@seasonkoh/webaz 0.1.7 → 0.1.9

package/dist/pwa/routes/secondhand.js

@@ -0,0 +1,278 @@
+import { transition } from '../../layer0-foundation/L0-2-state-machine/engine.js';
+import { notifyTransition } from '../../layer2-business/L2-6-notifications/notification-engine.js';
+const SH_CATEGORIES = new Set(['phone', 'computer', 'appliance', 'furniture', 'clothing', 'book', 'toy', 'sports', 'other']);
+const SH_CONDITIONS = new Set(['brand_new', 'like_new', 'lightly_used', 'well_used', 'heavily_used']);
+const SH_FULFILLMENT = new Set(['shipping', 'in_person', 'both']);
+const SH_STATUS_USER_SET = new Set(['available', 'reserved', 'closed']); // 'sold' 由系统在 settleOrder 设
+function addHours(date, hours) {
+    return new Date(date.getTime() + hours * 3_600_000).toISOString();
+}
+export function registerSecondhandRoutes(app, deps) {
+    const { db, generateId, auth, errorRes } = deps;
+    // 1. 发布
+    app.post('/api/secondhand', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { title, description, category, condition_grade, price, negotiable, images, region, fulfillment } = req.body || {};
+        const t = String(title || '').trim();
+        if (t.length < 2 || t.length > 60)
+            return void res.status(400).json({ error: '标题需 2-60 字' });
+        if (!SH_CATEGORIES.has(category))
+            return void res.status(400).json({ error: '类目无效' });
+        if (!SH_CONDITIONS.has(condition_grade))
+            return void res.status(400).json({ error: '成色无效' });
+        const p = Number(price);
+        if (!Number.isFinite(p) || p <= 0 || p > 100000)
+            return void res.status(400).json({ error: '价格须 0-100000 WAZ' });
+        const desc = description ? String(description).trim().slice(0, 1000) : null;
+        const imgs = Array.isArray(images) ? images.filter((x) => typeof x === 'string' && x.length < 800_000).slice(0, 9) : [];
+        if (imgs.length === 0)
+            return void res.status(400).json({ error: '至少上传 1 张图片' });
+        const ff = SH_FULFILLMENT.has(fulfillment) ? fulfillment : 'both';
+        const reg = region ? String(region).trim().slice(0, 40) : null;
+        const id = generateId('shi');
+        db.prepare(`INSERT INTO secondhand_items (id, seller_id, title, description, category, condition_grade, price, negotiable, images, region, fulfillment)
+                VALUES (?,?,?,?,?,?,?,?,?,?,?)`).run(id, user.id, t, desc, category, condition_grade, p, negotiable ? 1 : 0, JSON.stringify(imgs), reg, ff);
+        res.json({ success: true, id });
+    });
+    // 2. 列表（市场入口）
+    app.get('/api/secondhand', (req, res) => {
+        const category = String(req.query.category || '').trim();
+        const conditionList = String(req.query.condition || '').split(',').map(s => s.trim()).filter(s => SH_CONDITIONS.has(s));
+        const region = String(req.query.region || '').trim();
+        const minP = Number(req.query.min_price) || 0;
+        const maxP = Number(req.query.max_price) || Infinity;
+        const q = String(req.query.q || '').trim().toLowerCase();
+        const limit = Math.min(Math.max(Number(req.query.limit) || 60, 1), 100);
+        const sort = String(req.query.sort || 'newest');
+        const orderBy = sort === 'price_asc' ? 'si.price ASC' : sort === 'price_desc' ? 'si.price DESC' : sort === 'popular' ? 'si.view_count DESC, si.created_at DESC' : 'si.created_at DESC';
+        const where = [`status = 'available'`];
+        const args = [];
+        if (SH_CATEGORIES.has(category)) {
+            where.push('category = ?');
+            args.push(category);
+        }
+        if (conditionList.length > 0) {
+            where.push(`condition_grade IN (${conditionList.map(() => '?').join(',')})`);
+            args.push(...conditionList);
+        }
+        if (region) {
+            where.push('region = ?');
+            args.push(region);
+        }
+        if (minP > 0) {
+            where.push('price >= ?');
+            args.push(minP);
+        }
+        if (Number.isFinite(maxP)) {
+            where.push('price <= ?');
+            args.push(maxP);
+        }
+        if (q) {
+            where.push('LOWER(title) LIKE ?');
+            args.push('%' + q + '%');
+        }
+        // 排除自己（如登录）
+        const me = (req.headers.authorization || '').replace('Bearer ', '');
+        if (me) {
+            const u = db.prepare("SELECT id FROM users WHERE api_key = ?").get(me);
+            if (u) {
+                where.push('seller_id != ?');
+                args.push(u.id);
+            }
+        }
+        const rows = db.prepare(`SELECT si.id, si.seller_id, si.title, si.category, si.condition_grade, si.price, si.negotiable,
+      si.region, si.fulfillment, si.images, si.view_count, si.created_at,
+      u.name as seller_name, u.handle as seller_handle
+      FROM secondhand_items si JOIN users u ON u.id = si.seller_id
+      WHERE ${where.join(' AND ')}
+      ORDER BY ${orderBy} LIMIT ${limit}`).all(...args);
+        for (const r of rows) {
+            try {
+                const arr = JSON.parse(r.images);
+                r.cover = arr[0] || null;
+            }
+            catch {
+                r.cover = null;
+            }
+            delete r.images;
+        }
+        res.json({ items: rows });
+    });
+    // 3. 我的二手发布
+    app.get('/api/secondhand/mine', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const rows = db.prepare(`SELECT id, title, category, condition_grade, price, negotiable, status,
+      region, fulfillment, images, view_count, created_at, sold_at, sold_order_id
+      FROM secondhand_items WHERE seller_id = ? ORDER BY created_at DESC LIMIT 100`).all(user.id);
+        for (const r of rows) {
+            try {
+                const arr = JSON.parse(r.images);
+                r.cover = arr[0] || null;
+            }
+            catch {
+                r.cover = null;
+            }
+            delete r.images;
+        }
+        const stats = db.prepare(`SELECT
+      SUM(CASE WHEN status='available' THEN 1 ELSE 0 END) as available_count,
+      SUM(CASE WHEN status='reserved' THEN 1 ELSE 0 END) as reserved_count,
+      SUM(CASE WHEN status='sold' THEN 1 ELSE 0 END) as sold_count,
+      SUM(CASE WHEN status='closed' THEN 1 ELSE 0 END) as closed_count,
+      COALESCE(SUM(CASE WHEN status='sold' THEN price ELSE 0 END), 0) as gross_sold_amount
+      FROM secondhand_items WHERE seller_id = ?`).get(user.id);
+        // 估算净收入（扣 1% 协议 + 1% 基金）
+        stats.estimated_earned = Math.round((stats.gross_sold_amount || 0) * 0.98 * 100) / 100;
+        res.json({ items: rows, stats });
+    });
+    // 4. 详情（view_count++）+ 同卖家其他在售
+    app.get('/api/secondhand/:id', (req, res) => {
+        const row = db.prepare(`SELECT si.*, u.name as seller_name, u.handle as seller_handle, u.permanent_code as seller_code
+      FROM secondhand_items si JOIN users u ON u.id = si.seller_id WHERE si.id = ?`).get(req.params.id);
+        if (!row)
+            return void res.status(404).json({ error: '物品不存在' });
+        db.prepare('UPDATE secondhand_items SET view_count = view_count + 1 WHERE id = ?').run(req.params.id);
+        try {
+            row.images = JSON.parse(row.images);
+        }
+        catch {
+            row.images = [];
+        }
+        const sellerOthers = db.prepare(`SELECT id, title, category, condition_grade, price, images, region
+      FROM secondhand_items WHERE seller_id = ? AND status='available' AND id != ?
+      ORDER BY created_at DESC LIMIT 6`).all(row.seller_id, req.params.id);
+        for (const o of sellerOthers) {
+            try {
+                const arr = JSON.parse(o.images);
+                o.cover = arr[0] || null;
+            }
+            catch {
+                o.cover = null;
+            }
+            delete o.images;
+        }
+        res.json({ item: row, seller_others: sellerOthers });
+    });
+    // 5. 编辑（仅 owner；可改 price / description / negotiable / status / fulfillment）
+    app.patch('/api/secondhand/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const item = db.prepare('SELECT * FROM secondhand_items WHERE id = ?').get(req.params.id);
+        if (!item)
+            return void res.status(404).json({ error: '物品不存在' });
+        if (item.seller_id !== user.id)
+            return void res.status(403).json({ error: '仅发布者可编辑' });
+        if (item.status === 'sold')
+            return void res.status(400).json({ error: '已售出，不可编辑' });
+        const sets = [];
+        const args = [];
+        const { price, description, negotiable, status, fulfillment } = req.body || {};
+        if (price !== undefined) {
+            const p = Number(price);
+            if (!Number.isFinite(p) || p <= 0 || p > 100000)
+                return void res.status(400).json({ error: '价格无效' });
+            sets.push('price = ?');
+            args.push(p);
+        }
+        if (description !== undefined) {
+            sets.push('description = ?');
+            args.push(String(description).slice(0, 1000));
+        }
+        if (negotiable !== undefined) {
+            sets.push('negotiable = ?');
+            args.push(negotiable ? 1 : 0);
+        }
+        if (status !== undefined) {
+            if (!SH_STATUS_USER_SET.has(status))
+                return void res.status(400).json({ error: '状态无效（仅 available / reserved / closed 可手动设置）' });
+            if (item.status === 'reserved' && status === 'available') {
+                return void res.status(400).json({ error: 'reserved 状态由系统管理，请等待买家完成支付' });
+            }
+            // Sprint 5: claim_loss_count >= 3 的 closed 物品不可自助 re-open
+            if (status === 'available' && (Number(item.claim_loss_count) || 0) >= 3) {
+                return void errorRes(res, 403, 'CLAIM_THRESHOLD_REACHED', `该物品累计 ${item.claim_loss_count} 次声明被验证不实，已达自动下架阈值。需 admin 干预方可重新上架。`);
+            }
+            sets.push('status = ?');
+            args.push(status);
+        }
+        if (fulfillment !== undefined) {
+            if (!SH_FULFILLMENT.has(fulfillment))
+                return void res.status(400).json({ error: '履约方式无效' });
+            sets.push('fulfillment = ?');
+            args.push(fulfillment);
+        }
+        if (sets.length === 0)
+            return void res.status(400).json({ error: '无字段更新' });
+        sets.push("updated_at = datetime('now')");
+        args.push(req.params.id);
+        db.prepare(`UPDATE secondhand_items SET ${sets.join(', ')} WHERE id = ?`).run(...args);
+        res.json({ success: true });
+    });
+    // 6. 下单（CAS 锁库存）
+    app.post('/api/secondhand/:id/order', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { shipping_address, notes, fulfillment_mode } = req.body || {};
+        const item = db.prepare('SELECT * FROM secondhand_items WHERE id = ?').get(req.params.id);
+        if (!item)
+            return void res.status(404).json({ error: '物品不存在' });
+        if (item.status !== 'available')
+            return void res.status(409).json({ error: `物品状态：${item.status}，不可购买` });
+        if (item.seller_id === user.id)
+            return void res.status(403).json({ error: '不可购买自己的物品' });
+        const mode = String(fulfillment_mode || 'shipping');
+        if (mode !== 'shipping' && mode !== 'in_person')
+            return void res.status(400).json({ error: 'fulfillment_mode 必须为 shipping / in_person' });
+        if (item.fulfillment === 'shipping' && mode === 'in_person')
+            return void res.status(400).json({ error: '该物品仅支持快递' });
+        if (item.fulfillment === 'in_person' && mode === 'shipping')
+            return void res.status(400).json({ error: '该物品仅支持面交' });
+        if (mode === 'shipping' && !shipping_address)
+            return void res.status(400).json({ error: '快递必须填收货地址' });
+        const total = item.price;
+        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        if (wallet.balance < total)
+            return void res.status(400).json({ error: `余额不足：需 ${total} WAZ，当前 ${wallet.balance}` });
+        // CAS 抢占
+        const claim = db.prepare(`UPDATE secondhand_items SET status='reserved', updated_at=datetime('now')
+      WHERE id = ? AND status='available'`).run(req.params.id);
+        if (claim.changes !== 1)
+            return void res.status(409).json({ error: '物品已被预定，请刷新' });
+        try {
+            const now = new Date();
+            const orderId = generateId('ord');
+            const buyer = db.prepare("SELECT sponsor_id, sponsor_path, region FROM users WHERE id = ?").get(user.id);
+            const buyerRegionSnapshot = buyer?.region || 'global';
+            // orders.product_id 原本 FK products(id)，二手指向 secondhand_items(id) — 临时关 FK
+            db.pragma('foreign_keys = OFF');
+            try {
+                db.prepare(`INSERT INTO orders (
+          id, product_id, buyer_id, seller_id, quantity, unit_price, total_amount, escrow_amount,
+          status, shipping_address, notes, pay_deadline, accept_deadline, ship_deadline,
+          pickup_deadline, delivery_deadline, confirm_deadline,
+          snapshot_commission_rate, buyer_region, source, fulfillment_mode
+        ) VALUES (?,?,?,?,1,?,?,?,'created',?,?,?,?,?,?,?,?,?,?, 'secondhand', ?)`).run(orderId, req.params.id, user.id, item.seller_id, total, total, total, mode === 'shipping' ? shipping_address : (shipping_address || '面交'), notes || null, addHours(now, 24), addHours(now, 48), addHours(now, 120), addHours(now, 168), addHours(now, 336), addHours(now, 408), 0, buyerRegionSnapshot, mode);
+            }
+            finally {
+                db.pragma('foreign_keys = ON');
+            }
+            db.prepare('UPDATE wallets SET balance = balance - ?, escrowed = escrowed + ? WHERE user_id = ?')
+                .run(total, total, user.id);
+            transition(db, orderId, 'paid', user.id, [], '二手下单 — escrow 已锁');
+            notifyTransition(db, orderId, 'created', 'paid');
+            res.json({ success: true, order_id: orderId, total_amount: total, fulfillment_mode: mode });
+        }
+        catch (e) {
+            // 失败回滚：释放 reserved
+            db.prepare(`UPDATE secondhand_items SET status='available', updated_at=datetime('now') WHERE id = ?`).run(req.params.id);
+            console.error('[secondhand order]', e);
+            res.status(500).json({ error: '下单失败：' + e.message });
+        }
+    });
+}

package/dist/pwa/routes/seller-quota.js

@@ -0,0 +1,225 @@
+export function registerSellerQuotaRoutes(app, deps) {
+    const { db, generateId, auth, requireUsersAdmin, safeRoles, checkSellerCanList, adminCanOperateOn, logAdminAction, QUOTA_TIERS } = deps;
+    // 配额状态
+    app.get('/api/seller/quota-status', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (user.role !== 'seller' && !safeRoles(user).includes('seller')) {
+            return void res.json({ error: '仅卖家可查看配额' });
+        }
+        const status = checkSellerCanList(user);
+        const pending = db.prepare("SELECT id, requested_quota, applied_at FROM quota_increase_applications WHERE user_id = ? AND status = 'pending' ORDER BY applied_at DESC LIMIT 1").get(user.id);
+        const max = Number(user.max_products ?? 200);
+        const nextTierIdx = QUOTA_TIERS.indexOf(max);
+        const nextTier = nextTierIdx >= 0 && nextTierIdx < QUOTA_TIERS.length - 1 ? QUOTA_TIERS[nextTierIdx + 1] : null;
+        res.json({
+            max_products: max,
+            total_used: status.total ?? 0,
+            daily_limit: status.daily_limit,
+            daily_used: status.daily_used ?? 0,
+            new_user: !!status.new_user,
+            listing_paused: !!user.listing_paused,
+            listing_paused_reason: user.listing_paused_reason ?? null,
+            next_tier: nextTier,
+            pending_application: pending ?? null,
+            can_list: status.ok,
+            block_reason: status.reason ?? null,
+        });
+    });
+    // 数据中心（30d GMV / 7d 曲线 / Top 5 / 客户洞察 / 状态分布）
+    app.get('/api/seller/insights', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const roles = safeRoles(user);
+        if (user.role !== 'seller' && !roles.includes('seller')) {
+            return void res.json({ error: '仅卖家可查看' });
+        }
+        const sellerId = user.id;
+        const now = Date.now();
+        // SQLite datetime('now') 返回 'YYYY-MM-DD HH:MM:SS' — 用同格式避免字典比较错位
+        const fmt = (d) => d.toISOString().replace('T', ' ').slice(0, 19);
+        const d30 = fmt(new Date(now - 30 * 86400000));
+        const d60 = fmt(new Date(now - 60 * 86400000));
+        const orders = db.prepare(`
+      SELECT o.id, o.product_id, o.buyer_id, o.status, o.total_amount, o.created_at,
+             COALESCE(p.title, '已下架商品') as product_title,
+             COALESCE(ub.name, '匿名') as buyer_name
+      FROM orders o
+      LEFT JOIN products p ON o.product_id = p.id
+      LEFT JOIN users ub ON o.buyer_id = ub.id
+      WHERE o.seller_id = ? AND o.created_at >= ?
+      ORDER BY o.created_at DESC
+    `).all(sellerId, d60);
+        const completedStatuses = new Set(['completed', 'confirmed']);
+        const disputedStatuses = new Set(['disputed', 'fault_seller', 'fault_buyer', 'fault_logistics', 'resolved_for_seller', 'refunded_partial', 'refunded_full', 'dispute_dismissed']);
+        const cancelledStatuses = new Set(['cancelled', 'expired']);
+        const inLast30 = orders.filter(o => o.created_at >= d30);
+        const inPrev30 = orders.filter(o => o.created_at < d30);
+        const gmv = (arr) => arr.filter(o => completedStatuses.has(o.status)).reduce((s, o) => s + Number(o.total_amount || 0), 0);
+        const curGmv = gmv(inLast30);
+        const prevGmv = gmv(inPrev30);
+        const curCount = inLast30.length;
+        const prevCount = inPrev30.length;
+        // 7 天日序列
+        const daily = [];
+        for (let i = 6; i >= 0; i--) {
+            const dt = new Date(now - i * 86400000).toISOString().slice(0, 10);
+            const day = inLast30.filter(o => (o.created_at || '').startsWith(dt));
+            daily.push({
+                date: dt,
+                orders: day.length,
+                gmv: day.filter(o => completedStatuses.has(o.status)).reduce((s, o) => s + Number(o.total_amount || 0), 0),
+            });
+        }
+        // Top 5 商品（30 天 GMV）
+        const productAgg = new Map();
+        for (const o of inLast30) {
+            if (!completedStatuses.has(o.status))
+                continue;
+            const cur = productAgg.get(o.product_id) || { product_id: o.product_id, title: o.product_title, gmv: 0, count: 0 };
+            cur.gmv += Number(o.total_amount || 0);
+            cur.count += 1;
+            productAgg.set(o.product_id, cur);
+        }
+        const topProducts = [...productAgg.values()].sort((a, b) => b.gmv - a.gmv).slice(0, 5);
+        // 客户洞察
+        const customerAgg = new Map();
+        for (const o of inLast30) {
+            if (!completedStatuses.has(o.status))
+                continue;
+            const cur = customerAgg.get(o.buyer_id) || { buyer_id: o.buyer_id, name: o.buyer_name || '匿名', gmv: 0, count: 0 };
+            cur.gmv += Number(o.total_amount || 0);
+            cur.count += 1;
+            customerAgg.set(o.buyer_id, cur);
+        }
+        const customers = [...customerAgg.values()];
+        const uniqueBuyers = customers.length;
+        const repeatBuyers = customers.filter(c => c.count >= 2).length;
+        const repeatRate = uniqueBuyers > 0 ? repeatBuyers / uniqueBuyers : 0;
+        const topCustomers = customers.sort((a, b) => b.gmv - a.gmv).slice(0, 3);
+        const statusBreakdown = {
+            completed: inLast30.filter(o => completedStatuses.has(o.status)).length,
+            disputed: inLast30.filter(o => disputedStatuses.has(o.status)).length,
+            cancelled: inLast30.filter(o => cancelledStatuses.has(o.status)).length,
+            in_progress: inLast30.filter(o => !completedStatuses.has(o.status) && !disputedStatuses.has(o.status) && !cancelledStatuses.has(o.status)).length,
+        };
+        const totalConcluded = statusBreakdown.completed + statusBreakdown.disputed + statusBreakdown.cancelled;
+        const completeRate = totalConcluded > 0 ? statusBreakdown.completed / totalConcluded : 0;
+        const disputeRate = totalConcluded > 0 ? statusBreakdown.disputed / totalConcluded : 0;
+        const completedOrders30 = inLast30.filter(o => completedStatuses.has(o.status));
+        const aov = completedOrders30.length > 0 ? curGmv / completedOrders30.length : 0;
+        res.json({
+            period_days: 30,
+            summary: {
+                gmv: curGmv,
+                order_count: curCount,
+                completed_count: completedOrders30.length,
+                aov,
+                unique_buyers: uniqueBuyers,
+                repeat_buyers: repeatBuyers,
+                repeat_rate: repeatRate,
+                complete_rate: completeRate,
+                dispute_rate: disputeRate,
+            },
+            vs_prev: {
+                gmv_delta: curGmv - prevGmv,
+                gmv_pct: prevGmv > 0 ? (curGmv - prevGmv) / prevGmv : (curGmv > 0 ? 1 : 0),
+                count_delta: curCount - prevCount,
+                count_pct: prevCount > 0 ? (curCount - prevCount) / prevCount : (curCount > 0 ? 1 : 0),
+            },
+            daily_7d: daily,
+            top_products: topProducts,
+            top_customers: topCustomers,
+            status_breakdown: statusBreakdown,
+        });
+    });
+    app.post('/api/seller/apply-quota-increase', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (user.role !== 'seller' && !safeRoles(user).includes('seller')) {
+            return void res.json({ error: '仅卖家可申请扩容' });
+        }
+        const { requested_quota, reason } = req.body;
+        const current = Number(user.max_products ?? 200);
+        const currentIdx = QUOTA_TIERS.indexOf(current);
+        if (currentIdx < 0 || currentIdx >= QUOTA_TIERS.length - 1) {
+            return void res.json({ error: '已是最高配额，无法继续扩容' });
+        }
+        const nextTier = QUOTA_TIERS[currentIdx + 1];
+        if (Number(requested_quota) !== nextTier) {
+            return void res.json({ error: `下一档配额应为 ${nextTier}` });
+        }
+        const existing = db.prepare("SELECT 1 FROM quota_increase_applications WHERE user_id = ? AND status = 'pending' LIMIT 1").get(user.id);
+        if (existing)
+            return void res.json({ error: '已有待审申请' });
+        db.prepare(`INSERT INTO quota_increase_applications (id, user_id, current_quota, requested_quota, reason) VALUES (?,?,?,?,?)`)
+            .run(generateId('qapp'), user.id, current, nextTier, (reason || '').toString().slice(0, 500));
+        res.json({ success: true, requested_quota: nextTier });
+    });
+    app.post('/api/seller/withdraw-quota-application', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const pending = db.prepare("SELECT id FROM quota_increase_applications WHERE user_id = ? AND status = 'pending' LIMIT 1").get(user.id);
+        if (!pending)
+            return void res.json({ error: '没有待审申请' });
+        db.prepare("UPDATE quota_increase_applications SET status = 'withdrawn', reviewed_at = datetime('now') WHERE id = ?").run(pending.id);
+        res.json({ success: true });
+    });
+    // Admin
+    app.get('/api/admin/quota-applications', (req, res) => {
+        const admin = requireUsersAdmin(req, res);
+        if (!admin)
+            return;
+        const status = req.query.status || 'pending';
+        const rows = db.prepare(`
+      SELECT qa.*, u.name as user_name, u.email
+      FROM quota_increase_applications qa
+      LEFT JOIN users u ON u.id = qa.user_id
+      WHERE qa.status = ?
+      ORDER BY qa.applied_at DESC LIMIT 100
+    `).all(status);
+        res.json({ applications: rows });
+    });
+    app.post('/api/admin/quota-applications/:id/approve', (req, res) => {
+        const admin = requireUsersAdmin(req, res);
+        if (!admin)
+            return;
+        const { note } = req.body;
+        const appRow = db.prepare("SELECT id, user_id, requested_quota, status FROM quota_increase_applications WHERE id = ?")
+            .get(req.params.id);
+        if (!appRow)
+            return void res.json({ error: '申请不存在' });
+        if (!adminCanOperateOn(admin, appRow.user_id, res))
+            return;
+        if (appRow.status !== 'pending')
+            return void res.json({ error: '该申请不在待审状态' });
+        if (!QUOTA_TIERS.includes(appRow.requested_quota))
+            return void res.json({ error: '请求配额不合法' });
+        db.prepare("UPDATE quota_increase_applications SET status='approved', reviewed_at=datetime('now'), reviewed_by=?, decision_note=? WHERE id=?")
+            .run(admin.id, note || null, appRow.id);
+        db.prepare("UPDATE users SET max_products = ?, updated_at = datetime('now') WHERE id = ?").run(appRow.requested_quota, appRow.user_id);
+        logAdminAction(admin.id, 'approve_quota_increase', 'user', appRow.user_id, { quota: appRow.requested_quota, note });
+        res.json({ success: true });
+    });
+    app.post('/api/admin/quota-applications/:id/reject', (req, res) => {
+        const admin = requireUsersAdmin(req, res);
+        if (!admin)
+            return;
+        const { note } = req.body;
+        const appRow = db.prepare("SELECT id, user_id, status FROM quota_increase_applications WHERE id = ?").get(req.params.id);
+        if (!appRow)
+            return void res.json({ error: '申请不存在' });
+        if (!adminCanOperateOn(admin, appRow.user_id, res))
+            return;
+        if (appRow.status !== 'pending')
+            return void res.json({ error: '该申请不在待审状态' });
+        db.prepare("UPDATE quota_increase_applications SET status='rejected', reviewed_at=datetime('now'), reviewed_by=?, decision_note=? WHERE id=?")
+            .run(admin.id, note || null, appRow.id);
+        logAdminAction(admin.id, 'reject_quota_increase', 'user', appRow.user_id, { note });
+        res.json({ success: true });
+    });
+}

package/dist/pwa/routes/share-redirects.js

@@ -0,0 +1,164 @@
+import QRCode from 'qrcode';
+import { createHash } from 'crypto';
+export function registerShareRedirectsRoutes(app, deps) {
+    const { db, auth, clientIpHash, clientUaHash } = deps;
+    // 二维码生成（24h cache + ETag）
+    app.get('/api/qr', async (req, res) => {
+        const text = String(req.query.text || '').slice(0, 1024).trim();
+        if (!text)
+            return void res.status(400).send('text required');
+        const size = Math.min(Math.max(parseInt(String(req.query.size || '256'), 10) || 256, 64), 1024);
+        try {
+            const svg = await QRCode.toString(text, { type: 'svg', margin: 1, width: size, errorCorrectionLevel: 'M' });
+            const etag = '"' + createHash('sha1').update(text + ':' + size).digest('hex').slice(0, 16) + '"';
+            if (req.headers['if-none-match'] === etag)
+                return void res.status(304).end();
+            res.set('Content-Type', 'image/svg+xml');
+            res.set('Cache-Control', 'public, max-age=86400, immutable');
+            res.set('ETag', etag);
+            res.send(svg);
+        }
+        catch (e) {
+            res.status(500).send('qr generation failed: ' + e.message);
+        }
+    });
+    // 商品分享短链 /s/<shareable_id>
+    // 笔记 → 跳 PWA 内 #note/<id>；商品 → #order-product/<id>；外链 → 直跳外部 URL
+    app.get('/s/:id', (req, res) => {
+        const id = String(req.params.id || '').trim();
+        const row = db.prepare(`
+      SELECT id, owner_id, owner_code, type, external_url, related_product_id, related_anchor, status
+      FROM shareables WHERE id = ? AND status = 'active'
+    `).get(id);
+        // Phase C 笔记着陆页 — type=note 优先跳 PWA 内的 #note/<id>
+        if (row && row.type === 'note') {
+            const ownerRef = row.owner_code || row.owner_id || '';
+            const qs = new URLSearchParams();
+            if (ownerRef)
+                qs.set('ref', String(ownerRef));
+            qs.set('share_id', id);
+            try {
+                const ipHash = clientIpHash(req);
+                const uaHash = clientUaHash(req);
+                const dup = db.prepare(`SELECT 1 FROM shareable_click_log WHERE shareable_id = ? AND ip_hash = ? AND ua_hash = ? AND created_at > datetime('now', '-6 hours') LIMIT 1`).get(id, ipHash, uaHash);
+                db.prepare(`INSERT INTO shareable_click_log (shareable_id, ip_hash, ua_hash, ref_path) VALUES (?,?,?,?)`).run(id, ipHash, uaHash, req.originalUrl || null);
+                db.prepare(`UPDATE shareables SET click_count = COALESCE(click_count,0) + 1 WHERE id = ?`).run(id);
+                if (!dup)
+                    db.prepare(`UPDATE shareables SET unique_click_count = COALESCE(unique_click_count,0) + 1 WHERE id = ?`).run(id);
+            }
+            catch (e) {
+                console.error('[note-click]', e);
+            }
+            return void res.redirect(302, `/?${qs.toString()}#note/${id}`);
+        }
+        if (!row)
+            return void res.status(404).send('Shareable not found or removed.');
+        // 点击量 + 反互助点击 unique 去重（6h 窗口）
+        try {
+            const ipHash = clientIpHash(req);
+            const uaHash = clientUaHash(req);
+            const dup = db.prepare(`
+        SELECT 1 FROM shareable_click_log
+        WHERE shareable_id = ? AND ip_hash = ? AND ua_hash = ?
+          AND created_at > datetime('now', '-6 hours') LIMIT 1
+      `).get(id, ipHash, uaHash);
+            db.prepare(`INSERT INTO shareable_click_log (shareable_id, ip_hash, ua_hash, ref_path) VALUES (?,?,?,?)`)
+                .run(id, ipHash, uaHash, req.originalUrl || null);
+            db.prepare(`UPDATE shareables SET click_count = COALESCE(click_count,0) + 1 WHERE id = ?`).run(id);
+            if (!dup) {
+                db.prepare(`UPDATE shareables SET unique_click_count = COALESCE(unique_click_count,0) + 1 WHERE id = ?`).run(id);
+            }
+        }
+        catch (e) {
+            console.error('[M3-click]', e);
+        }
+        const ownerRef = row.owner_code || row.owner_id || '';
+        const isProduct = !!row.related_product_id;
+        const baseParams = new URLSearchParams();
+        if (ownerRef)
+            baseParams.set('ref', String(ownerRef));
+        if (isProduct)
+            baseParams.set('share_id', id);
+        const qs = baseParams.toString() ? '?' + baseParams.toString() : '';
+        if (isProduct) {
+            return void res.redirect(302, `/${qs}#order-product/${row.related_product_id}`);
+        }
+        if (row.related_anchor) {
+            return void res.redirect(302, `/${qs}#u/${row.owner_id}`);
+        }
+        if (row.external_url) {
+            return void res.redirect(302, String(row.external_url));
+        }
+        res.redirect(302, `/${qs}#u/${row.owner_id}`);
+    });
+    // 商品分享归因落库（前端登录后首次进入带 share_id 时调用）
+    app.post('/api/product-share/touch', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { shareable_id } = req.body || {};
+        if (!shareable_id || typeof shareable_id !== 'string') {
+            return void res.json({ ok: false, error: 'invalid_shareable_id' });
+        }
+        const s = db.prepare(`
+      SELECT id, owner_id, related_product_id FROM shareables
+      WHERE id = ? AND status = 'active'
+    `).get(shareable_id);
+        if (!s || !s.related_product_id)
+            return void res.json({ ok: false, error: 'not_product_shareable' });
+        if (s.owner_id === user.id)
+            return void res.json({ ok: false, error: 'cannot_self_attribute' });
+        const expiresAt = new Date(Date.now() + 30 * 86400_000).toISOString().slice(0, 19).replace('T', ' ');
+        // first-touch：未过期 → 静默保留；过期 → 替换
+        const existing = db.prepare(`
+      SELECT sharer_id, expires_at FROM product_share_attribution
+      WHERE product_id = ? AND recipient_id = ?
+    `).get(s.related_product_id, user.id);
+        if (!existing) {
+            db.prepare(`
+        INSERT INTO product_share_attribution (product_id, recipient_id, sharer_id, shareable_id, expires_at)
+        VALUES (?, ?, ?, ?, ?)
+      `).run(s.related_product_id, user.id, s.owner_id, s.id, expiresAt);
+            return void res.json({ ok: true, attributed: true, sharer_id: s.owner_id, product_id: s.related_product_id });
+        }
+        const stillValid = new Date(existing.expires_at.replace(' ', 'T') + 'Z').getTime() > Date.now();
+        if (stillValid) {
+            return void res.json({ ok: true, attributed: false, existing_sharer_id: existing.sharer_id, locked: true });
+        }
+        // 已过期 → 刷新
+        db.prepare(`
+      UPDATE product_share_attribution
+      SET sharer_id = ?, shareable_id = ?, created_at = datetime('now'), expires_at = ?
+      WHERE product_id = ? AND recipient_id = ?
+    `).run(s.owner_id, s.id, expiresAt, s.related_product_id, user.id);
+        res.json({ ok: true, attributed: true, refreshed: true, sharer_id: s.owner_id });
+    });
+    // 邀请短链 /i/CODE
+    // 格式：/i/VKSF9P / /i/VKSF9P-L / /i/VKSF9P-R / /i/@handle / /i/@handle-L
+    app.get('/i/:code', (req, res) => {
+        let raw = String(req.params.code || '').trim();
+        let side = null;
+        const m = raw.match(/^(.+?)-([lLrR])$/);
+        if (m) {
+            raw = m[1];
+            side = m[2].toLowerCase() === 'l' ? 'left' : 'right';
+        }
+        // permanent_code 或 handle 规范化
+        let display = null;
+        if (/^[A-Z0-9]{6,7}$/.test(raw.toUpperCase()) && !raw.startsWith('@')) {
+            const r = db.prepare("SELECT permanent_code FROM users WHERE permanent_code = ? AND id != 'sys_protocol'").get(raw.toUpperCase());
+            if (r)
+                display = r.permanent_code;
+        }
+        if (!display) {
+            const h = raw.replace(/^@/, '').toLowerCase();
+            const r = db.prepare("SELECT handle FROM users WHERE handle = ? AND id != 'sys_protocol'").get(h);
+            if (r)
+                display = '@' + r.handle; // @ 前缀辨识 handle 形态
+        }
+        if (!display)
+            return void res.status(404).send('Invitation link not found. Code: ' + raw);
+        const target = `/?ref=${encodeURIComponent(display)}${side ? `&side=${side}` : ''}`;
+        res.redirect(302, target);
+    });
+}