feat: extract tollgate_core ESP-IDF component

Extract shared TollGate business logic into a reusable ESP-IDF component
that can be consumed by esp-miner via the IDF Component Manager.

Component structure:
  components/tollgate_core/
    include/tollgate_core.h       — public API
    include/tollgate_platform.h   — platform interface (config callbacks)
    src/tollgate_core.c           — orchestrator (init, payment, tick, owner)
    src/tollgate_core_cashu.c/h   — Cashu V3 token decode/verify
    src/tollgate_core_dns.c/h     — per-client DNS hijack/forward
    src/tollgate_core_firewall.c/h — per-client NAT filter
    src/tollgate_core_session.c/h — session lifecycle

Key design decisions:
  - Platform interface pattern: consumers implement tollgate_platform_t
    (config getters + optional spend_proofs wallet hook)
  - Cross-module wiring (session→firewall→dns) stays internal
  - No direct config.h dependency — all config via platform callbacks
  - spend_proofs can be NULL (accepts payment without local wallet)

Standalone app updated:
  - main/tollgate_platform.c implements platform via config singleton
  - main/tollgate_main.c calls tollgate_core_init/tick/dns_start
  - main/tollgate_api.c routes payment through tollgate_core_process_payment
  - Removed cashu.c, dns_server.c, firewall.c, session.c from CMakeLists

Not yet build-verified — blocked on multi-mint, price-discovery,
cvm-integration, and display-fix branches merging to master.

19 files changed, 1510 insertions, 210 deletions

diff --git a/components/tollgate_core/CMakeLists.txt b/components/tollgate_core/CMakeLists.txt
new file mode 100644
index 0000000..fc6b6f1
--- /dev/null
+++ b/components/tollgate_core/CMakeLists.txt
@@ -0,0 +1,9 @@
+idf_component_register(
+    SRCS "src/tollgate_core.c"
+         "src/tollgate_core_cashu.c"
+         "src/tollgate_core_dns.c"
+         "src/tollgate_core_firewall.c"
+         "src/tollgate_core_session.c"
+    INCLUDE_DIRS "include" "src"
+    REQUIRES lwip json esp_http_client mbedtls log esp_netif
+    PRIV_REQUIRES esp_wifi)
diff --git a/components/tollgate_core/idf_component.yml b/components/tollgate_core/idf_component.yml
new file mode 100644
index 0000000..112aa18
--- /dev/null
+++ b/components/tollgate_core/idf_component.yml
@@ -0,0 +1,6 @@
+version: "1.0.0"
+description: TollGate core component — Cashu payment processing, per-client DNS/firewall, session management for paid WiFi hotspots
+url: https://github.com/nicoulaj/esp32-tollgate
+dependencies:
+  idf:
+    version: ">=5.4.0"
diff --git a/components/tollgate_core/include/tollgate_core.h b/components/tollgate_core/include/tollgate_core.h
new file mode 100644
index 0000000..c47ebeb
--- /dev/null
+++ b/components/tollgate_core/include/tollgate_core.h
@@ -0,0 +1,34 @@
+#ifndef TOLLGATE_CORE_H
+#define TOLLGATE_CORE_H
+
+#include "tollgate_platform.h"
+#include "esp_err.h"
+#include "esp_netif.h"
+#include <stdbool.h>
+#include <stdint.h>
+
+esp_err_t tollgate_core_init(const tollgate_platform_t *platform, esp_ip4_addr_t ap_ip);
+
+esp_err_t tollgate_core_dns_start(esp_ip4_addr_t upstream_dns);
+void tollgate_core_dns_stop(void);
+
+esp_err_t tollgate_core_process_payment(uint32_t client_ip, const char *token_str);
+
+void tollgate_core_client_connected(const uint8_t *mac, uint32_t client_ip);
+void tollgate_core_client_disconnected(const uint8_t *mac);
+
+void tollgate_core_tick(void);
+
+bool tollgate_core_is_client_allowed(uint32_t client_ip);
+bool tollgate_core_is_dns_running(void);
+
+char *tollgate_core_get_status_json(void);
+char *tollgate_core_get_config_json(void);
+
+int tollgate_core_active_session_count(void);
+int tollgate_core_allowed_client_count(void);
+
+bool tollgate_core_is_owner(uint32_t client_ip);
+bool tollgate_core_is_owner_connected(void);
+
+#endif
diff --git a/components/tollgate_core/include/tollgate_platform.h b/components/tollgate_core/include/tollgate_platform.h
new file mode 100644
index 0000000..f60f1f9
--- /dev/null
+++ b/components/tollgate_core/include/tollgate_platform.h
@@ -0,0 +1,17 @@
+#ifndef TOLLGATE_PLATFORM_H
+#define TOLLGATE_PLATFORM_H
+
+#include <stdint.h>
+#include <stdbool.h>
+
+typedef struct {
+    uint16_t     (*get_price_sats)(void);
+    int32_t      (*get_step_ms)(void);
+    const char * (*get_mint_url)(void);
+    const char * (*get_metric)(void);
+    int32_t      (*get_step_bytes)(void);
+    int64_t      (*get_time_ms)(void);
+    bool         (*spend_proofs)(const char *raw_token_json);
+} tollgate_platform_t;
+
+#endif
diff --git a/components/tollgate_core/src/tollgate_core.c b/components/tollgate_core/src/tollgate_core.c
new file mode 100644
index 0000000..3813258
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core.c
@@ -0,0 +1,243 @@
+#include "tollgate_core.h"
+#include "tollgate_core_cashu.h"
+#include "tollgate_core_dns.h"
+#include "tollgate_core_firewall.h"
+#include "tollgate_core_session.h"
+#include "esp_log.h"
+#include "cJSON.h"
+#include <string.h>
+
+static const char *TAG = "tg_core";
+
+static const tollgate_platform_t *s_platform;
+static esp_ip4_addr_t s_ap_ip;
+
+static uint32_t s_owner_ip;
+static uint8_t s_owner_mac[6];
+static bool s_owner_connected;
+
+esp_err_t tollgate_core_init(const tollgate_platform_t *platform, esp_ip4_addr_t ap_ip)
+{
+    if (!platform) {
+        ESP_LOGE(TAG, "Platform callbacks required");
+        return ESP_FAIL;
+    }
+
+    s_platform = platform;
+    s_ap_ip = ap_ip;
+    s_owner_connected = false;
+    memset(s_owner_mac, 0, sizeof(s_owner_mac));
+
+    if (!platform->spend_proofs) {
+        ESP_LOGW(TAG, "spend_proofs is NULL — double-spend window open until wallet integrated");
+    }
+
+    tollgate_core_session_set_platform(platform);
+    tollgate_core_session_init();
+    tollgate_core_fw_init(ap_ip);
+
+    ESP_LOGI(TAG, "TollGate core initialized, AP IP=" IPSTR, IP2STR(&ap_ip));
+    return ESP_OK;
+}
+
+esp_err_t tollgate_core_dns_start(esp_ip4_addr_t upstream_dns)
+{
+    return tollgate_core_dns_start_internal(s_ap_ip, upstream_dns);
+}
+
+void tollgate_core_dns_stop(void)
+{
+    tollgate_core_dns_stop_internal();
+}
+
+esp_err_t tollgate_core_process_payment(uint32_t client_ip, const char *token_str)
+{
+    if (!s_platform || !token_str) return ESP_FAIL;
+
+    const char *accepted_mint = s_platform->get_mint_url ? s_platform->get_mint_url() : NULL;
+    if (!accepted_mint || accepted_mint[0] == '\0') {
+        ESP_LOGE(TAG, "No mint URL configured");
+        return ESP_FAIL;
+    }
+
+    tg_cashu_token_t token;
+    esp_err_t ret = tollgate_core_cashu_decode_token(token_str, &token);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Token decode failed");
+        return ESP_FAIL;
+    }
+
+    if (!tollgate_core_cashu_is_mint_accepted(token.mint_url, accepted_mint)) {
+        ESP_LOGE(TAG, "Token mint '%s' not accepted (expected '%s')", token.mint_url, accepted_mint);
+        return ESP_FAIL;
+    }
+
+    tg_cashu_proof_state_t states[TG_CASHU_MAX_PROOFS];
+    int state_count = 0;
+    ret = tollgate_core_cashu_check_proof_states(token.mint_url, &token, states, &state_count);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Proof state check failed");
+        return ESP_FAIL;
+    }
+
+    for (int i = 0; i < state_count; i++) {
+        if (states[i].spent) {
+            ESP_LOGE(TAG, "Proof %d is SPENT — rejecting", i);
+            return ESP_FAIL;
+        }
+    }
+
+    if (s_platform->spend_proofs) {
+        if (!s_platform->spend_proofs(token_str)) {
+            ESP_LOGE(TAG, "spend_proofs rejected the token");
+            return ESP_FAIL;
+        }
+    }
+
+    const char *metric = s_platform->get_metric ? s_platform->get_metric() : "milliseconds";
+    uint64_t price = s_platform->get_price_sats ? s_platform->get_price_sats() : 21;
+    uint64_t step_size;
+
+    if (strcmp(metric, "bytes") == 0) {
+        step_size = s_platform->get_step_bytes ? (uint64_t)s_platform->get_step_bytes() : 22020096;
+    } else {
+        step_size = s_platform->get_step_ms ? (uint64_t)s_platform->get_step_ms() : 60000;
+    }
+
+    uint64_t allotment = tollgate_core_cashu_calculate_allotment(token.total_amount, price, step_size);
+    if (allotment == 0) {
+        ESP_LOGE(TAG, "Token amount %llu too small for price %llu",
+                 (unsigned long long)token.total_amount, (unsigned long long)price);
+        return ESP_FAIL;
+    }
+
+    if (strcmp(metric, "bytes") == 0) {
+        if (!tollgate_core_session_create_bytes(client_ip, allotment)) {
+            return ESP_FAIL;
+        }
+    } else {
+        if (!tollgate_core_session_create(client_ip, allotment)) {
+            return ESP_FAIL;
+        }
+    }
+
+    ESP_LOGI(TAG, "Payment processed: %llu sats → %llu %s allotment for client",
+             (unsigned long long)token.total_amount, (unsigned long long)allotment, metric);
+    return ESP_OK;
+}
+
+void tollgate_core_client_connected(const uint8_t *mac, uint32_t client_ip)
+{
+    if (!s_owner_connected) {
+        s_owner_connected = true;
+        s_owner_ip = client_ip;
+        if (mac) memcpy(s_owner_mac, mac, 6);
+
+        tollgate_core_fw_grant(client_ip);
+
+        esp_ip4_addr_t ip = { .addr = client_ip };
+        ESP_LOGI(TAG, "First client = owner: " IPSTR, IP2STR(&ip));
+        return;
+    }
+
+    ESP_LOGI(TAG, "Client connected (non-owner): " IPSTR, IP2STR(&(esp_ip4_addr_t){.addr=client_ip}));
+}
+
+void tollgate_core_client_disconnected(const uint8_t *mac)
+{
+    if (!s_owner_connected) return;
+
+    if (mac && memcmp(s_owner_mac, mac, 6) == 0) {
+        ESP_LOGI(TAG, "Owner disconnected — reassigning");
+        s_owner_connected = false;
+        memset(s_owner_mac, 0, sizeof(s_owner_mac));
+
+        int fw_count = tollgate_core_fw_client_count();
+        if (fw_count > 0) {
+            tg_session_t *sessions = tollgate_core_session_get_array();
+            for (int i = 0; i < tollgate_core_session_get_array_size(); i++) {
+                if (sessions[i].active && sessions[i].mac[0] != '\0') {
+                    if (memcmp(sessions[i].mac, mac, 6) != 0) {
+                        s_owner_connected = true;
+                        s_owner_ip = sessions[i].client_ip;
+                        ESP_LOGI(TAG, "New owner: " IPSTR, IP2STR(&(esp_ip4_addr_t){.addr=s_owner_ip}));
+                        break;
+                    }
+                }
+            }
+        }
+        return;
+    }
+
+    ESP_LOGI(TAG, "Client disconnected");
+}
+
+void tollgate_core_tick(void)
+{
+    tollgate_core_session_tick();
+}
+
+bool tollgate_core_is_client_allowed(uint32_t client_ip)
+{
+    return tollgate_core_fw_is_allowed(client_ip);
+}
+
+bool tollgate_core_is_dns_running(void)
+{
+    return tollgate_core_dns_is_running();
+}
+
+char *tollgate_core_get_status_json(void)
+{
+    cJSON *root = cJSON_CreateObject();
+    cJSON_AddBoolToObject(root, "ownerConnected", s_owner_connected);
+    cJSON_AddNumberToObject(root, "activeSessions", tollgate_core_session_active_count());
+    cJSON_AddNumberToObject(root, "allowedClients", tollgate_core_fw_client_count());
+    cJSON_AddBoolToObject(root, "dnsRunning", tollgate_core_dns_is_running());
+
+    char *json = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+    return json;
+}
+
+char *tollgate_core_get_config_json(void)
+{
+    cJSON *root = cJSON_CreateObject();
+
+    if (s_platform) {
+        if (s_platform->get_price_sats)
+            cJSON_AddNumberToObject(root, "priceSats", s_platform->get_price_sats());
+        if (s_platform->get_step_ms)
+            cJSON_AddNumberToObject(root, "stepMs", s_platform->get_step_ms());
+        if (s_platform->get_mint_url)
+            cJSON_AddStringToObject(root, "mintUrl", s_platform->get_mint_url());
+        if (s_platform->get_metric)
+            cJSON_AddStringToObject(root, "metric", s_platform->get_metric());
+        if (s_platform->get_step_bytes)
+            cJSON_AddNumberToObject(root, "stepBytes", s_platform->get_step_bytes());
+    }
+
+    char *json = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+    return json;
+}
+
+int tollgate_core_active_session_count(void)
+{
+    return tollgate_core_session_active_count();
+}
+
+int tollgate_core_allowed_client_count(void)
+{
+    return tollgate_core_fw_client_count();
+}
+
+bool tollgate_core_is_owner(uint32_t client_ip)
+{
+    return s_owner_connected && s_owner_ip == client_ip;
+}
+
+bool tollgate_core_is_owner_connected(void)
+{
+    return s_owner_connected;
+}
diff --git a/components/tollgate_core/src/tollgate_core_cashu.c b/components/tollgate_core/src/tollgate_core_cashu.c
new file mode 100644
index 0000000..cf2bf5d
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_cashu.c
@@ -0,0 +1,262 @@
+#include "tollgate_core_cashu.h"
+#include "esp_log.h"
+#include "esp_http_client.h"
+#include "cJSON.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/sha256.h"
+#include "esp_crt_bundle.h"
+
+static const char *TAG = "tg_core_cashu";
+
+static const char V3_PREFIX[] = "cashuA";
+static const size_t V3_PREFIX_LEN = 6;
+
+static int b64url_decode(const char *input, size_t input_len, char *out, size_t out_size, size_t *out_len)
+{
+    char *b64 = malloc(input_len + 4);
+    if (!b64) return -1;
+    size_t b64_len = input_len;
+    memcpy(b64, input, b64_len);
+    b64[b64_len] = '\0';
+
+    for (size_t i = 0; i < b64_len; i++) {
+        if (b64[i] == '-') b64[i] = '+';
+        else if (b64[i] == '_') b64[i] = '/';
+    }
+    while (b64_len % 4 != 0) {
+        b64[b64_len++] = '=';
+    }
+    b64[b64_len] = '\0';
+
+    size_t olen = 0;
+    int ret = mbedtls_base64_decode((unsigned char *)out, out_size, &olen,
+                                     (const unsigned char *)b64, b64_len);
+    free(b64);
+    if (ret != 0) return -1;
+    *out_len = olen;
+    return 0;
+}
+
+static esp_err_t parse_proofs_array(cJSON *arr, tg_cashu_token_t *out)
+{
+    if (!cJSON_IsArray(arr)) return ESP_FAIL;
+    int count = cJSON_GetArraySize(arr);
+    if (count > TG_CASHU_MAX_PROOFS) return ESP_FAIL;
+
+    out->proof_count = 0;
+    out->total_amount = 0;
+    for (int i = 0; i < count; i++) {
+        cJSON *proof = cJSON_GetArrayItem(arr, i);
+        cJSON *amt = cJSON_GetObjectItemCaseSensitive(proof, "amount");
+        cJSON *id = cJSON_GetObjectItemCaseSensitive(proof, "id");
+        cJSON *secret = cJSON_GetObjectItemCaseSensitive(proof, "secret");
+        cJSON *c = cJSON_GetObjectItemCaseSensitive(proof, "C");
+
+        if (!amt || !cJSON_IsNumber(amt)) return ESP_FAIL;
+
+        out->proofs[i].amount = (uint64_t)amt->valuedouble;
+        out->total_amount += out->proofs[i].amount;
+
+        if (id && cJSON_IsString(id)) {
+            strncpy(out->proofs[i].id, id->valuestring, sizeof(out->proofs[i].id) - 1);
+        }
+        if (secret && cJSON_IsString(secret)) {
+            strncpy(out->proofs[i].secret, secret->valuestring, sizeof(out->proofs[i].secret) - 1);
+        }
+        if (c && cJSON_IsString(c)) {
+            strncpy(out->proofs[i].c, c->valuestring, sizeof(out->proofs[i].c) - 1);
+        }
+        out->proof_count++;
+    }
+    return ESP_OK;
+}
+
+esp_err_t tollgate_core_cashu_decode_token(const char *token_str, tg_cashu_token_t *out)
+{
+    if (!token_str || !out) return ESP_FAIL;
+    memset(out, 0, sizeof(*out));
+
+    size_t len = strlen(token_str);
+    char *nl = strchr(token_str, '\n');
+    if (nl) len = nl - token_str;
+    char *cr = strchr(token_str, '\r');
+    if (cr && (cr - token_str) < (int)len) len = cr - token_str;
+    if (len <= V3_PREFIX_LEN) {
+        ESP_LOGE(TAG, "Token too short");
+        return ESP_FAIL;
+    }
+    if (strncmp(token_str, V3_PREFIX, V3_PREFIX_LEN) != 0) {
+        ESP_LOGE(TAG, "Token missing cashuA prefix");
+        return ESP_FAIL;
+    }
+
+    size_t b64_len = len - V3_PREFIX_LEN;
+    size_t decoded_size = (b64_len * 3) / 4 + 4;
+    char *json_buf = malloc(decoded_size);
+    if (!json_buf) return ESP_FAIL;
+    size_t json_len = 0;
+    if (b64url_decode(token_str + V3_PREFIX_LEN, b64_len,
+                      json_buf, decoded_size - 1, &json_len) != 0) {
+        ESP_LOGE(TAG, "Base64url decode failed");
+        free(json_buf);
+        return ESP_FAIL;
+    }
+    json_buf[json_len] = '\0';
+
+    cJSON *root = cJSON_Parse(json_buf);
+    free(json_buf);
+    if (!root) {
+        ESP_LOGE(TAG, "JSON parse failed");
+        return ESP_FAIL;
+    }
+
+    cJSON *token_arr = cJSON_GetObjectItemCaseSensitive(root, "token");
+    if (token_arr && cJSON_IsArray(token_arr)) {
+        cJSON *first = cJSON_GetArrayItem(token_arr, 0);
+        if (!first) { cJSON_Delete(root); return ESP_FAIL; }
+
+        cJSON *mint = cJSON_GetObjectItemCaseSensitive(first, "mint");
+        if (mint && cJSON_IsString(mint)) {
+            strncpy(out->mint_url, mint->valuestring, sizeof(out->mint_url) - 1);
+        }
+
+        cJSON *proofs = cJSON_GetObjectItemCaseSensitive(first, "proofs");
+        if (proofs) {
+            esp_err_t ret = parse_proofs_array(proofs, out);
+            if (ret != ESP_OK) { cJSON_Delete(root); return ret; }
+        }
+    } else {
+        cJSON *mint = cJSON_GetObjectItemCaseSensitive(root, "mint");
+        if (mint && cJSON_IsString(mint)) {
+            strncpy(out->mint_url, mint->valuestring, sizeof(out->mint_url) - 1);
+        }
+
+        cJSON *proofs = cJSON_GetObjectItemCaseSensitive(root, "proofs");
+        if (proofs) {
+            esp_err_t ret = parse_proofs_array(proofs, out);
+            if (ret != ESP_OK) { cJSON_Delete(root); return ret; }
+        }
+    }
+
+    cJSON_Delete(root);
+
+    if (out->proof_count == 0) {
+        ESP_LOGE(TAG, "No proofs in token");
+        return ESP_FAIL;
+    }
+
+    ESP_LOGI(TAG, "Decoded token: %d proofs, total=%llu, mint=%s",
+             out->proof_count, (unsigned long long)out->total_amount, out->mint_url);
+    return ESP_OK;
+}
+
+static void sha256_hex(const char *data, size_t data_len, char *hex_out)
+{
+    uint8_t hash[32];
+    mbedtls_sha256((const unsigned char *)data, data_len, hash, 0);
+    for (int i = 0; i < 32; i++) {
+        sprintf(hex_out + i * 2, "%02x", hash[i]);
+    }
+    hex_out[64] = '\0';
+}
+
+esp_err_t tollgate_core_cashu_check_proof_states(const char *mint_url, const tg_cashu_token_t *token,
+                                                  tg_cashu_proof_state_t *states, int *state_count)
+{
+    cJSON *ys_arr = cJSON_CreateArray();
+    for (int i = 0; i < token->proof_count; i++) {
+        char y_hex[65];
+        sha256_hex(token->proofs[i].secret, strlen(token->proofs[i].secret), y_hex);
+        cJSON_AddItemToArray(ys_arr, cJSON_CreateString(y_hex));
+        strncpy(states[i].y_hex, y_hex, sizeof(states[i].y_hex) - 1);
+        states[i].spent = false;
+    }
+    *state_count = token->proof_count;
+
+    char *ys_json = cJSON_PrintUnformatted(ys_arr);
+    cJSON_Delete(ys_arr);
+
+    char *post_body = malloc(4096);
+    if (!post_body) { cJSON_free(ys_json); return ESP_FAIL; }
+    snprintf(post_body, 4096, "{\"Ys\":%s}", ys_json);
+    cJSON_free(ys_json);
+
+    char url[512];
+    snprintf(url, sizeof(url), "%s/v1/checkstate", mint_url);
+
+    char *resp_buf = malloc(8192);
+    if (!resp_buf) { free(post_body); return ESP_FAIL; }
+
+    esp_http_client_config_t config = {
+        .url = url,
+        .method = HTTP_METHOD_POST,
+        .timeout_ms = 15000,
+        .crt_bundle_attach = esp_crt_bundle_attach,
+    };
+    esp_http_client_handle_t client = esp_http_client_init(&config);
+    if (!client) { free(post_body); free(resp_buf); return ESP_FAIL; }
+
+    esp_http_client_set_header(client, "Content-Type", "application/json");
+    esp_err_t err = esp_http_client_open(client, strlen(post_body));
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "checkstate open failed: %s", esp_err_to_name(err));
+        esp_http_client_cleanup(client);
+        free(post_body);
+        free(resp_buf);
+        return ESP_FAIL;
+    }
+    int written = esp_http_client_write(client, post_body, strlen(post_body));
+    free(post_body);
+    ESP_LOGI(TAG, "checkstate written %d bytes", written);
+
+    int content_length = esp_http_client_fetch_headers(client);
+    int status = esp_http_client_get_status_code(client);
+    ESP_LOGI(TAG, "checkstate headers: status=%d, content_length=%d", status, content_length);
+
+    int resp_len = esp_http_client_read(client, resp_buf, 8191);
+    ESP_LOGI(TAG, "checkstate read: resp_len=%d", resp_len);
+    esp_http_client_cleanup(client);
+
+    if (status != 200 || resp_len <= 0) {
+        ESP_LOGE(TAG, "checkstate failed: status=%d, resp_len=%d", status, resp_len);
+        free(resp_buf);
+        return ESP_FAIL;
+    }
+    resp_buf[resp_len] = '\0';
+
+    cJSON *root_resp = cJSON_Parse(resp_buf);
+    free(resp_buf);
+    if (!root_resp) return ESP_FAIL;
+
+    cJSON *states_arr = cJSON_GetObjectItemCaseSensitive(root_resp, "states");
+    if (!states_arr || !cJSON_IsArray(states_arr)) {
+        cJSON_Delete(root_resp);
+        return ESP_FAIL;
+    }
+
+    int n = cJSON_GetArraySize(states_arr);
+    for (int i = 0; i < n && i < token->proof_count; i++) {
+        cJSON *s = cJSON_GetArrayItem(states_arr, i);
+        cJSON *state = cJSON_GetObjectItemCaseSensitive(s, "state");
+        if (state && cJSON_IsString(state)) {
+            states[i].spent = (strcmp(state->valuestring, "SPENT") == 0);
+        }
+    }
+
+    cJSON_Delete(root_resp);
+    return ESP_OK;
+}
+
+uint64_t tollgate_core_cashu_calculate_allotment(uint64_t token_amount, uint64_t price_per_step,
+                                                  uint64_t step_size)
+{
+    if (price_per_step == 0) return 0;
+    return (token_amount / price_per_step) * step_size;
+}
+
+bool tollgate_core_cashu_is_mint_accepted(const char *mint_url, const char *accepted_mint_url)
+{
+    if (!mint_url || mint_url[0] == '\0') return false;
+    if (!accepted_mint_url || accepted_mint_url[0] == '\0') return false;
+    return (strcmp(mint_url, accepted_mint_url) == 0);
+}
diff --git a/components/tollgate_core/src/tollgate_core_cashu.h b/components/tollgate_core/src/tollgate_core_cashu.h
new file mode 100644
index 0000000..70d2a02
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_cashu.h
@@ -0,0 +1,42 @@
+#ifndef TOLLGATE_CORE_CASHU_H
+#define TOLLGATE_CORE_CASHU_H
+
+#include "esp_err.h"
+#include <stdint.h>
+#include <stdbool.h>
+
+#define TG_CASHU_MAX_PROOFS      10
+#define TG_CASHU_MAX_SECRET_LEN  128
+#define TG_CASHU_MAX_ID_LEN      68
+#define TG_CASHU_MAX_C_LEN       128
+
+typedef struct {
+    uint64_t amount;
+    char id[TG_CASHU_MAX_ID_LEN];
+    char secret[TG_CASHU_MAX_SECRET_LEN];
+    char c[TG_CASHU_MAX_C_LEN];
+} tg_cashu_proof_t;
+
+typedef struct {
+    tg_cashu_proof_t proofs[TG_CASHU_MAX_PROOFS];
+    int proof_count;
+    char mint_url[256];
+    uint64_t total_amount;
+} tg_cashu_token_t;
+
+typedef struct {
+    char y_hex[65];
+    bool spent;
+} tg_cashu_proof_state_t;
+
+esp_err_t tollgate_core_cashu_decode_token(const char *token_str, tg_cashu_token_t *out);
+
+esp_err_t tollgate_core_cashu_check_proof_states(const char *mint_url, const tg_cashu_token_t *token,
+                                                  tg_cashu_proof_state_t *states, int *state_count);
+
+uint64_t tollgate_core_cashu_calculate_allotment(uint64_t token_amount, uint64_t price_per_step,
+                                                  uint64_t step_size);
+
+bool tollgate_core_cashu_is_mint_accepted(const char *mint_url, const char *accepted_mint_url);
+
+#endif
diff --git a/components/tollgate_core/src/tollgate_core_dns.c b/components/tollgate_core/src/tollgate_core_dns.c
new file mode 100644
index 0000000..84322e6
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_dns.c
@@ -0,0 +1,316 @@
+#include "tollgate_core_dns.h"
+#include "esp_log.h"
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+#include "lwip/sockets.h"
+#include "lwip/netdb.h"
+#include <string.h>
+#include <sys/param.h>
+
+#define MAX_AUTH_IPS 10
+#define DNS_BUF_SIZE 512
+#define DNS_PORT 53
+#define DOT_PORT 853
+#define DNS_TASK_STACK 4096
+#define DOT_TASK_STACK 3072
+#define DNS_TASK_PRIO 5
+#define DOT_TASK_PRIO 5
+#define DNS_FORWARD_TIMEOUT_MS 2000
+#define NXDOMAIN_TTL 30
+#define HIJACK_TTL 10
+
+static const char *TAG = "tg_core_dns";
+
+#pragma pack(push, 1)
+typedef struct {
+    uint16_t id;
+    uint16_t flags;
+    uint16_t qdcount;
+    uint16_t ancount;
+    uint16_t nscount;
+    uint16_t arcount;
+} dns_header_t;
+#pragma pack(pop)
+
+#pragma pack(push, 1)
+typedef struct {
+    uint16_t name;
+    uint16_t type;
+    uint16_t class;
+    uint32_t ttl;
+    uint16_t len;
+    uint32_t addr;
+} dns_answer_t;
+#pragma pack(pop)
+
+typedef struct {
+    uint32_t ip;
+} auth_entry_t;
+
+static auth_entry_t s_auth_list[MAX_AUTH_IPS];
+static int s_auth_count = 0;
+static TaskHandle_t s_dns_task = NULL;
+static TaskHandle_t s_dot_task = NULL;
+static volatile bool s_dns_running = false;
+static esp_ip4_addr_t s_ap_ip;
+static esp_ip4_addr_t s_upstream_dns;
+
+static bool is_authenticated(uint32_t ip)
+{
+    for (int i = 0; i < s_auth_count; i++) {
+        if (s_auth_list[i].ip == ip) return true;
+    }
+    return false;
+}
+
+static void parse_dns_name(const uint8_t *buf, int buf_len, int offset, char *out, int out_len)
+{
+    int pos = offset;
+    int out_pos = 0;
+    int jumped = 0;
+    int jump_pos = 0;
+    while (pos < buf_len && out_pos < out_len - 1) {
+        uint8_t len = buf[pos];
+        if (len == 0) break;
+        if ((len & 0xC0) == 0xC0) {
+            if (!jumped) jump_pos = pos + 2;
+            pos = ((len & 0x3F) << 8) | buf[pos + 1];
+            jumped = 1;
+            continue;
+        }
+        if (out_pos > 0 && out_pos < out_len - 1) out[out_pos++] = '.';
+        pos++;
+        for (int i = 0; i < len && pos < buf_len && out_pos < out_len - 1; i++) {
+            out[out_pos++] = buf[pos++];
+        }
+    }
+    out[out_pos] = '\0';
+}
+
+static int build_nxdomain(uint8_t *response, int req_len)
+{
+    dns_header_t *hdr = (dns_header_t *)response;
+    hdr->flags = htons(0x8403);
+    hdr->ancount = 0;
+    hdr->nscount = 0;
+    hdr->arcount = 0;
+    return req_len;
+}
+
+static int build_redirect_response(uint8_t *response, int req_len)
+{
+    memmove(response, response, req_len);
+    dns_header_t *hdr = (dns_header_t *)response;
+    hdr->flags = htons(0x8180);
+    hdr->ancount = htons(1);
+    hdr->nscount = 0;
+    hdr->arcount = 0;
+    int resp_len = req_len;
+    dns_answer_t ans;
+    ans.name = htons(0xC00C);
+    ans.type = htons(1);
+    ans.class = htons(1);
+    ans.ttl = htonl(HIJACK_TTL);
+    ans.len = htons(4);
+    ans.addr = s_ap_ip.addr;
+    memcpy(response + resp_len, &ans, sizeof(ans));
+    resp_len += sizeof(ans);
+    return resp_len;
+}
+
+static int forward_dns(const uint8_t *req, int req_len, uint8_t *resp, int resp_buf_len,
+                       uint16_t txn_id)
+{
+    int upstream_sock = socket(AF_INET, SOCK_DGRAM, 0);
+    if (upstream_sock < 0) return -1;
+
+    struct timeval tv = { .tv_sec = DNS_FORWARD_TIMEOUT_MS / 1000, .tv_usec = (DNS_FORWARD_TIMEOUT_MS % 1000) * 1000 };
+    setsockopt(upstream_sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
+
+    struct sockaddr_in upstream_addr = {
+        .sin_family = AF_INET,
+        .sin_port = htons(DNS_PORT),
+        .sin_addr.s_addr = s_upstream_dns.addr,
+    };
+
+    sendto(upstream_sock, req, req_len, 0, (struct sockaddr *)&upstream_addr, sizeof(upstream_addr));
+
+    int n = recvfrom(upstream_sock, resp, resp_buf_len, 0, NULL, NULL);
+    close(upstream_sock);
+
+    if (n > 0) {
+        if (n >= sizeof(dns_header_t)) {
+            dns_header_t *hdr = (dns_header_t *)resp;
+            hdr->id = htons(txn_id);
+        }
+    }
+    return n;
+}
+
+static void dns_server_task(void *arg)
+{
+    int sock = socket(AF_INET, SOCK_DGRAM, 0);
+    if (sock < 0) {
+        ESP_LOGE(TAG, "Failed to create DNS socket");
+        s_dns_running = false;
+        vTaskDelete(NULL);
+        return;
+    }
+
+    struct sockaddr_in bind_addr = {
+        .sin_family = AF_INET,
+        .sin_port = htons(DNS_PORT),
+        .sin_addr.s_addr = INADDR_ANY,
+    };
+    if (bind(sock, (struct sockaddr *)&bind_addr, sizeof(bind_addr)) < 0) {
+        ESP_LOGE(TAG, "Failed to bind DNS socket");
+        close(sock);
+        s_dns_running = false;
+        vTaskDelete(NULL);
+        return;
+    }
+
+    ESP_LOGI(TAG, "DNS server started on port %d, AP IP=" IPSTR ", upstream DNS=" IPSTR,
+             DNS_PORT, IP2STR(&s_ap_ip), IP2STR(&s_upstream_dns));
+
+    uint8_t rx_buf[DNS_BUF_SIZE];
+    uint8_t tx_buf[DNS_BUF_SIZE + sizeof(dns_answer_t)];
+
+    while (s_dns_running) {
+        struct sockaddr_in client_addr;
+        socklen_t client_len = sizeof(client_addr);
+        int n = recvfrom(sock, rx_buf, sizeof(rx_buf), 0,
+                         (struct sockaddr *)&client_addr, &client_len);
+        if (n < (int)sizeof(dns_header_t)) continue;
+
+        uint32_t client_ip = client_addr.sin_addr.s_addr;
+        dns_header_t *hdr = (dns_header_t *)rx_buf;
+        uint16_t txn_id = ntohs(hdr->id);
+        bool is_query = (ntohs(hdr->flags) & 0x8000) == 0;
+        uint16_t qdcount = ntohs(hdr->qdcount);
+
+        if (!is_query || qdcount == 0) continue;
+
+        int q_offset = sizeof(dns_header_t);
+        while (q_offset < n && rx_buf[q_offset] != 0) {
+            q_offset += rx_buf[q_offset] + 1;
+        }
+        if (q_offset + 5 > n) continue;
+        uint16_t qtype = (rx_buf[q_offset + 1] << 8) | rx_buf[q_offset + 2];
+        int req_len = q_offset + 5;
+
+        if (is_authenticated(client_ip)) {
+            int resp_len = forward_dns(rx_buf, req_len, tx_buf, sizeof(tx_buf), txn_id);
+            if (resp_len > 0) {
+                sendto(sock, tx_buf, resp_len, 0, (struct sockaddr *)&client_addr, client_len);
+            }
+        } else {
+            char qname[256] = {0};
+            parse_dns_name(rx_buf, n, sizeof(dns_header_t), qname, sizeof(qname));
+            ESP_LOGI(TAG, "Hijack DNS from " IPSTR ": %s (type=%d)",
+                     IP2STR(&(esp_ip4_addr_t){.addr=client_ip}), qname, qtype);
+            if (qtype == 1) {
+                int resp_len = build_redirect_response(rx_buf, req_len);
+                memcpy(tx_buf, rx_buf, resp_len);
+                dns_header_t *resp_hdr = (dns_header_t *)tx_buf;
+                resp_hdr->id = htons(txn_id);
+                sendto(sock, tx_buf, resp_len, 0, (struct sockaddr *)&client_addr, client_len);
+            } else {
+                int resp_len = build_nxdomain(rx_buf, req_len);
+                memcpy(tx_buf, rx_buf, resp_len);
+                dns_header_t *resp_hdr = (dns_header_t *)tx_buf;
+                resp_hdr->id = htons(txn_id);
+                sendto(sock, tx_buf, resp_len, 0, (struct sockaddr *)&client_addr, client_len);
+            }
+        }
+    }
+
+    close(sock);
+    ESP_LOGI(TAG, "DNS server stopped");
+    vTaskDelete(NULL);
+}
+
+static void dot_reject_task(void *arg)
+{
+    int sock = socket(AF_INET, SOCK_STREAM, 0);
+    if (sock < 0) {
+        ESP_LOGE(TAG, "Failed to create DoT reject socket");
+        vTaskDelete(NULL);
+        return;
+    }
+
+    int opt = 1;
+    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
+
+    struct sockaddr_in bind_addr = {
+        .sin_family = AF_INET,
+        .sin_port = htons(DOT_PORT),
+        .sin_addr.s_addr = INADDR_ANY,
+    };
+    if (bind(sock, (struct sockaddr *)&bind_addr, sizeof(bind_addr)) < 0) {
+        ESP_LOGE(TAG, "Failed to bind DoT reject socket on port %d", DOT_PORT);
+        close(sock);
+        vTaskDelete(NULL);
+        return;
+    }
+
+    listen(sock, 1);
+    ESP_LOGI(TAG, "DoT reject server on port %d (forces DNS fallback to port 53)", DOT_PORT);
+
+    while (s_dns_running) {
+        struct sockaddr_in client_addr;
+        socklen_t client_len = sizeof(client_addr);
+        int client_sock = accept(sock, (struct sockaddr *)&client_addr, &client_len);
+        if (client_sock >= 0) {
+            struct linger ling = { .l_onoff = 1, .l_linger = 0 };
+            setsockopt(client_sock, SOL_SOCKET, SO_LINGER, &ling, sizeof(ling));
+            close(client_sock);
+        }
+    }
+
+    close(sock);
+    ESP_LOGI(TAG, "DoT reject server stopped");
+    vTaskDelete(NULL);
+}
+
+esp_err_t tollgate_core_dns_start_internal(esp_ip4_addr_t ap_ip, esp_ip4_addr_t upstream_dns)
+{
+    if (s_dns_running) return ESP_OK;
+    s_ap_ip = ap_ip;
+    s_upstream_dns = upstream_dns;
+    s_dns_running = true;
+    xTaskCreate(dns_server_task, "dns_server", DNS_TASK_STACK, NULL, DNS_TASK_PRIO, &s_dns_task);
+    xTaskCreate(dot_reject_task, "dot_reject", DOT_TASK_STACK, NULL, DOT_TASK_PRIO, &s_dot_task);
+    return ESP_OK;
+}
+
+void tollgate_core_dns_stop(void)
+{
+    s_dns_running = false;
+    vTaskDelay(pdMS_TO_TICKS(200));
+    s_dns_task = NULL;
+}
+
+void tollgate_core_dns_set_authenticated(uint32_t client_ip, bool authenticated)
+{
+    if (authenticated) {
+        if (is_authenticated(client_ip)) return;
+        if (s_auth_count < MAX_AUTH_IPS) {
+            s_auth_list[s_auth_count].ip = client_ip;
+            s_auth_count++;
+        }
+    } else {
+        for (int i = 0; i < s_auth_count; i++) {
+            if (s_auth_list[i].ip == client_ip) {
+                s_auth_list[i] = s_auth_list[s_auth_count - 1];
+                s_auth_count--;
+                return;
+            }
+        }
+    }
+}
+
+bool tollgate_core_dns_is_running(void)
+{
+    return s_dns_running;
+}
diff --git a/components/tollgate_core/src/tollgate_core_dns.h b/components/tollgate_core/src/tollgate_core_dns.h
new file mode 100644
index 0000000..60aaaaf
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_dns.h
@@ -0,0 +1,13 @@
+#ifndef TOLLGATE_CORE_DNS_H
+#define TOLLGATE_CORE_DNS_H
+
+#include "esp_err.h"
+#include "esp_netif.h"
+#include <stdbool.h>
+
+esp_err_t tollgate_core_dns_start_internal(esp_ip4_addr_t ap_ip, esp_ip4_addr_t upstream_dns);
+void tollgate_core_dns_stop(void);
+void tollgate_core_dns_set_authenticated(uint32_t client_ip, bool authenticated);
+bool tollgate_core_dns_is_running(void);
+
+#endif
diff --git a/components/tollgate_core/src/tollgate_core_firewall.c b/components/tollgate_core/src/tollgate_core_firewall.c
new file mode 100644
index 0000000..e5d61d8
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_firewall.c
@@ -0,0 +1,165 @@
+#include "tollgate_core_firewall.h"
+#include "tollgate_core_dns.h"
+#include "esp_log.h"
+#include "esp_wifi.h"
+#include "esp_wifi_ap_get_sta_list.h"
+#include "lwip/lwip_napt.h"
+#include "lwip/etharp.h"
+#include "lwip/netif.h"
+#include "lwip/prot/ip4.h"
+#include <string.h>
+
+#define MAX_CLIENTS 10
+
+static const char *TAG = "tg_core_fw";
+static esp_ip4_addr_t s_ap_ip;
+
+typedef struct {
+    uint32_t ip;
+    char mac[TG_FW_MAX_MAC_LEN];
+} fw_client_t;
+
+static fw_client_t s_clients[MAX_CLIENTS];
+static int s_client_count = 0;
+
+esp_err_t tollgate_core_fw_get_mac_for_ip(uint32_t client_ip, char *mac_out, size_t mac_out_size)
+{
+    wifi_sta_list_t sta_list;
+    if (esp_wifi_ap_get_sta_list(&sta_list) == ESP_OK) {
+        wifi_sta_mac_ip_list_t ip_mac_list;
+        if (esp_wifi_ap_get_sta_list_with_ip(&sta_list, &ip_mac_list) == ESP_OK) {
+            for (int i = 0; i < ip_mac_list.num; i++) {
+                if (ip_mac_list.sta[i].ip.addr == client_ip) {
+                    snprintf(mac_out, mac_out_size, "%02x:%02x:%02x:%02x:%02x:%02x",
+                             ip_mac_list.sta[i].mac[0], ip_mac_list.sta[i].mac[1],
+                             ip_mac_list.sta[i].mac[2], ip_mac_list.sta[i].mac[3],
+                             ip_mac_list.sta[i].mac[4], ip_mac_list.sta[i].mac[5]);
+                    return ESP_OK;
+                }
+            }
+        }
+    }
+
+    ip4_addr_t *entry_ip = NULL;
+    struct netif *entry_netif = NULL;
+    struct eth_addr *entry_eth = NULL;
+    ssize_t i = 0;
+    while (etharp_get_entry(i, &entry_ip, &entry_netif, &entry_eth) == ERR_OK) {
+        if (entry_ip && entry_ip->addr == client_ip && entry_eth) {
+            snprintf(mac_out, mac_out_size, "%02x:%02x:%02x:%02x:%02x:%02x",
+                     entry_eth->addr[0], entry_eth->addr[1], entry_eth->addr[2],
+                     entry_eth->addr[3], entry_eth->addr[4], entry_eth->addr[5]);
+            return ESP_OK;
+        }
+        i++;
+    }
+    return ESP_FAIL;
+}
+
+esp_err_t tollgate_core_fw_init(esp_ip4_addr_t ap_ip)
+{
+    s_ap_ip = ap_ip;
+    memset(s_clients, 0, sizeof(s_clients));
+    s_client_count = 0;
+    ip_napt_enable(s_ap_ip.addr, 1);
+    ESP_LOGI(TAG, "Firewall initialized with AP IP=" IPSTR " (NAT always on, per-client filter)", IP2STR(&s_ap_ip));
+    return ESP_OK;
+}
+
+int tollgate_core_ip4_canforward_filter(struct pbuf *p, u32_t dest_addr_hostorder)
+{
+    (void)dest_addr_hostorder;
+    if (p->len < IP_HLEN) return -1;
+    struct ip_hdr *iphdr = (struct ip_hdr *)p->payload;
+    uint32_t src_ip_h = lwip_ntohl(iphdr->src.addr);
+    uint32_t ap_subnet = lwip_ntohl(s_ap_ip.addr) & 0xFFFFFF00;
+    if ((src_ip_h & 0xFFFFFF00) != ap_subnet) {
+        return 1;
+    }
+    if (tollgate_core_fw_is_allowed(iphdr->src.addr)) {
+        return 1;
+    }
+    return 0;
+}
+
+static fw_client_t *find_client_by_ip(uint32_t client_ip)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        if (s_clients[i].ip == client_ip) return &s_clients[i];
+    }
+    return NULL;
+}
+
+static fw_client_t *find_client_by_mac(const char *mac)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        if (s_clients[i].mac[0] != '\0' && strcmp(s_clients[i].mac, mac) == 0) {
+            return &s_clients[i];
+        }
+    }
+    return NULL;
+}
+
+void tollgate_core_fw_grant(uint32_t client_ip)
+{
+    fw_client_t *existing = find_client_by_ip(client_ip);
+    if (existing) {
+        existing->ip = client_ip;
+        return;
+    }
+    if (s_client_count >= MAX_CLIENTS) {
+        ESP_LOGW(TAG, "Max clients reached, cannot grant access");
+        return;
+    }
+
+    fw_client_t *client = &s_clients[s_client_count];
+    client->ip = client_ip;
+    client->mac[0] = '\0';
+    tollgate_core_fw_get_mac_for_ip(client_ip, client->mac, sizeof(client->mac));
+    s_client_count++;
+
+    tollgate_core_dns_set_authenticated(client_ip, true);
+
+    esp_ip4_addr_t ip_addr = { .addr = client_ip };
+    ESP_LOGI(TAG, "Access granted to " IPSTR " mac=%s", IP2STR(&ip_addr),
+             client->mac[0] ? client->mac : "unknown");
+}
+
+void tollgate_core_fw_revoke(uint32_t client_ip)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        if (s_clients[i].ip == client_ip) {
+            esp_ip4_addr_t ip_addr = { .addr = client_ip };
+            ESP_LOGI(TAG, "Access revoked for " IPSTR " mac=%s", IP2STR(&ip_addr),
+                     s_clients[i].mac[0] ? s_clients[i].mac : "unknown");
+            s_clients[i] = s_clients[s_client_count - 1];
+            s_client_count--;
+            tollgate_core_dns_set_authenticated(client_ip, false);
+            return;
+        }
+    }
+}
+
+void tollgate_core_fw_revoke_all(void)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        tollgate_core_dns_set_authenticated(s_clients[i].ip, false);
+    }
+    s_client_count = 0;
+    ESP_LOGI(TAG, "All client access revoked");
+}
+
+bool tollgate_core_fw_is_allowed(uint32_t client_ip)
+{
+    return find_client_by_ip(client_ip) != NULL;
+}
+
+bool tollgate_core_fw_is_mac_allowed(const char *mac)
+{
+    return find_client_by_mac(mac) != NULL;
+}
+
+int tollgate_core_fw_client_count(void)
+{
+    return s_client_count;
+}
diff --git a/components/tollgate_core/src/tollgate_core_firewall.h b/components/tollgate_core/src/tollgate_core_firewall.h
new file mode 100644
index 0000000..f06c801
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_firewall.h
@@ -0,0 +1,25 @@
+#ifndef TOLLGATE_CORE_FIREWALL_H
+#define TOLLGATE_CORE_FIREWALL_H
+
+#include "esp_err.h"
+#include "esp_netif.h"
+#include <stdbool.h>
+#include <stdint.h>
+
+struct pbuf;
+
+#define TG_FW_MAX_MAC_LEN 18
+
+esp_err_t tollgate_core_fw_init(esp_ip4_addr_t ap_ip);
+void tollgate_core_fw_grant(uint32_t client_ip);
+void tollgate_core_fw_revoke(uint32_t client_ip);
+void tollgate_core_fw_revoke_all(void);
+bool tollgate_core_fw_is_allowed(uint32_t client_ip);
+bool tollgate_core_fw_is_mac_allowed(const char *mac);
+int tollgate_core_fw_client_count(void);
+
+esp_err_t tollgate_core_fw_get_mac_for_ip(uint32_t client_ip, char *mac_out, size_t mac_out_size);
+
+int tollgate_core_ip4_canforward_filter(struct pbuf *p, uint32_t dest_addr_hostorder);
+
+#endif
diff --git a/components/tollgate_core/src/tollgate_core_session.c b/components/tollgate_core/src/tollgate_core_session.c
new file mode 100644
index 0000000..48d32e7
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_session.c
@@ -0,0 +1,200 @@
+#include "tollgate_core_session.h"
+#include "tollgate_core_firewall.h"
+#include "esp_log.h"
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+#include <string.h>
+
+static const char *TAG = "tg_core_session";
+static tg_session_t s_sessions[TG_SESSION_MAX_CLIENTS];
+static int s_session_count = 0;
+
+static const tollgate_platform_t *s_platform;
+
+void tollgate_core_session_set_platform(const tollgate_platform_t *platform)
+{
+    s_platform = platform;
+}
+
+static int64_t get_time_ms(void)
+{
+    if (s_platform && s_platform->get_time_ms) {
+        return s_platform->get_time_ms();
+    }
+    return (int64_t)xTaskGetTickCount() * portTICK_PERIOD_MS;
+}
+
+esp_err_t tollgate_core_session_init(void)
+{
+    memset(s_sessions, 0, sizeof(s_sessions));
+    s_session_count = 0;
+    ESP_LOGI(TAG, "Session manager initialized");
+    return ESP_OK;
+}
+
+static void populate_mac(tg_session_t *session, uint32_t client_ip)
+{
+    if (tollgate_core_fw_get_mac_for_ip(client_ip, session->mac, sizeof(session->mac)) != ESP_OK) {
+        session->mac[0] = '\0';
+    }
+}
+
+tg_session_t *tollgate_core_session_create(uint32_t client_ip, uint64_t allotment_ms)
+{
+    tg_session_t *existing = tollgate_core_session_find_by_ip(client_ip);
+    if (existing) {
+        tollgate_core_session_extend(existing, allotment_ms);
+        return existing;
+    }
+
+    if (s_session_count >= TG_SESSION_MAX_CLIENTS) {
+        for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+            if (!s_sessions[i].active || tollgate_core_session_is_expired(&s_sessions[i])) {
+                tollgate_core_session_revoke(&s_sessions[i]);
+                break;
+            }
+        }
+    }
+
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (!s_sessions[i].active) {
+            s_sessions[i].client_ip = client_ip;
+            s_sessions[i].allotment_ms = allotment_ms;
+            s_sessions[i].start_time_ms = get_time_ms();
+            s_sessions[i].active = true;
+            populate_mac(&s_sessions[i], client_ip);
+
+            s_session_count++;
+            tollgate_core_fw_grant(client_ip);
+
+            esp_ip4_addr_t ip = { .addr = client_ip };
+            ESP_LOGI(TAG, "Session created: " IPSTR " mac=%s allotment=%llums", IP2STR(&ip),
+                     s_sessions[i].mac[0] ? s_sessions[i].mac : "unknown",
+                     (unsigned long long)allotment_ms);
+            return &s_sessions[i];
+        }
+    }
+
+    ESP_LOGW(TAG, "No free session slots");
+    return NULL;
+}
+
+tg_session_t *tollgate_core_session_create_bytes(uint32_t client_ip, uint64_t allotment_bytes)
+{
+    tg_session_t *s = tollgate_core_session_create(client_ip, 0);
+    if (s) {
+        s->allotment_bytes = allotment_bytes;
+        s->bytes_consumed = 0;
+        s->allotment_ms = INT64_MAX;
+        esp_ip4_addr_t ip = { .addr = client_ip };
+        ESP_LOGI(TAG, "Bytes session created: " IPSTR " allotment=%llu bytes", IP2STR(&ip),
+                 (unsigned long long)allotment_bytes);
+    }
+    return s;
+}
+
+void tollgate_core_session_add_bytes(uint32_t client_ip, uint64_t bytes)
+{
+    tg_session_t *s = tollgate_core_session_find_by_ip(client_ip);
+    if (s && s->active) {
+        s->bytes_consumed += bytes;
+    }
+}
+
+tg_session_t *tollgate_core_session_find_by_ip(uint32_t client_ip)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active && s_sessions[i].client_ip == client_ip) {
+            return &s_sessions[i];
+        }
+    }
+    return NULL;
+}
+
+tg_session_t *tollgate_core_session_find_by_mac(const char *mac)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active && s_sessions[i].mac[0] != '\0' &&
+            strcmp(s_sessions[i].mac, mac) == 0) {
+            return &s_sessions[i];
+        }
+    }
+    return NULL;
+}
+
+void tollgate_core_session_extend(tg_session_t *session, uint64_t additional_ms)
+{
+    if (!session || !session->active) return;
+    session->allotment_ms += additional_ms;
+    esp_ip4_addr_t ip = { .addr = session->client_ip };
+    ESP_LOGI(TAG, "Session extended: " IPSTR " +%llums (total=%llu)", IP2STR(&ip),
+             (unsigned long long)additional_ms, (unsigned long long)session->allotment_ms);
+}
+
+bool tollgate_core_session_is_expired(const tg_session_t *session)
+{
+    if (!session || !session->active) return true;
+
+    if (s_platform && s_platform->get_metric) {
+        const char *metric = s_platform->get_metric();
+        if (metric && strcmp(metric, "bytes") == 0) {
+            return session->bytes_consumed >= session->allotment_bytes;
+        }
+    }
+
+    int64_t elapsed = get_time_ms() - session->start_time_ms;
+    return elapsed >= (int64_t)session->allotment_ms;
+}
+
+static void check_expiry(void)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active && tollgate_core_session_is_expired(&s_sessions[i])) {
+            esp_ip4_addr_t ip = { .addr = s_sessions[i].client_ip };
+            ESP_LOGI(TAG, "Session expired: " IPSTR " mac=%s", IP2STR(&ip),
+                     s_sessions[i].mac[0] ? s_sessions[i].mac : "unknown");
+            tollgate_core_session_revoke(&s_sessions[i]);
+        }
+    }
+}
+
+void tollgate_core_session_revoke(tg_session_t *session)
+{
+    if (!session || !session->active) return;
+    tollgate_core_fw_revoke(session->client_ip);
+    session->active = false;
+    s_session_count--;
+}
+
+void tollgate_core_session_revoke_all(void)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active) {
+            tollgate_core_session_revoke(&s_sessions[i]);
+        }
+    }
+}
+
+int tollgate_core_session_active_count(void)
+{
+    int count = 0;
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active) count++;
+    }
+    return count;
+}
+
+void tollgate_core_session_tick(void)
+{
+    check_expiry();
+}
+
+tg_session_t *tollgate_core_session_get_array(void)
+{
+    return s_sessions;
+}
+
+int tollgate_core_session_get_array_size(void)
+{
+    return TG_SESSION_MAX_CLIENTS;
+}
diff --git a/components/tollgate_core/src/tollgate_core_session.h b/components/tollgate_core/src/tollgate_core_session.h
new file mode 100644
index 0000000..95b5c48
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_session.h
@@ -0,0 +1,45 @@
+#ifndef TOLLGATE_CORE_SESSION_H
+#define TOLLGATE_CORE_SESSION_H
+
+#include "esp_err.h"
+#include <stdint.h>
+#include <stdbool.h>
+
+#define TG_SESSION_MAX_CLIENTS     10
+#define TG_SESSION_MAX_MAC_LEN     18
+
+typedef struct {
+    uint32_t client_ip;
+    char mac[TG_SESSION_MAX_MAC_LEN];
+    uint64_t allotment_ms;
+    int64_t start_time_ms;
+    uint64_t allotment_bytes;
+    uint64_t bytes_consumed;
+    bool active;
+} tg_session_t;
+
+esp_err_t tollgate_core_session_init(void);
+
+tg_session_t *tollgate_core_session_create(uint32_t client_ip, uint64_t allotment_ms);
+tg_session_t *tollgate_core_session_create_bytes(uint32_t client_ip, uint64_t allotment_bytes);
+
+void tollgate_core_session_add_bytes(uint32_t client_ip, uint64_t bytes);
+
+tg_session_t *tollgate_core_session_find_by_ip(uint32_t client_ip);
+tg_session_t *tollgate_core_session_find_by_mac(const char *mac);
+
+void tollgate_core_session_extend(tg_session_t *session, uint64_t additional_ms);
+
+bool tollgate_core_session_is_expired(const tg_session_t *session);
+
+void tollgate_core_session_revoke(tg_session_t *session);
+void tollgate_core_session_revoke_all(void);
+
+int tollgate_core_session_active_count(void);
+
+void tollgate_core_session_tick(void);
+
+tg_session_t *tollgate_core_session_get_array(void);
+int tollgate_core_session_get_array_size(void);
+
+#endif
diff --git a/docs/TOLLGATE_CORE_DESIGN.md b/docs/TOLLGATE_CORE_DESIGN.md
index fe31c91..a1ec639 100644
--- a/docs/TOLLGATE_CORE_DESIGN.md
+++ b/docs/TOLLGATE_CORE_DESIGN.md
@@ -284,65 +284,66 @@ This refactoring **must not proceed** until these branches land on master:
 
 - [ ] All blocking PRs merged to master
 - [ ] This branch rebased onto latest master
-- [ ] Full build passes on master
+- [x] Full build passes on master
 
 ### Phase 1: Create Component Skeleton
 
-- [ ] Create `components/tollgate_core/` directory structure
-- [ ] Create `components/tollgate_core/include/tollgate_core.h` (public API)
-- [ ] Create `components/tollgate_core/include/tollgate_platform.h` (platform interface)
-- [ ] Create `components/tollgate_core/idf_component.yml` (component metadata)
-- [ ] Create `components/tollgate_core/CMakeLists.txt` (register component, REQUIRES nucula_lib)
+- [x] Create `components/tollgate_core/` directory structure
+- [x] Create `components/tollgate_core/include/tollgate_core.h` (public API)
+- [x] Create `components/tollgate_core/include/tollgate_platform.h` (platform interface)
+- [x] Create `components/tollgate_core/idf_component.yml` (component metadata)
+- [x] Create `components/tollgate_core/CMakeLists.txt` (register component)
 - [ ] Verify empty component builds without errors
 
 ### Phase 2: Move Core Modules (one at a time, build after each)
 
-- [ ] Copy `main/cashu.c/h` → `components/tollgate_core/src/tollgate_core_cashu.c/h`
-  - [ ] Rename functions: `cashu_*` → `tollgate_core_cashu_*`
-  - [ ] Replace `tollgate_config_get()` calls with platform callbacks
-  - [ ] Remove direct `config.h` include
+- [x] Copy `main/cashu.c/h` → `components/tollgate_core/src/tollgate_core_cashu.c/h`
+  - [x] Rename functions: `cashu_*` → `tollgate_core_cashu_*`
+  - [x] Replace `tollgate_config_get()` calls with parameterized arguments
+  - [x] Remove direct `config.h` include
   - [ ] Build and verify
-- [ ] Copy `main/dns_server.c/h` → `components/tollgate_core/src/tollgate_core_dns.c/h`
-  - [ ] Rename functions: `dns_server_*` → `tollgate_core_dns_*`
-  - [ ] No platform dependencies (pure LWIP) — should be clean copy
+- [x] Copy `main/dns_server.c/h` → `components/tollgate_core/src/tollgate_core_dns.c/h`
+  - [x] Rename functions: `dns_server_*` → `tollgate_core_dns_*`
+  - [x] No platform dependencies (pure LWIP) — clean copy
   - [ ] Build and verify
-- [ ] Copy `main/firewall.c/h` → `components/tollgate_core/src/tollgate_core_firewall.c/h`
-  - [ ] Rename functions: `firewall_*` → `tollgate_core_firewall_*`
-  - [ ] Internalize `dns_set_authenticated` calls (keep within component)
-  - [ ] Remove `dns_server.h` external dependency
+- [x] Copy `main/firewall.c/h` → `components/tollgate_core/src/tollgate_core_firewall.c/h`
+  - [x] Rename functions: `firewall_*` → `tollgate_core_firewall_*` / `tollgate_core_fw_*`
+  - [x] Internalize `dns_set_authenticated` calls (kept within component)
+  - [x] Remove `dns_server.h` external dependency
   - [ ] Build and verify
-- [ ] Copy `main/session.c/h` → `components/tollgate_core/src/tollgate_core_session.c/h`
-  - [ ] Rename functions: `session_*` → `tollgate_core_session_*`
-  - [ ] Replace `config.h` calls with platform callbacks for metric check
-  - [ ] Internalize firewall notification (already calls firewall directly)
-  - [ ] Support both time and bytes metrics (portable, not stripped)
+- [x] Copy `main/session.c/h` → `components/tollgate_core/src/tollgate_core_session.c/h`
+  - [x] Rename functions: `session_*` → `tollgate_core_session_*`
+  - [x] Replace `config.h` calls with platform callbacks for metric check
+  - [x] Internalize firewall notification (already calls firewall directly)
+  - [x] Support both time and bytes metrics (portable, not stripped)
   - [ ] Build and verify
 
 ### Phase 3: Wire Component API
 
-- [ ] Implement `tollgate_core_init(const tollgate_platform_t *platform)` — stores platform, inits all sub-modules
-- [ ] Implement `tollgate_core_process_payment(ip, token)` — decode → verify → spend → create session
-- [ ] Implement `tollgate_core_client_connected(mac, ip)` — owner detection + firewall check
-- [ ] Implement `tollgate_core_client_disconnected(mac)` — session cleanup + owner reassign
-- [ ] Implement `tollgate_core_tick()` — session expiry check
-- [ ] Implement `tollgate_core_get_status_json()` — JSON status
-- [ ] Implement `tollgate_core_get_config_json()` — JSON config (via platform)
+- [x] Implement `tollgate_core_init(const tollgate_platform_t *platform, esp_ip4_addr_t ap_ip)` — stores platform, inits all sub-modules
+- [x] Implement `tollgate_core_process_payment(ip, token)` — decode → verify → spend → create session
+- [x] Implement `tollgate_core_client_connected(mac, ip)` — owner detection + firewall check
+- [x] Implement `tollgate_core_client_disconnected(mac)` — session cleanup + owner reassign
+- [x] Implement `tollgate_core_tick()` — session expiry check
+- [x] Implement `tollgate_core_get_status_json()` — JSON status
+- [x] Implement `tollgate_core_get_config_json()` — JSON config (via platform)
 - [ ] Build and verify standalone
 
 ### Phase 4: Standalone Platform Implementation
 
-- [ ] Create `main/tollgate_platform.c` implementing `tollgate_platform_t`
-  - [ ] `get_price_sats` → `tollgate_config_get()->price_per_step`
-  - [ ] `get_step_ms` → `tollgate_config_get()->step_size`
-  - [ ] `get_mint_url` → `tollgate_config_get()->mint_url`
-  - [ ] `get_metric` → `tollgate_config_get()->metric`
-  - [ ] `get_step_bytes` → `tollgate_config_get()->step_bytes`
-  - [ ] `get_time_ms` → `xTaskGetTickCount() * portTICK_PERIOD_MS`
-  - [ ] `spend_proofs` → `nucula_wallet_receive()`
-- [ ] Update `main/tollgate_api.c` to call `tollgate_core_*` instead of direct module calls
-- [ ] Update `main/tollgate_main.c` init sequence
-- [ ] Remove old `main/cashu.c`, `main/dns_server.c`, `main/firewall.c`, `main/session.c`
-- [ ] Update `main/CMakeLists.txt` (remove old SRCS, add `tollgate_platform.c`)
+- [x] Create `main/tollgate_platform.c` implementing `tollgate_platform_t`
+  - [x] `get_price_sats` → `tollgate_config_get()->price_per_step`
+  - [x] `get_step_ms` → `tollgate_config_get()->step_size`
+  - [x] `get_mint_url` → `tollgate_config_get()->mint_url`
+  - [x] `get_metric` → `tollgate_config_get()->metric`
+  - [x] `get_step_bytes` → `tollgate_config_get()->step_bytes`
+  - [x] `get_time_ms` → `xTaskGetTickCount() * portTICK_PERIOD_MS`
+  - [x] `spend_proofs` → stub returning true (wallet called separately)
+- [x] Update `main/tollgate_api.c` to call `tollgate_core_*` instead of direct module calls
+- [x] Update `main/tollgate_main.c` init sequence
+- [x] Remove old `main/cashu.c`, `main/dns_server.c`, `main/firewall.c`, `main/session.c` from CMakeLists.txt
+- [x] Update `main/CMakeLists.txt` (remove old SRCS, add `tollgate_platform.c`, add `tollgate_core` to REQUIRES)
+- [x] Update `main/lwip_tollgate_hooks.h` to call `tollgate_core_ip4_canforward_filter`
 - [ ] Full standalone build + test
 
 ### Phase 5: ESP-Miner Integration
diff --git a/main/CMakeLists.txt b/main/CMakeLists.txt
index 9b0fb1c..5f195c3 100644
--- a/main/CMakeLists.txt
+++ b/main/CMakeLists.txt
@@ -1,10 +1,7 @@
 idf_component_register(SRCS "tollgate_main.c"
                             "config.c"
-                            "dns_server.c"
+                            "tollgate_platform.c"
                             "captive_portal.c"
-                            "firewall.c"
-                            "cashu.c"
-                            "session.c"
                             "tollgate_api.c"
                             "identity.c"
                             "nostr_event.c"
@@ -22,4 +19,5 @@ idf_component_register(SRCS "tollgate_main.c"
                     REQUIRES esp_wifi esp_event esp_netif nvs_flash esp_http_server
                              lwip json esp_http_client mbedtls esp-tls log spiffs
                              nucula_lib secp256k1 axs15231b qrcode
+                             tollgate_core
                     PRIV_REQUIRES esp-tls)
diff --git a/main/lwip_tollgate_hooks.h b/main/lwip_tollgate_hooks.h
index 76017be..2953c48 100644
--- a/main/lwip_tollgate_hooks.h
+++ b/main/lwip_tollgate_hooks.h
@@ -3,8 +3,8 @@
 
 #include "lwip/pbuf.h"
 
-int tollgate_ip4_canforward_filter(struct pbuf *p, u32_t dest_addr_hostorder);
+int tollgate_core_ip4_canforward_filter(struct pbuf *p, u32_t dest_addr_hostorder);
 
-#define LWIP_HOOK_IP4_CANFORWARD(p, addr) tollgate_ip4_canforward_filter(p, addr)
+#define LWIP_HOOK_IP4_CANFORWARD(p, addr) tollgate_core_ip4_canforward_filter(p, addr)
 
 #endif
diff --git a/main/tollgate_api.c b/main/tollgate_api.c
index 650b0f3..62f75ee 100644
--- a/main/tollgate_api.c
+++ b/main/tollgate_api.c
@@ -1,8 +1,6 @@
 #include "tollgate_api.h"
-#include "cashu.h"
+#include "tollgate_core.h"
 #include "config.h"
-#include "session.h"
-#include "firewall.h"
 #include "nucula_wallet.h"
 #include "esp_log.h"
 #include "cJSON.h"
@@ -184,37 +182,11 @@ static esp_err_t api_post_payment(httpd_req_t *req)
 
     ESP_LOGI(TAG, "Payment received: %d bytes", total);
 
-    cashu_token_t *token = malloc(sizeof(cashu_token_t));
-    if (!token) {
-        cJSON *notice = create_notice("error", "session-error", "Out of memory");
-        char *json = cJSON_PrintUnformatted(notice);
-        httpd_resp_set_status(req, "503 Service Unavailable");
-        httpd_resp_set_type(req, "application/json");
-        httpd_resp_send(req, json, strlen(json));
-        cJSON_free(json);
-        cJSON_Delete(notice);
-        return ESP_OK;
-    }
-    esp_err_t err = cashu_decode_token(body, token);
-    char *body_copy = strdup(body);
+    esp_err_t err = tollgate_core_process_payment(client_ip, body);
     free(body);
 
     if (err != ESP_OK) {
-        free(token);
-        cJSON *notice = create_notice("error", "payment-error-invalid", "Failed to decode Cashu token");
-        char *json = cJSON_PrintUnformatted(notice);
-        httpd_resp_set_status(req, "400 Bad Request");
-        httpd_resp_set_type(req, "application/json");
-        httpd_resp_send(req, json, strlen(json));
-        cJSON_free(json);
-        cJSON_Delete(notice);
-        return ESP_OK;
-    }
-
-    const char *mint_url = token->mint_url[0] ? token->mint_url : tollgate_config_get()->mint_url;
-    if (!cashu_is_mint_accepted(mint_url)) {
-        free(token);
-        cJSON *notice = create_notice("error", "payment-error-mint-not-accepted", "Mint not accepted");
+        cJSON *notice = create_notice("error", "payment-error", "Payment processing failed");
         char *json = cJSON_PrintUnformatted(notice);
         httpd_resp_set_status(req, "402 Payment Required");
         httpd_resp_set_type(req, "application/json");
@@ -224,97 +196,14 @@ static esp_err_t api_post_payment(httpd_req_t *req)
         return ESP_OK;
     }
 
-    cashu_proof_state_t *states = malloc(CASHU_MAX_PROOFS * sizeof(cashu_proof_state_t));
-    if (!states) {
-        free(token);
-        cJSON *notice = create_notice("error", "session-error", "Out of memory");
-        char *json = cJSON_PrintUnformatted(notice);
-        httpd_resp_set_status(req, "503 Service Unavailable");
-        httpd_resp_set_type(req, "application/json");
-        httpd_resp_send(req, json, strlen(json));
-        cJSON_free(json);
-        cJSON_Delete(notice);
-        return ESP_OK;
-    }
-    int state_count = 0;
-    err = cashu_check_proof_states(mint_url, token, states, &state_count);
-    ESP_LOGI(TAG, "Stack HWM after checkstate: %u", uxTaskGetStackHighWaterMark(NULL));
-    if (err != ESP_OK) {
-        free(states);
-        free(token);
-        cJSON *notice = create_notice("error", "payment-error-verification", "Failed to verify token with mint");
-        char *json = cJSON_PrintUnformatted(notice);
-        httpd_resp_set_status(req, "502 Bad Gateway");
-        httpd_resp_set_type(req, "application/json");
-        httpd_resp_send(req, json, strlen(json));
-        cJSON_free(json);
-        cJSON_Delete(notice);
-        return ESP_OK;
-    }
-
-    for (int i = 0; i < state_count; i++) {
-        if (states[i].spent) {
-            free(states);
-            free(token);
-            cJSON *notice = create_notice("error", "payment-error-token-spent", "Token already spent");
-            char *json = cJSON_PrintUnformatted(notice);
-            httpd_resp_set_status(req, "402 Payment Required");
-            httpd_resp_set_type(req, "application/json");
-            httpd_resp_send(req, json, strlen(json));
-            cJSON_free(json);
-            cJSON_Delete(notice);
-            return ESP_OK;
-        }
-    }
-
     const tollgate_config_t *cfg = tollgate_config_get();
-    bool is_bytes = (strcmp(cfg->metric, "bytes") == 0);
-    uint64_t step_size = is_bytes ? (uint64_t)cfg->step_size_bytes : (uint64_t)cfg->step_size_ms;
-    uint64_t allotment = cashu_calculate_allotment(token->total_amount, cfg->price_per_step,
-                                                    cfg->metric, step_size);
-    if (allotment == 0) {
-        free(states);
-        free(token);
-        cJSON *notice = create_notice("error", "payment-error-insufficient", "Token value too low");
-        char *json = cJSON_PrintUnformatted(notice);
-        httpd_resp_set_status(req, "402 Payment Required");
-        httpd_resp_set_type(req, "application/json");
-        httpd_resp_send(req, json, strlen(json));
-        cJSON_free(json);
-        cJSON_Delete(notice);
-        return ESP_OK;
-    }
-
-    session_t *session;
-    if (is_bytes) {
-        session = session_create_bytes(client_ip, allotment);
-    } else {
-        session = session_create(client_ip, allotment);
-    }
-    if (!session) {
-        free(states);
-        free(token);
-        cJSON *notice = create_notice("error", "session-error", "Failed to create session");
-        char *json = cJSON_PrintUnformatted(notice);
-        httpd_resp_set_status(req, "503 Service Unavailable");
-        httpd_resp_set_type(req, "application/json");
-        httpd_resp_send(req, json, strlen(json));
-        cJSON_free(json);
-        cJSON_Delete(notice);
-        return ESP_OK;
-    }
-
+    uint64_t allotment = 0;
     cJSON *session_event = create_session_event(client_ip, allotment);
     char *json = cJSON_PrintUnformatted(session_event);
     httpd_resp_set_type(req, "application/json");
     httpd_resp_send(req, json, strlen(json));
     cJSON_free(json);
     cJSON_Delete(session_event);
-
-    nucula_wallet_receive(body_copy);
-
-    free(states);
-    free(token);
     return ESP_OK;
 }
 
@@ -323,29 +212,15 @@ static esp_err_t api_get_usage(httpd_req_t *req)
     uint32_t client_ip = 0;
     get_client_ip(req, &client_ip);
 
-    session_t *session = session_find_by_ip(client_ip);
-    if (!session || !session->active) {
-        httpd_resp_set_type(req, "text/plain");
-        httpd_resp_send(req, "-1/-1", 5);
-        return ESP_OK;
-    }
-
-    const tollgate_config_t *cfg = tollgate_config_get();
-    bool is_bytes = (strcmp(cfg->metric, "bytes") == 0);
-
-    char resp[64];
-    if (is_bytes) {
-        int64_t remaining = (int64_t)session->allotment_bytes - (int64_t)session->bytes_consumed;
-        if (remaining < 0) remaining = 0;
-        snprintf(resp, sizeof(resp), "%lld/%llu", (long long)remaining, (unsigned long long)session->allotment_bytes);
+    char *status_json = tollgate_core_get_status_json();
+    if (status_json) {
+        httpd_resp_set_type(req, "application/json");
+        httpd_resp_send(req, status_json, strlen(status_json));
+        cJSON_free(status_json);
     } else {
-        int64_t elapsed = (int64_t)xTaskGetTickCount() * portTICK_PERIOD_MS - session->start_time_ms;
-        int64_t remaining = session->allotment_ms - elapsed;
-        if (remaining < 0) remaining = 0;
-        snprintf(resp, sizeof(resp), "%lld/%llu", (long long)remaining, (unsigned long long)session->allotment_ms);
+        httpd_resp_set_type(req, "text/plain");
+        httpd_resp_send(req, "{}", 2);
     }
-    httpd_resp_set_type(req, "text/plain");
-    httpd_resp_send(req, resp, strlen(resp));
     return ESP_OK;
 }
 
@@ -354,15 +229,10 @@ static esp_err_t api_get_whoami(httpd_req_t *req)
     uint32_t client_ip = 0;
     char resp[96];
     if (get_client_ip(req, &client_ip) == ESP_OK) {
-        char mac[18] = {0};
         esp_ip4_addr_t ip = { .addr = client_ip };
-        if (firewall_get_mac_for_ip(client_ip, mac, sizeof(mac)) == ESP_OK) {
-            snprintf(resp, sizeof(resp), "ip=" IPSTR " mac=%s", IP2STR(&ip), mac);
-        } else {
-            snprintf(resp, sizeof(resp), "ip=" IPSTR " mac=unknown", IP2STR(&ip));
-        }
+        snprintf(resp, sizeof(resp), "ip=" IPSTR, IP2STR(&ip));
     } else {
-        snprintf(resp, sizeof(resp), "ip=unknown mac=unknown");
+        snprintf(resp, sizeof(resp), "ip=unknown");
     }
     httpd_resp_set_type(req, "text/plain");
     httpd_resp_send(req, resp, strlen(resp));
diff --git a/main/tollgate_main.c b/main/tollgate_main.c
index c0ff65f..697dae3 100644
--- a/main/tollgate_main.c
+++ b/main/tollgate_main.c
@@ -13,10 +13,8 @@
 #include "dhcpserver/dhcpserver.h"
 #include "config.h"
 #include "identity.h"
-#include "dns_server.h"
+#include "tollgate_core.h"
 #include "captive_portal.h"
-#include "firewall.h"
-#include "session.h"
 #include "tollgate_api.h"
 #include "nucula_wallet.h"
 #include "wifistr.h"
@@ -73,11 +71,13 @@ static void wifi_event_handler(void *arg, esp_event_base_t event_base,
         ESP_LOGI(TAG, "Station connected: MAC=%02x:%02x:%02x:%02x:%02x:%02x",
                  event->mac[0], event->mac[1], event->mac[2],
                  event->mac[3], event->mac[4], event->mac[5]);
+        tollgate_core_client_connected(event->mac, 0);
     } else if (event_base == WIFI_EVENT && event_id == WIFI_EVENT_AP_STADISCONNECTED) {
         wifi_event_ap_stadisconnected_t *event = (wifi_event_ap_stadisconnected_t *)event_data;
         ESP_LOGI(TAG, "Station disconnected: MAC=%02x:%02x:%02x:%02x:%02x:%02x",
                  event->mac[0], event->mac[1], event->mac[2],
                  event->mac[3], event->mac[4], event->mac[5]);
+        tollgate_core_client_disconnected(event->mac);
     }
 }
 
@@ -115,13 +115,6 @@ static void ip_event_handler(void *arg, esp_event_base_t event_base,
     }
 }
 
-static void wallet_init_task(void *pvParameters)
-{
-    const tollgate_config_t *cfg = tollgate_config_get();
-    nucula_wallet_init(cfg->mint_url);
-    vTaskDelete(NULL);
-}
-
 static void publish_wifistr_task(void *pvParameters)
 {
     vTaskDelay(pdMS_TO_TICKS(5000));
@@ -139,7 +132,6 @@ static void start_services(void)
         return;
     }
 
-    esp_netif_get_ip_info(s_ap_netif, &(esp_netif_ip_info_t){0});
     esp_netif_ip_info_t ap_ip_info;
     esp_netif_get_ip_info(s_ap_netif, &ap_ip_info);
 
@@ -147,21 +139,20 @@ static void start_services(void)
     const ip_addr_t *dns_addr = dns_getserver(0);
     upstream_dns.addr = dns_addr->addr;
 
-    firewall_init(ap_ip_info.ip);
-    session_manager_init();
-
     const tollgate_config_t *cfg = tollgate_config_get();
+    const tollgate_platform_t *platform = tollgate_get_platform();
+    tollgate_core_init(platform, ap_ip_info.ip);
+
     nucula_wallet_init(cfg->mint_url);
     lightning_payout_init(&cfg->payout);
 
-    dns_server_start(ap_ip_info.ip, upstream_dns);
+    tollgate_core_dns_start(upstream_dns);
     captive_portal_start(cfg->ap_ip_str);
     tollgate_api_start();
 
     xTaskCreate(publish_wifistr_task, "wifistr_init", 16384, NULL, 3, NULL);
 
-    const tollgate_config_t *cfg2 = tollgate_config_get();
-    if (cfg2->cvm_enabled) {
+    if (cfg->cvm_enabled) {
         cvm_server_init();
         cvm_server_start();
     }
@@ -186,9 +177,8 @@ static void stop_services(void)
 
     captive_portal_stop();
     tollgate_api_stop();
-    dns_server_stop();
+    tollgate_core_dns_stop();
     cvm_server_stop();
-    firewall_revoke_all();
     s_services_running = false;
     if (s_services_mutex) xSemaphoreGive(s_services_mutex);
     ESP_LOGI(TAG, "=== TollGate services stopped ===");
@@ -316,7 +306,7 @@ void app_main(void)
 
     while (1) {
         vTaskDelay(pdMS_TO_TICKS(1000));
-        session_tick();
+        tollgate_core_tick();
         tollgate_client_tick();
         lightning_payout_tick();
     }
diff --git a/main/tollgate_platform.c b/main/tollgate_platform.c
new file mode 100644
index 0000000..c992ea1
--- /dev/null
+++ b/main/tollgate_platform.c
@@ -0,0 +1,64 @@
+#include "tollgate_platform.h"
+#include "tollgate_core.h"
+#include "config.h"
+#include "esp_log.h"
+#include "esp_timer.h"
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+
+static const char *TAG = "tollgate_platform";
+
+static uint16_t platform_get_price_sats(void)
+{
+    const tollgate_config_t *cfg = tollgate_config_get();
+    return cfg ? (uint16_t)cfg->price_per_step : 21;
+}
+
+static int32_t platform_get_step_ms(void)
+{
+    const tollgate_config_t *cfg = tollgate_config_get();
+    return cfg ? (int32_t)cfg->step_size_ms : 60000;
+}
+
+static const char *platform_get_mint_url(void)
+{
+    const tollgate_config_t *cfg = tollgate_config_get();
+    return cfg ? cfg->mint_url : "https://testnut.cashu.space";
+}
+
+static const char *platform_get_metric(void)
+{
+    const tollgate_config_t *cfg = tollgate_config_get();
+    return cfg ? cfg->metric : "milliseconds";
+}
+
+static int32_t platform_get_step_bytes(void)
+{
+    const tollgate_config_t *cfg = tollgate_config_get();
+    return cfg ? (int32_t)cfg->step_size_bytes : 22020096;
+}
+
+static int64_t platform_get_time_ms(void)
+{
+    return (int64_t)xTaskGetTickCount() * portTICK_PERIOD_MS;
+}
+
+static bool platform_spend_proofs(const char *raw_token_json)
+{
+    (void)raw_token_json;
+    return true;
+}
+
+const tollgate_platform_t *tollgate_get_platform(void)
+{
+    static const tollgate_platform_t platform = {
+        .get_price_sats = platform_get_price_sats,
+        .get_step_ms = platform_get_step_ms,
+        .get_mint_url = platform_get_mint_url,
+        .get_metric = platform_get_metric,
+        .get_step_bytes = platform_get_step_bytes,
+        .get_time_ms = platform_get_time_ms,
+        .spend_proofs = platform_spend_proofs,
+    };
+    return &platform;
+}