@seasonkoh/webaz 0.1.24 → 0.1.26

package/dist/pwa/routes/admin-verifier-whitelist.js

@@ -1,40 +1,43 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAdminVerifierWhitelistRoutes(app, deps) {
+    // 单写白名单管理站点走 RFC-016 异步 seam;db 保留:revoke 是没收/退质押 + 白名单重写的
+    // 多写资金路径,必须原子(db.transaction + 防重复没收 guard),Phase 3 迁 pg 行锁。
     const { db, requireVerifierMgmtAdmin, adminCanOperateOn, logAdminAction, INTERNAL_AUDITOR_ID, TIER_QUOTAS, REVOKE_COOLDOWN_DAYS } = deps;
-    app.get('/api/admin/verifier-whitelist', (req, res) => {
+    app.get('/api/admin/verifier-whitelist', async (req, res) => {
         const user = requireVerifierMgmtAdmin(req, res);
         if (!user)
             return;
-        const list = db.prepare(`
+        const list = await dbAll(`
       SELECT vw.user_id, vw.added_at, vw.note, u.name, u.role
       FROM verifier_whitelist vw
       JOIN users u ON u.id = vw.user_id
       ORDER BY vw.added_at ASC
-    `).all();
+    `);
         res.json(list);
     });
-    app.post('/api/admin/verifier-whitelist', (req, res) => {
+    app.post('/api/admin/verifier-whitelist', async (req, res) => {
         const admin = requireVerifierMgmtAdmin(req, res);
         if (!admin)
             return;
         const { user_id, name, note } = req.body;
         let targetId = user_id;
         if (!targetId && name) {
-            const found = db.prepare('SELECT id FROM users WHERE name = ?').get(name);
+            const found = await dbOne('SELECT id FROM users WHERE name = ?', [name]);
             if (!found)
                 return void res.json({ error: `用户「${name}」不存在` });
             targetId = found.id;
         }
         if (!targetId)
             return void res.json({ error: '请提供 user_id 或 name' });
-        const target = db.prepare('SELECT id, name FROM users WHERE id = ?').get(targetId);
+        const target = await dbOne('SELECT id, name FROM users WHERE id = ?', [targetId]);
         if (!target)
             return void res.json({ error: '用户不存在' });
         if (!adminCanOperateOn(admin, targetId, res))
             return;
-        db.prepare('INSERT OR IGNORE INTO verifier_whitelist (user_id, note) VALUES (?, ?)').run(targetId, note ?? null);
+        await dbRun('INSERT OR IGNORE INTO verifier_whitelist (user_id, note) VALUES (?, ?)', [targetId, note ?? null]);
         res.json({ success: true, user_id: targetId, name: target.name });
     });
-    app.delete('/api/admin/verifier-whitelist/:userId', (req, res) => {
+    app.delete('/api/admin/verifier-whitelist/:userId', async (req, res) => {
         const admin = requireVerifierMgmtAdmin(req, res);
         if (!admin)
             return;
@@ -43,10 +46,10 @@ export function registerAdminVerifierWhitelistRoutes(app, deps) {
             return void res.json({ error: '内部审核员不可移除' });
         if (!adminCanOperateOn(admin, targetId, res))
             return;
-        db.prepare('DELETE FROM verifier_whitelist WHERE user_id = ?').run(targetId);
+        await dbRun('DELETE FROM verifier_whitelist WHERE user_id = ?', [targetId]);
         res.json({ success: true });
     });
-    app.post('/api/admin/verifier-whitelist/:userId/promote', (req, res) => {
+    app.post('/api/admin/verifier-whitelist/:userId/promote', async (req, res) => {
         const admin = requireVerifierMgmtAdmin(req, res);
         if (!admin)
             return;
@@ -56,17 +59,16 @@ export function registerAdminVerifierWhitelistRoutes(app, deps) {
         if (!TIER_QUOTAS[tier])
             return void res.json({ error: 'tier 无效' });
         const targetId = req.params.userId;
-        const wl = db.prepare("SELECT is_system FROM verifier_whitelist WHERE user_id = ?").get(targetId);
+        const wl = await dbOne("SELECT is_system FROM verifier_whitelist WHERE user_id = ?", [targetId]);
         if (!wl)
             return void res.json({ error: '该用户不在白名单' });
         if (wl.is_system)
             return void res.json({ error: '系统兜底账户不可手动 promote' });
-        db.prepare("UPDATE verifier_whitelist SET tier = ?, daily_quota = ? WHERE user_id = ?")
-            .run(tier, TIER_QUOTAS[tier], targetId);
+        await dbRun("UPDATE verifier_whitelist SET tier = ?, daily_quota = ? WHERE user_id = ?", [tier, TIER_QUOTAS[tier], targetId]);
         logAdminAction(admin.id, 'promote_verifier', 'user', targetId, { tier });
         res.json({ success: true });
     });
-    app.post('/api/admin/verifier-whitelist/:userId/suspend', (req, res) => {
+    app.post('/api/admin/verifier-whitelist/:userId/suspend', async (req, res) => {
         const admin = requireVerifierMgmtAdmin(req, res);
         if (!admin)
             return;
@@ -76,12 +78,12 @@ export function registerAdminVerifierWhitelistRoutes(app, deps) {
         const targetId = req.params.userId;
         const n = Number(days) > 0 ? Number(days) : 7;
         const until = new Date(Date.now() + n * 86400_000).toISOString();
-        db.prepare("INSERT OR IGNORE INTO verifier_stats (user_id) VALUES (?)").run(targetId);
-        db.prepare("UPDATE verifier_stats SET suspended_until = ? WHERE user_id = ?").run(until, targetId);
+        await dbRun("INSERT OR IGNORE INTO verifier_stats (user_id) VALUES (?)", [targetId]);
+        await dbRun("UPDATE verifier_stats SET suspended_until = ? WHERE user_id = ?", [until, targetId]);
         logAdminAction(admin.id, 'suspend_verifier', 'user', targetId, { days: n, reason: reason || null, until });
         res.json({ success: true, suspended_until: until });
     });
-    app.post('/api/admin/verifier-whitelist/:userId/revoke', (req, res) => {
+    app.post('/api/admin/verifier-whitelist/:userId/revoke', async (req, res) => {
         const admin = requireVerifierMgmtAdmin(req, res);
         if (!admin)
             return;
@@ -89,22 +91,48 @@ export function registerAdminVerifierWhitelistRoutes(app, deps) {
             return;
         const { reason } = req.body;
         const targetId = req.params.userId;
-        const wl = db.prepare("SELECT is_system, stake_amount FROM verifier_whitelist WHERE user_id = ?").get(targetId);
+        // 友好预检查(读);真正的守恒 + 防重复没收门在事务内(重读 active 行 + cooldown guard)。
+        const wl = await dbOne("SELECT is_system, stake_amount FROM verifier_whitelist WHERE user_id = ?", [targetId]);
         if (!wl)
             return void res.json({ error: '该用户不在白名单' });
         if (wl.is_system)
             return void res.json({ error: '系统兜底账户不可撤销' });
         const cooldownUntil = new Date(Date.now() + REVOKE_COOLDOWN_DAYS * 86400_000).toISOString();
-        // 没收 50% 质押
-        const forfeit = (wl.stake_amount || 0) * 0.5;
-        db.prepare("UPDATE wallets SET staked = staked - ? WHERE user_id = ?").run(wl.stake_amount || 0, targetId);
-        if ((wl.stake_amount || 0) > forfeit) {
-            db.prepare("UPDATE wallets SET balance = balance + ? WHERE user_id = ?").run((wl.stake_amount || 0) - forfeit, targetId);
+        // 原子段:重读 active 行 → 没收 50% + 退还另一半 + DELETE active + INSERT cooldown 一起落。
+        // cooldown guard 防并发两次 revoke 重复没收/退款。
+        let forfeit = 0;
+        try {
+            forfeit = db.transaction(() => {
+                const cur = db.prepare("SELECT is_system, stake_amount, cooldown_until FROM verifier_whitelist WHERE user_id = ?")
+                    .get(targetId);
+                if (!cur)
+                    throw new Error('REVOKE_GONE');
+                if (cur.is_system)
+                    throw new Error('REVOKE_SYSTEM');
+                if (cur.cooldown_until)
+                    throw new Error('REVOKE_ALREADY'); // 已在撤销冷却,不再没收一次
+                const stakeAmt = cur.stake_amount || 0;
+                const f = Math.round(stakeAmt * 0.5 * 100) / 100;
+                db.prepare("UPDATE wallets SET staked = staked - ? WHERE user_id = ?").run(stakeAmt, targetId);
+                if (stakeAmt > f)
+                    db.prepare("UPDATE wallets SET balance = balance + ? WHERE user_id = ?").run(stakeAmt - f, targetId);
+                db.prepare("DELETE FROM verifier_whitelist WHERE user_id = ?").run(targetId);
+                db.prepare(`INSERT INTO verifier_whitelist (user_id, note, tier, daily_quota, cooldown_until, is_system) VALUES (?,?,?,?,?,0)`)
+                    .run(targetId, `撤销冷却中: ${reason || ''}`, 'trial-1', 0, cooldownUntil);
+                return f;
+            })();
+        }
+        catch (e) {
+            const msg = e.message;
+            if (msg === 'REVOKE_GONE')
+                return void res.json({ error: '该用户不在白名单' });
+            if (msg === 'REVOKE_SYSTEM')
+                return void res.json({ error: '系统兜底账户不可撤销' });
+            if (msg === 'REVOKE_ALREADY')
+                return void res.json({ error: '该用户已在撤销冷却中' });
+            console.error('[verifier revoke tx]', msg);
+            return void res.status(500).json({ error: '撤销失败,请重试' });
         }
-        db.prepare("DELETE FROM verifier_whitelist WHERE user_id = ?").run(targetId);
-        // 用 cooldown 记录在 verifier_stats 上（应用层兼容）
-        db.prepare(`INSERT INTO verifier_whitelist (user_id, note, tier, daily_quota, cooldown_until, is_system) VALUES (?,?,?,?,?,0)`)
-            .run(targetId, `撤销冷却中: ${reason || ''}`, 'trial-1', 0, cooldownUntil);
         logAdminAction(admin.id, 'revoke_verifier', 'user', targetId, { reason: reason || null, forfeit, cooldown_until: cooldownUntil });
         res.json({ success: true, cooldown_until: cooldownUntil, forfeit });
     });

package/dist/pwa/routes/admin-wallet-ops.js

@@ -1,5 +1,7 @@
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAdminWalletOpsRoutes(app, deps) {
-    const { db, requireProtocolAdmin, adminAuth, getPublicClient, getUsdcAddr, getUsdcAbi, getHotWalletAddr, wazToUsdc, getIsMainnet, getNetwork, executeWithdrawal } = deps;
+    // db 已走 RFC-016 异步 seam(dbOne/dbAll),不再直接用 deps.db
+    const { requireProtocolAdmin, adminAuth, getPublicClient, getUsdcAddr, getUsdcAbi, getHotWalletAddr, wazToUsdc, getIsMainnet, getNetwork, executeWithdrawal, logAdminAction, resolveProtocolAdminSoft } = deps;
     // P2-5: protocol 权限（区域 admin 看不到全局热钱包）
     app.get('/api/admin/hot-wallet/status', async (req, res) => {
         const admin = requireProtocolAdmin(req, res);
@@ -12,7 +14,7 @@ export function registerAdminWalletOpsRoutes(app, deps) {
                 address: getUsdcAddr(), abi: getUsdcAbi(), functionName: 'balanceOf', args: [hw],
             });
             const ethBal = await pc.getBalance({ address: hw });
-            const pending = db.prepare("SELECT COALESCE(SUM(amount), 0) as t FROM withdrawal_requests WHERE status = 'pending'").get();
+            const pending = (await dbOne("SELECT COALESCE(SUM(amount), 0) as t FROM withdrawal_requests WHERE status = 'pending'"));
             const pendingUsdc = wazToUsdc(Number(pending.t));
             res.json({
                 address: hw,
@@ -45,22 +47,45 @@ export function registerAdminWalletOpsRoutes(app, deps) {
             res.json({ address: hw, usdc_balance: null, error: e.message });
         }
     });
-    app.get('/api/admin/withdrawals', (req, res) => {
+    app.get('/api/admin/withdrawals', async (req, res) => {
         if (!adminAuth(req, res))
             return;
-        const list = db.prepare(`
+        const list = await dbAll(`
       SELECT wr.*, u.name as user_name
       FROM withdrawal_requests wr JOIN users u ON wr.user_id = u.id
       WHERE wr.status = 'pending' ORDER BY wr.created_at ASC
-    `).all();
+    `);
         res.json(list);
     });
     app.post('/api/admin/withdrawals/:id/approve', async (req, res) => {
-        if (!adminAuth(req, res))
-            return;
+        // 双轨过渡鉴权:优先认登录的 protocol-admin(Bearer)→ 记其真实 admin id;
+        // 否则回落到共享 ADMIN_KEY(adminAuth,既有运维路径,行为不变)→ actor 记中性标记 'admin_key'。
+        // 仅认 protocol 权限的 admin;非 protocol 的 Bearer 不放行(soft 解析返回 null),不扩大访问面,只精确归属。
+        let actorId = 'admin_key';
+        let authMethod = 'admin_key';
+        const bearerAdmin = resolveProtocolAdminSoft(req);
+        if (bearerAdmin) {
+            actorId = String(bearerAdmin.id);
+            authMethod = 'bearer_admin';
+        }
+        else {
+            if (!adminAuth(req, res))
+                return;
+        }
+        // 出金前读取目标(user + amount),便于审计;执行后用真实 txHash 记一条 admin_audit_log。
+        const wr = await dbOne('SELECT user_id, amount FROM withdrawal_requests WHERE id = ?', [req.params.id]);
         const result = await executeWithdrawal(req.params.id).catch(e => ({ success: false, error: e.message, txHash: undefined }));
         if (!result.success)
             return void res.json({ error: result.error });
+        // 审计时机:仅在出金成功后写。actor = 真实 admin id(bearer_admin)或中性标记 'admin_key';不写任何密钥。
+        try {
+            logAdminAction(actorId, 'withdrawal_approve', 'withdrawal', req.params.id, {
+                user_id: wr?.user_id ?? null, amount: wr?.amount ?? null, tx_hash: result.txHash, network: getNetwork(), auth_method: authMethod,
+            });
+        }
+        catch (e) {
+            console.error('[withdrawal_approve audit]', e);
+        }
         res.json({ success: true, tx_hash: result.txHash });
     });
 }

package/dist/pwa/routes/agent-buy.js

@@ -163,33 +163,57 @@ ${webazFormatted.length > 0 ? JSON.stringify(webazFormatted.map(p => ({
                     const now = new Date();
                     const expiresAt = new Date(now.getTime() + 10 * 60_000);
                     sessionToken = generateId('pst');
-                    db.prepare(`INSERT INTO price_sessions (token, product_id, user_id, price, quantity, created_at, expires_at) VALUES (?,?,?,?,1,?,?)`)
-                        .run(sessionToken, product.id, user.id, product.price, now.toISOString(), expiresAt.toISOString());
-                    verifiedPrice = product.price;
                     const oId = generateId('ord');
                     const totalAmount = product.price;
                     const seller = db.prepare('SELECT id FROM users WHERE id = ?').get(product.seller_id);
-                    db.prepare(`INSERT INTO orders (
-            id, product_id, buyer_id, seller_id, quantity, unit_price, total_amount, escrow_amount,
-            status, shipping_address, notes, pay_deadline, accept_deadline, ship_deadline,
-            pickup_deadline, delivery_deadline, confirm_deadline
-          ) VALUES (?,?,?,?,1,?,?,?,'created',?,?,?,?,?,?,?,?)`).run(oId, product.id, user.id, seller.id, totalAmount, totalAmount, totalAmount, shipping_address, `[智能下单] ${decision.reason}`, addHours(now, 24), addHours(now, 48), addHours(now, 120), addHours(now, 168), addHours(now, 336), addHours(now, 408));
-                    db.prepare('UPDATE wallets SET balance = balance - ?, escrowed = escrowed + ? WHERE user_id = ?')
-                        .run(totalAmount, totalAmount, user.id);
-                    db.prepare('UPDATE products SET stock = stock - 1 WHERE id = ?').run(product.id);
-                    checkStockAndMaybeDelist(String(product.id));
-                    db.prepare(`UPDATE price_sessions SET used_at = datetime('now') WHERE token = ?`).run(sessionToken);
-                    transition(db, oId, 'paid', user.id, [], '智能下单：模拟支付完成');
-                    notifyTransition(db, oId, 'created', 'paid');
-                    if (shouldAutoAccept(db, oId)) {
-                        const sys = db.prepare("SELECT id FROM users WHERE id = 'sys_protocol'").get();
-                        if (sys) {
-                            const ar = transition(db, oId, 'accepted', sys.id, [], '⚡ auto_accept Skill 自动接单');
-                            if (ar.success)
-                                notifyTransition(db, oId, 'paid', 'accepted');
+                    // 原子核心:余额扣款(balance>=amount 守卫)+ 库存 CAS(stock>=1)+ 建单 + 价格锁,任一 changes!==1 抛回滚整笔。
+                    //   注:transition() 自带 db.transaction,不能嵌套进来(better-sqlite3 禁套娃);故状态推进 + 通知放 tx 提交后,
+                    //   与原顺序一致(原本就是 insert(created) → 扣款 → transition(paid))。守卫杜绝并发超卖/超扣 + 半写(Phase 3 pg 安全)。
+                    let committed = false;
+                    try {
+                        db.transaction(() => {
+                            const deb = db.prepare('UPDATE wallets SET balance = balance - ?, escrowed = escrowed + ? WHERE user_id = ? AND balance >= ?')
+                                .run(totalAmount, totalAmount, user.id, totalAmount);
+                            if (deb.changes !== 1)
+                                throw new Error('AGENTBUY_INSUFFICIENT_BALANCE');
+                            const dec = db.prepare('UPDATE products SET stock = stock - 1 WHERE id = ? AND stock >= 1').run(product.id);
+                            if (dec.changes !== 1)
+                                throw new Error('AGENTBUY_OUT_OF_STOCK');
+                            db.prepare(`INSERT INTO price_sessions (token, product_id, user_id, price, quantity, created_at, expires_at) VALUES (?,?,?,?,1,?,?)`)
+                                .run(sessionToken, product.id, user.id, product.price, now.toISOString(), expiresAt.toISOString());
+                            db.prepare(`INSERT INTO orders (
+                id, product_id, buyer_id, seller_id, quantity, unit_price, total_amount, escrow_amount,
+                status, shipping_address, notes, pay_deadline, accept_deadline, ship_deadline,
+                pickup_deadline, delivery_deadline, confirm_deadline
+              ) VALUES (?,?,?,?,1,?,?,?,'created',?,?,?,?,?,?,?,?)`).run(oId, product.id, user.id, seller.id, totalAmount, totalAmount, totalAmount, shipping_address, `[智能下单] ${decision.reason}`, addHours(now, 24), addHours(now, 48), addHours(now, 120), addHours(now, 168), addHours(now, 336), addHours(now, 408));
+                            db.prepare(`UPDATE price_sessions SET used_at = datetime('now') WHERE token = ?`).run(sessionToken);
+                            committed = true;
+                        })();
+                    }
+                    catch (e) {
+                        const m = e.message;
+                        if (m !== 'AGENTBUY_INSUFFICIENT_BALANCE' && m !== 'AGENTBUY_OUT_OF_STOCK')
+                            throw e;
+                        // 并发售罄 / 余额已变 → 不下单(auto_bought=false),在 reason 里说明
+                        sessionToken = null;
+                        decision.reason = (decision.reason || '') + (m === 'AGENTBUY_OUT_OF_STOCK' ? ' · auto_buy 跳过：商品已售罄' : ' · auto_buy 跳过：余额不足');
+                    }
+                    if (committed) {
+                        // tx 提交后:状态推进 + 通知(transition 自带事务,故置于此)
+                        checkStockAndMaybeDelist(String(product.id));
+                        transition(db, oId, 'paid', user.id, [], '智能下单：模拟支付完成');
+                        notifyTransition(db, oId, 'created', 'paid');
+                        if (shouldAutoAccept(db, oId)) {
+                            const sys = db.prepare("SELECT id FROM users WHERE id = 'sys_protocol'").get();
+                            if (sys) {
+                                const ar = transition(db, oId, 'accepted', sys.id, [], '⚡ auto_accept Skill 自动接单');
+                                if (ar.success)
+                                    notifyTransition(db, oId, 'paid', 'accepted');
+                            }
                         }
+                        verifiedPrice = product.price;
+                        orderId = oId;
                     }
-                    orderId = oId;
                 }
             }
         }

package/dist/pwa/routes/agent-governance.js

@@ -1,16 +1,17 @@
 import { computeAgentPassport } from '../../layer1-agent/L1-2-identity/agent-passport.js';
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerAgentGovernanceRoutes(app, deps) {
     const { db, generateId, auth, requireRootAdmin, invalidateAgentBlockedCache, requireHumanPresence, issueAgentStrike, custodianFingerprint, signPassport, issuerAddress } = deps;
     // /api/me/agents — 列出本账号所有 agent + declaration / strikes
-    app.get('/api/me/agents', (req, res) => {
+    app.get('/api/me/agents', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const keys = db.prepare(`SELECT api_key FROM users WHERE id = ? UNION SELECT api_key FROM agent_reputation WHERE user_id = ?`).all(user.id, user.id);
-        const items = keys.map(k => {
-            const decl = db.prepare(`SELECT operator_name, operator_contact, purpose, declared_scope, attestations, repo_url, revoked_at FROM agent_declarations WHERE api_key = ?`).get(k.api_key);
+        const keys = await dbAll(`SELECT api_key FROM users WHERE id = ? UNION SELECT api_key FROM agent_reputation WHERE user_id = ?`, [user.id, user.id]);
+        const items = await Promise.all(keys.map(async (k) => {
+            const decl = await dbOne(`SELECT operator_name, operator_contact, purpose, declared_scope, attestations, repo_url, revoked_at FROM agent_declarations WHERE api_key = ?`, [k.api_key]);
             // P1 fix 4.4：附 signals JSON
-            const rep = db.prepare(`SELECT trust_score, level, signals, last_calculated_at FROM agent_reputation WHERE api_key = ?`).get(k.api_key);
+            const rep = await dbOne(`SELECT trust_score, level, signals, last_calculated_at FROM agent_reputation WHERE api_key = ?`, [k.api_key]);
             if (rep && rep.signals) {
                 try {
                     rep.signals = JSON.parse(rep.signals);
@@ -19,9 +20,9 @@ export function registerAgentGovernanceRoutes(app, deps) {
                     rep.signals = null;
                 }
             }
-            const calls30d = db.prepare(`SELECT COUNT(*) as n FROM agent_call_log WHERE api_key = ? AND created_at > datetime('now', '-30 days')`).get(k.api_key).n;
-            const last = db.prepare(`SELECT endpoint, method, status_code, created_at FROM agent_call_log WHERE api_key = ? ORDER BY created_at DESC LIMIT 1`).get(k.api_key);
-            const strikes = db.prepare(`SELECT severity, reason_code, issued_at, expires_at, appeal_status FROM agent_strikes WHERE api_key = ? ORDER BY issued_at DESC LIMIT 5`).all(k.api_key);
+            const calls30d = (await dbOne(`SELECT COUNT(*) as n FROM agent_call_log WHERE api_key = ? AND created_at > datetime('now', '-30 days')`, [k.api_key])).n;
+            const last = await dbOne(`SELECT endpoint, method, status_code, created_at FROM agent_call_log WHERE api_key = ? ORDER BY created_at DESC LIMIT 1`, [k.api_key]);
+            const strikes = await dbAll(`SELECT severity, reason_code, issued_at, expires_at, appeal_status FROM agent_strikes WHERE api_key = ? ORDER BY issued_at DESC LIMIT 5`, [k.api_key]);
             let passport = null;
             try {
                 passport = computeAgentPassport(db, k.api_key, user.id, custodianFingerprint);
@@ -37,9 +38,9 @@ export function registerAgentGovernanceRoutes(app, deps) {
                 recent_strikes: strikes,
                 passport,
             };
-        });
+        }));
         // Phase 2 监护人总览(只读/软绑定):真人态 + 旗下 agent 聚合 + 连带
-        const hasPasskey = (db.prepare('SELECT COUNT(*) AS n FROM webauthn_credentials WHERE user_id = ?').get(user.id)?.n || 0) > 0;
+        const hasPasskey = ((await dbOne('SELECT COUNT(*) AS n FROM webauthn_credentials WHERE user_id = ?', [user.id]))?.n || 0) > 0;
         const pps = items.map(i => i.passport).filter(Boolean);
         const depthRank = { shallow: 0, medium: 1, deep: 2, profound: 3 };
         const deepest = pps.reduce((d, p) => (depthRank[p.engagement_depth] ?? 0) > (depthRank[d] ?? 0) ? p.engagement_depth : d, 'shallow');
@@ -65,7 +66,7 @@ export function registerAgentGovernanceRoutes(app, deps) {
         const prefix = String(req.params.apiKeyPrefix || '').replace('...', '');
         if (prefix.length < 6)
             return void res.status(400).json({ error: 'apiKeyPrefix 太短' });
-        const keys = db.prepare(`SELECT api_key FROM users WHERE id = ? UNION SELECT api_key FROM agent_reputation WHERE user_id = ?`).all(user.id, user.id);
+        const keys = await dbAll(`SELECT api_key FROM users WHERE id = ? UNION SELECT api_key FROM agent_reputation WHERE user_id = ?`, [user.id, user.id]);
         const match = keys.find(k => k.api_key.startsWith(prefix));
         if (!match)
             return void res.status(404).json({ error: '未找到该 agent(或不属于你)' });
@@ -135,32 +136,30 @@ export function registerAgentGovernanceRoutes(app, deps) {
             webaz_format, // 显式重复让消费者明确选哪个
         });
     });
-    app.get('/api/me/agents/:apiKeyPrefix/log', (req, res) => {
+    app.get('/api/me/agents/:apiKeyPrefix/log', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const prefix = String(req.params.apiKeyPrefix || '').replace(/[^A-Za-z0-9_]/g, '').slice(0, 32);
         if (prefix.length < 8)
             return void res.status(400).json({ error: 'apiKeyPrefix 至少 8 字符' });
-        const targetKey = db.prepare(`SELECT api_key FROM users WHERE id = ? AND api_key LIKE ? || '%'
-      UNION SELECT api_key FROM agent_reputation WHERE user_id = ? AND api_key LIKE ? || '%'`)
-            .get(user.id, prefix, user.id, prefix);
+        const targetKey = await dbOne(`SELECT api_key FROM users WHERE id = ? AND api_key LIKE ? || '%'
+      UNION SELECT api_key FROM agent_reputation WHERE user_id = ? AND api_key LIKE ? || '%'`, [user.id, prefix, user.id, prefix]);
         if (!targetKey)
             return void res.status(404).json({ error: '未找到匹配的 agent api_key（仅可查本人的）' });
         const limit = Math.min(500, Math.max(10, Number(req.query.limit) || 100));
-        const rows = db.prepare(`SELECT endpoint, method, status_code, created_at FROM agent_call_log
-      WHERE api_key = ? AND created_at > datetime('now', '-30 days') ORDER BY id DESC LIMIT ?`).all(targetKey.api_key, limit);
+        const rows = await dbAll(`SELECT endpoint, method, status_code, created_at FROM agent_call_log
+      WHERE api_key = ? AND created_at > datetime('now', '-30 days') ORDER BY id DESC LIMIT ?`, [targetKey.api_key, limit]);
         res.json({ items: rows });
     });
-    app.post('/api/me/agents/declarations', (req, res) => {
+    app.post('/api/me/agents/declarations', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const b = req.body;
         const targetApiKey = b.api_key ? String(b.api_key) : user.api_key;
-        const ownership = db.prepare(`SELECT id FROM users WHERE id = ? AND api_key = ?
-      UNION SELECT user_id as id FROM agent_reputation WHERE user_id = ? AND api_key = ?`)
-            .get(user.id, targetApiKey, user.id, targetApiKey);
+        const ownership = await dbOne(`SELECT id FROM users WHERE id = ? AND api_key = ?
+      UNION SELECT user_id as id FROM agent_reputation WHERE user_id = ? AND api_key = ?`, [user.id, targetApiKey, user.id, targetApiKey]);
         if (!ownership)
             return void res.status(403).json({ error: 'api_key 不属于本账号' });
         const operator_name = String(b.operator_name || '').trim().slice(0, 60);
@@ -185,7 +184,7 @@ export function registerAgentGovernanceRoutes(app, deps) {
         const attestationsJson = b.attestations && typeof b.attestations === 'object' ? JSON.stringify(b.attestations).slice(0, 2000) : null;
         const repo_url = b.repo_url ? String(b.repo_url).slice(0, 200) : null;
         const homepage = b.homepage ? String(b.homepage).slice(0, 200) : null;
-        db.prepare(`INSERT INTO agent_declarations (
+        await dbRun(`INSERT INTO agent_declarations (
       api_key, user_id, operator_name, operator_contact, purpose, declared_scope, attestations, repo_url, homepage
     ) VALUES (?,?,?,?,?,?,?,?,?)
     ON CONFLICT(api_key) DO UPDATE SET
@@ -197,36 +196,35 @@ export function registerAgentGovernanceRoutes(app, deps) {
       repo_url = excluded.repo_url,
       homepage = excluded.homepage,
       revoked_at = NULL,
-      updated_at = datetime('now')`).run(targetApiKey, user.id, operator_name, operator_contact, purpose, scopeJson, attestationsJson, repo_url, homepage);
+      updated_at = datetime('now')`, [targetApiKey, user.id, operator_name, operator_contact, purpose, scopeJson, attestationsJson, repo_url, homepage]);
         invalidateAgentBlockedCache(targetApiKey);
         res.json({ ok: true });
     });
     // 用户撤销 agent（铁律 §4 human presence）
-    app.post('/api/me/agents/:apiKeyPrefix/revoke', (req, res) => {
+    app.post('/api/me/agents/:apiKeyPrefix/revoke', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const prefix = String(req.params.apiKeyPrefix || '').replace(/[^A-Za-z0-9_]/g, '').slice(0, 32);
         if (prefix.length < 8)
             return void res.status(400).json({ error: 'apiKeyPrefix 至少 8 字符' });
-        const targetKey = db.prepare(`SELECT api_key FROM users WHERE id = ? AND api_key LIKE ? || '%'
-      UNION SELECT api_key FROM agent_reputation WHERE user_id = ? AND api_key LIKE ? || '%'`)
-            .get(user.id, prefix, user.id, prefix);
+        const targetKey = await dbOne(`SELECT api_key FROM users WHERE id = ? AND api_key LIKE ? || '%'
+      UNION SELECT api_key FROM agent_reputation WHERE user_id = ? AND api_key LIKE ? || '%'`, [user.id, prefix, user.id, prefix]);
         if (!targetKey)
             return void res.status(404).json({ error: '未找到匹配的 agent api_key' });
         const hpCheck = requireHumanPresence(user.id, 'agent_revoke', (req.body || {}).webauthn_token, 'require_human_presence_for_agent_revoke', () => true);
         if (!hpCheck.ok)
             return void res.status(412).json({ error: hpCheck.reason, error_code: hpCheck.error_code });
         const reason = String((req.body || {}).reason || '').slice(0, 300);
-        db.prepare(`INSERT INTO agent_revocations (target_kind, target_value, revoked_by, revoked_by_role, reason)
+        await dbRun(`INSERT INTO agent_revocations (target_kind, target_value, revoked_by, revoked_by_role, reason)
       VALUES ('api_key', ?, ?, 'self', ?)
-      ON CONFLICT(target_kind, target_value, revoked_by) DO NOTHING`).run(targetKey.api_key, user.id, reason);
-        db.prepare(`UPDATE agent_declarations SET revoked_at = datetime('now'), revoked_reason = ? WHERE api_key = ?`).run(reason, targetKey.api_key);
+      ON CONFLICT(target_kind, target_value, revoked_by) DO NOTHING`, [targetKey.api_key, user.id, reason]);
+        await dbRun(`UPDATE agent_declarations SET revoked_at = datetime('now'), revoked_reason = ? WHERE api_key = ?`, [reason, targetKey.api_key]);
         invalidateAgentBlockedCache(targetKey.api_key);
         res.json({ ok: true });
     });
     // 撤销同 operator 名下所有 agent（仅撤销本用户给 operator 旗下 agent 的 attestation）
-    app.post('/api/me/agents/operators/:operator_name/revoke', (req, res) => {
+    app.post('/api/me/agents/operators/:operator_name/revoke', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -237,27 +235,26 @@ export function registerAgentGovernanceRoutes(app, deps) {
         if (!hpCheck.ok)
             return void res.status(412).json({ error: hpCheck.reason, error_code: hpCheck.error_code });
         const reason = String((req.body || {}).reason || '').slice(0, 300);
-        const affected = db.prepare(`UPDATE agent_attestations SET revoked_at = datetime('now')
+        const affected = await dbRun(`UPDATE agent_attestations SET revoked_at = datetime('now')
       WHERE user_id = ? AND revoked_at IS NULL
-        AND api_key IN (SELECT api_key FROM agent_declarations WHERE operator_name = ?)`)
-            .run(user.id, opName);
-        db.prepare(`INSERT INTO agent_revocations (target_kind, target_value, revoked_by, revoked_by_role, reason)
+        AND api_key IN (SELECT api_key FROM agent_declarations WHERE operator_name = ?)`, [user.id, opName]);
+        await dbRun(`INSERT INTO agent_revocations (target_kind, target_value, revoked_by, revoked_by_role, reason)
       VALUES ('operator_name', ?, ?, 'self', ?)
-      ON CONFLICT(target_kind, target_value, revoked_by) DO NOTHING`).run(opName, user.id, reason);
-        const keys = db.prepare(`SELECT api_key FROM agent_declarations WHERE operator_name = ?`).all(opName);
+      ON CONFLICT(target_kind, target_value, revoked_by) DO NOTHING`, [opName, user.id, reason]);
+        const keys = await dbAll(`SELECT api_key FROM agent_declarations WHERE operator_name = ?`, [opName]);
         for (const k of keys)
             invalidateAgentBlockedCache(k.api_key);
         res.json({ ok: true, attestations_revoked: affected.changes });
     });
     // P0 audit fix 4.2: 申诉 strike
-    app.post('/api/me/agents/strikes/:strikeId/appeal', (req, res) => {
+    app.post('/api/me/agents/strikes/:strikeId/appeal', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const strikeId = Number(req.params.strikeId);
         if (!Number.isInteger(strikeId) || strikeId <= 0)
             return void res.status(400).json({ error: 'strikeId 必须是正整数' });
-        const strike = db.prepare(`SELECT id, api_key, user_id, severity, issued_at, appeal_status FROM agent_strikes WHERE id = ?`).get(strikeId);
+        const strike = await dbOne(`SELECT id, api_key, user_id, severity, issued_at, appeal_status FROM agent_strikes WHERE id = ?`, [strikeId]);
         if (!strike)
             return void res.status(404).json({ error: 'strike 不存在' });
         if (strike.user_id !== user.id)
@@ -270,11 +267,11 @@ export function registerAgentGovernanceRoutes(app, deps) {
         const reason = String((req.body || {}).reason || '').trim().slice(0, 500);
         if (reason.length < 10)
             return void res.status(400).json({ error: '申诉理由 ≥10 字' });
-        db.prepare(`UPDATE agent_strikes SET appeal_status = 'pending', appeal_reason = ? WHERE id = ?`).run(reason, strikeId);
+        await dbRun(`UPDATE agent_strikes SET appeal_status = 'pending', appeal_reason = ? WHERE id = ?`, [reason, strikeId]);
         res.json({ ok: true, message: '申诉已提交，等待 root admin 审核' });
     });
     // Admin: 审核 strike 申诉
-    app.post('/api/admin/agent-strikes/:strikeId/decide', (req, res) => {
+    app.post('/api/admin/agent-strikes/:strikeId/decide', async (req, res) => {
         const user = requireRootAdmin(req, res);
         if (!user)
             return;
@@ -284,21 +281,20 @@ export function registerAgentGovernanceRoutes(app, deps) {
         const decision = String((req.body || {}).decision || '');
         if (!['approved', 'denied'].includes(decision))
             return void res.status(400).json({ error: 'decision 必须是 approved / denied' });
-        const strike = db.prepare(`SELECT id, api_key, appeal_status FROM agent_strikes WHERE id = ?`).get(strikeId);
+        const strike = await dbOne(`SELECT id, api_key, appeal_status FROM agent_strikes WHERE id = ?`, [strikeId]);
         if (!strike)
             return void res.status(404).json({ error: 'strike 不存在' });
         if (strike.appeal_status !== 'pending')
             return void res.status(409).json({ error: `当前状态 ${strike.appeal_status} 不可裁决` });
-        db.prepare(`UPDATE agent_strikes SET appeal_status = ?, appeal_decided_by = ?, appeal_decided_at = datetime('now') WHERE id = ?`)
-            .run(decision, user.id, strikeId);
+        await dbRun(`UPDATE agent_strikes SET appeal_status = ?, appeal_decided_by = ?, appeal_decided_at = datetime('now') WHERE id = ?`, [decision, user.id, strikeId]);
         invalidateAgentBlockedCache(strike.api_key);
         // P1 fix 5.3: appeal approved → 恢复因 strike 自动停用的 skills
         if (decision === 'approved') {
             try {
-                const uRow = db.prepare(`SELECT id FROM users WHERE api_key = ?`).get(strike.api_key);
+                const uRow = await dbOne(`SELECT id FROM users WHERE api_key = ?`, [strike.api_key]);
                 if (uRow) {
-                    const r = db.prepare(`UPDATE skills SET active = 1, disabled_by_strike_at = NULL
-            WHERE seller_id = ? AND disabled_by_strike_at IS NOT NULL AND active = 0`).run(uRow.id);
+                    const r = await dbRun(`UPDATE skills SET active = 1, disabled_by_strike_at = NULL
+            WHERE seller_id = ? AND disabled_by_strike_at IS NOT NULL AND active = 0`, [uRow.id]);
                     if (r.changes > 0)
                         console.log(`[appeal approved→skill] restored ${r.changes} skills for ${uRow.id}`);
                 }
@@ -310,17 +306,17 @@ export function registerAgentGovernanceRoutes(app, deps) {
         res.json({ ok: true, decision });
     });
     // Admin: 列出待审 strike 申诉
-    app.get('/api/admin/agent-strikes/pending', (req, res) => {
+    app.get('/api/admin/agent-strikes/pending', async (req, res) => {
         const user = requireRootAdmin(req, res);
         if (!user)
             return;
-        const rows = db.prepare(`SELECT s.id, s.api_key, s.user_id, u.handle, s.severity, s.reason_code, s.reason_detail, s.issued_at, s.appeal_reason
+        const rows = await dbAll(`SELECT s.id, s.api_key, s.user_id, u.handle, s.severity, s.reason_code, s.reason_detail, s.issued_at, s.appeal_reason
       FROM agent_strikes s JOIN users u ON u.id = s.user_id
-      WHERE s.appeal_status = 'pending' ORDER BY s.id DESC LIMIT 100`).all();
+      WHERE s.appeal_status = 'pending' ORDER BY s.id DESC LIMIT 100`);
         res.json({ items: rows });
     });
     // P1 fix 4.3: admin 主动 issue strike
-    app.post('/api/admin/agent-strikes/issue', (req, res) => {
+    app.post('/api/admin/agent-strikes/issue', async (req, res) => {
         const adminUser = requireRootAdmin(req, res);
         if (!adminUser)
             return;
@@ -328,7 +324,7 @@ export function registerAgentGovernanceRoutes(app, deps) {
         const apiKey = String(b.api_key || '').trim();
         if (apiKey.length < 8)
             return void res.status(400).json({ error: 'api_key 必填' });
-        const targetUser = db.prepare(`SELECT id, handle FROM users WHERE api_key = ?`).get(apiKey);
+        const targetUser = await dbOne(`SELECT id, handle FROM users WHERE api_key = ?`, [apiKey]);
         if (!targetUser)
             return void res.status(404).json({ error: '未找到该 api_key' });
         const reasonCode = String(b.reason_code || '').trim().slice(0, 40);
@@ -349,7 +345,7 @@ export function registerAgentGovernanceRoutes(app, deps) {
         res.json({ ok: true, target_handle: targetUser.handle, ...result });
     });
     // bilateral attestation（用户批准某 agent 的 scope）
-    app.post('/api/me/agents/attestations', (req, res) => {
+    app.post('/api/me/agents/attestations', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -357,7 +353,7 @@ export function registerAgentGovernanceRoutes(app, deps) {
         const apiKey = String(b.api_key || '');
         if (!apiKey)
             return void res.status(400).json({ error: 'api_key 必填' });
-        const decl = db.prepare(`SELECT declared_scope, operator_name, purpose FROM agent_declarations WHERE api_key = ? AND revoked_at IS NULL`).get(apiKey);
+        const decl = await dbOne(`SELECT declared_scope, operator_name, purpose FROM agent_declarations WHERE api_key = ? AND revoked_at IS NULL`, [apiKey]);
         if (!decl)
             return void res.status(404).json({ error: '该 agent 未声明 / 已撤销，无法授权' });
         let approvedScopeJson;
@@ -373,14 +369,14 @@ export function registerAgentGovernanceRoutes(app, deps) {
         const spendCapPerOrder = b.spend_cap_per_order != null ? Math.max(0, Number(b.spend_cap_per_order)) : null;
         const spendCapDaily = b.spend_cap_daily != null ? Math.max(0, Number(b.spend_cap_daily)) : null;
         const id = generateId('aat');
-        db.prepare(`INSERT INTO agent_attestations (id, api_key, user_id, approved_scope, spend_cap_per_order, spend_cap_daily)
+        await dbRun(`INSERT INTO agent_attestations (id, api_key, user_id, approved_scope, spend_cap_per_order, spend_cap_daily)
       VALUES (?,?,?,?,?,?)
       ON CONFLICT(api_key, user_id) DO UPDATE SET
         approved_scope = excluded.approved_scope,
         spend_cap_per_order = excluded.spend_cap_per_order,
         spend_cap_daily = excluded.spend_cap_daily,
         revoked_at = NULL,
-        granted_at = datetime('now')`).run(id, apiKey, user.id, approvedScopeJson, spendCapPerOrder, spendCapDaily);
+        granted_at = datetime('now')`, [id, apiKey, user.id, approvedScopeJson, spendCapPerOrder, spendCapDaily]);
         res.json({ ok: true });
     });
 }