@seasonkoh/webaz 0.1.24 → 0.1.26

package/dist/pwa/routes/manifests.js

@@ -1,4 +1,5 @@
 import crypto from 'crypto';
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 const MANIFEST_DAILY_LIMIT = 20;
 const THUMB_MAX_BYTES = 12000; // ~12KB base64 ≈ 9KB 原始图
 function verifyManifestSig(hash, ownerId, contentType, byteSize, signedAt, apiKey, signature) {
@@ -7,8 +8,9 @@ function verifyManifestSig(hash, ownerId, contentType, byteSize, signedAt, apiKe
     return expected === signature;
 }
 export function registerManifestsRoutes(app, deps) {
-    const { db, auth, safeRoles } = deps;
-    app.post('/api/manifests', (req, res) => {
+    // db 已走 RFC-016 异步 seam(dbOne/dbAll/dbRun),不再直接用 deps.db
+    const { auth, safeRoles } = deps;
+    app.post('/api/manifests', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
@@ -29,21 +31,20 @@ export function registerManifestsRoutes(app, deps) {
             return void res.json({ error: '签名验证失败' });
         }
         // 日上限
-        const todayCount = db.prepare(`SELECT COUNT(*) as n FROM manifest_registry WHERE owner_id = ? AND created_at > datetime('now', '-1 day')`).get(me.id).n;
+        const todayCount = (await dbOne(`SELECT COUNT(*) as n FROM manifest_registry WHERE owner_id = ? AND created_at > datetime('now', '-1 day')`, [me.id])).n;
         if (todayCount >= MANIFEST_DAILY_LIMIT)
             return void res.json({ error: `每日上限 ${MANIFEST_DAILY_LIMIT} 条` });
         if (related_product_id) {
-            const p = db.prepare("SELECT id FROM products WHERE id = ?").get(related_product_id);
+            const p = await dbOne("SELECT id FROM products WHERE id = ?", [related_product_id]);
             if (!p)
                 return void res.json({ error: '关联商品不存在' });
         }
         try {
-            db.prepare(`INSERT INTO manifest_registry (hash, owner_id, content_type, byte_size, title, description, thumbnail_data_uri, signature, signed_at, related_product_id, related_anchor)
-                  VALUES (?,?,?,?,?,?,?,?,?,?,?)`)
-                .run(hash, me.id, content_type, byte_size, title || null, description || null, thumbnail_data_uri || null, signature, signed_at, related_product_id || null, related_anchor || null);
+            await dbRun(`INSERT INTO manifest_registry (hash, owner_id, content_type, byte_size, title, description, thumbnail_data_uri, signature, signed_at, related_product_id, related_anchor)
+                  VALUES (?,?,?,?,?,?,?,?,?,?,?)`, [hash, me.id, content_type, byte_size, title || null, description || null, thumbnail_data_uri || null, signature, signed_at, related_product_id || null, related_anchor || null]);
             // 创作者立即注册为 owner peer
-            db.prepare(`INSERT OR REPLACE INTO peer_directory (peer_id, manifest_hash, is_owner, pin_intent, last_heartbeat)
-                  VALUES (?,?,1,1,datetime('now'))`).run(me.id, hash);
+            await dbRun(`INSERT OR REPLACE INTO peer_directory (peer_id, manifest_hash, is_owner, pin_intent, last_heartbeat)
+                  VALUES (?,?,1,1,datetime('now'))`, [me.id, hash]);
             res.json({ ok: true, hash });
         }
         catch (e) {
@@ -53,63 +54,63 @@ export function registerManifestsRoutes(app, deps) {
             res.json({ error: '发布失败：' + msg });
         }
     });
-    app.get('/api/manifests/me', (req, res) => {
+    app.get('/api/manifests/me', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT m.*, p.title as product_title FROM manifest_registry m
       LEFT JOIN products p ON p.id = m.related_product_id
       WHERE m.owner_id = ? AND m.status != 'removed'
       ORDER BY m.created_at DESC LIMIT 100
-    `).all(me.id);
+    `, [me.id]);
         res.json({ manifests: rows });
     });
-    app.get('/api/manifests/:hash', (req, res) => {
+    app.get('/api/manifests/:hash', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
-        const m = db.prepare(`SELECT * FROM manifest_registry WHERE hash = ?`).get(req.params.hash);
+        const m = await dbOne(`SELECT * FROM manifest_registry WHERE hash = ?`, [req.params.hash]);
         if (!m)
             return void res.status(404).json({ error: 'manifest 不存在' });
         if (m.status === 'removed' || m.status === 'takedown_admin')
             return void res.json({ error: '内容已下架', removed: true, reason: m.takedown_reason || null });
-        const peers = db.prepare(`
+        const peers = await dbAll(`
       SELECT peer_id, is_owner, pin_intent, last_heartbeat FROM peer_directory
       WHERE manifest_hash = ? AND last_heartbeat > datetime('now', '-5 minutes')
       ORDER BY is_owner DESC, last_heartbeat DESC LIMIT 30
-    `).all(req.params.hash);
+    `, [req.params.hash]);
         res.json({ manifest: m, peers });
     });
-    app.get('/api/manifests/by-product/:pid', (req, res) => {
+    app.get('/api/manifests/by-product/:pid', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT m.*, u.name as owner_name FROM manifest_registry m
       LEFT JOIN users u ON u.id = m.owner_id
       WHERE m.related_product_id = ? AND m.status = 'active'
       ORDER BY m.created_at DESC LIMIT 20
-    `).all(req.params.pid);
+    `, [req.params.pid]);
         res.json({ manifests: rows });
     });
-    app.get('/api/manifests/by-anchor/:anchor', (req, res) => {
+    app.get('/api/manifests/by-anchor/:anchor', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT m.*, u.name as owner_name FROM manifest_registry m
       LEFT JOIN users u ON u.id = m.owner_id
       WHERE m.related_anchor = ? AND m.status = 'active'
       ORDER BY m.created_at DESC LIMIT 50
-    `).all(req.params.anchor);
+    `, [req.params.anchor]);
         res.json({ manifests: rows });
     });
-    app.patch('/api/manifests/:hash/takedown', (req, res) => {
+    app.patch('/api/manifests/:hash/takedown', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
-        const m = db.prepare("SELECT owner_id FROM manifest_registry WHERE hash = ?").get(req.params.hash);
+        const m = await dbOne("SELECT owner_id FROM manifest_registry WHERE hash = ?", [req.params.hash]);
         if (!m)
             return void res.status(404).json({ error: 'manifest 不存在' });
         const isAdmin = me.role === 'admin' || safeRoles(me).includes('admin');
@@ -117,10 +118,9 @@ export function registerManifestsRoutes(app, deps) {
         if (!isOwner && !isAdmin)
             return void res.json({ error: '无权下架' });
         const reason = (req.body?.reason || '').toString().slice(0, 200);
-        db.prepare(`UPDATE manifest_registry SET status = ?, takedown_reason = ?, takedown_at = datetime('now'), takedown_by = ? WHERE hash = ?`)
-            .run(isAdmin && !isOwner ? 'takedown_admin' : 'removed', reason, me.id, req.params.hash);
+        await dbRun(`UPDATE manifest_registry SET status = ?, takedown_reason = ?, takedown_at = datetime('now'), takedown_by = ? WHERE hash = ?`, [isAdmin && !isOwner ? 'takedown_admin' : 'removed', reason, me.id, req.params.hash]);
         // 同步清空 peer directory（强制客户端 evict）
-        db.prepare("DELETE FROM peer_directory WHERE manifest_hash = ?").run(req.params.hash);
+        await dbRun("DELETE FROM peer_directory WHERE manifest_hash = ?", [req.params.hash]);
         res.json({ ok: true });
     });
 }

package/dist/pwa/routes/me-data.js

@@ -1,11 +1,13 @@
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerMeDataRoutes(app, deps) {
-    const { db, auth } = deps;
+    // db 已全量走 RFC-016 异步 seam(dbOne/dbAll),不再直接用 deps.db
+    const { auth } = deps;
     // COP 飞轮: 完成订单 7d 引导发笔记
-    app.get('/api/me/note-prompts', (req, res) => {
+    app.get('/api/me/note-prompts', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT o.id as order_id, o.product_id, o.updated_at as completed_at, o.total_amount,
              p.title as product_title, p.images as product_images
       FROM orders o
@@ -19,7 +21,7 @@ export function registerMeDataRoutes(app, deps) {
         )
       ORDER BY o.updated_at DESC
       LIMIT 10
-    `).all(user.id, user.id);
+    `, [user.id, user.id]);
         const prompts = rows.map(r => {
             let firstImage = null;
             try {
@@ -40,7 +42,7 @@ export function registerMeDataRoutes(app, deps) {
         res.json({ prompts });
     });
     // COP P0-1: 数据导出（用户主权）
-    app.get('/api/me/export', (req, res) => {
+    app.get('/api/me/export', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -51,33 +53,33 @@ export function registerMeDataRoutes(app, deps) {
             notice: 'WebAZ COP 承诺：你的数据属于你。可随时导出，可随时迁出。',
         };
         try {
-            data.profile = db.prepare(`SELECT id, name, handle, role, region, bio, search_anchor, email, phone, permanent_code, created_at, reputation FROM users WHERE id = ?`).get(uid);
-            data.wallet = db.prepare(`SELECT balance, staked, escrowed, earned FROM wallets WHERE user_id = ?`).get(uid);
-            data.orders = db.prepare(`SELECT * FROM orders WHERE buyer_id = ? OR seller_id = ? ORDER BY created_at DESC LIMIT 1000`).all(uid, uid);
-            data.shareables = db.prepare(`SELECT * FROM shareables WHERE owner_id = ? AND status != 'removed'`).all(uid);
-            data.bookmarks = db.prepare(`SELECT b.*, s.title FROM shareable_bookmarks b LEFT JOIN shareables s ON s.id = b.shareable_id WHERE b.user_id = ?`).all(uid);
-            data.likes = db.prepare(`SELECT l.*, s.title FROM shareable_likes l LEFT JOIN shareables s ON s.id = l.shareable_id WHERE l.user_id = ?`).all(uid);
-            data.follows_following = db.prepare(`SELECT followee_id, created_at FROM follows WHERE follower_id = ?`).all(uid);
-            data.follows_followers = db.prepare(`SELECT follower_id, created_at FROM follows WHERE followee_id = ?`).all(uid);
-            data.addresses = db.prepare(`SELECT * FROM user_addresses WHERE user_id = ?`).all(uid);
-            data.kyc = db.prepare(`SELECT status, id_type, id_number_last4, submitted_at, reviewed_at FROM kyc_records WHERE user_id = ?`).get(uid);
+            data.profile = await dbOne(`SELECT id, name, handle, role, region, bio, search_anchor, email, phone, permanent_code, created_at, reputation FROM users WHERE id = ?`, [uid]);
+            data.wallet = await dbOne(`SELECT balance, staked, escrowed, earned FROM wallets WHERE user_id = ?`, [uid]);
+            data.orders = await dbAll(`SELECT * FROM orders WHERE buyer_id = ? OR seller_id = ? ORDER BY created_at DESC LIMIT 1000`, [uid, uid]);
+            data.shareables = await dbAll(`SELECT * FROM shareables WHERE owner_id = ? AND status != 'removed'`, [uid]);
+            data.bookmarks = await dbAll(`SELECT b.*, s.title FROM shareable_bookmarks b LEFT JOIN shareables s ON s.id = b.shareable_id WHERE b.user_id = ?`, [uid]);
+            data.likes = await dbAll(`SELECT l.*, s.title FROM shareable_likes l LEFT JOIN shareables s ON s.id = l.shareable_id WHERE l.user_id = ?`, [uid]);
+            data.follows_following = await dbAll(`SELECT followee_id, created_at FROM follows WHERE follower_id = ?`, [uid]);
+            data.follows_followers = await dbAll(`SELECT follower_id, created_at FROM follows WHERE followee_id = ?`, [uid]);
+            data.addresses = await dbAll(`SELECT * FROM user_addresses WHERE user_id = ?`, [uid]);
+            data.kyc = await dbOne(`SELECT status, id_type, id_number_last4, submitted_at, reviewed_at FROM kyc_records WHERE user_id = ?`, [uid]);
             // #1017: wallet_history 不存在 — 用 deposits + withdrawals + commissions 复合
             try {
-                data.deposits = db.prepare(`SELECT * FROM deposit_txns WHERE user_id = ? ORDER BY created_at DESC LIMIT 200`).all(uid);
+                data.deposits = await dbAll(`SELECT * FROM deposit_txns WHERE user_id = ? ORDER BY created_at DESC LIMIT 200`, [uid]);
             }
             catch {
                 data.deposits = [];
             }
             try {
-                data.withdrawals = db.prepare(`SELECT * FROM withdrawal_requests WHERE user_id = ? ORDER BY created_at DESC LIMIT 200`).all(uid);
+                data.withdrawals = await dbAll(`SELECT * FROM withdrawal_requests WHERE user_id = ? ORDER BY created_at DESC LIMIT 200`, [uid]);
             }
             catch {
                 data.withdrawals = [];
             }
-            data.commissions = db.prepare(`SELECT * FROM commission_records WHERE beneficiary_id = ? ORDER BY created_at DESC LIMIT 500`).all(uid) || [];
-            data.anchors = db.prepare(`SELECT anchor, target_kind, target_id, status, created_at FROM anchor_registry WHERE owner_id = ?`).all(uid);
-            data.notifications = db.prepare(`SELECT * FROM notifications WHERE user_id = ? ORDER BY created_at DESC LIMIT 500`).all(uid);
-            data.error_log = db.prepare(`SELECT id, source, message, created_at FROM error_log WHERE user_id = ? ORDER BY id DESC LIMIT 100`).all(uid) || [];
+            data.commissions = await dbAll(`SELECT * FROM commission_records WHERE beneficiary_id = ? ORDER BY created_at DESC LIMIT 500`, [uid]) || [];
+            data.anchors = await dbAll(`SELECT anchor, target_kind, target_id, status, created_at FROM anchor_registry WHERE owner_id = ?`, [uid]);
+            data.notifications = await dbAll(`SELECT * FROM notifications WHERE user_id = ? ORDER BY created_at DESC LIMIT 500`, [uid]);
+            data.error_log = await dbAll(`SELECT id, source, message, created_at FROM error_log WHERE user_id = ? ORDER BY id DESC LIMIT 100`, [uid]) || [];
         }
         catch (e) {
             console.warn('[export] partial:', e.message);

package/dist/pwa/routes/notifications.js

@@ -1,10 +1,11 @@
+import { dbOne } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 import { getNotifications, getUnreadCount, markRead } from '../../layer2-business/L2-6-notifications/notification-engine.js';
 export function registerNotificationsRoutes(app, deps) {
     const { db, auth, sseClients } = deps;
     // SSE 实时推送流（EventSource 不支持自定义 header，URL ?key= 也兼容）
-    app.get('/api/notifications/stream', (req, res) => {
+    app.get('/api/notifications/stream', async (req, res) => {
         const key = req.query.key ?? req.headers.authorization?.replace('Bearer ', '');
-        const user = key ? db.prepare('SELECT * FROM users WHERE api_key = ?').get(key) : null;
+        const user = key ? await dbOne('SELECT * FROM users WHERE api_key = ?', [key]) : null;
         if (!user)
             return void res.status(401).end();
         res.setHeader('Content-Type', 'text/event-stream');
@@ -13,7 +14,7 @@ export function registerNotificationsRoutes(app, deps) {
         res.flushHeaders();
         sseClients.set(user.id, res);
         // 连接时推送未读数
-        const unread = getUnreadCount(db, user.id);
+        const unread = await getUnreadCount(db, user.id);
         res.write(`data: ${JSON.stringify({ type: 'init', unread })}\n\n`);
         // 心跳保活（每 30s）
         const heartbeat = setInterval(() => {
@@ -29,13 +30,13 @@ export function registerNotificationsRoutes(app, deps) {
             clearInterval(heartbeat);
         });
     });
-    app.get('/api/notifications', (req, res) => {
+    app.get('/api/notifications', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const onlyUnread = req.query.unread === '1';
-        const notifs = getNotifications(db, user.id, onlyUnread);
-        const unread = getUnreadCount(db, user.id);
+        const notifs = await getNotifications(db, user.id, onlyUnread);
+        const unread = await getUnreadCount(db, user.id);
         res.json({ unread, notifications: notifs });
     });
     app.post('/api/notifications/read', (req, res) => {

package/dist/pwa/routes/offers.js

@@ -1,10 +1,13 @@
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerOffersRoutes(app, deps) {
+    // db 仍保留:用于 DELETE /offers 的 db.transaction(撤回 offer + 释放质押守恒,better-sqlite3 事务须同步)。
+    // 其余只读/单写站点已走 RFC-016 异步 seam(dbOne/dbRun)。
     const { db, auth, VALID_FULFILLMENT_TYPES } = deps;
-    app.patch('/api/offers/:id', (req, res) => {
+    app.patch('/api/offers/:id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const offer = db.prepare("SELECT * FROM products WHERE id = ? AND listing_id IS NOT NULL").get(req.params.id);
+        const offer = await dbOne("SELECT * FROM products WHERE id = ? AND listing_id IS NOT NULL", [req.params.id]);
         if (!offer)
             return void res.status(404).json({ error: 'offer 不存在' });
         if (offer.seller_id !== user.id)
@@ -48,27 +51,37 @@ export function registerOffersRoutes(app, deps) {
         updates.push("updated_at = datetime('now')");
         updates.push("freshness_ts = datetime('now')");
         args.push(req.params.id);
-        db.prepare(`UPDATE products SET ${updates.join(', ')} WHERE id = ?`).run(...args);
+        await dbRun(`UPDATE products SET ${updates.join(', ')} WHERE id = ?`, args);
         res.json({ success: true });
     });
     // 撤回 offer（status=warehouse + 释放 stake；不真删 product）
-    app.delete('/api/offers/:id', (req, res) => {
+    app.delete('/api/offers/:id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const offer = db.prepare("SELECT * FROM products WHERE id = ? AND listing_id IS NOT NULL").get(req.params.id);
+        const offer = await dbOne("SELECT * FROM products WHERE id = ? AND listing_id IS NOT NULL", [req.params.id]);
         if (!offer)
             return void res.status(404).json({ error: 'offer 不存在' });
         if (offer.seller_id !== user.id)
             return void res.status(403).json({ error: '仅卖家本人可撤回' });
-        const pending = db.prepare(`SELECT COUNT(1) as n FROM orders WHERE product_id = ? AND status NOT IN ('completed','cancelled','refunded','expired')`).get(req.params.id);
+        const pending = (await dbOne(`SELECT COUNT(1) as n FROM orders WHERE product_id = ? AND status NOT IN ('completed','cancelled','refunded','expired')`, [req.params.id]));
         if (pending.n > 0)
             return void res.json({ error: `该 offer 有 ${pending.n} 个进行中订单，暂无法撤回` });
         const stake = Number(offer.listing_stake_locked) || 0;
         const tx = db.transaction(() => {
-            db.prepare(`UPDATE products SET status = 'warehouse', listing_stake_locked = 0, updated_at = datetime('now') WHERE id = ?`).run(req.params.id);
+            // await-gap P1(proactive sweep,与 #239 系列同类):offer 行先 await 读出 stake,再进同步 tx 释放。
+            //   并发双撤回会都读到同一 listing_stake_locked 并各退一次 → 双倍退质押(印钱)。CAS 抢占该 offer
+            //   (仍未撤回 + stake 仍等于读到的值),changes!==1 即并发已撤回 → 抛回滚,先于任何钱写。
+            const flip = db.prepare(`UPDATE products SET status = 'warehouse', listing_stake_locked = 0, updated_at = datetime('now') WHERE id = ? AND status != 'warehouse' AND listing_stake_locked = ?`).run(req.params.id, stake);
+            if (flip.changes !== 1)
+                throw new Error('OFFER_ALREADY_WITHDRAWN');
             if (stake > 0) {
-                db.prepare(`UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?`).run(stake, stake, user.id);
+                // Codex #254 follow-up P2:钱包释放带 staked>=stake 守卫 + changes 校验。若 wallet 行缺失或
+                //   staked < listing_stake_locked(历史漂移/并发异常/前序 bug),不能在已清零 products.stake 的同时
+                //   让 staked 变负或丢质押 —— changes!==1 即抛回滚整笔(products 不清零、listings 不递减、钱包不动)。
+                const rel = db.prepare(`UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ? AND staked >= ?`).run(stake, stake, user.id, stake);
+                if (rel.changes !== 1)
+                    throw new Error('OFFER_STAKE_INVARIANT_VIOLATION');
             }
             db.prepare(`UPDATE listings SET total_offers = MAX(0, total_offers - 1) WHERE id = ?`).run(String(offer.listing_id));
         });
@@ -76,21 +89,26 @@ export function registerOffersRoutes(app, deps) {
             tx();
         }
         catch (e) {
-            return void res.status(500).json({ error: String(e.message) });
+            const m = e.message;
+            if (m === 'OFFER_ALREADY_WITHDRAWN')
+                return void res.status(409).json({ error: '该 offer 已撤回（请刷新）', error_code: 'OFFER_ALREADY_WITHDRAWN' });
+            if (m === 'OFFER_STAKE_INVARIANT_VIOLATION')
+                return void res.status(500).json({ error: '质押释放校验失败（资金状态异常，已回滚未做任何变更，请联系支持）', error_code: 'OFFER_STAKE_INVARIANT_VIOLATION' });
+            return void res.status(500).json({ error: String(m) });
         }
         res.json({ success: true, stake_released: stake });
     });
     // 刷新 freshness（卖家点 "现货确认"）
-    app.post('/api/offers/:id/refresh', (req, res) => {
+    app.post('/api/offers/:id/refresh', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const offer = db.prepare("SELECT seller_id FROM products WHERE id = ? AND listing_id IS NOT NULL").get(req.params.id);
+        const offer = await dbOne("SELECT seller_id FROM products WHERE id = ? AND listing_id IS NOT NULL", [req.params.id]);
         if (!offer)
             return void res.status(404).json({ error: 'offer 不存在' });
         if (offer.seller_id !== user.id)
             return void res.status(403).json({ error: '仅卖家本人可刷新' });
-        db.prepare(`UPDATE products SET freshness_ts = datetime('now') WHERE id = ?`).run(req.params.id);
+        await dbRun(`UPDATE products SET freshness_ts = datetime('now') WHERE id = ?`, [req.params.id]);
         res.json({ success: true });
     });
 }

package/dist/pwa/routes/orders-action.js

@@ -1,3 +1,4 @@
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js';
 export function registerOrdersActionRoutes(app, deps) {
     const { db, auth, isTrustedRole, generateId, transition, notifyTransition, settleOrder, settleFault, detectFraud, createDispute, checkTimeouts, recordViolationReputation, broadcastSystemEvent } = deps;
     // RFC-007 stage 2：卖家主动拒单 reason_code 白名单。
@@ -11,7 +12,7 @@ export function registerOrdersActionRoutes(app, deps) {
     // 客观-声称理由:链下事实(外部已售/损毁),协议无确定性信号可自动核验 → 临时判责 + 举证窗口(stage 5 仲裁)。
     const OBJECTIVE_DECLINE_REASONS = new Set(['stock_consumed_concurrent', 'stale_price_snapshot', 'force_majeure']);
     // C-4: 卖家批量发货
-    app.post('/api/orders/batch-ship', (req, res) => {
+    app.post('/api/orders/batch-ship', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -20,11 +21,14 @@ export function registerOrdersActionRoutes(app, deps) {
             return void res.status(400).json({ error: 'order_ids 必填' });
         if (order_ids.length > 100)
             return void res.status(400).json({ error: '单次最多 100 单' });
-        if (!logistics_company_id)
-            return void res.status(400).json({ error: 'logistics_company_id 必填' });
-        const lc = db.prepare("SELECT id FROM users WHERE id = ? AND role = 'logistics'").get(logistics_company_id);
-        if (!lc)
-            return void res.status(400).json({ error: '物流公司不存在' });
+        // 自发货(self-fulfill,Phase 1 默认):不传 logistics_company_id → logistics_id 留空,卖家自负后续流转。
+        // 只有传了物流公司时才校验其存在。
+        // RFC-016: 纯校验读 → 异步 seam(物流公司是否存在);循环内的逐单 read+write 仍同步(Phase 3 随订单事务迁)
+        if (logistics_company_id) {
+            const lc = await dbOne("SELECT id FROM users WHERE id = ? AND role = 'logistics'", [logistics_company_id]);
+            if (!lc)
+                return void res.status(400).json({ error: '物流公司不存在' });
+        }
         const results = [];
         const trackingMap = (tracking_numbers && typeof tracking_numbers === 'object') ? tracking_numbers : {};
         for (const oid of order_ids) {
@@ -42,18 +46,22 @@ export function registerOrdersActionRoutes(app, deps) {
                     results.push({ order_id: oid, status: 'skipped', reason: `状态非 accepted (当前 ${o.status})` });
                     continue;
                 }
-                if (!o.logistics_id) {
+                // 仅当指定了物流公司时才绑定;自发货保持 logistics_id 为空(seller self-fulfill)
+                if (logistics_company_id && !o.logistics_id) {
                     db.prepare("UPDATE orders SET logistics_id = ? WHERE id = ?").run(logistics_company_id, oid);
                 }
                 const tn = trackingMap[oid] ? String(trackingMap[oid]).slice(0, 50) : null;
+                // accepted→shipped 状态机要求 evidence(requiresEvidence)。【始终】写一条文字 evidence,
+                // 否则无单号(尤其自发货默认)会被状态机拒绝 → shipped:0 卡在 accepted。单号可之后补。
+                const evDesc = logistics_company_id
+                    ? (tn ? `批量发货 · 快递单号：${tn} · 物流方 ${logistics_company_id}` : `批量发货，已交付物流公司 ${logistics_company_id}，快递单号待物流揽收后回传`)
+                    : (tn ? `卖家自己发货（批量）· 快递单号：${tn}` : `卖家自己发货（批量·自提自送）—— 由卖家负责揽收/运输/送达，单号可之后补`);
                 const evIds = [];
-                if (tn) {
-                    const eid = generateId('evt');
-                    db.prepare(`INSERT INTO evidence (id, order_id, uploader_id, type, description, file_hash)
-            VALUES (?,?,?,'description',?,?)`).run(eid, oid, user.id, `快递单号：${tn}`, `hash_${Date.now()}`);
-                    evIds.push(eid);
-                }
-                const result = transition(db, oid, 'shipped', user.id, evIds, tn ? `批量发货 · ${tn}` : '批量发货');
+                const eid = generateId('evt');
+                db.prepare(`INSERT INTO evidence (id, order_id, uploader_id, type, description, file_hash)
+          VALUES (?,?,?,'description',?,?)`).run(eid, oid, user.id, evDesc, `hash_${Date.now()}`);
+                evIds.push(eid);
+                const result = transition(db, oid, 'shipped', user.id, evIds, evDesc);
                 if (!result.success) {
                     results.push({ order_id: oid, status: 'skipped', reason: result.error || '状态机拒绝' });
                     continue;
@@ -69,11 +77,12 @@ export function registerOrdersActionRoutes(app, deps) {
         res.json({ success: true, shipped, skipped: results.filter(r => r.status === 'skipped').length, results });
     });
     // 买家确认面交完成 → 直接 completed + settleOrder
-    app.post('/api/orders/:id/confirm-in-person', (req, res) => {
+    app.post('/api/orders/:id/confirm-in-person', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const order = db.prepare('SELECT * FROM orders WHERE id = ?').get(req.params.id);
+        // RFC-016: 校验读 → 异步 seam;下方 completed+history 写仍是同步 db.transaction(Phase 3 迁 pg 事务)
+        const order = await dbOne('SELECT * FROM orders WHERE id = ?', [req.params.id]);
         if (!order)
             return void res.status(404).json({ error: '订单不存在' });
         if (order.fulfillment_mode !== 'in_person')
@@ -105,7 +114,7 @@ export function registerOrdersActionRoutes(app, deps) {
         res.json({ success: true });
     });
     // 通用状态机 action — accept/ship/pickup/transit/deliver/confirm/dispute
-    app.post('/api/orders/:id/action', (req, res) => {
+    app.post('/api/orders/:id/action', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -113,7 +122,8 @@ export function registerOrdersActionRoutes(app, deps) {
         if (isTrustedRole(user))
             return void res.status(403).json({ error: '受信角色不可参与订单流转', error_code: 'TRUSTED_ROLE_NO_TRADE' });
         const { action, notes = '', evidence_description = '', logistics_company_id = '' } = req.body;
-        const order = db.prepare('SELECT * FROM orders WHERE id = ?').get(req.params.id);
+        // RFC-016: 顶层校验读 → 异步 seam;state-machine / settle / decline 写序列仍同步(Phase 3 迁 pg 行锁+事务)
+        const order = await dbOne('SELECT * FROM orders WHERE id = ?', [req.params.id]);
         if (!order)
             return void res.status(404).json({ error: '订单不存在' });
         // P0: 路由层 ownership 校验（engine 层只看 role，必须补 ownership）
@@ -190,16 +200,26 @@ export function registerOrdersActionRoutes(app, deps) {
                 });
             }
             // 主观(或窗口=0):立即违约结算(退款买家 + 按 stake_backing 罚没,守恒,绝不印钱)
+            // Codex #119 P1:这是资金结算路径,settleFault / completed transition 失败【绝不能】吞掉后仍报 success。
+            // 订单此刻已在 fault_seller(上面 transition 已提交)。只有结算 + 推进 completed 都成功才返回 success;
+            // 任一失败 → 返回 500 DECLINE_SETTLEMENT_FAILED(订单停在 fault_seller,可重试/人工/cron 终结),不谎称已退款。
             const sysUser = db.prepare("SELECT id FROM users WHERE id = 'sys_protocol'").get();
             try {
+                if (!sysUser)
+                    throw new Error('sys_protocol user missing — cannot finalize decline settlement');
                 settleFault(db, req.params.id, 'fault_seller');
-                if (sysUser) {
-                    transition(db, req.params.id, 'completed', sysUser.id, [], '主动拒单：系统执行违约结算');
-                    notifyTransition(db, req.params.id, 'fault_seller', 'completed');
-                }
+                const rc = transition(db, req.params.id, 'completed', sysUser.id, [], '主动拒单：系统执行违约结算');
+                if (!rc?.success)
+                    throw new Error(`fault_seller→completed transition failed: ${rc?.error || 'unknown'}`);
+                notifyTransition(db, req.params.id, 'fault_seller', 'completed');
             }
             catch (e) {
                 console.error('[decline settleFault]', e);
+                return void res.status(500).json({
+                    error: '违约结算未完成,订单仍停在 fault_seller,请稍后重试或联系支持(买家尚未退款)',
+                    error_code: 'DECLINE_SETTLEMENT_FAILED',
+                    outcome: 'fault_seller',
+                });
             }
             return void res.json({
                 success: true, outcome: 'fault_seller', decline_reason_code: reasonCode,
@@ -278,7 +298,8 @@ export function registerOrdersActionRoutes(app, deps) {
             // QA 轮 9.4-retry-v3 P1：post-hoc build breakdown 从 DB，让 agent 看清每分钱去哪
             try {
                 const round2 = (n) => Math.round(n * 100) / 100;
-                const ord = db.prepare("SELECT id, total_amount, source, fulfillment_mode, snapshot_commission_rate, l1_uid, l2_uid, l3_uid, logistics_id, seller_id FROM orders WHERE id = ?").get(req.params.id);
+                // RFC-016: settleOrder 已完成,以下纯只读 breakdown 查询 → 异步 seam(无写,无原子性要求)
+                const ord = await dbOne("SELECT id, total_amount, source, fulfillment_mode, snapshot_commission_rate, l1_uid, l2_uid, l3_uid, logistics_id, seller_id FROM orders WHERE id = ?", [req.params.id]);
                 if (ord) {
                     const total = Number(ord.total_amount);
                     const isSecondhand = ord.source === 'secondhand';
@@ -289,7 +310,7 @@ export function registerOrdersActionRoutes(app, deps) {
                     const logisticsActual = ord.logistics_id ? logisticsFee : 0;
                     const commissionRate = Number(ord.snapshot_commission_rate ?? 0.10);
                     const commissionPool = round2(total * commissionRate);
-                    const commRecs = db.prepare("SELECT level, amount, beneficiary_id FROM commission_records WHERE order_id = ?").all(req.params.id);
+                    const commRecs = await dbAll("SELECT level, amount, beneficiary_id FROM commission_records WHERE order_id = ?", [req.params.id]);
                     const commByLevel = {
                         1: { amount: 0, to: null }, 2: { amount: 0, to: null }, 3: { amount: 0, to: null },
                     };
@@ -301,9 +322,9 @@ export function registerOrdersActionRoutes(app, deps) {
                     const commissionRedirected = round2(commissionPool - commissionDistributed);
                     // QA 轮 14.b P2：redirected_total 拆 chain_gap(→charity) vs region_cap(→global_fund)
                     // 之前单一数字让 agent 无法分辨钱去哪（global region L2/L3 进 global_fund，不是 charity）
-                    const charityRow = db.prepare("SELECT COALESCE(SUM(amount),0) AS s FROM charity_fund_txns WHERE related_order_id = ?").get(req.params.id);
+                    const charityRow = (await dbOne("SELECT COALESCE(SUM(amount),0) AS s FROM charity_fund_txns WHERE related_order_id = ?", [req.params.id]));
                     const redirectedToCharity = round2(Number(charityRow.s));
-                    const fundDepRow = db.prepare("SELECT COALESCE(SUM(amount_l3),0) AS s FROM fund_deposits WHERE order_id = ?").get(req.params.id);
+                    const fundDepRow = (await dbOne("SELECT COALESCE(SUM(amount_l3),0) AS s FROM fund_deposits WHERE order_id = ?", [req.params.id]));
                     const redirectedToGlobalFund = round2(Number(fundDepRow.s));
                     // QA 轮 9.5 P2：payouts 表只 MCP legacy 写，PWA settleOrder 直更 wallet.balance 不写 payouts
                     // 改用公式推算 sellerAmount（跟 PWA settleOrder 内部计算一致），更可靠
@@ -347,11 +368,12 @@ export function registerOrdersActionRoutes(app, deps) {
         });
     });
     // 手动触发超时判责（当事人）
-    app.post('/api/orders/:id/force-timeout-check', (req, res) => {
+    app.post('/api/orders/:id/force-timeout-check', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const order = db.prepare('SELECT buyer_id, seller_id, logistics_id, status FROM orders WHERE id = ?').get(req.params.id);
+        // RFC-016: 当事人校验读 → 异步 seam;checkTimeouts(db) 自身仍是同步判责引擎(Phase 3 内部迁)
+        const order = await dbOne('SELECT buyer_id, seller_id, logistics_id, status FROM orders WHERE id = ?', [req.params.id]);
         if (!order)
             return void res.status(404).json({ error: '订单不存在' });
         const uid = user.id;
@@ -360,7 +382,7 @@ export function registerOrdersActionRoutes(app, deps) {
         }
         const beforeStatus = order.status;
         const r = checkTimeouts(db);
-        const after = db.prepare('SELECT status FROM orders WHERE id = ?').get(req.params.id);
+        const after = (await dbOne('SELECT status FROM orders WHERE id = ?', [req.params.id]));
         const touched = r.details.find((d) => d.orderId === req.params.id) || null;
         if (touched) {
             const faultMatch = touched.action.match(/→ (fault_\w+)/);