moltspay 1.4.1 → 1.6.0

package/dist/index.mjs

@@ -236,6 +236,9 @@ var CDPFacilitator = class extends BaseFacilitator {
   }
 };
 
+// src/facilitators/tempo.ts
+import { ethers } from "ethers";
+
 // src/chains/index.ts
 var CHAINS = {
   // ============ Mainnet ============
@@ -431,15 +434,38 @@ var ERC20_ABI = [
 
 // src/facilitators/tempo.ts
 var TRANSFER_EVENT_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";
+var TIP20_PERMIT_ABI = [
+  "function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s)",
+  "function transferFrom(address from, address to, uint256 value) returns (bool)"
+];
 var TempoFacilitator = class extends BaseFacilitator {
   name = "tempo";
   displayName = "Tempo Testnet";
   supportedNetworks = ["eip155:42431"];
   // Tempo Moderato
   rpcUrl;
+  settlerWallet = null;
   constructor() {
     super();
     this.rpcUrl = CHAINS.tempo_moderato.rpc;
+    const settlerKey = process.env.TEMPO_SETTLER_KEY;
+    if (settlerKey) {
+      try {
+        const provider = new ethers.JsonRpcProvider(this.rpcUrl);
+        this.settlerWallet = new ethers.Wallet(settlerKey, provider);
+      } catch (err) {
+        console.warn("[TempoFacilitator] Invalid TEMPO_SETTLER_KEY, permit settlement disabled:", err);
+        this.settlerWallet = null;
+      }
+    }
+  }
+  /**
+   * Settler EOA address advertised to clients via `X-Payment-Required.extra.tempoSpender`.
+   * Web Client uses this as the `spender` field in the signed EIP-2612 Permit.
+   * Returns null if no TEMPO_SETTLER_KEY is configured — permit settlement unavailable.
+   */
+  getSpenderAddress() {
+    return this.settlerWallet?.address ?? null;
   }
   async healthCheck() {
     const start = Date.now();
@@ -465,6 +491,44 @@ var TempoFacilitator = class extends BaseFacilitator {
     }
   }
   async verify(paymentPayload, requirements) {
+    const inner = paymentPayload.payload;
+    if (inner && "permit" in inner && inner.permit) {
+      return this.verifyPermit(inner, requirements);
+    }
+    return this.verifyTxHash(paymentPayload, requirements);
+  }
+  /**
+   * Structural validation of an EIP-2612 permit payload. Does NOT submit
+   * anything on-chain — actual submission happens in settlePermit().
+   */
+  async verifyPermit(payload, requirements) {
+    if (!this.settlerWallet) {
+      return { valid: false, error: "Permit settlement not configured (TEMPO_SETTLER_KEY missing)" };
+    }
+    const p = payload.permit;
+    if (!p || !p.owner || !p.spender || !p.value || !p.deadline) {
+      return { valid: false, error: "Invalid permit payload: missing fields" };
+    }
+    if (p.spender.toLowerCase() !== this.settlerWallet.address.toLowerCase()) {
+      return {
+        valid: false,
+        error: `Permit spender ${p.spender} does not match configured settler ${this.settlerWallet.address}`
+      };
+    }
+    const deadline = BigInt(p.deadline);
+    const now = BigInt(Math.floor(Date.now() / 1e3));
+    if (deadline <= now) {
+      return { valid: false, error: "Permit deadline has expired" };
+    }
+    if (BigInt(p.value) < BigInt(requirements.amount || "0")) {
+      return {
+        valid: false,
+        error: `Permit value ${p.value} is less than required ${requirements.amount}`
+      };
+    }
+    return { valid: true, details: { scheme: "permit", owner: p.owner } };
+  }
+  async verifyTxHash(paymentPayload, requirements) {
     try {
       const tempoPayload = paymentPayload.payload;
       if (!tempoPayload?.txHash) {
@@ -522,7 +586,11 @@ var TempoFacilitator = class extends BaseFacilitator {
     }
   }
   async settle(paymentPayload, requirements) {
-    const verifyResult = await this.verify(paymentPayload, requirements);
+    const inner = paymentPayload.payload;
+    if (inner && "permit" in inner && inner.permit) {
+      return this.settlePermit(inner, requirements);
+    }
+    const verifyResult = await this.verifyTxHash(paymentPayload, requirements);
     if (!verifyResult.valid) {
       return { success: false, error: verifyResult.error };
     }
@@ -533,6 +601,52 @@ var TempoFacilitator = class extends BaseFacilitator {
       status: "settled"
     };
   }
+  /**
+   * EIP-2612 permit settlement path. Submits two transactions on Tempo:
+   *   1. pathUSD.permit(owner, spender=settler, value, deadline, v, r, s)
+   *   2. pathUSD.transferFrom(owner, payTo, value)
+   *
+   * The settler EOA pays Tempo gas (via the TIP-20 `feeToken` mechanism — no
+   * native tTEMPO required; any held TIP-20 token balance covers fees).
+   */
+  async settlePermit(payload, requirements) {
+    if (!this.settlerWallet) {
+      return { success: false, error: "Permit settlement not configured (TEMPO_SETTLER_KEY missing)" };
+    }
+    if (!requirements.asset || !requirements.payTo) {
+      return { success: false, error: "Missing asset or payTo in requirements" };
+    }
+    const verifyResult = await this.verifyPermit(payload, requirements);
+    if (!verifyResult.valid) {
+      return { success: false, error: verifyResult.error };
+    }
+    const token = new ethers.Contract(requirements.asset, TIP20_PERMIT_ABI, this.settlerWallet);
+    const p = payload.permit;
+    try {
+      const permitTx = await token.permit(
+        p.owner,
+        p.spender,
+        p.value,
+        p.deadline,
+        p.v,
+        p.r,
+        p.s
+      );
+      await permitTx.wait();
+      const transferTx = await token.transferFrom(p.owner, requirements.payTo, p.value);
+      await transferTx.wait();
+      return {
+        success: true,
+        transaction: transferTx.hash,
+        status: "settled"
+      };
+    } catch (err) {
+      return {
+        success: false,
+        error: `Tempo permit settlement failed: ${err.message}`
+      };
+    }
+  }
   async getTransactionReceipt(txHash) {
     const response = await fetch(this.rpcUrl, {
       method: "POST",
@@ -775,12 +889,12 @@ var BNBFacilitator = class extends BaseFacilitator {
     return this.spenderAddress;
   }
   async getServerAddress() {
-    const { ethers: ethers5 } = await import("ethers");
-    const wallet = new ethers5.Wallet(this.serverPrivateKey);
+    const { ethers: ethers7 } = await import("ethers");
+    const wallet = new ethers7.Wallet(this.serverPrivateKey);
     return wallet.address;
   }
   async recoverIntentSigner(intent, chainId) {
-    const { ethers: ethers5 } = await import("ethers");
+    const { ethers: ethers7 } = await import("ethers");
     const domain = {
       ...EIP712_DOMAIN,
       chainId
@@ -794,7 +908,7 @@ var BNBFacilitator = class extends BaseFacilitator {
       nonce: intent.nonce,
       deadline: intent.deadline
     };
-    const recoveredAddress = ethers5.verifyTypedData(
+    const recoveredAddress = ethers7.verifyTypedData(
       domain,
       INTENT_TYPES,
       message,
@@ -838,10 +952,10 @@ var BNBFacilitator = class extends BaseFacilitator {
     return result.result || "0x0";
   }
   async executeTransferFrom(from, to, amount, token, rpcUrl) {
-    const { ethers: ethers5 } = await import("ethers");
-    const provider = new ethers5.JsonRpcProvider(rpcUrl);
-    const wallet = new ethers5.Wallet(this.serverPrivateKey, provider);
-    const tokenContract = new ethers5.Contract(token, [
+    const { ethers: ethers7 } = await import("ethers");
+    const provider = new ethers7.JsonRpcProvider(rpcUrl);
+    const wallet = new ethers7.Wallet(this.serverPrivateKey, provider);
+    const tokenContract = new ethers7.Contract(token, [
       "function transferFrom(address from, address to, uint256 amount) returns (bool)"
     ], wallet);
     const tx = await tokenContract.transferFrom(from, to, amount);
@@ -1077,16 +1191,16 @@ var SolanaFacilitator = class extends BaseFacilitator {
     return this.supportedNetworks.includes(network);
   }
 };
-async function createSolanaPaymentTransaction(senderPubkey, recipientPubkey, amount, chain, feePayerPubkey) {
+async function createSolanaPaymentTransaction(senderPubkey, recipientPubkey, amount, chain, feePayerPubkey, connection) {
   const chainConfig = SOLANA_CHAINS[chain];
-  const connection = new Connection2(chainConfig.rpc, "confirmed");
+  const conn = connection ?? new Connection2(chainConfig.rpc, "confirmed");
   const mint = new PublicKey2(chainConfig.tokens.USDC.mint);
   const actualFeePayer = feePayerPubkey || senderPubkey;
   const senderATA = await getAssociatedTokenAddress(mint, senderPubkey);
   const recipientATA = await getAssociatedTokenAddress(mint, recipientPubkey);
   const transaction = new Transaction();
   try {
-    await getAccount(connection, recipientATA);
+    await getAccount(conn, recipientATA);
   } catch {
     transaction.add(
       createAssociatedTokenAccountInstruction(
@@ -1117,7 +1231,7 @@ async function createSolanaPaymentTransaction(senderPubkey, recipientPubkey, amo
       // decimals
     )
   );
-  const { blockhash, lastValidBlockHeight } = await connection.getLatestBlockhash();
+  const { blockhash, lastValidBlockHeight } = await conn.getLatestBlockhash();
   transaction.recentBlockhash = blockhash;
   transaction.feePayer = actualFeePayer;
   return transaction;
@@ -1453,9 +1567,13 @@ var TOKEN_DOMAINS = {
     USDT: { name: "(PoS) Tether USD", version: "2" }
   },
   // Tempo Moderato testnet - TIP-20 stablecoins
+  // Domain names verified against on-chain DOMAIN_SEPARATOR values on 2026-04-21.
+  // See docs/TEMPO-WEB-SUPPORT.md Section 2 and test/server/tempo-domain.test.ts.
+  // All 4 Tempo TIP-20 tokens (pathUSD / AlphaUSD / BetaUSD / ThetaUSD) use
+  // the token symbol with first letter capitalized + version "1".
   "eip155:42431": {
-    USDC: { name: "pathUSD", version: "1" },
-    USDT: { name: "alphaUSD", version: "1" }
+    USDC: { name: "PathUSD", version: "1" },
+    USDT: { name: "AlphaUSD", version: "1" }
   },
   // BNB Smart Chain mainnet
   "eip155:56": {
@@ -1624,13 +1742,62 @@ var MoltsPayServer = class {
     });
   }
   /**
-   * Handle incoming request
+   * Apply CORS response headers according to the `cors` option.
+   *
+   * Default (`cors` unset or `true`): `Access-Control-Allow-Origin: *`. Matches 1.5.x behavior
+   * and works for every browser client whose origin does not need to send cookies.
+   *
+   * `cors: false`: emit no CORS headers. Same-origin only.
+   * `cors: string[]`: origin allowlist — echo the origin back iff it matches.
+   * `cors: CorsOptions`: full control (allowlist + credentials + maxAge).
+   *
+   * The required-for-Web response headers are always exposed when CORS is active:
+   * `X-Payment-Required, X-Payment-Response, WWW-Authenticate, Payment-Receipt`.
    */
-  async handleRequest(req, res) {
-    res.setHeader("Access-Control-Allow-Origin", "*");
+  applyCorsHeaders(req, res) {
+    const cors = this.options.cors;
+    if (cors === false) {
+      return;
+    }
+    const requestOrigin = req.headers.origin ?? "*";
+    if (cors === void 0 || cors === true) {
+      this.writeCorsHeaders(res, "*");
+      return;
+    }
+    if (Array.isArray(cors)) {
+      if (cors.includes(requestOrigin)) {
+        this.writeCorsHeaders(res, requestOrigin);
+        res.setHeader("Vary", "Origin");
+      }
+      return;
+    }
+    const opt = cors;
+    const isAllowed = typeof opt.origins === "function" ? opt.origins(requestOrigin) : opt.origins.includes(requestOrigin);
+    if (!isAllowed) {
+      return;
+    }
+    this.writeCorsHeaders(res, requestOrigin);
+    res.setHeader("Vary", "Origin");
+    if (opt.credentials) {
+      res.setHeader("Access-Control-Allow-Credentials", "true");
+    }
+    const maxAge = opt.maxAge ?? 600;
+    res.setHeader("Access-Control-Max-Age", String(maxAge));
+  }
+  writeCorsHeaders(res, origin) {
+    res.setHeader("Access-Control-Allow-Origin", origin);
     res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
     res.setHeader("Access-Control-Allow-Headers", "Content-Type, X-Payment, Authorization");
-    res.setHeader("Access-Control-Expose-Headers", "X-Payment-Required, X-Payment-Response, WWW-Authenticate, Payment-Receipt");
+    res.setHeader(
+      "Access-Control-Expose-Headers",
+      "X-Payment-Required, X-Payment-Response, WWW-Authenticate, Payment-Receipt"
+    );
+  }
+  /**
+   * Handle incoming request
+   */
+  async handleRequest(req, res) {
+    this.applyCorsHeaders(req, res);
     if (req.method === "OPTIONS") {
       res.writeHead(204);
       res.end();
@@ -1853,6 +2020,14 @@ var MoltsPayServer = class {
         console.log(`[MoltsPay] Payment settled by ${settlement.facilitator}: ${settlement.transaction || "pending"}`);
       } catch (err) {
         console.error("[MoltsPay] Settlement failed:", err.message);
+        settlement = { success: false, error: err.message, facilitator: "none" };
+      }
+      if (!settlement?.success) {
+        return this.sendJson(res, 402, {
+          error: "Payment settlement failed",
+          message: settlement?.error || "Settlement returned no success state",
+          facilitator: settlement?.facilitator
+        });
       }
     }
     const responseHeaders = {};
@@ -2107,7 +2282,7 @@ var MoltsPayServer = class {
     }
     const scheme = payment.accepted?.scheme || payment.scheme;
     const network = payment.accepted?.network || payment.network || this.networkId;
-    if (scheme !== "exact") {
+    if (scheme !== "exact" && scheme !== "permit") {
       return { valid: false, error: `Unsupported scheme: ${scheme}` };
     }
     if (!this.isNetworkAccepted(network)) {
@@ -2129,8 +2304,10 @@ var MoltsPayServer = class {
     const tokenAddresses = TOKEN_ADDRESSES[selectedNetwork] || {};
     const tokenAddress = tokenAddresses[selectedToken];
     const tokenDomain = getTokenDomain(selectedNetwork, selectedToken);
+    const isTempo = selectedNetwork === "eip155:42431";
+    const scheme = isTempo ? "permit" : "exact";
     const requirements = {
-      scheme: "exact",
+      scheme,
       network: selectedNetwork,
       asset: tokenAddress,
       amount: amountInUnits,
@@ -2158,6 +2335,16 @@ var MoltsPayServer = class {
         };
       }
     }
+    if (isTempo) {
+      const tempoFacilitator = this.registry.get("tempo");
+      const tempoSpender = tempoFacilitator?.getSpenderAddress?.();
+      if (tempoSpender) {
+        requirements.extra = {
+          ...requirements.extra || {},
+          tempoSpender
+        };
+      }
+    }
     return requirements;
   }
   /**
@@ -2292,7 +2479,7 @@ var MoltsPayServer = class {
     }
     const scheme = payment.accepted?.scheme || payment.scheme;
     const network = payment.accepted?.network || payment.network;
-    if (scheme !== "exact") {
+    if (scheme !== "exact" && scheme !== "permit") {
       return this.sendJson(res, 402, { error: `Unsupported scheme: ${scheme}` });
     }
     const expectedNetwork = chain ? CHAIN_TO_NETWORK[chain] || this.networkId : this.networkId;
@@ -2612,11 +2799,11 @@ var MoltsPayServer = class {
   }
 };
 
-// src/client/index.ts
+// src/client/node/index.ts
 import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2, statSync, chmodSync } from "fs";
 import { homedir as homedir2 } from "os";
 import { join as join4 } from "path";
-import { Wallet, ethers } from "ethers";
+import { Wallet as Wallet2, ethers as ethers3 } from "ethers";
 
 // src/wallet/solana.ts
 import { Keypair as Keypair3, PublicKey as PublicKey3, LAMPORTS_PER_SOL } from "@solana/web3.js";
@@ -2645,11 +2832,172 @@ function loadSolanaWallet(configDir = DEFAULT_CONFIG_DIR) {
   }
 }
 
-// src/client/index.ts
+// src/client/node/index.ts
 import { PublicKey as PublicKey4 } from "@solana/web3.js";
+
+// src/client/core/types.ts
 var X402_VERSION3 = 2;
 var PAYMENT_REQUIRED_HEADER2 = "x-payment-required";
 var PAYMENT_HEADER2 = "x-payment";
+
+// src/client/core/chain-map.ts
+var NETWORK_TO_CHAIN = {
+  "eip155:8453": "base",
+  "eip155:137": "polygon",
+  "eip155:84532": "base_sepolia",
+  "eip155:42431": "tempo_moderato",
+  "eip155:56": "bnb",
+  "eip155:97": "bnb_testnet",
+  "solana:mainnet": "solana",
+  "solana:devnet": "solana_devnet"
+};
+var CHAIN_TO_NETWORK2 = Object.fromEntries(
+  Object.entries(NETWORK_TO_CHAIN).map(([network, chain]) => [chain, network])
+);
+function networkToChainName(network) {
+  return NETWORK_TO_CHAIN[network] ?? null;
+}
+
+// src/client/core/base64.ts
+var BufferCtor = globalThis.Buffer;
+
+// src/client/core/eip3009.ts
+var EIP3009_TYPES = {
+  TransferWithAuthorization: [
+    { name: "from", type: "address" },
+    { name: "to", type: "address" },
+    { name: "value", type: "uint256" },
+    { name: "validAfter", type: "uint256" },
+    { name: "validBefore", type: "uint256" },
+    { name: "nonce", type: "bytes32" }
+  ]
+};
+function buildEIP3009TypedData(args) {
+  const validAfter = args.validAfter ?? "0";
+  const validBefore = args.validBefore ?? (Math.floor(Date.now() / 1e3) + 3600).toString();
+  const authorization = {
+    from: args.from,
+    to: args.to,
+    value: args.value,
+    validAfter,
+    validBefore,
+    nonce: args.nonce
+  };
+  return {
+    domain: {
+      name: args.tokenName,
+      version: args.tokenVersion,
+      chainId: args.chainId,
+      verifyingContract: args.tokenAddress
+    },
+    types: EIP3009_TYPES,
+    primaryType: "TransferWithAuthorization",
+    message: authorization
+  };
+}
+
+// src/client/core/bnb-intent.ts
+var BNB_INTENT_TYPES = {
+  PaymentIntent: [
+    { name: "from", type: "address" },
+    { name: "to", type: "address" },
+    { name: "amount", type: "uint256" },
+    { name: "token", type: "address" },
+    { name: "service", type: "string" },
+    { name: "nonce", type: "uint256" },
+    { name: "deadline", type: "uint256" }
+  ]
+};
+var BNB_DOMAIN_NAME = "MoltsPay";
+var BNB_DOMAIN_VERSION = "1";
+function buildBnbIntentTypedData(args) {
+  const intent = {
+    from: args.from,
+    to: args.to,
+    amount: args.amount,
+    token: args.tokenAddress,
+    service: args.service,
+    nonce: args.nonce,
+    deadline: args.deadline
+  };
+  return {
+    domain: {
+      name: BNB_DOMAIN_NAME,
+      version: BNB_DOMAIN_VERSION,
+      chainId: args.chainId
+    },
+    types: BNB_INTENT_TYPES,
+    primaryType: "PaymentIntent",
+    message: intent
+  };
+}
+
+// src/client/node/signer.ts
+import { ethers as ethers2 } from "ethers";
+import { Transaction as Transaction2 } from "@solana/web3.js";
+var NodeSigner = class {
+  evmWallet;
+  getSolanaKeypair;
+  constructor(evmWallet, options = {}) {
+    this.evmWallet = evmWallet;
+    this.getSolanaKeypair = options.getSolanaKeypair ?? (() => null);
+  }
+  async getEvmAddress() {
+    return this.evmWallet.address;
+  }
+  async getSolanaAddress() {
+    const kp = this.getSolanaKeypair();
+    return kp ? kp.publicKey.toBase58() : null;
+  }
+  async signTypedData(envelope) {
+    const mutableTypes = {};
+    for (const [key, fields] of Object.entries(envelope.types)) {
+      mutableTypes[key] = [...fields];
+    }
+    return this.evmWallet.signTypedData(
+      envelope.domain,
+      mutableTypes,
+      envelope.message
+    );
+  }
+  async sendEvmTransaction(args) {
+    const chain = findChainByChainId(args.chainId);
+    if (!chain) {
+      throw new Error(`sendEvmTransaction: unknown chainId ${args.chainId}`);
+    }
+    const provider = new ethers2.JsonRpcProvider(chain.rpc);
+    const connected = this.evmWallet.connect(provider);
+    const tx = await connected.sendTransaction({
+      to: args.to,
+      data: args.data,
+      value: args.value ? BigInt(args.value) : 0n
+    });
+    return tx.hash;
+  }
+  async signSolanaTransaction(args) {
+    const kp = this.getSolanaKeypair();
+    if (!kp) {
+      throw new Error("signSolanaTransaction: no Solana wallet configured");
+    }
+    const tx = Transaction2.from(Buffer.from(args.transactionBase64, "base64"));
+    if (args.partialSign) {
+      tx.partialSign(kp);
+    } else {
+      tx.sign(kp);
+    }
+    return tx.serialize({ requireAllSignatures: false }).toString("base64");
+  }
+};
+function findChainByChainId(chainId) {
+  for (const cfg of Object.values(CHAINS)) {
+    if (cfg.chainId === chainId) {
+      return cfg;
+    }
+  }
+  return void 0;
+}
+
+// src/client/node/index.ts
 var DEFAULT_CONFIG = {
   chain: "base",
   limits: {
@@ -2662,6 +3010,7 @@ var MoltsPayClient = class {
   config;
   walletData = null;
   wallet = null;
+  signer = null;
   todaySpending = 0;
   lastSpendingReset = 0;
   constructor(options = {}) {
@@ -2670,7 +3019,11 @@ var MoltsPayClient = class {
     this.walletData = this.loadWallet();
     this.loadSpending();
     if (this.walletData) {
-      this.wallet = new Wallet(this.walletData.privateKey);
+      this.wallet = new Wallet2(this.walletData.privateKey);
+      const configDir = this.configDir;
+      this.signer = new NodeSigner(this.wallet, {
+        getSolanaKeypair: () => loadSolanaWallet(configDir)
+      });
     }
   }
   /**
@@ -2798,20 +3151,6 @@ var MoltsPayClient = class {
     } catch {
       throw new Error("Invalid x-payment-required header");
     }
-    const networkToChainName = (network2) => {
-      if (network2 === "solana:mainnet") return "solana";
-      if (network2 === "solana:devnet") return "solana_devnet";
-      const match = network2.match(/^eip155:(\d+)$/);
-      if (!match) return null;
-      const chainId = parseInt(match[1]);
-      if (chainId === 8453) return "base";
-      if (chainId === 137) return "polygon";
-      if (chainId === 84532) return "base_sepolia";
-      if (chainId === 42431) return "tempo_moderato";
-      if (chainId === 56) return "bnb";
-      if (chainId === 97) return "bnb_testnet";
-      return null;
-    };
     const serverChains = requirements.map((r) => networkToChainName(r.network)).filter((c) => c !== null);
     const userSpecifiedChain = options.chain;
     let selectedChain;
@@ -3040,14 +3379,14 @@ Please specify: --chain <chain_name>`
   async handleBNBPayment(executeUrl, service, params, paymentDetails, options = {}) {
     const { to, amount, token, chainName, chain, spender } = paymentDetails;
     const tokenConfig = chain.tokens[token];
-    const provider = new ethers.JsonRpcProvider(chain.rpc);
+    const provider = new ethers3.JsonRpcProvider(chain.rpc);
     const allowance = await this.checkAllowance(tokenConfig.address, spender, provider);
     const amountWeiCheck = BigInt(Math.floor(amount * 10 ** tokenConfig.decimals));
     if (allowance < amountWeiCheck) {
       const nativeBalance = await provider.getBalance(this.wallet.address);
-      const minGasBalance = ethers.parseEther("0.0005");
+      const minGasBalance = ethers3.parseEther("0.0005");
       if (nativeBalance < minGasBalance) {
-        const nativeBNB = parseFloat(ethers.formatEther(nativeBalance)).toFixed(4);
+        const nativeBNB = parseFloat(ethers3.formatEther(nativeBalance)).toFixed(4);
         const isTestnet = chainName === "bnb_testnet";
         if (isTestnet) {
           throw new Error(
@@ -3081,35 +3420,21 @@ Run: npx moltspay approve --chain ${chainName} --spender ${spender}`
       );
     }
     const amountWei = BigInt(Math.floor(amount * 10 ** tokenConfig.decimals)).toString();
-    const intent = {
+    const intentNonce = Date.now();
+    const intentDeadline = Date.now() + 36e5;
+    const envelope = buildBnbIntentTypedData({
       from: this.wallet.address,
       to,
       amount: amountWei,
-      token: tokenConfig.address,
+      tokenAddress: tokenConfig.address,
       service,
-      nonce: Date.now(),
-      // Use timestamp as nonce for simplicity
-      deadline: Date.now() + 36e5
-      // 1 hour
-    };
-    const domain = {
-      name: "MoltsPay",
-      version: "1",
+      nonce: intentNonce,
+      deadline: intentDeadline,
       chainId: chain.chainId
-    };
-    const types = {
-      PaymentIntent: [
-        { name: "from", type: "address" },
-        { name: "to", type: "address" },
-        { name: "amount", type: "uint256" },
-        { name: "token", type: "address" },
-        { name: "service", type: "string" },
-        { name: "nonce", type: "uint256" },
-        { name: "deadline", type: "uint256" }
-      ]
-    };
+    });
     console.log(`[MoltsPay] Signing BNB payment intent...`);
-    const signature = await this.wallet.signTypedData(domain, types, intent);
+    const signature = await this.signer.signTypedData(envelope);
+    const intent = envelope.message;
     const network = `eip155:${chain.chainId}`;
     const payload = {
       x402Version: 2,
@@ -3183,12 +3508,11 @@ Run: npx moltspay approve --chain ${chainName} --spender ${spender}`
       feePayerPubkey
       // Optional fee payer for gasless mode
     );
-    if (feePayerPubkey) {
-      transaction.partialSign(solanaWallet);
-    } else {
-      transaction.sign(solanaWallet);
-    }
-    const signedTx = transaction.serialize({ requireAllSignatures: false }).toString("base64");
+    const unsignedBase64 = transaction.serialize({ requireAllSignatures: false, verifySignatures: false }).toString("base64");
+    const signedTx = await this.signer.signSolanaTransaction({
+      transactionBase64: unsignedBase64,
+      partialSign: !!feePayerPubkey
+    });
     console.log(`[MoltsPay] Transaction signed, sending to server...`);
     const network = chain === "solana" ? "solana:mainnet" : "solana:devnet";
     const payload = {
@@ -3235,7 +3559,7 @@ Run: npx moltspay approve --chain ${chainName} --spender ${spender}`
    * Check ERC20 allowance for a spender
    */
   async checkAllowance(tokenAddress, spender, provider) {
-    const contract = new ethers.Contract(
+    const contract = new ethers3.Contract(
       tokenAddress,
       ["function allowance(address owner, address spender) view returns (uint256)"],
       provider
@@ -3246,41 +3570,29 @@ Run: npx moltspay approve --chain ${chainName} --spender ${spender}`
    * Sign EIP-3009 transferWithAuthorization (GASLESS)
    * This only signs - no on-chain transaction, no gas needed.
    * Supports both USDC and USDT.
+   *
+   * Delegates typed-data construction to `core/eip3009.ts` and the signature
+   * itself to `this.signer`. That way Web Client (Phase 4) can reuse the same
+   * flow with an EIP-1193 signer without duplicating typed-data layout.
    */
   async signEIP3009(to, amount, chain, token = "USDC", domainOverride) {
-    const validAfter = 0;
-    const validBefore = Math.floor(Date.now() / 1e3) + 3600;
-    const nonce = ethers.hexlify(ethers.randomBytes(32));
     const tokenConfig = chain.tokens[token];
     const value = BigInt(Math.floor(amount * 10 ** tokenConfig.decimals)).toString();
-    const authorization = {
+    const nonce = ethers3.hexlify(ethers3.randomBytes(32));
+    const tokenName = domainOverride?.name || tokenConfig.eip712Name || (token === "USDC" ? "USD Coin" : "Tether USD");
+    const tokenVersion = domainOverride?.version || "2";
+    const envelope = buildEIP3009TypedData({
       from: this.wallet.address,
       to,
       value,
-      validAfter: validAfter.toString(),
-      validBefore: validBefore.toString(),
-      nonce
-    };
-    const tokenName = domainOverride?.name || tokenConfig.eip712Name || (token === "USDC" ? "USD Coin" : "Tether USD");
-    const tokenVersion = domainOverride?.version || "2";
-    const domain = {
-      name: tokenName,
-      version: tokenVersion,
+      nonce,
       chainId: chain.chainId,
-      verifyingContract: tokenConfig.address
-    };
-    const types = {
-      TransferWithAuthorization: [
-        { name: "from", type: "address" },
-        { name: "to", type: "address" },
-        { name: "value", type: "uint256" },
-        { name: "validAfter", type: "uint256" },
-        { name: "validBefore", type: "uint256" },
-        { name: "nonce", type: "bytes32" }
-      ]
-    };
-    const signature = await this.wallet.signTypedData(domain, types, authorization);
-    return { authorization, signature };
+      tokenAddress: tokenConfig.address,
+      tokenName,
+      tokenVersion
+    });
+    const signature = await this.signer.signTypedData(envelope);
+    return { authorization: envelope.message, signature };
   }
   /**
    * Check spending limits
@@ -3362,15 +3674,17 @@ Run: npx moltspay approve --chain ${chainName} --spender ${spender}`
   loadWallet() {
     const walletPath = join4(this.configDir, "wallet.json");
     if (existsSync4(walletPath)) {
-      try {
-        const stats = statSync(walletPath);
-        const mode = stats.mode & 511;
-        if (mode !== 384) {
-          console.warn(`[MoltsPay] WARNING: wallet.json has insecure permissions (${mode.toString(8)})`);
-          console.warn(`[MoltsPay] Fixing permissions to 0600...`);
-          chmodSync(walletPath, 384);
+      if (process.platform !== "win32") {
+        try {
+          const stats = statSync(walletPath);
+          const mode = stats.mode & 511;
+          if (mode !== 384) {
+            console.warn(`[MoltsPay] WARNING: wallet.json has insecure permissions (${mode.toString(8)})`);
+            console.warn(`[MoltsPay] Fixing permissions to 0600...`);
+            chmodSync(walletPath, 384);
+          }
+        } catch {
         }
-      } catch (err) {
       }
       const content = readFileSync4(walletPath, "utf-8");
       return JSON.parse(content);
@@ -3382,7 +3696,7 @@ Run: npx moltspay approve --chain ${chainName} --spender ${spender}`
    */
   static init(configDir, options) {
     mkdirSync2(configDir, { recursive: true });
-    const wallet = Wallet.createRandom();
+    const wallet = Wallet2.createRandom();
     const walletData = {
       address: wallet.address,
       privateKey: wallet.privateKey,
@@ -3414,17 +3728,17 @@ Run: npx moltspay approve --chain ${chainName} --spender ${spender}`
     } catch {
       throw new Error(`Unknown chain: ${this.config.chain}`);
     }
-    const provider = new ethers.JsonRpcProvider(chain.rpc);
+    const provider = new ethers3.JsonRpcProvider(chain.rpc);
     const tokenAbi = ["function balanceOf(address) view returns (uint256)"];
     const [nativeBalance, usdcBalance, usdtBalance] = await Promise.all([
       provider.getBalance(this.wallet.address),
-      new ethers.Contract(chain.tokens.USDC.address, tokenAbi, provider).balanceOf(this.wallet.address),
-      new ethers.Contract(chain.tokens.USDT.address, tokenAbi, provider).balanceOf(this.wallet.address)
+      new ethers3.Contract(chain.tokens.USDC.address, tokenAbi, provider).balanceOf(this.wallet.address),
+      new ethers3.Contract(chain.tokens.USDT.address, tokenAbi, provider).balanceOf(this.wallet.address)
     ]);
     return {
-      usdc: parseFloat(ethers.formatUnits(usdcBalance, chain.tokens.USDC.decimals)),
-      usdt: parseFloat(ethers.formatUnits(usdtBalance, chain.tokens.USDT.decimals)),
-      native: parseFloat(ethers.formatEther(nativeBalance))
+      usdc: parseFloat(ethers3.formatUnits(usdcBalance, chain.tokens.USDC.decimals)),
+      usdt: parseFloat(ethers3.formatUnits(usdtBalance, chain.tokens.USDT.decimals)),
+      native: parseFloat(ethers3.formatEther(nativeBalance))
     };
   }
   /**
@@ -3447,38 +3761,38 @@ Run: npx moltspay approve --chain ${chainName} --spender ${spender}`
       supportedChains.map(async (chainName) => {
         try {
           const chain = getChain(chainName);
-          const provider = new ethers.JsonRpcProvider(chain.rpc);
+          const provider = new ethers3.JsonRpcProvider(chain.rpc);
           if (chainName === "tempo_moderato") {
             const [nativeBalance, pathUSD, alphaUSD, betaUSD, thetaUSD] = await Promise.all([
               provider.getBalance(this.wallet.address),
-              new ethers.Contract(tempoTokens.pathUSD, tokenAbi, provider).balanceOf(this.wallet.address),
-              new ethers.Contract(tempoTokens.alphaUSD, tokenAbi, provider).balanceOf(this.wallet.address),
-              new ethers.Contract(tempoTokens.betaUSD, tokenAbi, provider).balanceOf(this.wallet.address),
-              new ethers.Contract(tempoTokens.thetaUSD, tokenAbi, provider).balanceOf(this.wallet.address)
+              new ethers3.Contract(tempoTokens.pathUSD, tokenAbi, provider).balanceOf(this.wallet.address),
+              new ethers3.Contract(tempoTokens.alphaUSD, tokenAbi, provider).balanceOf(this.wallet.address),
+              new ethers3.Contract(tempoTokens.betaUSD, tokenAbi, provider).balanceOf(this.wallet.address),
+              new ethers3.Contract(tempoTokens.thetaUSD, tokenAbi, provider).balanceOf(this.wallet.address)
             ]);
             results[chainName] = {
-              usdc: parseFloat(ethers.formatUnits(pathUSD, 6)),
+              usdc: parseFloat(ethers3.formatUnits(pathUSD, 6)),
               // pathUSD as default USDC
-              usdt: parseFloat(ethers.formatUnits(alphaUSD, 6)),
+              usdt: parseFloat(ethers3.formatUnits(alphaUSD, 6)),
               // alphaUSD as default USDT
-              native: parseFloat(ethers.formatEther(nativeBalance)),
+              native: parseFloat(ethers3.formatEther(nativeBalance)),
               tempo: {
-                pathUSD: parseFloat(ethers.formatUnits(pathUSD, 6)),
-                alphaUSD: parseFloat(ethers.formatUnits(alphaUSD, 6)),
-                betaUSD: parseFloat(ethers.formatUnits(betaUSD, 6)),
-                thetaUSD: parseFloat(ethers.formatUnits(thetaUSD, 6))
+                pathUSD: parseFloat(ethers3.formatUnits(pathUSD, 6)),
+                alphaUSD: parseFloat(ethers3.formatUnits(alphaUSD, 6)),
+                betaUSD: parseFloat(ethers3.formatUnits(betaUSD, 6)),
+                thetaUSD: parseFloat(ethers3.formatUnits(thetaUSD, 6))
               }
             };
           } else {
             const [nativeBalance, usdcBalance, usdtBalance] = await Promise.all([
               provider.getBalance(this.wallet.address),
-              new ethers.Contract(chain.tokens.USDC.address, tokenAbi, provider).balanceOf(this.wallet.address),
-              new ethers.Contract(chain.tokens.USDT.address, tokenAbi, provider).balanceOf(this.wallet.address)
+              new ethers3.Contract(chain.tokens.USDC.address, tokenAbi, provider).balanceOf(this.wallet.address),
+              new ethers3.Contract(chain.tokens.USDT.address, tokenAbi, provider).balanceOf(this.wallet.address)
             ]);
             results[chainName] = {
-              usdc: parseFloat(ethers.formatUnits(usdcBalance, chain.tokens.USDC.decimals)),
-              usdt: parseFloat(ethers.formatUnits(usdtBalance, chain.tokens.USDT.decimals)),
-              native: parseFloat(ethers.formatEther(nativeBalance))
+              usdc: parseFloat(ethers3.formatUnits(usdcBalance, chain.tokens.USDC.decimals)),
+              usdt: parseFloat(ethers3.formatUnits(usdtBalance, chain.tokens.USDT.decimals)),
+              native: parseFloat(ethers3.formatEther(nativeBalance))
             };
           }
         } catch (err) {
@@ -3606,10 +3920,10 @@ Run: npx moltspay approve --chain ${chainName} --spender ${spender}`
 };
 
 // src/wallet/Wallet.ts
-import { ethers as ethers2 } from "ethers";
+import { ethers as ethers4 } from "ethers";
 
 // src/wallet/createWallet.ts
-import { ethers as ethers3 } from "ethers";
+import { ethers as ethers5 } from "ethers";
 import { writeFileSync as writeFileSync3, readFileSync as readFileSync5, existsSync as existsSync5, mkdirSync as mkdirSync3 } from "fs";
 import { join as join5, dirname } from "path";
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
@@ -3654,7 +3968,7 @@ function createWallet(options = {}) {
     }
   }
   try {
-    const wallet = ethers3.Wallet.createRandom();
+    const wallet = ethers5.Wallet.createRandom();
     const walletData = {
       address: wallet.address,
       label: options.label,
@@ -3726,8 +4040,8 @@ function walletExists(storagePath) {
 }
 
 // src/verify/index.ts
-import { ethers as ethers4 } from "ethers";
-var TRANSFER_EVENT_TOPIC3 = ethers4.id("Transfer(address,address,uint256)");
+import { ethers as ethers6 } from "ethers";
+var TRANSFER_EVENT_TOPIC3 = ethers6.id("Transfer(address,address,uint256)");
 async function verifyPayment(params) {
   const { txHash, expectedAmount, expectedTo, expectedToken } = params;
   let chain;
@@ -3744,7 +4058,7 @@ async function verifyPayment(params) {
     return { verified: false, error: `Unsupported chain: ${params.chain}` };
   }
   try {
-    const provider = new ethers4.JsonRpcProvider(chain.rpc);
+    const provider = new ethers6.JsonRpcProvider(chain.rpc);
     const receipt = await provider.getTransactionReceipt(txHash);
     if (!receipt) {
       return { verified: false, error: "Transaction not found or not confirmed" };
@@ -3816,7 +4130,7 @@ async function getTransactionStatus(txHash, chain = "base") {
     return { status: "not_found" };
   }
   try {
-    const provider = new ethers4.JsonRpcProvider(chainConfig.rpc);
+    const provider = new ethers6.JsonRpcProvider(chainConfig.rpc);
     const receipt = await provider.getTransactionReceipt(txHash);
     if (!receipt) {
       const tx = await provider.getTransaction(txHash);
@@ -3853,7 +4167,7 @@ async function waitForTransaction(txHash, chain = "base", confirmations = 1, tim
   } catch (e) {
     return { verified: false, confirmed: false, error: `Unsupported chain: ${chain}` };
   }
-  const provider = new ethers4.JsonRpcProvider(chainConfig.rpc);
+  const provider = new ethers6.JsonRpcProvider(chainConfig.rpc);
   try {
     const receipt = await provider.waitForTransaction(txHash, confirmations, timeoutMs);
     if (!receipt) {
@@ -3993,9 +4307,9 @@ var CDPWallet = class {
    * Get USDC balance
    */
   async getBalance() {
-    const { ethers: ethers5 } = await import("ethers");
-    const provider = new ethers5.JsonRpcProvider(this.chainConfig.rpc);
-    const usdcContract = new ethers5.Contract(
+    const { ethers: ethers7 } = await import("ethers");
+    const provider = new ethers7.JsonRpcProvider(this.chainConfig.rpc);
+    const usdcContract = new ethers7.Contract(
       this.chainConfig.usdc,
       ["function balanceOf(address) view returns (uint256)"],
       provider
@@ -4006,7 +4320,7 @@ var CDPWallet = class {
     ]);
     return {
       usdc: (Number(usdcBalance) / 1e6).toFixed(2),
-      eth: ethers5.formatEther(ethBalance)
+      eth: ethers7.formatEther(ethBalance)
     };
   }
   /**
@@ -4024,7 +4338,7 @@ var CDPWallet = class {
     }
     try {
       const { CdpClient } = await import("@coinbase/cdp-sdk");
-      const { ethers: ethers5 } = await import("ethers");
+      const { ethers: ethers7 } = await import("ethers");
       const cdp = new CdpClient({
         apiKeyId: creds.apiKeyId,
         apiKeySecret: creds.apiKeySecret,
@@ -4032,7 +4346,7 @@ var CDPWallet = class {
       });
       const account = await cdp.evm.getAccount({ address: this.address });
       const amountWei = BigInt(Math.floor(params.amount * 1e6));
-      const iface = new ethers5.Interface([
+      const iface = new ethers7.Interface([
         "function transfer(address to, uint256 amount) returns (bool)"
       ]);
       const callData = iface.encodeFunctionData("transfer", [params.to, amountWei]);