hypercall_db_diesel/

event_handler.rs

//! Engine event handler: persists `EngineMessage` variants to Postgres.
//!
//! This module contains the core event-to-SQL logic that was previously
//! embedded in the root crate's `DieselEventHandler`. It operates on a
//! bare `&mut PgConnection` so callers can wrap calls in their own
//! transactions.

use anyhow::{anyhow, Result};
use diesel::pg::PgConnection;
use diesel::prelude::*;
use diesel::sql_types::{BigInt, Numeric};
use diesel::OptionalExtension;
use rust_decimal::Decimal;

use hypercall_types::engine_messages::{
    EngineMessage, LiquidationStateMessage, LiquidationStateType,
};
use hypercall_types::liquidation_state::{AccountLiquidationStatus, LiquidationState};
use hypercall_types::{
    utils::is_option_symbol, MarketUpdateStatus, OptionType, OrderUpdateStatus, WalletAddress,
};

use crate::database_handler::{current_option_token_deployment, DatabaseHandler};
use crate::models::*;
use crate::order_status_materialization::upsert_materialized_order_state;
use crate::schema;

/// Portable representation of an expired order that needs a synthetic cancel.
///
/// This mirrors `StartupExpiredOrderCancel` from the root crate but lives in
/// `hypercall-db-diesel` so the batch cancel logic can be called from outside
/// the root crate.
pub struct ExpiredOrderCancel {
    pub order_id: u64,
    pub wallet: WalletAddress,
    pub symbol: String,
    pub price: Decimal,
    pub size: Decimal,
    pub side: hypercall_types::Side,
    pub tif: hypercall_types::TimeInForce,
    pub is_perp: bool,
    pub underlying: Option<String>,
    pub reduce_only: Option<bool>,
    pub nonce: Option<u64>,
    pub signature: Option<String>,
    pub mmp_enabled: bool,
    pub filled_size: Decimal,
    pub client_id: Option<String>,
    pub timestamp: u64,
}

// ---------------------------------------------------------------------------
// Free helpers (module-private unless noted)
// ---------------------------------------------------------------------------

/// Convert an `AccountLiquidationStatus` to a `LiquidationStateRecord` for
/// database storage.
///
/// This was previously `LiquidationCache::status_to_new_state` in the root
/// crate. All the types it touches live in `hypercall_types` / `hypercall_db`,
/// so it belongs here.
pub fn status_to_liquidation_state_record(
    status: &AccountLiquidationStatus,
) -> hypercall_db::LiquidationStateRecord {
    use serde_json::Value as JsonValue;

    fn json_string_values(values: &[String]) -> Vec<JsonValue> {
        values.iter().cloned().map(JsonValue::String).collect()
    }

    let mut record = hypercall_db::LiquidationStateRecord {
        wallet_address: status.wallet,
        state: status.state.db_str().to_string(),
        margin_mode: status.margin_mode.as_str().to_string(),
        equity: status.equity,
        mm_required: status.mm_required,
        maintenance_margin: status.maintenance_margin,
        liquidation_mode: status
            .liquidation_mode()
            .map(|mode| mode.as_str().to_string()),
        target_equity: None,
        entered_pre_liq_at: None,
        mm_shortfall: None,
        escalation_deadline: None,
        last_reprice_at: None,
        partial_order_request_ids: None,
        partial_order_client_ids: None,
        partial_bonus_bps: None,
        auction_id: None,
        request_id: None,
        tx_hash: None,
        auction_started_at: None,
        chain_start_time: None,
        margin_needed: None,
        stop_request_id: None,
        stop_tx_hash: None,
        liquidated_at: None,
        resolved_winner: None,
        resolved_bonus: None,
        resolution_tx_hash: None,
        last_observed_block: None,
        updated_at_ms: Some(status.updated_at as i64),
        created_at: None,
        updated_at: None,
    };

    match &status.state {
        LiquidationState::Healthy => {}
        LiquidationState::PreLiquidation(metadata) => {
            record.target_equity = Some(metadata.target_equity);
            record.entered_pre_liq_at = Some(metadata.entered_at as i64);
            record.mm_shortfall = Some(metadata.mm_shortfall);
            record.escalation_deadline = Some(metadata.escalation_deadline as i64);
            record.last_reprice_at = metadata.last_reprice_at.map(|value| value as i64);
            record.partial_order_request_ids = Some(JsonValue::Array(json_string_values(
                &metadata.active_order_request_ids,
            )));
            record.partial_order_client_ids = Some(JsonValue::Array(json_string_values(
                &metadata.active_order_client_ids,
            )));
            record.partial_bonus_bps = Some(metadata.bonus_bps as i32);
            record.auction_id = metadata.pending_full_auction_id.clone();
            record.request_id = metadata.pending_full_request_id.clone();
            record.tx_hash = metadata.pending_full_tx_hash.clone();
            record.margin_needed = metadata.pending_full_margin_needed;
        }
        LiquidationState::InLiquidation(metadata) => {
            record.auction_id = Some(metadata.auction_id.clone());
            record.request_id = metadata.request_id.clone();
            record.tx_hash = metadata.tx_hash.clone();
            record.auction_started_at = Some(metadata.started_at as i64);
            record.chain_start_time = metadata.chain_start_time.map(|value| value as i64);
            record.margin_needed = Some(metadata.margin_needed);
            record.stop_request_id = metadata.stop_request_id.clone();
            record.stop_tx_hash = metadata.stop_tx_hash.clone();
        }
        LiquidationState::Liquidated(metadata) => {
            record.auction_id = Some(metadata.auction_id.clone());
            record.liquidated_at = Some(metadata.completed_at as i64);
            record.resolved_winner = metadata.winner;
            record.resolved_bonus = Some(metadata.bonus);
            record.resolution_tx_hash = metadata.tx_hash.clone();
        }
    }

    record
}

/// Convert a domain `LiquidationStateRecord` into the Diesel `NewLiquidationState` insertable.
fn new_liquidation_state_from_domain(
    d: &hypercall_db::LiquidationStateRecord,
) -> NewLiquidationState {
    NewLiquidationState {
        wallet_address: d.wallet_address,
        state: d.state.clone(),
        margin_mode: d.margin_mode.clone(),
        equity: d.equity,
        mm_required: d.mm_required,
        maintenance_margin: d.maintenance_margin,
        liquidation_mode: d.liquidation_mode.clone(),
        target_equity: d.target_equity,
        entered_pre_liq_at: d.entered_pre_liq_at,
        mm_shortfall: d.mm_shortfall,
        escalation_deadline: d.escalation_deadline,
        last_reprice_at: d.last_reprice_at,
        partial_order_request_ids: d.partial_order_request_ids.clone(),
        partial_order_client_ids: d.partial_order_client_ids.clone(),
        partial_bonus_bps: d.partial_bonus_bps,
        auction_id: d.auction_id.clone(),
        request_id: d.request_id.clone(),
        tx_hash: d.tx_hash.clone(),
        auction_started_at: d.auction_started_at,
        chain_start_time: d.chain_start_time,
        margin_needed: d.margin_needed,
        stop_request_id: d.stop_request_id.clone(),
        stop_tx_hash: d.stop_tx_hash.clone(),
        liquidated_at: d.liquidated_at,
        resolved_winner: d.resolved_winner,
        resolved_bonus: d.resolved_bonus,
        resolution_tx_hash: d.resolution_tx_hash.clone(),
        last_observed_block: d.last_observed_block,
        updated_at_ms: d.updated_at_ms,
    }
}

fn liquidation_history_from_message(
    message: &LiquidationStateMessage,
) -> Result<NewLiquidationHistory> {
    let (request_id, tx_hash, margin_needed, winner_address, bonus) = match &message.status.state {
        LiquidationState::Healthy => (None, None, None, None, None),
        LiquidationState::PreLiquidation(metadata) => (
            metadata.pending_full_request_id.clone(),
            metadata.pending_full_tx_hash.clone(),
            metadata.pending_full_margin_needed,
            None,
            None,
        ),
        LiquidationState::InLiquidation(metadata) => (
            metadata.request_id.clone(),
            metadata.tx_hash.clone(),
            Some(metadata.margin_needed),
            None,
            None,
        ),
        LiquidationState::Liquidated(metadata) => (
            None,
            metadata.tx_hash.clone(),
            None,
            metadata.winner,
            Some(metadata.bonus),
        ),
    };

    let details = serde_json::to_value(&message.status)
        .map_err(|e| anyhow!("failed to serialize liquidation status snapshot: {}", e))?;

    Ok(NewLiquidationHistory {
        wallet_address: message.wallet,
        previous_state: message.previous_state.to_string(),
        new_state: message.new_state.to_string(),
        liquidation_mode: message.liquidation_mode.clone(),
        equity: message.equity,
        mm_required: message.mm_required,
        maintenance_margin: message.maintenance_margin,
        shortfall: message.shortfall,
        auction_id: message.auction_id.clone(),
        request_id,
        tx_hash,
        margin_needed,
        winner_address,
        bonus,
        details,
        timestamp: i64::try_from(message.timestamp).map_err(|_| {
            anyhow!(
                "liquidation timestamp {} exceeds i64 range",
                message.timestamp
            )
        })?,
    })
}

fn liquidation_auction_from_status(
    status: &AccountLiquidationStatus,
) -> Result<Option<NewLiquidationAuction>> {
    match &status.state {
        LiquidationState::PreLiquidation(metadata) => {
            let Some(auction_id) = metadata.pending_full_auction_id.clone() else {
                return Ok(None);
            };
            Ok(Some(NewLiquidationAuction {
                auction_id,
                wallet_address: status.wallet,
                status: "pending".to_string(),
                positions: serde_json::Value::Array(Vec::new()),
                equity_at_start: status.equity,
                mm_shortfall_at_start: status.shortfall(),
                target_equity: Some(metadata.target_equity),
                request_id: metadata.pending_full_request_id.clone(),
                tx_hash: metadata.pending_full_tx_hash.clone(),
                started_at: i64::try_from(metadata.entered_at).map_err(|_| {
                    anyhow!(
                        "pre-liquidation entered_at {} exceeds i64 range",
                        metadata.entered_at
                    )
                })?,
                chain_start_time: None,
                margin_needed: metadata.pending_full_margin_needed,
                stop_request_id: None,
                stop_tx_hash: None,
                completed_at: None,
                liquidator_address: None,
                bonus: None,
                settlement_value: None,
                last_observed_block: None,
            }))
        }
        LiquidationState::InLiquidation(metadata) => Ok(Some(NewLiquidationAuction {
            auction_id: metadata.auction_id.clone(),
            wallet_address: status.wallet,
            status: "active".to_string(),
            positions: serde_json::Value::Array(Vec::new()),
            equity_at_start: status.equity,
            mm_shortfall_at_start: status.shortfall(),
            target_equity: None,
            request_id: metadata.request_id.clone(),
            tx_hash: metadata.tx_hash.clone(),
            started_at: i64::try_from(metadata.started_at).map_err(|_| {
                anyhow!(
                    "auction started_at {} exceeds i64 range",
                    metadata.started_at
                )
            })?,
            chain_start_time: metadata
                .chain_start_time
                .map(i64::try_from)
                .transpose()
                .map_err(|_| anyhow!("chain_start_time exceeds i64 range"))?,
            margin_needed: Some(metadata.margin_needed),
            stop_request_id: metadata.stop_request_id.clone(),
            stop_tx_hash: metadata.stop_tx_hash.clone(),
            completed_at: None,
            liquidator_address: None,
            bonus: None,
            settlement_value: None,
            last_observed_block: None,
        })),
        LiquidationState::Liquidated(metadata) => Ok(Some(NewLiquidationAuction {
            auction_id: metadata.auction_id.clone(),
            wallet_address: status.wallet,
            status: "completed".to_string(),
            positions: serde_json::Value::Array(Vec::new()),
            equity_at_start: status.equity,
            mm_shortfall_at_start: status.shortfall(),
            target_equity: None,
            request_id: None,
            tx_hash: None,
            // A resolved-only replay can land before the corresponding
            // start row exists. Preserve the original started_at when an
            // existing row is present; otherwise store an explicit
            // "unknown start" sentinel instead of fabricating a zero-
            // duration auction from completed_at.
            started_at: 0,
            chain_start_time: None,
            margin_needed: None,
            stop_request_id: None,
            stop_tx_hash: None,
            completed_at: Some(i64::try_from(metadata.completed_at).map_err(|_| {
                anyhow!(
                    "liquidated completed_at {} exceeds i64 range",
                    metadata.completed_at
                )
            })?),
            liquidator_address: metadata.winner,
            bonus: Some(metadata.bonus),
            settlement_value: None,
            last_observed_block: None,
        })),
        _ => Ok(None),
    }
}

fn liquidation_auction_update_from_message(
    message: &LiquidationStateMessage,
) -> Result<Option<UpdateLiquidationAuction>> {
    if message.auction_id.is_none() {
        return Ok(None);
    }

    let cancelled_update = || -> Result<Option<UpdateLiquidationAuction>> {
        Ok(Some(UpdateLiquidationAuction {
            status: Some("cancelled".to_string()),
            request_id: None,
            tx_hash: None,
            chain_start_time: None,
            margin_needed: None,
            stop_request_id: None,
            stop_tx_hash: None,
            completed_at: Some(
                i64::try_from(message.timestamp)
                    .map_err(|_| anyhow!("liquidation timestamp exceeds i64 range"))?,
            ),
            liquidator_address: None,
            bonus: None,
            settlement_value: None,
            last_observed_block: None,
        }))
    };

    match (&message.previous_state, &message.new_state) {
        (LiquidationStateType::InLiquidation, LiquidationStateType::Healthy) => cancelled_update(),
        // A pending StartLiquidation directive failed or expired while still
        // in PreLiquidation. The previous_liquidation_mode was "full" (pending
        // full request existed) but has reverted to partial/none. Cancel the
        // orphaned "pending" auction row so it does not stay pending forever.
        (LiquidationStateType::PreLiquidation, LiquidationStateType::PreLiquidation)
            if message.previous_liquidation_mode.as_deref() == Some("full")
                && message.liquidation_mode.as_deref() != Some("full") =>
        {
            cancelled_update()
        }
        _ => Ok(None),
    }
}

// ---------------------------------------------------------------------------
// Fill persistence helpers
// ---------------------------------------------------------------------------

/// Persist a fill (trade + taker/maker fill rows) and apply ledger side effects
/// in the caller's transaction.
///
/// Returns `(taker_inserted, maker_inserted)` booleans -- `false` means
/// the row already existed (idempotent ON CONFLICT DO NOTHING).
pub fn persist_fill_with_side_effects_in_tx(
    conn: &mut PgConnection,
    fill: &hypercall_types::Fill,
    side_effects: &FillSideEffect,
) -> Result<(bool, bool)> {
    persist_fill_with_side_effects_in_tx_with_validation(
        conn,
        fill,
        side_effects,
        FillUnderlyingNotionalValidation::Strict,
    )
}

/// Persist a journaled fill while preserving replay compatibility for
/// pre-cutover WAL payloads that did not carry `underlying_notional`.
pub fn persist_legacy_replay_fill_with_side_effects_in_tx(
    conn: &mut PgConnection,
    fill: &hypercall_types::Fill,
    side_effects: &FillSideEffect,
) -> Result<(bool, bool)> {
    persist_fill_with_side_effects_in_tx_with_validation(
        conn,
        fill,
        side_effects,
        FillUnderlyingNotionalValidation::LegacyReplay,
    )
}

fn persist_fill_with_side_effects_in_tx_with_validation(
    conn: &mut PgConnection,
    fill: &hypercall_types::Fill,
    side_effects: &FillSideEffect,
    validation: FillUnderlyingNotionalValidation,
) -> Result<(bool, bool)> {
    use diesel::sql_types::{BigInt, Binary, Bool, Text};
    use rust_decimal_macros::dec;

    assert_eq!(
        side_effects.trade_id, fill.trade_id,
        "CRITICAL: journal fill side effects trade_id mismatch for fill {}",
        fill.trade_id
    );
    let underlying_notional =
        validate_fill_underlying_notional(fill, side_effects.underlying_notional, validation)?;
    let taker_realized_pnl = fill
        .taker_realized_pnl
        .unwrap_or(side_effects.taker_ledger_delta);
    let maker_realized_pnl = fill
        .maker_realized_pnl
        .unwrap_or(side_effects.maker_ledger_delta);

    diesel::sql_query(
        "INSERT INTO trades (trade_id, symbol, price, size, maker_address, taker_address, maker_fee, taker_fee, timestamp)
         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
         ON CONFLICT (trade_id) DO NOTHING",
    )
    .bind::<BigInt, _>(fill.trade_id as i64)
    .bind::<Text, _>(&fill.symbol)
    .bind::<Numeric, _>(fill.price)
    .bind::<Numeric, _>(fill.size)
    .bind::<Binary, _>(&fill.maker_wallet_address)
    .bind::<Binary, _>(&fill.taker_wallet_address)
    .bind::<Numeric, _>(dec!(0))
    .bind::<Numeric, _>(fill.fee)
    .bind::<BigInt, _>(fill.timestamp as i64)
    .execute(conn)?;

    let taker_rows: usize = diesel::sql_query(
        "INSERT INTO fills (trade_id, wallet_address, symbol, price, size, fee, is_taker, timestamp, builder_code_address, builder_code_fee, realized_pnl, underlying_notional)
         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
         ON CONFLICT (trade_id, wallet_address, is_taker) DO NOTHING",
    )
    .bind::<BigInt, _>(fill.trade_id as i64)
    .bind::<Binary, _>(&fill.taker_wallet_address)
    .bind::<Text, _>(&fill.symbol)
    .bind::<Numeric, _>(fill.price)
    .bind::<Numeric, _>(fill.size)
    .bind::<Numeric, _>(fill.fee)
    .bind::<Bool, _>(true)
    .bind::<BigInt, _>(fill.timestamp as i64)
    .bind::<diesel::sql_types::Nullable<Binary>, _>(fill.builder_code_address.as_ref())
    .bind::<diesel::sql_types::Nullable<Numeric>, _>(fill.builder_code_fee)
    .bind::<diesel::sql_types::Nullable<Numeric>, _>(Some(taker_realized_pnl))
    .bind::<diesel::sql_types::Nullable<Numeric>, _>(underlying_notional)
    .execute(conn)?;
    let taker_inserted = taker_rows > 0;

    if taker_inserted {
        apply_fill_ledger_side_effects(
            conn,
            &fill.taker_wallet_address,
            fill,
            side_effects.taker_ledger_delta,
            side_effects.taker_premium_delta,
        )?;
    }

    let maker_rows: usize = diesel::sql_query(
        "INSERT INTO fills (trade_id, wallet_address, symbol, price, size, fee, is_taker, timestamp, builder_code_address, builder_code_fee, realized_pnl, underlying_notional)
         VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
         ON CONFLICT (trade_id, wallet_address, is_taker) DO NOTHING",
    )
    .bind::<BigInt, _>(fill.trade_id as i64)
    .bind::<Binary, _>(&fill.maker_wallet_address)
    .bind::<Text, _>(&fill.symbol)
    .bind::<Numeric, _>(fill.price)
    .bind::<Numeric, _>(fill.size)
    .bind::<Numeric, _>(dec!(0))
    .bind::<Bool, _>(false)
    .bind::<BigInt, _>(fill.timestamp as i64)
    .bind::<diesel::sql_types::Nullable<Binary>, _>(
        Option::<hypercall_types::WalletAddress>::None,
    )
    .bind::<diesel::sql_types::Nullable<Numeric>, _>(Option::<Decimal>::None)
    .bind::<diesel::sql_types::Nullable<Numeric>, _>(Some(maker_realized_pnl))
    .bind::<diesel::sql_types::Nullable<Numeric>, _>(underlying_notional)
    .execute(conn)?;
    let maker_inserted = maker_rows > 0;

    if maker_inserted {
        apply_fill_ledger_side_effects(
            conn,
            &fill.maker_wallet_address,
            fill,
            side_effects.maker_ledger_delta,
            side_effects.maker_premium_delta,
        )?;
    }

    Ok((taker_inserted, maker_inserted))
}

fn apply_fill_ledger_side_effects(
    conn: &mut PgConnection,
    wallet: &WalletAddress,
    fill: &hypercall_types::Fill,
    realized_delta: Decimal,
    premium_delta: Decimal,
) -> Result<()> {
    use diesel::sql_types::{BigInt, Binary, Text};

    let _total_delta = realized_delta + premium_delta;

    if realized_delta != Decimal::ZERO {
        let inserted = diesel::sql_query(
            "INSERT INTO ledger_events
             (wallet, event_ts_ms, delta, event_type, reference_trade_id, reference_symbol)
             VALUES ($1, $2, $3, $4, $5, $6)
             ON CONFLICT (wallet, reference_trade_id, event_type)
             WHERE reference_trade_id IS NOT NULL
             DO NOTHING",
        )
        .bind::<Binary, _>(wallet)
        .bind::<BigInt, _>(fill.timestamp as i64)
        .bind::<Numeric, _>(realized_delta)
        .bind::<Text, _>("fill_realized_pnl")
        .bind::<BigInt, _>(fill.trade_id as i64)
        .bind::<diesel::sql_types::Nullable<Text>, _>(Some(fill.symbol.as_str()))
        .execute(conn)?;
        assert_eq!(
            inserted, 1,
            "CRITICAL: missing fill_realized_pnl ledger event for trade {} wallet {}",
            fill.trade_id, wallet
        );
    }

    if premium_delta != Decimal::ZERO {
        let inserted = diesel::sql_query(
            "INSERT INTO ledger_events
             (wallet, event_ts_ms, delta, event_type, reference_trade_id, reference_symbol)
             VALUES ($1, $2, $3, $4, $5, $6)
             ON CONFLICT (wallet, reference_trade_id, event_type)
             WHERE reference_trade_id IS NOT NULL
             DO NOTHING",
        )
        .bind::<Binary, _>(wallet)
        .bind::<BigInt, _>(fill.timestamp as i64)
        .bind::<Numeric, _>(premium_delta)
        .bind::<Text, _>("fill_premium")
        .bind::<BigInt, _>(fill.trade_id as i64)
        .bind::<diesel::sql_types::Nullable<Text>, _>(Some(fill.symbol.as_str()))
        .execute(conn)?;
        assert_eq!(
            inserted, 1,
            "CRITICAL: missing fill_premium ledger event for trade {} wallet {}",
            fill.trade_id, wallet
        );
    }

    Ok(())
}

// ---------------------------------------------------------------------------
// Portable fill side-effect struct
// ---------------------------------------------------------------------------

/// Journal-only accounting deltas for a single OrderFilled event.
///
/// This is the portable version of `JournalFillSideEffect` from the root
/// crate's journal batcher.
pub struct FillSideEffect {
    pub trade_id: u64,
    pub taker_ledger_delta: Decimal,
    pub maker_ledger_delta: Decimal,
    pub taker_premium_delta: Decimal,
    pub maker_premium_delta: Decimal,
    pub underlying_notional: Option<Decimal>,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum FillUnderlyingNotionalValidation {
    Strict,
    LegacyReplay,
}

fn validate_fill_underlying_notional(
    fill: &hypercall_types::Fill,
    side_effect_underlying_notional: Option<Decimal>,
    validation: FillUnderlyingNotionalValidation,
) -> Result<Option<Decimal>> {
    if !is_option_symbol(&fill.symbol) {
        return Ok(fill.underlying_notional.or(side_effect_underlying_notional));
    }

    if validation == FillUnderlyingNotionalValidation::LegacyReplay {
        if let (Some(fill_notional), Some(side_effect_notional)) =
            (fill.underlying_notional, side_effect_underlying_notional)
        {
            anyhow::ensure!(
                fill_notional == side_effect_notional,
                "CRITICAL: option fill underlying_notional mismatch for trade {}: fill={} side_effect={}",
                fill.trade_id,
                fill_notional,
                side_effect_notional
            );
        }
        return Ok(fill.underlying_notional.or(side_effect_underlying_notional));
    }

    let fill_notional = fill.underlying_notional.ok_or_else(|| {
        anyhow!(
            "CRITICAL: option fill {} for trade {} is missing underlying_notional",
            fill.symbol,
            fill.trade_id
        )
    })?;
    let side_effect_notional = side_effect_underlying_notional.ok_or_else(|| {
        anyhow!(
            "CRITICAL: option fill side effects for trade {} are missing underlying_notional",
            fill.trade_id
        )
    })?;
    anyhow::ensure!(
        fill_notional == side_effect_notional,
        "CRITICAL: option fill underlying_notional mismatch for trade {}: fill={} side_effect={}",
        fill.trade_id,
        fill_notional,
        side_effect_notional
    );
    Ok(Some(fill_notional))
}

impl FillSideEffect {
    pub fn from_fill_accounting(accounting: &hypercall_types::FillAccounting) -> Self {
        accounting.assert_cash_decomposition();
        Self {
            trade_id: accounting.trade_id,
            taker_ledger_delta: accounting.taker_ledger_residual_delta(),
            maker_ledger_delta: accounting.maker_ledger_residual_delta(),
            taker_premium_delta: accounting.taker_premium_delta(),
            maker_premium_delta: accounting.maker_premium_delta(),
            underlying_notional: None,
        }
    }
}

// ---------------------------------------------------------------------------
// DatabaseHandler event methods
// ---------------------------------------------------------------------------

impl DatabaseHandler {
    /// Upsert static order info into order_infos. Used by `handle_event_with_conn`
    /// and the `OrderWriter` trait impl.
    pub(crate) fn upsert_order_info(conn: &mut PgConnection, info: &NewOrderInfo) -> Result<()> {
        use diesel::upsert::excluded;

        diesel::insert_into(schema::order_infos::table)
            .values(info)
            .on_conflict(schema::order_infos::order_id)
            .do_update()
            .set((
                schema::order_infos::wallet_address
                    .eq(excluded(schema::order_infos::wallet_address)),
                schema::order_infos::symbol.eq(excluded(schema::order_infos::symbol)),
                schema::order_infos::side.eq(excluded(schema::order_infos::side)),
                schema::order_infos::price.eq(excluded(schema::order_infos::price)),
                schema::order_infos::size.eq(excluded(schema::order_infos::size)),
                schema::order_infos::tif.eq(excluded(schema::order_infos::tif)),
                schema::order_infos::client_id.eq(excluded(schema::order_infos::client_id)),
                schema::order_infos::is_perp.eq(excluded(schema::order_infos::is_perp)),
                schema::order_infos::underlying.eq(excluded(schema::order_infos::underlying)),
                schema::order_infos::reduce_only.eq(excluded(schema::order_infos::reduce_only)),
                schema::order_infos::nonce.eq(excluded(schema::order_infos::nonce)),
                schema::order_infos::signature.eq(excluded(schema::order_infos::signature)),
                schema::order_infos::mmp_enabled.eq(excluded(schema::order_infos::mmp_enabled)),
                schema::order_infos::timestamp.eq(excluded(schema::order_infos::timestamp)),
            ))
            .execute(conn)?;
        Ok(())
    }

    /// Insert an order action audit trail entry. Used by `handle_event_with_conn`
    /// and the `OrderWriter` trait impl.
    pub(crate) fn insert_order_action(
        conn: &mut PgConnection,
        action: &NewOrderAction,
    ) -> Result<()> {
        diesel::insert_into(schema::order_actions::table)
            .values(action)
            .execute(conn)?;
        Ok(())
    }

    /// Persist a single engine event, acquiring a connection from the pool.
    pub fn handle_event_sync(&self, event: &EngineMessage) -> Result<()> {
        let mut conn = self.pool().get()?;
        self.handle_event_with_conn(&mut conn, event)
    }

    /// Persist a batch of engine events in a single transaction.
    pub fn handle_event_batch_sync(&self, events: &[EngineMessage]) -> Result<()> {
        let mut conn = self.pool().get()?;

        (*conn).transaction::<_, anyhow::Error, _>(|conn| {
            for event in events {
                self.handle_event_with_conn(conn, event)?;
            }
            Ok(())
        })?;

        Ok(())
    }

    /// Persist a single engine event using the provided connection.
    pub fn handle_event_with_conn(
        &self,
        conn: &mut PgConnection,
        event: &EngineMessage,
    ) -> Result<()> {
        match event {
            EngineMessage::OrderInfo(order_info_msg) => {
                let new_order_info = NewOrderInfo {
                    order_id: order_info_msg.order_id as i64,
                    wallet_address: order_info_msg.wallet,
                    symbol: order_info_msg.info.symbol.clone(),
                    side: format!("{:?}", order_info_msg.info.side),
                    price: order_info_msg.info.price,
                    size: order_info_msg.info.size,
                    tif: format!("{:?}", order_info_msg.info.tif),
                    client_id: order_info_msg.info.client_id.clone(),
                    is_perp: order_info_msg.info.is_perp,
                    underlying: order_info_msg.info.underlying.clone(),
                    reduce_only: order_info_msg.info.reduce_only,
                    nonce: order_info_msg.info.nonce.map(|n| n as i64),
                    signature: order_info_msg.info.signature.clone(),
                    mmp_enabled: order_info_msg.info.mmp_enabled,
                    timestamp: order_info_msg.timestamp as i64,
                    status: "ACKED".to_string(),
                    filled_size: Decimal::ZERO,
                    last_materialized_order_update_id: 0,
                };
                Self::upsert_order_info(conn, &new_order_info)?;
            }
            EngineMessage::OrderAction(action) => {
                let new_action = NewOrderAction {
                    timestamp: action.timestamp as i64,
                    wallet: action.wallet,
                    action: format!("{:?}", action.action),
                    symbol: action.info.symbol.clone(),
                    price: action.info.price,
                    size: action.info.size,
                    side: format!("{:?}", action.info.side),
                    tif: format!("{:?}", action.info.tif),
                    client_id: action.info.client_id.clone(),
                };
                Self::insert_order_action(conn, &new_action)?;
            }
            EngineMessage::OrderUpdate(update) => {
                let current_status = Self::order_update_status_to_db(update.status).to_string();

                // Store the raw order update
                let new_order_update = NewOrderUpdate {
                    timestamp: update.timestamp as i64,
                    order_id: update.order_id.map(|id| id as i64),
                    status: current_status.clone(),
                    reason: update.reason.clone(),
                    filled_size: update.filled_size,
                    symbol: update.info.symbol.clone(),
                    price: update.info.price,
                    size: update.info.size,
                    side: format!("{:?}", update.info.side),
                    tif: format!("{:?}", update.info.tif),
                    client_id: update.info.client_id.clone(),
                };

                let order_update_id = diesel::insert_into(schema::order_updates::table)
                    .values(&new_order_update)
                    .returning(schema::order_updates::id)
                    .get_result::<Option<i32>>(conn)?
                    .expect("order_updates.id should be populated after insert");

                if let Some(order_id) = update.order_id {
                    let materialized_order_info = NewOrderInfo {
                        order_id: order_id as i64,
                        wallet_address: update.wallet_address,
                        symbol: update.info.symbol.clone(),
                        side: format!("{:?}", update.info.side),
                        price: update.info.price,
                        size: update.info.size,
                        tif: format!("{:?}", update.info.tif),
                        client_id: update.info.client_id.clone(),
                        is_perp: update.info.is_perp,
                        underlying: update.info.underlying.clone(),
                        reduce_only: update.info.reduce_only,
                        nonce: update.info.nonce.map(|n| n as i64),
                        signature: update.info.signature.clone(),
                        mmp_enabled: update.info.mmp_enabled,
                        timestamp: update.timestamp as i64,
                        status: current_status,
                        filled_size: update.filled_size,
                        last_materialized_order_update_id: order_update_id,
                    };

                    upsert_materialized_order_state(conn, &materialized_order_info)?;
                }

                // Handle rejected orders
                if let OrderUpdateStatus::Rejected = update.status {
                    let new_rejected = NewRejectedOrder {
                        wallet_address: update.wallet_address,
                        symbol: update.info.symbol.clone(),
                        side: format!("{:?}", update.info.side),
                        price: update.info.price,
                        size: update.info.size,
                        reason: update
                            .reason
                            .clone()
                            .unwrap_or_else(|| "Unknown".to_string()),
                        timestamp: update.timestamp as i64,
                    };

                    diesel::insert_into(schema::rejected_orders::table)
                        .values(&new_rejected)
                        .execute(conn)?;
                }
            }
            EngineMessage::OrderFilled { .. } => {
                // No-op: fills and trades are now written inline by the journal
                // batcher (insert_batch) in the same transaction as engine_commands
                // and engine_events. Publishing of OrderFilled events to the event bus
                // still happens so market_stats_cache receives real-time volume updates.
            }
            EngineMessage::OrderbookUpdated(_update) => {
                // OrderbookUpdated events are no longer persisted (snapshot tables removed)
            }
            EngineMessage::MarketAction(action) => {
                // Store the market action
                let new_action = NewMarketAction {
                    timestamp: action.timestamp as i64,
                    action: format!("{:?}", action.action),
                    symbol: action.market.symbol.clone(),
                    underlying: action.market.underlying.clone(),
                    expiry: action.market.expiry as i64,
                    strike: action.market.strike,
                    option_type: match action.market.option_type {
                        OptionType::Call => "call".to_string(),
                        OptionType::Put => "put".to_string(),
                    },
                };

                diesel::insert_into(schema::market_actions::table)
                    .values(&new_action)
                    .execute(conn)?;
            }
            EngineMessage::MarketUpdate(update) => {
                // Store the raw market update
                let new_market_update = NewMarketUpdate {
                    timestamp: update.timestamp as i64,
                    status: format!("{:?}", update.status),
                    symbol: update.market.symbol.clone(),
                    underlying: update.market.underlying.clone(),
                    expiry: update.market.expiry as i64,
                    strike: update.market.strike,
                    option_type: match update.market.option_type {
                        OptionType::Call => "call".to_string(),
                        OptionType::Put => "put".to_string(),
                    },
                };

                diesel::insert_into(schema::market_updates::table)
                    .values(&new_market_update)
                    .execute(conn)?;

                match update.status {
                    MarketUpdateStatus::MarketCreated | MarketUpdateStatus::MarketAlreadyExists => {
                        // Insert market if not exists (idempotent - ON CONFLICT DO NOTHING)
                        let new_market = Market {
                            underlying: update.market.underlying.clone(),
                            expiry: update.market.expiry as i64,
                        };

                        // Use INSERT ON CONFLICT DO NOTHING for PostgreSQL
                        diesel::sql_query(
                            "INSERT INTO markets (underlying, expiry) VALUES ($1, $2) ON CONFLICT (underlying, expiry) DO NOTHING"
                        )
                        .bind::<diesel::sql_types::Text, _>(&new_market.underlying)
                        .bind::<diesel::sql_types::BigInt, _>(new_market.expiry)
                        .execute(conn)?;

                        // Insert instrument
                        let option_type = match update.market.option_type {
                            OptionType::Call => "call",
                            OptionType::Put => "put",
                        };

                        let instrument_strike = update.market.strike;
                        let deployment = current_option_token_deployment()?;
                        let option_token_address = hypercall_types::derive_option_token_address(
                            deployment,
                            &update.market.underlying,
                            update.market.expiry,
                            instrument_strike,
                            option_type,
                        )?;

                        let new_instrument = Instrument {
                            instrument_numeric_id: 0,
                            id: update.market.symbol.clone(),
                            underlying: update.market.underlying.clone(),
                            strike: instrument_strike,
                            expiry: update.market.expiry as i64,
                            option_type: option_type.to_string(),
                            option_token_address: Some(option_token_address),
                            status: "ACTIVE".to_string(),
                            trading_mode: "orderbook".to_string(),
                        };

                        // Use INSERT ON CONFLICT DO NOTHING for PostgreSQL
                        if let Err(err) = diesel::sql_query(
                            "INSERT INTO instruments (id, underlying, strike, expiry, option_type, status, option_token_address, trading_mode) VALUES ($1, $2, $3, $4, $5, $6, $7, $8) ON CONFLICT (id) DO NOTHING"
                        )
                        .bind::<diesel::sql_types::Text, _>(&new_instrument.id)
                        .bind::<diesel::sql_types::Text, _>(&new_instrument.underlying)
                        .bind::<diesel::sql_types::Numeric, _>(instrument_strike)
                        .bind::<diesel::sql_types::BigInt, _>(new_instrument.expiry)
                        .bind::<diesel::sql_types::Text, _>(&new_instrument.option_type)
                        .bind::<diesel::sql_types::Text, _>(&new_instrument.status)
                        .bind::<diesel::sql_types::Bytea, _>(option_token_address)
                        .bind::<diesel::sql_types::Text, _>(&new_instrument.trading_mode)
                        .execute(conn) {
                            Self::observe_diesel_option_token_violation(&err);
                            return Err(err.into());
                        }
                    }
                    MarketUpdateStatus::MarketDeleted | MarketUpdateStatus::MarketExpired => {
                        diesel::delete(schema::instruments::table)
                            .filter(schema::instruments::id.eq(&update.market.symbol))
                            .execute(conn)?;
                    }
                    MarketUpdateStatus::MarketPendingSettlement => {
                        // Transition-to-pending updates instrument status directly via ExpiryManager.
                        // Keep instrument row until settlement completes.
                    }
                    MarketUpdateStatus::MarketCreationFailed
                    | MarketUpdateStatus::MarketDeletionFailed => {
                        // Market lifecycle update failed - no database mutation needed here.
                        // No database action needed
                    }
                }
            }
            EngineMessage::L2Update(_) => {
                // L2 updates are incremental orderbook changes - not persisted here
            }
            EngineMessage::Trade(_trade_msg) => {
                // Trade messages are public broadcast messages
                // We store them but they don't have buyer/seller info
                // The actual trade with buyer/seller is handled in OrderFilled
                // For now, we skip this as the real trade is saved in OrderFilled
            }
            EngineMessage::TransactionRequest(tx_req) => {
                // TODO: Store transaction requests in database
                tracing::info!("Persisting transaction request: {}", tx_req.request_id);
            }
            EngineMessage::TransactionUpdate(tx_update) => {
                Self::persist_transaction_update(conn, tx_update)?;
                tracing::info!(
                    "Persisting transaction update: {} -> {:?}",
                    tx_update.request_id,
                    tx_update.status
                );
            }
            EngineMessage::MmpTriggered(mmp_msg) => {
                tracing::warn!(
                    "Persisting MMP trigger: wallet={}, currency={}, reason={}",
                    mmp_msg.wallet,
                    mmp_msg.currency,
                    mmp_msg.reason
                );
            }
            EngineMessage::PositionExpired(expiry_msg) => {
                // Idempotent settlement: try to insert, skip if already exists
                // This prevents double-crediting on replay/restart
                let intent =
                    hypercall_settlement::SettlementPersistenceIntent::from_position_expired(
                        expiry_msg,
                    )
                    .map_err(|e| anyhow!("{}", e))?;
                let context = format!("{}/{}", expiry_msg.wallet_address, expiry_msg.symbol);
                let settlement_entry_price = intent
                    .economics
                    .map(|economics| economics.settlement_entry_price);
                let cost_basis = intent.economics.map(|economics| economics.cost_basis);
                let net_pnl = intent.economics.map(|economics| economics.net_pnl);

                let new_expiration = NewPositionExpiration {
                    wallet: intent.wallet,
                    symbol: intent.symbol.clone(),
                    expiry_ts: intent.expiry_ts,
                    settlement_price: intent.settlement_price,
                    settlement_value: intent.settlement_value,
                };

                let payout = NewSettlementPayout {
                    wallet: intent.wallet,
                    symbol: intent.symbol.clone(),
                    expiry_ts: intent.expiry_ts,
                    position_size: intent.position_size,
                    settlement_price: intent.settlement_price,
                    payout_amount: intent.settlement_value,
                    ledger_applied: true,
                    settlement_entry_price,
                    cost_basis,
                    net_pnl,
                };

                let settlement_cashflow =
                    crate::settlement_ops::settlement_ledger_delta_for_margin_mode(
                        intent.margin_mode,
                        intent.settlement_value,
                        net_pnl,
                        &context,
                    )?;

                let outcome = conn.transaction::<_, anyhow::Error, _>(|tx_conn| {
                    crate::settlement_ops::claim_settlement_in_tx(
                        tx_conn,
                        &new_expiration,
                        &payout,
                        settlement_cashflow,
                        expiry_msg.timestamp as i64,
                    )
                })?;

                if !outcome.newly_persisted {
                    tracing::info!(
                        "Settlement already applied for {}/{}, skipping (idempotency)",
                        expiry_msg.wallet_address,
                        expiry_msg.symbol
                    );
                } else {
                    tracing::info!(
                        "Settlement persisted: wallet={}, symbol={}, size={}, payout={}",
                        expiry_msg.wallet_address,
                        expiry_msg.symbol,
                        expiry_msg.position_size,
                        expiry_msg.settlement_value
                    );
                }
            }
            EngineMessage::TierUpdate(_tier_msg) => {
                // TierUpdates are for cross-process cache sync.
                // DB is already updated via tier_cache.set_margin_mode() before publishing.
                // No persistence action needed here.
            }
            EngineMessage::HypercorePositionUpdate(update) => {
                // HypercorePositionUpdate is handled by PortfolioService, not persisted here
                tracing::debug!(
                    "DieselHandler: Hypercore position update - account={}, coin={}, size={}",
                    update.account,
                    update.coin,
                    update.size
                );
            }
            EngineMessage::LiquidationStateChange(liq_msg) => {
                if let Some(mut auction_row) = liquidation_auction_from_status(&liq_msg.status)? {
                    if let Some(existing_auction) =
                        self.get_liquidation_auction_with_conn(conn, &auction_row.auction_id)?
                    {
                        if auction_row.stop_request_id.is_none() {
                            auction_row.stop_request_id = existing_auction.stop_request_id.clone();
                        }
                        if auction_row.stop_tx_hash.is_none() {
                            auction_row.stop_tx_hash = existing_auction.stop_tx_hash.clone();
                        }
                        if auction_row.last_observed_block.is_none() {
                            auction_row.last_observed_block = existing_auction.last_observed_block;
                        }
                        // Preserve target_equity from the existing row when the
                        // new state (e.g. InLiquidation) does not carry it.
                        if auction_row.target_equity.is_none() {
                            auction_row.target_equity = existing_auction.target_equity;
                        }

                        if matches!(liq_msg.status.state, LiquidationState::Liquidated(..)) {
                            if auction_row.request_id.is_none() {
                                auction_row.request_id = existing_auction.request_id;
                            }
                            if auction_row.tx_hash.is_none() {
                                auction_row.tx_hash = existing_auction.tx_hash;
                            }
                            auction_row.started_at = existing_auction.started_at;
                            if auction_row.chain_start_time.is_none() {
                                auction_row.chain_start_time = existing_auction.chain_start_time;
                            }
                            if auction_row.margin_needed.is_none() {
                                auction_row.margin_needed = existing_auction.margin_needed;
                            }
                            if auction_row.settlement_value.is_none() {
                                auction_row.settlement_value = existing_auction.settlement_value;
                            }
                        }
                    }
                    self.upsert_liquidation_auction_with_conn(conn, &auction_row)?;
                } else if let Some(update) = liquidation_auction_update_from_message(liq_msg)? {
                    self.update_liquidation_auction_with_conn(
                        conn,
                        liq_msg
                            .auction_id
                            .as_deref()
                            .expect("auction update requires auction_id"),
                        &update,
                    )?;
                }

                let domain_state = status_to_liquidation_state_record(&liq_msg.status);
                let state_row = new_liquidation_state_from_domain(&domain_state);
                self.save_liquidation_state_with_conn(conn, &state_row)?;

                let should_persist_history =
                    liq_msg.previous_state != liq_msg.new_state || liq_msg.projection_changed;
                if should_persist_history {
                    let history_row = liquidation_history_from_message(liq_msg)?;
                    self.insert_liquidation_history_with_conn(conn, &history_row)?;
                }
                tracing::info!(
                    "DieselHandler: persisted liquidation state change - wallet={}, {} -> {}",
                    liq_msg.wallet,
                    liq_msg.previous_state,
                    liq_msg.new_state
                );
            }
            EngineMessage::RfqFilled(msg) => {
                tracing::info!(
                    "DieselHandler: RFQ filled - rfq_id={}, taker={}, qp={}",
                    msg.rfq_id,
                    msg.taker_wallet,
                    msg.qp_wallet
                );
                // Persist the executed RFQ fill so the durable audit trail
                // (rfq_id / quote_id / taker accept signature) survives
                // restart and can be queried from DB.
                diesel::sql_query(
                    "INSERT INTO rfq_fills (fill_id, rfq_id, quote_id, taker_wallet, qp_wallet, net_premium, taker_accept_signature)
                     VALUES ($1::uuid, $2::uuid, $3::uuid, $4, $5, $6, $7)
                     ON CONFLICT (rfq_id, quote_id) DO NOTHING",
                )
                .bind::<diesel::sql_types::Text, _>(msg.fill_id.as_str())
                .bind::<diesel::sql_types::Text, _>(msg.rfq_id.as_str())
                .bind::<diesel::sql_types::Text, _>(msg.quote_id.as_str())
                .bind::<diesel::sql_types::Binary, _>(msg.taker_wallet.as_bytes())
                .bind::<diesel::sql_types::Binary, _>(msg.qp_wallet.as_bytes())
                .bind::<diesel::sql_types::Numeric, _>(msg.net_premium)
                .bind::<diesel::sql_types::Text, _>(msg.taker_accept_signature.as_str())
                .execute(conn)?;
            }
        }
        Ok(())
    }

    // ===== Batch cancel for expired orders =====

    /// Batch-insert CANCELED rows into order_updates for orders on expired instruments.
    /// Skips orders that already have a terminal status (CANCELED, FILLED, REJECTED)
    /// in order_infos for idempotency.
    ///
    /// Runs as a single serializable transaction with retry.
    pub fn batch_cancel_expired_orders_sync(
        &self,
        cancels: &[ExpiredOrderCancel],
        reason: &str,
    ) -> Result<usize> {
        if cancels.is_empty() {
            return Ok(0);
        }

        let mut conn = self.pool().get()?;

        let now_ms = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .map_err(|e| {
                anyhow::anyhow!(
                    "System clock before UNIX_EPOCH during startup cancel flush: {}",
                    e
                )
            })?
            .as_millis() as i64;

        const SERIALIZATION_RETRY_LIMIT: usize = 3;
        let candidate_ids: Vec<i64> = cancels.iter().map(|c| c.order_id as i64).collect();

        #[derive(QueryableByName)]
        struct TerminalId {
            #[diesel(sql_type = diesel::sql_types::BigInt)]
            order_id: i64,
        }

        #[derive(Queryable)]
        struct InsertedOrderUpdateId {
            id: Option<i32>,
            order_id: Option<i64>,
        }

        for attempt in 0..SERIALIZATION_RETRY_LIMIT {
            let tx_result = conn
                .build_transaction()
                .serializable()
                .run::<_, diesel::result::Error, _>(|conn| {
                    // Read terminal state and synthetic-cancel writes in the same
                    // serializable transaction so a concurrent real terminal write
                    // forces a retry instead of silently appending a stale cancel.
                    let terminal_ids: std::collections::HashSet<i64> = diesel::sql_query(
                        "SELECT order_id FROM ( \
                             SELECT oi.order_id \
                             FROM order_infos oi \
                             WHERE oi.order_id = ANY($1) \
                             AND oi.status IN ('CANCELED', 'FILLED', 'REJECTED') \
                             UNION \
                             SELECT ou.order_id \
                             FROM order_updates ou \
                             WHERE ou.order_id = ANY($1) \
                             AND ou.status IN ('CANCELED', 'FILLED', 'REJECTED') \
                         ) terminal_orders",
                    )
                    .bind::<diesel::sql_types::Array<BigInt>, _>(&candidate_ids)
                    .load::<TerminalId>(conn)?
                    .into_iter()
                    .map(|r| r.order_id)
                    .collect();

                    let active_cancels: Vec<&ExpiredOrderCancel> = cancels
                        .iter()
                        .filter(|c| !terminal_ids.contains(&(c.order_id as i64)))
                        .collect();

                    let new_updates: Vec<NewOrderUpdate> = active_cancels
                        .iter()
                        .map(|cancel| NewOrderUpdate {
                            timestamp: now_ms,
                            order_id: Some(cancel.order_id as i64),
                            status: "CANCELED".to_string(),
                            reason: Some(reason.to_string()),
                            filled_size: cancel.filled_size,
                            symbol: cancel.symbol.clone(),
                            price: cancel.price,
                            size: cancel.size,
                            side: format!("{:?}", cancel.side),
                            tif: "GTC".to_string(),
                            client_id: cancel.client_id.clone(),
                        })
                        .collect();

                    if new_updates.is_empty() {
                        return Ok(0);
                    }

                    let inserted_updates: Vec<InsertedOrderUpdateId> =
                        diesel::insert_into(schema::order_updates::table)
                            .values(&new_updates)
                            .returning((schema::order_updates::id, schema::order_updates::order_id))
                            .get_results(conn)?;

                    let inserted = inserted_updates.len();

                    let inserted_update_ids: std::collections::HashMap<i64, i32> =
                        inserted_updates
                            .into_iter()
                            .map(|row| {
                                let order_id = row.order_id.expect(
                                    "startup expired cancel insert returned NULL order_id; persisted data invariant broken",
                                );
                                let update_id = row.id.expect(
                                    "startup expired cancel insert returned NULL update id; persisted data invariant broken",
                                );
                                (order_id, update_id)
                            })
                            .collect();

                    // Keep the materialized hard-cutover state in sync so replayed
                    // startup cancels remain idempotent even before any later
                    // reader/backfill pass.
                    for cancel in active_cancels {
                        let order_update_id = *inserted_update_ids
                            .get(&(cancel.order_id as i64))
                            .expect("missing inserted startup cancel update id for order");

                        let materialized_order_info = NewOrderInfo {
                            order_id: cancel.order_id as i64,
                            wallet_address: cancel.wallet,
                            symbol: cancel.symbol.clone(),
                            side: format!("{:?}", cancel.side),
                            price: cancel.price,
                            size: cancel.size,
                            tif: format!("{:?}", cancel.tif),
                            client_id: cancel.client_id.clone(),
                            is_perp: cancel.is_perp,
                            underlying: cancel.underlying.clone(),
                            reduce_only: cancel.reduce_only,
                            nonce: cancel.nonce.map(|nonce| nonce as i64),
                            signature: cancel.signature.clone(),
                            mmp_enabled: cancel.mmp_enabled,
                            timestamp: cancel.timestamp as i64,
                            status: "CANCELED".to_string(),
                            filled_size: cancel.filled_size,
                            last_materialized_order_update_id: order_update_id,
                        };

                        upsert_materialized_order_state(conn, &materialized_order_info)?;
                    }

                    Ok(inserted)
                });

            match tx_result {
                Ok(inserted) => return Ok(inserted),
                Err(diesel::result::Error::DatabaseError(
                    diesel::result::DatabaseErrorKind::SerializationFailure,
                    _,
                )) if attempt + 1 < SERIALIZATION_RETRY_LIMIT => {
                    tracing::warn!(
                        attempt = attempt + 1,
                        "Retrying startup expired cancel batch after serialization failure"
                    );
                }
                Err(err) => return Err(err.into()),
            }
        }

        Err(anyhow::anyhow!(
            "startup expired cancel batch exceeded serialization retry budget"
        ))
    }

    // ===== Liquidation CRUD helpers (sync _with_conn for engine event loop) =====

    fn save_liquidation_state_with_conn(
        &self,
        conn: &mut PgConnection,
        state: &NewLiquidationState,
    ) -> Result<()> {
        diesel::insert_into(schema::liquidation_states::table)
            .values(state)
            .on_conflict(schema::liquidation_states::wallet_address)
            .do_update()
            .set(state)
            .execute(conn)?;
        Ok(())
    }

    fn insert_liquidation_history_with_conn(
        &self,
        conn: &mut PgConnection,
        entry: &NewLiquidationHistory,
    ) -> Result<i64> {
        use schema::liquidation_history::dsl as lh;

        let inserted_id = diesel::insert_into(schema::liquidation_history::table)
            .values(entry)
            .on_conflict_do_nothing()
            .returning(lh::id)
            .get_result::<i64>(conn)
            .optional()?
            .unwrap_or(0);

        Ok(inserted_id)
    }

    fn upsert_liquidation_auction_with_conn(
        &self,
        conn: &mut PgConnection,
        auction: &NewLiquidationAuction,
    ) -> Result<()> {
        let query = diesel::insert_into(schema::liquidation_auctions::table)
            .values(auction)
            .on_conflict(schema::liquidation_auctions::auction_id)
            .do_update();

        if auction.completed_at.is_some() {
            query
                .set((
                    schema::liquidation_auctions::status.eq(&auction.status),
                    schema::liquidation_auctions::positions.eq(&auction.positions),
                    schema::liquidation_auctions::target_equity.eq(auction.target_equity),
                    schema::liquidation_auctions::request_id.eq(&auction.request_id),
                    schema::liquidation_auctions::tx_hash.eq(&auction.tx_hash),
                    schema::liquidation_auctions::chain_start_time.eq(auction.chain_start_time),
                    schema::liquidation_auctions::margin_needed.eq(auction.margin_needed),
                    schema::liquidation_auctions::stop_request_id.eq(&auction.stop_request_id),
                    schema::liquidation_auctions::stop_tx_hash.eq(&auction.stop_tx_hash),
                    schema::liquidation_auctions::completed_at.eq(auction.completed_at),
                    schema::liquidation_auctions::liquidator_address.eq(auction.liquidator_address),
                    schema::liquidation_auctions::bonus.eq(auction.bonus),
                    schema::liquidation_auctions::settlement_value.eq(auction.settlement_value),
                    schema::liquidation_auctions::last_observed_block
                        .eq(auction.last_observed_block),
                ))
                .execute(conn)?;
        } else {
            query
                .set((
                    schema::liquidation_auctions::status.eq(&auction.status),
                    schema::liquidation_auctions::positions.eq(&auction.positions),
                    schema::liquidation_auctions::target_equity.eq(auction.target_equity),
                    schema::liquidation_auctions::request_id.eq(&auction.request_id),
                    schema::liquidation_auctions::tx_hash.eq(&auction.tx_hash),
                    schema::liquidation_auctions::started_at.eq(auction.started_at),
                    schema::liquidation_auctions::chain_start_time.eq(auction.chain_start_time),
                    schema::liquidation_auctions::margin_needed.eq(auction.margin_needed),
                    schema::liquidation_auctions::stop_request_id.eq(&auction.stop_request_id),
                    schema::liquidation_auctions::stop_tx_hash.eq(&auction.stop_tx_hash),
                    schema::liquidation_auctions::completed_at.eq(auction.completed_at),
                    schema::liquidation_auctions::liquidator_address.eq(auction.liquidator_address),
                    schema::liquidation_auctions::bonus.eq(auction.bonus),
                    schema::liquidation_auctions::settlement_value.eq(auction.settlement_value),
                    schema::liquidation_auctions::last_observed_block
                        .eq(auction.last_observed_block),
                ))
                .execute(conn)?;
        }
        Ok(())
    }

    fn update_liquidation_auction_with_conn(
        &self,
        conn: &mut PgConnection,
        auction_id: &str,
        update: &UpdateLiquidationAuction,
    ) -> Result<()> {
        diesel::update(
            schema::liquidation_auctions::table
                .filter(schema::liquidation_auctions::auction_id.eq(auction_id)),
        )
        .set(update)
        .execute(conn)?;

        Ok(())
    }

    fn get_liquidation_auction_with_conn(
        &self,
        conn: &mut PgConnection,
        auction_id: &str,
    ) -> Result<Option<LiquidationAuctionRecord>> {
        let result = schema::liquidation_auctions::table
            .filter(schema::liquidation_auctions::auction_id.eq(auction_id))
            .first::<LiquidationAuctionRecord>(conn)
            .optional()?;

        Ok(result)
    }

    /// Update directive outbox status from a transaction lifecycle event.
    /// Withdrawal failures are not auto-refunded here. Until withdrawal proofs
    /// are user-driven, terminal withdrawal states require manual reconciliation.
    fn persist_transaction_update(
        conn: &mut PgConnection,
        tx_update: &hypercall_types::engine_messages::TransactionUpdate,
    ) -> Result<()> {
        use diesel::sql_types::{Nullable, Text};
        use hypercall_types::engine_messages::TransactionStatus;

        let (domain_status, delivery_status) = match tx_update.status {
            TransactionStatus::Submitted => (None, Some("pending")),
            TransactionStatus::Pending => (None, Some("pending")),
            TransactionStatus::Confirmed => (Some("completed"), Some("finalized")),
            TransactionStatus::Failed => (Some("failed"), Some("reverted")),
            TransactionStatus::Expired => (Some("failed"), Some("expired")),
        };

        if let Some(domain_status) = domain_status {
            let delivery_error = tx_update.error.as_deref();

            #[derive(diesel::QueryableByName)]
            struct ActionKeyRow {
                #[diesel(sql_type = crate::engine_enums::DirectiveActionKeySql)]
                action_key: crate::engine_enums::DirectiveActionKeyDb,
            }

            let updated_row: Option<ActionKeyRow> = diesel::sql_query(
                r#"
                WITH updated_outbox AS (
                    UPDATE directive_outbox
                    SET domain_status = $2,
                        delivery_status = $3,
                        tx_hash = COALESCE($4, tx_hash),
                        last_delivery_error = $5,
                        updated_at = CURRENT_TIMESTAMP
                    WHERE directive_id = $1
                      AND delivery_status NOT IN ('finalized', 'reverted', 'expired', 'dead_lettered')
                    RETURNING directive_id, action_key
                )
                SELECT action_key FROM updated_outbox
                "#,
            )
            .bind::<Text, _>(&tx_update.request_id)
            .bind::<Text, _>(domain_status)
            .bind::<Text, _>(delivery_status.expect("terminal update must have delivery status"))
            .bind::<Nullable<Text>, _>(tx_update.tx_hash.as_deref())
            .bind::<Nullable<Text>, _>(delivery_error)
            .get_result(conn)
            .optional()?;

            if matches!(
                tx_update.status,
                TransactionStatus::Failed | TransactionStatus::Expired
            ) {
                if let Some(row) = updated_row {
                    let action_key: hypercall_types::directives::ActionKey = row.action_key.into();
                    if matches!(
                        action_key,
                        hypercall_types::directives::ActionKey::SystemWithdrawToken
                            | hypercall_types::directives::ActionKey::SystemCreditOption
                    ) {
                        metrics::counter!(
                            "ht_withdrawal_manual_reconciliation_required_total",
                            "action_key" => action_key.as_str(),
                        )
                        .increment(1);
                        tracing::warn!(
                            directive_id = %tx_update.request_id,
                            action_key = ?action_key,
                            "Withdrawal directive reached terminal delivery status; automatic refunds are disabled and operator reconciliation is required"
                        );
                    }
                }
            }
        } else if let Some(delivery_status) = delivery_status {
            diesel::sql_query(
                r#"
                UPDATE directive_outbox
                    SET delivery_status = $2,
                        tx_hash = COALESCE($3, tx_hash),
                    last_delivery_error = $4,
                    updated_at = CURRENT_TIMESTAMP
                WHERE directive_id = $1
                  AND delivery_status NOT IN ('finalized', 'reverted', 'expired', 'dead_lettered')
                "#,
            )
            .bind::<Text, _>(&tx_update.request_id)
            .bind::<Text, _>(delivery_status)
            .bind::<Nullable<Text>, _>(tx_update.tx_hash.as_deref())
            .bind::<Nullable<Text>, _>(tx_update.error.as_deref())
            .execute(conn)?;
        }

        Ok(())
    }
}

#[cfg(test)]
#[path = "event_handler_tests.rs"]
mod tests;