@seasonkoh/webaz 0.1.7 → 0.1.9

package/dist/pwa/routes/products-aliases.js

@@ -0,0 +1,119 @@
+export function registerProductsAliasesRoutes(app, deps) {
+    const { db, auth, generateId, extractCandidateAliases } = deps;
+    // M7.2-5: 从外部原文提取候选 alias
+    app.post('/api/products/extract-aliases', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const text = String(req.body?.text || '').trim();
+        if (!text || text.length < 6)
+            return void res.json({ error: '文本至少 6 字符' });
+        if (text.length > 5000)
+            return void res.json({ error: '文本过长（≤ 5000 字符）' });
+        const candidates = extractCandidateAliases(text);
+        res.json({ candidates, hint: '勾选要声明为该商品 alias 的项目（≥ 6 字符；过短或过通用的项会被反作弊机制挑战）' });
+    });
+    // M7.2-7: alias CRUD（仅商品 owner）
+    app.get('/api/products/:id/aliases', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const p = db.prepare('SELECT seller_id FROM products WHERE id = ?').get(req.params.id);
+        if (!p)
+            return void res.status(404).json({ error: '商品不存在' });
+        if (p.seller_id !== user.id)
+            return void res.status(403).json({ error: '仅商品 owner 可查看 alias' });
+        const rows = db.prepare(`SELECT id, alias_type, alias_value, min_match_chars, status, challenged_at, created_at
+      FROM product_aliases WHERE product_id = ? ORDER BY created_at DESC`).all(req.params.id);
+        res.json({ aliases: rows });
+    });
+    app.post('/api/products/:id/aliases', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const p = db.prepare('SELECT seller_id, title FROM products WHERE id = ?').get(req.params.id);
+        if (!p)
+            return void res.status(404).json({ error: '商品不存在' });
+        if (p.seller_id !== user.id)
+            return void res.status(403).json({ error: '仅商品 owner 可添加 alias' });
+        const inputs = Array.isArray(req.body?.aliases) ? req.body.aliases : [];
+        if (!inputs.length)
+            return void res.json({ error: '请提供 aliases 数组' });
+        const ALLOWED_TYPES = new Set(['external_id', 'external_title', 'short_url', 'kouling_token', 'title_substring']);
+        const ALIAS_LIMIT_PER_PRODUCT = 20;
+        const countActive = db.prepare(`SELECT COUNT(*) as n FROM product_aliases WHERE product_id = ? AND status = 'active'`);
+        const insertAlias = db.prepare(`INSERT INTO product_aliases (id, product_id, alias_type, alias_value, min_match_chars) VALUES (?,?,?,?,?)`);
+        const rollbackAlias = db.prepare(`DELETE FROM product_aliases WHERE id = ?`);
+        // M-3 fix：事务 + 每次 INSERT 后立即 SELECT COUNT 校验
+        // 防止并发 / 多 INSERT 突破上限 → 单事务内 TOCTOU 不复存在
+        const inserted = [];
+        const skipped = [];
+        const tx = db.transaction(() => {
+            const startCount = countActive.get(req.params.id).n;
+            if (startCount >= ALIAS_LIMIT_PER_PRODUCT) {
+                throw new Error(`LIMIT_REACHED:${startCount}`);
+            }
+            for (const a of inputs) {
+                const type = String(a?.type || '').trim();
+                const value = String(a?.value || '').trim();
+                if (!ALLOWED_TYPES.has(type)) {
+                    skipped.push({ value, reason: `unknown type: ${type}` });
+                    continue;
+                }
+                if (value.length < 6) {
+                    skipped.push({ value, reason: '< 6 字符' });
+                    continue;
+                }
+                if (value.length > 200) {
+                    skipped.push({ value, reason: '> 200 字符' });
+                    continue;
+                }
+                if (type === 'title_substring' && !p.title.includes(value)) {
+                    skipped.push({ value, reason: 'title_substring 必须是商品标题的真子串' });
+                    continue;
+                }
+                const minChars = Math.max(6, Number(a?.min_chars) || 6);
+                const id = generateId('pal');
+                try {
+                    insertAlias.run(id, req.params.id, type, value, minChars);
+                }
+                catch {
+                    skipped.push({ value, reason: 'duplicate or constraint' });
+                    continue;
+                }
+                // 立即校验：超 limit 立刻回滚这条
+                const afterCount = countActive.get(req.params.id).n;
+                if (afterCount > ALIAS_LIMIT_PER_PRODUCT) {
+                    rollbackAlias.run(id);
+                    skipped.push({ value, reason: `reached ${ALIAS_LIMIT_PER_PRODUCT} cap` });
+                    break;
+                }
+                inserted.push(id);
+            }
+        });
+        try {
+            tx();
+        }
+        catch (e) {
+            const msg = String(e.message || '');
+            if (msg.startsWith('LIMIT_REACHED:')) {
+                return void res.json({ error: `每个商品最多 ${ALIAS_LIMIT_PER_PRODUCT} 个 active alias` });
+            }
+            return void res.status(500).json({ error: msg });
+        }
+        res.json({ inserted: inserted.length, skipped });
+    });
+    app.delete('/api/products/:id/aliases/:aliasId', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const p = db.prepare('SELECT seller_id FROM products WHERE id = ?').get(req.params.id);
+        if (!p)
+            return void res.status(404).json({ error: '商品不存在' });
+        if (p.seller_id !== user.id)
+            return void res.status(403).json({ error: '仅商品 owner 可删除 alias' });
+        const r = db.prepare(`UPDATE product_aliases SET status = 'revoked' WHERE id = ? AND product_id = ?`)
+            .run(req.params.aliasId, req.params.id);
+        res.json({ success: r.changes > 0 });
+    });
+}

package/dist/pwa/routes/products-claims.js

@@ -0,0 +1,60 @@
+export function registerProductsClaimsRoutes(app, deps) {
+    const { db, auth, isTrustedRole, errorRes, generateId, PRODUCT_CLAIM_TARGETS, PRODUCT_CLAIM_STAKE_DEFAULT, PRODUCT_CLAIM_DEADLINE_HOURS, PRODUCT_CLAIM_VERIFIERS_NEEDED } = deps;
+    app.post('/api/products/:id/claim', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        // 受信角色不可参与（管理员中立）
+        if (isTrustedRole(user)) {
+            return void errorRes(res, 403, 'TRUSTED_ROLE_NO_CLAIM', '受信角色不可发起商品声明');
+        }
+        const product = db.prepare('SELECT * FROM products WHERE id = ?').get(req.params.id);
+        if (!product)
+            return void res.status(404).json({ error: '商品不存在' });
+        if (product.seller_id === user.id)
+            return void errorRes(res, 403, 'CANNOT_CLAIM_OWN', '不可对自己的商品发起声明');
+        if (product.status !== 'active')
+            return void res.status(400).json({ error: '仅在售商品可发起声明' });
+        const claim_target = String(req.body?.claim_target || '').trim();
+        if (!PRODUCT_CLAIM_TARGETS.has(claim_target)) {
+            return void res.status(400).json({ error: `claim_target 须为 ${[...PRODUCT_CLAIM_TARGETS].join(' / ')}` });
+        }
+        const claim_text = String(req.body?.claim_text || '').trim();
+        if (claim_text.length < 6 || claim_text.length > 500) {
+            return void res.status(400).json({ error: 'claim_text 长度需 6-500 字' });
+        }
+        const evidence_uri = req.body?.evidence_uri ? String(req.body.evidence_uri).trim().slice(0, 500) : null;
+        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        const stake = PRODUCT_CLAIM_STAKE_DEFAULT;
+        if (!wallet || wallet.balance < stake) {
+            return void res.status(400).json({ error: `余额不足：发起需锁 ${stake} WAZ，当前 ${wallet?.balance ?? 0} WAZ` });
+        }
+        // 同用户对同商品同 target 只能挂一个 open claim
+        const dup = db.prepare(`SELECT id FROM product_claim_tasks WHERE product_id = ? AND claimant_id = ? AND claim_target = ? AND status = 'open'`)
+            .get(req.params.id, user.id, claim_target);
+        if (dup)
+            return void res.status(409).json({ error: '你已对此商品的同一项发起过 open 声明' });
+        const id = generateId('pct');
+        const deadline = new Date(Date.now() + PRODUCT_CLAIM_DEADLINE_HOURS * 3600_000).toISOString();
+        db.prepare(`INSERT INTO product_claim_tasks
+      (id, product_id, claimant_id, seller_id, claim_target, claim_text, evidence_uri, stake_claimant, deadline_at, status)
+      VALUES (?,?,?,?,?,?,?,?,?,'open')`)
+            .run(id, req.params.id, user.id, product.seller_id, claim_target, claim_text, evidence_uri, stake, deadline);
+        db.prepare('UPDATE wallets SET balance = balance - ?, escrowed = escrowed + ? WHERE user_id = ?')
+            .run(stake, stake, user.id);
+        res.json({ success: true, claim_id: id, deadline_at: deadline, stake_locked: stake });
+    });
+    // 公开：列出某商品的全部声明（含已结算）
+    app.get('/api/products/:id/claims', (req, res) => {
+        const rows = db.prepare(`
+      SELECT pct.id, pct.claim_target, pct.claim_text, pct.evidence_uri, pct.status, pct.ruling, pct.deadline_at, pct.resolved_at, pct.created_at,
+             u.name as claimant_name,
+             (SELECT COUNT(*) FROM product_claim_votes WHERE claim_id = pct.id) as votes_count
+      FROM product_claim_tasks pct
+      JOIN users u ON u.id = pct.claimant_id
+      WHERE pct.product_id = ?
+      ORDER BY pct.created_at DESC LIMIT 50
+    `).all(req.params.id);
+        res.json({ claims: rows, votes_needed: PRODUCT_CLAIM_VERIFIERS_NEEDED });
+    });
+}

package/dist/pwa/routes/products-create.js

@@ -0,0 +1,206 @@
+export function registerProductsCreateRoutes(app, deps) {
+    const { db, auth, generateId, checkSellerCanList, getStakeDiscount, VALID_PRODUCT_TYPES, parsePlatformUrl, makeCommitmentHash, makeDescriptionHash, makePriceHash } = deps;
+    app.post('/api/products', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (user.role !== 'seller')
+            return void res.json({ error: '仅卖家可上架商品' });
+        // 里程碑 3-D：1h 上架限速（防 spam 批量上架）
+        const LISTING_RATE_LIMIT = 5;
+        const recentListings = db.prepare(`
+      SELECT COUNT(1) as n FROM products
+      WHERE seller_id = ? AND created_at > datetime('now', '-1 hour')
+    `).get(user.id).n;
+        if (recentListings >= LISTING_RATE_LIMIT) {
+            return void res.status(429).json({
+                error: `上架过于频繁：1 小时内最多 ${LISTING_RATE_LIMIT} 个商品（当前已 ${recentListings} 个）`,
+                retry_after_seconds: 3600,
+            });
+        }
+        // 发新品配额检查（模块 A）
+        const quotaCheck = checkSellerCanList(user);
+        if (!quotaCheck.ok)
+            return void res.json({ error: quotaCheck.reason });
+        const { title, description, price, stock = 1, category = '', specs, brand, model, source_url, source_price, external_title, weight_kg, ship_regions = '全国', handling_hours = 24, estimated_days, fragile = 0, return_days = 7, return_condition = '', warranty_days = 0, commission_rate, product_type = 'retail', // 里程碑 6
+        aliases = [], // 里程碑 7.2：上架时同步声明的 alias 集合
+        image_hashes = [], // 商品图片 — 只存 hash（64 hex），实际 blob 在卖家节点 IDB
+         } = req.body;
+        // 协议化原则：服务端只存 hash 引用，不存图片字节。校验仅做格式 + 数量。
+        let imagesJsonForInsert = null;
+        if (Array.isArray(image_hashes) && image_hashes.length > 0) {
+            if (image_hashes.length > 9)
+                return void res.json({ error: '图片最多 9 张' });
+            for (const h of image_hashes) {
+                if (typeof h !== 'string' || !/^[a-f0-9]{64}$/.test(h)) {
+                    return void res.json({ error: 'image_hashes 必须为 64 字符十六进制' });
+                }
+            }
+            imagesJsonForInsert = JSON.stringify(image_hashes);
+        }
+        // product_type 校验
+        if (typeof product_type !== 'string' || !VALID_PRODUCT_TYPES.has(product_type)) {
+            return void res.json({ error: `product_type 必须是 ${[...VALID_PRODUCT_TYPES].join(' / ')} 之一` });
+        }
+        const sourceMeta = parsePlatformUrl(source_url);
+        // 精准匹配原则：external_title 必须显式提供，不 fallback 到店铺 title
+        const externalTitleVal = typeof external_title === 'string' && external_title.trim() ? external_title.trim() : null;
+        if (!title || !description || !price)
+            return void res.json({ error: '请填写商品名、描述、价格' });
+        // 推土机 commission_rate（1%-50%）
+        const commissionRateNum = Number(commission_rate ?? 0.10);
+        if (!(commissionRateNum >= 0.01 && commissionRateNum <= 0.50)) {
+            return void res.json({ error: 'commission_rate 必须在 1% - 50% 之间（小数 0.01-0.50）' });
+        }
+        // 上架前检查：同一卖家不能重复关联相同外部链接
+        if (source_url) {
+            const sameSellerDupe = db.prepare(`
+        SELECT COUNT(*) as n FROM product_external_links pel
+        JOIN products p ON pel.product_id = p.id
+        WHERE pel.url = ? AND p.seller_id = ?
+      `).get(source_url, user.id);
+            if (sameSellerDupe.n > 0) {
+                return void res.json({ error: '您已上架过来自此链接的商品，不能重复关联相同外部链接' });
+            }
+        }
+        // M7.2.6 / 方案 3：上架免质押 — 零门槛入驻
+        // stake_amount 字段记录"预期 stake"（首单成交时从订单 escrow 锁定）
+        const priceNum = Number(price);
+        const stakeDiscount = getStakeDiscount(db, user.id);
+        const stakeRate = Math.max(0.05, 0.15 - stakeDiscount);
+        const stakeAmount = Math.round(priceNum * stakeRate * 100) / 100;
+        const now = new Date().toISOString();
+        const id = generateId('prd');
+        const specsJson = specs ? (typeof specs === 'string' ? specs : JSON.stringify(specs)) : null;
+        const estJson = estimated_days ? (typeof estimated_days === 'string' ? estimated_days : JSON.stringify(estimated_days)) : null;
+        const pFields = { ship_regions, handling_hours, estimated_days: estJson, return_days, return_condition, warranty_days };
+        db.prepare(`INSERT INTO products (
+      id, seller_id, title, description, price, stock, category, stake_amount,
+      specs, brand, model, source_url, source_price, source_price_at,
+      weight_kg, ship_regions, handling_hours, estimated_days, fragile,
+      return_days, return_condition, warranty_days,
+      commitment_hash, description_hash, price_hash, hashed_at,
+      commission_rate, product_type, images
+    ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)`).run(id, user.id, title, description, priceNum, Number(stock), category, stakeAmount, specsJson, brand ?? null, model ?? null, source_url ?? null, source_price ? Number(source_price) : null, source_price ? now : null, weight_kg ? Number(weight_kg) : null, ship_regions, Number(handling_hours), estJson, fragile ? 1 : 0, Number(return_days), return_condition, Number(warranty_days), makeCommitmentHash(pFields), makeDescriptionHash({ title, description, specs: specsJson }), makePriceHash(priceNum, now), now, commissionRateNum, product_type, imagesJsonForInsert);
+        // M7.2.6：免质押上架 — 不再扣 stake；首单成交时 settleOrder 自动从订单 escrow 锁定
+        // M7.2-6: 上架时同步入 aliases（卖家已勾选的 candidates）
+        if (Array.isArray(aliases) && aliases.length > 0) {
+            const ALLOWED_TYPES = new Set(['external_id', 'external_title', 'short_url', 'kouling_token', 'title_substring']);
+            const ALIAS_LIMIT = 20;
+            let n = 0;
+            for (const a of aliases) {
+                if (n >= ALIAS_LIMIT)
+                    break;
+                const type = String(a?.type || '').trim();
+                const value = String(a?.value || '').trim();
+                if (!ALLOWED_TYPES.has(type) || value.length < 6 || value.length > 200)
+                    continue;
+                // M-2 fix: title_substring 必须是 product.title 真子串
+                if (type === 'title_substring' && !String(title).includes(value))
+                    continue;
+                try {
+                    db.prepare(`INSERT INTO product_aliases (id, product_id, alias_type, alias_value, min_match_chars) VALUES (?,?,?,?,6)`)
+                        .run(generateId('pal'), id, type, value);
+                    n++;
+                }
+                catch { }
+            }
+        }
+        // 来源链接：冲突检测
+        let linkConflict = null;
+        if (source_url) {
+            // 另一家卖家已认领此链接（verified=1）
+            const otherClaim = db.prepare(`
+        SELECT pel.product_id FROM product_external_links pel
+        JOIN products p ON pel.product_id = p.id
+        WHERE pel.url = ? AND pel.verified = 1 AND p.seller_id != ?
+      `).get(source_url, user.id);
+            if (otherClaim) {
+                // 插入为未验证状态
+                db.prepare(`INSERT OR IGNORE INTO product_external_links
+          (id, product_id, url, source, verified, verify_note, platform, external_id, external_title)
+          VALUES (?, ?, ?, 'import', 0, '链接冲突：等待众包验证确认归属', ?, ?, ?)`).run(generateId('lnk'), id, source_url, sourceMeta?.platform ?? null, sourceMeta?.external_id ?? null, externalTitleVal);
+                // 创建认领验证任务（扣锁定费）
+                const VERIFIERS_NEEDED = 1;
+                const REWARD_EACH = 0.1;
+                const feeLocked = VERIFIERS_NEEDED * REWARD_EACH;
+                const walletNow = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+                const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
+                const code = Array.from({ length: 8 }, () => chars[Math.floor(Math.random() * chars.length)]).join('');
+                const taskId = generateId('vtk');
+                const expiresAt = new Date(Date.now() + 72 * 3600_000).toISOString();
+                const baseMsg = `此商品来源链接已被其他商家认领。请将验证码 [${code}] 放入该平台商品标题或描述，等待人工审核确认后归属自动转移。`;
+                if (walletNow.balance >= feeLocked) {
+                    try {
+                        db.prepare(`INSERT INTO verify_tasks (id, type, product_id, url, code, verifiers_needed, reward_per_verifier, fee_locked, status, expires_at)
+              VALUES (?,?,?,?,?,?,?,?,'code_issued',?)`).run(taskId, 'code_check', id, source_url, code, VERIFIERS_NEEDED, REWARD_EACH, feeLocked, expiresAt);
+                        db.prepare(`UPDATE wallets SET balance = balance - ? WHERE user_id = ?`).run(feeLocked, user.id);
+                        linkConflict = { task_id: taskId, code: `[${code}]`, expires_at: expiresAt, message: baseMsg };
+                    }
+                    catch {
+                        linkConflict = { message: `${baseMsg}（余额不足以锁定验证费 ${feeLocked} WAZ，请前往商品外部链接手动发起验证）` };
+                    }
+                }
+                else {
+                    linkConflict = { message: `${baseMsg}（当前余额不足以锁定验证费 ${feeLocked} WAZ，请充值后前往商品编辑页手动发起验证）` };
+                }
+                // 有冲突：商品进入仓库，等待验证结果后再上架
+                db.prepare(`UPDATE products SET status='warehouse', updated_at=datetime('now') WHERE id=?`).run(id);
+            }
+            else {
+                // 无冲突 — 直接 verified=1
+                db.prepare(`INSERT OR IGNORE INTO product_external_links
+          (id, product_id, url, source, verified, verified_at, platform, external_id, external_title)
+          VALUES (?, ?, ?, 'import', 1, datetime('now'), ?, ?, ?)`).run(generateId('lnk'), id, source_url, sourceMeta?.platform ?? null, sourceMeta?.external_id ?? null, externalTitleVal);
+            }
+        }
+        // 额外链接：同步冲突检查（最多 5 个）
+        const additionalLinks = req.body.additional_links;
+        const blockedLinks = [];
+        if (Array.isArray(additionalLinks) && additionalLinks.length > 0) {
+            for (const extraUrl of additionalLinks.slice(0, 5)) {
+                if (typeof extraUrl !== 'string' || !extraUrl.startsWith('http'))
+                    continue;
+                const alreadyLinked = db.prepare('SELECT id FROM product_external_links WHERE product_id = ? AND url = ?').get(id, extraUrl);
+                if (alreadyLinked)
+                    continue;
+                // 同卖家已在其他商品关联过此链接
+                const selfConflict = db.prepare(`
+          SELECT p.title FROM product_external_links pel
+          JOIN products p ON pel.product_id = p.id
+          WHERE pel.url = ? AND p.seller_id = ? AND p.id != ?
+        `).get(extraUrl, user.id, id);
+                if (selfConflict) {
+                    blockedLinks.push({ url: extraUrl, message: `您已在商品「${selfConflict.title}」中关联了此链接` });
+                    continue;
+                }
+                // 他人已认领（verified=1）
+                const otherConflict = db.prepare(`
+          SELECT p.title FROM product_external_links pel
+          JOIN products p ON pel.product_id = p.id
+          WHERE pel.url = ? AND pel.verified = 1 AND p.seller_id != ?
+        `).get(extraUrl, user.id);
+                if (otherConflict) {
+                    blockedLinks.push({ url: extraUrl, message: `此链接已被其他商家认领，上架后可在商品编辑页发起验证任务` });
+                    continue;
+                }
+                // 无冲突 — 直接 verified=1
+                try {
+                    const extraMeta = parsePlatformUrl(extraUrl);
+                    db.prepare(`INSERT OR IGNORE INTO product_external_links
+            (id, product_id, url, source, verified, verified_at, platform, external_id)
+            VALUES (?, ?, ?, 'import_extra', 1, datetime('now'), ?, ?)`).run(generateId('lnk'), id, extraUrl, extraMeta?.platform ?? null, extraMeta?.external_id ?? null);
+                }
+                catch { }
+            }
+        }
+        res.json({
+            success: true,
+            product_id: id,
+            stake_locked: 0, // 免质押上架（M7.2.6 方案 3）
+            stake_deferred: stakeAmount, // 首单成交时自动锁定（trusted+ 跳过）
+            ...(linkConflict ? { link_conflict: linkConflict } : {}),
+            ...(blockedLinks.length > 0 ? { blocked_links: blockedLinks } : {}),
+        });
+    });
+}

package/dist/pwa/routes/products-crud.js

@@ -0,0 +1,73 @@
+export function registerProductsCrudRoutes(app, deps) {
+    const { db, auth, errorRes, formatProductForAgent, retireAnchorsByTarget } = deps;
+    // 单品详情（agent verify price 时使用）
+    // 卖家可查看自己的非上架商品（编辑页用），其他人只能看 active
+    app.get('/api/products/:id', (req, res) => {
+        const token = (req.headers.authorization || '').replace('Bearer ', '');
+        const selfUser = token ? db.prepare('SELECT id FROM users WHERE api_key = ?').get(token) : undefined;
+        const row = db.prepare(`
+      SELECT p.*, u.name as seller_name,
+        COALESCE(rs.total_points, 0) as rep_points, COALESCE(rs.level, 'new') as rep_level
+      FROM products p
+      JOIN users u ON p.seller_id = u.id
+      LEFT JOIN reputation_scores rs ON rs.user_id = p.seller_id
+      WHERE p.id = ? AND (p.status = 'active' OR p.seller_id = ?)
+    `).get(req.params.id, selfUser?.id ?? '');
+        if (!row)
+            return void res.status(404).json({ error: 'not_found' });
+        res.json(formatProductForAgent(row, req));
+    });
+    // 状态切换（active / warehouse / deleted）
+    app.patch('/api/products/:id/status', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { status } = req.body;
+        if (!['active', 'warehouse', 'deleted'].includes(status))
+            return void res.json({ error: '无效状态值' });
+        const product = db.prepare('SELECT id, claim_loss_count FROM products WHERE id = ? AND seller_id = ?').get(req.params.id, user.id);
+        if (!product)
+            return void res.status(404).json({ error: '商品不存在或无权限' });
+        if (status === 'active') {
+            // Sprint 5 audit fix: claim_loss_count >= 3 禁 seller 自助再上架，必须 admin 干预（content 权限）
+            if ((product.claim_loss_count || 0) >= 3) {
+                return void errorRes(res, 403, 'CLAIM_THRESHOLD_REACHED', `该商品累计 ${product.claim_loss_count} 次声明被验证不实，已达自动下架阈值。需 admin 干预方可重新上架，请联系管理员。`);
+            }
+            const pendingTask = db.prepare(`SELECT id FROM verify_tasks WHERE product_id=? AND status IN ('code_issued','open')`).get(req.params.id);
+            if (pendingTask)
+                return void res.json({ error: '链接核验进行中，请等待验证结果后再上架' });
+            const hasRevoked = db.prepare(`SELECT id FROM product_external_links WHERE product_id=? AND revoked=1`).get(req.params.id);
+            const hasValid = db.prepare(`SELECT id FROM product_external_links WHERE product_id=? AND verified=1 AND (revoked IS NULL OR revoked=0)`).get(req.params.id);
+            if (hasRevoked && !hasValid)
+                return void res.json({ error: '所有外部链接已失效（主权失效），请先添加新链接后再上架' });
+        }
+        db.prepare(`UPDATE products SET status = ?, updated_at = datetime('now') WHERE id = ?`).run(status, req.params.id);
+        res.json({ success: true });
+    });
+    // 硬删（仅 deleted 状态 + 无进行中订单）
+    app.delete('/api/products/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const product = db.prepare('SELECT * FROM products WHERE id = ? AND seller_id = ?').get(req.params.id, user.id);
+        if (!product)
+            return void res.status(404).json({ error: '商品不存在或无权限' });
+        if (product.status !== 'deleted')
+            return void res.json({ error: '请先将商品移入回收箱' });
+        const activeOrders = db.prepare(`
+      SELECT COUNT(*) as n FROM orders WHERE product_id = ? AND status NOT IN ('completed','cancelled','refunded','expired')
+    `).get(req.params.id);
+        if (activeOrders.n > 0)
+            return void res.json({ error: '该商品有进行中的订单，暂无法删除' });
+        db.prepare('DELETE FROM product_external_links WHERE product_id = ?').run(req.params.id);
+        // E1 anchor GC: 指向该 product 的 active anchor → retired
+        try {
+            retireAnchorsByTarget(db, 'product', String(req.params.id));
+        }
+        catch (e) {
+            console.warn('[anchor-gc product]', e.message);
+        }
+        db.prepare('DELETE FROM products WHERE id = ?').run(req.params.id);
+        res.json({ success: true });
+    });
+}

package/dist/pwa/routes/products-links.js

@@ -0,0 +1,129 @@
+export function registerProductsLinksRoutes(app, deps) {
+    const { db, auth, generateId, extractUrlFromText, extractTitleFromText, parsePlatformUrl } = deps;
+    app.get('/api/products/:id/links', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const product = db.prepare('SELECT seller_id FROM products WHERE id = ?').get(req.params.id);
+        if (!product)
+            return void res.status(404).json({ error: '商品不存在' });
+        if (product.seller_id !== user.id)
+            return void res.status(403).json({ error: '无权限' });
+        const links = db.prepare(`SELECT id, url, source, verified, revoked, verify_note, added_at, platform, external_id, external_title FROM product_external_links WHERE product_id = ? ORDER BY added_at ASC`).all(req.params.id);
+        res.json(links);
+    });
+    // 新链接（无人认领）直接 verified=1；已被他人认领则发起众包验证任务
+    app.post('/api/products/:id/links', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const product = db.prepare('SELECT * FROM products WHERE id = ? AND seller_id = ?').get(req.params.id, user.id);
+        if (!product)
+            return void res.status(404).json({ error: '商品不存在或无权限' });
+        // 支持两种 body：(a) {url, external_title?} (b) {text}
+        const rawText = req.body?.text;
+        let url = req.body?.url;
+        let bodyExternalTitle = req.body?.external_title;
+        if (!url && rawText) {
+            url = extractUrlFromText(rawText) ?? undefined;
+            if (!bodyExternalTitle)
+                bodyExternalTitle = extractTitleFromText(rawText) ?? undefined;
+        }
+        if (!url || !url.startsWith('http'))
+            return void res.json({ error: '请提供有效链接（URL 或包含 URL 的分享文本）' });
+        // 精准匹配原则：external_title 必须显式输入，不 fallback 到 product.title
+        const linkExternalTitle = bodyExternalTitle && bodyExternalTitle.trim() ? bodyExternalTitle.trim() : null;
+        // 已关联此商品
+        const existing = db.prepare('SELECT id, verified, revoked FROM product_external_links WHERE product_id = ? AND url = ?')
+            .get(req.params.id, url);
+        if (existing) {
+            // 主权失效的旧记录：删除后允许重新发起认领
+            if (existing.revoked) {
+                db.prepare('DELETE FROM product_external_links WHERE id = ?').run(existing.id);
+            }
+            else {
+                return void res.json({ error: '该链接已关联到此商品' });
+            }
+        }
+        // 同卖家的其他商品已关联此链接
+        const sameSellerOther = db.prepare(`
+      SELECT p.title FROM product_external_links pel
+      JOIN products p ON pel.product_id = p.id
+      WHERE pel.url = ? AND p.seller_id = ? AND pel.product_id != ?
+    `).get(url, user.id, req.params.id);
+        if (sameSellerOther) {
+            return void res.json({ error: `此链接已在您的商品「${sameSellerOther.title}」中关联，一个链接不能关联多个商品` });
+        }
+        // 是否已被其他卖家 verified 认领
+        const otherClaim = db.prepare(`
+      SELECT p.title as product_title FROM product_external_links pel
+      JOIN products p ON pel.product_id = p.id
+      WHERE pel.url = ? AND pel.verified = 1 AND p.seller_id != ?
+    `).get(url, user.id);
+        if (!otherClaim) {
+            // 新链接，无冲突：直接 verified=1
+            const linkId = generateId('lnk');
+            const meta = parsePlatformUrl(url);
+            db.prepare(`INSERT INTO product_external_links
+        (id, product_id, url, source, verified, verified_at, platform, external_id, external_title)
+        VALUES (?, ?, ?, 'manual', 1, datetime('now'), ?, ?, ?)`).run(linkId, req.params.id, url, meta?.platform ?? null, meta?.external_id ?? null, linkExternalTitle);
+            return void res.json({ link_id: linkId, verified: 1, external_title: linkExternalTitle, message: '链接已关联' });
+        }
+        // 已被他人认领：发起众包验证任务
+        const existingTask = db.prepare(`SELECT id, code, status, expires_at FROM verify_tasks WHERE product_id = ? AND url = ? AND status IN ('code_issued','open')`)
+            .get(req.params.id, url);
+        if (existingTask) {
+            const isPending = existingTask.status === 'code_issued';
+            return void res.json({
+                task_id: existingTask.id,
+                code: `[${existingTask.code}]`,
+                status: existingTask.status,
+                expires_at: existingTask.expires_at,
+                already_pending: true,
+                conflict: true,
+                instructions: isPending
+                    ? `此链接已有认领任务，请将验证码 [${existingTask.code}] 放入原平台商品标题或描述，完成后回来点击「确认已添加」提交任务。`
+                    : `此链接已有进行中的认领任务，等待验证者确认。`,
+            });
+        }
+        const VERIFIERS_NEEDED = 1;
+        const REWARD_EACH = 0.1;
+        const feeLocked = VERIFIERS_NEEDED * REWARD_EACH;
+        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        if (wallet.balance < feeLocked) {
+            return void res.json({ error: `余额不足：认领验证需锁定 ${feeLocked} WAZ，当前余额 ${wallet.balance} WAZ` });
+        }
+        // 8 位验证码（排除易混 IOOLZ）
+        const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
+        const code = Array.from({ length: 8 }, () => chars[Math.floor(Math.random() * chars.length)]).join('');
+        const linkId = generateId('lnk');
+        const taskId = generateId('vtk');
+        const expiresAt = new Date(Date.now() + 72 * 3600_000).toISOString();
+        const claimMeta = parsePlatformUrl(url);
+        db.prepare(`INSERT INTO product_external_links
+      (id, product_id, url, source, verified, verify_note, platform, external_id, external_title)
+      VALUES (?, ?, ?, 'manual', 0, '认领验证进行中', ?, ?, ?)`).run(linkId, req.params.id, url, claimMeta?.platform ?? null, claimMeta?.external_id ?? null, linkExternalTitle);
+        db.prepare(`INSERT INTO verify_tasks (id, type, product_id, url, code, verifiers_needed, reward_per_verifier, fee_locked, status, expires_at)
+      VALUES (?,?,?,?,?,?,?,?,'code_issued',?)`).run(taskId, 'claim', req.params.id, url, code, VERIFIERS_NEEDED, REWARD_EACH, feeLocked, expiresAt);
+        db.prepare(`UPDATE wallets SET balance = balance - ? WHERE user_id = ?`).run(feeLocked, user.id);
+        res.json({
+            link_id: linkId,
+            task_id: taskId,
+            verified: 0,
+            conflict: true,
+            code: `[${code}]`,
+            instructions: `此链接已被其他商家的商品「${otherClaim.product_title}」认领。请将验证码 [${code}] 放入该平台商品标题或描述，完成后在商品编辑页点击「确认已添加」提交验证任务，经审核确认后，链接归属将转移到您的商品。`,
+            expires_at: expiresAt,
+        });
+    });
+    app.delete('/api/products/:id/links/:linkId', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const product = db.prepare('SELECT seller_id FROM products WHERE id = ?').get(req.params.id);
+        if (!product || product.seller_id !== user.id)
+            return void res.status(403).json({ error: '无权限' });
+        db.prepare('DELETE FROM product_external_links WHERE id = ? AND product_id = ?').run(req.params.linkId, req.params.id);
+        res.json({ success: true });
+    });
+}