Prepare a new escrow transfer end-to-end: validate the sender identity,
allocate the on-chain nonce, build the partially-prepared create_escrow
transaction against the caller-supplied self-custody senderWallet,
persist a PENDING row, and return the row plus the wire-form
unsignedTransaction the sender client must sign.
The persisted metadata.unsignedTransaction is the all-signatures-zeroed
wire bytes — submitCreateEscrowTransaction zeroes the client-submitted
tx's signatures and byte-compares against it, so signing PAYER /
NONCE_AUTHORITY here would silently break the tamper guard. CFX
signatures are added at broadcast time only.
Look up a single escrow transfer by id, scoped to the calling customer.
Returns null for both "missing" and "owned by a different customer" —
never leaks existence of another customer's row. Controllers map null
to 404 at the edge.
Customer-scoped search. Mirrors the admin search shape minus the
customerIds filter — the customer-scope is applied as a hard WHERE so
no filter combination can leak rows across tenants.
OptionalcreatedAt?: DbTimestampCriteriaOptionalexpiresAt?: DbTimestampCriteriaOptionalids?: string[]OptionalorderBy?: DbOrderByCriterion<Optionalpage?: numberDefaults to 1
OptionalpageSize?: numberDefaults to 50
OptionalrecipientId?: stringOptionalrecipientPhone?: stringOptionalsenderId?: stringOptionalstatuses?: EscrowTransferStatus[]OptionalupdatedAt?: DbTimestampCriteria
Customer-scoped escrow transfer operations. Reads (
get/search) take acustomerId(the API caller's customer external id resolved fromrequest.customerId) and filter all queries on it so one customer can never read another's data.createQuoteis the one customer-facing write that runs inline (rather than via a Temporal workflow): it resolves the sender, allocates the on-chain nonce, and builds thecreate_escrowtransaction so a quote row can exist with the unsigned wire form for the sender to sign. It requires the optionaldepsto be wired (the privileged Solana signers live behind those collaborators). Accepting the quote (submitting the signed tx) and the remaining write paths (accept / claim / reject / cancel / recipient-update) are Temporal workflows kicked off by the controller via the workflow client.