hypercall/rsm/

engine_state_snapshot.rs

//! Persistent engine state snapshots for fast restart recovery.
//!
//! After journal replay the engine writes a snapshot of its core state
//! (orderbooks, counters, expired instruments) to disk. On the next
//! restart the snapshot is loaded first, and only the delta since the
//! snapshot's `last_command_id` needs to be replayed from the journal.
//!
//! **File format**: `[msgpack payload][4-byte CRC32 LE]`
//!
//! **Atomic write**: temp → fsync → rename (same as journal checkpoint writes).

use crate::rsm::engine_deps::EngineCtx;
use crc::{Crc, CRC_32_ISO_HDLC};
use hypercall_journal::checkpoint::WalCheckpointMetadata;
use hypercall_types::{Side, WalletAddress};
use rust_decimal::Decimal;
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::fs::{create_dir_all, OpenOptions};
use std::io::Write;
use std::path::{Path, PathBuf};
use tracing::{info, warn};

const SNAPSHOT_CRC: Crc<u32> = Crc::<u32>::new(&CRC_32_ISO_HDLC);

/// Current snapshot format version.
const SNAPSHOT_VERSION: u32 = 3;
const LEGACY_SNAPSHOT_VERSION_V2: u32 = 2;
const LEGACY_SNAPSHOT_VERSION_V1: u32 = 1;
const LEGACY_BALANCE_UPDATE_SEQ_MIGRATION_EPOCH: u64 = 0;

fn msgpack_array_start(payload: &[u8]) -> Option<(usize, usize)> {
    let marker = *payload.first()?;
    match marker {
        0x90..=0x9f => Some(((marker & 0x0f) as usize, 1)),
        0xdc => {
            let bytes: [u8; 2] = payload.get(1..3)?.try_into().ok()?;
            Some((u16::from_be_bytes(bytes) as usize, 3))
        }
        0xdd => {
            let bytes: [u8; 4] = payload.get(1..5)?.try_into().ok()?;
            Some((u32::from_be_bytes(bytes) as usize, 5))
        }
        _ => None,
    }
}

fn msgpack_map_start(payload: &[u8]) -> Option<(usize, usize)> {
    let marker = *payload.first()?;
    match marker {
        0x80..=0x8f => Some(((marker & 0x0f) as usize, 1)),
        0xde => {
            let bytes: [u8; 2] = payload.get(1..3)?.try_into().ok()?;
            Some((u16::from_be_bytes(bytes) as usize, 3))
        }
        0xdf => {
            let bytes: [u8; 4] = payload.get(1..5)?.try_into().ok()?;
            Some((u32::from_be_bytes(bytes) as usize, 5))
        }
        _ => None,
    }
}

fn msgpack_u32_at(payload: &[u8], offset: usize) -> Option<u32> {
    let marker = *payload.get(offset)?;
    match marker {
        0x00..=0x7f => Some(marker as u32),
        0xcc => Some(*payload.get(offset + 1)? as u32),
        0xcd => {
            let bytes: [u8; 2] = payload.get(offset + 1..offset + 3)?.try_into().ok()?;
            Some(u16::from_be_bytes(bytes) as u32)
        }
        0xce => {
            let bytes: [u8; 4] = payload.get(offset + 1..offset + 5)?.try_into().ok()?;
            Some(u32::from_be_bytes(bytes))
        }
        _ => None,
    }
}

fn msgpack_str_at(payload: &[u8], offset: usize) -> Option<(&str, usize)> {
    let marker = *payload.get(offset)?;
    let (len, start) = match marker {
        0xa0..=0xbf => ((marker & 0x1f) as usize, offset + 1),
        0xd9 => (*payload.get(offset + 1)? as usize, offset + 2),
        0xda => {
            let bytes: [u8; 2] = payload.get(offset + 1..offset + 3)?.try_into().ok()?;
            (u16::from_be_bytes(bytes) as usize, offset + 3)
        }
        0xdb => {
            let bytes: [u8; 4] = payload.get(offset + 1..offset + 5)?.try_into().ok()?;
            (u32::from_be_bytes(bytes) as usize, offset + 5)
        }
        _ => return None,
    };
    let end = start.checked_add(len)?;
    std::str::from_utf8(payload.get(start..end)?)
        .ok()
        .map(|value| (value, end))
}

fn snapshot_payload_version(payload: &[u8]) -> Option<u32> {
    if let Some((len, offset)) = msgpack_array_start(payload) {
        if len == 0 {
            return None;
        }
        return msgpack_u32_at(payload, offset);
    }

    if let Some((len, offset)) = msgpack_map_start(payload) {
        if len == 0 {
            return None;
        }
        if let Some((key, value_offset)) = msgpack_str_at(payload, offset) {
            if key == "version" {
                return msgpack_u32_at(payload, value_offset);
            }
        }
    }

    let value: serde_json::Value = rmp_serde::from_slice(payload).ok()?;
    match value {
        serde_json::Value::Array(fields) => fields.first()?.as_u64()?.try_into().ok(),
        serde_json::Value::Object(fields) => fields.get("version")?.as_u64()?.try_into().ok(),
        _ => None,
    }
}

/// Persistent engine state snapshot for fast restart recovery.
#[derive(Debug, Serialize, Deserialize)]
pub struct EngineStateSnapshot {
    /// Format version for forward compatibility.
    pub version: u32,
    /// Last command ID replicated to Postgres (from checkpoint at write time).
    pub last_command_id: i64,
    /// Last L2 sequence number (from checkpoint at write time).
    pub last_l2_seq: i64,
    /// Next order ID counter.
    pub next_order_id: u64,
    /// Next trade ID counter.
    pub next_trade_id: u64,
    /// Expired instruments map (symbol → expired flag).
    pub expired_instruments: HashMap<String, bool>,
    /// Orderbook orders keyed by symbol.
    pub orderbooks: HashMap<String, Vec<OrderSnapshotEntry>>,
    /// Engine-owned positions (wallet+symbol -> quantity+entry_price).
    #[serde(default)]
    pub engine_positions: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EnginePosition>,
    /// Engine-owned cash balances per wallet.
    pub balance_ledger: HashMap<WalletAddress, rust_decimal::Decimal>,
    /// Last applied canonical balance update sequence.
    pub last_balance_update_seq: u64,
    /// Last applied deposit update per wallet.
    #[serde(default)]
    pub deposit_update_watermarks:
        HashMap<WalletAddress, crate::rsm::engine_deps::DepositUpdateWatermark>,
    /// Agent authorizations: owner wallet → list of (agent wallet, optional expiry ms).
    #[serde(default)]
    pub agent_authorizations: HashMap<WalletAddress, Vec<(WalletAddress, Option<u64>)>>,
    /// Legacy marker retained only so existing snapshots deserialize.
    #[serde(default)]
    pub agent_auth_loaded: bool,
    /// Per-wallet nonce high-water marks for replay protection (legacy format).
    #[serde(default)]
    pub nonce_watermarks: HashMap<WalletAddress, u64>,
    /// Per-signer bounded nonce sets (HL model). Serialized as sorted Vec<u64>.
    #[serde(default)]
    pub nonce_sets: HashMap<WalletAddress, Vec<u64>>,
    /// HyperCore account equity per wallet for PM margin calculations.
    #[serde(default)]
    pub hypercore_account_equity: HashMap<WalletAddress, rust_decimal::Decimal>,
    /// Last applied HyperCore equity update timestamp per wallet.
    #[serde(default)]
    pub hypercore_equity_timestamps: HashMap<WalletAddress, u64>,
    /// HyperCore perp positions per account and coin for PM margin calculations.
    #[serde(default)]
    pub perp_positions: HashMap<(String, String), crate::hypercore::PerpPosition>,
    /// Canonical spot prices used by deterministic margin checks.
    #[serde(default)]
    pub spot_prices: HashMap<String, rust_decimal::Decimal>,
    /// Canonical IV surfaces used by deterministic margin checks.
    #[serde(default)]
    pub iv_surfaces: HashMap<String, VolatilitySurfaceSnapshot>,
    /// Source timestamps for canonical IV surfaces.
    #[serde(default)]
    pub iv_source_timestamps: HashMap<String, i64>,
    /// Per-instrument trading mode.
    #[serde(default)]
    pub instrument_trading_modes: HashMap<String, hypercall_types::TradingModes>,
    /// Engine-owned MMP state per wallet/currency.
    #[serde(default)]
    pub mmp_state: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EngineMmpState>,
    /// Engine-owned liquidation state per wallet.
    #[serde(default)]
    pub liquidation_states: HashMap<WalletAddress, hypercall_types::LiquidationStateType>,
    /// Engine-owned margin mode per wallet.
    #[serde(default)]
    pub wallet_margin_modes: HashMap<WalletAddress, crate::rsm::margin_mode::MarginMode>,
    /// Engine-owned MMP enabled state per wallet/currency.
    #[serde(default)]
    pub mmp_enabled: HashMap<(WalletAddress, String), bool>,
    /// Engine-owned trading limits per wallet.
    #[serde(default)]
    pub wallet_trading_limits: HashMap<WalletAddress, hypercall_types::api_models::TradingLimits>,
    /// Default trading limits used when a wallet has no explicit tier.
    #[serde(default)]
    pub default_trading_limits: hypercall_types::api_models::TradingLimits,
    /// Engine-owned tier name per wallet.
    #[serde(default)]
    pub wallet_tiers: HashMap<WalletAddress, String>,
    /// Canonical next RSM nonce per signer.
    #[serde(default)]
    pub rsm_signer_nonces: HashMap<WalletAddress, u64>,
    /// Applied cash DepositUpdate source event hashes.
    ///
    /// This is intentionally unbounded incident-stabilization state. See
    /// EngineCtx field docs for the replacement plan.
    #[serde(default)]
    pub applied_deposit_source_event_hashes:
        std::collections::BTreeSet<alloy::primitives::FixedBytes<32>>,
    /// Engine-owned PM settlement-pool state. Projection rows are downstream
    /// and must never hydrate this field.
    #[serde(default)]
    pub pm_settlement_state: crate::rsm::portfolio_margin::settlement_state::PmSettlementState,
}

/// Pre-CALL-1707 snapshot layout without `last_balance_update_seq`.
///
/// Temporary legacy migration hook: this is only for environments that still
/// have a v1/v2 snapshot and a hot journal tail that starts after command 1.
/// It must be removed once every deployed environment has written a v3
/// snapshot with canonical balance-update sequence metadata.
#[derive(Debug, Deserialize)]
struct LegacyEngineStateSnapshot {
    version: u32,
    last_command_id: i64,
    last_l2_seq: i64,
    next_order_id: u64,
    next_trade_id: u64,
    expired_instruments: HashMap<String, bool>,
    orderbooks: HashMap<String, Vec<OrderSnapshotEntry>>,
    #[serde(default)]
    engine_positions: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EnginePosition>,
    balance_ledger: HashMap<WalletAddress, rust_decimal::Decimal>,
    #[serde(default)]
    deposit_update_watermarks:
        HashMap<WalletAddress, crate::rsm::engine_deps::DepositUpdateWatermark>,
    #[serde(default)]
    agent_authorizations: HashMap<WalletAddress, Vec<(WalletAddress, Option<u64>)>>,
    #[serde(default)]
    agent_auth_loaded: bool,
    #[serde(default)]
    nonce_watermarks: HashMap<WalletAddress, u64>,
    #[serde(default)]
    nonce_sets: HashMap<WalletAddress, Vec<u64>>,
    #[serde(default)]
    hypercore_account_equity: HashMap<WalletAddress, rust_decimal::Decimal>,
    #[serde(default)]
    hypercore_equity_timestamps: HashMap<WalletAddress, u64>,
    #[serde(default)]
    perp_positions: HashMap<(String, String), crate::hypercore::PerpPosition>,
    #[serde(default)]
    spot_prices: HashMap<String, rust_decimal::Decimal>,
    #[serde(default)]
    iv_surfaces: HashMap<String, VolatilitySurfaceSnapshot>,
    #[serde(default)]
    iv_source_timestamps: HashMap<String, i64>,
    #[serde(default)]
    instrument_trading_modes: HashMap<String, hypercall_types::TradingModes>,
    #[serde(default)]
    mmp_state: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EngineMmpState>,
    #[serde(default)]
    liquidation_states: HashMap<WalletAddress, hypercall_types::LiquidationStateType>,
    #[serde(default)]
    wallet_margin_modes: HashMap<WalletAddress, crate::rsm::margin_mode::MarginMode>,
    #[serde(default)]
    mmp_enabled: HashMap<(WalletAddress, String), bool>,
    #[serde(default)]
    wallet_trading_limits: HashMap<WalletAddress, hypercall_types::api_models::TradingLimits>,
    #[serde(default)]
    default_trading_limits: hypercall_types::api_models::TradingLimits,
    #[serde(default)]
    wallet_tiers: HashMap<WalletAddress, String>,
    #[serde(default)]
    rsm_signer_nonces: HashMap<WalletAddress, u64>,
    #[serde(default)]
    applied_deposit_source_event_hashes:
        std::collections::BTreeSet<alloy::primitives::FixedBytes<32>>,
}

/// Older v2 layout from before snapshot fields were made append-only.
///
/// Temporary legacy migration hook: remove with `LegacyEngineStateSnapshot`
/// after all deployed environments have written v3 snapshots.
#[derive(Debug, Deserialize)]
struct LegacyEngineStateSnapshotPreAppendOnlyV2 {
    version: u32,
    last_command_id: i64,
    last_l2_seq: i64,
    next_order_id: u64,
    next_trade_id: u64,
    expired_instruments: HashMap<String, bool>,
    orderbooks: HashMap<String, Vec<OrderSnapshotEntry>>,
    #[serde(default)]
    engine_positions: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EnginePosition>,
    balance_ledger: HashMap<WalletAddress, rust_decimal::Decimal>,
    #[serde(default)]
    deposit_update_watermarks:
        HashMap<WalletAddress, crate::rsm::engine_deps::DepositUpdateWatermark>,
    #[serde(default)]
    applied_deposit_source_event_hashes:
        std::collections::BTreeSet<alloy::primitives::FixedBytes<32>>,
    #[serde(default)]
    agent_authorizations: HashMap<WalletAddress, Vec<(WalletAddress, Option<u64>)>>,
    #[serde(default)]
    agent_auth_loaded: bool,
    #[serde(default)]
    nonce_watermarks: HashMap<WalletAddress, u64>,
    #[serde(default)]
    nonce_sets: HashMap<WalletAddress, Vec<u64>>,
    #[serde(default)]
    hypercore_account_equity: HashMap<WalletAddress, rust_decimal::Decimal>,
    #[serde(default)]
    hypercore_equity_timestamps: HashMap<WalletAddress, u64>,
    #[serde(default)]
    perp_positions: HashMap<(String, String), crate::hypercore::PerpPosition>,
    #[serde(default)]
    spot_prices: HashMap<String, rust_decimal::Decimal>,
    #[serde(default)]
    iv_surfaces: HashMap<String, VolatilitySurfaceSnapshot>,
    #[serde(default)]
    iv_source_timestamps: HashMap<String, i64>,
    #[serde(default)]
    instrument_trading_modes: HashMap<String, hypercall_types::TradingModes>,
    #[serde(default)]
    mmp_state: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EngineMmpState>,
    #[serde(default)]
    liquidation_states: HashMap<WalletAddress, hypercall_types::LiquidationStateType>,
    #[serde(default)]
    wallet_margin_modes: HashMap<WalletAddress, crate::rsm::margin_mode::MarginMode>,
    #[serde(default)]
    mmp_enabled: HashMap<(WalletAddress, String), bool>,
    #[serde(default)]
    wallet_trading_limits: HashMap<WalletAddress, hypercall_types::api_models::TradingLimits>,
    #[serde(default)]
    default_trading_limits: hypercall_types::api_models::TradingLimits,
    #[serde(default)]
    wallet_tiers: HashMap<WalletAddress, String>,
    #[serde(default)]
    rsm_signer_nonces: HashMap<WalletAddress, u64>,
}

impl From<LegacyEngineStateSnapshotPreAppendOnlyV2> for LegacyEngineStateSnapshot {
    fn from(snapshot: LegacyEngineStateSnapshotPreAppendOnlyV2) -> Self {
        Self {
            version: snapshot.version,
            last_command_id: snapshot.last_command_id,
            last_l2_seq: snapshot.last_l2_seq,
            next_order_id: snapshot.next_order_id,
            next_trade_id: snapshot.next_trade_id,
            expired_instruments: snapshot.expired_instruments,
            orderbooks: snapshot.orderbooks,
            engine_positions: snapshot.engine_positions,
            balance_ledger: snapshot.balance_ledger,
            deposit_update_watermarks: snapshot.deposit_update_watermarks,
            agent_authorizations: snapshot.agent_authorizations,
            agent_auth_loaded: snapshot.agent_auth_loaded,
            nonce_watermarks: snapshot.nonce_watermarks,
            nonce_sets: snapshot.nonce_sets,
            hypercore_account_equity: snapshot.hypercore_account_equity,
            hypercore_equity_timestamps: snapshot.hypercore_equity_timestamps,
            perp_positions: snapshot.perp_positions,
            spot_prices: snapshot.spot_prices,
            iv_surfaces: snapshot.iv_surfaces,
            iv_source_timestamps: snapshot.iv_source_timestamps,
            instrument_trading_modes: snapshot.instrument_trading_modes,
            mmp_state: snapshot.mmp_state,
            liquidation_states: snapshot.liquidation_states,
            wallet_margin_modes: snapshot.wallet_margin_modes,
            mmp_enabled: snapshot.mmp_enabled,
            wallet_trading_limits: snapshot.wallet_trading_limits,
            default_trading_limits: snapshot.default_trading_limits,
            wallet_tiers: snapshot.wallet_tiers,
            rsm_signer_nonces: snapshot.rsm_signer_nonces,
            applied_deposit_source_event_hashes: snapshot.applied_deposit_source_event_hashes,
        }
    }
}

impl LegacyEngineStateSnapshot {
    fn into_migration_snapshot(mut self, path: &Path) -> EngineStateSnapshot {
        let missing_hypercore_equity_watermarks: Vec<WalletAddress> = self
            .hypercore_account_equity
            .keys()
            .filter(|wallet| !self.hypercore_equity_timestamps.contains_key(wallet))
            .copied()
            .collect();
        if !missing_hypercore_equity_watermarks.is_empty() {
            warn!(
                snapshot_path = %path.display(),
                missing_watermark_count = missing_hypercore_equity_watermarks.len(),
                "Legacy engine snapshot has HyperCore equity without timestamp watermarks; seeding zero watermarks for one-time v3 migration replay"
            );
            for wallet in missing_hypercore_equity_watermarks {
                self.hypercore_equity_timestamps.insert(wallet, 0);
            }
        }

        EngineStateSnapshot {
            version: SNAPSHOT_VERSION,
            last_command_id: self.last_command_id,
            last_l2_seq: self.last_l2_seq,
            next_order_id: self.next_order_id,
            next_trade_id: self.next_trade_id,
            expired_instruments: self.expired_instruments,
            orderbooks: self.orderbooks,
            engine_positions: self.engine_positions,
            balance_ledger: self.balance_ledger,
            last_balance_update_seq: LEGACY_BALANCE_UPDATE_SEQ_MIGRATION_EPOCH,
            deposit_update_watermarks: self.deposit_update_watermarks,
            agent_authorizations: self.agent_authorizations,
            agent_auth_loaded: self.agent_auth_loaded,
            nonce_watermarks: self.nonce_watermarks,
            nonce_sets: self.nonce_sets,
            hypercore_account_equity: self.hypercore_account_equity,
            hypercore_equity_timestamps: self.hypercore_equity_timestamps,
            perp_positions: self.perp_positions,
            spot_prices: self.spot_prices,
            iv_surfaces: self.iv_surfaces,
            iv_source_timestamps: self.iv_source_timestamps,
            instrument_trading_modes: self.instrument_trading_modes,
            mmp_state: self.mmp_state,
            liquidation_states: self.liquidation_states,
            wallet_margin_modes: self.wallet_margin_modes,
            mmp_enabled: self.mmp_enabled,
            wallet_trading_limits: self.wallet_trading_limits,
            default_trading_limits: self.default_trading_limits,
            wallet_tiers: self.wallet_tiers,
            rsm_signer_nonces: self.rsm_signer_nonces,
            applied_deposit_source_event_hashes: self.applied_deposit_source_event_hashes,
            pm_settlement_state:
                crate::rsm::portfolio_margin::settlement_state::PmSettlementState::default(),
        }
    }
}

fn decode_legacy_engine_state_snapshot(
    payload: &[u8],
    path: &Path,
) -> Result<(LegacyEngineStateSnapshot, &'static str), String> {
    match rmp_serde::from_slice::<LegacyEngineStateSnapshot>(payload) {
        Ok(snapshot) => Ok((snapshot, "append-only-v1-v2")),
        Err(append_only_error) => {
            let pre_append_snapshot =
                rmp_serde::from_slice::<LegacyEngineStateSnapshotPreAppendOnlyV2>(payload)
                    .map_err(|pre_append_error| {
                        format!(
                            "failed to deserialize legacy snapshot {} for CALL-1707 migration replay; append-only layout error: {}; pre-append-only v2 layout error: {}",
                            path.display(),
                            append_only_error,
                            pre_append_error,
                        )
                    })?;
            Ok((pre_append_snapshot.into(), "pre-append-only-v2"))
        }
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct VolatilitySurfaceSnapshot {
    #[serde(default)]
    pub strike_points: Vec<crate::vol_oracle::vol_surface_cache::VolPoint>,
    #[serde(default)]
    pub atm_vols: Vec<(i64, f64)>,
    #[serde(default)]
    pub delta_curves: Vec<crate::vol_oracle::vol_surface_cache::DeltaCurveExport>,
}

impl From<&crate::vol_oracle::vol_surface_cache::VolatilitySurface> for VolatilitySurfaceSnapshot {
    fn from(surface: &crate::vol_oracle::vol_surface_cache::VolatilitySurface) -> Self {
        Self {
            strike_points: surface.export_all_points(),
            atm_vols: surface.export_atm_vols(),
            delta_curves: surface.export_delta_curves(),
        }
    }
}

impl VolatilitySurfaceSnapshot {
    pub fn into_surface(self) -> crate::vol_oracle::vol_surface_cache::VolatilitySurface {
        let mut surface = crate::vol_oracle::vol_surface_cache::VolatilitySurface::new();
        for point in self.strike_points {
            surface.insert(point.strike, point.expiry, point.iv);
        }
        for (expiry, iv) in self.atm_vols {
            surface.set_atm_vol(expiry, iv);
        }
        for curve in self.delta_curves {
            for point in curve.points {
                surface.set_delta_iv(curve.expiry, point.delta, point.iv);
            }
        }
        surface
    }
}

/// A single order in the snapshot, matching `OrderBook::get_all_orders()` output.
///
/// New fields use `#[serde(default)]` for backwards compatibility: old snapshots
/// without these fields will deserialize with `None`/`false`/`None` defaults.
#[derive(Debug, Serialize, Deserialize)]
pub struct OrderSnapshotEntry {
    pub order_id: u64,
    pub price: Decimal,
    pub quantity: Decimal,
    pub side: Side,
    pub wallet: WalletAddress,
    pub timestamp: u64,
    /// Client ID (e.g. "cli_123" for MM orders). Absent in old snapshots.
    #[serde(default)]
    pub client_id: Option<String>,
    /// Whether MMP (market-maker protection) is enabled. Absent in old snapshots.
    #[serde(default)]
    pub mmp_enabled: bool,
    /// Original order size at placement time. `None` in old snapshots means
    /// fall back to `quantity` (remaining size) as a best-effort default.
    #[serde(default)]
    pub original_size: Option<Decimal>,
}

/// Derive the snapshot file path from the WAL path.
pub fn snapshot_path_from_wal_path(wal_path: &Path) -> PathBuf {
    let mut os = wal_path.as_os_str().to_os_string();
    os.push(".engine_snapshot");
    PathBuf::from(os)
}

/// Build a snapshot from current engine state, tagged with the checkpoint boundary.
///
/// **Critical**: `last_command_id` and `last_l2_seq` come from the WAL checkpoint
/// (the Postgres-replicated boundary), NOT from the live engine. This ensures
/// that delta replay on the next restart queries Postgres starting from a point
/// where all commands have been replicated.
pub fn build_snapshot(ctx: &EngineCtx, checkpoint: &WalCheckpointMetadata) -> EngineStateSnapshot {
    let mut orderbooks = HashMap::new();
    let mut total_orders = 0u64;

    for (symbol, orderbook) in &ctx.orderbooks {
        let all_orders = orderbook.get_all_orders();
        let entries: Vec<OrderSnapshotEntry> = all_orders
            .into_iter()
            .map(|r| OrderSnapshotEntry {
                order_id: r.order_id,
                price: r.price,
                quantity: r.quantity,
                side: r.side,
                wallet: r.wallet,
                timestamp: r.timestamp,
                client_id: r.client_id,
                mmp_enabled: r.mmp_enabled,
                original_size: Some(r.original_size),
            })
            .collect();
        total_orders += entries.len() as u64;
        orderbooks.insert(symbol.clone(), entries);
    }

    info!(
        "Built engine state snapshot: last_command_id={}, last_l2_seq={}, \
         next_order_id={}, next_trade_id={}, orderbooks={}, orders={}",
        checkpoint.last_command_id,
        checkpoint.last_l2_seq,
        ctx.next_order_id,
        ctx.next_trade_id,
        orderbooks.len(),
        total_orders,
    );

    let agent_authorizations: HashMap<WalletAddress, Vec<(WalletAddress, Option<u64>)>> = ctx
        .agent_authorizations
        .iter()
        .map(|(wallet, agents)| {
            let mut sorted: Vec<(WalletAddress, Option<u64>)> =
                agents.iter().map(|(a, e)| (*a, *e)).collect();
            sorted.sort_by_key(|(a, _)| *a);
            (*wallet, sorted)
        })
        .collect();

    if let Some(wallet) = ctx
        .deps
        .hypercore_account_equity
        .keys()
        .find(|wallet| !ctx.deps.hypercore_equity_timestamps.contains_key(wallet))
    {
        panic!(
            "build_snapshot refusing to serialize hypercore_account_equity without \
             hypercore_equity_timestamps for wallet {}; read_snapshot enforces the same invariant",
            wallet
        );
    }

    EngineStateSnapshot {
        version: SNAPSHOT_VERSION,
        last_command_id: checkpoint.last_command_id,
        last_l2_seq: checkpoint.last_l2_seq,
        next_order_id: ctx.next_order_id,
        next_trade_id: ctx.next_trade_id,
        expired_instruments: ctx.expired_instruments.clone(),
        spot_prices: ctx.spot_prices.clone(),
        iv_surfaces: ctx
            .iv_surfaces
            .iter()
            .map(|(underlying, surface)| (underlying.clone(), surface.into()))
            .collect(),
        iv_source_timestamps: ctx.iv_source_timestamps.clone(),
        instrument_trading_modes: ctx.instrument_trading_modes.clone(),
        orderbooks,
        engine_positions: ctx.engine_positions.clone(),
        mmp_state: ctx.mmp_state.clone(),
        liquidation_states: ctx.deps.liquidation_states.clone(),
        wallet_margin_modes: ctx.deps.wallet_margin_modes.clone(),
        mmp_enabled: ctx.deps.mmp_enabled.clone(),
        wallet_trading_limits: ctx.deps.wallet_trading_limits.clone(),
        default_trading_limits: ctx.deps.default_trading_limits,
        wallet_tiers: ctx.deps.wallet_tiers.clone(),
        balance_ledger: ctx.balance_ledger.snapshot_map(),
        last_balance_update_seq: ctx.balance_ledger.last_balance_update_seq(),
        deposit_update_watermarks: ctx.deposit_update_watermarks.clone(),
        applied_deposit_source_event_hashes: ctx.applied_deposit_source_event_hashes.clone(),
        pm_settlement_state: ctx.pm_settlement_state.clone(),
        agent_authorizations,
        agent_auth_loaded: true,
        nonce_watermarks: HashMap::new(),
        nonce_sets: {
            let now_ms = std::time::SystemTime::now()
                .duration_since(std::time::UNIX_EPOCH)
                .map(|d| d.as_millis() as u64)
                .unwrap_or(0);
            ctx.nonce_sets
                .iter()
                .filter_map(|(signer, set)| {
                    let mut pruned = set.clone();
                    pruned.purge_expired(now_ms);
                    if pruned.count() > 0 {
                        Some((*signer, pruned.to_vec()))
                    } else {
                        None
                    }
                })
                .collect()
        },
        rsm_signer_nonces: ctx.rsm_signer_nonces.clone(),
        hypercore_account_equity: ctx.deps.hypercore_account_equity.clone(),
        hypercore_equity_timestamps: ctx.deps.hypercore_equity_timestamps.clone(),
        perp_positions: ctx.deps.perp_positions.clone(),
    }
}

/// Write a snapshot atomically: temp → fsync → rename → dir sync.
pub fn write_snapshot(path: &Path, snapshot: &EngineStateSnapshot) -> Result<(), String> {
    if let Some(parent) = path.parent() {
        if !parent.as_os_str().is_empty() {
            create_dir_all(parent).map_err(|e| {
                format!(
                    "failed to create snapshot directory {}: {}",
                    parent.display(),
                    e
                )
            })?;
        }
    }

    let mut tmp_os = path.as_os_str().to_os_string();
    tmp_os.push(".tmp");
    let tmp_path = PathBuf::from(tmp_os);

    #[cfg(unix)]
    let mut file = {
        use std::os::unix::fs::OpenOptionsExt;
        OpenOptions::new()
            .create(true)
            .truncate(true)
            .write(true)
            .mode(0o600)
            .open(&tmp_path)
            .map_err(|e| format!("failed to open snapshot temp {}: {}", tmp_path.display(), e))?
    };
    #[cfg(not(unix))]
    let mut file = OpenOptions::new()
        .create(true)
        .truncate(true)
        .write(true)
        .open(&tmp_path)
        .map_err(|e| format!("failed to open snapshot temp {}: {}", tmp_path.display(), e))?;

    let payload =
        rmp_serde::to_vec(snapshot).map_err(|e| format!("failed to serialize snapshot: {}", e))?;

    let crc = SNAPSHOT_CRC.checksum(&payload);

    file.write_all(&payload).map_err(|e| {
        format!(
            "failed to write snapshot temp {}: {}",
            tmp_path.display(),
            e
        )
    })?;
    file.write_all(&crc.to_le_bytes())
        .map_err(|e| format!("failed to write snapshot CRC {}: {}", tmp_path.display(), e))?;
    file.sync_data()
        .map_err(|e| format!("failed to sync snapshot temp {}: {}", tmp_path.display(), e))?;

    std::fs::rename(&tmp_path, path).map_err(|e| {
        format!(
            "failed to atomically replace snapshot {} with {}: {}",
            path.display(),
            tmp_path.display(),
            e
        )
    })?;

    #[cfg(unix)]
    {
        let parent = path.parent().ok_or_else(|| {
            format!(
                "snapshot {} has no parent directory to sync",
                path.display()
            )
        })?;
        let parent = if parent.as_os_str().is_empty() {
            Path::new(".")
        } else {
            parent
        };

        OpenOptions::new()
            .read(true)
            .open(parent)
            .and_then(|dir| dir.sync_all())
            .map_err(|e| {
                format!(
                    "failed to sync snapshot directory {}: {}",
                    parent.display(),
                    e
                )
            })?;
    }

    Ok(())
}

/// Read a snapshot from disk with CRC32 integrity verification.
///
/// Returns `Ok(None)` if the file does not exist.
/// Returns `Err` if the file exists but is corrupt or has an unsupported version.
pub fn read_snapshot(path: &Path) -> Result<Option<EngineStateSnapshot>, String> {
    if !path.exists() {
        return Ok(None);
    }

    let data = std::fs::read(path)
        .map_err(|e| format!("failed to read snapshot {}: {}", path.display(), e))?;

    if data.len() < 4 {
        return Err(format!(
            "snapshot {} too small ({} bytes, need at least 4 for CRC)",
            path.display(),
            data.len()
        ));
    }

    let (payload, crc_bytes) = data.split_at(data.len() - 4);
    let stored_crc = u32::from_le_bytes(
        crc_bytes
            .try_into()
            .map_err(|_| format!("snapshot {} CRC slice length mismatch", path.display()))?,
    );
    let computed_crc = SNAPSHOT_CRC.checksum(payload);

    if stored_crc != computed_crc {
        return Err(format!(
            "snapshot {} CRC mismatch: stored={:#010x}, computed={:#010x}",
            path.display(),
            stored_crc,
            computed_crc
        ));
    }

    let payload_version = snapshot_payload_version(payload);
    match payload_version {
        Some(LEGACY_SNAPSHOT_VERSION_V2 | LEGACY_SNAPSHOT_VERSION_V1) => {
            let (legacy, legacy_layout) = decode_legacy_engine_state_snapshot(payload, path)?;
            if !matches!(
                legacy.version,
                LEGACY_SNAPSHOT_VERSION_V2 | LEGACY_SNAPSHOT_VERSION_V1
            ) {
                return Err(format!(
                    "snapshot {} payload version probe returned {}, but decoded legacy version was {}",
                    path.display(),
                    payload_version.expect("legacy version branch has a version"),
                    legacy.version
                ));
            }
            info!(
                snapshot_path = %path.display(),
                legacy_version = legacy.version,
                legacy_layout = legacy_layout,
                legacy_last_command_id = legacy.last_command_id,
                balance_update_seq = LEGACY_BALANCE_UPDATE_SEQ_MIGRATION_EPOCH,
                "Restoring legacy engine snapshot as temporary CALL-1707 migration base; WAL tail replay will rebuild canonical balance-update sequence state"
            );
            return Ok(Some(legacy.into_migration_snapshot(path)));
        }
        Some(SNAPSHOT_VERSION) | None => {}
        Some(unsupported) => {
            return Err(format!(
                "snapshot {} has unsupported version {} (expected {})",
                path.display(),
                unsupported,
                SNAPSHOT_VERSION,
            ));
        }
    }
    if payload_version.is_none() && msgpack_map_start(payload).is_some() {
        info!(
            snapshot_path = %path.display(),
            "Ignoring legacy map-shaped engine snapshot without readable version metadata; WAL replay will rebuild engine state"
        );
        // Temporary CALL-1707 legacy hook: map-shaped artifacts without a
        // readable version cannot be migrated with a trustworthy replay
        // watermark. Treat them as absent and let the existing hot-journal
        // coverage gate decide whether full WAL rebuild is safe. Remove this
        // after every deployed environment has written a v3 snapshot.
        return Ok(None);
    }

    let snapshot: EngineStateSnapshot = rmp_serde::from_slice(payload)
        .map_err(|e| format!("failed to deserialize snapshot {}: {}", path.display(), e))?;

    match snapshot.version {
        SNAPSHOT_VERSION => {}
        unsupported => {
            return Err(format!(
                "snapshot {} has unsupported version {} (expected {})",
                path.display(),
                unsupported,
                SNAPSHOT_VERSION,
            ));
        }
    }

    if snapshot.version == SNAPSHOT_VERSION {
        let missing_hypercore_equity_watermarks = snapshot
            .hypercore_account_equity
            .keys()
            .filter(|wallet| !snapshot.hypercore_equity_timestamps.contains_key(wallet))
            .count();
        if missing_hypercore_equity_watermarks > 0 {
            return Err(format!(
                "snapshot {} has {} HyperCore equity entries without timestamp watermarks",
                path.display(),
                missing_hypercore_equity_watermarks
            ));
        }
    }

    Ok(Some(snapshot))
}

/// Count total orders across all orderbooks in a snapshot.
pub fn snapshot_order_count(snapshot: &EngineStateSnapshot) -> usize {
    snapshot.orderbooks.values().map(|v| v.len()).sum()
}

#[cfg(test)]
mod tests {
    use super::*;

    fn make_test_snapshot() -> EngineStateSnapshot {
        let mut orderbooks = HashMap::new();
        orderbooks.insert(
            "ETH-20260131-4000-C".to_string(),
            vec![
                OrderSnapshotEntry {
                    order_id: 1,
                    price: Decimal::new(1000, 1),  // 100.0
                    quantity: Decimal::new(50, 1), // 5.0
                    side: Side::Buy,
                    wallet: WalletAddress::from(alloy::primitives::Address::repeat_byte(1)),
                    timestamp: 1000,
                    client_id: None,
                    mmp_enabled: false,
                    original_size: None,
                },
                OrderSnapshotEntry {
                    order_id: 2,
                    price: Decimal::new(1100, 1),  // 110.0
                    quantity: Decimal::new(30, 1), // 3.0
                    side: Side::Sell,
                    wallet: WalletAddress::from(alloy::primitives::Address::repeat_byte(2)),
                    timestamp: 2000,
                    client_id: None,
                    mmp_enabled: false,
                    original_size: None,
                },
            ],
        );

        let mut expired = HashMap::new();
        expired.insert("ETH-20250101-3000-C".to_string(), true);

        EngineStateSnapshot {
            version: SNAPSHOT_VERSION,
            last_command_id: 42,
            last_l2_seq: 99,
            next_order_id: 100,
            next_trade_id: 50,
            expired_instruments: expired,
            spot_prices: HashMap::new(),
            iv_surfaces: HashMap::new(),
            iv_source_timestamps: HashMap::new(),
            instrument_trading_modes: HashMap::new(),
            orderbooks,
            engine_positions: HashMap::new(),
            mmp_state: HashMap::new(),
            liquidation_states: HashMap::new(),
            wallet_margin_modes: HashMap::new(),
            mmp_enabled: HashMap::new(),
            wallet_trading_limits: HashMap::new(),
            default_trading_limits: hypercall_types::api_models::TradingLimits::default(),
            wallet_tiers: HashMap::new(),
            balance_ledger: HashMap::new(),
            last_balance_update_seq: 0,
            deposit_update_watermarks: HashMap::new(),
            applied_deposit_source_event_hashes: std::collections::BTreeSet::new(),
            pm_settlement_state:
                crate::rsm::portfolio_margin::settlement_state::PmSettlementState::default(),
            agent_authorizations: HashMap::new(),
            agent_auth_loaded: false,
            nonce_watermarks: HashMap::new(),
            nonce_sets: HashMap::new(),
            rsm_signer_nonces: HashMap::new(),
            hypercore_account_equity: HashMap::new(),
            hypercore_equity_timestamps: HashMap::new(),
            perp_positions: HashMap::new(),
        }
    }

    #[test]
    fn snapshot_roundtrip() {
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir.path().join("test.engine_snapshot");
        let snapshot = make_test_snapshot();

        write_snapshot(&path, &snapshot).expect("write snapshot");
        let loaded = read_snapshot(&path)
            .expect("read snapshot")
            .expect("snapshot should exist");

        assert_eq!(loaded.version, SNAPSHOT_VERSION);
        assert_eq!(loaded.last_command_id, 42);
        assert_eq!(loaded.last_l2_seq, 99);
        assert_eq!(loaded.next_order_id, 100);
        assert_eq!(loaded.next_trade_id, 50);
        assert_eq!(loaded.expired_instruments.len(), 1);
        assert_eq!(
            loaded.expired_instruments.get("ETH-20250101-3000-C"),
            Some(&true)
        );

        let orders = loaded
            .orderbooks
            .get("ETH-20260131-4000-C")
            .expect("should have orderbook");
        assert_eq!(orders.len(), 2);
        assert_eq!(orders[0].order_id, 1);
        assert_eq!(orders[1].order_id, 2);
    }

    #[test]
    fn snapshot_missing_returns_none() {
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir.path().join("missing.engine_snapshot");
        assert!(read_snapshot(&path).expect("should not error").is_none());
    }

    #[test]
    fn snapshot_corrupt_crc_returns_err() {
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir.path().join("corrupt.engine_snapshot");
        let snapshot = make_test_snapshot();

        write_snapshot(&path, &snapshot).expect("write snapshot");

        // Corrupt one byte in the payload
        let mut data = std::fs::read(&path).unwrap();
        if data.len() > 4 {
            data[0] ^= 0xFF;
        }
        std::fs::write(&path, &data).unwrap();

        let err = read_snapshot(&path).expect_err("should detect corruption");
        assert!(err.contains("CRC mismatch"), "unexpected error: {}", err);
    }

    #[test]
    fn snapshot_too_small_returns_err() {
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir.path().join("tiny.engine_snapshot");
        std::fs::write(&path, b"ab").unwrap();

        let err = read_snapshot(&path).expect_err("should reject too-small file");
        assert!(err.contains("too small"), "unexpected error: {}", err);
    }

    #[test]
    fn snapshot_path_from_wal_path_appends_suffix() {
        let wal = PathBuf::from("/data/engine-journal.wal");
        let snap = snapshot_path_from_wal_path(&wal);
        assert_eq!(
            snap,
            PathBuf::from("/data/engine-journal.wal.engine_snapshot")
        );
    }

    #[test]
    fn snapshot_order_count_works() {
        let snapshot = make_test_snapshot();
        assert_eq!(snapshot_order_count(&snapshot), 2);
    }

    #[test]
    fn snapshot_metadata_roundtrip() {
        // Snapshot with metadata populated should preserve it across write/read.
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir.path().join("meta.engine_snapshot");

        let mut orderbooks = HashMap::new();
        orderbooks.insert(
            "BTC-20260311-90000-C".to_string(),
            vec![
                OrderSnapshotEntry {
                    order_id: 10,
                    price: Decimal::new(5000, 0),
                    quantity: Decimal::new(3, 0),
                    side: Side::Sell,
                    wallet: WalletAddress::from(alloy::primitives::Address::repeat_byte(0xAA)),
                    timestamp: 9999,
                    client_id: Some("cli_42".to_string()),
                    mmp_enabled: true,
                    original_size: Some(Decimal::new(10, 0)),
                },
                OrderSnapshotEntry {
                    order_id: 11,
                    price: Decimal::new(4500, 0),
                    quantity: Decimal::new(7, 0),
                    side: Side::Buy,
                    wallet: WalletAddress::from(alloy::primitives::Address::repeat_byte(0xBB)),
                    timestamp: 10000,
                    client_id: None, // FE order — no client_id
                    mmp_enabled: false,
                    original_size: Some(Decimal::new(7, 0)),
                },
            ],
        );

        let snapshot = EngineStateSnapshot {
            version: SNAPSHOT_VERSION,
            last_command_id: 100,
            last_l2_seq: 200,
            next_order_id: 500,
            next_trade_id: 300,
            expired_instruments: HashMap::new(),
            spot_prices: HashMap::new(),
            iv_surfaces: HashMap::new(),
            iv_source_timestamps: HashMap::new(),
            instrument_trading_modes: HashMap::new(),
            orderbooks,
            engine_positions: HashMap::new(),
            mmp_state: HashMap::new(),
            liquidation_states: HashMap::new(),
            wallet_margin_modes: HashMap::new(),
            mmp_enabled: HashMap::new(),
            wallet_trading_limits: HashMap::new(),
            default_trading_limits: hypercall_types::api_models::TradingLimits::default(),
            wallet_tiers: HashMap::new(),
            balance_ledger: HashMap::new(),
            last_balance_update_seq: 0,
            deposit_update_watermarks: HashMap::new(),
            applied_deposit_source_event_hashes: std::collections::BTreeSet::new(),
            pm_settlement_state:
                crate::rsm::portfolio_margin::settlement_state::PmSettlementState::default(),
            agent_authorizations: HashMap::new(),
            agent_auth_loaded: false,
            nonce_watermarks: HashMap::new(),
            nonce_sets: HashMap::new(),
            rsm_signer_nonces: HashMap::new(),
            hypercore_account_equity: HashMap::new(),
            hypercore_equity_timestamps: HashMap::new(),
            perp_positions: HashMap::new(),
        };

        write_snapshot(&path, &snapshot).expect("write");
        let loaded = read_snapshot(&path).expect("read").expect("exists");

        let orders = loaded
            .orderbooks
            .get("BTC-20260311-90000-C")
            .expect("orderbook");
        assert_eq!(orders.len(), 2);

        // MM order: metadata preserved
        assert_eq!(orders[0].client_id, Some("cli_42".to_string()));
        assert!(orders[0].mmp_enabled);
        assert_eq!(orders[0].original_size, Some(Decimal::new(10, 0)));

        // FE order: no client_id
        assert_eq!(orders[1].client_id, None);
        assert!(!orders[1].mmp_enabled);
        assert_eq!(orders[1].original_size, Some(Decimal::new(7, 0)));
    }

    /// Legacy snapshot entry WITHOUT the new metadata fields.
    /// Used to produce a truly old-format payload for backwards compat testing.
    #[derive(Debug, Serialize)]
    struct LegacyOrderSnapshotEntry {
        order_id: u64,
        price: Decimal,
        quantity: Decimal,
        side: Side,
        wallet: WalletAddress,
        timestamp: u64,
    }

    #[derive(Debug, Serialize)]
    struct MinimalLegacyEngineStateSnapshot {
        version: u32,
        last_command_id: i64,
        last_l2_seq: i64,
        next_order_id: u64,
        next_trade_id: u64,
        expired_instruments: HashMap<String, bool>,
        orderbooks: HashMap<String, Vec<LegacyOrderSnapshotEntry>>,
        engine_positions: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EnginePosition>,
        balance_ledger: HashMap<WalletAddress, Decimal>,
    }

    #[derive(Debug, Serialize)]
    struct MissingBalanceLedgerSnapshot {
        version: u32,
        last_command_id: i64,
        last_l2_seq: i64,
        next_order_id: u64,
        next_trade_id: u64,
        expired_instruments: HashMap<String, bool>,
        orderbooks: HashMap<String, Vec<LegacyOrderSnapshotEntry>>,
        engine_positions: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EnginePosition>,
        last_balance_update_seq: u64,
    }

    #[derive(Debug, Serialize)]
    struct SnapshotBeforeDepositSourceHashField {
        version: u32,
        last_command_id: i64,
        last_l2_seq: i64,
        next_order_id: u64,
        next_trade_id: u64,
        expired_instruments: HashMap<String, bool>,
        orderbooks: HashMap<String, Vec<LegacyOrderSnapshotEntry>>,
        engine_positions: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EnginePosition>,
        balance_ledger: HashMap<WalletAddress, Decimal>,
        last_balance_update_seq: u64,
        deposit_update_watermarks:
            HashMap<WalletAddress, crate::rsm::engine_deps::DepositUpdateWatermark>,
        agent_authorizations: HashMap<WalletAddress, Vec<(WalletAddress, Option<u64>)>>,
        agent_auth_loaded: bool,
        nonce_watermarks: HashMap<WalletAddress, u64>,
        nonce_sets: HashMap<WalletAddress, Vec<u64>>,
        hypercore_account_equity: HashMap<WalletAddress, Decimal>,
        hypercore_equity_timestamps: HashMap<WalletAddress, u64>,
        perp_positions: HashMap<(String, String), crate::hypercore::PerpPosition>,
        spot_prices: HashMap<String, Decimal>,
        iv_surfaces: HashMap<String, VolatilitySurfaceSnapshot>,
        iv_source_timestamps: HashMap<String, i64>,
        instrument_trading_modes: HashMap<String, hypercall_types::TradingModes>,
        mmp_state: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EngineMmpState>,
        liquidation_states: HashMap<WalletAddress, hypercall_types::LiquidationStateType>,
        wallet_margin_modes: HashMap<WalletAddress, crate::rsm::margin_mode::MarginMode>,
        mmp_enabled: HashMap<(WalletAddress, String), bool>,
        wallet_trading_limits: HashMap<WalletAddress, hypercall_types::api_models::TradingLimits>,
        default_trading_limits: hypercall_types::api_models::TradingLimits,
        wallet_tiers: HashMap<WalletAddress, String>,
        rsm_signer_nonces: HashMap<WalletAddress, u64>,
    }

    #[derive(Debug, Serialize)]
    struct LegacyV2SnapshotPreAppendOnlySourceHashes {
        version: u32,
        last_command_id: i64,
        last_l2_seq: i64,
        next_order_id: u64,
        next_trade_id: u64,
        expired_instruments: HashMap<String, bool>,
        orderbooks: HashMap<String, Vec<LegacyOrderSnapshotEntry>>,
        engine_positions: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EnginePosition>,
        balance_ledger: HashMap<WalletAddress, Decimal>,
        deposit_update_watermarks:
            HashMap<WalletAddress, crate::rsm::engine_deps::DepositUpdateWatermark>,
        applied_deposit_source_event_hashes:
            std::collections::BTreeSet<alloy::primitives::FixedBytes<32>>,
        agent_authorizations: HashMap<WalletAddress, Vec<(WalletAddress, Option<u64>)>>,
        agent_auth_loaded: bool,
        nonce_watermarks: HashMap<WalletAddress, u64>,
        nonce_sets: HashMap<WalletAddress, Vec<u64>>,
        hypercore_account_equity: HashMap<WalletAddress, Decimal>,
        hypercore_equity_timestamps: HashMap<WalletAddress, u64>,
        perp_positions: HashMap<(String, String), crate::hypercore::PerpPosition>,
        spot_prices: HashMap<String, Decimal>,
        iv_surfaces: HashMap<String, VolatilitySurfaceSnapshot>,
        iv_source_timestamps: HashMap<String, i64>,
        instrument_trading_modes: HashMap<String, hypercall_types::TradingModes>,
        mmp_state: HashMap<(WalletAddress, String), crate::rsm::engine_deps::EngineMmpState>,
        liquidation_states: HashMap<WalletAddress, hypercall_types::LiquidationStateType>,
        wallet_margin_modes: HashMap<WalletAddress, crate::rsm::margin_mode::MarginMode>,
        mmp_enabled: HashMap<(WalletAddress, String), bool>,
        wallet_trading_limits: HashMap<WalletAddress, hypercall_types::api_models::TradingLimits>,
        default_trading_limits: hypercall_types::api_models::TradingLimits,
        wallet_tiers: HashMap<WalletAddress, String>,
        rsm_signer_nonces: HashMap<WalletAddress, u64>,
    }

    fn serialize_snapshot_without_hypercore_equity_timestamps(
        snapshot: &EngineStateSnapshot,
    ) -> Vec<u8> {
        let mut value =
            rmp_serde::to_vec_named(snapshot).expect("serialize snapshot to named msgpack");
        let mut json: serde_json::Value =
            rmp_serde::from_slice(&value).expect("deserialize snapshot into json");
        let object = json
            .as_object_mut()
            .expect("named snapshot encoding must deserialize as an object");
        let removed = object.remove("hypercore_equity_timestamps");
        assert!(
            removed.is_some(),
            "test snapshot must contain hypercore_equity_timestamps"
        );
        value.clear();
        rmp_serde::encode::write_named(&mut value, &json)
            .expect("re-encode named snapshot without watermarks");
        value
    }

    #[test]
    fn legacy_snapshot_without_balance_update_seq_restores_as_migration_base() {
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir.path().join("old.engine_snapshot");
        let wallet = WalletAddress::from(alloy::primitives::Address::repeat_byte(0x42));

        let mut orderbooks = HashMap::new();
        orderbooks.insert(
            "ETH-20260131-4000-C".to_string(),
            vec![LegacyOrderSnapshotEntry {
                order_id: 1,
                price: Decimal::new(1000, 1),
                quantity: Decimal::new(50, 1),
                side: Side::Buy,
                wallet: WalletAddress::from(alloy::primitives::Address::repeat_byte(1)),
                timestamp: 1000,
            }],
        );
        let mut balance_ledger = HashMap::new();
        balance_ledger.insert(wallet, Decimal::new(2500, 0));

        let legacy = MinimalLegacyEngineStateSnapshot {
            version: LEGACY_SNAPSHOT_VERSION_V1,
            last_command_id: 42,
            last_l2_seq: 99,
            next_order_id: 100,
            next_trade_id: 50,
            expired_instruments: HashMap::new(),
            orderbooks,
            engine_positions: HashMap::new(),
            balance_ledger,
        };

        // Write using raw msgpack + CRC (same file format, but legacy struct)
        let payload = rmp_serde::to_vec(&legacy).expect("serialize legacy");
        let crc = SNAPSHOT_CRC.checksum(&payload);
        let mut data = payload;
        data.extend_from_slice(&crc.to_le_bytes());
        std::fs::write(&path, &data).expect("write legacy snapshot");

        let loaded = read_snapshot(&path)
            .expect("legacy snapshot should migrate")
            .expect("legacy snapshot should be present after migration");

        assert_eq!(loaded.version, SNAPSHOT_VERSION);
        assert_eq!(loaded.last_command_id, 42);
        assert_eq!(loaded.last_l2_seq, 99);
        assert_eq!(
            loaded.last_balance_update_seq, LEGACY_BALANCE_UPDATE_SEQ_MIGRATION_EPOCH,
            "legacy snapshots enter CALL-1707 migration at balance update sequence zero"
        );
        assert_eq!(
            loaded.balance_ledger.get(&wallet),
            Some(&Decimal::new(2500, 0))
        );
        let orders = loaded
            .orderbooks
            .get("ETH-20260131-4000-C")
            .expect("legacy orderbook should be restored");
        assert_eq!(orders.len(), 1);
        assert_eq!(orders[0].order_id, 1);
        assert_eq!(orders[0].client_id, None);
        assert_eq!(orders[0].original_size, None);
    }

    #[test]
    fn temp_call_1707_legacy_snapshot_tail_replay_e2e_allows_archived_prefix() {
        // Temporary CALL-1707 e2e-style regression: remove this with the
        // legacy snapshot migration hook after every environment writes v3
        // snapshots. This simulates staging retaining only the hot journal tail
        // after a legacy snapshot checkpoint.
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir.path().join("legacy-tail-replay.engine_snapshot");
        let legacy = MinimalLegacyEngineStateSnapshot {
            version: LEGACY_SNAPSHOT_VERSION_V2,
            last_command_id: 407_647_670,
            last_l2_seq: 200_000_000,
            next_order_id: 100,
            next_trade_id: 50,
            expired_instruments: HashMap::new(),
            orderbooks: HashMap::new(),
            engine_positions: HashMap::new(),
            balance_ledger: HashMap::new(),
        };

        let payload = rmp_serde::to_vec(&legacy).expect("serialize legacy");
        let crc = SNAPSHOT_CRC.checksum(&payload);
        let mut data = payload;
        data.extend_from_slice(&crc.to_le_bytes());
        std::fs::write(&path, &data).expect("write legacy snapshot");

        let loaded = read_snapshot(&path)
            .expect("legacy snapshot should migrate")
            .expect("legacy snapshot should be present after migration");
        assert_eq!(loaded.last_command_id, 407_647_670);
        assert_eq!(
            loaded.last_balance_update_seq,
            LEGACY_BALANCE_UPDATE_SEQ_MIGRATION_EPOCH
        );

        crate::rsm::unified_engine::validate_hot_journal_covers_base_replay(
            416_984_317,
            Some(hypercall_db::JournalCommandIdBounds {
                min_command_id: 407_647_671,
                max_command_id: 416_984_317,
            }),
            loaded.last_command_id + 1,
            None,
        )
        .expect("legacy snapshot migration should allow replay from the retained hot journal tail");

        let error = crate::rsm::unified_engine::validate_hot_journal_covers_base_replay(
            416_984_317,
            Some(hypercall_db::JournalCommandIdBounds {
                min_command_id: 407_647_672,
                max_command_id: 416_984_317,
            }),
            loaded.last_command_id + 1,
            None,
        )
        .expect_err("a missing first tail command must still fail closed");
        assert!(
            error.contains("requires replay from command_id 407647671"),
            "error should identify the missing post-snapshot tail command: {error}"
        );
    }

    #[test]
    fn legacy_map_snapshot_without_version_is_ignored() {
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir.path().join("legacy-map.engine_snapshot");

        let mut payload = Vec::new();
        rmp_serde::encode::write_named(
            &mut payload,
            &serde_json::json!({
                "legacy_snapshot": true
            }),
        )
        .expect("serialize legacy map snapshot");
        let crc = SNAPSHOT_CRC.checksum(&payload);
        let mut data = payload;
        data.extend_from_slice(&crc.to_le_bytes());
        std::fs::write(&path, &data).expect("write legacy map snapshot");

        assert!(
            read_snapshot(&path)
                .expect("legacy map snapshot should be ignored")
                .is_none(),
            "legacy map-shaped snapshot must be discarded so WAL replay rebuilds engine state"
        );
    }

    #[test]
    fn legacy_v2_snapshot_pre_append_only_source_hash_layout_migrates() {
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir
            .path()
            .join("legacy-v2-pre-append-source-hash.engine_snapshot");
        let owner = WalletAddress::from(alloy::primitives::Address::repeat_byte(0x22));
        let agent = WalletAddress::from(alloy::primitives::Address::repeat_byte(0x23));
        let source_event_hash = alloy::primitives::FixedBytes::<32>::from([0x7a; 32]);
        let mut source_event_hashes = std::collections::BTreeSet::new();
        source_event_hashes.insert(source_event_hash);
        let mut agent_authorizations = HashMap::new();
        agent_authorizations.insert(owner, vec![(agent, Some(5555))]);

        let legacy = LegacyV2SnapshotPreAppendOnlySourceHashes {
            version: LEGACY_SNAPSHOT_VERSION_V2,
            last_command_id: 407_647_670,
            last_l2_seq: 200_000_000,
            next_order_id: 100,
            next_trade_id: 50,
            expired_instruments: HashMap::new(),
            orderbooks: HashMap::new(),
            engine_positions: HashMap::new(),
            balance_ledger: HashMap::new(),
            deposit_update_watermarks: HashMap::new(),
            applied_deposit_source_event_hashes: source_event_hashes,
            agent_authorizations,
            agent_auth_loaded: true,
            nonce_watermarks: HashMap::new(),
            nonce_sets: HashMap::new(),
            hypercore_account_equity: HashMap::new(),
            hypercore_equity_timestamps: HashMap::new(),
            perp_positions: HashMap::new(),
            spot_prices: HashMap::new(),
            iv_surfaces: HashMap::new(),
            iv_source_timestamps: HashMap::new(),
            instrument_trading_modes: HashMap::new(),
            mmp_state: HashMap::new(),
            liquidation_states: HashMap::new(),
            wallet_margin_modes: HashMap::new(),
            mmp_enabled: HashMap::new(),
            wallet_trading_limits: HashMap::new(),
            default_trading_limits: Default::default(),
            wallet_tiers: HashMap::new(),
            rsm_signer_nonces: HashMap::new(),
        };

        let payload = rmp_serde::to_vec(&legacy).expect("serialize pre-append legacy v2 snapshot");
        let crc = SNAPSHOT_CRC.checksum(&payload);
        let mut data = payload;
        data.extend_from_slice(&crc.to_le_bytes());
        std::fs::write(&path, &data).expect("write legacy snapshot");

        let loaded = read_snapshot(&path)
            .expect("pre-append legacy v2 snapshot should migrate")
            .expect("legacy snapshot should be present after migration");

        assert_eq!(loaded.version, SNAPSHOT_VERSION);
        assert_eq!(loaded.last_command_id, 407_647_670);
        assert_eq!(
            loaded.last_balance_update_seq, LEGACY_BALANCE_UPDATE_SEQ_MIGRATION_EPOCH,
            "pre-append legacy snapshots enter CALL-1707 migration at balance update sequence zero"
        );
        assert!(
            loaded
                .applied_deposit_source_event_hashes
                .contains(&source_event_hash),
            "fallback decoder must preserve source event hash state from the old positional slot"
        );
        assert_eq!(
            loaded.agent_authorizations.get(&owner),
            Some(&vec![(agent, Some(5555))]),
            "fallback decoder must not shift source hashes into agent authorizations"
        );
    }

    #[test]
    fn snapshot_backwards_compat_deposit_source_hash_field_appended() {
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir
            .path()
            .join("old-v3-before-deposit-source-hash.engine_snapshot");
        let owner = WalletAddress::from(alloy::primitives::Address::repeat_byte(2));
        let agent = WalletAddress::from(alloy::primitives::Address::repeat_byte(3));
        let mut agent_authorizations = HashMap::new();
        agent_authorizations.insert(owner, vec![(agent, Some(1234))]);

        let legacy = SnapshotBeforeDepositSourceHashField {
            version: SNAPSHOT_VERSION,
            last_command_id: 622489,
            last_l2_seq: 16735,
            next_order_id: 8478,
            next_trade_id: 8486,
            expired_instruments: HashMap::new(),
            orderbooks: HashMap::new(),
            engine_positions: HashMap::new(),
            balance_ledger: HashMap::new(),
            last_balance_update_seq: 12,
            deposit_update_watermarks: HashMap::new(),
            agent_authorizations,
            agent_auth_loaded: true,
            nonce_watermarks: HashMap::new(),
            nonce_sets: HashMap::new(),
            hypercore_account_equity: HashMap::new(),
            hypercore_equity_timestamps: HashMap::new(),
            perp_positions: HashMap::new(),
            spot_prices: HashMap::new(),
            iv_surfaces: HashMap::new(),
            iv_source_timestamps: HashMap::new(),
            instrument_trading_modes: HashMap::new(),
            mmp_state: HashMap::new(),
            liquidation_states: HashMap::new(),
            wallet_margin_modes: HashMap::new(),
            mmp_enabled: HashMap::new(),
            wallet_trading_limits: HashMap::new(),
            default_trading_limits: Default::default(),
            wallet_tiers: HashMap::new(),
            rsm_signer_nonces: HashMap::new(),
        };

        let payload = rmp_serde::to_vec(&legacy).expect("serialize legacy v2 snapshot");
        let crc = SNAPSHOT_CRC.checksum(&payload);
        let mut data = payload;
        data.extend_from_slice(&crc.to_le_bytes());
        std::fs::write(&path, &data).expect("write legacy v2 snapshot");

        let loaded = read_snapshot(&path).expect("read").expect("should exist");

        assert_eq!(loaded.last_command_id, 622489);
        assert_eq!(loaded.last_balance_update_seq, 12);
        assert_eq!(
            loaded.agent_authorizations.get(&owner),
            Some(&vec![(agent, Some(1234))])
        );
        assert!(loaded.applied_deposit_source_event_hashes.is_empty());
    }

    #[test]
    fn snapshot_missing_balance_ledger_fails_fast() {
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir.path().join("missing-balance-ledger.engine_snapshot");

        let missing_balance = MissingBalanceLedgerSnapshot {
            version: SNAPSHOT_VERSION,
            last_command_id: 42,
            last_l2_seq: 99,
            next_order_id: 100,
            next_trade_id: 50,
            expired_instruments: HashMap::new(),
            orderbooks: HashMap::new(),
            engine_positions: HashMap::new(),
            last_balance_update_seq: 0,
        };

        let payload = rmp_serde::to_vec(&missing_balance).expect("serialize missing balance");
        let crc = SNAPSHOT_CRC.checksum(&payload);
        let mut data = payload;
        data.extend_from_slice(&crc.to_le_bytes());
        std::fs::write(&path, &data).expect("write missing balance snapshot");

        let err = read_snapshot(&path).expect_err("missing balance_ledger must fail");
        assert!(
            err.contains("failed to deserialize snapshot"),
            "unexpected error: {}",
            err
        );
    }

    #[test]
    fn snapshot_hypercore_equity_without_watermarks_fails_fast() {
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir
            .path()
            .join("missing-hypercore-equity-watermarks.engine_snapshot");
        let wallet = WalletAddress::from(alloy::primitives::Address::repeat_byte(0x13));
        let mut snapshot = make_test_snapshot();
        snapshot.version = SNAPSHOT_VERSION;
        snapshot.last_command_id = 42;
        snapshot.last_l2_seq = 99;
        snapshot.next_order_id = 100;
        snapshot.next_trade_id = 50;
        snapshot.balance_ledger.clear();
        snapshot.orderbooks.clear();
        snapshot.engine_positions.clear();
        snapshot.hypercore_account_equity.clear();
        snapshot.hypercore_equity_timestamps.clear();
        snapshot
            .hypercore_account_equity
            .insert(wallet, Decimal::new(5000, 0));

        let payload = serialize_snapshot_without_hypercore_equity_timestamps(&snapshot);
        let crc = SNAPSHOT_CRC.checksum(&payload);
        let mut data = payload;
        data.extend_from_slice(&crc.to_le_bytes());
        std::fs::write(&path, &data).expect("write missing watermarks snapshot");

        let err = read_snapshot(&path).expect_err("missing equity watermarks must fail");
        assert!(
            err.contains("HyperCore equity entries without timestamp watermarks")
                || err.contains("failed to deserialize snapshot"),
            "unexpected error: {}",
            err
        );
    }

    #[test]
    fn legacy_v1_snapshot_hypercore_equity_without_watermarks_migrates_zero_watermarks() {
        let dir = tempfile::tempdir().expect("create tempdir");
        let path = dir
            .path()
            .join("legacy-v1-hypercore-equity.engine_snapshot");
        let wallet = WalletAddress::from(alloy::primitives::Address::repeat_byte(0x14));
        let mut snapshot = make_test_snapshot();
        snapshot.version = LEGACY_SNAPSHOT_VERSION_V1;
        snapshot.last_command_id = 42;
        snapshot.last_l2_seq = 99;
        snapshot.next_order_id = 100;
        snapshot.next_trade_id = 50;
        snapshot.balance_ledger.clear();
        snapshot.orderbooks.clear();
        snapshot.engine_positions.clear();
        snapshot.hypercore_account_equity.clear();
        snapshot.hypercore_equity_timestamps.clear();
        snapshot
            .hypercore_account_equity
            .insert(wallet, Decimal::new(5000, 0));

        let payload = serialize_snapshot_without_hypercore_equity_timestamps(&snapshot);
        let crc = SNAPSHOT_CRC.checksum(&payload);
        let mut data = payload;
        data.extend_from_slice(&crc.to_le_bytes());
        std::fs::write(&path, &data).expect("write legacy snapshot");

        let loaded = read_snapshot(&path)
            .expect("legacy snapshot should migrate")
            .expect("legacy snapshot should be present after migration");

        assert_eq!(loaded.version, SNAPSHOT_VERSION);
        assert_eq!(
            loaded.hypercore_equity_timestamps.get(&wallet),
            Some(&0),
            "temporary legacy migration seeds missing HyperCore equity timestamps at zero"
        );
    }
}