@seasonkoh/webaz 0.1.24 → 0.1.26

package/dist/pwa/routes/admin-admins.js

@@ -1,17 +1,18 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAdminAdminsRoutes(app, deps) {
     const { db, generateId, requireAdmin, requireRootAdmin, isRootAdmin, getAdminPermissions, ADMIN_PERMISSIONS } = deps;
     // GET 全部 admin 列表
-    app.get('/api/admin/admins', (req, res) => {
+    app.get('/api/admin/admins', async (req, res) => {
         const me = requireAdmin(req, res);
         if (!me)
             return;
-        const items = db.prepare(`
+        const items = await dbAll(`
       SELECT id, name, handle, role, admin_type, admin_scope, admin_permissions, email, created_at,
              (SELECT MAX(created_at) FROM admin_audit_log WHERE admin_id = users.id) AS last_action_at
       FROM users
       WHERE role = 'admin' OR (roles IS NOT NULL AND roles LIKE '%admin%')
       ORDER BY admin_type DESC, created_at ASC
-    `).all();
+    `, []);
         // 普通 admin 视角下 email 脱敏
         const masked = items.map((u) => {
             const enriched = { ...u, admin_permissions: u.admin_type === 'root' ? ['all'] : (() => { try {
@@ -31,7 +32,7 @@ export function registerAdminAdminsRoutes(app, deps) {
         });
     });
     // POST 创建 admin（仅 root）
-    app.post('/api/admin/admins', (req, res) => {
+    app.post('/api/admin/admins', async (req, res) => {
         const root = requireRootAdmin(req, res);
         if (!root)
             return;
@@ -60,7 +61,7 @@ export function registerAdminAdminsRoutes(app, deps) {
             return void res.json({ error: 'admin_type 无效' });
         if (!['global', 'china', 'us', 'eu', 'india', 'singapore', 'global_north'].includes(adminScope))
             return void res.json({ error: 'admin_scope 无效' });
-        const target = db.prepare(`SELECT id, role, roles, admin_type FROM users WHERE id = ?`).get(targetUserId);
+        const target = await dbOne(`SELECT id, role, roles, admin_type FROM users WHERE id = ?`, [targetUserId]);
         if (!target)
             return void res.json({ error: '用户不存在' });
         if (target.admin_type)
@@ -87,7 +88,7 @@ export function registerAdminAdminsRoutes(app, deps) {
         res.json({ ok: true, user_id: targetUserId, admin_type: adminType, admin_scope: adminScope, admin_permissions: adminPerms });
     });
     // PATCH 更新权限（root only）
-    app.patch('/api/admin/admins/:id/permissions', (req, res) => {
+    app.patch('/api/admin/admins/:id/permissions', async (req, res) => {
         const root = requireRootAdmin(req, res);
         if (!root)
             return;
@@ -102,33 +103,31 @@ export function registerAdminAdminsRoutes(app, deps) {
         for (const p of adminPerms)
             if (!validPerms.has(p))
                 return void res.json({ error: `权限 "${p}" 无效` });
-        const target = db.prepare(`SELECT id, admin_type FROM users WHERE id = ?`).get(targetId);
+        const target = await dbOne(`SELECT id, admin_type FROM users WHERE id = ?`, [targetId]);
         if (!target?.admin_type)
             return void res.json({ error: '该用户不是 admin' });
         if (target.admin_type === 'root')
             return void res.json({ error: 'root admin 权限不可手动调整（永远是 all）' });
         if (adminPerms.length === 0)
             return void res.json({ error: '至少保留一项权限' });
-        db.prepare(`UPDATE users SET admin_permissions = ?${adminScope ? ', admin_scope = ?' : ''} WHERE id = ?`)
-            .run(JSON.stringify(adminPerms), ...(adminScope ? [adminScope, targetId] : [targetId]));
-        db.prepare(`INSERT INTO admin_audit_log (id, admin_id, action, target_type, target_id, detail) VALUES (?,?,?,?,?,?)`)
-            .run(generateId('audit'), root.id, 'admin_update_perms', 'user', targetId, JSON.stringify({ admin_permissions: adminPerms, admin_scope: adminScope }));
+        await dbRun(`UPDATE users SET admin_permissions = ?${adminScope ? ', admin_scope = ?' : ''} WHERE id = ?`, [JSON.stringify(adminPerms), ...(adminScope ? [adminScope, targetId] : [targetId])]);
+        await dbRun(`INSERT INTO admin_audit_log (id, admin_id, action, target_type, target_id, detail) VALUES (?,?,?,?,?,?)`, [generateId('audit'), root.id, 'admin_update_perms', 'user', targetId, JSON.stringify({ admin_permissions: adminPerms, admin_scope: adminScope })]);
         res.json({ ok: true, admin_permissions: adminPerms, admin_scope: adminScope });
     });
     // DELETE 撤销 admin（root only；不能撤自己；至少保留 1 个 root）
-    app.delete('/api/admin/admins/:id', (req, res) => {
+    app.delete('/api/admin/admins/:id', async (req, res) => {
         const root = requireRootAdmin(req, res);
         if (!root)
             return;
         const targetId = req.params.id;
         if (targetId === root.id)
             return void res.json({ error: '不能撤销自己' });
-        const target = db.prepare(`SELECT id, name, admin_type FROM users WHERE id = ?`).get(targetId);
+        const target = await dbOne(`SELECT id, name, admin_type FROM users WHERE id = ?`, [targetId]);
         if (!target || !target.admin_type)
             return void res.json({ error: '该用户不是 admin' });
         // 保护：至少保留 1 个 root
         if (target.admin_type === 'root') {
-            const rootCount = db.prepare(`SELECT COUNT(1) as n FROM users WHERE admin_type = 'root'`).get().n;
+            const rootCount = (await dbOne(`SELECT COUNT(1) as n FROM users WHERE admin_type = 'root'`, [])).n;
             if (rootCount <= 1)
                 return void res.json({ error: '至少保留 1 个 root admin，不可撤销最后一个' });
         }

package/dist/pwa/routes/admin-analytics.js

@@ -1,36 +1,38 @@
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAdminAnalyticsRoutes(app, deps) {
-    const { db, adminAuth, requireAdmin, requireRootAdmin, getProtocolParam, INTERNAL_AUDITOR_ID } = deps;
-    app.get('/api/admin/usage', (req, res) => {
+    // db 已全量走 RFC-016 异步 seam(dbOne/dbAll),不再直接用 deps.db
+    const { adminAuth, requireAdmin, requireRootAdmin, getProtocolParam, INTERNAL_AUDITOR_ID } = deps;
+    app.get('/api/admin/usage', async (req, res) => {
         if (!adminAuth(req, res))
             return;
-        const total = db.prepare(`SELECT COUNT(*) as n FROM mcp_tool_calls`).get();
-        const total24h = db.prepare(`SELECT COUNT(*) as n FROM mcp_tool_calls WHERE ts > datetime('now','-1 day')`).get();
-        const total7d = db.prepare(`SELECT COUNT(*) as n FROM mcp_tool_calls WHERE ts > datetime('now','-7 day')`).get();
-        const totalUsers = db.prepare(`SELECT COUNT(DISTINCT user_id_hash) as n FROM mcp_tool_calls WHERE user_id_hash IS NOT NULL`).get();
-        const wau7d = db.prepare(`SELECT COUNT(DISTINCT user_id_hash) as n FROM mcp_tool_calls WHERE user_id_hash IS NOT NULL AND ts > datetime('now','-7 day')`).get();
-        const dau24h = db.prepare(`SELECT COUNT(DISTINCT user_id_hash) as n FROM mcp_tool_calls WHERE user_id_hash IS NOT NULL AND ts > datetime('now','-1 day')`).get();
-        const byTool = db.prepare(`
+        const total = (await dbOne(`SELECT COUNT(*) as n FROM mcp_tool_calls`));
+        const total24h = (await dbOne(`SELECT COUNT(*) as n FROM mcp_tool_calls WHERE ts > datetime('now','-1 day')`));
+        const total7d = (await dbOne(`SELECT COUNT(*) as n FROM mcp_tool_calls WHERE ts > datetime('now','-7 day')`));
+        const totalUsers = (await dbOne(`SELECT COUNT(DISTINCT user_id_hash) as n FROM mcp_tool_calls WHERE user_id_hash IS NOT NULL`));
+        const wau7d = (await dbOne(`SELECT COUNT(DISTINCT user_id_hash) as n FROM mcp_tool_calls WHERE user_id_hash IS NOT NULL AND ts > datetime('now','-7 day')`));
+        const dau24h = (await dbOne(`SELECT COUNT(DISTINCT user_id_hash) as n FROM mcp_tool_calls WHERE user_id_hash IS NOT NULL AND ts > datetime('now','-1 day')`));
+        const byTool = await dbAll(`
       SELECT tool_name,
              COUNT(*) AS calls,
              SUM(CASE WHEN outcome='error' THEN 1 ELSE 0 END) AS errors,
              ROUND(AVG(latency_ms), 0) AS avg_latency_ms
       FROM mcp_tool_calls WHERE ts > datetime('now','-7 day')
       GROUP BY tool_name ORDER BY calls DESC
-    `).all();
-        const byDay = db.prepare(`
+    `);
+        const byDay = await dbAll(`
       SELECT substr(ts, 1, 10) AS day,
              COUNT(*) AS calls,
              COUNT(DISTINCT user_id_hash) AS distinct_users
       FROM mcp_tool_calls WHERE ts > datetime('now','-14 day')
       GROUP BY day ORDER BY day
-    `).all();
-        const byVersion = db.prepare(`
+    `);
+        const byVersion = await dbAll(`
       SELECT server_version,
              COUNT(*) AS calls,
              COUNT(DISTINCT user_id_hash) AS distinct_users
       FROM mcp_tool_calls WHERE ts > datetime('now','-7 day')
       GROUP BY server_version ORDER BY calls DESC
-    `).all();
+    `);
         res.json({
             summary: {
                 total_calls: total.n,
@@ -45,24 +47,23 @@ export function registerAdminAnalyticsRoutes(app, deps) {
             by_version_7d: byVersion,
         });
     });
-    app.get('/api/admin/auditor', (req, res) => {
+    app.get('/api/admin/auditor', async (req, res) => {
         const user = requireRootAdmin(req, res);
         if (!user)
             return;
-        const auditor = db.prepare('SELECT id, name, api_key, created_at FROM users WHERE id = ?')
-            .get(INTERNAL_AUDITOR_ID);
+        const auditor = await dbOne('SELECT id, name, api_key, created_at FROM users WHERE id = ?', [INTERNAL_AUDITOR_ID]);
         if (!auditor)
             return void res.json({ error: '内部审核账号未初始化' });
         res.json({ id: auditor.id, name: auditor.name, api_key: auditor.api_key });
     });
-    app.get('/api/admin/finance/monthly', (req, res) => {
+    app.get('/api/admin/finance/monthly', async (req, res) => {
         const admin = requireAdmin(req, res);
         if (!admin)
             return;
         const months = Math.max(3, Math.min(24, Number(req.query.months) || 12));
         const feeShop = getProtocolParam('protocol_fee_rate_shop', 0.02);
         const feeSecondhand = getProtocolParam('protocol_fee_rate_secondhand', 0.01);
-        const orderRows = db.prepare(`
+        const orderRows = await dbAll(`
       SELECT strftime('%Y-%m', created_at) as ym,
              COALESCE(SUM(CASE WHEN source = 'secondhand' THEN total_amount * ? ELSE total_amount * ? END), 0) as fee,
              COALESCE(SUM(total_amount), 0) as gmv,
@@ -71,13 +72,13 @@ export function registerAdminAnalyticsRoutes(app, deps) {
       WHERE status = 'completed'
         AND created_at > datetime('now', '-' || ? || ' months')
       GROUP BY ym ORDER BY ym DESC
-    `).all(feeSecondhand, feeShop, months);
-        const rewardRows = db.prepare(`
+    `, [feeSecondhand, feeShop, months]);
+        const rewardRows = await dbAll(`
       SELECT strftime('%Y-%m', created_at) as ym, COALESCE(SUM(amount), 0) as rewards, COUNT(*) as count
       FROM platform_reward_log
       WHERE created_at > datetime('now', '-' || ? || ' months')
       GROUP BY ym ORDER BY ym DESC
-    `).all(months);
+    `, [months]);
         const byMonth = new Map();
         for (const o of orderRows)
             byMonth.set(o.ym, { ym: o.ym, fee: o.fee, gmv: o.gmv, orders: o.orders_count, rewards: 0, reward_count: 0 });
@@ -94,7 +95,7 @@ export function registerAdminAnalyticsRoutes(app, deps) {
         const totalFee = rows.reduce((s, r) => s + r.fee, 0);
         const totalRewards = rows.reduce((s, r) => s + r.rewards, 0);
         const totalGmv = rows.reduce((s, r) => s + r.gmv, 0);
-        const sysWallet = db.prepare("SELECT balance FROM wallets WHERE user_id = 'sys_protocol'").get();
+        const sysWallet = await dbOne("SELECT balance FROM wallets WHERE user_id = 'sys_protocol'");
         res.json({
             months,
             fee_rate_shop: feeShop,
@@ -109,23 +110,23 @@ export function registerAdminAnalyticsRoutes(app, deps) {
             },
         });
     });
-    app.get('/api/admin/protocol-kpi', (req, res) => {
+    app.get('/api/admin/protocol-kpi', async (req, res) => {
         const admin = requireAdmin(req, res);
         if (!admin)
             return;
-        const windowCounts = (label, days) => {
+        const windowCounts = async (label, days) => {
             const t = `datetime('now','-${days} days')`;
-            const orders = db.prepare(`SELECT COUNT(*) as n, COALESCE(SUM(total_amount),0) as gmv FROM orders WHERE created_at > ${t}`).get();
-            const completed = db.prepare(`SELECT COUNT(*) as n FROM orders WHERE status='completed' AND created_at > ${t}`).get().n;
-            const disputes = db.prepare(`SELECT COUNT(*) as n FROM disputes WHERE created_at > ${t}`).get().n;
-            const refunds = db.prepare(`SELECT COUNT(*) as n FROM return_requests WHERE status='refunded' AND created_at > ${t}`).get().n;
-            const newUsers = db.prepare(`SELECT COUNT(*) as n FROM users WHERE created_at > ${t} AND id NOT IN ('sys_protocol', ?)`).get(INTERNAL_AUDITOR_ID).n;
+            const orders = (await dbOne(`SELECT COUNT(*) as n, COALESCE(SUM(total_amount),0) as gmv FROM orders WHERE created_at > ${t}`));
+            const completed = (await dbOne(`SELECT COUNT(*) as n FROM orders WHERE status='completed' AND created_at > ${t}`)).n;
+            const disputes = (await dbOne(`SELECT COUNT(*) as n FROM disputes WHERE created_at > ${t}`)).n;
+            const refunds = (await dbOne(`SELECT COUNT(*) as n FROM return_requests WHERE status='refunded' AND created_at > ${t}`)).n;
+            const newUsers = (await dbOne(`SELECT COUNT(*) as n FROM users WHERE created_at > ${t} AND id NOT IN ('sys_protocol', ?)`, [INTERNAL_AUDITOR_ID])).n;
             return { label, days, orders: orders.n, gmv: orders.gmv, completed, disputes, refunds, new_users: newUsers,
                 dispute_rate: orders.n > 0 ? disputes / orders.n : 0,
                 refund_rate: completed > 0 ? refunds / completed : 0,
             };
         };
-        const dauProxy = db.prepare(`
+        const dauProxy = (await dbOne(`
       SELECT COUNT(DISTINCT u_id) as n FROM (
         SELECT buyer_id as u_id FROM orders WHERE created_at > datetime('now', '-1 day')
         UNION SELECT seller_id FROM orders WHERE created_at > datetime('now', '-1 day')
@@ -133,8 +134,8 @@ export function registerAdminAnalyticsRoutes(app, deps) {
         UNION SELECT user_id FROM daily_checkins WHERE checkin_date >= date('now', '-1 day')
         UNION SELECT user_id FROM feedback_tickets WHERE created_at > datetime('now', '-1 day')
       )
-    `).get().n;
-        const mauProxy = db.prepare(`
+    `)).n;
+        const mauProxy = (await dbOne(`
       SELECT COUNT(DISTINCT u_id) as n FROM (
         SELECT buyer_id as u_id FROM orders WHERE created_at > datetime('now', '-30 days')
         UNION SELECT seller_id FROM orders WHERE created_at > datetime('now', '-30 days')
@@ -142,8 +143,8 @@ export function registerAdminAnalyticsRoutes(app, deps) {
         UNION SELECT user_id FROM daily_checkins WHERE checkin_date >= date('now', '-30 days')
         UNION SELECT user_id FROM feedback_tickets WHERE created_at > datetime('now', '-30 days')
       )
-    `).get().n;
-        const userTotals = db.prepare(`
+    `)).n;
+        const userTotals = (await dbOne(`
       SELECT
         SUM(CASE WHEN role='buyer' THEN 1 ELSE 0 END) as buyers,
         SUM(CASE WHEN role='seller' THEN 1 ELSE 0 END) as sellers,
@@ -153,26 +154,26 @@ export function registerAdminAnalyticsRoutes(app, deps) {
         SUM(CASE WHEN role='admin' THEN 1 ELSE 0 END) as admins,
         COUNT(*) as total
       FROM users WHERE id NOT IN ('sys_protocol', ?)
-    `).get(INTERNAL_AUDITOR_ID);
-        const sysWallet = db.prepare("SELECT balance FROM wallets WHERE user_id = 'sys_protocol'").get();
-        const totalEscrowed = db.prepare("SELECT COALESCE(SUM(escrowed),0) as t FROM wallets").get().t;
-        const totalStaked = db.prepare("SELECT COALESCE(SUM(staked),0) as t FROM wallets").get().t;
-        const platformRewards = db.prepare("SELECT COALESCE(SUM(amount),0) as t FROM platform_reward_log").get().t;
-        const platformRewardsToday = db.prepare("SELECT COALESCE(SUM(amount),0) as t FROM platform_reward_log WHERE created_at > datetime('now','-1 day')").get().t;
-        const products = db.prepare("SELECT COUNT(*) as n, SUM(CASE WHEN status='active' THEN 1 ELSE 0 END) as active FROM products").get();
-        const ratings = db.prepare("SELECT COUNT(*) as n FROM order_ratings").get().n;
-        const subs = db.prepare("SELECT COUNT(*) as n FROM push_subscriptions WHERE enabled=1").get().n;
-        const trustOpen = db.prepare(`
+    `, [INTERNAL_AUDITOR_ID]));
+        const sysWallet = await dbOne("SELECT balance FROM wallets WHERE user_id = 'sys_protocol'");
+        const totalEscrowed = (await dbOne("SELECT COALESCE(SUM(escrowed),0) as t FROM wallets")).t;
+        const totalStaked = (await dbOne("SELECT COALESCE(SUM(staked),0) as t FROM wallets")).t;
+        const platformRewards = (await dbOne("SELECT COALESCE(SUM(amount),0) as t FROM platform_reward_log")).t;
+        const platformRewardsToday = (await dbOne("SELECT COALESCE(SUM(amount),0) as t FROM platform_reward_log WHERE created_at > datetime('now','-1 day')")).t;
+        const products = (await dbOne("SELECT COUNT(*) as n, SUM(CASE WHEN status='active' THEN 1 ELSE 0 END) as active FROM products"));
+        const ratings = (await dbOne("SELECT COUNT(*) as n FROM order_ratings")).n;
+        const subs = (await dbOne("SELECT COUNT(*) as n FROM push_subscriptions WHERE enabled=1")).n;
+        const trustOpen = (await dbOne(`
       SELECT
         (SELECT COUNT(*) FROM disputes WHERE status IN ('open','in_review')) as disputes_open,
         (SELECT COUNT(*) FROM feedback_tickets WHERE status IN ('open','in_progress')) as feedback_open,
         (SELECT COUNT(*) FROM return_requests WHERE status='pending') as returns_pending
-    `).get();
+    `));
         res.json({
             activity: {
                 dau_proxy: dauProxy,
                 mau_proxy: mauProxy,
-                windows: [windowCounts('24h', 1), windowCounts('7d', 7), windowCounts('30d', 30)],
+                windows: await Promise.all([windowCounts('24h', 1), windowCounts('7d', 7), windowCounts('30d', 30)]),
             },
             users: userTotals,
             finance: {
@@ -191,35 +192,35 @@ export function registerAdminAnalyticsRoutes(app, deps) {
             trust_open: trustOpen,
         });
     });
-    app.get('/api/admin/dashboard', (req, res) => {
+    app.get('/api/admin/dashboard', async (req, res) => {
         const admin = requireAdmin(req, res);
         if (!admin)
             return;
-        const u = db.prepare("SELECT COUNT(*) as n FROM users WHERE id NOT IN ('sys_protocol', ?)").get(INTERNAL_AUDITOR_ID);
-        const sellers = db.prepare("SELECT COUNT(*) as n FROM users WHERE role = 'seller' AND id NOT IN ('sys_protocol', ?)").get(INTERNAL_AUDITOR_ID);
-        const active = db.prepare("SELECT COUNT(*) as n FROM products WHERE status = 'active'").get();
-        const o24 = db.prepare("SELECT COUNT(*) as n, COALESCE(SUM(total_amount),0) as gmv FROM orders WHERE created_at > datetime('now','-1 day')").get();
-        const dOpen = db.prepare("SELECT COUNT(*) as n FROM disputes WHERE status IN ('open','in_review')").get();
-        const vOpen = db.prepare("SELECT COUNT(*) as n FROM verify_tasks WHERE status IN ('open','code_issued')").get();
-        const locked = db.prepare("SELECT COALESCE(SUM(staked + escrowed),0) as t FROM wallets").get();
-        const sus = db.prepare("SELECT COUNT(*) as n FROM user_moderation WHERE suspended = 1").get();
-        const verifierApps = db.prepare("SELECT COUNT(*) as n FROM verifier_applications WHERE status = 'pending'").get();
-        const verifierAppeals = db.prepare("SELECT COUNT(*) as n FROM verifier_appeals WHERE status = 'pending'").get();
-        const quotaApps = db.prepare("SELECT COUNT(*) as n FROM quota_increase_applications WHERE status = 'pending'").get();
-        const listingPaused = db.prepare("SELECT COUNT(*) as n FROM users WHERE listing_paused = 1").get();
-        const activeVerifiers = db.prepare(`
+        const u = (await dbOne("SELECT COUNT(*) as n FROM users WHERE id NOT IN ('sys_protocol', ?)", [INTERNAL_AUDITOR_ID]));
+        const sellers = (await dbOne("SELECT COUNT(*) as n FROM users WHERE role = 'seller' AND id NOT IN ('sys_protocol', ?)", [INTERNAL_AUDITOR_ID]));
+        const active = (await dbOne("SELECT COUNT(*) as n FROM products WHERE status = 'active'"));
+        const o24 = (await dbOne("SELECT COUNT(*) as n, COALESCE(SUM(total_amount),0) as gmv FROM orders WHERE created_at > datetime('now','-1 day')"));
+        const dOpen = (await dbOne("SELECT COUNT(*) as n FROM disputes WHERE status IN ('open','in_review')"));
+        const vOpen = (await dbOne("SELECT COUNT(*) as n FROM verify_tasks WHERE status IN ('open','code_issued')"));
+        const locked = (await dbOne("SELECT COALESCE(SUM(staked + escrowed),0) as t FROM wallets"));
+        const sus = (await dbOne("SELECT COUNT(*) as n FROM user_moderation WHERE suspended = 1"));
+        const verifierApps = (await dbOne("SELECT COUNT(*) as n FROM verifier_applications WHERE status = 'pending'"));
+        const verifierAppeals = (await dbOne("SELECT COUNT(*) as n FROM verifier_appeals WHERE status = 'pending'"));
+        const quotaApps = (await dbOne("SELECT COUNT(*) as n FROM quota_increase_applications WHERE status = 'pending'"));
+        const listingPaused = (await dbOne("SELECT COUNT(*) as n FROM users WHERE listing_paused = 1"));
+        const activeVerifiers = (await dbOne(`
       SELECT COUNT(*) as n FROM verifier_whitelist vw
       LEFT JOIN verifier_stats vs ON vs.user_id = vw.user_id
       WHERE (vw.cooldown_until IS NULL OR vw.cooldown_until < datetime('now'))
         AND (vs.suspended_until IS NULL OR vs.suspended_until < datetime('now'))
-    `).get();
-        const tokenomics = (() => {
-            const gf = db.prepare("SELECT pool_balance, total_scores_pending, current_n, last_settled_at FROM global_fund WHERE id=1").get();
-            const mb = db.prepare("SELECT balance FROM management_bonus_pool WHERE id=1").get();
-            const pendingLedger = db.prepare("SELECT COUNT(*) as n FROM pv_ledger WHERE processed = 0").get().n;
-            const commCount = db.prepare("SELECT COUNT(*) as n, COALESCE(SUM(amount),0) as t FROM commission_records").get();
-            const dirtyUsers = db.prepare("SELECT COUNT(*) as n FROM users WHERE pv_dirty_at IS NOT NULL").get().n;
-            const matchedTotal = db.prepare("SELECT COUNT(*) as n, COALESCE(SUM(waz_amount),0) as w FROM binary_score_records WHERE settled_at IS NOT NULL").get();
+    `));
+        const tokenomics = await (async () => {
+            const gf = await dbOne("SELECT pool_balance, total_scores_pending, current_n, last_settled_at FROM global_fund WHERE id=1");
+            const mb = await dbOne("SELECT balance FROM management_bonus_pool WHERE id=1");
+            const pendingLedger = (await dbOne("SELECT COUNT(*) as n FROM pv_ledger WHERE processed = 0")).n;
+            const commCount = (await dbOne("SELECT COUNT(*) as n, COALESCE(SUM(amount),0) as t FROM commission_records"));
+            const dirtyUsers = (await dbOne("SELECT COUNT(*) as n FROM users WHERE pv_dirty_at IS NOT NULL")).n;
+            const matchedTotal = (await dbOne("SELECT COUNT(*) as n, COALESCE(SUM(waz_amount),0) as w FROM binary_score_records WHERE settled_at IS NOT NULL"));
             return {
                 pool_balance: Number(gf?.pool_balance ?? 0),
                 scores_pending: Number(gf?.total_scores_pending ?? 0),
@@ -250,4 +251,43 @@ export function registerAdminAnalyticsRoutes(app, deps) {
             tokenomics,
         });
     });
+    // RFC-002 rewards opt-in 生命周期监控(#937 A8)— 申请流 / 佣金 escrow / consent 版本漂移。
+    //   之前这三张表(rewards_applications / pending_commission_escrow / rewards_consent_texts)只有
+    //   引擎 cron 读写,无 admin 监控视图;上线后需盯:opt-in 申请量、escrow 待兑付/将到期、
+    //   以及"在旧 major consent 上仍 opted-in"= 下次 auto_downgrade cron 的降级候选。
+    app.get('/api/admin/rewards-health', async (req, res) => {
+        const admin = requireAdmin(req, res);
+        if (!admin)
+            return;
+        // 1. 申请流:按 action 计数 + 当前 opted-in 用户数 + 最近 20 条
+        const appsByAction = await dbAll(`SELECT action, COUNT(*) AS n FROM rewards_applications GROUP BY action ORDER BY n DESC`);
+        const optedIn = (await dbOne(`SELECT COUNT(*) AS n FROM users WHERE rewards_opted_in = 1`)).n;
+        const recentApps = await dbAll(`SELECT id, user_id, action, consent_version, verification_method, created_at
+      FROM rewards_applications ORDER BY created_at DESC LIMIT 20`);
+        // 2. 佣金 escrow:按 status 计数+金额、待兑付按 attribution_path、24h 内将到期
+        const nowSec = Math.floor(Date.now() / 1000);
+        const escrowByStatus = await dbAll(`SELECT status, COUNT(*) AS n, COALESCE(SUM(amount),0) AS total
+      FROM pending_commission_escrow GROUP BY status`);
+        const escrowPendingByPath = await dbAll(`SELECT attribution_path, COUNT(*) AS n, COALESCE(SUM(amount),0) AS total
+      FROM pending_commission_escrow WHERE status='pending' GROUP BY attribution_path`);
+        const expiringSoon = (await dbOne(`SELECT COUNT(*) AS n, COALESCE(SUM(amount),0) AS total
+      FROM pending_commission_escrow WHERE status='pending' AND expires_at <= ?`, [nowSec + 86400]));
+        // 3. consent 版本:当前 major + 仍停留在旧 major 上的 opted-in 用户数(= auto_downgrade 候选)
+        const currentMajor = await dbOne(`SELECT version, effective_at FROM rewards_consent_texts WHERE change_class='major' ORDER BY effective_at DESC LIMIT 1`);
+        let staleConsentOptedIn = 0;
+        if (currentMajor) {
+            staleConsentOptedIn = (await dbOne(`SELECT COUNT(*) AS n FROM users u
+        WHERE u.rewards_opted_in = 1 AND (
+          SELECT consent_version FROM rewards_applications
+          WHERE user_id = u.id AND action IN ('activate','reconfirm') ORDER BY created_at DESC LIMIT 1
+        ) IS NOT ?`, [currentMajor.version])).n;
+        }
+        const consentVersions = await dbAll(`SELECT version, change_class, effective_at FROM rewards_consent_texts ORDER BY effective_at DESC LIMIT 10`);
+        res.json({
+            applications: { by_action: appsByAction, opted_in_users: optedIn, recent: recentApps },
+            commission_escrow: { by_status: escrowByStatus, pending_by_path: escrowPendingByPath, expiring_within_24h: expiringSoon },
+            consent: { current_major: currentMajor || null, stale_consent_opted_in: staleConsentOptedIn, versions: consentVersions },
+            generated_at: new Date().toISOString(),
+        });
+    });
 }

package/dist/pwa/routes/admin-atomic.js

@@ -1,21 +1,27 @@
 export function registerAdminAtomicRoutes(app, deps) {
-    const { requireProtocolAdmin, processPvLedger, runBinarySettlement, executeSafeSettlementCron } = deps;
+    const { requireProtocolAdmin, processPvLedger, runBinarySettlement, executeSafeSettlementCron, logAdminAction } = deps;
     app.post('/api/admin/atomic/process-ledger', (req, res) => {
         const admin = requireProtocolAdmin(req, res);
         if (!admin)
             return;
-        res.json({ processed: processPvLedger() });
+        const processed = processPvLedger();
+        logAdminAction(admin.id, 'atomic_process_ledger', 'protocol', null, { processed });
+        res.json({ processed });
     });
     app.post('/api/admin/atomic/run-settlement', (req, res) => {
         const admin = requireProtocolAdmin(req, res);
         if (!admin)
             return;
-        res.json({ settled: runBinarySettlement() });
+        const settled = runBinarySettlement();
+        logAdminAction(admin.id, 'atomic_run_settlement', 'protocol', null, { settled });
+        res.json({ settled });
     });
     app.post('/api/admin/atomic/distribute', (req, res) => {
         const admin = requireProtocolAdmin(req, res);
         if (!admin)
             return;
-        res.json(executeSafeSettlementCron());
+        const result = executeSafeSettlementCron();
+        logAdminAction(admin.id, 'atomic_distribute', 'protocol', null, { result });
+        res.json(result);
     });
 }

package/dist/pwa/routes/admin-catalog.js

@@ -1,7 +1,9 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAdminCatalogRoutes(app, deps) {
-    const { db, requireContentAdmin, logAdminAction } = deps;
+    // db 已走 RFC-016 异步 seam(dbOne/dbAll/dbRun),不再直接用 deps.db
+    const { requireContentAdmin, logAdminAction } = deps;
     // ─── 类目 季节性配置 ─────────────────────────────────────
-    app.post('/api/admin/categories/:id/seasonal', (req, res) => {
+    app.post('/api/admin/categories/:id/seasonal', async (req, res) => {
         const admin = requireContentAdmin(req, res);
         if (!admin)
             return;
@@ -12,22 +14,22 @@ export function registerAdminCatalogRoutes(app, deps) {
         const valid = months.filter(m => Number.isInteger(m) && m >= 1 && m <= 12);
         if (valid.length === 0)
             return void res.json({ error: '没有有效的月份（1-12）' });
-        const cat = db.prepare('SELECT id, name FROM product_categories WHERE id = ?').get(req.params.id);
+        const cat = await dbOne('SELECT id, name FROM product_categories WHERE id = ?', [req.params.id]);
         if (!cat)
             return void res.status(404).json({ error: 'category 不存在' });
         const csv = [...new Set(valid)].sort((a, b) => a - b).join(',');
-        db.prepare('UPDATE product_categories SET seasonal_months = ? WHERE id = ?').run(csv, req.params.id);
+        await dbRun('UPDATE product_categories SET seasonal_months = ? WHERE id = ?', [csv, req.params.id]);
         res.json({ success: true, category: cat.name, seasonal_months: csv });
     });
-    app.delete('/api/admin/categories/:id/seasonal', (req, res) => {
+    app.delete('/api/admin/categories/:id/seasonal', async (req, res) => {
         const admin = requireContentAdmin(req, res);
         if (!admin)
             return;
-        db.prepare('UPDATE product_categories SET seasonal_months = NULL WHERE id = ?').run(req.params.id);
+        await dbRun('UPDATE product_categories SET seasonal_months = NULL WHERE id = ?', [req.params.id]);
         res.json({ success: true });
     });
     // ─── 商品 列表 + 强制下架 ───────────────────────────────
-    app.get('/api/admin/products', (req, res) => {
+    app.get('/api/admin/products', async (req, res) => {
         const admin = requireContentAdmin(req, res);
         if (!admin)
             return;
@@ -41,23 +43,23 @@ export function registerAdminCatalogRoutes(app, deps) {
             params.push(status);
         }
         sql += ` ORDER BY p.created_at DESC LIMIT 100`;
-        res.json({ products: db.prepare(sql).all(...params) });
+        res.json({ products: await dbAll(sql, params) });
     });
-    app.post('/api/admin/products/:id/force-delist', (req, res) => {
+    app.post('/api/admin/products/:id/force-delist', async (req, res) => {
         // P0.5: 需 content 权限（之前仅 requireAdmin）
         const admin = requireContentAdmin(req, res);
         if (!admin)
             return;
         const { reason } = req.body;
         const productId = req.params.id;
-        const product = db.prepare("SELECT id, status, title FROM products WHERE id = ?").get(productId);
+        const product = await dbOne("SELECT id, status, title FROM products WHERE id = ?", [productId]);
         if (!product)
             return void res.json({ error: '商品不存在' });
         if (product.status === 'deleted')
             return void res.json({ error: '商品已删除' });
         if (product.status === 'paused')
             return void res.json({ error: '商品已是下架状态' });
-        db.prepare("UPDATE products SET status = 'paused', updated_at = datetime('now') WHERE id = ?").run(productId);
+        await dbRun("UPDATE products SET status = 'paused', updated_at = datetime('now') WHERE id = ?", [productId]);
         logAdminAction(admin.id, 'force_delist', 'product', productId, { reason: reason || null, title: product.title });
         res.json({ success: true });
     });

package/dist/pwa/routes/admin-editor-picks.js

@@ -1,6 +1,8 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAdminEditorPicksRoutes(app, deps) {
-    const { db, requireContentAdmin, generateId } = deps;
-    app.post('/api/admin/editor-picks', (req, res) => {
+    // db 已走 RFC-016 异步 seam(dbOne/dbAll/dbRun),不再直接用 deps.db
+    const { requireContentAdmin, generateId } = deps;
+    app.post('/api/admin/editor-picks', async (req, res) => {
         const admin = requireContentAdmin(req, res);
         if (!admin)
             return;
@@ -10,11 +12,11 @@ export function registerAdminEditorPicksRoutes(app, deps) {
         if (!target_id)
             return void res.status(400).json({ error: 'target_id 必填' });
         if (kind === 'product') {
-            if (!db.prepare("SELECT 1 FROM products WHERE id = ? AND status != 'deleted'").get(target_id))
+            if (!await dbOne("SELECT 1 FROM products WHERE id = ? AND status != 'deleted'", [target_id]))
                 return void res.status(400).json({ error: '商品不存在' });
         }
         else {
-            if (!db.prepare("SELECT 1 FROM users WHERE id = ? AND role = 'seller'").get(target_id))
+            if (!await dbOne("SELECT 1 FROM users WHERE id = ? AND role = 'seller'", [target_id]))
                 return void res.status(400).json({ error: '卖家不存在' });
         }
         // SQLite 兼容："YYYY-MM-DD HH:MM:SS" — ISO 'T'/毫秒会让窗口比较失效
@@ -24,22 +26,25 @@ export function registerAdminEditorPicksRoutes(app, deps) {
         if (endsDate <= startsDate)
             return void res.status(400).json({ error: 'ends_at 必须晚于 starts_at' });
         const id = generateId('ep');
-        db.prepare(`INSERT INTO editor_picks (id, kind, target_id, title, note, starts_at, ends_at, sort_order, created_by) VALUES (?,?,?,?,?,?,?,?,?)`)
-            .run(id, kind, target_id, title ? String(title).slice(0, 100) : null, note ? String(note).slice(0, 500) : null, toSqliteUtc(startsDate), toSqliteUtc(endsDate), Number(sort_order) || 0, admin.id);
+        await dbRun(`INSERT INTO editor_picks (id, kind, target_id, title, note, starts_at, ends_at, sort_order, created_by) VALUES (?,?,?,?,?,?,?,?,?)`, [id, kind, target_id,
+            title ? String(title).slice(0, 100) : null,
+            note ? String(note).slice(0, 500) : null,
+            toSqliteUtc(startsDate), toSqliteUtc(endsDate),
+            Number(sort_order) || 0, admin.id]);
         res.json({ success: true, id });
     });
-    app.delete('/api/admin/editor-picks/:id', (req, res) => {
+    app.delete('/api/admin/editor-picks/:id', async (req, res) => {
         const admin = requireContentAdmin(req, res);
         if (!admin)
             return;
-        db.prepare('DELETE FROM editor_picks WHERE id = ?').run(req.params.id);
+        await dbRun('DELETE FROM editor_picks WHERE id = ?', [req.params.id]);
         res.json({ success: true });
     });
-    app.get('/api/admin/editor-picks', (req, res) => {
+    app.get('/api/admin/editor-picks', async (req, res) => {
         const admin = requireContentAdmin(req, res);
         if (!admin)
             return;
-        const rows = db.prepare(`SELECT * FROM editor_picks ORDER BY ends_at DESC LIMIT 200`).all();
+        const rows = await dbAll(`SELECT * FROM editor_picks ORDER BY ends_at DESC LIMIT 200`);
         res.json({ items: rows });
     });
 }

package/dist/pwa/routes/admin-events.js

@@ -1,5 +1,7 @@
+import { dbOne } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAdminEventsRoutes(app, deps) {
-    const { db, requireAdmin, generateId, systemEventBuffer, SYSTEM_EVENT_BUFFER_SIZE, adminEventClients } = deps;
+    // db 已走 RFC-016 异步 seam(dbOne),不再直接用 deps.db
+    const { requireAdmin, generateId, systemEventBuffer, SYSTEM_EVENT_BUFFER_SIZE, adminEventClients } = deps;
     app.get('/api/admin/events/recent', (req, res) => {
         const admin = requireAdmin(req, res);
         if (!admin)
@@ -24,14 +26,14 @@ export function registerAdminEventsRoutes(app, deps) {
         sseTickets.set(ticket, { userId: String(admin.id), expiresAt: Date.now() + 60_000 });
         res.json({ ticket, expires_in: 60 });
     });
-    app.get('/api/admin/events/stream', (req, res) => {
+    app.get('/api/admin/events/stream', async (req, res) => {
         const ticket = String(req.query.ticket || '');
         cleanupSseTickets();
         const info = sseTickets.get(ticket);
         if (!info)
             return void res.status(403).json({ error: '无效或已过期的 ticket' });
         sseTickets.delete(ticket); // 单次使用
-        const u = db.prepare('SELECT role FROM users WHERE id = ?').get(info.userId);
+        const u = await dbOne('SELECT role FROM users WHERE id = ?', [info.userId]);
         if (!u || u.role !== 'admin')
             return void res.status(403).json({ error: '需要 admin 身份' });
         res.setHeader('Content-Type', 'text/event-stream');

package/dist/pwa/routes/admin-health.js

@@ -1,3 +1,4 @@
+import { dbOne } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAdminHealthRoutes(app, deps) {
     const { db, requireProtocolAdmin, getPublicClient, getRpcUrl, getNetwork, adminEventClients, sseClients, systemEventBuffer, authFailures } = deps;
     app.get('/api/admin/health', async (req, res) => {
@@ -21,7 +22,7 @@ export function registerAdminHealthRoutes(app, deps) {
             if (t === 'system_events_buffer_in_mem')
                 continue;
             try {
-                tableCounts[t] = db.prepare(`SELECT COUNT(*) as n FROM ${t}`).get().n;
+                tableCounts[t] = (await dbOne(`SELECT COUNT(*) as n FROM ${t}`)).n;
             }
             catch {
                 tableCounts[t] = -1;