@antseed/node 0.2.27 → 0.2.29

package/dist/payments/seller-payment-manager.js

@@ -1,293 +1,528 @@
-import { createHash } from 'node:crypto';
 import { verifyTypedData } from 'ethers';
-import { BaseEscrowClient } from './evm/escrow-client.js';
-import { identityToEvmWallet, identityToEvmAddress } from './evm/keypair.js';
-import { SPENDING_AUTH_TYPES, makeEscrowDomain, buildReceiptMessage, buildAckMessage, signMessageEd25519, verifyMessageEd25519, } from './evm/signatures.js';
-import { bytesToHex, hexToBytes } from '../utils/hex.js';
+import { ChannelsClient } from './evm/channels-client.js';
+import { SPENDING_AUTH_TYPES, RESERVE_AUTH_TYPES, makeChannelsDomain, encodeMetadata, ZERO_METADATA, } from './evm/signatures.js';
 import { debugLog, debugWarn } from '../utils/debug.js';
-/** Default settle timeout: 24 hours. */
-const DEFAULT_SETTLE_TIMEOUT_SECS = 86400;
+import { peerIdToAddress } from '../types/peer.js';
+import { classifyOnChainChannel, matchesChannelParties } from './channel-session-state.js';
+/** Default minimum budget per request: $0.50 USDC (base units). */
+const DEFAULT_MIN_BUDGET_PER_REQUEST = '500000';
 /**
- * Manages seller-side payment sessions using the settle-then-reserve
- * atomic flow with persistent session storage.
+ * Manages seller-side payment sessions.
+ * The buyer sends a single SpendingAuth signature with a monotonically
+ * increasing cumulativeAmount on every request.
+ * The seller tracks spending locally and settles/closes via the contract at session end.
  */
 export class SellerPaymentManager {
     _identity;
     _signer;
-    _escrowClient;
+    _channelsClient;
     _config;
-    _sessionStore;
+    _channelStore;
     /** In-memory cache of active buyer peerIds for fast has-session checks. */
     _activeBuyers = new Set();
-    /** Debounce: track sessions that already sent a top-up request. */
-    _topUpRequested = new Set();
-    /** Cached seller tokenRate (fetched once from escrow, used for top-up threshold). */
-    _tokenRate = null;
-    /** Cached FIRST_SIGN_CAP from escrow contract. */
-    _firstSignCap = null;
     /** Per-buyer mutex to prevent concurrent handleSpendingAuth for the same buyer. */
     _buyerLocks = new Map();
-    constructor(identity, config, sessionStore) {
+    /** channelId -> highest accepted cumulativeAmount from buyer's SpendingAuth */
+    _acceptedCumulative = new Map();
+    /** channelId -> total USDC spent so far (sum of recordSpend calls) */
+    _spent = new Map();
+    /** channelId -> on-chain reserveMaxAmount (budget ceiling from ReserveAuth) */
+    _reserveMax = new Map();
+    /** channelId -> latest buyer-signed auth (both sigs + cumulative values + metadata) for settle/close */
+    _latestAuth = new Map();
+    /** channelId -> number of failed close() attempts. In-memory only; resets on node restart. */
+    _closeRetryCount = new Map();
+    /** Max close() retries before giving up (buyer must requestClose on-chain) */
+    static MAX_CLOSE_RETRIES = 3;
+    constructor(identity, config, channelStore) {
         this._identity = identity;
         this._config = config;
-        this._signer = identityToEvmWallet(identity);
-        this._escrowClient = new BaseEscrowClient({
+        this._signer = identity.wallet;
+        this._channelsClient = new ChannelsClient({
             rpcUrl: config.rpcUrl,
-            contractAddress: config.contractAddress,
-            usdcAddress: config.usdcAddress,
+            contractAddress: config.channelsContractAddress,
         });
-        this._sessionStore = sessionStore;
-        // Hydrate _activeBuyers from persisted sessions so hasSession() works after restart
-        const activeSessions = this._sessionStore.getActiveSessions('seller');
-        for (const session of activeSessions) {
-            this._activeBuyers.add(session.peerId);
+        this._channelStore = channelStore;
+        // Hydrate from persisted channels
+        const activeChannels = this._channelStore.getActiveChannels('seller');
+        for (const channel of activeChannels) {
+            this._activeBuyers.add(channel.peerId);
+            this._acceptedCumulative.set(channel.sessionId, BigInt(channel.authMax));
+            this._spent.set(channel.sessionId, BigInt(channel.tokensDelivered));
+            // Hydrate reserveMax from previousConsumption (repurposed field)
+            const storedReserveMax = BigInt(channel.previousConsumption || '0');
+            if (storedReserveMax > 0n) {
+                this._reserveMax.set(channel.sessionId, storedReserveMax);
+            }
+            // Hydrate latest auth sigs so close() works after restart
+            if (channel.latestSpendingAuthSig) {
+                this._latestAuth.set(channel.sessionId, {
+                    spendingAuthSig: channel.latestSpendingAuthSig,
+                    cumulativeAmount: BigInt(channel.authMax),
+                    metadataHash: '',
+                    metadata: channel.latestMetadata ?? '',
+                });
+            }
         }
     }
-    get escrowClient() {
-        return this._escrowClient;
+    get channelsClient() {
+        return this._channelsClient;
     }
-    // ── SpendingAuth handler (settle-then-reserve) ────────────────
+    // ── SpendingAuth handler ─────────────────────────────────────
     /**
      * Handle incoming SpendingAuth from a buyer.
-     * 1. Verify EIP-712 signature
-     * 2. Settle prior session if one exists
-     * 3. Reserve new session on-chain
-     * 4. Store and send AuthAck
+     * First auth: verify SpendingAuth, reserve on-chain, send AuthAck.
+     * Subsequent: verify SpendingAuth signature, validate monotonic increase, persist.
      */
-    async handleSpendingAuth(buyerPeerId, buyerEvmAddr, payload, paymentMux) {
+    async handleSpendingAuth(buyerPeerId, payload, paymentMux) {
         // Per-buyer mutex: serialize concurrent auths for the same buyer
         const existing = this._buyerLocks.get(buyerPeerId);
-        const lock = (existing ?? Promise.resolve()).then(() => this._handleSpendingAuthInner(buyerPeerId, buyerEvmAddr, payload, paymentMux));
+        let result = 'rejected';
+        const lock = (existing ?? Promise.resolve()).then(async () => {
+            result = await this._handleSpendingAuthInner(buyerPeerId, payload, paymentMux);
+        });
         this._buyerLocks.set(buyerPeerId, lock.catch(() => { }));
-        return lock;
+        await lock;
+        return result;
     }
-    async _handleSpendingAuthInner(buyerPeerId, buyerEvmAddr, payload, paymentMux) {
+    async _handleSpendingAuthInner(buyerPeerId, payload, paymentMux) {
+        const buyerEvmAddr = peerIdToAddress(buyerPeerId);
         try {
-            // 1. Verify EIP-712 signature
-            const domain = makeEscrowDomain(this._config.chainId, this._config.contractAddress);
-            const msg = {
-                seller: identityToEvmAddress(this._identity),
-                sessionId: payload.sessionId,
-                maxAmount: BigInt(payload.maxAmountUsdc),
-                nonce: payload.nonce,
-                deadline: payload.deadline,
-                previousConsumption: BigInt(payload.previousConsumption),
-                previousSessionId: payload.previousSessionId,
-            };
-            const recoveredAddr = verifyTypedData(domain, SPENDING_AUTH_TYPES, msg, payload.buyerSig);
-            if (recoveredAddr.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
-                debugWarn(`[SellerPayment] Invalid SpendingAuth signature: recovered=${recoveredAddr} expected=${buyerEvmAddr}`);
-                return;
-            }
-            debugLog(`[SellerPayment] SpendingAuth verified for buyer ${buyerPeerId.slice(0, 12)}...`);
-            // 2. Settle prior session if exists
-            const priorSession = this._sessionStore.getActiveSessionByPeer(buyerPeerId, 'seller');
-            if (priorSession && priorSession.status === 'active') {
-                const buyerClaimed = BigInt(payload.previousConsumption);
-                const sellerDelivered = BigInt(priorSession.tokensDelivered);
-                // Settle with buyer's claimed value — proof chain requires
-                // previousConsumption == settledTokenCount on-chain.
-                // We do NOT use max(seller, buyer) because that would let the seller
-                // overcharge the buyer for tokens the buyer may not have received.
-                try {
-                    debugLog(`[SellerPayment] Settling prior session ${priorSession.sessionId.slice(0, 18)}... tokens=${buyerClaimed} (seller delivered=${sellerDelivered})`);
-                    await this._escrowClient.settle(this._signer, priorSession.sessionId, buyerClaimed);
-                    this._sessionStore.updateSessionStatus(priorSession.sessionId, 'settled', buyerClaimed.toString());
-                    this._topUpRequested.delete(priorSession.sessionId);
+            const channelId = payload.channelId;
+            const cumulativeAmount = BigInt(payload.cumulativeAmount);
+            const existingCumulative = this._acceptedCumulative.get(channelId);
+            const channelsDomain = makeChannelsDomain(this._config.chainId, this._config.channelsContractAddress);
+            if (existingCumulative === undefined) {
+                const hasReserveFields = payload.reserveSalt != null
+                    || payload.reserveMaxAmount != null
+                    || payload.reserveDeadline != null;
+                if (!hasReserveFields) {
+                    const recovered = await this._recoverOnChainSession(buyerPeerId, buyerEvmAddr, payload, cumulativeAmount, paymentMux, channelsDomain);
+                    if (recovered) {
+                        return 'accepted';
+                    }
                 }
-                catch (err) {
-                    debugWarn(`[SellerPayment] Failed to settle prior session: ${err instanceof Error ? err.message : err}`);
-                    // Do NOT proceed to reserve — proof chain is broken. Buyer will timeout and retry.
-                    return;
+                // ── First SpendingAuth: verify ReserveAuth and reserve on-chain ──
+                // The buyer signs ReserveAuth(channelId, maxAmount, deadline) to bind escrow terms.
+                const reserveMaxAmount = payload.reserveMaxAmount ? BigInt(payload.reserveMaxAmount) : cumulativeAmount;
+                const reserveDeadline = payload.reserveDeadline ?? (Math.floor(Date.now() / 1000) + 3600);
+                const reserveMsg = {
+                    channelId,
+                    maxAmount: reserveMaxAmount,
+                    deadline: BigInt(reserveDeadline),
+                };
+                const reserveRecovered = verifyTypedData(channelsDomain, RESERVE_AUTH_TYPES, reserveMsg, payload.spendingAuthSig);
+                if (reserveRecovered.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
+                    debugWarn(`[SellerPayment] Invalid ReserveAuth signature: recovered=${reserveRecovered} expected=${buyerEvmAddr}`);
+                    return 'rejected';
+                }
+                debugLog(`[SellerPayment] ReserveAuth verified for buyer ${buyerPeerId.slice(0, 12)}...`);
+                debugLog(`[SellerPayment] Reserving channel ${channelId.slice(0, 18)}... on-chain`);
+                const reserveSalt = payload.reserveSalt ?? channelId;
+                await this._channelsClient.reserve(this._signer, buyerEvmAddr, reserveSalt, reserveMaxAmount, BigInt(reserveDeadline), payload.spendingAuthSig);
+                // Store new session (sessionId field stores channelId for backward compat)
+                const now = Date.now();
+                const sellerEvmAddr = this._identity.wallet.address;
+                const session = {
+                    sessionId: channelId,
+                    peerId: buyerPeerId,
+                    role: 'seller',
+                    sellerEvmAddr,
+                    buyerEvmAddr,
+                    nonce: 0,
+                    authMax: payload.cumulativeAmount,
+                    previousConsumption: reserveMaxAmount.toString(), // repurposed: stores reserveMax
+                    deadline: reserveDeadline,
+                    previousSessionId: '',
+                    tokensDelivered: '0',
+                    requestCount: 0,
+                    reservedAt: now,
+                    settledAt: null,
+                    settledAmount: null,
+                    status: 'active',
+                    latestBuyerSig: payload.spendingAuthSig,
+                    latestSpendingAuthSig: payload.spendingAuthSig,
+                    latestMetadata: payload.metadata,
+                    createdAt: now,
+                    updatedAt: now,
+                };
+                // Note: do NOT store the ReserveAuth sig as spendingAuthSig in _latestAuth.
+                // The ReserveAuth uses a different EIP-712 type and will fail
+                // _verifySpendingAuth in close(). A real SpendingAuth will arrive
+                // per-request and update this entry.
+                this._activateSession(session, buyerPeerId, cumulativeAmount, reserveMaxAmount, 0n, {
+                    spendingAuthSig: '',
+                    cumulativeAmount,
+                    metadataHash: payload.metadataHash,
+                    metadata: payload.metadata,
+                });
+                // Send AuthAck
+                paymentMux.sendAuthAck({
+                    channelId,
+                });
+                debugLog(`[SellerPayment] AuthAck sent for channel ${channelId.slice(0, 18)}...`);
+                return 'reserved';
+            }
+            else if (payload.reserveMaxAmount
+                && BigInt(payload.reserveMaxAmount) > (this._reserveMax.get(channelId) ?? 0n)) {
+                // ── Top-up: buyer is extending the reserve ceiling ──
+                const newMaxAmount = BigInt(payload.reserveMaxAmount);
+                const topUpDeadline = payload.reserveDeadline ?? (Math.floor(Date.now() / 1000) + 3600);
+                const currentReserveMax = this._reserveMax.get(channelId) ?? 0n;
+                // Verify as ReserveAuth (not SpendingAuth)
+                const reserveMsg = {
+                    channelId,
+                    maxAmount: newMaxAmount,
+                    deadline: BigInt(topUpDeadline),
+                };
+                const recovered = verifyTypedData(channelsDomain, RESERVE_AUTH_TYPES, reserveMsg, payload.spendingAuthSig);
+                if (recovered.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
+                    debugWarn(`[SellerPayment] Invalid top-up ReserveAuth signature: recovered=${recovered} expected=${buyerEvmAddr}`);
+                    return 'rejected';
                 }
-                // If buyer significantly understated consumption (> 20% gap), reject the
-                // new SpendingAuth. Seller accepts the loss on this session but refuses to
-                // continue serving a dishonest buyer. The 20% tolerance accounts for receipt
-                // delivery timing (buyer may not have received the final receipt).
-                if (sellerDelivered > 0n && buyerClaimed < sellerDelivered * 80n / 100n) {
-                    debugWarn(`[SellerPayment] Rejecting SpendingAuth — buyer under-reports consumption: ` +
-                        `claimed=${buyerClaimed} delivered=${sellerDelivered}`);
-                    return;
+                // Call topUp() on-chain
+                debugLog(`[SellerPayment] Top-up verified: channel=${channelId.slice(0, 18)}... ceiling ${currentReserveMax} → ${newMaxAmount}`);
+                await this._channelsClient.topUp(this._signer, channelId, newMaxAmount, BigInt(topUpDeadline), payload.spendingAuthSig);
+                // Update tracking
+                this._reserveMax.set(channelId, newMaxAmount);
+                const session = this._channelStore.getChannel(channelId);
+                if (session) {
+                    session.previousConsumption = newMaxAmount.toString(); // repurposed: stores reserveMax
+                    session.deadline = topUpDeadline;
+                    session.updatedAt = Date.now();
+                    this._channelStore.upsertChannel(session);
                 }
+                debugLog(`[SellerPayment] Top-up completed: channel=${channelId.slice(0, 18)}... new ceiling=${newMaxAmount}`);
+                return 'accepted';
             }
-            // 3. Fetch tokenRate BEFORE reserve so a failure here doesn't orphan
-            //    an on-chain reservation the seller can't serve.
-            const sellerEvmAddr = identityToEvmAddress(this._identity);
-            const account = await this._escrowClient.getSellerAccount(sellerEvmAddr);
-            this._tokenRate = account.tokenRate;
-            if (this._tokenRate === 0n) {
-                throw new Error('Token rate is 0 — set rate with antseed setTokenRate before serving');
+            else {
+                // ── Subsequent SpendingAuth: verify SpendingAuth signature ──
+                const metadataMsg = {
+                    channelId,
+                    cumulativeAmount,
+                    metadataHash: payload.metadataHash,
+                };
+                const metadataRecovered = verifyTypedData(channelsDomain, SPENDING_AUTH_TYPES, metadataMsg, payload.spendingAuthSig);
+                if (metadataRecovered.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
+                    debugWarn(`[SellerPayment] Invalid SpendingAuth signature: recovered=${metadataRecovered} expected=${buyerEvmAddr}`);
+                    return 'rejected';
+                }
+                // Validate monotonic (equal = idempotent retransmit)
+                if (cumulativeAmount < existingCumulative) {
+                    debugWarn(`[SellerPayment] Rejecting non-monotonic SpendingAuth: ` +
+                        `new=${cumulativeAmount} existing=${existingCumulative} channel=${channelId.slice(0, 18)}...`);
+                    return 'rejected';
+                }
+                if (cumulativeAmount === existingCumulative) {
+                    debugLog(`[SellerPayment] Idempotent SpendingAuth (same cumulative=${cumulativeAmount}) — accepted`);
+                    return 'accepted';
+                }
+                // Reject if buyer's cumulative doesn't cover what the seller has already spent
+                const spent = this._spent.get(channelId) ?? 0n;
+                if (cumulativeAmount < spent) {
+                    debugWarn(`[SellerPayment] Rejecting underfunded SpendingAuth: ` +
+                        `cumulative=${cumulativeAmount} < spent=${spent} channel=${channelId.slice(0, 18)}...`);
+                    return 'rejected';
+                }
+                // Update tracking
+                this._acceptedCumulative.set(channelId, cumulativeAmount);
+                this._latestAuth.set(channelId, {
+                    spendingAuthSig: payload.spendingAuthSig,
+                    cumulativeAmount,
+                    metadataHash: payload.metadataHash,
+                    metadata: payload.metadata,
+                });
+                // Persist latest auth + sigs to ChannelStore
+                const session = this._channelStore.getChannel(channelId);
+                if (session) {
+                    session.authMax = payload.cumulativeAmount;
+                    session.latestBuyerSig = payload.spendingAuthSig;
+                    session.latestSpendingAuthSig = payload.spendingAuthSig;
+                    session.latestMetadata = payload.metadata;
+                    session.updatedAt = Date.now();
+                    this._channelStore.upsertChannel(session);
+                }
+                debugLog(`[SellerPayment] Budget updated: channel=${channelId.slice(0, 18)}... cumulative=${cumulativeAmount}`);
+                return 'accepted';
             }
-            // 4. Reserve new session on-chain
-            debugLog(`[SellerPayment] Reserving session ${payload.sessionId.slice(0, 18)}... on-chain`);
-            await this._escrowClient.reserve(this._signer, buyerEvmAddr, payload.sessionId, BigInt(payload.maxAmountUsdc), BigInt(payload.nonce), BigInt(payload.deadline), BigInt(payload.previousConsumption), payload.previousSessionId, payload.buyerSig);
-            // 5. Store new session
-            const now = Date.now();
-            const session = {
-                sessionId: payload.sessionId,
-                peerId: buyerPeerId,
-                role: 'seller',
-                sellerEvmAddr,
-                buyerEvmAddr,
-                nonce: payload.nonce,
-                authMax: payload.maxAmountUsdc,
-                deadline: payload.deadline,
-                previousSessionId: payload.previousSessionId,
-                previousConsumption: payload.previousConsumption,
-                tokensDelivered: '0',
-                requestCount: 0,
-                reservedAt: now,
-                settledAt: null,
-                settledAmount: null,
-                status: 'active',
-                createdAt: now,
-                updatedAt: now,
-            };
-            this._sessionStore.upsertSession(session);
-            this._activeBuyers.add(buyerPeerId);
-            // 6. Send AuthAck
-            paymentMux.sendAuthAck({
-                sessionId: payload.sessionId,
-                nonce: payload.nonce,
-            });
-            debugLog(`[SellerPayment] AuthAck sent for session ${payload.sessionId.slice(0, 18)}...`);
         }
         catch (err) {
             debugWarn(`[SellerPayment] Failed to process SpendingAuth: ${err instanceof Error ? err.message : err}`);
+            return 'rejected';
+        }
+    }
+    async _recoverOnChainSession(buyerPeerId, buyerEvmAddr, payload, cumulativeAmount, paymentMux, channelsDomain) {
+        const channelId = payload.channelId;
+        const onChainState = classifyOnChainChannel(await this._channelsClient.getSession(channelId));
+        const sellerEvmAddr = this._identity.wallet.address;
+        if (!onChainState.exists || onChainState.status !== 'active')
+            return false;
+        if (!matchesChannelParties(onChainState.channel, buyerEvmAddr, sellerEvmAddr))
+            return false;
+        const onChain = onChainState.channel;
+        const metadataMsg = {
+            channelId,
+            cumulativeAmount,
+            metadataHash: payload.metadataHash,
+        };
+        const metadataRecovered = verifyTypedData(channelsDomain, SPENDING_AUTH_TYPES, metadataMsg, payload.spendingAuthSig);
+        if (metadataRecovered.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
+            debugWarn(`[SellerPayment] Invalid recovered SpendingAuth during channel recovery: recovered=${metadataRecovered} expected=${buyerEvmAddr}`);
+            return false;
         }
+        if (cumulativeAmount < onChain.settled) {
+            debugWarn(`[SellerPayment] Rejecting recovered SpendingAuth below on-chain settled amount: ` +
+                `cumulative=${cumulativeAmount} settled=${onChain.settled} channel=${channelId.slice(0, 18)}...`);
+            return false;
+        }
+        const now = Date.now();
+        const session = {
+            sessionId: channelId,
+            peerId: buyerPeerId,
+            role: 'seller',
+            sellerEvmAddr,
+            buyerEvmAddr,
+            nonce: 0,
+            authMax: payload.cumulativeAmount,
+            previousConsumption: onChain.deposit.toString(),
+            deadline: Number(onChain.deadline),
+            previousSessionId: '',
+            tokensDelivered: onChain.settled.toString(),
+            requestCount: 0,
+            reservedAt: now,
+            settledAt: null,
+            settledAmount: onChain.settled > 0n ? onChain.settled.toString() : null,
+            status: 'active',
+            latestBuyerSig: payload.spendingAuthSig,
+            latestSpendingAuthSig: payload.spendingAuthSig,
+            latestMetadata: payload.metadata,
+            createdAt: now,
+            updatedAt: now,
+        };
+        this._activateSession(session, buyerPeerId, cumulativeAmount, onChain.deposit, onChain.settled, {
+            spendingAuthSig: payload.spendingAuthSig,
+            cumulativeAmount,
+            metadataHash: payload.metadataHash,
+            metadata: payload.metadata,
+        });
+        paymentMux.sendAuthAck({ channelId });
+        debugLog(`[SellerPayment] Recovered active on-chain channel ${channelId.slice(0, 18)}... for buyer ${buyerPeerId.slice(0, 12)}...`);
+        return true;
+    }
+    _activateSession(session, buyerPeerId, cumulativeAmount, reserveMaxAmount, spent, latestAuth) {
+        this._channelStore.upsertChannel(session);
+        this._acceptedCumulative.set(session.sessionId, cumulativeAmount);
+        this._reserveMax.set(session.sessionId, reserveMaxAmount);
+        this._spent.set(session.sessionId, spent);
+        this._latestAuth.set(session.sessionId, latestAuth);
+        this._activeBuyers.add(buyerPeerId);
     }
-    // ── Receipt sending ───────────────────────────────────────────
+    // ── Per-request validation ──────────────────────────────────
     /**
-     * Send a bilateral receipt to the buyer after processing a request.
-     * Also triggers TopUpRequest if consumption exceeds 80% of authMax.
+     * Validate and accept a SpendingAuth attached to an incoming request.
+     * Returns true if the buyer has sufficient budget to serve this request.
      */
-    async sendReceipt(buyerPeerId, paymentMux, responseBody, tokensDelivered) {
-        const session = this._sessionStore.getActiveSessionByPeer(buyerPeerId, 'seller');
+    async validateAndAcceptAuth(buyerPeerId, auth) {
+        // Look up active session for this buyer
+        const session = this._channelStore.getActiveChannelByPeer(buyerPeerId, 'seller');
         if (!session) {
-            debugWarn(`[SellerPayment] No active session for buyer ${buyerPeerId.slice(0, 12)}... — skipping receipt`);
-            return;
+            debugWarn(`[SellerPayment] validateAndAcceptAuth: no active session for buyer ${buyerPeerId.slice(0, 12)}...`);
+            return false;
         }
-        // Update tokens — cap at the effective token limit so the receipt total
-        // always matches what settle() will store as settledTokenCount on-chain.
-        // Without this cap, the buyer's previousConsumption (from tokensDelivered)
-        // would exceed settledTokenCount (= maxAmount / tokenRate), breaking the
-        // proof chain with InvalidProofChain on the next reserve().
-        const authMax = BigInt(session.authMax);
-        const tokenRate = this._tokenRate;
-        if (tokenRate === null || tokenRate === 0n) {
-            throw new Error('Token rate unavailable — cannot send receipt without on-chain rate');
+        const channelId = session.sessionId; // sessionId field stores channelId
+        const existingCumulative = this._acceptedCumulative.get(channelId);
+        if (existingCumulative === undefined) {
+            debugWarn(`[SellerPayment] validateAndAcceptAuth: no tracked cumulative for channel ${channelId.slice(0, 18)}...`);
+            return false;
         }
-        const effectiveTokenCap = authMax / tokenRate;
-        let newTotal = BigInt(session.tokensDelivered) + tokensDelivered;
-        if (newTotal > effectiveTokenCap) {
-            newTotal = effectiveTokenCap;
+        // Verify AntSeed SpendingAuth signature
+        const channelsDomain = makeChannelsDomain(this._config.chainId, this._config.channelsContractAddress);
+        const metadataMsg = {
+            channelId: auth.channelId,
+            cumulativeAmount: BigInt(auth.cumulativeAmount),
+            metadataHash: auth.metadataHash,
+        };
+        const buyerEvmAddr = peerIdToAddress(buyerPeerId);
+        try {
+            const recovered = verifyTypedData(channelsDomain, SPENDING_AUTH_TYPES, metadataMsg, auth.spendingAuthSig);
+            if (recovered.toLowerCase() !== buyerEvmAddr.toLowerCase()) {
+                debugWarn(`[SellerPayment] validateAndAcceptAuth: invalid SpendingAuth signature`);
+                return false;
+            }
         }
-        const newRequestCount = session.requestCount + 1;
-        this._sessionStore.updateTokensDelivered(session.sessionId, newTotal.toString(), newRequestCount);
-        // SHA-256 hash of response body
-        const responseHash = createHash('sha256').update(responseBody).digest();
-        // Build receipt message and sign with Ed25519
-        const sessionIdBytes = hexToBytes(session.sessionId.replace(/^0x/, ''));
-        const receiptMsg = buildReceiptMessage(sessionIdBytes, newTotal, newRequestCount, new Uint8Array(responseHash));
-        const sellerSig = await signMessageEd25519(this._identity, receiptMsg);
-        paymentMux.sendSellerReceipt({
-            sessionId: session.sessionId,
-            runningTotal: newTotal.toString(),
-            requestCount: newRequestCount,
-            responseHash: bytesToHex(new Uint8Array(responseHash)),
-            sellerSig: bytesToHex(sellerSig),
-        });
-        // Store receipt
-        this._sessionStore.insertReceipt({
-            sessionId: session.sessionId,
-            runningTotal: newTotal.toString(),
-            requestCount: newRequestCount,
-            responseHash: bytesToHex(new Uint8Array(responseHash)),
-            sellerSig: bytesToHex(sellerSig),
-            buyerAckSig: null,
-            createdAt: Date.now(),
-        });
-        debugLog(`[SellerPayment] Receipt sent: session=${session.sessionId.slice(0, 18)}... total=${newTotal} count=${newRequestCount}`);
-        // TopUpRequest if > 80% of USDC cap consumed (send at most once per session)
-        const usdcConsumed = newTotal * tokenRate;
-        if (authMax > 0n && usdcConsumed * 100n > authMax * 80n && !this._topUpRequested.has(session.sessionId)) {
-            this._topUpRequested.add(session.sessionId);
-            const additionalAmount = authMax; // Request same amount again
-            paymentMux.sendTopUpRequest({
-                sessionId: session.sessionId,
-                currentUsed: newTotal.toString(),
-                currentMax: authMax.toString(),
-                requestedAdditional: additionalAmount.toString(),
+        catch {
+            debugWarn(`[SellerPayment] validateAndAcceptAuth: SpendingAuth verification failed`);
+            return false;
+        }
+        // Check monotonic: strictly greater, or equal (idempotent retransmit)
+        const newCumulative = BigInt(auth.cumulativeAmount);
+        if (newCumulative < existingCumulative) {
+            debugWarn(`[SellerPayment] validateAndAcceptAuth: cumulative decreased from ${existingCumulative} to ${newCumulative}`);
+            return false;
+        }
+        // Update if strictly greater
+        if (newCumulative > existingCumulative) {
+            this._acceptedCumulative.set(channelId, newCumulative);
+            this._latestAuth.set(channelId, {
+                spendingAuthSig: auth.spendingAuthSig,
+                cumulativeAmount: newCumulative,
+                metadataHash: auth.metadataHash,
+                metadata: auth.metadata,
             });
-            debugLog(`[SellerPayment] TopUpRequest sent: session=${session.sessionId.slice(0, 18)}... (${newTotal}/${authMax})`);
+            // Persist latest auth + sigs to ChannelStore
+            const storedSession = this._channelStore.getChannel(channelId);
+            if (storedSession) {
+                storedSession.authMax = auth.cumulativeAmount;
+                storedSession.latestBuyerSig = auth.spendingAuthSig;
+                storedSession.latestSpendingAuthSig = auth.spendingAuthSig;
+                storedSession.latestMetadata = auth.metadata;
+                storedSession.updatedAt = Date.now();
+                this._channelStore.upsertChannel(storedSession);
+            }
+        }
+        // Check available budget
+        const accepted = this._acceptedCumulative.get(channelId);
+        const spent = this._spent.get(channelId) ?? 0n;
+        return accepted >= spent;
+    }
+    // ── Spend tracking ──────────────────────────────────────────
+    /**
+     * Record USDC consumption after serving a request.
+     */
+    recordSpend(sessionId, costUsdc) {
+        const current = this._spent.get(sessionId);
+        if (current === undefined) {
+            debugWarn(`[SellerPayment] recordSpend: unknown channelId ${sessionId.slice(0, 18)}...`);
+            return;
         }
+        const newSpent = current + costUsdc;
+        this._spent.set(sessionId, newSpent);
+        // Persist spent amount to ChannelStore (using tokensDelivered field)
+        this._channelStore.updateTokensDelivered(sessionId, newSpent.toString(), 0);
     }
-    // ── BuyerAck handler ──────────────────────────────────────────
-    async handleBuyerAck(buyerPeerId, payload) {
-        const session = this._sessionStore.getActiveSessionByPeer(buyerPeerId, 'seller');
+    // ── Settlement ──────────────────────────────────────────────
+    /**
+     * Close a completed session on-chain using the latest buyer-signed dual signatures.
+     * Uses close() for final settlement (releases remaining deposit to buyer).
+     */
+    async settleSession(buyerPeerId, { cleanupOnFailure = false } = {}) {
+        const session = this._channelStore.getActiveChannelByPeer(buyerPeerId, 'seller');
         if (!session) {
-            debugWarn(`[SellerPayment] BuyerAck for unknown buyer: ${buyerPeerId.slice(0, 12)}...`);
+            debugWarn(`[SellerPayment] settleSession: no active session for buyer ${buyerPeerId.slice(0, 12)}...`);
             return;
         }
-        try {
-            // Verify buyer's Ed25519 ack signature
-            const buyerPublicKey = hexToBytes(buyerPeerId);
-            const sessionIdBytes = hexToBytes(session.sessionId.replace(/^0x/, ''));
-            const ackMsg = buildAckMessage(sessionIdBytes, BigInt(payload.runningTotal), payload.requestCount);
-            const sigBytes = hexToBytes(payload.buyerSig);
-            const valid = await verifyMessageEd25519(buyerPublicKey, sigBytes, ackMsg);
-            if (!valid) {
-                debugWarn(`[SellerPayment] Invalid BuyerAck signature from ${buyerPeerId.slice(0, 12)}...`);
-                return;
-            }
-            // Store the ack directly via targeted UPDATE (no-op if no matching receipt)
-            this._sessionStore.updateReceiptAck(session.sessionId, payload.runningTotal, payload.requestCount, payload.buyerSig);
-            debugLog(`[SellerPayment] BuyerAck received: session=${session.sessionId.slice(0, 18)}... count=${payload.requestCount} total=${payload.runningTotal}`);
+        const channelId = session.sessionId;
+        const accepted = this._acceptedCumulative.get(channelId) ?? 0n;
+        if (accepted === 0n) {
+            // Session opened but no requests served — cannot close without a voucher.
+            // Leave it for checkTimeouts(); buyer must call requestClose → withdraw on-chain.
+            debugLog(`[SellerPayment] Zero-cumulative channel ${channelId.slice(0, 18)}... — deferring to timeout checker`);
         }
-        catch (err) {
-            debugWarn(`[SellerPayment] Failed to process BuyerAck: ${err instanceof Error ? err.message : err}`);
+        else {
+            const retries = this._closeRetryCount.get(channelId) ?? 0;
+            if (retries >= SellerPaymentManager.MAX_CLOSE_RETRIES) {
+                // Exhausted retries — give up on close(), fall back to timeout path
+                debugWarn(`[SellerPayment] close() failed ${retries} times for ${channelId.slice(0, 18)}... — falling back to timeout path`);
+                // Fall through to general cleanup below; buyer must requestClose on-chain
+            }
+            else {
+                // Close with the latest buyer-signed auth (final settlement)
+                const latestAuth = this._latestAuth.get(channelId);
+                const hasSpendingAuth = latestAuth && latestAuth.spendingAuthSig.length > 0;
+                if (!hasSpendingAuth) {
+                    // No real SpendingAuth received (only ReserveAuth from session setup).
+                    // Close with finalAmount=0 so the contract skips signature verification.
+                    // The seller forfeits unproven spend but the channel is properly closed.
+                    debugLog(`[SellerPayment] No SpendingAuth for channel ${channelId.slice(0, 18)}... — closing with finalAmount=0 (forfeiting unproven spend)`);
+                }
+                else {
+                    debugLog(`[SellerPayment] Closing channel ${channelId.slice(0, 18)}... cumulative=${latestAuth.cumulativeAmount} (attempt ${retries + 1}/${SellerPaymentManager.MAX_CLOSE_RETRIES})`);
+                }
+                const closeAmount = hasSpendingAuth ? latestAuth.cumulativeAmount : 0n;
+                const closeMetadata = hasSpendingAuth
+                    ? (latestAuth.metadata || encodeMetadata(ZERO_METADATA))
+                    : encodeMetadata(ZERO_METADATA);
+                const closeSig = hasSpendingAuth ? latestAuth.spendingAuthSig : '0x';
+                try {
+                    await this._channelsClient.close(this._signer, channelId, closeAmount, closeMetadata, closeSig);
+                    this._channelStore.updateChannelStatus(channelId, 'settled', closeAmount.toString());
+                    this._closeRetryCount.delete(channelId);
+                }
+                catch (err) {
+                    debugWarn(`[SellerPayment] Failed to close channel (attempt ${retries + 1}): ${err instanceof Error ? err.message : err}`);
+                    this._closeRetryCount.set(channelId, retries + 1);
+                    if (!cleanupOnFailure) {
+                        // Keep maps intact so checkTimeouts can retry
+                        return;
+                    }
+                    // Caller requested cleanup even on failure (e.g., disconnect handler)
+                }
+            }
         }
+        // Clean up maps after successful close, zero-cumulative deferral, or exhausted retries
+        this._acceptedCumulative.delete(channelId);
+        this._spent.delete(channelId);
+        this._latestAuth.delete(channelId);
+        this._closeRetryCount.delete(channelId);
+        this._activeBuyers.delete(buyerPeerId);
     }
     // ── Disconnect handling ───────────────────────────────────────
     onBuyerDisconnect(buyerPeerId) {
-        const session = this._sessionStore.getActiveSessionByPeer(buyerPeerId, 'seller');
+        const session = this._channelStore.getActiveChannelByPeer(buyerPeerId, 'seller');
         if (!session)
             return;
-        // Don't settle immediately — wait for buyer to return with next auth.
-        // Session persists in store; timeout checker will handle ghost scenarios.
+        const settleOnDisconnect = this._config.settleOnDisconnect ?? true;
+        if (settleOnDisconnect) {
+            const accepted = this._acceptedCumulative.get(session.sessionId) ?? 0n;
+            if (accepted > 0n) {
+                debugLog(`[SellerPayment] Buyer ${buyerPeerId.slice(0, 12)}... disconnected — closing channel immediately`);
+                // Fire and forget settlement — clean up maps even if close() fails
+                this.settleSession(buyerPeerId, { cleanupOnFailure: true }).catch((err) => {
+                    debugWarn(`[SellerPayment] Failed to close on disconnect: ${err instanceof Error ? err.message : err}`);
+                });
+                return;
+            }
+        }
+        // Preserve session for reconnect; timeout checker handles ghost scenarios
         this._activeBuyers.delete(buyerPeerId);
-        debugLog(`[SellerPayment] Buyer ${buyerPeerId.slice(0, 12)}... disconnected — session ${session.sessionId.slice(0, 18)}... preserved for reconnect`);
+        debugLog(`[SellerPayment] Buyer ${buyerPeerId.slice(0, 12)}... disconnected — channel ${session.sessionId.slice(0, 18)}... preserved for reconnect`);
     }
-    // ── Timeout management ────────────────────────────────────────
+    // ── Stale session cleanup ────────────────────────────────────
     /**
-     * Check for and settle timed-out sessions.
+     * Check for stale sessions and attempt to close them.
+     * The seller can only close() with a valid SpendingAuth — it cannot
+     * requestClose or withdraw (those are buyer-only on-chain).
+     * If the seller has no auths, the session remains open until the buyer
+     * calls requestClose → withdraw on-chain.
      * Called periodically and on startup for recovery.
      */
     async checkTimeouts() {
-        const timeoutSecs = this._config.settleTimeoutSecs ?? DEFAULT_SETTLE_TIMEOUT_SECS;
-        const timedOut = this._sessionStore.getTimedOutSessions(timeoutSecs);
-        for (const session of timedOut) {
-            if (session.status !== 'active')
-                continue;
+        const nowSecs = Math.floor(Date.now() / 1000);
+        const activeChannels = this._channelStore.getActiveChannels('seller');
+        for (const channel of activeChannels) {
+            const accepted = this._acceptedCumulative.get(channel.sessionId) ?? 0n;
             try {
-                const delivered = BigInt(session.tokensDelivered);
-                if (delivered > 0n) {
-                    // Seller delivered tokens — settle normally to get paid and avoid ghost penalty
-                    debugLog(`[SellerPayment] Settling timed-out session ${session.sessionId.slice(0, 18)}... with ${delivered} tokens delivered`);
-                    await this._escrowClient.settle(this._signer, session.sessionId, delivered);
-                    this._sessionStore.updateSessionStatus(session.sessionId, 'settled', delivered.toString());
+                // If we have auths and the buyer is disconnected, try to close
+                if (accepted > 0n && !this._activeBuyers.has(channel.peerId)) {
+                    debugLog(`[SellerPayment] Channel ${channel.sessionId.slice(0, 18)}... buyer disconnected — attempting close`);
+                    await this.settleSession(channel.peerId);
                 }
-                else {
-                    // No delivery — use settleTimeout (records ghost, releases buyer funds)
-                    debugLog(`[SellerPayment] Settling timed-out session ${session.sessionId.slice(0, 18)}... (no delivery)`);
-                    await this._escrowClient.settleTimeout(this._signer, session.sessionId);
-                    this._sessionStore.updateSessionStatus(session.sessionId, 'timeout');
+                // If no auths and buyer disconnected, nothing the seller can do on-chain.
+                // The buyer must call requestClose → withdraw. We just clean up locally
+                // after a reasonable period (e.g. deadline passed).
+                if (accepted === 0n && !this._activeBuyers.has(channel.peerId) && nowSecs > channel.deadline) {
+                    debugLog(`[SellerPayment] Channel ${channel.sessionId.slice(0, 18)}... no auths, past deadline — cleaning up locally`);
+                    this._channelStore.updateChannelStatus(channel.sessionId, 'timeout');
+                    this._acceptedCumulative.delete(channel.sessionId);
+                    this._spent.delete(channel.sessionId);
+                    this._latestAuth.delete(channel.sessionId);
+                    this._closeRetryCount.delete(channel.sessionId);
+                    this._reserveMax.delete(channel.sessionId);
+                    this._activeBuyers.delete(channel.peerId);
                 }
-                this._activeBuyers.delete(session.peerId);
-                this._topUpRequested.delete(session.sessionId);
             }
             catch (err) {
-                debugWarn(`[SellerPayment] Failed to settle timeout for ${session.sessionId.slice(0, 18)}...: ${err instanceof Error ? err.message : err}`);
+                debugWarn(`[SellerPayment] Failed to process channel ${channel.sessionId.slice(0, 18)}...: ${err instanceof Error ? err.message : err}`);
             }
         }
     }
@@ -295,76 +530,124 @@ export class SellerPaymentManager {
     hasSession(buyerPeerId) {
         return this._activeBuyers.has(buyerPeerId);
     }
-    /** Minimum interval between init retry attempts. */
-    _lastInitAttemptMs = 0;
-    static INIT_RETRY_INTERVAL_MS = 30_000;
-    /**
-     * Pre-fetch on-chain data (tokenRate, FIRST_SIGN_CAP) so PaymentRequired
-     * messages can be sent without blocking on RPC calls.
-     */
-    async init() {
-        this._lastInitAttemptMs = Date.now();
-        try {
-            const sellerEvmAddr = identityToEvmAddress(this._identity);
-            const [account, firstSignCap] = await Promise.all([
-                this._escrowClient.getSellerAccount(sellerEvmAddr),
-                this._escrowClient.getFirstSignCap(),
-            ]);
-            this._tokenRate = account.tokenRate;
-            this._firstSignCap = firstSignCap;
-            debugLog(`[SellerPayment] Cached on-chain data: tokenRate=${this._tokenRate} firstSignCap=${this._firstSignCap}`);
-        }
-        catch (err) {
-            debugWarn(`[SellerPayment] Failed to pre-fetch on-chain data: ${err instanceof Error ? err.message : err}`);
-        }
+    /** Get the active session for a buyer peer, or null. */
+    getChannelByPeer(buyerPeerId) {
+        return this._channelStore.getActiveChannelByPeer(buyerPeerId, 'seller');
     }
-    /** Retry init if on-chain data is missing and enough time has passed. */
-    async ensureInitialized() {
-        if (this._tokenRate !== null && this._firstSignCap !== null)
-            return;
-        if (Date.now() - this._lastInitAttemptMs < SellerPaymentManager.INIT_RETRY_INTERVAL_MS)
-            return;
-        await this.init();
+    /** Get total USDC spent for a session (sum of recordSpend calls). */
+    getCumulativeSpend(sessionId) {
+        return this._spent.get(sessionId) ?? 0n;
+    }
+    /** Get the highest accepted cumulative amount for a session. */
+    getAcceptedCumulative(sessionId) {
+        return this._acceptedCumulative.get(sessionId) ?? 0n;
     }
-    static DEFAULT_SUGGESTED_AMOUNT = 100000n; // $0.10
+    /** Get the on-chain reserve budget ceiling for a session. */
+    getReserveMax(sessionId) {
+        return this._reserveMax.get(sessionId) ?? 0n;
+    }
+    static DEFAULT_SUGGESTED_AMOUNT = 1000000n; // $1.00 — matches contract FIRST_SIGN_CAP and buyer default
     /**
      * Build the PaymentRequired payload for a buyer that doesn't have a session.
-     * Returns null if on-chain data isn't available yet.
-     * For returning buyers (proven-sign eligible), uses the configured proven-sign
-     * amount instead of the first-sign amount (both default to $0.10).
      */
     getPaymentRequirements(requestId, buyerPeerId, pricing) {
-        const sellerEvmAddr = identityToEvmAddress(this._identity);
-        const tokenRate = this._tokenRate;
-        const firstSignCap = this._firstSignCap;
-        if (tokenRate === null || firstSignCap === null) {
-            return null;
-        }
-        const defaultAmount = SellerPaymentManager.DEFAULT_SUGGESTED_AMOUNT;
-        const firstSignAmount = this._config.firstSignAmountUsdc
-            ? BigInt(this._config.firstSignAmountUsdc) : defaultAmount;
-        const provenSignAmount = this._config.provenSignAmountUsdc
-            ? BigInt(this._config.provenSignAmountUsdc) : defaultAmount;
-        let suggestedAmount = firstSignAmount;
+        const minBudgetPerRequest = this._config.minBudgetPerRequest ?? DEFAULT_MIN_BUDGET_PER_REQUEST;
+        let suggestedAmount = SellerPaymentManager.DEFAULT_SUGGESTED_AMOUNT;
         if (buyerPeerId) {
-            const priorSession = this._sessionStore.getLatestSession(buyerPeerId, 'seller');
-            if (priorSession && BigInt(priorSession.tokensDelivered) > 0n) {
-                suggestedAmount = provenSignAmount;
+            const priorSession = this._channelStore.getLatestChannel(buyerPeerId, 'seller');
+            if (priorSession && priorSession.status === 'settled') {
+                // Returning buyer with proven history — could use a different amount
+                // For now, use the same default; config can override later
+                suggestedAmount = SellerPaymentManager.DEFAULT_SUGGESTED_AMOUNT;
             }
         }
         return {
-            sellerEvmAddr,
-            tokenRate: tokenRate.toString(),
-            firstSignCap: firstSignCap.toString(),
+            minBudgetPerRequest,
             suggestedAmount: suggestedAmount.toString(),
             requestId,
             ...(pricing?.inputUsdPerMillion != null ? { inputUsdPerMillion: pricing.inputUsdPerMillion } : {}),
             ...(pricing?.outputUsdPerMillion != null ? { outputUsdPerMillion: pricing.outputUsdPerMillion } : {}),
         };
     }
+    // ── CloseRequested handling ───────────────────────────────────
+    /**
+     * Handle a CloseRequested event for a channel this seller manages.
+     * If the seller has a stored SpendingAuth, immediately close the channel
+     * on-chain to claim earnings before the grace period expires.
+     */
+    async handleCloseRequested(channelId) {
+        const latestAuth = this._latestAuth.get(channelId);
+        const accepted = this._acceptedCumulative.get(channelId) ?? 0n;
+        const hasSpendingAuth = latestAuth && latestAuth.spendingAuthSig.length > 0;
+        if (accepted > 0n && hasSpendingAuth) {
+            debugLog(`[SellerPayment] CloseRequested for channel ${channelId.slice(0, 18)}... — closing with cumulative=${latestAuth.cumulativeAmount}`);
+            try {
+                await this._channelsClient.close(this._signer, channelId, latestAuth.cumulativeAmount, latestAuth.metadata || encodeMetadata(ZERO_METADATA), latestAuth.spendingAuthSig);
+                this._channelStore.updateChannelStatus(channelId, 'settled', latestAuth.cumulativeAmount.toString());
+                debugLog(`[SellerPayment] Channel ${channelId.slice(0, 18)}... closed successfully after CloseRequested`);
+            }
+            catch (err) {
+                debugWarn(`[SellerPayment] Failed to close channel ${channelId.slice(0, 18)}... after CloseRequested: ${err instanceof Error ? err.message : err}`);
+                // Early return: preserve in-memory maps so the next poll cycle can retry close()
+                return;
+            }
+        }
+        else if (accepted > 0n) {
+            // Had spend but no SpendingAuth (only ReserveAuth) — close with 0 to release deposit
+            debugLog(`[SellerPayment] CloseRequested for channel ${channelId.slice(0, 18)}... — no SpendingAuth, closing with finalAmount=0`);
+            try {
+                await this._channelsClient.close(this._signer, channelId, 0n, encodeMetadata(ZERO_METADATA), '0x');
+                this._channelStore.updateChannelStatus(channelId, 'settled', '0');
+            }
+            catch (err) {
+                debugWarn(`[SellerPayment] Failed to close channel ${channelId.slice(0, 18)}... with finalAmount=0: ${err instanceof Error ? err.message : err}`);
+                return;
+            }
+        }
+        else {
+            // No voucher — seller can't claim anything. Clean up locally;
+            // buyer will withdraw after grace period.
+            debugLog(`[SellerPayment] CloseRequested for channel ${channelId.slice(0, 18)}... — no SpendingAuth, cleaning up locally`);
+            this._channelStore.updateChannelStatus(channelId, 'timeout');
+        }
+        // Clean up in-memory state
+        this._acceptedCumulative.delete(channelId);
+        this._spent.delete(channelId);
+        this._latestAuth.delete(channelId);
+        this._closeRetryCount.delete(channelId);
+        this._reserveMax.delete(channelId);
+        // Find and remove buyer from active set
+        const channel = this._channelStore.getChannel(channelId);
+        if (channel) {
+            this._activeBuyers.delete(channel.peerId);
+        }
+    }
+    /**
+     * Poll for CloseRequested events and handle any that match active channels.
+     * Returns the block number to use as the next fromBlock cursor.
+     */
+    async pollCloseRequested(fromBlock) {
+        try {
+            // Fetch block number first and pin as toBlock to avoid race:
+            // if blocks are mined between the two calls, events in the gap would be missed.
+            const latestBlock = await this._channelsClient.getBlockNumber();
+            const events = await this._channelsClient.getCloseRequestedEvents(fromBlock, latestBlock);
+            for (const event of events) {
+                // Only handle channels this seller is actively tracking
+                if (this._acceptedCumulative.has(event.channelId) || this._channelStore.getChannel(event.channelId)?.status === 'active') {
+                    await this.handleCloseRequested(event.channelId);
+                }
+            }
+            return latestBlock + 1;
+        }
+        catch (err) {
+            debugWarn(`[SellerPayment] Failed to poll CloseRequested events: ${err instanceof Error ? err.message : err}`);
+            return fromBlock; // Retry from same block on next poll
+        }
+    }
     // ── Lifecycle ─────────────────────────────────────────────────
     close() {
-        // SessionStore is shared with BuyerPaymentManager, closed from node.ts
+        // ChannelStore is shared with BuyerPaymentManager, closed from node.ts
     }
 }
 //# sourceMappingURL=seller-payment-manager.js.map