@seasonkoh/webaz 0.1.8 → 0.1.9

package/dist/pwa/routes/p2p-products.js

@@ -0,0 +1,178 @@
+export function registerP2pProductsRoutes(app, deps) {
+    const { db, auth, generateId, verifyP2pSig, isValidPeerEndpoint, isFreshSignedAt, P2P_TITLE_MAX, P2P_THUMB_MAX, P2P_DAILY_CAP, RFQ_MAX_PRICE, RFQ_MAX_QTY } = deps;
+    // 发布 / 重发 P2P 商品
+    app.post('/api/p2p-products', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (user.role !== 'seller')
+            return void res.json({ error: '仅卖家可上架' });
+        const body = req.body;
+        const title = String(body.title || '').trim();
+        if (title.length < 2 || title.length > P2P_TITLE_MAX)
+            return void res.json({ error: `title 需 2-${P2P_TITLE_MAX} 字` });
+        const price = Number(body.price);
+        if (!Number.isFinite(price) || price <= 0)
+            return void res.json({ error: 'price 必须 > 0' });
+        if (price > RFQ_MAX_PRICE)
+            return void res.json({ error: `price 超出上限 ${RFQ_MAX_PRICE} WAZ` });
+        const stock = Math.max(1, Math.floor(Number(body.stock) || 1));
+        if (stock > RFQ_MAX_QTY)
+            return void res.json({ error: `stock 超出上限 ${RFQ_MAX_QTY}` });
+        const contentHash = String(body.content_hash || '');
+        if (!/^[a-f0-9]{64}$/.test(contentHash))
+            return void res.json({ error: 'content_hash 必须为 64 字符十六进制（sha256）' });
+        const signedAt = String(body.content_signed_at || '');
+        if (!signedAt)
+            return void res.json({ error: 'content_signed_at 必填' });
+        if (!isFreshSignedAt(signedAt))
+            return void res.json({ error: 'content_signed_at 必须在最近 24h 内（防重放）' });
+        const signature = String(body.content_signature || '');
+        // 用调用者 api_key 验签（防伪造）
+        const apiKey = req.headers.authorization?.replace('Bearer ', '') ?? '';
+        if (!verifyP2pSig(contentHash, signedAt, apiKey, signature))
+            return void res.json({ error: 'content_signature 签名无效' });
+        const peerEndpoint = String(body.peer_endpoint || '').trim();
+        if (!isValidPeerEndpoint(peerEndpoint))
+            return void res.json({ error: 'peer_endpoint 必须是 http:// 或 https:// 协议' });
+        // peer_endpoint 可空（manifest_uri 模式留 P2 阶段扩展），但 thumbnail 必须有以供预览
+        const thumbnail = body.thumbnail_uri ? String(body.thumbnail_uri) : null;
+        if (thumbnail && thumbnail.length > P2P_THUMB_MAX)
+            return void res.json({ error: `thumbnail 超过 ${P2P_THUMB_MAX} 字节` });
+        // 频率限制
+        const today = db.prepare("SELECT COUNT(1) as n FROM products WHERE seller_id = ? AND p2p_mode = 1 AND created_at > datetime('now','-1 day')").get(user.id).n;
+        if (today >= P2P_DAILY_CAP)
+            return void res.json({ error: `今日 P2P 上架已达上限 ${P2P_DAILY_CAP}` });
+        const category = String(body.category || 'general');
+        const region = String(body.region || user.region || '全国');
+        const id = generateId('p');
+        db.prepare(`
+      INSERT INTO products (id, seller_id, title, description, price, stock, status, images, ship_regions,
+        handling_hours, commission_rate, category_id, stake_amount, p2p_mode, content_hash, peer_endpoint,
+        content_signature, content_signed_at)
+      VALUES (?,?,?,?,?,?,'active',?,?,24,0.10,'cat_default',0,1,?,?,?,?)
+    `).run(id, user.id, title, `[P2P] ${title}（完整详情见卖家节点）`, price, stock, thumbnail ? JSON.stringify([thumbnail]) : '[]', region, contentHash, peerEndpoint || null, signature, signedAt);
+        res.json({ id, content_hash: contentHash });
+    });
+    // 更新（重发 hash + signature，价格/库存/标题可改；旧 hash 给在途订单保留）
+    app.patch('/api/p2p-products/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const product = db.prepare("SELECT * FROM products WHERE id = ? AND p2p_mode = 1").get(req.params.id);
+        if (!product)
+            return void res.status(404).json({ error: 'P2P 商品不存在' });
+        if (product.seller_id !== user.id)
+            return void res.status(403).json({ error: '仅卖家本人可修改' });
+        if (product.status === 'deleted')
+            return void res.json({ error: '已删除商品不可修改' });
+        const body = req.body;
+        const updates = [];
+        const args = [];
+        if (body.title != null) {
+            const ttl = String(body.title).trim();
+            if (ttl.length < 2 || ttl.length > P2P_TITLE_MAX)
+                return void res.json({ error: 'title 长度无效' });
+            updates.push('title = ?');
+            args.push(ttl);
+        }
+        if (body.price != null) {
+            const p = Number(body.price);
+            if (!Number.isFinite(p) || p <= 0)
+                return void res.json({ error: 'price 无效' });
+            if (p > RFQ_MAX_PRICE)
+                return void res.json({ error: `price 超上限 ${RFQ_MAX_PRICE}` });
+            updates.push('price = ?');
+            args.push(p);
+        }
+        if (body.stock != null) {
+            const s = Math.max(0, Math.floor(Number(body.stock) || 0));
+            updates.push('stock = ?');
+            args.push(s);
+        }
+        if (body.peer_endpoint !== undefined) {
+            const ep = body.peer_endpoint ? String(body.peer_endpoint).trim() : '';
+            if (ep && !isValidPeerEndpoint(ep))
+                return void res.json({ error: 'peer_endpoint 必须是 http:// 或 https://' });
+            updates.push('peer_endpoint = ?');
+            args.push(ep || null);
+        }
+        if (body.status != null) {
+            const st = String(body.status);
+            if (!['active', 'paused', 'warehouse'].includes(st))
+                return void res.json({ error: 'status 无效（active/paused/warehouse）' });
+            updates.push('status = ?');
+            args.push(st);
+        }
+        // 富内容变了 → 必须重签 hash
+        if (body.content_hash != null || body.content_signature != null) {
+            const newHash = String(body.content_hash || '');
+            if (!/^[a-f0-9]{64}$/.test(newHash))
+                return void res.json({ error: 'content_hash 必须为 sha256 hex' });
+            const newSignedAt = String(body.content_signed_at || '');
+            if (!isFreshSignedAt(newSignedAt))
+                return void res.json({ error: 'content_signed_at 必须在最近 24h 内' });
+            const newSig = String(body.content_signature || '');
+            const apiKey = req.headers.authorization?.replace('Bearer ', '') ?? '';
+            if (!verifyP2pSig(newHash, newSignedAt, apiKey, newSig))
+                return void res.json({ error: '新 signature 无效' });
+            updates.push('content_hash = ?');
+            args.push(newHash);
+            updates.push('content_signature = ?');
+            args.push(newSig);
+            updates.push('content_signed_at = ?');
+            args.push(newSignedAt);
+            // 旧 hash 自动保留在 orders.content_hash_at_order（争议时凭买家所见 hash 判定）
+        }
+        if (!updates.length)
+            return void res.json({ error: '无任何修改' });
+        updates.push("updated_at = datetime('now')");
+        args.push(req.params.id);
+        db.prepare(`UPDATE products SET ${updates.join(', ')} WHERE id = ?`).run(...args);
+        res.json({ success: true });
+    });
+    // 下架（保留行 + status='warehouse'，在途订单 hash 仍可证）
+    app.delete('/api/p2p-products/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const product = db.prepare("SELECT seller_id, status FROM products WHERE id = ? AND p2p_mode = 1").get(req.params.id);
+        if (!product)
+            return void res.status(404).json({ error: 'P2P 商品不存在' });
+        if (product.seller_id !== user.id)
+            return void res.status(403).json({ error: '仅卖家本人可下架' });
+        const pendingOrders = db.prepare("SELECT COUNT(1) as n FROM orders WHERE product_id = ? AND status NOT IN ('completed','cancelled','refunded','expired')").get(req.params.id).n;
+        if (pendingOrders > 0)
+            return void res.json({ error: `该商品有 ${pendingOrders} 个进行中订单，无法下架` });
+        db.prepare("UPDATE products SET status = 'warehouse', updated_at = datetime('now') WHERE id = ?").run(req.params.id);
+        res.json({ success: true });
+    });
+    // 公开：列表
+    app.get('/api/p2p-products', (_req, res) => {
+        const rows = db.prepare(`
+      SELECT p.id, p.seller_id, p.title, p.price, p.stock, p.images as thumbnail_json,
+        p.ship_regions as region, p.content_hash, p.peer_endpoint, p.content_signed_at,
+        u.handle as seller_handle, u.region as seller_region
+      FROM products p
+      LEFT JOIN users u ON u.id = p.seller_id
+      WHERE p.status = 'active' AND p.stock > 0 AND p.p2p_mode = 1
+      ORDER BY p.created_at DESC
+      LIMIT 50
+    `).all();
+        res.json({ items: rows });
+    });
+    // 公开：详情（含 hash + peer_endpoint）
+    app.get('/api/p2p-products/:id', (req, res) => {
+        const row = db.prepare(`
+      SELECT p.id, p.seller_id, p.title, p.price, p.stock, p.images as thumbnail_json,
+        p.ship_regions as region, p.content_hash, p.peer_endpoint, p.content_signature, p.content_signed_at,
+        u.handle as seller_handle, u.region as seller_region, u.permanent_code as seller_code
+      FROM products p
+      LEFT JOIN users u ON u.id = p.seller_id
+      WHERE p.id = ? AND p.p2p_mode = 1
+    `).get(req.params.id);
+        if (!row)
+            return void res.status(404).json({ error: 'P2P 商品不存在' });
+        res.json({ product: row });
+    });
+}

package/dist/pwa/routes/payments-governance.js

@@ -0,0 +1,311 @@
+const PAYMENT_METHOD_KINDS = new Set(['crypto_onchain', 'bank_wire', 'card', 'mobile_wallet', 'p2p']);
+const PAYMENT_METHOD_STATUSES = new Set(['active', 'preview', 'inactive', 'deprecated']);
+const RPM_DIRECTIONS = new Set(['deposit', 'withdraw', 'both']);
+const RPM_STATUSES = new Set(['active', 'paused', 'blocked']);
+export function registerPaymentsGovernanceRoutes(app, deps) {
+    const { db, generateId, requireRootAdmin } = deps;
+    // 写支付变更审计日志
+    function logPaymentChange(entity_kind, entity_id, action, oldValue, newValue, changed_by, reason) {
+        db.prepare(`INSERT INTO payment_methods_log (entity_kind, entity_id, action, old_value, new_value, changed_by, reason) VALUES (?,?,?,?,?,?,?)`).run(entity_kind, entity_id, action, oldValue == null ? null : JSON.stringify(oldValue), newValue == null ? null : JSON.stringify(newValue), changed_by, reason ?? null);
+    }
+    // ─── 治理参数 ────────────────────────────────────────────────
+    app.get('/api/governance/params', (_req, res) => {
+        const params = db.prepare(`
+      SELECT key, value, type, description, category, default_value, min_value, max_value, updated_at
+      FROM protocol_params
+      ORDER BY category, key
+    `).all();
+        // 每个参数附最近 5 条变更
+        for (const p of params) {
+            const recent = db.prepare(`
+        SELECT old_value, new_value, action, created_at
+        FROM protocol_params_log
+        WHERE key = ?
+        ORDER BY id DESC LIMIT 5
+      `).all(p.key);
+            p.recent_changes = recent;
+        }
+        res.json({
+            notice: 'WebAZ 协议参数公示 — COP 团队自约束：所有参数变更必须可被任何人查询。',
+            params,
+            last_change: db.prepare(`SELECT key, old_value, new_value, action, created_at FROM protocol_params_log ORDER BY id DESC LIMIT 1`).get() || null,
+        });
+    });
+    app.get('/api/governance/params/:key/history', (req, res) => {
+        const param = db.prepare(`SELECT * FROM protocol_params WHERE key = ?`).get(req.params.key);
+        if (!param)
+            return void res.status(404).json({ error: 'param not found' });
+        const history = db.prepare(`
+      SELECT id, old_value, new_value, action, created_at,
+        (SELECT name FROM users WHERE id = protocol_params_log.changed_by) as changed_by_name
+      FROM protocol_params_log
+      WHERE key = ?
+      ORDER BY id DESC LIMIT 100
+    `).all(req.params.key);
+        res.json({ param, history });
+    });
+    // ─── 公共支付方法 ───────────────────────────────────────────
+    app.get('/api/payment-methods', (_req, res) => {
+        const rows = db.prepare(`SELECT id, display_name, display_name_en, kind, asset, chain, contract_address, decimals, icon, status, watcher_status, notes
+       FROM payment_methods WHERE status IN ('active','preview') ORDER BY status DESC, kind, asset`).all();
+        res.json({ items: rows });
+    });
+    // 某地区可用方法（fallback 到 global）
+    app.get('/api/payment-methods/for-region', (req, res) => {
+        const region = String(req.query.region || 'global');
+        const direction = String(req.query.direction || ''); // 'deposit' | 'withdraw' | '' (任意)
+        if (direction && !RPM_DIRECTIONS.has(direction)) {
+            return void res.status(400).json({ error: `direction 必须是 ${[...RPM_DIRECTIONS].join(' / ')}` });
+        }
+        const rowsRegion = db.prepare(`
+      SELECT rpm.region, rpm.method_id, rpm.direction, rpm.status, rpm.min_amount, rpm.max_amount, rpm.daily_cap, rpm.notes,
+        pm.display_name, pm.display_name_en, pm.kind, pm.asset, pm.chain, pm.icon, pm.status as method_status, pm.watcher_status
+      FROM region_payment_methods rpm JOIN payment_methods pm ON pm.id = rpm.method_id
+      WHERE rpm.region = ? AND rpm.status = 'active' AND pm.status IN ('active','preview')
+    `).all(region);
+        const useFallback = rowsRegion.length === 0 && region !== 'global';
+        const finalRegion = useFallback ? 'global' : region;
+        const rows = useFallback ? db.prepare(`
+      SELECT rpm.region, rpm.method_id, rpm.direction, rpm.status, rpm.min_amount, rpm.max_amount, rpm.daily_cap, rpm.notes,
+        pm.display_name, pm.display_name_en, pm.kind, pm.asset, pm.chain, pm.icon, pm.status as method_status, pm.watcher_status
+      FROM region_payment_methods rpm JOIN payment_methods pm ON pm.id = rpm.method_id
+      WHERE rpm.region = 'global' AND rpm.status = 'active' AND pm.status IN ('active','preview')
+    `).all() : rowsRegion;
+        const filtered = direction
+            ? rows.filter(r => r.direction === direction || r.direction === 'both')
+            : rows;
+        res.json({ region: finalRegion, fallback_from: useFallback ? region : null, items: filtered });
+    });
+    // 公共变更审计日志（COP transparency）
+    app.get('/api/payment-methods/log', (req, res) => {
+        const limit = Math.min(200, Math.max(10, Number(req.query.limit) || 50));
+        const rows = db.prepare(`SELECT id, entity_kind, entity_id, action, old_value, new_value, changed_by, reason, created_at
+       FROM payment_methods_log ORDER BY id DESC LIMIT ?`).all(limit);
+        res.json({ items: rows });
+    });
+    // ─── Admin payment_methods CRUD（root admin only · 基础设施变更需根权限）─
+    app.get('/api/admin/payment-methods', (req, res) => {
+        const user = requireRootAdmin(req, res);
+        if (!user)
+            return;
+        const rows = db.prepare(`SELECT * FROM payment_methods ORDER BY status DESC, kind, asset`).all();
+        res.json({ items: rows });
+    });
+    app.post('/api/admin/payment-methods', (req, res) => {
+        const user = requireRootAdmin(req, res);
+        if (!user)
+            return;
+        const b = req.body;
+        const id = String(b.id || '').trim().toLowerCase();
+        if (!/^[a-z0-9_]{3,40}$/.test(id))
+            return void res.status(400).json({ error: 'id 必须是 3-40 位 [a-z0-9_]（如 usdc_base）' });
+        if (db.prepare(`SELECT 1 FROM payment_methods WHERE id = ?`).get(id))
+            return void res.status(409).json({ error: 'id 已存在' });
+        const display_name = String(b.display_name || '').trim();
+        if (display_name.length < 1 || display_name.length > 60)
+            return void res.status(400).json({ error: 'display_name 1-60 字' });
+        const display_name_en = b.display_name_en ? String(b.display_name_en).slice(0, 60) : null;
+        const kind = String(b.kind || '');
+        if (!PAYMENT_METHOD_KINDS.has(kind))
+            return void res.status(400).json({ error: `kind 必须是 ${[...PAYMENT_METHOD_KINDS].join(' / ')}` });
+        const asset = String(b.asset || '').trim().toUpperCase();
+        if (!/^[A-Z]{2,10}$/.test(asset))
+            return void res.status(400).json({ error: 'asset 必须是 2-10 位大写字母（如 USDC）' });
+        const chain = b.chain ? String(b.chain).trim().toLowerCase().slice(0, 20) : null;
+        const contract_address = b.contract_address ? String(b.contract_address).trim().slice(0, 80) : null;
+        const decimals = Number.isFinite(Number(b.decimals)) ? Number(b.decimals) : 6;
+        if (decimals < 0 || decimals > 18)
+            return void res.status(400).json({ error: 'decimals 0-18' });
+        const icon = b.icon ? String(b.icon).slice(0, 8) : null;
+        const status = String(b.status || 'inactive');
+        if (!PAYMENT_METHOD_STATUSES.has(status))
+            return void res.status(400).json({ error: `status 必须是 ${[...PAYMENT_METHOD_STATUSES].join(' / ')}` });
+        const notes = b.notes ? String(b.notes).slice(0, 200) : null;
+        const newRow = { id, display_name, display_name_en, kind, asset, chain, contract_address, decimals, icon, status, watcher_status: 'unconfigured', notes };
+        db.prepare(`INSERT INTO payment_methods (
+      id, display_name, display_name_en, kind, asset, chain, contract_address, decimals, icon, status, watcher_status, notes, updated_by
+    ) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)`).run(id, display_name, display_name_en, kind, asset, chain, contract_address, decimals, icon, status, 'unconfigured', notes, user.id);
+        logPaymentChange('method', id, 'create', null, newRow, user.id, String(b.reason || ''));
+        res.json({ ok: true, id });
+    });
+    app.put('/api/admin/payment-methods/:id', (req, res) => {
+        const user = requireRootAdmin(req, res);
+        if (!user)
+            return;
+        const id = req.params.id;
+        const existing = db.prepare(`SELECT * FROM payment_methods WHERE id = ?`).get(id);
+        if (!existing)
+            return void res.status(404).json({ error: 'not_found' });
+        const b = req.body;
+        const updates = {};
+        if (b.display_name !== undefined) {
+            const v = String(b.display_name).trim();
+            if (v.length < 1 || v.length > 60)
+                return void res.status(400).json({ error: 'display_name 1-60 字' });
+            updates.display_name = v;
+        }
+        if (b.display_name_en !== undefined)
+            updates.display_name_en = b.display_name_en ? String(b.display_name_en).slice(0, 60) : null;
+        if (b.status !== undefined) {
+            if (!PAYMENT_METHOD_STATUSES.has(String(b.status)))
+                return void res.status(400).json({ error: 'status 非法' });
+            updates.status = String(b.status);
+        }
+        if (b.chain !== undefined)
+            updates.chain = b.chain ? String(b.chain).trim().toLowerCase().slice(0, 20) : null;
+        if (b.contract_address !== undefined)
+            updates.contract_address = b.contract_address ? String(b.contract_address).trim().slice(0, 80) : null;
+        if (b.decimals !== undefined) {
+            const d = Number(b.decimals);
+            if (!Number.isFinite(d) || d < 0 || d > 18)
+                return void res.status(400).json({ error: 'decimals 0-18' });
+            updates.decimals = d;
+        }
+        if (b.icon !== undefined)
+            updates.icon = b.icon ? String(b.icon).slice(0, 8) : null;
+        if (b.notes !== undefined)
+            updates.notes = b.notes ? String(b.notes).slice(0, 200) : null;
+        if (b.watcher_status !== undefined) {
+            const ws = String(b.watcher_status);
+            if (!['active', 'unconfigured', 'failing'].includes(ws))
+                return void res.status(400).json({ error: 'watcher_status 非法' });
+            updates.watcher_status = ws;
+        }
+        if (Object.keys(updates).length === 0)
+            return void res.status(400).json({ error: '无更新字段' });
+        const cols = Object.keys(updates).map(k => `${k} = ?`).join(', ');
+        const vals = Object.values(updates);
+        db.prepare(`UPDATE payment_methods SET ${cols}, updated_at = datetime('now'), updated_by = ? WHERE id = ?`).run(...vals, user.id, id);
+        logPaymentChange('method', id, 'update', existing, { ...existing, ...updates }, user.id, String(b.reason || ''));
+        res.json({ ok: true });
+    });
+    app.delete('/api/admin/payment-methods/:id', (req, res) => {
+        const user = requireRootAdmin(req, res);
+        if (!user)
+            return;
+        const id = req.params.id;
+        if (id === 'usdc_base')
+            return void res.status(400).json({ error: '默认协议方法 usdc_base 不可删除，可改为 deprecated 状态' });
+        const existing = db.prepare(`SELECT * FROM payment_methods WHERE id = ?`).get(id);
+        if (!existing)
+            return void res.status(404).json({ error: 'not_found' });
+        const refs = db.prepare(`SELECT COUNT(*) as n FROM region_payment_methods WHERE method_id = ? AND status = 'active'`).get(id).n;
+        if (refs > 0)
+            return void res.status(409).json({ error: `还有 ${refs} 条 active 区域映射引用该方法，请先停用` });
+        db.prepare(`DELETE FROM payment_methods WHERE id = ?`).run(id);
+        logPaymentChange('method', id, 'delete', existing, null, user.id, String((req.body || {}).reason || ''));
+        res.json({ ok: true });
+    });
+    // ─── region_payment_methods CRUD ──────────────────────────
+    app.get('/api/admin/region-payment-methods', (req, res) => {
+        const user = requireRootAdmin(req, res);
+        if (!user)
+            return;
+        const where = [];
+        const params = [];
+        if (req.query.region) {
+            where.push('rpm.region = ?');
+            params.push(String(req.query.region));
+        }
+        if (req.query.method_id) {
+            where.push('rpm.method_id = ?');
+            params.push(String(req.query.method_id));
+        }
+        const whereSql = where.length ? `WHERE ${where.join(' AND ')}` : '';
+        const rows = db.prepare(`
+      SELECT rpm.*, pm.display_name, pm.display_name_en, pm.icon, pm.asset, pm.chain
+      FROM region_payment_methods rpm JOIN payment_methods pm ON pm.id = rpm.method_id
+      ${whereSql}
+      ORDER BY rpm.region, pm.kind, pm.asset
+    `).all(...params);
+        res.json({ items: rows });
+    });
+    app.post('/api/admin/region-payment-methods', (req, res) => {
+        const user = requireRootAdmin(req, res);
+        if (!user)
+            return;
+        const b = req.body;
+        const region = String(b.region || '').trim().toLowerCase();
+        if (!/^[a-z_]{2,20}$/.test(region))
+            return void res.status(400).json({ error: 'region 必须是 2-20 位 [a-z_]' });
+        const method_id = String(b.method_id || '');
+        if (!db.prepare(`SELECT 1 FROM payment_methods WHERE id = ?`).get(method_id))
+            return void res.status(404).json({ error: 'method_id 不存在' });
+        const direction = String(b.direction || 'both');
+        if (!RPM_DIRECTIONS.has(direction))
+            return void res.status(400).json({ error: `direction 必须是 ${[...RPM_DIRECTIONS].join(' / ')}` });
+        const status = String(b.status || 'active');
+        if (!RPM_STATUSES.has(status))
+            return void res.status(400).json({ error: `status 必须是 ${[...RPM_STATUSES].join(' / ')}` });
+        const min_amount = b.min_amount != null ? Math.max(0, Number(b.min_amount)) : 0;
+        const max_amount = b.max_amount != null && b.max_amount !== '' ? Math.max(0, Number(b.max_amount)) : null;
+        const daily_cap = b.daily_cap != null && b.daily_cap !== '' ? Math.max(0, Number(b.daily_cap)) : null;
+        if (max_amount != null && min_amount > max_amount)
+            return void res.status(400).json({ error: 'min_amount 不能大于 max_amount' });
+        const notes = b.notes ? String(b.notes).slice(0, 200) : null;
+        const id = generateId('rpm');
+        try {
+            db.prepare(`INSERT INTO region_payment_methods (
+        id, region, method_id, direction, status, min_amount, max_amount, daily_cap, notes, updated_by
+      ) VALUES (?,?,?,?,?,?,?,?,?,?)`).run(id, region, method_id, direction, status, min_amount, max_amount, daily_cap, notes, user.id);
+        }
+        catch (e) {
+            if (String(e).includes('UNIQUE'))
+                return void res.status(409).json({ error: '同一 region + method + direction 已存在' });
+            throw e;
+        }
+        logPaymentChange('region_mapping', id, 'create', null, { region, method_id, direction, status, min_amount, max_amount, daily_cap, notes }, user.id, String(b.reason || ''));
+        res.json({ ok: true, id });
+    });
+    app.put('/api/admin/region-payment-methods/:id', (req, res) => {
+        const user = requireRootAdmin(req, res);
+        if (!user)
+            return;
+        const id = req.params.id;
+        const existing = db.prepare(`SELECT * FROM region_payment_methods WHERE id = ?`).get(id);
+        if (!existing)
+            return void res.status(404).json({ error: 'not_found' });
+        const b = req.body;
+        const updates = {};
+        if (b.status !== undefined) {
+            if (!RPM_STATUSES.has(String(b.status)))
+                return void res.status(400).json({ error: 'status 非法' });
+            updates.status = String(b.status);
+        }
+        if (b.min_amount !== undefined)
+            updates.min_amount = Math.max(0, Number(b.min_amount));
+        if (b.max_amount !== undefined)
+            updates.max_amount = b.max_amount === null || b.max_amount === '' ? null : Math.max(0, Number(b.max_amount));
+        if (b.daily_cap !== undefined)
+            updates.daily_cap = b.daily_cap === null || b.daily_cap === '' ? null : Math.max(0, Number(b.daily_cap));
+        if (b.notes !== undefined)
+            updates.notes = b.notes ? String(b.notes).slice(0, 200) : null;
+        if (Object.keys(updates).length === 0)
+            return void res.status(400).json({ error: '无更新字段' });
+        // min/max 交叉校验
+        const newMin = updates.min_amount != null ? Number(updates.min_amount) : Number(existing.min_amount);
+        const newMax = updates.max_amount !== undefined ? updates.max_amount : existing.max_amount;
+        if (newMax != null && newMin > newMax)
+            return void res.status(400).json({ error: 'min_amount 不能大于 max_amount' });
+        const cols = Object.keys(updates).map(k => `${k} = ?`).join(', ');
+        const vals = Object.values(updates);
+        db.prepare(`UPDATE region_payment_methods SET ${cols}, updated_at = datetime('now'), updated_by = ? WHERE id = ?`).run(...vals, user.id, id);
+        logPaymentChange('region_mapping', id, 'update', existing, { ...existing, ...updates }, user.id, String(b.reason || ''));
+        res.json({ ok: true });
+    });
+    app.delete('/api/admin/region-payment-methods/:id', (req, res) => {
+        const user = requireRootAdmin(req, res);
+        if (!user)
+            return;
+        const id = req.params.id;
+        const existing = db.prepare(`SELECT * FROM region_payment_methods WHERE id = ?`).get(id);
+        if (!existing)
+            return void res.status(404).json({ error: 'not_found' });
+        if (existing.region === 'global' && existing.method_id === 'usdc_base') {
+            return void res.status(400).json({ error: '默认协议映射 global × usdc_base 不可删除' });
+        }
+        db.prepare(`DELETE FROM region_payment_methods WHERE id = ?`).run(id);
+        logPaymentChange('region_mapping', id, 'delete', existing, null, user.id, String((req.body || {}).reason || ''));
+        res.json({ ok: true });
+    });
+}

package/dist/pwa/routes/peers.js

@@ -0,0 +1,34 @@
+export function registerPeersRoutes(app, deps) {
+    const { db, auth } = deps;
+    app.post('/api/peers/heartbeat', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        const hashes = Array.isArray(req.body?.hashes) ? req.body.hashes : [];
+        const pinIntents = Array.isArray(req.body?.pin_intents) ? new Set(req.body.pin_intents) : new Set();
+        const now = new Date().toISOString();
+        let registered = 0;
+        for (const h of hashes) {
+            if (typeof h !== 'string' || !/^[a-f0-9]{64}$/.test(h))
+                continue;
+            const m = db.prepare("SELECT owner_id, status FROM manifest_registry WHERE hash = ?").get(h);
+            if (!m || m.status !== 'active')
+                continue;
+            const isOwner = m.owner_id === me.id ? 1 : 0;
+            const pinIntent = pinIntents.has(h) ? 1 : 0;
+            db.prepare(`INSERT INTO peer_directory (peer_id, manifest_hash, is_owner, pin_intent, last_heartbeat)
+                  VALUES (?,?,?,?,?)
+                  ON CONFLICT(peer_id, manifest_hash) DO UPDATE SET is_owner=excluded.is_owner, pin_intent=excluded.pin_intent, last_heartbeat=excluded.last_heartbeat`)
+                .run(me.id, h, isOwner, pinIntent, now);
+            registered++;
+        }
+        res.json({ ok: true, registered });
+    });
+    app.delete('/api/peers/:hash', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        db.prepare("DELETE FROM peer_directory WHERE peer_id = ? AND manifest_hash = ?").run(me.id, req.params.hash);
+        res.json({ ok: true });
+    });
+}

package/dist/pwa/routes/pin-receipts.js

@@ -0,0 +1,39 @@
+export function registerPinReceiptsRoutes(app, deps) {
+    const { db, auth, generateId } = deps;
+    app.post('/api/pin-receipts', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        const { manifest_hash, pinner_id, bytes_served, served_at, pinner_sig, recipient_sig } = req.body || {};
+        if (!manifest_hash || !pinner_id || !pinner_sig || !recipient_sig || !served_at) {
+            return void res.json({ error: '缺少字段' });
+        }
+        if (typeof bytes_served !== 'number' || bytes_served <= 0 || bytes_served > 500 * 1024 * 1024) {
+            return void res.json({ error: 'bytes_served 不合法' });
+        }
+        if (pinner_id === me.id)
+            return void res.json({ error: 'pinner 不能是自己' });
+        const m = db.prepare("SELECT 1 FROM manifest_registry WHERE hash = ? AND status = 'active'").get(manifest_hash);
+        if (!m)
+            return void res.json({ error: 'manifest 不存在或已下架' });
+        const dup = db.prepare(`SELECT id FROM pin_receipts WHERE manifest_hash = ? AND pinner_id = ? AND recipient_id = ? AND served_at > datetime('now', '-1 day')`).get(manifest_hash, pinner_id, me.id);
+        if (dup)
+            return void res.json({ error: '24 小时内已有相同 pin 回执' });
+        const id = generateId('pin');
+        db.prepare(`INSERT INTO pin_receipts (id, manifest_hash, pinner_id, recipient_id, bytes_served, served_at, pinner_sig, recipient_sig)
+                VALUES (?,?,?,?,?,?,?,?)`)
+            .run(id, manifest_hash, pinner_id, me.id, bytes_served, served_at, pinner_sig, recipient_sig);
+        db.prepare(`UPDATE peer_directory SET bytes_served_total = bytes_served_total + ? WHERE peer_id = ? AND manifest_hash = ?`)
+            .run(bytes_served, pinner_id, manifest_hash);
+        res.json({ ok: true, id });
+    });
+    app.get('/api/pin-receipts/mine', (req, res) => {
+        const me = auth(req, res);
+        if (!me)
+            return;
+        const earned = db.prepare(`SELECT COALESCE(SUM(rewarded_waz), 0) as total, COUNT(*) as count FROM pin_receipts WHERE pinner_id = ? AND rewarded_at IS NOT NULL`).get(me.id);
+        const pending = db.prepare(`SELECT COUNT(*) as n FROM pin_receipts WHERE pinner_id = ? AND rewarded_at IS NULL`).get(me.id);
+        const recent = db.prepare(`SELECT p.*, m.title as manifest_title FROM pin_receipts p LEFT JOIN manifest_registry m ON m.hash = p.manifest_hash WHERE p.pinner_id = ? ORDER BY p.served_at DESC LIMIT 20`).all(me.id);
+        res.json({ earned, pending_count: pending.n, recent });
+    });
+}