@seasonkoh/webaz 0.1.8 → 0.1.9

package/dist/pwa/routes/auth-register.js

@@ -0,0 +1,138 @@
+export function registerAuthRegisterRoutes(app, deps) {
+    // VALID_REGIONS + INVITE_ROTATION_HANDLES 通过 deps.X 在 handler 内延迟读
+    // （server.ts 用 getter 注入；destructure at register-time would trigger TDZ 因为它们在下方 const）
+    const { db, errorRes, INTERNAL_AUDITOR_ID, isAllowedSponsor, resolveUserRef, generateId, generateSecureKey, generatePermanentCode, deriveHandle, clientIpHash, clientUaHash, pickPreferredSide, joinPowerLeg, inviteRotationLookup, recordSession, broadcastSystemEvent } = deps;
+    app.post('/api/register', (req, res) => {
+        const { name, role, sponsor_id, region, placement_inviter_id, placement_side } = req.body;
+        const validRoles = ['buyer', 'seller'];
+        if (!name?.trim())
+            return void errorRes(res, 400, 'NAME_REQUIRED', '请填写名称');
+        if (!validRoles.includes(role))
+            return void errorRes(res, 400, 'ROLE_NOT_PUBLIC_REGISTERABLE', '角色无效（仅允许 buyer/seller — 受信角色须经内部审批）');
+        const trimmed = name.trim();
+        if (trimmed.length < 2 || trimmed.length > 40)
+            return void errorRes(res, 400, 'NAME_LENGTH', '名称长度需在 2–40 个字符之间');
+        const dup = db.prepare("SELECT 1 FROM users WHERE name = ? AND id NOT IN ('sys_protocol', ?) LIMIT 1").get(trimmed, INTERNAL_AUDITOR_ID);
+        if (dup)
+            return void errorRes(res, 409, 'NAME_TAKEN', '该名称已被占用，请换一个');
+        const ROLE_WHITELIST = [];
+        const requireRef = db.prepare("SELECT value FROM system_state WHERE key='require_ref_to_register'").get()?.value === '1';
+        // 2026-05-30 合规复审:取消 china 豁免——D1b 引入时保留 china 通道是为获客,
+        // 但合规上正好反向(china 是 MLM 风险最高地区,豁免反而把最高风险地区做成最容易进)。
+        // 全球统一需邀请。第三方尽调报告风险 1 + 问题 1 的回应。
+        if (requireRef && !sponsor_id && !ROLE_WHITELIST.includes(role)) {
+            return void errorRes(res, 403, 'INVITE_REQUIRED', '注册需要邀请码。请联系已有用户获取邀请链接。', { hint: 'require_ref_enabled' });
+        }
+        let sponsorId = null;
+        let sponsorPath = null;
+        let sponsorSkipped = null;
+        let sponsorRawRef = (sponsor_id && typeof sponsor_id === 'string') ? sponsor_id.trim() : '';
+        let suffixSide = null;
+        const sufM = sponsorRawRef.match(/^(.+?)-([lLrR])$/);
+        if (sufM) {
+            sponsorRawRef = sufM[1];
+            suffixSide = sufM[2].toLowerCase() === 'l' ? 'left' : 'right';
+        }
+        if (sponsorRawRef) {
+            const resolvedSponsorId = resolveUserRef(sponsorRawRef);
+            if (!resolvedSponsorId || resolvedSponsorId === 'sys_protocol' || resolvedSponsorId === INTERNAL_AUDITOR_ID) {
+                return void errorRes(res, 400, 'INVALID_SPONSOR_REF', `邀请码无效：${sponsorRawRef.slice(0, 24)}（请检查或留空跳过）`);
+            }
+            const sponsor = db.prepare("SELECT id, sponsor_path FROM users WHERE id = ?")
+                .get(resolvedSponsorId);
+            if (!sponsor) {
+                return void errorRes(res, 400, 'INVALID_SPONSOR_REF', `邀请码对应用户不存在：${sponsorRawRef.slice(0, 24)}`);
+            }
+            sponsorId = sponsor.id;
+            sponsorPath = sponsor.sponsor_path ? `${sponsor.sponsor_path}>${sponsor.id}` : sponsor.id;
+            if (!isAllowedSponsor(sponsor.id))
+                sponsorSkipped = 'sponsor_pending_verification';
+        }
+        if (!sponsorId && !ROLE_WHITELIST.includes(role)) {
+            sponsorId = 'sys_protocol';
+            sponsorPath = 'sys_protocol';
+        }
+        const userRegion = (typeof region === 'string' && region.trim()) ? region.trim() : '';
+        if (!deps.VALID_REGIONS.has(userRegion)) {
+            return void errorRes(res, 400, 'REGION_REQUIRED', '请选择国家 / 地区（影响分润分账配置）');
+        }
+        const id = generateId('usr');
+        const apiKey = generateSecureKey('key');
+        const permaCode = generatePermanentCode();
+        const userHandle = deriveHandle(trimmed);
+        const ipHash = clientIpHash(req);
+        const uaHash = clientUaHash(req);
+        // Phase 3a：注册限频 — 同 IP 每小时最多 5 个新账号(挡批量刷号)
+        const recentReg = db.prepare(`SELECT COUNT(*) AS n FROM registration_audit_log WHERE ip_hash = ? AND created_at > datetime('now','-1 hour')`).get(ipHash).n;
+        if (recentReg >= 5) {
+            return void errorRes(res, 429, 'REGISTER_RATE_LIMITED', '注册过于频繁 — 同一网络每小时最多 5 个新账号，请稍后再试');
+        }
+        const registerTx = db.transaction(() => {
+            db.prepare(`INSERT INTO users (id, name, role, roles, api_key, sponsor_id, sponsor_path, region, permanent_code, handle)
+                  VALUES (?,?,?,?,?,?,?,?,?,?)`)
+                .run(id, trimmed, role, JSON.stringify([role]), apiKey, sponsorId, sponsorPath, userRegion, permaCode, userHandle);
+            db.prepare('INSERT INTO wallets (user_id, balance) VALUES (?,1000)').run(id);
+            db.prepare(`INSERT INTO registration_audit_log (user_id, ip_hash, ua_hash, sponsor_id) VALUES (?,?,?,?)`)
+                .run(id, ipHash, uaHash, sponsorId);
+            let effectiveInviter = placement_inviter_id ? resolveUserRef(String(placement_inviter_id).replace(/-[lLrR]$/, '')) : null;
+            let effectiveSide = (placement_side === 'left' || placement_side === 'right') ? placement_side : suffixSide;
+            if (!effectiveInviter && sponsorRawRef)
+                effectiveInviter = resolveUserRef(sponsorRawRef);
+            if (effectiveInviter && !effectiveSide) {
+                try {
+                    effectiveSide = pickPreferredSide(effectiveInviter);
+                }
+                catch {
+                    effectiveSide = 'left';
+                }
+            }
+            let placement = null;
+            if (effectiveInviter && effectiveSide) {
+                const inviter = db.prepare("SELECT id FROM users WHERE id = ? AND id NOT IN ('sys_protocol', ?) LIMIT 1")
+                    .get(effectiveInviter, INTERNAL_AUDITOR_ID);
+                if (inviter) {
+                    try {
+                        placement = joinPowerLeg(inviter.id, effectiveSide, id);
+                    }
+                    catch { }
+                }
+            }
+            const rotationEnabled = db.prepare("SELECT value FROM system_state WHERE key='invite_rotation_enabled'").get()?.value === '1';
+            if (rotationEnabled && sponsorId) {
+                for (let i = 0; i < deps.INVITE_ROTATION_HANDLES.length; i++) {
+                    const u = inviteRotationLookup(i);
+                    if (u && u.id === sponsorId) {
+                        db.prepare("UPDATE invite_rotation_stats SET registered_count = registered_count + 1 WHERE slot = ?").run(i);
+                        break;
+                    }
+                }
+            }
+            return { placement, effectiveInviter, effectiveSide };
+        });
+        let txResult;
+        try {
+            txResult = registerTx();
+        }
+        catch (e) {
+            console.error('[register-tx]', e.message);
+            return void res.status(500).json({ error: '注册写入失败，请重试' });
+        }
+        const { placement, effectiveInviter, effectiveSide } = txResult;
+        try {
+            recordSession(id, apiKey, req);
+        }
+        catch { }
+        try {
+            broadcastSystemEvent('register', '🎉', `新用户注册: ${trimmed} (${role})`, id);
+        }
+        catch { }
+        res.json({
+            success: true, api_key: apiKey, user_id: id, name: trimmed, role, roles: [role],
+            sponsor_id: sponsorId, region: userRegion,
+            permanent_code: permaCode,
+            handle: userHandle,
+            placement: placement ? { inviter_id: effectiveInviter, side: effectiveSide, depth: placement.depth } : null,
+            ...(sponsorSkipped ? { sponsor_skipped: sponsorSkipped } : {}),
+        });
+    });
+}

package/dist/pwa/routes/auth-sessions.js

@@ -0,0 +1,62 @@
+export function registerAuthSessionsRoutes(app, deps) {
+    const { db, auth, verifyPassword, recordSession, generateSecureKey } = deps;
+    app.get('/api/auth/sessions', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const currentKey = req.headers.authorization?.replace('Bearer ', '') ?? '';
+        const rows = db.prepare(`
+      SELECT id, ip, user_agent, fingerprint_hash, created_at, last_seen_at, revoked_at, api_key
+      FROM user_sessions WHERE user_id = ? AND revoked_at IS NULL
+      ORDER BY last_seen_at DESC LIMIT 30
+    `).all(user.id);
+        res.json({
+            sessions: rows.map(r => ({
+                id: r.id,
+                ip: r.ip,
+                user_agent: r.user_agent,
+                fingerprint_hash: r.fingerprint_hash?.slice(0, 8),
+                created_at: r.created_at,
+                last_seen_at: r.last_seen_at,
+                is_current: r.api_key === currentKey,
+            })),
+        });
+    });
+    // 远程吊销某个会话（不影响当前 session）
+    app.post('/api/auth/sessions/:id/revoke', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const sid = req.params.id;
+        const row = db.prepare("SELECT user_id, api_key FROM user_sessions WHERE id = ?").get(sid);
+        if (!row || row.user_id !== user.id)
+            return void res.status(404).json({ error: '会话不存在' });
+        const currentKey = req.headers.authorization?.replace('Bearer ', '') ?? '';
+        if (row.api_key === currentKey)
+            return void res.json({ error: '不能吊销当前会话，请改用「全部登出」' });
+        db.prepare("UPDATE user_sessions SET revoked_at = datetime('now') WHERE id = ?").run(sid);
+        res.json({ ok: true });
+    });
+    // 一键全登出：rotate users.api_key + 吊销所有 session
+    // 要求密码二次验证（防 api_key 被盗后攻击者锁死真用户）
+    app.post('/api/auth/logout-all', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const pwd = String(req.body?.password || '');
+        if (!user.password_hash)
+            return void res.json({ error: '该账户未设置登录密码，无法一键全登出。请先设置密码。' });
+        if (!verifyPassword(pwd, user.password_hash))
+            return void res.json({ error: '密码错误' });
+        const newKey = generateSecureKey('key');
+        db.prepare("UPDATE users SET api_key = ? WHERE id = ?").run(newKey, user.id);
+        db.prepare("UPDATE user_sessions SET revoked_at = datetime('now') WHERE user_id = ? AND revoked_at IS NULL")
+            .run(user.id);
+        // 为新 key 建一个 session 行（让当前发起者继续可用）
+        try {
+            recordSession(user.id, newKey, req);
+        }
+        catch { }
+        res.json({ ok: true, new_api_key: newKey });
+    });
+}

package/dist/pwa/routes/blocklist.js

@@ -0,0 +1,60 @@
+export function registerBlocklistRoutes(app, deps) {
+    const { db, auth } = deps;
+    app.post('/api/blocklist/:user_id', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        const target = req.params.user_id;
+        if (target === me.id)
+            return void res.json({ error: '不能拉黑自己' });
+        if (target === 'sys_protocol')
+            return void res.json({ error: '不能拉黑系统账户' });
+        const exists = db.prepare("SELECT 1 FROM users WHERE id = ?").get(target);
+        if (!exists)
+            return void res.json({ error: '用户不存在' });
+        const reason = (req.body?.reason || '').toString().slice(0, 200);
+        db.prepare("INSERT OR IGNORE INTO user_blocklist (blocker_id, blocked_id, reason) VALUES (?, ?, ?)")
+            .run(me.id, target, reason || null);
+        res.json({ ok: true });
+    });
+    app.delete('/api/blocklist/:user_id', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        db.prepare("DELETE FROM user_blocklist WHERE blocker_id = ? AND blocked_id = ?").run(me.id, req.params.user_id);
+        res.json({ ok: true });
+    });
+    // D-2: 列表
+    app.get('/api/blocklist', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        const rows = db.prepare(`
+      SELECT b.blocked_id, b.reason, b.created_at,
+        u.name, u.handle, u.role
+      FROM user_blocklist b
+      JOIN users u ON u.id = b.blocked_id
+      WHERE b.blocker_id = ?
+      ORDER BY b.created_at DESC LIMIT 200
+    `).all(me.id);
+        res.json({ items: rows });
+    });
+    app.get('/api/blocklist/me', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        const rows = db.prepare(`
+      SELECT b.blocked_id, b.reason, b.created_at, u.name as blocked_name, u.role as blocked_role
+      FROM user_blocklist b LEFT JOIN users u ON u.id = b.blocked_id
+      WHERE b.blocker_id = ? ORDER BY b.created_at DESC
+    `).all(me.id);
+        res.json({ blocked: rows });
+    });
+    app.get('/api/blocklist/:user_id/status', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        const row = db.prepare("SELECT 1 FROM user_blocklist WHERE blocker_id = ? AND blocked_id = ?").get(me.id, req.params.user_id);
+        res.json({ blocked: !!row });
+    });
+}

package/dist/pwa/routes/buyer-feeds.js

@@ -0,0 +1,224 @@
+export function registerBuyerFeedsRoutes(app, deps) {
+    const { db, auth, isTrustedRole, errorRes, getNearbyCellPrecision, getProtocolParam } = deps;
+    app.get('/api/recommendations/me', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (isTrustedRole(user))
+            return void errorRes(res, 403, 'TRUSTED_ROLE_NO_TRADE', '受信角色无购物功能');
+        const limit = Math.min(30, Math.max(5, Number(req.query.limit) || 20));
+        const wishlistRows = db.prepare(`
+      SELECT w.product_id, p.category, p.seller_id FROM user_wishlist w
+      JOIN products p ON p.id = w.product_id
+      WHERE w.user_id = ? AND p.status = 'active' LIMIT 50
+    `).all(user.id);
+        const purchasedRows = db.prepare(`
+      SELECT DISTINCT product_id, seller_id FROM orders WHERE buyer_id = ? AND status = 'completed' LIMIT 200
+    `).all(user.id);
+        const followedRows = db.prepare(`SELECT followee_id FROM follows WHERE follower_id = ?`).all(user.id);
+        const wishCats = new Set(wishlistRows.map(r => r.category).filter(Boolean));
+        const knownProductIds = new Set([...wishlistRows.map(r => r.product_id), ...purchasedRows.map(r => r.product_id)]);
+        const knownSellerIds = new Set([...wishlistRows.map(r => r.seller_id), ...purchasedRows.map(r => r.seller_id)]);
+        const followedSellerIds = followedRows.map(r => r.followee_id);
+        const EXCL_LIMIT = 500;
+        const exclArgs = [...knownProductIds].slice(0, EXCL_LIMIT);
+        const exclSql = exclArgs.length > 0
+            ? `AND p.id NOT IN (${exclArgs.map(() => '?').join(',')})`
+            : '';
+        const baseCols = `p.id, p.title, p.price, p.stock, p.category, p.images, p.has_variants, p.seller_id,
+      (SELECT COUNT(1) FROM orders o WHERE o.product_id = p.id AND o.status = 'completed') as sales_count,
+      u.name as seller_name, u.handle as seller_handle`;
+        let followedProducts = [];
+        if (followedSellerIds.length > 0) {
+            const ph = followedSellerIds.map(() => '?').join(',');
+            followedProducts = db.prepare(`
+        SELECT ${baseCols}
+        FROM products p JOIN users u ON u.id = p.seller_id
+        WHERE p.seller_id IN (${ph}) AND p.status = 'active' AND p.stock > 0 ${exclSql}
+        ORDER BY p.created_at DESC LIMIT 10
+      `).all(...followedSellerIds, ...exclArgs);
+        }
+        let categoryProducts = [];
+        if (wishCats.size > 0) {
+            const ph = [...wishCats].map(() => '?').join(',');
+            categoryProducts = db.prepare(`
+        SELECT ${baseCols}
+        FROM products p JOIN users u ON u.id = p.seller_id
+        WHERE p.category IN (${ph}) AND p.status = 'active' AND p.stock > 0 ${exclSql}
+        ORDER BY sales_count DESC LIMIT 10
+      `).all(...wishCats, ...exclArgs);
+        }
+        let pastSellerProducts = [];
+        const pastSellers = [...knownSellerIds].filter(s => !followedSellerIds.includes(s));
+        if (pastSellers.length > 0) {
+            const ph = pastSellers.map(() => '?').join(',');
+            pastSellerProducts = db.prepare(`
+        SELECT ${baseCols}
+        FROM products p JOIN users u ON u.id = p.seller_id
+        WHERE p.seller_id IN (${ph}) AND p.status = 'active' AND p.stock > 0 ${exclSql}
+        ORDER BY p.created_at DESC LIMIT 10
+      `).all(...pastSellers, ...exclArgs);
+        }
+        const fallback = db.prepare(`
+      SELECT ${baseCols}
+      FROM products p JOIN users u ON u.id = p.seller_id
+      WHERE p.status = 'active' AND p.stock > 0 ${exclSql}
+      ORDER BY sales_count DESC, p.created_at DESC LIMIT 10
+    `).all(...exclArgs);
+        const seen = new Set();
+        const labeled = (bucket, arr) => arr.filter(it => {
+            const id = String(it.id);
+            if (seen.has(id))
+                return false;
+            seen.add(id);
+            return true;
+        }).map(it => ({ ...it, _bucket: bucket }));
+        const all = [
+            ...labeled('followed', followedProducts),
+            ...labeled('category', categoryProducts),
+            ...labeled('past_seller', pastSellerProducts),
+            ...labeled('trending', fallback),
+        ].slice(0, limit);
+        res.json({
+            items: all,
+            signals: {
+                wishlist_categories: [...wishCats],
+                followed_sellers: followedSellerIds.length,
+                past_purchases: purchasedRows.length,
+            },
+        });
+    });
+    app.get('/api/feed', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const scope = String(req.query.scope || 'all');
+        const params = [];
+        if (scope === 'following') {
+            params.push(user.id, user.id, user.id);
+        }
+        const sql = `
+      SELECT * FROM (
+        SELECT 'purchase' as kind, o.id as ref_id, o.buyer_id as actor_id, ub.name as actor_name,
+               o.product_id, p.title as product_title, p.category, p.price, o.updated_at as ts,
+               NULL as extra
+        FROM orders o
+        JOIN products p ON p.id = o.product_id
+        JOIN users ub ON ub.id = o.buyer_id
+        WHERE o.status = 'completed'
+          AND COALESCE(ub.feed_visible, 1) = 1
+          ${scope === 'following' ? `AND o.buyer_id IN (SELECT followee_id FROM follows WHERE follower_id = ?)` : ''}
+
+        UNION ALL
+
+        SELECT 'join_binary' as kind, u.id as ref_id, u.id as actor_id, u.name as actor_name,
+               NULL as product_id, NULL as product_title, NULL as category, NULL as price,
+               u.created_at as ts,
+               json_object('placement_side', u.placement_side, 'placement_name', up.name) as extra
+        FROM users u
+        LEFT JOIN users up ON up.id = u.placement_id
+        WHERE u.placement_id IS NOT NULL
+          AND COALESCE(u.feed_visible, 1) = 1
+          ${scope === 'following' ? `AND u.id IN (SELECT followee_id FROM follows WHERE follower_id = ?)` : ''}
+
+        UNION ALL
+
+        SELECT 'commission' as kind, cr.id as ref_id, cr.beneficiary_id as actor_id, ub.name as actor_name,
+               o.product_id, p.title as product_title, p.category, p.price, cr.created_at as ts,
+               json_object('level', cr.level, 'amount', cr.amount) as extra
+        FROM commission_records cr
+        JOIN orders o ON o.id = cr.order_id
+        JOIN products p ON p.id = o.product_id
+        JOIN users ub ON ub.id = cr.beneficiary_id
+        WHERE cr.beneficiary_id != 'sys_protocol'
+          AND COALESCE(ub.feed_visible, 1) = 1
+          ${scope === 'following' ? `AND cr.beneficiary_id IN (SELECT followee_id FROM follows WHERE follower_id = ?)` : ''}
+      )
+      WHERE ts IS NOT NULL
+      ORDER BY ts DESC LIMIT 50
+    `;
+        const events = db.prepare(sql).all(...params);
+        res.json({ events, scope });
+    });
+    // 雷达扫描 MVP (2026-05-29)：scope 范围档 + window 时间窗，k≥3 守护贯穿
+    //   scope: cell(本格) / neighbors(周边 3×3) / region(同城) / global(全网)
+    //   window: 24h / 7d / 30d
+    app.get('/api/nearby', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const VALID_SCOPES = ['cell', 'neighbors', 'region', 'global'];
+        const scope = VALID_SCOPES.includes(String(req.query.scope)) ? String(req.query.scope) : 'neighbors';
+        const windowKey = ['24h', '7d', '30d'].includes(String(req.query.window)) ? String(req.query.window) : '7d';
+        const days = windowKey === '24h' ? 1 : windowKey === '30d' ? 30 : 7;
+        const { precision_deg, approx_km } = getNearbyCellPrecision();
+        const K = getProtocolParam('nearby_k_anonymity', 3);
+        const u = db.prepare("SELECT geo_lat, geo_lng, geo_updated_at, region FROM users WHERE id = ?").get(user.id);
+        const needsGeo = scope === 'cell' || scope === 'neighbors';
+        if (needsGeo && (u?.geo_lat == null || u?.geo_lng == null)) {
+            // 本格/周边需定位；同城/全网不需 → 前端可引导切到更大范围
+            return void res.json({ has_location: false, scope, window: windowKey, k_threshold: K });
+        }
+        // 按 scope 构造 WHERE + 标签
+        let where, args, scopeLabel;
+        let cell = null;
+        if (scope === 'cell') {
+            where = 'u.geo_lat = ? AND u.geo_lng = ?';
+            args = [u.geo_lat, u.geo_lng];
+            scopeLabel = `本格 ${approx_km}km`;
+            cell = { lat: u.geo_lat, lng: u.geo_lng, precision_deg, approx_km };
+        }
+        else if (scope === 'neighbors') {
+            const eps = precision_deg * 1.5;
+            where = 'u.geo_lat BETWEEN ? AND ? AND u.geo_lng BETWEEN ? AND ?';
+            args = [Number(u.geo_lat) - eps, Number(u.geo_lat) + eps, Number(u.geo_lng) - eps, Number(u.geo_lng) + eps];
+            scopeLabel = `周边 ~${Math.round(approx_km * 3)}km`;
+            cell = { lat: u.geo_lat, lng: u.geo_lng, precision_deg, approx_km };
+        }
+        else if (scope === 'region') {
+            where = 'u.region = ?';
+            args = [u.region || 'global'];
+            scopeLabel = `同城 · ${u.region || '区域'}`;
+        }
+        else { // global
+            where = '1=1';
+            args = [];
+            scopeLabel = '全网';
+        }
+        const dayClause = `o.updated_at > datetime('now', '-${days} day')`;
+        const totals = db.prepare(`
+      SELECT COUNT(DISTINCT o.buyer_id) as au, COUNT(*) as orders
+      FROM orders o JOIN users u ON u.id = o.buyer_id
+      WHERE ${where} AND o.status = 'completed' AND ${dayClause}
+    `).get(...args);
+        const sufficient = Number(totals.au) >= K;
+        const topProducts = sufficient ? db.prepare(`
+      SELECT p.id, p.title, p.price, p.category, p.images, COUNT(DISTINCT o.buyer_id) as buyers
+      FROM orders o JOIN users u ON u.id = o.buyer_id JOIN products p ON p.id = o.product_id
+      WHERE ${where} AND o.status = 'completed' AND ${dayClause}
+      GROUP BY p.id HAVING buyers >= ? ORDER BY buyers DESC LIMIT 10
+    `).all(...args, K) : [];
+        const topCategories = sufficient ? db.prepare(`
+      SELECT p.category, COUNT(*) as orders, COUNT(DISTINCT o.buyer_id) as buyers
+      FROM orders o JOIN users u ON u.id = o.buyer_id JOIN products p ON p.id = o.product_id
+      WHERE ${where} AND o.status = 'completed' AND ${dayClause} AND p.category IS NOT NULL
+      GROUP BY p.category HAVING buyers >= ? ORDER BY orders DESC LIMIT 6
+    `).all(...args, K) : [];
+        const staleDays = u?.geo_updated_at
+            ? Math.floor((Date.now() - new Date(u.geo_updated_at.replace(' ', 'T') + 'Z').getTime()) / 86400_000)
+            : null;
+        res.json({
+            has_location: true,
+            scope, scope_label: scopeLabel, window: windowKey, k_threshold: K,
+            cell,
+            location_stale_days: staleDays,
+            sufficient,
+            aggregate: {
+                active_users: sufficient ? Number(totals.au) : -1,
+                orders: sufficient ? Number(totals.orders) : -1,
+            },
+            top_products: topProducts,
+            top_categories: topCategories,
+        });
+    });
+}

package/dist/pwa/routes/cart.js

@@ -0,0 +1,155 @@
+import { transition } from '../../layer0-foundation/L0-2-state-machine/engine.js';
+import { notifyTransition } from '../../layer2-business/L2-6-notifications/notification-engine.js';
+export function registerCartRoutes(app, deps) {
+    const { db, generateId, auth, isTrustedRole, errorRes, broadcastSystemEvent, checkStockAndMaybeDelist, addHours } = deps;
+    app.get('/api/cart', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const items = db.prepare(`
+      SELECT c.product_id, c.qty, c.added_at,
+        p.title, p.price, p.category, p.commission_rate, p.stock, p.status as product_status,
+        u.name as seller_name
+      FROM cart_items c
+      JOIN products p ON p.id = c.product_id
+      JOIN users u ON u.id = p.seller_id
+      WHERE c.user_id = ?
+      ORDER BY c.added_at DESC
+    `).all(user.id);
+        res.json({ items });
+    });
+    app.post('/api/cart', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { product_id, qty } = req.body;
+        const q = Math.max(1, Math.min(99, Number(qty) || 1));
+        if (!product_id)
+            return void res.json({ error: 'product_id 必填' });
+        const product = db.prepare("SELECT id, status FROM products WHERE id = ?").get(product_id);
+        if (!product)
+            return void res.json({ error: '商品不存在' });
+        if (product.status !== 'active')
+            return void res.json({ error: '商品已下架' });
+        db.prepare(`
+      INSERT INTO cart_items (user_id, product_id, qty) VALUES (?, ?, ?)
+      ON CONFLICT(user_id, product_id) DO UPDATE SET qty = MIN(99, cart_items.qty + ?)
+    `).run(user.id, product_id, q, q);
+        res.json({ ok: true });
+    });
+    app.patch('/api/cart/:product_id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const q = Math.max(1, Math.min(99, Number(req.body.qty) || 1));
+        const r = db.prepare("UPDATE cart_items SET qty = ? WHERE user_id = ? AND product_id = ?").run(q, user.id, req.params.product_id);
+        if (r.changes === 0)
+            return void res.json({ error: '购物车中没有此商品' });
+        res.json({ ok: true, qty: q });
+    });
+    // C-1: 购物车批量下单（按 seller 自动分订单）
+    app.post('/api/cart/checkout', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (isTrustedRole(user))
+            return void errorRes(res, 403, 'TRUSTED_ROLE_NO_TRADE', '受信角色无购物功能');
+        if (user.role !== 'buyer')
+            return void res.status(403).json({ error: '仅买家可下单' });
+        const { shipping_address, notes } = req.body || {};
+        if (!shipping_address)
+            return void res.status(400).json({ error: '请填写收货地址' });
+        const items = db.prepare(`
+      SELECT c.product_id, c.qty, p.title, p.price, p.stock, p.seller_id, p.has_variants, p.status
+      FROM cart_items c JOIN products p ON p.id = c.product_id
+      WHERE c.user_id = ?
+    `).all(user.id);
+        if (items.length === 0)
+            return void res.status(400).json({ error: '购物车为空' });
+        const skipped = [];
+        const created = [];
+        let totalNeed = 0;
+        const ok = [];
+        for (const it of items) {
+            if (it.status !== 'active') {
+                skipped.push({ product_id: it.product_id, reason: '商品已下架' });
+                continue;
+            }
+            if (it.has_variants) {
+                skipped.push({ product_id: it.product_id, reason: '需在商品详情页选规格下单' });
+                continue;
+            }
+            if (it.stock < it.qty) {
+                skipped.push({ product_id: it.product_id, reason: `库存不足（${it.stock} < ${it.qty}）` });
+                continue;
+            }
+            if (it.seller_id === user.id) {
+                skipped.push({ product_id: it.product_id, reason: '不可购买自己的商品' });
+                continue;
+            }
+            ok.push(it);
+            totalNeed += Number(it.price) * Number(it.qty);
+        }
+        if (ok.length === 0) {
+            return void res.status(400).json({ error: '购物车中无可下单商品', skipped });
+        }
+        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        if (!wallet)
+            return void res.status(500).json({ error: '钱包记录缺失' });
+        if (wallet.balance < totalNeed)
+            return void res.status(400).json({ error: `余额不足：需 ${totalNeed.toFixed(2)} WAZ，当前 ${wallet.balance.toFixed(2)}` });
+        try {
+            db.transaction(() => {
+                const now = new Date();
+                for (const it of ok) {
+                    const total = Number(it.price) * Number(it.qty);
+                    const orderId = generateId('ord');
+                    db.prepare(`INSERT INTO orders (
+            id, product_id, buyer_id, seller_id, quantity, unit_price, total_amount, escrow_amount,
+            status, shipping_address, notes, pay_deadline, accept_deadline, ship_deadline,
+            pickup_deadline, delivery_deadline, confirm_deadline, source
+          ) VALUES (?,?,?,?,?,?,?,?,'created',?,?,?,?,?,?,?,?, 'cart_batch')`).run(orderId, it.product_id, user.id, it.seller_id, it.qty, it.price, total, total, shipping_address, notes || `[批量下单]`, addHours(now, 24), addHours(now, 48), addHours(now, 120), addHours(now, 168), addHours(now, 336), addHours(now, 408));
+                    db.prepare('UPDATE wallets SET balance = balance - ?, escrowed = escrowed + ? WHERE user_id = ?').run(total, total, user.id);
+                    // 扣库存（原子）
+                    const upd = db.prepare('UPDATE products SET stock = stock - ? WHERE id = ? AND stock >= ?').run(it.qty, it.product_id, it.qty);
+                    if (upd.changes !== 1)
+                        throw new Error(`STOCK_RACE:${it.product_id}`);
+                    checkStockAndMaybeDelist(it.product_id);
+                    transition(db, orderId, 'paid', user.id, [], '购物车批量支付');
+                    notifyTransition(db, orderId, 'created', 'paid');
+                    created.push({ order_id: orderId, product_id: it.product_id, total });
+                }
+                // 清空已下单的 cart items
+                const okIds = ok.map(i => i.product_id);
+                const ph = okIds.map(() => '?').join(',');
+                db.prepare(`DELETE FROM cart_items WHERE user_id = ? AND product_id IN (${ph})`).run(user.id, ...okIds);
+            })();
+        }
+        catch (e) {
+            const msg = e.message;
+            if (msg.startsWith('STOCK_RACE:')) {
+                return void res.status(409).json({ error: '库存已被抢光，请重试', error_code: 'STOCK_DEPLETED' });
+            }
+            console.error('[POST /cart/checkout]', msg);
+            return void res.status(500).json({ error: '下单失败，请重试' });
+        }
+        try {
+            broadcastSystemEvent('cart_checkout', '🧺', `购物车批量下单 ${created.length} 单 · 总 ${totalNeed.toFixed(2)} WAZ`, String(user.id));
+        }
+        catch { }
+        res.json({
+            success: true,
+            orders_created: created.length,
+            orders: created,
+            skipped,
+            total_paid: created.reduce((s, c) => s + c.total, 0),
+        });
+    });
+    app.delete('/api/cart/:product_id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        db.prepare("DELETE FROM cart_items WHERE user_id = ? AND product_id = ?").run(user.id, req.params.product_id);
+        res.json({ ok: true });
+    });
+}