@seasonkoh/webaz 0.1.24 → 0.1.26

package/dist/pwa/routes/governance-onboarding.js

@@ -1,6 +1,9 @@
 import { createHash } from 'crypto';
 import { getQuestionsForRole, scoreQuiz } from '../data/onboarding-quiz.js';
 import { getCasesForRole, getCasesForMaintainer, validateCaseReviews } from '../data/onboarding-cases.js';
+// RFC-016 Phase 1 — 申请/题目/案例/申诉的校验读 + 列表读 + 单语句写 → async seam;
+//   activate/resign/resolve-appeal 的 3 个角色态 CAS db.transaction 保持同步(Phase 3 迁 pg)。
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js';
 // PR #22 review fix P1-2:披露文本版本(server 与 client 同步,变更披露需 bump)
 // client 在 src/pwa/public/app.js 必须用相同 version
 export const GOVERNANCE_APPLY_DISCLOSURE_VERSION = 'v1.0-2026-06-02';
@@ -12,7 +15,7 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
     function expectedConsentHash(role, userId, pageLoadedAt) {
         return sha256_hex(`governance_apply|disclosure=${GOVERNANCE_APPLY_DISCLOSURE_VERSION}|role=${role}|user=${userId}|page_loaded_at=${pageLoadedAt}`);
     }
-    app.post('/api/governance/onboarding/apply', (req, res) => {
+    app.post('/api/governance/onboarding/apply', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -65,11 +68,11 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
                 return void errorRes(res, 401, 'PASSKEY_INVALID', `Passkey 验证失败: ${result.reason || '未知'}`);
             }
         }
-        const existing = db.prepare(`
+        const existing = await dbOne(`
       SELECT id, status, cooldown_until FROM governance_applications
       WHERE user_id = ? AND role = ? AND status IN ('pending_onboarding', 'active', 'cooldown')
       ORDER BY created_at DESC LIMIT 1
-    `).get(userId, role);
+    `, [userId, role]);
         if (existing) {
             if (existing.status === 'active') {
                 return void errorRes(res, 409, 'ALREADY_ACTIVE', `你已是 ${role},无需重复申请`);
@@ -100,11 +103,11 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
         const id = generateId('gapp');
         const ip = String(req.ip || req.headers['x-forwarded-for'] || 'unknown').split(',')[0].trim();
         const ua = String(req.headers['user-agent'] || 'unknown');
-        db.prepare(`
+        await dbRun(`
       INSERT INTO governance_applications
         (id, user_id, role, action, status, consent_hash, passkey_sig, iron_rule_method, ip_hash, ua_hash)
       VALUES (?, ?, ?, 'apply', 'pending_onboarding', ?, ?, ?, ?, ?)
-    `).run(id, userId, role, consent_hash, passkey_sig, iron_rule_method, sha256_16(ip), sha256_16(ua));
+    `, [id, userId, role, consent_hash, passkey_sig, iron_rule_method, sha256_16(ip), sha256_16(ua)]);
         res.json({
             success: true,
             application_id: id,
@@ -113,18 +116,18 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
             note: 'Maintainer 将 review 你的申请。下一步:完成 onboarding 学习 + 案例分析 + 题目(本阶段未上线)',
         });
     });
-    app.get('/api/governance/onboarding/my', (req, res) => {
+    app.get('/api/governance/onboarding/my', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const userId = user.id;
-        const items = db.prepare(`
+        const items = await dbAll(`
       SELECT id, role, action, status, quiz_score, quiz_passed_at, cooldown_until, appeal_reason, appeal_resolution, created_at
       FROM governance_applications
       WHERE user_id = ?
       ORDER BY created_at DESC
       LIMIT 50
-    `).all(userId);
+    `, [userId]);
         res.json({ items, count: items.length });
     });
     // GET /api/governance/onboarding/quiz?role=arbitrator|verifier
@@ -144,7 +147,7 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
     // POST /api/governance/onboarding/quiz-submit
     // 提交题目答案 → server-side scoring → 写 governance_applications.quiz_score
     // body: { role, answers: [{question_id, answer}] }
-    app.post('/api/governance/onboarding/quiz-submit', (req, res) => {
+    app.post('/api/governance/onboarding/quiz-submit', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -159,30 +162,35 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
             return void errorRes(res, 400, 'MISSING_ANSWERS', 'answers 数组为空');
         }
         // 找用户的最新 pending_onboarding application(必须先 apply 才能提交 quiz)
-        const app_ = db.prepare(`
+        const app_ = await dbOne(`
       SELECT id, status FROM governance_applications
       WHERE user_id = ? AND role = ? AND status = 'pending_onboarding'
       ORDER BY created_at DESC LIMIT 1
-    `).get(userId, role);
+    `, [userId, role]);
         if (!app_) {
             return void errorRes(res, 404, 'NO_PENDING_APPLICATION', `未找到 ${role} 待审申请,请先提交申请`);
         }
         // 读 quiz_pass_score(protocol_params,默认 80)
-        const param = db.prepare("SELECT value FROM protocol_params WHERE key = ?").get('governance_onboarding.quiz_pass_score');
+        const param = await dbOne("SELECT value FROM protocol_params WHERE key = ?", ['governance_onboarding.quiz_pass_score']);
         const passThreshold = param ? Number(param.value) : 80;
         // 评分
         const result = scoreQuiz(role, answers, passThreshold);
         // 更新 quiz_score(只在分数有提升时更新,允许重考)
-        const existing = db.prepare("SELECT quiz_score, quiz_passed_at FROM governance_applications WHERE id = ?").get(app_.id);
+        const existing = (await dbOne("SELECT quiz_score, quiz_passed_at FROM governance_applications WHERE id = ?", [app_.id]));
         const newScore = result.score_pct;
+        // Codex #234 P1:await 预读与写之间 maintainer 可能激活/解决该申请;所有写必须带
+        // status='pending_onboarding' 守卫,否则会篡改已离开 pending 的 onboarding audit 证据。
         if (existing.quiz_score == null || newScore > existing.quiz_score) {
-            db.prepare("UPDATE governance_applications SET quiz_score = ? WHERE id = ?").run(newScore, app_.id);
+            const u = await dbRun("UPDATE governance_applications SET quiz_score = ? WHERE id = ? AND status = 'pending_onboarding'", [newScore, app_.id]);
+            if (u.changes === 0)
+                return void errorRes(res, 409, 'APPLICATION_MOVED', '申请状态已变更(已被激活/解决),无法更新成绩');
         }
         // PR #22 review fix P1-3:quiz pass 推进环节状态(quiz_passed_at 时间戳)
         // 一旦合格,记录时间戳;后续不变(即便重考更低分,也不抹掉已合格状态)
+        // quiz_passed_at IS NULL 守卫保证"只盖一次戳",叠加 status 守卫防离开 pending 后篡改
         if (result.passed && !existing.quiz_passed_at) {
             const now = Math.floor(Date.now() / 1000);
-            db.prepare("UPDATE governance_applications SET quiz_passed_at = ? WHERE id = ?").run(now, app_.id);
+            await dbRun("UPDATE governance_applications SET quiz_passed_at = ? WHERE id = ? AND status = 'pending_onboarding' AND quiz_passed_at IS NULL", [now, app_.id]);
         }
         res.json({
             success: true,
@@ -214,7 +222,7 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
     // body: { role, reviews: [{case_id, chosen_verdict, reasoning}] }
     // 写 governance_applications.case_review_text(JSON string)
     // 不立即评分 — maintainer 上岗签字前(阶段 3 #1093)对比 expected_verdict
-    app.post('/api/governance/onboarding/case-review', (req, res) => {
+    app.post('/api/governance/onboarding/case-review', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -229,11 +237,11 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
             return void errorRes(res, 400, 'MISSING_REVIEWS', 'reviews 数组为空');
         }
         // 找用户的 pending_onboarding application
-        const app_ = db.prepare(`
+        const app_ = await dbOne(`
       SELECT id, status FROM governance_applications
       WHERE user_id = ? AND role = ? AND status = 'pending_onboarding'
       ORDER BY created_at DESC LIMIT 1
-    `).get(userId, role);
+    `, [userId, role]);
         if (!app_) {
             return void errorRes(res, 404, 'NO_PENDING_APPLICATION', `未找到 ${role} 待审申请,请先提交申请`);
         }
@@ -255,8 +263,10 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
                 reasoning: r.reasoning.trim(),
             })),
         };
-        db.prepare("UPDATE governance_applications SET case_review_text = ? WHERE id = ?")
-            .run(JSON.stringify(payload), app_.id);
+        // Codex #234 P1:status 守卫,防 await 后申请被激活/解决时仍篡改 case_review audit 证据
+        const cu = await dbRun("UPDATE governance_applications SET case_review_text = ? WHERE id = ? AND status = 'pending_onboarding'", [JSON.stringify(payload), app_.id]);
+        if (cu.changes === 0)
+            return void errorRes(res, 409, 'APPLICATION_MOVED', '申请状态已变更(已被激活/解决),无法提交案例 review');
         res.json({
             success: true,
             application_id: app_.id,
@@ -267,11 +277,11 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
     // ─── Admin (maintainer activation flow, #1093 阶段 3) ─────────
     // spec docs/GOVERNANCE-ONBOARDING.md §4.4
     // GET /api/admin/governance/applications — 列出 pending_onboarding(可筛 quiz_passed + has_case_review)
-    app.get('/api/admin/governance/applications', (req, res) => {
+    app.get('/api/admin/governance/applications', async (req, res) => {
         const admin = requireGovernanceAdmin(req, res);
         if (!admin)
             return;
-        const items = db.prepare(`
+        const items = await dbAll(`
       SELECT ga.id, ga.user_id, ga.role, ga.action, ga.status, ga.quiz_score, ga.quiz_passed_at,
              CASE WHEN ga.case_review_text IS NOT NULL THEN 1 ELSE 0 END AS has_case_review,
              ga.created_at,
@@ -281,21 +291,21 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
       WHERE ga.status = 'pending_onboarding' AND ga.action = 'apply'
       ORDER BY ga.created_at ASC
       LIMIT 100
-    `).all();
+    `);
         res.json({ items, count: items.length });
     });
     // GET /api/admin/governance/application/:id — 详情(含 expected_verdict 用于对比 — 仅 maintainer 看)
-    app.get('/api/admin/governance/application/:id', (req, res) => {
+    app.get('/api/admin/governance/application/:id', async (req, res) => {
         const admin = requireGovernanceAdmin(req, res);
         if (!admin)
             return;
         const id = req.params.id;
-        const row = db.prepare(`
+        const row = await dbOne(`
       SELECT ga.*, u.name AS user_name, u.handle, u.email
       FROM governance_applications ga
       JOIN users u ON u.id = ga.user_id
       WHERE ga.id = ?
-    `).get(id);
+    `, [id]);
         if (!row)
             return void errorRes(res, 404, 'NOT_FOUND', 'application 不存在');
         const role = row.role;
@@ -319,7 +329,7 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
     //   4. INSERT action='activate' row + users.roles 加 role
     //   5. logAdminAction 留痕
     // body: { application_id, webauthn_token, note? }
-    app.post('/api/admin/governance/activate', (req, res) => {
+    app.post('/api/admin/governance/activate', async (req, res) => {
         const admin = requireGovernanceAdmin(req, res);
         if (!admin)
             return;
@@ -332,10 +342,10 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
             return void errorRes(res, 400, 'MISSING_APPLICATION_ID', 'application_id 必填');
         }
         // 1. 找 pending application(predicate read,真 status check 在 transaction 内)
-        const app_ = db.prepare(`
+        const app_ = await dbOne(`
       SELECT id, user_id, role, status, quiz_passed_at, case_review_text
       FROM governance_applications WHERE id = ?
-    `).get(application_id);
+    `, [application_id]);
         if (!app_)
             return void errorRes(res, 404, 'NOT_FOUND', 'application 不存在');
         if (app_.status !== 'pending_onboarding') {
@@ -424,8 +434,10 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
         logAdminAction(adminId, 'governance_activate', 'user', app_.user_id, { role, application_id, note });
         // 7. 通知 user(站内)
         try {
-            db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, order_id) VALUES (?,?,?,?,?,?)`)
-                .run(generateId('ntf'), app_.user_id, 'governance', `🎉 你的 ${role} 申请已通过`, `你已正式上岗 ${role}。本通知由 maintainer ${adminId} 签发。详 #me 治理面板。`, null);
+            await dbRun(`INSERT INTO notifications (id, user_id, type, title, body, order_id) VALUES (?,?,?,?,?,?)`, [generateId('ntf'), app_.user_id, 'governance',
+                `🎉 你的 ${role} 申请已通过`,
+                `你已正式上岗 ${role}。本通知由 maintainer ${adminId} 签发。详 #me 治理面板。`,
+                null]);
         }
         catch (_e) { /* notification 失败不阻塞 activate */ }
         res.json({
@@ -441,7 +453,7 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
     // POST /api/governance/onboarding/resign — 主动卸任
     // body: { role, confirm_text, webauthn_token }
     // confirm_text 必须等于 'RESIGN arbitrator' 或 'RESIGN verifier'(type-to-confirm 防误触)
-    app.post('/api/governance/onboarding/resign', (req, res) => {
+    app.post('/api/governance/onboarding/resign', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -458,7 +470,7 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
             return void errorRes(res, 400, 'CONFIRM_MISMATCH', `请准确输入 "${expectedConfirm}" 确认卸任(type-to-confirm 防误触)`);
         }
         // 真源判定:users.roles JSON 包含该 role(防 1 user 多 active 行 / 防 active 行存量不一致)
-        const userRow = db.prepare("SELECT roles FROM users WHERE id = ?").get(userId);
+        const userRow = await dbOne("SELECT roles FROM users WHERE id = ?", [userId]);
         let currentRoles = [];
         try {
             currentRoles = JSON.parse(userRow?.roles || '[]');
@@ -470,21 +482,21 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
             return void errorRes(res, 404, 'NOT_ACTIVE', `你当前不是 ${role},无需卸任`);
         }
         // 用于日志显示 + 后续 INSERT 关联(取最新的 active 行;若没有也容许,以 user.roles 为准)
-        const activeRow = db.prepare(`
+        const activeRow = await dbOne(`
       SELECT id FROM governance_applications
       WHERE user_id = ? AND role = ? AND status = 'active'
       ORDER BY created_at DESC LIMIT 1
-    `).get(userId, role);
+    `, [userId, role]);
         // active case 检查(spec §6.1:有未结案 → block,要求先 transfer/完成)
         // 只对 arbitrator 适用 — verifier 投票无长期 assigned
         if (role === 'arbitrator') {
             // disputes.assigned_arbitrators 是 JSON 数组;ruling_type IS NULL = 未结案
-            const openCases = db.prepare(`
+            const openCases = await dbAll(`
         SELECT id FROM disputes
         WHERE ruling_type IS NULL
           AND assigned_arbitrators IS NOT NULL
           AND assigned_arbitrators LIKE ?
-      `).all(`%"${userId}"%`);
+      `, [`%"${userId}"%`]);
             if (openCases.length > 0) {
                 return void res.status(409).json({
                     error: '尚有未结案 dispute',
@@ -563,7 +575,7 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
     // POST /api/governance/onboarding/appeal — auto_deactivate 后申诉
     // body: { source_application_id, appeal_reason }
     // 必须:source 行 action='auto_deactivate' + window 内 + 未已 appeal + reason 长度
-    app.post('/api/governance/onboarding/appeal', (req, res) => {
+    app.post('/api/governance/onboarding/appeal', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -578,10 +590,10 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
         if (appeal_reason.length < minChars) {
             return void errorRes(res, 400, 'REASON_TOO_SHORT', `申诉理由至少 ${minChars} 字符,当前 ${appeal_reason.length}`);
         }
-        const source = db.prepare(`
+        const source = await dbOne(`
       SELECT id, user_id, role, action, status, created_at
       FROM governance_applications WHERE id = ?
-    `).get(source_application_id);
+    `, [source_application_id]);
         if (!source)
             return void errorRes(res, 404, 'SOURCE_NOT_FOUND', '原 application 不存在');
         if (source.user_id !== userId)
@@ -595,20 +607,20 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
             return void errorRes(res, 400, 'APPEAL_WINDOW_EXPIRED', `申诉窗口已过期(${windowDays} 天内可申诉)`);
         }
         // 已 appeal 过?(防重复)
-        const existing = db.prepare(`
+        const existing = await dbOne(`
       SELECT id, status FROM governance_applications
       WHERE source_application_id = ? AND action = 'appeal'
       ORDER BY created_at DESC LIMIT 1
-    `).get(source_application_id);
+    `, [source_application_id]);
         if (existing) {
             return void errorRes(res, 409, 'APPEAL_EXISTS', `已对该 application 提交过申诉(id=${existing.id} status=${existing.status})`);
         }
         const id = generateId('gapp');
-        db.prepare(`
+        await dbRun(`
       INSERT INTO governance_applications
         (id, user_id, role, action, status, appeal_reason, source_application_id)
       VALUES (?, ?, ?, 'appeal', 'pending_review', ?, ?)
-    `).run(id, userId, source.role, appeal_reason, source_application_id);
+    `, [id, userId, source.role, appeal_reason, source_application_id]);
         res.json({
             success: true,
             appeal_application_id: id,
@@ -618,12 +630,12 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
     });
     // GET /api/admin/governance/auto-deactivations — recent auto_deactivate audit
     // spec §6.2 公示触发原因(透明 — 元规则 #1)
-    app.get('/api/admin/governance/auto-deactivations', (req, res) => {
+    app.get('/api/admin/governance/auto-deactivations', async (req, res) => {
         const admin = requireGovernanceAdmin(req, res);
         if (!admin)
             return;
         const limit = Math.min(200, Math.max(1, Number(req.query.limit) || 50));
-        const items = db.prepare(`
+        const items = await dbAll(`
       SELECT ga.id, ga.user_id, ga.role, ga.appeal_reason AS trigger_reason,
              ga.cooldown_until, ga.created_at,
              u.name AS user_name, u.handle,
@@ -634,15 +646,15 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
       WHERE ga.action = 'auto_deactivate'
       ORDER BY ga.created_at DESC
       LIMIT ?
-    `).all(limit);
+    `, [limit]);
         res.json({ items, count: items.length });
     });
     // GET /api/admin/governance/appeals — maintainer 看待裁决申诉
-    app.get('/api/admin/governance/appeals', (req, res) => {
+    app.get('/api/admin/governance/appeals', async (req, res) => {
         const admin = requireGovernanceAdmin(req, res);
         if (!admin)
             return;
-        const items = db.prepare(`
+        const items = await dbAll(`
       SELECT ga.id, ga.user_id, ga.role, ga.appeal_reason, ga.source_application_id, ga.created_at,
              u.name AS user_name, u.handle, u.email,
              src.created_at AS auto_deactivate_at
@@ -652,13 +664,13 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
       WHERE ga.action = 'appeal' AND ga.status = 'pending_review'
       ORDER BY ga.created_at ASC
       LIMIT 100
-    `).all();
+    `);
         res.json({ items, count: items.length });
     });
     // POST /api/admin/governance/resolve-appeal — maintainer 裁决申诉
     // body: { appeal_application_id, decision: 'accept' | 'reject', resolution_text, webauthn_token }
     // accept → 恢复 active(spec §7.2) ;reject → 维持 inactive,公开理由
-    app.post('/api/admin/governance/resolve-appeal', (req, res) => {
+    app.post('/api/admin/governance/resolve-appeal', async (req, res) => {
         const admin = requireGovernanceAdmin(req, res);
         if (!admin)
             return;
@@ -676,10 +688,10 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
         if (resolution_text.length < 30) {
             return void errorRes(res, 400, 'RESOLUTION_TOO_SHORT', '处置理由至少 30 字符(spec §7.2 公开理由)');
         }
-        const appeal = db.prepare(`
+        const appeal = await dbOne(`
       SELECT id, user_id, role, action, status, source_application_id
       FROM governance_applications WHERE id = ?
-    `).get(appeal_application_id);
+    `, [appeal_application_id]);
         if (!appeal)
             return void errorRes(res, 404, 'NOT_FOUND', 'appeal 不存在');
         if (appeal.action !== 'appeal')
@@ -748,8 +760,7 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
             const title = decision === 'accept'
                 ? `✅ 你的 ${appeal.role} 申诉已通过`
                 : `❌ 你的 ${appeal.role} 申诉被驳回`;
-            db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, order_id) VALUES (?,?,?,?,?,?)`)
-                .run(generateId('ntf'), appeal.user_id, 'governance', title, resolution_text, null);
+            await dbRun(`INSERT INTO notifications (id, user_id, type, title, body, order_id) VALUES (?,?,?,?,?,?)`, [generateId('ntf'), appeal.user_id, 'governance', title, resolution_text, null]);
         }
         catch (_e) { /* ignore */ }
         res.json({
@@ -762,19 +773,19 @@ export function registerGovernanceOnboardingRoutes(app, deps) {
     });
     // GET /api/governance/onboarding/progress
     // 返回 onboarding 整体进度(spec §4):申请状态 + 学习包(client localStorage) + 题目分数 + 案例(后续)
-    app.get('/api/governance/onboarding/progress', (req, res) => {
+    app.get('/api/governance/onboarding/progress', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const userId = user.id;
         // 各 role 最新 application
-        const applications = db.prepare(`
+        const applications = await dbAll(`
       SELECT id, role, action, status, quiz_score, quiz_passed_at, case_review_text, cooldown_until, created_at
       FROM governance_applications
       WHERE user_id = ?
       ORDER BY created_at DESC
-    `).all(userId);
-        const param = db.prepare("SELECT value FROM protocol_params WHERE key = ?").get('governance_onboarding.quiz_pass_score');
+    `, [userId]);
+        const param = await dbOne("SELECT value FROM protocol_params WHERE key = ?", ['governance_onboarding.quiz_pass_score']);
         const passThreshold = param ? Number(param.value) : 80;
         res.json({
             applications,

package/dist/pwa/routes/group-buys.js

@@ -1,3 +1,4 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 const VALID_GB_DISCOUNT_MIN = 0.05;
 const VALID_GB_DISCOUNT_MAX = 0.50;
 /** 结算团购 — 成团创建订单 + 退差价；未达成全员退款。export 仅供 cron。 */
@@ -64,14 +65,14 @@ export function sweepExpiredGroupBuys(db, generateId, broadcastSystemEvent) {
 export function registerGroupBuysRoutes(app, deps) {
     const { db, generateId, auth, isTrustedRole, errorRes, broadcastSystemEvent } = deps;
     // 卖家开团
-    app.post('/api/group-buys', (req, res) => {
+    app.post('/api/group-buys', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const { product_id, variant_id, target_count, discount_pct, duration_hours } = req.body || {};
         if (!product_id)
             return void res.status(400).json({ error: 'product_id 必填' });
-        const p = db.prepare('SELECT id, seller_id, price, has_variants FROM products WHERE id = ? AND status = \'active\'').get(product_id);
+        const p = await dbOne('SELECT id, seller_id, price, has_variants FROM products WHERE id = ? AND status = \'active\'', [product_id]);
         if (!p)
             return void res.status(404).json({ error: '商品不存在或已下架' });
         if (p.seller_id !== user.id)
@@ -86,13 +87,12 @@ export function registerGroupBuysRoutes(app, deps) {
         if (Number(p.has_variants) === 1 && !variant_id)
             return void res.status(400).json({ error: '该商品有规格，请指定 variant_id' });
         if (variant_id) {
-            const v = db.prepare('SELECT id FROM product_variants WHERE id = ? AND product_id = ? AND is_active = 1').get(variant_id, p.id);
+            const v = await dbOne('SELECT id FROM product_variants WHERE id = ? AND product_id = ? AND is_active = 1', [variant_id, p.id]);
             if (!v)
                 return void res.status(400).json({ error: 'variant 不存在' });
         }
         const id = generateId('gb');
-        db.prepare(`INSERT INTO group_buys (id, seller_id, product_id, variant_id, target_count, discount_pct, ends_at) VALUES (?,?,?,?,?,?,?)`)
-            .run(id, user.id, p.id, variant_id || null, target, disc, endsAt);
+        await dbRun(`INSERT INTO group_buys (id, seller_id, product_id, variant_id, target_count, discount_pct, ends_at) VALUES (?,?,?,?,?,?,?)`, [id, user.id, p.id, variant_id || null, target, disc, endsAt]);
         try {
             broadcastSystemEvent('group_buy_created', '👥', `团购创建 ${id} · 目标 ${target} 人 · ${(disc * 100).toFixed(0)}% off`, p.id);
         }
@@ -100,8 +100,8 @@ export function registerGroupBuysRoutes(app, deps) {
         res.json({ success: true, id, ends_at: endsAt });
     });
     // 公开列表
-    app.get('/api/group-buys/live', (_req, res) => {
-        const rows = db.prepare(`
+    app.get('/api/group-buys/live', async (_req, res) => {
+        const rows = await dbAll(`
       SELECT gb.*, p.title as product_title, p.price as original_price, p.images, p.category,
         u.handle as seller_handle, u.name as seller_name,
         (SELECT COUNT(*) FROM group_buy_participants WHERE group_buy_id = gb.id AND status != 'refunded') as joined_count
@@ -110,31 +110,31 @@ export function registerGroupBuysRoutes(app, deps) {
       JOIN users u ON u.id = gb.seller_id
       WHERE gb.status = 'active' AND gb.ends_at > datetime('now')
       ORDER BY gb.ends_at ASC LIMIT 100
-    `).all();
+    `, []);
         res.json({ items: rows });
     });
     // 详情 + participants
-    app.get('/api/group-buys/:id', (req, res) => {
-        const gb = db.prepare(`
+    app.get('/api/group-buys/:id', async (req, res) => {
+        const gb = await dbOne(`
       SELECT gb.*, p.title as product_title, p.price as original_price, p.images, p.category,
         u.handle as seller_handle, u.name as seller_name
       FROM group_buys gb
       JOIN products p ON p.id = gb.product_id
       JOIN users u ON u.id = gb.seller_id
       WHERE gb.id = ?
-    `).get(req.params.id);
+    `, [req.params.id]);
         if (!gb)
             return void res.status(404).json({ error: '团购不存在' });
-        const participants = db.prepare(`
+        const participants = await dbAll(`
       SELECT p.id, p.buyer_id, p.status, p.created_at, u.handle as buyer_handle
       FROM group_buy_participants p JOIN users u ON u.id = p.buyer_id
       WHERE p.group_buy_id = ? AND p.status != 'refunded'
       ORDER BY p.created_at ASC
-    `).all(req.params.id);
+    `, [req.params.id]);
         res.json({ ...gb, participants });
     });
     // 加入团购
-    app.post('/api/group-buys/:id/join', (req, res) => {
+    app.post('/api/group-buys/:id/join', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -143,7 +143,7 @@ export function registerGroupBuysRoutes(app, deps) {
         const { shipping_address } = req.body || {};
         if (!shipping_address)
             return void res.status(400).json({ error: '请填写收货地址' });
-        const gb = db.prepare('SELECT id, seller_id, product_id, status, target_count, ends_at, discount_pct FROM group_buys WHERE id = ?').get(req.params.id);
+        const gb = await dbOne('SELECT id, seller_id, product_id, status, target_count, ends_at, discount_pct FROM group_buys WHERE id = ?', [req.params.id]);
         if (!gb)
             return void res.status(404).json({ error: '团购不存在' });
         if (gb.status !== 'active')
@@ -152,14 +152,14 @@ export function registerGroupBuysRoutes(app, deps) {
             return void res.status(400).json({ error: '团购已结束' });
         if (gb.seller_id === user.id)
             return void res.status(400).json({ error: '不可加入自己的团购' });
-        const existing = db.prepare('SELECT id FROM group_buy_participants WHERE group_buy_id = ? AND buyer_id = ? AND status != \'refunded\'').get(gb.id, user.id);
+        const existing = await dbOne('SELECT id FROM group_buy_participants WHERE group_buy_id = ? AND buyer_id = ? AND status != \'refunded\'', [gb.id, user.id]);
         if (existing)
             return void res.status(400).json({ error: '已加入此团购' });
-        const product = db.prepare('SELECT price FROM products WHERE id = ?').get(gb.product_id);
+        const product = await dbOne('SELECT price FROM products WHERE id = ?', [gb.product_id]);
         if (!product)
             return void res.status(500).json({ error: '商品记录缺失' });
         const escrow = Number(product.price);
-        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        const wallet = await dbOne('SELECT balance FROM wallets WHERE user_id = ?', [user.id]);
         if (!wallet || wallet.balance < escrow)
             return void res.status(400).json({ error: `余额不足：需 ${escrow} WAZ` });
         const id = generateId('gbp');
@@ -168,7 +168,7 @@ export function registerGroupBuysRoutes(app, deps) {
                 .run(id, gb.id, user.id, String(shipping_address).slice(0, 200), escrow);
             db.prepare('UPDATE wallets SET balance = balance - ?, escrowed = escrowed + ? WHERE user_id = ?').run(escrow, escrow, user.id);
         })();
-        const joined = db.prepare(`SELECT COUNT(*) as n FROM group_buy_participants WHERE group_buy_id = ? AND status != 'refunded'`).get(gb.id).n;
+        const joined = (await dbOne(`SELECT COUNT(*) as n FROM group_buy_participants WHERE group_buy_id = ? AND status != 'refunded'`, [gb.id])).n;
         if (joined >= gb.target_count) {
             try {
                 settleGroupBuy(db, generateId, broadcastSystemEvent, gb.id);
@@ -184,13 +184,13 @@ export function registerGroupBuysRoutes(app, deps) {
         res.json({ success: true, id, joined_count: joined, target_count: gb.target_count });
     });
     // 离开团购
-    app.delete('/api/group-buys/:id/leave', (req, res) => {
+    app.delete('/api/group-buys/:id/leave', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const p = db.prepare(`SELECT p.id, p.escrow_amount, p.status, gb.status as gb_status FROM group_buy_participants p
+        const p = await dbOne(`SELECT p.id, p.escrow_amount, p.status, gb.status as gb_status FROM group_buy_participants p
       JOIN group_buys gb ON gb.id = p.group_buy_id
-      WHERE p.group_buy_id = ? AND p.buyer_id = ?`).get(req.params.id, user.id);
+      WHERE p.group_buy_id = ? AND p.buyer_id = ?`, [req.params.id, user.id]);
         if (!p)
             return void res.status(404).json({ error: '未加入此团购' });
         if (p.status === 'fulfilled')