@seasonkoh/webaz 0.1.7 → 0.1.9

package/dist/pwa/routes/me-data.js

@@ -0,0 +1,101 @@
+export function registerMeDataRoutes(app, deps) {
+    const { db, auth } = deps;
+    // COP 飞轮: 完成订单 7d 引导发笔记
+    app.get('/api/me/note-prompts', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const rows = db.prepare(`
+      SELECT o.id as order_id, o.product_id, o.updated_at as completed_at, o.total_amount,
+             p.title as product_title, p.images as product_images
+      FROM orders o
+      JOIN products p ON p.id = o.product_id
+      WHERE o.buyer_id = ?
+        AND o.status IN ('confirmed', 'completed')
+        AND datetime(o.updated_at) > datetime('now', '-7 days')
+        AND NOT EXISTS (
+          SELECT 1 FROM shareables s
+          WHERE s.owner_id = ? AND s.related_order_id = o.id AND s.type = 'note' AND s.status = 'active'
+        )
+      ORDER BY o.updated_at DESC
+      LIMIT 10
+    `).all(user.id, user.id);
+        const prompts = rows.map(r => {
+            let firstImage = null;
+            try {
+                const arr = JSON.parse(r.product_images || '[]');
+                if (Array.isArray(arr) && arr.length > 0)
+                    firstImage = String(arr[0]);
+            }
+            catch { }
+            return {
+                order_id: r.order_id,
+                product_id: r.product_id,
+                product_title: r.product_title,
+                product_image: firstImage,
+                completed_at: r.completed_at,
+                total_amount: r.total_amount,
+            };
+        });
+        res.json({ prompts });
+    });
+    // COP P0-1: 数据导出（用户主权）
+    app.get('/api/me/export', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const uid = user.id;
+        const data = {
+            exported_at: new Date().toISOString(),
+            user_id: uid,
+            notice: 'WebAZ COP 承诺：你的数据属于你。可随时导出，可随时迁出。',
+        };
+        try {
+            data.profile = db.prepare(`SELECT id, name, handle, role, region, bio, search_anchor, email, phone, permanent_code, created_at, reputation FROM users WHERE id = ?`).get(uid);
+            data.wallet = db.prepare(`SELECT balance, staked, escrowed, earned FROM wallets WHERE user_id = ?`).get(uid);
+            data.orders = db.prepare(`SELECT * FROM orders WHERE buyer_id = ? OR seller_id = ? ORDER BY created_at DESC LIMIT 1000`).all(uid, uid);
+            data.shareables = db.prepare(`SELECT * FROM shareables WHERE owner_id = ? AND status != 'removed'`).all(uid);
+            data.bookmarks = db.prepare(`SELECT b.*, s.title FROM shareable_bookmarks b LEFT JOIN shareables s ON s.id = b.shareable_id WHERE b.user_id = ?`).all(uid);
+            data.likes = db.prepare(`SELECT l.*, s.title FROM shareable_likes l LEFT JOIN shareables s ON s.id = l.shareable_id WHERE l.user_id = ?`).all(uid);
+            data.follows_following = db.prepare(`SELECT followee_id, created_at FROM follows WHERE follower_id = ?`).all(uid);
+            data.follows_followers = db.prepare(`SELECT follower_id, created_at FROM follows WHERE followee_id = ?`).all(uid);
+            data.addresses = db.prepare(`SELECT * FROM user_addresses WHERE user_id = ?`).all(uid);
+            data.kyc = db.prepare(`SELECT status, id_type, id_number_last4, submitted_at, reviewed_at FROM kyc_records WHERE user_id = ?`).get(uid);
+            // #1017: wallet_history 不存在 — 用 deposits + withdrawals + commissions 复合
+            try {
+                data.deposits = db.prepare(`SELECT * FROM deposit_txns WHERE user_id = ? ORDER BY created_at DESC LIMIT 200`).all(uid);
+            }
+            catch {
+                data.deposits = [];
+            }
+            try {
+                data.withdrawals = db.prepare(`SELECT * FROM withdrawal_requests WHERE user_id = ? ORDER BY created_at DESC LIMIT 200`).all(uid);
+            }
+            catch {
+                data.withdrawals = [];
+            }
+            data.commissions = db.prepare(`SELECT * FROM commission_records WHERE beneficiary_id = ? ORDER BY created_at DESC LIMIT 500`).all(uid) || [];
+            data.anchors = db.prepare(`SELECT anchor, target_kind, target_id, status, created_at FROM anchor_registry WHERE owner_id = ?`).all(uid);
+            data.notifications = db.prepare(`SELECT * FROM notifications WHERE user_id = ? ORDER BY created_at DESC LIMIT 500`).all(uid);
+            data.error_log = db.prepare(`SELECT id, source, message, created_at FROM error_log WHERE user_id = ? ORDER BY id DESC LIMIT 100`).all(uid) || [];
+        }
+        catch (e) {
+            console.warn('[export] partial:', e.message);
+        }
+        const format = String(req.query.format || 'json').toLowerCase();
+        if (format === 'csv') {
+            // CSV：只导 orders 主表
+            const orders = data.orders;
+            if (!orders || orders.length === 0)
+                return void res.status(204).end();
+            const cols = Object.keys(orders[0]);
+            const csv = [cols.join(',')].concat(orders.map(o => cols.map(c => JSON.stringify(o[c] ?? '')).join(','))).join('\n');
+            res.setHeader('Content-Type', 'text/csv; charset=utf-8');
+            res.setHeader('Content-Disposition', `attachment; filename="webaz-orders-${uid}-${Date.now()}.csv"`);
+            return void res.send(csv);
+        }
+        res.setHeader('Content-Type', 'application/json; charset=utf-8');
+        res.setHeader('Content-Disposition', `attachment; filename="webaz-export-${uid}-${Date.now()}.json"`);
+        res.json(data);
+    });
+}

package/dist/pwa/routes/notifications.js

@@ -0,0 +1,48 @@
+import { getNotifications, getUnreadCount, markRead } from '../../layer2-business/L2-6-notifications/notification-engine.js';
+export function registerNotificationsRoutes(app, deps) {
+    const { db, auth, sseClients } = deps;
+    // SSE 实时推送流（EventSource 不支持自定义 header，URL ?key= 也兼容）
+    app.get('/api/notifications/stream', (req, res) => {
+        const key = req.query.key ?? req.headers.authorization?.replace('Bearer ', '');
+        const user = key ? db.prepare('SELECT * FROM users WHERE api_key = ?').get(key) : null;
+        if (!user)
+            return void res.status(401).end();
+        res.setHeader('Content-Type', 'text/event-stream');
+        res.setHeader('Cache-Control', 'no-cache');
+        res.setHeader('Connection', 'keep-alive');
+        res.flushHeaders();
+        sseClients.set(user.id, res);
+        // 连接时推送未读数
+        const unread = getUnreadCount(db, user.id);
+        res.write(`data: ${JSON.stringify({ type: 'init', unread })}\n\n`);
+        // 心跳保活（每 30s）
+        const heartbeat = setInterval(() => {
+            try {
+                res.write(': ping\n\n');
+            }
+            catch {
+                clearInterval(heartbeat);
+            }
+        }, 30_000);
+        req.on('close', () => {
+            sseClients.delete(user.id);
+            clearInterval(heartbeat);
+        });
+    });
+    app.get('/api/notifications', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const onlyUnread = req.query.unread === '1';
+        const notifs = getNotifications(db, user.id, onlyUnread);
+        const unread = getUnreadCount(db, user.id);
+        res.json({ unread, notifications: notifs });
+    });
+    app.post('/api/notifications/read', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        markRead(db, user.id, req.body?.id);
+        res.json({ success: true });
+    });
+}

package/dist/pwa/routes/offers.js

@@ -0,0 +1,96 @@
+export function registerOffersRoutes(app, deps) {
+    const { db, auth, VALID_FULFILLMENT_TYPES } = deps;
+    app.patch('/api/offers/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const offer = db.prepare("SELECT * FROM products WHERE id = ? AND listing_id IS NOT NULL").get(req.params.id);
+        if (!offer)
+            return void res.status(404).json({ error: 'offer 不存在' });
+        if (offer.seller_id !== user.id)
+            return void res.status(403).json({ error: '仅卖家本人可修改' });
+        const body = req.body;
+        const updates = [];
+        const args = [];
+        if (body.price != null) {
+            const p = Number(body.price);
+            if (!Number.isFinite(p) || p <= 0)
+                return void res.json({ error: 'price 必须 > 0' });
+            updates.push('price = ?');
+            args.push(p);
+        }
+        if (body.stock != null) {
+            const s = Math.max(0, Math.floor(Number(body.stock) || 0));
+            updates.push('stock = ?');
+            args.push(s);
+        }
+        if (body.fulfillment_type != null) {
+            const ft = String(body.fulfillment_type);
+            if (!VALID_FULFILLMENT_TYPES.has(ft))
+                return void res.json({ error: 'fulfillment_type 无效' });
+            updates.push('fulfillment_type = ?');
+            args.push(ft);
+        }
+        if (body.eta_hours != null) {
+            updates.push('eta_hours = ?');
+            args.push(Number(body.eta_hours));
+        }
+        if (body.is_clearance != null) {
+            updates.push('is_clearance = ?');
+            args.push(body.is_clearance ? 1 : 0);
+        }
+        if (body.clearance_until !== undefined) {
+            updates.push('clearance_until = ?');
+            args.push(body.clearance_until ? String(body.clearance_until) : null);
+        }
+        if (!updates.length)
+            return void res.json({ error: '无任何修改' });
+        updates.push("updated_at = datetime('now')");
+        updates.push("freshness_ts = datetime('now')");
+        args.push(req.params.id);
+        db.prepare(`UPDATE products SET ${updates.join(', ')} WHERE id = ?`).run(...args);
+        res.json({ success: true });
+    });
+    // 撤回 offer（status=warehouse + 释放 stake；不真删 product）
+    app.delete('/api/offers/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const offer = db.prepare("SELECT * FROM products WHERE id = ? AND listing_id IS NOT NULL").get(req.params.id);
+        if (!offer)
+            return void res.status(404).json({ error: 'offer 不存在' });
+        if (offer.seller_id !== user.id)
+            return void res.status(403).json({ error: '仅卖家本人可撤回' });
+        const pending = db.prepare(`SELECT COUNT(1) as n FROM orders WHERE product_id = ? AND status NOT IN ('completed','cancelled','refunded','expired')`).get(req.params.id);
+        if (pending.n > 0)
+            return void res.json({ error: `该 offer 有 ${pending.n} 个进行中订单，暂无法撤回` });
+        const stake = Number(offer.listing_stake_locked) || 0;
+        const tx = db.transaction(() => {
+            db.prepare(`UPDATE products SET status = 'warehouse', listing_stake_locked = 0, updated_at = datetime('now') WHERE id = ?`).run(req.params.id);
+            if (stake > 0) {
+                db.prepare(`UPDATE wallets SET balance = balance + ?, staked = staked - ? WHERE user_id = ?`).run(stake, stake, user.id);
+            }
+            db.prepare(`UPDATE listings SET total_offers = MAX(0, total_offers - 1) WHERE id = ?`).run(String(offer.listing_id));
+        });
+        try {
+            tx();
+        }
+        catch (e) {
+            return void res.status(500).json({ error: String(e.message) });
+        }
+        res.json({ success: true, stake_released: stake });
+    });
+    // 刷新 freshness（卖家点 "现货确认"）
+    app.post('/api/offers/:id/refresh', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const offer = db.prepare("SELECT seller_id FROM products WHERE id = ? AND listing_id IS NOT NULL").get(req.params.id);
+        if (!offer)
+            return void res.status(404).json({ error: 'offer 不存在' });
+        if (offer.seller_id !== user.id)
+            return void res.status(403).json({ error: '仅卖家本人可刷新' });
+        db.prepare(`UPDATE products SET freshness_ts = datetime('now') WHERE id = ?`).run(req.params.id);
+        res.json({ success: true });
+    });
+}

package/dist/pwa/routes/orders-action.js

@@ -0,0 +1,285 @@
+export function registerOrdersActionRoutes(app, deps) {
+    const { db, auth, isTrustedRole, generateId, transition, notifyTransition, settleOrder, detectFraud, createDispute, checkTimeouts, recordViolationReputation, broadcastSystemEvent } = deps;
+    // C-4: 卖家批量发货
+    app.post('/api/orders/batch-ship', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { order_ids, logistics_company_id, tracking_numbers } = req.body || {};
+        if (!Array.isArray(order_ids) || order_ids.length === 0)
+            return void res.status(400).json({ error: 'order_ids 必填' });
+        if (order_ids.length > 100)
+            return void res.status(400).json({ error: '单次最多 100 单' });
+        if (!logistics_company_id)
+            return void res.status(400).json({ error: 'logistics_company_id 必填' });
+        const lc = db.prepare("SELECT id FROM users WHERE id = ? AND role = 'logistics'").get(logistics_company_id);
+        if (!lc)
+            return void res.status(400).json({ error: '物流公司不存在' });
+        const results = [];
+        const trackingMap = (tracking_numbers && typeof tracking_numbers === 'object') ? tracking_numbers : {};
+        for (const oid of order_ids) {
+            try {
+                const o = db.prepare("SELECT id, seller_id, status, logistics_id FROM orders WHERE id = ?").get(oid);
+                if (!o) {
+                    results.push({ order_id: oid, status: 'skipped', reason: '订单不存在' });
+                    continue;
+                }
+                if (o.seller_id !== user.id) {
+                    results.push({ order_id: oid, status: 'skipped', reason: '非自家订单' });
+                    continue;
+                }
+                if (o.status !== 'accepted') {
+                    results.push({ order_id: oid, status: 'skipped', reason: `状态非 accepted (当前 ${o.status})` });
+                    continue;
+                }
+                if (!o.logistics_id) {
+                    db.prepare("UPDATE orders SET logistics_id = ? WHERE id = ?").run(logistics_company_id, oid);
+                }
+                const tn = trackingMap[oid] ? String(trackingMap[oid]).slice(0, 50) : null;
+                const evIds = [];
+                if (tn) {
+                    const eid = generateId('evt');
+                    db.prepare(`INSERT INTO evidence (id, order_id, uploader_id, type, description, file_hash)
+            VALUES (?,?,?,'description',?,?)`).run(eid, oid, user.id, `快递单号：${tn}`, `hash_${Date.now()}`);
+                    evIds.push(eid);
+                }
+                const result = transition(db, oid, 'shipped', user.id, evIds, tn ? `批量发货 · ${tn}` : '批量发货');
+                if (!result.success) {
+                    results.push({ order_id: oid, status: 'skipped', reason: result.error || '状态机拒绝' });
+                    continue;
+                }
+                notifyTransition(db, oid, 'accepted', 'shipped');
+                results.push({ order_id: oid, status: 'shipped' });
+            }
+            catch (e) {
+                results.push({ order_id: oid, status: 'skipped', reason: e.message });
+            }
+        }
+        const shipped = results.filter(r => r.status === 'shipped').length;
+        res.json({ success: true, shipped, skipped: results.filter(r => r.status === 'skipped').length, results });
+    });
+    // 买家确认面交完成 → 直接 completed + settleOrder
+    app.post('/api/orders/:id/confirm-in-person', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const order = db.prepare('SELECT * FROM orders WHERE id = ?').get(req.params.id);
+        if (!order)
+            return void res.status(404).json({ error: '订单不存在' });
+        if (order.fulfillment_mode !== 'in_person')
+            return void res.status(400).json({ error: '该订单非面交' });
+        if (order.buyer_id !== user.id)
+            return void res.status(403).json({ error: '仅买家可确认面交完成' });
+        if (!['paid', 'accepted'].includes(order.status))
+            return void res.status(400).json({ error: `订单状态 ${order.status} 不可确认面交` });
+        if (order.has_pending_claim)
+            return void res.status(400).json({ error: '存在进行中的验证任务，不可确认' });
+        const tx = db.transaction(() => {
+            db.prepare(`UPDATE orders SET status='completed', updated_at=datetime('now') WHERE id = ?`).run(req.params.id);
+            db.prepare(`INSERT INTO order_state_history (id, order_id, from_status, to_status, actor_id, actor_role, notes)
+        VALUES (?,?,?,?,?,?, '面交完成 — 买家确认')`)
+                .run(generateId('hst'), req.params.id, order.status, 'completed', user.id, user.role || 'buyer');
+        });
+        try {
+            tx();
+        }
+        catch (e) {
+            return void res.status(500).json({ error: '状态写入失败：' + e.message });
+        }
+        try {
+            settleOrder(req.params.id);
+        }
+        catch (e) {
+            console.error('[settleOrder in-person]', e);
+        }
+        res.json({ success: true });
+    });
+    // 通用状态机 action — accept/ship/pickup/transit/deliver/confirm/dispute
+    app.post('/api/orders/:id/action', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        // P0 fix: 受信角色禁交易
+        if (isTrustedRole(user))
+            return void res.status(403).json({ error: '受信角色不可参与订单流转', error_code: 'TRUSTED_ROLE_NO_TRADE' });
+        const { action, notes = '', evidence_description = '', logistics_company_id = '' } = req.body;
+        const order = db.prepare('SELECT * FROM orders WHERE id = ?').get(req.params.id);
+        if (!order)
+            return void res.status(404).json({ error: '订单不存在' });
+        // P0: 路由层 ownership 校验（engine 层只看 role，必须补 ownership）
+        const buyerId = order.buyer_id;
+        const sellerId = order.seller_id;
+        const logisticsId = order.logistics_id || null;
+        const uid = user.id;
+        if ((action === 'accept' || action === 'ship') && uid !== sellerId) {
+            return void res.status(403).json({ error: '你不是本订单的卖家', error_code: 'NOT_ORDER_SELLER' });
+        }
+        if (action === 'confirm' && uid !== buyerId) {
+            return void res.status(403).json({ error: '你不是本订单的买家', error_code: 'NOT_ORDER_BUYER' });
+        }
+        if (action === 'pickup' || action === 'transit' || action === 'deliver') {
+            // pickup 时若订单尚无物流，允许领取（孤儿单兜底）
+            const isOrphanPickup = action === 'pickup' && !logisticsId;
+            if (!isOrphanPickup && uid !== logisticsId) {
+                return void res.status(403).json({ error: '你不是本订单的物流方', error_code: 'NOT_ORDER_LOGISTICS' });
+            }
+        }
+        if (action === 'dispute' && uid !== buyerId && uid !== sellerId && uid !== logisticsId) {
+            return void res.status(403).json({ error: '只有交易参与方可发起争议', error_code: 'NOT_ORDER_PARTY' });
+        }
+        // 卖家发货时绑定物流公司
+        if (action === 'ship' && logistics_company_id) {
+            const logi = db.prepare(`SELECT id FROM users WHERE id = ? AND role = 'logistics'`).get(logistics_company_id);
+            if (!logi)
+                return void res.json({ error: '所选物流公司不存在' });
+            db.prepare('UPDATE orders SET logistics_id = ? WHERE id = ?').run(logistics_company_id, req.params.id);
+        }
+        // 物流自行揽收（卖家未指定物流时的兜底）
+        if (action === 'pickup' && !order.logistics_id && user.role === 'logistics') {
+            db.prepare('UPDATE orders SET logistics_id = ? WHERE id = ?').run(user.id, req.params.id);
+        }
+        const actionMap = {
+            accept: 'accepted', ship: 'shipped', pickup: 'picked_up',
+            transit: 'in_transit', deliver: 'delivered', confirm: 'confirmed', dispute: 'disputed'
+        };
+        const toStatus = actionMap[action];
+        if (!toStatus)
+            return void res.json({ error: `未知操作：${action}` });
+        // 创建证据记录 + 跨窗反诈：description 跑 detectFraud
+        const evidenceIds = [];
+        if (evidence_description) {
+            const eid = generateId('evt');
+            const evReasons = detectFraud(String(evidence_description));
+            db.prepare(`INSERT INTO evidence (id, order_id, uploader_id, type, description, file_hash, flag_reasons)
+        VALUES (?,?,?,'description',?,?,?)`).run(eid, req.params.id, user.id, evidence_description, `hash_${Date.now()}`, evReasons.length ? JSON.stringify(evReasons) : null);
+            evidenceIds.push(eid);
+        }
+        const fromStatus = order.status;
+        const result = transition(db, req.params.id, toStatus, user.id, evidenceIds, notes);
+        if (!result.success)
+            return void res.json({ error: result.error });
+        notifyTransition(db, req.params.id, fromStatus, toStatus);
+        if (toStatus === 'disputed') {
+            createDispute(db, req.params.id, user.id, notes || evidence_description || '买家发起争议', evidenceIds);
+            try {
+                broadcastSystemEvent('dispute_open', '⚖', `争议发起 (订单 ${req.params.id})`, req.params.id);
+            }
+            catch { }
+        }
+        if (toStatus === 'completed') {
+            try {
+                broadcastSystemEvent('order_completed', '✓', `订单完成 ${req.params.id}`, req.params.id);
+            }
+            catch { }
+        }
+        // 确认收货时自动结算
+        let settlementBreakdown = null;
+        if (toStatus === 'confirmed') {
+            const sysUser = db.prepare("SELECT id FROM users WHERE id = 'sys_protocol'").get();
+            transition(db, req.params.id, 'completed', sysUser.id, [], '系统自动结算');
+            notifyTransition(db, req.params.id, 'confirmed', 'completed');
+            settleOrder(req.params.id);
+            // QA 轮 9.4-retry-v3 P1：post-hoc build breakdown 从 DB，让 agent 看清每分钱去哪
+            try {
+                const round2 = (n) => Math.round(n * 100) / 100;
+                const ord = db.prepare("SELECT id, total_amount, source, fulfillment_mode, snapshot_commission_rate, l1_uid, l2_uid, l3_uid, logistics_id, seller_id FROM orders WHERE id = ?").get(req.params.id);
+                if (ord) {
+                    const total = Number(ord.total_amount);
+                    const isSecondhand = ord.source === 'secondhand';
+                    const isInPerson = ord.fulfillment_mode === 'in_person';
+                    const feeRate = isSecondhand ? 0.01 : 0.02;
+                    const protocolFee = round2(total * feeRate);
+                    const logisticsFee = isInPerson ? 0 : round2(total * 0.05);
+                    const logisticsActual = ord.logistics_id ? logisticsFee : 0;
+                    const commissionRate = Number(ord.snapshot_commission_rate ?? 0.10);
+                    const commissionPool = round2(total * commissionRate);
+                    const commRecs = db.prepare("SELECT level, amount, beneficiary_id FROM commission_records WHERE order_id = ?").all(req.params.id);
+                    const commByLevel = {
+                        1: { amount: 0, to: null }, 2: { amount: 0, to: null }, 3: { amount: 0, to: null },
+                    };
+                    let commissionDistributed = 0;
+                    for (const r of commRecs) {
+                        commByLevel[r.level] = { amount: Number(r.amount), to: r.beneficiary_id };
+                        commissionDistributed += Number(r.amount);
+                    }
+                    const commissionRedirected = round2(commissionPool - commissionDistributed);
+                    // QA 轮 14.b P2：redirected_total 拆 chain_gap(→charity) vs region_cap(→global_fund)
+                    // 之前单一数字让 agent 无法分辨钱去哪（global region L2/L3 进 global_fund，不是 charity）
+                    const charityRow = db.prepare("SELECT COALESCE(SUM(amount),0) AS s FROM charity_fund_txns WHERE related_order_id = ?").get(req.params.id);
+                    const redirectedToCharity = round2(Number(charityRow.s));
+                    const fundDepRow = db.prepare("SELECT COALESCE(SUM(amount_l3),0) AS s FROM fund_deposits WHERE order_id = ?").get(req.params.id);
+                    const redirectedToGlobalFund = round2(Number(fundDepRow.s));
+                    // QA 轮 9.5 P2：payouts 表只 MCP legacy 写，PWA settleOrder 直更 wallet.balance 不写 payouts
+                    // 改用公式推算 sellerAmount（跟 PWA settleOrder 内部计算一致），更可靠
+                    const fundBase1pct = round2(total * 0.01);
+                    const sellerAmountComputed = round2(total - protocolFee - logisticsActual - commissionPool - fundBase1pct);
+                    // sum_check 守恒：order_amount 应 = seller_net + protocol_fund + logistics + commission_pool(L1+L2+L3+redirect) + fund_base
+                    const sumComponents = round2(sellerAmountComputed + protocolFee + logisticsActual + commissionPool + fundBase1pct);
+                    settlementBreakdown = {
+                        order_amount: total,
+                        distribution: {
+                            seller_net: { amount: sellerAmountComputed, to: ord.seller_id, note: '不含可能的首销 stake 锁定（settleOrder 内 stake_locked_at 首次锁，从 sellerAmount 划出）' },
+                            protocol_fund_2pct: { amount: protocolFee, split: { management_bonus_pool: round2(protocolFee / 2), sys_protocol_ops: round2(protocolFee / 2) } },
+                            logistics_fee: { amount: logisticsActual, rate: isInPerson ? 'N/A in_person' : (ord.logistics_id ? '5%' : 'N/A self-fulfill') },
+                            commission_pool: { total: commissionPool, rate: `${(commissionRate * 100).toFixed(1)}%` },
+                            commission_distribution_7_2_1: {
+                                l1: commByLevel[1],
+                                l2: commByLevel[2],
+                                l3: commByLevel[3],
+                                distributed_total: round2(commissionDistributed),
+                                redirected_total: commissionRedirected,
+                                redirected_to_charity: redirectedToCharity, // chain_gap (无 L / sponsor 无效)
+                                redirected_to_global_fund: redirectedToGlobalFund, // region cap (level > region max_levels)
+                                redirect_note: 'chain_gap (无 L) → charity_fund; region cap (level > max_levels) → global_fund',
+                            },
+                            fund_base_1pct: fundBase1pct,
+                        },
+                        sum_check: sumComponents,
+                        sum_check_ok: Math.abs(sumComponents - total) < 0.01,
+                        transparency_note: 'sum_check 校验：order_amount = seller_net + protocol_fund + logistics + commission_pool + fund_base。stake / pinner / PV 分账见各自专用查询。',
+                    };
+                }
+            }
+            catch (e) {
+                console.error('[settlement_breakdown build]', e);
+            }
+        }
+        res.json({
+            success: true,
+            new_status: result.newStatus,
+            ...(settlementBreakdown ? { settlement_breakdown: settlementBreakdown } : {}),
+        });
+    });
+    // 手动触发超时判责（当事人）
+    app.post('/api/orders/:id/force-timeout-check', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const order = db.prepare('SELECT buyer_id, seller_id, logistics_id, status FROM orders WHERE id = ?').get(req.params.id);
+        if (!order)
+            return void res.status(404).json({ error: '订单不存在' });
+        const uid = user.id;
+        if (uid !== order.buyer_id && uid !== order.seller_id && uid !== order.logistics_id) {
+            return void res.status(403).json({ error: '非订单当事人' });
+        }
+        const beforeStatus = order.status;
+        const r = checkTimeouts(db);
+        const after = db.prepare('SELECT status FROM orders WHERE id = ?').get(req.params.id);
+        const touched = r.details.find((d) => d.orderId === req.params.id) || null;
+        if (touched) {
+            const faultMatch = touched.action.match(/→ (fault_\w+)/);
+            if (faultMatch) {
+                try {
+                    recordViolationReputation(db, req.params.id, faultMatch[1]);
+                }
+                catch { }
+            }
+        }
+        res.json({
+            before_status: beforeStatus,
+            after_status: after.status,
+            changed: beforeStatus !== after.status,
+            action: touched?.action || null,
+        });
+    });
+}