@seasonkoh/webaz 0.1.24 → 0.1.26

package/dist/pwa/routes/secondhand.js

@@ -1,5 +1,6 @@
 import { transition } from '../../layer0-foundation/L0-2-state-machine/engine.js';
 import { notifyTransition } from '../../layer2-business/L2-6-notifications/notification-engine.js';
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 const SH_CATEGORIES = new Set(['phone', 'computer', 'appliance', 'furniture', 'clothing', 'book', 'toy', 'sports', 'other']);
 const SH_CONDITIONS = new Set(['brand_new', 'like_new', 'lightly_used', 'well_used', 'heavily_used']);
 const SH_FULFILLMENT = new Set(['shipping', 'in_person', 'both']);
@@ -8,9 +9,11 @@ function addHours(date, hours) {
     return new Date(date.getTime() + hours * 3_600_000).toISOString();
 }
 export function registerSecondhandRoutes(app, deps) {
+    // db 仍保留:order 下单是 money/escrow 路径(pragma FK-OFF 窗口 + CAS + 钱包扣减),
+    // 不能引入 await 否则会在 FK-OFF 窗口被其他请求并发穿插;随 order/资金路径在 Phase 3 一并迁移。
     const { db, generateId, auth, errorRes } = deps;
     // 1. 发布
-    app.post('/api/secondhand', (req, res) => {
+    app.post('/api/secondhand', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -32,12 +35,12 @@ export function registerSecondhandRoutes(app, deps) {
         const ff = SH_FULFILLMENT.has(fulfillment) ? fulfillment : 'both';
         const reg = region ? String(region).trim().slice(0, 40) : null;
         const id = generateId('shi');
-        db.prepare(`INSERT INTO secondhand_items (id, seller_id, title, description, category, condition_grade, price, negotiable, images, region, fulfillment)
-                VALUES (?,?,?,?,?,?,?,?,?,?,?)`).run(id, user.id, t, desc, category, condition_grade, p, negotiable ? 1 : 0, JSON.stringify(imgs), reg, ff);
+        await dbRun(`INSERT INTO secondhand_items (id, seller_id, title, description, category, condition_grade, price, negotiable, images, region, fulfillment)
+                VALUES (?,?,?,?,?,?,?,?,?,?,?)`, [id, user.id, t, desc, category, condition_grade, p, negotiable ? 1 : 0, JSON.stringify(imgs), reg, ff]);
         res.json({ success: true, id });
     });
     // 2. 列表（市场入口）
-    app.get('/api/secondhand', (req, res) => {
+    app.get('/api/secondhand', async (req, res) => {
         const category = String(req.query.category || '').trim();
         const conditionList = String(req.query.condition || '').split(',').map(s => s.trim()).filter(s => SH_CONDITIONS.has(s));
         const region = String(req.query.region || '').trim();
@@ -76,18 +79,18 @@ export function registerSecondhandRoutes(app, deps) {
         // 排除自己（如登录）
         const me = (req.headers.authorization || '').replace('Bearer ', '');
         if (me) {
-            const u = db.prepare("SELECT id FROM users WHERE api_key = ?").get(me);
+            const u = await dbOne("SELECT id FROM users WHERE api_key = ?", [me]);
             if (u) {
                 where.push('seller_id != ?');
                 args.push(u.id);
             }
         }
-        const rows = db.prepare(`SELECT si.id, si.seller_id, si.title, si.category, si.condition_grade, si.price, si.negotiable,
+        const rows = await dbAll(`SELECT si.id, si.seller_id, si.title, si.category, si.condition_grade, si.price, si.negotiable,
       si.region, si.fulfillment, si.images, si.view_count, si.created_at,
       u.name as seller_name, u.handle as seller_handle
       FROM secondhand_items si JOIN users u ON u.id = si.seller_id
       WHERE ${where.join(' AND ')}
-      ORDER BY ${orderBy} LIMIT ${limit}`).all(...args);
+      ORDER BY ${orderBy} LIMIT ${limit}`, args);
         for (const r of rows) {
             try {
                 const arr = JSON.parse(r.images);
@@ -101,13 +104,13 @@ export function registerSecondhandRoutes(app, deps) {
         res.json({ items: rows });
     });
     // 3. 我的二手发布
-    app.get('/api/secondhand/mine', (req, res) => {
+    app.get('/api/secondhand/mine', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const rows = db.prepare(`SELECT id, title, category, condition_grade, price, negotiable, status,
+        const rows = await dbAll(`SELECT id, title, category, condition_grade, price, negotiable, status,
       region, fulfillment, images, view_count, created_at, sold_at, sold_order_id
-      FROM secondhand_items WHERE seller_id = ? ORDER BY created_at DESC LIMIT 100`).all(user.id);
+      FROM secondhand_items WHERE seller_id = ? ORDER BY created_at DESC LIMIT 100`, [user.id]);
         for (const r of rows) {
             try {
                 const arr = JSON.parse(r.images);
@@ -118,33 +121,33 @@ export function registerSecondhandRoutes(app, deps) {
             }
             delete r.images;
         }
-        const stats = db.prepare(`SELECT
+        const stats = (await dbOne(`SELECT
       SUM(CASE WHEN status='available' THEN 1 ELSE 0 END) as available_count,
       SUM(CASE WHEN status='reserved' THEN 1 ELSE 0 END) as reserved_count,
       SUM(CASE WHEN status='sold' THEN 1 ELSE 0 END) as sold_count,
       SUM(CASE WHEN status='closed' THEN 1 ELSE 0 END) as closed_count,
       COALESCE(SUM(CASE WHEN status='sold' THEN price ELSE 0 END), 0) as gross_sold_amount
-      FROM secondhand_items WHERE seller_id = ?`).get(user.id);
+      FROM secondhand_items WHERE seller_id = ?`, [user.id]));
         // 估算净收入（扣 1% 协议 + 1% 基金）
         stats.estimated_earned = Math.round((stats.gross_sold_amount || 0) * 0.98 * 100) / 100;
         res.json({ items: rows, stats });
     });
     // 4. 详情（view_count++）+ 同卖家其他在售
-    app.get('/api/secondhand/:id', (req, res) => {
-        const row = db.prepare(`SELECT si.*, u.name as seller_name, u.handle as seller_handle, u.permanent_code as seller_code
-      FROM secondhand_items si JOIN users u ON u.id = si.seller_id WHERE si.id = ?`).get(req.params.id);
+    app.get('/api/secondhand/:id', async (req, res) => {
+        const row = await dbOne(`SELECT si.*, u.name as seller_name, u.handle as seller_handle, u.permanent_code as seller_code
+      FROM secondhand_items si JOIN users u ON u.id = si.seller_id WHERE si.id = ?`, [req.params.id]);
         if (!row)
             return void res.status(404).json({ error: '物品不存在' });
-        db.prepare('UPDATE secondhand_items SET view_count = view_count + 1 WHERE id = ?').run(req.params.id);
+        await dbRun('UPDATE secondhand_items SET view_count = view_count + 1 WHERE id = ?', [req.params.id]);
         try {
             row.images = JSON.parse(row.images);
         }
         catch {
             row.images = [];
         }
-        const sellerOthers = db.prepare(`SELECT id, title, category, condition_grade, price, images, region
+        const sellerOthers = await dbAll(`SELECT id, title, category, condition_grade, price, images, region
       FROM secondhand_items WHERE seller_id = ? AND status='available' AND id != ?
-      ORDER BY created_at DESC LIMIT 6`).all(row.seller_id, req.params.id);
+      ORDER BY created_at DESC LIMIT 6`, [row.seller_id, req.params.id]);
         for (const o of sellerOthers) {
             try {
                 const arr = JSON.parse(o.images);
@@ -158,11 +161,11 @@ export function registerSecondhandRoutes(app, deps) {
         res.json({ item: row, seller_others: sellerOthers });
     });
     // 5. 编辑（仅 owner；可改 price / description / negotiable / status / fulfillment）
-    app.patch('/api/secondhand/:id', (req, res) => {
+    app.patch('/api/secondhand/:id', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const item = db.prepare('SELECT * FROM secondhand_items WHERE id = ?').get(req.params.id);
+        const item = await dbOne('SELECT * FROM secondhand_items WHERE id = ?', [req.params.id]);
         if (!item)
             return void res.status(404).json({ error: '物品不存在' });
         if (item.seller_id !== user.id)
@@ -210,10 +213,10 @@ export function registerSecondhandRoutes(app, deps) {
             return void res.status(400).json({ error: '无字段更新' });
         sets.push("updated_at = datetime('now')");
         args.push(req.params.id);
-        db.prepare(`UPDATE secondhand_items SET ${sets.join(', ')} WHERE id = ?`).run(...args);
+        await dbRun(`UPDATE secondhand_items SET ${sets.join(', ')} WHERE id = ?`, args);
         res.json({ success: true });
     });
-    // 6. 下单（CAS 锁库存）
+    // 6. 下单（CAS 锁库存）— money/escrow + pragma FK-OFF 窗口,保持同步,Phase 3 随资金路径迁移
     app.post('/api/secondhand/:id/order', (req, res) => {
         const user = auth(req, res);
         if (!user)

package/dist/pwa/routes/seller-quota.js

@@ -1,7 +1,9 @@
+import { dbOne, dbAll, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerSellerQuotaRoutes(app, deps) {
-    const { db, generateId, auth, requireUsersAdmin, safeRoles, checkSellerCanList, adminCanOperateOn, logAdminAction, QUOTA_TIERS } = deps;
+    // db 已走 RFC-016 异步 seam(dbOne/dbAll/dbRun),不再直接用 deps.db
+    const { generateId, auth, requireUsersAdmin, safeRoles, checkSellerCanList, adminCanOperateOn, logAdminAction, QUOTA_TIERS } = deps;
     // 配额状态
-    app.get('/api/seller/quota-status', (req, res) => {
+    app.get('/api/seller/quota-status', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -9,7 +11,7 @@ export function registerSellerQuotaRoutes(app, deps) {
             return void res.json({ error: '仅卖家可查看配额' });
         }
         const status = checkSellerCanList(user);
-        const pending = db.prepare("SELECT id, requested_quota, applied_at FROM quota_increase_applications WHERE user_id = ? AND status = 'pending' ORDER BY applied_at DESC LIMIT 1").get(user.id);
+        const pending = await dbOne("SELECT id, requested_quota, applied_at FROM quota_increase_applications WHERE user_id = ? AND status = 'pending' ORDER BY applied_at DESC LIMIT 1", [user.id]);
         const max = Number(user.max_products ?? 200);
         const nextTierIdx = QUOTA_TIERS.indexOf(max);
         const nextTier = nextTierIdx >= 0 && nextTierIdx < QUOTA_TIERS.length - 1 ? QUOTA_TIERS[nextTierIdx + 1] : null;
@@ -28,7 +30,7 @@ export function registerSellerQuotaRoutes(app, deps) {
         });
     });
     // 数据中心（30d GMV / 7d 曲线 / Top 5 / 客户洞察 / 状态分布）
-    app.get('/api/seller/insights', (req, res) => {
+    app.get('/api/seller/insights', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -42,7 +44,7 @@ export function registerSellerQuotaRoutes(app, deps) {
         const fmt = (d) => d.toISOString().replace('T', ' ').slice(0, 19);
         const d30 = fmt(new Date(now - 30 * 86400000));
         const d60 = fmt(new Date(now - 60 * 86400000));
-        const orders = db.prepare(`
+        const orders = await dbAll(`
       SELECT o.id, o.product_id, o.buyer_id, o.status, o.total_amount, o.created_at,
              COALESCE(p.title, '已下架商品') as product_title,
              COALESCE(ub.name, '匿名') as buyer_name
@@ -51,7 +53,7 @@ export function registerSellerQuotaRoutes(app, deps) {
       LEFT JOIN users ub ON o.buyer_id = ub.id
       WHERE o.seller_id = ? AND o.created_at >= ?
       ORDER BY o.created_at DESC
-    `).all(sellerId, d60);
+    `, [sellerId, d60]);
         const completedStatuses = new Set(['completed', 'confirmed']);
         const disputedStatuses = new Set(['disputed', 'fault_seller', 'fault_buyer', 'fault_logistics', 'resolved_for_seller', 'refunded_partial', 'refunded_full', 'dispute_dismissed']);
         const cancelledStatuses = new Set(['cancelled', 'expired']);
@@ -135,7 +137,7 @@ export function registerSellerQuotaRoutes(app, deps) {
             status_breakdown: statusBreakdown,
         });
     });
-    app.post('/api/seller/apply-quota-increase', (req, res) => {
+    app.post('/api/seller/apply-quota-increase', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -152,45 +154,43 @@ export function registerSellerQuotaRoutes(app, deps) {
         if (Number(requested_quota) !== nextTier) {
             return void res.json({ error: `下一档配额应为 ${nextTier}` });
         }
-        const existing = db.prepare("SELECT 1 FROM quota_increase_applications WHERE user_id = ? AND status = 'pending' LIMIT 1").get(user.id);
+        const existing = await dbOne("SELECT 1 FROM quota_increase_applications WHERE user_id = ? AND status = 'pending' LIMIT 1", [user.id]);
         if (existing)
             return void res.json({ error: '已有待审申请' });
-        db.prepare(`INSERT INTO quota_increase_applications (id, user_id, current_quota, requested_quota, reason) VALUES (?,?,?,?,?)`)
-            .run(generateId('qapp'), user.id, current, nextTier, (reason || '').toString().slice(0, 500));
+        await dbRun(`INSERT INTO quota_increase_applications (id, user_id, current_quota, requested_quota, reason) VALUES (?,?,?,?,?)`, [generateId('qapp'), user.id, current, nextTier, (reason || '').toString().slice(0, 500)]);
         res.json({ success: true, requested_quota: nextTier });
     });
-    app.post('/api/seller/withdraw-quota-application', (req, res) => {
+    app.post('/api/seller/withdraw-quota-application', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
-        const pending = db.prepare("SELECT id FROM quota_increase_applications WHERE user_id = ? AND status = 'pending' LIMIT 1").get(user.id);
+        const pending = await dbOne("SELECT id FROM quota_increase_applications WHERE user_id = ? AND status = 'pending' LIMIT 1", [user.id]);
         if (!pending)
             return void res.json({ error: '没有待审申请' });
-        db.prepare("UPDATE quota_increase_applications SET status = 'withdrawn', reviewed_at = datetime('now') WHERE id = ?").run(pending.id);
+        await dbRun("UPDATE quota_increase_applications SET status = 'withdrawn', reviewed_at = datetime('now') WHERE id = ?", [pending.id]);
         res.json({ success: true });
     });
     // Admin
-    app.get('/api/admin/quota-applications', (req, res) => {
+    app.get('/api/admin/quota-applications', async (req, res) => {
         const admin = requireUsersAdmin(req, res);
         if (!admin)
             return;
         const status = req.query.status || 'pending';
-        const rows = db.prepare(`
+        const rows = await dbAll(`
       SELECT qa.*, u.name as user_name, u.email
       FROM quota_increase_applications qa
       LEFT JOIN users u ON u.id = qa.user_id
       WHERE qa.status = ?
       ORDER BY qa.applied_at DESC LIMIT 100
-    `).all(status);
+    `, [status]);
         res.json({ applications: rows });
     });
-    app.post('/api/admin/quota-applications/:id/approve', (req, res) => {
+    app.post('/api/admin/quota-applications/:id/approve', async (req, res) => {
         const admin = requireUsersAdmin(req, res);
         if (!admin)
             return;
         const { note } = req.body;
-        const appRow = db.prepare("SELECT id, user_id, requested_quota, status FROM quota_increase_applications WHERE id = ?")
-            .get(req.params.id);
+        const appRow = await dbOne("SELECT id, user_id, requested_quota, status FROM quota_increase_applications WHERE id = ?", [req.params.id]);
         if (!appRow)
             return void res.json({ error: '申请不存在' });
         if (!adminCanOperateOn(admin, appRow.user_id, res))
@@ -199,26 +199,24 @@ export function registerSellerQuotaRoutes(app, deps) {
             return void res.json({ error: '该申请不在待审状态' });
         if (!QUOTA_TIERS.includes(appRow.requested_quota))
             return void res.json({ error: '请求配额不合法' });
-        db.prepare("UPDATE quota_increase_applications SET status='approved', reviewed_at=datetime('now'), reviewed_by=?, decision_note=? WHERE id=?")
-            .run(admin.id, note || null, appRow.id);
-        db.prepare("UPDATE users SET max_products = ?, updated_at = datetime('now') WHERE id = ?").run(appRow.requested_quota, appRow.user_id);
+        await dbRun("UPDATE quota_increase_applications SET status='approved', reviewed_at=datetime('now'), reviewed_by=?, decision_note=? WHERE id=?", [admin.id, note || null, appRow.id]);
+        await dbRun("UPDATE users SET max_products = ?, updated_at = datetime('now') WHERE id = ?", [appRow.requested_quota, appRow.user_id]);
         logAdminAction(admin.id, 'approve_quota_increase', 'user', appRow.user_id, { quota: appRow.requested_quota, note });
         res.json({ success: true });
     });
-    app.post('/api/admin/quota-applications/:id/reject', (req, res) => {
+    app.post('/api/admin/quota-applications/:id/reject', async (req, res) => {
         const admin = requireUsersAdmin(req, res);
         if (!admin)
             return;
         const { note } = req.body;
-        const appRow = db.prepare("SELECT id, user_id, status FROM quota_increase_applications WHERE id = ?").get(req.params.id);
+        const appRow = await dbOne("SELECT id, user_id, status FROM quota_increase_applications WHERE id = ?", [req.params.id]);
         if (!appRow)
             return void res.json({ error: '申请不存在' });
         if (!adminCanOperateOn(admin, appRow.user_id, res))
             return;
         if (appRow.status !== 'pending')
             return void res.json({ error: '该申请不在待审状态' });
-        db.prepare("UPDATE quota_increase_applications SET status='rejected', reviewed_at=datetime('now'), reviewed_by=?, decision_note=? WHERE id=?")
-            .run(admin.id, note || null, appRow.id);
+        await dbRun("UPDATE quota_increase_applications SET status='rejected', reviewed_at=datetime('now'), reviewed_by=?, decision_note=? WHERE id=?", [admin.id, note || null, appRow.id]);
         logAdminAction(admin.id, 'reject_quota_increase', 'user', appRow.user_id, { note });
         res.json({ success: true });
     });

package/dist/pwa/routes/share-redirects.js

@@ -1,7 +1,29 @@
 import QRCode from 'qrcode';
 import { createHash } from 'crypto';
+import { dbOne, dbRun } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 异步 DB seam
 export function registerShareRedirectsRoutes(app, deps) {
-    const { db, auth, clientIpHash, clientUaHash } = deps;
+    // db 已全量走 RFC-016 异步 seam(dbOne/dbRun),不再直接用 deps.db
+    const { auth, clientIpHash, clientUaHash, resolveInviteCodeRef } = deps;
+    // Resolve the ?ref for a /s/<shareable> redirect: a permanent_code ONLY — never the raw owner_id (usr_xxx).
+    // Prefer the shareable's stored owner_code; if missing/invalid, look up the owner's permanent_code and
+    // opportunistically backfill owner_code. If the owner has no permanent_code, return null (emit NO ref).
+    async function shareOwnerRefCode(ownerCode, ownerId) {
+        const oc = typeof ownerCode === 'string' ? ownerCode.trim().toUpperCase() : '';
+        if (/^[A-Z0-9]{6,7}$/.test(oc))
+            return oc;
+        const oid = typeof ownerId === 'string' ? ownerId : '';
+        if (oid) {
+            const r = await dbOne("SELECT permanent_code FROM users WHERE id = ? AND id != 'sys_protocol'", [oid]);
+            if (r?.permanent_code) {
+                try {
+                    await dbRun("UPDATE shareables SET owner_code = ? WHERE owner_id = ? AND (owner_code IS NULL OR owner_code = '')", [r.permanent_code, oid]);
+                }
+                catch { }
+                return r.permanent_code;
+            }
+        }
+        return null;
+    }
     // 二维码生成（24h cache + ETag）
     app.get('/api/qr', async (req, res) => {
         const text = String(req.query.text || '').slice(0, 1024).trim();
@@ -24,27 +46,27 @@ export function registerShareRedirectsRoutes(app, deps) {
     });
     // 商品分享短链 /s/<shareable_id>
     // 笔记 → 跳 PWA 内 #note/<id>；商品 → #order-product/<id>；外链 → 直跳外部 URL
-    app.get('/s/:id', (req, res) => {
+    app.get('/s/:id', async (req, res) => {
         const id = String(req.params.id || '').trim();
-        const row = db.prepare(`
+        const row = await dbOne(`
       SELECT id, owner_id, owner_code, type, external_url, related_product_id, related_anchor, status
       FROM shareables WHERE id = ? AND status = 'active'
-    `).get(id);
+    `, [id]);
         // Phase C 笔记着陆页 — type=note 优先跳 PWA 内的 #note/<id>
         if (row && row.type === 'note') {
-            const ownerRef = row.owner_code || row.owner_id || '';
+            const ownerRef = await shareOwnerRefCode(row.owner_code, row.owner_id);
             const qs = new URLSearchParams();
             if (ownerRef)
-                qs.set('ref', String(ownerRef));
+                qs.set('ref', ownerRef);
             qs.set('share_id', id);
             try {
                 const ipHash = clientIpHash(req);
                 const uaHash = clientUaHash(req);
-                const dup = db.prepare(`SELECT 1 FROM shareable_click_log WHERE shareable_id = ? AND ip_hash = ? AND ua_hash = ? AND created_at > datetime('now', '-6 hours') LIMIT 1`).get(id, ipHash, uaHash);
-                db.prepare(`INSERT INTO shareable_click_log (shareable_id, ip_hash, ua_hash, ref_path) VALUES (?,?,?,?)`).run(id, ipHash, uaHash, req.originalUrl || null);
-                db.prepare(`UPDATE shareables SET click_count = COALESCE(click_count,0) + 1 WHERE id = ?`).run(id);
+                const dup = await dbOne(`SELECT 1 FROM shareable_click_log WHERE shareable_id = ? AND ip_hash = ? AND ua_hash = ? AND created_at > datetime('now', '-6 hours') LIMIT 1`, [id, ipHash, uaHash]);
+                await dbRun(`INSERT INTO shareable_click_log (shareable_id, ip_hash, ua_hash, ref_path) VALUES (?,?,?,?)`, [id, ipHash, uaHash, req.originalUrl || null]);
+                await dbRun(`UPDATE shareables SET click_count = COALESCE(click_count,0) + 1 WHERE id = ?`, [id]);
                 if (!dup)
-                    db.prepare(`UPDATE shareables SET unique_click_count = COALESCE(unique_click_count,0) + 1 WHERE id = ?`).run(id);
+                    await dbRun(`UPDATE shareables SET unique_click_count = COALESCE(unique_click_count,0) + 1 WHERE id = ?`, [id]);
             }
             catch (e) {
                 console.error('[note-click]', e);
@@ -57,26 +79,25 @@ export function registerShareRedirectsRoutes(app, deps) {
         try {
             const ipHash = clientIpHash(req);
             const uaHash = clientUaHash(req);
-            const dup = db.prepare(`
+            const dup = await dbOne(`
         SELECT 1 FROM shareable_click_log
         WHERE shareable_id = ? AND ip_hash = ? AND ua_hash = ?
           AND created_at > datetime('now', '-6 hours') LIMIT 1
-      `).get(id, ipHash, uaHash);
-            db.prepare(`INSERT INTO shareable_click_log (shareable_id, ip_hash, ua_hash, ref_path) VALUES (?,?,?,?)`)
-                .run(id, ipHash, uaHash, req.originalUrl || null);
-            db.prepare(`UPDATE shareables SET click_count = COALESCE(click_count,0) + 1 WHERE id = ?`).run(id);
+      `, [id, ipHash, uaHash]);
+            await dbRun(`INSERT INTO shareable_click_log (shareable_id, ip_hash, ua_hash, ref_path) VALUES (?,?,?,?)`, [id, ipHash, uaHash, req.originalUrl || null]);
+            await dbRun(`UPDATE shareables SET click_count = COALESCE(click_count,0) + 1 WHERE id = ?`, [id]);
             if (!dup) {
-                db.prepare(`UPDATE shareables SET unique_click_count = COALESCE(unique_click_count,0) + 1 WHERE id = ?`).run(id);
+                await dbRun(`UPDATE shareables SET unique_click_count = COALESCE(unique_click_count,0) + 1 WHERE id = ?`, [id]);
             }
         }
         catch (e) {
             console.error('[M3-click]', e);
         }
-        const ownerRef = row.owner_code || row.owner_id || '';
+        const ownerRef = await shareOwnerRefCode(row.owner_code, row.owner_id);
         const isProduct = !!row.related_product_id;
         const baseParams = new URLSearchParams();
         if (ownerRef)
-            baseParams.set('ref', String(ownerRef));
+            baseParams.set('ref', ownerRef);
         if (isProduct)
             baseParams.set('share_id', id);
         const qs = baseParams.toString() ? '?' + baseParams.toString() : '';
@@ -92,7 +113,7 @@ export function registerShareRedirectsRoutes(app, deps) {
         res.redirect(302, `/${qs}#u/${row.owner_id}`);
     });
     // 商品分享归因落库（前端登录后首次进入带 share_id 时调用）
-    app.post('/api/product-share/touch', (req, res) => {
+    app.post('/api/product-share/touch', async (req, res) => {
         const user = auth(req, res);
         if (!user)
             return;
@@ -100,25 +121,25 @@ export function registerShareRedirectsRoutes(app, deps) {
         if (!shareable_id || typeof shareable_id !== 'string') {
             return void res.json({ ok: false, error: 'invalid_shareable_id' });
         }
-        const s = db.prepare(`
+        const s = await dbOne(`
       SELECT id, owner_id, related_product_id FROM shareables
       WHERE id = ? AND status = 'active'
-    `).get(shareable_id);
+    `, [shareable_id]);
         if (!s || !s.related_product_id)
             return void res.json({ ok: false, error: 'not_product_shareable' });
         if (s.owner_id === user.id)
             return void res.json({ ok: false, error: 'cannot_self_attribute' });
         const expiresAt = new Date(Date.now() + 30 * 86400_000).toISOString().slice(0, 19).replace('T', ' ');
         // first-touch：未过期 → 静默保留；过期 → 替换
-        const existing = db.prepare(`
+        const existing = await dbOne(`
       SELECT sharer_id, expires_at FROM product_share_attribution
       WHERE product_id = ? AND recipient_id = ?
-    `).get(s.related_product_id, user.id);
+    `, [s.related_product_id, user.id]);
         if (!existing) {
-            db.prepare(`
-        INSERT INTO product_share_attribution (product_id, recipient_id, sharer_id, shareable_id, expires_at)
-        VALUES (?, ?, ?, ?, ?)
-      `).run(s.related_product_id, user.id, s.owner_id, s.id, expiresAt);
+            await dbRun(`
+        INSERT INTO product_share_attribution (product_id, recipient_id, sharer_id, shareable_id, expires_at, source_type, source_ref)
+        VALUES (?, ?, ?, ?, ?, 'direct_share', ?)
+      `, [s.related_product_id, user.id, s.owner_id, s.id, expiresAt, s.id]);
             return void res.json({ ok: true, attributed: true, sharer_id: s.owner_id, product_id: s.related_product_id });
         }
         const stillValid = new Date(existing.expires_at.replace(' ', 'T') + 'Z').getTime() > Date.now();
@@ -126,39 +147,23 @@ export function registerShareRedirectsRoutes(app, deps) {
             return void res.json({ ok: true, attributed: false, existing_sharer_id: existing.sharer_id, locked: true });
         }
         // 已过期 → 刷新
-        db.prepare(`
+        await dbRun(`
       UPDATE product_share_attribution
-      SET sharer_id = ?, shareable_id = ?, created_at = datetime('now'), expires_at = ?
+      SET sharer_id = ?, shareable_id = ?, created_at = datetime('now'), expires_at = ?,
+          source_type = 'direct_share', source_ref = ?, source_shop_seller_id = NULL, source_qualified_order_id = NULL
       WHERE product_id = ? AND recipient_id = ?
-    `).run(s.owner_id, s.id, expiresAt, s.related_product_id, user.id);
+    `, [s.owner_id, s.id, expiresAt, s.id, s.related_product_id, user.id]);
         res.json({ ok: true, attributed: true, refreshed: true, sharer_id: s.owner_id });
     });
-    // 邀请短链 /i/CODE
-    // 格式：/i/VKSF9P / /i/VKSF9P-L / /i/VKSF9P-R / /i/@handle / /i/@handle-L
+    // 邀请短链 /i/CODE — invite-code ONLY (permanent_code, 兼容旧的 -L/-R 后缀). usr_xxx / @handle / 裸 handle
+    // 一律 404(不再做 handle 解析)。pre-public 去左右码:/i/CODE 与旧 /i/CODE-L、/i/CODE-R 一律
+    // 规范化重定向到 /?ref=CODE(丢弃 side;放置侧别由注册时系统自动决定),旧链接/二维码仍可用。
+    // 不受 invite_rotation_enabled 影响:已有用户分享出的 /i/CODE 链接和二维码必须始终可用。
     app.get('/i/:code', (req, res) => {
-        let raw = String(req.params.code || '').trim();
-        let side = null;
-        const m = raw.match(/^(.+?)-([lLrR])$/);
-        if (m) {
-            raw = m[1];
-            side = m[2].toLowerCase() === 'l' ? 'left' : 'right';
-        }
-        // permanent_code 或 handle 规范化
-        let display = null;
-        if (/^[A-Z0-9]{6,7}$/.test(raw.toUpperCase()) && !raw.startsWith('@')) {
-            const r = db.prepare("SELECT permanent_code FROM users WHERE permanent_code = ? AND id != 'sys_protocol'").get(raw.toUpperCase());
-            if (r)
-                display = r.permanent_code;
-        }
-        if (!display) {
-            const h = raw.replace(/^@/, '').toLowerCase();
-            const r = db.prepare("SELECT handle FROM users WHERE handle = ? AND id != 'sys_protocol'").get(h);
-            if (r)
-                display = '@' + r.handle; // @ 前缀辨识 handle 形态
-        }
-        if (!display)
-            return void res.status(404).send('Invitation link not found. Code: ' + raw);
-        const target = `/?ref=${encodeURIComponent(display)}${side ? `&side=${side}` : ''}`;
+        const ref = resolveInviteCodeRef(String(req.params.code || ''));
+        if (!ref)
+            return void res.status(404).send('Invitation link not found.');
+        const target = `/?ref=${encodeURIComponent(ref.code)}`;
         res.redirect(302, target);
     });
 }