feat: 初始化项目结构并添加核心功能模块

- 新增文档模板和导航结构
- 实现服务器基础API路由和控制器
- 添加扩展插件配置和前端框架
- 引入多租户和权限管理模块
- 集成日志和数据库配置
- 添加核心业务模型和类型定义

server/src/api/routes/ai.ts

@@ -0,0 +1,190 @@
+import { Router } from 'express';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { AIController } from '../controllers/AIController';
+
+const router = Router();
+
+/**
+ * [UX_FE_CLEANUP_02] AI 控制台交互
+ */
+router.post('/chat', requireTraceContext, AIController.chat);
+
+/**
+ * [CORE_AI_20] 联邦学习指标 API
+ */
+router.get('/federated/metrics', requireTraceContext, requirePermission('audit:read'), AIController.getFederatedMetrics);
+
+/**
+ * [BIZ_AI_10] AI 经营分析 API
+ */
+router.get('/analysis/context', requireTraceContext, requirePermission('trade:read'), AIController.getAnalysisContext);
+router.get('/analysis/prompt', requireTraceContext, requirePermission('trade:read'), AIController.getAnalysisPrompt);
+
+/**
+ * [UX_XAI_01] AI 决策可解释性看板 (Explainable AI Dashboard)
+ */
+router.get('/decision/logic/:traceId', requireTraceContext, AIController.getDecisionLogicChain);
+router.get('/decision/narrative/:traceId', requireTraceContext, AIController.getDecisionNarrative);
+router.get('/decision/traces', requireTraceContext, requirePermission('audit:read'), AIController.getDecisionTraces);
+router.get('/decision/summary', requireTraceContext, requirePermission('audit:read'), AIController.getDecisionSummary);
+router.get('/decision/narrative/:traceId/stream', requireTraceContext, AIController.streamNarrative);
+
+/**
+ * [CORE_AI_22] 情感分析与评论生成
+ */
+router.post('/sentiment/analyze', requireTraceContext, requirePermission('product:read'), AIController.analyzeSentiment);
+
+/**
+ * [CORE_AI_28] 风格自动对齐
+ */
+router.post('/style/align', requireTraceContext, requirePermission('product:write'), AIController.alignStyle);
+
+/**
+ * [CORE_AI_32] 视频自动切片与卖点提取
+ */
+router.post('/video/highlight', requireTraceContext, requirePermission('product:write'), AIController.processVideo);
+
+/**
+ * [CORE_AI_33] 语义漂移检测
+ */
+router.post('/semantic/drift-detect', requireTraceContext, requirePermission('product:read'), AIController.detectSemanticDrift);
+
+/**
+ * [CORE_SEC_12] Prompt 指令安全扫描
+ */
+router.post('/security/prompt-scan', requireTraceContext, AIController.scanPrompt);
+
+/**
+ * [CORE_SEC_15] TEE 硬件隔离任务执行
+ */
+router.post('/security/tee-execute', requireTraceContext, requirePermission('admin:all'), AIController.runTEEProtectedTask);
+
+/**
+ * [CORE_SEC_16] DID 安全握手
+ */
+router.post('/security/did-handshake', requireTraceContext, requirePermission('admin:all'), AIController.initiateDIDHandshake);
+
+/**
+ * [CORE_SEC_21] AGI 熔断控制
+ */
+router.post('/security/agi-kill-switch', requireTraceContext, requirePermission('admin:all'), AIController.toggleKillSwitch);
+
+/**
+ * [CORE_AGI_01] 代理自我进化
+ */
+router.post('/agi/evolve', requireTraceContext, requirePermission('product:write'), AIController.triggerSelfEvolution);
+
+/**
+ * [BIZ_GOV_07] 配额与熔断检查
+ */
+router.post('/governance/quota-check', requireTraceContext, AIController.checkQuota);
+
+/**
+ * [CORE_AGI_03] 获取对手认知画像
+ */
+router.get('/agi/profile/:counterpartyId', requireTraceContext, requirePermission('trade:read'), AIController.getCounterpartyProfile);
+
+/**
+ * [CORE_DEV_35] 申请弹性算力资源
+ */
+router.post('/agi/compute/schedule', requireTraceContext, requirePermission('admin:all'), AIController.scheduleComputeJob);
+
+/**
+ * [BIZ_AGI_META_01] 执行战略审计
+ */
+router.post('/agi/meta/audit', requireTraceContext, requirePermission('admin:all'), AIController.performStrategicAudit);
+
+/**
+ * [BIZ_MKT_AVATAR_01] 生成数字人直播剧本
+ */
+router.post('/agi/avatar/script', requireTraceContext, requirePermission('product:write'), AIController.generateLiveScript);
+
+/**
+ * [BIZ_ECO_COLLAB_01] 加入采购联盟
+ */
+router.post('/agi/alliance/join', requireTraceContext, requirePermission('trade:write'), AIController.joinSourcingAlliance);
+
+/**
+ * [BIZ_SOV_LEGAL_01] 审计贸易契约
+ */
+router.post('/agi/legal/audit', requireTraceContext, requirePermission('trade:write'), AIController.auditContract);
+
+/**
+ * [BIZ_TRADE_GEO_01] 执行地缘政治风险审计
+ */
+router.post('/agi/geo/audit', requireTraceContext, requirePermission('trade:read'), AIController.performGeopoliticalAudit);
+
+/**
+ * [BIZ_SOV_08] 跨主权资源共享
+ */
+router.post('/agi/sovereign/resource/publish', requireTraceContext, requirePermission('trade:write'), AIController.publishResource);
+router.get('/agi/sovereign/resource/match', requireTraceContext, requirePermission('trade:read'), AIController.findOptimalResource);
+
+/**
+ * [BIZ_ECO_06] 自治生产节点动态协调
+ */
+router.post('/agi/manufacturing/dispatch', requireTraceContext, requirePermission('trade:write'), AIController.dispatchProductionOrder);
+
+/**
+ * [BIZ_FIN_23] 跨主权多资产实时结算
+ */
+router.post('/agi/settlement/initiate', requireTraceContext, requirePermission('finance:write'), AIController.initiateSettlement);
+
+/**
+ * [BIZ_TRADE_23] 主权碳信用
+ */
+router.post('/agi/sovereign/carbon/issue', requireTraceContext, requirePermission('trade:write'), AIController.issueCarbonCredit);
+
+/**
+ * [BIZ_ECO_08] 自治危机管理
+ */
+router.post('/agi/sovereign/crisis/detect', requireTraceContext, requirePermission('trade:write'), AIController.detectCrisis);
+
+/**
+ * [BIZ_FIN_25] 主权财富基金
+ */
+router.post('/agi/sovereign/fund/inject', requireTraceContext, requirePermission('finance:write'), AIController.injectCapital);
+
+/**
+ * [BIZ_SOV_12] 主权声誉可移植性
+ */
+router.post('/agi/sovereign/reputation/token', requireTraceContext, requirePermission('trade:read'), AIController.generateReputationToken);
+
+/**
+ * [BIZ_AGI_META_02] 策略演化
+ */
+router.post('/agi/strategy/audit', requireTraceContext, requirePermission('trade:write'), AIController.performStrategyAudit);
+router.post('/agi/strategy/adopt', requireTraceContext, requirePermission('trade:write'), AIController.adoptStrategyPivot);
+
+/**
+ * [BIZ_AGI_UX_01] 决策因果叙述
+ */
+router.get('/agi/decision/narrative/:traceId', requireTraceContext, requirePermission('trade:read'), AIController.getDecisionNarrative);
+
+/**
+ * [CORE_DEV_30] 算力池状态
+ */
+router.get('/agi/compute/pool', requireTraceContext, requirePermission('admin:read'), AIController.getComputePoolStatus);
+
+/**
+ * [BIZ_TRADE_25] 履约路径编排
+ */
+router.post('/agi/fulfillment/orchestrate', requireTraceContext, requirePermission('trade:write'), AIController.orchestrateFulfillment);
+
+/**
+ * [CORE_DEV_20] 数据湖入库优化
+ */
+router.post('/datalake/optimize', requireTraceContext, requirePermission('admin:all'), AIController.optimizeDataLake);
+
+/**
+ * [CORE_DEV_23] 数据冷热分层迁移
+ */
+router.post('/datalake/tiering', requireTraceContext, requirePermission('admin:all'), AIController.migrateColdData);
+
+/**
+ * [CORE_DEV_22] 实时指标上报
+ */
+router.post('/metrics/report', requireTraceContext, AIController.reportMetric);
+
+export default router;

server/src/api/routes/arbitrage.ts

@@ -0,0 +1,21 @@
+import { Router } from 'express';
+import { ArbitrageController } from '../controllers/ArbitrageController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+
+const router = Router();
+
+/**
+ * [BIZ_ARB_01] & [UX_BI_05] 套利中心 API
+ */
+
+// 获取多维套利空间热力图
+router.get('/heatmap', requireTraceContext, requirePermission('analytics:view'), ArbitrageController.getHeatmap);
+
+// [CORE_AI_50] 多模态 AGI 视觉寻源
+router.post('/visual-sourcing', requireTraceContext, requirePermission('order:write'), ArbitrageController.visualSourcing);
+
+// 初始化数据库表
+router.post('/init', requireTraceContext, requirePermission('admin:all'), ArbitrageController.init);
+
+export default router;

server/src/api/routes/audit.ts

@@ -0,0 +1,41 @@
+import { Router } from 'express';
+import { AuditController } from '../controllers/AuditController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+
+const router = Router();
+
+router.get('/timeline', requireTraceContext, AuditController.getTimeline);
+router.get('/risk-profile', requireTraceContext, AuditController.getRiskProfile);
+
+/**
+ * [BIZ_AUDIT_11] 红蓝对抗
+ */
+router.post('/red-teaming/run', requireTraceContext, requirePermission('audit:write'), AuditController.runRedTeaming);
+
+/**
+ * [CORE_LOG_05] NL-Audit
+ */
+router.post('/nl-query', requireTraceContext, requirePermission('audit:read'), AuditController.queryNLAudit);
+
+/**
+ * [UX_IAT_07] AI 决策解释
+ */
+router.get('/ai-explanations', requireTraceContext, AuditController.getAIExplanations);
+
+/**
+ * [CORE_TELE_08] API 成本账单
+ */
+router.get('/cost-bill', requireTraceContext, requirePermission('finance:read'), AuditController.getCostBill);
+
+/**
+ * [BIZ_AUDIT_12] AI 幻觉审计
+ */
+router.post('/hallucination', requireTraceContext, requirePermission('audit:write'), AuditController.auditHallucination);
+
+/**
+ * [CORE_TELE_09] 分布式追踪拓扑
+ */
+router.get('/telemetry/topo', requireTraceContext, requirePermission('audit:read'), AuditController.getTracingTopo);
+
+export default router;

server/src/api/routes/auth.ts

@@ -0,0 +1,24 @@
+import { Router } from 'express';
+import { AuthController } from '../controllers/AuthController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+
+const router = Router();
+
+/**
+ * [CORE_AUTH_01] 多租户身份中心路由
+ */
+
+// 公开接口
+router.post('/login', AuthController.login);
+router.post('/refresh', AuthController.refreshToken);
+router.post('/register', AuthController.register);
+router.post('/oauth2/token', AuthController.oauth2Token);
+
+// 需要认证的接口
+router.get('/me', requireTraceContext, AuthController.me);
+router.post('/mfa/enable', requireTraceContext, AuthController.enableMFA);
+router.post('/mfa/verify', requireTraceContext, AuthController.verifyMFA);
+router.get('/oauth2/authorize', requireTraceContext, AuthController.oauth2Authorize);
+router.post('/oauth2/client', requireTraceContext, AuthController.createOAuth2Client);
+
+export default router;

server/src/api/routes/billing.ts

@@ -0,0 +1,18 @@
+import { Router } from 'express';
+import { BillingController } from '../controllers/BillingController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+
+const router = Router();
+
+/**
+ * [BIZ_BILL_01] 企业配额与订阅计费中心 API
+ */
+
+// 激活/更新套餐 (需要财务/管理员权限)
+router.post('/subscribe', requireTraceContext, requirePermission('finance:write'), BillingController.subscribe);
+
+// 获取用量统计 (所有用户可看，但通常受租户隔离)
+router.get('/usage', requireTraceContext, BillingController.getUsage);
+
+export default router;

server/src/api/routes/biz.ts

@@ -0,0 +1,18 @@
+import { Router } from 'express';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { BizController } from '../controllers/BizController';
+
+const router = Router();
+
+/**
+ * [BIZ_START_01] 前期业务 API (Early Stage Business)
+ * @description 处理新手引导、极速刊登、店铺初始化等“冷启动”业务。
+ */
+router.get('/onboarding', requireTraceContext, BizController.getOnboarding);
+router.post('/localization/start', requireTraceContext, BizController.startLocalization); // [BIZ_TOC_01]
+router.post('/store/setup', requireTraceContext, requirePermission('tenant:setup'), BizController.setupStore);
+router.post('/listing/quick', requireTraceContext, requirePermission('product:write'), BizController.quickListing);
+router.get('/sourcing/radar', requireTraceContext, BizController.getSourcingRadar);
+
+export default router;

server/src/api/routes/chatbot.ts

@@ -0,0 +1,19 @@
+import { Router } from 'express';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { ChatBotController } from '../controllers/ChatBotController';
+
+const router = Router();
+
+/**
+ * [AI_CHAT_01] 智能客服机器人API
+ */
+router.post('/message', requireTraceContext, ChatBotController.handleMessage);
+router.get('/history', requireTraceContext, ChatBotController.getChatHistory);
+router.post('/train', requireTraceContext, requirePermission('admin:all'), ChatBotController.trainIntentModel);
+router.post('/init', requireTraceContext, requirePermission('admin:all'), ChatBotController.initChatBot);
+router.get('/health', (req, res) => {
+  res.json({ status: 'ok', service: 'ChatBotService' });
+});
+
+export default router;

server/src/api/routes/command.ts

@@ -0,0 +1,13 @@
+import { Router } from 'express';
+import { CommandCenterController } from '../controllers/CommandCenterController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+
+const router = Router();
+
+/**
+ * [UX_AUTO_01] AI 交互式指令台接口
+ */
+router.post('/submit', requireTraceContext, CommandCenterController.submitNaturalCommand);
+router.get('/status/:instanceId', requireTraceContext, CommandCenterController.getActiveCommandStatus);
+
+export default router;

server/src/api/routes/config.ts

@@ -0,0 +1,11 @@
+import { Router } from 'express';
+import { ConfigController } from '../controllers/ConfigController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+
+const router = Router();
+
+router.get('/', ConfigController.getAll);
+router.get('/:key', ConfigController.getByKey);
+router.put('/:key', requireTraceContext, ConfigController.update);
+
+export default router;

server/src/api/routes/console_lite.ts

@@ -0,0 +1,14 @@
+import { Router } from 'express';
+import { LiteConsoleController } from '../controllers/LiteConsoleController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+
+const router = Router();
+
+/**
+ * [UX_LITE_01] 极简控制台 API (Lite Console for Beginners)
+ * @description 核心逻辑：为新手卖家提供极简的一体化经营看板。
+ */
+router.get('/summary', requireTraceContext, LiteConsoleController.getSummary);
+router.get('/listings', requireTraceContext, LiteConsoleController.getListingHistory);
+
+export default router;

server/src/api/routes/creative.ts

@@ -0,0 +1,21 @@
+import { Router } from 'express';
+import { CreativeController } from '../controllers/CreativeController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+
+const router = Router();
+
+/**
+ * [BIZ_CRE_01] 多模态 AI 创作 API
+ */
+
+// 创建创作任务 (TTS/IMAGE/VIDEO)
+router.post('/tasks', requireTraceContext, requirePermission('order:write'), CreativeController.createTask);
+
+// 获取任务详情
+router.get('/tasks/:taskId', requireTraceContext, CreativeController.getTask);
+
+// 获取素材库
+router.get('/assets', requireTraceContext, CreativeController.getAssets);
+
+export default router;

server/src/api/routes/customer.ts

@@ -0,0 +1,33 @@
+import { Router } from 'express';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { CustomerController } from '../controllers/CustomerController';
+
+const router = Router();
+
+/**
+ * [BIZ_CRM_10] 智能售后与客户成功 API
+ */
+
+// 获取争议列表
+router.get('/disputes', requireTraceContext, requirePermission('order:read'), CustomerController.getDisputes);
+
+// 同步争议事件 (平台回调使用)
+router.post('/disputes/sync', requireTraceContext, requirePermission('order:write'), CustomerController.syncDispute);
+
+/**
+ * [BIZ_CSM_20] 多语言 AGI 智能客服 API
+ */
+
+// 触发自动回复
+router.post('/support/tickets/:ticketId/auto-reply', requireTraceContext, requirePermission('order:write'), CustomerController.autoReply);
+
+// 获取工单统计
+router.get('/support/stats', requireTraceContext, requirePermission('order:read'), CustomerController.getSupportStats);
+
+/**
+ * [BIZ_CUS_15] 多模态售后自动化处理 API
+ */
+router.post('/after-sales/auto-audit', requireTraceContext, requirePermission('order:write'), CustomerController.autoAudit);
+
+export default router;

server/src/api/routes/finance.ts

@@ -0,0 +1,134 @@
+import { Router } from 'express';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { CommodityHedgingService } from '../../services/CommodityHedgingService';
+import { PoolSourcingService } from '../../services/PoolSourcingService';
+import { SovereignCreditPoolService } from '../../services/SovereignCreditPoolService';
+import { SovereigntySettlementService } from '../../services/SovereigntySettlementService';
+import { PricingController } from '../controllers/PricingController';
+import { SettlementController } from '../controllers/SettlementController';
+
+const router = Router();
+
+/**
+ * [BIZ_ARB_01] 统一净利测算与风控
+ */
+router.post('/calculate', requireTraceContext, PricingController.calculate);
+
+/**
+ * [BIZ_FIN_12] 多币种汇率避险接口
+ */
+router.post('/fx/lock-rate', requireTraceContext, requirePermission('finance:write'), PricingController.lockRate);
+router.get('/fx/gain-loss', requireTraceContext, requirePermission('finance:read'), PricingController.getFXGainLoss);
+
+/**
+ * [BIZ_FIN_08] 实时毛利计算与分账引擎 (Settlement)
+ */
+router.get('/settlement/summary', requireTraceContext, requirePermission('finance:read'), SettlementController.getSummary);
+router.get('/settlement/:orderId', requireTraceContext, requirePermission('finance:read'), SettlementController.settleOrder);
+
+/**
+ * [BIZ_FIN_01] 财务对账链路
+ */
+router.get('/reconcile/:orderId', requireTraceContext, PricingController.reconcile);
+
+/**
+ * [BIZ_FIN_01] 租户账单回放
+ */
+router.get('/playback', requireTraceContext, PricingController.getPlayback);
+
+/**
+ * [BIZ_SOV_03] 跨平台资金主权结算 (Sovereignty Settlement)
+ */
+router.post('/sovereignty/settle', requireTraceContext, requirePermission('finance:write'), async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    const { amount, currency } = req.body;
+    const hash = await SovereigntySettlementService.initiateSettlement(tenantId, amount, currency, traceId);
+    res.json({ success: true, data: { settlementHash: hash } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+router.get('/sovereignty/history', requireTraceContext, requirePermission('finance:read'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const history = await SovereigntySettlementService.getSettlementHistory(tenantId);
+    res.json({ success: true, data: history });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_FIN_20] 基于主权身份的全球授信池 (Sovereign Credit Pool)
+ */
+router.post('/sovereignty/credit/init', requireTraceContext, requirePermission('finance:admin'), async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    await SovereignCreditPoolService.initializeCreditPool(tenantId, traceId);
+    res.json({ success: true, message: 'Sovereign credit pool initialized' });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+router.post('/sovereignty/credit/refresh', requireTraceContext, requirePermission('finance:admin'), async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    await SovereignCreditPoolService.refreshCreditLimit(tenantId, traceId);
+    res.json({ success: true, message: 'Sovereign credit limit refreshed based on latest reputation' });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_FIN_14] 大宗商品价格对冲 (Commodity Hedging)
+ */
+router.post('/hedging/create', requireTraceContext, requirePermission('finance:write'), async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    const { commodityType, quantity, strikePrice, expiryDate } = req.body;
+    const id = await CommodityHedgingService.createHedgingPosition(tenantId, commodityType, quantity, strikePrice, new Date(expiryDate), traceId);
+    res.json({ success: true, data: { positionId: id } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+router.get('/hedging/active', requireTraceContext, requirePermission('finance:read'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const positions = await CommodityHedgingService.getActivePositions(tenantId);
+    res.json({ success: true, data: positions });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_FIN_18] 跨租户集中采购议价池 (Pool Sourcing)
+ */
+router.post('/pool/join', requireTraceContext, requirePermission('finance:write'), async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    const { commodityType, quantity } = req.body;
+    await PoolSourcingService.joinPool(tenantId, commodityType, quantity, traceId);
+    res.json({ success: true, message: 'Joined procurement pool successfully' });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+router.get('/pool/active', requireTraceContext, requirePermission('finance:read'), async (req, res) => {
+  try {
+    const pools = await PoolSourcingService.getActivePools();
+    res.json({ success: true, data: pools });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+export default router;

server/src/api/routes/governance.ts

@@ -0,0 +1,30 @@
+import { Router } from 'express';
+import { GovernanceController } from '../controllers/GovernanceController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+
+const router = Router();
+
+/**
+ * [BIZ_GOV_06] 功能治理 API
+ */
+router.get('/flags', requireTraceContext, requirePermission('admin:all'), GovernanceController.getFeatureFlags);
+router.post('/flags/register', requireTraceContext, requirePermission('admin:all'), GovernanceController.registerFeature);
+router.post('/flags/toggle', requireTraceContext, requirePermission('admin:all'), GovernanceController.toggleFeature);
+router.post('/flags/override', requireTraceContext, requirePermission('admin:all'), GovernanceController.setTenantOverride);
+router.get('/flags/tenant/:tenantId', requireTraceContext, requirePermission('admin:all'), GovernanceController.getTenantOverrides);
+
+/**
+ * [FE_INBOX_01] 任务中心 API
+ */
+router.get('/tasks/pending', requireTraceContext, GovernanceController.getPendingTasks);
+router.post('/tasks/claim', requireTraceContext, GovernanceController.claimTask);
+router.post('/tasks/complete', requireTraceContext, GovernanceController.completeTask);
+
+/**
+ * [BIZ_AUDIT_RED_TEAMING] 红蓝对抗 API
+ */
+router.post('/redteam/run', requireTraceContext, requirePermission('admin:all'), GovernanceController.runRedTeamTests);
+router.get('/redteam/report', requireTraceContext, requirePermission('admin:all'), GovernanceController.getSecurityReport);
+
+export default router;

server/src/api/routes/image-recognition.ts

@@ -0,0 +1,75 @@
+import { Router } from 'express';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { ImageRecognitionController } from '../controllers/ImageRecognitionController';
+
+const router = Router();
+
+// 健康检查路由
+router.get('/health', async (req, res) => {
+  const controller = new ImageRecognitionController();
+  const result = await controller.healthCheck();
+  res.json(result);
+});
+
+// 图像识别路由（需要权限）
+router.post('/recognize', 
+  requireTraceContext,
+  requirePermission('image:recognize'),
+  async (req, res) => {
+    const controller = new ImageRecognitionController();
+    const result = await controller.recognizeImage(req.body);
+    res.status(result.status === 'error' ? 500 : 200).json(result);
+  }
+);
+
+// 批量图像识别路由
+router.post('/batch-recognize', 
+  requireTraceContext,
+  requirePermission('image:batch_recognize'),
+  async (req, res) => {
+    const controller = new ImageRecognitionController();
+    const result = await controller.batchRecognizeImages(req.body);
+    res.status(200).json(result);
+  }
+);
+
+// 获取识别历史路由
+router.get('/history', 
+  requireTraceContext,
+  requirePermission('image:read_history'),
+  async (req, res) => {
+    const controller = new ImageRecognitionController();
+    const { tenantId, limit } = req.query;
+    const result = await controller.getRecognitionHistory(
+      tenantId as string, 
+      limit ? parseInt(limit as string) : 50
+    );
+    res.json(result);
+  }
+);
+
+// 获取模型统计路由
+router.get('/stats', 
+  requireTraceContext,
+  requirePermission('image:read_stats'),
+  async (req, res) => {
+    const controller = new ImageRecognitionController();
+    const { tenantId } = req.query;
+    const result = await controller.getModelStats(tenantId as string);
+    res.json(result);
+  }
+);
+
+// 初始化服务路由（仅管理员）
+router.post('/init', 
+  requireTraceContext,
+  requirePermission('image:admin'),
+  async (req, res) => {
+    const controller = new ImageRecognitionController();
+    const result = await controller.initImageRecognition();
+    res.status(result.status === 'error' ? 500 : 200).json(result);
+  }
+);
+
+export default router;

server/src/api/routes/marketing.ts

@@ -0,0 +1,13 @@
+import { Router } from 'express';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { AdOpsController } from '../controllers/AdOpsController';
+
+const router = Router();
+
+// Ad Campaign Operations
+router.get('/campaigns', requireTraceContext, AdOpsController.getCampaigns);
+router.post('/sync-campaigns', requireTraceContext, requirePermission('marketing:write'), AdOpsController.syncCampaigns);
+router.post('/campaigns/:campaignId/optimize', requireTraceContext, requirePermission('marketing:write'), AdOpsController.optimizeBudget);
+
+export default router;

server/src/api/routes/nlp.ts

@@ -0,0 +1,97 @@
+import { Router } from 'express';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { NaturalLanguageProcessingController } from '../controllers/NaturalLanguageProcessingController';
+
+const router = Router();
+
+// 健康检查路由
+router.get('/health', async (req, res) => {
+  const controller = new NaturalLanguageProcessingController();
+  const result = await controller.healthCheck();
+  res.json(result);
+});
+
+// 单文本处理路由（需要权限）
+router.post('/process', 
+  requireTraceContext,
+  requirePermission('nlp:process'),
+  async (req, res) => {
+    const controller = new NaturalLanguageProcessingController();
+    const result = await controller.processText(req.body);
+    res.status(result.status === 'error' ? 500 : 200).json(result);
+  }
+);
+
+// 批量文本处理路由
+router.post('/batch-process', 
+  requireTraceContext,
+  requirePermission('nlp:batch_process'),
+  async (req, res) => {
+    const controller = new NaturalLanguageProcessingController();
+    const result = await controller.batchProcessTexts(req.body);
+    res.status(200).json(result);
+  }
+);
+
+// 语言检测路由
+router.post('/detect-language', 
+  requireTraceContext,
+  requirePermission('nlp:detect_language'),
+  async (req, res) => {
+    const controller = new NaturalLanguageProcessingController();
+    const result = await controller.detectLanguage(req.body);
+    res.json(result);
+  }
+);
+
+// 获取处理历史路由
+router.get('/history', 
+  requireTraceContext,
+  requirePermission('nlp:read_history'),
+  async (req, res) => {
+    const controller = new NaturalLanguageProcessingController();
+    const { tenantId, limit } = req.query;
+    const result = await controller.getProcessingHistory(
+      tenantId as string, 
+      limit ? parseInt(limit as string) : 50
+    );
+    res.json(result);
+  }
+);
+
+// 获取模型统计路由
+router.get('/stats', 
+  requireTraceContext,
+  requirePermission('nlp:read_stats'),
+  async (req, res) => {
+    const controller = new NaturalLanguageProcessingController();
+    const { tenantId } = req.query;
+    const result = await controller.getModelStats(tenantId as string);
+    res.json(result);
+  }
+);
+
+// 获取支持语言路由
+router.get('/supported-languages', 
+  requireTraceContext,
+  requirePermission('nlp:read_languages'),
+  async (req, res) => {
+    const controller = new NaturalLanguageProcessingController();
+    const result = await controller.getSupportedLanguages();
+    res.json(result);
+  }
+);
+
+// 初始化服务路由（仅管理员）
+router.post('/init', 
+  requireTraceContext,
+  requirePermission('nlp:admin'),
+  async (req, res) => {
+    const controller = new NaturalLanguageProcessingController();
+    const result = await controller.initNLP();
+    res.status(result.status === 'error' ? 500 : 200).json(result);
+  }
+);
+
+export default router;

server/src/api/routes/node.ts

@@ -0,0 +1,22 @@
+import { Router } from 'express';
+import { NodeController } from '../controllers/NodeController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+
+const router = Router();
+
+router.get('/', NodeController.getAll);
+
+/**
+ * [CORE_SEC_03/04] 节点安全下发通道与零信任身份
+ */
+router.post('/register', NodeController.register); // 公开注册接口 (PENDING 状态)
+router.post('/session', requireTraceContext, NodeController.requestSession);
+router.get('/credential', requireTraceContext, NodeController.getCredential);
+
+/**
+ * [FE_SEC_01] ZKP 隐私声誉证明 API
+ */
+router.get('/zkp/proof', requireTraceContext, NodeController.getZkpProof);
+router.post('/zkp/verify', requireTraceContext, NodeController.verifyZkpProof);
+
+export default router;

server/src/api/routes/order.ts

@@ -0,0 +1,79 @@
+import { Router } from 'express';
+import { OrderController } from '../controllers/OrderController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+
+const router = Router();
+
+/**
+ * [BIZ_OPS_01] 多平台订单实时同步 API
+ */
+
+// 平台 Webhook 接收 (不强制 traceContext，因为由平台推送，但可根据 Header 识别租户)
+router.post('/webhook/:platform', OrderController.handlePlatformWebhook);
+
+// 手动触发同步 (需权限)
+router.post('/sync', requireTraceContext, requirePermission('trade:write'), OrderController.triggerManualSync);
+
+// 获取订单统计 (需权限)
+router.get('/stats', requireTraceContext, requirePermission('trade:read'), OrderController.getStats);
+
+/**
+ * [ERP_ORD_01] 订单管理 API
+ */
+
+// 创建订单
+router.post('/', requireTraceContext, requirePermission('order:write'), OrderController.createOrder);
+
+// 获取订单详情
+router.get('/:id', requireTraceContext, requirePermission('order:read'), OrderController.getOrderById);
+
+// 更新订单
+router.put('/:id', requireTraceContext, requirePermission('order:write'), OrderController.updateOrder);
+
+// 删除订单
+router.delete('/:id', requireTraceContext, requirePermission('order:delete'), OrderController.deleteOrder);
+
+// 获取订单列表
+router.get('/', requireTraceContext, requirePermission('order:read'), OrderController.getOrders);
+
+// 批量更新订单
+router.put('/batch', requireTraceContext, requirePermission('order:write'), OrderController.batchUpdateOrders);
+
+// 订单状态流转
+router.post('/:id/status', requireTraceContext, requirePermission('order:write'), OrderController.transitionOrderStatus);
+
+// 批量审核订单
+router.post('/batch/audit', requireTraceContext, requirePermission('order:write'), OrderController.batchAuditOrders);
+
+// 批量发货
+router.post('/batch/ship', requireTraceContext, requirePermission('order:write'), OrderController.batchShipOrders);
+
+// 标记订单为异常
+router.post('/:id/exception', requireTraceContext, requirePermission('order:write'), OrderController.markOrderAsException);
+
+// 自动改派订单
+router.post('/:id/reroute', requireTraceContext, requirePermission('order:write'), OrderController.autoRerouteOrder);
+
+// 重试异常订单
+router.post('/:id/retry', requireTraceContext, requirePermission('order:write'), OrderController.retryExceptionOrder);
+
+// 取消订单
+router.post('/:id/cancel', requireTraceContext, requirePermission('order:write'), OrderController.cancelOrder);
+
+// 申请退款
+router.post('/:id/refund', requireTraceContext, requirePermission('order:write'), OrderController.requestRefund);
+
+// 审批退款
+router.post('/refund/:id/approve', requireTraceContext, requirePermission('order:write'), OrderController.approveRefund);
+
+// 申请售后
+router.post('/:id/after-sales', requireTraceContext, requirePermission('order:write'), OrderController.requestAfterSales);
+
+// 处理售后申请
+router.post('/after-sales/:id/process', requireTraceContext, requirePermission('order:write'), OrderController.processAfterSales);
+
+// 完成订单
+router.post('/:id/complete', requireTraceContext, requirePermission('order:write'), OrderController.completeOrder);
+
+export default router;

server/src/api/routes/product.ts

@@ -0,0 +1,28 @@
+import { Router } from 'express';
+import { TurboGateway } from '../../core/gateway/TurboGateway';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { ProductController } from '../controllers/ProductController';
+
+const router = Router();
+
+// Standard CRUD
+router.get('/', TurboGateway.cache(300), ProductController.getAll);
+
+// Enhanced Crawlful AI functions
+router.post('/autonomous-listing', requireTraceContext, ProductController.startAutonomousListing);
+router.post('/collect-async', requireTraceContext, ProductController.collectAsync);
+router.get('/collect-and-optimize', TurboGateway.throttle(10, 60000), ProductController.collectAndOptimize);
+router.get('/:id/arbitrage-analyze', requireTraceContext, ProductController.analyzeArbitrage);
+router.get('/visual-match', TurboGateway.cache(600), ProductController.findSimilar);
+router.post('/:id/review', requireTraceContext, requirePermission('product:write'), ProductController.approve);
+router.post('/:id/pulse', requireTraceContext, ProductController.checkPulse);
+router.post('/:id/wash', requireTraceContext, requirePermission('product:write'), ProductController.washAndLocalize);
+router.post('/:id/inquiry', requireTraceContext, requirePermission('product:write'), ProductController.generateInquiry);
+router.get('/:id/price-advice', ProductController.getPriceAdvice);
+router.get('/:id', TurboGateway.cache(300), ProductController.getById);
+router.post('/', requireTraceContext, requirePermission('product:write'), ProductController.create);
+router.put('/:id', requireTraceContext, requirePermission('product:write'), ProductController.update);
+router.delete('/:id', requireTraceContext, requirePermission('product:delete'), ProductController.delete);
+
+export default router;

server/src/api/routes/publish.ts

@@ -0,0 +1,17 @@
+import { Router } from 'express';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { PublishController } from '../controllers/PublishController';
+
+const router = Router();
+
+/**
+ * [CORE_INT_03] 商品发布接口
+ */
+router.post('/', requireTraceContext, PublishController.publish);
+
+/**
+ * [CORE_NODE_03] Node Agent 回执接口
+ */
+router.post('/receipt', PublishController.reportReceipt);
+
+export default router;

server/src/api/routes/recommendation.ts

@@ -0,0 +1,105 @@
+import { Router } from 'express';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { RecommendationController } from '../controllers/RecommendationController';
+
+const router = Router();
+
+// 健康检查路由
+router.get('/health', async (req, res) => {
+  const controller = new RecommendationController();
+  const result = await controller.healthCheck();
+  res.json(result);
+});
+
+// 记录用户行为路由（需要权限）
+router.post('/record-behavior', 
+  requireTraceContext,
+  requirePermission('recommendation:record_behavior'),
+  async (req, res) => {
+    const controller = new RecommendationController();
+    const result = await controller.recordUserBehavior(req.body);
+    res.status(result.status === 'error' ? 500 : 200).json(result);
+  }
+);
+
+// 更新商品属性路由
+router.post('/update-item', 
+  requireTraceContext,
+  requirePermission('recommendation:update_item'),
+  async (req, res) => {
+    const controller = new RecommendationController();
+    const result = await controller.updateItemAttributes(req.body);
+    res.status(result.status === 'error' ? 500 : 200).json(result);
+  }
+);
+
+// 获取推荐结果路由
+router.post('/recommendations', 
+  requireTraceContext,
+  requirePermission('recommendation:get_recommendations'),
+  async (req, res) => {
+    const controller = new RecommendationController();
+    const result = await controller.getRecommendations(req.body);
+    res.status(result.status === 'error' ? 500 : 200).json(result);
+  }
+);
+
+// 获取推荐统计路由
+router.get('/stats', 
+  requireTraceContext,
+  requirePermission('recommendation:read_stats'),
+  async (req, res) => {
+    const controller = new RecommendationController();
+    const { tenantId } = req.query;
+    const result = await controller.getRecommendationStats(tenantId as string);
+    res.json(result);
+  }
+);
+
+// 清理缓存路由（仅管理员）
+router.post('/cleanup-cache', 
+  requireTraceContext,
+  requirePermission('recommendation:admin'),
+  async (req, res) => {
+    const controller = new RecommendationController();
+    const result = await controller.cleanupExpiredCache(req.body);
+    res.status(result.status === 'error' ? 500 : 200).json(result);
+  }
+);
+
+// 测试算法路由
+router.post('/test-algorithm', 
+  requireTraceContext,
+  requirePermission('recommendation:test_algorithm'),
+  async (req, res) => {
+    const controller = new RecommendationController();
+    const result = await controller.testAlgorithm(req.body);
+    res.status(result.status === 'error' ? 500 : 200).json(result);
+  }
+);
+
+// 获取算法配置路由
+router.get('/algorithm-config', 
+  requireTraceContext,
+  requirePermission('recommendation:read_config'),
+  async (req, res) => {
+    const controller = new RecommendationController();
+    const { tenantId } = req.query;
+    const result = await controller.getAlgorithmConfig(tenantId as string);
+    res.json(result);
+  }
+);
+
+// 初始化服务路由（仅管理员）
+router.post('/init', 
+  requireTraceContext,
+  requirePermission('recommendation:admin'),
+  async (req, res) => {
+    const controller = new RecommendationController();
+    const result = await controller.initRecommendation();
+    res.status(result.status === 'error' ? 500 : 200).json(result);
+  }
+);
+
+export default router;

server/src/api/routes/report.ts

@@ -0,0 +1,23 @@
+import { Router } from 'express';
+import { ReportController } from '../controllers/ReportController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+
+const router = Router();
+
+/**
+ * [BIZ_REP_01] 全业务多维报表 API
+ */
+
+/**
+ * [FE_FIN_01] 实时 P&L 穿透分析 API
+ */
+router.get('/finance/profit-breakdown', requireTraceContext, requirePermission('finance:read'), ReportController.getProfitBreakdown);
+
+// [CORE_GOV_03] 证据链下钻
+router.get('/evidence/:traceId', requireTraceContext, requirePermission('audit:read'), ReportController.getDetailedEvidence);
+
+// 获取指定类型的报表数据
+router.get('/:type', requireTraceContext, requirePermission('order:read'), ReportController.getReport);
+
+export default router;

server/src/api/routes/sovereignty.ts

@@ -0,0 +1,134 @@
+import { Router } from 'express';
+import { ReputationZKPService } from '../../core/ai/ReputationZKPService';
+import { BehavioralRiskService } from '../../core/governance/BehavioralRiskService';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { DIDHandshakeService } from '../../core/security/DIDHandshakeService';
+import { PrivateAuditService } from '../../core/security/PrivateAuditService';
+import { SovereigntyGovernanceService } from '../../services/SovereigntyGovernanceService';
+import { SovereigntyIdentityService } from '../../services/SovereigntyIdentityService';
+
+const router = Router();
+
+/**
+ * [BIZ_SOV_01] 主权身份管理 (Sovereignty Identity)
+ */
+router.post('/identity/register', requireTraceContext, requirePermission('tenant:admin'), async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    const { identityData } = req.body;
+    const did = await SovereigntyIdentityService.registerIdentity(tenantId, identityData, traceId);
+    res.json({ success: true, data: { did } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+router.get('/identity/status', requireTraceContext, requirePermission('tenant:read'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const identity = await SovereigntyIdentityService.getIdentity(tenantId);
+    res.json({ success: true, data: identity });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [CORE_SEC_16] 基于 DID 的跨租户安全握手 (DID Handshake)
+ */
+router.post('/handshake/initiate', requireTraceContext, requirePermission('tenant:admin'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const { targetTenantId, sourceDid, targetDid } = req.body;
+    const sessionId = await DIDHandshakeService.initiateHandshake({
+      sourceTenantId: tenantId,
+      targetTenantId,
+      sourceDid,
+      targetDid
+    });
+    res.json({ success: true, data: { sessionId } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+router.post('/handshake/verify', requireTraceContext, requirePermission('tenant:admin'), async (req, res) => {
+  try {
+    const { sessionId, proof } = req.body;
+    const isValid = await DIDHandshakeService.verifyHandshake(sessionId, proof);
+    res.json({ success: true, data: { isValid } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_SOV_04] 主权治理与决策审计 (Sovereign Governance)
+ */
+router.post('/governance/propose', requireTraceContext, requirePermission('tenant:admin'), async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    const { proposalType, data } = req.body;
+    const proposalId = await SovereigntyGovernanceService.createProposal(tenantId, proposalType, data, traceId);
+    res.json({ success: true, data: { proposalId } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [CORE_SEC_20] 基于零知识证明的隐私审计 (Private Audit)
+ */
+router.post('/audit/proof/generate', requireTraceContext, requirePermission('audit:write'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const { auditType, sensitiveData } = req.body;
+    const record = await PrivateAuditService.generateAuditProof({
+      tenantId,
+      auditType,
+      sensitiveData
+    });
+    res.json({ success: true, data: record });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+router.post('/audit/proof/verify', requireTraceContext, requirePermission('audit:admin'), async (req, res) => {
+  try {
+    const { verificationHash, auditorId } = req.body;
+    const isValid = await PrivateAuditService.verifyProof(verificationHash, auditorId);
+    res.json({ success: true, data: { isValid } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [SOV_NET_07] 基于 ZKP 的隐私声誉分值证明 (ZKP Reputation)
+ */
+router.post('/reputation/verify', requireTraceContext, requirePermission('tenant:admin'), async (req, res) => {
+  try {
+    const { verificationHash } = req.body;
+    const isValid = await ReputationZKPService.verifyReputationProof(verificationHash);
+    res.json({ success: true, data: { isValid } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_GOV_09] 租户行为风险画像 (Behavioral Risk)
+ */
+router.get('/risk/status', requireTraceContext, requirePermission('audit:read'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const status = await BehavioralRiskService.getRiskStatus(tenantId);
+    res.json({ success: true, data: status });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+export default router;

server/src/api/routes/strategy.ts

@@ -0,0 +1,47 @@
+import { Router } from 'express';
+import { BizStrategyController } from '../controllers/BizStrategyController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+
+const router = Router();
+
+/**
+ * [BIZ_AI_16] 交互式策略建议 (Actionable Insights)
+ */
+router.get('/advice', requireTraceContext, requirePermission('strategy:read'), BizStrategyController.getAdvice);
+router.post('/advice/approve', requireTraceContext, requirePermission('strategy:execute'), BizStrategyController.approveAdvice);
+router.get('/advice/:adviceId/explanation', requireTraceContext, requirePermission('strategy:read'), BizStrategyController.getAdviceExplanation);
+
+/**
+ * [UX_IAT_01] 自治控制中心：停机与模式切换
+ */
+router.post('/kill-switch', requireTraceContext, requirePermission('strategy:kill'), BizStrategyController.toggleKillSwitch);
+router.post('/mode', requireTraceContext, requirePermission('strategy:write'), BizStrategyController.updateAutonomousMode);
+router.get('/status', requireTraceContext, BizStrategyController.getAutonomousStatus);
+
+/**
+ * [FE_SB_01] 策略仿真沙盒 (Sandbox Dashboard)
+ */
+router.post('/sandbox/run', requireTraceContext, requirePermission('strategy:write'), BizStrategyController.runSandboxSimulation);
+router.get('/sandbox/results', requireTraceContext, requirePermission('strategy:read'), BizStrategyController.getSandboxResults);
+
+/**
+ * [BIZ_SC_11] 供应链询盘流 (Semi-Inquiry)
+ */
+router.post('/inquiry/start', requireTraceContext, BizStrategyController.startInquiry);
+router.post('/inquiry/:inquiryId/review', requireTraceContext, BizStrategyController.reviewInquiry);
+router.post('/inquiry/:inquiryId/send', requireTraceContext, BizStrategyController.sendInquiry);
+router.post('/inquiry/:inquiryId/accept', requireTraceContext, BizStrategyController.acceptAndPurchase);
+
+/**
+ * [BIZ_TRADE_02] 多仓库存编排 (Inventory Orchestration)
+ */
+router.get('/inventory/orchestrate', requireTraceContext, BizStrategyController.orchestrateInventory);
+router.post('/inventory/transfer', requireTraceContext, BizStrategyController.approveTransfer);
+
+/**
+ * [BIZ_AIS_01] 独立站套利回流 (Pixel Feedback)
+ */
+router.post('/pixel/event', requireTraceContext, BizStrategyController.collectPixelEvent);
+
+export default router;

server/src/api/routes/sync.ts

@@ -0,0 +1,11 @@
+import { Router } from 'express';
+import { SyncController } from '../controllers/SyncController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+
+const router = Router();
+
+router.post('/report-audit', requireTraceContext, SyncController.reportAudit);
+router.post('/distribute', requireTraceContext, SyncController.distribute);
+router.post('/record-action', requireTraceContext, SyncController.recordAction);
+
+export default router;

server/src/api/routes/telemetry.ts

@@ -0,0 +1,46 @@
+import { Router } from 'express';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { TelemetryController } from '../controllers/TelemetryController';
+
+const router = Router();
+
+/**
+ * [CORE_LOG_03] 语义日志搜索与聚类
+ */
+router.get('/semantic/search', requireTraceContext, requirePermission('audit:read'), TelemetryController.searchSemanticLogs);
+router.get('/semantic/clusters', requireTraceContext, requirePermission('audit:read'), TelemetryController.clusterAnomalyPatterns);
+
+/**
+ * [CORE_TELE_10] & [CORE_TELE_PREDICTIVE_HEALTH] 系统诊断与健康预测
+ */
+router.get('/diagnostics/run', requireTraceContext, requirePermission('admin:all'), TelemetryController.runDiagnostics);
+router.get('/health/prediction', requireTraceContext, requirePermission('admin:all'), TelemetryController.getHealthPrediction);
+router.get('/topology', requireTraceContext, requirePermission('admin:all'), TelemetryController.getNetworkTopology);
+
+/**
+ * [V31.3] 影子测试
+ */
+router.get('/audit/shadow', requireTraceContext, requirePermission('admin:all'), TelemetryController.runShadowAudit);
+
+/**
+ * [CORE_TELE_08] 成本审计
+ */
+router.get('/cost/bill/:tenantId', requireTraceContext, requirePermission('finance:read'), TelemetryController.getApiBill);
+
+/**
+ * [UX_REVIEW_01] 批量建议批复
+ */
+router.post('/suggestions/batch-approve', requireTraceContext, requirePermission('trade:write'), TelemetryController.batchApproveSuggestions);
+
+/**
+ * [BIZ_GOV_05] ROI 看板
+ */
+router.get('/roi/dashboard', requireTraceContext, requirePermission('finance:read'), TelemetryController.getRoiDashboard);
+
+/**
+ * [UX_EXT_19] 插件端异常上报
+ */
+router.post('/anomaly', requireTraceContext, TelemetryController.reportAnomaly);
+
+export default router;

server/src/api/routes/tenant.ts

@@ -0,0 +1,8 @@
+import { Router } from 'express';
+import { TenantController } from '../controllers/TenantController';
+
+const router = Router();
+
+router.get('/', TenantController.getAll);
+
+export default router;

server/src/api/routes/trace.ts

@@ -0,0 +1,19 @@
+import { Router } from 'express';
+import { TraceController } from '../controllers/TraceController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+
+const router = Router();
+
+/**
+ * [CORE_LOG_02] 操作流水线追踪 API
+ */
+router.get('/pipeline/:traceId', requireTraceContext, requirePermission('audit:read'), TraceController.getPipeline);
+router.get('/activities', requireTraceContext, requirePermission('audit:read'), TraceController.getActivities);
+
+/**
+ * [CORE_TELE_01] AI 代理自愈遥测 API
+ */
+router.get('/telemetry/healing', requireTraceContext, requirePermission('audit:read'), TraceController.getTelemetry);
+
+export default router;

server/src/api/routes/trade.ts

@@ -0,0 +1,257 @@
+import { Router } from 'express';
+import { requirePermission } from '../../core/guards/rbac.guard';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { AutonomousSettlementService } from '../../core/pipeline/AutonomousSettlementService';
+import { SourcingRoutingService } from '../../domains/Trade/SourcingRoutingService';
+import { TradeService } from '../../domains/Trade/TradeService';
+import { AutonomousEcoService } from '../../services/AutonomousEcoService';
+import { AutonomousSourcingService } from '../../services/AutonomousSourcingService';
+import { DecentralizedArbitrationService } from '../../services/DecentralizedArbitrationService';
+import { EcoValueSharingService } from '../../services/EcoValueSharingService';
+import { FulfillmentConsensusService } from '../../services/FulfillmentConsensusService';
+import { InventoryService } from '../../services/InventoryService';
+import { SovereigntyReputationService } from '../../services/SovereigntyReputationService';
+import { WarehouseService } from '../../services/WarehouseService';
+
+const router = Router();
+
+/**
+ * [BIZ_SOV_05] 发布匿名声誉评价
+ */
+router.post('/reputation/publish', requireTraceContext, requirePermission('trade:write'), async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    const { targetEntityId, rating, feedback, orderVolume } = req.body;
+
+    await SovereigntyReputationService.publishAnonymousRating(
+      tenantId, targetEntityId, rating, feedback, traceId, orderVolume
+    );
+
+    res.json({ success: true, message: 'Reputation published anonymously' });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_SOV_05] 获取实体声誉报告
+ */
+router.get('/reputation/:entityId/report', requireTraceContext, requirePermission('trade:read'), async (req, res) => {
+  try {
+    const { entityId } = req.params;
+    const report = await SovereigntyReputationService.getReputationReport(entityId);
+    
+    if (!report) {
+      return res.status(404).json({ success: false, error: 'No reputation data found for this entity' });
+    }
+
+    res.json({ success: true, data: report });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_SOV_02] 去中心化贸易纠纷仲裁
+ */
+router.post('/arbitration/start', requireTraceContext, requirePermission('trade:admin'), async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    const { disputeId } = req.body;
+    await DecentralizedArbitrationService.startArbitration(tenantId, disputeId, traceId);
+    res.json({ success: true, message: 'Decentralized arbitration process started' });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+router.get('/arbitration/history', requireTraceContext, requirePermission('trade:read'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const history = await DecentralizedArbitrationService.getArbitrationHistory(tenantId);
+    res.json({ success: true, data: history });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_TRADE_20] 物流履约去中心化共识
+ */
+router.post('/fulfillment/consensus/event', requireTraceContext, requirePermission('trade:write'), async (req, res) => {
+  try {
+    const { traceId } = (req as any).traceContext;
+    const { orderId, nodeId, eventType, signature } = req.body;
+    await FulfillmentConsensusService.registerNodeEvent(orderId, nodeId, eventType, signature, traceId);
+    res.json({ success: true, message: 'Node verification event registered' });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+router.get('/fulfillment/:orderId/consensus', requireTraceContext, requirePermission('trade:read'), async (req, res) => {
+  try {
+    const { orderId } = req.params;
+    const chain = await FulfillmentConsensusService.getConsensusChain(orderId);
+    res.json({ success: true, data: chain });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_SUP_15] 多源供应比价与路由优化 (Sourcing Optimization)
+ */
+router.post('/sourcing/optimize', requireTraceContext, requirePermission('trade:read'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const { productTitle, imageUrl, targetQuantity, maxDays, priority } = req.body;
+
+    const result = await SourcingRoutingService.optimizeSourcing({
+      productTitle,
+      imageUrl,
+      targetQuantity,
+      maxDays,
+      priority,
+      tenantId
+    });
+
+    res.json({ success: true, data: result });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_ECO_03] 自治寻源与自动签约
+ */
+router.post('/sourcing/autonomous/start', requireTraceContext, requirePermission('trade:write'), async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    const { category } = req.body;
+    await AutonomousSourcingService.startSourcing(tenantId, category, traceId);
+    res.json({ success: true, message: 'Autonomous sourcing and contracting triggered' });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+router.get('/sourcing/contracts', requireTraceContext, requirePermission('trade:read'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const contracts = await AutonomousEcoService.getContracts(tenantId);
+    res.json({ success: true, data: contracts });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_ECO_02] 供应商价值共享博弈
+ */
+router.post('/eco/share/calculate', requireTraceContext, requirePermission('trade:admin'), async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    const { supplierId, totalProfit } = req.body;
+    const amount = await EcoValueSharingService.calculateAndShare(tenantId, supplierId, totalProfit, traceId);
+    res.json({ success: true, data: { sharedAmount: amount } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+router.get('/eco/share/history', requireTraceContext, requirePermission('trade:read'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const history = await EcoValueSharingService.getSharingHistory(tenantId);
+    res.json({ success: true, data: report });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_SOV_10] 触发自治结算
+ */
+router.post('/settlement/trigger', requireTraceContext, requirePermission('finance:write'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const { targetTenantId, amount, currency, fulfillmentHash } = req.body;
+    const settlementId = await AutonomousSettlementService.triggerSettlement({
+      sourceTenantId: tenantId, targetTenantId, amount, currency, fulfillmentHash
+    });
+    res.json({ success: true, data: { settlementId } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [CORE_TRADE_01] 获取仓库列表
+ */
+router.get('/warehouses', requireTraceContext, async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const warehouses = await WarehouseService.listWarehouses(tenantId);
+    res.json({ success: true, data: warehouses });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [CORE_TRADE_01] 创建仓库
+ */
+router.post('/warehouses', requireTraceContext, async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const { id, name, type, countryCode, address } = req.body;
+    
+    const warehouseId = await WarehouseService.createWarehouse({
+      id, tenantId, name, type, countryCode, address
+    });
+    
+    res.json({ success: true, data: { warehouseId } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [BIZ_TRADE_02] 创建调拨单
+ */
+router.post('/transfers', requireTraceContext, async (req, res) => {
+  try {
+    const { tenantId, traceId } = (req as any).traceContext;
+    const { productId, skuId, fromWarehouseId, toWarehouseId, quantity } = req.body;
+
+    const transferId = await TradeService.createTransferOrder({
+      tenantId,
+      productId,
+      skuId,
+      fromWarehouseId,
+      toWarehouseId,
+      quantity,
+      traceId
+    });
+
+    res.json({ success: true, data: { transferId } });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+/**
+ * [FE_INV_01] 全球库存分布热力图 API
+ */
+router.get('/inventory/hotmap', requireTraceContext, requirePermission('inventory:read'), async (req, res) => {
+  try {
+    const { tenantId } = (req as any).traceContext;
+    const data = await InventoryService.getInventoryHotmap(tenantId);
+    res.json({ success: true, data });
+  } catch (err: any) {
+    res.status(500).json({ success: false, error: err.message });
+  }
+});
+
+export default router;

server/src/api/routes/vault.ts

@@ -0,0 +1,17 @@
+import { Router } from 'express';
+import { VaultController } from '../controllers/VaultController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+
+const router = Router();
+
+/**
+ * [CORE_SEC_01] 凭证保险库路由
+ * 强制要求 Trace 上下文
+ */
+router.use(requireTraceContext);
+
+router.post('/', VaultController.save);
+router.get('/', VaultController.list);
+router.get('/:id/decrypt', VaultController.decrypt);
+
+export default router;

server/src/api/routes/webhook.ts

@@ -0,0 +1,18 @@
+import { Router } from 'express';
+import { WebhookController } from '../controllers/WebhookController';
+import { requireTraceContext } from '../../core/guards/trace-context.guard';
+import { requirePermission } from '../../core/guards/rbac.guard';
+
+const router = Router();
+
+/**
+ * [BIZ_INT_12] 企业集成网关 - Webhook 配置 API
+ */
+
+// 获取配置 (需要管理权限)
+router.get('/config', requireTraceContext, requirePermission('governance:read'), WebhookController.getConfig);
+
+// 保存配置 (需要管理权限)
+router.post('/config', requireTraceContext, requirePermission('governance:write'), WebhookController.saveConfig);
+
+export default router;