ATTEMPTS } = deps;
+    // db 已走 RFC-016 异步 seam(dbOne/dbAll/dbRun),不再直接用 deps.db
+    const { internalAuditorId, issueCode, findActiveCode, CODE_TTL_MIN, MAX_CODE_ATTEMPTS } = deps;
     // IP 级速率（5/min）— 防爆破列举账户
     const recoverKeyHits = new Map();
-    app.post('/api/recover-key', (req, res) => {
+    app.post('/api/recover-key', async (req, res) => {
         const ip = req.ip || '';
         if (ip) {
             const now = Date.now();
@@ -24,7 +26,7 @@ export function registerRecoverKeyRoutes(app, deps) {
         const { name } = req.body;
         if (!name?.trim())
             return void res.json({ error: '请填写注册时使用的名称' });
-        const rows = db.prepare("SELECT name, role, api_key, email, phone, created_at FROM users WHERE name = ? AND id NOT IN ('sys_protocol', ?)").all(name.trim(), internalAuditorId);
+        const rows = await dbAll("SELECT name, role, api_key, email, phone, created_at FROM users WHERE name = ? AND id NOT IN ('sys_protocol', ?)", [name.trim(), internalAuditorId]);
         if (rows.length === 0)
             return void res.json({ error: '未找到该名称的账号' });
         const mask = (s) => s && s.length > 8 ? `${s.slice(0, 4)}…${s.slice(-4)}` : s;
@@ -54,16 +56,16 @@ export function registerRecoverKeyRoutes(app, deps) {
         });
     });
     // 步骤 1：发送验证码到已绑定邮箱（防泄露：找没找到都同响应）
-    app.post('/api/recover-key/start', (req, res) => {
+    app.post('/api/recover-key/start', async (req, res) => {
         const { name, email } = req.body;
         if (!name?.trim() || !email?.trim())
             return void res.json({ error: '请填写名称和邮箱' });
         const target = email.trim().toLowerCase();
-        const user = db.prepare(`
+        const user = await dbOne(`
       SELECT id, name, email FROM users
       WHERE name = ? AND email = ? AND email_verified = 1
         AND id NOT IN ('sys_protocol', ?) LIMIT 1
-    `).get(name.trim(), target, internalAuditorId);
+    `, [name.trim(), target, internalAuditorId]);
         if (user)
             issueCode(user.id, 'email', target, 'recover_key');
         res.json({
@@ -73,7 +75,7 @@ export function registerRecoverKeyRoutes(app, deps) {
         });
     });
     // 步骤 2：提交验证码 → 返回完整 api_key
-    app.post('/api/recover-key/confirm', (req, res) => {
+    app.post('/api/recover-key/confirm', async (req, res) => {
         const { name, email, code } = req.body;
         if (!name?.trim() || !email?.trim() || !code?.trim())
             return void res.json({ error: '请填写完整信息' });
@@ -81,20 +83,19 @@ export function registerRecoverKeyRoutes(app, deps) {
         const row = findActiveCode('email', target, 'recover_key');
         if (!row)
             return void res.json({ error: '验证码已过期或未发送，请重新开始' });
-        const user = db.prepare(`SELECT id, name, api_key FROM users WHERE id = ?`).get(row.user_id);
+        const user = await dbOne(`SELECT id, name, api_key FROM users WHERE id = ?`, [row.user_id]);
         if (!user || user.name !== name.trim())
             return void res.json({ error: '名称与验证码不匹配' });
         if (String(row.code) !== code.trim()) {
             const attempts = row.attempts + 1;
             if (attempts >= MAX_CODE_ATTEMPTS) {
-                db.prepare("UPDATE verification_codes SET attempts = ?, used_at = datetime('now') WHERE id = ?")
-                    .run(attempts, row.id);
+                await dbRun("UPDATE verification_codes SET attempts = ?, used_at = datetime('now') WHERE id = ?", [attempts, row.id]);
                 return void res.json({ error: '错误次数过多，验证码已作废，请重新开始' });
             }
-            db.prepare("UPDATE verification_codes SET attempts = ? WHERE id = ?").run(attempts, row.id);
+            await dbRun("UPDATE verification_codes SET attempts = ? WHERE id = ?", [attempts, row.id]);
             return void res.json({ error: `验证码错误（剩余 ${MAX_CODE_ATTEMPTS - attempts} 次）` });
         }
-        db.prepare("UPDATE verification_codes SET used_at = datetime('now') WHERE id = ?").run(row.id);
+        await dbRun("UPDATE verification_codes SET used_at = datetime('now') WHERE id = ?", [row.id]);
         res.json({ success: true, api_key: user.api_key, name: user.name });
     });
 }

package/dist/pwa/routes/referral.js CHANGED Viewed

@@ -1,28 +1,31 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerReferralRoutes(app, deps) {
-    const { db, auth, requireProtocolAdmin, logAdminAction, issueInviteSlot, inviteRotationLookup } = deps;
+    // db 已全量走 RFC-016 异步 seam(dbOne/dbAll/dbRun),不再直接用 deps.db
+    const { auth, requireProtocolAdmin, logAdminAction, issueInviteSlot, inviteRotationLookup } = deps;
     // B-1: 个人邀请 dashboard
-    app.get('/api/referral/me', (req, res) => {
+    app.get('/api/referral/me', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const code = user.permanent_code || null;
         // 我直接邀请的人
-        const directInvitees = db.prepare(`
+        const directInvitees = await dbAll(`
       SELECT u.id, u.handle, u.name, u.role, u.created_at,
         (SELECT COUNT(*) FROM orders WHERE buyer_id = u.id AND status = 'completed') as completed_orders,
         (SELECT COALESCE(SUM(total_amount), 0) FROM orders WHERE buyer_id = u.id AND status = 'completed') as gmv
       FROM users u WHERE u.sponsor_id = ?
       ORDER BY u.created_at DESC LIMIT 50
-    `).all(user.id);
+    `, [user.id]);
         // 推土机奖励 / 商品分享佣金（commission_records 按订单粒度）
-        const earnings = db.prepare(`
+        const earnings = (await dbOne(`
       SELECT COUNT(*) as cnt, COALESCE(SUM(amount), 0) as total FROM commission_records WHERE beneficiary_id = ?
-    `).get(user.id);
-        const todayEarnings = db.prepare(`SELECT COALESCE(SUM(amount), 0) as t FROM commission_records WHERE beneficiary_id = ? AND created_at > datetime('now', '-1 day')`).get(user.id).t;
-        const monthEarnings = db.prepare(`SELECT COALESCE(SUM(amount), 0) as t FROM commission_records WHERE beneficiary_id = ? AND created_at > datetime('now', '-30 days')`).get(user.id).t;
+    `, [user.id]));
+        const todayEarnings = (await dbOne(`SELECT COALESCE(SUM(amount), 0) as t FROM commission_records WHERE beneficiary_id = ? AND created_at > datetime('now', '-1 day')`, [user.id])).t;
+        const monthEarnings = (await dbOne(`SELECT COALESCE(SUM(amount), 0) as t FROM commission_records WHERE beneficiary_id = ? AND created_at > datetime('now', '-30 days')`, [user.id])).t;
         res.json({
             invite_code: code,
-            invite_link: code ? `${req.protocol}://${req.get('host')}/?ref=${code}` : null,
+            invite_link: code ? `${req.protocol}://${req.get('host')}/i/${code}` : null,
+            invite_unavailable_reason: code ? null : 'permanent_code_missing — refresh or contact support',
             direct_invitees_count: directInvitees.length,
             direct_invitees: directInvitees,
             earnings: {
@@ -34,8 +37,8 @@ export function registerReferralRoutes(app, deps) {
         });
     });
     // 公开邀请码轮询（开关 ON 时）
-    app.post('/api/invite/rotate', (_req, res) => {
-        const enabled = db.prepare("SELECT value FROM system_state WHERE key='invite_rotation_enabled'").get()?.value === '1';
+    app.post('/api/invite/rotate', async (_req, res) => {
+        const enabled = (await dbOne("SELECT value FROM system_state WHERE key='invite_rotation_enabled'"))?.value === '1';
         if (!enabled)
             return void res.status(403).json({ error: '邀请码获取暂未开放', enabled: false });
         const slot = issueInviteSlot();
@@ -45,20 +48,20 @@ export function registerReferralRoutes(app, deps) {
         res.json({ enabled: true, code: u.code });
     });
     // protocol 开关
-    app.post('/api/admin/invite-rotation/toggle', (req, res) => {
+    app.post('/api/admin/invite-rotation/toggle', async (req, res) => {
         const admin = requireProtocolAdmin(req, res);
         if (!admin)
             return;
         const { enabled } = req.body;
         const v = enabled ? '1' : '0';
-        db.prepare("INSERT OR REPLACE INTO system_state (key, value) VALUES ('invite_rotation_enabled', ?)").run(v);
+        await dbRun("INSERT OR REPLACE INTO system_state (key, value) VALUES ('invite_rotation_enabled', ?)", [v]);
         logAdminAction(admin.id, 'invite_rotation_toggle', 'system', 'invite_rotation_enabled', { value: v });
         res.json({ success: true, enabled: !!enabled });
     });
     // RFC-003 #1122: 生成商品分享链接(把 MCP webaz_share_link 的本地计算搬到服务端,
     // 让 MCP NETWORK 模式可代理)。RFC-002 §3.5 valuation-layer gate:需 rewards opt-in。
     // 与 PWA pickPreferredSide 对齐的 side 选择(team_count | pv_count)。
-    app.get('/api/share-link', (req, res) => {
+    app.get('/api/share-link', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -67,16 +70,16 @@ export function registerReferralRoutes(app, deps) {
         const sideArg = String(req.query.side || 'auto');
         if (!productId)
             return void res.status(400).json({ error: 'product_id required', error_code: 'PRODUCT_ID_REQUIRED' });
-        const optIn = db.prepare("SELECT rewards_opted_in FROM users WHERE id = ?").get(userId)?.rewards_opted_in ?? 0;
+        const optIn = (await dbOne("SELECT rewards_opted_in FROM users WHERE id = ?", [userId]))?.rewards_opted_in ?? 0;
         if (optIn !== 1) {
-            const getParam = (key, def) => {
-                const r = db.prepare("SELECT value FROM protocol_params WHERE key = ?").get(key);
+            const getParam = async (key, def) => {
+                const r = await dbOne("SELECT value FROM protocol_params WHERE key = ?", [key]);
                 return r ? Number(r.value) : def;
             };
-            const minOrders = getParam('rewards_opt_in.min_completed_orders', 1);
-            const requirePasskey = getParam('rewards_opt_in.require_passkey', 1);
-            const totalCompleted = db.prepare("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'").get(userId).n;
-            const passkeyCount = db.prepare("SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?").get(userId).n;
+            const minOrders = await getParam('rewards_opt_in.min_completed_orders', 1);
+            const requirePasskey = await getParam('rewards_opt_in.require_passkey', 1);
+            const totalCompleted = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [userId])).n;
+            const passkeyCount = (await dbOne("SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?", [userId])).n;
             const missing = [];
             if (totalCompleted < minOrders)
                 missing.push(`completed_orders ${totalCompleted}/${minOrders}`);
@@ -86,16 +89,16 @@ export function registerReferralRoutes(app, deps) {
                 missing.push('application_not_submitted');
             return void res.status(403).json({
                 error: 'rewards_opt_in_required',
-                message: 'Share-link generation is a valuation-layer action — requires builder-identity opt-in (RFC-002 §3.5)',
+                message: 'Share-link generation is a valuation-layer (rewards / share-link) action, NOT a contribution gate — requires rewards / share-commission opt-in (RFC-002 §3.5)',
                 missing_requirements: missing,
                 next_steps: [
-                    'Open PWA #me → tap "申请共建身份 / Apply for builder identity"',
+                    'Open PWA #me → tap "申请分享分润 / Enable share-commission opt-in"',
                     'Read the 8-second disclosure (cannot skip)',
                     'Submit application — pre-checks run server-side',
                 ],
             });
         }
-        const product = db.prepare("SELECT id, title, price, commission_rate FROM products WHERE id = ? AND status='active'").get(productId);
+        const product = await dbOne("SELECT id, title, price, commission_rate FROM products WHERE id = ? AND status='active'", [productId]);
         if (!product)
             return void res.status(404).json({ error: '商品不存在或已下架', error_code: 'PRODUCT_NOT_FOUND' });
         let side = 'right';
@@ -103,14 +106,12 @@ export function registerReferralRoutes(app, deps) {
             side = sideArg;
         }
         else {
-            const u = db.prepare("SELECT placement_pref, total_left_pv, total_right_pv, left_count, right_count FROM users WHERE id = ?")
-                .get(userId);
+            const u = await dbOne("SELECT placement_pref, total_left_pv, total_right_pv, left_count, right_count FROM users WHERE id = ?", [userId]);
             const pref = u?.placement_pref || 'team_count';
             if (pref === 'pv_count') {
                 const since = new Date(Date.now() - 90 * 24 * 60 * 60 * 1000).toISOString().slice(0, 19).replace('T', ' ');
-                const w = db.prepare(`SELECT COALESCE(SUM(consumed_left_pv),0) AS l, COALESCE(SUM(consumed_right_pv),0) AS r
-                              FROM binary_score_records WHERE user_id = ? AND created_at >= ?`)
-                    .get(userId, since);
+                const w = (await dbOne(`SELECT COALESCE(SUM(consumed_left_pv),0) AS l, COALESCE(SUM(consumed_right_pv),0) AS r
+                              FROM binary_score_records WHERE user_id = ? AND created_at >= ?`, [userId, since]));
                 const leftPv = Number(u?.total_left_pv ?? 0) + Number(w.l);
                 const rightPv = Number(u?.total_right_pv ?? 0) + Number(w.r);
                 side = leftPv <= rightPv ? 'left' : 'right';
@@ -119,11 +120,15 @@ export function registerReferralRoutes(app, deps) {
                 side = (Number(u?.left_count ?? 0) <= Number(u?.right_count ?? 0)) ? 'left' : 'right';
             }
         }
-        const completed = db.prepare("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'").get(userId).n;
-        const override = db.prepare("SELECT l1_share_override FROM users WHERE id = ?").get(userId)?.l1_share_override ?? 0;
+        const completed = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [userId])).n;
+        const override = (await dbOne("SELECT l1_share_override FROM users WHERE id = ?", [userId]))?.l1_share_override ?? 0;
         const canL1 = override === 1 || (override === 0 && completed > 0);
         const rate = Number(product.commission_rate ?? 0);
-        const link = `/?ref=${userId}&side=${side}#order-product/${productId}`;
+        // share ref uses permanent_code ONLY — never the raw user_id; fail clearly if it's missing.
+        const refCode = (await dbOne("SELECT permanent_code FROM users WHERE id = ?", [userId]))?.permanent_code || null;
+        if (!refCode)
+            return void res.status(409).json({ error: '邀请码暂不可用，请刷新或联系支持', error_code: 'PERMANENT_CODE_MISSING' });
+        const link = `/?ref=${refCode}&side=${side}#order-product/${productId}`;
         res.json({
             product: { id: product.id, title: product.title, price: product.price, commission_rate: rate },
             share_link: link,

package/dist/pwa/routes/reputation.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { dbOne } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerReputationRoutes(app, deps) {
     const { db, auth, getReputation, getSellerMetrics } = deps;
     app.get('/api/reputation', (req, res) => {
@@ -16,9 +17,9 @@ export function registerReputationRoutes(app, deps) {
             metrics: getSellerMetrics(user.id),
         });
     });
-    app.get('/api/reputation/:userId', (req, res) => {
+    app.get('/api/reputation/:userId', async (req, res) => {
         const rep = getReputation(db, req.params.userId);
-        const decayRow = db.prepare(`SELECT last_decay_at FROM reputation_scores WHERE user_id = ?`).get(req.params.userId);
+        const decayRow = await dbOne(`SELECT last_decay_at FROM reputation_scores WHERE user_id = ?`, [req.params.userId]);
         res.json({
             level: rep.level,
             total_points: rep.total_points,