@pafi-dev/issuer 0.3.0-beta.3 → 0.3.0-beta.4

package/dist/index.cjs

@@ -677,21 +677,11 @@ var RelayService = class {
     }
   }
   /**
-   * Submit a `mintAndSwap` transaction. Flow:
+   * Submit a `mintAndSwap` transaction (legacy v0.2 `/claim-and-swap`).
    *
-   *   1. (optional) pre-flight simulate via provider
-   *   2. writeContract through the operator wallet
-   *   3. (optional) wait for the receipt and surface gasUsed / status
-   *
-   * Throws a typed `RelayError` on any failure so the MintingGateway can
-   * decide whether to release the ledger lock (`SUBMIT_FAILED` and
-   * `SIMULATION_FAILED` are safe to release; `TX_REVERTED` and `TIMEOUT`
-   * need manual review because the tx may still land).
-   *
-   * @deprecated Since 0.3.0 — will be replaced by `prepareMint()` +
-   * `prepareBurn()` in the v1.4 sponsored-UserOp flow. The SC team
-   * still needs to finalize Relayer v2 ABI before the replacements
-   * can ship (blocker B1). Kept for v0.2.x consumers. Removed in 2.0.
+   * @deprecated Since 0.3.0 — replaced by `prepareMint` / `prepareBurn`
+   * in the v1.4 sponsored-UserOp flow. Kept for v0.2.x consumers;
+   * scheduled removal in 2.0.
    */
   async submitMintAndSwap(params) {
     if (this.simulateBeforeSubmit && this.provider) {
@@ -761,45 +751,24 @@ var RelayService = class {
     }
   }
   // ==========================================================================
-  // v1.4 — Sponsored UserOp preparation (beta with mocked SC contracts)
-  // ==========================================================================
-  //
-  // These two methods build unsigned `PartialUserOperation` payloads for
-  // the Frontend to sign (via Privy) and submit to the Bundler. The
-  // Issuer Backend no longer broadcasts — that's the Frontend's job.
-  //
-  // Uses mocked Relayer v2 + PointToken ABIs from `@pafi-dev/core/contracts`.
-  // When SC delivers real ABIs, the imports swap but these method bodies
-  // stay the same (calldata encoder is ABI-driven).
+  // v1.4 — Sponsored UserOp preparation (sig-gated mint + burn)
   // ==========================================================================
   /**
-   * Build an unsigned UserOp for Scenario 1 (Mint).
+   * Build an unsigned UserOp for Scenario 1 (Mint) — sig-gated
+   * `PointToken.mint(to, amount, deadline, minterSig)`.
    *
    * Flow:
-   *   1. Encode `Relayer.mint(request, userSig, issuerSig)` as the inner call
-   *   2. Optionally append a PT fee transfer from user → feeRecipient
-   *      (fee recovery happens on-chain via BatchExecutor, not via an
-   *      operator wallet)
-   *   3. Wrap all inner calls into `BatchExecutor.execute(calls[])`
-   *   4. Return a `PartialUserOperation` ready for:
-   *        - gas estimation (Bundler)
-   *        - paymaster sponsorship (PAFI Backend)
-   *        - user signature (Privy)
-   */
-  /**
-   * Build an unsigned UserOp for Scenario 1 (Mint) — direct
-   * `PointToken.mint(amount)` flow (v1.4 post-Relayer-removal).
-   *
-   * `msg.sender` inside the batch = user EOA via EIP-7702 delegation.
-   * `PointToken.mint` checks the caller is on its `minters` allowlist
-   * (gg56 BE pre-validates this off-chain to avoid wasted gas).
-   *
-   * Optional PT fee transfer is appended after the mint when
-   * `feeAmount > 0` — this is application-level fee recovery (no
-   * Relayer doing it for us). The user must end up with `amount - fee`
-   * net PT after the batch executes.
+   *   1. Issuer backend signs `MintRequest(to=user, amount, nonce, deadline)`
+   *      with its minter signer (HSM/KMS) → `minterSig`.
+   *   2. Encode `PointToken.mint(user, amount, deadline, minterSig)`.
+   *      On-chain, `msg.sender` must equal `to` — satisfied by EIP-7702
+   *      delegating the user EOA to BatchExecutor.
+   *   3. Optional PT fee transfer appended after mint (application-level
+   *      fee recovery since Relayer v2 no longer exists).
+   *   4. Return `PartialUserOperation` ready for Bundler gas estimate +
+   *      Paymaster sponsorship + user signature.
    */
-  prepareMint(params) {
+  async prepareMint(params) {
     if (!params.batchExecutorAddress) {
       throw new RelayError(
         "ENCODE_FAILED",
@@ -818,12 +787,41 @@ var RelayService = class {
     if (params.amount <= 0n) {
       throw new RelayError("ENCODE_FAILED", "prepareMint: amount must be positive");
     }
+    if (!params.issuerSignerWallet) {
+      throw new RelayError(
+        "ENCODE_FAILED",
+        "prepareMint: issuerSignerWallet required (for MintRequest EIP-712 signature)"
+      );
+    }
+    if (params.deadline <= 0n) {
+      throw new RelayError("ENCODE_FAILED", "prepareMint: deadline must be positive");
+    }
+    let minterSig;
+    try {
+      const sig = await (0, import_core3.signMintRequest)(
+        params.issuerSignerWallet,
+        params.domain,
+        {
+          to: params.userAddress,
+          amount: params.amount,
+          nonce: params.mintRequestNonce,
+          deadline: params.deadline
+        }
+      );
+      minterSig = sig.serialized;
+    } catch (err) {
+      throw new RelayError(
+        "ENCODE_FAILED",
+        `prepareMint: failed to sign MintRequest: ${errorMessage(err)}`,
+        err
+      );
+    }
     let mintCallData;
     try {
       mintCallData = (0, import_viem5.encodeFunctionData)({
         abi: import_core3.POINT_TOKEN_V2_ABI,
         functionName: "mint",
-        args: [params.amount]
+        args: [params.userAddress, params.amount, params.deadline, minterSig]
       });
     } catch (err) {
       throw new RelayError(
@@ -871,13 +869,13 @@ var RelayService = class {
    * Build an unsigned UserOp for Scenario 2 (Burn/Redeem).
    *
    * Two modes:
-   *   - `mode: 'burn'` — direct `PointToken.burn(amount)`; `msg.sender`
-   *     via EIP-7702 delegation is the user, so no signature needed
-   *     on-chain (the BurnConsent was already verified off-chain by
-   *     the issuer backend before we got here)
-   *   - `mode: 'burnWithSig'` — `PointToken.burnWithSig(consent, sig)`;
-   *     used when the issuer hasn't verified the consent and the
-   *     contract has to do it on-chain
+   *   - `mode: 'burn'` — direct `PointToken.burn(from, amount)`; only
+   *     usable if the user is a whitelisted burner. Not the typical
+   *     v1.4 path (users aren't burners); kept for admin/operator tools.
+   *   - `mode: 'burnWithSig'` — `PointToken.burn(from, amount, deadline,
+   *     burnerSig)`. Issuer signs `BurnRequest` off-chain; user submits
+   *     via EIP-7702. `msg.sender == from` enforced on-chain. This is
+   *     the user-initiated redeem path in v1.4.
    */
   prepareBurn(params) {
     if (!params.pointTokenAddress) {
@@ -892,19 +890,24 @@ var RelayService = class {
     let burnCallData;
     try {
       if (params.mode === "burnWithSig") {
-        if (!params.burnConsent || !params.consentSignature) {
-          throw new Error("burnWithSig requires burnConsent + consentSignature");
+        if (!params.burnRequest || !params.burnerSignature) {
+          throw new Error("burnWithSig requires burnRequest + burnerSignature");
         }
         burnCallData = (0, import_viem5.encodeFunctionData)({
           abi: import_core3.POINT_TOKEN_V2_ABI,
-          functionName: "burnWithSig",
-          args: [params.burnConsent, params.consentSignature]
+          functionName: "burn",
+          args: [
+            params.burnRequest.from,
+            params.burnRequest.amount,
+            params.burnRequest.deadline,
+            params.burnerSignature
+          ]
         });
       } else {
         burnCallData = (0, import_viem5.encodeFunctionData)({
           abi: import_core3.POINT_TOKEN_V2_ABI,
           functionName: "burn",
-          args: [params.amount]
+          args: [params.userAddress, params.amount]
         });
       }
     } catch (err) {
@@ -1817,6 +1820,7 @@ var IssuerApiHandlers = class {
 var import_viem9 = require("viem");
 var import_core6 = require("@pafi-dev/core");
 var DEFAULT_REDEEM_LOCK_MS = 15 * 60 * 1e3;
+var DEFAULT_SIG_DEADLINE_SEC = 15 * 60;
 var PTRedeemError = class extends Error {
   constructor(code, message) {
     super(message);
@@ -1828,11 +1832,14 @@ var PTRedeemError = class extends Error {
 var PTRedeemHandler = class {
   ledger;
   relayService;
+  provider;
   pointTokenAddress;
   batchExecutorAddress;
   chainId;
   domain;
+  burnerSignerWallet;
   redeemLockDurationMs;
+  signatureDeadlineSeconds;
   now;
   constructor(config) {
     if (!config.ledger.reservePendingCredit) {
@@ -1841,46 +1848,68 @@ var PTRedeemHandler = class {
         "PTRedeemHandler requires a ledger that implements reservePendingCredit() (v0.3.0+)"
       );
     }
+    if (!config.burnerSignerWallet) {
+      throw new PTRedeemError(
+        "SIGNING_FAILED",
+        "PTRedeemHandler requires burnerSignerWallet (issuer burner signer)"
+      );
+    }
     this.ledger = config.ledger;
     this.relayService = config.relayService;
+    this.provider = config.provider;
     this.pointTokenAddress = (0, import_viem9.getAddress)(config.pointTokenAddress);
     this.batchExecutorAddress = (0, import_viem9.getAddress)(config.batchExecutorAddress);
     this.chainId = config.chainId;
     this.domain = config.domain;
+    this.burnerSignerWallet = config.burnerSignerWallet;
     this.redeemLockDurationMs = config.redeemLockDurationMs ?? DEFAULT_REDEEM_LOCK_MS;
+    this.signatureDeadlineSeconds = config.signatureDeadlineSeconds ?? DEFAULT_SIG_DEADLINE_SEC;
     this.now = config.now ?? (() => Date.now());
   }
   async handle(request) {
     if (request.amount <= 0n) {
-      throw new PTRedeemError("INVALID_CONSENT", "redeem amount must be positive");
+      throw new PTRedeemError("INVALID_AMOUNT", "redeem amount must be positive");
     }
-    if (request.consent.amount !== request.amount) {
-      throw new PTRedeemError(
-        "AMOUNT_MISMATCH",
-        `consent.amount (${request.consent.amount}) must match request.amount (${request.amount})`
-      );
-    }
-    const nowSeconds = BigInt(Math.floor(this.now() / 1e3));
-    if (request.consent.deadline <= nowSeconds) {
+    let burnNonce;
+    try {
+      burnNonce = await this.provider.readContract({
+        address: this.pointTokenAddress,
+        abi: import_core6.POINT_TOKEN_V2_ABI,
+        functionName: "burnRequestNonces",
+        args: [request.userAddress]
+      });
+    } catch (err) {
       throw new PTRedeemError(
-        "EXPIRED_CONSENT",
-        `consent deadline (${request.consent.deadline}) already passed`
+        "NONCE_READ_FAILED",
+        `failed to read burnRequestNonces(${request.userAddress}): ${err instanceof Error ? err.message : String(err)}`
       );
     }
-    const verification = await (0, import_core6.verifyBurnConsent)(
-      {
-        name: this.domain.name,
-        chainId: this.chainId,
-        verifyingContract: this.domain.verifyingContract ?? this.pointTokenAddress
-      },
-      request.consent,
-      request.consentSignature,
-      request.userAddress
+    const deadline = BigInt(
+      Math.floor(this.now() / 1e3) + this.signatureDeadlineSeconds
     );
-    if (!verification.isValid) {
+    const domain = {
+      name: this.domain.name,
+      chainId: this.chainId,
+      verifyingContract: this.domain.verifyingContract ?? this.pointTokenAddress
+    };
+    const burnRequest = {
+      from: request.userAddress,
+      amount: request.amount,
+      nonce: burnNonce,
+      deadline
+    };
+    let burnerSignature;
+    try {
+      const sig = await (0, import_core6.signBurnRequest)(
+        this.burnerSignerWallet,
+        domain,
+        burnRequest
+      );
+      burnerSignature = sig.serialized;
+    } catch (err) {
       throw new PTRedeemError(
-        "SIGNATURE_MISMATCH",
-        `signer mismatch \u2014 expected ${request.userAddress}, got ${verification.recoveredAddress}`
+        "SIGNING_FAILED",
+        `failed to sign BurnRequest: ${err instanceof Error ? err.message : String(err)}`
       );
     }
     const lockId = await this.ledger.reservePendingCredit(
@@ -1895,29 +1924,17 @@ var PTRedeemHandler = class {
       aaNonce: request.aaNonce,
       pointTokenAddress: this.pointTokenAddress,
       batchExecutorAddress: this.batchExecutorAddress,
-      burnConsent: request.consent,
-      consentSignature: parseSigStruct(request.consentSignature)
+      burnRequest,
+      burnerSignature
     });
     return {
       lockId,
       userOp,
-      expiresInSeconds: Math.floor(this.redeemLockDurationMs / 1e3)
+      expiresInSeconds: Math.floor(this.redeemLockDurationMs / 1e3),
+      signatureDeadline: deadline
     };
   }
 };
-function parseSigStruct(serialized) {
-  const raw = serialized.slice(2);
-  if (raw.length !== 130) {
-    throw new PTRedeemError(
-      "INVALID_CONSENT",
-      `signature must be 65 bytes, got ${raw.length / 2}`
-    );
-  }
-  const r = `0x${raw.slice(0, 64)}`;
-  const s = `0x${raw.slice(64, 128)}`;
-  const v = parseInt(raw.slice(128, 130), 16);
-  return { v, r, s };
-}
 
 // src/api/handlers/topUpRedemptionHandler.ts
 var import_viem10 = require("viem");
@@ -1963,24 +1980,10 @@ var TopUpRedemptionHandler = class {
         shortfall
       };
     }
-    if (request.redeemRequest.consent.amount < shortfall) {
-      throw new TopUpRedemptionError(
-        "CONSENT_AMOUNT_TOO_LOW",
-        `consent.amount (${request.redeemRequest.consent.amount}) must cover shortfall (${shortfall})`
-      );
-    }
-    if (request.redeemRequest.consent.amount !== shortfall) {
-      throw new TopUpRedemptionError(
-        "CONSENT_AMOUNT_TOO_LOW",
-        `consent.amount (${request.redeemRequest.consent.amount}) must equal shortfall (${shortfall}) exactly \u2014 re-sign with correct amount`
-      );
-    }
     const redeem = await this.ptRedeemHandler.handle({
       userAddress: request.userAddress,
       amount: shortfall,
-      consent: request.redeemRequest.consent,
-      consentSignature: request.redeemRequest.consentSignature,
-      aaNonce: request.redeemRequest.aaNonce
+      aaNonce: request.aaNonce
     });
     return {
       action: "TOP_UP_STARTED",