@seasonkoh/webaz 0.1.23 → 0.1.25

package/dist/pwa/routes/shareables-interactions.js

@@ -1,18 +1,19 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerShareablesInteractionsRoutes(app, deps) {
     const { db, auth, generateId, rateLimitOk, piiSanitize, detectFraud, commentBlocklistHit, llmModerateComment, parseMentions, notifyMentions } = deps;
-    app.post('/api/shareables/:id/click', (req, res) => {
+    app.post('/api/shareables/:id/click', async (req, res) => {
         // 点击计数（不要求 auth — 任何人点击外链都计数）
-        db.prepare("UPDATE shareables SET click_count = click_count + 1 WHERE id = ? AND status = 'active'").run(req.params.id);
+        await dbRun("UPDATE shareables SET click_count = click_count + 1 WHERE id = ? AND status = 'active'", [req.params.id]);
         res.json({ ok: true });
     });
     // LIKE 系统：toggle 点赞（每用户对每 shareable 一票；不能给自己点）
-    app.post('/api/shareables/:id/like', (req, res) => {
+    app.post('/api/shareables/:id/like', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         if (!rateLimitOk(`like:${user.id}`, 60, 60_000))
             return void res.status(429).json({ error: '点赞过于频繁' });
-        const sh = db.prepare("SELECT id, owner_id, related_product_id, status FROM shareables WHERE id = ?").get(req.params.id);
+        const sh = await dbOne("SELECT id, owner_id, related_product_id, status FROM shareables WHERE id = ?", [req.params.id]);
         if (!sh)
             return void res.status(404).json({ error: 'shareable 不存在' });
         if (sh.status !== 'active')
@@ -20,7 +21,7 @@ export function registerShareablesInteractionsRoutes(app, deps) {
         if (sh.owner_id === user.id)
             return void res.json({ error: '不能给自己点赞' });
         // P1 Sybil 软门槛：至少完成过 1 笔订单（不限购买该商品，只需活跃用户）
-        const completed = db.prepare("SELECT COUNT(1) as n FROM orders WHERE buyer_id = ? AND status = 'completed'").get(user.id).n;
+        const completed = (await dbOne("SELECT COUNT(1) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [user.id])).n;
         if (completed < 1)
             return void res.json({ error: '完成首笔购买后才能点赞（防止刷赞）' });
         // P0 fix：SELECT existing 进 transaction
@@ -42,39 +43,38 @@ export function registerShareablesInteractionsRoutes(app, deps) {
                 liked = true;
             }
         })();
-        const newCount = db.prepare('SELECT like_count FROM shareables WHERE id = ?').get(req.params.id).like_count;
+        const newCount = (await dbOne('SELECT like_count FROM shareables WHERE id = ?', [req.params.id])).like_count;
         // 通知 owner（仅新增点赞，避免取消时打扰）
         if (liked) {
             try {
-                db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
-                    VALUES (?,?,'shareable_like',?,?,datetime('now'))`)
-                    .run(generateId('ntf'), sh.owner_id, `❤️ 收到点赞`, `分享 #${req.params.id.slice(-8)} 被点赞（累计 ${newCount}）`);
+                await dbRun(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
+                    VALUES (?,?,'shareable_like',?,?,datetime('now'))`, [generateId('ntf'), sh.owner_id, `❤️ 收到点赞`, `分享 #${req.params.id.slice(-8)} 被点赞（累计 ${newCount}）`]);
             }
             catch { }
         }
         res.json({ liked, like_count: newCount });
     });
     // W6 笔记评论 — 楼中楼 1 层（root + replies）
-    app.get('/api/shareables/:id/comments', (req, res) => {
-        const sh = db.prepare(`SELECT id FROM shareables WHERE id = ?`).get(req.params.id);
+    app.get('/api/shareables/:id/comments', async (req, res) => {
+        const sh = await dbOne(`SELECT id FROM shareables WHERE id = ?`, [req.params.id]);
         if (!sh)
             return void res.status(404).json({ error: 'shareable 不存在' });
         const limit = Math.min(100, Math.max(10, Number(req.query.limit) || 50));
         const sort = String(req.query.sort || 'newest');
         const orderBy = sort === 'top' ? 'c.likes DESC, c.created_at DESC' : 'c.created_at DESC';
-        const roots = db.prepare(`
+        const roots = await dbAll(`
       SELECT c.*, u.handle, u.name, u.role
       FROM shareable_comments c LEFT JOIN users u ON u.id = c.commenter_id
       WHERE c.shareable_id = ? AND c.parent_id IS NULL AND c.flagged = 0
       ORDER BY ${orderBy} LIMIT ?
-    `).all(sh.id, limit);
+    `, [sh.id, limit]);
         const rootIds = roots.map(r => r.id);
-        const replies = rootIds.length > 0 ? db.prepare(`
+        const replies = rootIds.length > 0 ? await dbAll(`
       SELECT c.*, u.handle, u.name, u.role
       FROM shareable_comments c LEFT JOIN users u ON u.id = c.commenter_id
       WHERE c.parent_id IN (${rootIds.map(() => '?').join(',')}) AND c.flagged = 0
       ORDER BY c.created_at ASC
-    `).all(...rootIds) : [];
+    `, rootIds) : [];
         const replyMap = new Map();
         for (const r of replies) {
             const pid = String(r.parent_id);
@@ -83,21 +83,21 @@ export function registerShareablesInteractionsRoutes(app, deps) {
             replyMap.set(pid, arr);
         }
         const items = roots.map(r => ({ ...r, replies: replyMap.get(r.id) || [] }));
-        const total = db.prepare(`SELECT COUNT(*) as n FROM shareable_comments WHERE shareable_id = ? AND flagged = 0`).get(sh.id).n;
+        const total = (await dbOne(`SELECT COUNT(*) as n FROM shareable_comments WHERE shareable_id = ? AND flagged = 0`, [sh.id])).n;
         res.json({ items, total, sort });
     });
     app.post('/api/shareables/:id/comments', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const sh = db.prepare(`SELECT id, owner_id, status FROM shareables WHERE id = ?`).get(req.params.id);
+        const sh = await dbOne(`SELECT id, owner_id, status FROM shareables WHERE id = ?`, [req.params.id]);
         if (!sh)
             return void res.status(404).json({ error: 'shareable 不存在' });
         if (sh.status !== 'active')
             return void res.status(400).json({ error: 'shareable 已下架' });
         const parentId = req.body?.parent_id ? String(req.body.parent_id) : null;
         if (parentId) {
-            const parent = db.prepare(`SELECT id, parent_id FROM shareable_comments WHERE id = ? AND shareable_id = ?`).get(parentId, sh.id);
+            const parent = await dbOne(`SELECT id, parent_id FROM shareable_comments WHERE id = ? AND shareable_id = ?`, [parentId, sh.id]);
             if (!parent)
                 return void res.status(404).json({ error: '父评论不存在' });
             if (parent.parent_id)
@@ -120,14 +120,13 @@ export function registerShareablesInteractionsRoutes(app, deps) {
         // 同仲裁评论：flagged 给管理员，flag_reasons 给反诈；用 rawBody
         const reasons = detectFraud(rawBody);
         const cid = generateId('scom');
-        db.prepare(`INSERT INTO shareable_comments (id, shareable_id, commenter_id, parent_id, body, flag_reasons) VALUES (?,?,?,?,?,?)`)
-            .run(cid, sh.id, user.id, parentId, body, reasons.length ? JSON.stringify(reasons) : null);
+        await dbRun(`INSERT INTO shareable_comments (id, shareable_id, commenter_id, parent_id, body, flag_reasons) VALUES (?,?,?,?,?,?)`, [cid, sh.id, user.id, parentId, body,
+            reasons.length ? JSON.stringify(reasons) : null]);
         // 通知作者（自己评论自己除外）+ W9 action
         if (sh.owner_id !== user.id) {
             try {
                 const actions = JSON.stringify([{ kind: 'navigate', label: '查看笔记', href: `#note/${sh.id}`, style: 'primary' }]);
-                db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, order_id, actions) VALUES (?,?,?,?,?,?,?)`)
-                    .run(generateId('ntf'), sh.owner_id, 'note_comment', parentId ? '💬 笔记评论新回复' : '💬 笔记新评论', body.slice(0, 80), null, actions);
+                await dbRun(`INSERT INTO notifications (id, user_id, type, title, body, order_id, actions) VALUES (?,?,?,?,?,?,?)`, [generateId('ntf'), sh.owner_id, 'note_comment', parentId ? '💬 笔记评论新回复' : '💬 笔记新评论', body.slice(0, 80), null, actions]);
             }
             catch (e) {
                 console.warn('[notif note_comment]', e.message);
@@ -139,43 +138,43 @@ export function registerShareablesInteractionsRoutes(app, deps) {
         res.json({ success: true, id: cid, flag_reasons: reasons, mentions: commentMentions.map(m => m.handle) });
     });
     // 查询单个 shareable 我是否点赞过（用于 UI 状态）
-    app.get('/api/shareables/:id/like-status', (req, res) => {
+    app.get('/api/shareables/:id/like-status', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const row = db.prepare('SELECT id FROM shareable_likes WHERE shareable_id = ? AND user_id = ?').get(req.params.id, user.id);
-        const count = db.prepare('SELECT like_count FROM shareables WHERE id = ?').get(req.params.id)?.like_count ?? 0;
+        const row = await dbOne('SELECT id FROM shareable_likes WHERE shareable_id = ? AND user_id = ?', [req.params.id, user.id]);
+        const count = (await dbOne('SELECT like_count FROM shareables WHERE id = ?', [req.params.id]))?.like_count ?? 0;
         res.json({ liked: !!row, like_count: count });
     });
     // ─── 收藏 Bookmarks（小红书风格"收藏" tab）── 2026-05-22 audit ─────
     // POST 切换：未收藏 → 加 / 已收藏 → 删（toggle 模式）
-    app.post('/api/shareables/:id/bookmark', (req, res) => {
+    app.post('/api/shareables/:id/bookmark', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const id = String(req.params.id);
         // 确认 shareable 存在 + active
-        const sh = db.prepare("SELECT id FROM shareables WHERE id = ? AND status = 'active'").get(id);
+        const sh = await dbOne("SELECT id FROM shareables WHERE id = ? AND status = 'active'", [id]);
         if (!sh)
             return void res.status(404).json({ error: 'not_found' });
-        const existing = db.prepare('SELECT id FROM shareable_bookmarks WHERE shareable_id = ? AND user_id = ?').get(id, user.id);
+        const existing = await dbOne('SELECT id FROM shareable_bookmarks WHERE shareable_id = ? AND user_id = ?', [id, user.id]);
         if (existing) {
-            db.prepare('DELETE FROM shareable_bookmarks WHERE id = ?').run(existing.id);
+            await dbRun('DELETE FROM shareable_bookmarks WHERE id = ?', [existing.id]);
             return void res.json({ bookmarked: false });
         }
-        db.prepare('INSERT INTO shareable_bookmarks (id, shareable_id, user_id) VALUES (?, ?, ?)').run(generateId('bm'), id, user.id);
+        await dbRun('INSERT INTO shareable_bookmarks (id, shareable_id, user_id) VALUES (?, ?, ?)', [generateId('bm'), id, user.id]);
         res.json({ bookmarked: true });
     });
     // 查 bookmark 状态
-    app.get('/api/shareables/:id/bookmark-status', (req, res) => {
+    app.get('/api/shareables/:id/bookmark-status', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const row = db.prepare('SELECT id FROM shareable_bookmarks WHERE shareable_id = ? AND user_id = ?').get(req.params.id, user.id);
+        const row = await dbOne('SELECT id FROM shareable_bookmarks WHERE shareable_id = ? AND user_id = ?', [req.params.id, user.id]);
         res.json({ bookmarked: !!row });
     });
     // 我收藏过的 shareables（仅 owner 自己可见）
-    app.get('/api/users/:id/bookmarked-shareables', (req, res) => {
+    app.get('/api/users/:id/bookmarked-shareables', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
@@ -185,7 +184,7 @@ export function registerShareablesInteractionsRoutes(app, deps) {
             ownerId = me.id;
         if (!ownerId)
             return void res.status(403).json({ error: 'only owner can view bookmarks' });
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT s.id, s.owner_id, s.owner_code, s.type, s.external_url, s.external_platform,
              s.thumbnail_url, s.title, s.description, s.photo_hashes, s.related_product_id, s.related_anchor,
              s.click_count, s.like_count, s.created_at,
@@ -196,7 +195,7 @@ export function registerShareablesInteractionsRoutes(app, deps) {
       LEFT JOIN products p ON p.id = s.related_product_id
       WHERE b.user_id = ? AND s.status = 'active'
       ORDER BY b.created_at DESC LIMIT 100
-    `).all(ownerId);
+    `, [ownerId]);
         for (const r of rows) {
             if (typeof r.photo_hashes === 'string') {
                 try {

package/dist/pwa/routes/shareables.js

@@ -1,6 +1,7 @@
 import express from 'express';
 import { writeNotePhoto, readNotePhoto, noteBlobExists, NOTE_PHOTO_MAX_BYTES, NOTE_PHOTO_ALLOWED_MIME } from '../../layer2-business/L2-notes/note-photo-storage.js';
 import { retireAnchorsByTarget } from '../../layer2-business/L2-anchor-registry/anchor-registry.js';
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export const SHAREABLE_DAILY_LIMIT = 10;
 export function registerShareablesRoutes(app, deps) {
     const { db, auth, getUser, generateId, lightAuthGuard, detectExternalPlatform, noteAuthenticityBadges, parseHashtags, parseMentions, notifyMentions, flagNewAccountShareable, refreshProductSharerCount } = deps;
@@ -47,7 +48,7 @@ export function registerShareablesRoutes(app, deps) {
         }
     });
     // 创建 shareable — 双路径：笔记模式 / 外链或 native_text 模式
-    app.post('/api/shareables', (req, res) => {
+    app.post('/api/shareables', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
@@ -61,7 +62,7 @@ export function registerShareablesRoutes(app, deps) {
             // ─── 笔记模式专属校验 ───────────────────────────────────────
             if (!related_order_id)
                 return void res.json({ error: '笔记必须关联订单（你购买过的 completed 订单）' });
-            const order = db.prepare(`SELECT id, buyer_id, seller_id, product_id, status FROM orders WHERE id = ?`).get(related_order_id);
+            const order = await dbOne(`SELECT id, buyer_id, seller_id, product_id, status FROM orders WHERE id = ?`, [related_order_id]);
             if (!order)
                 return void res.status(404).json({ error: '订单不存在' });
             if (order.buyer_id !== me.id)
@@ -69,7 +70,7 @@ export function registerShareablesRoutes(app, deps) {
             if (order.status !== 'completed')
                 return void res.json({ error: '订单完成后才能发笔记' });
             // 每订单 1 篇原创（转发不算 — 转发用 parent_id）
-            const dupOrder = db.prepare(`SELECT id FROM shareables WHERE owner_id = ? AND related_order_id = ? AND type = 'note' AND parent_id IS NULL AND status != 'removed' LIMIT 1`).get(me.id, related_order_id);
+            const dupOrder = await dbOne(`SELECT id FROM shareables WHERE owner_id = ? AND related_order_id = ? AND type = 'note' AND parent_id IS NULL AND status != 'removed' LIMIT 1`, [me.id, related_order_id]);
             if (dupOrder && !parent_id)
                 return void res.json({ error: '该订单已发过原创笔记', existing_id: dupOrder.id });
             if (trimText.length < 30)
@@ -89,7 +90,7 @@ export function registerShareablesRoutes(app, deps) {
             // 图 hash 跨笔记唯一（防剽窃）— 审计修 C-1
             const hashList = photo_hashes;
             for (const h of hashList) {
-                const existing = db.prepare(`SELECT shareable_id FROM note_photo_index WHERE hash = ?`).get(h);
+                const existing = await dbOne(`SELECT shareable_id FROM note_photo_index WHERE hash = ?`, [h]);
                 if (existing && existing.shareable_id) {
                     return void res.json({
                         error: `图片已被其它笔记使用（疑似剽窃）：${h.slice(0, 12)}…`,
@@ -100,25 +101,27 @@ export function registerShareablesRoutes(app, deps) {
             const productId = order.product_id;
             // parent_id 校验（转发链）
             if (parent_id) {
-                const parent = db.prepare(`SELECT id, related_product_id FROM shareables WHERE id = ? AND status != 'removed'`).get(parent_id);
+                const parent = await dbOne(`SELECT id, related_product_id FROM shareables WHERE id = ? AND status != 'removed'`, [parent_id]);
                 if (!parent)
                     return void res.json({ error: '原笔记不存在' });
                 if (parent.related_product_id !== productId)
                     return void res.json({ error: '转发必须基于同一商品的笔记' });
             }
             // 日上限
-            const todayCount = db.prepare(`SELECT COUNT(*) as n FROM shareables WHERE owner_id = ? AND created_at > datetime('now', '-1 day')`).get(me.id).n;
+            const todayCount = (await dbOne(`SELECT COUNT(*) as n FROM shareables WHERE owner_id = ? AND created_at > datetime('now', '-1 day')`, [me.id])).n;
             if (todayCount >= SHAREABLE_DAILY_LIMIT)
                 return void res.json({ error: `每日上限 ${SHAREABLE_DAILY_LIMIT} 条，请明天再来` });
             const id = generateId('shr');
-            const ownerCode = db.prepare("SELECT permanent_code FROM users WHERE id = ?").get(me.id)?.permanent_code || null;
-            db.prepare(`INSERT INTO shareables
+            const ownerCode = (await dbOne("SELECT permanent_code FROM users WHERE id = ?", [me.id]))?.permanent_code || null;
+            await dbRun(`INSERT INTO shareables
         (id, owner_id, type, native_text, title, description, related_product_id, related_order_id, parent_id, photo_hashes, owner_code)
-        VALUES (?,?,?,?,?,?,?,?,?,?,?)`)
-                .run(id, me.id, 'note', trimText, (title || null), (description || null), productId, related_order_id, parent_id || null, JSON.stringify(hashList), ownerCode);
+        VALUES (?,?,?,?,?,?,?,?,?,?,?)`, [id, me.id, 'note', trimText,
+                (title || null), (description || null),
+                productId, related_order_id, parent_id || null,
+                JSON.stringify(hashList), ownerCode]);
             for (const h of hashList) {
                 try {
-                    db.prepare(`INSERT OR IGNORE INTO note_photo_index (hash, shareable_id) VALUES (?,?)`).run(h, id);
+                    await dbRun(`INSERT OR IGNORE INTO note_photo_index (hash, shareable_id) VALUES (?,?)`, [h, id]);
                 }
                 catch { }
             }
@@ -126,7 +129,7 @@ export function registerShareablesRoutes(app, deps) {
             const tags = parseHashtags((title || '') + ' ' + trimText);
             for (const tg of tags) {
                 try {
-                    db.prepare(`INSERT OR IGNORE INTO shareable_tags (shareable_id, tag) VALUES (?,?)`).run(id, tg);
+                    await dbRun(`INSERT OR IGNORE INTO shareable_tags (shareable_id, tag) VALUES (?,?)`, [id, tg]);
                 }
                 catch { }
             }
@@ -148,16 +151,16 @@ export function registerShareablesRoutes(app, deps) {
             return void res.json({ error: '标题不能超过 100 字' });
         if ((description || '').length > 200)
             return void res.json({ error: '描述不能超过 200 字' });
-        const todayCount = db.prepare(`SELECT COUNT(*) as n FROM shareables WHERE owner_id = ? AND created_at > datetime('now', '-1 day')`).get(me.id).n;
+        const todayCount = (await dbOne(`SELECT COUNT(*) as n FROM shareables WHERE owner_id = ? AND created_at > datetime('now', '-1 day')`, [me.id])).n;
         if (todayCount >= SHAREABLE_DAILY_LIMIT)
             return void res.json({ error: `每日上限 ${SHAREABLE_DAILY_LIMIT} 条，请明天再来` });
         if (trimUrl) {
-            const dup = db.prepare(`SELECT id FROM shareables WHERE owner_id = ? AND external_url = ? AND status != 'removed' LIMIT 1`).get(me.id, trimUrl);
+            const dup = await dbOne(`SELECT id FROM shareables WHERE owner_id = ? AND external_url = ? AND status != 'removed' LIMIT 1`, [me.id, trimUrl]);
             if (dup)
                 return void res.json({ error: '已存在相同链接，请编辑现有条目', existing_id: dup.id });
         }
         if (related_product_id) {
-            const p = db.prepare("SELECT id FROM products WHERE id = ?").get(related_product_id);
+            const p = await dbOne("SELECT id FROM products WHERE id = ?", [related_product_id]);
             if (!p)
                 return void res.json({ error: '关联商品不存在' });
         }
@@ -165,58 +168,59 @@ export function registerShareablesRoutes(app, deps) {
         const { type, platform, video_id, thumbnail } = trimUrl
             ? detectExternalPlatform(trimUrl)
             : { type: 'native_text', platform: 'native', video_id: undefined, thumbnail: undefined };
-        const ownerCode = db.prepare("SELECT permanent_code FROM users WHERE id = ?").get(me.id)?.permanent_code || null;
-        db.prepare(`INSERT INTO shareables (id, owner_id, type, external_url, external_platform, external_video_id, thumbnail_url, title, description, native_text, related_product_id, related_anchor, owner_code)
-                VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)`)
-            .run(id, me.id, type, trimUrl || null, platform, video_id || null, thumbnail || null, (title || null), (description || null), trimText || null, related_product_id || null, related_anchor || null, ownerCode);
+        const ownerCode = (await dbOne("SELECT permanent_code FROM users WHERE id = ?", [me.id]))?.permanent_code || null;
+        await dbRun(`INSERT INTO shareables (id, owner_id, type, external_url, external_platform, external_video_id, thumbnail_url, title, description, native_text, related_product_id, related_anchor, owner_code)
+                VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)`, [id, me.id, type, trimUrl || null, platform, video_id || null, thumbnail || null,
+            (title || null), (description || null), trimText || null,
+            related_product_id || null, related_anchor || null, ownerCode]);
         flagNewAccountShareable(id, me.id);
         if (related_product_id)
             refreshProductSharerCount(related_product_id);
         res.json({ ok: true, id, type, platform, thumbnail, owner_code: ownerCode });
     });
-    app.get('/api/shareables/me', (req, res) => {
+    app.get('/api/shareables/me', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT s.*, p.title as product_title FROM shareables s
       LEFT JOIN products p ON p.id = s.related_product_id
       WHERE s.owner_id = ? AND s.status != 'removed'
       ORDER BY s.created_at DESC LIMIT 100
-    `).all(me.id);
+    `, [me.id]);
         res.json({ shareables: rows });
     });
     // 里程碑 L3：创作者贡献仪表盘
-    app.get('/api/creator/stats', (req, res) => {
+    app.get('/api/creator/stats', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
         const meId = me.id;
-        const shareables = db.prepare(`
+        const shareables = await dbAll(`
       SELECT id, related_product_id, click_count, unique_click_count, flag_new_account, created_at
       FROM shareables WHERE owner_id = ? AND status != 'removed'
-    `).all(meId);
+    `, [meId]);
         const totalShares = shareables.length;
         const productShares = shareables.filter(s => s.related_product_id);
         const uniqueProducts = new Set(productShares.map(s => s.related_product_id)).size;
         const rawClicks = shareables.reduce((a, s) => a + (s.click_count || 0), 0);
         const uniqueClicks = shareables.reduce((a, s) => a + (s.unique_click_count || 0), 0);
         const newAccountFlagged = shareables.filter(s => s.flag_new_account).length;
-        const conversions = db.prepare(`
+        const conversions = (await dbOne(`
       SELECT COUNT(*) as n FROM product_share_attribution psa
       JOIN orders o ON o.product_id = psa.product_id AND o.buyer_id = psa.recipient_id
       WHERE psa.sharer_id = ? AND o.status = 'completed' AND o.created_at >= psa.created_at
-    `).get(meId).n;
-        const l1Earn = db.prepare(`
+    `, [meId])).n;
+        const l1Earn = (await dbOne(`
       SELECT COALESCE(SUM(amount), 0) as total
       FROM commission_records WHERE beneficiary_id = ? AND level = 1
-    `).get(meId).total;
+    `, [meId])).total;
         // #7 按 source_type 分项 — 笔记 vs 普通分享 vs sponsor 链
-        const bySource = db.prepare(`
+        const bySource = await dbAll(`
       SELECT source_type, COALESCE(SUM(amount), 0) as total, COUNT(*) as cnt
       FROM commission_records WHERE beneficiary_id = ?
       GROUP BY source_type
-    `).all(meId);
+    `, [meId]);
         const sourceBreakdown = { note: 0, link: 0, sponsor: 0 };
         const sourceCntBreakdown = { note: 0, link: 0, sponsor: 0 };
         for (const r of bySource) {
@@ -225,13 +229,13 @@ export function registerShareablesRoutes(app, deps) {
             sourceCntBreakdown[k] += Number(r.cnt) || 0;
         }
         // 30 天点击趋势
-        const trend30d = db.prepare(`
+        const trend30d = await dbAll(`
       SELECT substr(created_at, 1, 10) as day, COUNT(*) as raw_clicks, COUNT(DISTINCT ip_hash || ':' || ua_hash) as unique_clicks
       FROM shareable_click_log
       WHERE shareable_id IN (SELECT id FROM shareables WHERE owner_id = ?)
         AND created_at > datetime('now', '-30 days')
       GROUP BY day ORDER BY day ASC
-    `).all(meId);
+    `, [meId]);
         res.json({
             shares: { total: totalShares, product_count: uniqueProducts, new_account_flagged: newAccountFlagged },
             clicks: { raw: rawClicks, unique: uniqueClicks, raw_to_unique_ratio: rawClicks > 0 ? Math.round(uniqueClicks / rawClicks * 100) / 100 : null },
@@ -251,11 +255,11 @@ export function registerShareablesRoutes(app, deps) {
         });
     });
     // 策展引用：按 click*1 + like*3 + induced_orders*10 加权排序，取 top 10
-    app.get('/api/shareables/by-product/:pid', (req, res) => {
+    app.get('/api/shareables/by-product/:pid', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT * FROM (
         SELECT s.*, u.name as owner_name, u.handle as owner_handle,
           (SELECT COUNT(DISTINCT o.id) FROM orders o
@@ -268,29 +272,29 @@ export function registerShareablesRoutes(app, deps) {
       ) sub
       ORDER BY (click_count * 1.0 + like_count * 3.0 + induced_orders * 10.0) DESC, created_at DESC
       LIMIT 10
-    `).all(req.params.pid);
+    `, [req.params.pid]);
         for (const r of rows) {
             r.badges = noteAuthenticityBadges(r);
         }
         res.json({ shareables: rows });
     });
-    app.get('/api/shareables/by-anchor/:anchor', (req, res) => {
+    app.get('/api/shareables/by-anchor/:anchor', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT s.*, u.name as owner_name FROM shareables s
       LEFT JOIN users u ON u.id = s.owner_id
       WHERE s.related_anchor = ? AND s.status = 'active'
       ORDER BY s.created_at DESC LIMIT 50
-    `).all(req.params.anchor);
+    `, [req.params.anchor]);
         res.json({ shareables: rows });
     });
     // Phase D2 笔记 list — 公开 feed，3 种 sort
     // sort=newest: created_at DESC
     // sort=trending: (likes*2 + click/10 + freshness/(age_hours+1)) DESC
     // sort=following: 需登录，仅显示 follows.followee_id 的笔记
-    app.get('/api/notes', (req, res) => {
+    app.get('/api/notes', async (req, res) => {
         const limit = Math.min(50, Math.max(1, Number(req.query.limit) || 20));
         const cursor = req.query.cursor ? String(req.query.cursor) : null;
         const sort = String(req.query.sort || 'newest');
@@ -326,7 +330,7 @@ export function registerShareablesRoutes(app, deps) {
       LIMIT ?
     `;
         args.push(limit + 1);
-        const rows = db.prepare(sql).all(...args);
+        const rows = await dbAll(sql, args);
         const hasMore = rows.length > limit;
         const items = rows.slice(0, limit).map(r => {
             let photos = [];
@@ -351,16 +355,16 @@ export function registerShareablesRoutes(app, deps) {
         res.json({ items, next_cursor: nextCursor, sort });
     });
     // Phase C 笔记公开读 — 任何人可读
-    app.get('/api/shareables/:id', (req, res) => {
+    app.get('/api/shareables/:id', async (req, res) => {
         const id = String(req.params.id);
-        const row = db.prepare(`
+        const row = await dbOne(`
       SELECT s.id, s.owner_id, s.owner_code, s.type, s.title, s.description, s.native_text,
              s.related_product_id, s.related_order_id, s.parent_id, s.photo_hashes,
              s.click_count, s.unique_click_count, s.like_count, s.created_at, s.status,
              u.handle as owner_handle, u.name as owner_name, u.region as owner_region
       FROM shareables s LEFT JOIN users u ON u.id = s.owner_id
       WHERE s.id = ? AND s.status = 'active'
-    `).get(id);
+    `, [id]);
         if (!row)
             return void res.status(404).json({ error: 'not_found' });
         let photos = [];
@@ -370,9 +374,9 @@ export function registerShareablesRoutes(app, deps) {
         catch { }
         let product = null;
         if (row.related_product_id) {
-            product = db.prepare(`SELECT id, title, price, category, images FROM products WHERE id = ?`).get(row.related_product_id);
+            product = (await dbOne(`SELECT id, title, price, category, images FROM products WHERE id = ?`, [row.related_product_id])) ?? null;
         }
-        const tags = db.prepare(`SELECT tag FROM shareable_tags WHERE shareable_id = ? ORDER BY id`).all(id).map(r => r.tag);
+        const tags = (await dbAll(`SELECT tag FROM shareable_tags WHERE shareable_id = ? ORDER BY id`, [id])).map(r => r.tag);
         const badges = noteAuthenticityBadges(row);
         res.json({
             id: row.id, type: row.type,
@@ -389,11 +393,11 @@ export function registerShareablesRoutes(app, deps) {
             badges,
         });
     });
-    app.patch('/api/shareables/:id', (req, res) => {
+    app.patch('/api/shareables/:id', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
-        const row = db.prepare("SELECT owner_id FROM shareables WHERE id = ?").get(req.params.id);
+        const row = await dbOne("SELECT owner_id FROM shareables WHERE id = ?", [req.params.id]);
         if (!row || row.owner_id !== me.id)
             return void res.json({ error: '无权操作' });
         const updates = [];
@@ -426,14 +430,14 @@ export function registerShareablesRoutes(app, deps) {
             return void res.json({ error: '没有可更新字段' });
         updates.push(`updated_at = datetime('now')`);
         values.push(req.params.id);
-        db.prepare(`UPDATE shareables SET ${updates.join(', ')} WHERE id = ?`).run(...values);
+        await dbRun(`UPDATE shareables SET ${updates.join(', ')} WHERE id = ?`, values);
         res.json({ ok: true });
     });
-    app.delete('/api/shareables/:id', (req, res) => {
+    app.delete('/api/shareables/:id', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
-        const row = db.prepare("SELECT owner_id, related_product_id, like_count, status, type FROM shareables WHERE id = ?").get(req.params.id);
+        const row = await dbOne("SELECT owner_id, related_product_id, like_count, status, type FROM shareables WHERE id = ?", [req.params.id]);
         if (!row || row.owner_id !== me.id)
             return void res.json({ error: '无权操作' });
         if (row.status === 'removed')

package/dist/pwa/routes/shop-referral.js

@@ -0,0 +1,57 @@
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js';
+export function registerShopReferralRoutes(app, deps) {
+    const { auth, errorRes, internalAuditorId, resolveUserRef, resolveInviteCodeRef } = deps;
+    app.post('/api/shop-referral/touch', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const recipientId = user.id;
+        const { seller_identifier, ref_code, side } = req.body || {};
+        if (!seller_identifier || typeof seller_identifier !== 'string')
+            return void errorRes(res, 400, 'SELLER_REQUIRED', 'seller_identifier required');
+        if (!ref_code || typeof ref_code !== 'string')
+            return void errorRes(res, 400, 'REF_REQUIRED', 'ref_code required');
+        // referrer = invite code ONLY (permanent_code [+ -L/-R]); usr_xxx / @handle / handle rejected.
+        const ref = resolveInviteCodeRef(ref_code);
+        if (!ref)
+            return void errorRes(res, 400, 'INVALID_REF_CODE', '邀请码无效（仅 6-7 位永久码，可带 -L/-R）');
+        const referrerId = ref.userId;
+        // ref_code 自带的 -L/-R 优先,否则用 body.side
+        const finalSide = ref.side || ((side === 'left' || side === 'right') ? side : null);
+        // seller 定位:个人页多形态(usr_xxx / @handle / handle / permanent_code)。
+        // 必须是真实 seller 店铺 —— 普通 buyer / admin / 其它角色不能被写成 shop_referral_attribution.seller_id。
+        const sellerId = resolveUserRef(seller_identifier);
+        if (!sellerId)
+            return void errorRes(res, 404, 'SELLER_NOT_FOUND', '店铺不存在');
+        const sellerRow = await dbOne("SELECT role FROM users WHERE id = ?", [sellerId]);
+        if (sellerRow?.role !== 'seller')
+            return void errorRes(res, 404, 'SELLER_NOT_FOUND', '店铺不存在');
+        if ([referrerId, sellerId].some(id => id === 'sys_protocol' || id === internalAuditorId)) {
+            return void errorRes(res, 400, 'INVALID_PARTY', '无效推荐关系');
+        }
+        // 退化关系安全跳过(不报错,不写坏数据)
+        if (recipientId === referrerId)
+            return void res.json({ ok: true, attributed: false, skipped: 'self_referral', seller_id: sellerId });
+        if (recipientId === sellerId)
+            return void res.json({ ok: true, attributed: false, skipped: 'recipient_is_seller', seller_id: sellerId });
+        // first-touch:已有未过期记录不覆盖;过期记录可被刷新。
+        const existing = await dbOne("SELECT referrer_id FROM shop_referral_attribution WHERE seller_id = ? AND recipient_id = ? AND expires_at > datetime('now')", [sellerId, recipientId]);
+        if (existing)
+            return void res.json({ ok: true, attributed: false, skipped: 'already_locked', seller_id: sellerId });
+        const had = await dbOne("SELECT referrer_id FROM shop_referral_attribution WHERE seller_id = ? AND recipient_id = ?", [sellerId, recipientId]);
+        try {
+            if (had) {
+                // 只刷新仍过期的行(WHERE 双保险:并发下另一请求先刷新 → 本次 0 行,不覆盖)
+                await dbRun("UPDATE shop_referral_attribution SET referrer_id = ?, ref_code = ?, side = ?, created_at = datetime('now'), expires_at = datetime('now','+30 days'), source = 'shop_referral' WHERE seller_id = ? AND recipient_id = ? AND expires_at <= datetime('now')", [referrerId, ref.code, finalSide, sellerId, recipientId]);
+            }
+            else {
+                await dbRun("INSERT INTO shop_referral_attribution (seller_id, recipient_id, referrer_id, ref_code, side, expires_at) VALUES (?,?,?,?,?, datetime('now','+30 days'))", [sellerId, recipientId, referrerId, ref.code, finalSide]);
+            }
+        }
+        catch {
+            // SELECT→INSERT 非原子(async seam):并发 first-touch 撞 PRIMARY KEY → 视作已锁定,不 500
+            return void res.json({ ok: true, attributed: false, skipped: 'already_locked', seller_id: sellerId });
+        }
+        res.json({ ok: true, attributed: true, seller_id: sellerId });
+    });
+}