@pafi-dev/issuer 0.3.0-beta.8 → 0.4.0

package/dist/index.cjs

@@ -28,7 +28,6 @@ __export(index_exports, {
   FeeManager: () => FeeManager,
   InMemoryCursorStore: () => InMemoryCursorStore,
   IssuerApiHandlers: () => IssuerApiHandlers,
-  MemoryPointLedger: () => MemoryPointLedger,
   MemorySessionStore: () => MemorySessionStore,
   NonceManager: () => NonceManager,
   PAFI_ISSUER_SDK_VERSION: () => PAFI_ISSUER_SDK_VERSION,
@@ -37,7 +36,6 @@ __export(index_exports, {
   PafiBackendClient: () => PafiBackendClient,
   PafiBackendError: () => PafiBackendError,
   PointIndexer: () => PointIndexer,
-  PrivateKeySigner: () => PrivateKeySigner,
   RelayError: () => RelayError,
   RelayService: () => RelayService,
   TopUpRedemptionError: () => TopUpRedemptionError,
@@ -49,204 +47,6 @@ __export(index_exports, {
 });
 module.exports = __toCommonJS(index_exports);
 
-// src/ledger/memoryLedger.ts
-var import_viem = require("viem");
-var MemoryPointLedger = class {
-  balances = /* @__PURE__ */ new Map();
-  locks = /* @__PURE__ */ new Map();
-  nextLockId = 1;
-  now;
-  constructor(opts = {}) {
-    this.now = opts.now ?? (() => Date.now());
-  }
-  // -------------------------------------------------------------------------
-  // Read
-  // -------------------------------------------------------------------------
-  async getBalance(userAddress, tokenAddress) {
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    this.purgeExpired();
-    const total = this.balances.get(balanceKey(user, token)) ?? 0n;
-    const locked = this.lockedTotalFor(user, token);
-    return total - locked;
-  }
-  async getLockedRequests(userAddress, tokenAddress) {
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    this.purgeExpired();
-    const out = [];
-    for (const lock of this.locks.values()) {
-      if (lock.userAddress === user && lock.status === "PENDING" && (lock.tokenAddress ?? DEFAULT_TOKEN_KEY) === token) {
-        out.push({ ...lock });
-      }
-    }
-    return out;
-  }
-  // -------------------------------------------------------------------------
-  // Write
-  // -------------------------------------------------------------------------
-  async creditBalance(userAddress, amount, _reason, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error("MemoryPointLedger: credit amount must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    const key = balanceKey(user, token);
-    const current = this.balances.get(key) ?? 0n;
-    this.balances.set(key, current + amount);
-  }
-  async lockForMinting(userAddress, amount, lockDurationMs, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error("MemoryPointLedger: lock amount must be positive");
-    }
-    if (lockDurationMs <= 0) {
-      throw new Error("MemoryPointLedger: lockDurationMs must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    this.purgeExpired();
-    const total = this.balances.get(balanceKey(user, token)) ?? 0n;
-    const alreadyLocked = this.lockedTotalFor(user, token);
-    const available = total - alreadyLocked;
-    if (available < amount) {
-      throw new Error(
-        `MemoryPointLedger: insufficient balance \u2014 available=${available}, requested=${amount}`
-      );
-    }
-    const lockId = `lock-${this.nextLockId++}`;
-    const now = this.now();
-    const lock = {
-      lockId,
-      userAddress: user,
-      amount,
-      status: "PENDING",
-      createdAt: now,
-      expiresAt: now + lockDurationMs
-    };
-    if (tokenAddress !== void 0) {
-      lock.tokenAddress = (0, import_viem.getAddress)(tokenAddress);
-    }
-    this.locks.set(lockId, lock);
-    return lockId;
-  }
-  async releaseLock(lockId) {
-    const lock = this.locks.get(lockId);
-    if (!lock) return;
-    if (lock.status === "PENDING") {
-      this.locks.delete(lockId);
-    }
-  }
-  async deductBalance(userAddress, amount, txHash, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error("MemoryPointLedger: deduct amount must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const token = normalizeToken(tokenAddress);
-    const key = balanceKey(user, token);
-    const current = this.balances.get(key) ?? 0n;
-    if (current < amount) {
-      throw new Error(
-        `MemoryPointLedger: cannot deduct ${amount} from balance ${current}`
-      );
-    }
-    this.balances.set(key, current - amount);
-    for (const lock of this.locks.values()) {
-      if (lock.userAddress === user && lock.status === "PENDING" && lock.amount === amount && (lock.tokenAddress ?? DEFAULT_TOKEN_KEY) === token) {
-        lock.status = "MINTED";
-        lock.txHash = txHash;
-        return;
-      }
-    }
-  }
-  async updateMintStatus(lockId, status, txHash) {
-    const lock = this.locks.get(lockId);
-    if (!lock) {
-      throw new Error(`MemoryPointLedger: unknown lockId ${lockId}`);
-    }
-    lock.status = status;
-    if (txHash) lock.txHash = txHash;
-  }
-  // -------------------------------------------------------------------------
-  // v1.4 — Reverse flow (PT burn → off-chain credit)
-  // -------------------------------------------------------------------------
-  pendingCredits = /* @__PURE__ */ new Map();
-  nextCreditId = 1;
-  async reservePendingCredit(userAddress, amount, durationMs, tokenAddress) {
-    if (amount <= 0n) {
-      throw new Error(
-        "MemoryPointLedger: pending credit amount must be positive"
-      );
-    }
-    if (durationMs <= 0) {
-      throw new Error("MemoryPointLedger: durationMs must be positive");
-    }
-    const user = (0, import_viem.getAddress)(userAddress);
-    const lockId = `credit-${this.nextCreditId++}`;
-    const now = this.now();
-    this.pendingCredits.set(lockId, {
-      lockId,
-      userAddress: user,
-      amount,
-      tokenAddress: tokenAddress !== void 0 ? (0, import_viem.getAddress)(tokenAddress) : void 0,
-      createdAt: now,
-      expiresAt: now + durationMs,
-      status: "PENDING"
-    });
-    return lockId;
-  }
-  async resolveCreditByBurnTx(lockId, txHash) {
-    const credit = this.pendingCredits.get(lockId);
-    if (!credit) {
-      throw new Error(
-        `MemoryPointLedger: unknown pending credit lockId ${lockId}`
-      );
-    }
-    if (credit.status === "RESOLVED") {
-      if (credit.txHash === txHash) return;
-      throw new Error(
-        `MemoryPointLedger: credit ${lockId} already resolved with a different txHash`
-      );
-    }
-    const token = normalizeToken(credit.tokenAddress);
-    const key = balanceKey(credit.userAddress, token);
-    const current = this.balances.get(key) ?? 0n;
-    this.balances.set(key, current + credit.amount);
-    credit.status = "RESOLVED";
-    credit.txHash = txHash;
-  }
-  // -------------------------------------------------------------------------
-  // Internal helpers
-  // -------------------------------------------------------------------------
-  /**
-   * Auto-expire any PENDING lock past its expiry. Called lazily on every
-   * read/write so the in-memory state stays self-cleaning without a timer.
-   */
-  purgeExpired() {
-    const now = this.now();
-    for (const lock of this.locks.values()) {
-      if (lock.status === "PENDING" && lock.expiresAt <= now) {
-        lock.status = "EXPIRED";
-      }
-    }
-  }
-  lockedTotalFor(userAddress, tokenKey) {
-    let total = 0n;
-    for (const lock of this.locks.values()) {
-      if (lock.userAddress === userAddress && lock.status === "PENDING" && (lock.tokenAddress ?? DEFAULT_TOKEN_KEY) === tokenKey) {
-        total += lock.amount;
-      }
-    }
-    return total;
-  }
-};
-var DEFAULT_TOKEN_KEY = "default";
-function normalizeToken(tokenAddress) {
-  return tokenAddress === void 0 ? DEFAULT_TOKEN_KEY : (0, import_viem.getAddress)(tokenAddress);
-}
-function balanceKey(user, tokenKey) {
-  return `${user}|${tokenKey}`;
-}
-
 // src/policy/defaultPolicy.ts
 var DefaultPolicyEngine = class {
   ledger;
@@ -262,6 +62,13 @@ var DefaultPolicyEngine = class {
     }
     if (opts.verifyMintCap) this.verifyMintCap = opts.verifyMintCap;
     if (opts.resolveIssuer) this.resolveIssuer = opts.resolveIssuer;
+    if (!opts.mintingOracleAddress || !opts.provider || !opts.verifyMintCap || !opts.resolveIssuer) {
+      if (process.env.NODE_ENV === "production") {
+        throw new Error(
+          "[PAFI] DefaultPolicyEngine: on-chain MintingOracle cap check is required in production. Configure mintingOracleAddress, provider, verifyMintCap, and resolveIssuer."
+        );
+      }
+    }
   }
   async evaluate(request) {
     if (request.amount <= 0n) {
@@ -298,32 +105,9 @@ var DefaultPolicyEngine = class {
   }
 };
 
-// src/signer/privateKeySigner.ts
-var import_viem2 = require("viem");
-var import_accounts = require("viem/accounts");
-var import_core = require("@pafi-dev/core");
-var PrivateKeySigner = class {
-  account;
-  walletClient;
-  constructor(opts) {
-    this.account = (0, import_accounts.privateKeyToAccount)(opts.privateKey);
-    this.walletClient = (0, import_viem2.createWalletClient)({
-      account: this.account,
-      chain: opts.chain,
-      transport: (0, import_viem2.http)(opts.rpcUrl)
-    });
-  }
-  async signMintRequest(domain, message) {
-    return (0, import_core.signMintRequest)(this.walletClient, domain, message);
-  }
-  async getAddress() {
-    return this.account.address;
-  }
-};
-
 // src/auth/memorySessionStore.ts
 var import_node_crypto = require("crypto");
-var import_viem3 = require("viem");
+var import_viem = require("viem");
 var DEFAULT_NONCE_TTL_MS = 5 * 60 * 1e3;
 var MemorySessionStore = class {
   nonces = /* @__PURE__ */ new Map();
@@ -333,6 +117,11 @@ var MemorySessionStore = class {
   nonceTtlMs;
   now;
   constructor(opts = {}) {
+    if (process.env.NODE_ENV === "production") {
+      console.error(
+        "[PAFI] MemorySessionStore is not safe for multi-process/K8s deployments. Session revocations are NOT propagated across pods. Use a Redis-backed session store in production."
+      );
+    }
     this.nonceTtlMs = opts.nonceTtlMs ?? DEFAULT_NONCE_TTL_MS;
     this.now = opts.now ?? (() => Date.now());
   }
@@ -359,7 +148,7 @@ var MemorySessionStore = class {
     this.purgeExpiredSessions();
     const normalized = {
       ...session,
-      userAddress: (0, import_viem3.getAddress)(session.userAddress)
+      userAddress: (0, import_viem.getAddress)(session.userAddress)
     };
     this.sessions.set(session.tokenId, normalized);
   }
@@ -377,7 +166,7 @@ var MemorySessionStore = class {
     this.sessions.delete(tokenId);
   }
   async revokeAllSessions(userAddress) {
-    const key = (0, import_viem3.getAddress)(userAddress);
+    const key = (0, import_viem.getAddress)(userAddress);
     for (const [tokenId, session] of this.sessions.entries()) {
       if (session.userAddress === key) {
         this.sessions.delete(tokenId);
@@ -423,8 +212,8 @@ var NonceManager = class {
 // src/auth/loginVerifier.ts
 var import_node_crypto2 = require("crypto");
 var import_jose = require("jose");
-var import_viem4 = require("viem");
-var import_core2 = require("@pafi-dev/core");
+var import_viem2 = require("viem");
+var import_core = require("@pafi-dev/core");
 
 // src/auth/errors.ts
 var AuthError = class extends Error {
@@ -447,8 +236,8 @@ var AuthService = class {
   nonceManager;
   now;
   constructor(config) {
-    if (!config.jwtSecret || config.jwtSecret.length < 16) {
-      throw new Error("AuthService: jwtSecret must be at least 16 chars");
+    if (!config.jwtSecret || config.jwtSecret.length < 32) {
+      throw new Error("AuthService: jwtSecret must be at least 32 characters for HS256 security");
     }
     this.sessionStore = config.sessionStore;
     this.jwtSecret = new TextEncoder().encode(config.jwtSecret);
@@ -472,11 +261,17 @@ var AuthService = class {
   async login(message, signature) {
     let parsed;
     try {
-      parsed = (0, import_core2.parseLoginMessage)(message);
+      parsed = (0, import_core.parseLoginMessage)(message);
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       throw new AuthError("INVALID_MESSAGE", `Could not parse login message: ${msg}`);
     }
+    if (parsed.expirationTime == null) {
+      throw new AuthError(
+        "INVALID_MESSAGE",
+        "login message must include expirationTime"
+      );
+    }
     if (parsed.domain !== this.domain) {
       throw new AuthError(
         "DOMAIN_MISMATCH",
@@ -499,7 +294,7 @@ var AuthService = class {
     if (parsed.expirationTime && parsed.expirationTime.getTime() <= now.getTime()) {
       throw new AuthError("MESSAGE_EXPIRED", "Login message has expired");
     }
-    const verifyResult = await (0, import_core2.verifyLoginMessage)(message, signature);
+    const verifyResult = await (0, import_core.verifyLoginMessage)(message, signature);
     if (!verifyResult.valid) {
       throw new AuthError(
         "SIGNATURE_INVALID",
@@ -513,7 +308,7 @@ var AuthService = class {
         "Nonce is unknown, expired, or already used"
       );
     }
-    const userAddress = (0, import_viem4.getAddress)(verifyResult.address);
+    const userAddress = (0, import_viem2.getAddress)(verifyResult.address);
     const tokenId = (0, import_node_crypto2.randomBytes)(16).toString("hex");
     const issuedAt = now;
     const expiresAt = parseExpiry(issuedAt, this.jwtExpiresIn);
@@ -541,7 +336,11 @@ var AuthService = class {
       if (payload.jti) {
         await this.sessionStore.revokeSession(payload.jti);
       }
-    } catch {
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      if (!msg.includes("not found") && !msg.includes("expired")) {
+        console.error("[PAFI] AuthService logout: session store error", err);
+      }
     }
   }
   /**
@@ -580,7 +379,7 @@ var AuthService = class {
       throw new AuthError("TOKEN_INVALID", "JWT payload is malformed");
     }
     return {
-      userAddress: (0, import_viem4.getAddress)(userAddress),
+      userAddress: (0, import_viem2.getAddress)(userAddress),
       chainId,
       tokenId
     };
@@ -631,8 +430,8 @@ var RelayError = class extends Error {
 };
 
 // src/relay/relayService.ts
-var import_viem5 = require("viem");
-var import_core3 = require("@pafi-dev/core");
+var import_viem3 = require("viem");
+var import_core2 = require("@pafi-dev/core");
 var RelayService = class {
   /**
    * Build an unsigned UserOp for Scenario 1 (Mint) — sig-gated
@@ -666,9 +465,20 @@ var RelayService = class {
     if (params.deadline <= 0n) {
       throw new RelayError("ENCODE_FAILED", "prepareMint: deadline must be positive");
     }
+    const nowSecs = BigInt(Math.floor(Date.now() / 1e3));
+    if (params.deadline <= nowSecs) {
+      throw new RelayError("ENCODE_FAILED", "prepareMint: deadline is in the past");
+    }
+    const MAX_DEADLINE_WINDOW = 3600n;
+    if (params.deadline > nowSecs + MAX_DEADLINE_WINDOW) {
+      throw new RelayError(
+        "ENCODE_FAILED",
+        "prepareMint: deadline exceeds maximum allowed window (1 hour)"
+      );
+    }
     let minterSig;
     try {
-      const sig = await (0, import_core3.signMintRequest)(
+      const sig = await (0, import_core2.signMintRequest)(
         params.issuerSignerWallet,
         params.domain,
         {
@@ -688,8 +498,8 @@ var RelayService = class {
     }
     let mintCallData;
     try {
-      mintCallData = (0, import_viem5.encodeFunctionData)({
-        abi: import_core3.POINT_TOKEN_V2_ABI,
+      mintCallData = (0, import_viem3.encodeFunctionData)({
+        abi: import_core2.POINT_TOKEN_V2_ABI,
         functionName: "mint",
         args: [params.userAddress, params.amount, params.deadline, minterSig]
       });
@@ -714,17 +524,23 @@ var RelayService = class {
           "prepareMint: feeRecipient required when feeAmount > 0"
         );
       }
+      if (params.feeRecipient === "0x0000000000000000000000000000000000000000") {
+        throw new RelayError(
+          "ENCODE_FAILED",
+          "prepareMint: feeRecipient must not be zero address"
+        );
+      }
       operations.push({
         target: params.pointTokenAddress,
         value: 0n,
-        data: (0, import_viem5.encodeFunctionData)({
-          abi: import_viem5.erc20Abi,
+        data: (0, import_viem3.encodeFunctionData)({
+          abi: import_viem3.erc20Abi,
           functionName: "transfer",
           args: [params.feeRecipient, params.feeAmount]
         })
       });
     }
-    return (0, import_core3.buildPartialUserOperation)({
+    return (0, import_core2.buildPartialUserOperation)({
       sender: params.userAddress,
       nonce: params.aaNonce,
       operations,
@@ -762,8 +578,8 @@ var RelayService = class {
         if (!params.burnRequest || !params.burnerSignature) {
           throw new Error("burnWithSig requires burnRequest + burnerSignature");
         }
-        burnCallData = (0, import_viem5.encodeFunctionData)({
-          abi: import_core3.POINT_TOKEN_V2_ABI,
+        burnCallData = (0, import_viem3.encodeFunctionData)({
+          abi: import_core2.POINT_TOKEN_V2_ABI,
           functionName: "burn",
           args: [
             params.burnRequest.from,
@@ -773,8 +589,8 @@ var RelayService = class {
           ]
         });
       } else {
-        burnCallData = (0, import_viem5.encodeFunctionData)({
-          abi: import_core3.POINT_TOKEN_V2_ABI,
+        burnCallData = (0, import_viem3.encodeFunctionData)({
+          abi: import_core2.POINT_TOKEN_V2_ABI,
           functionName: "burn",
           args: [params.userAddress, params.amount]
         });
@@ -793,7 +609,7 @@ var RelayService = class {
         data: burnCallData
       }
     ];
-    return (0, import_core3.buildPartialUserOperation)({
+    return (0, import_core2.buildPartialUserOperation)({
       sender: params.userAddress,
       nonce: params.aaNonce,
       operations,
@@ -812,11 +628,14 @@ function errorMessage(err) {
 // src/relay/feeManager.ts
 var DEFAULT_GAS_UNITS = 500000n;
 var DEFAULT_PREMIUM_BPS = 12e3;
-var FeeManager = class {
+var FeeManager = class _FeeManager {
   provider;
   gasUnits;
   gasPremiumBps;
   quoteNativeToFee;
+  cachedFee = null;
+  cacheExpiresAt = 0;
+  static CACHE_TTL_MS = 1e4;
   constructor(config) {
     if (!config.provider) throw new Error("FeeManager: provider required");
     if (!config.quoteNativeToFee)
@@ -839,10 +658,17 @@ var FeeManager = class {
    * currency depends on how the caller wired `quoteNativeToFee`.
    */
   async estimateGasFee() {
+    const now = Date.now();
+    if (this.cachedFee !== null && now < this.cacheExpiresAt) {
+      return this.cachedFee;
+    }
     const gasPrice = await this.provider.getGasPrice();
     const nativeCost = gasPrice * this.gasUnits;
     const withPremium = nativeCost * BigInt(this.gasPremiumBps) / 10000n;
-    return this.quoteNativeToFee(withPremium);
+    const fee = await this.quoteNativeToFee(withPremium);
+    this.cachedFee = fee;
+    this.cacheExpiresAt = now + _FeeManager.CACHE_TTL_MS;
+    return fee;
   }
 };
 
@@ -858,8 +684,8 @@ var InMemoryCursorStore = class {
 };
 
 // src/indexer/pointIndexer.ts
-var import_viem6 = require("viem");
-var TRANSFER_EVENT = (0, import_viem6.parseAbiItem)(
+var import_viem4 = require("viem");
+var TRANSFER_EVENT = (0, import_viem4.parseAbiItem)(
   "event Transfer(address indexed from, address indexed to, uint256 value)"
 );
 var ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
@@ -929,7 +755,8 @@ var PointIndexer = class {
         return;
       }
       await this.processBlockRange(from, safeHead);
-    } catch {
+    } catch (err) {
+      console.error("[PAFI] PointIndexer tick error:", err);
     }
     this.scheduleNext();
   }
@@ -979,10 +806,10 @@ var PointIndexer = class {
     for (const log of logs) {
       const args = log.args;
       if (!args.from || !args.to || args.value === void 0) continue;
-      if ((0, import_viem6.getAddress)(args.from) !== ZERO_ADDRESS) continue;
+      if ((0, import_viem4.getAddress)(args.from) !== ZERO_ADDRESS) continue;
       if (log.blockNumber === null || log.transactionHash === null) continue;
       out.push({
-        to: (0, import_viem6.getAddress)(args.to),
+        to: (0, import_viem4.getAddress)(args.to),
         amount: args.value,
         blockNumber: log.blockNumber,
         txHash: log.transactionHash,
@@ -1038,8 +865,8 @@ function pickMatchingLock(locks, amount) {
 }
 
 // src/indexer/burnIndexer.ts
-var import_viem7 = require("viem");
-var TRANSFER_EVENT2 = (0, import_viem7.parseAbiItem)(
+var import_viem5 = require("viem");
+var TRANSFER_EVENT2 = (0, import_viem5.parseAbiItem)(
   "event Transfer(address indexed from, address indexed to, uint256 value)"
 );
 var ZERO_ADDRESS2 = "0x0000000000000000000000000000000000000000";
@@ -1055,18 +882,7 @@ var BurnIndexer = class {
   confirmations;
   batchSize;
   pollIntervalMs;
-  /**
-   * Caller-supplied matcher. Return the lockId to resolve for a given
-   * burn event, or `undefined` to skip. Runs synchronously via the
-   * ledger's query path.
-   *
-   * Default: try `ledger.resolveCreditByBurnTx` keyed on a synthetic
-   * lock id `burn-${from}-${amount}` — the in-memory ledger assigns
-   * incrementing IDs so callers with the memory ledger must provide a
-   * custom matcher. Real DB-backed ledgers override this to JOIN on
-   * their `pending_credits` table.
-   */
-  matchLockId = async () => void 0;
+  matchLockId;
   running = false;
   timer;
   constructor(config) {
@@ -1084,6 +900,12 @@ var BurnIndexer = class {
     );
     this.batchSize = BigInt(config.batchSize ?? Number(DEFAULT_BATCH_SIZE2));
     this.pollIntervalMs = config.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS2;
+    if (!config.matchLockId) {
+      throw new Error(
+        "BurnIndexer: matchLockId is required. Provide a function that maps a burn event to its pending credit lockId. Without it, no on-chain burns will ever grant off-chain credits."
+      );
+    }
+    this.matchLockId = config.matchLockId;
   }
   start() {
     if (this.running) return;
@@ -1113,7 +935,8 @@ var BurnIndexer = class {
         return;
       }
       await this.processBlockRange(from, safeHead);
-    } catch {
+    } catch (err) {
+      console.error("[PAFI] BurnIndexer tick error:", err);
     }
     this.scheduleNext();
   }
@@ -1158,10 +981,10 @@ var BurnIndexer = class {
     for (const log of logs) {
       const args = log.args;
       if (!args.from || !args.to || args.value === void 0) continue;
-      if ((0, import_viem7.getAddress)(args.to) !== ZERO_ADDRESS2) continue;
+      if ((0, import_viem5.getAddress)(args.to) !== ZERO_ADDRESS2) continue;
       if (log.blockNumber === null || log.transactionHash === null) continue;
       out.push({
-        from: (0, import_viem7.getAddress)(args.from),
+        from: (0, import_viem5.getAddress)(args.from),
         amount: args.value,
         blockNumber: log.blockNumber,
         txHash: log.transactionHash,
@@ -1176,21 +999,28 @@ var BurnIndexer = class {
    * log + skip.
    */
   async finalize(evt) {
+    const txHash = evt.txHash;
     const lockId = await this.matchLockId(evt);
-    if (!lockId) return;
+    if (lockId === void 0) {
+      console.warn(
+        "[PAFI] BurnIndexer: matchLockId returned undefined for burn tx " + txHash + ". This burn will NOT be credited. Implement matchLockId to map burn events to lock IDs."
+      );
+      return;
+    }
     if (!this.ledger.resolveCreditByBurnTx) {
       return;
     }
     try {
       await this.ledger.resolveCreditByBurnTx(lockId, evt.txHash);
-    } catch {
+    } catch (err) {
+      console.error("[PAFI] BurnIndexer finalize error \u2014 credit may be lost:", err);
     }
   }
 };
 
 // src/api/handlers.ts
-var import_viem8 = require("viem");
-var import_core4 = require("@pafi-dev/core");
+var import_viem6 = require("viem");
+var import_core3 = require("@pafi-dev/core");
 var IssuerApiHandlers = class {
   authService;
   ledger;
@@ -1200,15 +1030,12 @@ var IssuerApiHandlers = class {
    * validate the request's `pointTokenAddress` against this set.
    */
   supportedTokens;
-  /** First supported token — used as default when a handler doesn't
-   * receive a `pointTokenAddress` in the request (shouldn't happen in
-   * practice, but keeps type-narrowing happy). */
-  defaultToken;
   chainId;
   contracts;
   pafiWebUrl;
   feeManager;
   poolsProvider;
+  claim;
   constructor(config) {
     this.authService = config.authService;
     this.ledger = config.ledger;
@@ -1219,14 +1046,14 @@ var IssuerApiHandlers = class {
         "IssuerApiHandlers: pointTokenAddress or pointTokenAddresses required"
       );
     }
-    const normalized = raw.map((a) => (0, import_viem8.getAddress)(a));
+    const normalized = raw.map((a) => (0, import_viem6.getAddress)(a));
     this.supportedTokens = new Set(normalized);
-    this.defaultToken = normalized[0];
     this.chainId = config.chainId;
     this.contracts = config.contracts;
     if (config.pafiWebUrl) this.pafiWebUrl = config.pafiWebUrl;
     if (config.feeManager) this.feeManager = config.feeManager;
     if (config.poolsProvider) this.poolsProvider = config.poolsProvider;
+    if (config.claim) this.claim = config.claim;
   }
   // =========================================================================
   // Public handlers (no auth required)
@@ -1241,6 +1068,12 @@ var IssuerApiHandlers = class {
     if (!body || typeof body.message !== "string" || body.message.length === 0 || typeof body.signature !== "string" || body.signature.length <= 2) {
       throw new Error("handleLogin: message and signature are required");
     }
+    if (body.message.length > 4096) {
+      throw new Error("message too long");
+    }
+    if (body.signature.length > 260) {
+      throw new Error("signature too long");
+    }
     const result = await this.authService.login(body.message, body.signature);
     return {
       token: result.token,
@@ -1255,9 +1088,12 @@ var IssuerApiHandlers = class {
    * needs to build EIP-712 messages and interact with on-chain.
    */
   async handleConfig(chainId) {
+    if (!Number.isInteger(chainId) || chainId <= 0) {
+      throw new Error("invalid chainId");
+    }
     if (chainId !== this.chainId) {
       throw new Error(
-        `handleConfig: unsupported chainId ${chainId}, issuer is configured for ${this.chainId}`
+        `handleConfig: unsupported chainId ${chainId}`
       );
     }
     const contracts = {
@@ -1320,25 +1156,25 @@ var IssuerApiHandlers = class {
         `handleUser: unsupported chainId ${request.chainId}`
       );
     }
-    const normalizedAuthed = (0, import_viem8.getAddress)(userAddress);
-    const normalizedRequest = (0, import_viem8.getAddress)(request.userAddress);
+    const normalizedAuthed = (0, import_viem6.getAddress)(userAddress);
+    const normalizedRequest = (0, import_viem6.getAddress)(request.userAddress);
     if (normalizedAuthed !== normalizedRequest) {
       throw new Error(
         "handleUser: request userAddress must match authenticated user"
       );
     }
-    const pointToken = (0, import_viem8.getAddress)(request.pointTokenAddress);
+    const pointToken = (0, import_viem6.getAddress)(request.pointTokenAddress);
     if (!this.supportedTokens.has(pointToken)) {
       throw new Error(
         `handleUser: unsupported pointToken ${pointToken}`
       );
     }
     const [mintRequestNonce, receiverConsentNonce, offChainBalance, onChainBalance, minter] = await Promise.all([
-      (0, import_core4.getMintRequestNonce)(this.provider, pointToken, normalizedAuthed),
-      (0, import_core4.getReceiverConsentNonce)(this.provider, pointToken, normalizedAuthed),
+      (0, import_core3.getMintRequestNonce)(this.provider, pointToken, normalizedAuthed),
+      (0, import_core3.getReceiverConsentNonce)(this.provider, pointToken, normalizedAuthed),
       this.ledger.getBalance(normalizedAuthed, pointToken),
-      (0, import_core4.getPointTokenBalance)(this.provider, pointToken, normalizedAuthed),
-      (0, import_core4.isMinter)(this.provider, pointToken, normalizedAuthed)
+      (0, import_core3.getPointTokenBalance)(this.provider, pointToken, normalizedAuthed),
+      (0, import_core3.isMinter)(this.provider, pointToken, normalizedAuthed)
     ]);
     return {
       mintRequestNonce,
@@ -1370,19 +1206,32 @@ var IssuerApiHandlers = class {
         `handleBuildConsentTypedData: unsupported chainId ${request.chainId}`
       );
     }
-    const pointToken = (0, import_viem8.getAddress)(request.pointTokenAddress);
+    const pointToken = (0, import_viem6.getAddress)(request.pointTokenAddress);
     if (!this.supportedTokens.has(pointToken)) {
       throw new Error(
         `handleBuildConsentTypedData: unsupported pointToken ${pointToken}`
       );
     }
-    const name = await (0, import_core4.getTokenName)(this.provider, pointToken);
+    const consent = request.receiverConsent;
+    if ((0, import_viem6.getAddress)(consent.originalReceiver) !== (0, import_viem6.getAddress)(userAddress)) {
+      throw new Error(
+        "handleBuildConsentTypedData: receiverConsent.originalReceiver must match authenticated user"
+      );
+    }
+    if (consent.amount <= 0n) {
+      throw new Error("handleBuildConsentTypedData: amount must be positive");
+    }
+    const nowSecs = BigInt(Math.floor(Date.now() / 1e3));
+    if (consent.deadline <= nowSecs) {
+      throw new Error("handleBuildConsentTypedData: deadline is in the past");
+    }
+    const name = await (0, import_core3.getTokenName)(this.provider, pointToken);
     const domain = {
       name,
       verifyingContract: pointToken,
       chainId: this.chainId
     };
-    const typedData = (0, import_core4.buildReceiverConsentTypedData)(domain, request.receiverConsent);
+    const typedData = (0, import_core3.buildReceiverConsentTypedData)(domain, consent);
     return {
       typedData: {
         domain: typedData.domain,
@@ -1392,11 +1241,96 @@ var IssuerApiHandlers = class {
       }
     };
   }
+  /**
+   * `POST /claim`
+   *
+   * Policy gate + ledger lock + MintRequest signing in a single atomic
+   * step. Returns an unsigned UserOp the frontend attaches paymaster data
+   * to and submits via EIP-7702 + Bundler.
+   *
+   * Order of operations:
+   *   1. Validate request fields.
+   *   2. policy.evaluate() — throws if denied; cannot be bypassed.
+   *   3. ledger.lockForMinting() — reserves the balance.
+   *   4. Read on-chain mintRequestNonce + token name in parallel.
+   *   5. relayService.prepareMint() — sign MintRequest + encode UserOp.
+   *   6. On any error after step 3, release the lock before re-throwing.
+   */
+  async handleClaim(userAddress, request) {
+    if (!this.claim) {
+      throw new Error("handleClaim: claim is not configured on this issuer");
+    }
+    if (request.chainId !== this.chainId) {
+      throw new Error(`handleClaim: unsupported chainId ${request.chainId}`);
+    }
+    const pointToken = (0, import_viem6.getAddress)(request.pointTokenAddress);
+    if (!this.supportedTokens.has(pointToken)) {
+      throw new Error(`handleClaim: unsupported pointToken ${pointToken}`);
+    }
+    if (request.amount <= 0n) {
+      throw new Error("handleClaim: amount must be positive");
+    }
+    const nowSecs = BigInt(Math.floor(Date.now() / 1e3));
+    if (request.deadline <= nowSecs) {
+      throw new Error("handleClaim: deadline is in the past");
+    }
+    const { policy, relayService, issuerSignerWallet, batchExecutorAddress } = this.claim;
+    const lockDurationMs = this.claim.lockDurationMs ?? 15 * 60 * 1e3;
+    const normalizedUser = (0, import_viem6.getAddress)(userAddress);
+    const decision = await policy.evaluate({
+      userAddress: normalizedUser,
+      amount: request.amount,
+      pointTokenAddress: pointToken,
+      chainId: this.chainId
+    });
+    if (!decision.approved) {
+      throw new Error(`handleClaim: policy denied \u2014 ${decision.reason ?? "no reason given"}`);
+    }
+    const lockId = await this.ledger.lockForMinting(
+      normalizedUser,
+      request.amount,
+      lockDurationMs,
+      pointToken
+    );
+    try {
+      const [mintRequestNonce, tokenName] = await Promise.all([
+        (0, import_core3.getMintRequestNonce)(this.provider, pointToken, normalizedUser),
+        (0, import_core3.getTokenName)(this.provider, pointToken)
+      ]);
+      const domain = {
+        name: tokenName,
+        verifyingContract: pointToken,
+        chainId: this.chainId
+      };
+      const userOp = await relayService.prepareMint({
+        userAddress: normalizedUser,
+        aaNonce: request.aaNonce,
+        batchExecutorAddress,
+        pointTokenAddress: pointToken,
+        amount: request.amount,
+        issuerSignerWallet,
+        domain,
+        mintRequestNonce,
+        deadline: request.deadline,
+        feeAmount: request.feeAmount,
+        feeRecipient: request.feeRecipient
+      });
+      return {
+        lockId,
+        userOp,
+        expiresInSeconds: Math.floor(lockDurationMs / 1e3)
+      };
+    } catch (err) {
+      await this.ledger.releaseLock(lockId).catch(() => {
+      });
+      throw err;
+    }
+  }
 };
 
 // src/api/handlers/ptRedeemHandler.ts
-var import_viem9 = require("viem");
-var import_core5 = require("@pafi-dev/core");
+var import_viem7 = require("viem");
+var import_core4 = require("@pafi-dev/core");
 var DEFAULT_REDEEM_LOCK_MS = 15 * 60 * 1e3;
 var DEFAULT_SIG_DEADLINE_SEC = 15 * 60;
 var PTRedeemError = class extends Error {
@@ -1435,16 +1369,25 @@ var PTRedeemHandler = class {
     this.ledger = config.ledger;
     this.relayService = config.relayService;
     this.provider = config.provider;
-    this.pointTokenAddress = (0, import_viem9.getAddress)(config.pointTokenAddress);
-    this.batchExecutorAddress = (0, import_viem9.getAddress)(config.batchExecutorAddress);
+    this.pointTokenAddress = (0, import_viem7.getAddress)(config.pointTokenAddress);
+    this.batchExecutorAddress = (0, import_viem7.getAddress)(config.batchExecutorAddress);
     this.chainId = config.chainId;
     this.domain = config.domain;
     this.burnerSignerWallet = config.burnerSignerWallet;
+    if (this.burnerSignerWallet?.account?.type === "local") {
+      console.warn("[PAFI] PTRedeemHandler: burnerSignerWallet uses a local (private key) account. Use a KMS-backed signer in production.");
+    }
     this.redeemLockDurationMs = config.redeemLockDurationMs ?? DEFAULT_REDEEM_LOCK_MS;
     this.signatureDeadlineSeconds = config.signatureDeadlineSeconds ?? DEFAULT_SIG_DEADLINE_SEC;
     this.now = config.now ?? (() => Date.now());
   }
   async handle(request) {
+    if ((0, import_viem7.getAddress)(request.authenticatedAddress) !== (0, import_viem7.getAddress)(request.userAddress)) {
+      throw new PTRedeemError(
+        "UNAUTHORIZED",
+        `userAddress (${request.userAddress}) does not match authenticated session (${request.authenticatedAddress})`
+      );
+    }
     if (request.amount <= 0n) {
       throw new PTRedeemError("INVALID_AMOUNT", "redeem amount must be positive");
     }
@@ -1452,7 +1395,7 @@ var PTRedeemHandler = class {
     try {
       burnNonce = await this.provider.readContract({
         address: this.pointTokenAddress,
-        abi: import_core5.POINT_TOKEN_V2_ABI,
+        abi: import_core4.POINT_TOKEN_V2_ABI,
         functionName: "burnRequestNonces",
         args: [request.userAddress]
       });
@@ -1462,6 +1405,17 @@ var PTRedeemHandler = class {
         `failed to read burnRequestNonces(${request.userAddress}): ${err instanceof Error ? err.message : String(err)}`
       );
     }
+    const onChainBalance = await (0, import_core4.getPointTokenBalance)(
+      this.provider,
+      this.pointTokenAddress,
+      request.userAddress
+    );
+    if (onChainBalance < request.amount) {
+      throw new PTRedeemError(
+        "INVALID_AMOUNT",
+        `insufficient on-chain PT balance: have ${onChainBalance}, need ${request.amount}`
+      );
+    }
     const deadline = BigInt(
       Math.floor(this.now() / 1e3) + this.signatureDeadlineSeconds
     );
@@ -1478,7 +1432,7 @@ var PTRedeemHandler = class {
     };
     let burnerSignature;
     try {
-      const sig = await (0, import_core5.signBurnRequest)(
+      const sig = await (0, import_core4.signBurnRequest)(
         this.burnerSignerWallet,
         domain,
         burnRequest
@@ -1515,8 +1469,8 @@ var PTRedeemHandler = class {
 };
 
 // src/api/handlers/topUpRedemptionHandler.ts
-var import_viem10 = require("viem");
-var import_core6 = require("@pafi-dev/core");
+var import_viem8 = require("viem");
+var import_core5 = require("@pafi-dev/core");
 var TopUpRedemptionError = class extends Error {
   constructor(code, message) {
     super(message);
@@ -1534,9 +1488,15 @@ var TopUpRedemptionHandler = class {
     this.ledger = config.ledger;
     this.ptRedeemHandler = config.ptRedeemHandler;
     this.provider = config.provider;
-    this.pointTokenAddress = (0, import_viem10.getAddress)(config.pointTokenAddress);
+    this.pointTokenAddress = (0, import_viem8.getAddress)(config.pointTokenAddress);
   }
   async handle(request) {
+    if ((0, import_viem8.getAddress)(request.authenticatedAddress) !== (0, import_viem8.getAddress)(request.userAddress)) {
+      throw new TopUpRedemptionError(
+        "UNAUTHORIZED",
+        `userAddress (${request.userAddress}) does not match authenticated session (${request.authenticatedAddress})`
+      );
+    }
     const offChainBalance = await this.ledger.getBalance(
       request.userAddress,
       this.pointTokenAddress
@@ -1545,7 +1505,7 @@ var TopUpRedemptionHandler = class {
       return { action: "NO_TOP_UP_NEEDED", offChainBalance };
     }
     const shortfall = request.requiredAmount - offChainBalance;
-    const onChainBalance = await (0, import_core6.getPointTokenBalance)(
+    const onChainBalance = await (0, import_core5.getPointTokenBalance)(
       this.provider,
       this.pointTokenAddress,
       request.userAddress
@@ -1559,6 +1519,7 @@ var TopUpRedemptionHandler = class {
       };
     }
     const redeem = await this.ptRedeemHandler.handle({
+      authenticatedAddress: request.authenticatedAddress,
       userAddress: request.userAddress,
       amount: shortfall,
       aaNonce: request.aaNonce
@@ -1572,6 +1533,7 @@ var TopUpRedemptionHandler = class {
 };
 
 // src/pools/subgraphPoolsProvider.ts
+var import_viem9 = require("viem");
 var DEFAULT_CACHE_TTL_MS = 3e4;
 var POOL_QUERY = `
   query GetPoolForPointToken($id: ID!) {
@@ -1594,6 +1556,19 @@ function createSubgraphPoolsProvider(config) {
       "createSubgraphPoolsProvider: subgraphUrl is required"
     );
   }
+  try {
+    const parsed = new URL(config.subgraphUrl);
+    if (process.env.NODE_ENV === "production" && parsed.protocol !== "https:") {
+      throw new Error("subgraphUrl must use HTTPS in production");
+    }
+  } catch (err) {
+    if (err instanceof TypeError) {
+      throw new Error(
+        `subgraphPoolsProvider: invalid subgraphUrl: ${config.subgraphUrl}`
+      );
+    }
+    throw err;
+  }
   const cacheTtl = config.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;
   const fetchImpl = config.fetchImpl ?? globalThis.fetch;
   const now = config.now ?? (() => Date.now());
@@ -1662,6 +1637,26 @@ async function fetchPoolsFromSubgraph(fetchImpl, subgraphUrl, pointTokenAddress)
     return [];
   }
   const { pool } = token;
+  if (!(0, import_viem9.isAddress)(pool.hooks)) {
+    console.error(
+      "[PAFI] SubgraphPoolsProvider: invalid hooks address in response:",
+      pool.hooks,
+      "\u2014 skipping pool"
+    );
+    return [];
+  }
+  if (!(0, import_viem9.isAddress)(pool.token0.id) || !(0, import_viem9.isAddress)(pool.token1.id)) {
+    console.error(
+      "[PAFI] SubgraphPoolsProvider: invalid token address in response \u2014 skipping pool"
+    );
+    return [];
+  }
+  if (!Number.isFinite(Number(pool.feeTier)) || !Number.isFinite(Number(pool.tickSpacing))) {
+    console.error(
+      "[PAFI] SubgraphPoolsProvider: invalid feeTier/tickSpacing \u2014 skipping pool"
+    );
+    return [];
+  }
   const [currency0, currency1] = sortCurrencies(
     pool.token0.id,
     pool.token1.id
@@ -1697,6 +1692,19 @@ function createSubgraphNativeUsdtQuoter(config) {
       "createSubgraphNativeUsdtQuoter: subgraphUrl is required"
     );
   }
+  try {
+    const parsed = new URL(config.subgraphUrl);
+    if (process.env.NODE_ENV === "production" && parsed.protocol !== "https:") {
+      throw new Error("subgraphUrl must use HTTPS in production");
+    }
+  } catch (err) {
+    if (err instanceof TypeError) {
+      throw new Error(
+        `subgraphPoolsProvider: invalid subgraphUrl: ${config.subgraphUrl}`
+      );
+    }
+    throw err;
+  }
   const usdtDecimals = config.usdtDecimals ?? DEFAULT_USDT_DECIMALS;
   const nativeDecimals = config.nativeDecimals ?? DEFAULT_NATIVE_DECIMALS;
   const cacheTtl = config.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS2;
@@ -1773,6 +1781,14 @@ async function fetchEthPriceFromSubgraph(fetchImpl, subgraphUrl) {
     );
     return null;
   }
+  const MIN_REASONABLE_ETH_PRICE = 100;
+  const MAX_REASONABLE_ETH_PRICE = 1e5;
+  if (parsed < MIN_REASONABLE_ETH_PRICE || parsed > MAX_REASONABLE_ETH_PRICE) {
+    console.warn(
+      `[PAFI] SubgraphNativeUsdtQuoter: ETH/USD price ${parsed} is outside reasonable range. Using fallback.`
+    );
+    return null;
+  }
   return parsed;
 }
 function toUsdtPerNative(priceFloat, usdtDecimals) {
@@ -1783,7 +1799,7 @@ function toUsdtPerNative(priceFloat, usdtDecimals) {
 }
 
 // src/balance/balanceAggregator.ts
-var import_core7 = require("@pafi-dev/core");
+var import_core6 = require("@pafi-dev/core");
 var BalanceAggregator = class {
   provider;
   ledger;
@@ -1804,7 +1820,7 @@ var BalanceAggregator = class {
   async getCombinedBalance(user, pointToken) {
     const [offChain, onChain] = await Promise.all([
       this.ledger.getBalance(user, pointToken),
-      (0, import_core7.getPointTokenBalance)(this.provider, pointToken, user)
+      (0, import_core6.getPointTokenBalance)(this.provider, pointToken, user)
     ]);
     return {
       offChain,
@@ -1842,37 +1858,16 @@ var PafiBackendError = class extends Error {
   code;
   httpStatus;
   details;
-  /**
-   * Seconds to wait before retry. Populated from the server body
-   * (e.g. rate limit returns the number of seconds until UTC midnight).
-   */
   retryAfter;
-  /**
-   * `safeToRetry` as reported by the server body. Prefer this over the
-   * code-based heuristic when available — the server knows more about
-   * whether the same request will succeed on retry.
-   */
   serverSafeToRetry;
-  /**
-   * Whether the caller can safely retry the same request.
-   *
-   * If the server provided `safeToRetry` in the body, trust that.
-   * Otherwise fall back to a code-based heuristic.
-   */
   get safeToRetry() {
     if (this.serverSafeToRetry !== void 0) return this.serverSafeToRetry;
     switch (this.code) {
-      // Transient infra
-      case "PAYMASTER_UNAVAILABLE":
-      case "PAYMASTER_TIMEOUT":
       case "RATE_LIMITER_UNAVAILABLE":
-      case "KMS_UNAVAILABLE":
-      case "SPONSOR_AUTH_SIGNING_FAILED":
       case "INTERNAL_ERROR":
       case "TIMEOUT":
       case "NETWORK_ERROR":
         return true;
-      // Rate-limited — safe to retry after retryAfter window
       case "RATE_LIMIT_EXCEEDED":
       case "RATE_LIMIT_EXCEEDED_DAILY":
       case "RATE_LIMIT_EXCEEDED_PER_USER":
@@ -1884,201 +1879,104 @@ var PafiBackendError = class extends Error {
   }
 };
 
-// src/pafi-backend/pafiBackendClient.ts
-var DEFAULT_TIMEOUT_MS = 1e4;
-var RETRY_DEFAULTS = {
-  maxAttempts: 1,
-  initialDelayMs: 500,
-  maxDelayMs: 1e4,
-  maxRetryAfterMs: 3e4
-};
+// src/pafi-backend/client.ts
+function serializeBigInt(_key, value) {
+  return typeof value === "bigint" ? value.toString(10) : value;
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
 var PafiBackendClient = class {
-  url;
-  issuerId;
-  apiKey;
-  fetchImpl;
-  timeoutMs;
-  retry;
+  config;
   constructor(config) {
-    if (!config.url) {
-      throw new Error("PafiBackendClient: url is required");
-    }
-    if (!config.issuerId) {
-      throw new Error("PafiBackendClient: issuerId is required");
-    }
-    if (!config.apiKey) {
-      throw new Error("PafiBackendClient: apiKey is required");
-    }
-    this.url = config.url.replace(/\/+$/, "");
-    this.issuerId = config.issuerId;
-    this.apiKey = config.apiKey;
-    this.fetchImpl = config.fetchImpl ?? globalThis.fetch;
-    this.timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS;
-    this.retry = { ...RETRY_DEFAULTS, ...config.retry ?? {} };
-    if (!this.fetchImpl) {
-      throw new Error(
-        "PafiBackendClient: no fetch implementation available \u2014 pass `fetchImpl` or run on Node 18+"
-      );
-    }
-    if (this.retry.maxAttempts < 1) {
-      throw new Error("PafiBackendClient: retry.maxAttempts must be >= 1");
-    }
-  }
-  /**
-   * Request a SponsorAuth signature from PAFI sponsor-relayer (beta.8+).
-   *
-   * The relayer:
-   *   1. Authenticates user (JWT) + issuer (API key)
-   *   2. Per-(user, scenario) rate limit + per-issuer daily budget
-   *   3. Scenario-specific intent validation (mint cap, KYC, etc.)
-   *   4. Allocates nonce + signs SponsorAuth payload via KMS PAFI key
-   *   5. Returns `{ sponsorAuth, payload }` for the FE to forward to
-   *      Privy's `signUserOperation({ sponsorAuth, payload })`.
-   *
-   * Retries on transient failures (5xx, timeouts, KMS unavailable,
-   * rate-limit-with-retryAfter). 4xx that are not `safeToRetry` fail fast.
-   *
-   * See `pafi-backend/docs/SPONSOR_AUTH_DESIGN.md` for the full spec.
-   *
-   * @throws PafiBackendError on final failure after exhausting retries
-   */
-  async requestSponsorAuth(req) {
-    return this.postWithRetry(
-      "/sponsor-auth",
-      req
-    );
-  }
-  /**
-   * @deprecated Coinbase paymaster path — replaced by `requestSponsorAuth`
-   * in beta.8. Will be removed in 1.0. Migrate by:
-   *   1. Switch to `requestSponsorAuth` returning `{ sponsorAuth, payload }`
-   *   2. Pass both to Privy `signUserOperation` instead of merging
-   *      paymasterData into the UserOp callData
-   */
-  async requestSponsorship(req) {
-    return this.postWithRetry(
-      "/paymaster/sponsor",
-      req
-    );
-  }
-  // -------------------------------------------------------------------------
-  // Internals
-  // -------------------------------------------------------------------------
-  async postWithRetry(path, body) {
+    if (!config.url) throw new Error("PafiBackendClient: url is required");
+    if (!config.issuerId) throw new Error("PafiBackendClient: issuerId is required");
+    this.config = config;
+  }
+  async requestSponsorship(request) {
+    const maxAttempts = this.config.retry?.maxAttempts ?? 1;
+    const initialDelayMs = this.config.retry?.initialDelayMs ?? 100;
+    const maxDelayMs = this.config.retry?.maxDelayMs ?? 1e4;
+    const maxRetryAfterMs = this.config.retry?.maxRetryAfterMs;
     let lastError;
-    for (let attempt = 1; attempt <= this.retry.maxAttempts; attempt++) {
+    let delay = initialDelayMs;
+    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
       try {
-        return await this.post(path, body);
+        return await this._doRequest(request);
       } catch (err) {
         if (!(err instanceof PafiBackendError)) throw err;
         lastError = err;
-        const isLastAttempt = attempt >= this.retry.maxAttempts;
-        if (isLastAttempt || !err.safeToRetry) throw err;
-        const delay = this.computeBackoff(attempt, err.retryAfter);
-        if (delay === null) throw err;
-        await this.sleep(delay);
+        if (attempt >= maxAttempts) break;
+        if (!err.safeToRetry) break;
+        const retryAfterMs = err.retryAfter !== void 0 ? err.retryAfter * 1e3 : void 0;
+        if (maxRetryAfterMs !== void 0 && retryAfterMs !== void 0 && retryAfterMs > maxRetryAfterMs) {
+          break;
+        }
+        await sleep(retryAfterMs ?? delay);
+        delay = Math.min(delay * 2, maxDelayMs);
       }
     }
     throw lastError;
   }
-  /**
-   * Pick the delay before the next retry.
-   * - If the server sent `retryAfter` (seconds), honor it (capped by
-   *   `maxRetryAfterMs`) — returns null if the server wait exceeds the
-   *   cap, signalling the caller should give up.
-   * - Otherwise: exponential backoff with ±20% jitter, capped at
-   *   `maxDelayMs`.
-   */
-  computeBackoff(attempt, retryAfter) {
-    if (retryAfter !== void 0) {
-      const serverMs = retryAfter * 1e3;
-      if (serverMs > this.retry.maxRetryAfterMs) return null;
-      return serverMs;
-    }
-    const exp = this.retry.initialDelayMs * 2 ** (attempt - 1);
-    const capped = Math.min(exp, this.retry.maxDelayMs);
-    const jitter = capped * (0.8 + Math.random() * 0.4);
-    return Math.round(jitter);
-  }
-  sleep(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
-  }
-  async post(path, body) {
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);
+  async _doRequest(request) {
+    const fetchFn = this.config.fetchImpl ?? fetch;
+    const url = `${this.config.url}/paymaster/sponsor`;
+    const body = JSON.stringify(request, serializeBigInt);
     let response;
     try {
-      response = await this.fetchImpl(`${this.url}${path}`, {
+      response = await fetchFn(url, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
-          "Authorization": `Bearer ${this.apiKey}`,
-          "X-Issuer-Id": this.issuerId
+          Authorization: `Bearer ${this.config.apiKey}`,
+          "X-Issuer-Id": this.config.issuerId
         },
-        body: JSON.stringify(body, this.bigintReplacer),
-        signal: controller.signal
+        body
       });
     } catch (err) {
-      if (err.name === "AbortError") {
-        throw new PafiBackendError(
-          "TIMEOUT",
-          `PAFI Backend request timed out after ${this.timeoutMs}ms`,
-          0
-        );
-      }
       throw new PafiBackendError(
         "NETWORK_ERROR",
-        `PAFI Backend unreachable: ${err.message}`,
+        `Network error: ${err instanceof Error ? err.message : String(err)}`,
         0
       );
-    } finally {
-      clearTimeout(timeoutId);
     }
     const text = await response.text();
+    let json = {};
+    try {
+      json = JSON.parse(text);
+    } catch {
+    }
     if (!response.ok) {
-      let code = "INTERNAL_ERROR";
-      let message = text || response.statusText;
-      let details;
-      let retryAfter;
-      let serverSafeToRetry;
-      try {
-        const parsed = JSON.parse(text);
-        code = parsed.code ?? code;
-        message = parsed.message ?? message;
-        details = parsed.details;
-        if (typeof parsed.retryAfter === "number") retryAfter = parsed.retryAfter;
-        if (typeof parsed.safeToRetry === "boolean") serverSafeToRetry = parsed.safeToRetry;
-      } catch {
-      }
-      throw new PafiBackendError(code, message, response.status, details, {
-        ...retryAfter !== void 0 ? { retryAfter } : {},
-        ...serverSafeToRetry !== void 0 ? { safeToRetry: serverSafeToRetry } : {}
+      const code = json.code ?? "INTERNAL_ERROR";
+      const message = json.message ?? `HTTP ${response.status}`;
+      const retryAfter = typeof json.retryAfter === "number" ? json.retryAfter : void 0;
+      const safeToRetry = typeof json.safeToRetry === "boolean" ? json.safeToRetry : void 0;
+      throw new PafiBackendError(code, message, response.status, json, {
+        retryAfter,
+        safeToRetry
       });
     }
-    return JSON.parse(text, this.bigintReviver);
+    return {
+      paymaster: json.paymaster,
+      paymasterData: json.paymasterData,
+      paymasterVerificationGasLimit: BigInt(
+        json.paymasterVerificationGasLimit
+      ),
+      paymasterPostOpGasLimit: BigInt(json.paymasterPostOpGasLimit),
+      expiresAt: json.expiresAt
+    };
   }
-  /** JSON replacer that stringifies bigints. Paired with bigintReviver. */
-  bigintReplacer = (_key, value) => {
-    return typeof value === "bigint" ? value.toString() : value;
-  };
-  /**
-   * JSON reviver that coerces specific numeric-string fields back to
-   * bigint. The server must send these fields as decimal strings.
-   */
-  bigintReviver = (key, value) => {
-    if (typeof value === "string" && (key.endsWith("GasLimit") || key === "nonce" || key === "callGasLimit" || key === "verificationGasLimit" || key === "preVerificationGas" || key === "maxFeePerGas" || key === "maxPriorityFeePerGas" || key === "paymasterVerificationGasLimit" || key === "paymasterPostOpGasLimit") && /^\d+$/.test(value)) {
-      return BigInt(value);
-    }
-    return value;
-  };
 };
 
 // src/config.ts
-var import_viem11 = require("viem");
+var import_viem10 = require("viem");
 function createIssuerService(config) {
   if (!config.provider) {
     throw new Error("createIssuerService: provider is required");
   }
+  if (!config.ledger) {
+    throw new Error("createIssuerService: ledger is required");
+  }
   if (!config.auth?.jwtSecret) {
     throw new Error("createIssuerService: auth.jwtSecret is required");
   }
@@ -2091,8 +1989,8 @@ function createIssuerService(config) {
       "createIssuerService: at least one of pointTokenAddress / pointTokenAddresses is required"
     );
   }
-  const tokenAddresses = rawAddresses.map((a) => (0, import_viem11.getAddress)(a));
-  const ledger = config.ledger ?? new MemoryPointLedger();
+  const tokenAddresses = rawAddresses.map((a) => (0, import_viem10.getAddress)(a));
+  const ledger = config.ledger;
   const sessionStore = config.sessionStore ?? new MemorySessionStore();
   const policy = config.policy ?? new DefaultPolicyEngine({ ledger });
   const authServiceConfig = {
@@ -2148,6 +2046,15 @@ function createIssuerService(config) {
   };
   if (feeManager) handlersConfig.feeManager = feeManager;
   if (config.poolsProvider) handlersConfig.poolsProvider = config.poolsProvider;
+  if (config.claim) {
+    handlersConfig.claim = {
+      policy,
+      relayService,
+      issuerSignerWallet: config.claim.issuerSignerWallet,
+      batchExecutorAddress: config.claim.batchExecutorAddress,
+      lockDurationMs: config.claim.lockDurationMs
+    };
+  }
   const handlers = new IssuerApiHandlers(handlersConfig);
   if (config.indexer?.autoStart) {
     for (const idx of indexers.values()) {
@@ -2179,7 +2086,6 @@ var PAFI_ISSUER_SDK_VERSION = "0.1.0";
   FeeManager,
   InMemoryCursorStore,
   IssuerApiHandlers,
-  MemoryPointLedger,
   MemorySessionStore,
   NonceManager,
   PAFI_ISSUER_SDK_VERSION,
@@ -2188,7 +2094,6 @@ var PAFI_ISSUER_SDK_VERSION = "0.1.0";
   PafiBackendClient,
   PafiBackendError,
   PointIndexer,
-  PrivateKeySigner,
   RelayError,
   RelayService,
   TopUpRedemptionError,