npm - @seasonkoh/webaz - Versions diffs - 0.1.8 → 0.1.9 - Mend

@seasonkoh/webaz 0.1.8 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (153) hide show

package/LICENSE +48 -0
package/README.md +156 -20
package/dist/layer0-foundation/L0-1-database/schema.js +5 -4
package/dist/layer0-foundation/L0-2-state-machine/engine.js +228 -7
package/dist/layer0-foundation/L0-2-state-machine/order-chain.js +156 -0
package/dist/layer0-foundation/L0-2-state-machine/transitions.js +53 -12
package/dist/layer0-foundation/L0-5-manifest/manifest.js +14 -1
package/dist/layer1-agent/L1-1-mcp-server/auth.js +1 -1
package/dist/layer1-agent/L1-1-mcp-server/server.js +3543 -852
package/dist/layer1-agent/L1-2-external-anchor/anchor-engine.js +324 -0
package/dist/layer1-agent/L1-2-identity/agent-passport.js +100 -0
package/dist/layer2-business/L2-6-notifications/notification-engine.js +72 -5
package/dist/layer2-business/L2-7-snf/snf-engine.js +287 -0
package/dist/layer2-business/L2-anchor-registry/anchor-registry.js +396 -0
package/dist/layer2-business/L2-notes/note-photo-storage.js +133 -0
package/dist/layer3-trust/L3-1-dispute-engine/dispute-engine.js +6 -6
package/dist/layer3-trust/L3-1-dispute-engine/evidence-storage.js +246 -0
package/dist/layer4-economics/L4-3-reputation/reputation-engine.js +95 -1
package/dist/layer4-economics/L4-4-skill-market/skill-engine.js +31 -2
package/dist/layer4-economics/L4-4-skill-market/skill-listing-engine.js +358 -0
package/dist/pwa/public/app.js +31230 -2345
package/dist/pwa/public/i18n.js +5282 -111
package/dist/pwa/public/icon.svg +11 -0
package/dist/pwa/public/index.html +4 -1
package/dist/pwa/public/manifest.json +39 -4
package/dist/pwa/public/openapi.json +5946 -0
package/dist/pwa/public/style.css +278 -5
package/dist/pwa/public/sw.js +41 -2
package/dist/pwa/public/vendor/jsQR.js +10102 -0
package/dist/pwa/public/webaz-logo.png +0 -0
package/dist/pwa/routes/account-deletion.js +53 -0
package/dist/pwa/routes/addresses.js +105 -0
package/dist/pwa/routes/admin-admins.js +151 -0
package/dist/pwa/routes/admin-analytics.js +253 -0
package/dist/pwa/routes/admin-atomic.js +21 -0
package/dist/pwa/routes/admin-catalog.js +64 -0
package/dist/pwa/routes/admin-editor-picks.js +45 -0
package/dist/pwa/routes/admin-events.js +60 -0
package/dist/pwa/routes/admin-health.js +66 -0
package/dist/pwa/routes/admin-moderation.js +120 -0
package/dist/pwa/routes/admin-ops.js +179 -0
package/dist/pwa/routes/admin-protocol-params.js +79 -0
package/dist/pwa/routes/admin-reports.js +154 -0
package/dist/pwa/routes/admin-tokenomics.js +113 -0
package/dist/pwa/routes/admin-users-lifecycle.js +237 -0
package/dist/pwa/routes/admin-users-query.js +390 -0
package/dist/pwa/routes/admin-verifier-flow.js +126 -0
package/dist/pwa/routes/admin-verifier-whitelist.js +111 -0
package/dist/pwa/routes/admin-wallet-ops.js +66 -0
package/dist/pwa/routes/agent-buy.js +215 -0
package/dist/pwa/routes/agent-governance.js +341 -0
package/dist/pwa/routes/agent-reputation.js +34 -0
package/dist/pwa/routes/ai.js +101 -0
package/dist/pwa/routes/analytics.js +272 -0
package/dist/pwa/routes/anchors.js +169 -0
package/dist/pwa/routes/announcements.js +110 -0
package/dist/pwa/routes/arbitrator.js +117 -0
package/dist/pwa/routes/auction.js +436 -0
package/dist/pwa/routes/auth-login.js +40 -0
package/dist/pwa/routes/auth-read.js +66 -0
package/dist/pwa/routes/auth-register.js +138 -0
package/dist/pwa/routes/auth-sessions.js +62 -0
package/dist/pwa/routes/blocklist.js +60 -0
package/dist/pwa/routes/buyer-feeds.js +224 -0
package/dist/pwa/routes/cart.js +155 -0
package/dist/pwa/routes/charity.js +816 -0
package/dist/pwa/routes/chat.js +318 -0
package/dist/pwa/routes/checkin-tasks.js +122 -0
package/dist/pwa/routes/checkout-helpers.js +85 -0
package/dist/pwa/routes/claim-initiators.js +88 -0
package/dist/pwa/routes/claim-verify.js +615 -0
package/dist/pwa/routes/claim-voting.js +114 -0
package/dist/pwa/routes/claim-withdrawals.js +20 -0
package/dist/pwa/routes/coupons.js +165 -0
package/dist/pwa/routes/dashboards.js +99 -0
package/dist/pwa/routes/dispute-cases.js +267 -0
package/dist/pwa/routes/disputes-read.js +358 -0
package/dist/pwa/routes/disputes-write.js +475 -0
package/dist/pwa/routes/evidence.js +86 -0
package/dist/pwa/routes/external-anchors.js +107 -0
package/dist/pwa/routes/feedback.js +270 -0
package/dist/pwa/routes/flash-sales.js +130 -0
package/dist/pwa/routes/follows.js +103 -0
package/dist/pwa/routes/group-buys.js +208 -0
package/dist/pwa/routes/growth.js +199 -0
package/dist/pwa/routes/import-product.js +153 -0
package/dist/pwa/routes/kyc.js +40 -0
package/dist/pwa/routes/leaderboard.js +149 -0
package/dist/pwa/routes/listings.js +281 -0
package/dist/pwa/routes/logistics.js +35 -0
package/dist/pwa/routes/manifests.js +126 -0
package/dist/pwa/routes/me-data.js +101 -0
package/dist/pwa/routes/notifications.js +48 -0
package/dist/pwa/routes/offers.js +96 -0
package/dist/pwa/routes/orders-action.js +285 -0
package/dist/pwa/routes/orders-create.js +339 -0
package/dist/pwa/routes/orders-read.js +180 -0
package/dist/pwa/routes/p2p-products.js +178 -0
package/dist/pwa/routes/payments-governance.js +311 -0
package/dist/pwa/routes/peers.js +34 -0
package/dist/pwa/routes/pin-receipts.js +39 -0
package/dist/pwa/routes/products-aliases.js +119 -0
package/dist/pwa/routes/products-claims.js +60 -0
package/dist/pwa/routes/products-create.js +206 -0
package/dist/pwa/routes/products-crud.js +73 -0
package/dist/pwa/routes/products-links.js +129 -0
package/dist/pwa/routes/products-list.js +424 -0
package/dist/pwa/routes/products-meta.js +155 -0
package/dist/pwa/routes/products-update.js +125 -0
package/dist/pwa/routes/profile-credentials.js +105 -0
package/dist/pwa/routes/profile-identity.js +174 -0
package/dist/pwa/routes/profile-location.js +35 -0
package/dist/pwa/routes/profile-placement.js +70 -0
package/dist/pwa/routes/profile-prefs.js +93 -0
package/dist/pwa/routes/promoter.js +208 -0
package/dist/pwa/routes/public-utils.js +170 -0
package/dist/pwa/routes/push.js +54 -0
package/dist/pwa/routes/ratings.js +220 -0
package/dist/pwa/routes/recover-key.js +100 -0
package/dist/pwa/routes/referral.js +58 -0
package/dist/pwa/routes/reputation.js +34 -0
package/dist/pwa/routes/returns.js +493 -0
package/dist/pwa/routes/reviews.js +81 -0
package/dist/pwa/routes/rfqs.js +443 -0
package/dist/pwa/routes/search.js +172 -0
package/dist/pwa/routes/secondhand.js +278 -0
package/dist/pwa/routes/seller-quota.js +225 -0
package/dist/pwa/routes/share-redirects.js +164 -0
package/dist/pwa/routes/shareables-interactions.js +212 -0
package/dist/pwa/routes/shareables.js +470 -0
package/dist/pwa/routes/shops.js +98 -0
package/dist/pwa/routes/signaling.js +43 -0
package/dist/pwa/routes/skill-market.js +173 -0
package/dist/pwa/routes/skills.js +174 -0
package/dist/pwa/routes/snf.js +126 -0
package/dist/pwa/routes/tags.js +47 -0
package/dist/pwa/routes/trial.js +333 -0
package/dist/pwa/routes/trusted-kpi.js +87 -0
package/dist/pwa/routes/url-claim.js +113 -0
package/dist/pwa/routes/users-public.js +317 -0
package/dist/pwa/routes/variants.js +156 -0
package/dist/pwa/routes/verifier-user.js +107 -0
package/dist/pwa/routes/verify-tasks.js +120 -0
package/dist/pwa/routes/waitlist.js +65 -0
package/dist/pwa/routes/wallet-read.js +218 -0
package/dist/pwa/routes/wallet-write.js +273 -0
package/dist/pwa/routes/webauthn.js +188 -0
package/dist/pwa/routes/webhooks.js +162 -0
package/dist/pwa/routes/welcome.js +226 -0
package/dist/pwa/routes/wishlist-qa.js +135 -0
package/dist/pwa/security/ssrf.js +110 -0
package/dist/pwa/server.js +9247 -2097
package/package.json +8 -3

package/dist/pwa/routes/verify-tasks.js ADDED Viewed

@@ -0,0 +1,120 @@
+export function registerVerifyTasksRoutes(app, deps) {
+    const { db, auth, assignVerifiers, settleTask, getVerifierStats } = deps;
+    // 卖家确认：已在原平台添加验证码 → 任务进入分配池
+    app.post('/api/verify-tasks/:id/confirm', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const task = db.prepare(`SELECT * FROM verify_tasks WHERE id = ? AND status IN ('code_issued','open')`).get(req.params.id);
+        if (!task)
+            return void res.json({ error: '任务不存在或已结束' });
+        const product = db.prepare('SELECT seller_id FROM products WHERE id = ?').get(task.product_id);
+        if (!product || product.seller_id !== user.id)
+            return void res.status(403).json({ error: '无权限' });
+        if (task.status === 'open') {
+            return void res.json({ success: true, already_open: true, message: '任务已在验证中，无需重复确认' });
+        }
+        db.prepare(`UPDATE verify_tasks SET status='open' WHERE id=?`).run(req.params.id);
+        try {
+            assignVerifiers(req.params.id);
+        }
+        catch { }
+        res.json({ success: true, message: '任务已提交到验证池，等待审核员确认' });
+    });
+    // 卖家：查询某商品的进行中验证任务（供编辑页展示验证码）
+    app.get('/api/verify-tasks/by-product/:productId', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const product = db.prepare('SELECT seller_id FROM products WHERE id = ?').get(req.params.productId);
+        if (!product || product.seller_id !== user.id)
+            return void res.status(403).json({ error: '无权限' });
+        const tasks = db.prepare(`
+      SELECT id, type, url, code, status, expires_at, created_at,
+        (SELECT COUNT(*) FROM verify_submissions WHERE task_id = verify_tasks.id AND submitted_at IS NOT NULL) as submissions_done
+      FROM verify_tasks WHERE product_id = ? AND status IN ('code_issued','open') ORDER BY created_at DESC
+    `).all(req.params.productId);
+        res.json(tasks);
+    });
+    // 卖家：查询我发起的所有认领任务（用于"查看任务进度"页）
+    app.get('/api/verify-tasks/my-claims', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const tasks = db.prepare(`
+      SELECT vt.id, vt.type, vt.url, vt.code, vt.status, vt.result,
+             vt.verifiers_needed, vt.expires_at, vt.created_at, vt.settled_at,
+             p.title as product_title, p.id as product_id,
+             (SELECT COUNT(*) FROM verify_submissions WHERE task_id=vt.id AND submitted_at IS NOT NULL) as submissions_done
+      FROM verify_tasks vt
+      JOIN products p ON vt.product_id = p.id
+      WHERE p.seller_id = ?
+      ORDER BY vt.created_at DESC
+      LIMIT 30
+    `).all(user.id);
+        res.json(tasks);
+    });
+    app.get('/api/verify-tasks/mine', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const tasks = db.prepare(`
+      SELECT vt.id, vt.type, vt.url, vt.verifiers_needed, vt.reward_per_verifier, vt.expires_at,
+        vs.id as sub_id, vs.submitted_at, vs.verdict,
+        (SELECT COUNT(*) FROM verify_submissions WHERE task_id = vt.id AND submitted_at IS NOT NULL) as submissions_done
+      FROM verify_tasks vt
+      JOIN verify_submissions vs ON vs.task_id = vt.id AND vs.verifier_id = ?
+      WHERE vt.status = 'open'
+      ORDER BY vt.created_at DESC
+    `).all(user.id);
+        const stats = getVerifierStats(user.id);
+        res.json({ tasks, stats });
+    });
+    // 验证者：提交验证结果（填入式）
+    app.post('/api/verify-tasks/:id/submit', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { submission } = req.body;
+        const sub = db.prepare(`SELECT * FROM verify_submissions WHERE task_id = ? AND verifier_id = ?`)
+            .get(req.params.id, user.id);
+        if (!sub)
+            return void res.json({ error: '未分配到此任务' });
+        if (sub.submitted_at)
+            return void res.json({ error: '已提交过' });
+        const task = db.prepare('SELECT * FROM verify_tasks WHERE id = ? AND status = ?').get(req.params.id, 'open');
+        if (!task)
+            return void res.json({ error: '任务已结束或不存在' });
+        if (new Date(task.expires_at) < new Date())
+            return void res.json({ error: '任务已过期' });
+        db.prepare(`UPDATE verify_submissions SET submission=?, submitted_at=datetime('now') WHERE task_id=? AND verifier_id=?`)
+            .run((submission ?? '').trim(), req.params.id, user.id);
+        const doneCount = db.prepare(`SELECT COUNT(*) as n FROM verify_submissions WHERE task_id = ? AND submitted_at IS NOT NULL`).get(req.params.id).n;
+        if (doneCount >= task.verifiers_needed)
+            settleTask(req.params.id);
+        res.json({ success: true, message: '提交成功，等待其他验证者完成后自动结算' });
+    });
+    // 公开验证大厅 — 仅显示分配给我的未提交任务
+    app.get('/api/verify-tasks/open', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const tasks = db.prepare(`
+      SELECT vt.id, vt.type, vt.url, vt.reward_per_verifier, vt.expires_at,
+        (SELECT COUNT(*) FROM verify_submissions WHERE task_id=vt.id AND submitted_at IS NOT NULL) as done,
+        vt.verifiers_needed
+      FROM verify_tasks vt
+      JOIN verify_submissions vs ON vs.task_id = vt.id AND vs.verifier_id = ? AND vs.submitted_at IS NULL
+      WHERE vt.status = 'open'
+      ORDER BY vt.created_at ASC
+      LIMIT 10
+    `).all(user.id);
+        res.json(tasks);
+    });
+    app.get('/api/verify-stats', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        res.json(getVerifierStats(user.id));
+    });
+}

package/dist/pwa/routes/waitlist.js ADDED Viewed

@@ -0,0 +1,65 @@
+export function registerWaitlistRoutes(app, deps) {
+    const { db, auth, isTrustedRole, errorRes } = deps;
+    app.post('/api/products/:product_id/waitlist', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (isTrustedRole(user))
+            return void errorRes(res, 403, 'TRUSTED_ROLE_NO_TRADE', '受信角色无购物功能');
+        const p = db.prepare('SELECT id, seller_id, status, stock FROM products WHERE id = ?').get(req.params.product_id);
+        if (!p)
+            return void res.status(404).json({ error: '商品不存在' });
+        if (p.seller_id === user.id)
+            return void res.status(400).json({ error: '不可对自己商品排队' });
+        if (p.status !== 'active')
+            return void res.status(400).json({ error: '商品已下架，无法排队' });
+        if (p.stock > 0)
+            return void res.status(400).json({ error: '商品有货，无需排队 — 直接下单即可' });
+        const qty = Math.max(1, Math.min(99, Number(req.body?.desired_qty) || 1));
+        const note = req.body?.note ? String(req.body.note).slice(0, 200) : null;
+        db.prepare(`INSERT OR REPLACE INTO product_waitlist (user_id, product_id, desired_qty, note) VALUES (?,?,?,?)`)
+            .run(user.id, req.params.product_id, qty, note);
+        res.json({ success: true });
+    });
+    app.delete('/api/products/:product_id/waitlist', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        db.prepare('DELETE FROM product_waitlist WHERE user_id = ? AND product_id = ?').run(user.id, req.params.product_id);
+        res.json({ success: true });
+    });
+    app.get('/api/waitlist', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const rows = db.prepare(`
+      SELECT w.product_id, w.desired_qty, w.note, w.notified_at, w.created_at,
+             p.title, p.price, p.stock, p.status as product_status, p.category,
+             u.name as seller_name, u.handle as seller_handle
+      FROM product_waitlist w
+      JOIN products p ON p.id = w.product_id AND p.status != 'deleted'
+      JOIN users u ON u.id = p.seller_id
+      WHERE w.user_id = ?
+      ORDER BY w.created_at DESC LIMIT 200
+    `).all(user.id);
+        res.json({ items: rows });
+    });
+    app.get('/api/products/:product_id/waitlist/check', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const exists = db.prepare('SELECT 1 FROM product_waitlist WHERE user_id = ? AND product_id = ?').get(user.id, req.params.product_id);
+        res.json({ in_waitlist: !!exists });
+    });
+    // seller 查 waitlist count（决定备多少货）
+    app.get('/api/products/:product_id/waitlist/count', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const p = db.prepare('SELECT seller_id FROM products WHERE id = ?').get(req.params.product_id);
+        if (!p || p.seller_id !== user.id)
+            return void res.status(403).json({ error: '仅卖家可看' });
+        const r = db.prepare(`SELECT COUNT(*) as cnt, COALESCE(SUM(desired_qty), 0) as total_qty FROM product_waitlist WHERE product_id = ? AND notified_at IS NULL`).get(req.params.product_id);
+        res.json({ pending_users: r.cnt, total_desired: r.total_qty });
+    });
+}

package/dist/pwa/routes/wallet-read.js ADDED Viewed

@@ -0,0 +1,218 @@
+export function registerWalletReadRoutes(app, deps) {
+    const { db, auth, isTrustedRole, generateId, verifyPassword, deriveDepositAddress, getProtocolParam, getPublicClient, getIsMainnet, getActiveChainId, getUsdcContract, getNetwork } = deps;
+    // 钱包状态
+    app.get('/api/wallet', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (isTrustedRole(user))
+            return void res.status(403).json({ error: '受信角色无钱包', error_code: 'TRUSTED_ROLE_NO_WALLET' });
+        const wallet = db.prepare('SELECT * FROM wallets WHERE user_id = ?').get(user.id);
+        if (!wallet)
+            return void res.status(500).json({ error: '钱包记录缺失', error_code: 'WALLET_MISSING' });
+        if (!wallet.deposit_address) {
+            const addr = deriveDepositAddress(user.id);
+            db.prepare('UPDATE wallets SET deposit_address = ? WHERE user_id = ?').run(addr, user.id);
+            wallet.deposit_address = addr;
+        }
+        res.json(wallet);
+    });
+    // 充值地址 QR — SVG（轻量 + 矢量，移动端扫码体验最佳）
+    app.get('/api/wallet/deposit-qr', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const wallet = db.prepare('SELECT deposit_address FROM wallets WHERE user_id = ?').get(user.id);
+        if (!wallet?.deposit_address)
+            return void res.status(404).json({ error: '充值地址未生成' });
+        try {
+            const { toString } = await import('qrcode');
+            // 裸地址 + 客户端按需加 hint；EIP-681 兼容性参差
+            const payload = wallet.deposit_address;
+            const svg = await toString(payload, { type: 'svg', errorCorrectionLevel: 'M', margin: 1, width: 240 });
+            res.setHeader('Content-Type', 'image/svg+xml');
+            res.setHeader('Cache-Control', 'private, max-age=86400');
+            res.send(svg);
+        }
+        catch (e) {
+            res.status(500).json({ error: 'QR 生成失败：' + e.message });
+        }
+    });
+    // 公开汇率
+    app.get('/api/wallet/rate', (_req, res) => {
+        res.json({
+            waz_usdc_rate: getProtocolParam('waz_usdc_rate', 1.0),
+            min_deposit_usdc: getProtocolParam('usdc_min_deposit', 0.01),
+            min_withdraw_waz: getProtocolParam('usdc_min_withdraw_waz', 10),
+            required_confirmations: getProtocolParam('usdc_required_confirmations', 12),
+            chain: getIsMainnet() ? 'base-mainnet' : 'base-sepolia',
+            chain_id: getActiveChainId(),
+            usdc_contract: getUsdcContract(),
+            network: getNetwork(),
+        });
+    });
+    // 白名单 GET / POST / DELETE
+    app.get('/api/wallet/whitelist', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const rows = db.prepare(`
+      SELECT id, address, label, added_at, activates_at
+      FROM withdrawal_whitelist
+      WHERE user_id = ? AND revoked_at IS NULL
+      ORDER BY added_at DESC
+    `).all(user.id);
+        const now = Date.now();
+        res.json({
+            whitelist: rows.map(r => ({
+                ...r,
+                activated: new Date(r.activates_at.replace(' ', 'T') + 'Z').getTime() <= now,
+            })),
+        });
+    });
+    app.post('/api/wallet/whitelist', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const pwd = String(req.body?.password || '');
+        if (!user.password_hash)
+            return void res.json({ error: '请先设置登录密码（敏感操作必需）' });
+        if (!verifyPassword(pwd, user.password_hash))
+            return void res.json({ error: '密码错误' });
+        const addressRaw = String(req.body?.address || '').trim();
+        const label = String(req.body?.label || '').trim().slice(0, 50);
+        if (!/^0x[0-9a-fA-F]{40}$/.test(addressRaw))
+            return void res.json({ error: '请输入有效的以太坊地址' });
+        // P0-1: 统一小写存储
+        const address = addressRaw.toLowerCase();
+        const existing = db.prepare(`SELECT id, revoked_at FROM withdrawal_whitelist WHERE user_id = ? AND address = ?`).get(user.id, address);
+        if (existing && !existing.revoked_at)
+            return void res.json({ error: '该地址已在白名单中' });
+        const id = generateId('wl');
+        const activatesAt = new Date(Date.now() + 24 * 3600_000).toISOString().slice(0, 19).replace('T', ' ');
+        if (existing) {
+            db.prepare(`UPDATE withdrawal_whitelist
+                  SET revoked_at = NULL, added_at = datetime('now'), activates_at = ?, label = ?, id = ?
+                  WHERE user_id = ? AND address = ?`)
+                .run(activatesAt, label || null, id, user.id, address);
+        }
+        else {
+            db.prepare(`INSERT INTO withdrawal_whitelist (id, user_id, address, label, activates_at)
+                  VALUES (?,?,?,?,?)`).run(id, user.id, address, label || null, activatesAt);
+        }
+        res.json({ ok: true, id, activates_at: activatesAt, message: '地址已添加，24 小时冷却期后可用于提现' });
+    });
+    app.delete('/api/wallet/whitelist/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const row = db.prepare(`SELECT user_id FROM withdrawal_whitelist WHERE id = ?`).get(req.params.id);
+        if (!row || row.user_id !== user.id)
+            return void res.status(404).json({ error: '地址不存在' });
+        db.prepare(`UPDATE withdrawal_whitelist SET revoked_at = datetime('now') WHERE id = ?`).run(req.params.id);
+        res.json({ ok: true });
+    });
+    // 我的提现记录
+    app.get('/api/wallet/withdrawals', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const list = db.prepare(`SELECT id, to_address, amount, status, created_at, tx_hash FROM withdrawal_requests WHERE user_id = ? ORDER BY created_at DESC LIMIT 10`).all(user.id);
+        res.json(list);
+    });
+    // 我的充值记录（含确认进度）
+    // P1-2: latestBlock 30s 缓存，多用户访问不重复打 RPC
+    let _latestBlockCache = null;
+    const getCachedLatestBlock = async () => {
+        const now = Date.now();
+        if (_latestBlockCache && _latestBlockCache.expiresAt > now)
+            return _latestBlockCache.value;
+        try {
+            const v = Number(await getPublicClient().getBlockNumber());
+            _latestBlockCache = { value: v, expiresAt: now + 30_000 };
+            return v;
+        }
+        catch {
+            return _latestBlockCache?.value ?? null;
+        }
+    };
+    app.get('/api/wallet/deposits', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const list = db.prepare(`SELECT tx_hash, amount, credited_waz, block_number, swept, confirmed_at, block_at_seen, created_at
+       FROM deposit_txns WHERE user_id = ? ORDER BY created_at DESC LIMIT 10`).all(user.id);
+        const requiredConf = getProtocolParam('usdc_required_confirmations', 12);
+        let latestBlock = null;
+        if (list.some(r => !r.confirmed_at)) {
+            latestBlock = await getCachedLatestBlock();
+        }
+        const enriched = list.map(r => {
+            const pending = !r.confirmed_at;
+            const confs = pending && latestBlock != null ? Math.max(0, latestBlock - r.block_number) : null;
+            return {
+                ...r,
+                status: r.confirmed_at ? 'confirmed' : 'pending',
+                confirmations: confs,
+                required_confirmations: requiredConf,
+            };
+        });
+        res.json(enriched);
+    });
+    // 收入构成：分享 / 双轨对碰 / 销售
+    app.get('/api/wallet/income', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const commByLevel = db.prepare(`
+      SELECT level, COUNT(*) as cnt, COALESCE(SUM(amount),0) as total
+      FROM commission_records WHERE beneficiary_id = ? GROUP BY level
+    `).all(user.id);
+        const commMap = { l1: { count: 0, total: 0 }, l2: { count: 0, total: 0 }, l3: { count: 0, total: 0 } };
+        for (const r of commByLevel) {
+            const key = `l${r.level}`;
+            if (commMap[key])
+                commMap[key] = { count: r.cnt, total: Number(r.total.toFixed(2)) };
+        }
+        const binary = db.prepare(`
+      SELECT
+        COUNT(CASE WHEN settled_at IS NOT NULL THEN 1 END) as settled_cnt,
+        COALESCE(SUM(CASE WHEN settled_at IS NOT NULL THEN waz_amount END), 0) as settled_waz,
+        COALESCE(SUM(CASE WHEN settled_at IS NULL THEN score END), 0) as pending_score
+      FROM binary_score_records WHERE user_id = ?
+    `).get(user.id);
+        const sales = db.prepare(`
+      SELECT COUNT(*) as cnt, COALESCE(SUM(total_amount),0) as total
+      FROM orders WHERE seller_id = ? AND status = 'completed'
+    `).get(user.id);
+        const totalIncome = commMap.l1.total + commMap.l2.total + commMap.l3.total +
+            Number(binary.settled_waz) + Number(sales.total);
+        res.json({
+            commissions: commMap,
+            binary: {
+                settled_count: binary.settled_cnt,
+                settled_waz: Number(Number(binary.settled_waz).toFixed(2)),
+                pending_score: Number(Number(binary.pending_score).toFixed(2)),
+            },
+            sales: { count: sales.cnt, total: Number(Number(sales.total).toFixed(2)) },
+            total_income: Number(totalIncome.toFixed(2)),
+        });
+    });
+    // P0 测试充值（Phase 0 专用）
+    app.post('/api/wallet/topup', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (isTrustedRole(user))
+            return void res.status(403).json({ error: '受信角色无钱包', error_code: 'TRUSTED_ROLE_NO_WALLET' });
+        const amount = Math.min(1000, Math.max(1, Number(req.body?.amount) || 500));
+        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        if (!wallet)
+            return void res.status(500).json({ error: '钱包记录缺失', error_code: 'WALLET_MISSING' });
+        if (wallet.balance >= 5000)
+            return void res.json({ error: '余额已达上限 5000 WAZ，无需充值' });
+        const actual = Math.min(amount, 5000 - wallet.balance);
+        db.prepare('UPDATE wallets SET balance = balance + ? WHERE user_id = ?').run(actual, user.id);
+        res.json({ success: true, added: actual, new_balance: wallet.balance + actual });
+    });
+}