@seasonkoh/webaz 0.1.24 → 0.1.25

package/dist/pwa/routes/shops.js

@@ -1,46 +1,48 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerShopsRoutes(app, deps) {
-    const { db, auth } = deps;
-    app.get('/api/shops/:identifier', (req, res) => {
+    // db 已走 RFC-016 异步 seam(dbOne/dbAll/dbRun),不再直接用 deps.db
+    const { auth } = deps;
+    app.get('/api/shops/:identifier', async (req, res) => {
         const id = String(req.params.identifier || '').replace(/^@/, '');
         // 先按 handle 查，找不到再按 id
-        let seller = db.prepare(`
+        let seller = await dbOne(`
       SELECT id, name, handle, role, bio, shop_banner_url, shop_intro, created_at, region
       FROM users WHERE handle = ? AND role = 'seller'
-    `).get(id);
+    `, [id]);
         if (!seller) {
-            seller = db.prepare(`
+            seller = await dbOne(`
         SELECT id, name, handle, role, bio, shop_banner_url, shop_intro, created_at, region
         FROM users WHERE id = ? AND role = 'seller'
-      `).get(id);
+      `, [id]);
         }
         if (!seller)
             return void res.status(404).json({ error: '店铺不存在' });
         const sellerId = String(seller.id);
-        const products = db.prepare(`
+        const products = await dbAll(`
       SELECT p.id, p.title, p.price, p.stock, p.category, p.images, p.has_variants, p.commission_rate,
         (SELECT COUNT(1) FROM orders o WHERE o.product_id = p.id AND o.status = 'completed') as sales_count
       FROM products p
       WHERE p.seller_id = ? AND p.status = 'active'
       ORDER BY sales_count DESC, p.created_at DESC
       LIMIT 50
-    `).all(sellerId);
-        const ratingsAgg = db.prepare(`
+    `, [sellerId]);
+        const ratingsAgg = (await dbOne(`
       SELECT COUNT(*) as cnt, COALESCE(AVG(stars), 0) as avg_stars FROM order_ratings WHERE seller_id = ?
-    `).get(sellerId);
-        const followers = db.prepare(`SELECT COUNT(*) as n FROM follows WHERE followee_id = ?`).get(sellerId).n;
-        const completedOrders = db.prepare(`SELECT COUNT(*) as n FROM orders WHERE seller_id = ? AND status = 'completed'`).get(sellerId).n;
+    `, [sellerId]));
+        const followers = (await dbOne(`SELECT COUNT(*) as n FROM follows WHERE followee_id = ?`, [sellerId])).n;
+        const completedOrders = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE seller_id = ? AND status = 'completed'`, [sellerId])).n;
         // 当前 viewer 是否关注
         let is_following = false;
         try {
             const token = (req.headers.authorization || '').replace(/^Bearer\s+/i, '');
             if (token) {
-                const u = db.prepare('SELECT id FROM users WHERE api_key = ?').get(token);
+                const u = await dbOne('SELECT id FROM users WHERE api_key = ?', [token]);
                 if (u)
-                    is_following = !!db.prepare('SELECT 1 FROM follows WHERE follower_id = ? AND followee_id = ?').get(u.id, sellerId);
+                    is_following = !!(await dbOne('SELECT 1 FROM follows WHERE follower_id = ? AND followee_id = ?', [u.id, sellerId]));
             }
         }
         catch { }
-        const recentRatings = db.prepare(`
+        const recentRatings = await dbAll(`
       SELECT r.stars, r.comment, r.reply, r.created_at,
         u.handle as buyer_handle, p.title as product_title
       FROM order_ratings r
@@ -48,7 +50,7 @@ export function registerShopsRoutes(app, deps) {
       JOIN products p ON p.id = r.product_id
       WHERE r.seller_id = ?
       ORDER BY r.created_at DESC LIMIT 5
-    `).all(sellerId);
+    `, [sellerId]);
         res.json({
             seller,
             stats: {
@@ -64,7 +66,7 @@ export function registerShopsRoutes(app, deps) {
         });
     });
     // 卖家更新自己店铺装饰
-    app.patch('/api/shops/me', (req, res) => {
+    app.patch('/api/shops/me', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -92,7 +94,7 @@ export function registerShopsRoutes(app, deps) {
             return void res.status(400).json({ error: '无可更新字段' });
         sets.push(`updated_at = datetime('now')`);
         args.push(user.id);
-        db.prepare(`UPDATE users SET ${sets.join(', ')} WHERE id = ?`).run(...args);
+        await dbRun(`UPDATE users SET ${sets.join(', ')} WHERE id = ?`, args);
         res.json({ success: true });
     });
 }

package/dist/pwa/routes/signaling.js

@@ -1,6 +1,8 @@
+import { dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerSignalingRoutes(app, deps) {
-    const { db, auth, generateId } = deps;
-    app.post('/api/signaling/send', (req, res) => {
+    // db 已走 RFC-016 异步 seam(dbAll/dbRun),不再直接用 deps.db
+    const { auth, generateId } = deps;
+    app.post('/api/signaling/send', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
@@ -11,23 +13,22 @@ export function registerSignalingRoutes(app, deps) {
             return void res.json({ error: 'type 不合法' });
         if (JSON.stringify(data).length > 50000)
             return void res.json({ error: 'data 过大' });
-        db.prepare(`INSERT INTO signaling_queue (id, to_peer_id, from_peer_id, signal_type, signal_data, created_at)
-                VALUES (?,?,?,?,?,datetime('now'))`)
-            .run(generateId('sig'), to, me.id, type, JSON.stringify(data));
+        await dbRun(`INSERT INTO signaling_queue (id, to_peer_id, from_peer_id, signal_type, signal_data, created_at)
+                VALUES (?,?,?,?,?,datetime('now'))`, [generateId('sig'), to, me.id, type, JSON.stringify(data)]);
         res.json({ ok: true });
     });
-    app.get('/api/signaling/poll', (req, res) => {
+    app.get('/api/signaling/poll', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT id, from_peer_id, signal_type, signal_data, created_at FROM signaling_queue
       WHERE to_peer_id = ? AND delivered_at IS NULL AND created_at > datetime('now', '-2 minutes')
       ORDER BY created_at ASC LIMIT 50
-    `).all(me.id);
+    `, [me.id]);
         if (rows.length > 0) {
             const ids = rows.map(r => r.id);
-            db.prepare(`UPDATE signaling_queue SET delivered_at = datetime('now') WHERE id IN (${ids.map(() => '?').join(',')})`).run(...ids);
+            await dbRun(`UPDATE signaling_queue SET delivered_at = datetime('now') WHERE id IN (${ids.map(() => '?').join(',')})`, ids);
         }
         res.json({ signals: rows.map(r => {
                 let signal_data = null;

package/dist/pwa/routes/skill-market.js

@@ -1,18 +1,18 @@
+import { dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 import { publishListing, updateListing, delistListing, resubmitListing, listMarket, getMarketDetail, getMyListings, purchaseListing, readContent, getMyLibrary, listPendingAudit, auditListing, } from '../../layer4-economics/L4-4-skill-market/skill-listing-engine.js';
 export function registerSkillMarketRoutes(app, deps) {
     const { db, generateId, auth, getUser, requireContentAdmin, getProtocolParam } = deps;
     const feeRate = () => getProtocolParam('skill_fee_rate', 0.05);
-    const notify = (userId, title, body) => {
+    const notify = async (userId, title, body) => {
         try {
-            db.prepare('INSERT INTO notifications (id, user_id, title, body, order_id) VALUES (?,?,?,?,?)')
-                .run(generateId('ntf'), userId, title, body, null);
+            await dbRun('INSERT INTO notifications (id, user_id, title, body, order_id) VALUES (?,?,?,?,?)', [generateId('ntf'), userId, title, body, null]);
         }
         catch { /* notifications best-effort */ }
     };
     // ─── 公开列表 ───────────────────────────────────────────────
-    app.get('/api/skill-market', (req, res) => {
+    app.get('/api/skill-market', async (req, res) => {
         const user = getUser(req);
-        res.json(listMarket(db, {
+        res.json(await listMarket(db, {
             category: req.query.category,
             skillKind: req.query.kind,
             billingMode: req.query.billing,
@@ -22,23 +22,23 @@ export function registerSkillMarketRoutes(app, deps) {
         }));
     });
     // ─── 我发布的（须在 /:id 之前注册）───────────────────────────
-    app.get('/api/skill-market/mine', (req, res) => {
+    app.get('/api/skill-market/mine', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        res.json(getMyListings(db, user.id));
+        res.json(await getMyListings(db, user.id));
     });
     // ─── 我的技能库 ─────────────────────────────────────────────
-    app.get('/api/skill-market/library', (req, res) => {
+    app.get('/api/skill-market/library', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        res.json(getMyLibrary(db, user.id));
+        res.json(await getMyLibrary(db, user.id));
     });
     // ─── 公开详情 ───────────────────────────────────────────────
-    app.get('/api/skill-market/:id', (req, res) => {
+    app.get('/api/skill-market/:id', async (req, res) => {
         const user = getUser(req);
-        const detail = getMarketDetail(db, req.params.id, user?.id);
+        const detail = await getMarketDetail(db, req.params.id, user?.id);
         if (!detail)
             return void res.status(404).json({ error: '技能不存在或未上架' });
         res.json(detail);
@@ -141,14 +141,14 @@ export function registerSkillMarketRoutes(app, deps) {
         }
     });
     // ─── Admin：待审列表 ────────────────────────────────────────
-    app.get('/api/admin/skill-market/pending', (req, res) => {
+    app.get('/api/admin/skill-market/pending', async (req, res) => {
         const admin = requireContentAdmin(req, res);
         if (!admin)
             return;
-        res.json({ items: listPendingAudit(db) });
+        res.json({ items: await listPendingAudit(db) });
     });
     // ─── Admin：审核 ────────────────────────────────────────────
-    app.post('/api/admin/skill-market/:id/audit', (req, res) => {
+    app.post('/api/admin/skill-market/:id/audit', async (req, res) => {
         const admin = requireContentAdmin(req, res);
         if (!admin)
             return;
@@ -159,10 +159,10 @@ export function registerSkillMarketRoutes(app, deps) {
         try {
             const listing = auditListing(db, req.params.id, admin.id, decision, note);
             if (decision === 'approve') {
-                notify(listing.author_id, '✓ 技能审核通过', `「${listing.title}」已上架技能市场`);
+                await notify(listing.author_id, '✓ 技能审核通过', `「${listing.title}」已上架技能市场`);
             }
             else {
-                notify(listing.author_id, '✗ 技能审核未通过', `「${listing.title}」被退回：${note ?? ''}`);
+                await notify(listing.author_id, '✗ 技能审核未通过', `「${listing.title}」被退回：${note ?? ''}`);
             }
             res.json({ success: true, listing });
         }

package/dist/pwa/routes/skills.js

@@ -1,4 +1,5 @@
 import { publishSkill, listSkills, getMySkills, subscribeSkill, unsubscribeSkill, getMySubscriptions, } from '../../layer4-economics/L4-4-skill-market/skill-engine.js';
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 const SKILL_TRUST_REQ = {
     price_negotiation: 'quality',
     quality_guarantee: 'quality',
@@ -10,9 +11,9 @@ const LEVEL_ORDER = ['new', 'trusted', 'quality', 'legend'];
 export function registerSkillsRoutes(app, deps) {
     const { db, auth, getUser } = deps;
     // 公开浏览
-    app.get('/api/skills', (req, res) => {
+    app.get('/api/skills', async (req, res) => {
         const user = getUser(req);
-        const skills = listSkills(db, {
+        const skills = await listSkills(db, {
             skillType: req.query.type,
             query: req.query.q,
             subscriberId: user?.id,
@@ -20,20 +21,20 @@ export function registerSkillsRoutes(app, deps) {
         });
         res.json(skills);
     });
-    app.get('/api/skills/mine', (req, res) => {
+    app.get('/api/skills/mine', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        res.json(getMySkills(db, user.id));
+        res.json(await getMySkills(db, user.id));
     });
-    app.get('/api/skills/subscriptions', (req, res) => {
+    app.get('/api/skills/subscriptions', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        res.json(getMySubscriptions(db, user.id));
+        res.json(await getMySubscriptions(db, user.id));
     });
     // 发布
-    app.post('/api/skills', (req, res) => {
+    app.post('/api/skills', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -45,7 +46,7 @@ export function registerSkillsRoutes(app, deps) {
         // trust level 门槛
         const required = SKILL_TRUST_REQ[skill_type] || 'new';
         if (required !== 'new') {
-            const rep = db.prepare(`SELECT level FROM agent_reputation WHERE api_key = ?`).get(user.api_key);
+            const rep = await dbOne(`SELECT level FROM agent_reputation WHERE api_key = ?`, [user.api_key]);
             const myLevel = rep?.level || 'new';
             if (LEVEL_ORDER.indexOf(myLevel) < LEVEL_ORDER.indexOf(required)) {
                 return void res.status(403).json({
@@ -103,11 +104,11 @@ export function registerSkillsRoutes(app, deps) {
         }
     });
     // 卖家：修改 Skill
-    app.patch('/api/skills/:id', (req, res) => {
+    app.patch('/api/skills/:id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const skill = db.prepare('SELECT seller_id FROM skills WHERE id = ?').get(req.params.id);
+        const skill = await dbOne('SELECT seller_id FROM skills WHERE id = ?', [req.params.id]);
         if (!skill)
             return void res.status(404).json({ error: 'Skill 不存在' });
         if (skill.seller_id !== user.id)
@@ -134,20 +135,20 @@ export function registerSkillsRoutes(app, deps) {
         if (!updates.length)
             return void res.json({ error: '无任何修改' });
         args.push(req.params.id);
-        db.prepare(`UPDATE skills SET ${updates.join(', ')} WHERE id = ?`).run(...args);
+        await dbRun(`UPDATE skills SET ${updates.join(', ')} WHERE id = ?`, args);
         res.json({ success: true });
     });
     // 卖家：停用
-    app.post('/api/skills/:id/disable', (req, res) => {
+    app.post('/api/skills/:id/disable', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const skill = db.prepare('SELECT seller_id FROM skills WHERE id = ?').get(req.params.id);
+        const skill = await dbOne('SELECT seller_id FROM skills WHERE id = ?', [req.params.id]);
         if (!skill)
             return void res.status(404).json({ error: 'Skill 不存在' });
         if (skill.seller_id !== user.id)
             return void res.status(403).json({ error: '仅 Skill owner 可停用' });
-        db.prepare("UPDATE skills SET active = 0 WHERE id = ?").run(req.params.id);
+        await dbRun("UPDATE skills SET active = 0 WHERE id = ?", [req.params.id]);
         res.json({ success: true });
     });
     // 订阅

package/dist/pwa/routes/snf.js

@@ -1,3 +1,4 @@
+import { dbOne } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 import { snfSend, snfPullInbox, snfListInbox, snfAck, snfPendingCount, snfVerify, snfDesignate, snfGetDesignation, snfNack, snfListDeadLetter, snfRevive, } from '../../layer2-business/L2-7-snf/snf-engine.js';
 export function registerSnfRoutes(app, deps) {
     const { db, auth } = deps;
@@ -26,13 +27,13 @@ export function registerSnfRoutes(app, deps) {
         }
     });
     // 只读列表（不消费）
-    app.get('/api/snf/inbox', (req, res) => {
+    app.get('/api/snf/inbox', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const limit = Math.min(200, Math.max(1, Number(req.query.limit) || 80));
         const sinceDays = Math.min(180, Math.max(1, Number(req.query.since_days) || 30));
-        const msgs = snfListInbox(db, user.id, limit, sinceDays);
+        const msgs = await snfListInbox(db, user.id, limit, sinceDays);
         res.json({ items: msgs, count: msgs.length });
     });
     // 协议级 pull — 一次性消费，agent / 内部组件用
@@ -56,12 +57,12 @@ export function registerSnfRoutes(app, deps) {
         const r = snfNack(db, user.id, ids, error);
         res.json({ ok: true, reopened: r.reopened, dead_lettered: r.deadLettered });
     });
-    app.get('/api/snf/dead-letter', (req, res) => {
+    app.get('/api/snf/dead-letter', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const limit = Math.min(200, Math.max(1, Number(req.query.limit) || 50));
-        const items = snfListDeadLetter(db, user.id, limit);
+        const items = await snfListDeadLetter(db, user.id, limit);
         res.json({ items, count: items.length });
     });
     app.post('/api/snf/revive/:id', (req, res) => {
@@ -76,7 +77,7 @@ export function registerSnfRoutes(app, deps) {
         res.json({ ok: true });
     });
     // 显式 ack（无 ids → ack 全部未读）
-    app.post('/api/snf/ack', (req, res) => {
+    app.post('/api/snf/ack', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -85,29 +86,29 @@ export function registerSnfRoutes(app, deps) {
             const r = snfAck(db, user.id, ids);
             return void res.json({ ok: true, acked: r.acked });
         }
-        const all = snfListInbox(db, user.id, 200, 365).filter(m => !m.delivered_at).map(m => m.id);
+        const all = (await snfListInbox(db, user.id, 200, 365)).filter(m => !m.delivered_at).map(m => m.id);
         const r = snfAck(db, user.id, all);
         res.json({ ok: true, acked: r.acked });
     });
-    app.get('/api/snf/pending', (req, res) => {
+    app.get('/api/snf/pending', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        res.json({ pending: snfPendingCount(db, user.id) });
+        res.json({ pending: await snfPendingCount(db, user.id) });
     });
     // 验签（仅当事人或 arbitrator/admin）
-    app.get('/api/snf/:id/verify', (req, res) => {
+    app.get('/api/snf/:id/verify', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const r = db.prepare(`SELECT sender_id, recipient_id FROM snf_messages WHERE id = ?`).get(req.params.id);
+        const r = await dbOne(`SELECT sender_id, recipient_id FROM snf_messages WHERE id = ?`, [req.params.id]);
         if (!r)
             return void res.status(404).json({ error: '消息不存在' });
         const uid = user.id;
         if (uid !== r.sender_id && uid !== r.recipient_id && user.role !== 'arbitrator' && user.role !== 'admin') {
             return void res.status(403).json({ error: '无权验证' });
         }
-        res.json(snfVerify(db, req.params.id));
+        res.json(await snfVerify(db, req.params.id));
     });
     app.post('/api/snf/designate', (req, res) => {
         const user = auth(req, res);
@@ -117,10 +118,10 @@ export function registerSnfRoutes(app, deps) {
         snfDesignate(db, user.id, peers);
         res.json({ ok: true, peers });
     });
-    app.get('/api/snf/designate', (req, res) => {
+    app.get('/api/snf/designate', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        res.json({ peers: snfGetDesignation(db, user.id), server_implicit: true });
+        res.json({ peers: await snfGetDesignation(db, user.id), server_implicit: true });
     });
 }

package/dist/pwa/routes/tags.js

@@ -1,11 +1,12 @@
-export function registerTagsRoutes(app, deps) {
-    const { db } = deps;
-    app.get('/api/tags/:tag/notes', (req, res) => {
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
+export function registerTagsRoutes(app, _deps) {
+    // db 已全量走 RFC-016 异步 seam(dbOne/dbAll),不再用 deps.db
+    app.get('/api/tags/:tag/notes', async (req, res) => {
         const tag = String(req.params.tag || '').trim().toLowerCase();
         if (!tag || tag.length > 30)
             return void res.status(400).json({ error: 'tag invalid' });
         const limit = Math.min(50, Math.max(1, Number(req.query.limit) || 30));
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT s.id, s.owner_id, s.owner_code, s.type, s.title, s.native_text,
              s.related_product_id, s.related_anchor, s.photo_hashes,
              s.click_count, s.like_count, s.created_at,
@@ -18,7 +19,7 @@ export function registerTagsRoutes(app, deps) {
       LEFT JOIN users u ON u.id = s.owner_id
       WHERE t.tag = ? AND s.status = 'active'
       ORDER BY s.created_at DESC LIMIT ?
-    `).all(tag, limit);
+    `, [tag, limit]);
         for (const r of rows) {
             if (typeof r.photo_hashes === 'string') {
                 try {
@@ -29,19 +30,19 @@ export function registerTagsRoutes(app, deps) {
                 }
             }
         }
-        const stat = db.prepare(`SELECT COUNT(*) as count FROM shareable_tags WHERE tag = ?`).get(tag);
+        const stat = (await dbOne(`SELECT COUNT(*) as count FROM shareable_tags WHERE tag = ?`, [tag]));
         res.json({ tag, count: stat.count, items: rows });
     });
     // 热门标签：24h + 总数综合排序
-    app.get('/api/tags/trending', (_req, res) => {
-        const rows = db.prepare(`
+    app.get('/api/tags/trending', async (_req, res) => {
+        const rows = await dbAll(`
       SELECT tag, COUNT(*) as total,
         SUM(CASE WHEN created_at > datetime('now', '-1 day') THEN 1 ELSE 0 END) as recent_24h
       FROM shareable_tags
       GROUP BY tag
       HAVING total >= 1
       ORDER BY recent_24h DESC, total DESC LIMIT 20
-    `).all();
+    `);
         res.json({ items: rows });
     });
 }

package/dist/pwa/routes/task-proposals.js

@@ -0,0 +1,45 @@
+import { validateProposalInput, insertTaskProposal, listTaskProposals, reviewTaskProposal } from '../../layer2-business/L2-9-contribution/task-proposal-store.js';
+import { withUncommittedValueBoundary } from '../../layer2-business/L2-9-contribution/contribution-display-envelope.js';
+import { getCanonicalContributionTarget } from '../../layer2-business/L2-9-contribution/canonical-contribution-target.js';
+const PROPOSAL_NOTICE = 'A task proposal is a SUGGESTION in the maintainer review inbox. It is NOT a contribution fact, formal participation, or any reward / payout / score, and it never appears on the public task board until a maintainer reviews and (manually) converts it. source_ref is a reference only; the canonical contribution target is fixed by trusted config.';
+function withProposalEnvelope(payload) {
+    return withUncommittedValueBoundary({ ...payload, proposal_notice: PROPOSAL_NOTICE, canonical_contribution_target: getCanonicalContributionTarget() });
+}
+export function registerTaskProposalsRoutes(app, deps) {
+    const { db, errorRes, requireSupportAdmin, rateLimitOk } = deps;
+    // public submit — anonymous; proposer_account_id is never taken from the body (anti-spoof).
+    app.post('/api/public/task-proposals', (req, res) => {
+        // anti-flood: per-IP rate limit (counts every attempt, before validation) then a recent-window dedup.
+        const ip = (typeof req.headers['x-forwarded-for'] === 'string' ? req.headers['x-forwarded-for'].split(',')[0].trim() : '') || req.ip || 'unknown';
+        if (!rateLimitOk(`proposal:${ip}`))
+            return void errorRes(res, 429, 'RATE_LIMITED', '提交过于频繁,请稍后再试');
+        const v = validateProposalInput(req.body);
+        if (!v.ok)
+            return void errorRes(res, 400, v.code, v.message);
+        const result = insertTaskProposal(db, v.input, null);
+        if ('duplicate' in result)
+            return void errorRes(res, 409, 'DUPLICATE_PROPOSAL', '相同建议已在收件箱中,请勿重复提交', { existing_id: result.existing_id });
+        res.json(withProposalEnvelope({ proposal: { id: result.id, status: result.status } }));
+    });
+    // admin list (maintainer only)
+    app.get('/api/admin/task-proposals', (req, res) => {
+        const admin = requireSupportAdmin(req, res);
+        if (!admin)
+            return;
+        const status = typeof req.query.status === 'string' ? req.query.status : undefined;
+        res.json(withProposalEnvelope({ proposals: listTaskProposals(db, { status }) }));
+    });
+    // admin review (maintainer only): needs_info | rejected | converted — no build_task is created here.
+    app.post('/api/admin/task-proposals/:id/review', (req, res) => {
+        const admin = requireSupportAdmin(req, res);
+        if (!admin)
+            return;
+        const { status, note, converted_ref } = req.body ?? {};
+        const result = reviewTaskProposal(db, String(req.params.id), admin.id, String(status), note, converted_ref);
+        if ('error' in result) {
+            const code = result.code === 'NOT_FOUND' ? 404 : result.code === 'ALREADY_TERMINAL' ? 409 : 400;
+            return void errorRes(res, code, result.code, result.error);
+        }
+        res.json(withProposalEnvelope({ proposal: result }));
+    });
+}