@seasonkoh/webaz 0.1.25 → 0.1.26

package/dist/layer2-business/L2-9-contribution/build-task-agent-metadata-store.js

@@ -171,3 +171,12 @@ export function getBuildTaskAgentMetadata(db, taskId) {
     row.accountable_party_required = row.accountable_party_required === 1;
     return row;
 }
+/**
+ * Flip a task's audience (used to PUBLISH an internal draft → 'public'). Validated against AUDIENCES.
+ * Returns the number of rows changed (0 = no metadata row for that task).
+ */
+export function setBuildTaskAudience(db, taskId, audience) {
+    const a = assertEnum('audience', audience, AUDIENCES);
+    const r = db.prepare(`UPDATE build_task_agent_metadata SET audience = ? WHERE task_id = ?`).run(a, taskId);
+    return r.changes;
+}

package/dist/layer2-business/L2-9-contribution/build-tasks-engine.js

@@ -45,7 +45,7 @@ export function initBuildTasksSchema(db) {
   `);
     db.exec(`CREATE INDEX IF NOT EXISTS idx_build_task_events ON build_task_events(task_id, created_at)`);
 }
-function logTaskEvent(db, taskId, actorId, from, to, note) {
+export function logTaskEvent(db, taskId, actorId, from, to, note) {
     db.prepare(`INSERT INTO build_task_events (id, task_id, actor_id, from_status, to_status, note) VALUES (?,?,?,?,?,?)`)
         .run(generateId('btev'), taskId, actorId, from, to, note);
 }

package/dist/layer2-business/L2-9-contribution/identity-claim-discovery.js

@@ -0,0 +1,55 @@
+/**
+ * F10 — claimable GitHub contribution DISCOVERY (read-only). Lets a logged-in account see which
+ * credential-backed GitHub contribution facts are currently CLAIMABLE — i.e. their GitHub actor is not
+ * yet bound by ANY account — so the F9 claim UI no longer depends on a maintainer hand-delivering
+ * `source_event_key` / `github_actor_id` (dogfood R3 finding F10, proposal tp_ce110fed).
+ *
+ * Trust / safety boundaries (mirrors identity-claim-read.ts, PR-F4):
+ *   - READ-ONLY: this module issues SELECT only — it never writes identity_bindings_active /
+ *     identity_binding_events / contribution_facts / github_fact_credentials /
+ *     identity_claim_challenges, never issues a challenge, never touches accountable_ref.
+ *   - Same credential-backed trust root as F2/F3b/F4: a fact is surfaced only when it is
+ *     `source='github'` + `status='active'` + linked to a credential whose actor matches the fact's
+ *     `executor_ref` ('github:' || actor) — a forged executor_ref without a credential never appears.
+ *   - CLAIMABLE = the actor has NO active binding (LEFT JOIN … IS NULL): an actor bound by another
+ *     account is excluded (it is theirs), and an actor bound by the CALLER is also excluded here —
+ *     those facts already appear in /github/me's attributable_facts (the F4 surface).
+ *   - No secret in the output: no account_id, credential_id, core_json/digest, token, nonce,
+ *     nonce_hash, proof material. Only minimal display fields + what the claim form needs
+ *     (source_event_key + github_actor_id — both already disclosed-by-design at claim-challenge).
+ *   - `accountId` is accepted for interface parity with the other read engines (the route always passes
+ *     the SESSION user) and reserved for future per-account filtering; discovery output is currently
+ *     account-independent by construction (unbound actors only).
+ *
+ * Visibility posture: same as claim-challenge (#311, by design) — an unclaimed, credential-backed
+ * contribution is discoverable and claimable; that is the point of the GitHub-first promise.
+ * No reward / score / valuation anywhere; the route wraps the response in the uncommitted-value boundary.
+ */
+import { dbAll } from '../../layer0-foundation/L0-1-database/db.js'; // RFC-016 async read seam
+// Active, credential-backed, executor-matching GitHub facts whose actor is NOT bound by any account.
+// DISTINCT collapses credential-version upgrade chains (multiple credentials → the same fact carry the
+// same PR identity fields). Newest merged work first; bounded.
+const CLAIMABLE_SQL = `
+  SELECT DISTINCT f.fact_id, f.source_event_key, f.source, f.type, f.artifact_ref, f.occurred_at,
+         f.created_at, c.github_actor_id, c.repository_id, c.pr_number, c.merge_commit_sha,
+         c.merged_at, c.lifecycle_event
+  FROM contribution_facts f
+  JOIN github_fact_credentials l
+    ON l.fact_id = f.fact_id AND l.source_event_key = f.source_event_key
+  JOIN github_contribution_credentials c
+    ON c.credential_id = l.credential_id AND c.source_event_key = l.source_event_key
+  LEFT JOIN identity_bindings_active b
+    ON b.github_actor_id = c.github_actor_id
+  WHERE f.source = 'github'
+    AND f.status = 'active'
+    AND f.executor_ref = 'github:' || c.github_actor_id
+    AND b.github_actor_id IS NULL
+  ORDER BY COALESCE(c.merged_at, f.created_at) DESC, f.fact_id
+  LIMIT 50`;
+/** List the currently claimable (unbound-actor) credential-backed GitHub facts. Read-only. */
+export async function listClaimableGithubIdentityFacts(accountId) {
+    if (!accountId || typeof accountId !== 'string')
+        return { claimable_facts: [] };
+    const rows = await dbAll(CLAIMABLE_SQL, []);
+    return { claimable_facts: rows };
+}

package/dist/layer2-business/L2-9-contribution/task-proposal-ai-store.js

@@ -0,0 +1,99 @@
+import { createHash } from 'node:crypto';
+import { generateId } from '../../layer0-foundation/L0-1-database/schema.js';
+export function initTaskProposalAiSchema(db) {
+    // CREATE only (no ALTER) — additive, never blocks an existing fresh-DB boot.
+    db.exec(`CREATE TABLE IF NOT EXISTS task_proposal_ai_suggestions (
+    id            TEXT PRIMARY KEY,
+    proposal_id   TEXT NOT NULL,
+    reviewer_type TEXT NOT NULL DEFAULT 'ai',
+    model         TEXT,
+    provider      TEXT,
+    input_hash    TEXT,
+    input_summary TEXT,
+    output_json   TEXT NOT NULL,
+    created_at    TEXT NOT NULL DEFAULT (datetime('now'))
+  )`);
+    db.exec(`CREATE INDEX IF NOT EXISTS idx_tpai_proposal ON task_proposal_ai_suggestions(proposal_id, created_at DESC)`);
+}
+/** Read the fields the recommender needs (keeps the route free of direct SQL). */
+export function getProposalLite(db, id) {
+    return db.prepare('SELECT id, title, summary, suggested_area, source_ref, expected_outcome FROM task_proposals WHERE id = ?').get(id) ?? null;
+}
+const CATEGORY_KEYWORDS = {
+    docs: ['doc', 'readme', '文档', 'guide'], i18n: ['i18n', 'translat', '翻译', 'locale'],
+    tests: ['test', '测试', 'spec'], ui: ['ui', 'page', 'button', '界面', 'pwa', 'css'],
+    api: ['api', 'endpoint', 'route'], schema: ['schema', 'migration', 'table', '字段'],
+    infra: ['ci', 'deploy', 'infra', 'pipeline', 'docker'], governance: ['governance', 'charter', '治理', 'rfc'],
+    audit: ['audit', 'security', '审计', '安全'], code: ['fix', 'bug', 'refactor', 'implement', '实现', '修复'],
+};
+const HIGH_RISK_KEYWORDS = ['wallet', 'withdraw', 'fund', 'money', 'settle', 'escrow', 'payment', 'reward', 'schema', 'migration', 'auth', 'admin', 'key', '资金', '钱包', '提现', '结算', '权限', '密钥'];
+const norm = (s) => s.toLowerCase().replace(/[^a-z0-9一-鿿]+/g, ' ').trim();
+/**
+ * Deterministic local heuristic recommendation (stub for a future model). Read-only; never decides.
+ */
+export function recommendForProposal(db, p) {
+    const text = norm(`${p.title} ${p.summary} ${p.suggested_area ?? ''}`);
+    // category
+    let category = 'other';
+    let best = 0;
+    for (const [cat, kws] of Object.entries(CATEGORY_KEYWORDS)) {
+        const hits = kws.filter(k => text.includes(k)).length;
+        if (hits > best) {
+            best = hits;
+            category = cat;
+        }
+    }
+    // risk
+    const risk = HIGH_RISK_KEYWORDS.some(k => text.includes(k)) ? 'high' : (p.summary.length > 400 ? 'medium' : 'low');
+    // effort by summary size
+    const effort = p.summary.length > 600 ? 'large' : p.summary.length > 200 ? 'medium' : 'small';
+    // missing info flags
+    const missing_info = [];
+    if (p.summary.trim().length < 40)
+        missing_info.push('summary too short — needs concrete scope / acceptance');
+    if (!p.source_ref)
+        missing_info.push('no source_ref (file / RFC / issue reference)');
+    if (!p.expected_outcome)
+        missing_info.push('no expected_outcome (definition of done)');
+    // duplicate likelihood: normalized-title overlap vs existing proposals + build_tasks
+    const titleNorm = norm(p.title);
+    const titleWords = new Set(titleNorm.split(' ').filter(w => w.length >= 3));
+    let dupScore = 0;
+    if (titleWords.size > 0) {
+        const others = db.prepare(`SELECT title FROM task_proposals WHERE id != ? UNION ALL SELECT title FROM build_tasks`).all(p.id);
+        for (const o of others) {
+            const ow = new Set(norm(o.title).split(' ').filter(w => w.length >= 3));
+            let inter = 0;
+            for (const w of titleWords)
+                if (ow.has(w))
+                    inter++;
+            const jac = inter / (titleWords.size + ow.size - inter || 1);
+            if (jac > dupScore)
+                dupScore = jac;
+        }
+    }
+    const duplicate_likelihood = dupScore >= 0.6 ? 'high' : dupScore >= 0.3 ? 'medium' : 'low';
+    const recommendation = {
+        category, risk, effort, missing_info, duplicate_likelihood,
+        suggested: {
+            title: p.title,
+            area: p.suggested_area ?? category,
+            description: p.summary,
+            acceptance_criteria: p.expected_outcome ? [String(p.expected_outcome).slice(0, 500)] : [],
+            verification_commands: [],
+        },
+    };
+    return { recommendation, model: 'heuristic-v1', provider: 'local' };
+}
+/** Persist an AI suggestion as evidence (accountability metadata). Returns the row id. */
+export function insertAiSuggestion(db, args) {
+    const id = generateId('tpai');
+    const inputHash = createHash('sha256').update(args.inputSummary).digest('hex');
+    db.prepare(`INSERT INTO task_proposal_ai_suggestions (id, proposal_id, reviewer_type, model, provider, input_hash, input_summary, output_json)
+    VALUES (?,?,?,?,?,?,?,?)`).run(id, args.proposalId, args.reviewerType ?? 'ai', args.model ?? null, args.provider ?? null, inputHash, args.inputSummary.slice(0, 1000), args.outputJson);
+    return { id };
+}
+export function listAiSuggestions(db, proposalId) {
+    return db.prepare(`SELECT id, proposal_id, reviewer_type, model, provider, input_summary, output_json, created_at
+    FROM task_proposal_ai_suggestions WHERE proposal_id = ? ORDER BY created_at DESC LIMIT 20`).all(proposalId);
+}

package/dist/layer2-business/L2-9-contribution/task-proposal-draft.js

@@ -0,0 +1,191 @@
+import { createBuildTask, logTaskEvent } from './build-tasks-engine.js';
+import { insertBuildTaskAgentMetadata, getBuildTaskAgentMetadata, setBuildTaskAudience, RISK_LEVELS, TASK_TYPES } from './build-task-agent-metadata-store.js';
+import { reviewTaskProposal } from './task-proposal-store.js';
+/** Source-proposal ↔ draft-task link (lets a draft preserve its origin WITHOUT marking the proposal terminal). */
+export function initTaskProposalDraftLinkSchema(db) {
+    db.exec(`CREATE TABLE IF NOT EXISTS task_proposal_draft_links (
+    task_id     TEXT PRIMARY KEY,
+    proposal_id TEXT NOT NULL,
+    created_by  TEXT NOT NULL,
+    created_at  TEXT NOT NULL DEFAULT (datetime('now'))
+  )`);
+    // UNIQUE: one draft per source proposal (aligns the DB with the createDraftFromProposal business rule).
+    db.exec(`CREATE UNIQUE INDEX IF NOT EXISTS idx_tpdl_proposal ON task_proposal_draft_links(proposal_id)`);
+}
+const strList = (v) => Array.isArray(v) ? v.slice(0, 50).map(s => String(s).slice(0, 500)).filter(s => s.trim()) : [];
+const txt = (v) => (v ?? '').trim();
+/** Handoff fields an executable agent task must carry. Returns the list of missing ones (empty = complete). */
+function missingHandoff(f) {
+    const missing = [];
+    if (!txt(f.title))
+        missing.push('title');
+    if (!txt(f.description))
+        missing.push('summary/description (reason)');
+    if (f.allowed_paths.length === 0)
+        missing.push('allowed_paths (execution boundary)');
+    if (f.prohibited_actions.length === 0)
+        missing.push('forbidden_actions');
+    if (f.acceptance_criteria.length === 0)
+        missing.push('acceptance_criteria');
+    if (f.verification_commands.length === 0)
+        missing.push('verification_commands');
+    if (f.deliverables.length === 0)
+        missing.push('deliverables');
+    if (!txt(f.expected_results))
+        missing.push('expected_results');
+    if (!txt(f.definition_of_done))
+        missing.push('definition_of_done');
+    return missing;
+}
+/**
+ * Create an UNPUBLISHED draft (internal build_task) from a non-terminal proposal and record the
+ * source-proposal ↔ draft link. Does NOT mark the proposal 'converted' (acceptance happens at publish).
+ * Returns the new draft task id.
+ */
+export function createDraftFromProposal(db, a) {
+    // 1) proposal must exist + be non-terminal (only new / needs_info → draft). Pre-check before creating anything.
+    const prop = db.prepare('SELECT id, status FROM task_proposals WHERE id = ?').get(a.proposalId);
+    if (!prop)
+        return { error: 'proposal not found', error_code: 'PROPOSAL_NOT_FOUND' };
+    if (prop.status === 'rejected' || prop.status === 'converted')
+        return { error: `proposal already ${prop.status}`, error_code: 'PROPOSAL_TERMINAL' };
+    // one draft per proposal (without using a terminal proposal status as the guard)
+    const existingLink = db.prepare('SELECT task_id FROM task_proposal_draft_links WHERE proposal_id = ?').get(a.proposalId);
+    if (existingLink)
+        return { error: `a task draft already exists for this proposal (${existingLink.task_id})`, error_code: 'PROPOSAL_HAS_DRAFT' };
+    // draft risk stays low/medium (high/critical metadata rules are out of scope for this PR)
+    const riskLevel = (a.riskLevel === 'medium') ? 'medium' : 'low';
+    if (a.riskLevel && !RISK_LEVELS.includes(a.riskLevel))
+        return { error: 'invalid risk_level', error_code: 'BAD_RISK_LEVEL' };
+    if (a.riskLevel === 'high' || a.riskLevel === 'critical')
+        return { error: 'draft risk_level must be low or medium (high/critical deferred)', error_code: 'RISK_TOO_HIGH_FOR_DRAFT' };
+    const taskType = (a.taskType && TASK_TYPES.includes(a.taskType)) ? a.taskType : 'other';
+    // 2) assemble the agent-handoff fields and VALIDATE completeness BEFORE creating anything — the existing
+    //    task model requires these to be executable, so we never create an incomplete/orphan task.
+    const allowed = strList(a.allowedPaths);
+    const prohibited = strList(a.forbiddenActions);
+    const accept = strList(a.acceptanceCriteria);
+    const verify = strList(a.verificationCommands);
+    const deliver = strList(a.deliverables);
+    const description = txt(a.description);
+    const dod = txt(a.definitionOfDone).slice(0, 1000);
+    const expected = (txt(a.expectedResults) || description).slice(0, 1000);
+    const missing = missingHandoff({ title: txt(a.title), description, allowed_paths: allowed, prohibited_actions: prohibited, acceptance_criteria: accept, verification_commands: verify, deliverables: deliver, expected_results: expected, definition_of_done: dod });
+    if (missing.length > 0)
+        return { error: `draft incomplete — provide: ${missing.join(', ')}`, error_code: 'DRAFT_INCOMPLETE', missing };
+    // 3) create the formal task via the trusted path (creator = admin → accountability)
+    const created = createBuildTask(db, { creatorId: a.adminId, title: a.title, area: a.area ?? undefined, description: a.description ?? undefined, rfcRef: a.sourceRef ?? undefined });
+    if ('error' in created)
+        return created;
+    const taskId = created.id;
+    // 4) attach agent_metadata as an INTERNAL draft (hidden + unclaimable via the existing read/participation
+    //    guards). auto_claimable defaults TRUE so once published the task enters the normal agent claim flow
+    //    (maintainer may opt human-only with autoClaimable:false). While audience='internal' it is unclaimable.
+    const caps = strList(a.requiredCapabilities);
+    if (caps.length === 0)
+        caps.push('general');
+    const meta = {
+        task_type: taskType,
+        source_ref: a.sourceRef ?? null,
+        allowed_paths: allowed,
+        forbidden_paths: strList(a.forbiddenPaths),
+        prohibited_actions: prohibited,
+        risk_level: riskLevel,
+        audience: 'internal',
+        agent_autonomy: 'human_in_the_loop',
+        auto_claimable: a.autoClaimable !== false,
+        required_capabilities: caps,
+        acceptance_criteria: accept,
+        verification_commands: verify,
+        expected_results: expected,
+        deliverables: deliver,
+        definition_of_done: dod,
+        estimated_duration_min_minutes: 0,
+        estimated_duration_max_minutes: 0,
+        estimated_context_size: 'small',
+        estimated_agent_budget: 'minimal',
+        value_state: 'uncommitted',
+        contribution_type: 'task',
+        accountable_party_required: true,
+    };
+    insertBuildTaskAgentMetadata(db, taskId, meta);
+    // 5) record the source-proposal ↔ draft link (accountability) — WITHOUT marking the proposal converted;
+    //    the proposal stays non-terminal until an explicit human publish.
+    db.prepare('INSERT INTO task_proposal_draft_links (task_id, proposal_id, created_by) VALUES (?,?,?)').run(taskId, a.proposalId, a.adminId);
+    return { draft_task_id: taskId };
+}
+/** Admin list of UNPUBLISHED drafts (internal, open) + their source proposal id (via the draft-link table). */
+export function listDraftBuildTasks(db) {
+    return db.prepare(`
+    SELECT t.id, t.title, t.area, t.description, t.rfc_ref, t.status, t.created_by, t.created_at,
+           m.risk_level, m.audience, m.auto_claimable,
+           l.proposal_id AS source_proposal_id
+    FROM build_tasks t
+    JOIN build_task_agent_metadata m ON m.task_id = t.id
+    LEFT JOIN task_proposal_draft_links l ON l.task_id = t.id
+    WHERE m.audience = 'internal' AND t.status = 'open'
+    ORDER BY t.created_at DESC LIMIT 200
+  `).all();
+}
+/**
+ * Validate that a draft carries enough agent-handoff info to be executed by another participant's agent.
+ * Returns the list of missing fields (empty = complete). Gate for publish — never publish an incomplete task.
+ */
+export function validateDraftForPublish(task, meta) {
+    return missingHandoff({
+        title: txt(task.title), description: txt(task.description),
+        allowed_paths: meta.allowed_paths ?? [], prohibited_actions: meta.prohibited_actions ?? [],
+        acceptance_criteria: meta.acceptance_criteria ?? [], verification_commands: meta.verification_commands ?? [],
+        deliverables: meta.deliverables ?? [], expected_results: txt(meta.expected_results), definition_of_done: txt(meta.definition_of_done),
+    });
+}
+/**
+ * PUBLISH a draft → audience 'public' (now on the board / claimable via the existing flow). Explicit
+ * human/admin action only; validates agent-handoff completeness first (never publishes an incomplete task).
+ * This is also where the source proposal is marked 'converted' (converted_ref=task id, reviewer=actor) —
+ * acceptance happens at publish, not at draft creation. The canonical repo / PR target is the protocol-wide
+ * canonical contribution target enforced by the existing submit path — it is not stored per-task.
+ *
+ * Evidence-chain guard: the linked proposal is validated BEFORE anything is published. If it was rejected (or
+ * converted to a different task) since draft creation, publish is refused (409) and the task stays internal —
+ * so a public, claimable task can never coexist with a rejected source proposal. The audience flip + proposal
+ * conversion run in one transaction (both or neither).
+ */
+export function publishDraftBuildTask(db, taskId, adminId) {
+    const meta = getBuildTaskAgentMetadata(db, taskId);
+    if (!meta)
+        return { error: 'task has no draft metadata', error_code: 'NOT_A_DRAFT' };
+    if (meta.audience !== 'internal')
+        return { error: 'task is not an internal draft', error_code: 'NOT_DRAFT_AUDIENCE' };
+    const t = db.prepare('SELECT status, title, description FROM build_tasks WHERE id = ?').get(taskId);
+    if (!t)
+        return { error: 'task not found', error_code: 'NOT_FOUND' };
+    const missing = validateDraftForPublish(t, meta);
+    if (missing.length > 0)
+        return { error: `draft incomplete — fill before publish: ${missing.join(', ')}`, error_code: 'DRAFT_INCOMPLETE', missing };
+    // validate the linked proposal FIRST — do not publish on top of a rejected / elsewhere-converted proposal.
+    const link = db.prepare('SELECT proposal_id FROM task_proposal_draft_links WHERE task_id = ?').get(taskId);
+    let proposalToConvert = null;
+    if (link) {
+        const prop = db.prepare('SELECT status, converted_ref FROM task_proposals WHERE id = ?').get(link.proposal_id);
+        if (prop) {
+            if (prop.status === 'rejected')
+                return { error: 'source proposal was rejected — cannot publish', error_code: 'PROPOSAL_REJECTED' };
+            if (prop.status === 'converted' && prop.converted_ref !== taskId)
+                return { error: 'source proposal already converted to a different task', error_code: 'PROPOSAL_CONVERTED_ELSEWHERE' };
+            if (prop.status === 'new' || prop.status === 'needs_info')
+                proposalToConvert = link.proposal_id;
+        }
+    }
+    // all validation passed → publish atomically: flip audience + (if applicable) mark the proposal converted.
+    db.transaction(() => {
+        setBuildTaskAudience(db, taskId, 'public');
+        logTaskEvent(db, taskId, adminId, t.status, t.status, 'published from draft (audience → public)');
+        if (proposalToConvert) {
+            const rv = reviewTaskProposal(db, proposalToConvert, adminId, 'converted', `published as formal task ${taskId}`, taskId);
+            if ('error' in rv)
+                throw new Error(`proposal conversion failed: ${rv.code}`); // rollback the audience flip
+        }
+    })();
+    return { ok: true, task_id: taskId };
+}

package/dist/pwa/admin-bearer-auth.js

@@ -0,0 +1,21 @@
+export function resolveBearerProtocolAdmin(db, req, isProtocolAdmin) {
+    const authz = req?.headers?.authorization;
+    if (typeof authz !== 'string' || !authz.startsWith('Bearer '))
+        return null; // Bearer only — NOT req.body.api_key
+    const key = authz.slice('Bearer '.length).trim();
+    if (!key)
+        return null;
+    const u = db.prepare('SELECT * FROM users WHERE api_key = ?').get(key);
+    if (!u)
+        return null;
+    const mod = db.prepare('SELECT suspended FROM user_moderation WHERE user_id = ?').get(u.id);
+    if (mod?.suspended)
+        return null; // suspended admin cannot approve
+    const session = db.prepare('SELECT revoked_at FROM user_sessions WHERE api_key = ? ORDER BY created_at DESC LIMIT 1')
+        .get(key);
+    if (session?.revoked_at)
+        return null; // remotely logged-out session cannot approve
+    if (!isProtocolAdmin(u))
+        return null; // admin role + protocol permission (caller-supplied, central logic)
+    return u;
+}

package/dist/pwa/email-delivery.js

@@ -0,0 +1,127 @@
+const DEFAULT_FROM = 'WebAZ <noreply@webaz.xyz>';
+const DEFAULT_BASE_URL = 'https://webaz.xyz';
+export function emailDeliveryNotConfigured() {
+    return {
+        ok: false,
+        status: 503,
+        error_code: 'EMAIL_DELIVERY_NOT_CONFIGURED',
+        error: '邮箱发送服务未配置，请稍后再试',
+    };
+}
+export function emailDeliveryFailed() {
+    return {
+        ok: false,
+        status: 502,
+        error_code: 'EMAIL_DELIVERY_FAILED',
+        error: '验证码邮件发送失败，请稍后再试',
+    };
+}
+function isProtectedEmailEnv(env) {
+    return env.NODE_ENV === 'production'
+        || !!env.RAILWAY_ENVIRONMENT
+        || !!env.RAILWAY_PROJECT_ID
+        || !!env.RAILWAY_SERVICE_ID;
+}
+export function isVerificationEmailReady(env = process.env) {
+    if (!isProtectedEmailEnv(env))
+        return true;
+    return !!env.RESEND_API_KEY?.trim();
+}
+function purposeText(purpose) {
+    if (purpose === 'register')
+        return { zh: '注册账户（验证邮箱）', en: 'register your account (verify email)' };
+    if (purpose === 'bind_email')
+        return { zh: '绑定邮箱', en: 'bind your email address' };
+    if (purpose === 'recover_key')
+        return { zh: '找回密钥', en: 'recover your account key' };
+    if (purpose.startsWith('withdraw_confirm'))
+        return { zh: '确认提现', en: 'confirm a withdrawal' };
+    return { zh: '验证身份', en: 'verify your identity' };
+}
+function escapeHtml(s) {
+    return s.replace(/[&<>"']/g, c => ({
+        '&': '&amp;',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': '&quot;',
+        "'": '&#39;',
+    }[c] || c));
+}
+export function buildVerificationEmail(input) {
+    const purpose = purposeText(input.purpose);
+    const baseUrl = input.baseUrl?.trim() || DEFAULT_BASE_URL;
+    const subject = 'WebAZ 验证码 / Verification code';
+    const text = [
+        `WebAZ 验证码: ${input.code}`,
+        '',
+        `用途: ${purpose.zh}`,
+        `有效期: ${input.ttlMin} 分钟`,
+        '',
+        `Your WebAZ verification code is ${input.code}.`,
+        `Use it to ${purpose.en}. It expires in ${input.ttlMin} minutes.`,
+        '',
+        'If you did not request this code, you can ignore this email.',
+        baseUrl,
+    ].join('\n');
+    const html = [
+        '<div style="font-family:system-ui,-apple-system,Segoe UI,sans-serif;line-height:1.5;color:#111827">',
+        '<h2 style="margin:0 0 12px">WebAZ verification code</h2>',
+        `<p style="margin:0 0 8px">用途: ${escapeHtml(purpose.zh)} / ${escapeHtml(purpose.en)}</p>`,
+        `<p style="font-size:28px;font-weight:700;letter-spacing:4px;margin:16px 0">${escapeHtml(input.code)}</p>`,
+        `<p style="margin:0 0 8px">有效期 ${input.ttlMin} 分钟 / Expires in ${input.ttlMin} minutes.</p>`,
+        '<p style="margin:16px 0 0;color:#6b7280">If you did not request this code, you can ignore this email.</p>',
+        `<p style="margin:16px 0 0"><a href="${escapeHtml(baseUrl)}">${escapeHtml(baseUrl)}</a></p>`,
+        '</div>',
+    ].join('');
+    return { subject, text, html };
+}
+export async function deliverVerificationCode(input) {
+    const env = input.env || process.env;
+    const logger = input.logger || console;
+    if (!isProtectedEmailEnv(env)) {
+        logger.log(`[verify] ${input.purpose} -> ${input.target}  code=${input.code}  (expires ${input.ttlMin}min)`);
+        return { ok: true, provider: 'dev_console' };
+    }
+    const apiKey = env.RESEND_API_KEY?.trim();
+    if (!apiKey)
+        return emailDeliveryNotConfigured();
+    const fetchImpl = input.fetchImpl || globalThis.fetch;
+    if (!fetchImpl)
+        return emailDeliveryNotConfigured();
+    const baseUrl = env.WEBAZ_PUBLIC_URL?.trim() || env.PUBLIC_BASE_URL?.trim() || DEFAULT_BASE_URL;
+    const email = buildVerificationEmail({
+        code: input.code,
+        purpose: input.purpose,
+        ttlMin: input.ttlMin,
+        baseUrl,
+    });
+    const body = {
+        from: env.EMAIL_FROM?.trim() || DEFAULT_FROM,
+        to: [input.target],
+        subject: email.subject,
+        text: email.text,
+        html: email.html,
+    };
+    const replyTo = env.EMAIL_REPLY_TO?.trim();
+    if (replyTo)
+        body.reply_to = replyTo;
+    try {
+        const response = await fetchImpl('https://api.resend.com/emails', {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${apiKey}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify(body),
+        });
+        if (!response.ok) {
+            logger.warn(`[verify] resend delivery failed: status=${response.status} purpose=${input.purpose}`);
+            return emailDeliveryFailed();
+        }
+        return { ok: true, provider: 'resend' };
+    }
+    catch {
+        logger.warn(`[verify] resend delivery failed: network purpose=${input.purpose}`);
+        return emailDeliveryFailed();
+    }
+}