@antseed/node 0.2.26 → 0.2.28

package/dist/payments/seller-payment-manager.js

@@ -1,161 +1,653 @@
 import { verifyTypedData } from 'ethers';
-import { EscrowClient } from './evm/escrow-client.js';
-import { identityToEvmWallet } from './evm/keypair.js';
-import { makeEscrowDomain, SPENDING_AUTH_V2_TYPES } from './evm/signatures.js';
+import { ChannelsClient } from './evm/channels-client.js';
+import { SPENDING_AUTH_TYPES, RESERVE_AUTH_TYPES, makeChannelsDomain, encodeMetadata, ZERO_METADATA, } from './evm/signatures.js';
 import { debugLog, debugWarn } from '../utils/debug.js';
+import { peerIdToAddress } from '../types/peer.js';
+import { classifyOnChainChannel, matchesChannelParties } from './channel-session-state.js';
+/** Default minimum budget per request: $0.50 USDC (base units). */
+const DEFAULT_MIN_BUDGET_PER_REQUEST = '500000';
+/**
+ * Manages seller-side payment sessions.
+ * The buyer sends a single SpendingAuth signature with a monotonically
+ * increasing cumulativeAmount on every request.
+ * The seller tracks spending locally and settles/closes via the contract at session end.
+ */
 export class SellerPaymentManager {
+    _identity;
     _signer;
-    _escrow;
+    _channelsClient;
     _config;
-    _sessions = new Map();
-    constructor(identity, config) {
+    _channelStore;
+    /** In-memory cache of active buyer peerIds for fast has-session checks. */
+    _activeBuyers = new Set();
+    /** Per-buyer mutex to prevent concurrent handleSpendingAuth for the same buyer. */
+    _buyerLocks = new Map();
+    /** channelId -> highest accepted cumulativeAmount from buyer's SpendingAuth */
+    _acceptedCumulative = new Map();
+    /** channelId -> total USDC spent so far (sum of recordSpend calls) */
+    _spent = new Map();
+    /** channelId -> on-chain reserveMaxAmount (budget ceiling from ReserveAuth) */
+    _reserveMax = new Map();
+    /** channelId -> latest buyer-signed auth (both sigs + cumulative values + metadata) for settle/close */
+    _latestAuth = new Map();
+    /** channelId -> number of failed close() attempts. In-memory only; resets on node restart. */
+    _closeRetryCount = new Map();
+    /** Max close() retries before giving up (buyer must requestClose on-chain) */
+    static MAX_CLOSE_RETRIES = 3;
+    constructor(identity, config, channelStore) {
+        this._identity = identity;
         this._config = config;
-        this._signer = identityToEvmWallet(identity);
-        this._escrow = new EscrowClient({
+        this._signer = identity.wallet;
+        this._channelsClient = new ChannelsClient({
             rpcUrl: config.rpcUrl,
-            contractAddress: config.contractAddress,
-            usdcAddress: config.usdcAddress,
-            chainId: config.chainId,
+            contractAddress: config.channelsContractAddress,
         });
+        this._channelStore = channelStore;
+        // Hydrate from persisted channels
+        const activeChannels = this._channelStore.getActiveChannels('seller');
+        for (const channel of activeChannels) {
+            this._activeBuyers.add(channel.peerId);
+            this._acceptedCumulative.set(channel.sessionId, BigInt(channel.authMax));
+            this._spent.set(channel.sessionId, BigInt(channel.tokensDelivered));
+            // Hydrate reserveMax from previousConsumption (repurposed field)
+            const storedReserveMax = BigInt(channel.previousConsumption || '0');
+            if (storedReserveMax > 0n) {
+                this._reserveMax.set(channel.sessionId, storedReserveMax);
+            }
+            // Hydrate latest auth sigs so close() works after restart
+            if (channel.latestSpendingAuthSig) {
+                this._latestAuth.set(channel.sessionId, {
+                    spendingAuthSig: channel.latestSpendingAuthSig,
+                    cumulativeAmount: BigInt(channel.authMax),
+                    metadataHash: '',
+                    metadata: channel.latestMetadata ?? '',
+                });
+            }
+        }
     }
-    get signer() { return this._signer; }
-    get escrowClient() { return this._escrow; }
-    hasSession(buyerPeerId) {
-        const s = this._sessions.get(buyerPeerId);
-        return !!s && !s.settled;
-    }
-    setBuyerEvmAddress(buyerPeerId, evmAddress) {
-        const session = this._sessions.get(buyerPeerId);
-        if (session)
-            session.buyerEvmAddr = evmAddress;
-    }
-    async handleSpendingAuthV2(buyerPeerId, buyerEvmAddr, payload, paymentMux) {
-        const now = Math.floor(Date.now() / 1000);
-        if (!payload.deadline || payload.deadline <= now) {
-            debugWarn(`[SellerPayment] Expired SpendingAuthV2 from ${buyerPeerId.slice(0, 12)}... deadline=${payload.deadline}`);
-            return;
+    get channelsClient() {
+        return this._channelsClient;
+    }
+    // ── SpendingAuth handler ─────────────────────────────────────
+    /**
+     * Handle incoming SpendingAuth from a buyer.
+     * First auth: verify SpendingAuth, reserve on-chain, send AuthAck.
+     * Subsequent: verify SpendingAuth signature, validate monotonic increase, persist.
+     */
+    async handleSpendingAuth(buyerPeerId, payload, paymentMux) {
+        // Per-buyer mutex: serialize concurrent auths for the same buyer
+        const existing = this._buyerLocks.get(buyerPeerId);
+        let result = 'rejected';
+        const lock = (existing ?? Promise.resolve()).then(async () => {
+            result = await this._handleSpendingAuthInner(buyerPeerId, payload, paymentMux);
+        });
+        this._buyerLocks.set(buyerPeerId, lock.catch(() => { }));
+        await lock;
+        return result;
+    }
+    async _handleSpendingAuthInner(buyerPeerId, payload, paymentMux) {
+        const buyerEvmAddr = peerIdToAddress(buyerPeerId);
+        try {
+            const channelId = payload.channelId;
+            const cumulativeAmount = BigInt(payload.cumulativeAmount);
+            const existingCumulative = this._acceptedCumulative.get(channelId);
+            const channelsDomain = makeChannelsDomain(this._config.chainId, this._config.channelsContractAddress);
+            if (existingCumulative === undefined) {
+                const hasReserveFields = payload.reserveSalt != null
+                    || payload.reserveMaxAmount != null
+                    || payload.reserveDeadline != null;
+                if (!hasReserveFields) {
+                    const recovered = await this._recoverOnChainSession(buyerPeerId, buyerEvmAddr, payload, cumulativeAmount, paymentMux, channelsDomain);
+                    if (recovered) {
+                        return 'accepted';
+                    }
+                }
+                // ── First SpendingAuth: verify ReserveAuth and reserve on-chain ──
+                // The buyer signs ReserveAuth(channelId, maxAmount, deadline) to bind escrow terms.
+                const reserveMaxAmount = payload.reserveMaxAmount ? BigInt(payload.reserveMaxAmount) : cumulativeAmount;
+                const reserveDeadline = payload.reserveDeadline ?? (Math.floor(Date.now() / 1000) + 3600);
+                const reserveMsg = {
+                    channelId,
+                    maxAmount: reserveMaxAmount,
+                    deadline: BigInt(reserveDeadline),
+                };
+                const reserveRecovered = verifyTypedData(channelsDomain, RESERVE_AUTH_TYPES, reserveMsg, payload.spendingAuthSig);
+                if (reserveRecovered.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
+                    debugWarn(`[SellerPayment] Invalid ReserveAuth signature: recovered=${reserveRecovered} expected=${buyerEvmAddr}`);
+                    return 'rejected';
+                }
+                debugLog(`[SellerPayment] ReserveAuth verified for buyer ${buyerPeerId.slice(0, 12)}...`);
+                debugLog(`[SellerPayment] Reserving channel ${channelId.slice(0, 18)}... on-chain`);
+                const reserveSalt = payload.reserveSalt ?? channelId;
+                await this._channelsClient.reserve(this._signer, buyerEvmAddr, reserveSalt, reserveMaxAmount, BigInt(reserveDeadline), payload.spendingAuthSig);
+                // Store new session (sessionId field stores channelId for backward compat)
+                const now = Date.now();
+                const sellerEvmAddr = this._identity.wallet.address;
+                const session = {
+                    sessionId: channelId,
+                    peerId: buyerPeerId,
+                    role: 'seller',
+                    sellerEvmAddr,
+                    buyerEvmAddr,
+                    nonce: 0,
+                    authMax: payload.cumulativeAmount,
+                    previousConsumption: reserveMaxAmount.toString(), // repurposed: stores reserveMax
+                    deadline: reserveDeadline,
+                    previousSessionId: '',
+                    tokensDelivered: '0',
+                    requestCount: 0,
+                    reservedAt: now,
+                    settledAt: null,
+                    settledAmount: null,
+                    status: 'active',
+                    latestBuyerSig: payload.spendingAuthSig,
+                    latestSpendingAuthSig: payload.spendingAuthSig,
+                    latestMetadata: payload.metadata,
+                    createdAt: now,
+                    updatedAt: now,
+                };
+                // Note: do NOT store the ReserveAuth sig as spendingAuthSig in _latestAuth.
+                // The ReserveAuth uses a different EIP-712 type and will fail
+                // _verifySpendingAuth in close(). A real SpendingAuth will arrive
+                // per-request and update this entry.
+                this._activateSession(session, buyerPeerId, cumulativeAmount, reserveMaxAmount, 0n, {
+                    spendingAuthSig: '',
+                    cumulativeAmount,
+                    metadataHash: payload.metadataHash,
+                    metadata: payload.metadata,
+                });
+                // Send AuthAck
+                paymentMux.sendAuthAck({
+                    channelId,
+                });
+                debugLog(`[SellerPayment] AuthAck sent for channel ${channelId.slice(0, 18)}...`);
+                return 'reserved';
+            }
+            else if (payload.reserveMaxAmount
+                && BigInt(payload.reserveMaxAmount) > (this._reserveMax.get(channelId) ?? 0n)) {
+                // ── Top-up: buyer is extending the reserve ceiling ──
+                const newMaxAmount = BigInt(payload.reserveMaxAmount);
+                const topUpDeadline = payload.reserveDeadline ?? (Math.floor(Date.now() / 1000) + 3600);
+                const currentReserveMax = this._reserveMax.get(channelId) ?? 0n;
+                // Verify as ReserveAuth (not SpendingAuth)
+                const reserveMsg = {
+                    channelId,
+                    maxAmount: newMaxAmount,
+                    deadline: BigInt(topUpDeadline),
+                };
+                const recovered = verifyTypedData(channelsDomain, RESERVE_AUTH_TYPES, reserveMsg, payload.spendingAuthSig);
+                if (recovered.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
+                    debugWarn(`[SellerPayment] Invalid top-up ReserveAuth signature: recovered=${recovered} expected=${buyerEvmAddr}`);
+                    return 'rejected';
+                }
+                // Call topUp() on-chain
+                debugLog(`[SellerPayment] Top-up verified: channel=${channelId.slice(0, 18)}... ceiling ${currentReserveMax} → ${newMaxAmount}`);
+                await this._channelsClient.topUp(this._signer, channelId, newMaxAmount, BigInt(topUpDeadline), payload.spendingAuthSig);
+                // Update tracking
+                this._reserveMax.set(channelId, newMaxAmount);
+                const session = this._channelStore.getChannel(channelId);
+                if (session) {
+                    session.previousConsumption = newMaxAmount.toString(); // repurposed: stores reserveMax
+                    session.deadline = topUpDeadline;
+                    session.updatedAt = Date.now();
+                    this._channelStore.upsertChannel(session);
+                }
+                debugLog(`[SellerPayment] Top-up completed: channel=${channelId.slice(0, 18)}... new ceiling=${newMaxAmount}`);
+                return 'accepted';
+            }
+            else {
+                // ── Subsequent SpendingAuth: verify SpendingAuth signature ──
+                const metadataMsg = {
+                    channelId,
+                    cumulativeAmount,
+                    metadataHash: payload.metadataHash,
+                };
+                const metadataRecovered = verifyTypedData(channelsDomain, SPENDING_AUTH_TYPES, metadataMsg, payload.spendingAuthSig);
+                if (metadataRecovered.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
+                    debugWarn(`[SellerPayment] Invalid SpendingAuth signature: recovered=${metadataRecovered} expected=${buyerEvmAddr}`);
+                    return 'rejected';
+                }
+                // Validate monotonic (equal = idempotent retransmit)
+                if (cumulativeAmount < existingCumulative) {
+                    debugWarn(`[SellerPayment] Rejecting non-monotonic SpendingAuth: ` +
+                        `new=${cumulativeAmount} existing=${existingCumulative} channel=${channelId.slice(0, 18)}...`);
+                    return 'rejected';
+                }
+                if (cumulativeAmount === existingCumulative) {
+                    debugLog(`[SellerPayment] Idempotent SpendingAuth (same cumulative=${cumulativeAmount}) — accepted`);
+                    return 'accepted';
+                }
+                // Reject if buyer's cumulative doesn't cover what the seller has already spent
+                const spent = this._spent.get(channelId) ?? 0n;
+                if (cumulativeAmount < spent) {
+                    debugWarn(`[SellerPayment] Rejecting underfunded SpendingAuth: ` +
+                        `cumulative=${cumulativeAmount} < spent=${spent} channel=${channelId.slice(0, 18)}...`);
+                    return 'rejected';
+                }
+                // Update tracking
+                this._acceptedCumulative.set(channelId, cumulativeAmount);
+                this._latestAuth.set(channelId, {
+                    spendingAuthSig: payload.spendingAuthSig,
+                    cumulativeAmount,
+                    metadataHash: payload.metadataHash,
+                    metadata: payload.metadata,
+                });
+                // Persist latest auth + sigs to ChannelStore
+                const session = this._channelStore.getChannel(channelId);
+                if (session) {
+                    session.authMax = payload.cumulativeAmount;
+                    session.latestBuyerSig = payload.spendingAuthSig;
+                    session.latestSpendingAuthSig = payload.spendingAuthSig;
+                    session.latestMetadata = payload.metadata;
+                    session.updatedAt = Date.now();
+                    this._channelStore.upsertChannel(session);
+                }
+                debugLog(`[SellerPayment] Budget updated: channel=${channelId.slice(0, 18)}... cumulative=${cumulativeAmount}`);
+                return 'accepted';
+            }
+        }
+        catch (err) {
+            debugWarn(`[SellerPayment] Failed to process SpendingAuth: ${err instanceof Error ? err.message : err}`);
+            return 'rejected';
+        }
+    }
+    async _recoverOnChainSession(buyerPeerId, buyerEvmAddr, payload, cumulativeAmount, paymentMux, channelsDomain) {
+        const channelId = payload.channelId;
+        const onChainState = classifyOnChainChannel(await this._channelsClient.getSession(channelId));
+        const sellerEvmAddr = this._identity.wallet.address;
+        if (!onChainState.exists || onChainState.status !== 'active')
+            return false;
+        if (!matchesChannelParties(onChainState.channel, buyerEvmAddr, sellerEvmAddr))
+            return false;
+        const onChain = onChainState.channel;
+        const metadataMsg = {
+            channelId,
+            cumulativeAmount,
+            metadataHash: payload.metadataHash,
+        };
+        const metadataRecovered = verifyTypedData(channelsDomain, SPENDING_AUTH_TYPES, metadataMsg, payload.spendingAuthSig);
+        if (metadataRecovered.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
+            debugWarn(`[SellerPayment] Invalid recovered SpendingAuth during channel recovery: recovered=${metadataRecovered} expected=${buyerEvmAddr}`);
+            return false;
+        }
+        if (cumulativeAmount < onChain.settled) {
+            debugWarn(`[SellerPayment] Rejecting recovered SpendingAuth below on-chain settled amount: ` +
+                `cumulative=${cumulativeAmount} settled=${onChain.settled} channel=${channelId.slice(0, 18)}...`);
+            return false;
         }
-        let maxAmount;
-        let previousConsumption;
+        const now = Date.now();
+        const session = {
+            sessionId: channelId,
+            peerId: buyerPeerId,
+            role: 'seller',
+            sellerEvmAddr,
+            buyerEvmAddr,
+            nonce: 0,
+            authMax: payload.cumulativeAmount,
+            previousConsumption: onChain.deposit.toString(),
+            deadline: Number(onChain.deadline),
+            previousSessionId: '',
+            tokensDelivered: onChain.settled.toString(),
+            requestCount: 0,
+            reservedAt: now,
+            settledAt: null,
+            settledAmount: onChain.settled > 0n ? onChain.settled.toString() : null,
+            status: 'active',
+            latestBuyerSig: payload.spendingAuthSig,
+            latestSpendingAuthSig: payload.spendingAuthSig,
+            latestMetadata: payload.metadata,
+            createdAt: now,
+            updatedAt: now,
+        };
+        this._activateSession(session, buyerPeerId, cumulativeAmount, onChain.deposit, onChain.settled, {
+            spendingAuthSig: payload.spendingAuthSig,
+            cumulativeAmount,
+            metadataHash: payload.metadataHash,
+            metadata: payload.metadata,
+        });
+        paymentMux.sendAuthAck({ channelId });
+        debugLog(`[SellerPayment] Recovered active on-chain channel ${channelId.slice(0, 18)}... for buyer ${buyerPeerId.slice(0, 12)}...`);
+        return true;
+    }
+    _activateSession(session, buyerPeerId, cumulativeAmount, reserveMaxAmount, spent, latestAuth) {
+        this._channelStore.upsertChannel(session);
+        this._acceptedCumulative.set(session.sessionId, cumulativeAmount);
+        this._reserveMax.set(session.sessionId, reserveMaxAmount);
+        this._spent.set(session.sessionId, spent);
+        this._latestAuth.set(session.sessionId, latestAuth);
+        this._activeBuyers.add(buyerPeerId);
+    }
+    // ── Per-request validation ──────────────────────────────────
+    /**
+     * Validate and accept a SpendingAuth attached to an incoming request.
+     * Returns true if the buyer has sufficient budget to serve this request.
+     */
+    async validateAndAcceptAuth(buyerPeerId, auth) {
+        // Look up active session for this buyer
+        const session = this._channelStore.getActiveChannelByPeer(buyerPeerId, 'seller');
+        if (!session) {
+            debugWarn(`[SellerPayment] validateAndAcceptAuth: no active session for buyer ${buyerPeerId.slice(0, 12)}...`);
+            return false;
+        }
+        const channelId = session.sessionId; // sessionId field stores channelId
+        const existingCumulative = this._acceptedCumulative.get(channelId);
+        if (existingCumulative === undefined) {
+            debugWarn(`[SellerPayment] validateAndAcceptAuth: no tracked cumulative for channel ${channelId.slice(0, 18)}...`);
+            return false;
+        }
+        // Verify AntSeed SpendingAuth signature
+        const channelsDomain = makeChannelsDomain(this._config.chainId, this._config.channelsContractAddress);
+        const metadataMsg = {
+            channelId: auth.channelId,
+            cumulativeAmount: BigInt(auth.cumulativeAmount),
+            metadataHash: auth.metadataHash,
+        };
+        const buyerEvmAddr = peerIdToAddress(buyerPeerId);
         try {
-            maxAmount = BigInt(payload.maxAmountUsdc);
-            previousConsumption = BigInt(payload.previousConsumption ?? '0');
+            const recovered = verifyTypedData(channelsDomain, SPENDING_AUTH_TYPES, metadataMsg, auth.spendingAuthSig);
+            if (recovered.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
+                debugWarn(`[SellerPayment] validateAndAcceptAuth: invalid SpendingAuth signature`);
+                return false;
+            }
         }
         catch {
-            debugWarn(`[SellerPayment] Invalid amounts in SpendingAuthV2 from ${buyerPeerId.slice(0, 12)}...`);
+            debugWarn(`[SellerPayment] validateAndAcceptAuth: SpendingAuth verification failed`);
+            return false;
+        }
+        // Check monotonic: strictly greater, or equal (idempotent retransmit)
+        const newCumulative = BigInt(auth.cumulativeAmount);
+        if (newCumulative < existingCumulative) {
+            debugWarn(`[SellerPayment] validateAndAcceptAuth: cumulative decreased from ${existingCumulative} to ${newCumulative}`);
+            return false;
+        }
+        // Update if strictly greater
+        if (newCumulative > existingCumulative) {
+            this._acceptedCumulative.set(channelId, newCumulative);
+            this._latestAuth.set(channelId, {
+                spendingAuthSig: auth.spendingAuthSig,
+                cumulativeAmount: newCumulative,
+                metadataHash: auth.metadataHash,
+                metadata: auth.metadata,
+            });
+            // Persist latest auth + sigs to ChannelStore
+            const storedSession = this._channelStore.getChannel(channelId);
+            if (storedSession) {
+                storedSession.authMax = auth.cumulativeAmount;
+                storedSession.latestBuyerSig = auth.spendingAuthSig;
+                storedSession.latestSpendingAuthSig = auth.spendingAuthSig;
+                storedSession.latestMetadata = auth.metadata;
+                storedSession.updatedAt = Date.now();
+                this._channelStore.upsertChannel(storedSession);
+            }
+        }
+        // Check available budget
+        const accepted = this._acceptedCumulative.get(channelId);
+        const spent = this._spent.get(channelId) ?? 0n;
+        return accepted >= spent;
+    }
+    // ── Spend tracking ──────────────────────────────────────────
+    /**
+     * Record USDC consumption after serving a request.
+     */
+    recordSpend(sessionId, costUsdc) {
+        const current = this._spent.get(sessionId);
+        if (current === undefined) {
+            debugWarn(`[SellerPayment] recordSpend: unknown channelId ${sessionId.slice(0, 18)}...`);
             return;
         }
-        const previousSessionId = payload.previousSessionId ?? ('0x' + '00'.repeat(32));
-        const sellerAddr = await this._signer.getAddress();
-        const domain = makeEscrowDomain(this._config.chainId, this._config.contractAddress);
-        const recovered = verifyTypedData(domain, SPENDING_AUTH_V2_TYPES, {
-            seller: sellerAddr,
-            sessionId: payload.sessionId,
-            maxAmount,
-            nonce: payload.nonce,
-            deadline: payload.deadline,
-            previousConsumption,
-            previousSessionId,
-        }, payload.buyerSig);
-        if (recovered.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
-            debugWarn(`[SellerPayment] Invalid V2 sig from ${buyerPeerId.slice(0, 12)}... recovered=${recovered.slice(0, 10)}... expected=${buyerEvmAddr.slice(0, 10)}...`);
+        const newSpent = current + costUsdc;
+        this._spent.set(sessionId, newSpent);
+        // Persist spent amount to ChannelStore (using tokensDelivered field)
+        this._channelStore.updateTokensDelivered(sessionId, newSpent.toString(), 0);
+    }
+    // ── Settlement ──────────────────────────────────────────────
+    /**
+     * Close a completed session on-chain using the latest buyer-signed dual signatures.
+     * Uses close() for final settlement (releases remaining deposit to buyer).
+     */
+    async settleSession(buyerPeerId, { cleanupOnFailure = false } = {}) {
+        const session = this._channelStore.getActiveChannelByPeer(buyerPeerId, 'seller');
+        if (!session) {
+            debugWarn(`[SellerPayment] settleSession: no active session for buyer ${buyerPeerId.slice(0, 12)}...`);
             return;
         }
-        const prevSession = this._sessions.get(buyerPeerId);
-        if (prevSession && !prevSession.settled) {
-            debugLog(`[SellerPayment] Settling previous session ${prevSession.sessionId.slice(0, 18)}... before reserve()`);
-            try {
-                const chargeAmount = this._computeChargeAmount(prevSession);
-                await this._escrow.settle(this._signer, prevSession.sessionId, chargeAmount);
-                prevSession.settled = true;
+        const channelId = session.sessionId;
+        const accepted = this._acceptedCumulative.get(channelId) ?? 0n;
+        if (accepted === 0n) {
+            // Session opened but no requests served — cannot close without a voucher.
+            // Leave it for checkTimeouts(); buyer must call requestClose → withdraw on-chain.
+            debugLog(`[SellerPayment] Zero-cumulative channel ${channelId.slice(0, 18)}... — deferring to timeout checker`);
+        }
+        else {
+            const retries = this._closeRetryCount.get(channelId) ?? 0;
+            if (retries >= SellerPaymentManager.MAX_CLOSE_RETRIES) {
+                // Exhausted retries — give up on close(), fall back to timeout path
+                debugWarn(`[SellerPayment] close() failed ${retries} times for ${channelId.slice(0, 18)}... — falling back to timeout path`);
+                // Fall through to general cleanup below; buyer must requestClose on-chain
             }
-            catch (err) {
-                debugWarn(`[SellerPayment] Failed to settle previous session: ${err}`);
+            else {
+                // Close with the latest buyer-signed auth (final settlement)
+                const latestAuth = this._latestAuth.get(channelId);
+                const hasSpendingAuth = latestAuth && latestAuth.spendingAuthSig.length > 0;
+                if (!hasSpendingAuth) {
+                    // No real SpendingAuth received (only ReserveAuth from session setup).
+                    // Close with finalAmount=0 so the contract skips signature verification.
+                    // The seller forfeits unproven spend but the channel is properly closed.
+                    debugLog(`[SellerPayment] No SpendingAuth for channel ${channelId.slice(0, 18)}... — closing with finalAmount=0 (forfeiting unproven spend)`);
+                }
+                else {
+                    debugLog(`[SellerPayment] Closing channel ${channelId.slice(0, 18)}... cumulative=${latestAuth.cumulativeAmount} (attempt ${retries + 1}/${SellerPaymentManager.MAX_CLOSE_RETRIES})`);
+                }
+                const closeAmount = hasSpendingAuth ? latestAuth.cumulativeAmount : 0n;
+                const closeMetadata = hasSpendingAuth
+                    ? (latestAuth.metadata || encodeMetadata(ZERO_METADATA))
+                    : encodeMetadata(ZERO_METADATA);
+                const closeSig = hasSpendingAuth ? latestAuth.spendingAuthSig : '0x';
+                try {
+                    await this._channelsClient.close(this._signer, channelId, closeAmount, closeMetadata, closeSig);
+                    this._channelStore.updateChannelStatus(channelId, 'settled', closeAmount.toString());
+                    this._closeRetryCount.delete(channelId);
+                }
+                catch (err) {
+                    debugWarn(`[SellerPayment] Failed to close channel (attempt ${retries + 1}): ${err instanceof Error ? err.message : err}`);
+                    this._closeRetryCount.set(channelId, retries + 1);
+                    if (!cleanupOnFailure) {
+                        // Keep maps intact so checkTimeouts can retry
+                        return;
+                    }
+                    // Caller requested cleanup even on failure (e.g., disconnect handler)
+                }
             }
         }
-        try {
-            await this._escrow.reserve(this._signer, payload.sessionId, buyerEvmAddr, maxAmount, payload.nonce, payload.deadline, previousConsumption, previousSessionId, payload.buyerSig);
-        }
-        catch (err) {
-            debugWarn(`[SellerPayment] reserve() failed for ${buyerPeerId.slice(0, 12)}...: ${err}`);
+        // Clean up maps after successful close, zero-cumulative deferral, or exhausted retries
+        this._acceptedCumulative.delete(channelId);
+        this._spent.delete(channelId);
+        this._latestAuth.delete(channelId);
+        this._closeRetryCount.delete(channelId);
+        this._activeBuyers.delete(buyerPeerId);
+    }
+    // ── Disconnect handling ───────────────────────────────────────
+    onBuyerDisconnect(buyerPeerId) {
+        const session = this._channelStore.getActiveChannelByPeer(buyerPeerId, 'seller');
+        if (!session)
             return;
+        const settleOnDisconnect = this._config.settleOnDisconnect ?? true;
+        if (settleOnDisconnect) {
+            const accepted = this._acceptedCumulative.get(session.sessionId) ?? 0n;
+            if (accepted > 0n) {
+                debugLog(`[SellerPayment] Buyer ${buyerPeerId.slice(0, 12)}... disconnected — closing channel immediately`);
+                // Fire and forget settlement — clean up maps even if close() fails
+                this.settleSession(buyerPeerId, { cleanupOnFailure: true }).catch((err) => {
+                    debugWarn(`[SellerPayment] Failed to close on disconnect: ${err instanceof Error ? err.message : err}`);
+                });
+                return;
+            }
         }
-        this._sessions.set(buyerPeerId, {
-            sessionId: payload.sessionId,
-            buyerPeerId,
-            buyerEvmAddr,
-            nonce: payload.nonce,
-            authMax: maxAmount,
-            deadline: payload.deadline,
-            buyerSig: payload.buyerSig,
-            previousConsumption,
-            previousSessionId,
-            tokensDelivered: 0n,
-            reservedAt: Date.now(),
-            settled: false,
-        });
-        paymentMux.sendAuthAck({ sessionId: payload.sessionId, nonce: payload.nonce });
-        debugLog(`[SellerPayment] AuthAck sent for session=${payload.sessionId.slice(0, 18)}...`);
+        // Preserve session for reconnect; timeout checker handles ghost scenarios
+        this._activeBuyers.delete(buyerPeerId);
+        debugLog(`[SellerPayment] Buyer ${buyerPeerId.slice(0, 12)}... disconnected — channel ${session.sessionId.slice(0, 18)}... preserved for reconnect`);
     }
-    addTokensDelivered(buyerPeerId, tokens) {
-        const session = this._sessions.get(buyerPeerId);
-        if (!session || session.settled)
-            return;
-        session.tokensDelivered += tokens;
-        debugLog(`[SellerPayment] Tokens accrued for ${buyerPeerId.slice(0, 12)}...: ${session.tokensDelivered}`);
+    // ── Stale session cleanup ────────────────────────────────────
+    /**
+     * Check for stale sessions and attempt to close them.
+     * The seller can only close() with a valid SpendingAuth — it cannot
+     * requestClose or withdraw (those are buyer-only on-chain).
+     * If the seller has no auths, the session remains open until the buyer
+     * calls requestClose → withdraw on-chain.
+     * Called periodically and on startup for recovery.
+     */
+    async checkTimeouts() {
+        const nowSecs = Math.floor(Date.now() / 1000);
+        const activeChannels = this._channelStore.getActiveChannels('seller');
+        for (const channel of activeChannels) {
+            const accepted = this._acceptedCumulative.get(channel.sessionId) ?? 0n;
+            try {
+                // If we have auths and the buyer is disconnected, try to close
+                if (accepted > 0n && !this._activeBuyers.has(channel.peerId)) {
+                    debugLog(`[SellerPayment] Channel ${channel.sessionId.slice(0, 18)}... buyer disconnected — attempting close`);
+                    await this.settleSession(channel.peerId);
+                }
+                // If no auths and buyer disconnected, nothing the seller can do on-chain.
+                // The buyer must call requestClose → withdraw. We just clean up locally
+                // after a reasonable period (e.g. deadline passed).
+                if (accepted === 0n && !this._activeBuyers.has(channel.peerId) && nowSecs > channel.deadline) {
+                    debugLog(`[SellerPayment] Channel ${channel.sessionId.slice(0, 18)}... no auths, past deadline — cleaning up locally`);
+                    this._channelStore.updateChannelStatus(channel.sessionId, 'timeout');
+                    this._acceptedCumulative.delete(channel.sessionId);
+                    this._spent.delete(channel.sessionId);
+                    this._latestAuth.delete(channel.sessionId);
+                    this._closeRetryCount.delete(channel.sessionId);
+                    this._reserveMax.delete(channel.sessionId);
+                    this._activeBuyers.delete(channel.peerId);
+                }
+            }
+            catch (err) {
+                debugWarn(`[SellerPayment] Failed to process channel ${channel.sessionId.slice(0, 18)}...: ${err instanceof Error ? err.message : err}`);
+            }
+        }
     }
-    async onBuyerDisconnect(buyerPeerId) {
-        const session = this._sessions.get(buyerPeerId);
-        if (!session || session.settled) {
-            this._sessions.delete(buyerPeerId);
-            return;
+    // ── Queries ───────────────────────────────────────────────────
+    hasSession(buyerPeerId) {
+        return this._activeBuyers.has(buyerPeerId);
+    }
+    /** Get the active session for a buyer peer, or null. */
+    getChannelByPeer(buyerPeerId) {
+        return this._channelStore.getActiveChannelByPeer(buyerPeerId, 'seller');
+    }
+    /** Get total USDC spent for a session (sum of recordSpend calls). */
+    getCumulativeSpend(sessionId) {
+        return this._spent.get(sessionId) ?? 0n;
+    }
+    /** Get the highest accepted cumulative amount for a session. */
+    getAcceptedCumulative(sessionId) {
+        return this._acceptedCumulative.get(sessionId) ?? 0n;
+    }
+    /** Get the on-chain reserve budget ceiling for a session. */
+    getReserveMax(sessionId) {
+        return this._reserveMax.get(sessionId) ?? 0n;
+    }
+    static DEFAULT_SUGGESTED_AMOUNT = 1000000n; // $1.00 — matches contract FIRST_SIGN_CAP and buyer default
+    /**
+     * Build the PaymentRequired payload for a buyer that doesn't have a session.
+     */
+    getPaymentRequirements(requestId, buyerPeerId, pricing) {
+        const minBudgetPerRequest = this._config.minBudgetPerRequest ?? DEFAULT_MIN_BUDGET_PER_REQUEST;
+        let suggestedAmount = SellerPaymentManager.DEFAULT_SUGGESTED_AMOUNT;
+        if (buyerPeerId) {
+            const priorSession = this._channelStore.getLatestChannel(buyerPeerId, 'seller');
+            if (priorSession && priorSession.status === 'settled') {
+                // Returning buyer with proven history — could use a different amount
+                // For now, use the same default; config can override later
+                suggestedAmount = SellerPaymentManager.DEFAULT_SUGGESTED_AMOUNT;
+            }
         }
-        const settleTimeoutMs = 24 * 60 * 60 * 1000;
-        const elapsed = Date.now() - session.reservedAt;
-        if (elapsed >= settleTimeoutMs) {
-            debugLog(`[SellerPayment] settleTimeout() for ghost session ${session.sessionId.slice(0, 18)}...`);
+        return {
+            minBudgetPerRequest,
+            suggestedAmount: suggestedAmount.toString(),
+            requestId,
+            ...(pricing?.inputUsdPerMillion != null ? { inputUsdPerMillion: pricing.inputUsdPerMillion } : {}),
+            ...(pricing?.outputUsdPerMillion != null ? { outputUsdPerMillion: pricing.outputUsdPerMillion } : {}),
+        };
+    }
+    // ── CloseRequested handling ───────────────────────────────────
+    /**
+     * Handle a CloseRequested event for a channel this seller manages.
+     * If the seller has a stored SpendingAuth, immediately close the channel
+     * on-chain to claim earnings before the grace period expires.
+     */
+    async handleCloseRequested(channelId) {
+        const latestAuth = this._latestAuth.get(channelId);
+        const accepted = this._acceptedCumulative.get(channelId) ?? 0n;
+        const hasSpendingAuth = latestAuth && latestAuth.spendingAuthSig.length > 0;
+        if (accepted > 0n && hasSpendingAuth) {
+            debugLog(`[SellerPayment] CloseRequested for channel ${channelId.slice(0, 18)}... — closing with cumulative=${latestAuth.cumulativeAmount}`);
             try {
-                await this._escrow.settleTimeout(this._signer, session.sessionId);
-                session.settled = true;
+                await this._channelsClient.close(this._signer, channelId, latestAuth.cumulativeAmount, latestAuth.metadata || encodeMetadata(ZERO_METADATA), latestAuth.spendingAuthSig);
+                this._channelStore.updateChannelStatus(channelId, 'settled', latestAuth.cumulativeAmount.toString());
+                debugLog(`[SellerPayment] Channel ${channelId.slice(0, 18)}... closed successfully after CloseRequested`);
             }
             catch (err) {
-                debugWarn(`[SellerPayment] settleTimeout() failed: ${err}`);
+                debugWarn(`[SellerPayment] Failed to close channel ${channelId.slice(0, 18)}... after CloseRequested: ${err instanceof Error ? err.message : err}`);
+                // Early return: preserve in-memory maps so the next poll cycle can retry close()
+                return;
+            }
+        }
+        else if (accepted > 0n) {
+            // Had spend but no SpendingAuth (only ReserveAuth) — close with 0 to release deposit
+            debugLog(`[SellerPayment] CloseRequested for channel ${channelId.slice(0, 18)}... — no SpendingAuth, closing with finalAmount=0`);
+            try {
+                await this._channelsClient.close(this._signer, channelId, 0n, encodeMetadata(ZERO_METADATA), '0x');
+                this._channelStore.updateChannelStatus(channelId, 'settled', '0');
+            }
+            catch (err) {
+                debugWarn(`[SellerPayment] Failed to close channel ${channelId.slice(0, 18)}... with finalAmount=0: ${err instanceof Error ? err.message : err}`);
+                return;
             }
         }
         else {
-            debugLog('[SellerPayment] Buyer disconnected, session not yet timeout-eligible. Will settle on next SpendingAuthV2.');
+            // No voucher — seller can't claim anything. Clean up locally;
+            // buyer will withdraw after grace period.
+            debugLog(`[SellerPayment] CloseRequested for channel ${channelId.slice(0, 18)}... — no SpendingAuth, cleaning up locally`);
+            this._channelStore.updateChannelStatus(channelId, 'timeout');
+        }
+        // Clean up in-memory state
+        this._acceptedCumulative.delete(channelId);
+        this._spent.delete(channelId);
+        this._latestAuth.delete(channelId);
+        this._closeRetryCount.delete(channelId);
+        this._reserveMax.delete(channelId);
+        // Find and remove buyer from active set
+        const channel = this._channelStore.getChannel(channelId);
+        if (channel) {
+            this._activeBuyers.delete(channel.peerId);
         }
-        this._sessions.delete(buyerPeerId);
     }
-    async settleSession(buyerPeerId, chargeAmount) {
-        const session = this._sessions.get(buyerPeerId);
-        if (!session || session.settled)
-            return;
+    /**
+     * Poll for CloseRequested events and handle any that match active channels.
+     * Returns the block number to use as the next fromBlock cursor.
+     */
+    async pollCloseRequested(fromBlock) {
         try {
-            await this._escrow.settle(this._signer, session.sessionId, chargeAmount);
-            session.settled = true;
-            debugLog(`[SellerPayment] Settled session ${session.sessionId.slice(0, 18)}... charged=${chargeAmount}`);
+            // Fetch block number first and pin as toBlock to avoid race:
+            // if blocks are mined between the two calls, events in the gap would be missed.
+            const latestBlock = await this._channelsClient.getBlockNumber();
+            const events = await this._channelsClient.getCloseRequestedEvents(fromBlock, latestBlock);
+            for (const event of events) {
+                // Only handle channels this seller is actively tracking
+                if (this._acceptedCumulative.has(event.channelId) || this._channelStore.getChannel(event.channelId)?.status === 'active') {
+                    await this.handleCloseRequested(event.channelId);
+                }
+            }
+            return latestBlock + 1;
         }
         catch (err) {
-            debugWarn(`[SellerPayment] settle() failed: ${err}`);
-            throw err;
+            debugWarn(`[SellerPayment] Failed to poll CloseRequested events: ${err instanceof Error ? err.message : err}`);
+            return fromBlock; // Retry from same block on next poll
         }
     }
-    async claimEarnings() {
-        return this._escrow.claimEarnings(this._signer);
-    }
-    async stake(amount) {
-        return this._escrow.stake(this._signer, amount);
-    }
-    async unstake(amount) {
-        return this._escrow.unstake(this._signer, amount);
-    }
-    async getPendingEarnings() {
-        const addr = await this._signer.getAddress();
-        return this._escrow.getSellerPendingEarnings(addr);
-    }
-    _computeChargeAmount(session) {
-        return session.authMax;
+    // ── Lifecycle ─────────────────────────────────────────────────
+    close() {
+        // ChannelStore is shared with BuyerPaymentManager, closed from node.ts
     }
 }
 //# sourceMappingURL=seller-payment-manager.js.map