@seasonkoh/webaz 0.1.24 → 0.1.25

package/dist/pwa/routes/users-public.js

@@ -1,21 +1,23 @@
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerUsersPublicRoutes(app, deps) {
-    const { db, auth, noteAuthenticityBadges } = deps;
+    // db 已全量走 RFC-016 异步 seam(dbOne/dbAll),不再直接用 deps.db
+    const { auth, noteAuthenticityBadges } = deps;
     // ref → user id（usr_xxx / permanent_code / @handle 三态）
-    const resolveUserId = (ref0) => {
+    const resolveUserId = async (ref0) => {
         const ref = String(ref0 || '').trim();
         if (/^usr_[A-Za-z0-9_]+$/.test(ref))
             return ref;
         if (/^[A-Z0-9]{6,7}$/i.test(ref) && !ref.startsWith('@')) {
-            const r = db.prepare("SELECT id FROM users WHERE permanent_code = ?").get(ref.toUpperCase());
+            const r = await dbOne("SELECT id FROM users WHERE permanent_code = ?", [ref.toUpperCase()]);
             if (r)
                 return r.id;
         }
         const h = ref.replace(/^@/, '').toLowerCase();
-        const r = db.prepare("SELECT id FROM users WHERE handle = ?").get(h);
+        const r = await dbOne("SELECT id FROM users WHERE handle = ?", [h]);
         return r ? r.id : null;
     };
     // 公开 reputation — 仅 level
-    app.get('/api/users/:id/reputation', (req, res) => {
+    app.get('/api/users/:id/reputation', async (req, res) => {
         let userId = req.params.id;
         if (userId === 'me') {
             const user = auth(req, res);
@@ -23,17 +25,17 @@ export function registerUsersPublicRoutes(app, deps) {
                 return;
             userId = user.id;
         }
-        const row = db.prepare(`
+        const row = await dbOne(`
       SELECT level, MAX(trust_score) as max_score
       FROM agent_reputation WHERE user_id = ?
       GROUP BY user_id
-    `).get(userId);
+    `, [userId]);
         if (!row)
             return void res.json({ user_id: userId, level: 'new' });
         res.json({ user_id: userId, level: row.level });
     });
     // PV 简报：组织图点击节点用
-    app.get('/api/users/:id/pv-summary', (req, res) => {
+    app.get('/api/users/:id/pv-summary', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
@@ -42,29 +44,29 @@ export function registerUsersPublicRoutes(app, deps) {
         if (/^usr_[A-Za-z0-9_]+$/.test(ref))
             targetId = ref;
         else if (/^[A-Z0-9]{6,7}$/i.test(ref) && !ref.startsWith('@')) {
-            const r = db.prepare("SELECT id FROM users WHERE permanent_code = ?").get(ref.toUpperCase());
+            const r = await dbOne("SELECT id FROM users WHERE permanent_code = ?", [ref.toUpperCase()]);
             if (r)
                 targetId = r.id;
         }
         if (!targetId)
             return void res.json({ error: 'user not found' });
-        const u = db.prepare(`
+        const u = await dbOne(`
       SELECT id, name, permanent_code, handle, total_left_pv, total_right_pv,
              placement_id, placement_side, placement_depth, left_child_id, right_child_id, created_at
       FROM users WHERE id = ?
-    `).get(targetId);
+    `, [targetId]);
         if (!u)
             return void res.json({ error: 'user not found' });
-        const placementName = u.placement_id ? db.prepare("SELECT name FROM users WHERE id = ?").get(u.placement_id)?.name : null;
-        const leftChildName = u.left_child_id ? db.prepare("SELECT name FROM users WHERE id = ?").get(u.left_child_id)?.name : null;
-        const rightChildName = u.right_child_id ? db.prepare("SELECT name FROM users WHERE id = ?").get(u.right_child_id)?.name : null;
-        const score = db.prepare(`
+        const placementName = u.placement_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [u.placement_id]))?.name : null;
+        const leftChildName = u.left_child_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [u.left_child_id]))?.name : null;
+        const rightChildName = u.right_child_id ? (await dbOne("SELECT name FROM users WHERE id = ?", [u.right_child_id]))?.name : null;
+        const score = (await dbOne(`
       SELECT
         COALESCE(SUM(CASE WHEN settled_at IS NULL THEN score ELSE 0 END),0) AS pending_score,
         COALESCE(SUM(CASE WHEN settled_at IS NOT NULL THEN waz_amount ELSE 0 END),0) AS settled_waz,
         COUNT(*) AS total_hits
       FROM binary_score_records WHERE user_id = ?
-    `).get(targetId);
+    `, [targetId]));
         const leftPv = Number(u.total_left_pv ?? 0);
         const rightPv = Number(u.total_right_pv ?? 0);
         const weak = Math.min(leftPv, rightPv);
@@ -86,25 +88,25 @@ export function registerUsersPublicRoutes(app, deps) {
         });
     });
     // 用户公开 shareables
-    app.get('/api/users/:id/shareables', (req, res) => {
+    app.get('/api/users/:id/shareables', async (req, res) => {
         const ref = String(req.params.id || '').trim();
         let ownerId = null;
         if (/^usr_[A-Za-z0-9_]+$/.test(ref))
             ownerId = ref;
         else if (/^[A-Z0-9]{6,7}$/i.test(ref) && !ref.startsWith('@')) {
-            const r = db.prepare("SELECT id FROM users WHERE permanent_code = ?").get(ref.toUpperCase());
+            const r = await dbOne("SELECT id FROM users WHERE permanent_code = ?", [ref.toUpperCase()]);
             if (r)
                 ownerId = r.id;
         }
         if (!ownerId) {
             const h = ref.replace(/^@/, '').toLowerCase();
-            const r = db.prepare("SELECT id FROM users WHERE handle = ?").get(h);
+            const r = await dbOne("SELECT id FROM users WHERE handle = ?", [h]);
             if (r)
                 ownerId = r.id;
         }
         if (!ownerId)
             return void res.status(404).json({ error: 'user not found' });
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT s.id, s.owner_id, s.owner_code, s.type, s.external_url, s.external_platform, s.external_video_id,
              s.thumbnail_url, s.title, s.description, s.related_product_id, s.related_anchor,
              s.related_order_id, s.photo_hashes,
@@ -114,68 +116,68 @@ export function registerUsersPublicRoutes(app, deps) {
       LEFT JOIN products p ON p.id = s.related_product_id
       WHERE s.owner_id = ? AND s.status = 'active'
       ORDER BY s.created_at DESC LIMIT 100
-    `).all(ownerId);
+    `, [ownerId]);
         for (const r of rows) {
             r.badges = noteAuthenticityBadges(r);
         }
         res.json({ shareables: rows });
     });
     // 用户在售二手（公开：available + reserved）
-    app.get('/api/users/:id/secondhand', (req, res) => {
-        const ownerId = resolveUserId(req.params.id);
+    app.get('/api/users/:id/secondhand', async (req, res) => {
+        const ownerId = await resolveUserId(req.params.id);
         if (!ownerId)
             return void res.status(404).json({ error: 'user not found' });
-        const items = db.prepare(`
+        const items = await dbAll(`
       SELECT id, title, price, condition_grade, images, status, category, created_at
       FROM secondhand_items
       WHERE seller_id = ? AND status IN ('available', 'reserved')
       ORDER BY created_at DESC LIMIT 50
-    `).all(ownerId);
+    `, [ownerId]);
         res.json({ items });
     });
     // 用户进行中拍卖（公开：open）
-    app.get('/api/users/:id/auctions', (req, res) => {
-        const ownerId = resolveUserId(req.params.id);
+    app.get('/api/users/:id/auctions', async (req, res) => {
+        const ownerId = await resolveUserId(req.params.id);
         if (!ownerId)
             return void res.status(404).json({ error: 'user not found' });
-        const items = db.prepare(`
+        const items = await dbAll(`
       SELECT id, title, current_price, starting_price, status, deadline_at, bid_count, category, created_at
       FROM auctions
       WHERE seller_id = ? AND status = 'open' AND deadline_at > datetime('now')
       ORDER BY deadline_at ASC LIMIT 50
-    `).all(ownerId);
+    `, [ownerId]);
         res.json({ items });
     });
     // 用户写的测评（公开：作为买家给出的评价）
-    app.get('/api/users/:id/reviews', (req, res) => {
-        const ownerId = resolveUserId(req.params.id);
+    app.get('/api/users/:id/reviews', async (req, res) => {
+        const ownerId = await resolveUserId(req.params.id);
         if (!ownerId)
             return void res.status(404).json({ error: 'user not found' });
-        const items = db.prepare(`
+        const items = await dbAll(`
       SELECT r.order_id, r.product_id, r.stars, r.comment, r.reply, r.created_at,
              p.title AS product_title, p.images AS product_images
       FROM order_ratings r
       LEFT JOIN products p ON p.id = r.product_id
       WHERE r.buyer_id = ? AND (r.hidden_until IS NULL OR r.hidden_until <= datetime('now'))
       ORDER BY r.created_at DESC LIMIT 50
-    `).all(ownerId);
+    `, [ownerId]);
         res.json({ items });
     });
     // 用户在售商品（公开：卖家 active 商品）
-    app.get('/api/users/:id/products', (req, res) => {
-        const ownerId = resolveUserId(req.params.id);
+    app.get('/api/users/:id/products', async (req, res) => {
+        const ownerId = await resolveUserId(req.params.id);
         if (!ownerId)
             return void res.status(404).json({ error: 'user not found' });
-        const items = db.prepare(`
+        const items = await dbAll(`
       SELECT id, title, price, images, category, completion_count, total_likes, created_at
       FROM products
       WHERE seller_id = ? AND status = 'active' AND stock > 0
       ORDER BY completion_count DESC, created_at DESC LIMIT 50
-    `).all(ownerId);
+    `, [ownerId]);
         res.json({ items });
     });
     // 用户赞过的 shareables（仅 owner 可见）
-    app.get('/api/users/:id/liked-shareables', (req, res) => {
+    app.get('/api/users/:id/liked-shareables', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
@@ -185,7 +187,7 @@ export function registerUsersPublicRoutes(app, deps) {
             ownerId = me.id;
         if (!ownerId)
             return void res.status(403).json({ error: 'only owner can view liked list' });
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT s.id, s.owner_id, s.owner_code, s.type, s.external_url, s.external_platform,
              s.thumbnail_url, s.title, s.description, s.photo_hashes, s.related_product_id, s.related_anchor,
              s.click_count, s.like_count, s.created_at,
@@ -196,7 +198,7 @@ export function registerUsersPublicRoutes(app, deps) {
       LEFT JOIN products p ON p.id = s.related_product_id
       WHERE l.user_id = ? AND s.status = 'active'
       ORDER BY l.created_at DESC LIMIT 100
-    `).all(ownerId);
+    `, [ownerId]);
         for (const r of rows) {
             if (typeof r.photo_hashes === 'string') {
                 try {
@@ -210,20 +212,20 @@ export function registerUsersPublicRoutes(app, deps) {
         res.json({ shareables: rows });
     });
     // 公开卡（未登录可调，分享 banner 用）
-    app.get('/api/users/:id/public-card', (req, res) => {
+    app.get('/api/users/:id/public-card', async (req, res) => {
         const ref = String(req.params.id || '').trim();
         const cols = "id, name, bio, search_anchor, created_at, permanent_code, handle";
         const filter = " AND id != 'sys_protocol'";
         let row;
         if (/^usr_[A-Za-z0-9_]+$/.test(ref)) {
-            row = db.prepare(`SELECT ${cols} FROM users WHERE id = ?${filter}`).get(ref);
+            row = await dbOne(`SELECT ${cols} FROM users WHERE id = ?${filter}`, [ref]);
         }
         if (!row && /^[A-Z0-9]{6,7}$/.test(ref.toUpperCase()) && !ref.startsWith('@')) {
-            row = db.prepare(`SELECT ${cols} FROM users WHERE permanent_code = ?${filter}`).get(ref.toUpperCase());
+            row = await dbOne(`SELECT ${cols} FROM users WHERE permanent_code = ?${filter}`, [ref.toUpperCase()]);
         }
         if (!row) {
             const h = ref.replace(/^@/, '').toLowerCase();
-            row = db.prepare(`SELECT ${cols} FROM users WHERE handle = ?${filter}`).get(h);
+            row = await dbOne(`SELECT ${cols} FROM users WHERE handle = ?${filter}`, [h]);
         }
         if (!row)
             return void res.status(404).json({ error: 'not_found' });
@@ -240,7 +242,7 @@ export function registerUsersPublicRoutes(app, deps) {
         });
     });
     // 公开用户主页 + D2 信誉徽章墙
-    app.get('/api/users/:user_id', (req, res) => {
+    app.get('/api/users/:user_id', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
@@ -248,30 +250,30 @@ export function registerUsersPublicRoutes(app, deps) {
         const cols = "id, name, role, region, bio, search_anchor, created_at, reputation, COALESCE(feed_visible, 1) as feed_visible";
         let target;
         if (/^usr_[A-Za-z0-9_]+$/.test(ref)) {
-            target = db.prepare(`SELECT ${cols} FROM users WHERE id = ? AND id != 'sys_protocol'`).get(ref);
+            target = await dbOne(`SELECT ${cols} FROM users WHERE id = ? AND id != 'sys_protocol'`, [ref]);
         }
         else if (/^[A-Z0-9]{6,7}$/.test(ref) && !ref.startsWith('@')) {
-            target = db.prepare(`SELECT ${cols} FROM users WHERE permanent_code = ? AND id != 'sys_protocol'`).get(ref.toUpperCase());
+            target = await dbOne(`SELECT ${cols} FROM users WHERE permanent_code = ? AND id != 'sys_protocol'`, [ref.toUpperCase()]);
         }
         if (!target) {
             const h = ref.replace(/^@/, '').toLowerCase();
-            target = db.prepare(`SELECT ${cols} FROM users WHERE handle = ? AND id != 'sys_protocol'`).get(h);
+            target = await dbOne(`SELECT ${cols} FROM users WHERE handle = ? AND id != 'sys_protocol'`, [h]);
         }
         if (!target)
             return void res.status(404).json({ error: '用户不存在' });
-        const followers = db.prepare("SELECT COUNT(*) as n FROM follows WHERE followee_id = ?").get(target.id).n;
-        const following = db.prepare("SELECT COUNT(*) as n FROM follows WHERE follower_id = ?").get(target.id).n;
-        const isFollowing = !!db.prepare("SELECT 1 FROM follows WHERE follower_id = ? AND followee_id = ?").get(me.id, target.id);
-        const purchaseCount = db.prepare("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'").get(target.id).n;
-        const salesCount = db.prepare("SELECT COUNT(*) as n FROM orders WHERE seller_id = ? AND status = 'completed'").get(target.id).n;
-        const likesReceived = db.prepare("SELECT COALESCE(SUM(like_count), 0) as n FROM shareables WHERE owner_id = ? AND status = 'active'").get(target.id).n;
+        const followers = (await dbOne("SELECT COUNT(*) as n FROM follows WHERE followee_id = ?", [target.id])).n;
+        const following = (await dbOne("SELECT COUNT(*) as n FROM follows WHERE follower_id = ?", [target.id])).n;
+        const isFollowing = !!(await dbOne("SELECT 1 FROM follows WHERE follower_id = ? AND followee_id = ?", [me.id, target.id]));
+        const purchaseCount = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [target.id])).n;
+        const salesCount = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE seller_id = ? AND status = 'completed'", [target.id])).n;
+        const likesReceived = (await dbOne("SELECT COALESCE(SUM(like_count), 0) as n FROM shareables WHERE owner_id = ? AND status = 'active'", [target.id])).n;
         // 主人视角加私有统计
         const isOwner = me.id === target.id;
         let privateStats = null;
         if (isOwner) {
-            const w = db.prepare('SELECT balance, earned FROM wallets WHERE user_id = ?').get(me.id);
-            const pv = db.prepare("SELECT total_left_pv, total_right_pv FROM users WHERE id = ?").get(me.id);
-            const score = db.prepare("SELECT COALESCE(SUM(score),0) as s FROM binary_score_records WHERE user_id = ? AND settled_at IS NULL").get(me.id).s;
+            const w = await dbOne('SELECT balance, earned FROM wallets WHERE user_id = ?', [me.id]);
+            const pv = await dbOne("SELECT total_left_pv, total_right_pv FROM users WHERE id = ?", [me.id]);
+            const score = (await dbOne("SELECT COALESCE(SUM(score),0) as s FROM binary_score_records WHERE user_id = ? AND settled_at IS NULL", [me.id])).s;
             privateStats = {
                 wallet_balance: Number(w?.balance ?? 0),
                 wallet_earned: Number(w?.earned ?? 0),
@@ -288,14 +290,14 @@ export function registerUsersPublicRoutes(app, deps) {
                     rep >= 30 ? { tier: 2, label: '可靠', emoji: '✓', color: '#16a34a' } :
                         { tier: 1, label: '新手', emoji: '🌱', color: '#9ca3af' };
         // Agent trust band（P1.2 隐私：trust_score 仅 owner 看，他人仅 level）
-        const agentRow = db.prepare(`SELECT level, MAX(trust_score) as score FROM agent_reputation WHERE user_id = ? GROUP BY user_id`).get(target.id);
+        const agentRow = await dbOne(`SELECT level, MAX(trust_score) as score FROM agent_reputation WHERE user_id = ? GROUP BY user_id`, [target.id]);
         const agentBand = agentRow ? (isOwner
             ? { level: agentRow.level, score: Math.round(agentRow.score || 0) }
             : { level: agentRow.level }) : null;
-        const charity = db.prepare(`SELECT prestige_score, badge_tier, wishes_fulfilled, wishes_made FROM charity_reputation WHERE user_id = ?`).get(target.id);
+        const charity = await dbOne(`SELECT prestige_score, badge_tier, wishes_fulfilled, wishes_made FROM charity_reputation WHERE user_id = ?`, [target.id]);
         let verifier;
         try {
-            verifier = db.prepare(`SELECT tier FROM verifier_whitelist WHERE user_id = ?`).get(target.id);
+            verifier = await dbOne(`SELECT tier FROM verifier_whitelist WHERE user_id = ?`, [target.id]);
         }
         catch { }
         res.json({

package/dist/pwa/routes/variants.js

@@ -1,3 +1,4 @@
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 /** options → canonical key（sort + join）— 防同规格组合两次入库 */
 function canonicalOptionsKey(options) {
     return Object.keys(options).sort().map(k => `${k}=${String(options[k])}`).join('|');
@@ -5,13 +6,13 @@ function canonicalOptionsKey(options) {
 export function registerVariantsRoutes(app, deps) {
     const { db, generateId, auth } = deps;
     // 公开列出（含 buyer 下单页查可选项）
-    app.get('/api/products/:product_id/variants', (req, res) => {
-        const rows = db.prepare(`
+    app.get('/api/products/:product_id/variants', async (req, res) => {
+        const rows = await dbAll(`
       SELECT id, sku, options_json, price_override, stock, images_json, is_active, created_at
       FROM product_variants
       WHERE product_id = ? AND is_active = 1
       ORDER BY created_at ASC LIMIT 100
-    `).all(req.params.product_id);
+    `, [req.params.product_id]);
         const items = rows.map(r => {
             let options = {};
             let images = [];
@@ -28,11 +29,11 @@ export function registerVariantsRoutes(app, deps) {
         });
         res.json({ items });
     });
-    app.post('/api/products/:product_id/variants', (req, res) => {
+    app.post('/api/products/:product_id/variants', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const p = db.prepare('SELECT id, seller_id FROM products WHERE id = ?').get(req.params.product_id);
+        const p = await dbOne('SELECT id, seller_id FROM products WHERE id = ?', [req.params.product_id]);
         if (!p)
             return void res.status(404).json({ error: '商品不存在' });
         if (p.seller_id !== user.id)
@@ -46,8 +47,7 @@ export function registerVariantsRoutes(app, deps) {
         if (priceN != null && (priceN <= 0 || priceN > 1_000_000))
             return void res.status(400).json({ error: 'price_override 无效' });
         const optKey = canonicalOptionsKey(options);
-        const dup = db.prepare(`SELECT id FROM product_variants WHERE product_id = ? AND options_key = ? AND is_active = 1`)
-            .get(req.params.product_id, optKey);
+        const dup = await dbOne(`SELECT id FROM product_variants WHERE product_id = ? AND options_key = ? AND is_active = 1`, [req.params.product_id, optKey]);
         if (dup)
             return void res.status(409).json({ error: '该规格组合已存在', existing_id: dup.id });
         const id = generateId('pv');
@@ -66,11 +66,11 @@ export function registerVariantsRoutes(app, deps) {
         })();
         res.json({ success: true, id });
     });
-    app.patch('/api/products/:product_id/variants/:variant_id', (req, res) => {
+    app.patch('/api/products/:product_id/variants/:variant_id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const v = db.prepare(`SELECT v.*, p.seller_id FROM product_variants v JOIN products p ON p.id = v.product_id WHERE v.id = ? AND v.product_id = ?`).get(req.params.variant_id, req.params.product_id);
+        const v = await dbOne(`SELECT v.*, p.seller_id FROM product_variants v JOIN products p ON p.id = v.product_id WHERE v.id = ? AND v.product_id = ?`, [req.params.variant_id, req.params.product_id]);
         if (!v)
             return void res.status(404).json({ error: 'variant 不存在' });
         if (v.seller_id !== user.id)
@@ -87,8 +87,7 @@ export function registerVariantsRoutes(app, deps) {
                 return void res.status(400).json({ error: 'options 不能为空' });
             }
             const newKey = canonicalOptionsKey(options);
-            const dup = db.prepare(`SELECT id FROM product_variants WHERE product_id = ? AND options_key = ? AND id != ? AND is_active = 1`)
-                .get(req.params.product_id, newKey, req.params.variant_id);
+            const dup = await dbOne(`SELECT id FROM product_variants WHERE product_id = ? AND options_key = ? AND id != ? AND is_active = 1`, [req.params.product_id, newKey, req.params.variant_id]);
             if (dup)
                 return void res.status(409).json({ error: '该规格组合已存在', existing_id: dup.id });
             sets.push('options_json = ?');
@@ -129,11 +128,11 @@ export function registerVariantsRoutes(app, deps) {
         })();
         res.json({ success: true });
     });
-    app.delete('/api/products/:product_id/variants/:variant_id', (req, res) => {
+    app.delete('/api/products/:product_id/variants/:variant_id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const v = db.prepare(`SELECT v.id, v.stock, p.seller_id FROM product_variants v JOIN products p ON p.id = v.product_id WHERE v.id = ? AND v.product_id = ?`).get(req.params.variant_id, req.params.product_id);
+        const v = await dbOne(`SELECT v.id, v.stock, p.seller_id FROM product_variants v JOIN products p ON p.id = v.product_id WHERE v.id = ? AND v.product_id = ?`, [req.params.variant_id, req.params.product_id]);
         if (!v)
             return void res.status(404).json({ error: 'variant 不存在' });
         if (v.seller_id !== user.id)

package/dist/pwa/routes/verifier-user.js

@@ -1,4 +1,7 @@
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam (dbRun: appeal single-write)
 export function registerVerifierUserRoutes(app, deps) {
+    // 只读/单写站点走 RFC-016 异步 seam;db 保留:apply/withdraw 是 stake 资金路径,
+    // 状态翻转 + 钱包扣/退必须原子(db.transaction + CAS),Phase 3 迁 pg 行锁。
     const { db, generateId, auth, errorRes, checkVerifierEligibility, getVerifierState, resetDailyQuotaIfNeeded, TIER_QUOTAS, VERIFIER_STAKE_REQUIRED, APP_REJECT_COOLDOWN_DAYS, } = deps;
     app.get('/api/verifier/eligibility', (req, res) => {
         const user = auth(req, res);
@@ -26,7 +29,7 @@ export function registerVerifierUserRoutes(app, deps) {
             stake_amount: Number(wl?.stake_amount ?? 0),
         });
     });
-    app.post('/api/verifier/apply', (req, res) => {
+    app.post('/api/verifier/apply', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -35,14 +38,14 @@ export function registerVerifierUserRoutes(app, deps) {
         if (user.role !== 'buyer') {
             return void errorRes(res, 403, 'ROLE_NOT_BUYER', '外部审核员仅 buyer 角色可申请（卖家 / 受信角色请联系管理员）');
         }
-        const wl = db.prepare("SELECT 1 FROM verifier_whitelist WHERE user_id = ?").get(userId);
+        const wl = await dbOne("SELECT 1 FROM verifier_whitelist WHERE user_id = ?", [userId]);
         if (wl)
             return void res.json({ error: '你已经是审核员，无需重新申请' });
-        const pending = db.prepare("SELECT 1 FROM verifier_applications WHERE user_id = ? AND status = 'pending'").get(userId);
+        const pending = await dbOne("SELECT 1 FROM verifier_applications WHERE user_id = ? AND status = 'pending'", [userId]);
         if (pending)
             return void res.json({ error: '你已有待审申请' });
         // 30d 拒绝冷却
-        const lastReject = db.prepare("SELECT reviewed_at FROM verifier_applications WHERE user_id = ? AND status = 'rejected' ORDER BY reviewed_at DESC LIMIT 1").get(userId);
+        const lastReject = await dbOne("SELECT reviewed_at FROM verifier_applications WHERE user_id = ? AND status = 'rejected' ORDER BY reviewed_at DESC LIMIT 1", [userId]);
         if (lastReject?.reviewed_at) {
             const cooldownEnd = new Date(new Date(lastReject.reviewed_at).getTime() + APP_REJECT_COOLDOWN_DAYS * 86400_000);
             if (cooldownEnd > new Date()) {
@@ -53,34 +56,72 @@ export function registerVerifierUserRoutes(app, deps) {
         if (!elig.eligible) {
             return void res.json({ error: '信誉指标未达标', eligibility: elig });
         }
+        // 友好预检查(读):真正的守恒门在事务内(WHERE balance >= stake)。
         if (VERIFIER_STAKE_REQUIRED > 0) {
-            const wallet = db.prepare("SELECT balance, staked FROM wallets WHERE user_id = ?").get(userId);
+            const wallet = await dbOne("SELECT balance FROM wallets WHERE user_id = ?", [userId]);
             if (!wallet || wallet.balance < VERIFIER_STAKE_REQUIRED) {
                 return void res.json({ error: `质押需 ${VERIFIER_STAKE_REQUIRED} WAZ，钱包余额不足` });
             }
-            db.prepare("UPDATE wallets SET balance = balance - ?, staked = staked + ? WHERE user_id = ?")
-                .run(VERIFIER_STAKE_REQUIRED, VERIFIER_STAKE_REQUIRED, userId);
         }
-        db.prepare(`INSERT INTO verifier_applications (id, user_id, status, snapshot) VALUES (?,?,?,?)`)
-            .run(generateId('vapp'), userId, 'pending', JSON.stringify(elig.items));
+        const appId = generateId('vapp');
+        // stake 原子段:重检 whitelist/pending(防并发双申请双质押)+ 钱包扣减(守恒 guard)+ INSERT 申请
+        try {
+            db.transaction(() => {
+                if (db.prepare("SELECT 1 FROM verifier_whitelist WHERE user_id = ?").get(userId))
+                    throw new Error('VER_ALREADY');
+                if (db.prepare("SELECT 1 FROM verifier_applications WHERE user_id = ? AND status = 'pending'").get(userId))
+                    throw new Error('VER_PENDING');
+                if (VERIFIER_STAKE_REQUIRED > 0) {
+                    const debit = db.prepare("UPDATE wallets SET balance = balance - ?, staked = staked + ? WHERE user_id = ? AND balance >= ?")
+                        .run(VERIFIER_STAKE_REQUIRED, VERIFIER_STAKE_REQUIRED, userId, VERIFIER_STAKE_REQUIRED);
+                    if (debit.changes === 0)
+                        throw new Error('VER_INSUFFICIENT');
+                }
+                db.prepare(`INSERT INTO verifier_applications (id, user_id, status, snapshot) VALUES (?,?,?,?)`)
+                    .run(appId, userId, 'pending', JSON.stringify(elig.items));
+            })();
+        }
+        catch (e) {
+            const msg = e.message;
+            if (msg === 'VER_ALREADY')
+                return void res.json({ error: '你已经是审核员，无需重新申请' });
+            if (msg === 'VER_PENDING')
+                return void res.json({ error: '你已有待审申请' });
+            if (msg === 'VER_INSUFFICIENT')
+                return void res.json({ error: `质押需 ${VERIFIER_STAKE_REQUIRED} WAZ，钱包余额不足` });
+            console.error('[verifier apply tx]', msg);
+            return void res.status(500).json({ error: '申请失败,请重试' });
+        }
         res.json({ success: true, stake_locked: VERIFIER_STAKE_REQUIRED });
     });
-    app.post('/api/verifier/withdraw-application', (req, res) => {
+    app.post('/api/verifier/withdraw-application', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const userId = user.id;
-        const pending = db.prepare("SELECT id FROM verifier_applications WHERE user_id = ? AND status = 'pending' LIMIT 1").get(userId);
+        const pending = await dbOne("SELECT id FROM verifier_applications WHERE user_id = ? AND status = 'pending' LIMIT 1", [userId]);
         if (!pending)
             return void res.json({ error: '没有待审申请' });
-        db.prepare("UPDATE verifier_applications SET status = 'withdrawn', reviewed_at = datetime('now') WHERE id = ?").run(pending.id);
-        if (VERIFIER_STAKE_REQUIRED > 0) {
-            db.prepare("UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?")
-                .run(VERIFIER_STAKE_REQUIRED, VERIFIER_STAKE_REQUIRED, userId);
+        // 原子段:CAS 翻转 pending→withdrawn(防并发/admin 抢跑双退)+ 退质押仅在本请求真翻转时
+        try {
+            db.transaction(() => {
+                const cas = db.prepare("UPDATE verifier_applications SET status = 'withdrawn', reviewed_at = datetime('now') WHERE id = ? AND status = 'pending'").run(pending.id);
+                if (cas.changes === 0)
+                    throw new Error('VER_RACE');
+                if (VERIFIER_STAKE_REQUIRED > 0) {
+                    db.prepare("UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?").run(VERIFIER_STAKE_REQUIRED, VERIFIER_STAKE_REQUIRED, userId);
+                }
+            })();
+        }
+        catch (e) {
+            if (e.message === 'VER_RACE')
+                return void res.status(409).json({ error: '申请状态已变化,请刷新' });
+            console.error('[verifier withdraw tx]', e.message);
+            return void res.status(500).json({ error: '撤回失败,请重试' });
         }
         res.json({ success: true });
     });
-    app.post('/api/verifier/appeal', (req, res) => {
+    app.post('/api/verifier/appeal', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -90,18 +131,17 @@ export function registerVerifierUserRoutes(app, deps) {
         if (reason.length > 500)
             return void res.json({ error: '申诉理由过长（>500 字）' });
         // 必须当前 suspended
-        const stats = db.prepare("SELECT suspended_until FROM verifier_stats WHERE user_id = ?").get(user.id);
+        const stats = await dbOne("SELECT suspended_until FROM verifier_stats WHERE user_id = ?", [user.id]);
         if (!stats?.suspended_until || new Date(stats.suspended_until).getTime() <= Date.now()) {
             return void res.json({ error: '当前未处于暂停状态，无需申诉' });
         }
         // 近 30 天有申诉过即重复
-        const recent = db.prepare(`SELECT 1 FROM verifier_appeals WHERE user_id = ? AND created_at > datetime('now','-30 day')`).get(user.id);
+        const recent = await dbOne(`SELECT 1 FROM verifier_appeals WHERE user_id = ? AND created_at > datetime('now','-30 day')`, [user.id]);
         if (recent)
             return void res.json({ error: '近期已申诉过，每次处罚只能申诉一次' });
         const evidenceArr = Array.isArray(evidence_urls) ? evidence_urls.slice(0, 3) : [];
-        db.prepare(`INSERT INTO verifier_appeals (id, user_id, task_id, submission_id, reason, evidence_urls)
-                VALUES (?,?,?,?,?,?)`)
-            .run(generateId('vapl'), user.id, task_id || null, submission_id || null, reason.trim(), JSON.stringify(evidenceArr));
+        await dbRun(`INSERT INTO verifier_appeals (id, user_id, task_id, submission_id, reason, evidence_urls)
+                VALUES (?,?,?,?,?,?)`, [generateId('vapl'), user.id, task_id || null, submission_id || null, reason.trim(), JSON.stringify(evidenceArr)]);
         res.json({ success: true });
     });
 }