@seasonkoh/webaz 0.1.24 → 0.1.26

package/dist/pwa/routes/payments-governance.js

@@ -1,97 +1,102 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 const PAYMENT_METHOD_KINDS = new Set(['crypto_onchain', 'bank_wire', 'card', 'mobile_wallet', 'p2p']);
 const PAYMENT_METHOD_STATUSES = new Set(['active', 'preview', 'inactive', 'deprecated']);
 const RPM_DIRECTIONS = new Set(['deposit', 'withdraw', 'both']);
 const RPM_STATUSES = new Set(['active', 'paused', 'blocked']);
 export function registerPaymentsGovernanceRoutes(app, deps) {
-    const { db, generateId, requireRootAdmin } = deps;
+    // db 已全量走 RFC-016 异步 seam(dbOne/dbAll/dbRun),不再直接用 deps.db
+    const { generateId, requireRootAdmin } = deps;
     // 写支付变更审计日志
-    function logPaymentChange(entity_kind, entity_id, action, oldValue, newValue, changed_by, reason) {
-        db.prepare(`INSERT INTO payment_methods_log (entity_kind, entity_id, action, old_value, new_value, changed_by, reason) VALUES (?,?,?,?,?,?,?)`).run(entity_kind, entity_id, action, oldValue == null ? null : JSON.stringify(oldValue), newValue == null ? null : JSON.stringify(newValue), changed_by, reason ?? null);
+    async function logPaymentChange(entity_kind, entity_id, action, oldValue, newValue, changed_by, reason) {
+        await dbRun(`INSERT INTO payment_methods_log (entity_kind, entity_id, action, old_value, new_value, changed_by, reason) VALUES (?,?,?,?,?,?,?)`, [entity_kind, entity_id, action,
+            oldValue == null ? null : JSON.stringify(oldValue),
+            newValue == null ? null : JSON.stringify(newValue),
+            changed_by, reason ?? null]);
     }
     // ─── 治理参数 ────────────────────────────────────────────────
-    app.get('/api/governance/params', (_req, res) => {
-        const params = db.prepare(`
+    app.get('/api/governance/params', async (_req, res) => {
+        const params = await dbAll(`
       SELECT key, value, type, description, category, default_value, min_value, max_value, updated_at
       FROM protocol_params
       ORDER BY category, key
-    `).all();
+    `);
         // 每个参数附最近 5 条变更
         for (const p of params) {
-            const recent = db.prepare(`
+            const recent = await dbAll(`
         SELECT old_value, new_value, action, created_at
         FROM protocol_params_log
         WHERE key = ?
         ORDER BY id DESC LIMIT 5
-      `).all(p.key);
+      `, [p.key]);
             p.recent_changes = recent;
         }
         res.json({
             notice: 'WebAZ 协议参数公示 — COP 团队自约束：所有参数变更必须可被任何人查询。',
             params,
-            last_change: db.prepare(`SELECT key, old_value, new_value, action, created_at FROM protocol_params_log ORDER BY id DESC LIMIT 1`).get() || null,
+            last_change: (await dbOne(`SELECT key, old_value, new_value, action, created_at FROM protocol_params_log ORDER BY id DESC LIMIT 1`)) || null,
         });
     });
-    app.get('/api/governance/params/:key/history', (req, res) => {
-        const param = db.prepare(`SELECT * FROM protocol_params WHERE key = ?`).get(req.params.key);
+    app.get('/api/governance/params/:key/history', async (req, res) => {
+        const param = await dbOne(`SELECT * FROM protocol_params WHERE key = ?`, [req.params.key]);
         if (!param)
             return void res.status(404).json({ error: 'param not found' });
-        const history = db.prepare(`
+        const history = await dbAll(`
       SELECT id, old_value, new_value, action, created_at,
         (SELECT name FROM users WHERE id = protocol_params_log.changed_by) as changed_by_name
       FROM protocol_params_log
       WHERE key = ?
       ORDER BY id DESC LIMIT 100
-    `).all(req.params.key);
+    `, [req.params.key]);
         res.json({ param, history });
     });
     // ─── 公共支付方法 ───────────────────────────────────────────
-    app.get('/api/payment-methods', (_req, res) => {
-        const rows = db.prepare(`SELECT id, display_name, display_name_en, kind, asset, chain, contract_address, decimals, icon, status, watcher_status, notes
-       FROM payment_methods WHERE status IN ('active','preview') ORDER BY status DESC, kind, asset`).all();
+    app.get('/api/payment-methods', async (_req, res) => {
+        const rows = await dbAll(`SELECT id, display_name, display_name_en, kind, asset, chain, contract_address, decimals, icon, status, watcher_status, notes
+       FROM payment_methods WHERE status IN ('active','preview') ORDER BY status DESC, kind, asset`);
         res.json({ items: rows });
     });
     // 某地区可用方法（fallback 到 global）
-    app.get('/api/payment-methods/for-region', (req, res) => {
+    app.get('/api/payment-methods/for-region', async (req, res) => {
         const region = String(req.query.region || 'global');
         const direction = String(req.query.direction || ''); // 'deposit' | 'withdraw' | '' (任意)
         if (direction && !RPM_DIRECTIONS.has(direction)) {
             return void res.status(400).json({ error: `direction 必须是 ${[...RPM_DIRECTIONS].join(' / ')}` });
         }
-        const rowsRegion = db.prepare(`
+        const rowsRegion = await dbAll(`
       SELECT rpm.region, rpm.method_id, rpm.direction, rpm.status, rpm.min_amount, rpm.max_amount, rpm.daily_cap, rpm.notes,
         pm.display_name, pm.display_name_en, pm.kind, pm.asset, pm.chain, pm.icon, pm.status as method_status, pm.watcher_status
       FROM region_payment_methods rpm JOIN payment_methods pm ON pm.id = rpm.method_id
       WHERE rpm.region = ? AND rpm.status = 'active' AND pm.status IN ('active','preview')
-    `).all(region);
+    `, [region]);
         const useFallback = rowsRegion.length === 0 && region !== 'global';
         const finalRegion = useFallback ? 'global' : region;
-        const rows = useFallback ? db.prepare(`
+        const rows = useFallback ? await dbAll(`
       SELECT rpm.region, rpm.method_id, rpm.direction, rpm.status, rpm.min_amount, rpm.max_amount, rpm.daily_cap, rpm.notes,
         pm.display_name, pm.display_name_en, pm.kind, pm.asset, pm.chain, pm.icon, pm.status as method_status, pm.watcher_status
       FROM region_payment_methods rpm JOIN payment_methods pm ON pm.id = rpm.method_id
       WHERE rpm.region = 'global' AND rpm.status = 'active' AND pm.status IN ('active','preview')
-    `).all() : rowsRegion;
+    `) : rowsRegion;
         const filtered = direction
             ? rows.filter(r => r.direction === direction || r.direction === 'both')
             : rows;
         res.json({ region: finalRegion, fallback_from: useFallback ? region : null, items: filtered });
     });
     // 公共变更审计日志（COP transparency）
-    app.get('/api/payment-methods/log', (req, res) => {
+    app.get('/api/payment-methods/log', async (req, res) => {
         const limit = Math.min(200, Math.max(10, Number(req.query.limit) || 50));
-        const rows = db.prepare(`SELECT id, entity_kind, entity_id, action, old_value, new_value, changed_by, reason, created_at
-       FROM payment_methods_log ORDER BY id DESC LIMIT ?`).all(limit);
+        const rows = await dbAll(`SELECT id, entity_kind, entity_id, action, old_value, new_value, changed_by, reason, created_at
+       FROM payment_methods_log ORDER BY id DESC LIMIT ?`, [limit]);
         res.json({ items: rows });
     });
     // ─── Admin payment_methods CRUD（root admin only · 基础设施变更需根权限）─
-    app.get('/api/admin/payment-methods', (req, res) => {
+    app.get('/api/admin/payment-methods', async (req, res) => {
         const user = requireRootAdmin(req, res);
         if (!user)
             return;
-        const rows = db.prepare(`SELECT * FROM payment_methods ORDER BY status DESC, kind, asset`).all();
+        const rows = await dbAll(`SELECT * FROM payment_methods ORDER BY status DESC, kind, asset`);
         res.json({ items: rows });
     });
-    app.post('/api/admin/payment-methods', (req, res) => {
+    app.post('/api/admin/payment-methods', async (req, res) => {
         const user = requireRootAdmin(req, res);
         if (!user)
             return;
@@ -99,7 +104,7 @@ export function registerPaymentsGovernanceRoutes(app, deps) {
         const id = String(b.id || '').trim().toLowerCase();
         if (!/^[a-z0-9_]{3,40}$/.test(id))
             return void res.status(400).json({ error: 'id 必须是 3-40 位 [a-z0-9_]（如 usdc_base）' });
-        if (db.prepare(`SELECT 1 FROM payment_methods WHERE id = ?`).get(id))
+        if (await dbOne(`SELECT 1 FROM payment_methods WHERE id = ?`, [id]))
             return void res.status(409).json({ error: 'id 已存在' });
         const display_name = String(b.display_name || '').trim();
         if (display_name.length < 1 || display_name.length > 60)
@@ -122,18 +127,18 @@ export function registerPaymentsGovernanceRoutes(app, deps) {
             return void res.status(400).json({ error: `status 必须是 ${[...PAYMENT_METHOD_STATUSES].join(' / ')}` });
         const notes = b.notes ? String(b.notes).slice(0, 200) : null;
         const newRow = { id, display_name, display_name_en, kind, asset, chain, contract_address, decimals, icon, status, watcher_status: 'unconfigured', notes };
-        db.prepare(`INSERT INTO payment_methods (
+        await dbRun(`INSERT INTO payment_methods (
       id, display_name, display_name_en, kind, asset, chain, contract_address, decimals, icon, status, watcher_status, notes, updated_by
-    ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)`).run(id, display_name, display_name_en, kind, asset, chain, contract_address, decimals, icon, status, 'unconfigured', notes, user.id);
-        logPaymentChange('method', id, 'create', null, newRow, user.id, String(b.reason || ''));
+    ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)`, [id, display_name, display_name_en, kind, asset, chain, contract_address, decimals, icon, status, 'unconfigured', notes, user.id]);
+        await logPaymentChange('method', id, 'create', null, newRow, user.id, String(b.reason || ''));
         res.json({ ok: true, id });
     });
-    app.put('/api/admin/payment-methods/:id', (req, res) => {
+    app.put('/api/admin/payment-methods/:id', async (req, res) => {
         const user = requireRootAdmin(req, res);
         if (!user)
             return;
         const id = req.params.id;
-        const existing = db.prepare(`SELECT * FROM payment_methods WHERE id = ?`).get(id);
+        const existing = await dbOne(`SELECT * FROM payment_methods WHERE id = ?`, [id]);
         if (!existing)
             return void res.status(404).json({ error: 'not_found' });
         const b = req.body;
@@ -175,29 +180,29 @@ export function registerPaymentsGovernanceRoutes(app, deps) {
             return void res.status(400).json({ error: '无更新字段' });
         const cols = Object.keys(updates).map(k => `${k} = ?`).join(', ');
         const vals = Object.values(updates);
-        db.prepare(`UPDATE payment_methods SET ${cols}, updated_at = datetime('now'), updated_by = ? WHERE id = ?`).run(...vals, user.id, id);
-        logPaymentChange('method', id, 'update', existing, { ...existing, ...updates }, user.id, String(b.reason || ''));
+        await dbRun(`UPDATE payment_methods SET ${cols}, updated_at = datetime('now'), updated_by = ? WHERE id = ?`, [...vals, user.id, id]);
+        await logPaymentChange('method', id, 'update', existing, { ...existing, ...updates }, user.id, String(b.reason || ''));
         res.json({ ok: true });
     });
-    app.delete('/api/admin/payment-methods/:id', (req, res) => {
+    app.delete('/api/admin/payment-methods/:id', async (req, res) => {
         const user = requireRootAdmin(req, res);
         if (!user)
             return;
         const id = req.params.id;
         if (id === 'usdc_base')
             return void res.status(400).json({ error: '默认协议方法 usdc_base 不可删除，可改为 deprecated 状态' });
-        const existing = db.prepare(`SELECT * FROM payment_methods WHERE id = ?`).get(id);
+        const existing = await dbOne(`SELECT * FROM payment_methods WHERE id = ?`, [id]);
         if (!existing)
             return void res.status(404).json({ error: 'not_found' });
-        const refs = db.prepare(`SELECT COUNT(*) as n FROM region_payment_methods WHERE method_id = ? AND status = 'active'`).get(id).n;
+        const refs = (await dbOne(`SELECT COUNT(*) as n FROM region_payment_methods WHERE method_id = ? AND status = 'active'`, [id])).n;
         if (refs > 0)
             return void res.status(409).json({ error: `还有 ${refs} 条 active 区域映射引用该方法，请先停用` });
-        db.prepare(`DELETE FROM payment_methods WHERE id = ?`).run(id);
-        logPaymentChange('method', id, 'delete', existing, null, user.id, String((req.body || {}).reason || ''));
+        await dbRun(`DELETE FROM payment_methods WHERE id = ?`, [id]);
+        await logPaymentChange('method', id, 'delete', existing, null, user.id, String((req.body || {}).reason || ''));
         res.json({ ok: true });
     });
     // ─── region_payment_methods CRUD ──────────────────────────
-    app.get('/api/admin/region-payment-methods', (req, res) => {
+    app.get('/api/admin/region-payment-methods', async (req, res) => {
         const user = requireRootAdmin(req, res);
         if (!user)
             return;
@@ -212,15 +217,15 @@ export function registerPaymentsGovernanceRoutes(app, deps) {
             params.push(String(req.query.method_id));
         }
         const whereSql = where.length ? `WHERE ${where.join(' AND ')}` : '';
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT rpm.*, pm.display_name, pm.display_name_en, pm.icon, pm.asset, pm.chain
       FROM region_payment_methods rpm JOIN payment_methods pm ON pm.id = rpm.method_id
       ${whereSql}
       ORDER BY rpm.region, pm.kind, pm.asset
-    `).all(...params);
+    `, params);
         res.json({ items: rows });
     });
-    app.post('/api/admin/region-payment-methods', (req, res) => {
+    app.post('/api/admin/region-payment-methods', async (req, res) => {
         const user = requireRootAdmin(req, res);
         if (!user)
             return;
@@ -229,7 +234,7 @@ export function registerPaymentsGovernanceRoutes(app, deps) {
         if (!/^[a-z_]{2,20}$/.test(region))
             return void res.status(400).json({ error: 'region 必须是 2-20 位 [a-z_]' });
         const method_id = String(b.method_id || '');
-        if (!db.prepare(`SELECT 1 FROM payment_methods WHERE id = ?`).get(method_id))
+        if (!(await dbOne(`SELECT 1 FROM payment_methods WHERE id = ?`, [method_id])))
             return void res.status(404).json({ error: 'method_id 不存在' });
         const direction = String(b.direction || 'both');
         if (!RPM_DIRECTIONS.has(direction))
@@ -245,24 +250,24 @@ export function registerPaymentsGovernanceRoutes(app, deps) {
         const notes = b.notes ? String(b.notes).slice(0, 200) : null;
         const id = generateId('rpm');
         try {
-            db.prepare(`INSERT INTO region_payment_methods (
+            await dbRun(`INSERT INTO region_payment_methods (
         id, region, method_id, direction, status, min_amount, max_amount, daily_cap, notes, updated_by
-      ) VALUES (?,?,?,?,?,?,?,?,?,?)`).run(id, region, method_id, direction, status, min_amount, max_amount, daily_cap, notes, user.id);
+      ) VALUES (?,?,?,?,?,?,?,?,?,?)`, [id, region, method_id, direction, status, min_amount, max_amount, daily_cap, notes, user.id]);
         }
         catch (e) {
             if (String(e).includes('UNIQUE'))
                 return void res.status(409).json({ error: '同一 region + method + direction 已存在' });
             throw e;
         }
-        logPaymentChange('region_mapping', id, 'create', null, { region, method_id, direction, status, min_amount, max_amount, daily_cap, notes }, user.id, String(b.reason || ''));
+        await logPaymentChange('region_mapping', id, 'create', null, { region, method_id, direction, status, min_amount, max_amount, daily_cap, notes }, user.id, String(b.reason || ''));
         res.json({ ok: true, id });
     });
-    app.put('/api/admin/region-payment-methods/:id', (req, res) => {
+    app.put('/api/admin/region-payment-methods/:id', async (req, res) => {
         const user = requireRootAdmin(req, res);
         if (!user)
             return;
         const id = req.params.id;
-        const existing = db.prepare(`SELECT * FROM region_payment_methods WHERE id = ?`).get(id);
+        const existing = await dbOne(`SELECT * FROM region_payment_methods WHERE id = ?`, [id]);
         if (!existing)
             return void res.status(404).json({ error: 'not_found' });
         const b = req.body;
@@ -289,23 +294,23 @@ export function registerPaymentsGovernanceRoutes(app, deps) {
             return void res.status(400).json({ error: 'min_amount 不能大于 max_amount' });
         const cols = Object.keys(updates).map(k => `${k} = ?`).join(', ');
         const vals = Object.values(updates);
-        db.prepare(`UPDATE region_payment_methods SET ${cols}, updated_at = datetime('now'), updated_by = ? WHERE id = ?`).run(...vals, user.id, id);
-        logPaymentChange('region_mapping', id, 'update', existing, { ...existing, ...updates }, user.id, String(b.reason || ''));
+        await dbRun(`UPDATE region_payment_methods SET ${cols}, updated_at = datetime('now'), updated_by = ? WHERE id = ?`, [...vals, user.id, id]);
+        await logPaymentChange('region_mapping', id, 'update', existing, { ...existing, ...updates }, user.id, String(b.reason || ''));
         res.json({ ok: true });
     });
-    app.delete('/api/admin/region-payment-methods/:id', (req, res) => {
+    app.delete('/api/admin/region-payment-methods/:id', async (req, res) => {
         const user = requireRootAdmin(req, res);
         if (!user)
             return;
         const id = req.params.id;
-        const existing = db.prepare(`SELECT * FROM region_payment_methods WHERE id = ?`).get(id);
+        const existing = await dbOne(`SELECT * FROM region_payment_methods WHERE id = ?`, [id]);
         if (!existing)
             return void res.status(404).json({ error: 'not_found' });
         if (existing.region === 'global' && existing.method_id === 'usdc_base') {
             return void res.status(400).json({ error: '默认协议映射 global × usdc_base 不可删除' });
         }
-        db.prepare(`DELETE FROM region_payment_methods WHERE id = ?`).run(id);
-        logPaymentChange('region_mapping', id, 'delete', existing, null, user.id, String((req.body || {}).reason || ''));
+        await dbRun(`DELETE FROM region_payment_methods WHERE id = ?`, [id]);
+        await logPaymentChange('region_mapping', id, 'delete', existing, null, user.id, String((req.body || {}).reason || ''));
         res.json({ ok: true });
     });
 }

package/dist/pwa/routes/peers.js

@@ -1,6 +1,8 @@
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerPeersRoutes(app, deps) {
-    const { db, auth } = deps;
-    app.post('/api/peers/heartbeat', (req, res) => {
+    // db 已走 RFC-016 异步 seam(dbOne/dbRun),不再直接用 deps.db
+    const { auth } = deps;
+    app.post('/api/peers/heartbeat', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
@@ -11,24 +13,23 @@ export function registerPeersRoutes(app, deps) {
         for (const h of hashes) {
             if (typeof h !== 'string' || !/^[a-f0-9]{64}$/.test(h))
                 continue;
-            const m = db.prepare("SELECT owner_id, status FROM manifest_registry WHERE hash = ?").get(h);
+            const m = await dbOne("SELECT owner_id, status FROM manifest_registry WHERE hash = ?", [h]);
             if (!m || m.status !== 'active')
                 continue;
             const isOwner = m.owner_id === me.id ? 1 : 0;
             const pinIntent = pinIntents.has(h) ? 1 : 0;
-            db.prepare(`INSERT INTO peer_directory (peer_id, manifest_hash, is_owner, pin_intent, last_heartbeat)
+            await dbRun(`INSERT INTO peer_directory (peer_id, manifest_hash, is_owner, pin_intent, last_heartbeat)
                   VALUES (?,?,?,?,?)
-                  ON CONFLICT(peer_id, manifest_hash) DO UPDATE SET is_owner=excluded.is_owner, pin_intent=excluded.pin_intent, last_heartbeat=excluded.last_heartbeat`)
-                .run(me.id, h, isOwner, pinIntent, now);
+                  ON CONFLICT(peer_id, manifest_hash) DO UPDATE SET is_owner=excluded.is_owner, pin_intent=excluded.pin_intent, last_heartbeat=excluded.last_heartbeat`, [me.id, h, isOwner, pinIntent, now]);
             registered++;
         }
         res.json({ ok: true, registered });
     });
-    app.delete('/api/peers/:hash', (req, res) => {
+    app.delete('/api/peers/:hash', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
-        db.prepare("DELETE FROM peer_directory WHERE peer_id = ? AND manifest_hash = ?").run(me.id, req.params.hash);
+        await dbRun("DELETE FROM peer_directory WHERE peer_id = ? AND manifest_hash = ?", [me.id, req.params.hash]);
         res.json({ ok: true });
     });
 }

package/dist/pwa/routes/pin-receipts.js

@@ -1,6 +1,8 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerPinReceiptsRoutes(app, deps) {
-    const { db, auth, generateId } = deps;
-    app.post('/api/pin-receipts', (req, res) => {
+    // db 已走 RFC-016 异步 seam(dbOne/dbAll/dbRun),不再直接用 deps.db
+    const { auth, generateId } = deps;
+    app.post('/api/pin-receipts', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
@@ -13,27 +15,25 @@ export function registerPinReceiptsRoutes(app, deps) {
         }
         if (pinner_id === me.id)
             return void res.json({ error: 'pinner 不能是自己' });
-        const m = db.prepare("SELECT 1 FROM manifest_registry WHERE hash = ? AND status = 'active'").get(manifest_hash);
+        const m = await dbOne("SELECT 1 FROM manifest_registry WHERE hash = ? AND status = 'active'", [manifest_hash]);
         if (!m)
             return void res.json({ error: 'manifest 不存在或已下架' });
-        const dup = db.prepare(`SELECT id FROM pin_receipts WHERE manifest_hash = ? AND pinner_id = ? AND recipient_id = ? AND served_at > datetime('now', '-1 day')`).get(manifest_hash, pinner_id, me.id);
+        const dup = await dbOne(`SELECT id FROM pin_receipts WHERE manifest_hash = ? AND pinner_id = ? AND recipient_id = ? AND served_at > datetime('now', '-1 day')`, [manifest_hash, pinner_id, me.id]);
         if (dup)
             return void res.json({ error: '24 小时内已有相同 pin 回执' });
         const id = generateId('pin');
-        db.prepare(`INSERT INTO pin_receipts (id, manifest_hash, pinner_id, recipient_id, bytes_served, served_at, pinner_sig, recipient_sig)
-                VALUES (?,?,?,?,?,?,?,?)`)
-            .run(id, manifest_hash, pinner_id, me.id, bytes_served, served_at, pinner_sig, recipient_sig);
-        db.prepare(`UPDATE peer_directory SET bytes_served_total = bytes_served_total + ? WHERE peer_id = ? AND manifest_hash = ?`)
-            .run(bytes_served, pinner_id, manifest_hash);
+        await dbRun(`INSERT INTO pin_receipts (id, manifest_hash, pinner_id, recipient_id, bytes_served, served_at, pinner_sig, recipient_sig)
+                VALUES (?,?,?,?,?,?,?,?)`, [id, manifest_hash, pinner_id, me.id, bytes_served, served_at, pinner_sig, recipient_sig]);
+        await dbRun(`UPDATE peer_directory SET bytes_served_total = bytes_served_total + ? WHERE peer_id = ? AND manifest_hash = ?`, [bytes_served, pinner_id, manifest_hash]);
         res.json({ ok: true, id });
     });
-    app.get('/api/pin-receipts/mine', (req, res) => {
+    app.get('/api/pin-receipts/mine', async (req, res) => {
         const me = auth(req, res);
         if (!me)
             return;
-        const earned = db.prepare(`SELECT COALESCE(SUM(rewarded_waz), 0) as total, COUNT(*) as count FROM pin_receipts WHERE pinner_id = ? AND rewarded_at IS NOT NULL`).get(me.id);
-        const pending = db.prepare(`SELECT COUNT(*) as n FROM pin_receipts WHERE pinner_id = ? AND rewarded_at IS NULL`).get(me.id);
-        const recent = db.prepare(`SELECT p.*, m.title as manifest_title FROM pin_receipts p LEFT JOIN manifest_registry m ON m.hash = p.manifest_hash WHERE p.pinner_id = ? ORDER BY p.served_at DESC LIMIT 20`).all(me.id);
+        const earned = (await dbOne(`SELECT COALESCE(SUM(rewarded_waz), 0) as total, COUNT(*) as count FROM pin_receipts WHERE pinner_id = ? AND rewarded_at IS NOT NULL`, [me.id]));
+        const pending = (await dbOne(`SELECT COUNT(*) as n FROM pin_receipts WHERE pinner_id = ? AND rewarded_at IS NULL`, [me.id]));
+        const recent = await dbAll(`SELECT p.*, m.title as manifest_title FROM pin_receipts p LEFT JOIN manifest_registry m ON m.hash = p.manifest_hash WHERE p.pinner_id = ? ORDER BY p.served_at DESC LIMIT 20`, [me.id]);
         res.json({ earned, pending_count: pending.n, recent });
     });
 }

package/dist/pwa/routes/products-aliases.js

@@ -1,4 +1,7 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerProductsAliasesRoutes(app, deps) {
+    // db 仍保留:用于 POST /aliases 的 db.transaction(TOCTOU 防护,better-sqlite3 事务须同步)。
+    // 其余只读/单写站点已走 RFC-016 异步 seam(dbOne/dbAll/dbRun)。
     const { db, auth, generateId, extractCandidateAliases } = deps;
     // M7.2-5: 从外部原文提取候选 alias
     app.post('/api/products/extract-aliases', (req, res) => {
@@ -14,24 +17,24 @@ export function registerProductsAliasesRoutes(app, deps) {
         res.json({ candidates, hint: '勾选要声明为该商品 alias 的项目（≥ 6 字符；过短或过通用的项会被反作弊机制挑战）' });
     });
     // M7.2-7: alias CRUD（仅商品 owner）
-    app.get('/api/products/:id/aliases', (req, res) => {
+    app.get('/api/products/:id/aliases', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const p = db.prepare('SELECT seller_id FROM products WHERE id = ?').get(req.params.id);
+        const p = await dbOne('SELECT seller_id FROM products WHERE id = ?', [req.params.id]);
         if (!p)
             return void res.status(404).json({ error: '商品不存在' });
         if (p.seller_id !== user.id)
             return void res.status(403).json({ error: '仅商品 owner 可查看 alias' });
-        const rows = db.prepare(`SELECT id, alias_type, alias_value, min_match_chars, status, challenged_at, created_at
-      FROM product_aliases WHERE product_id = ? ORDER BY created_at DESC`).all(req.params.id);
+        const rows = await dbAll(`SELECT id, alias_type, alias_value, min_match_chars, status, challenged_at, created_at
+      FROM product_aliases WHERE product_id = ? ORDER BY created_at DESC`, [req.params.id]);
         res.json({ aliases: rows });
     });
-    app.post('/api/products/:id/aliases', (req, res) => {
+    app.post('/api/products/:id/aliases', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const p = db.prepare('SELECT seller_id, title FROM products WHERE id = ?').get(req.params.id);
+        const p = await dbOne('SELECT seller_id, title FROM products WHERE id = ?', [req.params.id]);
         if (!p)
             return void res.status(404).json({ error: '商品不存在' });
         if (p.seller_id !== user.id)
@@ -103,17 +106,16 @@ export function registerProductsAliasesRoutes(app, deps) {
         }
         res.json({ inserted: inserted.length, skipped });
     });
-    app.delete('/api/products/:id/aliases/:aliasId', (req, res) => {
+    app.delete('/api/products/:id/aliases/:aliasId', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const p = db.prepare('SELECT seller_id FROM products WHERE id = ?').get(req.params.id);
+        const p = await dbOne('SELECT seller_id FROM products WHERE id = ?', [req.params.id]);
         if (!p)
             return void res.status(404).json({ error: '商品不存在' });
         if (p.seller_id !== user.id)
             return void res.status(403).json({ error: '仅商品 owner 可删除 alias' });
-        const r = db.prepare(`UPDATE product_aliases SET status = 'revoked' WHERE id = ? AND product_id = ?`)
-            .run(req.params.aliasId, req.params.id);
+        const r = await dbRun(`UPDATE product_aliases SET status = 'revoked' WHERE id = ? AND product_id = ?`, [req.params.aliasId, req.params.id]);
         res.json({ success: r.changes > 0 });
     });
 }

package/dist/pwa/routes/products-claims.js

@@ -1,6 +1,9 @@
+import { dbOne, dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerProductsClaimsRoutes(app, deps) {
+    // 只读/单写站点走 RFC-016 异步 seam;db 保留:claim 是质押/escrow 资金路径,
+    // dup 门 + 钱包扣减 + INSERT 任务必须原子(db.transaction),Phase 3 迁 pg 行锁。
     const { db, auth, isTrustedRole, errorRes, generateId, PRODUCT_CLAIM_TARGETS, PRODUCT_CLAIM_STAKE_DEFAULT, PRODUCT_CLAIM_DEADLINE_HOURS, PRODUCT_CLAIM_VERIFIERS_NEEDED } = deps;
-    app.post('/api/products/:id/claim', (req, res) => {
+    app.post('/api/products/:id/claim', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -8,7 +11,7 @@ export function registerProductsClaimsRoutes(app, deps) {
         if (isTrustedRole(user)) {
             return void errorRes(res, 403, 'TRUSTED_ROLE_NO_CLAIM', '受信角色不可发起商品声明');
         }
-        const product = db.prepare('SELECT * FROM products WHERE id = ?').get(req.params.id);
+        const product = await dbOne('SELECT * FROM products WHERE id = ?', [req.params.id]);
         if (!product)
             return void res.status(404).json({ error: '商品不存在' });
         if (product.seller_id === user.id)
@@ -24,29 +27,45 @@ export function registerProductsClaimsRoutes(app, deps) {
             return void res.status(400).json({ error: 'claim_text 长度需 6-500 字' });
         }
         const evidence_uri = req.body?.evidence_uri ? String(req.body.evidence_uri).trim().slice(0, 500) : null;
-        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        // 友好预检查(读):真正的守恒门在事务内(WHERE balance >= stake)。
+        const wallet = await dbOne('SELECT balance FROM wallets WHERE user_id = ?', [user.id]);
         const stake = PRODUCT_CLAIM_STAKE_DEFAULT;
         if (!wallet || wallet.balance < stake) {
             return void res.status(400).json({ error: `余额不足：发起需锁 ${stake} WAZ，当前 ${wallet?.balance ?? 0} WAZ` });
         }
-        // 同用户对同商品同 target 只能挂一个 open claim
-        const dup = db.prepare(`SELECT id FROM product_claim_tasks WHERE product_id = ? AND claimant_id = ? AND claim_target = ? AND status = 'open'`)
-            .get(req.params.id, user.id, claim_target);
-        if (dup)
-            return void res.status(409).json({ error: '你已对此商品的同一项发起过 open 声明' });
         const id = generateId('pct');
         const deadline = new Date(Date.now() + PRODUCT_CLAIM_DEADLINE_HOURS * 3600_000).toISOString();
-        db.prepare(`INSERT INTO product_claim_tasks
-      (id, product_id, claimant_id, seller_id, claim_target, claim_text, evidence_uri, stake_claimant, deadline_at, status)
-      VALUES (?,?,?,?,?,?,?,?,?,'open')`)
-            .run(id, req.params.id, user.id, product.seller_id, claim_target, claim_text, evidence_uri, stake, deadline);
-        db.prepare('UPDATE wallets SET balance = balance - ?, escrowed = escrowed + ? WHERE user_id = ?')
-            .run(stake, stake, user.id);
+        // 质押/escrow 原子段(同步事务):dup 门 + 钱包扣减(守恒 guard)+ INSERT 任务。
+        try {
+            db.transaction(() => {
+                const dup = db.prepare(`SELECT id FROM product_claim_tasks WHERE product_id = ? AND claimant_id = ? AND claim_target = ? AND status = 'open'`)
+                    .get(req.params.id, user.id, claim_target);
+                if (dup)
+                    throw new Error('CLAIM_DUP');
+                const debit = db.prepare('UPDATE wallets SET balance = balance - ?, escrowed = escrowed + ? WHERE user_id = ? AND balance >= ?')
+                    .run(stake, stake, user.id, stake);
+                if (debit.changes === 0)
+                    throw new Error('CLAIM_INSUFFICIENT');
+                db.prepare(`INSERT INTO product_claim_tasks
+          (id, product_id, claimant_id, seller_id, claim_target, claim_text, evidence_uri, stake_claimant, deadline_at, status)
+          VALUES (?,?,?,?,?,?,?,?,?,'open')`)
+                    .run(id, req.params.id, user.id, product.seller_id, claim_target, claim_text, evidence_uri, stake, deadline);
+            })();
+        }
+        catch (e) {
+            const msg = e.message;
+            if (msg === 'CLAIM_DUP')
+                return void res.status(409).json({ error: '你已对此商品的同一项发起过 open 声明' });
+            if (msg === 'CLAIM_INSUFFICIENT')
+                return void res.status(400).json({ error: `余额不足：发起需锁 ${stake} WAZ` });
+            console.error('[products-claims tx]', msg);
+            return void res.status(500).json({ error: '发起声明失败,请重试' });
+        }
         res.json({ success: true, claim_id: id, deadline_at: deadline, stake_locked: stake });
     });
     // 公开：列出某商品的全部声明（含已结算）
-    app.get('/api/products/:id/claims', (req, res) => {
-        const rows = db.prepare(`
+    app.get('/api/products/:id/claims', async (req, res) => {
+        const rows = await dbAll(`
       SELECT pct.id, pct.claim_target, pct.claim_text, pct.evidence_uri, pct.status, pct.ruling, pct.deadline_at, pct.resolved_at, pct.created_at,
              u.name as claimant_name,
              (SELECT COUNT(*) FROM product_claim_votes WHERE claim_id = pct.id) as votes_count
@@ -54,7 +73,7 @@ export function registerProductsClaimsRoutes(app, deps) {
       JOIN users u ON u.id = pct.claimant_id
       WHERE pct.product_id = ?
       ORDER BY pct.created_at DESC LIMIT 50
-    `).all(req.params.id);
+    `, [req.params.id]);
         res.json({ claims: rows, votes_needed: PRODUCT_CLAIM_VERIFIERS_NEEDED });
     });
 }