npm - @seasonkoh/webaz - Versions diffs - 0.1.8 → 0.1.9 - Mend

@seasonkoh/webaz 0.1.8 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (153) hide show

package/LICENSE +48 -0
package/README.md +156 -20
package/dist/layer0-foundation/L0-1-database/schema.js +5 -4
package/dist/layer0-foundation/L0-2-state-machine/engine.js +228 -7
package/dist/layer0-foundation/L0-2-state-machine/order-chain.js +156 -0
package/dist/layer0-foundation/L0-2-state-machine/transitions.js +53 -12
package/dist/layer0-foundation/L0-5-manifest/manifest.js +14 -1
package/dist/layer1-agent/L1-1-mcp-server/auth.js +1 -1
package/dist/layer1-agent/L1-1-mcp-server/server.js +3543 -852
package/dist/layer1-agent/L1-2-external-anchor/anchor-engine.js +324 -0
package/dist/layer1-agent/L1-2-identity/agent-passport.js +100 -0
package/dist/layer2-business/L2-6-notifications/notification-engine.js +72 -5
package/dist/layer2-business/L2-7-snf/snf-engine.js +287 -0
package/dist/layer2-business/L2-anchor-registry/anchor-registry.js +396 -0
package/dist/layer2-business/L2-notes/note-photo-storage.js +133 -0
package/dist/layer3-trust/L3-1-dispute-engine/dispute-engine.js +6 -6
package/dist/layer3-trust/L3-1-dispute-engine/evidence-storage.js +246 -0
package/dist/layer4-economics/L4-3-reputation/reputation-engine.js +95 -1
package/dist/layer4-economics/L4-4-skill-market/skill-engine.js +31 -2
package/dist/layer4-economics/L4-4-skill-market/skill-listing-engine.js +358 -0
package/dist/pwa/public/app.js +31230 -2345
package/dist/pwa/public/i18n.js +5282 -111
package/dist/pwa/public/icon.svg +11 -0
package/dist/pwa/public/index.html +4 -1
package/dist/pwa/public/manifest.json +39 -4
package/dist/pwa/public/openapi.json +5946 -0
package/dist/pwa/public/style.css +278 -5
package/dist/pwa/public/sw.js +41 -2
package/dist/pwa/public/vendor/jsQR.js +10102 -0
package/dist/pwa/public/webaz-logo.png +0 -0
package/dist/pwa/routes/account-deletion.js +53 -0
package/dist/pwa/routes/addresses.js +105 -0
package/dist/pwa/routes/admin-admins.js +151 -0
package/dist/pwa/routes/admin-analytics.js +253 -0
package/dist/pwa/routes/admin-atomic.js +21 -0
package/dist/pwa/routes/admin-catalog.js +64 -0
package/dist/pwa/routes/admin-editor-picks.js +45 -0
package/dist/pwa/routes/admin-events.js +60 -0
package/dist/pwa/routes/admin-health.js +66 -0
package/dist/pwa/routes/admin-moderation.js +120 -0
package/dist/pwa/routes/admin-ops.js +179 -0
package/dist/pwa/routes/admin-protocol-params.js +79 -0
package/dist/pwa/routes/admin-reports.js +154 -0
package/dist/pwa/routes/admin-tokenomics.js +113 -0
package/dist/pwa/routes/admin-users-lifecycle.js +237 -0
package/dist/pwa/routes/admin-users-query.js +390 -0
package/dist/pwa/routes/admin-verifier-flow.js +126 -0
package/dist/pwa/routes/admin-verifier-whitelist.js +111 -0
package/dist/pwa/routes/admin-wallet-ops.js +66 -0
package/dist/pwa/routes/agent-buy.js +215 -0
package/dist/pwa/routes/agent-governance.js +341 -0
package/dist/pwa/routes/agent-reputation.js +34 -0
package/dist/pwa/routes/ai.js +101 -0
package/dist/pwa/routes/analytics.js +272 -0
package/dist/pwa/routes/anchors.js +169 -0
package/dist/pwa/routes/announcements.js +110 -0
package/dist/pwa/routes/arbitrator.js +117 -0
package/dist/pwa/routes/auction.js +436 -0
package/dist/pwa/routes/auth-login.js +40 -0
package/dist/pwa/routes/auth-read.js +66 -0
package/dist/pwa/routes/auth-register.js +138 -0
package/dist/pwa/routes/auth-sessions.js +62 -0
package/dist/pwa/routes/blocklist.js +60 -0
package/dist/pwa/routes/buyer-feeds.js +224 -0
package/dist/pwa/routes/cart.js +155 -0
package/dist/pwa/routes/charity.js +816 -0
package/dist/pwa/routes/chat.js +318 -0
package/dist/pwa/routes/checkin-tasks.js +122 -0
package/dist/pwa/routes/checkout-helpers.js +85 -0
package/dist/pwa/routes/claim-initiators.js +88 -0
package/dist/pwa/routes/claim-verify.js +615 -0
package/dist/pwa/routes/claim-voting.js +114 -0
package/dist/pwa/routes/claim-withdrawals.js +20 -0
package/dist/pwa/routes/coupons.js +165 -0
package/dist/pwa/routes/dashboards.js +99 -0
package/dist/pwa/routes/dispute-cases.js +267 -0
package/dist/pwa/routes/disputes-read.js +358 -0
package/dist/pwa/routes/disputes-write.js +475 -0
package/dist/pwa/routes/evidence.js +86 -0
package/dist/pwa/routes/external-anchors.js +107 -0
package/dist/pwa/routes/feedback.js +270 -0
package/dist/pwa/routes/flash-sales.js +130 -0
package/dist/pwa/routes/follows.js +103 -0
package/dist/pwa/routes/group-buys.js +208 -0
package/dist/pwa/routes/growth.js +199 -0
package/dist/pwa/routes/import-product.js +153 -0
package/dist/pwa/routes/kyc.js +40 -0
package/dist/pwa/routes/leaderboard.js +149 -0
package/dist/pwa/routes/listings.js +281 -0
package/dist/pwa/routes/logistics.js +35 -0
package/dist/pwa/routes/manifests.js +126 -0
package/dist/pwa/routes/me-data.js +101 -0
package/dist/pwa/routes/notifications.js +48 -0
package/dist/pwa/routes/offers.js +96 -0
package/dist/pwa/routes/orders-action.js +285 -0
package/dist/pwa/routes/orders-create.js +339 -0
package/dist/pwa/routes/orders-read.js +180 -0
package/dist/pwa/routes/p2p-products.js +178 -0
package/dist/pwa/routes/payments-governance.js +311 -0
package/dist/pwa/routes/peers.js +34 -0
package/dist/pwa/routes/pin-receipts.js +39 -0
package/dist/pwa/routes/products-aliases.js +119 -0
package/dist/pwa/routes/products-claims.js +60 -0
package/dist/pwa/routes/products-create.js +206 -0
package/dist/pwa/routes/products-crud.js +73 -0
package/dist/pwa/routes/products-links.js +129 -0
package/dist/pwa/routes/products-list.js +424 -0
package/dist/pwa/routes/products-meta.js +155 -0
package/dist/pwa/routes/products-update.js +125 -0
package/dist/pwa/routes/profile-credentials.js +105 -0
package/dist/pwa/routes/profile-identity.js +174 -0
package/dist/pwa/routes/profile-location.js +35 -0
package/dist/pwa/routes/profile-placement.js +70 -0
package/dist/pwa/routes/profile-prefs.js +93 -0
package/dist/pwa/routes/promoter.js +208 -0
package/dist/pwa/routes/public-utils.js +170 -0
package/dist/pwa/routes/push.js +54 -0
package/dist/pwa/routes/ratings.js +220 -0
package/dist/pwa/routes/recover-key.js +100 -0
package/dist/pwa/routes/referral.js +58 -0
package/dist/pwa/routes/reputation.js +34 -0
package/dist/pwa/routes/returns.js +493 -0
package/dist/pwa/routes/reviews.js +81 -0
package/dist/pwa/routes/rfqs.js +443 -0
package/dist/pwa/routes/search.js +172 -0
package/dist/pwa/routes/secondhand.js +278 -0
package/dist/pwa/routes/seller-quota.js +225 -0
package/dist/pwa/routes/share-redirects.js +164 -0
package/dist/pwa/routes/shareables-interactions.js +212 -0
package/dist/pwa/routes/shareables.js +470 -0
package/dist/pwa/routes/shops.js +98 -0
package/dist/pwa/routes/signaling.js +43 -0
package/dist/pwa/routes/skill-market.js +173 -0
package/dist/pwa/routes/skills.js +174 -0
package/dist/pwa/routes/snf.js +126 -0
package/dist/pwa/routes/tags.js +47 -0
package/dist/pwa/routes/trial.js +333 -0
package/dist/pwa/routes/trusted-kpi.js +87 -0
package/dist/pwa/routes/url-claim.js +113 -0
package/dist/pwa/routes/users-public.js +317 -0
package/dist/pwa/routes/variants.js +156 -0
package/dist/pwa/routes/verifier-user.js +107 -0
package/dist/pwa/routes/verify-tasks.js +120 -0
package/dist/pwa/routes/waitlist.js +65 -0
package/dist/pwa/routes/wallet-read.js +218 -0
package/dist/pwa/routes/wallet-write.js +273 -0
package/dist/pwa/routes/webauthn.js +188 -0
package/dist/pwa/routes/webhooks.js +162 -0
package/dist/pwa/routes/welcome.js +226 -0
package/dist/pwa/routes/wishlist-qa.js +135 -0
package/dist/pwa/security/ssrf.js +110 -0
package/dist/pwa/server.js +9247 -2097
package/package.json +8 -3

package/dist/pwa/routes/wallet-write.js ADDED Viewed

@@ -0,0 +1,273 @@
+import { verifyMessage } from 'viem';
+export function registerWalletWriteRoutes(app, deps) {
+    const { db, auth, isTrustedRole, generateId, getProtocolParam, consumeGateToken, issueCode, findActiveCode, maskEmail, LARGE_WITHDRAW_THRESHOLD } = deps;
+    // Wave G-1: 签名挑战 — 5min 一次性 nonce
+    const walletChallenges = new Map();
+    const cleanupWalletChallenges = () => {
+        const now = Date.now();
+        for (const [k, v] of walletChallenges)
+            if (v.expiresAt < now)
+                walletChallenges.delete(k);
+    };
+    app.post('/api/wallet/connect/challenge', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (isTrustedRole(user))
+            return void res.status(403).json({ error: '受信角色无钱包' });
+        cleanupWalletChallenges();
+        const nonce = generateId('nce').replace(/[^a-zA-Z0-9]/g, '').slice(0, 16) + Date.now().toString(36);
+        const id = generateId('chl');
+        walletChallenges.set(id, { userId: String(user.id), nonce, expiresAt: Date.now() + 5 * 60_000 });
+        const message = `WebAZ 钱包绑定验证\n\nNonce: ${nonce}\nUserID: ${user.id}\nExpires: ${new Date(Date.now() + 5 * 60_000).toISOString()}\n\n签名仅用于证明地址归属，不消耗任何 gas，也不会触发任何链上交易。`;
+        res.json({ challenge_id: id, message });
+    });
+    app.post('/api/wallet/connect/verify', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        // H-2 P1-1: 防御性 — 受信角色不应能绑钱包
+        if (isTrustedRole(user))
+            return void res.status(403).json({ error: '受信角色无钱包' });
+        cleanupWalletChallenges();
+        const { challenge_id, address, signature, label } = req.body || {};
+        if (!challenge_id || !address || !signature) {
+            return void res.status(400).json({ error: '缺少 challenge_id / address / signature' });
+        }
+        if (!/^0x[0-9a-fA-F]{40}$/.test(String(address))) {
+            return void res.status(400).json({ error: '地址格式无效' });
+        }
+        const chl = walletChallenges.get(String(challenge_id));
+        if (!chl)
+            return void res.status(400).json({ error: 'challenge 无效或已过期' });
+        if (chl.userId !== String(user.id))
+            return void res.status(403).json({ error: 'challenge 不属于当前用户' });
+        walletChallenges.delete(String(challenge_id)); // 单次使用
+        const message = `WebAZ 钱包绑定验证\n\nNonce: ${chl.nonce}\nUserID: ${user.id}\nExpires: ${new Date(chl.expiresAt).toISOString()}\n\n签名仅用于证明地址归属，不消耗任何 gas，也不会触发任何链上交易。`;
+        // viem verifyMessage 自动处理 EIP-191 personal_sign 格式
+        try {
+            const valid = await verifyMessage({
+                address: address,
+                message,
+                signature: signature,
+            });
+            if (!valid)
+                return void res.status(400).json({ error: '签名验证失败' });
+        }
+        catch (e) {
+            return void res.status(400).json({ error: '签名格式错误: ' + e.message });
+        }
+        // 已通过签名校验 → 加入白名单，免 24h 冷却（activates_at = NOW）
+        const addrLc = String(address).toLowerCase();
+        const existing = db.prepare('SELECT id, revoked_at FROM withdrawal_whitelist WHERE user_id = ? AND address = ?').get(user.id, addrLc);
+        if (existing) {
+            db.prepare(`UPDATE withdrawal_whitelist SET activates_at = datetime('now'), revoked_at = NULL,
+        signature_verified_at = datetime('now'), label = COALESCE(?, label) WHERE id = ?`)
+                .run(label || null, existing.id);
+            return void res.json({ success: true, id: existing.id, activated: true });
+        }
+        const id = generateId('wl');
+        db.prepare(`INSERT INTO withdrawal_whitelist (id, user_id, address, label, activates_at, signature_verified_at)
+      VALUES (?,?,?,?,datetime('now'),datetime('now'))`)
+            .run(id, user.id, addrLc, label ? String(label).slice(0, 30) : null);
+        res.json({ success: true, id, activated: true });
+    });
+    // 提现申请
+    app.post('/api/wallet/withdraw', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (isTrustedRole(user))
+            return void res.status(403).json({ error: '受信角色无钱包，不可提现', error_code: 'TRUSTED_ROLE_NO_WALLET' });
+        const { to_address: to_address_raw, amount } = req.body;
+        // P0-1: toLowerCase 后与白名单匹配
+        const to_address = typeof to_address_raw === 'string' ? to_address_raw.toLowerCase() : to_address_raw;
+        if (!/^0x[0-9a-fA-F]{40}$/.test(to_address ?? '')) {
+            return void res.json({ error: '请输入有效的以太坊地址（0x 开头，42 位字符）' });
+        }
+        const amountNum = Number(amount);
+        if (!amountNum || amountNum <= 0)
+            return void res.json({ error: '请输入提现金额' });
+        const minWithdraw = getProtocolParam('usdc_min_withdraw_waz', 10);
+        if (amountNum < minWithdraw)
+            return void res.json({ error: `最低提现金额为 ${minWithdraw} WAZ` });
+        // 2026-05-22 audit P1：大额提现 KYC 强制（双维度防 smurf 分拆）
+        const kycThreshold = getProtocolParam('kyc_required_withdraw_waz', 1000);
+        const kycDailyThreshold = getProtocolParam('kyc_daily_cumulative_waz', 3000);
+        let kycReason = null;
+        let kycField = 'single';
+        if (amountNum >= kycThreshold) {
+            kycReason = `提现 ≥ ${kycThreshold} WAZ 需要先完成实名认证（KYC）`;
+            kycField = 'single';
+        }
+        else {
+            const dailyRow = db.prepare(`
+        SELECT COALESCE(SUM(amount), 0) as total
+        FROM withdrawal_requests
+        WHERE user_id = ?
+          AND status IN ('pending', 'processing', 'completed', 'awaiting_email_confirm')
+          AND created_at > datetime('now', '-1 day')
+      `).get(user.id);
+            const dailyTotal = Number(dailyRow.total) + amountNum;
+            if (dailyTotal >= kycDailyThreshold) {
+                kycReason = `24h 内提现累计 ${dailyTotal.toFixed(2)} ≥ ${kycDailyThreshold} WAZ，需先完成实名认证（防 smurf）`;
+                kycField = 'daily_cumulative';
+            }
+        }
+        if (kycReason) {
+            const k = db.prepare("SELECT status FROM kyc_records WHERE user_id = ?").get(user.id);
+            if (!k || k.status !== 'approved') {
+                return void res.status(403).json({
+                    error: kycReason,
+                    error_code: 'KYC_REQUIRED_FOR_WITHDRAW',
+                    trigger: kycField,
+                    threshold: kycField === 'single' ? kycThreshold : kycDailyThreshold,
+                });
+            }
+        }
+        // WebAuthn gate
+        //   opt-in webauthn_required_for_withdraw → 所有金额都要 Passkey
+        //   #1009 大额自动强制 — 已注册 Passkey + 金额 > LARGE_WITHDRAW_THRESHOLD 一律走 Passkey
+        //   未注册 Passkey 的用户走原邮件确认路径（不强制注册，避免新用户卡死）
+        const hasPasskeyRow = db.prepare('SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?').get(user.id);
+        const hasPasskey = (hasPasskeyRow?.n || 0) > 0;
+        const forceWebauthnByAmount = amountNum > LARGE_WITHDRAW_THRESHOLD && hasPasskey;
+        if (user.webauthn_required_for_withdraw || forceWebauthnByAmount) {
+            const token = req.headers['x-webauthn-token'];
+            const gate = consumeGateToken(user.id, token, 'withdraw', (data) => {
+                const d = (data || {});
+                return d.to_address === to_address && Number(d.amount) === amountNum;
+            });
+            if (!gate.ok) {
+                return void res.status(403).json({
+                    error: gate.reason,
+                    webauthn_required: true,
+                    purpose: 'withdraw',
+                    purpose_data: { to_address, amount: amountNum },
+                    force_reason: forceWebauthnByAmount && !user.webauthn_required_for_withdraw
+                        ? `large_withdraw_auto:${LARGE_WITHDRAW_THRESHOLD}` : 'user_opted_in',
+                });
+            }
+        }
+        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        if (!wallet)
+            return void res.status(500).json({ error: '钱包记录缺失', error_code: 'WALLET_MISSING' });
+        if (wallet.balance < amountNum) {
+            return void res.json({ error: `余额不足：当前可用 ${wallet.balance.toFixed(2)} WAZ` });
+        }
+        // 白名单校验：必须在 user 的 active 白名单内，且过了 24h 冷却
+        const wl = db.prepare(`
+      SELECT activates_at FROM withdrawal_whitelist
+      WHERE user_id = ? AND address = ? AND revoked_at IS NULL
+    `).get(user.id, to_address);
+        if (!wl) {
+            return void res.json({ error: '该地址不在你的白名单中，请先到「提现白名单」添加（添加后 24h 冷却生效）' });
+        }
+        if (new Date(wl.activates_at.replace(' ', 'T') + 'Z').getTime() > Date.now()) {
+            const mins = Math.ceil((new Date(wl.activates_at.replace(' ', 'T') + 'Z').getTime() - Date.now()) / 60_000);
+            return void res.json({ error: `该地址在冷却期内，约 ${mins} 分钟后可用（添加后 24h 强制冷却）` });
+        }
+        // 大额提现 → 强制邮件确认
+        const isLarge = amountNum > LARGE_WITHDRAW_THRESHOLD;
+        if (isLarge) {
+            if (!user.email_verified || !user.email) {
+                return void res.json({ error: `大额提现（> ${LARGE_WITHDRAW_THRESHOLD} WAZ）需先绑定邮箱用于二次确认` });
+            }
+            // 不立即扣款 + 不写入正式 pending — 进入 pending_email 阶段，待 confirm
+            const wid = generateId('wdr');
+            db.prepare(`INSERT INTO withdrawal_requests (id, user_id, to_address, amount, status, status_detail)
+                  VALUES (?,?,?,?,?,?)`)
+                .run(wid, user.id, to_address, amountNum, 'pending_email', 'awaiting_email_confirm');
+            issueCode(user.id, 'email', user.email, 'withdraw_confirm:' + wid);
+            return void res.json({
+                success: true,
+                request_id: wid,
+                requires_email_code: true,
+                email: maskEmail(user.email),
+                message: '已发送邮件验证码，请查收并输入 6 位数字以确认提现',
+            });
+        }
+        // 普通额度 → 即时扣款 + pending（admin 处理）
+        const wid = generateId('wdr');
+        db.prepare(`INSERT INTO withdrawal_requests (id, user_id, to_address, amount) VALUES (?,?,?,?)`)
+            .run(wid, user.id, to_address, amountNum);
+        db.prepare('UPDATE wallets SET balance = balance - ? WHERE user_id = ?').run(amountNum, user.id);
+        res.json({
+            success: true,
+            request_id: wid,
+            message: '提现申请已提交，将在 24 小时内到账。',
+        });
+    });
+    // 大额提现：邮件验证码确认
+    app.post('/api/wallet/withdraw/:id/confirm', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const wid = req.params.id;
+        const code = String(req.body?.code || '').trim();
+        if (!/^\d{6}$/.test(code))
+            return void res.json({ error: '请输入 6 位验证码' });
+        const wr = db.prepare(`
+      SELECT id, user_id, amount, to_address, status FROM withdrawal_requests WHERE id = ?
+    `).get(wid);
+        if (!wr || wr.user_id !== user.id)
+            return void res.json({ error: '请求不存在' });
+        if (wr.status !== 'pending_email')
+            return void res.json({ error: '该请求无需邮件确认或已确认' });
+        const purpose = 'withdraw_confirm:' + wid;
+        const row = findActiveCode('email', user.email, purpose);
+        if (!row)
+            return void res.json({ error: '验证码已过期，请重新发起提现' });
+        if (row.code !== code)
+            return void res.json({ error: '验证码错误' });
+        db.prepare("UPDATE verification_codes SET used_at = datetime('now') WHERE id = ?").run(row.id);
+        const wallet = db.prepare('SELECT balance FROM wallets WHERE user_id = ?').get(user.id);
+        if (wallet.balance < wr.amount) {
+            db.prepare("UPDATE withdrawal_requests SET status = 'rejected', status_detail = 'insufficient_balance_at_confirm' WHERE id = ?").run(wid);
+            return void res.json({ error: '余额不足（确认时刻余额已变化），请重新提现' });
+        }
+        db.prepare('UPDATE wallets SET balance = balance - ? WHERE user_id = ?').run(wr.amount, user.id);
+        db.prepare(`UPDATE withdrawal_requests SET status = 'pending', email_confirmed_at = datetime('now'), status_detail = NULL WHERE id = ?`).run(wid);
+        res.json({ success: true, message: '邮件确认通过，提现进入处理队列，24 小时内到账' });
+    });
+    // 用户取消尚未 approve 的 withdrawal — 余额自动退回
+    app.post('/api/wallet/withdrawals/:id/cancel', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const wid = req.params.id;
+        const tx = db.transaction(() => {
+            // SELECT inside tx + UPDATE WHERE status='pending' 双重门防并发取消 + admin approve 抢跑
+            const wr = db.prepare(`SELECT user_id, amount, status FROM withdrawal_requests WHERE id = ?`).get(wid);
+            if (!wr)
+                throw new Error('withdrawal_not_found');
+            if (wr.user_id !== user.id)
+                throw new Error('not_owner');
+            if (wr.status !== 'pending' && wr.status !== 'pending_email')
+                throw new Error('cannot_cancel_in_status_' + wr.status);
+            const isPendingEmail = wr.status === 'pending_email';
+            // pending 阶段已扣款 → 退；pending_email 还没扣款 → 不退
+            const upd = db.prepare(`UPDATE withdrawal_requests SET status = 'cancelled', status_detail = 'user_cancelled' WHERE id = ? AND status = ?`)
+                .run(wid, wr.status);
+            if (upd.changes === 0)
+                throw new Error('race_status_changed');
+            if (!isPendingEmail) {
+                db.prepare(`UPDATE wallets SET balance = balance + ? WHERE user_id = ?`).run(wr.amount, user.id);
+                return wr.amount;
+            }
+            return 0;
+        });
+        try {
+            const refunded = tx();
+            res.json({ success: true, refunded });
+        }
+        catch (e) {
+            const msg = e.message;
+            const status = msg === 'not_owner' || msg.startsWith('cannot_cancel_in_status_') ? 403
+                : msg === 'withdrawal_not_found' ? 404
+                    : msg === 'race_status_changed' ? 409
+                        : 400;
+            res.status(status).json({ error: msg });
+        }
+    });
+}

package/dist/pwa/routes/webauthn.js ADDED Viewed

@@ -0,0 +1,188 @@
+import { generateRegistrationOptions, verifyRegistrationResponse, generateAuthenticationOptions, verifyAuthenticationResponse, } from '@simplewebauthn/server';
+import { randomBytes } from 'node:crypto';
+export function registerWebauthnRoutes(app, deps) {
+    const { db, auth, generateId, rpId, rpName, origin, challengeTtlMs, gateTtlMs, invalidateAgentRiskCacheForUser, requireHumanPresence } = deps;
+    // 1. 注册：start — 生成 challenge + 选项
+    app.post('/api/webauthn/register/start', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const existing = db.prepare('SELECT id FROM webauthn_credentials WHERE user_id = ?').all(user.id);
+        const opts = await generateRegistrationOptions({
+            rpName,
+            rpID: rpId,
+            userName: String(user.handle || user.name || user.id),
+            userID: new TextEncoder().encode(String(user.id)),
+            attestationType: 'none',
+            excludeCredentials: existing.map(c => ({ id: c.id })),
+            // H-1: 注册时就强制生物识别 / PIN，否则只按硬件键 = 无 UV 闸门
+            authenticatorSelection: { residentKey: 'preferred', userVerification: 'required' },
+        });
+        const chId = generateId('wac');
+        db.prepare(`INSERT INTO webauthn_challenges (id, user_id, challenge, purpose, expires_at) VALUES (?,?,?,?,?)`)
+            .run(chId, user.id, opts.challenge, 'register', new Date(Date.now() + challengeTtlMs).toISOString());
+        res.json({ options: opts, challenge_id: chId });
+    });
+    // 2. 注册：finish — 验证 + 入库
+    app.post('/api/webauthn/register/finish', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { challenge_id, response, device_label } = req.body || {};
+        const ch = db.prepare(`SELECT challenge, expires_at, consumed_at FROM webauthn_challenges WHERE id = ? AND user_id = ? AND purpose = 'register'`).get(challenge_id, user.id);
+        if (!ch)
+            return void res.status(404).json({ error: 'challenge not found' });
+        if (ch.consumed_at)
+            return void res.status(409).json({ error: 'challenge already used' });
+        if (new Date(ch.expires_at).getTime() < Date.now())
+            return void res.status(410).json({ error: 'challenge expired' });
+        try {
+            const verification = await verifyRegistrationResponse({
+                response,
+                expectedChallenge: ch.challenge,
+                expectedOrigin: origin,
+                expectedRPID: rpId,
+                // H-1: 大额闸门必须有真正的生物识别 / PIN（user verified bit = 1）
+                requireUserVerification: true,
+            });
+            if (!verification.verified || !verification.registrationInfo) {
+                return void res.status(400).json({ error: 'verification failed' });
+            }
+            const { credential } = verification.registrationInfo;
+            db.prepare(`INSERT INTO webauthn_credentials (id, user_id, public_key, counter, transports, device_label) VALUES (?,?,?,?,?,?)`)
+                .run(credential.id, user.id, Buffer.from(credential.publicKey), credential.counter || 0, JSON.stringify(credential.transports || []), (device_label || '').slice(0, 60) || null);
+            db.prepare("UPDATE webauthn_challenges SET consumed_at = datetime('now') WHERE id = ?").run(challenge_id);
+            invalidateAgentRiskCacheForUser(user.id); // 让 D2b 中间件立刻看到刚绑的 Passkey,否则 5min 缓存窗内仍被拦
+            res.json({ success: true, credential_id: credential.id });
+        }
+        catch (e) {
+            res.status(400).json({ error: e.message });
+        }
+    });
+    // 3. 认证：start — 生成 challenge（指定 purpose + 业务数据；同一 challenge 不可复用）
+    app.post('/api/webauthn/auth/start', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const purpose = String(req.body?.purpose || '').trim();
+        const allowed = new Set(['withdraw', 'change-password', 'reveal-key', 'region', 'delete_passkey']);
+        if (!allowed.has(purpose))
+            return void res.status(400).json({ error: 'invalid purpose' });
+        const purpose_data = req.body?.purpose_data ?? null;
+        const creds = db.prepare('SELECT id, transports FROM webauthn_credentials WHERE user_id = ?').all(user.id);
+        if (creds.length === 0)
+            return void res.status(403).json({ error: '尚未注册任何 Passkey' });
+        const opts = await generateAuthenticationOptions({
+            rpID: rpId,
+            // H-1: 闸门必须真正 UV，不接受 "硬件按一下" 兜底
+            userVerification: 'required',
+            allowCredentials: creds.map(c => ({ id: c.id, transports: (() => { try {
+                    return JSON.parse(c.transports);
+                }
+                catch {
+                    return [];
+                } })() })),
+        });
+        const chId = generateId('wac');
+        db.prepare(`INSERT INTO webauthn_challenges (id, user_id, challenge, purpose, purpose_data, expires_at) VALUES (?,?,?,?,?,?)`)
+            .run(chId, user.id, opts.challenge, purpose, purpose_data ? JSON.stringify(purpose_data) : null, new Date(Date.now() + challengeTtlMs).toISOString());
+        res.json({ options: opts, challenge_id: chId });
+    });
+    // 4. 认证：finish — 验证签名 + 颁发短 gate token
+    app.post('/api/webauthn/auth/finish', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const { challenge_id, response } = req.body || {};
+        const ch = db.prepare(`SELECT challenge, purpose, purpose_data, expires_at, consumed_at FROM webauthn_challenges WHERE id = ? AND user_id = ?`).get(challenge_id, user.id);
+        if (!ch)
+            return void res.status(404).json({ error: 'challenge not found' });
+        if (ch.consumed_at)
+            return void res.status(409).json({ error: 'challenge already used' });
+        if (new Date(ch.expires_at).getTime() < Date.now())
+            return void res.status(410).json({ error: 'challenge expired' });
+        const cred = db.prepare(`SELECT id, public_key, counter, transports FROM webauthn_credentials WHERE id = ? AND user_id = ?`)
+            .get(response?.id, user.id);
+        if (!cred)
+            return void res.status(404).json({ error: 'credential not registered' });
+        try {
+            const verification = await verifyAuthenticationResponse({
+                response,
+                expectedChallenge: ch.challenge,
+                expectedOrigin: origin,
+                expectedRPID: rpId,
+                credential: {
+                    id: cred.id,
+                    publicKey: new Uint8Array(cred.public_key),
+                    counter: cred.counter,
+                    transports: (() => { try {
+                        return JSON.parse(cred.transports);
+                    }
+                    catch {
+                        return undefined;
+                    } })(),
+                },
+                // H-1: 签名必须由 UV 通过的 authenticator 产生（user verified bit = 1）
+                requireUserVerification: true,
+            });
+            if (!verification.verified)
+                return void res.status(400).json({ error: 'signature failed' });
+            // 更新 counter（防重放）
+            db.prepare(`UPDATE webauthn_credentials SET counter = ?, last_used_at = datetime('now') WHERE id = ?`)
+                .run(verification.authenticationInfo.newCounter, cred.id);
+            db.prepare("UPDATE webauthn_challenges SET consumed_at = datetime('now') WHERE id = ?").run(challenge_id);
+            // 颁发短 token
+            const token = generateId('wgt') + '_' + randomBytes(8).toString('hex');
+            db.prepare(`INSERT INTO webauthn_gate_tokens (id, user_id, purpose, purpose_data, expires_at) VALUES (?,?,?,?,?)`)
+                .run(token, user.id, ch.purpose, ch.purpose_data, new Date(Date.now() + gateTtlMs).toISOString());
+            res.json({ success: true, gate_token: token, expires_in_seconds: Math.floor(gateTtlMs / 1000) });
+        }
+        catch (e) {
+            res.status(400).json({ error: e.message });
+        }
+    });
+    // 列出 / 删除 credential
+    app.get('/api/webauthn/credentials', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const rows = db.prepare(`SELECT id, device_label, transports, created_at, last_used_at FROM webauthn_credentials WHERE user_id = ? ORDER BY created_at DESC`).all(user.id);
+        const required = !!user.webauthn_required_for_withdraw;
+        res.json({ credentials: rows, settings: { required_for_withdraw: required } });
+    });
+    app.delete('/api/webauthn/credentials/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        // #1044 防"失窃 Passkey 不需 Passkey 即可删除"漏洞 — 删 passkey 自身要先用同一把(或同账号其它)passkey ceremony 拿 token
+        // 验证 purpose_data.credential_id 必须等于路径 :id,避免"为删 A 拿到的 token 被复用去删 B"
+        const hpCheck = requireHumanPresence(user.id, 'delete_passkey', (req.body || {}).webauthn_token, 'require_human_presence_for_delete_passkey', (data) => {
+            try {
+                return typeof data === 'object' && data !== null && data.credential_id === req.params.id;
+            }
+            catch {
+                return false;
+            }
+        });
+        if (!hpCheck.ok)
+            return void res.status(412).json({ error: hpCheck.reason, error_code: hpCheck.error_code });
+        const r = db.prepare('DELETE FROM webauthn_credentials WHERE id = ? AND user_id = ?').run(req.params.id, user.id);
+        if (r.changes > 0)
+            invalidateAgentRiskCacheForUser(user.id); // 删到最后一把就丢真人身份,立刻反映到 D2b
+        res.json({ success: true, deleted: r.changes });
+    });
+    app.post('/api/webauthn/settings', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const required = req.body?.required_for_withdraw ? 1 : 0;
+        // 开启前必须至少有 1 个 credential
+        if (required) {
+            const n = db.prepare('SELECT COUNT(*) as n FROM webauthn_credentials WHERE user_id = ?').get(user.id).n;
+            if (n === 0)
+                return void res.status(400).json({ error: '请先注册至少一个 Passkey' });
+        }
+        db.prepare('UPDATE users SET webauthn_required_for_withdraw = ? WHERE id = ?').run(required, user.id);
+        res.json({ success: true, required_for_withdraw: !!required });
+    });
+}

package/dist/pwa/routes/webhooks.js ADDED Viewed

@@ -0,0 +1,162 @@
+import { createHmac } from 'node:crypto';
+import { isPrivateOrInternalHost } from '../security/ssrf.js';
+export const WEBHOOK_EVENT_TYPES = [
+    'order.created', 'order.paid', 'order.shipped', 'order.delivered', 'order.completed', 'order.disputed',
+    'wish.claimed', 'wish.proof', 'wish.confirmed', 'wish.repay', 'wish.repay_resp',
+    'rfq.bid_received', 'rfq.awarded',
+    'charity.donation', 'charity.fund_redirect',
+];
+// P2.2 失败通知：连续 5 次失败 → 自动 active=0 + 通知用户
+function recordWebhookFailure(db, generateId, sub, errMsg) {
+    db.prepare(`UPDATE webhook_subscriptions SET fail_count = fail_count + 1, last_error = ?, last_fired_at = datetime('now') WHERE id = ?`).run(errMsg, sub.id);
+    const after = db.prepare(`SELECT fail_count, active FROM webhook_subscriptions WHERE id = ?`).get(sub.id);
+    if (after.active && after.fail_count > 0 && after.fail_count % 5 === 0) {
+        try {
+            db.prepare(`INSERT INTO notifications (id, user_id, type, title, body, created_at)
+                  VALUES (?,?,'webhook_fail',?,?,datetime('now'))`)
+                .run(generateId('ntf'), sub.user_id, `⚠ Webhook 连续 ${after.fail_count} 次失败`, `${sub.event_type} → ${String(sub.target_url).slice(0, 60)}... · ${errMsg}`);
+        }
+        catch (e) {
+            console.error('[webhook notify fail]', e);
+        }
+        // 失败 >= 20 次 → 自动暂停
+        if (after.fail_count >= 20) {
+            db.prepare(`UPDATE webhook_subscriptions SET active = 0 WHERE id = ?`).run(sub.id);
+        }
+    }
+}
+// 触发 webhook 投递（v1 同步 fetch，超时 5s）
+// 跨域 API — charity / RFQ / orders 等通过此函数广播事件
+export async function fireWebhooks(db, generateId, eventType, payload, userIds) {
+    const where = userIds && userIds.length
+        ? `event_type = ? AND active = 1 AND user_id IN (${userIds.map(() => '?').join(',')})`
+        : `event_type = ? AND active = 1`;
+    const args = [eventType, ...(userIds || [])];
+    const subs = db.prepare(`SELECT * FROM webhook_subscriptions WHERE ${where}`).all(...args);
+    for (const sub of subs) {
+        // P1.1 SSRF：投递前再次校验（防止旧订阅或 DB 直改绕过创建时检查）
+        if (isPrivateOrInternalHost(String(sub.target_url))) {
+            db.prepare(`UPDATE webhook_subscriptions SET fail_count = fail_count + 1, last_error = ?, active = 0 WHERE id = ?`)
+                .run('blocked: private/internal host', sub.id);
+            continue;
+        }
+        const body = JSON.stringify({ event: eventType, payload, ts: new Date().toISOString() });
+        const sig = sub.secret ? createHmac('sha256', String(sub.secret)).update(body).digest('hex') : null;
+        try {
+            const ctrl = new AbortController();
+            const tm = setTimeout(() => ctrl.abort(), 5000);
+            const r = await fetch(String(sub.target_url), {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json', ...(sig ? { 'X-WebAZ-Signature': sig } : {}) },
+                body, signal: ctrl.signal,
+            });
+            clearTimeout(tm);
+            if (r.ok) {
+                db.prepare(`UPDATE webhook_subscriptions SET fire_count = fire_count + 1, last_fired_at = datetime('now'), last_error = NULL WHERE id = ?`).run(sub.id);
+            }
+            else {
+                recordWebhookFailure(db, generateId, sub, 'HTTP ' + r.status);
+            }
+        }
+        catch (e) {
+            recordWebhookFailure(db, generateId, sub, String(e.message).slice(0, 200));
+        }
+    }
+}
+export function registerWebhookRoutes(app, deps) {
+    const { db, auth, generateId, rateLimitOk } = deps;
+    // POST 订阅
+    app.post('/api/webhooks', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (!rateLimitOk(req.ip || '', 10, 60_000))
+            return void res.status(429).json({ error: '请求过于频繁' });
+        const body = req.body;
+        const url = String(body.target_url || '').trim();
+        const eventType = String(body.event_type || '').trim();
+        const secret = body.secret ? String(body.secret).slice(0, 200) : null;
+        if (!url.startsWith('https://'))
+            return void res.json({ error: 'target_url 必须以 https:// 开头' });
+        if (url.length > 500)
+            return void res.json({ error: 'URL 过长' });
+        // P1.1 SSRF 修复：拒绝私网/localhost/metadata 端点
+        if (isPrivateOrInternalHost(url))
+            return void res.json({ error: 'target_url 不可指向私网/localhost/内部地址' });
+        if (!WEBHOOK_EVENT_TYPES.includes(eventType))
+            return void res.json({ error: '不支持的 event_type' });
+        // 每用户最多 20 个订阅
+        const cnt = db.prepare(`SELECT COUNT(1) as n FROM webhook_subscriptions WHERE user_id = ?`).get(user.id).n;
+        if (cnt >= 20)
+            return void res.json({ error: '订阅数量上限 20' });
+        const id = generateId('whk');
+        db.prepare(`INSERT INTO webhook_subscriptions (id, user_id, event_type, target_url, secret) VALUES (?,?,?,?,?)`)
+            .run(id, user.id, eventType, url, secret);
+        res.json({ id, event_type: eventType, target_url: url });
+    });
+    // GET 我的订阅
+    app.get('/api/webhooks', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const items = db.prepare(`SELECT id, event_type, target_url, active, last_fired_at, fire_count, fail_count, last_error, created_at
+                              FROM webhook_subscriptions WHERE user_id = ? ORDER BY created_at DESC`).all(user.id);
+        res.json({ items, event_types: WEBHOOK_EVENT_TYPES });
+    });
+    // DELETE
+    app.delete('/api/webhooks/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const r = db.prepare(`DELETE FROM webhook_subscriptions WHERE id = ? AND user_id = ?`).run(req.params.id, user.id);
+        if (r.changes === 0)
+            return void res.json({ error: '订阅不存在或非你所有' });
+        res.json({ ok: true });
+    });
+    // PATCH active toggle
+    app.patch('/api/webhooks/:id', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const active = req.body.active ? 1 : 0;
+        const r = db.prepare(`UPDATE webhook_subscriptions SET active = ? WHERE id = ? AND user_id = ?`).run(active, req.params.id, user.id);
+        if (r.changes === 0)
+            return void res.json({ error: '订阅不存在' });
+        res.json({ ok: true, active });
+    });
+    // P2.4 测试端点：subscribe 前先验 endpoint 可达 + 不私网
+    app.post('/api/webhooks/test', async (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        if (!rateLimitOk(req.ip || '', 5, 60_000))
+            return void res.status(429).json({ error: '请求过于频繁' });
+        const body = req.body;
+        const url = String(body.target_url || '').trim();
+        const secret = body.secret ? String(body.secret).slice(0, 200) : null;
+        if (!url.startsWith('https://'))
+            return void res.json({ ok: false, error: 'target_url 必须 https://' });
+        if (isPrivateOrInternalHost(url))
+            return void res.json({ ok: false, error: 'target_url 不可指向私网/localhost/内部地址' });
+        const payload = JSON.stringify({ event: 'webaz.test_ping', payload: { hello: 'from WebAZ', user_id: user.id }, ts: new Date().toISOString() });
+        const sig = secret ? createHmac('sha256', secret).update(payload).digest('hex') : null;
+        try {
+            const ctrl = new AbortController();
+            const tm = setTimeout(() => ctrl.abort(), 5000);
+            const t0 = Date.now();
+            const r = await fetch(url, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json', ...(sig ? { 'X-WebAZ-Signature': sig } : {}) },
+                body: payload, signal: ctrl.signal,
+            });
+            clearTimeout(tm);
+            const ms = Date.now() - t0;
+            if (r.ok)
+                return void res.json({ ok: true, status: r.status, ms });
+            return void res.json({ ok: false, status: r.status, ms, error: 'HTTP ' + r.status });
+        }
+        catch (e) {
+            return void res.json({ ok: false, error: String(e.message).slice(0, 200) });
+        }
+    });
+}