@seasonkoh/webaz 0.1.7 → 0.1.9

package/dist/pwa/routes/leaderboard.js

@@ -0,0 +1,149 @@
+export function registerLeaderboardRoutes(app, deps) {
+    const { db, internalAuditorId, rateLimitOk } = deps;
+    const LB_RATE = 60; // 每 IP/分钟 60 次 — 公开端点防 DoS
+    app.get('/api/leaderboard', (req, res) => {
+        const ip = req.ip || 'unknown';
+        if (!rateLimitOk(`lb:${ip}`, LB_RATE, 60_000))
+            return void res.status(429).json({ error: 'rate-limited' });
+        const kind = String(req.query.kind || 'products');
+        const limit = Math.min(50, Math.max(5, Number(req.query.limit) || 20));
+        if (kind === 'products') {
+            // recommend_count 严格语义：完成购买 + 4 星+评价 + 去重 buyer_id（一买家计 1）
+            // 排序权重也用 recommend_count 替代旧 unique_sharer_count（任何人分享）
+            const rows = db.prepare(`
+        SELECT p.id, p.title, p.price, p.total_likes, p.completion_count,
+          u.handle as seller_handle, u.name as seller_name,
+          (SELECT COUNT(DISTINCT buyer_id) FROM order_ratings r
+           WHERE r.product_id = p.id AND r.stars >= 4) as recommend_count,
+          (COALESCE(p.completion_count, 0) * 0.5
+           + (SELECT COUNT(DISTINCT buyer_id) FROM order_ratings r
+              WHERE r.product_id = p.id AND r.stars >= 4) * 2.0
+           + COALESCE(p.total_likes, 0) * 1.0) as rank_score
+        FROM products p
+        LEFT JOIN users u ON u.id = p.seller_id
+        WHERE p.status = 'active' AND p.stock > 0
+        ORDER BY rank_score DESC, p.id DESC
+        LIMIT ?
+      `).all(limit);
+            return void res.json({ kind, items: rows });
+        }
+        if (kind === 'creators') {
+            // 创作者维度：聚合自己 shareables 的总点赞 + 关联商品总数
+            const rows = db.prepare(`
+        SELECT u.id, u.handle, u.name, u.region,
+          COUNT(DISTINCT s.related_product_id) as products_shared,
+          COUNT(s.id) as shareable_count,
+          COALESCE(SUM(s.like_count), 0) as total_likes,
+          COALESCE(SUM(s.click_count), 0) as total_clicks
+        FROM users u
+        JOIN shareables s ON s.owner_id = u.id AND s.status = 'active'
+        GROUP BY u.id
+        ORDER BY total_likes DESC, shareable_count DESC, u.id DESC
+        LIMIT ?
+      `).all(limit);
+            return void res.json({ kind, items: rows });
+        }
+        // B-2: 用户排行 — top buyers / sellers / verifiers
+        // 2026-05-23 隐私第一原理：移除 gmv 字段（运营状态私密，防过早 fork）
+        if (kind === 'buyers') {
+            const rows = db.prepare(`
+        SELECT u.id, u.handle, u.name, u.region,
+          COUNT(*) as orders_count
+        FROM orders o JOIN users u ON u.id = o.buyer_id
+        WHERE o.status = 'completed' AND u.id NOT IN ('sys_protocol', ?)
+        GROUP BY u.id ORDER BY orders_count DESC, u.id DESC LIMIT ?
+      `).all(internalAuditorId, limit);
+            return void res.json({ kind, items: rows });
+        }
+        if (kind === 'sellers') {
+            // 排序改为 评分主导（avg_rating × log(1+rating_count)），不再按 GMV
+            const rows = db.prepare(`
+        SELECT u.id, u.handle, u.name, u.region,
+          COUNT(*) as orders_count,
+          (SELECT COALESCE(AVG(stars), 0) FROM order_ratings WHERE seller_id = u.id) as avg_rating,
+          (SELECT COUNT(*) FROM order_ratings WHERE seller_id = u.id) as rating_count
+        FROM orders o JOIN users u ON u.id = o.seller_id
+        WHERE o.status = 'completed' AND u.role = 'seller'
+        GROUP BY u.id
+        ORDER BY (avg_rating * (1.0 + log(1.0 + rating_count))) DESC, rating_count DESC, orders_count DESC
+        LIMIT ?
+      `).all(limit);
+            return void res.json({ kind, items: rows });
+        }
+        if (kind === 'value_products') {
+            // 2026-05-23 S5：极致性价比榜 — 按 value_badge=1 + 同类目 rank 排
+            // 排序：rank 越小越靠前（同类目第 1 名最便宜），相同 rank 按 pct 折扣大优先
+            const rows = db.prepare(`
+        SELECT p.id, p.title, p.price, p.category,
+          p.value_badge_rank, p.value_badge_pct, p.value_badge_at,
+          p.completion_count, p.total_likes,
+          u.handle as seller_handle, u.name as seller_name
+        FROM products p
+        LEFT JOIN users u ON u.id = p.seller_id
+        WHERE p.value_badge = 1 AND p.status = 'active' AND p.stock > 0
+        ORDER BY p.value_badge_rank ASC, p.value_badge_pct DESC LIMIT ?
+      `).all(limit);
+            return void res.json({ kind, items: rows });
+        }
+        if (kind === 'agents') {
+            // 2026-05-22 AG1：Agent 评测竞赛榜单
+            // 数据源：agent_reputation（trust_score + level）+ agent_call_log（30d 调用数）
+            // 不暴露 api_key（隐私），只展示 user handle + 聚合指标
+            const rows = db.prepare(`
+        SELECT u.id, u.handle, u.name,
+          MAX(ar.trust_score) as trust_score,
+          MAX(ar.level) as level,
+          COUNT(DISTINCT ar.api_key) as keys_count,
+          (SELECT COUNT(*) FROM agent_call_log acl
+            WHERE acl.user_id = u.id
+            AND acl.created_at > datetime('now', '-30 days')) as calls_30d
+        FROM agent_reputation ar
+        JOIN users u ON u.id = ar.user_id
+        WHERE u.id != 'sys_protocol'
+        GROUP BY u.id
+        HAVING calls_30d > 0 OR trust_score > 0
+        ORDER BY trust_score DESC, calls_30d DESC LIMIT ?
+      `).all(limit);
+            return void res.json({ kind, items: rows });
+        }
+        if (kind === 'arbitrators') {
+            // 2026-05-22 A3：仲裁员声誉排行
+            // 从 dispute_cases 聚合 — 每个 arbitrator_id 的 case 数 + 公平评价
+            // fairness_score = fairness_yes / (fairness_yes + fairness_no)（仅在有评价时）
+            const rows = db.prepare(`
+        SELECT u.id, u.handle, u.name,
+          COUNT(dc.id) as cases_count,
+          COALESCE(SUM(dc.fairness_yes), 0) as total_yes,
+          COALESCE(SUM(dc.fairness_no), 0) as total_no,
+          CASE
+            WHEN COALESCE(SUM(dc.fairness_yes + dc.fairness_no), 0) > 0
+            THEN ROUND(CAST(SUM(dc.fairness_yes) AS REAL) / SUM(dc.fairness_yes + dc.fairness_no), 3)
+            ELSE NULL
+          END as fairness_score
+        FROM dispute_cases dc
+        JOIN users u ON u.id = dc.arbitrator_id
+        WHERE dc.arbitrator_id IS NOT NULL
+        GROUP BY u.id
+        ORDER BY cases_count DESC, fairness_score DESC LIMIT ?
+      `).all(limit);
+            return void res.json({ kind, items: rows });
+        }
+        if (kind === 'verifiers') {
+            // 2026-05-22 V1：移除 tasks_done >= 5 门槛 — 小协议早期阶段会卡死榜单
+            // 新人有 tasks_done < 5 时前端打 "新人" badge 区分（仍能看到自己排名）
+            const rows = db.prepare(`
+        SELECT u.id, u.handle, u.name,
+          vs.tasks_done, vs.tasks_correct, vs.tasks_wrong,
+          CASE WHEN vs.tasks_done > 0 THEN ROUND(CAST(vs.tasks_correct AS REAL) / vs.tasks_done, 3) ELSE NULL END as accuracy,
+          vw.tier
+        FROM verifier_stats vs
+        JOIN users u ON u.id = vs.user_id
+        LEFT JOIN verifier_whitelist vw ON vw.user_id = vs.user_id
+        WHERE vs.tasks_done >= 1
+        ORDER BY vs.tasks_correct DESC, accuracy DESC, vs.tasks_done DESC LIMIT ?
+      `).all(limit);
+            return void res.json({ kind, items: rows });
+        }
+        return void res.json({ error: 'kind 必须是 products / creators / buyers / sellers / verifiers / arbitrators / agents / value_products' });
+    });
+}

package/dist/pwa/routes/listings.js

@@ -0,0 +1,281 @@
+const URGENCY_WEIGHTS = {
+    now: { price: 0.10, eta: 0.50, trust: 0.20, region: 0.10, fresh: 0.10, eta_hard_max: 4 },
+    today: { price: 0.25, eta: 0.35, trust: 0.15, region: 0.15, fresh: 0.10, eta_hard_max: 24 },
+    flex: { price: 0.45, eta: 0.10, trust: 0.20, region: 0.10, fresh: 0.15, eta_hard_max: null },
+};
+function isUrgencyKey(s) {
+    return s === 'now' || s === 'today' || s === 'flex';
+}
+const VALID_OFFER_SORTS = new Set(['smart', 'cheapest', 'fastest', 'trusted', 'nearest', 'clearance']);
+function computeOfferScore(o, urgency, ctx) {
+    const w = URGENCY_WEIGHTS[urgency];
+    const price = Number(o.price);
+    const eta = o.eta_hours != null ? Number(o.eta_hours) : null;
+    if (w.eta_hard_max != null && eta != null && eta > w.eta_hard_max)
+        return -1;
+    const pSpread = ctx.maxPrice - ctx.minPrice;
+    const priceNorm = pSpread > 0 ? (ctx.maxPrice - price) / pSpread : 1;
+    const etaScore = eta != null ? Math.max(0, 1 - eta / 72) : Math.max(0, 1 - 48 / 72);
+    const trustNorm = Math.min(1, Number(o.seller_sales || 0) / 100);
+    const regionMatch = ctx.buyerRegion && o.seller_region === ctx.buyerRegion ? 1 : 0.3;
+    const freshTs = o.freshness_ts ? String(o.freshness_ts) : o.updated_at;
+    const ageH = freshTs ? (Date.parse(ctx.nowIso) - Date.parse(freshTs)) / 3600_000 : 0;
+    const freshScore = ageH < 24 ? 1 : ageH < 168 ? 0.85 : 0.5;
+    let score = w.price * priceNorm + w.eta * etaScore + w.trust * trustNorm + w.region * regionMatch + w.fresh * freshScore;
+    if (Number(o.cold_start_remaining || 0) > 0)
+        score *= 0.7;
+    return Math.round(score * 10000) / 10000;
+}
+export function registerListingsRoutes(app, deps) {
+    const { db, generateId, auth, LISTING_CATEGORIES, BASE_LISTING_STAKE, VALID_FULFILLMENT_TYPES, isListingCategoryKey } = deps;
+    function sellerCompletedSales(uid) {
+        const r = db.prepare(`SELECT COUNT(1) as n FROM orders WHERE seller_id = ? AND status = 'completed'`).get(uid);
+        return Number(r?.n ?? 0);
+    }
+    // 列表搜索（公开）
+    app.get('/api/listings', (req, res) => {
+        const q = String(req.query.q || '').trim();
+        const category = String(req.query.category || '').trim();
+        const limit = Math.min(100, Math.max(1, Number(req.query.limit) || 30));
+        const sort = String(req.query.sort || 'newest');
+        const where = ["l.status = 'active'"];
+        const args = [];
+        if (q) {
+            const qE = String(q).replace(/[\\%_]/g, '\\$&');
+            where.push("(l.title LIKE ? ESCAPE '\\' OR l.spec LIKE ? ESCAPE '\\' OR l.category_path LIKE ? ESCAPE '\\')");
+            args.push(`%${qE}%`, `%${qE}%`, `%${qE}%`);
+        }
+        if (category && isListingCategoryKey(category)) {
+            where.push("l.category = ?");
+            args.push(category);
+        }
+        const orderBy = sort === 'popular' ? 'l.total_sales DESC, l.created_at DESC' : 'l.created_at DESC';
+        const rows = db.prepare(`
+      SELECT l.*,
+        (SELECT MIN(p.price) FROM products p WHERE p.listing_id = l.id AND p.status = 'active') as min_price,
+        (SELECT COUNT(1)     FROM products p WHERE p.listing_id = l.id AND p.status = 'active') as offer_count
+      FROM listings l
+      WHERE ${where.join(' AND ')}
+      ORDER BY ${orderBy}
+      LIMIT ?
+    `).all(...args, limit);
+        res.json({ items: rows, categories: LISTING_CATEGORIES });
+    });
+    // 我的跟卖
+    app.get('/api/listings/mine', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (user.role !== 'seller')
+            return void res.status(403).json({ error: '仅卖家可用', error_code: 'SELLER_ONLY' });
+        const rows = db.prepare(`
+      SELECT l.id, l.title, l.category, l.category_path, l.external_id, l.created_at,
+        (SELECT COUNT(*) FROM products WHERE listing_id = l.id AND seller_id = ? AND status = 'active') as my_offer_count,
+        (SELECT MIN(price) FROM products WHERE listing_id = l.id AND seller_id = ? AND status = 'active') as my_min_price,
+        (SELECT COUNT(*) FROM products WHERE listing_id = l.id AND status = 'active') as total_offer_count,
+        (SELECT MIN(price) FROM products WHERE listing_id = l.id AND status = 'active') as global_min_price,
+        (l.created_by = ?) as is_creator
+      FROM listings l
+      WHERE l.status = 'active' AND EXISTS (
+        SELECT 1 FROM products WHERE listing_id = l.id AND seller_id = ? AND status = 'active'
+      )
+      ORDER BY l.created_at DESC
+      LIMIT 100
+    `).all(user.id, user.id, user.id, user.id);
+        res.json({ items: rows });
+    });
+    // 详情 + offers 加权排序
+    app.get('/api/listings/:id', (req, res) => {
+        const listing = db.prepare("SELECT * FROM listings WHERE id = ? AND status != 'blocked'").get(req.params.id);
+        if (!listing)
+            return void res.status(404).json({ error: 'listing 不存在' });
+        const urgency = isUrgencyKey(String(req.query.urgency || '')) ? String(req.query.urgency) : 'flex';
+        const sortParam = String(req.query.sort || 'smart');
+        const sortMode = VALID_OFFER_SORTS.has(sortParam) ? sortParam : 'smart';
+        const offers = db.prepare(`
+      SELECT p.id, p.seller_id, p.title, p.price, p.stock, p.status,
+        p.fulfillment_type, p.eta_hours, p.freshness_ts, p.is_clearance, p.clearance_until,
+        p.cold_start_remaining, p.listing_stake_locked, p.ship_regions, p.commission_rate,
+        p.created_at, p.updated_at,
+        u.handle as seller_handle,
+        u.region as seller_region,
+        (SELECT COUNT(1) FROM orders WHERE seller_id = p.seller_id AND status = 'completed') as seller_sales
+      FROM products p
+      LEFT JOIN users u ON u.id = p.seller_id
+      WHERE p.listing_id = ? AND p.status = 'active'
+    `).all(req.params.id);
+        const buyerRegion = req.query.buyer_region ? String(req.query.buyer_region) : null;
+        const nowIso = new Date().toISOString();
+        if (offers.length) {
+            const prices = offers.map(o => Number(o.price));
+            const minPrice = Math.min(...prices);
+            const maxPrice = Math.max(...prices);
+            const etas = offers.filter(o => o.eta_hours != null).map(o => Number(o.eta_hours));
+            const minEta = etas.length ? Math.min(...etas) : null;
+            offers.forEach(o => {
+                const tags = [];
+                if (Number(o.price) === minPrice)
+                    tags.push('cheapest');
+                if (minEta != null && o.eta_hours != null && Number(o.eta_hours) === minEta)
+                    tags.push('fastest');
+                if (buyerRegion && o.seller_region === buyerRegion)
+                    tags.push('nearest');
+                if (Number(o.seller_sales) >= 50)
+                    tags.push('trusted');
+                if (o.is_clearance && (!o.clearance_until || String(o.clearance_until) > nowIso))
+                    tags.push('clearance');
+                const freshTs = o.freshness_ts ? String(o.freshness_ts) : o.updated_at;
+                const ageH = freshTs ? (Date.parse(nowIso) - Date.parse(freshTs)) / 3600_000 : 0;
+                if (ageH >= 168)
+                    tags.push('stale');
+                o.tags = tags;
+                o.score = computeOfferScore(o, urgency, { minPrice, maxPrice, buyerRegion, nowIso });
+            });
+            if (sortMode === 'smart') {
+                offers.sort((a, b) => Number(b.score) - Number(a.score));
+            }
+            else if (sortMode === 'cheapest') {
+                offers.sort((a, b) => Number(a.price) - Number(b.price));
+            }
+            else if (sortMode === 'fastest') {
+                offers.sort((a, b) => (Number(a.eta_hours ?? Infinity) - Number(b.eta_hours ?? Infinity)));
+            }
+            else if (sortMode === 'trusted') {
+                offers.sort((a, b) => Number(b.seller_sales || 0) - Number(a.seller_sales || 0));
+            }
+            else if (sortMode === 'nearest') {
+                offers.sort((a, b) => {
+                    const am = buyerRegion && a.seller_region === buyerRegion ? 0 : 1;
+                    const bm = buyerRegion && b.seller_region === buyerRegion ? 0 : 1;
+                    if (am !== bm)
+                        return am - bm;
+                    return Number(a.price) - Number(b.price);
+                });
+            }
+            else if (sortMode === 'clearance') {
+                offers.sort((a, b) => {
+                    const ac = a.is_clearance ? 0 : 1;
+                    const bc = b.is_clearance ? 0 : 1;
+                    if (ac !== bc)
+                        return ac - bc;
+                    return Number(a.price) - Number(b.price);
+                });
+            }
+        }
+        res.json({ listing, offers, urgency, sort: sortMode, categories: LISTING_CATEGORIES });
+    });
+    // 创建 listing（首创者）
+    app.post('/api/listings', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const body = req.body;
+        const title = String(body.title || '').trim();
+        if (title.length < 2)
+            return void res.json({ error: 'title 至少 2 字' });
+        const cat = String(body.category || 'general');
+        if (!isListingCategoryKey(cat))
+            return void res.json({ error: '类目无效' });
+        const catCfg = LISTING_CATEGORIES[cat];
+        if (catCfg.requires_kyc) {
+            const k = db.prepare("SELECT status FROM kyc_records WHERE user_id = ?").get(user.id);
+            if (!k || k.status !== 'approved') {
+                return void res.json({ error: `${catCfg.name} 类目需先完成实名认证（KYC）`, error_code: 'KYC_REQUIRED' });
+            }
+        }
+        if (catCfg.min_sales > 0) {
+            const sales = sellerCompletedSales(user.id);
+            if (sales < catCfg.min_sales) {
+                return void res.json({ error: `${catCfg.name} 类目需至少 ${catCfg.min_sales} 单成功历史（当前 ${sales}）` });
+            }
+        }
+        // 首创者 stake = 1.5 × 基础 × 类目倍数
+        const stakeRequired = Math.round(BASE_LISTING_STAKE * catCfg.stake_mult * 1.5 * 100) / 100;
+        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        if (!wallet || Number(wallet.balance) < stakeRequired) {
+            return void res.json({ error: `余额不足，创建 ${catCfg.name} listing 需 ${stakeRequired} WAZ` });
+        }
+        const externalId = body.external_id ? String(body.external_id).trim() : null;
+        if (externalId) {
+            const existing = db.prepare("SELECT id FROM listings WHERE external_id = ? AND status = 'active'").get(externalId);
+            if (existing)
+                return void res.json({ error: '该型号已存在 listing，请改为跟卖', listing_id: existing.id, suggestion: 'follow' });
+        }
+        const id = generateId('l');
+        const tx = db.transaction(() => {
+            db.prepare(`
+        INSERT INTO listings (id, external_id, category, category_path, title, spec, cover_image, description, created_by)
+        VALUES (?,?,?,?,?,?,?,?,?)
+      `).run(id, externalId, cat, body.category_path ? String(body.category_path) : null, title, body.spec ? JSON.stringify(body.spec) : null, body.cover_image ? String(body.cover_image) : null, body.description ? String(body.description) : null, user.id);
+            db.prepare(`UPDATE wallets SET balance = balance - ?, staked = staked + ? WHERE user_id = ?`).run(stakeRequired, stakeRequired, user.id);
+        });
+        try {
+            tx();
+        }
+        catch (e) {
+            return void res.status(500).json({ error: String(e.message) });
+        }
+        res.json({ id, stake_locked: stakeRequired, category: cat });
+    });
+    // 跟卖：为已有 listing 创建本卖家的 product（即一个 offer）
+    app.post('/api/listings/:id/offers', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (user.role !== 'seller')
+            return void res.json({ error: '仅卖家可跟卖' });
+        const listing = db.prepare("SELECT id, category, title, cover_image, description FROM listings WHERE id = ? AND status = 'active'").get(req.params.id);
+        if (!listing)
+            return void res.status(404).json({ error: 'listing 不存在或已下架' });
+        const cat = String(listing.category);
+        const catCfg = isListingCategoryKey(cat) ? LISTING_CATEGORIES[cat] : LISTING_CATEGORIES.general;
+        if (catCfg.min_sales > 0) {
+            const sales = sellerCompletedSales(user.id);
+            if (sales < catCfg.min_sales) {
+                return void res.json({ error: `${catCfg.name} 类目跟卖需至少 ${catCfg.min_sales} 单成功历史（当前 ${sales}）` });
+            }
+        }
+        const body = req.body;
+        const priceNum = Number(body.price);
+        if (!Number.isFinite(priceNum) || priceNum <= 0)
+            return void res.json({ error: 'price 必须 > 0' });
+        const stockNum = Math.max(0, Math.floor(Number(body.stock) || 0));
+        if (stockNum < 1)
+            return void res.json({ error: 'stock 至少 1' });
+        const fulfillmentType = String(body.fulfillment_type || 'standard');
+        if (!VALID_FULFILLMENT_TYPES.has(fulfillmentType))
+            return void res.json({ error: 'fulfillment_type 无效' });
+        const shipRegions = body.ship_regions ? String(body.ship_regions).trim() : '全国';
+        const stakeRequired = Math.round(BASE_LISTING_STAKE * catCfg.stake_mult * 100) / 100;
+        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        if (!wallet || Number(wallet.balance) < stakeRequired) {
+            return void res.json({ error: `余额不足，跟卖 ${catCfg.name} 需 ${stakeRequired} WAZ` });
+        }
+        // 一卖家 × 一 listing = 一 offer
+        const existing = db.prepare("SELECT id, status FROM products WHERE listing_id = ? AND seller_id = ? AND status != 'deleted'").get(req.params.id, user.id);
+        if (existing)
+            return void res.json({ error: '已存在该商品的 offer，请修改而非新建', offer_id: existing.id });
+        const id = generateId('p');
+        const coverImg = body.cover_image ? String(body.cover_image) : listing.cover_image;
+        const imagesJson = coverImg ? JSON.stringify([coverImg]) : '[]';
+        const tx = db.transaction(() => {
+            db.prepare(`
+        INSERT INTO products (
+          id, seller_id, title, description, price, stock, status, images,
+          ship_regions, handling_hours, commission_rate, category_id, stake_amount,
+          listing_id, fulfillment_type, eta_hours, freshness_ts,
+          is_clearance, clearance_until, cold_start_remaining, listing_stake_locked
+        ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,datetime('now'),?,?,?,?)
+      `).run(id, user.id, listing.title, (body.description ? String(body.description) : listing.description || ''), priceNum, stockNum, 'active', imagesJson, shipRegions, 24, 0.10, 'cat_default', 0, req.params.id, fulfillmentType, body.eta_hours != null ? Number(body.eta_hours) : null, body.is_clearance ? 1 : 0, body.clearance_until ? String(body.clearance_until) : null, catCfg.cold_start, stakeRequired);
+            db.prepare(`UPDATE wallets SET balance = balance - ?, staked = staked + ? WHERE user_id = ?`).run(stakeRequired, stakeRequired, user.id);
+            db.prepare(`UPDATE listings SET total_offers = total_offers + 1, updated_at = datetime('now') WHERE id = ?`).run(req.params.id);
+        });
+        try {
+            tx();
+        }
+        catch (e) {
+            return void res.status(500).json({ error: String(e.message) });
+        }
+        res.json({ id, stake_locked: stakeRequired });
+    });
+}

package/dist/pwa/routes/logistics.js

@@ -0,0 +1,35 @@
+export function registerLogisticsRoutes(app, deps) {
+    const { db, auth } = deps;
+    app.get('/api/logistics/companies', (_req, res) => {
+        const companies = db.prepare(`SELECT id, name FROM users WHERE role = 'logistics' ORDER BY name ASC`).all();
+        res.json(companies);
+    });
+    app.get('/api/logistics/orders', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (user.role !== 'logistics')
+            return void res.status(403).json({ error: '仅限物流角色' });
+        const available = db.prepare(`
+      SELECT o.*, p.title as product_title, p.category,
+        ub.name as buyer_name, us.name as seller_name
+      FROM orders o
+      JOIN products p ON o.product_id = p.id
+      JOIN users ub ON o.buyer_id = ub.id
+      JOIN users us ON o.seller_id = us.id
+      WHERE o.status = 'shipped' AND (o.logistics_id IS NULL OR o.logistics_id = '')
+      ORDER BY o.created_at ASC LIMIT 20
+    `).all();
+        const mine = db.prepare(`
+      SELECT o.*, p.title as product_title, p.category,
+        ub.name as buyer_name, us.name as seller_name
+      FROM orders o
+      JOIN products p ON o.product_id = p.id
+      JOIN users ub ON o.buyer_id = ub.id
+      JOIN users us ON o.seller_id = us.id
+      WHERE o.logistics_id = ? AND o.status IN ('shipped','picked_up','in_transit')
+      ORDER BY o.created_at ASC LIMIT 20
+    `).all(user.id);
+        res.json({ available, mine });
+    });
+}

package/dist/pwa/routes/manifests.js

@@ -0,0 +1,126 @@
+import crypto from 'crypto';
+const MANIFEST_DAILY_LIMIT = 20;
+const THUMB_MAX_BYTES = 12000; // ~12KB base64 ≈ 9KB 原始图
+function verifyManifestSig(hash, ownerId, contentType, byteSize, signedAt, apiKey, signature) {
+    const payload = `${hash}|${ownerId}|${contentType}|${byteSize}|${signedAt}`;
+    const expected = crypto.createHmac('sha256', apiKey).update(payload).digest('hex');
+    return expected === signature;
+}
+export function registerManifestsRoutes(app, deps) {
+    const { db, auth, safeRoles } = deps;
+    app.post('/api/manifests', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        const { hash, content_type, byte_size, title, description, thumbnail_data_uri, signature, signed_at, related_product_id, related_anchor } = req.body || {};
+        if (!hash || !/^[a-f0-9]{64}$/.test(hash))
+            return void res.json({ error: 'hash 必须为 64 字符十六进制' });
+        if (!content_type || !signature || !signed_at)
+            return void res.json({ error: '缺少必要字段' });
+        if (typeof byte_size !== 'number' || byte_size <= 0 || byte_size > 500 * 1024 * 1024)
+            return void res.json({ error: 'byte_size 不合法（最大 500MB）' });
+        if (!related_product_id && !related_anchor)
+            return void res.json({ error: '请关联商品或流量口令' });
+        if (thumbnail_data_uri && thumbnail_data_uri.length > THUMB_MAX_BYTES)
+            return void res.json({ error: '缩略图过大（≤ 9KB 原始）' });
+        // 验签
+        const apiKey = me.api_key;
+        if (!verifyManifestSig(hash, me.id, content_type, byte_size, signed_at, apiKey, signature)) {
+            return void res.json({ error: '签名验证失败' });
+        }
+        // 日上限
+        const todayCount = db.prepare(`SELECT COUNT(*) as n FROM manifest_registry WHERE owner_id = ? AND created_at > datetime('now', '-1 day')`).get(me.id).n;
+        if (todayCount >= MANIFEST_DAILY_LIMIT)
+            return void res.json({ error: `每日上限 ${MANIFEST_DAILY_LIMIT} 条` });
+        if (related_product_id) {
+            const p = db.prepare("SELECT id FROM products WHERE id = ?").get(related_product_id);
+            if (!p)
+                return void res.json({ error: '关联商品不存在' });
+        }
+        try {
+            db.prepare(`INSERT INTO manifest_registry (hash, owner_id, content_type, byte_size, title, description, thumbnail_data_uri, signature, signed_at, related_product_id, related_anchor)
+                  VALUES (?,?,?,?,?,?,?,?,?,?,?)`)
+                .run(hash, me.id, content_type, byte_size, title || null, description || null, thumbnail_data_uri || null, signature, signed_at, related_product_id || null, related_anchor || null);
+            // 创作者立即注册为 owner peer
+            db.prepare(`INSERT OR REPLACE INTO peer_directory (peer_id, manifest_hash, is_owner, pin_intent, last_heartbeat)
+                  VALUES (?,?,1,1,datetime('now'))`).run(me.id, hash);
+            res.json({ ok: true, hash });
+        }
+        catch (e) {
+            const msg = e?.message || '';
+            if (msg.includes('UNIQUE'))
+                return void res.json({ error: '该 hash 已注册', existing: true });
+            res.json({ error: '发布失败：' + msg });
+        }
+    });
+    app.get('/api/manifests/me', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        const rows = db.prepare(`
+      SELECT m.*, p.title as product_title FROM manifest_registry m
+      LEFT JOIN products p ON p.id = m.related_product_id
+      WHERE m.owner_id = ? AND m.status != 'removed'
+      ORDER BY m.created_at DESC LIMIT 100
+    `).all(me.id);
+        res.json({ manifests: rows });
+    });
+    app.get('/api/manifests/:hash', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        const m = db.prepare(`SELECT * FROM manifest_registry WHERE hash = ?`).get(req.params.hash);
+        if (!m)
+            return void res.status(404).json({ error: 'manifest 不存在' });
+        if (m.status === 'removed' || m.status === 'takedown_admin')
+            return void res.json({ error: '内容已下架', removed: true, reason: m.takedown_reason || null });
+        const peers = db.prepare(`
+      SELECT peer_id, is_owner, pin_intent, last_heartbeat FROM peer_directory
+      WHERE manifest_hash = ? AND last_heartbeat > datetime('now', '-5 minutes')
+      ORDER BY is_owner DESC, last_heartbeat DESC LIMIT 30
+    `).all(req.params.hash);
+        res.json({ manifest: m, peers });
+    });
+    app.get('/api/manifests/by-product/:pid', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const rows = db.prepare(`
+      SELECT m.*, u.name as owner_name FROM manifest_registry m
+      LEFT JOIN users u ON u.id = m.owner_id
+      WHERE m.related_product_id = ? AND m.status = 'active'
+      ORDER BY m.created_at DESC LIMIT 20
+    `).all(req.params.pid);
+        res.json({ manifests: rows });
+    });
+    app.get('/api/manifests/by-anchor/:anchor', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const rows = db.prepare(`
+      SELECT m.*, u.name as owner_name FROM manifest_registry m
+      LEFT JOIN users u ON u.id = m.owner_id
+      WHERE m.related_anchor = ? AND m.status = 'active'
+      ORDER BY m.created_at DESC LIMIT 50
+    `).all(req.params.anchor);
+        res.json({ manifests: rows });
+    });
+    app.patch('/api/manifests/:hash/takedown', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        const m = db.prepare("SELECT owner_id FROM manifest_registry WHERE hash = ?").get(req.params.hash);
+        if (!m)
+            return void res.status(404).json({ error: 'manifest 不存在' });
+        const isAdmin = me.role === 'admin' || safeRoles(me).includes('admin');
+        const isOwner = m.owner_id === me.id;
+        if (!isOwner && !isAdmin)
+            return void res.json({ error: '无权下架' });
+        const reason = (req.body?.reason || '').toString().slice(0, 200);
+        db.prepare(`UPDATE manifest_registry SET status = ?, takedown_reason = ?, takedown_at = datetime('now'), takedown_by = ? WHERE hash = ?`)
+            .run(isAdmin && !isOwner ? 'takedown_admin' : 'removed', reason, me.id, req.params.hash);
+        // 同步清空 peer directory（强制客户端 evict）
+        db.prepare("DELETE FROM peer_directory WHERE manifest_hash = ?").run(req.params.hash);
+        res.json({ ok: true });
+    });
+}