@seasonkoh/webaz 0.1.8 → 0.1.9

package/dist/pwa/routes/products-list.js

@@ -0,0 +1,424 @@
+import { createHmac } from 'crypto';
+export function registerProductsListRoutes(app, deps) {
+    const { db, getUser, VALID_PRODUCT_TYPES, RAW_MODE_MIN_TRUST, getAgentTrustCached, VALID_SORTS, PRODUCT_LIMITS, TRENDING_SCORE_EXPR, findProductsByAlias, decodeProductCursor, encodeProductCursor, MASTER_SEED, formatProductForAgent } = deps;
+    app.get('/api/products', (req, res) => {
+        const { q = '', category, max_price, min_return_days, max_handling_hours, has_sales, ship_to, mode: modeRaw = 'pwa', sort: sortRaw, cursor, limit: limitRaw, seller_id, product_type: productTypeRaw, fuzzy: fuzzyRaw, since_days: sinceDaysRaw } = req.query;
+        let mode = modeRaw === 'agent' ? 'agent' : (modeRaw === 'raw' ? 'raw' : 'pwa');
+        // fuzzy=true → 发现页用，模糊 LIKE；否则用协议级 alias 精确匹配（智能下单页）
+        const isFuzzy = fuzzyRaw === 'true' || fuzzyRaw === '1';
+        // product_type 过滤：pwa 默认 retail（不混 B2B/数字/服务）；agent/raw 不默认过滤
+        let productTypeFilter = null;
+        if (typeof productTypeRaw === 'string' && productTypeRaw && VALID_PRODUCT_TYPES.has(productTypeRaw)) {
+            productTypeFilter = productTypeRaw;
+        }
+        else if (productTypeRaw === 'all') {
+            productTypeFilter = null;
+        }
+        else if (mode === 'pwa') {
+            productTypeFilter = 'retail';
+        }
+        const me = getUser(req); // 可选 auth — 登录用户应用黑名单过滤
+        // raw mode 鉴权（trust_score ≥ RAW_MODE_MIN_TRUST）
+        if (mode === 'raw') {
+            const key = req.headers.authorization?.replace('Bearer ', '') ?? '';
+            if (!key)
+                return void res.status(401).json({ error: 'raw_mode_requires_auth', min_trust: RAW_MODE_MIN_TRUST });
+            const t = getAgentTrustCached(key);
+            if (!t || t.trust_score < RAW_MODE_MIN_TRUST) {
+                return void res.status(403).json({
+                    error: 'raw_mode_trust_insufficient',
+                    your_trust: t?.trust_score ?? 0,
+                    min_trust: RAW_MODE_MIN_TRUST,
+                    hint: '提升 trust_score 后可使用 raw mode：见 /api/agents/me/reputation',
+                });
+            }
+        }
+        // 排序模式
+        let sort = (typeof sortRaw === 'string' && VALID_SORTS.has(sortRaw)) ? sortRaw : 'trending';
+        // #977：新品发现 (has_sales=false) trending/recommended 转用卖家维度
+        const isNewArrivalsCtx = has_sales === 'false';
+        // limit
+        const cap = PRODUCT_LIMITS[mode];
+        let lim = Number(limitRaw);
+        if (!Number.isFinite(lim) || lim <= 0)
+            lim = mode === 'pwa' ? 30 : (mode === 'raw' ? 100 : 50);
+        if (lim > cap)
+            lim = cap;
+        // 内层 SELECT：把 score 计算出来，外层用它过滤 + 排序
+        // recommend_count = 已购买的买家中 4 星+ 评价的去重数（一个买家只能推荐一次）
+        const innerSelect = `SELECT p.*, u.name as seller_name, u.created_at as seller_created_at,
+      COALESCE(rs.total_points, 0) as rep_points, COALESCE(rs.level, 'new') as rep_level,
+      COALESCE(rs.transactions_done, 0) as seller_tx_count,
+      pc.seasonal_months as seasonal_months,
+      (SELECT COUNT(1) FROM orders o WHERE o.product_id = p.id AND o.status = 'completed') as sales_count,
+      (SELECT COUNT(DISTINCT buyer_id) FROM order_ratings r WHERE r.product_id = p.id AND r.stars >= 4) as recommend_count,
+      (SELECT COUNT(*) FROM dispute_cases dc WHERE dc.seller_id = p.seller_id) as seller_dispute_count,
+      -- 卖家仲裁胜率：无案件视为 0.8 中性（未经检验）；有案件按真实比率
+      CASE
+        WHEN (SELECT COUNT(*) FROM dispute_cases WHERE seller_id = p.seller_id) = 0 THEN 0.8
+        ELSE CAST((SELECT COUNT(*) FROM dispute_cases WHERE seller_id = p.seller_id AND winner = 'seller') AS REAL) /
+             (SELECT COUNT(*) FROM dispute_cases WHERE seller_id = p.seller_id)
+      END as seller_win_rate,
+      -- #977：卖家维度聚合 — 新品发现页按卖家排序
+      (SELECT COUNT(DISTINCT r2.buyer_id) FROM order_ratings r2
+         JOIN products p2 ON p2.id = r2.product_id
+         WHERE p2.seller_id = p.seller_id AND r2.stars >= 4) as seller_recommend_count,
+      -- #982：测评免单标记
+      (SELECT quota_total - quota_claimed FROM product_trial_campaigns
+         WHERE product_id = p.id AND status = 'active') as trial_quota_remaining,
+      ${TRENDING_SCORE_EXPR} as trending_score`;
+        let where = `WHERE p.status = 'active' AND p.stock > 0
+        AND COALESCE(u.listing_paused, 0) = 0
+        AND NOT (
+          EXISTS (SELECT 1 FROM product_external_links pel WHERE pel.product_id = p.id AND pel.revoked = 1)
+          AND NOT EXISTS (SELECT 1 FROM product_external_links pel WHERE pel.product_id = p.id AND pel.verified = 1 AND (pel.revoked IS NULL OR pel.revoked = 0))
+        )`;
+        const params = [];
+        if (me?.id) {
+            where += ` AND u.id NOT IN (SELECT blocked_id FROM user_blocklist WHERE blocker_id = ?)`;
+            params.push(me.id);
+        }
+        // fuzzy=true 含义升级为 strict → fuzzy 自动回退
+        let matchMode = 'none';
+        if (q) {
+            const ids = [...findProductsByAlias(String(q))];
+            if (ids.length > 0) {
+                where += ` AND p.id IN (${ids.map(() => '?').join(',')})`;
+                params.push(...ids);
+                matchMode = 'strict';
+            }
+            else if (isFuzzy) {
+                // strict 无果 → fallback 模糊匹配
+                // P0 fix: 转义用户输入里的 LIKE 通配符 % _ \ 防止 "%abc"/"a_b" 过宽
+                const qStr = String(q).trim().slice(0, 100).replace(/[\\%_]/g, '\\$&');
+                where += ` AND (p.title LIKE ? ESCAPE '\\' OR p.description LIKE ? ESCAPE '\\' OR p.category LIKE ? ESCAPE '\\' OR COALESCE(p.brand,'') LIKE ? ESCAPE '\\')`;
+                params.push(`%${qStr}%`, `%${qStr}%`, `%${qStr}%`, `%${qStr}%`);
+                matchMode = 'fuzzy';
+            }
+            else {
+                // strict 无果 + 不允许 fuzzy → 协议契约 0 命中
+                where += ` AND 1 = 0`;
+            }
+        }
+        if (category) {
+            where += ` AND p.category = ?`;
+            params.push(category);
+        }
+        if (max_price) {
+            where += ` AND p.price <= ?`;
+            params.push(Number(max_price));
+        }
+        if (min_return_days) {
+            where += ` AND p.return_days >= ?`;
+            params.push(Number(min_return_days));
+        }
+        if (max_handling_hours) {
+            where += ` AND p.handling_hours <= ?`;
+            params.push(Number(max_handling_hours));
+        }
+        if (seller_id) {
+            where += ` AND p.seller_id = ?`;
+            params.push(String(seller_id));
+        }
+        if (productTypeFilter) {
+            where += ` AND COALESCE(p.product_type, 'retail') = ?`;
+            params.push(productTypeFilter);
+        }
+        if (ship_to && typeof ship_to === 'string' && ship_to.trim()) {
+            const target = ship_to.trim();
+            where += ` AND (p.ship_regions = '全国' OR p.ship_regions LIKE ? OR p.ship_regions LIKE ? OR p.ship_regions LIKE ? OR p.ship_regions = ?)`;
+            params.push(`${target},%`, `%,${target},%`, `%,${target}`, target);
+            where += ` AND (p.excluded_regions IS NULL OR p.excluded_regions = '' OR (p.excluded_regions NOT LIKE ? AND p.excluded_regions NOT LIKE ? AND p.excluded_regions NOT LIKE ? AND p.excluded_regions != ?))`;
+            params.push(`${target},%`, `%,${target},%`, `%,${target}`, target);
+        }
+        // #987：has_trial=true 优先级高于 has_sales=false
+        if (has_sales === 'true') {
+            where += ` AND EXISTS (SELECT 1 FROM orders WHERE product_id = p.id AND status = 'completed')`;
+        }
+        else if (has_sales === 'false' && req.query.has_trial !== 'true') {
+            where += ` AND NOT EXISTS (SELECT 1 FROM orders WHERE product_id = p.id AND status = 'completed')`;
+        }
+        // P1-4：新品发现时段过滤
+        if (sinceDaysRaw && typeof sinceDaysRaw === 'string') {
+            const d = Number(sinceDaysRaw);
+            if (Number.isFinite(d) && d > 0 && d <= 365) {
+                where += ` AND p.created_at >= datetime('now', '-' || ? || ' days')`;
+                params.push(d);
+            }
+        }
+        // #987：has_trial=true 只返回开了测评免单 + 还有名额的商品
+        if (req.query.has_trial === 'true') {
+            where += ` AND EXISTS (SELECT 1 FROM product_trial_campaigns ptc WHERE ptc.product_id = p.id AND ptc.status='active' AND ptc.quota_claimed < ptc.quota_total)`;
+        }
+        const baseFrom = `FROM products p JOIN users u ON p.seller_id = u.id LEFT JOIN reputation_scores rs ON rs.user_id = p.seller_id LEFT JOIN product_categories pc ON pc.id = p.category_id ${where}`;
+        // 排序 + cursor
+        // Sprint 5-D: claim_loss_count ASC 全 sort 最高优先级
+        let orderBy = '';
+        let cursorClause = '';
+        const cursorParams = [];
+        if (sort === 'trending') {
+            if (isNewArrivalsCtx) {
+                // 新品页：按卖家近期交易量降序
+                orderBy = ` ORDER BY COALESCE(claim_loss_count, 0) ASC, seller_tx_count DESC, created_at DESC, id DESC`;
+            }
+            else {
+                orderBy = ` ORDER BY COALESCE(claim_loss_count, 0) ASC, trending_score DESC, id DESC`;
+                if (typeof cursor === 'string') {
+                    const c = decodeProductCursor(cursor);
+                    if (c) {
+                        cursorClause = ` AND (trending_score < ? OR (trending_score = ? AND id < ?))`;
+                        cursorParams.push(c.score, c.score, c.id);
+                    }
+                }
+            }
+        }
+        else if (sort === 'newest') {
+            orderBy = ` ORDER BY COALESCE(claim_loss_count, 0) ASC, created_at DESC, id DESC`;
+            if (typeof cursor === 'string') {
+                const c = decodeProductCursor(cursor);
+                if (c) {
+                    cursorClause = ` AND (julianday(created_at) < ? OR (julianday(created_at) = ? AND id < ?))`;
+                    cursorParams.push(c.score, c.score, c.id);
+                }
+            }
+        }
+        else if (sort === 'rating') {
+            orderBy = ` ORDER BY COALESCE(claim_loss_count, 0) ASC, rep_points DESC, id DESC`;
+        }
+        else if (sort === 'price_asc') {
+            orderBy = ` ORDER BY COALESCE(claim_loss_count, 0) ASC, price ASC, id ASC`;
+        }
+        else if (sort === 'price_desc') {
+            orderBy = ` ORDER BY COALESCE(claim_loss_count, 0) ASC, price DESC, id DESC`;
+        }
+        else if (sort === 'random') {
+            orderBy = ` ORDER BY COALESCE(claim_loss_count, 0) ASC, RANDOM()`;
+        }
+        else if (sort === 'recommended') {
+            if (isNewArrivalsCtx) {
+                orderBy = ` ORDER BY COALESCE(claim_loss_count, 0) ASC, seller_recommend_count DESC, seller_tx_count DESC, id DESC`;
+            }
+            else {
+                orderBy = ` ORDER BY COALESCE(claim_loss_count, 0) ASC, recommend_count DESC, sales_count DESC, id DESC`;
+            }
+        }
+        else if (sort === 'seller_win_rate') {
+            orderBy = ` ORDER BY COALESCE(claim_loss_count, 0) ASC, seller_win_rate DESC, seller_dispute_count DESC, id DESC`;
+        }
+        // 多取候选 buffer 用于 jitter 排序 + 单卖家上限
+        const applySellerCap = !seller_id;
+        const SELLER_CAP = 3;
+        const buffer = (sort === 'trending' || applySellerCap) ? Math.min(lim * 3, lim + 30) : lim;
+        const sql = `SELECT * FROM (${innerSelect} ${baseFrom}) WHERE 1=1 ${cursorClause} ${orderBy} LIMIT ?`;
+        const finalParams = [...params, ...cursorParams, buffer];
+        let candidates;
+        try {
+            candidates = db.prepare(sql).all(...finalParams);
+        }
+        catch (e) {
+            console.error('[/api/products] sql error:', e, '\nSQL:', sql);
+            return void res.status(500).json({ error: 'query_failed' });
+        }
+        // 单卖家 slot 上限
+        let filtered = candidates;
+        if (applySellerCap) {
+            const perSeller = new Map();
+            filtered = [];
+            for (const c of candidates) {
+                const sid = String(c.seller_id);
+                const n = perSeller.get(sid) || 0;
+                if (n >= SELLER_CAP)
+                    continue;
+                perSeller.set(sid, n + 1);
+                filtered.push(c);
+                if (filtered.length >= lim + 10)
+                    break;
+            }
+        }
+        // 温和 jitter：仅 trending + pwa
+        let rows = filtered;
+        if (sort === 'trending' && mode === 'pwa' && rows.length > 1) {
+            const jittered = rows.map(r => ({ r, k: (Number(r.trending_score) || 0) + (Math.random() - 0.5) }));
+            jittered.sort((a, b) => b.k - a.k);
+            rows = jittered.map(x => x.r);
+        }
+        // 新卖家 slot 保护（trending only, ≤90d）
+        const NEW_SELLER_SLOTS = 2;
+        const NEW_SELLER_AGE_MS = 90 * 86400_000;
+        if (sort === 'trending' && !seller_id && rows.length > NEW_SELLER_SLOTS) {
+            const headSliceForCheck = rows.slice(0, lim);
+            const headSellerSet = new Set(headSliceForCheck.map(r => String(r.seller_id)));
+            const newSellerCandidates = [];
+            for (const r of rows) {
+                const sid = String(r.seller_id);
+                if (newSellerCandidates.some(x => String(x.seller_id) === sid))
+                    continue;
+                if (headSellerSet.has(sid))
+                    continue;
+                const sc = r.seller_created_at;
+                if (!sc)
+                    continue;
+                const ageMs = Date.now() - new Date(sc.replace(' ', 'T') + 'Z').getTime();
+                if (ageMs <= NEW_SELLER_AGE_MS) {
+                    newSellerCandidates.push(r);
+                    if (newSellerCandidates.length >= NEW_SELLER_SLOTS)
+                        break;
+                }
+            }
+            if (newSellerCandidates.length) {
+                const newSet = new Set(newSellerCandidates.map(r => String(r.id)));
+                const others = rows.filter(r => !newSet.has(String(r.id)));
+                const keepHead = others.slice(0, lim - newSellerCandidates.length);
+                rows = [...keepHead, ...newSellerCandidates];
+            }
+        }
+        rows = rows.slice(0, lim);
+        // 下一页 cursor — 基于 rows 中 raw score 最低位（防 jitter 翻页丢候选）
+        let nextCursor = null;
+        const hasMore = ((sort === 'trending' || sort === 'newest')
+            && rows.length > 0
+            && (candidates.length >= buffer || rows.length === lim));
+        if (hasMore) {
+            let anchor = rows[0];
+            for (const r of rows) {
+                const aScore = Number(anchor.trending_score) || 0;
+                const rScore = Number(r.trending_score) || 0;
+                if (sort === 'trending') {
+                    if (rScore < aScore || (rScore === aScore && String(r.id) < String(anchor.id)))
+                        anchor = r;
+                }
+                else {
+                    if (String(r.created_at) < String(anchor.created_at) || (String(r.created_at) === String(anchor.created_at) && String(r.id) < String(anchor.id)))
+                        anchor = r;
+                }
+            }
+            if (sort === 'trending') {
+                nextCursor = encodeProductCursor(Number(anchor.trending_score) || 0, String(anchor.id));
+            }
+            else {
+                const jd = db.prepare(`SELECT julianday(?) as j`).get(anchor.created_at).j;
+                nextCursor = encodeProductCursor(jd, String(anchor.id));
+            }
+        }
+        if (nextCursor)
+            res.setHeader('X-Next-Cursor', nextCursor);
+        res.setHeader('X-Sort', sort);
+        res.setHeader('X-Mode', mode);
+        if (matchMode !== 'none')
+            res.setHeader('X-Match-Mode', matchMode);
+        res.setHeader('Access-Control-Expose-Headers', 'X-Next-Cursor, X-Sort, X-Mode, X-Match-Mode');
+        if (mode === 'pwa') {
+            // 兼容旧前端：返回数组；cursor 走 X-Next-Cursor header
+            // 库存稀缺感 — stock ≤3 且 last_sold_at 近 7d 才标 low_stock
+            return void res.json(rows.map(r => {
+                const stockNum = Number(r.stock) || 0;
+                const lastSoldRecent = r.last_sold_at
+                    && (Date.now() - new Date(String(r.last_sold_at).replace(' ', 'T') + 'Z').getTime()) < 7 * 86400_000;
+                const lowStock = stockNum > 0 && stockNum <= 3 && lastSoldRecent;
+                return {
+                    ...formatProductForAgent(r),
+                    sales_count: Number(r.sales_count) || 0,
+                    product_type: r.product_type || 'retail',
+                    low_stock: lowStock ? stockNum : 0,
+                };
+            }));
+        }
+        if (mode === 'raw') {
+            // 原始数据 + HMAC 签名（trust ≥ 30 已通过）
+            const payload = {
+                mode, sort, limit: lim, cursor: nextCursor,
+                generated_at: new Date().toISOString(),
+                count: rows.length,
+                products: rows.map(r => ({
+                    id: r.id,
+                    title: r.title,
+                    seller_id: r.seller_id,
+                    seller_name: r.seller_name,
+                    price: r.price,
+                    stock: r.stock,
+                    category: r.category,
+                    category_id: r.category_id,
+                    ship_regions: r.ship_regions,
+                    commission_rate: r.commission_rate,
+                    rep_points: Number(r.rep_points) || 0,
+                    rep_level: r.rep_level || 'new',
+                    completion_count: Number(r.completion_count) || 0,
+                    dispute_loss_count: Number(r.dispute_loss_count) || 0,
+                    unique_sharer_count: Number(r.unique_sharer_count) || 0,
+                    last_sold_at: r.last_sold_at,
+                    sales_count: Number(r.sales_count) || 0,
+                    trending_score: Number(r.trending_score) || 0,
+                    created_at: r.created_at,
+                })),
+            };
+            const signature = createHmac('sha256', MASTER_SEED).update(JSON.stringify(payload)).digest('hex');
+            res.setHeader('X-Signature', signature);
+            res.setHeader('X-Signature-Algo', 'HMAC-SHA256');
+            return void res.json(payload);
+        }
+        // agent 模式：富信息 + 元数据
+        res.json({
+            mode, sort, limit: lim, cursor: nextCursor,
+            count: rows.length,
+            products: rows.map(r => {
+                const formatted = formatProductForAgent(r);
+                const completion = Number(r.completion_count) || 0;
+                const dispute = Number(r.dispute_loss_count) || 0;
+                const sharer = Number(r.unique_sharer_count) || 0;
+                const rep = Number(r.rep_points) || 0;
+                // 与 SQL TRENDING_SCORE_EXPR 阶梯保持一致
+                const ageDaysSinceSold = r.last_sold_at
+                    ? (Date.now() - new Date(String(r.last_sold_at).replace(' ', 'T') + 'Z').getTime()) / 86400_000
+                    : null;
+                let freshness = 0;
+                if (ageDaysSinceSold !== null) {
+                    if (ageDaysSinceSold < 30)
+                        freshness = 10;
+                    else if (ageDaysSinceSold < 90)
+                        freshness = 10 * (1 - (ageDaysSinceSold - 30) / 60);
+                    else if (ageDaysSinceSold < 180)
+                        freshness = -5;
+                    else
+                        freshness = -15;
+                }
+                const ageDaysSinceFirst = r.first_sold_at
+                    ? (Date.now() - new Date(String(r.first_sold_at).replace(' ', 'T') + 'Z').getTime()) / 86400_000
+                    : null;
+                const firstSaleBoost = ageDaysSinceFirst !== null && ageDaysSinceFirst < 14 ? 5 : 0;
+                // 季节性：与 SQL CASE 同步
+                const seasonalCsv = r.seasonal_months;
+                let seasonalPenalty = 0;
+                if (seasonalCsv) {
+                    const currentMonth = new Date().getUTCMonth() + 1;
+                    const activeMonths = seasonalCsv.split(',').map(s => Number(s.trim())).filter(n => n >= 1 && n <= 12);
+                    if (activeMonths.length && !activeMonths.includes(currentMonth))
+                        seasonalPenalty = -10;
+                }
+                const score = Number(r.trending_score) || 0;
+                return {
+                    ...formatted,
+                    sales_count: Number(r.sales_count) || 0,
+                    metrics: {
+                        completion_count: completion,
+                        dispute_loss_count: dispute,
+                        unique_sharer_count: sharer,
+                        last_sold_at: r.last_sold_at || null,
+                        first_sold_at: r.first_sold_at || null,
+                        rep_points: rep,
+                        rep_level: r.rep_level || 'new',
+                    },
+                    score,
+                    score_breakdown: {
+                        completion: Math.round(completion * 0.5 * 100) / 100,
+                        rep: Math.round(rep * 0.1 * 100) / 100,
+                        unique_sharer: Math.round(sharer * 2.0 * 100) / 100,
+                        freshness: Math.round(freshness * 100) / 100,
+                        first_sale_boost: firstSaleBoost,
+                        seasonal_penalty: seasonalPenalty,
+                        dispute_penalty: Math.round(-dispute * 5.0 * 100) / 100,
+                    },
+                };
+            }),
+        });
+    });
+}

package/dist/pwa/routes/products-meta.js

@@ -0,0 +1,155 @@
+export function registerProductsMetaRoutes(app, deps) {
+    const { db, auth, generateId, rateLimitOk, flagNewAccountShareable, refreshProductSharerCount } = deps;
+    const PH_RATE = 60; // 每 IP/分钟 60 次
+    const PH_MIN_SAMPLE = 5;
+    app.get('/api/products/:id/price-history', (req, res) => {
+        const ip = req.ip || 'unknown';
+        if (!rateLimitOk(`ph:${ip}`, PH_RATE, 60_000))
+            return void res.status(429).json({ error: 'rate-limited' });
+        const p = db.prepare("SELECT id, price as current_price, category, category_id FROM products WHERE id = ?").get(req.params.id);
+        if (!p)
+            return void res.status(404).json({ error: 'not_found' });
+        const lifetimeCount = db.prepare(`SELECT COUNT(1) as n FROM orders WHERE product_id = ? AND status = 'completed'`).get(req.params.id).n;
+        if (lifetimeCount < PH_MIN_SAMPLE) {
+            return void res.json({ product_id: req.params.id, current_price: p.current_price, insufficient_data: true, lifetime_sales: lifetimeCount, min_sample: PH_MIN_SAMPLE });
+        }
+        function aggregateWindow(days) {
+            const where = days != null
+                ? `product_id = ? AND status = 'completed' AND created_at > datetime('now', '-' || ? || ' days')`
+                : `product_id = ? AND status = 'completed'`;
+            const args = days != null ? [req.params.id, days] : [req.params.id];
+            const row = db.prepare(`
+        SELECT COUNT(1) as sales, COALESCE(SUM(total_amount), 0) as volume,
+          COALESCE(AVG(unit_price), 0) as avg
+        FROM orders WHERE ${where}
+      `).get(...args);
+            if (row.sales === 0)
+                return { sales: 0, volume: 0, avg: 0, median: 0, p25: 0, p75: 0 };
+            // SQLite 无 percentile 函数；P1 fix #1: LIMIT 5000 防爆
+            const prices = db.prepare(`SELECT unit_price FROM orders WHERE ${where} ORDER BY unit_price ASC LIMIT 5000`).all(...args).map(r => Number(r.unit_price));
+            // P1 fix #2: 真百分位（linear interp）
+            const pct = (frac) => {
+                if (!prices.length)
+                    return 0;
+                const idx = (prices.length - 1) * frac;
+                const lo = Math.floor(idx);
+                const hi = Math.ceil(idx);
+                if (lo === hi)
+                    return prices[lo];
+                const w = idx - lo;
+                return Math.round((prices[lo] * (1 - w) + prices[hi] * w) * 100) / 100;
+            };
+            return {
+                sales: row.sales,
+                volume: Math.round(row.volume * 100) / 100,
+                avg: Math.round(row.avg * 100) / 100,
+                median: pct(0.5),
+                p25: pct(0.25),
+                p75: pct(0.75),
+            };
+        }
+        const d30 = aggregateWindow(30);
+        const d90 = aggregateWindow(90);
+        const lifetime = aggregateWindow(null);
+        // 价位分布（90 天内，最多 20 个 bucket）
+        const buckets = db.prepare(`
+      SELECT unit_price as price, COUNT(1) as count, COALESCE(SUM(quantity), COUNT(1)) as qty
+      FROM orders WHERE product_id = ? AND status = 'completed' AND created_at > datetime('now', '-90 days')
+      GROUP BY unit_price ORDER BY unit_price ASC LIMIT 20
+    `).all(req.params.id);
+        const totalBucketSales = buckets.reduce((s, b) => s + b.count, 0) || 1;
+        const priceBuckets = buckets.map(b => ({
+            price: Number(b.price),
+            count: b.count,
+            qty: b.qty,
+            pct: Math.round((b.count / totalBucketSales) * 10000) / 100,
+        }));
+        // 30 日日均价 sparkline — P1 fix #4: 单日 sales=1 不返回 avg（防反查买家身份）
+        const daily = db.prepare(`
+      SELECT substr(created_at, 1, 10) as date, COUNT(1) as sales, AVG(unit_price) as avg
+      FROM orders WHERE product_id = ? AND status = 'completed' AND created_at > datetime('now', '-30 days')
+      GROUP BY date ORDER BY date ASC
+    `).all(req.params.id);
+        const dailyAvg = daily.map(d => ({
+            date: d.date,
+            sales: d.sales,
+            avg: d.sales >= 2 ? Math.round(Number(d.avg) * 100) / 100 : null,
+        }));
+        // 同类目近 30 天均价对照（cat_default 不算 meaningful）
+        let categoryAvg30d = null;
+        if (p.category_id && p.category_id !== 'cat_default') {
+            const row = db.prepare(`
+        SELECT AVG(o.unit_price) as avg FROM orders o JOIN products p ON p.id = o.product_id
+        WHERE p.category_id = ? AND o.status = 'completed' AND o.created_at > datetime('now', '-30 days')
+      `).get(p.category_id);
+            categoryAvg30d = row.avg != null ? Math.round(Number(row.avg) * 100) / 100 : null;
+        }
+        // 异常预警
+        const flags = [];
+        if (d30.median > 0 && p.current_price < d30.median * 0.7)
+            flags.push('current_below_70pct_median');
+        if (categoryAvg30d != null && p.current_price < categoryAvg30d * 0.5)
+            flags.push('far_below_category_avg');
+        if (categoryAvg30d != null && p.current_price > categoryAvg30d * 3)
+            flags.push('far_above_category_avg');
+        res.json({
+            product_id: req.params.id,
+            current_price: p.current_price,
+            insufficient_data: false,
+            windows: { d30, d90, lifetime },
+            price_buckets: priceBuckets,
+            daily_avg: dailyAvg,
+            category_avg_30d: categoryAvg30d,
+            anomaly_flags: flags,
+        });
+    });
+    // 公开预览：未登录可调，返回最小公开信息（分享 banner 用）
+    app.get('/api/products/:id/preview', (req, res) => {
+        const row = db.prepare(`
+      SELECT p.id, p.title, p.price, p.category, u.name as seller_name
+      FROM products p
+      JOIN users u ON p.seller_id = u.id
+      WHERE p.id = ? AND p.status = 'active'
+    `).get(req.params.id);
+        if (!row)
+            return void res.status(404).json({ error: 'not_found' });
+        res.json(row);
+    });
+    // 分享许可：是否对该商品有 completed 订单
+    app.get('/api/products/:id/can-share', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const completed = db.prepare("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND product_id = ? AND status = 'completed'").get(user.id, req.params.id).n;
+        res.json({
+            can_share: completed > 0,
+            completed_orders: completed,
+            reason: completed > 0 ? 'verified_buyer_of_product' : 'need_completed_order_of_this_product',
+        });
+    });
+    // 获取或创建商品 shareable（被 sharePromoLink 用，走 /s/<id> 短链）
+    app.post('/api/products/:id/get-or-create-share', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const productId = req.params.id;
+        const completed = db.prepare("SELECT COUNT(*) as n FROM orders WHERE buyer_id = ? AND product_id = ? AND status = 'completed'").get(user.id, productId).n;
+        if (completed === 0)
+            return void res.json({ error: '需先完成该商品的购买才能分享', completed_orders: 0 });
+        // 优先复用现有 active shareable
+        const existing = db.prepare(`SELECT id, owner_code FROM shareables WHERE owner_id = ? AND related_product_id = ? AND status = 'active' LIMIT 1`).get(user.id, productId);
+        if (existing) {
+            return void res.json({ ok: true, shareable_id: existing.id, owner_code: existing.owner_code, short_url: `/s/${existing.id}`, reused: true });
+        }
+        // 创建新 shareable（纯商品分享：无外链，无 native，仅绑 product_id）
+        const id = generateId('shr');
+        const ownerCode = db.prepare("SELECT permanent_code FROM users WHERE id = ?").get(user.id)?.permanent_code || null;
+        const product = db.prepare("SELECT title FROM products WHERE id = ?").get(productId);
+        db.prepare(`INSERT INTO shareables (id, owner_id, type, title, related_product_id, owner_code)
+                VALUES (?,?,?,?,?,?)`)
+            .run(id, user.id, 'product_promo', product?.title || null, productId, ownerCode);
+        flagNewAccountShareable(id, user.id);
+        refreshProductSharerCount(productId);
+        res.json({ ok: true, shareable_id: id, owner_code: ownerCode, short_url: `/s/${id}`, reused: false });
+    });
+}