@pafi-dev/issuer 0.3.0-beta.10 → 0.3.0-beta.11

package/dist/index.cjs

@@ -28,7 +28,6 @@ __export(index_exports, {
   FeeManager: () => FeeManager,
   InMemoryCursorStore: () => InMemoryCursorStore,
   IssuerApiHandlers: () => IssuerApiHandlers,
-  MemoryPointLedger: () => MemoryPointLedger,
   MemorySessionStore: () => MemorySessionStore,
   NonceManager: () => NonceManager,
   PAFI_ISSUER_SDK_VERSION: () => PAFI_ISSUER_SDK_VERSION,
@@ -36,7 +35,6 @@ __export(index_exports, {
   PTRedeemHandler: () => PTRedeemHandler,
   PafiBackendError: () => PafiBackendError,
   PointIndexer: () => PointIndexer,
-  PrivateKeySigner: () => PrivateKeySigner,
   RelayError: () => RelayError,
   RelayService: () => RelayService,
   TopUpRedemptionError: () => TopUpRedemptionError,
@@ -48,204 +46,6 @@ __export(index_exports, {
 });
 module.exports = __toCommonJS(index_exports);
 
-// src/ledger/memoryLedger.ts
-var import_viem = require("viem");
-var MemoryPointLedger = class {
-  balances = /* @__PURE__ */ new Map();
-  locks = /* @__PURE__ */ new Map();
-  nextLockId = 1;
-  now;
-  constructor(opts = {}) {
-    this.now = opts.now ?? (() => Date.now());
-  }
-  // -------------------------------------------------------------------------
-  // Read
-  // -------------------------------------------------------------------------
-  async getBalance(userAddress, tokenAddress) {
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    this.purgeExpired();
-    const total = this.balances.get(balanceKey(user, token)) ?? 0n;
-    const locked = this.lockedTotalFor(user, token);
-    return total - locked;
-  }
-  async getLockedRequests(userAddress, tokenAddress) {
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    this.purgeExpired();
-    const out = [];
-    for (const lock of this.locks.values()) {
-      if (lock.userAddress === user && lock.status === "PENDING" && (lock.tokenAddress ?? DEFAULT_TOKEN_KEY) === token) {
-        out.push({ ...lock });
-      }
-    }
-    return out;
-  }
-  // -------------------------------------------------------------------------
-  // Write
-  // -------------------------------------------------------------------------
-  async creditBalance(userAddress, amount, _reason, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error("MemoryPointLedger: credit amount must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    const key = balanceKey(user, token);
-    const current = this.balances.get(key) ?? 0n;
-    this.balances.set(key, current + amount);
-  }
-  async lockForMinting(userAddress, amount, lockDurationMs, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error("MemoryPointLedger: lock amount must be positive");
-    }
-    if (lockDurationMs <= 0) {
-      throw new Error("MemoryPointLedger: lockDurationMs must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    this.purgeExpired();
-    const total = this.balances.get(balanceKey(user, token)) ?? 0n;
-    const alreadyLocked = this.lockedTotalFor(user, token);
-    const available = total - alreadyLocked;
-    if (available < amount) {
-      throw new Error(
-        `MemoryPointLedger: insufficient balance \u2014 available=${available}, requested=${amount}`
-      );
-    }
-    const lockId = `lock-${this.nextLockId++}`;
-    const now = this.now();
-    const lock = {
-      lockId,
-      userAddress: user,
-      amount,
-      status: "PENDING",
-      createdAt: now,
-      expiresAt: now + lockDurationMs
-    };
-    if (tokenAddress !== void 0) {
-      lock.tokenAddress = (0, import_viem.getAddress)(tokenAddress);
-    }
-    this.locks.set(lockId, lock);
-    return lockId;
-  }
-  async releaseLock(lockId) {
-    const lock = this.locks.get(lockId);
-    if (!lock) return;
-    if (lock.status === "PENDING") {
-      this.locks.delete(lockId);
-    }
-  }
-  async deductBalance(userAddress, amount, txHash, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error("MemoryPointLedger: deduct amount must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    const key = balanceKey(user, token);
-    const current = this.balances.get(key) ?? 0n;
-    if (current < amount) {
-      throw new Error(
-        `MemoryPointLedger: cannot deduct ${amount} from balance ${current}`
-      );
-    }
-    this.balances.set(key, current - amount);
-    for (const lock of this.locks.values()) {
-      if (lock.userAddress === user && lock.status === "PENDING" && lock.amount === amount && (lock.tokenAddress ?? DEFAULT_TOKEN_KEY) === token) {
-        lock.status = "MINTED";
-        lock.txHash = txHash;
-        return;
-      }
-    }
-  }
-  async updateMintStatus(lockId, status, txHash) {
-    const lock = this.locks.get(lockId);
-    if (!lock) {
-      throw new Error(`MemoryPointLedger: unknown lockId ${lockId}`);
-    }
-    lock.status = status;
-    if (txHash) lock.txHash = txHash;
-  }
-  // -------------------------------------------------------------------------
-  // v1.4 — Reverse flow (PT burn → off-chain credit)
-  // -------------------------------------------------------------------------
-  pendingCredits = /* @__PURE__ */ new Map();
-  nextCreditId = 1;
-  async reservePendingCredit(userAddress, amount, durationMs, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error(
-        "MemoryPointLedger: pending credit amount must be positive"
-      );
-    }
-    if (durationMs <= 0) {
-      throw new Error("MemoryPointLedger: durationMs must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const lockId = `credit-${this.nextCreditId++}`;
-    const now = this.now();
-    this.pendingCredits.set(lockId, {
-      lockId,
-      userAddress: user,
-      amount,
-      tokenAddress: tokenAddress !== void 0 ? (0, import_viem.getAddress)(tokenAddress) : void 0,
-      createdAt: now,
-      expiresAt: now + durationMs,
-      status: "PENDING"
-    });
-    return lockId;
-  }
-  async resolveCreditByBurnTx(lockId, txHash) {
-    const credit = this.pendingCredits.get(lockId);
-    if (!credit) {
-      throw new Error(
-        `MemoryPointLedger: unknown pending credit lockId ${lockId}`
-      );
-    }
-    if (credit.status === "RESOLVED") {
-      if (credit.txHash === txHash) return;
-      throw new Error(
-        `MemoryPointLedger: credit ${lockId} already resolved with a different txHash`
-      );
-    }
-    const token = normalizeToken(credit.tokenAddress);
-    const key = balanceKey(credit.userAddress, token);
-    const current = this.balances.get(key) ?? 0n;
-    this.balances.set(key, current + credit.amount);
-    credit.status = "RESOLVED";
-    credit.txHash = txHash;
-  }
-  // -------------------------------------------------------------------------
-  // Internal helpers
-  // -------------------------------------------------------------------------
-  /**
-   * Auto-expire any PENDING lock past its expiry. Called lazily on every
-   * read/write so the in-memory state stays self-cleaning without a timer.
-   */
-  purgeExpired() {
-    const now = this.now();
-    for (const lock of this.locks.values()) {
-      if (lock.status === "PENDING" && lock.expiresAt <= now) {
-        lock.status = "EXPIRED";
-      }
-    }
-  }
-  lockedTotalFor(userAddress, tokenKey) {
-    let total = 0n;
-    for (const lock of this.locks.values()) {
-      if (lock.userAddress === userAddress && lock.status === "PENDING" && (lock.tokenAddress ?? DEFAULT_TOKEN_KEY) === tokenKey) {
-        total += lock.amount;
-      }
-    }
-    return total;
-  }
-};
-var DEFAULT_TOKEN_KEY = "default";
-function normalizeToken(tokenAddress) {
-  return tokenAddress === void 0 ? DEFAULT_TOKEN_KEY : (0, import_viem.getAddress)(tokenAddress);
-}
-function balanceKey(user, tokenKey) {
-  return `${user}|${tokenKey}`;
-}
-
 // src/policy/defaultPolicy.ts
 var DefaultPolicyEngine = class {
   ledger;
@@ -261,6 +61,13 @@ var DefaultPolicyEngine = class {
     }
     if (opts.verifyMintCap) this.verifyMintCap = opts.verifyMintCap;
     if (opts.resolveIssuer) this.resolveIssuer = opts.resolveIssuer;
+    if (!opts.mintingOracleAddress || !opts.provider || !opts.verifyMintCap || !opts.resolveIssuer) {
+      if (process.env.NODE_ENV === "production") {
+        throw new Error(
+          "[PAFI] DefaultPolicyEngine: on-chain MintingOracle cap check is required in production. Configure mintingOracleAddress, provider, verifyMintCap, and resolveIssuer."
+        );
+      }
+    }
   }
   async evaluate(request) {
     if (request.amount <= 0n) {
@@ -297,32 +104,9 @@ var DefaultPolicyEngine = class {
   }
 };
 
-// src/signer/privateKeySigner.ts
-var import_viem2 = require("viem");
-var import_accounts = require("viem/accounts");
-var import_core = require("@pafi-dev/core");
-var PrivateKeySigner = class {
-  account;
-  walletClient;
-  constructor(opts) {
-    this.account = (0, import_accounts.privateKeyToAccount)(opts.privateKey);
-    this.walletClient = (0, import_viem2.createWalletClient)({
-      account: this.account,
-      chain: opts.chain,
-      transport: (0, import_viem2.http)(opts.rpcUrl)
-    });
-  }
-  async signMintRequest(domain, message) {
-    return (0, import_core.signMintRequest)(this.walletClient, domain, message);
-  }
-  async getAddress() {
-    return this.account.address;
-  }
-};
-
 // src/auth/memorySessionStore.ts
 var import_node_crypto = require("crypto");
-var import_viem3 = require("viem");
+var import_viem = require("viem");
 var DEFAULT_NONCE_TTL_MS = 5 * 60 * 1e3;
 var MemorySessionStore = class {
   nonces = /* @__PURE__ */ new Map();
@@ -332,6 +116,11 @@ var MemorySessionStore = class {
   nonceTtlMs;
   now;
   constructor(opts = {}) {
+    if (process.env.NODE_ENV === "production") {
+      console.error(
+        "[PAFI] MemorySessionStore is not safe for multi-process/K8s deployments. Session revocations are NOT propagated across pods. Use a Redis-backed session store in production."
+      );
+    }
     this.nonceTtlMs = opts.nonceTtlMs ?? DEFAULT_NONCE_TTL_MS;
     this.now = opts.now ?? (() => Date.now());
   }
@@ -358,7 +147,7 @@ var MemorySessionStore = class {
     this.purgeExpiredSessions();
     const normalized = {
       ...session,
-      userAddress: (0, import_viem3.getAddress)(session.userAddress)
+      userAddress: (0, import_viem.getAddress)(session.userAddress)
     };
     this.sessions.set(session.tokenId, normalized);
   }
@@ -376,7 +165,7 @@ var MemorySessionStore = class {
     this.sessions.delete(tokenId);
   }
   async revokeAllSessions(userAddress) {
-    const key = (0, import_viem3.getAddress)(userAddress);
+    const key = (0, import_viem.getAddress)(userAddress);
     for (const [tokenId, session] of this.sessions.entries()) {
       if (session.userAddress === key) {
         this.sessions.delete(tokenId);
@@ -422,8 +211,8 @@ var NonceManager = class {
 // src/auth/loginVerifier.ts
 var import_node_crypto2 = require("crypto");
 var import_jose = require("jose");
-var import_viem4 = require("viem");
-var import_core2 = require("@pafi-dev/core");
+var import_viem2 = require("viem");
+var import_core = require("@pafi-dev/core");
 
 // src/auth/errors.ts
 var AuthError = class extends Error {
@@ -446,8 +235,8 @@ var AuthService = class {
   nonceManager;
   now;
   constructor(config) {
-    if (!config.jwtSecret || config.jwtSecret.length < 16) {
-      throw new Error("AuthService: jwtSecret must be at least 16 chars");
+    if (!config.jwtSecret || config.jwtSecret.length < 32) {
+      throw new Error("AuthService: jwtSecret must be at least 32 characters for HS256 security");
     }
     this.sessionStore = config.sessionStore;
     this.jwtSecret = new TextEncoder().encode(config.jwtSecret);
@@ -471,11 +260,17 @@ var AuthService = class {
   async login(message, signature) {
     let parsed;
     try {
-      parsed = (0, import_core2.parseLoginMessage)(message);
+      parsed = (0, import_core.parseLoginMessage)(message);
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       throw new AuthError("INVALID_MESSAGE", `Could not parse login message: ${msg}`);
     }
+    if (parsed.expirationTime == null) {
+      throw new AuthError(
+        "INVALID_MESSAGE",
+        "login message must include expirationTime"
+      );
+    }
     if (parsed.domain !== this.domain) {
       throw new AuthError(
         "DOMAIN_MISMATCH",
@@ -498,7 +293,7 @@ var AuthService = class {
     if (parsed.expirationTime && parsed.expirationTime.getTime() <= now.getTime()) {
       throw new AuthError("MESSAGE_EXPIRED", "Login message has expired");
     }
-    const verifyResult = await (0, import_core2.verifyLoginMessage)(message, signature);
+    const verifyResult = await (0, import_core.verifyLoginMessage)(message, signature);
     if (!verifyResult.valid) {
       throw new AuthError(
         "SIGNATURE_INVALID",
@@ -512,7 +307,7 @@ var AuthService = class {
         "Nonce is unknown, expired, or already used"
       );
     }
-    const userAddress = (0, import_viem4.getAddress)(verifyResult.address);
+    const userAddress = (0, import_viem2.getAddress)(verifyResult.address);
     const tokenId = (0, import_node_crypto2.randomBytes)(16).toString("hex");
     const issuedAt = now;
     const expiresAt = parseExpiry(issuedAt, this.jwtExpiresIn);
@@ -540,7 +335,11 @@ var AuthService = class {
       if (payload.jti) {
         await this.sessionStore.revokeSession(payload.jti);
       }
-    } catch {
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (!msg.includes("not found") && !msg.includes("expired")) {
+        console.error("[PAFI] AuthService logout: session store error", err);
+      }
     }
   }
   /**
@@ -579,7 +378,7 @@ var AuthService = class {
       throw new AuthError("TOKEN_INVALID", "JWT payload is malformed");
     }
     return {
-      userAddress: (0, import_viem4.getAddress)(userAddress),
+      userAddress: (0, import_viem2.getAddress)(userAddress),
       chainId,
       tokenId
     };
@@ -630,8 +429,8 @@ var RelayError = class extends Error {
 };
 
 // src/relay/relayService.ts
-var import_viem5 = require("viem");
-var import_core3 = require("@pafi-dev/core");
+var import_viem3 = require("viem");
+var import_core2 = require("@pafi-dev/core");
 var RelayService = class {
   /**
    * Build an unsigned UserOp for Scenario 1 (Mint) — sig-gated
@@ -665,9 +464,20 @@ var RelayService = class {
     if (params.deadline <= 0n) {
       throw new RelayError("ENCODE_FAILED", "prepareMint: deadline must be positive");
     }
+    const nowSecs = BigInt(Math.floor(Date.now() / 1e3));
+    if (params.deadline <= nowSecs) {
+      throw new RelayError("ENCODE_FAILED", "prepareMint: deadline is in the past");
+    }
+    const MAX_DEADLINE_WINDOW = 3600n;
+    if (params.deadline > nowSecs + MAX_DEADLINE_WINDOW) {
+      throw new RelayError(
+        "ENCODE_FAILED",
+        "prepareMint: deadline exceeds maximum allowed window (1 hour)"
+      );
+    }
     let minterSig;
     try {
-      const sig = await (0, import_core3.signMintRequest)(
+      const sig = await (0, import_core2.signMintRequest)(
         params.issuerSignerWallet,
         params.domain,
         {
@@ -687,8 +497,8 @@ var RelayService = class {
     }
     let mintCallData;
     try {
-      mintCallData = (0, import_viem5.encodeFunctionData)({
-        abi: import_core3.POINT_TOKEN_V2_ABI,
+      mintCallData = (0, import_viem3.encodeFunctionData)({
+        abi: import_core2.POINT_TOKEN_V2_ABI,
         functionName: "mint",
         args: [params.userAddress, params.amount, params.deadline, minterSig]
       });
@@ -713,17 +523,23 @@ var RelayService = class {
           "prepareMint: feeRecipient required when feeAmount > 0"
         );
       }
+      if (params.feeRecipient === "0x0000000000000000000000000000000000000000") {
+        throw new RelayError(
+          "ENCODE_FAILED",
+          "prepareMint: feeRecipient must not be zero address"
+        );
+      }
       operations.push({
         target: params.pointTokenAddress,
         value: 0n,
-        data: (0, import_viem5.encodeFunctionData)({
-          abi: import_viem5.erc20Abi,
+        data: (0, import_viem3.encodeFunctionData)({
+          abi: import_viem3.erc20Abi,
           functionName: "transfer",
           args: [params.feeRecipient, params.feeAmount]
         })
       });
     }
-    return (0, import_core3.buildPartialUserOperation)({
+    return (0, import_core2.buildPartialUserOperation)({
       sender: params.userAddress,
       nonce: params.aaNonce,
       operations,
@@ -761,8 +577,8 @@ var RelayService = class {
         if (!params.burnRequest || !params.burnerSignature) {
           throw new Error("burnWithSig requires burnRequest + burnerSignature");
         }
-        burnCallData = (0, import_viem5.encodeFunctionData)({
-          abi: import_core3.POINT_TOKEN_V2_ABI,
+        burnCallData = (0, import_viem3.encodeFunctionData)({
+          abi: import_core2.POINT_TOKEN_V2_ABI,
           functionName: "burn",
           args: [
             params.burnRequest.from,
@@ -772,8 +588,8 @@ var RelayService = class {
           ]
         });
       } else {
-        burnCallData = (0, import_viem5.encodeFunctionData)({
-          abi: import_core3.POINT_TOKEN_V2_ABI,
+        burnCallData = (0, import_viem3.encodeFunctionData)({
+          abi: import_core2.POINT_TOKEN_V2_ABI,
           functionName: "burn",
           args: [params.userAddress, params.amount]
         });
@@ -792,7 +608,7 @@ var RelayService = class {
         data: burnCallData
       }
     ];
-    return (0, import_core3.buildPartialUserOperation)({
+    return (0, import_core2.buildPartialUserOperation)({
       sender: params.userAddress,
       nonce: params.aaNonce,
       operations,
@@ -811,11 +627,14 @@ function errorMessage(err) {
 // src/relay/feeManager.ts
 var DEFAULT_GAS_UNITS = 500000n;
 var DEFAULT_PREMIUM_BPS = 12e3;
-var FeeManager = class {
+var FeeManager = class _FeeManager {
   provider;
   gasUnits;
   gasPremiumBps;
   quoteNativeToFee;
+  cachedFee = null;
+  cacheExpiresAt = 0;
+  static CACHE_TTL_MS = 1e4;
   constructor(config) {
     if (!config.provider) throw new Error("FeeManager: provider required");
     if (!config.quoteNativeToFee)
@@ -838,10 +657,17 @@ var FeeManager = class {
    * currency depends on how the caller wired `quoteNativeToFee`.
    */
   async estimateGasFee() {
+    const now = Date.now();
+    if (this.cachedFee !== null && now < this.cacheExpiresAt) {
+      return this.cachedFee;
+    }
     const gasPrice = await this.provider.getGasPrice();
     const nativeCost = gasPrice * this.gasUnits;
     const withPremium = nativeCost * BigInt(this.gasPremiumBps) / 10000n;
-    return this.quoteNativeToFee(withPremium);
+    const fee = await this.quoteNativeToFee(withPremium);
+    this.cachedFee = fee;
+    this.cacheExpiresAt = now + _FeeManager.CACHE_TTL_MS;
+    return fee;
   }
 };
 
@@ -857,8 +683,8 @@ var InMemoryCursorStore = class {
 };
 
 // src/indexer/pointIndexer.ts
-var import_viem6 = require("viem");
-var TRANSFER_EVENT = (0, import_viem6.parseAbiItem)(
+var import_viem4 = require("viem");
+var TRANSFER_EVENT = (0, import_viem4.parseAbiItem)(
   "event Transfer(address indexed from, address indexed to, uint256 value)"
 );
 var ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
@@ -928,7 +754,8 @@ var PointIndexer = class {
         return;
       }
       await this.processBlockRange(from, safeHead);
-    } catch {
+    } catch (err) {
+      console.error("[PAFI] PointIndexer tick error:", err);
     }
     this.scheduleNext();
   }
@@ -978,10 +805,10 @@ var PointIndexer = class {
     for (const log of logs) {
       const args = log.args;
       if (!args.from || !args.to || args.value === void 0) continue;
-      if ((0, import_viem6.getAddress)(args.from) !== ZERO_ADDRESS) continue;
+      if ((0, import_viem4.getAddress)(args.from) !== ZERO_ADDRESS) continue;
       if (log.blockNumber === null || log.transactionHash === null) continue;
       out.push({
-        to: (0, import_viem6.getAddress)(args.to),
+        to: (0, import_viem4.getAddress)(args.to),
         amount: args.value,
         blockNumber: log.blockNumber,
         txHash: log.transactionHash,
@@ -1037,8 +864,8 @@ function pickMatchingLock(locks, amount) {
 }
 
 // src/indexer/burnIndexer.ts
-var import_viem7 = require("viem");
-var TRANSFER_EVENT2 = (0, import_viem7.parseAbiItem)(
+var import_viem5 = require("viem");
+var TRANSFER_EVENT2 = (0, import_viem5.parseAbiItem)(
   "event Transfer(address indexed from, address indexed to, uint256 value)"
 );
 var ZERO_ADDRESS2 = "0x0000000000000000000000000000000000000000";
@@ -1054,18 +881,7 @@ var BurnIndexer = class {
   confirmations;
   batchSize;
   pollIntervalMs;
-  /**
-   * Caller-supplied matcher. Return the lockId to resolve for a given
-   * burn event, or `undefined` to skip. Runs synchronously via the
-   * ledger's query path.
-   *
-   * Default: try `ledger.resolveCreditByBurnTx` keyed on a synthetic
-   * lock id `burn-${from}-${amount}` — the in-memory ledger assigns
-   * incrementing IDs so callers with the memory ledger must provide a
-   * custom matcher. Real DB-backed ledgers override this to JOIN on
-   * their `pending_credits` table.
-   */
-  matchLockId = async () => void 0;
+  matchLockId;
   running = false;
   timer;
   constructor(config) {
@@ -1083,6 +899,12 @@ var BurnIndexer = class {
     );
     this.batchSize = BigInt(config.batchSize ?? Number(DEFAULT_BATCH_SIZE2));
     this.pollIntervalMs = config.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS2;
+    if (!config.matchLockId) {
+      throw new Error(
+        "BurnIndexer: matchLockId is required. Provide a function that maps a burn event to its pending credit lockId. Without it, no on-chain burns will ever grant off-chain credits."
+      );
+    }
+    this.matchLockId = config.matchLockId;
   }
   start() {
     if (this.running) return;
@@ -1112,7 +934,8 @@ var BurnIndexer = class {
         return;
       }
       await this.processBlockRange(from, safeHead);
-    } catch {
+    } catch (err) {
+      console.error("[PAFI] BurnIndexer tick error:", err);
     }
     this.scheduleNext();
   }
@@ -1157,10 +980,10 @@ var BurnIndexer = class {
     for (const log of logs) {
       const args = log.args;
       if (!args.from || !args.to || args.value === void 0) continue;
-      if ((0, import_viem7.getAddress)(args.to) !== ZERO_ADDRESS2) continue;
+      if ((0, import_viem5.getAddress)(args.to) !== ZERO_ADDRESS2) continue;
       if (log.blockNumber === null || log.transactionHash === null) continue;
       out.push({
-        from: (0, import_viem7.getAddress)(args.from),
+        from: (0, import_viem5.getAddress)(args.from),
         amount: args.value,
         blockNumber: log.blockNumber,
         txHash: log.transactionHash,
@@ -1175,21 +998,28 @@ var BurnIndexer = class {
    * log + skip.
    */
   async finalize(evt) {
+    const txHash = evt.txHash;
     const lockId = await this.matchLockId(evt);
-    if (!lockId) return;
+    if (lockId === void 0) {
+      console.warn(
+        "[PAFI] BurnIndexer: matchLockId returned undefined for burn tx " + txHash + ". This burn will NOT be credited. Implement matchLockId to map burn events to lock IDs."
+      );
+      return;
+    }
     if (!this.ledger.resolveCreditByBurnTx) {
       return;
     }
     try {
       await this.ledger.resolveCreditByBurnTx(lockId, evt.txHash);
-    } catch {
+    } catch (err) {
+      console.error("[PAFI] BurnIndexer finalize error \u2014 credit may be lost:", err);
     }
   }
 };
 
 // src/api/handlers.ts
-var import_viem8 = require("viem");
-var import_core4 = require("@pafi-dev/core");
+var import_viem6 = require("viem");
+var import_core3 = require("@pafi-dev/core");
 var IssuerApiHandlers = class {
   authService;
   ledger;
@@ -1199,15 +1029,12 @@ var IssuerApiHandlers = class {
    * validate the request's `pointTokenAddress` against this set.
    */
   supportedTokens;
-  /** First supported token — used as default when a handler doesn't
-   * receive a `pointTokenAddress` in the request (shouldn't happen in
-   * practice, but keeps type-narrowing happy). */
-  defaultToken;
   chainId;
   contracts;
   pafiWebUrl;
   feeManager;
   poolsProvider;
+  claim;
   constructor(config) {
     this.authService = config.authService;
     this.ledger = config.ledger;
@@ -1218,14 +1045,14 @@ var IssuerApiHandlers = class {
         "IssuerApiHandlers: pointTokenAddress or pointTokenAddresses required"
       );
     }
-    const normalized = raw.map((a) => (0, import_viem8.getAddress)(a));
+    const normalized = raw.map((a) => (0, import_viem6.getAddress)(a));
     this.supportedTokens = new Set(normalized);
-    this.defaultToken = normalized[0];
     this.chainId = config.chainId;
     this.contracts = config.contracts;
     if (config.pafiWebUrl) this.pafiWebUrl = config.pafiWebUrl;
     if (config.feeManager) this.feeManager = config.feeManager;
     if (config.poolsProvider) this.poolsProvider = config.poolsProvider;
+    if (config.claim) this.claim = config.claim;
   }
   // =========================================================================
   // Public handlers (no auth required)
@@ -1240,6 +1067,12 @@ var IssuerApiHandlers = class {
     if (!body || typeof body.message !== "string" || body.message.length === 0 || typeof body.signature !== "string" || body.signature.length <= 2) {
       throw new Error("handleLogin: message and signature are required");
     }
+    if (body.message.length > 4096) {
+      throw new Error("message too long");
+    }
+    if (body.signature.length > 260) {
+      throw new Error("signature too long");
+    }
     const result = await this.authService.login(body.message, body.signature);
     return {
       token: result.token,
@@ -1254,9 +1087,12 @@ var IssuerApiHandlers = class {
    * needs to build EIP-712 messages and interact with on-chain.
    */
   async handleConfig(chainId) {
+    if (!Number.isInteger(chainId) || chainId <= 0) {
+      throw new Error("invalid chainId");
+    }
     if (chainId !== this.chainId) {
       throw new Error(
-        `handleConfig: unsupported chainId ${chainId}, issuer is configured for ${this.chainId}`
+        `handleConfig: unsupported chainId ${chainId}`
       );
     }
     const contracts = {
@@ -1319,25 +1155,25 @@ var IssuerApiHandlers = class {
         `handleUser: unsupported chainId ${request.chainId}`
       );
     }
-    const normalizedAuthed = (0, import_viem8.getAddress)(userAddress);
-    const normalizedRequest = (0, import_viem8.getAddress)(request.userAddress);
+    const normalizedAuthed = (0, import_viem6.getAddress)(userAddress);
+    const normalizedRequest = (0, import_viem6.getAddress)(request.userAddress);
     if (normalizedAuthed !== normalizedRequest) {
       throw new Error(
         "handleUser: request userAddress must match authenticated user"
       );
     }
-    const pointToken = (0, import_viem8.getAddress)(request.pointTokenAddress);
+    const pointToken = (0, import_viem6.getAddress)(request.pointTokenAddress);
     if (!this.supportedTokens.has(pointToken)) {
       throw new Error(
         `handleUser: unsupported pointToken ${pointToken}`
       );
     }
     const [mintRequestNonce, receiverConsentNonce, offChainBalance, onChainBalance, minter] = await Promise.all([
-      (0, import_core4.getMintRequestNonce)(this.provider, pointToken, normalizedAuthed),
-      (0, import_core4.getReceiverConsentNonce)(this.provider, pointToken, normalizedAuthed),
+      (0, import_core3.getMintRequestNonce)(this.provider, pointToken, normalizedAuthed),
+      (0, import_core3.getReceiverConsentNonce)(this.provider, pointToken, normalizedAuthed),
       this.ledger.getBalance(normalizedAuthed, pointToken),
-      (0, import_core4.getPointTokenBalance)(this.provider, pointToken, normalizedAuthed),
-      (0, import_core4.isMinter)(this.provider, pointToken, normalizedAuthed)
+      (0, import_core3.getPointTokenBalance)(this.provider, pointToken, normalizedAuthed),
+      (0, import_core3.isMinter)(this.provider, pointToken, normalizedAuthed)
     ]);
     return {
       mintRequestNonce,
@@ -1369,19 +1205,32 @@ var IssuerApiHandlers = class {
         `handleBuildConsentTypedData: unsupported chainId ${request.chainId}`
       );
     }
-    const pointToken = (0, import_viem8.getAddress)(request.pointTokenAddress);
+    const pointToken = (0, import_viem6.getAddress)(request.pointTokenAddress);
     if (!this.supportedTokens.has(pointToken)) {
       throw new Error(
         `handleBuildConsentTypedData: unsupported pointToken ${pointToken}`
       );
     }
-    const name = await (0, import_core4.getTokenName)(this.provider, pointToken);
+    const consent = request.receiverConsent;
+    if ((0, import_viem6.getAddress)(consent.originalReceiver) !== (0, import_viem6.getAddress)(userAddress)) {
+      throw new Error(
+        "handleBuildConsentTypedData: receiverConsent.originalReceiver must match authenticated user"
+      );
+    }
+    if (consent.amount <= 0n) {
+      throw new Error("handleBuildConsentTypedData: amount must be positive");
+    }
+    const nowSecs = BigInt(Math.floor(Date.now() / 1e3));
+    if (consent.deadline <= nowSecs) {
+      throw new Error("handleBuildConsentTypedData: deadline is in the past");
+    }
+    const name = await (0, import_core3.getTokenName)(this.provider, pointToken);
     const domain = {
       name,
       verifyingContract: pointToken,
       chainId: this.chainId
     };
-    const typedData = (0, import_core4.buildReceiverConsentTypedData)(domain, request.receiverConsent);
+    const typedData = (0, import_core3.buildReceiverConsentTypedData)(domain, consent);
     return {
       typedData: {
         domain: typedData.domain,
@@ -1391,11 +1240,96 @@ var IssuerApiHandlers = class {
       }
     };
   }
+  /**
+   * `POST /claim`
+   *
+   * Policy gate + ledger lock + MintRequest signing in a single atomic
+   * step. Returns an unsigned UserOp the frontend attaches paymaster data
+   * to and submits via EIP-7702 + Bundler.
+   *
+   * Order of operations:
+   *   1. Validate request fields.
+   *   2. policy.evaluate() — throws if denied; cannot be bypassed.
+   *   3. ledger.lockForMinting() — reserves the balance.
+   *   4. Read on-chain mintRequestNonce + token name in parallel.
+   *   5. relayService.prepareMint() — sign MintRequest + encode UserOp.
+   *   6. On any error after step 3, release the lock before re-throwing.
+   */
+  async handleClaim(userAddress, request) {
+    if (!this.claim) {
+      throw new Error("handleClaim: claim is not configured on this issuer");
+    }
+    if (request.chainId !== this.chainId) {
+      throw new Error(`handleClaim: unsupported chainId ${request.chainId}`);
+    }
+    const pointToken = (0, import_viem6.getAddress)(request.pointTokenAddress);
+    if (!this.supportedTokens.has(pointToken)) {
+      throw new Error(`handleClaim: unsupported pointToken ${pointToken}`);
+    }
+    if (request.amount <= 0n) {
+      throw new Error("handleClaim: amount must be positive");
+    }
+    const nowSecs = BigInt(Math.floor(Date.now() / 1e3));
+    if (request.deadline <= nowSecs) {
+      throw new Error("handleClaim: deadline is in the past");
+    }
+    const { policy, relayService, issuerSignerWallet, batchExecutorAddress } = this.claim;
+    const lockDurationMs = this.claim.lockDurationMs ?? 15 * 60 * 1e3;
+    const normalizedUser = (0, import_viem6.getAddress)(userAddress);
+    const decision = await policy.evaluate({
+      userAddress: normalizedUser,
+      amount: request.amount,
+      pointTokenAddress: pointToken,
+      chainId: this.chainId
+    });
+    if (!decision.approved) {
+      throw new Error(`handleClaim: policy denied \u2014 ${decision.reason ?? "no reason given"}`);
+    }
+    const lockId = await this.ledger.lockForMinting(
+      normalizedUser,
+      request.amount,
+      lockDurationMs,
+      pointToken
+    );
+    try {
+      const [mintRequestNonce, tokenName] = await Promise.all([
+        (0, import_core3.getMintRequestNonce)(this.provider, pointToken, normalizedUser),
+        (0, import_core3.getTokenName)(this.provider, pointToken)
+      ]);
+      const domain = {
+        name: tokenName,
+        verifyingContract: pointToken,
+        chainId: this.chainId
+      };
+      const userOp = await relayService.prepareMint({
+        userAddress: normalizedUser,
+        aaNonce: request.aaNonce,
+        batchExecutorAddress,
+        pointTokenAddress: pointToken,
+        amount: request.amount,
+        issuerSignerWallet,
+        domain,
+        mintRequestNonce,
+        deadline: request.deadline,
+        feeAmount: request.feeAmount,
+        feeRecipient: request.feeRecipient
+      });
+      return {
+        lockId,
+        userOp,
+        expiresInSeconds: Math.floor(lockDurationMs / 1e3)
+      };
+    } catch (err) {
+      await this.ledger.releaseLock(lockId).catch(() => {
+      });
+      throw err;
+    }
+  }
 };
 
 // src/api/handlers/ptRedeemHandler.ts
-var import_viem9 = require("viem");
-var import_core5 = require("@pafi-dev/core");
+var import_viem7 = require("viem");
+var import_core4 = require("@pafi-dev/core");
 var DEFAULT_REDEEM_LOCK_MS = 15 * 60 * 1e3;
 var DEFAULT_SIG_DEADLINE_SEC = 15 * 60;
 var PTRedeemError = class extends Error {
@@ -1434,16 +1368,25 @@ var PTRedeemHandler = class {
     this.ledger = config.ledger;
     this.relayService = config.relayService;
     this.provider = config.provider;
-    this.pointTokenAddress = (0, import_viem9.getAddress)(config.pointTokenAddress);
-    this.batchExecutorAddress = (0, import_viem9.getAddress)(config.batchExecutorAddress);
+    this.pointTokenAddress = (0, import_viem7.getAddress)(config.pointTokenAddress);
+    this.batchExecutorAddress = (0, import_viem7.getAddress)(config.batchExecutorAddress);
     this.chainId = config.chainId;
     this.domain = config.domain;
     this.burnerSignerWallet = config.burnerSignerWallet;
+    if (this.burnerSignerWallet?.account?.type === "local") {
+      console.warn("[PAFI] PTRedeemHandler: burnerSignerWallet uses a local (private key) account. Use a KMS-backed signer in production.");
+    }
     this.redeemLockDurationMs = config.redeemLockDurationMs ?? DEFAULT_REDEEM_LOCK_MS;
     this.signatureDeadlineSeconds = config.signatureDeadlineSeconds ?? DEFAULT_SIG_DEADLINE_SEC;
     this.now = config.now ?? (() => Date.now());
   }
   async handle(request) {
+    if ((0, import_viem7.getAddress)(request.authenticatedAddress) !== (0, import_viem7.getAddress)(request.userAddress)) {
+      throw new PTRedeemError(
+        "UNAUTHORIZED",
+        `userAddress (${request.userAddress}) does not match authenticated session (${request.authenticatedAddress})`
+      );
+    }
     if (request.amount <= 0n) {
       throw new PTRedeemError("INVALID_AMOUNT", "redeem amount must be positive");
     }
@@ -1451,7 +1394,7 @@ var PTRedeemHandler = class {
     try {
       burnNonce = await this.provider.readContract({
         address: this.pointTokenAddress,
-        abi: import_core5.POINT_TOKEN_V2_ABI,
+        abi: import_core4.POINT_TOKEN_V2_ABI,
         functionName: "burnRequestNonces",
         args: [request.userAddress]
       });
@@ -1461,6 +1404,17 @@ var PTRedeemHandler = class {
         `failed to read burnRequestNonces(${request.userAddress}): ${err instanceof Error ? err.message : String(err)}`
       );
     }
+    const onChainBalance = await (0, import_core4.getPointTokenBalance)(
+      this.provider,
+      this.pointTokenAddress,
+      request.userAddress
+    );
+    if (onChainBalance < request.amount) {
+      throw new PTRedeemError(
+        "INVALID_AMOUNT",
+        `insufficient on-chain PT balance: have ${onChainBalance}, need ${request.amount}`
+      );
+    }
     const deadline = BigInt(
       Math.floor(this.now() / 1e3) + this.signatureDeadlineSeconds
     );
@@ -1477,7 +1431,7 @@ var PTRedeemHandler = class {
     };
     let burnerSignature;
     try {
-      const sig = await (0, import_core5.signBurnRequest)(
+      const sig = await (0, import_core4.signBurnRequest)(
         this.burnerSignerWallet,
         domain,
         burnRequest
@@ -1514,8 +1468,8 @@ var PTRedeemHandler = class {
 };
 
 // src/api/handlers/topUpRedemptionHandler.ts
-var import_viem10 = require("viem");
-var import_core6 = require("@pafi-dev/core");
+var import_viem8 = require("viem");
+var import_core5 = require("@pafi-dev/core");
 var TopUpRedemptionError = class extends Error {
   constructor(code, message) {
     super(message);
@@ -1533,9 +1487,15 @@ var TopUpRedemptionHandler = class {
     this.ledger = config.ledger;
     this.ptRedeemHandler = config.ptRedeemHandler;
     this.provider = config.provider;
-    this.pointTokenAddress = (0, import_viem10.getAddress)(config.pointTokenAddress);
+    this.pointTokenAddress = (0, import_viem8.getAddress)(config.pointTokenAddress);
   }
   async handle(request) {
+    if ((0, import_viem8.getAddress)(request.authenticatedAddress) !== (0, import_viem8.getAddress)(request.userAddress)) {
+      throw new TopUpRedemptionError(
+        "UNAUTHORIZED",
+        `userAddress (${request.userAddress}) does not match authenticated session (${request.authenticatedAddress})`
+      );
+    }
     const offChainBalance = await this.ledger.getBalance(
       request.userAddress,
       this.pointTokenAddress
@@ -1544,7 +1504,7 @@ var TopUpRedemptionHandler = class {
       return { action: "NO_TOP_UP_NEEDED", offChainBalance };
     }
     const shortfall = request.requiredAmount - offChainBalance;
-    const onChainBalance = await (0, import_core6.getPointTokenBalance)(
+    const onChainBalance = await (0, import_core5.getPointTokenBalance)(
       this.provider,
       this.pointTokenAddress,
       request.userAddress
@@ -1558,6 +1518,7 @@ var TopUpRedemptionHandler = class {
       };
     }
     const redeem = await this.ptRedeemHandler.handle({
+      authenticatedAddress: request.authenticatedAddress,
       userAddress: request.userAddress,
       amount: shortfall,
       aaNonce: request.aaNonce
@@ -1571,6 +1532,7 @@ var TopUpRedemptionHandler = class {
 };
 
 // src/pools/subgraphPoolsProvider.ts
+var import_viem9 = require("viem");
 var DEFAULT_CACHE_TTL_MS = 3e4;
 var POOL_QUERY = `
   query GetPoolForPointToken($id: ID!) {
@@ -1593,6 +1555,19 @@ function createSubgraphPoolsProvider(config) {
       "createSubgraphPoolsProvider: subgraphUrl is required"
     );
   }
+  try {
+    const parsed = new URL(config.subgraphUrl);
+    if (process.env.NODE_ENV === "production" && parsed.protocol !== "https:") {
+      throw new Error("subgraphUrl must use HTTPS in production");
+    }
+  } catch (err) {
+    if (err instanceof TypeError) {
+      throw new Error(
+        `subgraphPoolsProvider: invalid subgraphUrl: ${config.subgraphUrl}`
+      );
+    }
+    throw err;
+  }
   const cacheTtl = config.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;
   const fetchImpl = config.fetchImpl ?? globalThis.fetch;
   const now = config.now ?? (() => Date.now());
@@ -1661,6 +1636,26 @@ async function fetchPoolsFromSubgraph(fetchImpl, subgraphUrl, pointTokenAddress)
     return [];
   }
   const { pool } = token;
+  if (!(0, import_viem9.isAddress)(pool.hooks)) {
+    console.error(
+      "[PAFI] SubgraphPoolsProvider: invalid hooks address in response:",
+      pool.hooks,
+      "\u2014 skipping pool"
+    );
+    return [];
+  }
+  if (!(0, import_viem9.isAddress)(pool.token0.id) || !(0, import_viem9.isAddress)(pool.token1.id)) {
+    console.error(
+      "[PAFI] SubgraphPoolsProvider: invalid token address in response \u2014 skipping pool"
+    );
+    return [];
+  }
+  if (!Number.isFinite(Number(pool.feeTier)) || !Number.isFinite(Number(pool.tickSpacing))) {
+    console.error(
+      "[PAFI] SubgraphPoolsProvider: invalid feeTier/tickSpacing \u2014 skipping pool"
+    );
+    return [];
+  }
   const [currency0, currency1] = sortCurrencies(
     pool.token0.id,
     pool.token1.id
@@ -1696,6 +1691,19 @@ function createSubgraphNativeUsdtQuoter(config) {
       "createSubgraphNativeUsdtQuoter: subgraphUrl is required"
     );
   }
+  try {
+    const parsed = new URL(config.subgraphUrl);
+    if (process.env.NODE_ENV === "production" && parsed.protocol !== "https:") {
+      throw new Error("subgraphUrl must use HTTPS in production");
+    }
+  } catch (err) {
+    if (err instanceof TypeError) {
+      throw new Error(
+        `subgraphPoolsProvider: invalid subgraphUrl: ${config.subgraphUrl}`
+      );
+    }
+    throw err;
+  }
   const usdtDecimals = config.usdtDecimals ?? DEFAULT_USDT_DECIMALS;
   const nativeDecimals = config.nativeDecimals ?? DEFAULT_NATIVE_DECIMALS;
   const cacheTtl = config.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS2;
@@ -1772,6 +1780,14 @@ async function fetchEthPriceFromSubgraph(fetchImpl, subgraphUrl) {
     );
     return null;
   }
+  const MIN_REASONABLE_ETH_PRICE = 100;
+  const MAX_REASONABLE_ETH_PRICE = 1e5;
+  if (parsed < MIN_REASONABLE_ETH_PRICE || parsed > MAX_REASONABLE_ETH_PRICE) {
+    console.warn(
+      `[PAFI] SubgraphNativeUsdtQuoter: ETH/USD price ${parsed} is outside reasonable range. Using fallback.`
+    );
+    return null;
+  }
   return parsed;
 }
 function toUsdtPerNative(priceFloat, usdtDecimals) {
@@ -1782,7 +1798,7 @@ function toUsdtPerNative(priceFloat, usdtDecimals) {
 }
 
 // src/balance/balanceAggregator.ts
-var import_core7 = require("@pafi-dev/core");
+var import_core6 = require("@pafi-dev/core");
 var BalanceAggregator = class {
   provider;
   ledger;
@@ -1803,7 +1819,7 @@ var BalanceAggregator = class {
   async getCombinedBalance(user, pointToken) {
     const [offChain, onChain] = await Promise.all([
       this.ledger.getBalance(user, pointToken),
-      (0, import_core7.getPointTokenBalance)(this.provider, pointToken, user)
+      (0, import_core6.getPointTokenBalance)(this.provider, pointToken, user)
     ]);
     return {
       offChain,
@@ -1863,11 +1879,14 @@ var PafiBackendError = class extends Error {
 };
 
 // src/config.ts
-var import_viem11 = require("viem");
+var import_viem10 = require("viem");
 function createIssuerService(config) {
   if (!config.provider) {
     throw new Error("createIssuerService: provider is required");
   }
+  if (!config.ledger) {
+    throw new Error("createIssuerService: ledger is required");
+  }
   if (!config.auth?.jwtSecret) {
     throw new Error("createIssuerService: auth.jwtSecret is required");
   }
@@ -1880,8 +1899,8 @@ function createIssuerService(config) {
       "createIssuerService: at least one of pointTokenAddress / pointTokenAddresses is required"
     );
   }
-  const tokenAddresses = rawAddresses.map((a) => (0, import_viem11.getAddress)(a));
-  const ledger = config.ledger ?? new MemoryPointLedger();
+  const tokenAddresses = rawAddresses.map((a) => (0, import_viem10.getAddress)(a));
+  const ledger = config.ledger;
   const sessionStore = config.sessionStore ?? new MemorySessionStore();
   const policy = config.policy ?? new DefaultPolicyEngine({ ledger });
   const authServiceConfig = {
@@ -1937,6 +1956,15 @@ function createIssuerService(config) {
   };
   if (feeManager) handlersConfig.feeManager = feeManager;
   if (config.poolsProvider) handlersConfig.poolsProvider = config.poolsProvider;
+  if (config.claim) {
+    handlersConfig.claim = {
+      policy,
+      relayService,
+      issuerSignerWallet: config.claim.issuerSignerWallet,
+      batchExecutorAddress: config.claim.batchExecutorAddress,
+      lockDurationMs: config.claim.lockDurationMs
+    };
+  }
   const handlers = new IssuerApiHandlers(handlersConfig);
   if (config.indexer?.autoStart) {
     for (const idx of indexers.values()) {
@@ -1968,7 +1996,6 @@ var PAFI_ISSUER_SDK_VERSION = "0.1.0";
   FeeManager,
   InMemoryCursorStore,
   IssuerApiHandlers,
-  MemoryPointLedger,
   MemorySessionStore,
   NonceManager,
   PAFI_ISSUER_SDK_VERSION,
@@ -1976,7 +2003,6 @@ var PAFI_ISSUER_SDK_VERSION = "0.1.0";
   PTRedeemHandler,
   PafiBackendError,
   PointIndexer,
-  PrivateKeySigner,
   RelayError,
   RelayService,
   TopUpRedemptionError,