Fix audit backlog: upvotes, library sort, job double-run, 简繁, perf split, tests

User-visible bugs:
- Upvotes always 0: feed + comments now merge live votes-table COUNT(*)
  (functions/routes/social.ts), not the never-incremented up column.
- Dead library sort: listBooks computes readsN (distinct readers from progress)
  and liners (highlights), sorts in SQL, and exposes createdAt
  (functions/lib/catalog.ts).
- Platform job double-run: runPlatformJob claims atomically
  (WHERE status!='running' OR started_at<stale); runDuePlatformJobs also sweeps
  stale 'running' jobs so a crashed run is recovered, not lost (functions/lib/platform.ts).
- 简→繁 wrong chars: ambiguous chars default to the common reading (后→後,
  里→裡, 余→餘) with exception phrases (皇后/公里/头发), applied via a placeholder
  pass so phrase output survives the char map (src/lib/zh-convert.js).

Perf:
- @mysten/sui + @simplewebauthn dynamic-imported in the sign-in/subscribe
  handlers → first-paint main chunk ~91KB → ~57KB gzip (onboarding/cli-auth/profile).

Tests:
- Extract money/auth checks to functions/lib/verify.mjs (Stripe HMAC, Sui payment
  match, constant-time compare, nonce binding); behavioral tests in
  test/verify.test.mjs — previously zero executed-code coverage.

docs/AUDIT.md records the full audit + remaining backlog. Adversarially reviewed;
the review's one finding (crash-recovery regression in the job claim) is fixed above.
typecheck + build + tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: DaviRain-Su

docs/AUDIT.md

@@ -0,0 +1,92 @@
+# Liber — Code Audit (2026-05-31)
+
+A multi-dimension audit (security, correctness, architecture, data/migrations,
+tests/CI, ops, product/UX/a11y, performance) of the Cloudflare Pages app. Each
+finding was grounded in real code and adversarially re-verified. Severities are
+the post-verification ratings.
+
+## Fixed
+
+### Security & cost (commits 1792e2c, 0e380f0, 387c5b8)
+- **CORS info-disclosure** — `functions/api/[[route]].ts` reflected an arbitrary
+  `Origin` with `credentials:true`, letting any third-party site read a logged-in
+  user's private JSON (`/api/auth/me`, `/api/ai/conversations`). Now an explicit
+  allowlist (liber-99x.pages.dev + preview subdomains + localhost + `ALLOWED_ORIGINS`).
+- **Privilege escalation** — any wallet user could self-mint a CLI token
+  (`/auth/cli/token`) that `platformAuth`/`adminAuth` treated as `ADMIN_TOKEN`.
+  Platform/graph (infra/cost) endpoints now require `ADMIN_TOKEN` (constant-time)
+  or a CLI token from an `ADMIN_WALLETS`-listed wallet. Book *publishing* still
+  accepts any CLI token (its intended use).
+- **SSRF** — `/books/ingest` fetched an unvalidated `sourceUrl`. Now restricted to
+  an https public-domain host allowlist (`INGEST_HOSTS` to extend); private/loopback
+  hosts rejected.
+- **Wallet-login replay** — `/auth/verify` did not bind the signed message to the
+  nonce. It now requires the message to equal the exact server template
+  (`loginMessage`), and the nonce is single-use.
+- **AI cost-abuse** — cookieless `/ai/chat` + `/platform/search` ran Workers AI
+  unmetered. Now per-IP rate-limited (`AI_RATE_PER_MIN`, default 20/min) via a D1
+  atomic counter (migration `0011_rate_limits`). NOTE: Cloudflare KV is **not**
+  usable for this (eventually-consistent reads); Cloudflare's native Rate Limiting
+  binding is **not** supported in Pages config. For hard burst limits, enable AI
+  Gateway rate limiting (`AI_GATEWAY_ID`).
+- **Translation cache poisoning** — an empty (non-throwing) AI response was cached
+  as a real translation forever. `functions/lib/ai.ts` now flags it `error:true` so
+  the route skips the cache write.
+
+### User-visible bugs & quality (this batch)
+- **Upvotes always 0** — the feed hardcoded shares to `up:0` and the comments list
+  returned the stale `up` column, despite votes existing in the `votes` table. Both
+  now merge live `COUNT(*)` (`functions/routes/social.ts`).
+- **Dead library sort** — real books had `readsN`/`liners` hardcoded to 0 and
+  `created_at` dropped, so "最多人读 / 划线最多 / 最近上链" did nothing. `listBooks`
+  now computes the metrics (distinct readers from `progress`, highlights from
+  `highlights`) and sorts in SQL; books carry `createdAt` (`functions/lib/catalog.ts`).
+- **Platform job double-run** — `runPlatformJob` had no claim guard, so the queue
+  consumer and `/jobs/drain` could execute the same job twice. It now claims
+  atomically (`UPDATE ... WHERE id=? AND status!='running'`, check `meta.changes`)
+  (`functions/lib/platform.ts`).
+- **Simplified→traditional wrong chars** — S2T was a lossy reverse of a many-to-one
+  map. Ambiguous chars now default to their most-common traditional form (后→後,
+  里→裡, 余→餘) with exception phrases for the rest (皇后→皇后, 公里→公里, 头发→頭髮),
+  applied via a placeholder pass so phrase output survives the char map
+  (`src/lib/zh-convert.js`).
+
+### Performance & tests (this batch)
+- **First-paint bundle** — `@mysten/sui` (~32 kB gzip) and `@simplewebauthn` were
+  in the main chunk. Now dynamic-imported in the sign-in/subscribe handlers
+  (`product-onboarding.jsx`, `cli-auth.jsx`, `product-profile.jsx`) → main chunk
+  dropped ~91 kB → ~57 kB gzip; the Sui SDK loads only on sign-in.
+- **Tests** — extracted the money/auth verification into `functions/lib/verify.mjs`
+  (Stripe HMAC, Sui payment matching, constant-time compare, nonce binding) with
+  behavioral tests in `test/verify.test.mjs` — previously zero executed-code coverage.
+
+## Backlog (confirmed, not yet fixed)
+
+- **MED (arch)** — `Reader()` is a ~927-line god component (45 useState / 23
+  useEffect, `src/components/product-reader.jsx`). Biggest future-velocity tax.
+- **MED (tests)** — auth/session, AI parsing, graph echoes, and platform job state
+  still have no runtime tests; many `functions/` tests only string-grep source.
+  No vitest/miniflare harness.
+- **MED (perf)** — no route-level code-splitting (~20 screens eager); Google Fonts
+  render-blocking `@import`; JSON GETs (`/books`, `/charts`) lack `Cache-Control`;
+  `getChapters` does serial R2 reads (N+1).
+- **MED (ops)** — no error tracking/alerting (≈4 `console.*` total); the platform
+  queue has no dead-letter queue; AI Gateway off by default; `db:migrate` re-runs
+  all migrations by hand (safe only while every migration is `IF NOT EXISTS`).
+- **MED (a11y)** — book-grid cards and AppBar nav are `div`/`a`+`onClick` with no
+  role/tabIndex/keyboard support.
+- **LOW** — dual catalog source-of-truth (`window.BOOKS` vs `catalog.js`);
+  duplicated `profileRef`/seed-fallback helpers; dead `Placeholder` export;
+  embeddings ledger records the first vector's dim for all sids; "最近上链" frontend
+  sort branch still missing (backend now provides `createdAt`).
+
+Verifier **refuted** one finding: the knowledge-graph pipeline is not
+"misconfigured/inert" — it is a deliberate, consistently flag-gated
+(`GRAPH_ENABLED`) pre-launch feature.
+
+## Methodology
+
+8 parallel auditors read real code and reported findings with `file:line`; every
+critical/high finding was re-verified by an independent adversarial agent against
+the cited code (which down-rated several and refuted one). Deploys are local
+(`npm run deploy`); migrations are applied by hand (`npm run db:migrate`).

functions/lib/auth.ts

@@ -9,6 +9,7 @@ import { getCookie } from "hono/cookie";
 import type { Env, Variables } from "./types";
 import { first, run, id, now } from "./db";
 import { chain } from "./chains";
+import { timingSafeEqual } from "./verify.mjs";
 
 type Ctx = Context<{ Bindings: Env; Variables: Variables }>;
 
@@ -80,13 +81,9 @@ export async function createCliPublishToken(env: Env, user: UserRow): Promise<{
   return { token, expiresIn: CLI_TOKEN_TTL };
 }
 
-// Constant-time string compare — avoids leaking ADMIN_TOKEN via response timing.
-export function constantTimeEqual(a?: string | null, b?: string | null): boolean {
-  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
-  return diff === 0;
-}
+// Constant-time string compare (shared, unit-tested impl in verify.mjs) —
+// avoids leaking ADMIN_TOKEN via response timing.
+export const constantTimeEqual = timingSafeEqual;
 
 // Extract a Bearer token from the Authorization header, or null.
 export function bearerToken(c: Ctx): string | null {

functions/lib/catalog.ts

@@ -409,6 +409,7 @@ export function normalizeBook(row: any) {
     long: row.description ?? row.long ?? "",
     featured: !!row.featured,
     dynamic: row.dynamic ?? true,
+    createdAt: Number(row.created_at ?? row.createdAt ?? 0) || 0,
     license: row.license ?? "CC0-1.0",
     sourceUrl: row.source_url ?? row.sourceUrl ?? "",
     hasEpub: Boolean(
@@ -445,23 +446,33 @@ export async function countBooks(env: Env, opts: { cat?: string } = {}) {
 export async function listBooks(env: Env, opts: { cat?: string; sort?: string; limit?: number } = {}) {
   const cat = scopedCategory(opts.cat);
   const limit = Math.max(1, Math.min(Number(opts.limit) || 1000, 2000));
-  const sql = `SELECT id, title, subtitle, author, category, lang, year, pages, words AS words_count,
-                      cover_class, seal, blurb, description, featured, walrus, arweave, sui_index,
-                      license, source_url, created_at
-               FROM library_books
-               ${cat ? "WHERE category = ?" : ""}
-               ORDER BY created_at DESC
+  // Sort in SQL on real metrics so the ranking is correct even with a LIMIT.
+  // readsN = distinct readers (progress), liners = total highlights.
+  const sort = opts.sort || "reads";
+  const order =
+    sort === "lines" || sort === "划线最多" ? "liners DESC, lb.created_at DESC"
+      : sort === "recent" || sort === "new" || sort === "最近上链" ? "lb.created_at DESC"
+        : "readsN DESC, lb.created_at DESC";
+  const sql = `SELECT lb.id, lb.title, lb.subtitle, lb.author, lb.category, lb.lang, lb.year, lb.pages,
+                      lb.words AS words_count, lb.cover_class, lb.seal, lb.blurb, lb.description,
+                      lb.featured, lb.walrus, lb.arweave, lb.sui_index, lb.license, lb.source_url,
+                      lb.created_at,
+                      COALESCE(p.readers, 0) AS readsN,
+                      COALESCE(h.lines_n, 0) AS liners
+               FROM library_books lb
+               LEFT JOIN (SELECT book_id, COUNT(DISTINCT user_id) AS readers FROM progress GROUP BY book_id) p ON p.book_id = lb.id
+               LEFT JOIN (SELECT book_id, COUNT(*) AS lines_n FROM highlights GROUP BY book_id) h ON h.book_id = lb.id
+               ${cat ? "WHERE lb.category = ?" : ""}
+               ORDER BY ${order}
                LIMIT ?`;
-  const rows = await all<any>(
-    env.DB,
-    sql,
-    ...(cat ? [cat, limit] : [limit]),
-  );
+  const rows = await all<any>(env.DB, sql, ...(cat ? [cat, limit] : [limit]));
   const dynamic = rows.map(normalizeBook);
-  let list = dynamic.length ? dynamic : S.BOOKS.map((b) => ({ ...b, dynamic: false }));
-  if (cat && !dynamic.length) list = list.filter((b) => b.cat === cat);
-  if (opts.sort === "lines") list = [...list].sort((a, b) => b.liners - a.liners);
-  else list = [...list].sort((a, b) => b.readsN - a.readsN);
+  if (dynamic.length) return dynamic;
+  // seed fallback (no live catalog yet)
+  let list = S.BOOKS.map((b) => ({ ...b, dynamic: false }));
+  if (cat) list = list.filter((b) => b.cat === cat);
+  if (sort === "lines" || sort === "划线最多") list = [...list].sort((a, b) => (b.liners || 0) - (a.liners || 0));
+  else if (!(sort === "recent" || sort === "new" || sort === "最近上链")) list = [...list].sort((a, b) => (b.readsN || 0) - (a.readsN || 0));
   return list;
 }
 

functions/lib/platform.ts

@@ -378,12 +378,27 @@ export async function renderShareCard(env: Env, payload: Record<string, unknown>
   return { id: assetId, key, contentType: "image/png", width: 1200, height: 630 };
 }
 
+// A job 'running' longer than this is treated as crashed (its isolate was
+// evicted / timed out before the failure branch ran) and becomes re-claimable.
+// Far longer than any real platform job, so a live job is never reclaimed.
+const PLATFORM_JOB_STALE_MS = 10 * 60 * 1000;
+
 export async function runPlatformJob(env: Env, input: string | PlatformQueueMessage) {
   const jobId = typeof input === "string" ? input : input.id;
   const row = await first<any>(env.DB, `SELECT * FROM platform_jobs WHERE id = ?`, jobId);
   if (!row) throw new Error("未找到任务");
   const payload = parsePayload(row.payload);
-  await run(env.DB, `UPDATE platform_jobs SET status = 'running', attempts = attempts + 1, started_at = ?, updated_at = ? WHERE id = ?`, now(), now(), jobId);
+  // Atomically claim the job so concurrent callers (queue consumer vs /jobs/drain
+  // vs /jobs/:id/run) cannot both execute it (double share-card render / double
+  // Vectorize upsert). The claim also reclaims a job stuck 'running' past
+  // PLATFORM_JOB_STALE_MS — a crashed prior run — which would otherwise never
+  // complete (the queue silently acks the skipped retry; there is no DLQ).
+  const claim = await run(
+    env.DB,
+    `UPDATE platform_jobs SET status = 'running', attempts = attempts + 1, started_at = ?, updated_at = ? WHERE id = ? AND (status != 'running' OR started_at < ?)`,
+    now(), now(), jobId, now() - PLATFORM_JOB_STALE_MS,
+  );
+  if (!claim.meta?.changes) return { id: jobId, status: "running", skipped: true, reason: "任务已在执行中" };
   try {
     const result = row.type === "index-book"
       ? await indexBookSemantics(env, String(row.target_id || payload.bookId || ""))
@@ -414,12 +429,16 @@ export async function runPlatformJob(env: Env, input: string | PlatformQueueMess
 }
 
 export async function runDuePlatformJobs(env: Env, limit = 5) {
+  // Pick up due queued jobs, plus jobs stuck 'running' past the stale window
+  // (crashed prior runs) so they get re-claimed and completed rather than lost.
   const rows = await all<any>(
     env.DB,
     `SELECT id FROM platform_jobs
-     WHERE status = 'queued' AND (run_after IS NULL OR run_after <= ?)
+     WHERE (status = 'queued' AND (run_after IS NULL OR run_after <= ?))
+        OR (status = 'running' AND started_at IS NOT NULL AND started_at < ?)
      ORDER BY priority DESC, created_at ASC LIMIT ?`,
     now(),
+    now() - PLATFORM_JOB_STALE_MS,
     Math.max(1, Math.min(limit, 20)),
   );
   const results: any[] = [];

functions/lib/verify.mjs

@@ -0,0 +1,70 @@
+// Pure security/verification helpers, shared by the routes and unit-tested in
+// test/verify.test.mjs. Written as plain ESM JS (not .ts) so `node --test` on
+// CI (node 20, no type-stripping) can import it directly; the .ts routes import
+// it via allowJs. These are the app's highest-value money/auth checks, so they
+// live in one tested place rather than inline in route handlers.
+import { normalizeSuiAddress } from "@mysten/sui/utils";
+
+// Constant-time string compare — avoids leaking a secret (ADMIN_TOKEN, an HMAC)
+// via response timing. Returns false for non-strings or length mismatch.
+export function timingSafeEqual(a, b) {
+  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
+  let out = 0;
+  for (let i = 0; i < a.length; i++) out |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return out === 0;
+}
+
+export async function hmacHex(secret, payload) {
+  const enc = new TextEncoder();
+  const key = await crypto.subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+  const sig = await crypto.subtle.sign("HMAC", key, enc.encode(payload));
+  return [...new Uint8Array(sig)].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// Stripe webhook signature: HMAC-SHA256 over `${t}.${body}`, compared in
+// constant time against any v1 signature in the stripe-signature header.
+export async function validStripeSignature(secret, header, body) {
+  if (!secret || !header) return false;
+  const parts = header.split(",").map((p) => p.split("="));
+  const timestamp = parts.find(([k]) => k === "t")?.[1];
+  const sigs = parts.filter(([k]) => k === "v1").map(([, v]) => v);
+  if (!timestamp || !sigs.length) return false;
+  const expected = await hmacHex(secret, `${timestamp}.${body}`);
+  return sigs.some((sig) => timingSafeEqual(sig, expected));
+}
+
+export function ownerAddress(owner) {
+  if (typeof owner === "string") return owner;
+  if (owner?.AddressOwner) return owner.AddressOwner;
+  if (owner?.addressOwner) return owner.addressOwner;
+  return null;
+}
+
+export function sameSuiAddress(a, b) {
+  if (!a || !b) return false;
+  try {
+    return normalizeSuiAddress(a) === normalizeSuiAddress(b);
+  } catch {
+    return a.toLowerCase() === b.toLowerCase();
+  }
+}
+
+// True when `balanceChanges` shows at least `amount` (atomic units) of
+// `coinType` credited to `treasury`. Mirrors the /crypto/confirm payment check
+// so a forged/short/wrong-coin transfer cannot unlock Pro.
+export function paymentReceived(balanceChanges, { coinType, treasury, amount }) {
+  let need;
+  try { need = BigInt(amount); } catch { return false; }
+  return (balanceChanges || []).some((bc) => {
+    if (bc.coinType !== coinType) return false;
+    if (!sameSuiAddress(ownerAddress(bc.owner), treasury)) return false;
+    try { return BigInt(bc.amount) >= need; } catch { return false; }
+  });
+}
+
+// The exact message a wallet must sign to log in. Issued by /auth/nonce and
+// re-derived by /auth/verify, which rejects a signature whose message does not
+// equal this — binding the signature to the single-use nonce (anti-replay).
+export function loginMessage(nonce) {
+  return `Liber 登录\nnonce: ${nonce}`;
+}

functions/routes/auth.ts

@@ -10,6 +10,7 @@ import {
   passkeyRegisterOptions, passkeyRegisterVerify, passkeyLoginOptions, passkeyLoginVerify,
 } from "../lib/passkey";
 import { readingStats } from "../lib/reading-summary";
+import { loginMessage } from "../lib/verify.mjs";
 import { run } from "../lib/db";
 
 const auth = new Hono<{ Bindings: Env; Variables: Variables }>();
@@ -19,7 +20,7 @@ const cookieOpts = { httpOnly: true, secure: true, sameSite: "Lax" as const, max
 // 1) request a nonce + the message the wallet should sign
 auth.post("/nonce", async (c) => {
   const nonce = await issueNonce(c.env);
-  return c.json({ nonce, message: `Liber 登录\nnonce: ${nonce}` });
+  return c.json({ nonce, message: loginMessage(nonce) });
 });
 
 // 2) verify a wallet signature via the active chain adapter, then mint a session.
@@ -29,7 +30,7 @@ auth.post("/verify", async (c) => {
   // server-issued message template (see /nonce). Without this, message/nonce are
   // independent fields and a captured (message, signature) pair could be replayed
   // with a freshly requested nonce. The nonce itself is single-use (consumed).
-  if (typeof message !== "string" || message !== `Liber 登录\nnonce: ${nonce}`) {
+  if (typeof message !== "string" || message !== loginMessage(nonce)) {
     return c.json({ error: "签名消息与 nonce 不匹配" }, 400);
   }
   if (!(await consumeNonce(c.env, nonce))) return c.json({ error: "nonce 无效或已过期" }, 400);