@seasonkoh/webaz 0.1.23 → 0.1.25

package/dist/pwa/routes/rewards-auto-downgrade.js

@@ -1,7 +1,9 @@
-export function runAutoDowngradeSweep(deps) {
+// RFC-016 Phase 1 — cron 的 currentMajor + 候选扫描读 → async seam;逐用户降级 db.transaction 写仍同步(Phase 3)。
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js';
+export async function runAutoDowngradeSweep(deps) {
     const { db, getProtocolParam } = deps;
     // Current major consent
-    const currentMajor = db.prepare(`SELECT version, effective_at FROM rewards_consent_texts WHERE change_class='major' ORDER BY effective_at DESC LIMIT 1`).get();
+    const currentMajor = await dbOne(`SELECT version, effective_at FROM rewards_consent_texts WHERE change_class='major' ORDER BY effective_at DESC LIMIT 1`);
     if (!currentMajor)
         return { scanned: 0, downgraded: [], skip_reason: 'no major consent text in rewards_consent_texts' };
     const graceDays = Number(getProtocolParam('rewards_opt_in.reconfirm_grace_days', 14));
@@ -11,14 +13,14 @@ export function runAutoDowngradeSweep(deps) {
         return { scanned: 0, downgraded: [], skip_reason: `current_major ${currentMajor.version} grace not yet expired (deadline=${deadline})` };
     // Candidates: opted-in users whose LATEST activate-or-reconfirm consent_version
     // is older than the current major.
-    const candidates = db.prepare(`
+    const candidates = await dbAll(`
     SELECT u.id AS user_id, (
       SELECT consent_version FROM rewards_applications
       WHERE user_id = u.id AND action IN ('activate','reconfirm')
       ORDER BY created_at DESC LIMIT 1
     ) AS last_version
     FROM users u WHERE u.rewards_opted_in = 1
-  `).all();
+  `);
     const downgraded = [];
     for (const c of candidates) {
         if (c.last_version === currentMajor.version)
@@ -40,7 +42,7 @@ export function runAutoDowngradeSweep(deps) {
             // Failure here is non-fatal — notification is best-effort, downgrade itself is the source of truth.
             try {
                 db.prepare(`INSERT INTO notifications (id, user_id, type, title, body) VALUES (?, ?, 'rewards_auto_downgrade', ?, ?)`)
-                    .run(`ntf_rwd_${c.user_id}_${now}`, c.user_id, '共建身份已自动降级 / Rewards auto-downgraded', `新 consent 版本 ${currentMajor.version} 未在 grace 期内重新确认。未来 commission 进入 escrow(30 天可激活领回)。前往 #rewards-me 重新申请。 / New consent ${currentMajor.version} not re-confirmed within grace window. Future commission flows to escrow (30d recovery window). Visit #rewards-me to re-apply.`);
+                    .run(`ntf_rwd_${c.user_id}_${now}`, c.user_id, '分享分润已自动降级 / Rewards auto-downgraded', `新 consent 版本 ${currentMajor.version} 未在 grace 期内重新确认。未来 commission 进入 escrow(30 天可激活领回)。前往 #rewards-me 重新申请。 / New consent ${currentMajor.version} not re-confirmed within grace window. Future commission flows to escrow (30d recovery window). Visit #rewards-me to re-apply.`);
             }
             catch { /* notifications schema diff between envs; best-effort */ }
             downgraded.push({ user_id: c.user_id, last_version: c.last_version, current_major: currentMajor.version, effective_at: currentMajor.effective_at });
@@ -50,9 +52,9 @@ export function runAutoDowngradeSweep(deps) {
 }
 export function startAutoDowngradeCron(deps) {
     const ms = 24 * 60 * 60 * 1000; // 1d fixed
-    setInterval(() => {
+    setInterval(async () => {
         try {
-            const r = runAutoDowngradeSweep(deps);
+            const r = await runAutoDowngradeSweep(deps);
             if (r.downgraded.length > 0) {
                 console.log(`[rewards-auto-downgrade] swept ${r.scanned}, downgraded ${r.downgraded.length}: ${r.downgraded.map(d => `${d.user_id} ${d.last_version || '(none)'}→${d.current_major}`).join(', ')}`);
             }

package/dist/pwa/routes/rewards-escrow-expire.js

@@ -1,13 +1,15 @@
-export function runEscrowExpireSweep(deps) {
+// RFC-016 Phase 1 — cron 扫描读 → async seam;到期 materialize 的 db.transaction 写仍同步(Phase 3 迁 pg)。
+import { dbAll } from '../../layer0-foundation/L0-1-database/db.js';
+export async function runEscrowExpireSweep(deps) {
     const { db, redirectToCommissionReserve } = deps;
     const now = Date.now();
-    const rows = db.prepare(`
+    const rows = await dbAll(`
     SELECT id, recipient_user_id, order_id, amount, attribution_path, expires_at
     FROM pending_commission_escrow
     WHERE status = 'pending' AND expires_at <= ?
     ORDER BY expires_at ASC
     LIMIT 1000
-  `).all(now);
+  `, [now]);
     const expired = [];
     for (const r of rows) {
         db.transaction(() => {
@@ -33,9 +35,9 @@ export function runEscrowExpireSweep(deps) {
 }
 export function startEscrowExpireCron(deps) {
     const ms = 60 * 60 * 1000; // 1h fixed (escrow_days is in days; sub-day granularity unnecessary)
-    setInterval(() => {
+    setInterval(async () => {
         try {
-            const r = runEscrowExpireSweep(deps);
+            const r = await runEscrowExpireSweep(deps);
             if (r.expired.length > 0) {
                 console.log(`[rewards-escrow-expire] swept ${r.scanned}, expired ${r.expired.length}: ${r.expired.map(e => `${e.recipient_user_id}/${e.attribution_path}/${e.amount}`).join(', ')}`);
             }

package/dist/pwa/routes/rfqs.js

@@ -1,3 +1,4 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js';
 export function registerRfqsRoutes(app, deps) {
     const { db, auth, generateId, VALID_RFQ_URGENCIES, VALID_AWARD_MODES, RFQ_MAX_QTY, RFQ_MAX_PRICE, RFQ_DAILY_CAP_PER_BUYER, RFQ_MAX_WINDOW_MIN, RFQ_DEFAULT_WINDOW_MIN, BID_DAILY_CAP_PER_SELLER, BID_STAKE_RATE, VALID_FULFILLMENT_TYPES, isListingCategoryKey, LISTING_CATEGORIES, awardBidAndCreateOrder, notifyMatchedSellers, evaluateAutoBidsForRfq, shouldAutoAccept, transition, notifyTransition } = deps;
     // 内联押金 helper（小巧、仅 rfq 域用）
@@ -7,7 +8,7 @@ export function registerRfqsRoutes(app, deps) {
     };
     const bidStakeFor = (price, qty) => Math.max(0.5, Math.round(price * qty * BID_STAKE_RATE * 100) / 100);
     // 买家：创建 RFQ
-    app.post('/api/rfqs', (req, res) => {
+    app.post('/api/rfqs', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -36,17 +37,17 @@ export function registerRfqsRoutes(app, deps) {
             return void res.json({ error: '类目无效' });
         const explicitWindow = body.award_window_min != null ? Math.max(5, Math.min(RFQ_MAX_WINDOW_MIN, Math.floor(Number(body.award_window_min)))) : null;
         const windowMin = explicitWindow ?? RFQ_DEFAULT_WINDOW_MIN[urgency];
-        const todayCount = db.prepare("SELECT COUNT(1) as n FROM rfqs WHERE buyer_id = ? AND created_at > datetime('now','-1 day')").get(user.id).n;
+        const todayCount = (await dbOne("SELECT COUNT(1) as n FROM rfqs WHERE buyer_id = ? AND created_at > datetime('now','-1 day')", [user.id])).n;
         if (todayCount >= RFQ_DAILY_CAP_PER_BUYER) {
             return void res.json({ error: `今日已达上限 ${RFQ_DAILY_CAP_PER_BUYER} 单求购` });
         }
         const deposit = buyerRfqDeposit(maxPrice, qty);
-        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        const wallet = await dbOne('SELECT balance FROM wallets WHERE user_id = ?', [user.id]);
         if (!wallet || Number(wallet.balance) < deposit) {
             return void res.json({ error: `余额不足，发求购需 ${deposit} WAZ 押金（中标后释放，撤销扣 30%）` });
         }
         // P3c：award 自动建单需要收货地址。优先 body，否则 buyer 的默认地址
-        const buyerProfile = db.prepare('SELECT default_address_text, default_address_json FROM users WHERE id = ?').get(user.id);
+        const buyerProfile = await dbOne('SELECT default_address_text, default_address_json FROM users WHERE id = ?', [user.id]);
         let shippingAddress = body.shipping_address ? String(body.shipping_address).trim() : null;
         if (!shippingAddress) {
             if (buyerProfile?.default_address_text)
@@ -66,14 +67,25 @@ export function registerRfqsRoutes(app, deps) {
         const id = generateId('rfq');
         const regionRequired = body.region_required ? String(body.region_required) : user.region || null;
         const fulfillmentRequired = body.fulfillment_required ? JSON.stringify(body.fulfillment_required) : null;
-        db.transaction(() => {
-            db.prepare(`
-        INSERT INTO rfqs (id, buyer_id, listing_id, title, spec_json, qty, category, region_required, urgency,
-          max_price, fulfillment_required, award_mode, award_window_min, deadline_at, buyer_stake_locked, notes, shipping_address)
-        VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,datetime('now', '+' || ? || ' minutes'),?,?,?)
-      `).run(id, user.id, body.listing_id ? String(body.listing_id) : null, title, body.spec_json ? JSON.stringify(body.spec_json) : null, qty, category, regionRequired, urgency, maxPrice, fulfillmentRequired, awardMode, windowMin, windowMin, deposit, body.notes ? String(body.notes) : null, shippingAddress);
-            db.prepare('UPDATE wallets SET balance = balance - ?, staked = staked + ? WHERE user_id = ?').run(deposit, deposit, user.id);
-        })();
+        // Codex #236 P1:await 余额预检与同步 tx 间有 yield;扣款带 balance>=deposit 守卫,
+        // changes!==1 即并发已花掉余额 → 抛回滚(连带回滚已插入的 rfq),杜绝超额。
+        try {
+            db.transaction(() => {
+                db.prepare(`
+          INSERT INTO rfqs (id, buyer_id, listing_id, title, spec_json, qty, category, region_required, urgency,
+            max_price, fulfillment_required, award_mode, award_window_min, deadline_at, buyer_stake_locked, notes, shipping_address)
+          VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,datetime('now', '+' || ? || ' minutes'),?,?,?)
+        `).run(id, user.id, body.listing_id ? String(body.listing_id) : null, title, body.spec_json ? JSON.stringify(body.spec_json) : null, qty, category, regionRequired, urgency, maxPrice, fulfillmentRequired, awardMode, windowMin, windowMin, deposit, body.notes ? String(body.notes) : null, shippingAddress);
+                const d = db.prepare('UPDATE wallets SET balance = balance - ?, staked = staked + ? WHERE user_id = ? AND balance >= ?').run(deposit, deposit, user.id, deposit);
+                if (d.changes !== 1)
+                    throw new Error('RFQ_INSUFFICIENT_BALANCE');
+            })();
+        }
+        catch (e) {
+            if (e.message === 'RFQ_INSUFFICIENT_BALANCE')
+                return void res.json({ error: `余额不足，发求购需 ${deposit} WAZ 押金（中标后释放，撤销扣 30%）` });
+            throw e;
+        }
         try {
             notifyMatchedSellers(id);
         }
@@ -90,7 +102,7 @@ export function registerRfqsRoutes(app, deps) {
         res.json({ id, deposit, window_min: windowMin, deadline_at_minutes: windowMin, auto_bids: autoBidCount });
     });
     // 卖家 RFQ 看板
-    app.get('/api/rfqs', (req, res) => {
+    app.get('/api/rfqs', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -118,7 +130,7 @@ export function registerRfqsRoutes(app, deps) {
             args.push('%' + qE + '%', '%' + qE + '%');
         }
         const limit = Math.min(100, Math.max(1, Number(req.query.limit) || 30));
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT r.id, r.title, r.qty, r.category, r.region_required, r.urgency, r.max_price,
              r.award_mode, r.deadline_at, r.bid_count, r.created_at,
              (SELECT MIN(price) FROM bids b WHERE b.rfq_id = r.id AND b.status = 'active') as current_lowest_bid,
@@ -127,32 +139,32 @@ export function registerRfqsRoutes(app, deps) {
       WHERE ${where.join(' AND ')}
       ORDER BY r.created_at DESC
       LIMIT ?
-    `).all(user.id, ...args, limit);
+    `, [user.id, ...args, limit]);
         res.json({ items: rows, urgencies: ['now', 'today', 'flex'], categories: LISTING_CATEGORIES });
     });
-    app.get('/api/rfqs/mine', (req, res) => {
+    app.get('/api/rfqs/mine', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT r.*,
         (SELECT MIN(price) FROM bids b WHERE b.rfq_id = r.id AND b.status = 'active') as current_lowest_bid
       FROM rfqs r
       WHERE r.buyer_id = ?
       ORDER BY r.created_at DESC
       LIMIT 100
-    `).all(user.id);
+    `, [user.id]);
         res.json({ items: rows });
     });
-    app.get('/api/rfqs/:id', (req, res) => {
+    app.get('/api/rfqs/:id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const rfq = db.prepare('SELECT * FROM rfqs WHERE id = ?').get(req.params.id);
+        const rfq = await dbOne('SELECT * FROM rfqs WHERE id = ?', [req.params.id]);
         if (!rfq)
             return void res.status(404).json({ error: 'RFQ 不存在' });
         const isOwner = rfq.buyer_id === user.id;
-        const bids = db.prepare(`
+        const bids = await dbAll(`
       SELECT b.id, b.seller_id, b.price, b.qty_offered, b.eta_hours, b.fulfillment_type, b.note,
         b.auto_bid_skill, b.status, b.submitted_at, b.offer_id,
         u.handle as seller_handle, u.region as seller_region,
@@ -161,7 +173,7 @@ export function registerRfqsRoutes(app, deps) {
       LEFT JOIN users u ON u.id = b.seller_id
       WHERE b.rfq_id = ?
       ORDER BY b.price ASC, b.submitted_at ASC
-    `).all(req.params.id);
+    `, [req.params.id]);
         // 仅 owner 看全部；第三方只看自己 + 计数
         const visibleBids = isOwner ? bids : bids.filter(b => b.seller_id === user.id);
         // P1：非 owner 时 buyer 身份脱敏（防止私下交易）
@@ -173,11 +185,11 @@ export function registerRfqsRoutes(app, deps) {
         }
         res.json({ rfq: safeRfq, bids: visibleBids, bid_count: bids.length, is_owner: isOwner });
     });
-    app.delete('/api/rfqs/:id', (req, res) => {
+    app.delete('/api/rfqs/:id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const rfq = db.prepare('SELECT * FROM rfqs WHERE id = ?').get(req.params.id);
+        const rfq = await dbOne('SELECT * FROM rfqs WHERE id = ?', [req.params.id]);
         if (!rfq)
             return void res.status(404).json({ error: 'RFQ 不存在' });
         if (rfq.buyer_id !== user.id)
@@ -187,26 +199,39 @@ export function registerRfqsRoutes(app, deps) {
         const deposit = Number(rfq.buyer_stake_locked) || 0;
         const forfeit = Math.round(deposit * 0.30 * 100) / 100;
         const refund = Math.round((deposit - forfeit) * 100) / 100;
-        db.transaction(() => {
-            db.prepare("UPDATE rfqs SET status = 'cancelled', updated_at = datetime('now') WHERE id = ?").run(req.params.id);
-            if (refund > 0)
-                db.prepare('UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?').run(refund, deposit, user.id);
-            const activeBids = db.prepare("SELECT id, seller_id, stake_locked FROM bids WHERE rfq_id = ? AND status = 'active'").all(req.params.id);
-            for (const b of activeBids) {
-                db.prepare("UPDATE bids SET status = 'cancelled', resolved_at = datetime('now') WHERE id = ?").run(b.id);
-                if (b.stake_locked > 0)
-                    db.prepare('UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?').run(b.stake_locked, b.stake_locked, b.seller_id);
-            }
-        })();
-        res.json({ success: true, refund, forfeit, active_bids_released: 0 });
+        // Codex #236 P1:tx 内先 CAS RFQ open→cancelled,changes!==1 即并发已取消/中标 → 抛回滚,
+        // 先于释放买家/bid stake,杜绝重复释放。
+        let releasedCount = 0;
+        try {
+            db.transaction(() => {
+                const c = db.prepare("UPDATE rfqs SET status = 'cancelled', updated_at = datetime('now') WHERE id = ? AND status = 'open'").run(req.params.id);
+                if (c.changes !== 1)
+                    throw new Error('RFQ_NOT_OPEN');
+                if (refund > 0)
+                    db.prepare('UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?').run(refund, deposit, user.id);
+                const activeBids = db.prepare("SELECT id, seller_id, stake_locked FROM bids WHERE rfq_id = ? AND status = 'active'").all(req.params.id);
+                for (const b of activeBids) {
+                    db.prepare("UPDATE bids SET status = 'cancelled', resolved_at = datetime('now') WHERE id = ?").run(b.id);
+                    if (b.stake_locked > 0)
+                        db.prepare('UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?').run(b.stake_locked, b.stake_locked, b.seller_id);
+                    releasedCount++;
+                }
+            })();
+        }
+        catch (e) {
+            if (e.message === 'RFQ_NOT_OPEN')
+                return void res.json({ error: `当前状态不可取消（可能已取消/中标）` });
+            throw e;
+        }
+        res.json({ success: true, refund, forfeit, active_bids_released: releasedCount });
     });
-    app.post('/api/rfqs/:id/bids', (req, res) => {
+    app.post('/api/rfqs/:id/bids', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         if (user.role !== 'seller')
             return void res.json({ error: '仅卖家可报价' });
-        const rfq = db.prepare('SELECT * FROM rfqs WHERE id = ?').get(req.params.id);
+        const rfq = await dbOne('SELECT * FROM rfqs WHERE id = ?', [req.params.id]);
         if (!rfq)
             return void res.status(404).json({ error: 'RFQ 不存在' });
         if (rfq.status !== 'open')
@@ -228,32 +253,48 @@ export function registerRfqsRoutes(app, deps) {
         const fulfillmentType = String(body.fulfillment_type || 'standard');
         if (!VALID_FULFILLMENT_TYPES.has(fulfillmentType))
             return void res.json({ error: 'fulfillment_type 无效' });
-        const today = db.prepare("SELECT COUNT(1) as n FROM bids WHERE seller_id = ? AND submitted_at > datetime('now','-1 day')").get(user.id).n;
+        const today = (await dbOne("SELECT COUNT(1) as n FROM bids WHERE seller_id = ? AND submitted_at > datetime('now','-1 day')", [user.id])).n;
         if (today >= BID_DAILY_CAP_PER_SELLER) {
             return void res.json({ error: `今日报价已达上限 ${BID_DAILY_CAP_PER_SELLER} 条` });
         }
         // 一卖家 × 一 RFQ = 一 bid（已有则用 PATCH）
-        const existing = db.prepare("SELECT id, status FROM bids WHERE rfq_id = ? AND seller_id = ?").get(req.params.id, user.id);
+        const existing = await dbOne("SELECT id, status FROM bids WHERE rfq_id = ? AND seller_id = ?", [req.params.id, user.id]);
         if (existing && existing.status === 'active')
             return void res.json({ error: '已有进行中的 bid，请改用 PATCH 修改', bid_id: existing.id });
         const stake = bidStakeFor(price, qtyOffered);
-        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        const wallet = await dbOne('SELECT balance FROM wallets WHERE user_id = ?', [user.id]);
         if (!wallet || Number(wallet.balance) < stake) {
             return void res.json({ error: `余额不足，bid 押金 ${stake} WAZ（落选/取消立即释放，中标后转 escrow）` });
         }
         const id = generateId('bid');
-        db.transaction(() => {
-            db.prepare(`
-        INSERT INTO bids (id, rfq_id, seller_id, offer_id, price, qty_offered, eta_hours, fulfillment_type, note, stake_locked, auto_bid_skill)
-        VALUES (?,?,?,?,?,?,?,?,?,?,?)
-      `).run(id, req.params.id, user.id, body.offer_id ? String(body.offer_id) : null, price, qtyOffered, body.eta_hours != null ? Number(body.eta_hours) : null, fulfillmentType, body.note ? String(body.note).slice(0, 500) : null, stake, body.auto_bid_skill ? 1 : 0);
-            db.prepare('UPDATE wallets SET balance = balance - ?, staked = staked + ? WHERE user_id = ?').run(stake, stake, user.id);
-            db.prepare(`UPDATE rfqs SET bid_count = bid_count + 1, status = 'open', updated_at = datetime('now') WHERE id = ?`).run(req.params.id);
-        })();
+        // Codex #236 P1:await 预检(rfq open / 余额)与同步 tx 间有 yield。tx 内先原子确认 RFQ 仍 open
+        // (WHERE status='open' bump bid_count;原来无条件 SET status='open' 会把已中标/取消的 RFQ 复活,一并修掉),
+        // 再插 bid + 带 balance>=stake 守卫扣款;任一失败抛回滚(连带回滚已插 bid),杜绝超额/向已关闭 RFQ 报价。
         try {
-            db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
-                  VALUES (?,?,'rfq_bid',?,?,datetime('now'))`)
-                .run(generateId('ntf'), rfq.buyer_id, `💰 新报价 ${price} WAZ`, `RFQ：${rfq.title} · #${req.params.id}`);
+            db.transaction(() => {
+                const rOpen = db.prepare(`UPDATE rfqs SET bid_count = bid_count + 1, updated_at = datetime('now') WHERE id = ? AND status = 'open'`).run(req.params.id);
+                if (rOpen.changes !== 1)
+                    throw new Error('RFQ_NOT_OPEN');
+                db.prepare(`
+          INSERT INTO bids (id, rfq_id, seller_id, offer_id, price, qty_offered, eta_hours, fulfillment_type, note, stake_locked, auto_bid_skill)
+          VALUES (?,?,?,?,?,?,?,?,?,?,?)
+        `).run(id, req.params.id, user.id, body.offer_id ? String(body.offer_id) : null, price, qtyOffered, body.eta_hours != null ? Number(body.eta_hours) : null, fulfillmentType, body.note ? String(body.note).slice(0, 500) : null, stake, body.auto_bid_skill ? 1 : 0);
+                const d = db.prepare('UPDATE wallets SET balance = balance - ?, staked = staked + ? WHERE user_id = ? AND balance >= ?').run(stake, stake, user.id, stake);
+                if (d.changes !== 1)
+                    throw new Error('BID_INSUFFICIENT_BALANCE');
+            })();
+        }
+        catch (e) {
+            const m = e.message;
+            if (m === 'RFQ_NOT_OPEN')
+                return void res.json({ error: `当前状态不接受报价（可能已中标/取消）` });
+            if (m === 'BID_INSUFFICIENT_BALANCE')
+                return void res.json({ error: `余额不足，bid 押金 ${stake} WAZ（落选/取消立即释放，中标后转 escrow）` });
+            throw e;
+        }
+        try {
+            await dbRun(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
+                  VALUES (?,?,'rfq_bid',?,?,datetime('now'))`, [generateId('ntf'), rfq.buyer_id, `💰 新报价 ${price} WAZ`, `RFQ：${rfq.title} · #${req.params.id}`]);
         }
         catch (e) {
             console.error('[P3 notify bid]', e);
@@ -277,9 +318,8 @@ export function registerRfqsRoutes(app, deps) {
                     if (result.ok) {
                         autoAwardedOrder = result.order_id;
                         try {
-                            db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
-                          VALUES (?,?,'rfq_won',?,?,datetime('now'))`)
-                                .run(generateId('ntf'), user.id, `🎉 中标（first_match 自动选）`, `订单 ${result.order_id}`);
+                            await dbRun(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
+                          VALUES (?,?,'rfq_won',?,?,datetime('now'))`, [generateId('ntf'), user.id, `🎉 中标（first_match 自动选）`, `订单 ${result.order_id}`]);
                         }
                         catch (e) {
                             console.error('[P3c notify first_match won]', e);
@@ -294,18 +334,18 @@ export function registerRfqsRoutes(app, deps) {
         res.json({ id, stake_locked: stake, auto_awarded_order_id: autoAwardedOrder });
     });
     // 卖家：修改 bid（仅 active；stake 差额自动结算）
-    app.patch('/api/bids/:id', (req, res) => {
+    app.patch('/api/bids/:id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const bid = db.prepare('SELECT * FROM bids WHERE id = ?').get(req.params.id);
+        const bid = await dbOne('SELECT * FROM bids WHERE id = ?', [req.params.id]);
         if (!bid)
             return void res.status(404).json({ error: 'bid 不存在' });
         if (bid.seller_id !== user.id)
             return void res.status(403).json({ error: '仅本人可修改' });
         if (bid.status !== 'active')
             return void res.json({ error: `当前状态 ${bid.status} 不可修改` });
-        const rfq = db.prepare('SELECT max_price, status, deadline_at FROM rfqs WHERE id = ?').get(bid.rfq_id);
+        const rfq = await dbOne('SELECT max_price, status, deadline_at FROM rfqs WHERE id = ?', [bid.rfq_id]);
         if (!rfq || rfq.status !== 'open')
             return void res.json({ error: 'RFQ 已不接受改价' });
         const body = req.body;
@@ -342,50 +382,89 @@ export function registerRfqsRoutes(app, deps) {
         const newStake = bidStakeFor(newPrice, newQty);
         const delta = Math.round((newStake - oldStake) * 100) / 100;
         if (delta > 0) {
-            const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+            const wallet = await dbOne('SELECT balance FROM wallets WHERE user_id = ?', [user.id]);
             if (!wallet || Number(wallet.balance) < delta) {
                 return void res.json({ error: `余额不足补足 stake 差额 ${delta} WAZ` });
             }
         }
-        db.transaction(() => {
-            db.prepare(`UPDATE bids SET price = ?, qty_offered = ?, eta_hours = ?, fulfillment_type = ?, note = ?, stake_locked = ?
-                  WHERE id = ?`).run(newPrice, newQty, newEta, newFt, newNote, newStake, req.params.id);
-            if (delta > 0) {
-                db.prepare('UPDATE wallets SET balance = balance - ?, staked = staked + ? WHERE user_id = ?').run(delta, delta, user.id);
-            }
-            else if (delta < 0) {
-                const back = -delta;
-                db.prepare('UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?').run(back, back, user.id);
-            }
-        })();
-        res.json({ success: true, stake_locked: newStake, stake_delta: delta });
+        // Codex #236 P1:await 预检后进入同步 tx 前,bid/rfq 状态与 stake 可能变。tx 内重读 bid(必须仍
+        // active)+ rfq(必须仍 open),delta 用【tx 内重读的 stake】重算,正 delta 扣款带 balance 守卫。
+        let txDelta = delta;
+        try {
+            db.transaction(() => {
+                const freshBid = db.prepare('SELECT status, stake_locked FROM bids WHERE id = ?').get(req.params.id);
+                if (!freshBid || freshBid.status !== 'active')
+                    throw new Error('BID_NOT_ACTIVE');
+                const freshRfq = db.prepare('SELECT status FROM rfqs WHERE id = ?').get(bid.rfq_id);
+                if (!freshRfq || freshRfq.status !== 'open')
+                    throw new Error('RFQ_NOT_OPEN');
+                txDelta = Math.round((newStake - (Number(freshBid.stake_locked) || 0)) * 100) / 100;
+                db.prepare(`UPDATE bids SET price = ?, qty_offered = ?, eta_hours = ?, fulfillment_type = ?, note = ?, stake_locked = ?
+                    WHERE id = ?`).run(newPrice, newQty, newEta, newFt, newNote, newStake, req.params.id);
+                if (txDelta > 0) {
+                    const d = db.prepare('UPDATE wallets SET balance = balance - ?, staked = staked + ? WHERE user_id = ? AND balance >= ?').run(txDelta, txDelta, user.id, txDelta);
+                    if (d.changes !== 1)
+                        throw new Error('PATCH_INSUFFICIENT_BALANCE');
+                }
+                else if (txDelta < 0) {
+                    const back = -txDelta;
+                    db.prepare('UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?').run(back, back, user.id);
+                }
+            })();
+        }
+        catch (e) {
+            const m = e.message;
+            if (m === 'BID_NOT_ACTIVE')
+                return void res.json({ error: 'bid 已不是 active 状态,不可修改' });
+            if (m === 'RFQ_NOT_OPEN')
+                return void res.json({ error: 'RFQ 已不接受改价' });
+            if (m === 'PATCH_INSUFFICIENT_BALANCE')
+                return void res.json({ error: `余额不足补足 stake 差额 ${txDelta} WAZ` });
+            throw e;
+        }
+        res.json({ success: true, stake_locked: newStake, stake_delta: txDelta });
     });
     // 卖家：撤回 bid（释放 stake）
-    app.delete('/api/bids/:id', (req, res) => {
+    app.delete('/api/bids/:id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const bid = db.prepare('SELECT * FROM bids WHERE id = ?').get(req.params.id);
+        const bid = await dbOne('SELECT * FROM bids WHERE id = ?', [req.params.id]);
         if (!bid)
             return void res.status(404).json({ error: 'bid 不存在' });
         if (bid.seller_id !== user.id)
             return void res.status(403).json({ error: '仅本人可撤回' });
         if (bid.status !== 'active')
             return void res.json({ error: `当前状态 ${bid.status} 不可撤回` });
-        const stake = Number(bid.stake_locked) || 0;
-        db.transaction(() => {
-            db.prepare("UPDATE bids SET status = 'cancelled', resolved_at = datetime('now') WHERE id = ?").run(req.params.id);
-            if (stake > 0)
-                db.prepare('UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?').run(stake, stake, user.id);
-            db.prepare("UPDATE rfqs SET bid_count = MAX(0, bid_count - 1), updated_at = datetime('now') WHERE id = ?").run(String(bid.rfq_id));
-        })();
-        res.json({ success: true, stake_released: stake });
+        // Codex #236 P1:tx 内先 CAS bid active→cancelled,changes!==1 即并发已撤回/中标 → 抛回滚,
+        // 先于释放 stake + 减 bid_count;释放额用 tx 内重读的 stake_locked(防并发 patch 改过)。
+        let releasedStake = 0;
+        try {
+            db.transaction(() => {
+                const c = db.prepare("UPDATE bids SET status = 'cancelled', resolved_at = datetime('now') WHERE id = ? AND status = 'active'").run(req.params.id);
+                if (c.changes !== 1)
+                    throw new Error('BID_NOT_ACTIVE');
+                const fresh = db.prepare('SELECT stake_locked FROM bids WHERE id = ?').get(req.params.id);
+                releasedStake = Number(fresh.stake_locked) || 0;
+                if (releasedStake > 0)
+                    db.prepare('UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?').run(releasedStake, releasedStake, user.id);
+                db.prepare("UPDATE rfqs SET bid_count = MAX(0, bid_count - 1), updated_at = datetime('now') WHERE id = ?").run(String(bid.rfq_id));
+            })();
+        }
+        catch (e) {
+            if (e.message === 'BID_NOT_ACTIVE')
+                return void res.json({ error: `当前状态不可撤回（可能已撤回/中标）` });
+            throw e;
+        }
+        res.json({ success: true, stake_released: releasedStake });
     });
     // 买家：选定 winning bid
-    app.post('/api/rfqs/:id/award', (req, res) => {
+    app.post('/api/rfqs/:id/award', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
+        // 选标读保持同步:rfq/winner 直接作为权威 subject 喂进 awardBidAndCreateOrder,
+        // 而该函数事务内不再 re-read,async 化会在读→建单事务之间插入 await gap → 破坏原子性。
         const rfq = db.prepare('SELECT * FROM rfqs WHERE id = ?').get(req.params.id);
         if (!rfq)
             return void res.status(404).json({ error: 'RFQ 不存在' });
@@ -417,9 +496,8 @@ export function registerRfqsRoutes(app, deps) {
         }
         // 通知（事务外）：中标
         try {
-            db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
-                  VALUES (?,?,'rfq_won',?,?,datetime('now'))`)
-                .run(generateId('ntf'), winner.seller_id, `🎉 中标：${rfq.title}`, `订单 ${result.order_id}`);
+            await dbRun(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
+                  VALUES (?,?,'rfq_won',?,?,datetime('now'))`, [generateId('ntf'), winner.seller_id, `🎉 中标：${rfq.title}`, `订单 ${result.order_id}`]);
         }
         catch (e) {
             console.error('[P3 notify won]', e);

package/dist/pwa/routes/search.js

@@ -1,13 +1,15 @@
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerSearchRoutes(app, deps) {
-    const { db, auth, applyCouponToOrder, extractUrlFromText, extractTitleFromText, parsePlatformUrl, searchByExternalLink, detectShareCommandFormat, formatProductForAgent } = deps;
-    app.get('/api/coupons/preview', (req, res) => {
+    // db 已走 RFC-016 异步 seam(dbOne/dbAll);applyCouponToOrder 是注入的同步 wrapper(订单金钱路径)
+    const { auth, applyCouponToOrder, extractUrlFromText, extractTitleFromText, parsePlatformUrl, searchByExternalLink, detectShareCommandFormat, formatProductForAgent } = deps;
+    app.get('/api/coupons/preview', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const { code, product_id } = req.query;
         if (!code || !product_id)
             return void res.status(400).json({ error: '需提供 code + product_id' });
-        const p = db.prepare('SELECT seller_id, price FROM products WHERE id = ?').get(product_id);
+        const p = await dbOne('SELECT seller_id, price FROM products WHERE id = ?', [product_id]);
         if (!p)
             return void res.status(404).json({ error: '商品不存在' });
         const result = applyCouponToOrder(code, p.seller_id, product_id, Number(p.price));
@@ -15,11 +17,11 @@ export function registerSearchRoutes(app, deps) {
             return void res.json({ ok: false, error: result.error });
         res.json({ ok: true, discount: result.discount, final_price: Math.max(0, Number(p.price) - (result.discount || 0)) });
     });
-    app.get('/api/my-products', (req, res) => {
+    app.get('/api/my-products', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const products = db.prepare(`
+        const products = await dbAll(`
       SELECT p.*,
         CASE WHEN EXISTS (
           SELECT 1 FROM verify_tasks WHERE product_id=p.id AND status IN ('code_issued','open')
@@ -28,7 +30,7 @@ export function registerSearchRoutes(app, deps) {
           AND NOT EXISTS (SELECT 1 FROM product_external_links WHERE product_id=p.id AND verified=1 AND (revoked IS NULL OR revoked=0))
         THEN 1 ELSE 0 END as all_links_revoked
       FROM products p WHERE p.seller_id = ? ORDER BY p.created_at DESC
-    `).all(user.id);
+    `, [user.id]);
         res.json(products);
     });
     app.post('/api/search-by-link', (req, res) => {
@@ -83,7 +85,7 @@ export function registerSearchRoutes(app, deps) {
             ...(unsupportedHint ? { unsupported_format: true, hint: unsupportedHint } : {}),
         });
     });
-    app.get('/api/search-fuzzy', (req, res) => {
+    app.get('/api/search-fuzzy', async (req, res) => {
         const q = String(req.query.q ?? '').trim();
         const threshold = 0.5;
         if (!q)
@@ -103,14 +105,14 @@ export function registerSearchRoutes(app, deps) {
             return out;
         };
         const qg = grams(qn);
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT p.*, u.name as seller_name,
         COALESCE(rs.total_points, 0) as rep_points, COALESCE(rs.level, 'new') as rep_level
       FROM products p
       JOIN users u ON p.seller_id = u.id
       LEFT JOIN reputation_scores rs ON rs.user_id = p.seller_id
       WHERE p.status = 'active' AND p.stock > 0
-    `).all();
+    `);
         const scored = rows
             .map((r) => {
             const tn = norm(String(r.title ?? ''));
@@ -144,26 +146,26 @@ export function registerSearchRoutes(app, deps) {
             score_threshold: threshold,
         });
     });
-    app.get('/api/check-url', (req, res) => {
+    app.get('/api/check-url', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const url = req.query.url;
         if (!url)
             return void res.json({ error: '请提供 url 参数' });
-        const selfClaim = db.prepare(`
+        const selfClaim = await dbOne(`
       SELECT p.id as product_id, p.title FROM product_external_links pel
       JOIN products p ON pel.product_id = p.id
       WHERE pel.url = ? AND p.seller_id = ?
-    `).get(url, user.id);
+    `, [url, user.id]);
         if (selfClaim) {
             return void res.json({ claimed: true, self: true, product_title: selfClaim.title, message: `您已在商品「${selfClaim.title}」中关联了此链接` });
         }
-        const otherClaim = db.prepare(`
+        const otherClaim = await dbOne(`
       SELECT p.title as product_title FROM product_external_links pel
       JOIN products p ON pel.product_id = p.id
       WHERE pel.url = ? AND pel.verified = 1 AND p.seller_id != ?
-    `).get(url, user.id);
+    `, [url, user.id]);
         if (otherClaim) {
             return void res.json({ claimed: true, self: false, message: `此链接已被其他商家认领，不能直接添加，上架后请在商品编辑页发起认领验证任务` });
         }