@seasonkoh/webaz 0.1.7 → 0.1.9

package/dist/pwa/routes/products-update.js

@@ -0,0 +1,125 @@
+export function registerProductsUpdateRoutes(app, deps) {
+    const { db, auth, makeCommitmentHash, makeDescriptionHash, makePriceHash, notifyWaitlist, notifyWishlistPriceDrop, checkStockAndMaybeDelist } = deps;
+    app.put('/api/products/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const product = db.prepare('SELECT * FROM products WHERE id = ? AND seller_id = ?').get(req.params.id, user.id);
+        if (!product)
+            return void res.status(404).json({ error: '商品不存在或无权限' });
+        const { title, description, price, stock, specs, brand, model, handling_hours, ship_regions, estimated_days, fragile, return_days, return_condition, warranty_days, low_stock_threshold, auto_delist_on_zero, origin_claims, i18n_titles, i18n_descs, } = req.body;
+        const now = new Date().toISOString();
+        const specsJson = specs != null ? (typeof specs === 'object' ? JSON.stringify(specs) : specs) : product.specs;
+        const estJson = estimated_days != null ? (typeof estimated_days === 'object' ? JSON.stringify(estimated_days) : String(estimated_days)) : product.estimated_days;
+        const newTitle = title ?? product.title;
+        const newDesc = description ?? product.description;
+        const newPrice = price != null ? Number(price) : product.price;
+        const newHandling = handling_hours != null ? Number(handling_hours) : product.handling_hours;
+        const newShipRegions = ship_regions ?? product.ship_regions;
+        const newEstDays = estJson;
+        const newReturnDays = return_days != null ? Number(return_days) : product.return_days;
+        const newReturnCond = return_condition ?? product.return_condition;
+        const newWarranty = warranty_days != null ? Number(warranty_days) : product.warranty_days;
+        const newFragile = fragile != null ? (fragile ? 1 : 0) : product.fragile;
+        const pFields = { ship_regions: newShipRegions, handling_hours: newHandling, estimated_days: newEstDays, return_days: newReturnDays, return_condition: newReturnCond, warranty_days: newWarranty };
+        const newStock = stock != null ? Number(stock) : product.stock;
+        const oldStock = Number(product.stock || 0);
+        // 库存预警 / 自动下架配置（默认沿用旧值）
+        const newLowThreshold = low_stock_threshold != null
+            ? Math.max(0, Math.floor(Number(low_stock_threshold) || 0))
+            : (product.low_stock_threshold ?? 3);
+        const newAutoDelist = auto_delist_on_zero != null
+            ? (auto_delist_on_zero ? 1 : 0)
+            : (product.auto_delist_on_zero ?? 1);
+        // 库存回归到阈值之上 → 清零 alert 时间戳，让下次下穿能再发
+        const resetAlert = Number(newStock) > Number(newLowThreshold) ? 1 : 0;
+        // S4 商品溯源：origin_claims 必须是 object（可空），最大 4KB
+        let newOriginClaims = product.origin_claims;
+        if (origin_claims !== undefined) {
+            if (origin_claims === null || (typeof origin_claims === 'object' && Object.keys(origin_claims).length === 0)) {
+                newOriginClaims = null;
+            }
+            else if (typeof origin_claims === 'object') {
+                const json = JSON.stringify(origin_claims);
+                if (json.length > 4096)
+                    return void res.status(400).json({ error: 'origin_claims 超 4KB' });
+                // certs sha256 格式校验
+                const certs = origin_claims.certs;
+                if (Array.isArray(certs)) {
+                    for (const c of certs) {
+                        if (c && typeof c === 'object' && c.sha256) {
+                            const s = String(c.sha256);
+                            if (!/^[0-9a-f]{64}$/i.test(s))
+                                return void res.status(400).json({ error: '证书 sha256 必须是 64 位 hex' });
+                        }
+                    }
+                }
+                newOriginClaims = json;
+            }
+        }
+        // S3 i18n：zh 默认在 title/description；i18n_titles/descs 存 en/ja/ko 等
+        const SUPPORTED_LANGS = new Set(['en', 'ja', 'ko', 'fr', 'de', 'es', 'pt', 'ru', 'ar']);
+        const validateI18n = (raw) => {
+            if (raw === undefined)
+                return undefined; // 不更新
+            if (raw === null)
+                return null;
+            if (typeof raw !== 'object')
+                return undefined;
+            const obj = raw;
+            const out = {};
+            for (const [k, v] of Object.entries(obj)) {
+                if (!SUPPORTED_LANGS.has(k))
+                    continue;
+                if (typeof v !== 'string' || v.length === 0)
+                    continue;
+                out[k] = v.slice(0, 500);
+            }
+            return Object.keys(out).length > 0 ? JSON.stringify(out) : null;
+        };
+        const titlesResult = validateI18n(i18n_titles);
+        const descsResult = validateI18n(i18n_descs);
+        const newI18nTitles = titlesResult === undefined ? product.i18n_titles : titlesResult;
+        const newI18nDescs = descsResult === undefined ? product.i18n_descs : descsResult;
+        db.prepare(`UPDATE products SET
+      title=?, description=?, price=?, stock=?,
+      specs=?, brand=?, model=?, handling_hours=?, ship_regions=?,
+      estimated_days=?, fragile=?, return_days=?, return_condition=?, warranty_days=?,
+      low_stock_threshold=?, auto_delist_on_zero=?,
+      low_stock_alerted_at = CASE WHEN ?=1 THEN NULL ELSE low_stock_alerted_at END,
+      origin_claims=?,
+      i18n_titles=?, i18n_descs=?,
+      commitment_hash=?, description_hash=?, price_hash=?, hashed_at=?,
+      updated_at=datetime('now')
+      WHERE id=?`).run(newTitle, newDesc, newPrice, newStock, specsJson, brand ?? product.brand, model ?? product.model, newHandling, newShipRegions, newEstDays, newFragile, newReturnDays, newReturnCond, newWarranty, newLowThreshold, newAutoDelist, resetAlert, newOriginClaims, newI18nTitles, newI18nDescs, makeCommitmentHash(pFields), makeDescriptionHash({ title: newTitle, description: newDesc, specs: specsJson }), makePriceHash(newPrice, now), now, req.params.id);
+        // Wave B-2: stock 从 0 → 正数时通知 waitlist 用户
+        if (oldStock === 0 && Number(newStock) > 0) {
+            try {
+                notifyWaitlist(String(req.params.id), String(newTitle));
+            }
+            catch (e) {
+                console.error('[waitlist notify]', e);
+            }
+        }
+        // 卖家手动减库存到 ≤ 阈值时也触发检查
+        if (Number(newStock) < oldStock) {
+            try {
+                checkStockAndMaybeDelist(String(req.params.id));
+            }
+            catch (e) {
+                console.error('[stock-check]', e);
+            }
+        }
+        // 2026-05-24 价格下降 → 通知 wishlist 中开启 notify_price_drop 的用户
+        const oldPrice = Number(product.price);
+        if (newPrice < oldPrice) {
+            try {
+                notifyWishlistPriceDrop(String(req.params.id), String(newTitle), oldPrice, newPrice);
+            }
+            catch (e) {
+                console.error('[wishlist price-drop notify]', e);
+            }
+        }
+        res.json({ success: true });
+    });
+}

package/dist/pwa/routes/profile-credentials.js

@@ -0,0 +1,105 @@
+const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+export function registerProfileCredentialsRoutes(app, deps) {
+    const { db, auth, verifyPassword, hashPassword, issueCode, findActiveCode, IS_DEV, MAX_CODE_ATTEMPTS } = deps;
+    // 设置 / 修改密码
+    app.post('/api/profile/set-password', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { old_password, new_password } = req.body;
+        if (!new_password || String(new_password).length < 8)
+            return void res.json({ error: '新密码至少 8 字符' });
+        if (String(new_password).length > 200)
+            return void res.json({ error: '密码过长（>200 字符）' });
+        if (user.password_hash) {
+            if (!old_password)
+                return void res.json({ error: '请提供原密码' });
+            if (!verifyPassword(String(old_password), user.password_hash)) {
+                return void res.json({ error: '原密码错误' });
+            }
+        }
+        const hash = hashPassword(String(new_password));
+        db.prepare("UPDATE users SET password_hash = ?, failed_attempts = 0, locked_until = NULL, updated_at = datetime('now') WHERE id = ?")
+            .run(hash, user.id);
+        res.json({ success: true });
+    });
+    // 验证密码（显示 API Key 前的二次确认）
+    app.post('/api/profile/verify-password', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (!user.password_hash)
+            return void res.json({ ok: false, no_password: true, error: '未设置密码' });
+        const { password } = req.body;
+        if (!password)
+            return void res.json({ ok: false, error: '请输入密码' });
+        if (!verifyPassword(String(password), user.password_hash)) {
+            return void res.json({ ok: false, error: '密码错误' });
+        }
+        res.json({ ok: true });
+    });
+    // 移除密码（恢复只用 API Key 模式）
+    app.post('/api/profile/remove-password', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { current_password } = req.body;
+        if (!user.password_hash)
+            return void res.json({ error: '当前未设置密码' });
+        if (!current_password || !verifyPassword(String(current_password), user.password_hash)) {
+            return void res.json({ error: '密码错误' });
+        }
+        db.prepare("UPDATE users SET password_hash = NULL, updated_at = datetime('now') WHERE id = ?")
+            .run(user.id);
+        res.json({ success: true });
+    });
+    // 绑定邮箱 — 步骤 1：发码
+    app.post('/api/profile/bind-email', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { email } = req.body;
+        if (!email?.trim() || !EMAIL_RE.test(email.trim()))
+            return void res.json({ error: '邮箱格式无效' });
+        const target = email.trim().toLowerCase();
+        const dup = db.prepare("SELECT 1 FROM users WHERE email = ? AND id != ? LIMIT 1").get(target, user.id);
+        if (dup)
+            return void res.json({ error: '该邮箱已被其他账户绑定' });
+        const { expires_at, code } = issueCode(user.id, 'email', target, 'bind_email');
+        res.json({
+            success: true,
+            target_hint: target.replace(/^(.).*(@.*)$/, '$1***$2'),
+            expires_at,
+            ...(IS_DEV ? { dev_code: code } : {}),
+        });
+    });
+    // 绑定邮箱 — 步骤 2：确认验证码
+    app.post('/api/profile/confirm-email', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { email, code } = req.body;
+        if (!email?.trim() || !code?.trim())
+            return void res.json({ error: '请填写邮箱和验证码' });
+        const target = email.trim().toLowerCase();
+        const row = findActiveCode('email', target, 'bind_email');
+        if (!row)
+            return void res.json({ error: '验证码已过期或未发送，请重新获取' });
+        if (row.user_id !== user.id)
+            return void res.json({ error: '此验证码不属于当前账号' });
+        if (String(row.code) !== code.trim()) {
+            const attempts = row.attempts + 1;
+            if (attempts >= MAX_CODE_ATTEMPTS) {
+                db.prepare("UPDATE verification_codes SET attempts = ?, used_at = datetime('now') WHERE id = ?")
+                    .run(attempts, row.id);
+                return void res.json({ error: '错误次数过多，验证码已作废，请重新获取' });
+            }
+            db.prepare("UPDATE verification_codes SET attempts = ? WHERE id = ?").run(attempts, row.id);
+            return void res.json({ error: `验证码错误（剩余 ${MAX_CODE_ATTEMPTS - attempts} 次）` });
+        }
+        db.prepare("UPDATE verification_codes SET used_at = datetime('now') WHERE id = ?").run(row.id);
+        db.prepare("UPDATE users SET email = ?, email_verified = 1, updated_at = datetime('now') WHERE id = ?")
+            .run(target, user.id);
+        res.json({ success: true, email: target });
+    });
+}

package/dist/pwa/routes/profile-identity.js

@@ -0,0 +1,174 @@
+const ROLE_LOCKED_ROLES = ['admin', 'verifier'];
+const VALID_REGIONS = new Set(['china', 'us', 'eu', 'india', 'singapore', 'global_north', 'global']);
+const HANDLE_BASE_COOLDOWN_MONTHS = 12;
+export function registerProfileIdentityRoutes(app, deps) {
+    const { db, generateId, auth, safeRoles } = deps;
+    app.post('/api/profile/add-role', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { role } = req.body;
+        const SELF_SERVE_ROLES = ['buyer', 'seller'];
+        const currentRoles = safeRoles(user);
+        if (currentRoles.some(r => ROLE_LOCKED_ROLES.includes(r))) {
+            return void res.json({
+                error: '受信角色（admin / verifier）不能自助添加其他角色',
+                hint: '权责分离原则：管理员 / 审核员需保持纯净身份，避免利益冲突。如需切换身份，请用其他账号注册。'
+            });
+        }
+        if (!SELF_SERVE_ROLES.includes(role)) {
+            return void res.json({
+                error: '该角色不能自助添加',
+                hint: role === 'verifier' ? '请到「申请审核员」页面提交申请'
+                    : role === 'admin' ? '管理员角色仅可由现有管理员授予'
+                        : '请联系管理员申请此角色（logistics / arbitrator）'
+            });
+        }
+        // P2: 事务内 re-read + write 防并发丢失更新
+        let finalRoles = [];
+        let alreadyHas = false;
+        try {
+            db.transaction(() => {
+                const fresh = db.prepare('SELECT roles FROM users WHERE id = ?').get(user.id);
+                const list = safeRoles({ roles: fresh?.roles });
+                if (list.includes(role)) {
+                    alreadyHas = true;
+                    finalRoles = list;
+                    return;
+                }
+                list.push(role);
+                db.prepare("UPDATE users SET roles = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(list), user.id);
+                finalRoles = list;
+            })();
+        }
+        catch (e) {
+            return void res.status(500).json({ error: '更新角色失败', detail: e.message });
+        }
+        if (alreadyHas)
+            return void res.json({ error: '已拥有该角色' });
+        res.json({ success: true, roles: finalRoles });
+    });
+    app.post('/api/profile/switch-role', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { role } = req.body;
+        const roles = safeRoles(user);
+        if (!roles.includes(role))
+            return void res.json({ error: '你还没有该角色，请先添加' });
+        // 防御：已是 admin/verifier 的用户不能切到 buyer/seller（防遗留多角色账户绕过）
+        if (roles.some(r => ROLE_LOCKED_ROLES.includes(r)) && !ROLE_LOCKED_ROLES.includes(role)) {
+            return void res.json({
+                error: '受信角色不能切换为 buyer / seller',
+                hint: '权责分离原则；如需买卖请用其他账号。'
+            });
+        }
+        db.prepare("UPDATE users SET role = ?, updated_at = datetime('now') WHERE id = ?").run(role, user.id);
+        res.json({ success: true, role, roles });
+    });
+    app.post('/api/profile/region', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const region = String(req.body?.region || '').trim();
+        if (!VALID_REGIONS.has(region)) {
+            return void res.json({ error: 'region 必须是 china / us / eu / india / singapore / global_north / global 之一' });
+        }
+        const fromRegion = user.region ?? null;
+        if (fromRegion === region) {
+            return void res.json({ success: true, region, unchanged: true });
+        }
+        // 30 天冷却（防规避 MLM 合规 + 历史 commission 已按当时 region 快照结算）
+        const lastChange = db.prepare(`SELECT created_at FROM region_change_log WHERE user_id = ? ORDER BY created_at DESC LIMIT 1`).get(user.id);
+        if (lastChange) {
+            const sinceMs = Date.now() - new Date(lastChange.created_at + 'Z').getTime();
+            const COOLDOWN_MS = 30 * 24 * 3600 * 1000;
+            if (sinceMs < COOLDOWN_MS) {
+                const remainDays = Math.ceil((COOLDOWN_MS - sinceMs) / (24 * 3600_000));
+                return void res.status(429).json({
+                    error: `region 切换 30 天仅 1 次，请 ${remainDays} 天后再试（防止规避 MLM 合规限制）`,
+                    retry_after_days: remainDays,
+                });
+            }
+        }
+        db.prepare("UPDATE users SET region = ?, updated_at = datetime('now') WHERE id = ?").run(region, user.id);
+        const ip = req.ip || '';
+        db.prepare(`INSERT INTO region_change_log (id, user_id, from_region, to_region, ip) VALUES (?,?,?,?,?)`)
+            .run(generateId('rcl'), user.id, fromRegion, region, ip || null);
+        res.json({ success: true, region });
+    });
+    app.post('/api/profile/change-name', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { name } = req.body;
+        if (!name?.trim())
+            return void res.json({ error: '请填写新昵称' });
+        const trimmed = name.trim();
+        if (trimmed.length < 1 || trimmed.length > 40)
+            return void res.json({ error: '昵称长度需在 1–40 个字符之间' });
+        if (trimmed === user.name)
+            return void res.json({ error: '新昵称与当前相同' });
+        // 昵称可重复（唯一标识由 handle / permanent_code 承担）
+        db.prepare("UPDATE users SET name = ?, updated_at = datetime('now') WHERE id = ?").run(trimmed, user.id);
+        res.json({ success: true, name: trimmed });
+    });
+    // 改 handle：累进式冷却 — 第 N 次改需距上次 N × 12 月
+    app.post('/api/profile/change-handle', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const raw = String(req.body?.handle ?? '').trim().replace(/^@/, '').toLowerCase();
+        if (!raw)
+            return void res.json({ error: '请填写新用户名' });
+        if (!/^[a-z0-9._]+$/.test(raw))
+            return void res.json({ error: '只能用小写字母 / 数字 / . _' });
+        if (raw.length < 3 || raw.length > 20)
+            return void res.json({ error: '用户名长度需在 3–20 个字符之间' });
+        if (/^[._]|[._]$/.test(raw))
+            return void res.json({ error: '开头/结尾不能是 . 或 _' });
+        if (/^(usr|sys|admin|webaz|anonymous|null)/i.test(raw))
+            return void res.json({ error: '该前缀被系统保留' });
+        if (raw === user.handle)
+            return void res.json({ error: '新用户名与当前相同' });
+        // 累进冷却
+        let log = [];
+        try {
+            log = JSON.parse(user.handle_change_log || '[]');
+        }
+        catch { }
+        const N = log.length; // 已发生的改名次数
+        if (N > 0) {
+            const lastChange = log[log.length - 1];
+            const lastMs = new Date(lastChange.at.replace(' ', 'T') + (lastChange.at.includes('Z') ? '' : 'Z')).getTime();
+            const requiredMonths = N * HANDLE_BASE_COOLDOWN_MONTHS;
+            const requiredMs = requiredMonths * 30 * 86400_000;
+            if (Date.now() - lastMs < requiredMs) {
+                const remainMs = requiredMs - (Date.now() - lastMs);
+                const remainMonths = Math.ceil(remainMs / (30 * 86400_000));
+                return void res.json({
+                    error: `第 ${N + 1} 次改名需距上次至少 ${requiredMonths} 个月，还差约 ${remainMonths} 个月`,
+                    change_count: N,
+                    required_months_for_next: requiredMonths,
+                    remain_months: remainMonths,
+                });
+            }
+        }
+        // 唯一性
+        const dup = db.prepare("SELECT 1 FROM users WHERE handle = ? AND id != ?").get(raw, user.id);
+        if (dup)
+            return void res.json({ error: '该用户名已被占用' });
+        log.push({ at: new Date().toISOString().slice(0, 19).replace('T', ' '), from: String(user.handle || '') });
+        // 全量保留 — 累进式冷却需要完整历史
+        db.prepare(`UPDATE users SET handle = ?, handle_last_created_at = datetime('now'), handle_change_log = ?, updated_at = datetime('now') WHERE id = ?`)
+            .run(raw, JSON.stringify(log), user.id);
+        const nextRequiredMonths = (N + 1) * HANDLE_BASE_COOLDOWN_MONTHS;
+        res.json({
+            success: true,
+            handle: raw,
+            change_count: N + 1,
+            next_change_required_months: nextRequiredMonths,
+            hint: `下次改名需距本次至少 ${nextRequiredMonths} 个月`,
+        });
+    });
+}

package/dist/pwa/routes/profile-location.js

@@ -0,0 +1,35 @@
+function quantizeCoord(value, precision_deg) {
+    // 例：precision=0.1 → factor=10；precision=0.05 → factor=20
+    const factor = 1 / precision_deg;
+    return Math.round(value * factor) / factor;
+}
+export function registerProfileLocationRoutes(app, deps) {
+    const { db, auth, getNearbyCellPrecision } = deps;
+    app.post('/api/profile/set-location', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const rawLat = Number(req.body?.lat);
+        const rawLng = Number(req.body?.lng);
+        if (!Number.isFinite(rawLat) || !Number.isFinite(rawLng)) {
+            return void res.json({ error: 'lat/lng 必须为有效数字' });
+        }
+        if (rawLat < -90 || rawLat > 90 || rawLng < -180 || rawLng > 180) {
+            return void res.json({ error: 'lat/lng 超出地理范围' });
+        }
+        const { precision_deg, approx_km } = getNearbyCellPrecision();
+        // 服务端截断（防客户端传精确坐标）
+        const lat = quantizeCoord(rawLat, precision_deg);
+        const lng = quantizeCoord(rawLng, precision_deg);
+        db.prepare("UPDATE users SET geo_lat = ?, geo_lng = ?, geo_updated_at = datetime('now'), updated_at = datetime('now') WHERE id = ?")
+            .run(lat, lng, user.id);
+        res.json({ ok: true, lat, lng, precision_deg, approx_km });
+    });
+    app.post('/api/profile/clear-location', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        db.prepare("UPDATE users SET geo_lat = NULL, geo_lng = NULL, geo_updated_at = NULL WHERE id = ?").run(user.id);
+        res.json({ ok: true });
+    });
+}

package/dist/pwa/routes/profile-placement.js

@@ -0,0 +1,70 @@
+export function registerProfilePlacementRoutes(app, deps) {
+    const { db, auth, internalAuditorId, resolveUserRef, pickPreferredSide, joinPowerLeg } = deps;
+    app.get('/api/profile/placement-status', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const u = db.prepare("SELECT placement_id, placement_side, left_child_id, right_child_id, placement_pref FROM users WHERE id = ?").get(user.id);
+        const hasPlacement = !!u?.placement_id;
+        const hasDownline = !!u?.left_child_id || !!u?.right_child_id;
+        res.json({
+            has_placement: hasPlacement,
+            has_downline: hasDownline,
+            can_bind: !hasPlacement && !hasDownline,
+            placement_pref: u?.placement_pref || 'team_count',
+            placement_id: u?.placement_id,
+            placement_side: u?.placement_side,
+        });
+    });
+    app.post('/api/profile/bind-placement', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { inviter_id, side } = req.body;
+        if (!inviter_id || typeof inviter_id !== 'string')
+            return void res.json({ error: '请提供 inviter_id' });
+        // 多形态识别：usr_xxx / VKSF9P / @handle
+        const resolvedInviterId = resolveUserRef(inviter_id);
+        if (!resolvedInviterId)
+            return void res.json({ error: 'inviter 不存在' });
+        if (resolvedInviterId === user.id)
+            return void res.json({ error: '不能挂靠到自己' });
+        const u = db.prepare("SELECT placement_id, left_child_id, right_child_id FROM users WHERE id = ?").get(user.id);
+        if (u?.placement_id)
+            return void res.json({ error: '你已在双轨树中（永久第一触点，不可改）' });
+        if (u?.left_child_id || u?.right_child_id)
+            return void res.json({ error: '你已有下线，不可补绑（防破坏树结构）' });
+        const inviter = db.prepare("SELECT id, placement_path FROM users WHERE id = ? AND id NOT IN ('sys_protocol', ?)")
+            .get(resolvedInviterId, internalAuditorId);
+        if (!inviter)
+            return void res.json({ error: 'inviter 不存在' });
+        // 环路检查：inviter 的 placement_path 不能含自己
+        if ((inviter.placement_path || '').split('>').includes(user.id)) {
+            return void res.json({ error: '检测到环路（你已是 inviter 的上线）' });
+        }
+        // 选边：用户提供 side / 否则用 inviter.placement_pref 自动选
+        const chosenSide = (side === 'left' || side === 'right')
+            ? side
+            : pickPreferredSide(inviter.id);
+        try {
+            const placed = joinPowerLeg(inviter.id, chosenSide, user.id);
+            res.json({ success: true, inviter_id: inviter.id, side: chosenSide, depth: placed.depth });
+        }
+        catch (e) {
+            res.json({ error: `挂靠失败: ${e.message}` });
+        }
+    });
+    app.post('/api/profile/placement-pref', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { pref } = req.body;
+        if (!['team_count', 'pv_count', 'left', 'right'].includes(pref)) {
+            return void res.json({ error: 'pref 必须是 team_count / pv_count' });
+        }
+        // legacy left/right 已不再支持长期强偏，无声折算为 team_count（agent 兼容期保护）
+        const stored = (pref === 'left' || pref === 'right') ? 'team_count' : pref;
+        db.prepare("UPDATE users SET placement_pref = ?, updated_at = datetime('now') WHERE id = ?").run(stored, user.id);
+        res.json({ success: true, placement_pref: stored, coerced: stored !== pref ? `${pref} → ${stored}（已统一为长期默认偏好；要单次强偏请使用左/右码）` : undefined });
+    });
+}

package/dist/pwa/routes/profile-prefs.js

@@ -0,0 +1,93 @@
+export function registerProfilePrefsRoutes(app, deps) {
+    const { db, auth } = deps;
+    // 默认地址（结构化 + 兼容旧 text/region）
+    app.post('/api/profile/default-address', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const body = req.body || {};
+        // 兼容旧 API
+        if (body.text !== undefined || body.region !== undefined) {
+            const text = (body.text || '').toString().trim().slice(0, 200);
+            const region = (body.region || '').toString().trim().slice(0, 40);
+            db.prepare("UPDATE users SET default_address_text = ?, default_address_region = ?, updated_at = datetime('now') WHERE id = ?")
+                .run(text || null, region || null, user.id);
+            return void res.json({ ok: true, text: text || null, region: region || null });
+        }
+        // 结构化模式
+        const line1 = (body.line1 || '').toString().trim().slice(0, 100);
+        const line2 = (body.line2 || '').toString().trim().slice(0, 100);
+        const country = (body.country || '').toString().trim().slice(0, 40);
+        const state = (body.state || '').toString().trim().slice(0, 40);
+        const city = (body.city || '').toString().trim().slice(0, 40);
+        const recipient = (body.recipient_name || '').toString().trim().slice(0, 40);
+        const phone1 = (body.phone1 || '').toString().trim().slice(0, 30);
+        const phone2 = (body.phone2 || '').toString().trim().slice(0, 30);
+        const postal = (body.postal_code || '').toString().trim().slice(0, 20);
+        const missing = [];
+        if (!line1)
+            missing.push('地址行 1');
+        if (!country)
+            missing.push('国家/地区');
+        if (!state)
+            missing.push('省/州');
+        if (!city)
+            missing.push('城市');
+        if (!recipient)
+            missing.push('收件人姓名');
+        if (!phone1)
+            missing.push('主要联系方式');
+        if (missing.length > 0) {
+            return void res.json({ error: '以下必填项缺失：' + missing.join('、') });
+        }
+        const structured = { line1, line2, country, state, city, recipient_name: recipient, phone1, phone2, postal_code: postal };
+        const text = [recipient, `${country} ${state} ${city}`.trim(), line1, line2, postal, phone1].filter(Boolean).join(' / ').slice(0, 200);
+        db.prepare("UPDATE users SET default_address_text = ?, default_address_region = ?, default_address_json = ?, updated_at = datetime('now') WHERE id = ?")
+            .run(text || null, state || null, JSON.stringify(structured), user.id);
+        res.json({ ok: true, address: structured, derived_text: text, derived_region: state });
+    });
+    // 隐私开关（旧 API，向后兼容；新代码用 PATCH /api/profile）
+    app.patch('/api/profile/feed-visible', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const v = req.body?.visible ? 1 : 0;
+        db.prepare("UPDATE users SET feed_visible = ?, updated_at = datetime('now') WHERE id = ?").run(v, user.id);
+        res.json({ ok: true, feed_visible: v });
+    });
+    // 通用 profile patch（search_anchor / bio / feed_visible）
+    app.patch('/api/profile', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const updates = [];
+        const values = [];
+        if ('search_anchor' in (req.body || {})) {
+            const raw = (req.body.search_anchor || '').toString().trim();
+            if (raw.length > 40)
+                return void res.json({ error: 'search_anchor 不能超过 40 字符' });
+            if (raw && !/^[\w一-龥\-_\.]+$/.test(raw))
+                return void res.json({ error: 'search_anchor 仅允许字母/数字/汉字/-_.' });
+            updates.push('search_anchor = ?');
+            values.push(raw || null);
+        }
+        if ('bio' in (req.body || {})) {
+            const raw = (req.body.bio || '').toString().trim();
+            if (raw.length > 120)
+                return void res.json({ error: 'bio 不能超过 120 字符' });
+            updates.push('bio = ?');
+            values.push(raw || null);
+        }
+        if ('feed_visible' in (req.body || {})) {
+            updates.push('feed_visible = ?');
+            values.push(req.body.feed_visible ? 1 : 0);
+        }
+        if (updates.length === 0)
+            return void res.json({ error: '没有可更新的字段' });
+        updates.push(`updated_at = datetime('now')`);
+        values.push(user.id);
+        db.prepare(`UPDATE users SET ${updates.join(', ')} WHERE id = ?`).run(...values);
+        const u = db.prepare("SELECT search_anchor, bio, feed_visible FROM users WHERE id = ?").get(user.id);
+        res.json({ ok: true, search_anchor: u.search_anchor, bio: u.bio, feed_visible: Number(u.feed_visible ?? 1) });
+    });
+}