Release an EXPIRED split / merge lock after verifying on-chain absence
User-initiated recovery for an EXPIRED dual-signed operation when the backend’s automatic sweeper is disabled in observation-only mode. Releases the off-chain lock back to the caller’s balance after PG-side chain verification that the operation did NOT execute on-chain.
Supported op_kind: SPLIT and MERGE. CONVERT / REDEEM follow in subsequent releases.
Gates checked in order (any failure short-circuits with no balance movement):
- Ownership — caller’s
X-User-Walletmust resolve to the samevault_addressrecorded on the signed op (else403 vault_owner_mismatch). - Op kind — must be
SPLITorMERGE(else400 op_kind_unsupported). - Already terminal — if the op is already
EXPIRED/CANCELLED/REVERTED/REJECTED/FAILED(i.e. refunded by some other path), the call is a200no-op withrefundAppliedNow=falsefor idempotent client retries. - Age —
now - deadline >= 90s(else425 op_too_recent). The 90s safety buffer matches the auto-sweeper’sSAFETY_SEC_DEFAULTso a tx mined just after the off-chain deadline cannot be double-counted. - Chain-watcher liveness — exchange-service probes chain-watcher’s own
/health/chain-syncendpoint and refuses the release if the indexer is lagging (else503 chain_watcher_lagging/chain_watcher_unreachable/chain_watcher_url_unset). Without this gate, an unindexed chain-confirmed split/merge would falsely look like a no-execute and double-credit the vault. - Chain-row absence —
LEFT JOINagainst the per-kind events table (chain_watcher.vault_position_split_eventsforSPLIT,chain_watcher.vault_positions_merged_eventsforMERGE) keyed by(vault, conditionId, amount). If a matching row exists the call returns409 op_confirmed_on_chainwith the chainevent_key/tx_hash/blockNumberin the errordetailspayload so operators can re-drive the chain-event-router manually instead of unlocking duplicate funds.
On success the op transitions to EXPIRED, refunded=true, and a single balance_events row is appended with reason split_user_refund_verified (SPLIT) or merge_user_refund_verified (MERGE) — distinct from the sweeper’s *_expired_refund so audit / reconcile queries can attribute the unlock to the user-driven path.
Authorizations
Partner / integrator key — format ps_live_<keyId>_<secret>. Issued by PredictStreet ops on request; never self-service. Never ship to a browser. multi_wallet partners must additionally send X-User-Wallet: 0x<40-hex> on every authenticated request to declare the acting wallet. See the API keys guide for scope taxonomy, partner kinds, rate limits, and rotation procedure.
Headers
Required for multi_wallet partners on every authenticated request; ignored for single_wallet. Declares the acting end-user wallet for this request — drives KYC checks, balances/positions/orders attribution, rate-limit buckets, and audit. Lower-cased server-side. Missing on a multi_wallet key → 401 api_key_user_wallet_required; malformed → 401 api_key_user_wallet_invalid. The on-chain CTFExchange/Vault contracts still verify EIP-712 signer ↔ vault binding, so loosening API-layer attribution is safe by construction.
^0x[a-fA-F0-9]{40}$"0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb3"
Path Parameters
signed_ops.id UUID returned by the original split / merge / convert signature endpoint.
Response
Refund applied, or no-op snapshot of an already-terminal op (use refundAppliedNow to distinguish).
signed_ops.id — same UUID the original signature endpoint returned.
Operation kind. Always SPLIT or MERGE on success — other kinds short-circuit with 400 op_kind_unsupported.
SPLIT, MERGE Post-call status. EXPIRED after a successful refund; whatever the row was already in (EXPIRED / CANCELLED / REVERTED / REJECTED / FAILED) on an idempotent re-request.
^0x[a-fA-F0-9]{40}$"0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb3"
Unix seconds the op was signed against. Always more than 90s in the past on a successful response.
signed_ops.refunded after this call — true for any EXPIRED/CANCELLED/REVERTED/REJECTED/FAILED terminal.
true if this call performed the refund transition; false for an idempotent re-request against an already-terminal op (the row is returned unchanged).
ISO-8601 timestamp of the last signed_ops mutation.
signed_ops.reason audit string — set to user:<vaultAddress> after a successful refund by this endpoint; may be sweeper / cosigner / etc. on rows refunded by other paths.
signed_ops.tx_hash. Always null on this endpoint's responses — the op never confirmed on-chain by definition.