npm - @pafi-dev/issuer - Versions diffs - 0.3.0-beta.1 → 0.3.0-beta.11 - Mend

@pafi-dev/issuer 0.3.0-beta.1 → 0.3.0-beta.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,5 @@
-import { Address, Hex, PublicClient, Chain } from 'viem';
-import { PointTokenDomainConfig, MintRequest, EIP712Signature, MintParams, SwapParams, MintRequestV2, SignatureStruct, PartialUserOperation, BurnConsent, ReceiverConsent, PathKey, PoolKey, SponsorshipScenario } from '@pafi-dev/core';
-export { encodeExtData } from '@pafi-dev/core';
+import { Address, Hex, PublicClient, WalletClient } from 'viem';
+import { PointTokenDomainConfig, PartialUserOperation, BurnRequest, ReceiverConsent, PathKey, PoolKey } from '@pafi-dev/core';
 /**
  * Lifecycle of a minting request as tracked by the issuer's point ledger.
@@ -63,11 +62,7 @@ interface IPointLedger {
     lockForMinting(userAddress: Address, amount: bigint, lockDurationMs: number, tokenAddress?: Address): Promise<string>;
     /** Release a previously created lock (e.g. on tx failure / cancel). */
     releaseLock(lockId: string): Promise<void>;
-    /**
-     * Permanently deduct an amount from a user's balance after the on-chain
-     * mint has been observed by the indexer. Should also resolve any matching
-     * lock so the funds aren't double-counted.
-     */
+    /** Deduct balance after a confirmed on-chain mint. Idempotent on `txHash`. */
     deductBalance(userAddress: Address, amount: bigint, txHash: Hex, tokenAddress?: Address): Promise<void>;
     /** Credit points to a user's balance (e.g. from merchant activity). */
     creditBalance(userAddress: Address, amount: bigint, reason: string, tokenAddress?: Address): Promise<void>;
@@ -98,47 +93,6 @@ interface IPointLedger {
     resolveCreditByBurnTx?(lockId: string, txHash: Hex): Promise<void>;
 }
-/**
- * In-memory IPointLedger implementation for development and tests.
- *
- * NOT for production — state is lost on restart. Issuers should ship their
- * own database-backed implementation.
- *
- * Concurrency model: single-process, single-threaded (Node.js event loop).
- * The lock check + insert is atomic within a tick because no awaits sit
- * between balance read and lock write.
- *
- * **Multi-token (0.2.0):** Balances are keyed by `(user, token)`. If callers
- * omit `tokenAddress`, the literal string "default" is used — that keeps
- * single-token usage working exactly like 0.1.x.
- */
-declare class MemoryPointLedger implements IPointLedger {
-    private balances;
-    private locks;
-    private nextLockId;
-    private now;
-    constructor(opts?: {
-        now?: () => number;
-    });
-    getBalance(userAddress: Address, tokenAddress?: Address): Promise<bigint>;
-    getLockedRequests(userAddress: Address, tokenAddress?: Address): Promise<LockedMintRequest[]>;
-    creditBalance(userAddress: Address, amount: bigint, _reason: string, tokenAddress?: Address): Promise<void>;
-    lockForMinting(userAddress: Address, amount: bigint, lockDurationMs: number, tokenAddress?: Address): Promise<string>;
-    releaseLock(lockId: string): Promise<void>;
-    deductBalance(userAddress: Address, amount: bigint, txHash: Hex, tokenAddress?: Address): Promise<void>;
-    updateMintStatus(lockId: string, status: MintingStatus, txHash?: Hex): Promise<void>;
-    private pendingCredits;
-    private nextCreditId;
-    reservePendingCredit(userAddress: Address, amount: bigint, durationMs: number, tokenAddress?: Address): Promise<string>;
-    resolveCreditByBurnTx(lockId: string, txHash: Hex): Promise<void>;
-    /**
-     * Auto-expire any PENDING lock past its expiry. Called lazily on every
-     * read/write so the in-memory state stays self-cleaning without a timer.
-     */
-    private purgeExpired;
-    private lockedTotalFor;
-}
 /**
  * Input to a policy evaluation. Policy engines use this to decide whether
  * a user's mint request should be approved.
@@ -214,56 +168,6 @@ declare class DefaultPolicyEngine implements IPolicyEngine {
     evaluate(request: PolicyEvalRequest): Promise<PolicyDecision>;
 }
-/**
- * Issuer signer — produces the MintRequest EIP-712 signature that the Relay
- * contract verifies against the issuer's on-chain authorized minter.
- *
- * This is a trust boundary: the default `PrivateKeySigner` holds the key in
- * process memory and is intended for local development only. Production
- * issuers replace this with an HSM/KMS/MPC integration.
- */
-interface IIssuerSigner {
-    /**
-     * Sign a `MintRequest` message against the point token's EIP-712 domain.
-     * The returned signature is what the Relay contract passes to
-     * `PointToken.verify` during `mintAndSwap`.
-     */
-    signMintRequest(domain: PointTokenDomainConfig, message: MintRequest): Promise<EIP712Signature>;
-    /** Get the signer's on-chain address (used for verification / logging). */
-    getAddress(): Promise<Address>;
-}
-interface PrivateKeySignerOptions {
-    /** 0x-prefixed 32-byte hex private key */
-    privateKey: Hex;
-    /**
-     * Chain metadata for the viem WalletClient. Only the chain id is actually
-     * used for signing; a minimal stub is acceptable (it does not need to
-     * match the deployed chain config beyond id).
-     */
-    chain: Chain;
-    /**
-     * Optional RPC URL. `signTypedData` is offline, so this can usually be
-     * left unset — viem only requires a transport to construct the client.
-     */
-    rpcUrl?: string;
-}
-/**
- * Local-key implementation of `IIssuerSigner`. Wraps viem's `signTypedData`
- * via the shared `@pafi/core` `signMintRequest` helper.
- *
- * ⚠️ **NOT for production use.** The private key lives in process memory
- * and is trivially extractable from a compromised host. Replace with an
- * HSM/KMS/MPC-backed `IIssuerSigner` before deployment.
- */
-declare class PrivateKeySigner implements IIssuerSigner {
-    private readonly account;
-    private readonly walletClient;
-    constructor(opts: PrivateKeySignerOptions);
-    signMintRequest(domain: PointTokenDomainConfig, message: MintRequest): Promise<EIP712Signature>;
-    getAddress(): Promise<Address>;
-}
 /**
  * A server-issued session created after a successful wallet login. The
  * token id is embedded in the JWT so sessions can be revoked without
@@ -449,168 +353,93 @@ declare class AuthError extends Error {
 }
 /**
- * Parameters for a single `mintAndSwap` relay submission. This is the
- * exact shape the Relay contract expects, with the two structs the
- * `@pafi/core` calldata helpers build. The RelayService wires these
- * through viem's `writeContract`.
- */
-interface SubmitMintAndSwapParams {
-    mint: MintParams;
-    swap: SwapParams;
-}
-/**
- * Result of a relay submission. `txHash` is returned immediately after
- * the tx is broadcast; `receipt` is present only when the caller opted to
- * wait for confirmation.
- */
-interface RelayResult {
-    txHash: Hex;
-    blockNumber?: bigint;
-    gasUsed?: bigint;
-    status?: "success" | "reverted";
-}
-/**
- * Errors raised by RelayService carry a `code` so the MintingGateway (or
- * any caller) can decide whether to release the ledger lock.
+ * Errors raised by RelayService carry a `code` so callers (handlers /
+ * gateway-less HTTP wrappers) can decide how to map them to HTTP status.
+ *
+ * v1.4 trimmed the error space to just encoding failures — the service
+ * no longer broadcasts transactions, so `SUBMIT_FAILED`, `TX_REVERTED`,
+ * `SIMULATION_FAILED`, and `TIMEOUT` all went away with the operator
+ * wallet. Paymaster/Bundler errors surface out-of-band on the FE.
  */
-type RelayErrorCode = "NOT_CONFIGURED" | "ENCODE_FAILED" | "SIMULATION_FAILED" | "SUBMIT_FAILED" | "TX_REVERTED" | "TIMEOUT";
+type RelayErrorCode = "NOT_CONFIGURED" | "ENCODE_FAILED";
 declare class RelayError extends Error {
     readonly code: RelayErrorCode;
     readonly cause?: unknown;
     constructor(code: RelayErrorCode, message: string, cause?: unknown);
 }
-/**
- * Interface an operator wallet must satisfy for the RelayService. Matches
- * the subset of viem's `WalletClient` we actually call, so tests can pass
- * a minimal mock instead of a full client.
- */
-interface OperatorWalletLike {
-    writeContract: (args: {
-        address: Address;
-        abi: readonly unknown[];
-        functionName: string;
-        args: readonly unknown[];
-        account?: {
-            address: Address;
-        };
-    }) => Promise<Hex>;
-    account?: {
-        address: Address;
-    } | undefined;
-}
-interface RelayServiceConfig {
-    /** Address of the deployed Relay contract (chain-specific). */
-    relayAddress: Address;
-    /** Operator wallet that pays gas and receives the operator fee. */
-    operatorWallet: OperatorWalletLike;
-    /**
-     * Provider used for pre-flight simulation and receipt waiting. Optional —
-     * if omitted, the service still broadcasts but returns only `txHash`
-     * (caller is responsible for confirmation tracking).
-     */
-    provider?: PublicClient;
-    /**
-     * If a provider is supplied, wait up to this many milliseconds for a
-     * receipt before timing out. Default: 60_000 (one minute).
-     */
-    confirmationTimeoutMs?: number;
-    /**
-     * Whether to run `simulateContract` before submitting. Catches most
-     * reverts locally without wasting gas. Default: true (when provider is
-     * supplied).
-     */
-    simulateBeforeSubmit?: boolean;
-}
 /**
- * Submits `mintAndSwap` transactions to the Relay contract on behalf of
- * the issuer. This is the single place the operator wallet is touched; the
- * MintingGateway calls into `submitMintAndSwap()` after it has signed the
- * MintRequest and verified the ReceiverConsent.
+ * Builds unsigned `PartialUserOperation` payloads for the v1.4 sponsored
+ * flow. The service is stateless and HTTP-client-free:
  *
- * The service is intentionally thin: calldata encoding stays in `@pafi/core`
- * (`encodeMintAndSwap`), so on-chain ABI changes only ripple through one
- * package.
+ *   - `prepareMint` signs a `MintRequest` EIP-712 with the caller-supplied
+ *     issuer signer wallet, then encodes `PointToken.mint(to, amount,
+ *     deadline, minterSig)` into a UserOp the frontend submits via
+ *     EIP-7702 + Paymaster.
+ *   - `prepareBurn` mirrors the above on the burn side using a
+ *     pre-signed `BurnRequest` + `PointToken.burn(from, amount,
+ *     deadline, burnerSig)`.
+ *
+ * There is no broadcasting, no operator wallet, no simulation — those
+ * concerns moved to the Bundler + Paymaster in v1.4.
  */
 declare class RelayService {
-    private readonly relayAddress;
-    private readonly operatorWallet;
-    private readonly provider?;
-    private readonly confirmationTimeoutMs;
-    private readonly simulateBeforeSubmit;
-    constructor(config: RelayServiceConfig);
-    /** Address the operator wallet is broadcasting from (for logging). */
-    operatorAddress(): Address | undefined;
-    /**
-     * Build calldata for the Relay `mintAndSwap` function. Kept public so
-     * callers (e.g. the MintingGateway) can log or persist the encoded call
-     * for audit before broadcasting.
-     */
-    encodeCall(params: SubmitMintAndSwapParams): Hex;
     /**
-     * Submit a `mintAndSwap` transaction. Flow:
-     *
-     *   1. (optional) pre-flight simulate via provider
-     *   2. writeContract through the operator wallet
-     *   3. (optional) wait for the receipt and surface gasUsed / status
-     *
-     * Throws a typed `RelayError` on any failure so the MintingGateway can
-     * decide whether to release the ledger lock (`SUBMIT_FAILED` and
-     * `SIMULATION_FAILED` are safe to release; `TX_REVERTED` and `TIMEOUT`
-     * need manual review because the tx may still land).
-     *
-     * @deprecated Since 0.3.0 — will be replaced by `prepareMint()` +
-     * `prepareBurn()` in the v1.4 sponsored-UserOp flow. The SC team
-     * still needs to finalize Relayer v2 ABI before the replacements
-     * can ship (blocker B1). Kept for v0.2.x consumers. Removed in 2.0.
+     * Build an unsigned UserOp for Scenario 1 (Mint) — sig-gated
+     * `PointToken.mint(to, amount, deadline, minterSig)`.
      */
-    submitMintAndSwap(params: SubmitMintAndSwapParams): Promise<RelayResult>;
-    /**
-     * Build an unsigned UserOp for Scenario 1 (Mint).
-     *
-     * Flow:
-     *   1. Encode `Relayer.mint(request, userSig, issuerSig)` as the inner call
-     *   2. Optionally append a PT fee transfer from user → feeRecipient
-     *      (fee recovery happens on-chain via BatchExecutor, not via an
-     *      operator wallet)
-     *   3. Wrap all inner calls into `BatchExecutor.execute(calls[])`
-     *   4. Return a `PartialUserOperation` ready for:
-     *        - gas estimation (Bundler)
-     *        - paymaster sponsorship (PAFI Backend)
-     *        - user signature (Privy)
-     */
-    prepareMint(params: PrepareMintParams): PartialUserOperation;
+    prepareMint(params: PrepareMintParams): Promise<PartialUserOperation>;
     /**
      * Build an unsigned UserOp for Scenario 2 (Burn/Redeem).
      *
      * Two modes:
-     *   - `mode: 'burn'` — direct `PointToken.burn(amount)`; `msg.sender`
-     *     via EIP-7702 delegation is the user, so no signature needed
-     *     on-chain (the BurnConsent was already verified off-chain by
-     *     the issuer backend before we got here)
-     *   - `mode: 'burnWithSig'` — `PointToken.burnWithSig(consent, sig)`;
-     *     used when the issuer hasn't verified the consent and the
-     *     contract has to do it on-chain
+     *   - `mode: 'burn'` — direct `PointToken.burn(from, amount)`; only
+     *     usable if the caller (via EIP-7702) is whitelisted as a burner.
+     *     Rare in v1.4; kept for admin/operator tools.
+     *   - `mode: 'burnWithSig'` — `PointToken.burn(from, amount, deadline,
+     *     burnerSig)`. Caller provides a pre-signed `BurnRequest` + sig
+     *     bytes (typically from `PTRedeemHandler`).
      */
     prepareBurn(params: PrepareBurnParams): PartialUserOperation;
 }
+/**
+ * v1.4 — sig-gated `PointToken.mint(to, amount, deadline, minterSig)`.
+ *
+ * The issuer backend validates off-chain (balance, policy, KYC), signs
+ * a `MintRequest` EIP-712 with its minter signer, and packages the
+ * whole thing into a UserOp for the user to submit via EIP-7702 +
+ * Paymaster. On confirmation, PointIndexer watches `Transfer(0x0, user,
+ * amount)` and resolves the ledger lock.
+ */
 interface PrepareMintParams {
     /** User EOA that will send the UserOp (via EIP-7702 delegation). */
     userAddress: Address;
-    /** ERC-4337 account nonce (not the MintRequest nonce — different namespace). */
+    /** ERC-4337 account nonce. Caller fetches from EntryPoint v0.7. */
     aaNonce: bigint;
-    /** Deployed Relayer v2 contract address (chain-specific). */
-    relayerAddress: Address;
     /** BatchExecutor delegation target (chain-specific). */
     batchExecutorAddress: Address;
-    /** PointToken being minted — used for optional fee transfer call. */
+    /** PointToken contract — the call target + EIP-712 verifying contract. */
     pointTokenAddress: Address;
-    /** EIP-712-signed MintRequest fields. */
-    mintRequest: MintRequestV2;
-    /** User's EIP-712 signature over `mintRequest`. */
-    userSignature: SignatureStruct;
-    /** Issuer's EIP-712 signature over `mintRequest`. */
-    issuerSignature: SignatureStruct;
+    /** PT amount to mint to `userAddress`. */
+    amount: bigint;
+    /**
+     * Issuer minter signer wallet — signs the `MintRequest` EIP-712.
+     * Must be added to `PointToken.minters[]` via `addMinter(signerAddr)`
+     * at provisioning time. Typically HSM/KMS-backed in prod.
+     */
+    issuerSignerWallet: WalletClient;
+    /** EIP-712 domain for MintRequest. */
+    domain: PointTokenDomainConfig;
+    /** Current `mintRequestNonces[userAddress]` — caller reads from contract. */
+    mintRequestNonce: bigint;
+    /** Unix timestamp after which the signature expires. */
+    deadline: bigint;
+    /**
+     * Optional — application-level fee transfer appended after mint.
+     * Set both `feeAmount` and `feeRecipient` together.
+     */
+    feeAmount?: bigint;
+    feeRecipient?: Address;
     /** Gas limits — defaults are conservative; caller can tighten. */
     callGasLimit?: bigint;
     verificationGasLimit?: bigint;
@@ -632,8 +461,10 @@ interface PrepareBurnDirectParams extends PrepareBurnCommonParams {
 }
 interface PrepareBurnWithSigParams extends PrepareBurnCommonParams {
     mode: "burnWithSig";
-    burnConsent: BurnConsent;
-    consentSignature: SignatureStruct;
+    /** BurnRequest message the issuer burner signer signed. */
+    burnRequest: BurnRequest;
+    /** Serialized EIP-712 signature (bytes) over `burnRequest`. */
+    burnerSignature: Hex;
 }
 interface FeeManagerConfig {
@@ -683,6 +514,9 @@ declare class FeeManager {
     private readonly gasUnits;
     private readonly gasPremiumBps;
     private readonly quoteNativeToFee;
+    private cachedFee;
+    private cacheExpiresAt;
+    private static readonly CACHE_TTL_MS;
     constructor(config: FeeManagerConfig);
     /**
      * Estimate the fee (in the caller's fee currency) to charge for the
@@ -699,156 +533,6 @@ declare class FeeManager {
     estimateGasFee(): Promise<bigint>;
 }
-/**
- * End-user request for a full "burn points → receive USDT" flow. The
- * receiver has already signed the `ReceiverConsent` EIP-712 message on
- * the frontend; the issuer backend runs everything else.
- */
-interface MintAndCashOutRequest {
-    /** Address owning the off-chain points (== receiver in the consent). */
-    userAddress: Address;
-    /** Point token contract to mint. */
-    pointTokenAddress: Address;
-    /** Chain id the relay will submit on. */
-    chainId: number;
-    /**
-     * EIP-712 domain for `pointTokenAddress`. The gateway passes this
-     * straight through to `@pafi/core` `verifyReceiverConsent` and the
-     * issuer signer. Callers typically fetch it once via
-     * `PafiSDK.getDomain()` and cache it.
-     */
-    domain: PointTokenDomainConfig;
-    /**
-     * Receiver consent message + signature, pre-built by the frontend. The
-     * message specifies `onBehalfOf = relay contract` and
-     * `originalReceiver = userAddress`, plus the amount, nonce, deadline,
-     * and encoded extData.
-     */
-    receiverConsent: ReceiverConsent;
-    receiverSignature: Hex;
-    /**
-     * Swap path for the USDT output. Empty array = "no swap" (rare — only
-     * useful for testing). Normally a single hop pointToken → USDT.
-     */
-    swapPath: PathKey[];
-    /** Swap deadline (unix seconds). */
-    swapDeadline: bigint;
-    /**
-     * Lock TTL (ms) to apply to the off-chain balance. The gateway computes
-     * a safe default from `receiverConsent.deadline` if omitted.
-     */
-    lockDurationMs?: number;
-}
-/**
- * Result returned to the caller after a successful `processMintAndCashOut`.
- * The `lockId` is preserved so the indexer can correlate the on-chain
- * Mint event back to the ledger row (though that correlation is typically
- * done by `(userAddress, amount)` in the default `MemoryPointLedger`).
- */
-interface MintAndCashOutResponse {
-    txHash: Hex;
-    lockId: string;
-    blockNumber?: bigint;
-    gasUsed?: bigint;
-}
-/**
- * Error codes a MintingGateway can surface. Callers (API handlers) map
- * these to HTTP status codes. The `SAFE_TO_RETRY` field tells the caller
- * whether the underlying lock was released — if not, the user should
- * wait before retrying to avoid double-spend.
- */
-type MintingGatewayErrorCode = "INVALID_REQUEST" | "INVALID_CONSENT_SIGNATURE" | "CONSENT_EXPIRED" | "POLICY_REJECTED" | "INSUFFICIENT_BALANCE" | "SIGNER_FAILED" | "RELAY_SIMULATION_FAILED" | "RELAY_SUBMIT_FAILED" | "RELAY_REVERTED" | "RELAY_TIMEOUT";
-declare class MintingGatewayError extends Error {
-    readonly code: MintingGatewayErrorCode;
-    /**
-     * True if the ledger lock was released before this error was thrown,
-     * meaning the user can safely retry. False means the funds are still
-     * locked (e.g. tx may still land on-chain) and retry would double-spend.
-     */
-    readonly safeToRetry: boolean;
-    readonly cause?: unknown;
-    constructor(code: MintingGatewayErrorCode, message: string, opts: {
-        safeToRetry: boolean;
-        cause?: unknown;
-    });
-}
-interface MintingGatewayConfig {
-    ledger: IPointLedger;
-    policy: IPolicyEngine;
-    signer: IIssuerSigner;
-    relayService: RelayService;
-    /**
-     * Clock override for tests. Defaults to `() => Date.now()`. Used to
-     * compute safe lock TTLs and to check consent deadlines.
-     */
-    now?: () => number;
-    /**
-     * Extra buffer (ms) added on top of `(consent.deadline - now)` when the
-     * caller doesn't supply a `lockDurationMs`. Default: 60_000 (one minute
-     * — roughly 2× the Base L2 block confirmation time).
-     */
-    defaultLockBufferMs?: number;
-}
-/**
- * The MintingGateway is the central orchestrator that turns a user's
- * signed ReceiverConsent into an on-chain `mintAndSwap` tx and a
- * consistent off-chain ledger update.
- *
- * 11-step flow (per `PAFI_ISSUER_SDK_SPEC.md` §4.3):
- *
- *   1. Field validation (cheap rejects before any crypto)
- *   2. Verify ReceiverConsent signature via `@pafi/core`
- *   3. Check off-chain balance via ledger
- *   4. Check locked requests via ledger
- *   5. Run policy engine (balance + on-chain cap + issuer rules)
- *   6. Lock the requested amount in the ledger
- *   7. Sign MintRequest as issuer
- *   8. Build MintParams + SwapParams
- *   9. Submit via RelayService (encode + simulate + broadcast + wait)
- *  10. Return { txHash, lockId, receipt fields }
- *  11. On any failure, release the lock IF it's safe to retry — i.e. we
- *      know the tx cannot still land on-chain. If the tx may have made
- *      it (`TX_REVERTED` or `TIMEOUT`), we leave the lock alone and
- *      surface `safeToRetry: false` so the caller doesn't double-spend.
- *
- * The gateway deliberately does NOT deduct the balance here. Deduction
- * happens in the `PointIndexer` when the on-chain Mint event is observed,
- * which is what makes the system crash-safe: if the gateway dies between
- * broadcast and receipt, the indexer will still finalize the ledger.
- */
-declare class MintingGateway {
-    private readonly ledger;
-    private readonly policy;
-    private readonly signer;
-    private readonly relayService;
-    private readonly now;
-    private readonly defaultLockBufferMs;
-    constructor(config: MintingGatewayConfig);
-    /**
-     * @deprecated Since 0.3.0 — will be renamed to `processMint()` once
-     * the SC team finalizes Relayer v2 ABI. The new flow drops the
-     * swap steps entirely (no more single-call mint+swap); users swap
-     * separately on PAFI Web. Kept here for v0.2.x consumers. Removed in 2.0.
-     */
-    processMintAndCashOut(request: MintAndCashOutRequest): Promise<MintAndCashOutResponse>;
-    private computeLockDurationMs;
-    /**
-     * Map a RelayError to a MintingGatewayError, releasing the lock only
-     * when the tx definitely did not land. `TX_REVERTED` and `TIMEOUT`
-     * leave the lock in place because the tx may still be in the mempool
-     * or already mined — releasing would enable a double-spend on retry.
-     * Always throws.
-     */
-    private handleRelayFailure;
-    /**
-     * Release a lock, swallowing any secondary error. We never want a lock
-     * release failure to mask the original error — the lock will auto-expire
-     * via TTL anyway.
-     */
-    private releaseLockSafely;
-}
 /** Decoded Transfer(from=0x0 → to) event used to finalize a mint. */
 interface MintEvent {
     /** Destination address (the user who received the minted points) */
@@ -1008,6 +692,15 @@ interface BurnIndexerConfig {
     /** Polling interval (ms). Default: 5000. */
     pollIntervalMs?: number;
     now?: () => number;
+    /**
+     * Map a burn event to the pending credit lockId that should be resolved.
+     * Return `undefined` to skip this burn event (no credit granted).
+     *
+     * REQUIRED — there is no default implementation. Issuers with a Postgres
+     * ledger typically JOIN on `(from, amount, status=PENDING)`. The in-memory
+     * ledger uses a lookup by lockId supplied out-of-band from the claim flow.
+     */
+    matchLockId: (event: BurnEvent) => Promise<string | undefined>;
 }
 /**
  * Mirror of `PointIndexer` for the reverse direction — watches
@@ -1038,17 +731,6 @@ declare class BurnIndexer {
     private readonly confirmations;
     private readonly batchSize;
     private readonly pollIntervalMs;
-    /**
-     * Caller-supplied matcher. Return the lockId to resolve for a given
-     * burn event, or `undefined` to skip. Runs synchronously via the
-     * ledger's query path.
-     *
-     * Default: try `ledger.resolveCreditByBurnTx` keyed on a synthetic
-     * lock id `burn-${from}-${amount}` — the in-memory ledger assigns
-     * incrementing IDs so callers with the memory ledger must provide a
-     * custom matcher. Real DB-backed ledgers override this to JOIN on
-     * their `pending_credits` table.
-     */
     matchLockId: (event: BurnEvent) => Promise<string | undefined>;
     private running;
     private timer;
@@ -1093,6 +775,18 @@ interface ApiConfigResponse {
         mintingOracle?: Address;
         poolManager?: Address;
         usdt?: Address;
+        /**
+         * EIP-7702 delegation target — the single contract every user's
+         * EOA must delegate to before submitting sponsored UserOps. On
+         * Base mainnet this is Coinbase Smart Wallet v2.
+         */
+        batchExecutor?: Address;
+        /**
+         * Uniswap V4 hook that enforces the 10% fee on PT→USDT swaps
+         * (USDT→PT is free). FE uses this in `PoolKey.hooks` when building
+         * a swap; the pool is only discoverable when the hook matches.
+         */
+        pafiHook?: Address;
     };
     /**
      * Absolute URL that the Issuer App opens after a successful claim to
@@ -1186,6 +880,27 @@ interface ApiClaimAndSwapResponse {
     blockNumber?: bigint;
     gasUsed?: bigint;
 }
+interface ApiClaimRequest {
+    chainId: number;
+    pointTokenAddress: Address;
+    /** PT amount to mint. */
+    amount: bigint;
+    /** ERC-4337 account nonce for the user's EOA (from EntryPoint). */
+    aaNonce: bigint;
+    /** Unix seconds — when the MintRequest signature expires. */
+    deadline: bigint;
+    /** Optional operator fee (PT) deducted inside the same UserOp batch. */
+    feeAmount?: bigint;
+    feeRecipient?: Address;
+}
+interface ApiClaimResponse {
+    /** Off-chain lock id — poll `/user` to track PENDING → MINTED. */
+    lockId: string;
+    /** Unsigned UserOp — attach paymaster data + user signature, then submit. */
+    userOp: PartialUserOperation;
+    /** Seconds until the off-chain lock expires if the UserOp is not submitted. */
+    expiresInSeconds: number;
+}
 interface ApiBuildConsentTypedDataRequest {
     chainId: number;
     pointTokenAddress: Address;
@@ -1211,7 +926,6 @@ type PoolsProvider = (request: ApiPoolsRequest) => Promise<ApiPoolsResponse>;
 interface IssuerApiHandlersConfig {
     authService: AuthService;
-    gateway: MintingGateway;
     ledger: IPointLedger;
     /** Used by `handleUser` to read on-chain nonces and minter status. */
     provider: PublicClient;
@@ -1237,13 +951,26 @@ interface IssuerApiHandlersConfig {
     feeManager?: FeeManager;
     /** Required by `handlePools`; omit to disable the endpoint. */
     poolsProvider?: PoolsProvider;
+    /**
+     * Required by `handleClaim`; omit to disable the endpoint.
+     * Wires policy evaluation + ledger locking + MintRequest signing
+     * into a single atomic handler so callers cannot accidentally skip
+     * the policy check.
+     */
+    claim?: {
+        policy: IPolicyEngine;
+        relayService: RelayService;
+        issuerSignerWallet: WalletClient;
+        batchExecutorAddress: Address;
+        /** How long to hold the off-chain lock while the UserOp is in flight. Default: 15 min. */
+        lockDurationMs?: number;
+    };
 }
 /**
  * Framework-agnostic HTTP handlers that match the endpoints a `PafiSDK`
  * frontend expects to call. Issuers wrap these in Express / Fastify /
  * Hono / whatever — the handlers take plain inputs and return plain
- * outputs, with `AuthError` / `MintingGatewayError` surfaced as typed
- * exceptions.
+ * outputs, with `AuthError` surfaced as typed exceptions.
  *
  * Every protected handler takes a pre-verified `userAddress` as its first
  * argument. The issuer's middleware wraps `authenticateRequest()` from
@@ -1252,7 +979,6 @@ interface IssuerApiHandlersConfig {
  */
 declare class IssuerApiHandlers {
     private readonly authService;
-    private readonly gateway;
     private readonly ledger;
     private readonly provider;
     /**
@@ -1260,15 +986,12 @@ declare class IssuerApiHandlers {
      * validate the request's `pointTokenAddress` against this set.
      */
     private readonly supportedTokens;
-    /** First supported token — used as default when a handler doesn't
-     * receive a `pointTokenAddress` in the request (shouldn't happen in
-     * practice, but keeps type-narrowing happy). */
-    private readonly defaultToken;
     private readonly chainId;
     private readonly contracts;
     private readonly pafiWebUrl?;
     private readonly feeManager?;
     private readonly poolsProvider?;
+    private readonly claim?;
     constructor(config: IssuerApiHandlersConfig);
     /** `GET /auth/nonce` */
     handleGetNonce(): Promise<ApiNonceResponse>;
@@ -1315,32 +1038,47 @@ declare class IssuerApiHandlers {
      */
     handleBuildConsentTypedData(userAddress: Address, request: ApiBuildConsentTypedDataRequest): Promise<ApiBuildConsentTypedDataResponse>;
     /**
-     * `POST /claim-and-swap`
+     * `POST /claim`
      *
-     * @deprecated Since 0.3.0 — the single-call mint-then-swap flow is
-     * retired in v1.4. Use the new `handleClaim()` (mint only) and let
-     * the user swap separately on PAFI Web. See
-     * [V1.4_V1.5_OVERVIEW.md §4] for the new scenario model. Will be
-     * removed in 2.0.
+     * Policy gate + ledger lock + MintRequest signing in a single atomic
+     * step. Returns an unsigned UserOp the frontend attaches paymaster data
+     * to and submits via EIP-7702 + Bundler.
      *
-     * Legacy behavior: the terminal handler forwards the verified
-     * consent to the MintingGateway, which runs the 11-step flow.
+     * Order of operations:
+     *   1. Validate request fields.
+     *   2. policy.evaluate() — throws if denied; cannot be bypassed.
+     *   3. ledger.lockForMinting() — reserves the balance.
+     *   4. Read on-chain mintRequestNonce + token name in parallel.
+     *   5. relayService.prepareMint() — sign MintRequest + encode UserOp.
+     *   6. On any error after step 3, release the lock before re-throwing.
      */
-    handleClaimAndSwap(userAddress: Address, request: ApiClaimAndSwapRequest): Promise<ApiClaimAndSwapResponse>;
+    handleClaim(userAddress: Address, request: ApiClaimRequest): Promise<ApiClaimResponse>;
 }
 /**
- * v1.4 reverse flow — **Variant A**: user-initiated PT redeem.
+ * v1.4 reverse flow — user-initiated PT redeem.
  *
- * User has on-chain PT, wants to convert back to off-chain points. They
- * sign a `BurnConsent`, the issuer backend verifies it, reserves an
- * off-chain credit, and returns an unsigned UserOp that the frontend
- * submits via the Bundler. When the burn lands, the `BurnIndexer`
- * (elsewhere) resolves the credit.
+ * User has on-chain PT, wants to convert back to off-chain points. The
+ * issuer backend signs a `BurnRequest` with its burner signer, reserves
+ * an off-chain pending credit, and returns an unsigned UserOp. The FE
+ * submits the UserOp via EIP-7702 + Coinbase Paymaster. On confirmation,
+ * `Transfer(user → 0x0)` is emitted; `BurnIndexer` resolves the pending
+ * credit to a real off-chain credit.
  *
- * **Mocked SC contracts** — this handler compiles + wires end-to-end
- * against `@pafi-dev/core/contracts` mock ABIs. When SC ships real
- * ABIs, no changes here — only `contracts/index.ts` re-export flips.
+ * Contract path (mock ABI — matches deployed PointToken):
+ *
+ *   burn(address from, uint256 amount, uint256 deadline, bytes burnerSig)
+ *
+ * On-chain checks:
+ *   - msg.sender == from (enforced via EIP-7702 delegation on user EOA)
+ *   - burnerSig signer ∈ burners[]
+ *   - nonce == burnRequestNonces[from]
+ *   - now <= deadline
+ *
+ * The user never signs an EIP-712 message in this flow. Their only
+ * signature is the ERC-4337 UserOp signature, which the AA wallet
+ * handles. Consent is implicit: by submitting the UserOp they authorize
+ * the burn.
  */
 interface PTRedeemHandlerConfig {
     ledger: IPointLedger;
@@ -1350,32 +1088,43 @@ interface PTRedeemHandlerConfig {
     pointTokenAddress: Address;
     /** BatchExecutor delegation target (chain-specific). */
     batchExecutorAddress: Address;
-    /** Chain id — used for domain separator when verifying BurnConsent. */
+    /** Chain id — used for the BurnRequest EIP-712 domain. */
     chainId: number;
     /**
      * EIP-712 domain fields. Must match the on-chain PointToken's domain
-     * separator exactly, or signature verification fails. `name` is
-     * typically the PointToken's ERC-20 name (e.g. "PAFI Starbucks
-     * Points"). `verifyingContract` defaults to `pointTokenAddress`.
+     * separator, or on-chain signature recovery fails. `name` is
+     * typically the PointToken's ERC-20 name. `verifyingContract`
+     * defaults to `pointTokenAddress`.
      */
     domain: {
         name: string;
         verifyingContract?: Address;
     };
+    /**
+     * Issuer burner signer wallet — signs the `BurnRequest` EIP-712.
+     * Must be whitelisted via `PointToken.addBurner(signerAddr)` at
+     * provisioning time. Typically HSM/KMS-backed in prod.
+     */
+    burnerSignerWallet: WalletClient;
     /**
      * How long the pending credit stays reserved if the burn never lands.
      * Default: 15 min — long enough for a bundler submission + confirmation.
      */
     redeemLockDurationMs?: number;
+    /**
+     * How far ahead of `now` to set the BurnRequest deadline. Default:
+     * 15 min. Must be long enough for Bundler + EntryPoint to execute;
+     * short enough to prevent replay if the UserOp is abandoned.
+     */
+    signatureDeadlineSeconds?: number;
     /** Clock injection for tests; defaults to `Date.now`. */
     now?: () => number;
 }
 interface PTRedeemRequest {
+    /** Address extracted from the verified JWT — must match `userAddress`. */
+    authenticatedAddress: Address;
     userAddress: Address;
     amount: bigint;
-    /** Serialized EIP-712 signature over the BurnConsent. */
-    consentSignature: Hex;
-    consent: BurnConsent;
     /** ERC-4337 account nonce for the user's EOA. */
     aaNonce: bigint;
 }
@@ -1386,19 +1135,24 @@ interface PTRedeemResponse {
     userOp: PartialUserOperation;
     /** Seconds until the lock expires if the burn doesn't land. */
     expiresInSeconds: number;
+    /** The BurnRequest deadline (unix seconds) — FE uses this to surface a countdown. */
+    signatureDeadline: bigint;
 }
 declare class PTRedeemError extends Error {
-    code: "INVALID_CONSENT" | "SIGNATURE_MISMATCH" | "AMOUNT_MISMATCH" | "EXPIRED_CONSENT" | "LEDGER_NOT_SUPPORTED";
-    constructor(code: "INVALID_CONSENT" | "SIGNATURE_MISMATCH" | "AMOUNT_MISMATCH" | "EXPIRED_CONSENT" | "LEDGER_NOT_SUPPORTED", message: string);
+    code: "UNAUTHORIZED" | "INVALID_AMOUNT" | "NONCE_READ_FAILED" | "LEDGER_NOT_SUPPORTED" | "SIGNING_FAILED";
+    constructor(code: "UNAUTHORIZED" | "INVALID_AMOUNT" | "NONCE_READ_FAILED" | "LEDGER_NOT_SUPPORTED" | "SIGNING_FAILED", message: string);
 }
 declare class PTRedeemHandler {
     private readonly ledger;
     private readonly relayService;
+    private readonly provider;
     private readonly pointTokenAddress;
     private readonly batchExecutorAddress;
     private readonly chainId;
     private readonly domain;
+    private readonly burnerSignerWallet;
     private readonly redeemLockDurationMs;
+    private readonly signatureDeadlineSeconds;
     private readonly now;
     constructor(config: PTRedeemHandlerConfig);
     handle(request: PTRedeemRequest): Promise<PTRedeemResponse>;
@@ -1419,8 +1173,12 @@ declare class PTRedeemHandler {
  *   → burn 200 PT, credit 200 off-chain, voucher proceeds with 500
  *
  * Delegates the actual burn construction to {@link PTRedeemHandler}
- * — this handler is pure business logic (calculating shortfall +
- * checking on-chain balance) on top.
+ * — this handler is pure business logic (shortfall math + on-chain
+ * balance check) on top.
+ *
+ * v1.4 note: user no longer pre-signs a `BurnConsent`. The issuer
+ * backend signs a `BurnRequest` itself (see `PTRedeemHandler`), so
+ * this handler only needs `userAddress + requiredAmount + aaNonce`.
  */
 interface TopUpRedemptionHandlerConfig {
     ledger: IPointLedger;
@@ -1430,15 +1188,13 @@ interface TopUpRedemptionHandlerConfig {
     pointTokenAddress: Address;
 }
 interface TopUpRedemptionRequest {
+    /** Address extracted from the verified JWT — must match `userAddress`. */
+    authenticatedAddress: Address;
     userAddress: Address;
     /** Total points the voucher redemption requires off-chain. */
     requiredAmount: bigint;
-    /**
-     * The user's pre-signed `BurnConsent` + signature, prepared by the FE
-     * with amount set to a worst-case upper bound. Handler inspects the
-     * shortfall and uses the consent if the shortfall ≤ consent.amount.
-     */
-    redeemRequest: Pick<PTRedeemRequest, "consent" | "consentSignature" | "aaNonce">;
+    /** ERC-4337 account nonce for the user's EOA. */
+    aaNonce: bigint;
 }
 type TopUpRedemptionResponse = {
     action: "NO_TOP_UP_NEEDED";
@@ -1454,8 +1210,8 @@ type TopUpRedemptionResponse = {
     redeem: PTRedeemResponse;
 };
 declare class TopUpRedemptionError extends Error {
-    code: "INSUFFICIENT_ONCHAIN_BALANCE" | "CONSENT_AMOUNT_TOO_LOW" | "LEDGER_NOT_SUPPORTED";
-    constructor(code: "INSUFFICIENT_ONCHAIN_BALANCE" | "CONSENT_AMOUNT_TOO_LOW" | "LEDGER_NOT_SUPPORTED", message: string);
+    code: "UNAUTHORIZED" | "INSUFFICIENT_ONCHAIN_BALANCE" | "LEDGER_NOT_SUPPORTED";
+    constructor(code: "UNAUTHORIZED" | "INSUFFICIENT_ONCHAIN_BALANCE" | "LEDGER_NOT_SUPPORTED", message: string);
 }
 declare class TopUpRedemptionHandler {
     private readonly ledger;
@@ -1640,185 +1396,52 @@ declare class BalanceAggregator {
 }
 interface RetryConfig {
-    /**
-     * Max total attempts including the first try. Default: 1 (no retry).
-     * Set to 3 to get 2 retries after the initial call.
-     *
-     * Only applies when the server error body carries `safeToRetry: true`
-     * or the failure is a transient network/timeout error.
-     */
     maxAttempts?: number;
-    /**
-     * Initial backoff delay in ms. Default: 500. Each subsequent retry
-     * doubles this (exponential backoff) and adds ±20% jitter.
-     */
     initialDelayMs?: number;
-    /**
-     * Hard ceiling for a single backoff (ms). Default: 10_000.
-     */
     maxDelayMs?: number;
-    /**
-     * Upper bound on `retryAfter` from the server. If the server asks us
-     * to wait longer than this (e.g. rate limit until UTC midnight), the
-     * client gives up rather than blocking. Default: 30_000.
-     */
     maxRetryAfterMs?: number;
 }
 interface PafiBackendConfig {
-    /**
-     * PAFI Backend API base URL. Example:
-     *   https://api.pacificfinance.org
-     *   https://staging-api.pacificfinance.org
-     */
     url: string;
-    /** PAFI-assigned issuer ID (e.g., "gg56"). Sent in X-Issuer-Id header. */
     issuerId: string;
-    /** Per-issuer API key (or JWT) for the Authorization header. */
     apiKey: string;
-    /** Optional fetch override for tests. */
     fetchImpl?: typeof fetch;
-    /**
-     * Timeout (ms) for each request. Default: 10_000. PAFI Backend should
-     * respond in <1s for the happy path; this is just the sanity bound.
-     */
     timeoutMs?: number;
-    /**
-     * Retry policy for transient failures (5xx, 429, timeouts, network).
-     * Omit or pass `{ maxAttempts: 1 }` to disable retry entirely.
-     */
     retry?: RetryConfig;
 }
-/** Paired with `POST /paymaster/sponsor`. See SPONSORED_PATH_FLOW.md §4.1 */
-interface SponsorshipRequest {
-    chainId: number;
-    scenario: SponsorshipScenario;
-    userOp: PartialUserOperation;
-    target: {
-        /** The allowlisted contract this batch call targets. */
-        contract: Address;
-        /** Function selector / name — validated against allowlist. */
-        function: string;
-        /** The PointToken involved (for scenario context). */
-        pointToken?: Address;
-    };
-}
-interface SponsorshipResponse {
-    paymaster: Address;
-    paymasterData: Hex;
-    paymasterVerificationGasLimit: bigint;
-    paymasterPostOpGasLimit: bigint;
-    /** Unix seconds when this sponsorship expires. Re-request after. */
-    expiresAt: number;
-}
-/**
- * Machine-readable error codes returned by PAFI Backend.
- *
- * Source of truth: `apps/paymaster-proxy` `CalldataValidationError`,
- * `RateLimitError`, `CoinbaseClientError`. Keep in sync.
- */
-type PafiBackendErrorCode = "MISSING_ISSUER_ID" | "MISSING_API_KEY" | "ISSUER_UNAUTHORIZED" | "CALLDATA_INVALID" | "CALLDATA_EMPTY_BATCH" | "TARGET_NOT_ALLOWLISTED" | "FUNCTION_NOT_ALLOWED" | "SCENARIO_MISMATCH" | "SCENARIO_DISABLED" | "RATE_LIMIT_EXCEEDED" | "RATE_LIMIT_EXCEEDED_DAILY" | "RATE_LIMIT_EXCEEDED_PER_USER" | "RATE_LIMITER_UNAVAILABLE" | "PAYMASTER_REJECTED" | "PAYMASTER_UNAVAILABLE" | "PAYMASTER_TIMEOUT" | "BAD_REQUEST" | "INTERNAL_ERROR" | "TIMEOUT" | "NETWORK_ERROR";
+type PafiBackendErrorCode = "MISSING_ISSUER_ID" | "MISSING_API_KEY" | "ISSUER_UNAUTHORIZED" | "USER_UNAUTHORIZED" | "INTENT_REJECTED" | "MINT_CAP_EXCEEDED" | "ISSUER_INACTIVE" | "BROKER_NOT_WHITELISTED" | "RATE_LIMIT_EXCEEDED" | "RATE_LIMIT_EXCEEDED_DAILY" | "RATE_LIMIT_EXCEEDED_PER_USER" | "ISSUER_BUDGET_EXCEEDED" | "RATE_LIMITER_UNAVAILABLE" | "BAD_REQUEST" | "INTERNAL_ERROR" | "TIMEOUT" | "NETWORK_ERROR";
 declare class PafiBackendError extends Error {
     code: PafiBackendErrorCode;
     httpStatus: number;
     details?: unknown | undefined;
-    /**
-     * Seconds to wait before retry. Populated from the server body
-     * (e.g. rate limit returns the number of seconds until UTC midnight).
-     */
     readonly retryAfter?: number;
-    /**
-     * `safeToRetry` as reported by the server body. Prefer this over the
-     * code-based heuristic when available — the server knows more about
-     * whether the same request will succeed on retry.
-     */
     private readonly serverSafeToRetry?;
     constructor(code: PafiBackendErrorCode, message: string, httpStatus: number, details?: unknown | undefined, opts?: {
         retryAfter?: number;
         safeToRetry?: boolean;
     });
-    /**
-     * Whether the caller can safely retry the same request.
-     *
-     * If the server provided `safeToRetry` in the body, trust that.
-     * Otherwise fall back to a code-based heuristic.
-     */
     get safeToRetry(): boolean;
 }
 /**
- * HTTP client for the PAFI Backend paymaster proxy service. See
- * [SPONSORED_PATH_FLOW.md] for the full flow + API contract.
+ * Top-level configuration for `createIssuerService`.
  *
- * This client sits between `@pafi/issuer`'s RelayService and the
- * PAFI Backend. It does NOT talk to Coinbase Paymaster directly —
- * PAFI Backend holds that integration.
- */
-declare class PafiBackendClient {
-    private readonly url;
-    private readonly issuerId;
-    private readonly apiKey;
-    private readonly fetchImpl;
-    private readonly timeoutMs;
-    private readonly retry;
-    constructor(config: PafiBackendConfig);
-    /**
-     * Request paymaster sponsorship for a pre-built UserOperation.
-     * See [SPONSORED_PATH_FLOW.md §4.1] for the API contract.
-     *
-     * Retries automatically on transient failures (5xx, timeouts, network
-     * errors, and errors the server flags with `safeToRetry: true`) up to
-     * `retry.maxAttempts`. 4xx errors that are not `safeToRetry` fail fast.
-     *
-     * @throws PafiBackendError on final failure after exhausting retries
-     */
-    requestSponsorship(req: SponsorshipRequest): Promise<SponsorshipResponse>;
-    private postWithRetry;
-    /**
-     * Pick the delay before the next retry.
-     * - If the server sent `retryAfter` (seconds), honor it (capped by
-     *   `maxRetryAfterMs`) — returns null if the server wait exceeds the
-     *   cap, signalling the caller should give up.
-     * - Otherwise: exponential backoff with ±20% jitter, capped at
-     *   `maxDelayMs`.
-     */
-    private computeBackoff;
-    private sleep;
-    private post;
-    /** JSON replacer that stringifies bigints. Paired with bigintReviver. */
-    private bigintReplacer;
-    /**
-     * JSON reviver that coerces specific numeric-string fields back to
-     * bigint. The server must send these fields as decimal strings.
-     */
-    private bigintReviver;
-}
-/**
- * Top-level configuration for `createIssuerService`. Everything except
- * the chain metadata, wallets, auth secret, and `signer` is optional and
- * falls back to the in-memory dev defaults — that makes the happy path
- * a single-call wire-up while still letting production issuers plug in
- * their own ledger, session store, policy engine, and KMS signer.
+ * In v1.4 the SDK is HTTP-client-free: it signs EIP-712 messages, reads
+ * on-chain state, builds unsigned UserOperations, and maintains the
+ * off-chain ledger. It never broadcasts transactions — that's the
+ * frontend's responsibility via Bundler + Paymaster.
  *
- * **Multi-token (0.2.0):** Pass `pointTokenAddresses: Address[]` to
+ * **Multi-token (0.2.0+):** Pass `pointTokenAddresses: Address[]` to
  * support multiple PointTokens under a single issuer backend. Legacy
  * `pointTokenAddress: Address` still works for single-token deployments.
  * When both are provided, `pointTokenAddresses` takes precedence.
  */
 interface IssuerServiceConfig {
     chainId: number;
-    /**
-     * Address of the deployed PointToken. Legacy single-token shortcut;
-     * prefer `pointTokenAddresses` for multi-token issuers.
-     */
+    /** Legacy single-token shortcut; prefer `pointTokenAddresses`. */
     pointTokenAddress?: Address;
-    /**
-     * All PointToken addresses this issuer supports. Takes precedence over
-     * `pointTokenAddress`. Factory creates one `PointIndexer` per address.
-     */
+    /** All PointToken addresses this issuer supports. */
     pointTokenAddresses?: Address[];
-    /** Address of the deployed Relay contract. */
-    relayAddress: Address;
     /**
      * Full contract address bundle returned verbatim by `handleConfig` so
      * the frontend SDK can pick them up.
@@ -1829,8 +1452,6 @@ interface IssuerServiceConfig {
      * polling, and gas-price lookups. Must be pointed at the target chain.
      */
     provider: PublicClient;
-    /** Operator wallet — pays gas, receives the operator fee. */
-    operatorWallet: OperatorWalletLike;
     auth: {
         jwtSecret: string;
         /** SIWE-style login-message domain, e.g. `"app.example.com"`. */
@@ -1839,18 +1460,23 @@ interface IssuerServiceConfig {
         jwtExpiresIn?: string;
     };
     /**
-     * Issuer signer. No default — production issuers MUST plug in an
-     * HSM/KMS-backed implementation. For local development use
-     * `PrivateKeySigner` directly.
+     * Off-chain point ledger — the source of truth for user balances and
+     * in-flight minting locks. Every issuer provides their own database-backed
+     * implementation (Postgres, Redis, etc.) that implements `IPointLedger`.
+     * The SDK does not ship a production ledger; each issuer's data model and
+     * infrastructure are different.
+     */
+    ledger: IPointLedger;
+    /**
+     * Policy engine — optional, defaults to `DefaultPolicyEngine` which checks
+     * off-chain balance. Extend or replace to add KYC, volume caps, etc.
      */
-    signer: IIssuerSigner;
-    ledger?: IPointLedger;
     policy?: IPolicyEngine;
+    /** Session store — optional, defaults to `MemorySessionStore` (dev/test only). */
     sessionStore?: ISessionStore;
     /**
      * Fee management config. If omitted the `handleGasFee` endpoint will
-     * throw "not configured" at request time. Pass any subset of fields
-     * to opt in — `provider` is inherited from the outer config.
+     * throw "not configured" at request time.
      */
     fee?: Omit<FeeManagerConfig, "provider">;
     /**
@@ -1858,6 +1484,16 @@ interface IssuerServiceConfig {
      * throws "not configured" at request time.
      */
     poolsProvider?: PoolsProvider;
+    /**
+     * Enables `handleClaim`. The factory combines these with the shared
+     * `policy` + `relayService` instances already wired by the factory.
+     * Omit to disable the `/claim` endpoint.
+     */
+    claim?: {
+        issuerSignerWallet: WalletClient;
+        batchExecutorAddress: Address;
+        lockDurationMs?: number;
+    };
     indexer?: {
         fromBlock?: bigint;
         cursorStore?: IIndexerCursorStore;
@@ -1870,32 +1506,18 @@ interface IssuerServiceConfig {
          */
         autoStart?: boolean;
     };
-    relay?: {
-        simulateBeforeSubmit?: boolean;
-        confirmationTimeoutMs?: number;
-    };
-    gateway?: {
-        /** Extra lock TTL buffer beyond consent deadline. Default 60_000 ms. */
-        defaultLockBufferMs?: number;
-    };
 }
 interface IssuerService {
     authService: AuthService;
     sessionStore: ISessionStore;
     ledger: IPointLedger;
     policy: IPolicyEngine;
-    signer: IIssuerSigner;
     relayService: RelayService;
     feeManager: FeeManager | undefined;
-    gateway: MintingGateway;
-    /**
-     * All indexers keyed by PointToken address. For multi-token issuers there
-     * is one per configured token. Single-token issuers will find one entry.
-     */
+    /** All indexers keyed by PointToken address. */
     indexers: Map<Address, PointIndexer>;
     /**
-     * First indexer. Kept for backward compat with 0.1.x callers that
-     * expected `service.indexer` to be a single instance.
+     * First indexer. Kept for backward compat with 0.1.x callers.
      * @deprecated use `indexers.get(tokenAddress)` for multi-token.
      */
     indexer: PointIndexer;
@@ -1903,23 +1525,19 @@ interface IssuerService {
 }
 /**
  * Wire a fully-functional issuer service from a single config object.
- * Returns every constructed collaborator so the caller can also use the
- * indexer or relay service directly outside the HTTP layer.
  *
  * Defaults:
- *  - `ledger`          → `MemoryPointLedger`
- *  - `sessionStore`    → `MemorySessionStore`
+ *  - `sessionStore`    → `MemorySessionStore` (dev/test only — replace in prod)
  *  - `policy`          → `DefaultPolicyEngine({ ledger })`
  *  - `feeManager`      → undefined (handleGasFee throws until configured)
  *  - `poolsProvider`   → undefined (handlePools throws until configured)
  *  - `indexer.autoStart` → false
  *
- * Throws synchronously if any required field (`signer`, `provider`,
- * `operatorWallet`, `auth.jwtSecret`, at least one point token) is missing.
+ * Throws synchronously if any required field is missing.
  */
 declare function createIssuerService(config: IssuerServiceConfig): IssuerService;
 /** SDK package version — bumped on every release */
 declare const PAFI_ISSUER_SDK_VERSION = "0.1.0";
-export { type ApiBuildConsentTypedDataRequest, type ApiBuildConsentTypedDataResponse, type ApiClaimAndSwapRequest, type ApiClaimAndSwapResponse, type ApiConfigResponse, type ApiGasFeeResponse, type ApiLoginRequest, type ApiLoginResponse, type ApiNonceResponse, type ApiPoolsRequest, type ApiPoolsResponse, type ApiUserRequest, type ApiUserResponse, type AuthContext, AuthError, type AuthErrorCode, AuthService, type AuthServiceConfig, BalanceAggregator, type BalanceAggregatorConfig, type BurnEvent, BurnIndexer, type BurnIndexerConfig, type CombinedBalance, DefaultPolicyEngine, type DefaultPolicyEngineOptions, FeeManager, type FeeManagerConfig, type IIndexerCursorStore, type IIssuerSigner, type IPointLedger, type IPolicyEngine, type ISessionStore, InMemoryCursorStore, IssuerApiHandlers, type IssuerApiHandlersConfig, type IssuerService, type IssuerServiceConfig, type LockedMintRequest, type LoginResult, MemoryPointLedger, MemorySessionStore, type MemorySessionStoreOptions, type MintAndCashOutRequest, type MintAndCashOutResponse, type MintEvent, MintingGateway, type MintingGatewayConfig, MintingGatewayError, type MintingGatewayErrorCode, type MintingStatus, NonceManager, type OperatorWalletLike, PAFI_ISSUER_SDK_VERSION, PTRedeemError, PTRedeemHandler, type PTRedeemHandlerConfig, type PTRedeemRequest, type PTRedeemResponse, PafiBackendClient, type PafiBackendConfig, PafiBackendError, type PafiBackendErrorCode, PointIndexer, type PointIndexerConfig, type PolicyDecision, type PolicyEvalRequest, type PoolsProvider, PrivateKeySigner, type PrivateKeySignerOptions, RelayError, type RelayErrorCode, type RelayResult, RelayService, type RelayServiceConfig, type Session, type SponsorshipRequest, type SponsorshipResponse, type SubgraphNativeUsdtQuoterConfig, type SubgraphPoolsProviderConfig, type SubmitMintAndSwapParams, TopUpRedemptionError, TopUpRedemptionHandler, type TopUpRedemptionHandlerConfig, type TopUpRedemptionRequest, type TopUpRedemptionResponse, authenticateRequest, createIssuerService, createSubgraphNativeUsdtQuoter, createSubgraphPoolsProvider };
+export { type ApiBuildConsentTypedDataRequest, type ApiBuildConsentTypedDataResponse, type ApiClaimAndSwapRequest, type ApiClaimAndSwapResponse, type ApiClaimRequest, type ApiClaimResponse, type ApiConfigResponse, type ApiGasFeeResponse, type ApiLoginRequest, type ApiLoginResponse, type ApiNonceResponse, type ApiPoolsRequest, type ApiPoolsResponse, type ApiUserRequest, type ApiUserResponse, type AuthContext, AuthError, type AuthErrorCode, AuthService, type AuthServiceConfig, BalanceAggregator, type BalanceAggregatorConfig, type BurnEvent, BurnIndexer, type BurnIndexerConfig, type CombinedBalance, DefaultPolicyEngine, type DefaultPolicyEngineOptions, FeeManager, type FeeManagerConfig, type IIndexerCursorStore, type IPointLedger, type IPolicyEngine, type ISessionStore, InMemoryCursorStore, IssuerApiHandlers, type IssuerApiHandlersConfig, type IssuerService, type IssuerServiceConfig, type LockedMintRequest, type LoginResult, MemorySessionStore, type MemorySessionStoreOptions, type MintEvent, type MintingStatus, NonceManager, PAFI_ISSUER_SDK_VERSION, PTRedeemError, PTRedeemHandler, type PTRedeemHandlerConfig, type PTRedeemRequest, type PTRedeemResponse, type PafiBackendConfig, PafiBackendError, type PafiBackendErrorCode, PointIndexer, type PointIndexerConfig, type PolicyDecision, type PolicyEvalRequest, type PoolsProvider, type PrepareBurnDirectParams, type PrepareBurnParams, type PrepareBurnWithSigParams, type PrepareMintParams, RelayError, type RelayErrorCode, RelayService, type RetryConfig, type Session, type SubgraphNativeUsdtQuoterConfig, type SubgraphPoolsProviderConfig, TopUpRedemptionError, TopUpRedemptionHandler, type TopUpRedemptionHandlerConfig, type TopUpRedemptionRequest, type TopUpRedemptionResponse, authenticateRequest, createIssuerService, createSubgraphNativeUsdtQuoter, createSubgraphPoolsProvider };