@seasonkoh/webaz 0.1.7 → 0.1.9

package/dist/pwa/routes/chat.js

@@ -0,0 +1,318 @@
+const VALID_CHAT_KINDS = new Set(['order', 'rfq', 'listing_qa']);
+// 反诈正则（命中即 flag，仍发出）
+const FRAUD_PATTERNS = [
+    { name: 'phone_cn', rx: /(?<!\d)1[3-9]\d{9}(?!\d)/ }, // 中国手机号 11 位
+    { name: 'wechat', rx: /(微信|vx|wechat|weixin|v[xX]\s*[:：])/i },
+    { name: 'alipay', rx: /(支付宝|alipay)/i },
+    { name: 'qq', rx: /\bqq\s*[:：]\s*\d{5,11}\b/i },
+    { name: 'bank_card', rx: /(?<!\d)\d{16,19}(?!\d)/ },
+    { name: 'telegram', rx: /(@[A-Za-z0-9_]{5,32}|t\.me\/[A-Za-z0-9_]+|telegram)/i },
+    // 锚定 host 段：(?:localhost|webaz\.app|webaz\.io) 后必须紧跟 / 或 : 或末端，防 webaz.io.evil.com 绕过
+    { name: 'external_url', rx: /https?:\/\/(?!(?:localhost|webaz\.app|webaz\.io)(?:[/:]|$))[^\s]+/i },
+];
+// exported because server.ts 其它端点（如 listing Q&A / 评论审核）也用同一套反诈 regex
+export function detectFraud(text) {
+    const hits = [];
+    for (const p of FRAUD_PATTERNS)
+        if (p.rx.test(text))
+            hits.push(p.name);
+    return hits;
+}
+export function registerChatRoutes(app, deps) {
+    const { db, auth, generateId, rateLimitOk } = deps;
+    // 上下文 + 对方校验：只允许有真实商业关系的两方建会话
+    function resolveChatParticipants(kind, contextId, requesterId, recipientId) {
+        if (kind === 'order') {
+            const o = db.prepare('SELECT buyer_id, seller_id FROM orders WHERE id = ?').get(contextId);
+            if (!o)
+                return { user_a: '', user_b: '', allowed: false, reason: '订单不存在' };
+            if (requesterId !== o.buyer_id && requesterId !== o.seller_id)
+                return { user_a: '', user_b: '', allowed: false, reason: '仅订单买卖双方可聊' };
+            return { user_a: o.buyer_id, user_b: o.seller_id, allowed: true };
+        }
+        if (kind === 'rfq') {
+            const r = db.prepare('SELECT buyer_id, status FROM rfqs WHERE id = ?').get(contextId);
+            if (!r)
+                return { user_a: '', user_b: '', allowed: false, reason: 'RFQ 不存在' };
+            if (requesterId === r.buyer_id) {
+                // buyer 主动找某个 bidder
+                if (!recipientId)
+                    return { user_a: '', user_b: '', allowed: false, reason: '需指定 recipient' };
+                const hasBid = db.prepare('SELECT 1 FROM bids WHERE rfq_id = ? AND seller_id = ?').get(contextId, recipientId);
+                if (!hasBid)
+                    return { user_a: '', user_b: '', allowed: false, reason: '对方未对此 RFQ 报价' };
+                return { user_a: r.buyer_id, user_b: recipientId, allowed: true };
+            }
+            // seller 找 buyer：必须自己已 bid
+            const myBid = db.prepare('SELECT 1 FROM bids WHERE rfq_id = ? AND seller_id = ?').get(contextId, requesterId);
+            if (!myBid)
+                return { user_a: '', user_b: '', allowed: false, reason: '需先报价才能联系买家' };
+            return { user_a: r.buyer_id, user_b: requesterId, allowed: true };
+        }
+        if (kind === 'listing_qa') {
+            const l = db.prepare('SELECT created_by FROM listings WHERE id = ?').get(contextId);
+            if (!l)
+                return { user_a: '', user_b: '', allowed: false, reason: 'listing 不存在' };
+            // 仅非创建者可主动发起（避免 listing 创建者主动 spam）
+            if (requesterId === l.created_by) {
+                // 创建者只能回复已存在的线程；不能新建
+                if (!recipientId)
+                    return { user_a: '', user_b: '', allowed: false, reason: '请等买家先发起咨询' };
+                const [a, b] = l.created_by < recipientId ? [l.created_by, recipientId] : [recipientId, l.created_by];
+                const exists = db.prepare("SELECT 1 FROM conversations WHERE kind = 'listing_qa' AND context_id = ? AND user_a = ? AND user_b = ?").get(contextId, a, b);
+                if (!exists)
+                    return { user_a: '', user_b: '', allowed: false, reason: '请等买家先发起咨询' };
+                return { user_a: l.created_by, user_b: recipientId, allowed: true };
+            }
+            return { user_a: l.created_by, user_b: requesterId, allowed: true };
+        }
+        return { user_a: '', user_b: '', allowed: false, reason: 'kind 无效' };
+    }
+    function findOrCreateConv(kind, contextId, userA, userB) {
+        // 规范化：user_a 字典序较小
+        const [a, b] = userA < userB ? [userA, userB] : [userB, userA];
+        const selectStmt = db.prepare('SELECT id FROM conversations WHERE kind = ? AND context_id = ? AND user_a = ? AND user_b = ?');
+        const existing = selectStmt.get(kind, contextId, a, b);
+        if (existing)
+            return existing.id;
+        // 并发场景下 UNIQUE 可能触发；用 INSERT OR IGNORE + 再次 SELECT 兜底
+        const id = generateId('cv');
+        db.prepare(`INSERT OR IGNORE INTO conversations (id, kind, context_id, user_a, user_b) VALUES (?,?,?,?,?)`)
+            .run(id, kind, contextId, a, b);
+        const final = selectStmt.get(kind, contextId, a, b);
+        return final.id;
+    }
+    // 开会话（idempotent — 已存在则返回 id）
+    app.post('/api/conversations/start', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { kind, context_id, recipient_id } = req.body;
+        if (!VALID_CHAT_KINDS.has(String(kind)))
+            return void res.json({ error: 'kind 无效' });
+        if (!context_id)
+            return void res.json({ error: 'context_id 必填' });
+        const r = resolveChatParticipants(String(kind), String(context_id), user.id, recipient_id ? String(recipient_id) : null);
+        if (!r.allowed)
+            return void res.json({ error: r.reason || '无权开启会话' });
+        const id = findOrCreateConv(String(kind), String(context_id), r.user_a, r.user_b);
+        res.json({ id, kind, context_id });
+    });
+    // 我的会话列表
+    app.get('/api/conversations', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const rows = db.prepare(`
+      SELECT c.*,
+        CASE WHEN c.user_a = ? THEN c.unread_a ELSE c.unread_b END as my_unread,
+        CASE WHEN c.user_a = ? THEN c.user_b ELSE c.user_a END as other_id,
+        (SELECT handle FROM users WHERE id = CASE WHEN c.user_a = ? THEN c.user_b ELSE c.user_a END) as other_handle,
+        (SELECT name   FROM users WHERE id = CASE WHEN c.user_a = ? THEN c.user_b ELSE c.user_a END) as other_name
+      FROM conversations c
+      WHERE (c.user_a = ? OR c.user_b = ?) AND c.status NOT IN ('blocked','archived')
+      ORDER BY COALESCE(c.last_message_at, c.created_at) DESC
+      LIMIT 100
+    `).all(user.id, user.id, user.id, user.id, user.id, user.id);
+        res.json({ items: rows });
+    });
+    // 会话详情 + 消息分页
+    app.get('/api/conversations/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const conv = db.prepare('SELECT * FROM conversations WHERE id = ?').get(req.params.id);
+        if (!conv)
+            return void res.status(404).json({ error: '会话不存在' });
+        if (conv.user_a !== user.id && conv.user_b !== user.id)
+            return void res.status(403).json({ error: '无权访问' });
+        const before = req.query.before ? String(req.query.before) : null;
+        const limit = Math.min(100, Math.max(1, Number(req.query.limit) || 50));
+        const args = [req.params.id];
+        let whereExtra = '';
+        if (before) {
+            whereExtra = ' AND created_at < ?';
+            args.push(before);
+        }
+        args.push(limit);
+        const messages = db.prepare(`
+      SELECT id, sender_id, body, attachments, flagged, flag_reasons, read_at, kind, meta, created_at
+      FROM messages
+      WHERE conversation_id = ?${whereExtra}
+      ORDER BY created_at DESC
+      LIMIT ?
+    `).all(...args);
+        messages.reverse(); // 返回时间正序，便于前端 append
+        // QA 轮 11 P1：read 端 flag_reasons 是 JSON string，send 端是 array → agent 双向 parse 易错
+        // 统一为 array (send 端格式)
+        for (const m of messages) {
+            if (typeof m.flag_reasons === 'string') {
+                try {
+                    m.flag_reasons = JSON.parse(m.flag_reasons);
+                }
+                catch {
+                    m.flag_reasons = [];
+                }
+            }
+            else if (m.flag_reasons == null) {
+                m.flag_reasons = [];
+            }
+            if (typeof m.attachments === 'string') {
+                try {
+                    m.attachments = JSON.parse(m.attachments);
+                }
+                catch {
+                    m.attachments = [];
+                }
+            }
+            else if (m.attachments == null) {
+                m.attachments = [];
+            }
+        }
+        const otherId = conv.user_a === user.id ? conv.user_b : conv.user_a;
+        const other = db.prepare('SELECT id, handle, name, region FROM users WHERE id = ?').get(otherId);
+        res.json({ conv, messages, other });
+    });
+    // 发消息
+    app.post('/api/conversations/:id/messages', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        // P1: 频率限制 — 同用户每分钟 ≤ 60 条（≈ 1/s 持续 + 短时突发）
+        if (!rateLimitOk(`chat_msg:${user.id}`, 60, 60_000))
+            return void res.status(429).json({ error: '发送过于频繁，请稍等' });
+        const conv = db.prepare('SELECT * FROM conversations WHERE id = ?').get(req.params.id);
+        if (!conv)
+            return void res.status(404).json({ error: '会话不存在' });
+        if (conv.status === 'blocked')
+            return void res.json({ error: '该会话已被屏蔽' });
+        if (conv.user_a !== user.id && conv.user_b !== user.id)
+            return void res.status(403).json({ error: '无权发送' });
+        const body = String(req.body.body || '').trim();
+        const attachmentsRaw = req.body.attachments;
+        const attachments = Array.isArray(attachmentsRaw)
+            ? attachmentsRaw.filter((a) => typeof a === 'string' && a.length < 200_000).slice(0, 4)
+            : [];
+        // W1: 结构化 kind + meta
+        const kind = String(req.body.kind || 'text');
+        if (!['text', 'offer', 'tracking'].includes(kind))
+            return void res.status(400).json({ error: '无效 kind' });
+        const metaIn = req.body.meta;
+        let metaJson = null;
+        let structuredPreview = null;
+        if (kind === 'offer') {
+            const amount = Number(metaIn?.amount);
+            const productId = metaIn?.product_id ? String(metaIn.product_id) : null;
+            const note = metaIn?.note ? String(metaIn.note).slice(0, 200) : '';
+            if (!(amount > 0) || amount > 1_000_000)
+                return void res.status(400).json({ error: '报价金额需在 0-1000000 之间' });
+            metaJson = JSON.stringify({ amount, product_id: productId, note });
+            structuredPreview = `💰 ${amount} WAZ${note ? ' · ' + note.slice(0, 30) : ''}`;
+        }
+        else if (kind === 'tracking') {
+            const carrier = metaIn?.carrier ? String(metaIn.carrier).slice(0, 40) : '';
+            const trackingNo = metaIn?.tracking_no ? String(metaIn.tracking_no).trim().slice(0, 60) : '';
+            if (!trackingNo)
+                return void res.status(400).json({ error: '单号必填' });
+            metaJson = JSON.stringify({ carrier, tracking_no: trackingNo });
+            structuredPreview = `🚚 ${carrier ? carrier + ' ' : ''}${trackingNo}`;
+        }
+        if (kind === 'text' && !body && attachments.length === 0)
+            return void res.json({ error: '内容不能为空' });
+        if (body.length > 2000)
+            return void res.json({ error: '消息最长 2000 字' });
+        const reasons = kind === 'text' ? detectFraud(body) : [];
+        const id = generateId('msg');
+        const isFromA = conv.user_a === user.id;
+        const preview = structuredPreview || (body ? body.slice(0, 60) : '[📷 ' + attachments.length + ']');
+        db.transaction(() => {
+            db.prepare(`INSERT INTO messages (id, conversation_id, sender_id, body, attachments, flagged, flag_reasons, kind, meta)
+                  VALUES (?,?,?,?,?,?,?,?,?)`)
+                .run(id, req.params.id, user.id, body, attachments.length ? JSON.stringify(attachments) : null, reasons.length ? 1 : 0, reasons.length ? JSON.stringify(reasons) : null, kind, metaJson);
+            db.prepare(`UPDATE conversations SET
+        last_message_at = datetime('now'),
+        last_preview = ?,
+        ${isFromA ? 'unread_b = unread_b + 1' : 'unread_a = unread_a + 1'}
+        WHERE id = ?`).run(preview, req.params.id);
+        })();
+        // 通知接收方
+        try {
+            const recipient = isFromA ? conv.user_b : conv.user_a;
+            db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
+                  VALUES (?,?,'chat_new',?,?,datetime('now'))`)
+                .run(generateId('ntf'), recipient, `💬 新消息`, preview);
+        }
+        catch (e) {
+            console.error('[chat notify]', e);
+        }
+        res.json({ id, flagged: reasons.length > 0, flag_reasons: reasons });
+    });
+    // 标记已读
+    app.post('/api/conversations/:id/read', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const conv = db.prepare('SELECT user_a, user_b FROM conversations WHERE id = ?').get(req.params.id);
+        if (!conv)
+            return void res.status(404).json({ error: '会话不存在' });
+        if (conv.user_a !== user.id && conv.user_b !== user.id)
+            return void res.status(403).json({ error: '无权访问' });
+        const col = conv.user_a === user.id ? 'unread_a' : 'unread_b';
+        db.transaction(() => {
+            db.prepare(`UPDATE conversations SET ${col} = 0 WHERE id = ?`).run(req.params.id);
+            db.prepare(`UPDATE messages SET read_at = datetime('now')
+                  WHERE conversation_id = ? AND sender_id != ? AND read_at IS NULL`).run(req.params.id, user.id);
+        })();
+        res.json({ success: true });
+    });
+    // 归档（仅自己侧）
+    app.post('/api/conversations/:id/archive', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const conv = db.prepare('SELECT user_a, user_b, status FROM conversations WHERE id = ?').get(req.params.id);
+        if (!conv)
+            return void res.status(404).json({ error: '会话不存在' });
+        if (conv.user_a !== user.id && conv.user_b !== user.id)
+            return void res.status(403).json({ error: '无权操作' });
+        db.prepare("UPDATE conversations SET status = 'archived' WHERE id = ?").run(req.params.id);
+        res.json({ success: true });
+    });
+    // 拉黑（双向屏蔽）
+    app.post('/api/conversations/:id/block', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const conv = db.prepare('SELECT user_a, user_b FROM conversations WHERE id = ?').get(req.params.id);
+        if (!conv)
+            return void res.status(404).json({ error: '会话不存在' });
+        if (conv.user_a !== user.id && conv.user_b !== user.id)
+            return void res.status(403).json({ error: '无权操作' });
+        db.prepare("UPDATE conversations SET status = 'blocked' WHERE id = ?").run(req.params.id);
+        res.json({ success: true });
+    });
+    // 举报（人工审核）
+    app.post('/api/conversations/:id/report', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const conv = db.prepare('SELECT user_a, user_b FROM conversations WHERE id = ?').get(req.params.id);
+        if (!conv)
+            return void res.status(404).json({ error: '会话不存在' });
+        if (conv.user_a !== user.id && conv.user_b !== user.id)
+            return void res.status(403).json({ error: '无权操作' });
+        const body = req.body;
+        const reason = String(body.reason || '').trim();
+        if (!reason)
+            return void res.json({ error: '原因必填' });
+        // P1: 同 (reporter, conversation) 24h 内最多 3 次
+        const recentRpt = db.prepare(`SELECT COUNT(1) as n FROM chat_reports WHERE conversation_id = ? AND reporter_id = ? AND created_at > datetime('now','-1 day')`).get(req.params.id, user.id).n;
+        if (recentRpt >= 3)
+            return void res.status(429).json({ error: '24 小时内对同一会话最多举报 3 次' });
+        const reportedId = conv.user_a === user.id ? conv.user_b : conv.user_a;
+        db.prepare(`INSERT INTO chat_reports (id, conversation_id, message_id, reporter_id, reported_id, reason, note)
+                VALUES (?,?,?,?,?,?,?)`)
+            .run(generateId('rpt'), req.params.id, body.message_id ? String(body.message_id) : null, user.id, reportedId, reason, body.note ? String(body.note).slice(0, 500) : null);
+        res.json({ success: true });
+    });
+}

package/dist/pwa/routes/checkin-tasks.js

@@ -0,0 +1,122 @@
+export function registerCheckinTasksRoutes(app, deps) {
+    const { db, auth, isTrustedRole, errorRes, generateId, getProtocolParam, resolveCheckinDate, TASK_DEFS, computeTaskProgress, disbursePlatformReward, broadcastSystemEvent } = deps;
+    app.get('/api/checkin/status', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (isTrustedRole(user))
+            return void errorRes(res, 403, 'TRUSTED_ROLE_NO_TRADE', '受信角色无此功能');
+        const today = resolveCheckinDate(req.query.local_date ? String(req.query.local_date) : undefined);
+        const todayCheckin = db.prepare('SELECT reward, streak FROM daily_checkins WHERE user_id = ? AND checkin_date = ?').get(user.id, today);
+        // streak: 连续签到 — 检查昨日
+        const yesterday = new Date(new Date(today + 'T00:00:00Z').getTime() - 86400000).toISOString().slice(0, 10);
+        const yesterdayCheckin = db.prepare('SELECT streak FROM daily_checkins WHERE user_id = ? AND checkin_date = ?').get(user.id, yesterday);
+        const currentStreak = todayCheckin?.streak || (yesterdayCheckin ? yesterdayCheckin.streak + 1 : 1);
+        // F-2: 里程碑参数 admin 可调
+        const bonus7 = getProtocolParam('streak_bonus_7', 5);
+        const bonus30 = getProtocolParam('streak_bonus_30', 20);
+        const bonus100 = getProtocolParam('streak_bonus_100', 50);
+        const milestoneBonus = (s) => s % 100 === 0 ? bonus100 : s % 30 === 0 ? bonus30 : s % 7 === 0 ? bonus7 : 0;
+        const baseReward = getProtocolParam('checkin_base_reward', 0.5);
+        const nextReward = baseReward + milestoneBonus(currentStreak);
+        // 任务列表
+        const progress = computeTaskProgress(String(user.id));
+        const claimed = new Map();
+        for (const row of db.prepare('SELECT task_key, claimed_at FROM task_completions WHERE user_id = ?').all(user.id)) {
+            if (row.claimed_at)
+                claimed.set(row.task_key, row.claimed_at);
+        }
+        const tasks = Object.entries(TASK_DEFS).map(([key, def]) => ({
+            key, label: def.label, reward: def.reward,
+            progress: progress[key].progress,
+            goal: progress[key].goal,
+            eligible: progress[key].eligible,
+            claimed_at: claimed.get(key) || null,
+        }));
+        res.json({
+            today,
+            today_checked_in: !!todayCheckin,
+            today_reward: todayCheckin?.reward || nextReward,
+            current_streak: currentStreak,
+            next_reward: nextReward,
+            base_reward: baseReward,
+            tasks,
+        });
+    });
+    app.post('/api/checkin', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (isTrustedRole(user))
+            return void errorRes(res, 403, 'TRUSTED_ROLE_NO_TRADE', '受信角色无此功能');
+        const today = resolveCheckinDate(req.body?.local_date ? String(req.body.local_date) : undefined);
+        const existing = db.prepare('SELECT reward FROM daily_checkins WHERE user_id = ? AND checkin_date = ?').get(user.id, today);
+        if (existing)
+            return void res.status(400).json({ error: '今日已签到', error_code: 'ALREADY_CHECKED_IN' });
+        const yesterday = new Date(new Date(today + 'T00:00:00Z').getTime() - 86400000).toISOString().slice(0, 10);
+        const yesterdayCheckin = db.prepare('SELECT streak FROM daily_checkins WHERE user_id = ? AND checkin_date = ?').get(user.id, yesterday);
+        const streak = yesterdayCheckin ? yesterdayCheckin.streak + 1 : 1;
+        // F-2: admin 可调里程碑
+        const bonus7 = getProtocolParam('streak_bonus_7', 5);
+        const bonus30 = getProtocolParam('streak_bonus_30', 20);
+        const bonus100 = getProtocolParam('streak_bonus_100', 50);
+        const baseReward = getProtocolParam('checkin_base_reward', 0.5);
+        const milestoneBonus = streak % 100 === 0 ? bonus100 : streak % 30 === 0 ? bonus30 : streak % 7 === 0 ? bonus7 : 0;
+        const reward = baseReward + milestoneBonus;
+        db.transaction(() => {
+            db.prepare(`INSERT INTO daily_checkins (user_id, checkin_date, reward, streak) VALUES (?,?,?,?)`).run(user.id, today, reward, streak);
+            // P1-3: 走平台拨付（从 sys_protocol 扣 + 给 user 加 + 写日志）
+            disbursePlatformReward(String(user.id), reward, milestoneBonus > 0 ? `milestone_${streak}` : 'daily_checkin', String(streak));
+            // 2026-05-24 写通知：让消息中心通知 sub-tab 能看到
+            const title = milestoneBonus > 0 ? `🎉 连续签到 ${streak} 天里程碑！` : `✅ 签到成功`;
+            const body = `+${reward} WAZ${milestoneBonus > 0 ? ` (含里程碑奖 ${milestoneBonus})` : ''} · streak ${streak} 天`;
+            try {
+                db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, order_id) VALUES (?,?,?,?,?,?)`)
+                    .run(generateId('ntf'), user.id, 'reward', title, body, null);
+            }
+            catch (e) {
+                console.error('[checkin notif]', e);
+            }
+        })();
+        try {
+            broadcastSystemEvent('checkin', '📅', `签到 streak=${streak} · +${reward} WAZ`, String(user.id));
+        }
+        catch { }
+        res.json({ success: true, reward, streak, milestone_bonus: milestoneBonus });
+    });
+    app.post('/api/tasks/:key/claim', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (isTrustedRole(user))
+            return void errorRes(res, 403, 'TRUSTED_ROLE_NO_TRADE', '受信角色无此功能');
+        const taskKey = String(req.params.key);
+        const def = TASK_DEFS[taskKey];
+        if (!def)
+            return void res.status(400).json({ error: '任务不存在' });
+        const progress = computeTaskProgress(String(user.id));
+        if (!progress[taskKey].eligible)
+            return void res.status(400).json({ error: '任务未完成', progress: progress[taskKey] });
+        const existing = db.prepare('SELECT claimed_at FROM task_completions WHERE user_id = ? AND task_key = ?').get(user.id, taskKey);
+        if (existing?.claimed_at)
+            return void res.status(400).json({ error: '任务奖励已领取' });
+        db.transaction(() => {
+            db.prepare(`INSERT OR REPLACE INTO task_completions (user_id, task_key, completed_at, claimed_at, reward) VALUES (?,?,datetime('now'),datetime('now'),?)`).run(user.id, taskKey, def.reward);
+            // P1-3: 走平台拨付助手
+            disbursePlatformReward(String(user.id), def.reward, `task_${taskKey}`, null);
+            // 2026-05-24 写通知
+            try {
+                db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, order_id) VALUES (?,?,?,?,?,?)`)
+                    .run(generateId('ntf'), user.id, 'reward', `🎁 任务完成 — ${def.label || taskKey}`, `+${def.reward} WAZ`, null);
+            }
+            catch (e) {
+                console.error('[task notif]', e);
+            }
+        })();
+        try {
+            broadcastSystemEvent('task_claim', '🎁', `任务领取 ${taskKey} · +${def.reward} WAZ`, String(user.id));
+        }
+        catch { }
+        res.json({ success: true, reward: def.reward });
+    });
+}

package/dist/pwa/routes/checkout-helpers.js

@@ -0,0 +1,85 @@
+export function registerCheckoutHelpersRoutes(app, deps) {
+    const { db, auth, generateId, formatProductForAgent } = deps;
+    app.get('/api/checkout/tax-preview', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const productId = String(req.query.product_id || '');
+        const qtyN = Math.max(1, Math.floor(Number(req.query.quantity) || 1));
+        if (!productId)
+            return void res.status(400).json({ error: 'product_id required' });
+        const product = db.prepare(`SELECT p.id, p.price, p.title, u.region as seller_region
+                                FROM products p JOIN users u ON u.id = p.seller_id
+                                WHERE p.id = ?`).get(productId);
+        if (!product)
+            return void res.status(404).json({ error: '商品不存在' });
+        const buyerRegion = user.region || 'global';
+        const sellerRegion = product.seller_region || 'global';
+        const isCrossBorder = buyerRegion !== sellerRegion;
+        if (!isCrossBorder) {
+            return void res.json({
+                is_cross_border: false, buyer_region: buyerRegion, seller_region: sellerRegion,
+                estimated_duty_waz: 0, duty_pct: 0, threshold_waz: 0, below_threshold: true,
+                disclaimer: '同地区订单，无跨境关税',
+            });
+        }
+        const cfg = db.prepare(`SELECT est_import_duty_pct, est_import_threshold_waz
+                            FROM region_config WHERE region = ?`).get(buyerRegion);
+        const pct = Number(cfg?.est_import_duty_pct || 0);
+        const threshold = Number(cfg?.est_import_threshold_waz || 0);
+        const orderTotal = Number(product.price) * qtyN;
+        const belowThreshold = orderTotal < threshold;
+        const dutyWaz = belowThreshold ? 0 : Math.round(orderTotal * pct * 100) / 100;
+        res.json({
+            is_cross_border: true,
+            buyer_region: buyerRegion, seller_region: sellerRegion,
+            order_total_waz: orderTotal,
+            duty_pct: pct, threshold_waz: threshold,
+            below_threshold: belowThreshold,
+            estimated_duty_waz: dutyWaz,
+            total_with_duty: Math.round((orderTotal + dutyWaz) * 100) / 100,
+            disclaimer: pct > 0
+                ? `跨境订单可能产生约 ${(pct * 100).toFixed(1)}% 关税/进口税（具体由海关认定 · 协议不代收）`
+                : '跨境订单 — 协议无该地区税费数据，请咨询当地海关',
+        });
+    });
+    app.post('/api/verify-price', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { product_id, quantity = 1 } = req.body;
+        if (!product_id)
+            return void res.json({ error: '请提供 product_id' });
+        const product = db.prepare(`
+      SELECT p.*, u.name as seller_name,
+        COALESCE(rs.level, 'new') as rep_level
+      FROM products p
+      JOIN users u ON p.seller_id = u.id
+      LEFT JOIN reputation_scores rs ON rs.user_id = p.seller_id
+      WHERE p.id = ? AND p.status = 'active'
+    `).get(product_id);
+        if (!product)
+            return void res.json({ error: '商品不存在或已下架' });
+        const qty = Number(quantity);
+        if (product.stock < qty) {
+            return void res.json({ error: `库存不足：当前库存 ${product.stock}，请求数量 ${qty}` });
+        }
+        const now = new Date();
+        const expiresAt = new Date(now.getTime() + 10 * 60_000);
+        const token = generateId('pst');
+        db.prepare(`
+      INSERT INTO price_sessions (token, product_id, user_id, price, quantity, created_at, expires_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?)
+    `).run(token, product_id, user.id, product.price, qty, now.toISOString(), expiresAt.toISOString());
+        res.json({
+            session_token: token,
+            verified_price: product.price,
+            quantity: qty,
+            total: product.price * qty,
+            product: formatProductForAgent(product),
+            expires_at: expiresAt.toISOString(),
+            expires_in_seconds: 600,
+            note: '此价格在10分钟内有效。下单时传入 session_token 可保证此价格不变。',
+        });
+    });
+}

package/dist/pwa/routes/claim-initiators.js

@@ -0,0 +1,88 @@
+export function registerClaimInitiatorsRoutes(app, deps) {
+    const { db, auth, isTrustedRole, errorRes, generateId } = deps;
+    const wire = (cfg) => {
+        const { entityPath, entityTable, entityIdCol, entityPartyCol, taskTable, taskPartyCol, voteTable, targets, stake, deadlineHours, idPrefix, allowedStatuses, notFoundMsg, ownClaimMsg, statusErrMsg, dupErrMsg, taskAlias: a } = cfg;
+        app.post(`/api/${entityPath}/:id/claim`, (req, res) => {
+            const user = auth(req, res);
+            if (!user)
+                return;
+            if (isTrustedRole(user)) {
+                return void errorRes(res, 403, 'TRUSTED_ROLE_NO_CLAIM', '受信角色不可发起声明');
+            }
+            const entity = db.prepare(`SELECT id, ${entityPartyCol}, status FROM ${entityTable} WHERE id = ?`)
+                .get(req.params.id);
+            if (!entity)
+                return void res.status(404).json({ error: notFoundMsg });
+            const partyId = entity[entityPartyCol];
+            if (partyId === user.id)
+                return void errorRes(res, 403, 'CANNOT_CLAIM_OWN', ownClaimMsg);
+            if (!allowedStatuses.includes(entity.status))
+                return void res.status(400).json({ error: statusErrMsg });
+            const target = String(req.body?.claim_target || '').trim();
+            if (!targets.has(target))
+                return void res.status(400).json({ error: `claim_target 须为 ${[...targets].join(' / ')}` });
+            const text = String(req.body?.claim_text || '').trim();
+            if (text.length < 6 || text.length > 500)
+                return void res.status(400).json({ error: 'claim_text 长度需 6-500 字' });
+            const evidence = req.body?.evidence_uri ? String(req.body.evidence_uri).trim().slice(0, 500) : null;
+            const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+            if (!wallet || wallet.balance < stake)
+                return void res.status(400).json({ error: `余额不足：发起需锁 ${stake} WAZ` });
+            const dup = db.prepare(`SELECT id FROM ${taskTable} WHERE ${entityIdCol} = ? AND claimant_id = ? AND claim_target = ? AND status = 'open'`)
+                .get(req.params.id, user.id, target);
+            if (dup)
+                return void res.status(409).json({ error: dupErrMsg });
+            const id = generateId(idPrefix);
+            const deadline = new Date(Date.now() + deadlineHours * 3600_000).toISOString();
+            db.prepare(`INSERT INTO ${taskTable} (id, ${entityIdCol}, ${taskPartyCol}, claimant_id, claim_target, claim_text, evidence_uri, stake_claimant, deadline_at, status) VALUES (?,?,?,?,?,?,?,?,?,'open')`)
+                .run(id, req.params.id, partyId, user.id, target, text, evidence, stake, deadline);
+            db.prepare('UPDATE wallets SET balance = balance - ?, escrowed = escrowed + ? WHERE user_id = ?')
+                .run(stake, stake, user.id);
+            res.json({ success: true, claim_id: id, deadline_at: deadline, stake_locked: stake });
+        });
+        app.get(`/api/${entityPath}/:id/claims`, (req, res) => {
+            const sql = `
+        SELECT ${a}.id, ${a}.claim_target, ${a}.claim_text, ${a}.evidence_uri, ${a}.status, ${a}.ruling, ${a}.deadline_at, ${a}.resolved_at, ${a}.created_at,
+               u.name as claimant_name,
+               (SELECT COUNT(*) FROM ${voteTable} WHERE claim_id = ${a}.id) as votes_count
+        FROM ${taskTable} ${a} JOIN users u ON u.id = ${a}.claimant_id
+        WHERE ${a}.${entityIdCol} = ? ORDER BY ${a}.created_at DESC LIMIT 50
+      `;
+            const rows = db.prepare(sql).all(req.params.id);
+            res.json({ claims: rows, votes_needed: 3 });
+        });
+    };
+    wire({
+        entityPath: 'secondhand', entityTable: 'secondhand_items', entityIdCol: 'sh_item_id',
+        entityPartyCol: 'seller_id', taskTable: 'secondhand_claim_tasks', taskPartyCol: 'seller_id',
+        voteTable: 'secondhand_claim_votes', voteCountedFromVotesTable: 'secondhand_claim_votes',
+        targets: new Set(['condition', 'images', 'description', 'title', 'price', 'other']),
+        stake: 5, deadlineHours: 72, idPrefix: 'sct',
+        allowedStatuses: ['available'],
+        notFoundMsg: '二手物品不存在', ownClaimMsg: '不可对自己挂售的物品发起声明',
+        statusErrMsg: '仅在售物品可发起声明', dupErrMsg: '你已对此物品同一项发起过 open 声明',
+        taskAlias: 'sct',
+    });
+    wire({
+        entityPath: 'auctions', entityTable: 'auctions', entityIdCol: 'auction_id',
+        entityPartyCol: 'seller_id', taskTable: 'auction_claim_tasks', taskPartyCol: 'seller_id',
+        voteTable: 'auction_claim_votes', voteCountedFromVotesTable: 'auction_claim_votes',
+        targets: new Set(['unreasonable_reserve', 'shill_bidding', 'collusion', 'fake_listing', 'other']),
+        stake: 5, deadlineHours: 72, idPrefix: 'act',
+        allowedStatuses: ['open'],
+        notFoundMsg: '拍卖不存在', ownClaimMsg: '不可对自己发起的拍卖发起声明',
+        statusErrMsg: '仅进行中的拍卖可发起声明', dupErrMsg: '你已对此拍卖同一项发起过 open 声明',
+        taskAlias: 'act',
+    });
+    wire({
+        entityPath: 'wishes', entityTable: 'wishes', entityIdCol: 'wish_id',
+        entityPartyCol: 'user_id', taskTable: 'wish_claim_tasks', taskPartyCol: 'wisher_id',
+        voteTable: 'wish_claim_votes', voteCountedFromVotesTable: 'wish_claim_votes',
+        targets: new Set(['fake_identity', 'fake_story', 'already_fulfilled', 'duplicate', 'inappropriate', 'other']),
+        stake: 5, deadlineHours: 72, idPrefix: 'wct',
+        allowedStatuses: ['open', 'claimed'],
+        notFoundMsg: '许愿不存在', ownClaimMsg: '不可对自己发起的许愿发起声明',
+        statusErrMsg: '仅 open / claimed 状态的许愿可发起声明', dupErrMsg: '你已对此许愿同一项发起过 open 声明',
+        taskAlias: 'wct',
+    });
+}