@seasonkoh/webaz 0.1.7 → 0.1.9

package/dist/pwa/routes/admin-users-query.js

@@ -0,0 +1,390 @@
+export function registerAdminUsersQueryRoutes(app, deps) {
+    const { db, requireUsersAdmin, adminCanOperateOn, isRootAdmin, isAllowedSponsor, maskApiKey, computeLightTags, getAdminScope, getSellerDailyLimit, todayStartISO, broadcastSystemEvent, INTERNAL_AUDITOR_ID } = deps;
+    // P1-1: 按 handle / id 任意角色查找
+    app.get('/api/admin/users/lookup', (req, res) => {
+        const admin = requireUsersAdmin(req, res);
+        if (!admin)
+            return;
+        const raw = String(req.query.q || '').trim();
+        if (!raw)
+            return void res.status(400).json({ error: 'q 必填（user_id 或 handle）' });
+        const term = raw.replace(/^@/, '');
+        let user = db.prepare("SELECT id, name, handle, role, created_at FROM users WHERE handle = ? AND id NOT IN ('sys_protocol', ?)").get(term, INTERNAL_AUDITOR_ID);
+        if (!user)
+            user = db.prepare("SELECT id, name, handle, role, created_at FROM users WHERE id = ? AND id NOT IN ('sys_protocol', ?)").get(term, INTERNAL_AUDITOR_ID);
+        if (!user)
+            return void res.status(404).json({ error: '用户不存在' });
+        res.json({ user });
+    });
+    // Wave F-3: 完整事件流
+    app.get('/api/admin/users/:id/timeline', (req, res) => {
+        const admin = requireUsersAdmin(req, res);
+        if (!admin)
+            return;
+        const id = req.params.id;
+        const limit = Math.min(500, Math.max(10, Number(req.query.limit) || 100));
+        const events = [];
+        const push = (ts, type, icon, summary, refId, refType, amount) => {
+            if (!ts)
+                return;
+            events.push({ ts, type, icon, summary, ref_id: refId || null, ref_type: refType || null, amount: amount ?? null });
+        };
+        db.prepare(`SELECT id, status, total_amount, created_at, buyer_id, seller_id, logistics_id FROM orders WHERE buyer_id=? OR seller_id=? OR logistics_id=? ORDER BY created_at DESC LIMIT 100`).all(id, id, id).forEach(o => {
+            const role = o.buyer_id === id ? '买家' : o.seller_id === id ? '卖家' : '物流';
+            push(o.created_at, 'order', '📦', `订单 (${role}) ${o.id} · ${o.total_amount} WAZ · ${o.status}`, o.id, 'order', o.total_amount);
+        });
+        db.prepare(`SELECT order_id, stars, comment, created_at, buyer_id, seller_id FROM order_ratings WHERE buyer_id=? OR seller_id=? ORDER BY created_at DESC LIMIT 50`).all(id, id).forEach(r => {
+            const role = r.buyer_id === id ? '给出' : '收到';
+            push(r.created_at, 'rating', '⭐', `${role} ${r.stars} 星评价 (订单 ${r.order_id})`, r.order_id, 'order');
+        });
+        db.prepare(`SELECT id, order_id, reason, refund_amount, status, created_at, buyer_id, seller_id FROM return_requests WHERE buyer_id=? OR seller_id=? ORDER BY created_at DESC LIMIT 50`).all(id, id).forEach(r => {
+            const role = r.buyer_id === id ? '发起' : '收到';
+            push(r.created_at, 'return', '↩', `${role} 退货 (${r.status}, ${r.refund_amount} WAZ, ${r.reason})`, r.order_id, 'order', r.refund_amount);
+        });
+        db.prepare(`SELECT id, category, subject, status, created_at FROM feedback_tickets WHERE user_id=? ORDER BY created_at DESC LIMIT 30`).all(id).forEach(f => {
+            push(f.created_at, 'feedback', '💬', `反馈 (${f.category}/${f.status}): ${f.subject}`, f.id, 'feedback');
+        });
+        db.prepare(`SELECT checkin_date, reward, streak, created_at FROM daily_checkins WHERE user_id=? ORDER BY created_at DESC LIMIT 30`).all(id).forEach(c => {
+            push(c.created_at, 'checkin', '📅', `签到 ${c.checkin_date} · streak ${c.streak} · +${c.reward} WAZ`, null, null, c.reward);
+        });
+        db.prepare(`SELECT task_key, reward, claimed_at FROM task_completions WHERE user_id=? AND claimed_at IS NOT NULL ORDER BY claimed_at DESC LIMIT 30`).all(id).forEach(tc => {
+            push(tc.claimed_at, 'task', '🎁', `任务 ${tc.task_key} 领取 +${tc.reward} WAZ`, null, null, tc.reward);
+        });
+        db.prepare(`SELECT amount, source, ref, created_at FROM platform_reward_log WHERE user_id=? ORDER BY created_at DESC LIMIT 50`).all(id).forEach(p => {
+            push(p.created_at, 'reward', '💰', `平台拨付 (${p.source}${p.ref ? '/' + p.ref : ''}) +${p.amount} WAZ`, null, null, p.amount);
+        });
+        db.prepare(`SELECT followee_id, created_at FROM follows WHERE follower_id=? ORDER BY created_at DESC LIMIT 20`).all(id).forEach(f => {
+            push(f.created_at, 'follow', '🤝', `关注 ${f.followee_id}`, f.followee_id, 'user');
+        });
+        db.prepare(`SELECT product_id, created_at FROM user_wishlist WHERE user_id=? ORDER BY created_at DESC LIMIT 20`).all(id).forEach(w => {
+            push(w.created_at, 'wishlist', '❤', `加入心愿单 ${w.product_id}`, w.product_id, 'product');
+        });
+        db.prepare(`SELECT product_id, created_at FROM product_waitlist WHERE user_id=? ORDER BY created_at DESC LIMIT 20`).all(id).forEach(w => {
+            push(w.created_at, 'waitlist', '⏰', `加入补货提醒 ${w.product_id}`, w.product_id, 'product');
+        });
+        db.prepare(`SELECT id, status, ruling_type, created_at, resolved_at, initiator_id, defendant_id FROM disputes WHERE initiator_id=? OR defendant_id=? ORDER BY created_at DESC LIMIT 30`).all(id, id).forEach(d => {
+            const role = d.initiator_id === id ? '发起' : '被诉';
+            push(d.created_at, 'dispute_open', '⚖', `${role} 争议 ${d.id} (${d.status})`, d.id, 'dispute');
+            if (d.resolved_at)
+                push(d.resolved_at, 'dispute_resolved', '⚖', `争议 ${d.id} 结案 (${d.ruling_type || '—'})`, d.id, 'dispute');
+        });
+        const userRow = db.prepare(`SELECT created_at, name, role FROM users WHERE id=?`).get(id);
+        if (userRow)
+            push(userRow.created_at, 'register', '🎉', `注册账号 ${userRow.name} (${userRow.role})`, null, null);
+        events.sort((a, b) => String(b.ts).localeCompare(String(a.ts)));
+        res.json({ items: events.slice(0, limit), total: events.length });
+    });
+    app.post('/api/admin/users/batch-action', (req, res) => {
+        const admin = requireUsersAdmin(req, res);
+        if (!admin)
+            return;
+        const { user_ids, action, reason } = req.body || {};
+        if (!Array.isArray(user_ids) || user_ids.length === 0)
+            return void res.status(400).json({ error: 'user_ids 必填' });
+        if (user_ids.length > 200)
+            return void res.status(400).json({ error: '单次最多 200 用户' });
+        if (!['suspend', 'unsuspend'].includes(String(action)))
+            return void res.status(400).json({ error: 'action 必须 suspend/unsuspend' });
+        const reasonStr = action === 'suspend' ? (reason ? String(reason).slice(0, 200) : 'admin 批量暂停') : null;
+        const results = [];
+        for (const uid of user_ids) {
+            try {
+                if (uid === 'sys_protocol' || uid === admin.id) {
+                    results.push({ user_id: uid, status: 'skipped', reason: '保留账户或自己' });
+                    continue;
+                }
+                if (action === 'suspend') {
+                    db.prepare(`INSERT INTO user_moderation (user_id, suspended, reason, suspended_by, suspended_at)
+            VALUES (?, 1, ?, ?, datetime('now'))
+            ON CONFLICT(user_id) DO UPDATE SET suspended = 1, reason = excluded.reason, suspended_by = excluded.suspended_by, suspended_at = excluded.suspended_at`)
+                        .run(uid, reasonStr, admin.id);
+                }
+                else {
+                    db.prepare(`UPDATE user_moderation SET suspended = 0 WHERE user_id = ?`).run(uid);
+                }
+                results.push({ user_id: uid, status: 'ok' });
+            }
+            catch (e) {
+                results.push({ user_id: uid, status: 'skipped', reason: e.message });
+            }
+        }
+        const ok = results.filter(r => r.status === 'ok').length;
+        try {
+            broadcastSystemEvent('admin_bulk_' + action, '🛡', `${admin.id} 批量${action === 'suspend' ? '暂停' : '解封'} ${ok} 用户`, null);
+        }
+        catch { }
+        res.json({ success: true, applied: ok, results });
+    });
+    app.get('/api/admin/users', (req, res) => {
+        const admin = requireUsersAdmin(req, res);
+        if (!admin)
+            return;
+        const q = req.query.q?.trim();
+        const role = req.query.role?.trim();
+        const type = req.query.type?.trim();
+        const region = req.query.region?.trim();
+        let sql = `SELECT u.id, u.name, u.role, u.roles, u.email, u.email_verified, u.created_at, u.failed_attempts,
+                u.region, u.admin_type, u.admin_scope,
+                COALESCE(m.suspended,0) as suspended, m.reason as suspend_reason,
+                vw.tier as v_tier, vw.is_system as v_is_system,
+                (SELECT 1 FROM verifier_applications va WHERE va.user_id = u.id AND va.status='pending' LIMIT 1) as v_app_pending
+               FROM users u
+               LEFT JOIN user_moderation m       ON m.user_id  = u.id
+               LEFT JOIN verifier_whitelist vw   ON vw.user_id = u.id
+               WHERE u.id NOT IN ('sys_protocol', ?)`;
+        const params = [INTERNAL_AUDITOR_ID];
+        let match_mode = null;
+        if (q) {
+            if (q.startsWith('usr_')) {
+                sql += ` AND u.id = ?`;
+                params.push(q);
+                match_mode = 'id';
+            }
+            else if (q.includes('@')) {
+                sql += ` AND u.email = ?`;
+                params.push(q.toLowerCase());
+                match_mode = 'email';
+            }
+            else {
+                const qE = String(q).replace(/[\\%_]/g, '\\$&');
+                sql += ` AND u.name LIKE ? ESCAPE '\\'`;
+                params.push(`%${qE}%`);
+                match_mode = 'name';
+            }
+        }
+        if (role) {
+            sql += ` AND u.role = ?`;
+            params.push(role);
+        }
+        if (type === 'internal') {
+            sql += ` AND u.role IN ('admin','verifier','logistics','arbitrator')`;
+        }
+        else if (type === 'external') {
+            sql += ` AND u.role IN ('buyer','seller')`;
+        }
+        if (region) {
+            sql += ` AND u.region = ?`;
+            params.push(region);
+        }
+        // 区域 admin 仅看自己 scope 内的用户
+        if (!isRootAdmin(admin)) {
+            const scope = getAdminScope(admin);
+            if (scope !== 'global') {
+                sql += ` AND u.region = ?`;
+                params.push(scope);
+            }
+        }
+        sql += ` ORDER BY u.created_at DESC LIMIT 100`;
+        const rows = db.prepare(sql).all(...params);
+        res.json({
+            match_mode,
+            my_admin_type: admin.admin_type || 'root',
+            my_admin_scope: admin.admin_scope || 'global',
+            users: rows.map(r => {
+                const mod = { suspended: Number(r.suspended) };
+                const vw = r.v_tier ? { tier: r.v_tier, is_system: Number(r.v_is_system) } : null;
+                const vAppPending = !!r.v_app_pending;
+                return {
+                    id: r.id,
+                    name: r.name,
+                    role: r.role,
+                    roles: (() => { try {
+                        return JSON.parse(r.roles || '[]');
+                    }
+                    catch {
+                        return [];
+                    } })(),
+                    email: r.email,
+                    email_verified: !!r.email_verified,
+                    region: r.region,
+                    admin_type: r.admin_type,
+                    admin_scope: r.admin_scope,
+                    created_at: r.created_at,
+                    suspended: !!r.suspended,
+                    suspend_reason: r.suspend_reason,
+                    tags: computeLightTags(r, mod, vw, vAppPending),
+                };
+            }),
+        });
+    });
+    // 完整档案聚合
+    app.get('/api/admin/users/:id/profile', (req, res) => {
+        const admin = requireUsersAdmin(req, res);
+        if (!admin)
+            return;
+        if (!adminCanOperateOn(admin, req.params.id, res))
+            return;
+        const id = req.params.id;
+        const user = db.prepare("SELECT * FROM users WHERE id = ?").get(id);
+        if (!user)
+            return void res.json({ error: '用户不存在' });
+        const wallet = db.prepare("SELECT balance, staked, escrowed, earned, deposit_address FROM wallets WHERE user_id = ?").get(id);
+        const mod = db.prepare("SELECT suspended, reason, suspended_by, suspended_at FROM user_moderation WHERE user_id = ?").get(id);
+        const vw = db.prepare("SELECT tier, daily_quota, tasks_today, quota_reset_at, granted_by, stake_amount, cooldown_until, error_count_180d, is_system, added_at FROM verifier_whitelist WHERE user_id = ?").get(id);
+        const vs = db.prepare("SELECT verify_rights, tasks_done, tasks_correct, tasks_wrong, suspended_until FROM verifier_stats WHERE user_id = ?").get(id);
+        const vAppPending = !!db.prepare("SELECT 1 FROM verifier_applications WHERE user_id = ? AND status='pending' LIMIT 1").get(id);
+        const roleSet = new Set((() => { try {
+            return JSON.parse(user.roles || '[]');
+        }
+        catch {
+            return [];
+        } })());
+        const kpis = {};
+        if (roleSet.has('seller')) {
+            const p = db.prepare(`SELECT COUNT(*) as total,
+                                   SUM(CASE WHEN status='active' THEN 1 ELSE 0 END) as active,
+                                   SUM(CASE WHEN status='paused' THEN 1 ELSE 0 END) as paused,
+                                   SUM(CASE WHEN status='deleted'THEN 1 ELSE 0 END) as deleted
+                            FROM products WHERE seller_id = ?`).get(id);
+            const o = db.prepare(`SELECT COUNT(*) as total,
+                                   SUM(CASE WHEN status='completed' THEN 1 ELSE 0 END) as completed,
+                                   COALESCE(SUM(CASE WHEN status='completed' THEN total_amount ELSE 0 END),0) as total_sales
+                            FROM orders WHERE seller_id = ?`).get(id);
+            const d = db.prepare(`SELECT COUNT(*) as defendant_count,
+                                   SUM(CASE WHEN ruling_type IN ('refund_buyer','partial_refund') THEN 1 ELSE 0 END) as lost
+                            FROM disputes WHERE defendant_id = ?`).get(id);
+            const today = todayStartISO();
+            const todayCount = db.prepare("SELECT COUNT(*) as n FROM products WHERE seller_id = ? AND created_at >= ?").get(id, today).n;
+            const dailyLimit = getSellerDailyLimit({ id, created_at: user.created_at });
+            kpis.seller = {
+                products_total: p.total, products_active: p.active, products_paused: p.paused, products_deleted: p.deleted,
+                orders_total: o.total, orders_completed: o.completed, total_sales: o.total_sales,
+                disputes_as_defendant: d.defendant_count, disputes_lost: d.lost,
+                max_products: Number(user.max_products ?? 200),
+                daily_limit: dailyLimit, daily_used: todayCount,
+                listing_paused: !!user.listing_paused,
+                listing_paused_reason: user.listing_paused_reason ?? null,
+            };
+        }
+        if (roleSet.has('buyer')) {
+            const o = db.prepare(`SELECT COUNT(*) as total,
+                                   SUM(CASE WHEN status='completed' THEN 1 ELSE 0 END) as completed,
+                                   COALESCE(SUM(CASE WHEN status='completed' THEN total_amount ELSE 0 END),0) as total_spent,
+                                   MAX(created_at) as last_order_at
+                            FROM orders WHERE buyer_id = ?`).get(id);
+            kpis.buyer = {
+                orders_total: o.total, orders_completed: o.completed,
+                total_spent: o.total_spent, last_order_at: o.last_order_at,
+            };
+        }
+        if (roleSet.has('logistics')) {
+            const o = db.prepare(`SELECT COUNT(*) as total,
+                                   SUM(CASE WHEN status='completed' THEN 1 ELSE 0 END) as completed
+                            FROM orders WHERE logistics_id = ?`).get(id);
+            kpis.logistics = { deliveries_total: o.total, deliveries_completed: o.completed };
+        }
+        if (roleSet.has('verifier') && vw) {
+            const accuracy = (vs && vs.tasks_done > 0)
+                ? Number(vs.tasks_correct / vs.tasks_done).toFixed(3) : '—';
+            kpis.verifier = {
+                tier: vw.tier, daily_quota: vw.daily_quota, tasks_today: vw.tasks_today,
+                remaining: Number(vw.daily_quota) > 0 ? Math.max(0, Number(vw.daily_quota) - Number(vw.tasks_today)) : 0,
+                tasks_done: vs?.tasks_done ?? 0, tasks_correct: vs?.tasks_correct ?? 0,
+                accuracy, error_count_180d: vw.error_count_180d,
+                verify_rights: vs?.verify_rights ?? 0,
+                suspended_until: vs?.suspended_until, cooldown_until: vw.cooldown_until,
+                is_system: vw.is_system === 1,
+            };
+        }
+        const tags = computeLightTags(user, mod ? { suspended: Number(mod.suspended) } : null, vw ? { tier: vw.tier, is_system: Number(vw.is_system) } : null, vAppPending);
+        if (wallet && Number(wallet.balance) > 1000)
+            tags.push('high_balance');
+        // 最近活动
+        const events = [];
+        const pushEvt = (ts, type, icon, summary, refId, refType) => {
+            if (!ts)
+                return;
+            events.push({ ts, type, icon, summary, ref_id: refId, ref_type: refType });
+        };
+        db.prepare(`SELECT id, total_amount, product_id, status, created_at FROM orders WHERE buyer_id = ? ORDER BY created_at DESC LIMIT 10`).all(id).forEach(o => pushEvt(o.created_at, 'order_buy', '🛒', `下单 ${o.total_amount} WAZ (${o.status})`, o.id, 'order'));
+        db.prepare(`SELECT id, total_amount, status, created_at FROM orders WHERE seller_id = ? ORDER BY created_at DESC LIMIT 10`).all(id).forEach(o => pushEvt(o.created_at, 'order_sell', '💰', `售出 ${o.total_amount} WAZ (${o.status})`, o.id, 'order'));
+        db.prepare(`SELECT id, title, status, created_at FROM products WHERE seller_id = ? ORDER BY created_at DESC LIMIT 10`).all(id).forEach(p => pushEvt(p.created_at, 'product_listed', '🏪', `上架商品 ${(p.title || '').slice(0, 30)}`, p.id, 'product'));
+        db.prepare(`SELECT id, task_id, verdict, claimed_at, submitted_at FROM verify_submissions WHERE verifier_id = ? ORDER BY claimed_at DESC LIMIT 10`).all(id).forEach(s => {
+            pushEvt(s.claimed_at, 'verify_claimed', '🔍', `认领验证任务`, s.task_id, 'task');
+            if (s.submitted_at) {
+                const icon = s.verdict === 'correct' ? '✓' : s.verdict === 'wrong' ? '✗' : '⏳';
+                pushEvt(s.submitted_at, 'verify_submitted', icon, `提交验证 (${s.verdict || 'pending'})`, s.task_id, 'task');
+            }
+        });
+        db.prepare(`SELECT id, status, ruling_type, created_at, resolved_at, initiator_id, defendant_id FROM disputes WHERE initiator_id = ? OR defendant_id = ? ORDER BY created_at DESC LIMIT 10`).all(id, id).forEach(d => {
+            const role = d.initiator_id === id ? '发起' : '被告';
+            pushEvt(d.created_at, 'dispute_init', '⚖', `争议 ${role} (${d.status})`, d.id, 'dispute');
+            if (d.resolved_at)
+                pushEvt(d.resolved_at, 'dispute_resolved', '⚖', `争议结案 (${d.ruling_type || '—'})`, d.id, 'dispute');
+        });
+        db.prepare(`SELECT id, status, decision_note, applied_at, reviewed_at FROM verifier_applications WHERE user_id = ? ORDER BY applied_at DESC LIMIT 5`).all(id).forEach(a => {
+            pushEvt(a.applied_at, 'verifier_apply', '📥', `提交审核员申请`, a.id, 'verifier_app');
+            if (a.reviewed_at)
+                pushEvt(a.reviewed_at, 'verifier_review', a.status === 'approved' ? '✅' : '❌', `申请${a.status === 'approved' ? '获批' : a.status === 'rejected' ? '被拒' : a.status}`, a.id, 'verifier_app');
+        });
+        db.prepare(`SELECT id, status, created_at, reviewed_at FROM verifier_appeals WHERE user_id = ? ORDER BY created_at DESC LIMIT 5`).all(id).forEach(a => {
+            pushEvt(a.created_at, 'appeal_submitted', '📩', `提交申诉`, a.id, 'appeal');
+            if (a.reviewed_at)
+                pushEvt(a.reviewed_at, 'appeal_decided', a.status === 'accepted' ? '✅' : '❌', `申诉${a.status === 'accepted' ? '成立' : '驳回'}`, a.id, 'appeal');
+        });
+        events.sort((a, b) => (a.ts < b.ts ? 1 : a.ts > b.ts ? -1 : 0));
+        const activity = events.slice(0, 20);
+        // 风险信号
+        const risks = [];
+        const failedAttempts = Number(user.failed_attempts ?? 0);
+        if (failedAttempts >= 3)
+            risks.push({ severity: 'medium', label: '近期多次登录失败', detail: `${failedAttempts} 次` });
+        if (user.locked_until && new Date(user.locked_until).getTime() > Date.now()) {
+            risks.push({ severity: 'high', label: '账户已锁定', detail: `解锁: ${user.locked_until}` });
+        }
+        const openDisputes = db.prepare("SELECT COUNT(*) as n FROM disputes WHERE defendant_id = ? AND status IN ('open','in_review')").get(id).n;
+        if (openDisputes > 0)
+            risks.push({ severity: 'medium', label: '未结争议作为被告', detail: `${openDisputes} 起` });
+        const lostCount = db.prepare("SELECT COUNT(*) as n FROM disputes WHERE defendant_id = ? AND ruling_type IN ('refund_buyer','partial_refund')").get(id).n;
+        if (lostCount > 0)
+            risks.push({ severity: 'low', label: '历史仲裁判输', detail: `${lostCount} 次` });
+        if (wallet && Number(wallet.staked) > Number(wallet.balance) * 2) {
+            risks.push({ severity: 'low', label: '钱包大额锁定', detail: `锁定 ${Number(wallet.staked).toFixed(2)} / 余 ${Number(wallet.balance).toFixed(2)}` });
+        }
+        if (vw && Number(vw.error_count_180d) >= 1 && !vw.is_system) {
+            const ec = Number(vw.error_count_180d);
+            risks.push({ severity: ec >= 2 ? 'high' : 'medium', label: '审核员近期错误', detail: `180 天 ${ec} 次` });
+        }
+        const audit = db.prepare(`
+      SELECT al.id, al.admin_id, al.action, al.detail, al.created_at,
+             u.name as admin_name
+      FROM admin_audit_log al
+      LEFT JOIN users u ON u.id = al.admin_id
+      WHERE al.target_type = 'user' AND al.target_id = ?
+      ORDER BY al.created_at DESC LIMIT 20
+    `).all(id).map(r => ({
+            ...r,
+            detail: r.detail ? (() => { try {
+                return JSON.parse(r.detail);
+            }
+            catch {
+                return r.detail;
+            } })() : null,
+        }));
+        res.json({
+            basic: {
+                id: user.id, name: user.name,
+                role: user.role,
+                roles: Array.from(roleSet),
+                api_key_masked: maskApiKey(user.api_key),
+                created_at: user.created_at, updated_at: user.updated_at,
+                email: user.email, email_verified: !!user.email_verified,
+                phone: user.phone, phone_verified: !!user.phone_verified,
+                has_password: !!user.password_hash,
+                reputation: user.reputation,
+                failed_attempts: user.failed_attempts ?? 0,
+                locked_until: user.locked_until,
+                mgmt_bonus_eligible: !!user.mgmt_bonus_eligible,
+                l1_share_override: Number(user.l1_share_override ?? 0),
+                can_l1_share: isAllowedSponsor(user.id),
+            },
+            wallet: wallet ?? null,
+            moderation: mod ?? null,
+            tags,
+            kpis,
+            activity,
+            risks,
+            audit,
+        });
+    });
+}

package/dist/pwa/routes/admin-verifier-flow.js

@@ -0,0 +1,126 @@
+export function registerAdminVerifierFlowRoutes(app, deps) {
+    const { db, requireVerifierMgmtAdmin, TIER_QUOTAS, VERIFIER_STAKE_REQUIRED, todayStartISO, logAdminAction } = deps;
+    app.get('/api/admin/verifier-applications', (req, res) => {
+        const admin = requireVerifierMgmtAdmin(req, res);
+        if (!admin)
+            return;
+        const status = req.query.status || 'pending';
+        const rows = db.prepare(`
+      SELECT va.id, va.user_id, va.status, va.applied_at, va.reviewed_at, va.reviewed_by, va.decision_note, va.snapshot,
+             u.name as user_name, u.email
+      FROM verifier_applications va
+      LEFT JOIN users u ON u.id = va.user_id
+      WHERE va.status = ?
+      ORDER BY va.applied_at DESC LIMIT 100
+    `).all(status);
+        res.json({
+            applications: rows.map(r => ({
+                ...r,
+                snapshot: r.snapshot ? (() => { try {
+                    return JSON.parse(r.snapshot);
+                }
+                catch {
+                    return r.snapshot;
+                } })() : null,
+            })),
+        });
+    });
+    app.post('/api/admin/verifier-applications/:id/approve', (req, res) => {
+        const admin = requireVerifierMgmtAdmin(req, res);
+        if (!admin)
+            return;
+        const { tier, note } = req.body;
+        const validTier = ['trial-1', 'trial-2', 'trial-3', 'active-1', 'active-2'].includes(tier) ? tier : 'trial-1';
+        const apl = db.prepare("SELECT id, user_id, status FROM verifier_applications WHERE id = ?").get(req.params.id);
+        if (!apl)
+            return void res.json({ error: '申请不存在' });
+        if (apl.status !== 'pending')
+            return void res.json({ error: '该申请不在待审状态' });
+        db.prepare("UPDATE verifier_applications SET status='approved', reviewed_at=datetime('now'), reviewed_by=?, decision_note=? WHERE id=?")
+            .run(admin.id, note || null, apl.id);
+        db.prepare(`INSERT OR REPLACE INTO verifier_whitelist
+                (user_id, note, tier, daily_quota, tasks_today, quota_reset_at, granted_by, stake_amount, is_system)
+                VALUES (?,?,?,?,0,?,?,?,0)`)
+            .run(apl.user_id, note || `批准为 ${validTier}`, validTier, TIER_QUOTAS[validTier], todayStartISO(), admin.id, VERIFIER_STAKE_REQUIRED);
+        db.prepare("INSERT OR IGNORE INTO verifier_stats (user_id) VALUES (?)").run(apl.user_id);
+        logAdminAction(admin.id, 'approve_verifier', 'user', apl.user_id, { tier: validTier, note });
+        res.json({ success: true });
+    });
+    app.post('/api/admin/verifier-applications/:id/reject', (req, res) => {
+        const admin = requireVerifierMgmtAdmin(req, res);
+        if (!admin)
+            return;
+        const { note } = req.body;
+        const apl = db.prepare("SELECT id, user_id, status FROM verifier_applications WHERE id = ?").get(req.params.id);
+        if (!apl)
+            return void res.json({ error: '申请不存在' });
+        if (apl.status !== 'pending')
+            return void res.json({ error: '该申请不在待审状态' });
+        db.prepare("UPDATE verifier_applications SET status='rejected', reviewed_at=datetime('now'), reviewed_by=?, decision_note=? WHERE id=?")
+            .run(admin.id, note || null, apl.id);
+        // 退回质押
+        if (VERIFIER_STAKE_REQUIRED > 0) {
+            db.prepare("UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?")
+                .run(VERIFIER_STAKE_REQUIRED, VERIFIER_STAKE_REQUIRED, apl.user_id);
+        }
+        logAdminAction(admin.id, 'reject_verifier', 'user', apl.user_id, { note });
+        res.json({ success: true });
+    });
+    app.get('/api/admin/verifier-appeals', (req, res) => {
+        const admin = requireVerifierMgmtAdmin(req, res);
+        if (!admin)
+            return;
+        const status = req.query.status || 'pending';
+        const rows = db.prepare(`
+      SELECT va.id, va.user_id, va.task_id, va.submission_id, va.reason, va.evidence_urls, va.status,
+             va.admin_note, va.reviewed_by, va.reviewed_at, va.created_at, u.name as user_name
+      FROM verifier_appeals va LEFT JOIN users u ON u.id = va.user_id
+      WHERE va.status = ?
+      ORDER BY va.created_at DESC LIMIT 100
+    `).all(status);
+        res.json({
+            appeals: rows.map(r => ({
+                ...r,
+                evidence_urls: r.evidence_urls ? (() => { try {
+                    return JSON.parse(r.evidence_urls);
+                }
+                catch {
+                    return [];
+                } })() : [],
+            })),
+        });
+    });
+    app.post('/api/admin/verifier-appeals/:id/decide', (req, res) => {
+        const admin = requireVerifierMgmtAdmin(req, res);
+        if (!admin)
+            return;
+        const { decision, note } = req.body; // 'accepted' | 'rejected'
+        if (!['accepted', 'rejected'].includes(decision))
+            return void res.json({ error: 'decision 无效' });
+        const appeal = db.prepare("SELECT id, user_id, status FROM verifier_appeals WHERE id = ?").get(req.params.id);
+        if (!appeal)
+            return void res.json({ error: '申诉不存在' });
+        if (appeal.status !== 'pending')
+            return void res.json({ error: '该申诉已处理' });
+        db.prepare("UPDATE verifier_appeals SET status = ?, admin_note = ?, reviewed_by = ?, reviewed_at = datetime('now') WHERE id = ?")
+            .run(decision, note || null, admin.id, appeal.id);
+        if (decision === 'accepted') {
+            // 解封 + 验证权 +2 + 错误次数 -1
+            db.prepare("UPDATE verifier_stats SET suspended_until = NULL, verify_rights = verify_rights + 2 WHERE user_id = ?").run(appeal.user_id);
+            db.prepare("UPDATE verifier_whitelist SET error_count_180d = MAX(0, error_count_180d - 1) WHERE user_id = ?").run(appeal.user_id);
+            // 完整重审：翻转该 verifier 在该 task 的 verdict + 补发奖励 + 翻回 stats
+            const fullAppeal = db.prepare("SELECT task_id FROM verifier_appeals WHERE id = ?").get(appeal.id);
+            if (fullAppeal?.task_id) {
+                const sub = db.prepare("SELECT vs.id, vs.verdict, vt.reward_per_verifier FROM verify_submissions vs JOIN verify_tasks vt ON vt.id = vs.task_id WHERE vs.task_id = ? AND vs.verifier_id = ?")
+                    .get(fullAppeal.task_id, appeal.user_id);
+                if (sub && sub.verdict === 'wrong') {
+                    db.prepare("UPDATE verify_submissions SET verdict = 'correct' WHERE id = ?").run(sub.id);
+                    db.prepare("UPDATE verifier_stats SET tasks_correct = tasks_correct + 1, tasks_wrong = MAX(0, tasks_wrong - 1), verify_rights = verify_rights + 3 WHERE user_id = ?").run(appeal.user_id);
+                    db.prepare("UPDATE wallets SET balance = balance + ? WHERE user_id = ?").run(sub.reward_per_verifier, appeal.user_id);
+                }
+            }
+        }
+        logAdminAction(admin.id, 'decide_appeal', 'user', appeal.user_id, { decision, note: note || null });
+        res.json({ success: true });
+    });
+}

package/dist/pwa/routes/admin-verifier-whitelist.js

@@ -0,0 +1,111 @@
+export function registerAdminVerifierWhitelistRoutes(app, deps) {
+    const { db, requireVerifierMgmtAdmin, adminCanOperateOn, logAdminAction, INTERNAL_AUDITOR_ID, TIER_QUOTAS, REVOKE_COOLDOWN_DAYS } = deps;
+    app.get('/api/admin/verifier-whitelist', (req, res) => {
+        const user = requireVerifierMgmtAdmin(req, res);
+        if (!user)
+            return;
+        const list = db.prepare(`
+      SELECT vw.user_id, vw.added_at, vw.note, u.name, u.role
+      FROM verifier_whitelist vw
+      JOIN users u ON u.id = vw.user_id
+      ORDER BY vw.added_at ASC
+    `).all();
+        res.json(list);
+    });
+    app.post('/api/admin/verifier-whitelist', (req, res) => {
+        const admin = requireVerifierMgmtAdmin(req, res);
+        if (!admin)
+            return;
+        const { user_id, name, note } = req.body;
+        let targetId = user_id;
+        if (!targetId && name) {
+            const found = db.prepare('SELECT id FROM users WHERE name = ?').get(name);
+            if (!found)
+                return void res.json({ error: `用户「${name}」不存在` });
+            targetId = found.id;
+        }
+        if (!targetId)
+            return void res.json({ error: '请提供 user_id 或 name' });
+        const target = db.prepare('SELECT id, name FROM users WHERE id = ?').get(targetId);
+        if (!target)
+            return void res.json({ error: '用户不存在' });
+        if (!adminCanOperateOn(admin, targetId, res))
+            return;
+        db.prepare('INSERT OR IGNORE INTO verifier_whitelist (user_id, note) VALUES (?, ?)').run(targetId, note ?? null);
+        res.json({ success: true, user_id: targetId, name: target.name });
+    });
+    app.delete('/api/admin/verifier-whitelist/:userId', (req, res) => {
+        const admin = requireVerifierMgmtAdmin(req, res);
+        if (!admin)
+            return;
+        const targetId = String(req.params.userId);
+        if (targetId === INTERNAL_AUDITOR_ID)
+            return void res.json({ error: '内部审核员不可移除' });
+        if (!adminCanOperateOn(admin, targetId, res))
+            return;
+        db.prepare('DELETE FROM verifier_whitelist WHERE user_id = ?').run(targetId);
+        res.json({ success: true });
+    });
+    app.post('/api/admin/verifier-whitelist/:userId/promote', (req, res) => {
+        const admin = requireVerifierMgmtAdmin(req, res);
+        if (!admin)
+            return;
+        if (!adminCanOperateOn(admin, req.params.userId, res))
+            return;
+        const { tier } = req.body;
+        if (!TIER_QUOTAS[tier])
+            return void res.json({ error: 'tier 无效' });
+        const targetId = req.params.userId;
+        const wl = db.prepare("SELECT is_system FROM verifier_whitelist WHERE user_id = ?").get(targetId);
+        if (!wl)
+            return void res.json({ error: '该用户不在白名单' });
+        if (wl.is_system)
+            return void res.json({ error: '系统兜底账户不可手动 promote' });
+        db.prepare("UPDATE verifier_whitelist SET tier = ?, daily_quota = ? WHERE user_id = ?")
+            .run(tier, TIER_QUOTAS[tier], targetId);
+        logAdminAction(admin.id, 'promote_verifier', 'user', targetId, { tier });
+        res.json({ success: true });
+    });
+    app.post('/api/admin/verifier-whitelist/:userId/suspend', (req, res) => {
+        const admin = requireVerifierMgmtAdmin(req, res);
+        if (!admin)
+            return;
+        if (!adminCanOperateOn(admin, req.params.userId, res))
+            return;
+        const { days, reason } = req.body;
+        const targetId = req.params.userId;
+        const n = Number(days) > 0 ? Number(days) : 7;
+        const until = new Date(Date.now() + n * 86400_000).toISOString();
+        db.prepare("INSERT OR IGNORE INTO verifier_stats (user_id) VALUES (?)").run(targetId);
+        db.prepare("UPDATE verifier_stats SET suspended_until = ? WHERE user_id = ?").run(until, targetId);
+        logAdminAction(admin.id, 'suspend_verifier', 'user', targetId, { days: n, reason: reason || null, until });
+        res.json({ success: true, suspended_until: until });
+    });
+    app.post('/api/admin/verifier-whitelist/:userId/revoke', (req, res) => {
+        const admin = requireVerifierMgmtAdmin(req, res);
+        if (!admin)
+            return;
+        if (!adminCanOperateOn(admin, req.params.userId, res))
+            return;
+        const { reason } = req.body;
+        const targetId = req.params.userId;
+        const wl = db.prepare("SELECT is_system, stake_amount FROM verifier_whitelist WHERE user_id = ?").get(targetId);
+        if (!wl)
+            return void res.json({ error: '该用户不在白名单' });
+        if (wl.is_system)
+            return void res.json({ error: '系统兜底账户不可撤销' });
+        const cooldownUntil = new Date(Date.now() + REVOKE_COOLDOWN_DAYS * 86400_000).toISOString();
+        // 没收 50% 质押
+        const forfeit = (wl.stake_amount || 0) * 0.5;
+        db.prepare("UPDATE wallets SET staked = staked - ? WHERE user_id = ?").run(wl.stake_amount || 0, targetId);
+        if ((wl.stake_amount || 0) > forfeit) {
+            db.prepare("UPDATE wallets SET balance = balance + ? WHERE user_id = ?").run((wl.stake_amount || 0) - forfeit, targetId);
+        }
+        db.prepare("DELETE FROM verifier_whitelist WHERE user_id = ?").run(targetId);
+        // 用 cooldown 记录在 verifier_stats 上（应用层兼容）
+        db.prepare(`INSERT INTO verifier_whitelist (user_id, note, tier, daily_quota, cooldown_until, is_system) VALUES (?,?,?,?,?,0)`)
+            .run(targetId, `撤销冷却中: ${reason || ''}`, 'trial-1', 0, cooldownUntil);
+        logAdminAction(admin.id, 'revoke_verifier', 'user', targetId, { reason: reason || null, forfeit, cooldown_until: cooldownUntil });
+        res.json({ success: true, cooldown_until: cooldownUntil, forfeit });
+    });
+}