@pafi-dev/issuer 0.3.0-beta.1 → 0.3.0-beta.11

package/dist/index.cjs

@@ -28,18 +28,13 @@ __export(index_exports, {
   FeeManager: () => FeeManager,
   InMemoryCursorStore: () => InMemoryCursorStore,
   IssuerApiHandlers: () => IssuerApiHandlers,
-  MemoryPointLedger: () => MemoryPointLedger,
   MemorySessionStore: () => MemorySessionStore,
-  MintingGateway: () => MintingGateway,
-  MintingGatewayError: () => MintingGatewayError,
   NonceManager: () => NonceManager,
   PAFI_ISSUER_SDK_VERSION: () => PAFI_ISSUER_SDK_VERSION,
   PTRedeemError: () => PTRedeemError,
   PTRedeemHandler: () => PTRedeemHandler,
-  PafiBackendClient: () => PafiBackendClient,
   PafiBackendError: () => PafiBackendError,
   PointIndexer: () => PointIndexer,
-  PrivateKeySigner: () => PrivateKeySigner,
   RelayError: () => RelayError,
   RelayService: () => RelayService,
   TopUpRedemptionError: () => TopUpRedemptionError,
@@ -47,209 +42,10 @@ __export(index_exports, {
   authenticateRequest: () => authenticateRequest,
   createIssuerService: () => createIssuerService,
   createSubgraphNativeUsdtQuoter: () => createSubgraphNativeUsdtQuoter,
-  createSubgraphPoolsProvider: () => createSubgraphPoolsProvider,
-  encodeExtData: () => import_core4.encodeExtData
+  createSubgraphPoolsProvider: () => createSubgraphPoolsProvider
 });
 module.exports = __toCommonJS(index_exports);
 
-// src/ledger/memoryLedger.ts
-var import_viem = require("viem");
-var MemoryPointLedger = class {
-  balances = /* @__PURE__ */ new Map();
-  locks = /* @__PURE__ */ new Map();
-  nextLockId = 1;
-  now;
-  constructor(opts = {}) {
-    this.now = opts.now ?? (() => Date.now());
-  }
-  // -------------------------------------------------------------------------
-  // Read
-  // -------------------------------------------------------------------------
-  async getBalance(userAddress, tokenAddress) {
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    this.purgeExpired();
-    const total = this.balances.get(balanceKey(user, token)) ?? 0n;
-    const locked = this.lockedTotalFor(user, token);
-    return total - locked;
-  }
-  async getLockedRequests(userAddress, tokenAddress) {
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    this.purgeExpired();
-    const out = [];
-    for (const lock of this.locks.values()) {
-      if (lock.userAddress === user && lock.status === "PENDING" && (lock.tokenAddress ?? DEFAULT_TOKEN_KEY) === token) {
-        out.push({ ...lock });
-      }
-    }
-    return out;
-  }
-  // -------------------------------------------------------------------------
-  // Write
-  // -------------------------------------------------------------------------
-  async creditBalance(userAddress, amount, _reason, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error("MemoryPointLedger: credit amount must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    const key = balanceKey(user, token);
-    const current = this.balances.get(key) ?? 0n;
-    this.balances.set(key, current + amount);
-  }
-  async lockForMinting(userAddress, amount, lockDurationMs, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error("MemoryPointLedger: lock amount must be positive");
-    }
-    if (lockDurationMs <= 0) {
-      throw new Error("MemoryPointLedger: lockDurationMs must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    this.purgeExpired();
-    const total = this.balances.get(balanceKey(user, token)) ?? 0n;
-    const alreadyLocked = this.lockedTotalFor(user, token);
-    const available = total - alreadyLocked;
-    if (available < amount) {
-      throw new Error(
-        `MemoryPointLedger: insufficient balance \u2014 available=${available}, requested=${amount}`
-      );
-    }
-    const lockId = `lock-${this.nextLockId++}`;
-    const now = this.now();
-    const lock = {
-      lockId,
-      userAddress: user,
-      amount,
-      status: "PENDING",
-      createdAt: now,
-      expiresAt: now + lockDurationMs
-    };
-    if (tokenAddress !== void 0) {
-      lock.tokenAddress = (0, import_viem.getAddress)(tokenAddress);
-    }
-    this.locks.set(lockId, lock);
-    return lockId;
-  }
-  async releaseLock(lockId) {
-    const lock = this.locks.get(lockId);
-    if (!lock) return;
-    if (lock.status === "PENDING") {
-      this.locks.delete(lockId);
-    }
-  }
-  async deductBalance(userAddress, amount, txHash, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error("MemoryPointLedger: deduct amount must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    const key = balanceKey(user, token);
-    const current = this.balances.get(key) ?? 0n;
-    if (current < amount) {
-      throw new Error(
-        `MemoryPointLedger: cannot deduct ${amount} from balance ${current}`
-      );
-    }
-    this.balances.set(key, current - amount);
-    for (const lock of this.locks.values()) {
-      if (lock.userAddress === user && lock.status === "PENDING" && lock.amount === amount && (lock.tokenAddress ?? DEFAULT_TOKEN_KEY) === token) {
-        lock.status = "MINTED";
-        lock.txHash = txHash;
-        return;
-      }
-    }
-  }
-  async updateMintStatus(lockId, status, txHash) {
-    const lock = this.locks.get(lockId);
-    if (!lock) {
-      throw new Error(`MemoryPointLedger: unknown lockId ${lockId}`);
-    }
-    lock.status = status;
-    if (txHash) lock.txHash = txHash;
-  }
-  // -------------------------------------------------------------------------
-  // v1.4 — Reverse flow (PT burn → off-chain credit)
-  // -------------------------------------------------------------------------
-  pendingCredits = /* @__PURE__ */ new Map();
-  nextCreditId = 1;
-  async reservePendingCredit(userAddress, amount, durationMs, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error(
-        "MemoryPointLedger: pending credit amount must be positive"
-      );
-    }
-    if (durationMs <= 0) {
-      throw new Error("MemoryPointLedger: durationMs must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const lockId = `credit-${this.nextCreditId++}`;
-    const now = this.now();
-    this.pendingCredits.set(lockId, {
-      lockId,
-      userAddress: user,
-      amount,
-      tokenAddress: tokenAddress !== void 0 ? (0, import_viem.getAddress)(tokenAddress) : void 0,
-      createdAt: now,
-      expiresAt: now + durationMs,
-      status: "PENDING"
-    });
-    return lockId;
-  }
-  async resolveCreditByBurnTx(lockId, txHash) {
-    const credit = this.pendingCredits.get(lockId);
-    if (!credit) {
-      throw new Error(
-        `MemoryPointLedger: unknown pending credit lockId ${lockId}`
-      );
-    }
-    if (credit.status === "RESOLVED") {
-      if (credit.txHash === txHash) return;
-      throw new Error(
-        `MemoryPointLedger: credit ${lockId} already resolved with a different txHash`
-      );
-    }
-    const token = normalizeToken(credit.tokenAddress);
-    const key = balanceKey(credit.userAddress, token);
-    const current = this.balances.get(key) ?? 0n;
-    this.balances.set(key, current + credit.amount);
-    credit.status = "RESOLVED";
-    credit.txHash = txHash;
-  }
-  // -------------------------------------------------------------------------
-  // Internal helpers
-  // -------------------------------------------------------------------------
-  /**
-   * Auto-expire any PENDING lock past its expiry. Called lazily on every
-   * read/write so the in-memory state stays self-cleaning without a timer.
-   */
-  purgeExpired() {
-    const now = this.now();
-    for (const lock of this.locks.values()) {
-      if (lock.status === "PENDING" && lock.expiresAt <= now) {
-        lock.status = "EXPIRED";
-      }
-    }
-  }
-  lockedTotalFor(userAddress, tokenKey) {
-    let total = 0n;
-    for (const lock of this.locks.values()) {
-      if (lock.userAddress === userAddress && lock.status === "PENDING" && (lock.tokenAddress ?? DEFAULT_TOKEN_KEY) === tokenKey) {
-        total += lock.amount;
-      }
-    }
-    return total;
-  }
-};
-var DEFAULT_TOKEN_KEY = "default";
-function normalizeToken(tokenAddress) {
-  return tokenAddress === void 0 ? DEFAULT_TOKEN_KEY : (0, import_viem.getAddress)(tokenAddress);
-}
-function balanceKey(user, tokenKey) {
-  return `${user}|${tokenKey}`;
-}
-
 // src/policy/defaultPolicy.ts
 var DefaultPolicyEngine = class {
   ledger;
@@ -265,6 +61,13 @@ var DefaultPolicyEngine = class {
     }
     if (opts.verifyMintCap) this.verifyMintCap = opts.verifyMintCap;
     if (opts.resolveIssuer) this.resolveIssuer = opts.resolveIssuer;
+    if (!opts.mintingOracleAddress || !opts.provider || !opts.verifyMintCap || !opts.resolveIssuer) {
+      if (process.env.NODE_ENV === "production") {
+        throw new Error(
+          "[PAFI] DefaultPolicyEngine: on-chain MintingOracle cap check is required in production. Configure mintingOracleAddress, provider, verifyMintCap, and resolveIssuer."
+        );
+      }
+    }
   }
   async evaluate(request) {
     if (request.amount <= 0n) {
@@ -301,32 +104,9 @@ var DefaultPolicyEngine = class {
   }
 };
 
-// src/signer/privateKeySigner.ts
-var import_viem2 = require("viem");
-var import_accounts = require("viem/accounts");
-var import_core = require("@pafi-dev/core");
-var PrivateKeySigner = class {
-  account;
-  walletClient;
-  constructor(opts) {
-    this.account = (0, import_accounts.privateKeyToAccount)(opts.privateKey);
-    this.walletClient = (0, import_viem2.createWalletClient)({
-      account: this.account,
-      chain: opts.chain,
-      transport: (0, import_viem2.http)(opts.rpcUrl)
-    });
-  }
-  async signMintRequest(domain, message) {
-    return (0, import_core.signMintRequest)(this.walletClient, domain, message);
-  }
-  async getAddress() {
-    return this.account.address;
-  }
-};
-
 // src/auth/memorySessionStore.ts
 var import_node_crypto = require("crypto");
-var import_viem3 = require("viem");
+var import_viem = require("viem");
 var DEFAULT_NONCE_TTL_MS = 5 * 60 * 1e3;
 var MemorySessionStore = class {
   nonces = /* @__PURE__ */ new Map();
@@ -336,6 +116,11 @@ var MemorySessionStore = class {
   nonceTtlMs;
   now;
   constructor(opts = {}) {
+    if (process.env.NODE_ENV === "production") {
+      console.error(
+        "[PAFI] MemorySessionStore is not safe for multi-process/K8s deployments. Session revocations are NOT propagated across pods. Use a Redis-backed session store in production."
+      );
+    }
     this.nonceTtlMs = opts.nonceTtlMs ?? DEFAULT_NONCE_TTL_MS;
     this.now = opts.now ?? (() => Date.now());
   }
@@ -362,7 +147,7 @@ var MemorySessionStore = class {
     this.purgeExpiredSessions();
     const normalized = {
       ...session,
-      userAddress: (0, import_viem3.getAddress)(session.userAddress)
+      userAddress: (0, import_viem.getAddress)(session.userAddress)
     };
     this.sessions.set(session.tokenId, normalized);
   }
@@ -380,7 +165,7 @@ var MemorySessionStore = class {
     this.sessions.delete(tokenId);
   }
   async revokeAllSessions(userAddress) {
-    const key = (0, import_viem3.getAddress)(userAddress);
+    const key = (0, import_viem.getAddress)(userAddress);
     for (const [tokenId, session] of this.sessions.entries()) {
       if (session.userAddress === key) {
         this.sessions.delete(tokenId);
@@ -426,8 +211,8 @@ var NonceManager = class {
 // src/auth/loginVerifier.ts
 var import_node_crypto2 = require("crypto");
 var import_jose = require("jose");
-var import_viem4 = require("viem");
-var import_core2 = require("@pafi-dev/core");
+var import_viem2 = require("viem");
+var import_core = require("@pafi-dev/core");
 
 // src/auth/errors.ts
 var AuthError = class extends Error {
@@ -450,8 +235,8 @@ var AuthService = class {
   nonceManager;
   now;
   constructor(config) {
-    if (!config.jwtSecret || config.jwtSecret.length < 16) {
-      throw new Error("AuthService: jwtSecret must be at least 16 chars");
+    if (!config.jwtSecret || config.jwtSecret.length < 32) {
+      throw new Error("AuthService: jwtSecret must be at least 32 characters for HS256 security");
     }
     this.sessionStore = config.sessionStore;
     this.jwtSecret = new TextEncoder().encode(config.jwtSecret);
@@ -475,11 +260,17 @@ var AuthService = class {
   async login(message, signature) {
     let parsed;
     try {
-      parsed = (0, import_core2.parseLoginMessage)(message);
+      parsed = (0, import_core.parseLoginMessage)(message);
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       throw new AuthError("INVALID_MESSAGE", `Could not parse login message: ${msg}`);
     }
+    if (parsed.expirationTime == null) {
+      throw new AuthError(
+        "INVALID_MESSAGE",
+        "login message must include expirationTime"
+      );
+    }
     if (parsed.domain !== this.domain) {
       throw new AuthError(
         "DOMAIN_MISMATCH",
@@ -502,7 +293,7 @@ var AuthService = class {
     if (parsed.expirationTime && parsed.expirationTime.getTime() <= now.getTime()) {
       throw new AuthError("MESSAGE_EXPIRED", "Login message has expired");
     }
-    const verifyResult = await (0, import_core2.verifyLoginMessage)(message, signature);
+    const verifyResult = await (0, import_core.verifyLoginMessage)(message, signature);
     if (!verifyResult.valid) {
       throw new AuthError(
         "SIGNATURE_INVALID",
@@ -516,7 +307,7 @@ var AuthService = class {
         "Nonce is unknown, expired, or already used"
       );
     }
-    const userAddress = (0, import_viem4.getAddress)(verifyResult.address);
+    const userAddress = (0, import_viem2.getAddress)(verifyResult.address);
     const tokenId = (0, import_node_crypto2.randomBytes)(16).toString("hex");
     const issuedAt = now;
     const expiresAt = parseExpiry(issuedAt, this.jwtExpiresIn);
@@ -544,7 +335,11 @@ var AuthService = class {
       if (payload.jti) {
         await this.sessionStore.revokeSession(payload.jti);
       }
-    } catch {
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (!msg.includes("not found") && !msg.includes("expired")) {
+        console.error("[PAFI] AuthService logout: session store error", err);
+      }
     }
   }
   /**
@@ -583,7 +378,7 @@ var AuthService = class {
       throw new AuthError("TOKEN_INVALID", "JWT payload is malformed");
     }
     return {
-      userAddress: (0, import_viem4.getAddress)(userAddress),
+      userAddress: (0, import_viem2.getAddress)(userAddress),
       chainId,
       tokenId
     };
@@ -634,210 +429,122 @@ var RelayError = class extends Error {
 };
 
 // src/relay/relayService.ts
-var import_viem5 = require("viem");
-var import_core3 = require("@pafi-dev/core");
-var DEFAULT_CONFIRMATION_TIMEOUT_MS = 6e4;
+var import_viem3 = require("viem");
+var import_core2 = require("@pafi-dev/core");
 var RelayService = class {
-  relayAddress;
-  operatorWallet;
-  provider;
-  confirmationTimeoutMs;
-  simulateBeforeSubmit;
-  constructor(config) {
-    if (!config.relayAddress) {
-      throw new Error("RelayService: relayAddress is required");
-    }
-    if (!config.operatorWallet) {
-      throw new Error("RelayService: operatorWallet is required");
-    }
-    this.relayAddress = config.relayAddress;
-    this.operatorWallet = config.operatorWallet;
-    if (config.provider) this.provider = config.provider;
-    this.confirmationTimeoutMs = config.confirmationTimeoutMs ?? DEFAULT_CONFIRMATION_TIMEOUT_MS;
-    this.simulateBeforeSubmit = config.simulateBeforeSubmit ?? config.provider !== void 0;
-  }
-  /** Address the operator wallet is broadcasting from (for logging). */
-  operatorAddress() {
-    return this.operatorWallet.account?.address;
-  }
   /**
-   * Build calldata for the Relay `mintAndSwap` function. Kept public so
-   * callers (e.g. the MintingGateway) can log or persist the encoded call
-   * for audit before broadcasting.
+   * Build an unsigned UserOp for Scenario 1 (Mint) — sig-gated
+   * `PointToken.mint(to, amount, deadline, minterSig)`.
    */
-  encodeCall(params) {
-    try {
-      return (0, import_core3.encodeMintAndSwap)(params.mint, params.swap);
-    } catch (err) {
+  async prepareMint(params) {
+    if (!params.batchExecutorAddress) {
       throw new RelayError(
         "ENCODE_FAILED",
-        `Failed to encode mintAndSwap calldata: ${errorMessage(err)}`,
-        err
+        "prepareMint: batchExecutorAddress required"
       );
     }
-  }
-  /**
-   * Submit a `mintAndSwap` transaction. Flow:
-   *
-   *   1. (optional) pre-flight simulate via provider
-   *   2. writeContract through the operator wallet
-   *   3. (optional) wait for the receipt and surface gasUsed / status
-   *
-   * Throws a typed `RelayError` on any failure so the MintingGateway can
-   * decide whether to release the ledger lock (`SUBMIT_FAILED` and
-   * `SIMULATION_FAILED` are safe to release; `TX_REVERTED` and `TIMEOUT`
-   * need manual review because the tx may still land).
-   *
-   * @deprecated Since 0.3.0 — will be replaced by `prepareMint()` +
-   * `prepareBurn()` in the v1.4 sponsored-UserOp flow. The SC team
-   * still needs to finalize Relayer v2 ABI before the replacements
-   * can ship (blocker B1). Kept for v0.2.x consumers. Removed in 2.0.
-   */
-  async submitMintAndSwap(params) {
-    if (this.simulateBeforeSubmit && this.provider) {
-      const operatorAddr = this.operatorWallet.account?.address;
-      if (operatorAddr) {
-        try {
-          await (0, import_core3.simulateMintAndSwap)(
-            this.provider,
-            this.relayAddress,
-            params.mint,
-            params.swap,
-            operatorAddr
-          );
-        } catch (err) {
-          const reason = err instanceof import_core3.SimulationError ? err.reason : errorMessage(err);
-          throw new RelayError(
-            "SIMULATION_FAILED",
-            `mintAndSwap would revert: ${reason}`,
-            err
-          );
-        }
-      }
+    if (!params.userAddress) {
+      throw new RelayError("ENCODE_FAILED", "prepareMint: userAddress required");
     }
-    let txHash;
-    try {
-      txHash = await this.operatorWallet.writeContract({
-        address: this.relayAddress,
-        abi: import_core3.relayAbi,
-        functionName: "mintAndSwap",
-        args: [params.mint, params.swap],
-        ...this.operatorWallet.account ? { account: this.operatorWallet.account } : {}
-      });
-    } catch (err) {
+    if (!params.pointTokenAddress) {
       throw new RelayError(
-        "SUBMIT_FAILED",
-        `Failed to broadcast mintAndSwap: ${errorMessage(err)}`,
-        err
+        "ENCODE_FAILED",
+        "prepareMint: pointTokenAddress required"
       );
     }
-    if (!this.provider) {
-      return { txHash };
+    if (params.amount <= 0n) {
+      throw new RelayError("ENCODE_FAILED", "prepareMint: amount must be positive");
     }
-    try {
-      const receipt = await this.provider.waitForTransactionReceipt({
-        hash: txHash,
-        timeout: this.confirmationTimeoutMs
-      });
-      if (receipt.status !== "success") {
-        throw new RelayError(
-          "TX_REVERTED",
-          `mintAndSwap reverted on-chain (tx=${txHash})`
-        );
-      }
-      return {
-        txHash,
-        blockNumber: receipt.blockNumber,
-        gasUsed: receipt.gasUsed,
-        status: receipt.status
-      };
-    } catch (err) {
-      if (err instanceof RelayError) throw err;
+    if (!params.issuerSignerWallet) {
       throw new RelayError(
-        "TIMEOUT",
-        `Timed out waiting for mintAndSwap receipt (tx=${txHash}): ${errorMessage(err)}`,
-        err
+        "ENCODE_FAILED",
+        "prepareMint: issuerSignerWallet required (for MintRequest EIP-712 signature)"
       );
     }
-  }
-  // ==========================================================================
-  // v1.4 — Sponsored UserOp preparation (beta with mocked SC contracts)
-  // ==========================================================================
-  //
-  // These two methods build unsigned `PartialUserOperation` payloads for
-  // the Frontend to sign (via Privy) and submit to the Bundler. The
-  // Issuer Backend no longer broadcasts — that's the Frontend's job.
-  //
-  // Uses mocked Relayer v2 + PointToken ABIs from `@pafi-dev/core/contracts`.
-  // When SC delivers real ABIs, the imports swap but these method bodies
-  // stay the same (calldata encoder is ABI-driven).
-  // ==========================================================================
-  /**
-   * Build an unsigned UserOp for Scenario 1 (Mint).
-   *
-   * Flow:
-   *   1. Encode `Relayer.mint(request, userSig, issuerSig)` as the inner call
-   *   2. Optionally append a PT fee transfer from user → feeRecipient
-   *      (fee recovery happens on-chain via BatchExecutor, not via an
-   *      operator wallet)
-   *   3. Wrap all inner calls into `BatchExecutor.execute(calls[])`
-   *   4. Return a `PartialUserOperation` ready for:
-   *        - gas estimation (Bundler)
-   *        - paymaster sponsorship (PAFI Backend)
-   *        - user signature (Privy)
-   */
-  prepareMint(params) {
-    if (!params.relayerAddress) {
-      throw new RelayError("ENCODE_FAILED", "prepareMint: relayerAddress required");
+    if (params.deadline <= 0n) {
+      throw new RelayError("ENCODE_FAILED", "prepareMint: deadline must be positive");
     }
-    if (!params.batchExecutorAddress) {
+    const nowSecs = BigInt(Math.floor(Date.now() / 1e3));
+    if (params.deadline <= nowSecs) {
+      throw new RelayError("ENCODE_FAILED", "prepareMint: deadline is in the past");
+    }
+    const MAX_DEADLINE_WINDOW = 3600n;
+    if (params.deadline > nowSecs + MAX_DEADLINE_WINDOW) {
       throw new RelayError(
         "ENCODE_FAILED",
-        "prepareMint: batchExecutorAddress required"
+        "prepareMint: deadline exceeds maximum allowed window (1 hour)"
       );
     }
-    if (!params.userAddress) {
-      throw new RelayError("ENCODE_FAILED", "prepareMint: userAddress required");
+    let minterSig;
+    try {
+      const sig = await (0, import_core2.signMintRequest)(
+        params.issuerSignerWallet,
+        params.domain,
+        {
+          to: params.userAddress,
+          amount: params.amount,
+          nonce: params.mintRequestNonce,
+          deadline: params.deadline
+        }
+      );
+      minterSig = sig.serialized;
+    } catch (err) {
+      throw new RelayError(
+        "ENCODE_FAILED",
+        `prepareMint: failed to sign MintRequest: ${errorMessage(err)}`,
+        err
+      );
     }
     let mintCallData;
     try {
-      mintCallData = (0, import_viem5.encodeFunctionData)({
-        abi: import_core3.RELAYER_V2_ABI,
+      mintCallData = (0, import_viem3.encodeFunctionData)({
+        abi: import_core2.POINT_TOKEN_V2_ABI,
         functionName: "mint",
-        args: [params.mintRequest, params.userSignature, params.issuerSignature]
+        args: [params.userAddress, params.amount, params.deadline, minterSig]
       });
     } catch (err) {
       throw new RelayError(
         "ENCODE_FAILED",
-        `prepareMint: failed to encode Relayer.mint: ${errorMessage(err)}`,
+        `prepareMint: failed to encode PointToken.mint: ${errorMessage(err)}`,
         err
       );
     }
     const operations = [
       {
-        target: params.relayerAddress,
+        target: params.pointTokenAddress,
         value: 0n,
         data: mintCallData
       }
     ];
-    if (params.mintRequest.feeAmount > 0n) {
+    if (params.feeAmount && params.feeAmount > 0n) {
+      if (!params.feeRecipient) {
+        throw new RelayError(
+          "ENCODE_FAILED",
+          "prepareMint: feeRecipient required when feeAmount > 0"
+        );
+      }
+      if (params.feeRecipient === "0x0000000000000000000000000000000000000000") {
+        throw new RelayError(
+          "ENCODE_FAILED",
+          "prepareMint: feeRecipient must not be zero address"
+        );
+      }
       operations.push({
         target: params.pointTokenAddress,
         value: 0n,
-        data: (0, import_viem5.encodeFunctionData)({
-          abi: import_core3.POINT_TOKEN_V2_ABI,
-          functionName: "balanceOf",
-          // placeholder — real impl uses transfer
-          args: [params.mintRequest.feeRecipient]
+        data: (0, import_viem3.encodeFunctionData)({
+          abi: import_viem3.erc20Abi,
+          functionName: "transfer",
+          args: [params.feeRecipient, params.feeAmount]
         })
       });
     }
-    return (0, import_core3.buildPartialUserOperation)({
+    return (0, import_core2.buildPartialUserOperation)({
       sender: params.userAddress,
       nonce: params.aaNonce,
       operations,
       gasLimits: {
-        callGasLimit: params.callGasLimit ?? 500000n,
+        callGasLimit: params.callGasLimit ?? 300000n,
         verificationGasLimit: params.verificationGasLimit ?? 150000n,
         preVerificationGas: params.preVerificationGas ?? 50000n
       }
@@ -847,13 +554,12 @@ var RelayService = class {
    * Build an unsigned UserOp for Scenario 2 (Burn/Redeem).
    *
    * Two modes:
-   *   - `mode: 'burn'` — direct `PointToken.burn(amount)`; `msg.sender`
-   *     via EIP-7702 delegation is the user, so no signature needed
-   *     on-chain (the BurnConsent was already verified off-chain by
-   *     the issuer backend before we got here)
-   *   - `mode: 'burnWithSig'` — `PointToken.burnWithSig(consent, sig)`;
-   *     used when the issuer hasn't verified the consent and the
-   *     contract has to do it on-chain
+   *   - `mode: 'burn'` — direct `PointToken.burn(from, amount)`; only
+   *     usable if the caller (via EIP-7702) is whitelisted as a burner.
+   *     Rare in v1.4; kept for admin/operator tools.
+   *   - `mode: 'burnWithSig'` — `PointToken.burn(from, amount, deadline,
+   *     burnerSig)`. Caller provides a pre-signed `BurnRequest` + sig
+   *     bytes (typically from `PTRedeemHandler`).
    */
   prepareBurn(params) {
     if (!params.pointTokenAddress) {
@@ -868,19 +574,24 @@ var RelayService = class {
     let burnCallData;
     try {
       if (params.mode === "burnWithSig") {
-        if (!params.burnConsent || !params.consentSignature) {
-          throw new Error("burnWithSig requires burnConsent + consentSignature");
+        if (!params.burnRequest || !params.burnerSignature) {
+          throw new Error("burnWithSig requires burnRequest + burnerSignature");
         }
-        burnCallData = (0, import_viem5.encodeFunctionData)({
-          abi: import_core3.POINT_TOKEN_V2_ABI,
-          functionName: "burnWithSig",
-          args: [params.burnConsent, params.consentSignature]
+        burnCallData = (0, import_viem3.encodeFunctionData)({
+          abi: import_core2.POINT_TOKEN_V2_ABI,
+          functionName: "burn",
+          args: [
+            params.burnRequest.from,
+            params.burnRequest.amount,
+            params.burnRequest.deadline,
+            params.burnerSignature
+          ]
         });
       } else {
-        burnCallData = (0, import_viem5.encodeFunctionData)({
-          abi: import_core3.POINT_TOKEN_V2_ABI,
+        burnCallData = (0, import_viem3.encodeFunctionData)({
+          abi: import_core2.POINT_TOKEN_V2_ABI,
           functionName: "burn",
-          args: [params.amount]
+          args: [params.userAddress, params.amount]
         });
       }
     } catch (err) {
@@ -897,7 +608,7 @@ var RelayService = class {
         data: burnCallData
       }
     ];
-    return (0, import_core3.buildPartialUserOperation)({
+    return (0, import_core2.buildPartialUserOperation)({
       sender: params.userAddress,
       nonce: params.aaNonce,
       operations,
@@ -916,11 +627,14 @@ function errorMessage(err) {
 // src/relay/feeManager.ts
 var DEFAULT_GAS_UNITS = 500000n;
 var DEFAULT_PREMIUM_BPS = 12e3;
-var FeeManager = class {
+var FeeManager = class _FeeManager {
   provider;
   gasUnits;
   gasPremiumBps;
   quoteNativeToFee;
+  cachedFee = null;
+  cacheExpiresAt = 0;
+  static CACHE_TTL_MS = 1e4;
   constructor(config) {
     if (!config.provider) throw new Error("FeeManager: provider required");
     if (!config.quoteNativeToFee)
@@ -943,259 +657,20 @@ var FeeManager = class {
    * currency depends on how the caller wired `quoteNativeToFee`.
    */
   async estimateGasFee() {
+    const now = Date.now();
+    if (this.cachedFee !== null && now < this.cacheExpiresAt) {
+      return this.cachedFee;
+    }
     const gasPrice = await this.provider.getGasPrice();
     const nativeCost = gasPrice * this.gasUnits;
     const withPremium = nativeCost * BigInt(this.gasPremiumBps) / 10000n;
-    return this.quoteNativeToFee(withPremium);
-  }
-};
-
-// src/gateway/types.ts
-var MintingGatewayError = class extends Error {
-  code;
-  /**
-   * True if the ledger lock was released before this error was thrown,
-   * meaning the user can safely retry. False means the funds are still
-   * locked (e.g. tx may still land on-chain) and retry would double-spend.
-   */
-  safeToRetry;
-  cause;
-  constructor(code, message, opts) {
-    super(message);
-    this.name = "MintingGatewayError";
-    this.code = code;
-    this.safeToRetry = opts.safeToRetry;
-    if (opts.cause !== void 0) this.cause = opts.cause;
+    const fee = await this.quoteNativeToFee(withPremium);
+    this.cachedFee = fee;
+    this.cacheExpiresAt = now + _FeeManager.CACHE_TTL_MS;
+    return fee;
   }
 };
 
-// src/gateway/mintingGateway.ts
-var import_core4 = require("@pafi-dev/core");
-var DEFAULT_LOCK_BUFFER_MS = 6e4;
-var MintingGateway = class {
-  ledger;
-  policy;
-  signer;
-  relayService;
-  now;
-  defaultLockBufferMs;
-  constructor(config) {
-    if (!config.ledger) throw new Error("MintingGateway: ledger required");
-    if (!config.policy) throw new Error("MintingGateway: policy required");
-    if (!config.signer) throw new Error("MintingGateway: signer required");
-    if (!config.relayService)
-      throw new Error("MintingGateway: relayService required");
-    this.ledger = config.ledger;
-    this.policy = config.policy;
-    this.signer = config.signer;
-    this.relayService = config.relayService;
-    this.now = config.now ?? (() => Date.now());
-    this.defaultLockBufferMs = config.defaultLockBufferMs ?? DEFAULT_LOCK_BUFFER_MS;
-  }
-  /**
-   * @deprecated Since 0.3.0 — will be renamed to `processMint()` once
-   * the SC team finalizes Relayer v2 ABI. The new flow drops the
-   * swap steps entirely (no more single-call mint+swap); users swap
-   * separately on PAFI Web. Kept here for v0.2.x consumers. Removed in 2.0.
-   */
-  async processMintAndCashOut(request) {
-    const { receiverConsent, receiverSignature } = request;
-    if (!receiverConsent || !receiverSignature) {
-      throw new MintingGatewayError(
-        "INVALID_REQUEST",
-        "receiverConsent and receiverSignature are required",
-        { safeToRetry: true }
-      );
-    }
-    if (receiverConsent.amount <= 0n) {
-      throw new MintingGatewayError(
-        "INVALID_REQUEST",
-        "consent amount must be positive",
-        { safeToRetry: true }
-      );
-    }
-    if (receiverConsent.originalReceiver !== request.userAddress) {
-      throw new MintingGatewayError(
-        "INVALID_REQUEST",
-        "consent.originalReceiver must equal request.userAddress",
-        { safeToRetry: true }
-      );
-    }
-    const nowSec = BigInt(Math.floor(this.now() / 1e3));
-    if (receiverConsent.deadline <= nowSec) {
-      throw new MintingGatewayError(
-        "CONSENT_EXPIRED",
-        "ReceiverConsent deadline has already passed",
-        { safeToRetry: true }
-      );
-    }
-    const consentResult = await (0, import_core4.verifyReceiverConsent)(
-      request.domain,
-      receiverConsent,
-      receiverSignature,
-      request.userAddress
-    );
-    if (!consentResult.isValid) {
-      throw new MintingGatewayError(
-        "INVALID_CONSENT_SIGNATURE",
-        `ReceiverConsent signature did not recover to ${request.userAddress}`,
-        { safeToRetry: true }
-      );
-    }
-    const policyDecision = await this.policy.evaluate({
-      userAddress: request.userAddress,
-      amount: receiverConsent.amount,
-      pointTokenAddress: request.pointTokenAddress,
-      chainId: request.chainId
-    });
-    if (!policyDecision.approved) {
-      const code = policyDecision.reason?.toLowerCase().includes("insufficient") ? "INSUFFICIENT_BALANCE" : "POLICY_REJECTED";
-      throw new MintingGatewayError(
-        code,
-        policyDecision.reason ?? "Minting request rejected by policy engine",
-        { safeToRetry: true }
-      );
-    }
-    const lockDurationMs = request.lockDurationMs ?? this.computeLockDurationMs(receiverConsent.deadline);
-    let lockId;
-    try {
-      lockId = await this.ledger.lockForMinting(
-        request.userAddress,
-        receiverConsent.amount,
-        lockDurationMs,
-        request.pointTokenAddress
-      );
-    } catch (err) {
-      throw new MintingGatewayError(
-        "INSUFFICIENT_BALANCE",
-        `Failed to lock ledger balance: ${errorMessage2(err)}`,
-        { safeToRetry: true, cause: err }
-      );
-    }
-    try {
-      let minterSignature;
-      try {
-        minterSignature = await this.signer.signMintRequest(request.domain, {
-          to: request.userAddress,
-          amount: receiverConsent.amount,
-          nonce: receiverConsent.nonce,
-          deadline: receiverConsent.deadline
-        });
-      } catch (err) {
-        await this.releaseLockSafely(lockId);
-        throw new MintingGatewayError(
-          "SIGNER_FAILED",
-          `Issuer signer failed: ${errorMessage2(err)}`,
-          { safeToRetry: true, cause: err }
-        );
-      }
-      const mintParams = {
-        pointToken: request.pointTokenAddress,
-        receiver: request.userAddress,
-        amount: receiverConsent.amount,
-        deadline: receiverConsent.deadline,
-        minterSig: minterSignature.serialized,
-        receiverSig: receiverSignature,
-        extData: receiverConsent.extData
-      };
-      const swapParams = {
-        path: request.swapPath,
-        deadline: request.swapDeadline
-      };
-      let relayResult;
-      try {
-        relayResult = await this.relayService.submitMintAndSwap({
-          mint: mintParams,
-          swap: swapParams
-        });
-      } catch (err) {
-        await this.handleRelayFailure(err, lockId);
-      }
-      const result = {
-        txHash: relayResult.txHash,
-        lockId
-      };
-      if (relayResult.blockNumber !== void 0) {
-        result.blockNumber = relayResult.blockNumber;
-      }
-      if (relayResult.gasUsed !== void 0) {
-        result.gasUsed = relayResult.gasUsed;
-      }
-      return result;
-    } catch (err) {
-      if (err instanceof MintingGatewayError) throw err;
-      await this.releaseLockSafely(lockId);
-      throw new MintingGatewayError(
-        "RELAY_SUBMIT_FAILED",
-        `Unexpected error: ${errorMessage2(err)}`,
-        { safeToRetry: true, cause: err }
-      );
-    }
-  }
-  // ---------------------------------------------------------------------------
-  // Internals
-  // ---------------------------------------------------------------------------
-  computeLockDurationMs(consentDeadlineSec) {
-    const nowMs = this.now();
-    const deadlineMs = Number(consentDeadlineSec) * 1e3;
-    const remaining = Math.max(0, deadlineMs - nowMs);
-    return remaining + this.defaultLockBufferMs;
-  }
-  /**
-   * Map a RelayError to a MintingGatewayError, releasing the lock only
-   * when the tx definitely did not land. `TX_REVERTED` and `TIMEOUT`
-   * leave the lock in place because the tx may still be in the mempool
-   * or already mined — releasing would enable a double-spend on retry.
-   * Always throws.
-   */
-  async handleRelayFailure(err, lockId) {
-    if (err instanceof RelayError) {
-      switch (err.code) {
-        case "ENCODE_FAILED":
-        case "SIMULATION_FAILED":
-        case "SUBMIT_FAILED":
-        case "NOT_CONFIGURED":
-          await this.releaseLockSafely(lockId);
-          throw new MintingGatewayError(
-            err.code === "SIMULATION_FAILED" ? "RELAY_SIMULATION_FAILED" : "RELAY_SUBMIT_FAILED",
-            err.message,
-            { safeToRetry: true, cause: err }
-          );
-        case "TX_REVERTED":
-          throw new MintingGatewayError("RELAY_REVERTED", err.message, {
-            safeToRetry: false,
-            cause: err
-          });
-        case "TIMEOUT":
-          throw new MintingGatewayError("RELAY_TIMEOUT", err.message, {
-            safeToRetry: false,
-            cause: err
-          });
-      }
-    }
-    await this.releaseLockSafely(lockId);
-    throw new MintingGatewayError(
-      "RELAY_SUBMIT_FAILED",
-      `Unexpected relay error: ${errorMessage2(err)}`,
-      { safeToRetry: true, cause: err }
-    );
-  }
-  /**
-   * Release a lock, swallowing any secondary error. We never want a lock
-   * release failure to mask the original error — the lock will auto-expire
-   * via TTL anyway.
-   */
-  async releaseLockSafely(lockId) {
-    try {
-      await this.ledger.releaseLock(lockId);
-    } catch {
-    }
-  }
-};
-function errorMessage2(err) {
-  return err instanceof Error ? err.message : String(err);
-}
-
 // src/indexer/types.ts
 var InMemoryCursorStore = class {
   cursor;
@@ -1208,8 +683,8 @@ var InMemoryCursorStore = class {
 };
 
 // src/indexer/pointIndexer.ts
-var import_viem6 = require("viem");
-var TRANSFER_EVENT = (0, import_viem6.parseAbiItem)(
+var import_viem4 = require("viem");
+var TRANSFER_EVENT = (0, import_viem4.parseAbiItem)(
   "event Transfer(address indexed from, address indexed to, uint256 value)"
 );
 var ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
@@ -1279,7 +754,8 @@ var PointIndexer = class {
         return;
       }
       await this.processBlockRange(from, safeHead);
-    } catch {
+    } catch (err) {
+      console.error("[PAFI] PointIndexer tick error:", err);
     }
     this.scheduleNext();
   }
@@ -1329,10 +805,10 @@ var PointIndexer = class {
     for (const log of logs) {
       const args = log.args;
       if (!args.from || !args.to || args.value === void 0) continue;
-      if ((0, import_viem6.getAddress)(args.from) !== ZERO_ADDRESS) continue;
+      if ((0, import_viem4.getAddress)(args.from) !== ZERO_ADDRESS) continue;
       if (log.blockNumber === null || log.transactionHash === null) continue;
       out.push({
-        to: (0, import_viem6.getAddress)(args.to),
+        to: (0, import_viem4.getAddress)(args.to),
         amount: args.value,
         blockNumber: log.blockNumber,
         txHash: log.transactionHash,
@@ -1388,8 +864,8 @@ function pickMatchingLock(locks, amount) {
 }
 
 // src/indexer/burnIndexer.ts
-var import_viem7 = require("viem");
-var TRANSFER_EVENT2 = (0, import_viem7.parseAbiItem)(
+var import_viem5 = require("viem");
+var TRANSFER_EVENT2 = (0, import_viem5.parseAbiItem)(
   "event Transfer(address indexed from, address indexed to, uint256 value)"
 );
 var ZERO_ADDRESS2 = "0x0000000000000000000000000000000000000000";
@@ -1405,18 +881,7 @@ var BurnIndexer = class {
   confirmations;
   batchSize;
   pollIntervalMs;
-  /**
-   * Caller-supplied matcher. Return the lockId to resolve for a given
-   * burn event, or `undefined` to skip. Runs synchronously via the
-   * ledger's query path.
-   *
-   * Default: try `ledger.resolveCreditByBurnTx` keyed on a synthetic
-   * lock id `burn-${from}-${amount}` — the in-memory ledger assigns
-   * incrementing IDs so callers with the memory ledger must provide a
-   * custom matcher. Real DB-backed ledgers override this to JOIN on
-   * their `pending_credits` table.
-   */
-  matchLockId = async () => void 0;
+  matchLockId;
   running = false;
   timer;
   constructor(config) {
@@ -1434,6 +899,12 @@ var BurnIndexer = class {
     );
     this.batchSize = BigInt(config.batchSize ?? Number(DEFAULT_BATCH_SIZE2));
     this.pollIntervalMs = config.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS2;
+    if (!config.matchLockId) {
+      throw new Error(
+        "BurnIndexer: matchLockId is required. Provide a function that maps a burn event to its pending credit lockId. Without it, no on-chain burns will ever grant off-chain credits."
+      );
+    }
+    this.matchLockId = config.matchLockId;
   }
   start() {
     if (this.running) return;
@@ -1463,7 +934,8 @@ var BurnIndexer = class {
         return;
       }
       await this.processBlockRange(from, safeHead);
-    } catch {
+    } catch (err) {
+      console.error("[PAFI] BurnIndexer tick error:", err);
     }
     this.scheduleNext();
   }
@@ -1508,10 +980,10 @@ var BurnIndexer = class {
     for (const log of logs) {
       const args = log.args;
       if (!args.from || !args.to || args.value === void 0) continue;
-      if ((0, import_viem7.getAddress)(args.to) !== ZERO_ADDRESS2) continue;
+      if ((0, import_viem5.getAddress)(args.to) !== ZERO_ADDRESS2) continue;
       if (log.blockNumber === null || log.transactionHash === null) continue;
       out.push({
-        from: (0, import_viem7.getAddress)(args.from),
+        from: (0, import_viem5.getAddress)(args.from),
         amount: args.value,
         blockNumber: log.blockNumber,
         txHash: log.transactionHash,
@@ -1526,24 +998,30 @@ var BurnIndexer = class {
    * log + skip.
    */
   async finalize(evt) {
+    const txHash = evt.txHash;
     const lockId = await this.matchLockId(evt);
-    if (!lockId) return;
+    if (lockId === void 0) {
+      console.warn(
+        "[PAFI] BurnIndexer: matchLockId returned undefined for burn tx " + txHash + ". This burn will NOT be credited. Implement matchLockId to map burn events to lock IDs."
+      );
+      return;
+    }
     if (!this.ledger.resolveCreditByBurnTx) {
       return;
     }
     try {
       await this.ledger.resolveCreditByBurnTx(lockId, evt.txHash);
-    } catch {
+    } catch (err) {
+      console.error("[PAFI] BurnIndexer finalize error \u2014 credit may be lost:", err);
     }
   }
 };
 
 // src/api/handlers.ts
-var import_viem8 = require("viem");
-var import_core5 = require("@pafi-dev/core");
+var import_viem6 = require("viem");
+var import_core3 = require("@pafi-dev/core");
 var IssuerApiHandlers = class {
   authService;
-  gateway;
   ledger;
   provider;
   /**
@@ -1551,18 +1029,14 @@ var IssuerApiHandlers = class {
    * validate the request's `pointTokenAddress` against this set.
    */
   supportedTokens;
-  /** First supported token — used as default when a handler doesn't
-   * receive a `pointTokenAddress` in the request (shouldn't happen in
-   * practice, but keeps type-narrowing happy). */
-  defaultToken;
   chainId;
   contracts;
   pafiWebUrl;
   feeManager;
   poolsProvider;
+  claim;
   constructor(config) {
     this.authService = config.authService;
-    this.gateway = config.gateway;
     this.ledger = config.ledger;
     this.provider = config.provider;
     const raw = config.pointTokenAddresses && config.pointTokenAddresses.length > 0 ? config.pointTokenAddresses : config.pointTokenAddress ? [config.pointTokenAddress] : [];
@@ -1571,14 +1045,14 @@ var IssuerApiHandlers = class {
         "IssuerApiHandlers: pointTokenAddress or pointTokenAddresses required"
       );
     }
-    const normalized = raw.map((a) => (0, import_viem8.getAddress)(a));
+    const normalized = raw.map((a) => (0, import_viem6.getAddress)(a));
     this.supportedTokens = new Set(normalized);
-    this.defaultToken = normalized[0];
     this.chainId = config.chainId;
     this.contracts = config.contracts;
     if (config.pafiWebUrl) this.pafiWebUrl = config.pafiWebUrl;
     if (config.feeManager) this.feeManager = config.feeManager;
     if (config.poolsProvider) this.poolsProvider = config.poolsProvider;
+    if (config.claim) this.claim = config.claim;
   }
   // =========================================================================
   // Public handlers (no auth required)
@@ -1593,6 +1067,12 @@ var IssuerApiHandlers = class {
     if (!body || typeof body.message !== "string" || body.message.length === 0 || typeof body.signature !== "string" || body.signature.length <= 2) {
       throw new Error("handleLogin: message and signature are required");
     }
+    if (body.message.length > 4096) {
+      throw new Error("message too long");
+    }
+    if (body.signature.length > 260) {
+      throw new Error("signature too long");
+    }
     const result = await this.authService.login(body.message, body.signature);
     return {
       token: result.token,
@@ -1607,9 +1087,12 @@ var IssuerApiHandlers = class {
    * needs to build EIP-712 messages and interact with on-chain.
    */
   async handleConfig(chainId) {
+    if (!Number.isInteger(chainId) || chainId <= 0) {
+      throw new Error("invalid chainId");
+    }
     if (chainId !== this.chainId) {
       throw new Error(
-        `handleConfig: unsupported chainId ${chainId}, issuer is configured for ${this.chainId}`
+        `handleConfig: unsupported chainId ${chainId}`
       );
     }
     const contracts = {
@@ -1672,25 +1155,25 @@ var IssuerApiHandlers = class {
         `handleUser: unsupported chainId ${request.chainId}`
       );
     }
-    const normalizedAuthed = (0, import_viem8.getAddress)(userAddress);
-    const normalizedRequest = (0, import_viem8.getAddress)(request.userAddress);
+    const normalizedAuthed = (0, import_viem6.getAddress)(userAddress);
+    const normalizedRequest = (0, import_viem6.getAddress)(request.userAddress);
     if (normalizedAuthed !== normalizedRequest) {
       throw new Error(
         "handleUser: request userAddress must match authenticated user"
       );
     }
-    const pointToken = (0, import_viem8.getAddress)(request.pointTokenAddress);
+    const pointToken = (0, import_viem6.getAddress)(request.pointTokenAddress);
     if (!this.supportedTokens.has(pointToken)) {
       throw new Error(
         `handleUser: unsupported pointToken ${pointToken}`
       );
     }
     const [mintRequestNonce, receiverConsentNonce, offChainBalance, onChainBalance, minter] = await Promise.all([
-      (0, import_core5.getMintRequestNonce)(this.provider, pointToken, normalizedAuthed),
-      (0, import_core5.getReceiverConsentNonce)(this.provider, pointToken, normalizedAuthed),
+      (0, import_core3.getMintRequestNonce)(this.provider, pointToken, normalizedAuthed),
+      (0, import_core3.getReceiverConsentNonce)(this.provider, pointToken, normalizedAuthed),
       this.ledger.getBalance(normalizedAuthed, pointToken),
-      (0, import_core5.getPointTokenBalance)(this.provider, pointToken, normalizedAuthed),
-      (0, import_core5.isMinter)(this.provider, pointToken, normalizedAuthed)
+      (0, import_core3.getPointTokenBalance)(this.provider, pointToken, normalizedAuthed),
+      (0, import_core3.isMinter)(this.provider, pointToken, normalizedAuthed)
     ]);
     return {
       mintRequestNonce,
@@ -1722,19 +1205,32 @@ var IssuerApiHandlers = class {
         `handleBuildConsentTypedData: unsupported chainId ${request.chainId}`
       );
     }
-    const pointToken = (0, import_viem8.getAddress)(request.pointTokenAddress);
+    const pointToken = (0, import_viem6.getAddress)(request.pointTokenAddress);
     if (!this.supportedTokens.has(pointToken)) {
       throw new Error(
         `handleBuildConsentTypedData: unsupported pointToken ${pointToken}`
       );
     }
-    const name = await (0, import_core5.getTokenName)(this.provider, pointToken);
+    const consent = request.receiverConsent;
+    if ((0, import_viem6.getAddress)(consent.originalReceiver) !== (0, import_viem6.getAddress)(userAddress)) {
+      throw new Error(
+        "handleBuildConsentTypedData: receiverConsent.originalReceiver must match authenticated user"
+      );
+    }
+    if (consent.amount <= 0n) {
+      throw new Error("handleBuildConsentTypedData: amount must be positive");
+    }
+    const nowSecs = BigInt(Math.floor(Date.now() / 1e3));
+    if (consent.deadline <= nowSecs) {
+      throw new Error("handleBuildConsentTypedData: deadline is in the past");
+    }
+    const name = await (0, import_core3.getTokenName)(this.provider, pointToken);
     const domain = {
       name,
       verifyingContract: pointToken,
       chainId: this.chainId
     };
-    const typedData = (0, import_core5.buildReceiverConsentTypedData)(domain, request.receiverConsent);
+    const typedData = (0, import_core3.buildReceiverConsentTypedData)(domain, consent);
     return {
       typedData: {
         domain: typedData.domain,
@@ -1745,54 +1241,97 @@ var IssuerApiHandlers = class {
     };
   }
   /**
-   * `POST /claim-and-swap`
+   * `POST /claim`
    *
-   * @deprecated Since 0.3.0 — the single-call mint-then-swap flow is
-   * retired in v1.4. Use the new `handleClaim()` (mint only) and let
-   * the user swap separately on PAFI Web. See
-   * [V1.4_V1.5_OVERVIEW.md §4] for the new scenario model. Will be
-   * removed in 2.0.
+   * Policy gate + ledger lock + MintRequest signing in a single atomic
+   * step. Returns an unsigned UserOp the frontend attaches paymaster data
+   * to and submits via EIP-7702 + Bundler.
    *
-   * Legacy behavior: the terminal handler forwards the verified
-   * consent to the MintingGateway, which runs the 11-step flow.
+   * Order of operations:
+   *   1. Validate request fields.
+   *   2. policy.evaluate() — throws if denied; cannot be bypassed.
+   *   3. ledger.lockForMinting() — reserves the balance.
+   *   4. Read on-chain mintRequestNonce + token name in parallel.
+   *   5. relayService.prepareMint() — sign MintRequest + encode UserOp.
+   *   6. On any error after step 3, release the lock before re-throwing.
    */
-  async handleClaimAndSwap(userAddress, request) {
+  async handleClaim(userAddress, request) {
+    if (!this.claim) {
+      throw new Error("handleClaim: claim is not configured on this issuer");
+    }
     if (request.chainId !== this.chainId) {
-      throw new Error(
-        `handleClaimAndSwap: unsupported chainId ${request.chainId}`
-      );
+      throw new Error(`handleClaim: unsupported chainId ${request.chainId}`);
     }
-    const pointToken = (0, import_viem8.getAddress)(request.pointTokenAddress);
+    const pointToken = (0, import_viem6.getAddress)(request.pointTokenAddress);
     if (!this.supportedTokens.has(pointToken)) {
-      throw new Error(
-        `handleClaimAndSwap: unsupported pointToken ${pointToken}`
-      );
+      throw new Error(`handleClaim: unsupported pointToken ${pointToken}`);
     }
-    const result = await this.gateway.processMintAndCashOut({
-      userAddress: (0, import_viem8.getAddress)(userAddress),
+    if (request.amount <= 0n) {
+      throw new Error("handleClaim: amount must be positive");
+    }
+    const nowSecs = BigInt(Math.floor(Date.now() / 1e3));
+    if (request.deadline <= nowSecs) {
+      throw new Error("handleClaim: deadline is in the past");
+    }
+    const { policy, relayService, issuerSignerWallet, batchExecutorAddress } = this.claim;
+    const lockDurationMs = this.claim.lockDurationMs ?? 15 * 60 * 1e3;
+    const normalizedUser = (0, import_viem6.getAddress)(userAddress);
+    const decision = await policy.evaluate({
+      userAddress: normalizedUser,
+      amount: request.amount,
       pointTokenAddress: pointToken,
-      chainId: request.chainId,
-      domain: request.domain,
-      receiverConsent: request.receiverConsent,
-      receiverSignature: request.receiverSignature,
-      swapPath: request.swapPath,
-      swapDeadline: request.swapDeadline
+      chainId: this.chainId
     });
-    const response = {
-      txHash: result.txHash,
-      lockId: result.lockId
-    };
-    if (result.blockNumber !== void 0)
-      response.blockNumber = result.blockNumber;
-    if (result.gasUsed !== void 0) response.gasUsed = result.gasUsed;
-    return response;
+    if (!decision.approved) {
+      throw new Error(`handleClaim: policy denied \u2014 ${decision.reason ?? "no reason given"}`);
+    }
+    const lockId = await this.ledger.lockForMinting(
+      normalizedUser,
+      request.amount,
+      lockDurationMs,
+      pointToken
+    );
+    try {
+      const [mintRequestNonce, tokenName] = await Promise.all([
+        (0, import_core3.getMintRequestNonce)(this.provider, pointToken, normalizedUser),
+        (0, import_core3.getTokenName)(this.provider, pointToken)
+      ]);
+      const domain = {
+        name: tokenName,
+        verifyingContract: pointToken,
+        chainId: this.chainId
+      };
+      const userOp = await relayService.prepareMint({
+        userAddress: normalizedUser,
+        aaNonce: request.aaNonce,
+        batchExecutorAddress,
+        pointTokenAddress: pointToken,
+        amount: request.amount,
+        issuerSignerWallet,
+        domain,
+        mintRequestNonce,
+        deadline: request.deadline,
+        feeAmount: request.feeAmount,
+        feeRecipient: request.feeRecipient
+      });
+      return {
+        lockId,
+        userOp,
+        expiresInSeconds: Math.floor(lockDurationMs / 1e3)
+      };
+    } catch (err) {
+      await this.ledger.releaseLock(lockId).catch(() => {
+      });
+      throw err;
+    }
   }
 };
 
 // src/api/handlers/ptRedeemHandler.ts
-var import_viem9 = require("viem");
-var import_core6 = require("@pafi-dev/core");
+var import_viem7 = require("viem");
+var import_core4 = require("@pafi-dev/core");
 var DEFAULT_REDEEM_LOCK_MS = 15 * 60 * 1e3;
+var DEFAULT_SIG_DEADLINE_SEC = 15 * 60;
 var PTRedeemError = class extends Error {
   constructor(code, message) {
     super(message);
@@ -1804,11 +1343,14 @@ var PTRedeemError = class extends Error {
 var PTRedeemHandler = class {
   ledger;
   relayService;
+  provider;
   pointTokenAddress;
   batchExecutorAddress;
   chainId;
   domain;
+  burnerSignerWallet;
   redeemLockDurationMs;
+  signatureDeadlineSeconds;
   now;
   constructor(config) {
     if (!config.ledger.reservePendingCredit) {
@@ -1817,46 +1359,88 @@ var PTRedeemHandler = class {
         "PTRedeemHandler requires a ledger that implements reservePendingCredit() (v0.3.0+)"
       );
     }
+    if (!config.burnerSignerWallet) {
+      throw new PTRedeemError(
+        "SIGNING_FAILED",
+        "PTRedeemHandler requires burnerSignerWallet (issuer burner signer)"
+      );
+    }
     this.ledger = config.ledger;
     this.relayService = config.relayService;
-    this.pointTokenAddress = (0, import_viem9.getAddress)(config.pointTokenAddress);
-    this.batchExecutorAddress = (0, import_viem9.getAddress)(config.batchExecutorAddress);
+    this.provider = config.provider;
+    this.pointTokenAddress = (0, import_viem7.getAddress)(config.pointTokenAddress);
+    this.batchExecutorAddress = (0, import_viem7.getAddress)(config.batchExecutorAddress);
     this.chainId = config.chainId;
     this.domain = config.domain;
+    this.burnerSignerWallet = config.burnerSignerWallet;
+    if (this.burnerSignerWallet?.account?.type === "local") {
+      console.warn("[PAFI] PTRedeemHandler: burnerSignerWallet uses a local (private key) account. Use a KMS-backed signer in production.");
+    }
     this.redeemLockDurationMs = config.redeemLockDurationMs ?? DEFAULT_REDEEM_LOCK_MS;
+    this.signatureDeadlineSeconds = config.signatureDeadlineSeconds ?? DEFAULT_SIG_DEADLINE_SEC;
     this.now = config.now ?? (() => Date.now());
   }
   async handle(request) {
+    if ((0, import_viem7.getAddress)(request.authenticatedAddress) !== (0, import_viem7.getAddress)(request.userAddress)) {
+      throw new PTRedeemError(
+        "UNAUTHORIZED",
+        `userAddress (${request.userAddress}) does not match authenticated session (${request.authenticatedAddress})`
+      );
+    }
     if (request.amount <= 0n) {
-      throw new PTRedeemError("INVALID_CONSENT", "redeem amount must be positive");
+      throw new PTRedeemError("INVALID_AMOUNT", "redeem amount must be positive");
     }
-    if (request.consent.amount !== request.amount) {
+    let burnNonce;
+    try {
+      burnNonce = await this.provider.readContract({
+        address: this.pointTokenAddress,
+        abi: import_core4.POINT_TOKEN_V2_ABI,
+        functionName: "burnRequestNonces",
+        args: [request.userAddress]
+      });
+    } catch (err) {
       throw new PTRedeemError(
-        "AMOUNT_MISMATCH",
-        `consent.amount (${request.consent.amount}) must match request.amount (${request.amount})`
+        "NONCE_READ_FAILED",
+        `failed to read burnRequestNonces(${request.userAddress}): ${err instanceof Error ? err.message : String(err)}`
       );
     }
-    const nowSeconds = BigInt(Math.floor(this.now() / 1e3));
-    if (request.consent.deadline <= nowSeconds) {
+    const onChainBalance = await (0, import_core4.getPointTokenBalance)(
+      this.provider,
+      this.pointTokenAddress,
+      request.userAddress
+    );
+    if (onChainBalance < request.amount) {
       throw new PTRedeemError(
-        "EXPIRED_CONSENT",
-        `consent deadline (${request.consent.deadline}) already passed`
+        "INVALID_AMOUNT",
+        `insufficient on-chain PT balance: have ${onChainBalance}, need ${request.amount}`
       );
     }
-    const verification = await (0, import_core6.verifyBurnConsent)(
-      {
-        name: this.domain.name,
-        chainId: this.chainId,
-        verifyingContract: this.domain.verifyingContract ?? this.pointTokenAddress
-      },
-      request.consent,
-      request.consentSignature,
-      request.userAddress
+    const deadline = BigInt(
+      Math.floor(this.now() / 1e3) + this.signatureDeadlineSeconds
     );
-    if (!verification.isValid) {
+    const domain = {
+      name: this.domain.name,
+      chainId: this.chainId,
+      verifyingContract: this.domain.verifyingContract ?? this.pointTokenAddress
+    };
+    const burnRequest = {
+      from: request.userAddress,
+      amount: request.amount,
+      nonce: burnNonce,
+      deadline
+    };
+    let burnerSignature;
+    try {
+      const sig = await (0, import_core4.signBurnRequest)(
+        this.burnerSignerWallet,
+        domain,
+        burnRequest
+      );
+      burnerSignature = sig.serialized;
+    } catch (err) {
       throw new PTRedeemError(
-        "SIGNATURE_MISMATCH",
-        `signer mismatch \u2014 expected ${request.userAddress}, got ${verification.recoveredAddress}`
+        "SIGNING_FAILED",
+        `failed to sign BurnRequest: ${err instanceof Error ? err.message : String(err)}`
       );
     }
     const lockId = await this.ledger.reservePendingCredit(
@@ -1871,33 +1455,21 @@ var PTRedeemHandler = class {
       aaNonce: request.aaNonce,
       pointTokenAddress: this.pointTokenAddress,
       batchExecutorAddress: this.batchExecutorAddress,
-      burnConsent: request.consent,
-      consentSignature: parseSigStruct(request.consentSignature)
+      burnRequest,
+      burnerSignature
     });
     return {
       lockId,
       userOp,
-      expiresInSeconds: Math.floor(this.redeemLockDurationMs / 1e3)
+      expiresInSeconds: Math.floor(this.redeemLockDurationMs / 1e3),
+      signatureDeadline: deadline
     };
   }
 };
-function parseSigStruct(serialized) {
-  const raw = serialized.slice(2);
-  if (raw.length !== 130) {
-    throw new PTRedeemError(
-      "INVALID_CONSENT",
-      `signature must be 65 bytes, got ${raw.length / 2}`
-    );
-  }
-  const r = `0x${raw.slice(0, 64)}`;
-  const s = `0x${raw.slice(64, 128)}`;
-  const v = parseInt(raw.slice(128, 130), 16);
-  return { v, r, s };
-}
 
 // src/api/handlers/topUpRedemptionHandler.ts
-var import_viem10 = require("viem");
-var import_core7 = require("@pafi-dev/core");
+var import_viem8 = require("viem");
+var import_core5 = require("@pafi-dev/core");
 var TopUpRedemptionError = class extends Error {
   constructor(code, message) {
     super(message);
@@ -1915,9 +1487,15 @@ var TopUpRedemptionHandler = class {
     this.ledger = config.ledger;
     this.ptRedeemHandler = config.ptRedeemHandler;
     this.provider = config.provider;
-    this.pointTokenAddress = (0, import_viem10.getAddress)(config.pointTokenAddress);
+    this.pointTokenAddress = (0, import_viem8.getAddress)(config.pointTokenAddress);
   }
   async handle(request) {
+    if ((0, import_viem8.getAddress)(request.authenticatedAddress) !== (0, import_viem8.getAddress)(request.userAddress)) {
+      throw new TopUpRedemptionError(
+        "UNAUTHORIZED",
+        `userAddress (${request.userAddress}) does not match authenticated session (${request.authenticatedAddress})`
+      );
+    }
     const offChainBalance = await this.ledger.getBalance(
       request.userAddress,
       this.pointTokenAddress
@@ -1926,7 +1504,7 @@ var TopUpRedemptionHandler = class {
       return { action: "NO_TOP_UP_NEEDED", offChainBalance };
     }
     const shortfall = request.requiredAmount - offChainBalance;
-    const onChainBalance = await (0, import_core7.getPointTokenBalance)(
+    const onChainBalance = await (0, import_core5.getPointTokenBalance)(
       this.provider,
       this.pointTokenAddress,
       request.userAddress
@@ -1939,24 +1517,11 @@ var TopUpRedemptionHandler = class {
         shortfall
       };
     }
-    if (request.redeemRequest.consent.amount < shortfall) {
-      throw new TopUpRedemptionError(
-        "CONSENT_AMOUNT_TOO_LOW",
-        `consent.amount (${request.redeemRequest.consent.amount}) must cover shortfall (${shortfall})`
-      );
-    }
-    if (request.redeemRequest.consent.amount !== shortfall) {
-      throw new TopUpRedemptionError(
-        "CONSENT_AMOUNT_TOO_LOW",
-        `consent.amount (${request.redeemRequest.consent.amount}) must equal shortfall (${shortfall}) exactly \u2014 re-sign with correct amount`
-      );
-    }
     const redeem = await this.ptRedeemHandler.handle({
+      authenticatedAddress: request.authenticatedAddress,
       userAddress: request.userAddress,
       amount: shortfall,
-      consent: request.redeemRequest.consent,
-      consentSignature: request.redeemRequest.consentSignature,
-      aaNonce: request.redeemRequest.aaNonce
+      aaNonce: request.aaNonce
     });
     return {
       action: "TOP_UP_STARTED",
@@ -1967,6 +1532,7 @@ var TopUpRedemptionHandler = class {
 };
 
 // src/pools/subgraphPoolsProvider.ts
+var import_viem9 = require("viem");
 var DEFAULT_CACHE_TTL_MS = 3e4;
 var POOL_QUERY = `
   query GetPoolForPointToken($id: ID!) {
@@ -1989,6 +1555,19 @@ function createSubgraphPoolsProvider(config) {
       "createSubgraphPoolsProvider: subgraphUrl is required"
     );
   }
+  try {
+    const parsed = new URL(config.subgraphUrl);
+    if (process.env.NODE_ENV === "production" && parsed.protocol !== "https:") {
+      throw new Error("subgraphUrl must use HTTPS in production");
+    }
+  } catch (err) {
+    if (err instanceof TypeError) {
+      throw new Error(
+        `subgraphPoolsProvider: invalid subgraphUrl: ${config.subgraphUrl}`
+      );
+    }
+    throw err;
+  }
   const cacheTtl = config.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;
   const fetchImpl = config.fetchImpl ?? globalThis.fetch;
   const now = config.now ?? (() => Date.now());
@@ -2057,6 +1636,26 @@ async function fetchPoolsFromSubgraph(fetchImpl, subgraphUrl, pointTokenAddress)
     return [];
   }
   const { pool } = token;
+  if (!(0, import_viem9.isAddress)(pool.hooks)) {
+    console.error(
+      "[PAFI] SubgraphPoolsProvider: invalid hooks address in response:",
+      pool.hooks,
+      "\u2014 skipping pool"
+    );
+    return [];
+  }
+  if (!(0, import_viem9.isAddress)(pool.token0.id) || !(0, import_viem9.isAddress)(pool.token1.id)) {
+    console.error(
+      "[PAFI] SubgraphPoolsProvider: invalid token address in response \u2014 skipping pool"
+    );
+    return [];
+  }
+  if (!Number.isFinite(Number(pool.feeTier)) || !Number.isFinite(Number(pool.tickSpacing))) {
+    console.error(
+      "[PAFI] SubgraphPoolsProvider: invalid feeTier/tickSpacing \u2014 skipping pool"
+    );
+    return [];
+  }
   const [currency0, currency1] = sortCurrencies(
     pool.token0.id,
     pool.token1.id
@@ -2092,6 +1691,19 @@ function createSubgraphNativeUsdtQuoter(config) {
       "createSubgraphNativeUsdtQuoter: subgraphUrl is required"
     );
   }
+  try {
+    const parsed = new URL(config.subgraphUrl);
+    if (process.env.NODE_ENV === "production" && parsed.protocol !== "https:") {
+      throw new Error("subgraphUrl must use HTTPS in production");
+    }
+  } catch (err) {
+    if (err instanceof TypeError) {
+      throw new Error(
+        `subgraphPoolsProvider: invalid subgraphUrl: ${config.subgraphUrl}`
+      );
+    }
+    throw err;
+  }
   const usdtDecimals = config.usdtDecimals ?? DEFAULT_USDT_DECIMALS;
   const nativeDecimals = config.nativeDecimals ?? DEFAULT_NATIVE_DECIMALS;
   const cacheTtl = config.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS2;
@@ -2168,6 +1780,14 @@ async function fetchEthPriceFromSubgraph(fetchImpl, subgraphUrl) {
     );
     return null;
   }
+  const MIN_REASONABLE_ETH_PRICE = 100;
+  const MAX_REASONABLE_ETH_PRICE = 1e5;
+  if (parsed < MIN_REASONABLE_ETH_PRICE || parsed > MAX_REASONABLE_ETH_PRICE) {
+    console.warn(
+      `[PAFI] SubgraphNativeUsdtQuoter: ETH/USD price ${parsed} is outside reasonable range. Using fallback.`
+    );
+    return null;
+  }
   return parsed;
 }
 function toUsdtPerNative(priceFloat, usdtDecimals) {
@@ -2178,7 +1798,7 @@ function toUsdtPerNative(priceFloat, usdtDecimals) {
 }
 
 // src/balance/balanceAggregator.ts
-var import_core8 = require("@pafi-dev/core");
+var import_core6 = require("@pafi-dev/core");
 var BalanceAggregator = class {
   provider;
   ledger;
@@ -2199,7 +1819,7 @@ var BalanceAggregator = class {
   async getCombinedBalance(user, pointToken) {
     const [offChain, onChain] = await Promise.all([
       this.ledger.getBalance(user, pointToken),
-      (0, import_core8.getPointTokenBalance)(this.provider, pointToken, user)
+      (0, import_core6.getPointTokenBalance)(this.provider, pointToken, user)
     ]);
     return {
       offChain,
@@ -2237,28 +1857,11 @@ var PafiBackendError = class extends Error {
   code;
   httpStatus;
   details;
-  /**
-   * Seconds to wait before retry. Populated from the server body
-   * (e.g. rate limit returns the number of seconds until UTC midnight).
-   */
   retryAfter;
-  /**
-   * `safeToRetry` as reported by the server body. Prefer this over the
-   * code-based heuristic when available — the server knows more about
-   * whether the same request will succeed on retry.
-   */
   serverSafeToRetry;
-  /**
-   * Whether the caller can safely retry the same request.
-   *
-   * If the server provided `safeToRetry` in the body, trust that.
-   * Otherwise fall back to a code-based heuristic.
-   */
   get safeToRetry() {
     if (this.serverSafeToRetry !== void 0) return this.serverSafeToRetry;
     switch (this.code) {
-      case "PAYMASTER_UNAVAILABLE":
-      case "PAYMASTER_TIMEOUT":
       case "RATE_LIMITER_UNAVAILABLE":
       case "INTERNAL_ERROR":
       case "TIMEOUT":
@@ -2267,196 +1870,22 @@ var PafiBackendError = class extends Error {
       case "RATE_LIMIT_EXCEEDED":
       case "RATE_LIMIT_EXCEEDED_DAILY":
       case "RATE_LIMIT_EXCEEDED_PER_USER":
+      case "ISSUER_BUDGET_EXCEEDED":
         return true;
-      // after retryAfter
       default:
         return false;
     }
   }
 };
 
-// src/pafi-backend/pafiBackendClient.ts
-var DEFAULT_TIMEOUT_MS = 1e4;
-var RETRY_DEFAULTS = {
-  maxAttempts: 1,
-  initialDelayMs: 500,
-  maxDelayMs: 1e4,
-  maxRetryAfterMs: 3e4
-};
-var PafiBackendClient = class {
-  url;
-  issuerId;
-  apiKey;
-  fetchImpl;
-  timeoutMs;
-  retry;
-  constructor(config) {
-    if (!config.url) {
-      throw new Error("PafiBackendClient: url is required");
-    }
-    if (!config.issuerId) {
-      throw new Error("PafiBackendClient: issuerId is required");
-    }
-    if (!config.apiKey) {
-      throw new Error("PafiBackendClient: apiKey is required");
-    }
-    this.url = config.url.replace(/\/+$/, "");
-    this.issuerId = config.issuerId;
-    this.apiKey = config.apiKey;
-    this.fetchImpl = config.fetchImpl ?? globalThis.fetch;
-    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS;
-    this.retry = { ...RETRY_DEFAULTS, ...config.retry ?? {} };
-    if (!this.fetchImpl) {
-      throw new Error(
-        "PafiBackendClient: no fetch implementation available \u2014 pass `fetchImpl` or run on Node 18+"
-      );
-    }
-    if (this.retry.maxAttempts < 1) {
-      throw new Error("PafiBackendClient: retry.maxAttempts must be >= 1");
-    }
-  }
-  /**
-   * Request paymaster sponsorship for a pre-built UserOperation.
-   * See [SPONSORED_PATH_FLOW.md §4.1] for the API contract.
-   *
-   * Retries automatically on transient failures (5xx, timeouts, network
-   * errors, and errors the server flags with `safeToRetry: true`) up to
-   * `retry.maxAttempts`. 4xx errors that are not `safeToRetry` fail fast.
-   *
-   * @throws PafiBackendError on final failure after exhausting retries
-   */
-  async requestSponsorship(req) {
-    return this.postWithRetry(
-      "/paymaster/sponsor",
-      req
-    );
-  }
-  // -------------------------------------------------------------------------
-  // Internals
-  // -------------------------------------------------------------------------
-  async postWithRetry(path, body) {
-    let lastError;
-    for (let attempt = 1; attempt <= this.retry.maxAttempts; attempt++) {
-      try {
-        return await this.post(path, body);
-      } catch (err) {
-        if (!(err instanceof PafiBackendError)) throw err;
-        lastError = err;
-        const isLastAttempt = attempt >= this.retry.maxAttempts;
-        if (isLastAttempt || !err.safeToRetry) throw err;
-        const delay = this.computeBackoff(attempt, err.retryAfter);
-        if (delay === null) throw err;
-        await this.sleep(delay);
-      }
-    }
-    throw lastError;
-  }
-  /**
-   * Pick the delay before the next retry.
-   * - If the server sent `retryAfter` (seconds), honor it (capped by
-   *   `maxRetryAfterMs`) — returns null if the server wait exceeds the
-   *   cap, signalling the caller should give up.
-   * - Otherwise: exponential backoff with ±20% jitter, capped at
-   *   `maxDelayMs`.
-   */
-  computeBackoff(attempt, retryAfter) {
-    if (retryAfter !== void 0) {
-      const serverMs = retryAfter * 1e3;
-      if (serverMs > this.retry.maxRetryAfterMs) return null;
-      return serverMs;
-    }
-    const exp = this.retry.initialDelayMs * 2 ** (attempt - 1);
-    const capped = Math.min(exp, this.retry.maxDelayMs);
-    const jitter = capped * (0.8 + Math.random() * 0.4);
-    return Math.round(jitter);
-  }
-  sleep(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
-  }
-  async post(path, body) {
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);
-    let response;
-    try {
-      response = await this.fetchImpl(`${this.url}${path}`, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          "Authorization": `Bearer ${this.apiKey}`,
-          "X-Issuer-Id": this.issuerId
-        },
-        body: JSON.stringify(body, this.bigintReplacer),
-        signal: controller.signal
-      });
-    } catch (err) {
-      if (err.name === "AbortError") {
-        throw new PafiBackendError(
-          "TIMEOUT",
-          `PAFI Backend request timed out after ${this.timeoutMs}ms`,
-          0
-        );
-      }
-      throw new PafiBackendError(
-        "NETWORK_ERROR",
-        `PAFI Backend unreachable: ${err.message}`,
-        0
-      );
-    } finally {
-      clearTimeout(timeoutId);
-    }
-    const text = await response.text();
-    if (!response.ok) {
-      let code = "INTERNAL_ERROR";
-      let message = text || response.statusText;
-      let details;
-      let retryAfter;
-      let serverSafeToRetry;
-      try {
-        const parsed = JSON.parse(text);
-        code = parsed.code ?? code;
-        message = parsed.message ?? message;
-        details = parsed.details;
-        if (typeof parsed.retryAfter === "number") retryAfter = parsed.retryAfter;
-        if (typeof parsed.safeToRetry === "boolean") serverSafeToRetry = parsed.safeToRetry;
-      } catch {
-      }
-      throw new PafiBackendError(code, message, response.status, details, {
-        ...retryAfter !== void 0 ? { retryAfter } : {},
-        ...serverSafeToRetry !== void 0 ? { safeToRetry: serverSafeToRetry } : {}
-      });
-    }
-    return JSON.parse(text, this.bigintReviver);
-  }
-  /** JSON replacer that stringifies bigints. Paired with bigintReviver. */
-  bigintReplacer = (_key, value) => {
-    return typeof value === "bigint" ? value.toString() : value;
-  };
-  /**
-   * JSON reviver that coerces specific numeric-string fields back to
-   * bigint. The server must send these fields as decimal strings.
-   */
-  bigintReviver = (key, value) => {
-    if (typeof value === "string" && (key.endsWith("GasLimit") || key === "nonce" || key === "callGasLimit" || key === "verificationGasLimit" || key === "preVerificationGas" || key === "maxFeePerGas" || key === "maxPriorityFeePerGas" || key === "paymasterVerificationGasLimit" || key === "paymasterPostOpGasLimit") && /^\d+$/.test(value)) {
-      return BigInt(value);
-    }
-    return value;
-  };
-};
-
 // src/config.ts
-var import_viem11 = require("viem");
+var import_viem10 = require("viem");
 function createIssuerService(config) {
   if (!config.provider) {
     throw new Error("createIssuerService: provider is required");
   }
-  if (!config.operatorWallet) {
-    throw new Error("createIssuerService: operatorWallet is required");
-  }
-  if (!config.signer) {
-    throw new Error("createIssuerService: signer is required");
-  }
-  if (!config.relayAddress) {
-    throw new Error("createIssuerService: relayAddress is required");
+  if (!config.ledger) {
+    throw new Error("createIssuerService: ledger is required");
   }
   if (!config.auth?.jwtSecret) {
     throw new Error("createIssuerService: auth.jwtSecret is required");
@@ -2470,8 +1899,8 @@ function createIssuerService(config) {
       "createIssuerService: at least one of pointTokenAddress / pointTokenAddresses is required"
     );
   }
-  const tokenAddresses = rawAddresses.map((a) => (0, import_viem11.getAddress)(a));
-  const ledger = config.ledger ?? new MemoryPointLedger();
+  const tokenAddresses = rawAddresses.map((a) => (0, import_viem10.getAddress)(a));
+  const ledger = config.ledger;
   const sessionStore = config.sessionStore ?? new MemorySessionStore();
   const policy = config.policy ?? new DefaultPolicyEngine({ ledger });
   const authServiceConfig = {
@@ -2484,18 +1913,7 @@ function createIssuerService(config) {
     authServiceConfig.jwtExpiresIn = config.auth.jwtExpiresIn;
   }
   const authService = new AuthService(authServiceConfig);
-  const relayServiceConfig = {
-    relayAddress: config.relayAddress,
-    operatorWallet: config.operatorWallet,
-    provider: config.provider
-  };
-  if (config.relay?.simulateBeforeSubmit !== void 0) {
-    relayServiceConfig.simulateBeforeSubmit = config.relay.simulateBeforeSubmit;
-  }
-  if (config.relay?.confirmationTimeoutMs !== void 0) {
-    relayServiceConfig.confirmationTimeoutMs = config.relay.confirmationTimeoutMs;
-  }
-  const relayService = new RelayService(relayServiceConfig);
+  const relayService = new RelayService();
   let feeManager;
   if (config.fee) {
     feeManager = new FeeManager({
@@ -2503,16 +1921,6 @@ function createIssuerService(config) {
       provider: config.provider
     });
   }
-  const gatewayConfig = {
-    ledger,
-    policy,
-    signer: config.signer,
-    relayService
-  };
-  if (config.gateway?.defaultLockBufferMs !== void 0) {
-    gatewayConfig.defaultLockBufferMs = config.gateway.defaultLockBufferMs;
-  }
-  const gateway = new MintingGateway(gatewayConfig);
   const indexers = /* @__PURE__ */ new Map();
   for (const tokenAddress of tokenAddresses) {
     const indexerConfig = {
@@ -2540,7 +1948,6 @@ function createIssuerService(config) {
   const firstIndexer = indexers.get(tokenAddresses[0]);
   const handlersConfig = {
     authService,
-    gateway,
     ledger,
     provider: config.provider,
     pointTokenAddresses: tokenAddresses,
@@ -2549,6 +1956,15 @@ function createIssuerService(config) {
   };
   if (feeManager) handlersConfig.feeManager = feeManager;
   if (config.poolsProvider) handlersConfig.poolsProvider = config.poolsProvider;
+  if (config.claim) {
+    handlersConfig.claim = {
+      policy,
+      relayService,
+      issuerSignerWallet: config.claim.issuerSignerWallet,
+      batchExecutorAddress: config.claim.batchExecutorAddress,
+      lockDurationMs: config.claim.lockDurationMs
+    };
+  }
   const handlers = new IssuerApiHandlers(handlersConfig);
   if (config.indexer?.autoStart) {
     for (const idx of indexers.values()) {
@@ -2560,10 +1976,8 @@ function createIssuerService(config) {
     sessionStore,
     ledger,
     policy,
-    signer: config.signer,
     relayService,
     feeManager,
-    gateway,
     indexers,
     indexer: firstIndexer,
     handlers
@@ -2582,18 +1996,13 @@ var PAFI_ISSUER_SDK_VERSION = "0.1.0";
   FeeManager,
   InMemoryCursorStore,
   IssuerApiHandlers,
-  MemoryPointLedger,
   MemorySessionStore,
-  MintingGateway,
-  MintingGatewayError,
   NonceManager,
   PAFI_ISSUER_SDK_VERSION,
   PTRedeemError,
   PTRedeemHandler,
-  PafiBackendClient,
   PafiBackendError,
   PointIndexer,
-  PrivateKeySigner,
   RelayError,
   RelayService,
   TopUpRedemptionError,
@@ -2601,7 +2010,6 @@ var PAFI_ISSUER_SDK_VERSION = "0.1.0";
   authenticateRequest,
   createIssuerService,
   createSubgraphNativeUsdtQuoter,
-  createSubgraphPoolsProvider,
-  encodeExtData
+  createSubgraphPoolsProvider
 });
 //# sourceMappingURL=index.cjs.map