@pafi-dev/issuer 0.3.0-beta.0 → 0.3.0-beta.10

package/dist/index.d.ts

@@ -1,6 +1,5 @@
-import { Address, Hex, PublicClient, Chain } from 'viem';
-import { PointTokenDomainConfig, MintRequest, EIP712Signature, MintParams, SwapParams, MintRequestV2, SignatureStruct, PartialUserOperation, BurnConsent, ReceiverConsent, PathKey, PoolKey, SponsorshipScenario } from '@pafi-dev/core';
-export { encodeExtData } from '@pafi-dev/core';
+import { Address, Hex, PublicClient, Chain, WalletClient } from 'viem';
+import { PointTokenDomainConfig, MintRequest, EIP712Signature, PartialUserOperation, BurnRequest, ReceiverConsent, PathKey, PoolKey } from '@pafi-dev/core';
 
 /**
  * Lifecycle of a minting request as tracked by the issuer's point ledger.
@@ -449,168 +448,93 @@ declare class AuthError extends Error {
 }
 
 /**
- * Parameters for a single `mintAndSwap` relay submission. This is the
- * exact shape the Relay contract expects, with the two structs the
- * `@pafi/core` calldata helpers build. The RelayService wires these
- * through viem's `writeContract`.
- */
-interface SubmitMintAndSwapParams {
-    mint: MintParams;
-    swap: SwapParams;
-}
-/**
- * Result of a relay submission. `txHash` is returned immediately after
- * the tx is broadcast; `receipt` is present only when the caller opted to
- * wait for confirmation.
- */
-interface RelayResult {
-    txHash: Hex;
-    blockNumber?: bigint;
-    gasUsed?: bigint;
-    status?: "success" | "reverted";
-}
-/**
- * Errors raised by RelayService carry a `code` so the MintingGateway (or
- * any caller) can decide whether to release the ledger lock.
+ * Errors raised by RelayService carry a `code` so callers (handlers /
+ * gateway-less HTTP wrappers) can decide how to map them to HTTP status.
+ *
+ * v1.4 trimmed the error space to just encoding failures — the service
+ * no longer broadcasts transactions, so `SUBMIT_FAILED`, `TX_REVERTED`,
+ * `SIMULATION_FAILED`, and `TIMEOUT` all went away with the operator
+ * wallet. Paymaster/Bundler errors surface out-of-band on the FE.
  */
-type RelayErrorCode = "NOT_CONFIGURED" | "ENCODE_FAILED" | "SIMULATION_FAILED" | "SUBMIT_FAILED" | "TX_REVERTED" | "TIMEOUT";
+type RelayErrorCode = "NOT_CONFIGURED" | "ENCODE_FAILED";
 declare class RelayError extends Error {
     readonly code: RelayErrorCode;
     readonly cause?: unknown;
     constructor(code: RelayErrorCode, message: string, cause?: unknown);
 }
-/**
- * Interface an operator wallet must satisfy for the RelayService. Matches
- * the subset of viem's `WalletClient` we actually call, so tests can pass
- * a minimal mock instead of a full client.
- */
-interface OperatorWalletLike {
-    writeContract: (args: {
-        address: Address;
-        abi: readonly unknown[];
-        functionName: string;
-        args: readonly unknown[];
-        account?: {
-            address: Address;
-        };
-    }) => Promise<Hex>;
-    account?: {
-        address: Address;
-    } | undefined;
-}
 
-interface RelayServiceConfig {
-    /** Address of the deployed Relay contract (chain-specific). */
-    relayAddress: Address;
-    /** Operator wallet that pays gas and receives the operator fee. */
-    operatorWallet: OperatorWalletLike;
-    /**
-     * Provider used for pre-flight simulation and receipt waiting. Optional —
-     * if omitted, the service still broadcasts but returns only `txHash`
-     * (caller is responsible for confirmation tracking).
-     */
-    provider?: PublicClient;
-    /**
-     * If a provider is supplied, wait up to this many milliseconds for a
-     * receipt before timing out. Default: 60_000 (one minute).
-     */
-    confirmationTimeoutMs?: number;
-    /**
-     * Whether to run `simulateContract` before submitting. Catches most
-     * reverts locally without wasting gas. Default: true (when provider is
-     * supplied).
-     */
-    simulateBeforeSubmit?: boolean;
-}
 /**
- * Submits `mintAndSwap` transactions to the Relay contract on behalf of
- * the issuer. This is the single place the operator wallet is touched; the
- * MintingGateway calls into `submitMintAndSwap()` after it has signed the
- * MintRequest and verified the ReceiverConsent.
+ * Builds unsigned `PartialUserOperation` payloads for the v1.4 sponsored
+ * flow. The service is stateless and HTTP-client-free:
  *
- * The service is intentionally thin: calldata encoding stays in `@pafi/core`
- * (`encodeMintAndSwap`), so on-chain ABI changes only ripple through one
- * package.
+ *   - `prepareMint` signs a `MintRequest` EIP-712 with the caller-supplied
+ *     issuer signer wallet, then encodes `PointToken.mint(to, amount,
+ *     deadline, minterSig)` into a UserOp the frontend submits via
+ *     EIP-7702 + Paymaster.
+ *   - `prepareBurn` mirrors the above on the burn side using a
+ *     pre-signed `BurnRequest` + `PointToken.burn(from, amount,
+ *     deadline, burnerSig)`.
+ *
+ * There is no broadcasting, no operator wallet, no simulation — those
+ * concerns moved to the Bundler + Paymaster in v1.4.
  */
 declare class RelayService {
-    private readonly relayAddress;
-    private readonly operatorWallet;
-    private readonly provider?;
-    private readonly confirmationTimeoutMs;
-    private readonly simulateBeforeSubmit;
-    constructor(config: RelayServiceConfig);
-    /** Address the operator wallet is broadcasting from (for logging). */
-    operatorAddress(): Address | undefined;
     /**
-     * Build calldata for the Relay `mintAndSwap` function. Kept public so
-     * callers (e.g. the MintingGateway) can log or persist the encoded call
-     * for audit before broadcasting.
+     * Build an unsigned UserOp for Scenario 1 (Mint) — sig-gated
+     * `PointToken.mint(to, amount, deadline, minterSig)`.
      */
-    encodeCall(params: SubmitMintAndSwapParams): Hex;
-    /**
-     * Submit a `mintAndSwap` transaction. Flow:
-     *
-     *   1. (optional) pre-flight simulate via provider
-     *   2. writeContract through the operator wallet
-     *   3. (optional) wait for the receipt and surface gasUsed / status
-     *
-     * Throws a typed `RelayError` on any failure so the MintingGateway can
-     * decide whether to release the ledger lock (`SUBMIT_FAILED` and
-     * `SIMULATION_FAILED` are safe to release; `TX_REVERTED` and `TIMEOUT`
-     * need manual review because the tx may still land).
-     *
-     * @deprecated Since 0.3.0 — will be replaced by `prepareMint()` +
-     * `prepareBurn()` in the v1.4 sponsored-UserOp flow. The SC team
-     * still needs to finalize Relayer v2 ABI before the replacements
-     * can ship (blocker B1). Kept for v0.2.x consumers. Removed in 2.0.
-     */
-    submitMintAndSwap(params: SubmitMintAndSwapParams): Promise<RelayResult>;
-    /**
-     * Build an unsigned UserOp for Scenario 1 (Mint).
-     *
-     * Flow:
-     *   1. Encode `Relayer.mint(request, userSig, issuerSig)` as the inner call
-     *   2. Optionally append a PT fee transfer from user → feeRecipient
-     *      (fee recovery happens on-chain via BatchExecutor, not via an
-     *      operator wallet)
-     *   3. Wrap all inner calls into `BatchExecutor.execute(calls[])`
-     *   4. Return a `PartialUserOperation` ready for:
-     *        - gas estimation (Bundler)
-     *        - paymaster sponsorship (PAFI Backend)
-     *        - user signature (Privy)
-     */
-    prepareMint(params: PrepareMintParams): PartialUserOperation;
+    prepareMint(params: PrepareMintParams): Promise<PartialUserOperation>;
     /**
      * Build an unsigned UserOp for Scenario 2 (Burn/Redeem).
      *
      * Two modes:
-     *   - `mode: 'burn'` — direct `PointToken.burn(amount)`; `msg.sender`
-     *     via EIP-7702 delegation is the user, so no signature needed
-     *     on-chain (the BurnConsent was already verified off-chain by
-     *     the issuer backend before we got here)
-     *   - `mode: 'burnWithSig'` — `PointToken.burnWithSig(consent, sig)`;
-     *     used when the issuer hasn't verified the consent and the
-     *     contract has to do it on-chain
+     *   - `mode: 'burn'` — direct `PointToken.burn(from, amount)`; only
+     *     usable if the caller (via EIP-7702) is whitelisted as a burner.
+     *     Rare in v1.4; kept for admin/operator tools.
+     *   - `mode: 'burnWithSig'` — `PointToken.burn(from, amount, deadline,
+     *     burnerSig)`. Caller provides a pre-signed `BurnRequest` + sig
+     *     bytes (typically from `PTRedeemHandler`).
      */
     prepareBurn(params: PrepareBurnParams): PartialUserOperation;
 }
+/**
+ * v1.4 — sig-gated `PointToken.mint(to, amount, deadline, minterSig)`.
+ *
+ * The issuer backend validates off-chain (balance, policy, KYC), signs
+ * a `MintRequest` EIP-712 with its minter signer, and packages the
+ * whole thing into a UserOp for the user to submit via EIP-7702 +
+ * Paymaster. On confirmation, PointIndexer watches `Transfer(0x0, user,
+ * amount)` and resolves the ledger lock.
+ */
 interface PrepareMintParams {
     /** User EOA that will send the UserOp (via EIP-7702 delegation). */
     userAddress: Address;
-    /** ERC-4337 account nonce (not the MintRequest nonce — different namespace). */
+    /** ERC-4337 account nonce. Caller fetches from EntryPoint v0.7. */
     aaNonce: bigint;
-    /** Deployed Relayer v2 contract address (chain-specific). */
-    relayerAddress: Address;
     /** BatchExecutor delegation target (chain-specific). */
     batchExecutorAddress: Address;
-    /** PointToken being minted — used for optional fee transfer call. */
+    /** PointToken contract — the call target + EIP-712 verifying contract. */
     pointTokenAddress: Address;
-    /** EIP-712-signed MintRequest fields. */
-    mintRequest: MintRequestV2;
-    /** User's EIP-712 signature over `mintRequest`. */
-    userSignature: SignatureStruct;
-    /** Issuer's EIP-712 signature over `mintRequest`. */
-    issuerSignature: SignatureStruct;
+    /** PT amount to mint to `userAddress`. */
+    amount: bigint;
+    /**
+     * Issuer minter signer wallet — signs the `MintRequest` EIP-712.
+     * Must be added to `PointToken.minters[]` via `addMinter(signerAddr)`
+     * at provisioning time. Typically HSM/KMS-backed in prod.
+     */
+    issuerSignerWallet: WalletClient;
+    /** EIP-712 domain for MintRequest. */
+    domain: PointTokenDomainConfig;
+    /** Current `mintRequestNonces[userAddress]` — caller reads from contract. */
+    mintRequestNonce: bigint;
+    /** Unix timestamp after which the signature expires. */
+    deadline: bigint;
+    /**
+     * Optional — application-level fee transfer appended after mint.
+     * Set both `feeAmount` and `feeRecipient` together.
+     */
+    feeAmount?: bigint;
+    feeRecipient?: Address;
     /** Gas limits — defaults are conservative; caller can tighten. */
     callGasLimit?: bigint;
     verificationGasLimit?: bigint;
@@ -632,8 +556,10 @@ interface PrepareBurnDirectParams extends PrepareBurnCommonParams {
 }
 interface PrepareBurnWithSigParams extends PrepareBurnCommonParams {
     mode: "burnWithSig";
-    burnConsent: BurnConsent;
-    consentSignature: SignatureStruct;
+    /** BurnRequest message the issuer burner signer signed. */
+    burnRequest: BurnRequest;
+    /** Serialized EIP-712 signature (bytes) over `burnRequest`. */
+    burnerSignature: Hex;
 }
 
 interface FeeManagerConfig {
@@ -699,156 +625,6 @@ declare class FeeManager {
     estimateGasFee(): Promise<bigint>;
 }
 
-/**
- * End-user request for a full "burn points → receive USDT" flow. The
- * receiver has already signed the `ReceiverConsent` EIP-712 message on
- * the frontend; the issuer backend runs everything else.
- */
-interface MintAndCashOutRequest {
-    /** Address owning the off-chain points (== receiver in the consent). */
-    userAddress: Address;
-    /** Point token contract to mint. */
-    pointTokenAddress: Address;
-    /** Chain id the relay will submit on. */
-    chainId: number;
-    /**
-     * EIP-712 domain for `pointTokenAddress`. The gateway passes this
-     * straight through to `@pafi/core` `verifyReceiverConsent` and the
-     * issuer signer. Callers typically fetch it once via
-     * `PafiSDK.getDomain()` and cache it.
-     */
-    domain: PointTokenDomainConfig;
-    /**
-     * Receiver consent message + signature, pre-built by the frontend. The
-     * message specifies `onBehalfOf = relay contract` and
-     * `originalReceiver = userAddress`, plus the amount, nonce, deadline,
-     * and encoded extData.
-     */
-    receiverConsent: ReceiverConsent;
-    receiverSignature: Hex;
-    /**
-     * Swap path for the USDT output. Empty array = "no swap" (rare — only
-     * useful for testing). Normally a single hop pointToken → USDT.
-     */
-    swapPath: PathKey[];
-    /** Swap deadline (unix seconds). */
-    swapDeadline: bigint;
-    /**
-     * Lock TTL (ms) to apply to the off-chain balance. The gateway computes
-     * a safe default from `receiverConsent.deadline` if omitted.
-     */
-    lockDurationMs?: number;
-}
-/**
- * Result returned to the caller after a successful `processMintAndCashOut`.
- * The `lockId` is preserved so the indexer can correlate the on-chain
- * Mint event back to the ledger row (though that correlation is typically
- * done by `(userAddress, amount)` in the default `MemoryPointLedger`).
- */
-interface MintAndCashOutResponse {
-    txHash: Hex;
-    lockId: string;
-    blockNumber?: bigint;
-    gasUsed?: bigint;
-}
-/**
- * Error codes a MintingGateway can surface. Callers (API handlers) map
- * these to HTTP status codes. The `SAFE_TO_RETRY` field tells the caller
- * whether the underlying lock was released — if not, the user should
- * wait before retrying to avoid double-spend.
- */
-type MintingGatewayErrorCode = "INVALID_REQUEST" | "INVALID_CONSENT_SIGNATURE" | "CONSENT_EXPIRED" | "POLICY_REJECTED" | "INSUFFICIENT_BALANCE" | "SIGNER_FAILED" | "RELAY_SIMULATION_FAILED" | "RELAY_SUBMIT_FAILED" | "RELAY_REVERTED" | "RELAY_TIMEOUT";
-declare class MintingGatewayError extends Error {
-    readonly code: MintingGatewayErrorCode;
-    /**
-     * True if the ledger lock was released before this error was thrown,
-     * meaning the user can safely retry. False means the funds are still
-     * locked (e.g. tx may still land on-chain) and retry would double-spend.
-     */
-    readonly safeToRetry: boolean;
-    readonly cause?: unknown;
-    constructor(code: MintingGatewayErrorCode, message: string, opts: {
-        safeToRetry: boolean;
-        cause?: unknown;
-    });
-}
-
-interface MintingGatewayConfig {
-    ledger: IPointLedger;
-    policy: IPolicyEngine;
-    signer: IIssuerSigner;
-    relayService: RelayService;
-    /**
-     * Clock override for tests. Defaults to `() => Date.now()`. Used to
-     * compute safe lock TTLs and to check consent deadlines.
-     */
-    now?: () => number;
-    /**
-     * Extra buffer (ms) added on top of `(consent.deadline - now)` when the
-     * caller doesn't supply a `lockDurationMs`. Default: 60_000 (one minute
-     * — roughly 2× the Base L2 block confirmation time).
-     */
-    defaultLockBufferMs?: number;
-}
-/**
- * The MintingGateway is the central orchestrator that turns a user's
- * signed ReceiverConsent into an on-chain `mintAndSwap` tx and a
- * consistent off-chain ledger update.
- *
- * 11-step flow (per `PAFI_ISSUER_SDK_SPEC.md` §4.3):
- *
- *   1. Field validation (cheap rejects before any crypto)
- *   2. Verify ReceiverConsent signature via `@pafi/core`
- *   3. Check off-chain balance via ledger
- *   4. Check locked requests via ledger
- *   5. Run policy engine (balance + on-chain cap + issuer rules)
- *   6. Lock the requested amount in the ledger
- *   7. Sign MintRequest as issuer
- *   8. Build MintParams + SwapParams
- *   9. Submit via RelayService (encode + simulate + broadcast + wait)
- *  10. Return { txHash, lockId, receipt fields }
- *  11. On any failure, release the lock IF it's safe to retry — i.e. we
- *      know the tx cannot still land on-chain. If the tx may have made
- *      it (`TX_REVERTED` or `TIMEOUT`), we leave the lock alone and
- *      surface `safeToRetry: false` so the caller doesn't double-spend.
- *
- * The gateway deliberately does NOT deduct the balance here. Deduction
- * happens in the `PointIndexer` when the on-chain Mint event is observed,
- * which is what makes the system crash-safe: if the gateway dies between
- * broadcast and receipt, the indexer will still finalize the ledger.
- */
-declare class MintingGateway {
-    private readonly ledger;
-    private readonly policy;
-    private readonly signer;
-    private readonly relayService;
-    private readonly now;
-    private readonly defaultLockBufferMs;
-    constructor(config: MintingGatewayConfig);
-    /**
-     * @deprecated Since 0.3.0 — will be renamed to `processMint()` once
-     * the SC team finalizes Relayer v2 ABI. The new flow drops the
-     * swap steps entirely (no more single-call mint+swap); users swap
-     * separately on PAFI Web. Kept here for v0.2.x consumers. Removed in 2.0.
-     */
-    processMintAndCashOut(request: MintAndCashOutRequest): Promise<MintAndCashOutResponse>;
-    private computeLockDurationMs;
-    /**
-     * Map a RelayError to a MintingGatewayError, releasing the lock only
-     * when the tx definitely did not land. `TX_REVERTED` and `TIMEOUT`
-     * leave the lock in place because the tx may still be in the mempool
-     * or already mined — releasing would enable a double-spend on retry.
-     * Always throws.
-     */
-    private handleRelayFailure;
-    /**
-     * Release a lock, swallowing any secondary error. We never want a lock
-     * release failure to mask the original error — the lock will auto-expire
-     * via TTL anyway.
-     */
-    private releaseLockSafely;
-}
-
 /** Decoded Transfer(from=0x0 → to) event used to finalize a mint. */
 interface MintEvent {
     /** Destination address (the user who received the minted points) */
@@ -1093,6 +869,18 @@ interface ApiConfigResponse {
         mintingOracle?: Address;
         poolManager?: Address;
         usdt?: Address;
+        /**
+         * EIP-7702 delegation target — the single contract every user's
+         * EOA must delegate to before submitting sponsored UserOps. On
+         * Base mainnet this is Coinbase Smart Wallet v2.
+         */
+        batchExecutor?: Address;
+        /**
+         * Uniswap V4 hook that enforces the 10% fee on PT→USDT swaps
+         * (USDT→PT is free). FE uses this in `PoolKey.hooks` when building
+         * a swap; the pool is only discoverable when the hook matches.
+         */
+        pafiHook?: Address;
     };
     /**
      * Absolute URL that the Issuer App opens after a successful claim to
@@ -1211,7 +999,6 @@ type PoolsProvider = (request: ApiPoolsRequest) => Promise<ApiPoolsResponse>;
 
 interface IssuerApiHandlersConfig {
     authService: AuthService;
-    gateway: MintingGateway;
     ledger: IPointLedger;
     /** Used by `handleUser` to read on-chain nonces and minter status. */
     provider: PublicClient;
@@ -1242,8 +1029,7 @@ interface IssuerApiHandlersConfig {
  * Framework-agnostic HTTP handlers that match the endpoints a `PafiSDK`
  * frontend expects to call. Issuers wrap these in Express / Fastify /
  * Hono / whatever — the handlers take plain inputs and return plain
- * outputs, with `AuthError` / `MintingGatewayError` surfaced as typed
- * exceptions.
+ * outputs, with `AuthError` surfaced as typed exceptions.
  *
  * Every protected handler takes a pre-verified `userAddress` as its first
  * argument. The issuer's middleware wraps `authenticateRequest()` from
@@ -1252,7 +1038,6 @@ interface IssuerApiHandlersConfig {
  */
 declare class IssuerApiHandlers {
     private readonly authService;
-    private readonly gateway;
     private readonly ledger;
     private readonly provider;
     /**
@@ -1314,33 +1099,32 @@ declare class IssuerApiHandlers {
      * mobile apps — no app store review needed.
      */
     handleBuildConsentTypedData(userAddress: Address, request: ApiBuildConsentTypedDataRequest): Promise<ApiBuildConsentTypedDataResponse>;
-    /**
-     * `POST /claim-and-swap`
-     *
-     * @deprecated Since 0.3.0 — the single-call mint-then-swap flow is
-     * retired in v1.4. Use the new `handleClaim()` (mint only) and let
-     * the user swap separately on PAFI Web. See
-     * [V1.4_V1.5_OVERVIEW.md §4] for the new scenario model. Will be
-     * removed in 2.0.
-     *
-     * Legacy behavior: the terminal handler forwards the verified
-     * consent to the MintingGateway, which runs the 11-step flow.
-     */
-    handleClaimAndSwap(userAddress: Address, request: ApiClaimAndSwapRequest): Promise<ApiClaimAndSwapResponse>;
 }
 
 /**
- * v1.4 reverse flow — **Variant A**: user-initiated PT redeem.
+ * v1.4 reverse flow — user-initiated PT redeem.
+ *
+ * User has on-chain PT, wants to convert back to off-chain points. The
+ * issuer backend signs a `BurnRequest` with its burner signer, reserves
+ * an off-chain pending credit, and returns an unsigned UserOp. The FE
+ * submits the UserOp via EIP-7702 + Coinbase Paymaster. On confirmation,
+ * `Transfer(user → 0x0)` is emitted; `BurnIndexer` resolves the pending
+ * credit to a real off-chain credit.
  *
- * User has on-chain PT, wants to convert back to off-chain points. They
- * sign a `BurnConsent`, the issuer backend verifies it, reserves an
- * off-chain credit, and returns an unsigned UserOp that the frontend
- * submits via the Bundler. When the burn lands, the `BurnIndexer`
- * (elsewhere) resolves the credit.
+ * Contract path (mock ABI — matches deployed PointToken):
  *
- * **Mocked SC contracts** — this handler compiles + wires end-to-end
- * against `@pafi-dev/core/contracts` mock ABIs. When SC ships real
- * ABIs, no changes here — only `contracts/index.ts` re-export flips.
+ *   burn(address from, uint256 amount, uint256 deadline, bytes burnerSig)
+ *
+ * On-chain checks:
+ *   - msg.sender == from (enforced via EIP-7702 delegation on user EOA)
+ *   - burnerSig signer ∈ burners[]
+ *   - nonce == burnRequestNonces[from]
+ *   - now <= deadline
+ *
+ * The user never signs an EIP-712 message in this flow. Their only
+ * signature is the ERC-4337 UserOp signature, which the AA wallet
+ * handles. Consent is implicit: by submitting the UserOp they authorize
+ * the burn.
  */
 interface PTRedeemHandlerConfig {
     ledger: IPointLedger;
@@ -1350,32 +1134,41 @@ interface PTRedeemHandlerConfig {
     pointTokenAddress: Address;
     /** BatchExecutor delegation target (chain-specific). */
     batchExecutorAddress: Address;
-    /** Chain id — used for domain separator when verifying BurnConsent. */
+    /** Chain id — used for the BurnRequest EIP-712 domain. */
     chainId: number;
     /**
      * EIP-712 domain fields. Must match the on-chain PointToken's domain
-     * separator exactly, or signature verification fails. `name` is
-     * typically the PointToken's ERC-20 name (e.g. "PAFI Starbucks
-     * Points"). `verifyingContract` defaults to `pointTokenAddress`.
+     * separator, or on-chain signature recovery fails. `name` is
+     * typically the PointToken's ERC-20 name. `verifyingContract`
+     * defaults to `pointTokenAddress`.
      */
     domain: {
         name: string;
         verifyingContract?: Address;
     };
+    /**
+     * Issuer burner signer wallet — signs the `BurnRequest` EIP-712.
+     * Must be whitelisted via `PointToken.addBurner(signerAddr)` at
+     * provisioning time. Typically HSM/KMS-backed in prod.
+     */
+    burnerSignerWallet: WalletClient;
     /**
      * How long the pending credit stays reserved if the burn never lands.
      * Default: 15 min — long enough for a bundler submission + confirmation.
      */
     redeemLockDurationMs?: number;
+    /**
+     * How far ahead of `now` to set the BurnRequest deadline. Default:
+     * 15 min. Must be long enough for Bundler + EntryPoint to execute;
+     * short enough to prevent replay if the UserOp is abandoned.
+     */
+    signatureDeadlineSeconds?: number;
     /** Clock injection for tests; defaults to `Date.now`. */
     now?: () => number;
 }
 interface PTRedeemRequest {
     userAddress: Address;
     amount: bigint;
-    /** Serialized EIP-712 signature over the BurnConsent. */
-    consentSignature: Hex;
-    consent: BurnConsent;
     /** ERC-4337 account nonce for the user's EOA. */
     aaNonce: bigint;
 }
@@ -1386,19 +1179,24 @@ interface PTRedeemResponse {
     userOp: PartialUserOperation;
     /** Seconds until the lock expires if the burn doesn't land. */
     expiresInSeconds: number;
+    /** The BurnRequest deadline (unix seconds) — FE uses this to surface a countdown. */
+    signatureDeadline: bigint;
 }
 declare class PTRedeemError extends Error {
-    code: "INVALID_CONSENT" | "SIGNATURE_MISMATCH" | "AMOUNT_MISMATCH" | "EXPIRED_CONSENT" | "LEDGER_NOT_SUPPORTED";
-    constructor(code: "INVALID_CONSENT" | "SIGNATURE_MISMATCH" | "AMOUNT_MISMATCH" | "EXPIRED_CONSENT" | "LEDGER_NOT_SUPPORTED", message: string);
+    code: "INVALID_AMOUNT" | "NONCE_READ_FAILED" | "LEDGER_NOT_SUPPORTED" | "SIGNING_FAILED";
+    constructor(code: "INVALID_AMOUNT" | "NONCE_READ_FAILED" | "LEDGER_NOT_SUPPORTED" | "SIGNING_FAILED", message: string);
 }
 declare class PTRedeemHandler {
     private readonly ledger;
     private readonly relayService;
+    private readonly provider;
     private readonly pointTokenAddress;
     private readonly batchExecutorAddress;
     private readonly chainId;
     private readonly domain;
+    private readonly burnerSignerWallet;
     private readonly redeemLockDurationMs;
+    private readonly signatureDeadlineSeconds;
     private readonly now;
     constructor(config: PTRedeemHandlerConfig);
     handle(request: PTRedeemRequest): Promise<PTRedeemResponse>;
@@ -1419,8 +1217,12 @@ declare class PTRedeemHandler {
  *   → burn 200 PT, credit 200 off-chain, voucher proceeds with 500
  *
  * Delegates the actual burn construction to {@link PTRedeemHandler}
- * — this handler is pure business logic (calculating shortfall +
- * checking on-chain balance) on top.
+ * — this handler is pure business logic (shortfall math + on-chain
+ * balance check) on top.
+ *
+ * v1.4 note: user no longer pre-signs a `BurnConsent`. The issuer
+ * backend signs a `BurnRequest` itself (see `PTRedeemHandler`), so
+ * this handler only needs `userAddress + requiredAmount + aaNonce`.
  */
 interface TopUpRedemptionHandlerConfig {
     ledger: IPointLedger;
@@ -1433,12 +1235,8 @@ interface TopUpRedemptionRequest {
     userAddress: Address;
     /** Total points the voucher redemption requires off-chain. */
     requiredAmount: bigint;
-    /**
-     * The user's pre-signed `BurnConsent` + signature, prepared by the FE
-     * with amount set to a worst-case upper bound. Handler inspects the
-     * shortfall and uses the consent if the shortfall ≤ consent.amount.
-     */
-    redeemRequest: Pick<PTRedeemRequest, "consent" | "consentSignature" | "aaNonce">;
+    /** ERC-4337 account nonce for the user's EOA. */
+    aaNonce: bigint;
 }
 type TopUpRedemptionResponse = {
     action: "NO_TOP_UP_NEEDED";
@@ -1454,8 +1252,8 @@ type TopUpRedemptionResponse = {
     redeem: PTRedeemResponse;
 };
 declare class TopUpRedemptionError extends Error {
-    code: "INSUFFICIENT_ONCHAIN_BALANCE" | "CONSENT_AMOUNT_TOO_LOW" | "LEDGER_NOT_SUPPORTED";
-    constructor(code: "INSUFFICIENT_ONCHAIN_BALANCE" | "CONSENT_AMOUNT_TOO_LOW" | "LEDGER_NOT_SUPPORTED", message: string);
+    code: "INSUFFICIENT_ONCHAIN_BALANCE" | "LEDGER_NOT_SUPPORTED";
+    constructor(code: "INSUFFICIENT_ONCHAIN_BALANCE" | "LEDGER_NOT_SUPPORTED", message: string);
 }
 declare class TopUpRedemptionHandler {
     private readonly ledger;
@@ -1640,185 +1438,52 @@ declare class BalanceAggregator {
 }
 
 interface RetryConfig {
-    /**
-     * Max total attempts including the first try. Default: 1 (no retry).
-     * Set to 3 to get 2 retries after the initial call.
-     *
-     * Only applies when the server error body carries `safeToRetry: true`
-     * or the failure is a transient network/timeout error.
-     */
     maxAttempts?: number;
-    /**
-     * Initial backoff delay in ms. Default: 500. Each subsequent retry
-     * doubles this (exponential backoff) and adds ±20% jitter.
-     */
     initialDelayMs?: number;
-    /**
-     * Hard ceiling for a single backoff (ms). Default: 10_000.
-     */
     maxDelayMs?: number;
-    /**
-     * Upper bound on `retryAfter` from the server. If the server asks us
-     * to wait longer than this (e.g. rate limit until UTC midnight), the
-     * client gives up rather than blocking. Default: 30_000.
-     */
     maxRetryAfterMs?: number;
 }
 interface PafiBackendConfig {
-    /**
-     * PAFI Backend API base URL. Example:
-     *   https://api.pacificfinance.org
-     *   https://staging-api.pacificfinance.org
-     */
     url: string;
-    /** PAFI-assigned issuer ID (e.g., "gg56"). Sent in X-Issuer-Id header. */
     issuerId: string;
-    /** Per-issuer API key (or JWT) for the Authorization header. */
     apiKey: string;
-    /** Optional fetch override for tests. */
     fetchImpl?: typeof fetch;
-    /**
-     * Timeout (ms) for each request. Default: 10_000. PAFI Backend should
-     * respond in <1s for the happy path; this is just the sanity bound.
-     */
     timeoutMs?: number;
-    /**
-     * Retry policy for transient failures (5xx, 429, timeouts, network).
-     * Omit or pass `{ maxAttempts: 1 }` to disable retry entirely.
-     */
     retry?: RetryConfig;
 }
-/** Paired with `POST /paymaster/sponsor`. See SPONSORED_PATH_FLOW.md §4.1 */
-interface SponsorshipRequest {
-    chainId: number;
-    scenario: SponsorshipScenario;
-    userOp: PartialUserOperation;
-    target: {
-        /** The allowlisted contract this batch call targets. */
-        contract: Address;
-        /** Function selector / name — validated against allowlist. */
-        function: string;
-        /** The PointToken involved (for scenario context). */
-        pointToken?: Address;
-    };
-}
-interface SponsorshipResponse {
-    paymaster: Address;
-    paymasterData: Hex;
-    paymasterVerificationGasLimit: bigint;
-    paymasterPostOpGasLimit: bigint;
-    /** Unix seconds when this sponsorship expires. Re-request after. */
-    expiresAt: number;
-}
-/**
- * Machine-readable error codes returned by PAFI Backend.
- *
- * Source of truth: `apps/paymaster-proxy` `CalldataValidationError`,
- * `RateLimitError`, `CoinbaseClientError`. Keep in sync.
- */
-type PafiBackendErrorCode = "MISSING_ISSUER_ID" | "MISSING_API_KEY" | "ISSUER_UNAUTHORIZED" | "CALLDATA_INVALID" | "CALLDATA_EMPTY_BATCH" | "TARGET_NOT_ALLOWLISTED" | "FUNCTION_NOT_ALLOWED" | "SCENARIO_MISMATCH" | "SCENARIO_DISABLED" | "RATE_LIMIT_EXCEEDED" | "RATE_LIMIT_EXCEEDED_DAILY" | "RATE_LIMIT_EXCEEDED_PER_USER" | "RATE_LIMITER_UNAVAILABLE" | "PAYMASTER_REJECTED" | "PAYMASTER_UNAVAILABLE" | "PAYMASTER_TIMEOUT" | "BAD_REQUEST" | "INTERNAL_ERROR" | "TIMEOUT" | "NETWORK_ERROR";
+type PafiBackendErrorCode = "MISSING_ISSUER_ID" | "MISSING_API_KEY" | "ISSUER_UNAUTHORIZED" | "USER_UNAUTHORIZED" | "INTENT_REJECTED" | "MINT_CAP_EXCEEDED" | "ISSUER_INACTIVE" | "BROKER_NOT_WHITELISTED" | "RATE_LIMIT_EXCEEDED" | "RATE_LIMIT_EXCEEDED_DAILY" | "RATE_LIMIT_EXCEEDED_PER_USER" | "ISSUER_BUDGET_EXCEEDED" | "RATE_LIMITER_UNAVAILABLE" | "BAD_REQUEST" | "INTERNAL_ERROR" | "TIMEOUT" | "NETWORK_ERROR";
 declare class PafiBackendError extends Error {
     code: PafiBackendErrorCode;
     httpStatus: number;
     details?: unknown | undefined;
-    /**
-     * Seconds to wait before retry. Populated from the server body
-     * (e.g. rate limit returns the number of seconds until UTC midnight).
-     */
     readonly retryAfter?: number;
-    /**
-     * `safeToRetry` as reported by the server body. Prefer this over the
-     * code-based heuristic when available — the server knows more about
-     * whether the same request will succeed on retry.
-     */
     private readonly serverSafeToRetry?;
     constructor(code: PafiBackendErrorCode, message: string, httpStatus: number, details?: unknown | undefined, opts?: {
         retryAfter?: number;
         safeToRetry?: boolean;
     });
-    /**
-     * Whether the caller can safely retry the same request.
-     *
-     * If the server provided `safeToRetry` in the body, trust that.
-     * Otherwise fall back to a code-based heuristic.
-     */
     get safeToRetry(): boolean;
 }
 
 /**
- * HTTP client for the PAFI Backend paymaster proxy service. See
- * [SPONSORED_PATH_FLOW.md] for the full flow + API contract.
+ * Top-level configuration for `createIssuerService`.
  *
- * This client sits between `@pafi/issuer`'s RelayService and the
- * PAFI Backend. It does NOT talk to Coinbase Paymaster directly —
- * PAFI Backend holds that integration.
- */
-declare class PafiBackendClient {
-    private readonly url;
-    private readonly issuerId;
-    private readonly apiKey;
-    private readonly fetchImpl;
-    private readonly timeoutMs;
-    private readonly retry;
-    constructor(config: PafiBackendConfig);
-    /**
-     * Request paymaster sponsorship for a pre-built UserOperation.
-     * See [SPONSORED_PATH_FLOW.md §4.1] for the API contract.
-     *
-     * Retries automatically on transient failures (5xx, timeouts, network
-     * errors, and errors the server flags with `safeToRetry: true`) up to
-     * `retry.maxAttempts`. 4xx errors that are not `safeToRetry` fail fast.
-     *
-     * @throws PafiBackendError on final failure after exhausting retries
-     */
-    requestSponsorship(req: SponsorshipRequest): Promise<SponsorshipResponse>;
-    private postWithRetry;
-    /**
-     * Pick the delay before the next retry.
-     * - If the server sent `retryAfter` (seconds), honor it (capped by
-     *   `maxRetryAfterMs`) — returns null if the server wait exceeds the
-     *   cap, signalling the caller should give up.
-     * - Otherwise: exponential backoff with ±20% jitter, capped at
-     *   `maxDelayMs`.
-     */
-    private computeBackoff;
-    private sleep;
-    private post;
-    /** JSON replacer that stringifies bigints. Paired with bigintReviver. */
-    private bigintReplacer;
-    /**
-     * JSON reviver that coerces specific numeric-string fields back to
-     * bigint. The server must send these fields as decimal strings.
-     */
-    private bigintReviver;
-}
-
-/**
- * Top-level configuration for `createIssuerService`. Everything except
- * the chain metadata, wallets, auth secret, and `signer` is optional and
- * falls back to the in-memory dev defaults — that makes the happy path
- * a single-call wire-up while still letting production issuers plug in
- * their own ledger, session store, policy engine, and KMS signer.
+ * In v1.4 the SDK is HTTP-client-free: it signs EIP-712 messages, reads
+ * on-chain state, builds unsigned UserOperations, and maintains the
+ * off-chain ledger. It never broadcasts transactions — that's the
+ * frontend's responsibility via Bundler + Paymaster.
  *
- * **Multi-token (0.2.0):** Pass `pointTokenAddresses: Address[]` to
+ * **Multi-token (0.2.0+):** Pass `pointTokenAddresses: Address[]` to
  * support multiple PointTokens under a single issuer backend. Legacy
  * `pointTokenAddress: Address` still works for single-token deployments.
  * When both are provided, `pointTokenAddresses` takes precedence.
  */
 interface IssuerServiceConfig {
     chainId: number;
-    /**
-     * Address of the deployed PointToken. Legacy single-token shortcut;
-     * prefer `pointTokenAddresses` for multi-token issuers.
-     */
+    /** Legacy single-token shortcut; prefer `pointTokenAddresses`. */
     pointTokenAddress?: Address;
-    /**
-     * All PointToken addresses this issuer supports. Takes precedence over
-     * `pointTokenAddress`. Factory creates one `PointIndexer` per address.
-     */
+    /** All PointToken addresses this issuer supports. */
     pointTokenAddresses?: Address[];
-    /** Address of the deployed Relay contract. */
-    relayAddress: Address;
     /**
      * Full contract address bundle returned verbatim by `handleConfig` so
      * the frontend SDK can pick them up.
@@ -1829,8 +1494,6 @@ interface IssuerServiceConfig {
      * polling, and gas-price lookups. Must be pointed at the target chain.
      */
     provider: PublicClient;
-    /** Operator wallet — pays gas, receives the operator fee. */
-    operatorWallet: OperatorWalletLike;
     auth: {
         jwtSecret: string;
         /** SIWE-style login-message domain, e.g. `"app.example.com"`. */
@@ -1838,19 +1501,12 @@ interface IssuerServiceConfig {
         /** Passed straight to `jose` (`"24h"`, `"7d"`, …). Default `"24h"`. */
         jwtExpiresIn?: string;
     };
-    /**
-     * Issuer signer. No default — production issuers MUST plug in an
-     * HSM/KMS-backed implementation. For local development use
-     * `PrivateKeySigner` directly.
-     */
-    signer: IIssuerSigner;
     ledger?: IPointLedger;
     policy?: IPolicyEngine;
     sessionStore?: ISessionStore;
     /**
      * Fee management config. If omitted the `handleGasFee` endpoint will
-     * throw "not configured" at request time. Pass any subset of fields
-     * to opt in — `provider` is inherited from the outer config.
+     * throw "not configured" at request time.
      */
     fee?: Omit<FeeManagerConfig, "provider">;
     /**
@@ -1870,32 +1526,18 @@ interface IssuerServiceConfig {
          */
         autoStart?: boolean;
     };
-    relay?: {
-        simulateBeforeSubmit?: boolean;
-        confirmationTimeoutMs?: number;
-    };
-    gateway?: {
-        /** Extra lock TTL buffer beyond consent deadline. Default 60_000 ms. */
-        defaultLockBufferMs?: number;
-    };
 }
 interface IssuerService {
     authService: AuthService;
     sessionStore: ISessionStore;
     ledger: IPointLedger;
     policy: IPolicyEngine;
-    signer: IIssuerSigner;
     relayService: RelayService;
     feeManager: FeeManager | undefined;
-    gateway: MintingGateway;
-    /**
-     * All indexers keyed by PointToken address. For multi-token issuers there
-     * is one per configured token. Single-token issuers will find one entry.
-     */
+    /** All indexers keyed by PointToken address. */
     indexers: Map<Address, PointIndexer>;
     /**
-     * First indexer. Kept for backward compat with 0.1.x callers that
-     * expected `service.indexer` to be a single instance.
+     * First indexer. Kept for backward compat with 0.1.x callers.
      * @deprecated use `indexers.get(tokenAddress)` for multi-token.
      */
     indexer: PointIndexer;
@@ -1903,8 +1545,6 @@ interface IssuerService {
 }
 /**
  * Wire a fully-functional issuer service from a single config object.
- * Returns every constructed collaborator so the caller can also use the
- * indexer or relay service directly outside the HTTP layer.
  *
  * Defaults:
  *  - `ledger`          → `MemoryPointLedger`
@@ -1914,12 +1554,11 @@ interface IssuerService {
  *  - `poolsProvider`   → undefined (handlePools throws until configured)
  *  - `indexer.autoStart` → false
  *
- * Throws synchronously if any required field (`signer`, `provider`,
- * `operatorWallet`, `auth.jwtSecret`, at least one point token) is missing.
+ * Throws synchronously if any required field is missing.
  */
 declare function createIssuerService(config: IssuerServiceConfig): IssuerService;
 
 /** SDK package version — bumped on every release */
 declare const PAFI_ISSUER_SDK_VERSION = "0.1.0";
 
-export { type ApiBuildConsentTypedDataRequest, type ApiBuildConsentTypedDataResponse, type ApiClaimAndSwapRequest, type ApiClaimAndSwapResponse, type ApiConfigResponse, type ApiGasFeeResponse, type ApiLoginRequest, type ApiLoginResponse, type ApiNonceResponse, type ApiPoolsRequest, type ApiPoolsResponse, type ApiUserRequest, type ApiUserResponse, type AuthContext, AuthError, type AuthErrorCode, AuthService, type AuthServiceConfig, BalanceAggregator, type BalanceAggregatorConfig, type BurnEvent, BurnIndexer, type BurnIndexerConfig, type CombinedBalance, DefaultPolicyEngine, type DefaultPolicyEngineOptions, FeeManager, type FeeManagerConfig, type IIndexerCursorStore, type IIssuerSigner, type IPointLedger, type IPolicyEngine, type ISessionStore, InMemoryCursorStore, IssuerApiHandlers, type IssuerApiHandlersConfig, type IssuerService, type IssuerServiceConfig, type LockedMintRequest, type LoginResult, MemoryPointLedger, MemorySessionStore, type MemorySessionStoreOptions, type MintAndCashOutRequest, type MintAndCashOutResponse, type MintEvent, MintingGateway, type MintingGatewayConfig, MintingGatewayError, type MintingGatewayErrorCode, type MintingStatus, NonceManager, type OperatorWalletLike, PAFI_ISSUER_SDK_VERSION, PTRedeemError, PTRedeemHandler, type PTRedeemHandlerConfig, type PTRedeemRequest, type PTRedeemResponse, PafiBackendClient, type PafiBackendConfig, PafiBackendError, type PafiBackendErrorCode, PointIndexer, type PointIndexerConfig, type PolicyDecision, type PolicyEvalRequest, type PoolsProvider, PrivateKeySigner, type PrivateKeySignerOptions, RelayError, type RelayErrorCode, type RelayResult, RelayService, type RelayServiceConfig, type Session, type SponsorshipRequest, type SponsorshipResponse, type SubgraphNativeUsdtQuoterConfig, type SubgraphPoolsProviderConfig, type SubmitMintAndSwapParams, TopUpRedemptionError, TopUpRedemptionHandler, type TopUpRedemptionHandlerConfig, type TopUpRedemptionRequest, type TopUpRedemptionResponse, authenticateRequest, createIssuerService, createSubgraphNativeUsdtQuoter, createSubgraphPoolsProvider };
+export { type ApiBuildConsentTypedDataRequest, type ApiBuildConsentTypedDataResponse, type ApiClaimAndSwapRequest, type ApiClaimAndSwapResponse, type ApiConfigResponse, type ApiGasFeeResponse, type ApiLoginRequest, type ApiLoginResponse, type ApiNonceResponse, type ApiPoolsRequest, type ApiPoolsResponse, type ApiUserRequest, type ApiUserResponse, type AuthContext, AuthError, type AuthErrorCode, AuthService, type AuthServiceConfig, BalanceAggregator, type BalanceAggregatorConfig, type BurnEvent, BurnIndexer, type BurnIndexerConfig, type CombinedBalance, DefaultPolicyEngine, type DefaultPolicyEngineOptions, FeeManager, type FeeManagerConfig, type IIndexerCursorStore, type IIssuerSigner, type IPointLedger, type IPolicyEngine, type ISessionStore, InMemoryCursorStore, IssuerApiHandlers, type IssuerApiHandlersConfig, type IssuerService, type IssuerServiceConfig, type LockedMintRequest, type LoginResult, MemoryPointLedger, MemorySessionStore, type MemorySessionStoreOptions, type MintEvent, type MintingStatus, NonceManager, PAFI_ISSUER_SDK_VERSION, PTRedeemError, PTRedeemHandler, type PTRedeemHandlerConfig, type PTRedeemRequest, type PTRedeemResponse, type PafiBackendConfig, PafiBackendError, type PafiBackendErrorCode, PointIndexer, type PointIndexerConfig, type PolicyDecision, type PolicyEvalRequest, type PoolsProvider, type PrepareBurnDirectParams, type PrepareBurnParams, type PrepareBurnWithSigParams, type PrepareMintParams, PrivateKeySigner, type PrivateKeySignerOptions, RelayError, type RelayErrorCode, RelayService, type RetryConfig, type Session, type SubgraphNativeUsdtQuoterConfig, type SubgraphPoolsProviderConfig, TopUpRedemptionError, TopUpRedemptionHandler, type TopUpRedemptionHandlerConfig, type TopUpRedemptionRequest, type TopUpRedemptionResponse, authenticateRequest, createIssuerService, createSubgraphNativeUsdtQuoter, createSubgraphPoolsProvider };