@seasonkoh/webaz 0.1.24 → 0.1.26

package/dist/pwa/routes/products-meta.js

@@ -1,32 +1,34 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerProductsMetaRoutes(app, deps) {
     const { db, auth, generateId, rateLimitOk, flagNewAccountShareable, refreshProductSharerCount } = deps;
+    void db; // RFC-016: 本文件已全量走异步 seam;db 仍在 deps 由调用方注入,此处不直接使用
     const PH_RATE = 60; // 每 IP/分钟 60 次
     const PH_MIN_SAMPLE = 5;
-    app.get('/api/products/:id/price-history', (req, res) => {
+    app.get('/api/products/:id/price-history', async (req, res) => {
         const ip = req.ip || 'unknown';
         if (!rateLimitOk(`ph:${ip}`, PH_RATE, 60_000))
             return void res.status(429).json({ error: 'rate-limited' });
-        const p = db.prepare("SELECT id, price as current_price, category, category_id FROM products WHERE id = ?").get(req.params.id);
+        const p = await dbOne("SELECT id, price as current_price, category, category_id FROM products WHERE id = ?", [req.params.id]);
         if (!p)
             return void res.status(404).json({ error: 'not_found' });
-        const lifetimeCount = db.prepare(`SELECT COUNT(1) as n FROM orders WHERE product_id = ? AND status = 'completed'`).get(req.params.id).n;
+        const lifetimeCount = (await dbOne(`SELECT COUNT(1) as n FROM orders WHERE product_id = ? AND status = 'completed'`, [req.params.id])).n;
         if (lifetimeCount < PH_MIN_SAMPLE) {
             return void res.json({ product_id: req.params.id, current_price: p.current_price, insufficient_data: true, lifetime_sales: lifetimeCount, min_sample: PH_MIN_SAMPLE });
         }
-        function aggregateWindow(days) {
+        async function aggregateWindow(days) {
             const where = days != null
                 ? `product_id = ? AND status = 'completed' AND created_at > datetime('now', '-' || ? || ' days')`
                 : `product_id = ? AND status = 'completed'`;
             const args = days != null ? [req.params.id, days] : [req.params.id];
-            const row = db.prepare(`
+            const row = (await dbOne(`
         SELECT COUNT(1) as sales, COALESCE(SUM(total_amount), 0) as volume,
           COALESCE(AVG(unit_price), 0) as avg
         FROM orders WHERE ${where}
-      `).get(...args);
+      `, args));
             if (row.sales === 0)
                 return { sales: 0, volume: 0, avg: 0, median: 0, p25: 0, p75: 0 };
             // SQLite 无 percentile 函数；P1 fix #1: LIMIT 5000 防爆
-            const prices = db.prepare(`SELECT unit_price FROM orders WHERE ${where} ORDER BY unit_price ASC LIMIT 5000`).all(...args).map(r => Number(r.unit_price));
+            const prices = (await dbAll(`SELECT unit_price FROM orders WHERE ${where} ORDER BY unit_price ASC LIMIT 5000`, args)).map(r => Number(r.unit_price));
             // P1 fix #2: 真百分位（linear interp）
             const pct = (frac) => {
                 if (!prices.length)
@@ -48,15 +50,15 @@ export function registerProductsMetaRoutes(app, deps) {
                 p75: pct(0.75),
             };
         }
-        const d30 = aggregateWindow(30);
-        const d90 = aggregateWindow(90);
-        const lifetime = aggregateWindow(null);
+        const d30 = await aggregateWindow(30);
+        const d90 = await aggregateWindow(90);
+        const lifetime = await aggregateWindow(null);
         // 价位分布（90 天内，最多 20 个 bucket）
-        const buckets = db.prepare(`
+        const buckets = await dbAll(`
       SELECT unit_price as price, COUNT(1) as count, COALESCE(SUM(quantity), COUNT(1)) as qty
       FROM orders WHERE product_id = ? AND status = 'completed' AND created_at > datetime('now', '-90 days')
       GROUP BY unit_price ORDER BY unit_price ASC LIMIT 20
-    `).all(req.params.id);
+    `, [req.params.id]);
         const totalBucketSales = buckets.reduce((s, b) => s + b.count, 0) || 1;
         const priceBuckets = buckets.map(b => ({
             price: Number(b.price),
@@ -65,11 +67,11 @@ export function registerProductsMetaRoutes(app, deps) {
             pct: Math.round((b.count / totalBucketSales) * 10000) / 100,
         }));
         // 30 日日均价 sparkline — P1 fix #4: 单日 sales=1 不返回 avg（防反查买家身份）
-        const daily = db.prepare(`
+        const daily = await dbAll(`
       SELECT substr(created_at, 1, 10) as date, COUNT(1) as sales, AVG(unit_price) as avg
       FROM orders WHERE product_id = ? AND status = 'completed' AND created_at > datetime('now', '-30 days')
       GROUP BY date ORDER BY date ASC
-    `).all(req.params.id);
+    `, [req.params.id]);
         const dailyAvg = daily.map(d => ({
             date: d.date,
             sales: d.sales,
@@ -78,10 +80,10 @@ export function registerProductsMetaRoutes(app, deps) {
         // 同类目近 30 天均价对照（cat_default 不算 meaningful）
         let categoryAvg30d = null;
         if (p.category_id && p.category_id !== 'cat_default') {
-            const row = db.prepare(`
+            const row = (await dbOne(`
         SELECT AVG(o.unit_price) as avg FROM orders o JOIN products p ON p.id = o.product_id
         WHERE p.category_id = ? AND o.status = 'completed' AND o.created_at > datetime('now', '-30 days')
-      `).get(p.category_id);
+      `, [p.category_id]));
             categoryAvg30d = row.avg != null ? Math.round(Number(row.avg) * 100) / 100 : null;
         }
         // 异常预警
@@ -104,23 +106,23 @@ export function registerProductsMetaRoutes(app, deps) {
         });
     });
     // 公开预览：未登录可调，返回最小公开信息（分享 banner 用）
-    app.get('/api/products/:id/preview', (req, res) => {
-        const row = db.prepare(`
+    app.get('/api/products/:id/preview', async (req, res) => {
+        const row = await dbOne(`
       SELECT p.id, p.title, p.price, p.category, u.name as seller_name
       FROM products p
       JOIN users u ON p.seller_id = u.id
       WHERE p.id = ? AND p.status = 'active'
-    `).get(req.params.id);
+    `, [req.params.id]);
         if (!row)
             return void res.status(404).json({ error: 'not_found' });
         res.json(row);
     });
     // 分享许可：是否对该商品有 completed 订单
-    app.get('/api/products/:id/can-share', (req, res) => {
+    app.get('/api/products/:id/can-share', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const completed = db.prepare("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND product_id = ? AND status = 'completed'").get(user.id, req.params.id).n;
+        const completed = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND product_id = ? AND status = 'completed'", [user.id, req.params.id])).n;
         res.json({
             can_share: completed > 0,
             completed_orders: completed,
@@ -128,22 +130,22 @@ export function registerProductsMetaRoutes(app, deps) {
         });
     });
     // 获取或创建商品 shareable（被 sharePromoLink 用，走 /s/<id> 短链）
-    app.post('/api/products/:id/get-or-create-share', (req, res) => {
+    app.post('/api/products/:id/get-or-create-share', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const productId = req.params.id;
         // RFC-002 §3.5 valuation-layer gate — share_link generation requires opt-in
-        const optIn = db.prepare("SELECT rewards_opted_in FROM users WHERE id = ?").get(user.id)?.rewards_opted_in ?? 0;
+        const optIn = (await dbOne("SELECT rewards_opted_in FROM users WHERE id = ?", [user.id]))?.rewards_opted_in ?? 0;
         if (optIn !== 1) {
-            const getParam = (key, def) => {
-                const r = db.prepare("SELECT value FROM protocol_params WHERE key = ?").get(key);
+            const getParam = async (key, def) => {
+                const r = await dbOne("SELECT value FROM protocol_params WHERE key = ?", [key]);
                 return r ? Number(r.value) : def;
             };
-            const minOrders = getParam('rewards_opt_in.min_completed_orders', 1);
-            const requirePasskey = getParam('rewards_opt_in.require_passkey', 1);
-            const totalCompleted = db.prepare("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'").get(user.id).n;
-            const passkeyCount = db.prepare("SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?").get(user.id).n;
+            const minOrders = await getParam('rewards_opt_in.min_completed_orders', 1);
+            const requirePasskey = await getParam('rewards_opt_in.require_passkey', 1);
+            const totalCompleted = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND status = 'completed'", [user.id])).n;
+            const passkeyCount = (await dbOne("SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?", [user.id])).n;
             const missing = [];
             if (totalCompleted < minOrders)
                 missing.push(`completed_orders ${totalCompleted}/${minOrders}`);
@@ -153,31 +155,30 @@ export function registerProductsMetaRoutes(app, deps) {
                 missing.push('application_not_submitted');
             return void res.status(403).json({
                 error: 'rewards_opt_in_required',
-                message_zh: '生成分享链接属于估值层操作 — 需先申请共建身份(RFC-002)',
-                message_en: 'Share-link generation is a valuation-layer action — requires builder-identity opt-in (RFC-002)',
+                message_zh: '生成分享链接属于估值层操作 — 需先开通分享分润 / share-commission opt-in(RFC-002)',
+                message_en: 'Share-link generation is a valuation-layer (rewards / share-link) action, NOT a contribution gate — requires rewards / share-commission opt-in (RFC-002)',
                 missing_requirements: missing,
                 next_steps: [
-                    'Open PWA #me → tap "申请共建身份 / Apply for builder identity"',
+                    'Open PWA #me → tap "申请分享分润 / Enable share-commission opt-in"',
                     'Read the 8-second disclosure (cannot skip)',
                     'Submit application — pre-checks run server-side',
                 ],
             });
         }
-        const completed = db.prepare("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND product_id = ? AND status = 'completed'").get(user.id, productId).n;
+        const completed = (await dbOne("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND product_id = ? AND status = 'completed'", [user.id, productId])).n;
         if (completed === 0)
             return void res.json({ error: '需先完成该商品的购买才能分享', completed_orders: 0 });
         // 优先复用现有 active shareable
-        const existing = db.prepare(`SELECT id, owner_code FROM shareables WHERE owner_id = ? AND related_product_id = ? AND status = 'active' LIMIT 1`).get(user.id, productId);
+        const existing = await dbOne(`SELECT id, owner_code FROM shareables WHERE owner_id = ? AND related_product_id = ? AND status = 'active' LIMIT 1`, [user.id, productId]);
         if (existing) {
             return void res.json({ ok: true, shareable_id: existing.id, owner_code: existing.owner_code, short_url: `/s/${existing.id}`, reused: true });
         }
         // 创建新 shareable（纯商品分享：无外链，无 native，仅绑 product_id）
         const id = generateId('shr');
-        const ownerCode = db.prepare("SELECT permanent_code FROM users WHERE id = ?").get(user.id)?.permanent_code || null;
-        const product = db.prepare("SELECT title FROM products WHERE id = ?").get(productId);
-        db.prepare(`INSERT INTO shareables (id, owner_id, type, title, related_product_id, owner_code)
-                VALUES (?,?,?,?,?,?)`)
-            .run(id, user.id, 'product_promo', product?.title || null, productId, ownerCode);
+        const ownerCode = (await dbOne("SELECT permanent_code FROM users WHERE id = ?", [user.id]))?.permanent_code || null;
+        const product = await dbOne("SELECT title FROM products WHERE id = ?", [productId]);
+        await dbRun(`INSERT INTO shareables (id, owner_id, type, title, related_product_id, owner_code)
+                VALUES (?,?,?,?,?,?)`, [id, user.id, 'product_promo', product?.title || null, productId, ownerCode]);
         flagNewAccountShareable(id, user.id);
         refreshProductSharerCount(productId);
         res.json({ ok: true, shareable_id: id, owner_code: ownerCode, short_url: `/s/${id}`, reused: false });

package/dist/pwa/routes/products-update.js

@@ -1,10 +1,12 @@
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerProductsUpdateRoutes(app, deps) {
-    const { db, auth, makeCommitmentHash, makeDescriptionHash, makePriceHash, notifyWaitlist, notifyWishlistPriceDrop, checkStockAndMaybeDelist } = deps;
-    app.put('/api/products/:id', (req, res) => {
+    // db 已走 RFC-016 异步 seam(dbOne/dbRun),不再直接用 deps.db
+    const { auth, makeCommitmentHash, makeDescriptionHash, makePriceHash, notifyWaitlist, notifyWishlistPriceDrop, checkStockAndMaybeDelist } = deps;
+    app.put('/api/products/:id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const product = db.prepare('SELECT * FROM products WHERE id = ? AND seller_id = ?').get(req.params.id, user.id);
+        const product = await dbOne('SELECT * FROM products WHERE id = ? AND seller_id = ?', [req.params.id, user.id]);
         if (!product)
             return void res.status(404).json({ error: '商品不存在或无权限' });
         const { title, description, price, stock, specs, brand, model, handling_hours, ship_regions, estimated_days, fragile, return_days, return_condition, warranty_days, low_stock_threshold, auto_delist_on_zero, origin_claims, i18n_titles, i18n_descs, } = req.body;
@@ -81,7 +83,7 @@ export function registerProductsUpdateRoutes(app, deps) {
         const descsResult = validateI18n(i18n_descs);
         const newI18nTitles = titlesResult === undefined ? product.i18n_titles : titlesResult;
         const newI18nDescs = descsResult === undefined ? product.i18n_descs : descsResult;
-        db.prepare(`UPDATE products SET
+        await dbRun(`UPDATE products SET
       title=?, description=?, price=?, stock=?,
       specs=?, brand=?, model=?, handling_hours=?, ship_regions=?,
       estimated_days=?, fragile=?, return_days=?, return_condition=?, warranty_days=?,
@@ -91,7 +93,19 @@ export function registerProductsUpdateRoutes(app, deps) {
       i18n_titles=?, i18n_descs=?,
       commitment_hash=?, description_hash=?, price_hash=?, hashed_at=?,
       updated_at=datetime('now')
-      WHERE id=?`).run(newTitle, newDesc, newPrice, newStock, specsJson, brand ?? product.brand, model ?? product.model, newHandling, newShipRegions, newEstDays, newFragile, newReturnDays, newReturnCond, newWarranty, newLowThreshold, newAutoDelist, resetAlert, newOriginClaims, newI18nTitles, newI18nDescs, makeCommitmentHash(pFields), makeDescriptionHash({ title: newTitle, description: newDesc, specs: specsJson }), makePriceHash(newPrice, now), now, req.params.id);
+      WHERE id=?`, [
+            newTitle, newDesc, newPrice, newStock,
+            specsJson, brand ?? product.brand, model ?? product.model,
+            newHandling, newShipRegions, newEstDays, newFragile,
+            newReturnDays, newReturnCond, newWarranty,
+            newLowThreshold, newAutoDelist, resetAlert,
+            newOriginClaims,
+            newI18nTitles, newI18nDescs,
+            makeCommitmentHash(pFields),
+            makeDescriptionHash({ title: newTitle, description: newDesc, specs: specsJson }),
+            makePriceHash(newPrice, now), now,
+            req.params.id
+        ]);
         // Wave B-2: stock 从 0 → 正数时通知 waitlist 用户
         if (oldStock === 0 && Number(newStock) > 0) {
             try {

package/dist/pwa/routes/profile-credentials.js

@@ -1,8 +1,10 @@
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 export function registerProfileCredentialsRoutes(app, deps) {
-    const { db, auth, verifyPassword, hashPassword, issueCode, findActiveCode, IS_DEV, MAX_CODE_ATTEMPTS } = deps;
+    // db 已全量走 RFC-016 异步 seam(dbOne/dbRun),不再直接用 deps.db
+    const { auth, verifyPassword, hashPassword, issueCode, findActiveCode, MAX_CODE_ATTEMPTS } = deps;
     // 设置 / 修改密码
-    app.post('/api/profile/set-password', (req, res) => {
+    app.post('/api/profile/set-password', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -19,8 +21,7 @@ export function registerProfileCredentialsRoutes(app, deps) {
             }
         }
         const hash = hashPassword(String(new_password));
-        db.prepare("UPDATE users SET password_hash = ?, failed_attempts = 0, locked_until = NULL, updated_at = datetime('now') WHERE id = ?")
-            .run(hash, user.id);
+        await dbRun("UPDATE users SET password_hash = ?, failed_attempts = 0, locked_until = NULL, updated_at = datetime('now') WHERE id = ?", [hash, user.id]);
         res.json({ success: true });
     });
     // 验证密码（显示 API Key 前的二次确认）
@@ -39,7 +40,7 @@ export function registerProfileCredentialsRoutes(app, deps) {
         res.json({ ok: true });
     });
     // 移除密码（恢复只用 API Key 模式）
-    app.post('/api/profile/remove-password', (req, res) => {
+    app.post('/api/profile/remove-password', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -49,12 +50,11 @@ export function registerProfileCredentialsRoutes(app, deps) {
         if (!current_password || !verifyPassword(String(current_password), user.password_hash)) {
             return void res.json({ error: '密码错误' });
         }
-        db.prepare("UPDATE users SET password_hash = NULL, updated_at = datetime('now') WHERE id = ?")
-            .run(user.id);
+        await dbRun("UPDATE users SET password_hash = NULL, updated_at = datetime('now') WHERE id = ?", [user.id]);
         res.json({ success: true });
     });
     // 绑定邮箱 — 步骤 1：发码
-    app.post('/api/profile/bind-email', (req, res) => {
+    app.post('/api/profile/bind-email', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -62,19 +62,22 @@ export function registerProfileCredentialsRoutes(app, deps) {
         if (!email?.trim() || !EMAIL_RE.test(email.trim()))
             return void res.json({ error: '邮箱格式无效' });
         const target = email.trim().toLowerCase();
-        const dup = db.prepare("SELECT 1 FROM users WHERE email = ? AND id != ? LIMIT 1").get(target, user.id);
+        const dup = await dbOne("SELECT 1 FROM users WHERE email = ? AND id != ? LIMIT 1", [target, user.id]);
         if (dup)
             return void res.json({ error: '该邮箱已被其他账户绑定' });
-        const { expires_at, code } = issueCode(user.id, 'email', target, 'bind_email');
+        const issued = await issueCode(user.id, 'email', target, 'bind_email');
+        if (!issued.ok) {
+            return void res.status(issued.status).json({ error: issued.error, error_code: issued.error_code });
+        }
         res.json({
             success: true,
             target_hint: target.replace(/^(.).*(@.*)$/, '$1***$2'),
-            expires_at,
-            ...(IS_DEV ? { dev_code: code } : {}),
+            expires_at: issued.expires_at,
+            ...(issued.provider === 'dev_console' ? { dev_code: issued.code } : {}),
         });
     });
     // 绑定邮箱 — 步骤 2：确认验证码
-    app.post('/api/profile/confirm-email', (req, res) => {
+    app.post('/api/profile/confirm-email', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -90,16 +93,14 @@ export function registerProfileCredentialsRoutes(app, deps) {
         if (String(row.code) !== code.trim()) {
             const attempts = row.attempts + 1;
             if (attempts >= MAX_CODE_ATTEMPTS) {
-                db.prepare("UPDATE verification_codes SET attempts = ?, used_at = datetime('now') WHERE id = ?")
-                    .run(attempts, row.id);
+                await dbRun("UPDATE verification_codes SET attempts = ?, used_at = datetime('now') WHERE id = ?", [attempts, row.id]);
                 return void res.json({ error: '错误次数过多，验证码已作废，请重新获取' });
             }
-            db.prepare("UPDATE verification_codes SET attempts = ? WHERE id = ?").run(attempts, row.id);
+            await dbRun("UPDATE verification_codes SET attempts = ? WHERE id = ?", [attempts, row.id]);
             return void res.json({ error: `验证码错误（剩余 ${MAX_CODE_ATTEMPTS - attempts} 次）` });
         }
-        db.prepare("UPDATE verification_codes SET used_at = datetime('now') WHERE id = ?").run(row.id);
-        db.prepare("UPDATE users SET email = ?, email_verified = 1, updated_at = datetime('now') WHERE id = ?")
-            .run(target, user.id);
+        await dbRun("UPDATE verification_codes SET used_at = datetime('now') WHERE id = ?", [row.id]);
+        await dbRun("UPDATE users SET email = ?, email_verified = 1, updated_at = datetime('now') WHERE id = ?", [target, user.id]);
         res.json({ success: true, email: target });
     });
 }

package/dist/pwa/routes/profile-identity.js

@@ -1,7 +1,10 @@
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 const ROLE_LOCKED_ROLES = ['admin', 'verifier'];
 const VALID_REGIONS = new Set(['china', 'us', 'eu', 'india', 'singapore', 'global_north', 'global']);
 const HANDLE_BASE_COOLDOWN_MONTHS = 12;
 export function registerProfileIdentityRoutes(app, deps) {
+    // db 仍保留:用于 add-role 的 db.transaction(re-read+write 防丢更新,better-sqlite3 事务须同步)。
+    // 其余站点已走 RFC-016 异步 seam(dbOne/dbRun)。
     const { db, generateId, auth, safeRoles } = deps;
     app.post('/api/profile/add-role', (req, res) => {
         const user = auth(req, res);
@@ -48,7 +51,7 @@ export function registerProfileIdentityRoutes(app, deps) {
             return void res.json({ error: '已拥有该角色' });
         res.json({ success: true, roles: finalRoles });
     });
-    app.post('/api/profile/switch-role', (req, res) => {
+    app.post('/api/profile/switch-role', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -63,10 +66,10 @@ export function registerProfileIdentityRoutes(app, deps) {
                 hint: '权责分离原则；如需买卖请用其他账号。'
             });
         }
-        db.prepare("UPDATE users SET role = ?, updated_at = datetime('now') WHERE id = ?").run(role, user.id);
+        await dbRun("UPDATE users SET role = ?, updated_at = datetime('now') WHERE id = ?", [role, user.id]);
         res.json({ success: true, role, roles });
     });
-    app.post('/api/profile/region', (req, res) => {
+    app.post('/api/profile/region', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -79,7 +82,7 @@ export function registerProfileIdentityRoutes(app, deps) {
             return void res.json({ success: true, region, unchanged: true });
         }
         // 30 天冷却（防规避 MLM 合规 + 历史 commission 已按当时 region 快照结算）
-        const lastChange = db.prepare(`SELECT created_at FROM region_change_log WHERE user_id = ? ORDER BY created_at DESC LIMIT 1`).get(user.id);
+        const lastChange = await dbOne(`SELECT created_at FROM region_change_log WHERE user_id = ? ORDER BY created_at DESC LIMIT 1`, [user.id]);
         if (lastChange) {
             const sinceMs = Date.now() - new Date(lastChange.created_at + 'Z').getTime();
             const COOLDOWN_MS = 30 * 24 * 3600 * 1000;
@@ -91,13 +94,12 @@ export function registerProfileIdentityRoutes(app, deps) {
                 });
             }
         }
-        db.prepare("UPDATE users SET region = ?, updated_at = datetime('now') WHERE id = ?").run(region, user.id);
+        await dbRun("UPDATE users SET region = ?, updated_at = datetime('now') WHERE id = ?", [region, user.id]);
         const ip = req.ip || '';
-        db.prepare(`INSERT INTO region_change_log (id, user_id, from_region, to_region, ip) VALUES (?,?,?,?,?)`)
-            .run(generateId('rcl'), user.id, fromRegion, region, ip || null);
+        await dbRun(`INSERT INTO region_change_log (id, user_id, from_region, to_region, ip) VALUES (?,?,?,?,?)`, [generateId('rcl'), user.id, fromRegion, region, ip || null]);
         res.json({ success: true, region });
     });
-    app.post('/api/profile/change-name', (req, res) => {
+    app.post('/api/profile/change-name', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -110,11 +112,11 @@ export function registerProfileIdentityRoutes(app, deps) {
         if (trimmed === user.name)
             return void res.json({ error: '新昵称与当前相同' });
         // 昵称可重复（唯一标识由 handle / permanent_code 承担）
-        db.prepare("UPDATE users SET name = ?, updated_at = datetime('now') WHERE id = ?").run(trimmed, user.id);
+        await dbRun("UPDATE users SET name = ?, updated_at = datetime('now') WHERE id = ?", [trimmed, user.id]);
         res.json({ success: true, name: trimmed });
     });
     // 改 handle：累进式冷却 — 第 N 次改需距上次 N × 12 月
-    app.post('/api/profile/change-handle', (req, res) => {
+    app.post('/api/profile/change-handle', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -155,13 +157,12 @@ export function registerProfileIdentityRoutes(app, deps) {
             }
         }
         // 唯一性
-        const dup = db.prepare("SELECT 1 FROM users WHERE handle = ? AND id != ?").get(raw, user.id);
+        const dup = await dbOne("SELECT 1 FROM users WHERE handle = ? AND id != ?", [raw, user.id]);
         if (dup)
             return void res.json({ error: '该用户名已被占用' });
         log.push({ at: new Date().toISOString().slice(0, 19).replace('T', ' '), from: String(user.handle || '') });
         // 全量保留 — 累进式冷却需要完整历史
-        db.prepare(`UPDATE users SET handle = ?, handle_last_created_at = datetime('now'), handle_change_log = ?, updated_at = datetime('now') WHERE id = ?`)
-            .run(raw, JSON.stringify(log), user.id);
+        await dbRun(`UPDATE users SET handle = ?, handle_last_created_at = datetime('now'), handle_change_log = ?, updated_at = datetime('now') WHERE id = ?`, [raw, JSON.stringify(log), user.id]);
         const nextRequiredMonths = (N + 1) * HANDLE_BASE_COOLDOWN_MONTHS;
         res.json({
             success: true,

package/dist/pwa/routes/profile-location.js

@@ -1,11 +1,13 @@
+import { dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 function quantizeCoord(value, precision_deg) {
     // 例：precision=0.1 → factor=10；precision=0.05 → factor=20
     const factor = 1 / precision_deg;
     return Math.round(value * factor) / factor;
 }
 export function registerProfileLocationRoutes(app, deps) {
-    const { db, auth, getNearbyCellPrecision } = deps;
-    app.post('/api/profile/set-location', (req, res) => {
+    // db 已全量走 RFC-016 异步 seam(dbRun),不再直接用 deps.db
+    const { auth, getNearbyCellPrecision } = deps;
+    app.post('/api/profile/set-location', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -21,15 +23,14 @@ export function registerProfileLocationRoutes(app, deps) {
         // 服务端截断（防客户端传精确坐标）
         const lat = quantizeCoord(rawLat, precision_deg);
         const lng = quantizeCoord(rawLng, precision_deg);
-        db.prepare("UPDATE users SET geo_lat = ?, geo_lng = ?, geo_updated_at = datetime('now'), updated_at = datetime('now') WHERE id = ?")
-            .run(lat, lng, user.id);
+        await dbRun("UPDATE users SET geo_lat = ?, geo_lng = ?, geo_updated_at = datetime('now'), updated_at = datetime('now') WHERE id = ?", [lat, lng, user.id]);
         res.json({ ok: true, lat, lng, precision_deg, approx_km });
     });
-    app.post('/api/profile/clear-location', (req, res) => {
+    app.post('/api/profile/clear-location', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        db.prepare("UPDATE users SET geo_lat = NULL, geo_lng = NULL, geo_updated_at = NULL WHERE id = ?").run(user.id);
+        await dbRun("UPDATE users SET geo_lat = NULL, geo_lng = NULL, geo_updated_at = NULL WHERE id = ?", [user.id]);
         res.json({ ok: true });
     });
 }

package/dist/pwa/routes/profile-placement.js

@@ -1,10 +1,12 @@
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerProfilePlacementRoutes(app, deps) {
-    const { db, auth, internalAuditorId, resolveUserRef, pickPreferredSide, joinPowerLeg } = deps;
-    app.get('/api/profile/placement-status', (req, res) => {
+    // db 已全量走 RFC-016 异步 seam(dbOne/dbRun),不再直接用 deps.db
+    const { auth, internalAuditorId, resolveInviteCodeRef, pickPreferredSide, joinPowerLeg } = deps;
+    app.get('/api/profile/placement-status', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const u = db.prepare("SELECT placement_id, placement_side, left_child_id, right_child_id, placement_pref FROM users WHERE id = ?").get(user.id);
+        const u = await dbOne("SELECT placement_id, placement_side, left_child_id, right_child_id, placement_pref FROM users WHERE id = ?", [user.id]);
         const hasPlacement = !!u?.placement_id;
         const hasDownline = !!u?.left_child_id || !!u?.right_child_id;
         res.json({
@@ -16,36 +18,35 @@ export function registerProfilePlacementRoutes(app, deps) {
             placement_side: u?.placement_side,
         });
     });
-    app.post('/api/profile/bind-placement', (req, res) => {
+    app.post('/api/profile/bind-placement', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const { inviter_id, side } = req.body;
+        const { inviter_id } = req.body;
         if (!inviter_id || typeof inviter_id !== 'string')
             return void res.json({ error: '请提供 inviter_id' });
-        // 多形态识别：usr_xxx / VKSF9P / @handle
-        const resolvedInviterId = resolveUserRef(inviter_id);
-        if (!resolvedInviterId)
-            return void res.json({ error: 'inviter 不存在' });
+        // invite-code ONLY: 6-7 位 permanent_code。usr_xxx / @handle / 裸 handle 不再接受 —
+        // 这是积分树关系绑定入口,必须与收窄后的邀请面一致。
+        const ref = resolveInviteCodeRef(inviter_id);
+        if (!ref)
+            return void res.json({ error: 'inviter 邀请码无效（仅 6-7 位永久码）' });
+        const resolvedInviterId = ref.userId;
         if (resolvedInviterId === user.id)
             return void res.json({ error: '不能挂靠到自己' });
-        const u = db.prepare("SELECT placement_id, left_child_id, right_child_id FROM users WHERE id = ?").get(user.id);
+        const u = await dbOne("SELECT placement_id, left_child_id, right_child_id FROM users WHERE id = ?", [user.id]);
         if (u?.placement_id)
             return void res.json({ error: '你已在双轨树中（永久第一触点，不可改）' });
         if (u?.left_child_id || u?.right_child_id)
             return void res.json({ error: '你已有下线，不可补绑（防破坏树结构）' });
-        const inviter = db.prepare("SELECT id, placement_path FROM users WHERE id = ? AND id NOT IN ('sys_protocol', ?)")
-            .get(resolvedInviterId, internalAuditorId);
+        const inviter = await dbOne("SELECT id, placement_path FROM users WHERE id = ? AND id NOT IN ('sys_protocol', ?)", [resolvedInviterId, internalAuditorId]);
         if (!inviter)
             return void res.json({ error: 'inviter 不存在' });
         // 环路检查：inviter 的 placement_path 不能含自己
         if ((inviter.placement_path || '').split('>').includes(user.id)) {
             return void res.json({ error: '检测到环路（你已是 inviter 的上线）' });
         }
-        // 选边：用户提供 side / 否则用 inviter.placement_pref 自动选
-        const chosenSide = (side === 'left' || side === 'right')
-            ? side
-            : pickPreferredSide(inviter.id);
+        // pre-public 去左右码:忽略用户/邀请码指定的左右侧,放置侧别永远由系统自动决定
+        const chosenSide = pickPreferredSide(inviter.id);
         try {
             const placed = joinPowerLeg(inviter.id, chosenSide, user.id);
             res.json({ success: true, inviter_id: inviter.id, side: chosenSide, depth: placed.depth });
@@ -54,7 +55,7 @@ export function registerProfilePlacementRoutes(app, deps) {
             res.json({ error: `挂靠失败: ${e.message}` });
         }
     });
-    app.post('/api/profile/placement-pref', (req, res) => {
+    app.post('/api/profile/placement-pref', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -64,7 +65,7 @@ export function registerProfilePlacementRoutes(app, deps) {
         }
         // legacy left/right 已不再支持长期强偏，无声折算为 team_count（agent 兼容期保护）
         const stored = (pref === 'left' || pref === 'right') ? 'team_count' : pref;
-        db.prepare("UPDATE users SET placement_pref = ?, updated_at = datetime('now') WHERE id = ?").run(stored, user.id);
-        res.json({ success: true, placement_pref: stored, coerced: stored !== pref ? `${pref} → ${stored}（已统一为长期默认偏好；要单次强偏请使用左/右码）` : undefined });
+        await dbRun("UPDATE users SET placement_pref = ?, updated_at = datetime('now') WHERE id = ?", [stored, user.id]);
+        res.json({ success: true, placement_pref: stored, coerced: stored !== pref ? `${pref} → ${stored}（已统一为长期默认偏好）` : undefined });
     });
 }

package/dist/pwa/routes/profile-prefs.js

@@ -1,7 +1,9 @@
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerProfilePrefsRoutes(app, deps) {
-    const { db, auth } = deps;
+    // db 已全量走 RFC-016 异步 seam(dbOne/dbRun),不再直接用 deps.db
+    const { auth } = deps;
     // 默认地址（结构化 + 兼容旧 text/region）
-    app.post('/api/profile/default-address', (req, res) => {
+    app.post('/api/profile/default-address', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -10,8 +12,7 @@ export function registerProfilePrefsRoutes(app, deps) {
         if (body.text !== undefined || body.region !== undefined) {
             const text = (body.text || '').toString().trim().slice(0, 200);
             const region = (body.region || '').toString().trim().slice(0, 40);
-            db.prepare("UPDATE users SET default_address_text = ?, default_address_region = ?, updated_at = datetime('now') WHERE id = ?")
-                .run(text || null, region || null, user.id);
+            await dbRun("UPDATE users SET default_address_text = ?, default_address_region = ?, updated_at = datetime('now') WHERE id = ?", [text || null, region || null, user.id]);
             return void res.json({ ok: true, text: text || null, region: region || null });
         }
         // 结构化模式
@@ -42,21 +43,20 @@ export function registerProfilePrefsRoutes(app, deps) {
         }
         const structured = { line1, line2, country, state, city, recipient_name: recipient, phone1, phone2, postal_code: postal };
         const text = [recipient, `${country} ${state} ${city}`.trim(), line1, line2, postal, phone1].filter(Boolean).join(' / ').slice(0, 200);
-        db.prepare("UPDATE users SET default_address_text = ?, default_address_region = ?, default_address_json = ?, updated_at = datetime('now') WHERE id = ?")
-            .run(text || null, state || null, JSON.stringify(structured), user.id);
+        await dbRun("UPDATE users SET default_address_text = ?, default_address_region = ?, default_address_json = ?, updated_at = datetime('now') WHERE id = ?", [text || null, state || null, JSON.stringify(structured), user.id]);
         res.json({ ok: true, address: structured, derived_text: text, derived_region: state });
     });
     // 隐私开关（旧 API，向后兼容；新代码用 PATCH /api/profile）
-    app.patch('/api/profile/feed-visible', (req, res) => {
+    app.patch('/api/profile/feed-visible', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
         const v = req.body?.visible ? 1 : 0;
-        db.prepare("UPDATE users SET feed_visible = ?, updated_at = datetime('now') WHERE id = ?").run(v, user.id);
+        await dbRun("UPDATE users SET feed_visible = ?, updated_at = datetime('now') WHERE id = ?", [v, user.id]);
         res.json({ ok: true, feed_visible: v });
     });
     // 通用 profile patch（search_anchor / bio / feed_visible）
-    app.patch('/api/profile', (req, res) => {
+    app.patch('/api/profile', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -86,8 +86,8 @@ export function registerProfilePrefsRoutes(app, deps) {
             return void res.json({ error: '没有可更新的字段' });
         updates.push(`updated_at = datetime('now')`);
         values.push(user.id);
-        db.prepare(`UPDATE users SET ${updates.join(', ')} WHERE id = ?`).run(...values);
-        const u = db.prepare("SELECT search_anchor, bio, feed_visible FROM users WHERE id = ?").get(user.id);
+        await dbRun(`UPDATE users SET ${updates.join(', ')} WHERE id = ?`, values);
+        const u = (await dbOne("SELECT search_anchor, bio, feed_visible FROM users WHERE id = ?", [user.id]));
         res.json({ ok: true, search_anchor: u.search_anchor, bio: u.bio, feed_visible: Number(u.feed_visible ?? 1) });
     });
 }