feat: add tollgate_core component + market config wiring

- Add tollgate_core ESP-IDF component (skeleton: cashu, dns, firewall, session)
- Add tollgate_platform.c with SPIFFS config backend
- Wire market_enabled, market_scan_interval_s, client_auto_switch in config.c
- Add lwip_tollgate_hooks.h (updated from feature branch)
- Add E2E fix plan, tollgate_core design doc, WPA autodetect plan
- Add integration test network helpers
- Add CONSOLIDATION.md plan

Reverts the broken merge (be4788b) that gutted config.c/tollgate_main.c/tollgate_api.c
and replaces it with a clean addition on top of intact master.

22 files changed, 2401 insertions, 3 deletions

diff --git a/CONSOLIDATION.md b/CONSOLIDATION.md
new file mode 100644
index 0000000..5180987
--- /dev/null
+++ b/CONSOLIDATION.md
@@ -0,0 +1,158 @@
+# Consolidation Plan
+
+Merge all feature branches into master, establish tollgate_core as the single source of truth,
+and clean up worktrees/stashes/stale branches.
+
+## End State
+
+```
+esp32-tollgate (master only)
+  main/ = thin shell calling tollgate_core API
+  components/tollgate_core/ = THE reusable core (cashu, dns, firewall, session, mining, stratum)
+
+esp-miner-nerdqaxeplus (develop)
+  references tollgate_core via IDF Component Manager (override_path for local dev)
+
+esp-miner (master)
+  references tollgate_core via IDF Component Manager (after its feature/tollgate-component-integration)
+```
+
+---
+
+## Phase 1: Preserve Uncommitted Work
+
+- [ ] **1.1** Apply stash@{1} to master (AP-only services, market config wiring, sta_connecting guard)
+- [ ] **1.2** Commit: "feat: AP-only services startup + market config wiring (from stash)"
+- [ ] **1.3** Drop stashes 0, 2, 3 (compiled binaries only, no source)
+- [ ] **1.4** Verify master builds: `idf.py build`
+- [ ] **1.5** Verify unit tests pass: `make test-unit`
+- [ ] **1.6** Commit + push
+
+## Phase 2: Merge feature/display-fix (touch + WiFi setup UI)
+
+- [ ] **2.1** Verify feature/display-fix has no uncommitted source changes (only binaries — confirmed)
+- [ ] **2.2** Squash-merge feature/display-fix into master
+- [ ] **2.3** Resolve any conflicts (display.c/font.c may conflict with master versions)
+- [ ] **2.4** Verify build: `idf.py build`
+- [ ] **2.5** Verify unit tests: `make test-unit` (should pick up test_touch, test_keyboard, test_wifi_setup)
+- [ ] **2.6** Commit + push
+
+## Phase 3: Merge feature/miner-integration (full tollgate_core)
+
+This is the critical merge. Master has the OLD tollgate_core skeleton (9 files, 7 callbacks).
+feature/miner-integration has the FULL version (13 files, 22 callbacks, extern C, mining + stratum).
+We need to take the miner-integration version of tollgate_core entirely.
+
+- [ ] **3.1** Verify feature/miner-integration has no uncommitted source changes (only binaries — confirmed)
+- [ ] **3.2** Checkout feature/miner-integration version of tollgate_core into master:
+  - Replace `components/tollgate_core/` entirely with the miner-integration version
+  - This adds: tollgate_core_mining.c/h, tollgate_core_stratum_proxy.c/h
+  - This updates: tollgate_core.h (extern C + 5 new mining API functions)
+  - This updates: tollgate_platform.h (extern C + 14 new platform callbacks for mining/stratum)
+  - This updates: tollgate_core_firewall.c (conditional NAPT)
+  - This updates: CMakeLists.txt (mining + stratum source files)
+- [ ] **3.3** Commit: "feat: upgrade tollgate_core to full version with mining + stratum + extern C"
+- [ ] **3.4** Merge remaining docs from feature/miner-integration (REMOTES.md, MINER_INTEGRATION_PLAN.md)
+- [ ] **3.5** Verify build: `idf.py build`
+- [ ] **3.6** Verify unit tests: `make test-unit`
+- [ ] **3.7** Commit + push
+
+## Phase 4: Restructure — Option B (main/ calls tollgate_core API)
+
+Move module logic from main/ into components/tollgate_core/, making main/ a thin shell.
+
+- [ ] **4.1** Identify modules in main/ that have tollgate_core equivalents:
+  - cashu.c/h → tollgate_core_cashu.c/h
+  - dns_server.c/h → tollgate_core_dns.c/h
+  - firewall.c/h → tollgate_core_firewall.c/h
+  - session.c/h → tollgate_core_session.c/h
+  - mining_payment.c/h → tollgate_core_mining.c/h
+  - stratum_proxy.c/h → tollgate_core_stratum_proxy.c/h
+- [ ] **4.2** For each module: replace main/*.c implementation with calls to tollgate_core API
+  - Keep the main/*.c files as thin wrappers that delegate to tollgate_core
+  - OR remove them entirely if tollgate_core API is called directly from tollgate_main.c
+- [ ] **4.3** Update main/CMakeLists.txt — remove replaced source files from SRCS
+- [ ] **4.4** Verify build: `idf.py build`
+- [ ] **4.5** Verify unit tests: `make test-unit`
+- [ ] **4.6** Run integration tests if hardware available: `make test-integration`
+- [ ] **4.7** Commit: "refactor: main/ delegates to tollgate_core component"
+- [ ] **4.8** Push
+
+## Phase 5: Wire up NerdQAxePlus via Component Manager
+
+- [ ] **5.1** Create main/idf_component.yml in NerdQAxePlus:
+  ```yaml
+  dependencies:
+    tollgate_core:
+      override_path: /home/c03rad0r/esp32-tollgate/components/tollgate_core
+  ```
+- [ ] **5.2** Remove symlink: rm esp-miner-nerdqaxeplus/components/tollgate_core
+- [ ] **5.3** Update main/CMakeLists.txt — remove hardcoded include path, use component dependency
+- [ ] **5.4** Verify build: `BOARD=NERDAXE TOLLGATE=1 idf.py build`
+- [ ] **5.5** Commit + push
+
+## Phase 6: Delete Branches & Worktrees
+
+- [ ] **6.1** Delete feature/tollgate-core-component branch (merged in commit be4788b)
+- [ ] **6.2** Delete backup/multi-mint-support-pre-rebase branch (fully in master)
+- [ ] **6.3** Delete feature/display-fix branch (merged in Phase 2)
+- [ ] **6.4** Delete feature/miner-integration branch (merged in Phase 3)
+- [ ] **6.5** Remove worktree: esp32-miner-integration/
+- [ ] **6.6** Remove worktree: esp32-tollgate-arch/
+- [ ] **6.7** Remove worktree: esp32-tollgate-display/
+- [ ] **6.8** Clean up test binaries from git tracking: `git rm --cached tests/unit/test_*` (keep in .gitignore)
+- [ ] **6.9** Refresh backup bundles
+- [ ] **6.10** Push everything
+
+## Phase 7: Update esp-miner (optional, after consolidation)
+
+- [ ] **7.1** Switch esp-miner from flat-file modules to tollgate_core via Component Manager
+- [ ] **7.2** Create main/idf_component.yml with git dependency on esp32-tollgate
+- [ ] **7.3** Delete flat-file TollGate modules from main/ (tollgate_cashu/dns/firewall/session.c/h)
+- [ ] **7.4** Create main/tollgate_platform.c implementing tollgate_platform_t with NVS backend
+- [ ] **7.5** Verify build
+- [ ] **7.6** Commit + push
+
+---
+
+## Current State Summary
+
+### Repos
+
+| Repo | Path | Branch | HEAD | Status |
+|------|------|--------|------|--------|
+| esp32-tollgate | /home/c03rad0r/esp32-tollgate | master | 897a8d9 | Canonical source |
+| esp-miner-nerdqaxeplus | /home/c03rad0r/esp-miner-nerdqaxeplus | develop | 588c9f67 | Consumer |
+| esp-miner | /home/c03rad0r/esp-miner | master | a8dc494 | Consumer (Phase 1 done) |
+
+### Branches (esp32-tollgate)
+
+| Branch | Worktree | Merged? | Unique Content | Action |
+|--------|----------|---------|----------------|--------|
+| master | esp32-tollgate | — | Current production code | Keep |
+| feature/display-fix | esp32-tollgate-display | NO | touch.c/h, keyboard.c/h, wifi_setup.c/h, 4 unit tests, E2E test, WiFi QR, error state | Merge (Phase 2) |
+| feature/miner-integration | esp32-miner-integration | PARTIAL | Full tollgate_core (mining+stratum+extern C+22 callbacks), docs | Merge (Phase 3) |
+| feature/tollgate-core-component | esp32-tollgate-arch | YES (be4788b) | None — superseded by miner-integration | Delete (Phase 6) |
+| backup/multi-mint-support-pre-rebase | (none) | YES | None | Delete (Phase 6) |
+
+### Stashes (esp32-tollgate)
+
+| Stash | Content | Action |
+|-------|---------|--------|
+| stash@{0} | Recompiled test binaries (no source changes) | Drop |
+| stash@{1} | AP-only services, market config wiring, sta_connecting guard | Apply (Phase 1) |
+| stash@{2} | Recompiled test binaries (no source changes) | Drop |
+| stash@{3} | Recompiled test binaries (no source changes) | Drop |
+
+### Tollgate Core Divergence
+
+| File | Master (old skeleton) | Miner-integration (full) |
+|------|----------------------|--------------------------|
+| tollgate_core.h | 34 lines, no extern C, no mining API | 48 lines, extern C, 5 mining functions |
+| tollgate_platform.h | 17 lines, 7 callbacks | 37 lines, extern C, 22 callbacks |
+| CMakeLists.txt | 9 source files (no mining/stratum) | 11 source files (mining+stratum) |
+| tollgate_core_firewall.c | unconditional NAPT | conditional CONFIG_LWIP_IPV4_NAPT |
+| tollgate_core_mining.c | MISSING | Present (168 lines) |
+| tollgate_core_mining.h | MISSING | Present (35 lines) |
+| tollgate_core_stratum_proxy.c | MISSING | Present (160 lines) |
+| tollgate_core_stratum_proxy.h | MISSING | Present (39 lines) |
diff --git a/components/tollgate_core/CMakeLists.txt b/components/tollgate_core/CMakeLists.txt
new file mode 100644
index 0000000..fc6b6f1
--- /dev/null
+++ b/components/tollgate_core/CMakeLists.txt
@@ -0,0 +1,9 @@
+idf_component_register(
+    SRCS "src/tollgate_core.c"
+         "src/tollgate_core_cashu.c"
+         "src/tollgate_core_dns.c"
+         "src/tollgate_core_firewall.c"
+         "src/tollgate_core_session.c"
+    INCLUDE_DIRS "include" "src"
+    REQUIRES lwip json esp_http_client mbedtls log esp_netif
+    PRIV_REQUIRES esp_wifi)
diff --git a/components/tollgate_core/idf_component.yml b/components/tollgate_core/idf_component.yml
new file mode 100644
index 0000000..112aa18
--- /dev/null
+++ b/components/tollgate_core/idf_component.yml
@@ -0,0 +1,6 @@
+version: "1.0.0"
+description: TollGate core component — Cashu payment processing, per-client DNS/firewall, session management for paid WiFi hotspots
+url: https://github.com/nicoulaj/esp32-tollgate
+dependencies:
+  idf:
+    version: ">=5.4.0"
diff --git a/components/tollgate_core/include/tollgate_core.h b/components/tollgate_core/include/tollgate_core.h
new file mode 100644
index 0000000..c47ebeb
--- /dev/null
+++ b/components/tollgate_core/include/tollgate_core.h
@@ -0,0 +1,34 @@
+#ifndef TOLLGATE_CORE_H
+#define TOLLGATE_CORE_H
+
+#include "tollgate_platform.h"
+#include "esp_err.h"
+#include "esp_netif.h"
+#include <stdbool.h>
+#include <stdint.h>
+
+esp_err_t tollgate_core_init(const tollgate_platform_t *platform, esp_ip4_addr_t ap_ip);
+
+esp_err_t tollgate_core_dns_start(esp_ip4_addr_t upstream_dns);
+void tollgate_core_dns_stop(void);
+
+esp_err_t tollgate_core_process_payment(uint32_t client_ip, const char *token_str);
+
+void tollgate_core_client_connected(const uint8_t *mac, uint32_t client_ip);
+void tollgate_core_client_disconnected(const uint8_t *mac);
+
+void tollgate_core_tick(void);
+
+bool tollgate_core_is_client_allowed(uint32_t client_ip);
+bool tollgate_core_is_dns_running(void);
+
+char *tollgate_core_get_status_json(void);
+char *tollgate_core_get_config_json(void);
+
+int tollgate_core_active_session_count(void);
+int tollgate_core_allowed_client_count(void);
+
+bool tollgate_core_is_owner(uint32_t client_ip);
+bool tollgate_core_is_owner_connected(void);
+
+#endif
diff --git a/components/tollgate_core/include/tollgate_platform.h b/components/tollgate_core/include/tollgate_platform.h
new file mode 100644
index 0000000..f60f1f9
--- /dev/null
+++ b/components/tollgate_core/include/tollgate_platform.h
@@ -0,0 +1,17 @@
+#ifndef TOLLGATE_PLATFORM_H
+#define TOLLGATE_PLATFORM_H
+
+#include <stdint.h>
+#include <stdbool.h>
+
+typedef struct {
+    uint16_t     (*get_price_sats)(void);
+    int32_t      (*get_step_ms)(void);
+    const char * (*get_mint_url)(void);
+    const char * (*get_metric)(void);
+    int32_t      (*get_step_bytes)(void);
+    int64_t      (*get_time_ms)(void);
+    bool         (*spend_proofs)(const char *raw_token_json);
+} tollgate_platform_t;
+
+#endif
diff --git a/components/tollgate_core/src/tollgate_core.c b/components/tollgate_core/src/tollgate_core.c
new file mode 100644
index 0000000..a731f48
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core.c
@@ -0,0 +1,236 @@
+#include "tollgate_core.h"
+#include "tollgate_core_cashu.h"
+#include "tollgate_core_dns.h"
+#include "tollgate_core_firewall.h"
+#include "tollgate_core_session.h"
+#include "esp_log.h"
+#include "cJSON.h"
+#include <string.h>
+
+static const char *TAG = "tg_core";
+
+static const tollgate_platform_t *s_platform;
+static esp_ip4_addr_t s_ap_ip;
+
+static uint32_t s_owner_ip;
+static uint8_t s_owner_mac[6];
+static bool s_owner_connected;
+
+esp_err_t tollgate_core_init(const tollgate_platform_t *platform, esp_ip4_addr_t ap_ip)
+{
+    if (!platform) {
+        ESP_LOGE(TAG, "Platform callbacks required");
+        return ESP_FAIL;
+    }
+
+    s_platform = platform;
+    s_ap_ip = ap_ip;
+    s_owner_connected = false;
+    memset(s_owner_mac, 0, sizeof(s_owner_mac));
+
+    if (!platform->spend_proofs) {
+        ESP_LOGW(TAG, "spend_proofs is NULL — double-spend window open until wallet integrated");
+    }
+
+    tollgate_core_session_set_platform(platform);
+    tollgate_core_session_init();
+    tollgate_core_fw_init(ap_ip);
+
+    ESP_LOGI(TAG, "TollGate core initialized, AP IP=" IPSTR, IP2STR(&ap_ip));
+    return ESP_OK;
+}
+
+esp_err_t tollgate_core_dns_start(esp_ip4_addr_t upstream_dns)
+{
+    return tollgate_core_dns_start_internal(s_ap_ip, upstream_dns);
+}
+
+esp_err_t tollgate_core_process_payment(uint32_t client_ip, const char *token_str)
+{
+    if (!s_platform || !token_str) return ESP_FAIL;
+
+    const char *accepted_mint = s_platform->get_mint_url ? s_platform->get_mint_url() : NULL;
+    if (!accepted_mint || accepted_mint[0] == '\0') {
+        ESP_LOGE(TAG, "No mint URL configured");
+        return ESP_FAIL;
+    }
+
+    tg_cashu_token_t token;
+    esp_err_t ret = tollgate_core_cashu_decode_token(token_str, &token);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Token decode failed");
+        return ESP_FAIL;
+    }
+
+    if (!tollgate_core_cashu_is_mint_accepted(token.mint_url, accepted_mint)) {
+        ESP_LOGE(TAG, "Token mint '%s' not accepted (expected '%s')", token.mint_url, accepted_mint);
+        return ESP_FAIL;
+    }
+
+    tg_cashu_proof_state_t states[TG_CASHU_MAX_PROOFS];
+    int state_count = 0;
+    ret = tollgate_core_cashu_check_proof_states(token.mint_url, &token, states, &state_count);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Proof state check failed");
+        return ESP_FAIL;
+    }
+
+    for (int i = 0; i < state_count; i++) {
+        if (states[i].spent) {
+            ESP_LOGE(TAG, "Proof %d is SPENT — rejecting", i);
+            return ESP_FAIL;
+        }
+    }
+
+    if (s_platform->spend_proofs) {
+        if (!s_platform->spend_proofs(token_str)) {
+            ESP_LOGE(TAG, "spend_proofs rejected the token");
+            return ESP_FAIL;
+        }
+    }
+
+    const char *metric = s_platform->get_metric ? s_platform->get_metric() : "milliseconds";
+    uint64_t price = s_platform->get_price_sats ? s_platform->get_price_sats() : 21;
+    uint64_t step_size;
+
+    if (strcmp(metric, "bytes") == 0) {
+        step_size = s_platform->get_step_bytes ? (uint64_t)s_platform->get_step_bytes() : 22020096;
+    } else {
+        step_size = s_platform->get_step_ms ? (uint64_t)s_platform->get_step_ms() : 60000;
+    }
+
+    uint64_t allotment = tollgate_core_cashu_calculate_allotment(token.total_amount, price, step_size);
+    if (allotment == 0) {
+        ESP_LOGE(TAG, "Token amount %llu too small for price %llu",
+                 (unsigned long long)token.total_amount, (unsigned long long)price);
+        return ESP_FAIL;
+    }
+
+    if (strcmp(metric, "bytes") == 0) {
+        if (!tollgate_core_session_create_bytes(client_ip, allotment)) {
+            return ESP_FAIL;
+        }
+    } else {
+        if (!tollgate_core_session_create(client_ip, allotment)) {
+            return ESP_FAIL;
+        }
+    }
+
+    ESP_LOGI(TAG, "Payment processed: %llu sats → %llu %s allotment for client",
+             (unsigned long long)token.total_amount, (unsigned long long)allotment, metric);
+    return ESP_OK;
+}
+
+void tollgate_core_client_connected(const uint8_t *mac, uint32_t client_ip)
+{
+    if (!s_owner_connected) {
+        s_owner_connected = true;
+        s_owner_ip = client_ip;
+        if (mac) memcpy(s_owner_mac, mac, 6);
+
+        esp_ip4_addr_t ip = { .addr = client_ip };
+        ESP_LOGI(TAG, "First client = owner: " IPSTR, IP2STR(&ip));
+        return;
+    }
+
+    ESP_LOGI(TAG, "Client connected (non-owner): " IPSTR, IP2STR(&(esp_ip4_addr_t){.addr=client_ip}));
+}
+
+void tollgate_core_client_disconnected(const uint8_t *mac)
+{
+    if (!s_owner_connected) return;
+
+    if (mac && memcmp(s_owner_mac, mac, 6) == 0) {
+        ESP_LOGI(TAG, "Owner disconnected — reassigning");
+        s_owner_connected = false;
+        memset(s_owner_mac, 0, sizeof(s_owner_mac));
+
+        int fw_count = tollgate_core_fw_client_count();
+        if (fw_count > 0) {
+            tg_session_t *sessions = tollgate_core_session_get_array();
+            for (int i = 0; i < tollgate_core_session_get_array_size(); i++) {
+                if (sessions[i].active && sessions[i].mac[0] != '\0') {
+                    if (memcmp(sessions[i].mac, mac, 6) != 0) {
+                        s_owner_connected = true;
+                        s_owner_ip = sessions[i].client_ip;
+                        ESP_LOGI(TAG, "New owner: " IPSTR, IP2STR(&(esp_ip4_addr_t){.addr=s_owner_ip}));
+                        break;
+                    }
+                }
+            }
+        }
+        return;
+    }
+
+    ESP_LOGI(TAG, "Client disconnected");
+}
+
+void tollgate_core_tick(void)
+{
+    tollgate_core_session_tick();
+}
+
+bool tollgate_core_is_client_allowed(uint32_t client_ip)
+{
+    return tollgate_core_fw_is_allowed(client_ip);
+}
+
+bool tollgate_core_is_dns_running(void)
+{
+    return tollgate_core_dns_is_running();
+}
+
+char *tollgate_core_get_status_json(void)
+{
+    cJSON *root = cJSON_CreateObject();
+    cJSON_AddBoolToObject(root, "ownerConnected", s_owner_connected);
+    cJSON_AddNumberToObject(root, "activeSessions", tollgate_core_session_active_count());
+    cJSON_AddNumberToObject(root, "allowedClients", tollgate_core_fw_client_count());
+    cJSON_AddBoolToObject(root, "dnsRunning", tollgate_core_dns_is_running());
+
+    char *json = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+    return json;
+}
+
+char *tollgate_core_get_config_json(void)
+{
+    cJSON *root = cJSON_CreateObject();
+
+    if (s_platform) {
+        if (s_platform->get_price_sats)
+            cJSON_AddNumberToObject(root, "priceSats", s_platform->get_price_sats());
+        if (s_platform->get_step_ms)
+            cJSON_AddNumberToObject(root, "stepMs", s_platform->get_step_ms());
+        if (s_platform->get_mint_url)
+            cJSON_AddStringToObject(root, "mintUrl", s_platform->get_mint_url());
+        if (s_platform->get_metric)
+            cJSON_AddStringToObject(root, "metric", s_platform->get_metric());
+        if (s_platform->get_step_bytes)
+            cJSON_AddNumberToObject(root, "stepBytes", s_platform->get_step_bytes());
+    }
+
+    char *json = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+    return json;
+}
+
+int tollgate_core_active_session_count(void)
+{
+    return tollgate_core_session_active_count();
+}
+
+int tollgate_core_allowed_client_count(void)
+{
+    return tollgate_core_fw_client_count();
+}
+
+bool tollgate_core_is_owner(uint32_t client_ip)
+{
+    return s_owner_connected && s_owner_ip == client_ip;
+}
+
+bool tollgate_core_is_owner_connected(void)
+{
+    return s_owner_connected;
+}
diff --git a/components/tollgate_core/src/tollgate_core_cashu.c b/components/tollgate_core/src/tollgate_core_cashu.c
new file mode 100644
index 0000000..cf2bf5d
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_cashu.c
@@ -0,0 +1,262 @@
+#include "tollgate_core_cashu.h"
+#include "esp_log.h"
+#include "esp_http_client.h"
+#include "cJSON.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/sha256.h"
+#include "esp_crt_bundle.h"
+
+static const char *TAG = "tg_core_cashu";
+
+static const char V3_PREFIX[] = "cashuA";
+static const size_t V3_PREFIX_LEN = 6;
+
+static int b64url_decode(const char *input, size_t input_len, char *out, size_t out_size, size_t *out_len)
+{
+    char *b64 = malloc(input_len + 4);
+    if (!b64) return -1;
+    size_t b64_len = input_len;
+    memcpy(b64, input, b64_len);
+    b64[b64_len] = '\0';
+
+    for (size_t i = 0; i < b64_len; i++) {
+        if (b64[i] == '-') b64[i] = '+';
+        else if (b64[i] == '_') b64[i] = '/';
+    }
+    while (b64_len % 4 != 0) {
+        b64[b64_len++] = '=';
+    }
+    b64[b64_len] = '\0';
+
+    size_t olen = 0;
+    int ret = mbedtls_base64_decode((unsigned char *)out, out_size, &olen,
+                                     (const unsigned char *)b64, b64_len);
+    free(b64);
+    if (ret != 0) return -1;
+    *out_len = olen;
+    return 0;
+}
+
+static esp_err_t parse_proofs_array(cJSON *arr, tg_cashu_token_t *out)
+{
+    if (!cJSON_IsArray(arr)) return ESP_FAIL;
+    int count = cJSON_GetArraySize(arr);
+    if (count > TG_CASHU_MAX_PROOFS) return ESP_FAIL;
+
+    out->proof_count = 0;
+    out->total_amount = 0;
+    for (int i = 0; i < count; i++) {
+        cJSON *proof = cJSON_GetArrayItem(arr, i);
+        cJSON *amt = cJSON_GetObjectItemCaseSensitive(proof, "amount");
+        cJSON *id = cJSON_GetObjectItemCaseSensitive(proof, "id");
+        cJSON *secret = cJSON_GetObjectItemCaseSensitive(proof, "secret");
+        cJSON *c = cJSON_GetObjectItemCaseSensitive(proof, "C");
+
+        if (!amt || !cJSON_IsNumber(amt)) return ESP_FAIL;
+
+        out->proofs[i].amount = (uint64_t)amt->valuedouble;
+        out->total_amount += out->proofs[i].amount;
+
+        if (id && cJSON_IsString(id)) {
+            strncpy(out->proofs[i].id, id->valuestring, sizeof(out->proofs[i].id) - 1);
+        }
+        if (secret && cJSON_IsString(secret)) {
+            strncpy(out->proofs[i].secret, secret->valuestring, sizeof(out->proofs[i].secret) - 1);
+        }
+        if (c && cJSON_IsString(c)) {
+            strncpy(out->proofs[i].c, c->valuestring, sizeof(out->proofs[i].c) - 1);
+        }
+        out->proof_count++;
+    }
+    return ESP_OK;
+}
+
+esp_err_t tollgate_core_cashu_decode_token(const char *token_str, tg_cashu_token_t *out)
+{
+    if (!token_str || !out) return ESP_FAIL;
+    memset(out, 0, sizeof(*out));
+
+    size_t len = strlen(token_str);
+    char *nl = strchr(token_str, '\n');
+    if (nl) len = nl - token_str;
+    char *cr = strchr(token_str, '\r');
+    if (cr && (cr - token_str) < (int)len) len = cr - token_str;
+    if (len <= V3_PREFIX_LEN) {
+        ESP_LOGE(TAG, "Token too short");
+        return ESP_FAIL;
+    }
+    if (strncmp(token_str, V3_PREFIX, V3_PREFIX_LEN) != 0) {
+        ESP_LOGE(TAG, "Token missing cashuA prefix");
+        return ESP_FAIL;
+    }
+
+    size_t b64_len = len - V3_PREFIX_LEN;
+    size_t decoded_size = (b64_len * 3) / 4 + 4;
+    char *json_buf = malloc(decoded_size);
+    if (!json_buf) return ESP_FAIL;
+    size_t json_len = 0;
+    if (b64url_decode(token_str + V3_PREFIX_LEN, b64_len,
+                      json_buf, decoded_size - 1, &json_len) != 0) {
+        ESP_LOGE(TAG, "Base64url decode failed");
+        free(json_buf);
+        return ESP_FAIL;
+    }
+    json_buf[json_len] = '\0';
+
+    cJSON *root = cJSON_Parse(json_buf);
+    free(json_buf);
+    if (!root) {
+        ESP_LOGE(TAG, "JSON parse failed");
+        return ESP_FAIL;
+    }
+
+    cJSON *token_arr = cJSON_GetObjectItemCaseSensitive(root, "token");
+    if (token_arr && cJSON_IsArray(token_arr)) {
+        cJSON *first = cJSON_GetArrayItem(token_arr, 0);
+        if (!first) { cJSON_Delete(root); return ESP_FAIL; }
+
+        cJSON *mint = cJSON_GetObjectItemCaseSensitive(first, "mint");
+        if (mint && cJSON_IsString(mint)) {
+            strncpy(out->mint_url, mint->valuestring, sizeof(out->mint_url) - 1);
+        }
+
+        cJSON *proofs = cJSON_GetObjectItemCaseSensitive(first, "proofs");
+        if (proofs) {
+            esp_err_t ret = parse_proofs_array(proofs, out);
+            if (ret != ESP_OK) { cJSON_Delete(root); return ret; }
+        }
+    } else {
+        cJSON *mint = cJSON_GetObjectItemCaseSensitive(root, "mint");
+        if (mint && cJSON_IsString(mint)) {
+            strncpy(out->mint_url, mint->valuestring, sizeof(out->mint_url) - 1);
+        }
+
+        cJSON *proofs = cJSON_GetObjectItemCaseSensitive(root, "proofs");
+        if (proofs) {
+            esp_err_t ret = parse_proofs_array(proofs, out);
+            if (ret != ESP_OK) { cJSON_Delete(root); return ret; }
+        }
+    }
+
+    cJSON_Delete(root);
+
+    if (out->proof_count == 0) {
+        ESP_LOGE(TAG, "No proofs in token");
+        return ESP_FAIL;
+    }
+
+    ESP_LOGI(TAG, "Decoded token: %d proofs, total=%llu, mint=%s",
+             out->proof_count, (unsigned long long)out->total_amount, out->mint_url);
+    return ESP_OK;
+}
+
+static void sha256_hex(const char *data, size_t data_len, char *hex_out)
+{
+    uint8_t hash[32];
+    mbedtls_sha256((const unsigned char *)data, data_len, hash, 0);
+    for (int i = 0; i < 32; i++) {
+        sprintf(hex_out + i * 2, "%02x", hash[i]);
+    }
+    hex_out[64] = '\0';
+}
+
+esp_err_t tollgate_core_cashu_check_proof_states(const char *mint_url, const tg_cashu_token_t *token,
+                                                  tg_cashu_proof_state_t *states, int *state_count)
+{
+    cJSON *ys_arr = cJSON_CreateArray();
+    for (int i = 0; i < token->proof_count; i++) {
+        char y_hex[65];
+        sha256_hex(token->proofs[i].secret, strlen(token->proofs[i].secret), y_hex);
+        cJSON_AddItemToArray(ys_arr, cJSON_CreateString(y_hex));
+        strncpy(states[i].y_hex, y_hex, sizeof(states[i].y_hex) - 1);
+        states[i].spent = false;
+    }
+    *state_count = token->proof_count;
+
+    char *ys_json = cJSON_PrintUnformatted(ys_arr);
+    cJSON_Delete(ys_arr);
+
+    char *post_body = malloc(4096);
+    if (!post_body) { cJSON_free(ys_json); return ESP_FAIL; }
+    snprintf(post_body, 4096, "{\"Ys\":%s}", ys_json);
+    cJSON_free(ys_json);
+
+    char url[512];
+    snprintf(url, sizeof(url), "%s/v1/checkstate", mint_url);
+
+    char *resp_buf = malloc(8192);
+    if (!resp_buf) { free(post_body); return ESP_FAIL; }
+
+    esp_http_client_config_t config = {
+        .url = url,
+        .method = HTTP_METHOD_POST,
+        .timeout_ms = 15000,
+        .crt_bundle_attach = esp_crt_bundle_attach,
+    };
+    esp_http_client_handle_t client = esp_http_client_init(&config);
+    if (!client) { free(post_body); free(resp_buf); return ESP_FAIL; }
+
+    esp_http_client_set_header(client, "Content-Type", "application/json");
+    esp_err_t err = esp_http_client_open(client, strlen(post_body));
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "checkstate open failed: %s", esp_err_to_name(err));
+        esp_http_client_cleanup(client);
+        free(post_body);
+        free(resp_buf);
+        return ESP_FAIL;
+    }
+    int written = esp_http_client_write(client, post_body, strlen(post_body));
+    free(post_body);
+    ESP_LOGI(TAG, "checkstate written %d bytes", written);
+
+    int content_length = esp_http_client_fetch_headers(client);
+    int status = esp_http_client_get_status_code(client);
+    ESP_LOGI(TAG, "checkstate headers: status=%d, content_length=%d", status, content_length);
+
+    int resp_len = esp_http_client_read(client, resp_buf, 8191);
+    ESP_LOGI(TAG, "checkstate read: resp_len=%d", resp_len);
+    esp_http_client_cleanup(client);
+
+    if (status != 200 || resp_len <= 0) {
+        ESP_LOGE(TAG, "checkstate failed: status=%d, resp_len=%d", status, resp_len);
+        free(resp_buf);
+        return ESP_FAIL;
+    }
+    resp_buf[resp_len] = '\0';
+
+    cJSON *root_resp = cJSON_Parse(resp_buf);
+    free(resp_buf);
+    if (!root_resp) return ESP_FAIL;
+
+    cJSON *states_arr = cJSON_GetObjectItemCaseSensitive(root_resp, "states");
+    if (!states_arr || !cJSON_IsArray(states_arr)) {
+        cJSON_Delete(root_resp);
+        return ESP_FAIL;
+    }
+
+    int n = cJSON_GetArraySize(states_arr);
+    for (int i = 0; i < n && i < token->proof_count; i++) {
+        cJSON *s = cJSON_GetArrayItem(states_arr, i);
+        cJSON *state = cJSON_GetObjectItemCaseSensitive(s, "state");
+        if (state && cJSON_IsString(state)) {
+            states[i].spent = (strcmp(state->valuestring, "SPENT") == 0);
+        }
+    }
+
+    cJSON_Delete(root_resp);
+    return ESP_OK;
+}
+
+uint64_t tollgate_core_cashu_calculate_allotment(uint64_t token_amount, uint64_t price_per_step,
+                                                  uint64_t step_size)
+{
+    if (price_per_step == 0) return 0;
+    return (token_amount / price_per_step) * step_size;
+}
+
+bool tollgate_core_cashu_is_mint_accepted(const char *mint_url, const char *accepted_mint_url)
+{
+    if (!mint_url || mint_url[0] == '\0') return false;
+    if (!accepted_mint_url || accepted_mint_url[0] == '\0') return false;
+    return (strcmp(mint_url, accepted_mint_url) == 0);
+}
diff --git a/components/tollgate_core/src/tollgate_core_cashu.h b/components/tollgate_core/src/tollgate_core_cashu.h
new file mode 100644
index 0000000..70d2a02
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_cashu.h
@@ -0,0 +1,42 @@
+#ifndef TOLLGATE_CORE_CASHU_H
+#define TOLLGATE_CORE_CASHU_H
+
+#include "esp_err.h"
+#include <stdint.h>
+#include <stdbool.h>
+
+#define TG_CASHU_MAX_PROOFS      10
+#define TG_CASHU_MAX_SECRET_LEN  128
+#define TG_CASHU_MAX_ID_LEN      68
+#define TG_CASHU_MAX_C_LEN       128
+
+typedef struct {
+    uint64_t amount;
+    char id[TG_CASHU_MAX_ID_LEN];
+    char secret[TG_CASHU_MAX_SECRET_LEN];
+    char c[TG_CASHU_MAX_C_LEN];
+} tg_cashu_proof_t;
+
+typedef struct {
+    tg_cashu_proof_t proofs[TG_CASHU_MAX_PROOFS];
+    int proof_count;
+    char mint_url[256];
+    uint64_t total_amount;
+} tg_cashu_token_t;
+
+typedef struct {
+    char y_hex[65];
+    bool spent;
+} tg_cashu_proof_state_t;
+
+esp_err_t tollgate_core_cashu_decode_token(const char *token_str, tg_cashu_token_t *out);
+
+esp_err_t tollgate_core_cashu_check_proof_states(const char *mint_url, const tg_cashu_token_t *token,
+                                                  tg_cashu_proof_state_t *states, int *state_count);
+
+uint64_t tollgate_core_cashu_calculate_allotment(uint64_t token_amount, uint64_t price_per_step,
+                                                  uint64_t step_size);
+
+bool tollgate_core_cashu_is_mint_accepted(const char *mint_url, const char *accepted_mint_url);
+
+#endif
diff --git a/components/tollgate_core/src/tollgate_core_dns.c b/components/tollgate_core/src/tollgate_core_dns.c
new file mode 100644
index 0000000..84322e6
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_dns.c
@@ -0,0 +1,316 @@
+#include "tollgate_core_dns.h"
+#include "esp_log.h"
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+#include "lwip/sockets.h"
+#include "lwip/netdb.h"
+#include <string.h>
+#include <sys/param.h>
+
+#define MAX_AUTH_IPS 10
+#define DNS_BUF_SIZE 512
+#define DNS_PORT 53
+#define DOT_PORT 853
+#define DNS_TASK_STACK 4096
+#define DOT_TASK_STACK 3072
+#define DNS_TASK_PRIO 5
+#define DOT_TASK_PRIO 5
+#define DNS_FORWARD_TIMEOUT_MS 2000
+#define NXDOMAIN_TTL 30
+#define HIJACK_TTL 10
+
+static const char *TAG = "tg_core_dns";
+
+#pragma pack(push, 1)
+typedef struct {
+    uint16_t id;
+    uint16_t flags;
+    uint16_t qdcount;
+    uint16_t ancount;
+    uint16_t nscount;
+    uint16_t arcount;
+} dns_header_t;
+#pragma pack(pop)
+
+#pragma pack(push, 1)
+typedef struct {
+    uint16_t name;
+    uint16_t type;
+    uint16_t class;
+    uint32_t ttl;
+    uint16_t len;
+    uint32_t addr;
+} dns_answer_t;
+#pragma pack(pop)
+
+typedef struct {
+    uint32_t ip;
+} auth_entry_t;
+
+static auth_entry_t s_auth_list[MAX_AUTH_IPS];
+static int s_auth_count = 0;
+static TaskHandle_t s_dns_task = NULL;
+static TaskHandle_t s_dot_task = NULL;
+static volatile bool s_dns_running = false;
+static esp_ip4_addr_t s_ap_ip;
+static esp_ip4_addr_t s_upstream_dns;
+
+static bool is_authenticated(uint32_t ip)
+{
+    for (int i = 0; i < s_auth_count; i++) {
+        if (s_auth_list[i].ip == ip) return true;
+    }
+    return false;
+}
+
+static void parse_dns_name(const uint8_t *buf, int buf_len, int offset, char *out, int out_len)
+{
+    int pos = offset;
+    int out_pos = 0;
+    int jumped = 0;
+    int jump_pos = 0;
+    while (pos < buf_len && out_pos < out_len - 1) {
+        uint8_t len = buf[pos];
+        if (len == 0) break;
+        if ((len & 0xC0) == 0xC0) {
+            if (!jumped) jump_pos = pos + 2;
+            pos = ((len & 0x3F) << 8) | buf[pos + 1];
+            jumped = 1;
+            continue;
+        }
+        if (out_pos > 0 && out_pos < out_len - 1) out[out_pos++] = '.';
+        pos++;
+        for (int i = 0; i < len && pos < buf_len && out_pos < out_len - 1; i++) {
+            out[out_pos++] = buf[pos++];
+        }
+    }
+    out[out_pos] = '\0';
+}
+
+static int build_nxdomain(uint8_t *response, int req_len)
+{
+    dns_header_t *hdr = (dns_header_t *)response;
+    hdr->flags = htons(0x8403);
+    hdr->ancount = 0;
+    hdr->nscount = 0;
+    hdr->arcount = 0;
+    return req_len;
+}
+
+static int build_redirect_response(uint8_t *response, int req_len)
+{
+    memmove(response, response, req_len);
+    dns_header_t *hdr = (dns_header_t *)response;
+    hdr->flags = htons(0x8180);
+    hdr->ancount = htons(1);
+    hdr->nscount = 0;
+    hdr->arcount = 0;
+    int resp_len = req_len;
+    dns_answer_t ans;
+    ans.name = htons(0xC00C);
+    ans.type = htons(1);
+    ans.class = htons(1);
+    ans.ttl = htonl(HIJACK_TTL);
+    ans.len = htons(4);
+    ans.addr = s_ap_ip.addr;
+    memcpy(response + resp_len, &ans, sizeof(ans));
+    resp_len += sizeof(ans);
+    return resp_len;
+}
+
+static int forward_dns(const uint8_t *req, int req_len, uint8_t *resp, int resp_buf_len,
+                       uint16_t txn_id)
+{
+    int upstream_sock = socket(AF_INET, SOCK_DGRAM, 0);
+    if (upstream_sock < 0) return -1;
+
+    struct timeval tv = { .tv_sec = DNS_FORWARD_TIMEOUT_MS / 1000, .tv_usec = (DNS_FORWARD_TIMEOUT_MS % 1000) * 1000 };
+    setsockopt(upstream_sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
+
+    struct sockaddr_in upstream_addr = {
+        .sin_family = AF_INET,
+        .sin_port = htons(DNS_PORT),
+        .sin_addr.s_addr = s_upstream_dns.addr,
+    };
+
+    sendto(upstream_sock, req, req_len, 0, (struct sockaddr *)&upstream_addr, sizeof(upstream_addr));
+
+    int n = recvfrom(upstream_sock, resp, resp_buf_len, 0, NULL, NULL);
+    close(upstream_sock);
+
+    if (n > 0) {
+        if (n >= sizeof(dns_header_t)) {
+            dns_header_t *hdr = (dns_header_t *)resp;
+            hdr->id = htons(txn_id);
+        }
+    }
+    return n;
+}
+
+static void dns_server_task(void *arg)
+{
+    int sock = socket(AF_INET, SOCK_DGRAM, 0);
+    if (sock < 0) {
+        ESP_LOGE(TAG, "Failed to create DNS socket");
+        s_dns_running = false;
+        vTaskDelete(NULL);
+        return;
+    }
+
+    struct sockaddr_in bind_addr = {
+        .sin_family = AF_INET,
+        .sin_port = htons(DNS_PORT),
+        .sin_addr.s_addr = INADDR_ANY,
+    };
+    if (bind(sock, (struct sockaddr *)&bind_addr, sizeof(bind_addr)) < 0) {
+        ESP_LOGE(TAG, "Failed to bind DNS socket");
+        close(sock);
+        s_dns_running = false;
+        vTaskDelete(NULL);
+        return;
+    }
+
+    ESP_LOGI(TAG, "DNS server started on port %d, AP IP=" IPSTR ", upstream DNS=" IPSTR,
+             DNS_PORT, IP2STR(&s_ap_ip), IP2STR(&s_upstream_dns));
+
+    uint8_t rx_buf[DNS_BUF_SIZE];
+    uint8_t tx_buf[DNS_BUF_SIZE + sizeof(dns_answer_t)];
+
+    while (s_dns_running) {
+        struct sockaddr_in client_addr;
+        socklen_t client_len = sizeof(client_addr);
+        int n = recvfrom(sock, rx_buf, sizeof(rx_buf), 0,
+                         (struct sockaddr *)&client_addr, &client_len);
+        if (n < (int)sizeof(dns_header_t)) continue;
+
+        uint32_t client_ip = client_addr.sin_addr.s_addr;
+        dns_header_t *hdr = (dns_header_t *)rx_buf;
+        uint16_t txn_id = ntohs(hdr->id);
+        bool is_query = (ntohs(hdr->flags) & 0x8000) == 0;
+        uint16_t qdcount = ntohs(hdr->qdcount);
+
+        if (!is_query || qdcount == 0) continue;
+
+        int q_offset = sizeof(dns_header_t);
+        while (q_offset < n && rx_buf[q_offset] != 0) {
+            q_offset += rx_buf[q_offset] + 1;
+        }
+        if (q_offset + 5 > n) continue;
+        uint16_t qtype = (rx_buf[q_offset + 1] << 8) | rx_buf[q_offset + 2];
+        int req_len = q_offset + 5;
+
+        if (is_authenticated(client_ip)) {
+            int resp_len = forward_dns(rx_buf, req_len, tx_buf, sizeof(tx_buf), txn_id);
+            if (resp_len > 0) {
+                sendto(sock, tx_buf, resp_len, 0, (struct sockaddr *)&client_addr, client_len);
+            }
+        } else {
+            char qname[256] = {0};
+            parse_dns_name(rx_buf, n, sizeof(dns_header_t), qname, sizeof(qname));
+            ESP_LOGI(TAG, "Hijack DNS from " IPSTR ": %s (type=%d)",
+                     IP2STR(&(esp_ip4_addr_t){.addr=client_ip}), qname, qtype);
+            if (qtype == 1) {
+                int resp_len = build_redirect_response(rx_buf, req_len);
+                memcpy(tx_buf, rx_buf, resp_len);
+                dns_header_t *resp_hdr = (dns_header_t *)tx_buf;
+                resp_hdr->id = htons(txn_id);
+                sendto(sock, tx_buf, resp_len, 0, (struct sockaddr *)&client_addr, client_len);
+            } else {
+                int resp_len = build_nxdomain(rx_buf, req_len);
+                memcpy(tx_buf, rx_buf, resp_len);
+                dns_header_t *resp_hdr = (dns_header_t *)tx_buf;
+                resp_hdr->id = htons(txn_id);
+                sendto(sock, tx_buf, resp_len, 0, (struct sockaddr *)&client_addr, client_len);
+            }
+        }
+    }
+
+    close(sock);
+    ESP_LOGI(TAG, "DNS server stopped");
+    vTaskDelete(NULL);
+}
+
+static void dot_reject_task(void *arg)
+{
+    int sock = socket(AF_INET, SOCK_STREAM, 0);
+    if (sock < 0) {
+        ESP_LOGE(TAG, "Failed to create DoT reject socket");
+        vTaskDelete(NULL);
+        return;
+    }
+
+    int opt = 1;
+    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
+
+    struct sockaddr_in bind_addr = {
+        .sin_family = AF_INET,
+        .sin_port = htons(DOT_PORT),
+        .sin_addr.s_addr = INADDR_ANY,
+    };
+    if (bind(sock, (struct sockaddr *)&bind_addr, sizeof(bind_addr)) < 0) {
+        ESP_LOGE(TAG, "Failed to bind DoT reject socket on port %d", DOT_PORT);
+        close(sock);
+        vTaskDelete(NULL);
+        return;
+    }
+
+    listen(sock, 1);
+    ESP_LOGI(TAG, "DoT reject server on port %d (forces DNS fallback to port 53)", DOT_PORT);
+
+    while (s_dns_running) {
+        struct sockaddr_in client_addr;
+        socklen_t client_len = sizeof(client_addr);
+        int client_sock = accept(sock, (struct sockaddr *)&client_addr, &client_len);
+        if (client_sock >= 0) {
+            struct linger ling = { .l_onoff = 1, .l_linger = 0 };
+            setsockopt(client_sock, SOL_SOCKET, SO_LINGER, &ling, sizeof(ling));
+            close(client_sock);
+        }
+    }
+
+    close(sock);
+    ESP_LOGI(TAG, "DoT reject server stopped");
+    vTaskDelete(NULL);
+}
+
+esp_err_t tollgate_core_dns_start_internal(esp_ip4_addr_t ap_ip, esp_ip4_addr_t upstream_dns)
+{
+    if (s_dns_running) return ESP_OK;
+    s_ap_ip = ap_ip;
+    s_upstream_dns = upstream_dns;
+    s_dns_running = true;
+    xTaskCreate(dns_server_task, "dns_server", DNS_TASK_STACK, NULL, DNS_TASK_PRIO, &s_dns_task);
+    xTaskCreate(dot_reject_task, "dot_reject", DOT_TASK_STACK, NULL, DOT_TASK_PRIO, &s_dot_task);
+    return ESP_OK;
+}
+
+void tollgate_core_dns_stop(void)
+{
+    s_dns_running = false;
+    vTaskDelay(pdMS_TO_TICKS(200));
+    s_dns_task = NULL;
+}
+
+void tollgate_core_dns_set_authenticated(uint32_t client_ip, bool authenticated)
+{
+    if (authenticated) {
+        if (is_authenticated(client_ip)) return;
+        if (s_auth_count < MAX_AUTH_IPS) {
+            s_auth_list[s_auth_count].ip = client_ip;
+            s_auth_count++;
+        }
+    } else {
+        for (int i = 0; i < s_auth_count; i++) {
+            if (s_auth_list[i].ip == client_ip) {
+                s_auth_list[i] = s_auth_list[s_auth_count - 1];
+                s_auth_count--;
+                return;
+            }
+        }
+    }
+}
+
+bool tollgate_core_dns_is_running(void)
+{
+    return s_dns_running;
+}
diff --git a/components/tollgate_core/src/tollgate_core_dns.h b/components/tollgate_core/src/tollgate_core_dns.h
new file mode 100644
index 0000000..60aaaaf
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_dns.h
@@ -0,0 +1,13 @@
+#ifndef TOLLGATE_CORE_DNS_H
+#define TOLLGATE_CORE_DNS_H
+
+#include "esp_err.h"
+#include "esp_netif.h"
+#include <stdbool.h>
+
+esp_err_t tollgate_core_dns_start_internal(esp_ip4_addr_t ap_ip, esp_ip4_addr_t upstream_dns);
+void tollgate_core_dns_stop(void);
+void tollgate_core_dns_set_authenticated(uint32_t client_ip, bool authenticated);
+bool tollgate_core_dns_is_running(void);
+
+#endif
diff --git a/components/tollgate_core/src/tollgate_core_firewall.c b/components/tollgate_core/src/tollgate_core_firewall.c
new file mode 100644
index 0000000..e5d61d8
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_firewall.c
@@ -0,0 +1,165 @@
+#include "tollgate_core_firewall.h"
+#include "tollgate_core_dns.h"
+#include "esp_log.h"
+#include "esp_wifi.h"
+#include "esp_wifi_ap_get_sta_list.h"
+#include "lwip/lwip_napt.h"
+#include "lwip/etharp.h"
+#include "lwip/netif.h"
+#include "lwip/prot/ip4.h"
+#include <string.h>
+
+#define MAX_CLIENTS 10
+
+static const char *TAG = "tg_core_fw";
+static esp_ip4_addr_t s_ap_ip;
+
+typedef struct {
+    uint32_t ip;
+    char mac[TG_FW_MAX_MAC_LEN];
+} fw_client_t;
+
+static fw_client_t s_clients[MAX_CLIENTS];
+static int s_client_count = 0;
+
+esp_err_t tollgate_core_fw_get_mac_for_ip(uint32_t client_ip, char *mac_out, size_t mac_out_size)
+{
+    wifi_sta_list_t sta_list;
+    if (esp_wifi_ap_get_sta_list(&sta_list) == ESP_OK) {
+        wifi_sta_mac_ip_list_t ip_mac_list;
+        if (esp_wifi_ap_get_sta_list_with_ip(&sta_list, &ip_mac_list) == ESP_OK) {
+            for (int i = 0; i < ip_mac_list.num; i++) {
+                if (ip_mac_list.sta[i].ip.addr == client_ip) {
+                    snprintf(mac_out, mac_out_size, "%02x:%02x:%02x:%02x:%02x:%02x",
+                             ip_mac_list.sta[i].mac[0], ip_mac_list.sta[i].mac[1],
+                             ip_mac_list.sta[i].mac[2], ip_mac_list.sta[i].mac[3],
+                             ip_mac_list.sta[i].mac[4], ip_mac_list.sta[i].mac[5]);
+                    return ESP_OK;
+                }
+            }
+        }
+    }
+
+    ip4_addr_t *entry_ip = NULL;
+    struct netif *entry_netif = NULL;
+    struct eth_addr *entry_eth = NULL;
+    ssize_t i = 0;
+    while (etharp_get_entry(i, &entry_ip, &entry_netif, &entry_eth) == ERR_OK) {
+        if (entry_ip && entry_ip->addr == client_ip && entry_eth) {
+            snprintf(mac_out, mac_out_size, "%02x:%02x:%02x:%02x:%02x:%02x",
+                     entry_eth->addr[0], entry_eth->addr[1], entry_eth->addr[2],
+                     entry_eth->addr[3], entry_eth->addr[4], entry_eth->addr[5]);
+            return ESP_OK;
+        }
+        i++;
+    }
+    return ESP_FAIL;
+}
+
+esp_err_t tollgate_core_fw_init(esp_ip4_addr_t ap_ip)
+{
+    s_ap_ip = ap_ip;
+    memset(s_clients, 0, sizeof(s_clients));
+    s_client_count = 0;
+    ip_napt_enable(s_ap_ip.addr, 1);
+    ESP_LOGI(TAG, "Firewall initialized with AP IP=" IPSTR " (NAT always on, per-client filter)", IP2STR(&s_ap_ip));
+    return ESP_OK;
+}
+
+int tollgate_core_ip4_canforward_filter(struct pbuf *p, u32_t dest_addr_hostorder)
+{
+    (void)dest_addr_hostorder;
+    if (p->len < IP_HLEN) return -1;
+    struct ip_hdr *iphdr = (struct ip_hdr *)p->payload;
+    uint32_t src_ip_h = lwip_ntohl(iphdr->src.addr);
+    uint32_t ap_subnet = lwip_ntohl(s_ap_ip.addr) & 0xFFFFFF00;
+    if ((src_ip_h & 0xFFFFFF00) != ap_subnet) {
+        return 1;
+    }
+    if (tollgate_core_fw_is_allowed(iphdr->src.addr)) {
+        return 1;
+    }
+    return 0;
+}
+
+static fw_client_t *find_client_by_ip(uint32_t client_ip)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        if (s_clients[i].ip == client_ip) return &s_clients[i];
+    }
+    return NULL;
+}
+
+static fw_client_t *find_client_by_mac(const char *mac)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        if (s_clients[i].mac[0] != '\0' && strcmp(s_clients[i].mac, mac) == 0) {
+            return &s_clients[i];
+        }
+    }
+    return NULL;
+}
+
+void tollgate_core_fw_grant(uint32_t client_ip)
+{
+    fw_client_t *existing = find_client_by_ip(client_ip);
+    if (existing) {
+        existing->ip = client_ip;
+        return;
+    }
+    if (s_client_count >= MAX_CLIENTS) {
+        ESP_LOGW(TAG, "Max clients reached, cannot grant access");
+        return;
+    }
+
+    fw_client_t *client = &s_clients[s_client_count];
+    client->ip = client_ip;
+    client->mac[0] = '\0';
+    tollgate_core_fw_get_mac_for_ip(client_ip, client->mac, sizeof(client->mac));
+    s_client_count++;
+
+    tollgate_core_dns_set_authenticated(client_ip, true);
+
+    esp_ip4_addr_t ip_addr = { .addr = client_ip };
+    ESP_LOGI(TAG, "Access granted to " IPSTR " mac=%s", IP2STR(&ip_addr),
+             client->mac[0] ? client->mac : "unknown");
+}
+
+void tollgate_core_fw_revoke(uint32_t client_ip)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        if (s_clients[i].ip == client_ip) {
+            esp_ip4_addr_t ip_addr = { .addr = client_ip };
+            ESP_LOGI(TAG, "Access revoked for " IPSTR " mac=%s", IP2STR(&ip_addr),
+                     s_clients[i].mac[0] ? s_clients[i].mac : "unknown");
+            s_clients[i] = s_clients[s_client_count - 1];
+            s_client_count--;
+            tollgate_core_dns_set_authenticated(client_ip, false);
+            return;
+        }
+    }
+}
+
+void tollgate_core_fw_revoke_all(void)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        tollgate_core_dns_set_authenticated(s_clients[i].ip, false);
+    }
+    s_client_count = 0;
+    ESP_LOGI(TAG, "All client access revoked");
+}
+
+bool tollgate_core_fw_is_allowed(uint32_t client_ip)
+{
+    return find_client_by_ip(client_ip) != NULL;
+}
+
+bool tollgate_core_fw_is_mac_allowed(const char *mac)
+{
+    return find_client_by_mac(mac) != NULL;
+}
+
+int tollgate_core_fw_client_count(void)
+{
+    return s_client_count;
+}
diff --git a/components/tollgate_core/src/tollgate_core_firewall.h b/components/tollgate_core/src/tollgate_core_firewall.h
new file mode 100644
index 0000000..f06c801
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_firewall.h
@@ -0,0 +1,25 @@
+#ifndef TOLLGATE_CORE_FIREWALL_H
+#define TOLLGATE_CORE_FIREWALL_H
+
+#include "esp_err.h"
+#include "esp_netif.h"
+#include <stdbool.h>
+#include <stdint.h>
+
+struct pbuf;
+
+#define TG_FW_MAX_MAC_LEN 18
+
+esp_err_t tollgate_core_fw_init(esp_ip4_addr_t ap_ip);
+void tollgate_core_fw_grant(uint32_t client_ip);
+void tollgate_core_fw_revoke(uint32_t client_ip);
+void tollgate_core_fw_revoke_all(void);
+bool tollgate_core_fw_is_allowed(uint32_t client_ip);
+bool tollgate_core_fw_is_mac_allowed(const char *mac);
+int tollgate_core_fw_client_count(void);
+
+esp_err_t tollgate_core_fw_get_mac_for_ip(uint32_t client_ip, char *mac_out, size_t mac_out_size);
+
+int tollgate_core_ip4_canforward_filter(struct pbuf *p, uint32_t dest_addr_hostorder);
+
+#endif
diff --git a/components/tollgate_core/src/tollgate_core_session.c b/components/tollgate_core/src/tollgate_core_session.c
new file mode 100644
index 0000000..48d32e7
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_session.c
@@ -0,0 +1,200 @@
+#include "tollgate_core_session.h"
+#include "tollgate_core_firewall.h"
+#include "esp_log.h"
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+#include <string.h>
+
+static const char *TAG = "tg_core_session";
+static tg_session_t s_sessions[TG_SESSION_MAX_CLIENTS];
+static int s_session_count = 0;
+
+static const tollgate_platform_t *s_platform;
+
+void tollgate_core_session_set_platform(const tollgate_platform_t *platform)
+{
+    s_platform = platform;
+}
+
+static int64_t get_time_ms(void)
+{
+    if (s_platform && s_platform->get_time_ms) {
+        return s_platform->get_time_ms();
+    }
+    return (int64_t)xTaskGetTickCount() * portTICK_PERIOD_MS;
+}
+
+esp_err_t tollgate_core_session_init(void)
+{
+    memset(s_sessions, 0, sizeof(s_sessions));
+    s_session_count = 0;
+    ESP_LOGI(TAG, "Session manager initialized");
+    return ESP_OK;
+}
+
+static void populate_mac(tg_session_t *session, uint32_t client_ip)
+{
+    if (tollgate_core_fw_get_mac_for_ip(client_ip, session->mac, sizeof(session->mac)) != ESP_OK) {
+        session->mac[0] = '\0';
+    }
+}
+
+tg_session_t *tollgate_core_session_create(uint32_t client_ip, uint64_t allotment_ms)
+{
+    tg_session_t *existing = tollgate_core_session_find_by_ip(client_ip);
+    if (existing) {
+        tollgate_core_session_extend(existing, allotment_ms);
+        return existing;
+    }
+
+    if (s_session_count >= TG_SESSION_MAX_CLIENTS) {
+        for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+            if (!s_sessions[i].active || tollgate_core_session_is_expired(&s_sessions[i])) {
+                tollgate_core_session_revoke(&s_sessions[i]);
+                break;
+            }
+        }
+    }
+
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (!s_sessions[i].active) {
+            s_sessions[i].client_ip = client_ip;
+            s_sessions[i].allotment_ms = allotment_ms;
+            s_sessions[i].start_time_ms = get_time_ms();
+            s_sessions[i].active = true;
+            populate_mac(&s_sessions[i], client_ip);
+
+            s_session_count++;
+            tollgate_core_fw_grant(client_ip);
+
+            esp_ip4_addr_t ip = { .addr = client_ip };
+            ESP_LOGI(TAG, "Session created: " IPSTR " mac=%s allotment=%llums", IP2STR(&ip),
+                     s_sessions[i].mac[0] ? s_sessions[i].mac : "unknown",
+                     (unsigned long long)allotment_ms);
+            return &s_sessions[i];
+        }
+    }
+
+    ESP_LOGW(TAG, "No free session slots");
+    return NULL;
+}
+
+tg_session_t *tollgate_core_session_create_bytes(uint32_t client_ip, uint64_t allotment_bytes)
+{
+    tg_session_t *s = tollgate_core_session_create(client_ip, 0);
+    if (s) {
+        s->allotment_bytes = allotment_bytes;
+        s->bytes_consumed = 0;
+        s->allotment_ms = INT64_MAX;
+        esp_ip4_addr_t ip = { .addr = client_ip };
+        ESP_LOGI(TAG, "Bytes session created: " IPSTR " allotment=%llu bytes", IP2STR(&ip),
+                 (unsigned long long)allotment_bytes);
+    }
+    return s;
+}
+
+void tollgate_core_session_add_bytes(uint32_t client_ip, uint64_t bytes)
+{
+    tg_session_t *s = tollgate_core_session_find_by_ip(client_ip);
+    if (s && s->active) {
+        s->bytes_consumed += bytes;
+    }
+}
+
+tg_session_t *tollgate_core_session_find_by_ip(uint32_t client_ip)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active && s_sessions[i].client_ip == client_ip) {
+            return &s_sessions[i];
+        }
+    }
+    return NULL;
+}
+
+tg_session_t *tollgate_core_session_find_by_mac(const char *mac)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active && s_sessions[i].mac[0] != '\0' &&
+            strcmp(s_sessions[i].mac, mac) == 0) {
+            return &s_sessions[i];
+        }
+    }
+    return NULL;
+}
+
+void tollgate_core_session_extend(tg_session_t *session, uint64_t additional_ms)
+{
+    if (!session || !session->active) return;
+    session->allotment_ms += additional_ms;
+    esp_ip4_addr_t ip = { .addr = session->client_ip };
+    ESP_LOGI(TAG, "Session extended: " IPSTR " +%llums (total=%llu)", IP2STR(&ip),
+             (unsigned long long)additional_ms, (unsigned long long)session->allotment_ms);
+}
+
+bool tollgate_core_session_is_expired(const tg_session_t *session)
+{
+    if (!session || !session->active) return true;
+
+    if (s_platform && s_platform->get_metric) {
+        const char *metric = s_platform->get_metric();
+        if (metric && strcmp(metric, "bytes") == 0) {
+            return session->bytes_consumed >= session->allotment_bytes;
+        }
+    }
+
+    int64_t elapsed = get_time_ms() - session->start_time_ms;
+    return elapsed >= (int64_t)session->allotment_ms;
+}
+
+static void check_expiry(void)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active && tollgate_core_session_is_expired(&s_sessions[i])) {
+            esp_ip4_addr_t ip = { .addr = s_sessions[i].client_ip };
+            ESP_LOGI(TAG, "Session expired: " IPSTR " mac=%s", IP2STR(&ip),
+                     s_sessions[i].mac[0] ? s_sessions[i].mac : "unknown");
+            tollgate_core_session_revoke(&s_sessions[i]);
+        }
+    }
+}
+
+void tollgate_core_session_revoke(tg_session_t *session)
+{
+    if (!session || !session->active) return;
+    tollgate_core_fw_revoke(session->client_ip);
+    session->active = false;
+    s_session_count--;
+}
+
+void tollgate_core_session_revoke_all(void)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active) {
+            tollgate_core_session_revoke(&s_sessions[i]);
+        }
+    }
+}
+
+int tollgate_core_session_active_count(void)
+{
+    int count = 0;
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active) count++;
+    }
+    return count;
+}
+
+void tollgate_core_session_tick(void)
+{
+    check_expiry();
+}
+
+tg_session_t *tollgate_core_session_get_array(void)
+{
+    return s_sessions;
+}
+
+int tollgate_core_session_get_array_size(void)
+{
+    return TG_SESSION_MAX_CLIENTS;
+}
diff --git a/components/tollgate_core/src/tollgate_core_session.h b/components/tollgate_core/src/tollgate_core_session.h
new file mode 100644
index 0000000..444b9fa
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_session.h
@@ -0,0 +1,47 @@
+#ifndef TOLLGATE_CORE_SESSION_H
+#define TOLLGATE_CORE_SESSION_H
+
+#include "esp_err.h"
+#include "tollgate_platform.h"
+#include <stdint.h>
+#include <stdbool.h>
+
+#define TG_SESSION_MAX_CLIENTS     10
+#define TG_SESSION_MAX_MAC_LEN     18
+
+typedef struct {
+    uint32_t client_ip;
+    char mac[TG_SESSION_MAX_MAC_LEN];
+    uint64_t allotment_ms;
+    int64_t start_time_ms;
+    uint64_t allotment_bytes;
+    uint64_t bytes_consumed;
+    bool active;
+} tg_session_t;
+
+esp_err_t tollgate_core_session_init(void);
+void tollgate_core_session_set_platform(const tollgate_platform_t *platform);
+
+tg_session_t *tollgate_core_session_create(uint32_t client_ip, uint64_t allotment_ms);
+tg_session_t *tollgate_core_session_create_bytes(uint32_t client_ip, uint64_t allotment_bytes);
+
+void tollgate_core_session_add_bytes(uint32_t client_ip, uint64_t bytes);
+
+tg_session_t *tollgate_core_session_find_by_ip(uint32_t client_ip);
+tg_session_t *tollgate_core_session_find_by_mac(const char *mac);
+
+void tollgate_core_session_extend(tg_session_t *session, uint64_t additional_ms);
+
+bool tollgate_core_session_is_expired(const tg_session_t *session);
+
+void tollgate_core_session_revoke(tg_session_t *session);
+void tollgate_core_session_revoke_all(void);
+
+int tollgate_core_session_active_count(void);
+
+void tollgate_core_session_tick(void);
+
+tg_session_t *tollgate_core_session_get_array(void);
+int tollgate_core_session_get_array_size(void);
+
+#endif
diff --git a/docs/E2E_FIX_PLAN.md b/docs/E2E_FIX_PLAN.md
new file mode 100644
index 0000000..52f8305
--- /dev/null
+++ b/docs/E2E_FIX_PLAN.md
@@ -0,0 +1,177 @@
+# E2E Test Stability Fix Plan
+
+## Problem Statement
+
+E2E tests on physical boards are failing due to five root causes:
+1. **LWIP socket exhaustion** (RC-0) — `LWIP_MAX_SOCKETS=10` was too low for two httpd servers + DNS + DoT + wifistr WebSockets
+2. **Over-tuned httpd settings** (RC-1) — setting `max_open_sockets=2` and `keep_alive_enable=false` caused socket leaks by interfering with ESP-IDF's internal session management
+3. **Owner auto-grant** (RC-2) — makes "no internet before auth" tests non-deterministic
+4. **No boot-ready probe** (RC-3) — tests start before HTTP servers are up
+5. **Serial monitoring resets** (RC-4) — Python `serial.Serial()` toggles DTR/RTS on USB-Serial/JTAG boards, causing chip resets mid-operation
+
+### Baseline Test Results (Board A, before fixes)
+
+| Suite | Pass | Fail | Notes |
+|---|---|---|---|
+| Smoke | 2/6 | 4 | Port 80 unresponsive, cascading failures |
+| Network | 4/7 | 3 | DNS forward + ping after auth (timing) |
+| API | 16/20 | 4 | Portal port 80 slow/crashed, captive URIs |
+| DNS+Firewall | 15/16 | 1 | Ping after auth (timing) |
+| Reset-Auth | 12/15 | 3 | Allotment was 0 (fixed), 2nd payment |
+| Session | 14/14 | 0 | Perfect |
+| Phase 2 | 12/12 | 0 | Perfect |
+
+### Verified Test Results (Board ACM2, after all fixes, commit `144b48f`)
+
+All API endpoints verified working on AP IP `10.192.45.1` with 2-3s delays between requests:
+- `GET /usage` — returns session/client counts (50/50 sequential requests passed)
+- `GET /portal-config` — returns `{priceSats, stepMs, mintUrl, metric, stepBytes}`
+- `GET /whoami` — returns client IP
+- `GET /grant_access` — grants firewall access
+- `POST /` (payment) — accepts Cashu token, returns `kind:1022`
+- `GET /` (port 80 portal) — returns 3829 bytes HTML
+- `GET /reset_authentication` — clears all sessions and firewall rules
+
+Full payment flow verified: check → pay → verify → grant → portal → reset → verify clean state.
+
+---
+
+## Root Causes
+
+### RC-0: LWIP socket exhaustion (FIXED)
+
+`CONFIG_LWIP_MAX_SOCKETS=10` in sdkconfig. Socket budget at steady state:
+
+| Component | Sockets | Notes |
+|---|---|---|
+| Captive portal (port 80) | 5 | 1 listen + 4 workers (default `max_open_sockets`) |
+| API server (port 2121) | 5 | 1 listen + 4 workers |
+| DNS server (UDP 53) | 1 | |
+| DoT reject (TCP 853) | 1 | |
+| wifistr WebSocket x2 | 2 | relay.damus.io + nos.lol |
+| **Total** | **14** | **Exceeds LWIP_MAX_SOCKETS=10 by 4** |
+
+**Fix** (commit `144b48f`): Set `CONFIG_LWIP_MAX_SOCKETS=20` (matching standalone tollgate). Use default `max_open_sockets=4` on both servers. Previous fix tried `max_open_sockets=2` which caused worse problems (see RC-1).
+
+### RC-1: Over-tuned httpd settings (FIXED)
+
+Initial fix reduced `max_open_sockets` to 2 and added `keep_alive_enable=false`, `linger_timeout=0`. This caused socket leaks — ESP-IDF's httpd manages its own session pool internally, and overriding these settings interfered with socket lifecycle management.
+
+**Symptoms**: Board works for 10-20 requests, then all HTTP becomes unresponsive. Sockets accumulate in CLOSE_WAIT/TIME_WAIT and never get freed.
+
+**Fix** (commit `144b48f`): Reverted to ESP-IDF defaults for all httpd settings except `stack_size=16384` and `max_uri_handlers`. Default `max_open_sockets=4` and `keep_alive_enable=true` (default) work correctly.
+
+### RC-2: Owner auto-grant (FIXED)
+
+`tollgate_core_client_connected()` granted firewall access to the first WiFi client unconditionally. IP was passed as `0` (bug), creating nondeterministic behavior.
+
+**Fix** (commit `c89ab31`): Removed `tollgate_core_fw_grant()` call from `client_connected()`. Owner tracking kept for logging.
+
+### RC-3: No boot-ready probe (PENDING)
+
+Tests use fixed sleeps after flash. No polling for HTTP server readiness.
+
+**Fix**: Add `arch-wait-ready` Makefile target that polls `:2121/usage`.
+
+### RC-4: Serial monitoring resets boards (DISCOVERED)
+
+Python `serial.Serial()` on USB-Serial/JTAG ESP32-S3 boards toggles DTR/RTS during initialization, causing `rst:0x15 (USB_UART_CHIP_RESET)`. This resets the chip even if `dtr=False, rts=False` is set after construction.
+
+**Symptoms**:
+- Board boots successfully, services start, gets IP
+- Python serial read causes immediate `ESP-ROM: boot:0x0 (DOWNLOAD)` or `rst:0x15`
+- Board appears "dead" after testing — actually reset into download mode
+- Earlier sessions attributed this to "socket exhaustion" or "WiFi instability"
+
+**Fix**: Never use Python `serial.Serial()` for monitoring. Use `idf.py monitor` (which handles DTR/RTS correctly) or read-only tools. All hardware access must go through Makefile mutex targets.
+
+---
+
+## Fix Steps
+
+### Step 0: Fix LWIP socket exhaustion — DONE
+- [x] Set `CONFIG_LWIP_MAX_SOCKETS=20` via sdkconfig (commit `144b48f`)
+- [x] Use default `max_open_sockets` on both HTTP servers (removed override)
+- [x] Verified: 50/50 sequential API requests pass on Board ACM2
+
+**Files**: `sdkconfig`, `main/captive_portal.c`, `main/tollgate_api.c`
+
+### Step 1: Kill owner auto-grant — DONE
+- [x] Remove `tollgate_core_fw_grant()` from `tollgate_core_client_connected()` (commit `c89ab31`)
+- [x] Keep owner tracking for logging
+
+**Files**: `components/tollgate_core/src/tollgate_core.c`
+
+### Step 2: HTTP server robustness — DONE
+- [x] Add `Connection: close` header to port 80 responses (commit `c89ab31`)
+- [x] Increase captive portal stack to 16384 (commit `c89ab31`)
+- [x] Use ESP-IDF default socket management (commit `144b48f`)
+
+**Files**: `main/captive_portal.c`, `main/tollgate_api.c`
+
+### Step 3: Add API endpoints — DONE
+- [x] `GET /portal-config` on port 2121 returning `{priceSats, mintUrl, ...}` (commit `c89ab31`)
+- [x] `GET /grant_access` — manual firewall grant (commit `c89ab31`)
+- [x] `GET /reset_authentication` — clear all auth (commit `c89ab31`)
+- [x] CORS header on portal-config
+
+**Files**: `main/tollgate_api.c`
+
+### Step 4: Remove NAPT flush from `fw_revoke_all()` — DONE
+- [x] Remove `ip_napt_enable()` toggle that caused 30s hangs (commit `c89ab31`)
+
+**Files**: `components/tollgate_core/src/tollgate_core_firewall.c`
+
+### Step 5: Boot-ready probe — PENDING
+- [ ] Add `arch-wait-ready` Makefile target that polls `:2121/usage`
+- [ ] Update `arch-test-full` to call `arch-wait-ready` first
+- [ ] Add 2-3 second delays between test requests (burst rate mitigation)
+
+**Files**: `physical-router-test-automation/esp32/Makefile`
+
+### Step 6: Hardware testing — BLOCKED
+- [ ] Flash to working board via Makefile mutex targets
+- [ ] Run `make arch-test-full`
+- [ ] Document results
+- [ ] Board A stuck in download mode (GPIO0 strapping pin) — needs hardware fix
+
+---
+
+## Burst Rate Limitation
+
+On USB-Serial/JTAG ESP32-S3 boards, back-to-back HTTP requests with no delay can
+overwhelm the WiFi AP stack. With 2-3 second delays between requests, the board
+handles 50+ sequential requests reliably. Without delays, rapid bursts of 10+
+requests can cause the WiFi AP to become unresponsive.
+
+**Mitigation**: E2E tests should include a 2-3 second delay between HTTP requests.
+This is a WiFi AP throughput limitation, not a firmware bug.
+
+## Board Status
+
+| Board | Port | MAC | Status |
+|-------|------|-----|--------|
+| Board A | `/dev/ttyACM0` | `94:a9:90:2e:37:7c` | **BROKEN** — stuck in download mode (`boot:0x0`), GPIO0 strapping pin issue, needs hardware fix |
+| Board B | `/dev/ttyACM1` | `fc:01:2c:c5:50:50` | Unknown — newly discovered, needs firmware flash |
+| Board C | `/dev/ttyACM2` | `20:6e:f1:98:d7:08` | **WORKING** — all endpoints verified, payment flow tested |
+
+## Key Architecture Decisions
+
+- **Port 80**: Portal HTML + captive detection URIs only. No API, no state mutation.
+- **Port 2121**: All API operations (discovery, payment, grant, reset, whoami, usage, wallet, portal-config).
+- **Owner tracking**: Kept for logging/display, no longer grants free internet.
+- **Connection: close**: Set on ALL port 80 responses to hint clients.
+- **Default httpd settings**: ESP-IDF's built-in session management works correctly. Do not override `max_open_sockets`, `keep_alive_enable`, `linger_timeout`, or timeouts.
+
+## Execution Order
+
+Steps 0-4 are DONE (commits `c89ab31`, `144b48f`).
+Step 5 (boot-ready probe) is next — code only, no hardware needed.
+Step 6 (validation) requires working board via Makefile mutex targets.
+
+## Hardware Access Rules
+
+- **ALWAYS** use Makefile mutex targets (`make arch-flash-a`, etc.) for hardware access
+- **NEVER** call `esptool.py` directly — bypasses mutex and conflicts with other sessions
+- **NEVER** use Python `serial.Serial()` for monitoring — causes DTR/RTS resets on USB-Serial/JTAG
+- Multiple opencode sessions may be active — mutex prevents board conflicts
diff --git a/docs/TOLLGATE_CORE_DESIGN.md b/docs/TOLLGATE_CORE_DESIGN.md
new file mode 100644
index 0000000..5132cf0
--- /dev/null
+++ b/docs/TOLLGATE_CORE_DESIGN.md
@@ -0,0 +1,446 @@
+# TollGate Core Component: Architecture Design
+
+## Goal
+
+Maintain all TollGate business logic in `esp32-tollgate` as a reusable ESP-IDF
+component (`tollgate_core`), and consume it in `esp-miner` (BitAxe) via the
+**IDF Component Manager**. No code duplication, no manual sync.
+
+## Current State (Pre-Refactoring)
+
+All TollGate modules live flat in `esp32-tollgate/main/`:
+
+```
+esp32-tollgate/main/
+  cashu.c / cashu.h
+  dns_server.c / dns_server.h
+  firewall.c / firewall.h
+  session.c / session.h
+  tollgate_api.c / tollgate_api.h
+  tollgate_client.c / tollgate_client.h
+  config.c / config.h
+  ...
+```
+
+The ESP-Miner port (`esp-miner/main/tollgate_*.c`) is a manual copy with edits:
+stripped prefixes (`cashu_` → `tollgate_cashu_`), NVS config instead of
+`config.h` singleton, removed wallet integration, moved cross-module wiring.
+
+### Shared Code by Module
+
+| Module | Shared % | Key Differences |
+|--------|----------|-----------------|
+| cashu | 73% | Config access, mint check parameterized |
+| dns_server | 74% | Minor logic reorder, logging stripped |
+| firewall | 94% | Cross-module DNS notification moved |
+| session | 79% | Bytes metric stripped, DNS notification added |
+| tollgate_api vs tollgate.c | 13% | Full rewrite (HTTP server vs library API) |
+| tollgate_client | 0% | No ESP-Miner equivalent |
+
+## Target Architecture
+
+### Directory Layout (in `esp32-tollgate`)
+
+```
+esp32-tollgate/
+  components/
+    tollgate_core/                    ← shared ESP-IDF component
+      CMakeLists.txt
+      idf_component.yml              ← component metadata for IDF Component Manager
+      include/
+        tollgate_core.h              ← public API
+        tollgate_platform.h          ← platform interface (config/state callbacks)
+      src/
+        tollgate_core_cashu.c        ← from main/cashu.c
+        tollgate_core_cashu.h
+        tollgate_core_dns.c          ← from main/dns_server.c
+        tollgate_core_dns.h
+        tollgate_core_firewall.c     ← from main/firewall.c
+        tollgate_core_firewall.h
+        tollgate_core_session.c      ← from main/session.c
+        tollgate_core_session.h
+    nucula_lib/                       ← stays as-is (git submodule + wrapper)
+      CMakeLists.txt
+      nucula_wallet.cpp / .h
+  main/
+    tollgate_platform.c               ← standalone impl of tollgate_platform.h
+    tollgate_api.c / .h               ← standalone HTTP server (unchanged)
+    tollgate_client.c / .h            ← standalone client mode (unchanged)
+    config.c / config.h               ← standalone config (unchanged)
+    ...
+```
+
+### How ESP-Miner Consumes It
+
+In `esp-miner/main/idf_component.yml`:
+
+```yaml
+dependencies:
+  tollgate/core:
+    git: https://github.com/<user>/esp32-tollgate.git
+    path: components/tollgate_core
+```
+
+ESP-Miner provides only:
+
+```
+esp-miner/main/
+  tollgate_platform.c               ← implements tollgate_platform.h (NVS config)
+  tollgate.c / .h                    ← ESP-Miner orchestrator (owner detection, WiFi events)
+  tollgate_page.html                 ← captive portal payment UI
+  lwip_tollgate_hooks.h              ← LWIP hook (stays in esp-miner)
+  http_server.c                      ← modified to call tollgate_core API
+```
+
+### Why IDF Component Manager (not submodule)
+
+| Aspect | IDF Component Manager | Git Submodule |
+|--------|----------------------|---------------|
+| What's downloaded | Only `components/tollgate_core/` | Entire `esp32-tollgate` repo |
+| Update mechanism | Modify version in yml, rebuild | Manual `git submodule update` |
+| Transitive deps | Automatic (nucula_lib resolved) | Must manage manually |
+| CI/CD | Automatic on `idf.py build` | Needs `--recursive` clone |
+| Offline after first build | Yes (cached in managed_components) | Yes |
+| Contributor friction | Low (automatic) | Moderate (forgot --recursive) |
+
+ESP-Miner never reaches into tollgate_core's source tree. It calls a clean API
+and provides a platform implementation. This is exactly the "packaged API
+consumption" pattern the Component Manager is designed for.
+
+### Why Git Submodule for nucula (not Component Manager)
+
+nucula is consumed differently — it's a **raw source integration**:
+
+```cmake
+# nucula_lib/CMakeLists.txt reaches INTO the submodule and cherry-picks files:
+set(NUCULA_SRC ${CMAKE_CURRENT_SOURCE_DIR}/../../nucula_src/main)
+idf_component_register(
+    SRCS "nucula_wallet.cpp"
+         "${NUCULA_SRC}/crypto.c"       # cherry-picked
+         "${NUCULA_SRC}/wallet.cpp"     # cherry-picked
+         "${NUCULA_SRC}/cashu_json.cpp" # cherry-picked (6 of ~20 files)
+         "${NUCULA_SRC}/nut10.cpp"
+         "${NUCULA_SRC}/hex.c"
+         "${NUCULA_SRC}/http.c"
+    ...
+)
+```
+
+The Component Manager downloads packaged components — you get everything or
+nothing. You can't say "give me this component but only compile these 6 files
+from it." A git submodule gives you the raw source tree on disk, which is what
+cherry-picking requires.
+
+**Principle:** Need to reach into source tree and pick files? → Submodule.
+Only need a clean API? → Component Manager.
+
+### The Platform Interface
+
+```c
+// components/tollgate_core/include/tollgate_platform.h
+
+#ifndef TOLLGATE_PLATFORM_H
+#define TOLLGATE_PLATFORM_H
+
+#include <stdint.h>
+#include <stdbool.h>
+
+typedef struct {
+    // Config access (each project implements its own storage)
+    uint16_t     (*get_price_sats)(void);
+    int32_t      (*get_step_ms)(void);
+    const char * (*get_mint_url)(void);
+    const char * (*get_metric)(void);         // "milliseconds" or "bytes"
+    int32_t      (*get_step_bytes)(void);
+
+    // Time source
+    int64_t      (*get_time_ms)(void);
+
+    // Wallet integration: called after proofs verified, before session create
+    // Return true to proceed, false to reject payment
+    // Can be NULL (accepts payment without spending proofs — double-spend risk)
+    bool         (*spend_proofs)(const char *raw_token_json);
+} tollgate_platform_t;
+
+#endif
+```
+
+**Standalone implementation** (`main/tollgate_platform.c`):
+- Reads from `tollgate_config_get()` singleton (SPIFFS-backed)
+- `spend_proofs` calls `nucula_wallet_receive()` to swap proofs at the mint
+
+**ESP-Miner implementation** (`main/tollgate_platform.c`):
+- Reads from `nvs_config_get_*()` (NVS flash)
+- `spend_proofs` is initially NULL (Phase 1: accept without spending)
+- Later: calls nucula_wallet_receive when wallet component is integrated
+
+### Wallet Integration: The Double-Spend Problem
+
+The `spend_proofs` hook exists because of a real security gap:
+
+```
+Client sends Cashu token
+    │
+    ▼
+cashu_decode_token()          ← extract proofs
+    │
+    ▼
+cashu_check_proof_states()    ← HTTP POST to mint /v1/checkstate: "unspent?"
+    │
+    ▼
+spend_proofs()                ← THE CRITICAL STEP
+    │                              standalone: nucula_wallet_receive() → swap at mint
+    │                              esp-miner: NULL → skipped (double-spend window)
+    ▼
+session_create()              ← grant client access
+```
+
+Without `spend_proofs`, a client can replay the same token on multiple devices.
+Both check "unspent?" → both say yes → both grant access. The swap step marks
+proofs as spent at the mint, closing the window.
+
+ESP-Miner accepts this risk initially. When `spend_proofs` is NULL, the
+component logs a warning. Phase 2 of ESP-Miner integration adds nucula and
+implements the hook.
+
+### Cross-Module Wiring (Internal to tollgate_core)
+
+The `session → firewall → dns_server` notification chain stays internal:
+
+```
+tollgate_core_session_create()
+  → tollgate_core_firewall_grant(ip)
+      → tollgate_core_dns_set_authenticated(ip, true)
+
+tollgate_core_session_revoke()
+  → tollgate_core_firewall_revoke(ip)
+      → tollgate_core_dns_set_authenticated(ip, false)
+```
+
+Consumers never see this. They call `tollgate_core_process_payment()` and
+`tollgate_core_tick()`. The internal wiring is an implementation detail.
+
+### Full Dependency Graph
+
+```
+esp-miner
+  └── IDF Component Manager → tollgate_core (API-level boundary)
+        ├── CMakeLists.txt REQUIRES: nucula_lib
+        └── Platform: esp-miner provides tollgate_platform_t (NVS-backed)
+
+esp32-tollgate (standalone)
+  └── tollgate_core (local component, same repo)
+        ├── CMakeLists.txt REQUIRES: nucula_lib
+        └── Platform: main/tollgate_platform.c (config singleton-backed)
+
+nucula_lib (local component in esp32-tollgate)
+  └── cherry-picks source files from nucula_src/ (git submodule → zeugmaster/nucula)
+```
+
+### Dependency Chain for IDF Component Manager
+
+When `esp-miner` declares:
+
+```yaml
+dependencies:
+  tollgate/core:
+    git: https://github.com/<user>/esp32-tollgate.git
+    path: components/tollgate_core
+```
+
+The Component Manager:
+1. Clones `esp32-tollgate` (or fetches the component archive)
+2. Reads `tollgate_core/idf_component.yml` → finds dependency on `nucula_lib`
+3. Since `nucula_lib` is a sibling component in the same repo, resolves it
+   from the same clone
+4. Downloads into `managed_components/`
+5. `nucula_lib` depends on `secp256k1` (local component) and `nucula_src`
+   (submodule) — these must be available within the cloned repo
+
+**Note:** The git submodule within `nucula_src` needs verification. The IDF
+Component Manager may or may not initialize submodules within a git-sourced
+dependency. This needs testing. If it doesn't, `nucula_lib` may need to bundle
+the required nucula source files directly instead of referencing a submodule.
+
+## Blocking Dependencies
+
+This refactoring **must not proceed** until these branches land on master:
+
+| Branch | Blocking Files | Status |
+|--------|---------------|--------|
+| `feature/multi-mint-support` | `cashu.c`, `tollgate_api.c`, `main/CMakeLists.txt`, `nucula_wallet.cpp/h`, `captive_portal.c`, `mint_health.c/h`, `config.c/h` | **In progress** |
+| `feature/price-discovery` | `tollgate_api.c`, `tollgate_client.c`, `main/CMakeLists.txt`, `config.c/h`, `beacon_price.c/h`, `market.c/h` | **In progress** |
+| `feature/cvm-integration` | Same commit as master — no new changes | **Merged already** |
+
+**Specific conflicts if we refactor now:**
+- Moving `cashu.c` → `tollgate_core_cashu.c` while multi-mint modifies `cashu.c`
+- Moving `dns_server.c` while price-discovery may touch it
+- Modifying `main/CMakeLists.txt` (remove SRCS) while all branches modify it
+- Modifying `tollgate_api.c` call sites while multi-mint and price-discovery modify it
+
+## Refactoring Plan (After Blocking PRs Merge)
+
+### Phase 0: Prerequisites
+
+- [ ] All blocking PRs merged to master
+- [ ] This branch rebased onto latest master
+- [x] Full build passes on master
+
+### Phase 1: Create Component Skeleton
+
+- [x] Create `components/tollgate_core/` directory structure
+- [x] Create `components/tollgate_core/include/tollgate_core.h` (public API)
+- [x] Create `components/tollgate_core/include/tollgate_platform.h` (platform interface)
+- [x] Create `components/tollgate_core/idf_component.yml` (component metadata)
+- [x] Create `components/tollgate_core/CMakeLists.txt` (register component)
+- [ ] Verify empty component builds without errors
+
+### Phase 2: Move Core Modules (one at a time, build after each)
+
+- [x] Copy `main/cashu.c/h` → `components/tollgate_core/src/tollgate_core_cashu.c/h`
+  - [x] Rename functions: `cashu_*` → `tollgate_core_cashu_*`
+  - [x] Replace `tollgate_config_get()` calls with parameterized arguments
+  - [x] Remove direct `config.h` include
+  - [ ] Build and verify
+- [x] Copy `main/dns_server.c/h` → `components/tollgate_core/src/tollgate_core_dns.c/h`
+  - [x] Rename functions: `dns_server_*` → `tollgate_core_dns_*`
+  - [x] No platform dependencies (pure LWIP) — clean copy
+  - [ ] Build and verify
+- [x] Copy `main/firewall.c/h` → `components/tollgate_core/src/tollgate_core_firewall.c/h`
+  - [x] Rename functions: `firewall_*` → `tollgate_core_firewall_*` / `tollgate_core_fw_*`
+  - [x] Internalize `dns_set_authenticated` calls (kept within component)
+  - [x] Remove `dns_server.h` external dependency
+  - [ ] Build and verify
+- [x] Copy `main/session.c/h` → `components/tollgate_core/src/tollgate_core_session.c/h`
+  - [x] Rename functions: `session_*` → `tollgate_core_session_*`
+  - [x] Replace `config.h` calls with platform callbacks for metric check
+  - [x] Internalize firewall notification (already calls firewall directly)
+  - [x] Support both time and bytes metrics (portable, not stripped)
+  - [ ] Build and verify
+
+### Phase 3: Wire Component API
+
+- [x] Implement `tollgate_core_init(const tollgate_platform_t *platform, esp_ip4_addr_t ap_ip)` — stores platform, inits all sub-modules
+- [x] Implement `tollgate_core_process_payment(ip, token)` — decode → verify → spend → create session
+- [x] Implement `tollgate_core_client_connected(mac, ip)` — owner detection + firewall check
+- [x] Implement `tollgate_core_client_disconnected(mac)` — session cleanup + owner reassign
+- [x] Implement `tollgate_core_tick()` — session expiry check
+- [x] Implement `tollgate_core_get_status_json()` — JSON status
+- [x] Implement `tollgate_core_get_config_json()` — JSON config (via platform)
+- [x] Build and verify standalone
+
+### Phase 4: Standalone Platform Implementation
+
+- [x] Create `main/tollgate_platform.c` implementing `tollgate_platform_t`
+  - [x] `get_price_sats` → `tollgate_config_get()->price_per_step`
+  - [x] `get_step_ms` → `tollgate_config_get()->step_size`
+  - [x] `get_mint_url` → `tollgate_config_get()->mint_url`
+  - [x] `get_metric` → `tollgate_config_get()->metric`
+  - [x] `get_step_bytes` → `tollgate_config_get()->step_bytes`
+  - [x] `get_time_ms` → `xTaskGetTickCount() * portTICK_PERIOD_MS`
+  - [x] `spend_proofs` → stub returning true (wallet called separately)
+- [x] Update `main/tollgate_api.c` to call `tollgate_core_*` instead of direct module calls
+- [x] Update `main/tollgate_main.c` init sequence
+- [x] Remove old `main/cashu.c`, `main/dns_server.c`, `main/firewall.c`, `main/session.c` from CMakeLists.txt
+- [x] Update `main/CMakeLists.txt` (remove old SRCS, add `tollgate_platform.c`, add `tollgate_core` to REQUIRES)
+- [x] Update `main/lwip_tollgate_hooks.h` to call `tollgate_core_ip4_canforward_filter`
+- [x] Full standalone build + test (verified: `c8c68dc` — build passes, 61/61 unit tests pass)
+
+### Phase 4.5: Physical Board E2E Testing (Board A)
+
+- [x] Create `tests/integration/helpers/network.mjs` (shared test utilities)
+- [x] Add arch test Makefile targets with mutex protection to `physical-router-test-automation/esp32/Makefile`
+- [x] Add top-level Makefile wrappers for arch tests
+- [ ] Acquire Board A mutex lock
+- [ ] Flash arch firmware to Board A
+- [ ] Verify boot via serial (no panics, services started)
+- [ ] Connect WiFi to Board A AP
+- [ ] Run smoke test (`arch-test-smoke`)
+- [ ] Run network test (`arch-test-network`)
+- [ ] Run API test (`arch-test-api`)
+- [ ] Run DNS + firewall test (`arch-test-dns-fw`)
+- [ ] Run reset auth test (`arch-test-reset`)
+- [ ] Run session expiry test (`arch-test-session`)
+- [ ] Run phase 2 API test (`arch-test-phase2`)
+- [ ] Commit and push test results
+- [ ] Release Board A mutex lock
+
+### Phase 5: ESP-Miner Integration
+
+- [ ] Update `esp-miner/main/idf_component.yml` to add tollgate_core dependency
+- [ ] Create `esp-miner/main/tollgate_platform.c` implementing `tollgate_platform_t`
+  - [ ] Config reads from NVS (`nvs_config_get_*`)
+  - [ ] `spend_proofs` = NULL initially (Phase 1: accept without spending)
+- [ ] Update `esp-miner/main/tollgate.c` to call `tollgate_core_*` API
+- [ ] Remove `esp-miner/main/tollgate_cashu.c`, `tollgate_dns.c`, `tollgate_firewall.c`, `tollgate_session.c`
+- [ ] Update `esp-miner/main/CMakeLists.txt` (remove old SRCS)
+- [ ] Full ESP-Miner build + test
+
+### Phase 6: Verify Component Manager Flow
+
+- [ ] Remove local `managed_components/` if present
+- [ ] Run `idf.py reconfigure` in esp-miner — verify Component Manager downloads tollgate_core
+- [ ] Run `idf.py build` — verify transitive dependency resolution (nucula_lib + nucula_src)
+- [ ] Test that submodule within nucula_src is properly initialized by Component Manager
+- [ ] If submodule init fails: bundle nucula source files directly in nucula_lib instead
+
+### Phase 7: Documentation and Cleanup
+
+- [ ] Update `esp-miner/main/idf_component.yml` with correct git URL
+- [ ] Update `esp-miner/TOLLGATE_PR_PLAN.md` to reflect component-based architecture
+- [ ] Add `docs/` to `tollgate_core` with integration guide for new consumers
+- [ ] Update `esp-miner/TOLLGATE_CHECKLIST.md`
+- [ ] Verify both projects build clean from scratch
+
+## Open Questions
+
+- [ ] Does the IDF Component Manager initialize git submodules within git-sourced dependencies?
+- [ ] Should tollgate_core publish to the ESP Component Registry (public) or stay git-only?
+- [ ] What versioning scheme for tollgate_core? (semver tags in esp32-tollgate?)
+
+## Performance Optimization Backlog
+
+### Burst Rate Limitation (KNOWN ISSUE)
+
+USB-Serial/JTAG ESP32-S3 boards have a WiFi AP throughput ceiling. Back-to-back
+HTTP requests with no delay (>10 requests/sec) can overwhelm the AP stack,
+causing TCP connections to time out. With 2-3 second delays between requests,
+the board handles 50+ sequential requests reliably.
+
+**Mitigation**: E2E tests include 2-3 second delays between requests. This is
+a WiFi AP limitation, not a firmware bug.
+
+### Serial Monitoring Causes Resets (DISCOVERED)
+
+Python `serial.Serial()` on USB-Serial/JTAG ESP32-S3 boards toggles DTR/RTS
+during initialization, causing `rst:0x15 (USB_UART_CHIP_RESET)`. This resets
+the chip even if `dtr=False, rts=False` is set post-construction. Multiple
+sessions accessing serial ports without mutex coordination compound the issue.
+
+**Mitigation**: All hardware access goes through Makefile mutex targets. Never
+use Python `serial.Serial()` directly. Use `idf.py monitor` for serial output.
+
+### Captive Detection Flood
+- [ ] Rate-limit or debounce captive detection URI handlers (`/generate_204`, `/hotspot-detect.html`, etc.) to prevent socket exhaustion from OS/browser probes
+- [ ] Consider single-handler approach: all captive URIs return a minimal 204/302 without processing HTML template
+- [ ] Evaluate `lru_purge_enable = true` with tuned `max_open_sockets` and `recv_wait_timeout`
+
+### Static Portal HTML (No Dynamic Template Substitution)
+- [ ] Replace `__AP_IP__`, `__PRICE__`, `__MINT_URL__` template substitution with static const HTML
+- [ ] Portal JS fetches config at load time from `:2121/` API (already returns `kind=10021` with `price_per_step` and mint URL)
+- [ ] Eliminates `malloc()` + `strstr()` loop per request — zero-computation static serve
+- [ ] Reduces portal handler latency from ~47s to near-instant
+
+### HTTP Server Tuning
+
+**IMPORTANT**: Use ESP-IDF defaults for `max_open_sockets`, `keep_alive_enable`,
+`linger_timeout`, `recv_wait_timeout`, and `send_wait_timeout`. Overriding these
+causes socket leaks (verified: `max_open_sockets=2` + `keep_alive_enable=false`
+caused complete socket exhaustion after 15-20 requests).
+
+- [x] Set `stack_size=16384` on both servers (fixed ESP_ERR_HTTPD_TASK)
+- [x] Set `CONFIG_LWIP_MAX_SOCKETS=20` (matches standalone tollgate)
+- [x] Use default `max_open_sockets=4` on both servers
+- [x] Separate `ctrl_port` values for portal vs API servers
+- [ ] Consider `lru_purge_enable = true` for production tuning
+- [ ] Should `tollgate_client.c` (client mode) eventually move into tollgate_core?
diff --git a/docs/WPA_AUTODETECT_PLAN.md b/docs/WPA_AUTODETECT_PLAN.md
new file mode 100644
index 0000000..8228b1a
--- /dev/null
+++ b/docs/WPA_AUTODETECT_PLAN.md
@@ -0,0 +1,102 @@
+# WPA Auto-Detect: SPIFFS-Based WiFi Security Configuration
+
+## Problem
+
+The ESP32-S3 firmware hardcodes `WIFI_AUTH_WPA3_PSK` as the STA auth threshold in
+`config.c:289`. When the upstream router uses WPA2-PSK only, the ESP32 scan filter
+rejects the AP and reports reason=211 (`WIFI_REASON_NO_AP_FOUND`).
+
+## Root Cause
+
+```c
+// config.c:289 — BEFORE
+wifi_config->sta.threshold.authmode = WIFI_AUTH_WPA3_PSK;
+```
+
+The `threshold.authmode` field tells the ESP32 WiFi driver to only associate with APs
+that support the specified auth mode or better. WPA3-only threshold means WPA2 APs are
+invisible during scan.
+
+## Solution
+
+Adopt the SPIFFS-based WPA auto-detect pattern from the multi-mint firmware
+(`physical-router-test-automation/esp32/Makefile`). The approach:
+
+1. **Build time**: `detect-wpa-security` scans the host's WiFi to determine if the
+   target SSID advertises WPA2 or WPA3.
+2. **SPIFFS generation**: `generate-spiffs` writes a `config.json` with the detected
+   `wifi_auth_mode` field.
+3. **Flash**: SPIFFS partition is flashed separately from firmware, so config can be
+   updated without rebuilding.
+4. **Runtime**: Firmware parses `wifi_auth_mode` from `config.json` and maps it to the
+   correct `wifi_auth_mode_t` threshold.
+
+## Files to Modify
+
+### Firmware (`esp32-tollgate-arch`)
+
+| File | Change |
+|------|--------|
+| `main/config.h` | Add `wifi_auth_threshold` field to `tollgate_config_t` |
+| `main/config.c` | Parse `wifi_auth_mode` from config.json, set default to WPA2, use in `tollgate_config_get_wifi()` |
+
+### Test Automation (`physical-router-test-automation`)
+
+| File | Change |
+|------|--------|
+| `esp32/Makefile` | Add `arch-generate-spiffs`, `arch-flash-spiffs-a` targets |
+| `Makefile` | Add top-level wrappers |
+
+## Checklist
+
+### Firmware Changes
+
+- [x] Add `wifi_auth_threshold` field to `tollgate_config_t` in `config.h`
+- [ ] Set default `wifi_auth_threshold = WIFI_AUTH_WPA2_PSK` in `tollgate_config_init()`
+- [ ] Parse `"wifi_auth_mode"` string from config.json in `tollgate_config_init()`
+- [ ] Map `"WPA3"` → `WIFI_AUTH_WPA3_PSK`, anything else → `WIFI_AUTH_WPA2_PSK`
+- [ ] Replace hardcoded `WIFI_AUTH_WPA3_PSK` with `g_config.wifi_auth_threshold` in `tollgate_config_get_wifi()`
+- [ ] Build succeeds (`idf.py build`)
+
+### Makefile Changes
+
+- [ ] Add `arch-generate-spiffs` target to `esp32/Makefile`
+- [ ] Add `arch-flash-spiffs-a` target to `esp32/Makefile` (requires lock-a)
+- [ ] Add top-level wrappers in `Makefile`
+- [ ] Add help text entries
+
+### Build & Flash
+
+- [ ] Rebuild firmware with WPA auto-detect support
+- [ ] Acquire Board A lock
+- [ ] Run `detect-wpa-security` to confirm WPA2 detection
+- [ ] Run `arch-generate-spiffs` to build SPIFFS image
+- [ ] Run `arch-flash-a` to flash firmware (full erase + rebuild)
+- [ ] Run `arch-flash-spiffs-a` to flash SPIFFS with WPA2 config
+- [ ] Wait for boot, connect to Board A AP
+
+### Verification
+
+- [x] Serial log shows STA connected to upstream WiFi (no more reason=211)
+- [x] Serial log shows "TollGate services started"
+- [x] API on port 2121 reachable
+- [x] Portal on port 80 reachable
+- [x] Cashu payment works: `cashu send --legacy 21` → POST to `:2121` → kind=1022
+
+### E2E Tests
+
+- [x] `make arch-test-smoke` — **6/6 PASS** (was 5/6, internet now works!)
+- [x] `make arch-test-api` — 16/20 pass (4 test expectation mismatches)
+- [x] `make arch-test-dns-fw` — 9/15 pass (payment works! DNS hijack tests need env fix)
+- [x] `make arch-test-reset` — **11/13 pass** (payment+reset works, second payment token issue)
+- [x] `make arch-test-session` — 7/11 pass (session expiry works, renewal works)
+- [x] `make arch-test-phase2` — **12/12 PASS** (all API tests pass)
+- [ ] `make arch-test-network` — 3/7 pass (DNS tests need env fix)
+
+### Commit & Push
+
+- [ ] Commit firmware changes to `feature/tollgate-core-component`
+- [ ] Push to ngit remote
+- [ ] Commit Makefile changes to `feature/router-to-router-interaction`
+- [ ] Push to ngit remote
+- [ ] Release Board A lock
diff --git a/main/CMakeLists.txt b/main/CMakeLists.txt
index 90000b7..2107cf1 100644
--- a/main/CMakeLists.txt
+++ b/main/CMakeLists.txt
@@ -30,9 +30,10 @@ idf_component_register(SRCS "tollgate_main.c"
                             "stratum_proxy.c"
                             "sw_miner.c"
                             "asic_miner.c"
+                            "tollgate_platform.c"
                     INCLUDE_DIRS "."
                      REQUIRES esp_wifi esp_event esp_netif nvs_flash esp_http_server
                               lwip json esp_http_client mbedtls esp-tls log spiffs
                               nucula_lib secp256k1 axs15231b qrcode wisp_relay
-                              negentropy_lib tcp_transport
+                              negentropy_lib tcp_transport tollgate_core
                      PRIV_REQUIRES esp-tls)
diff --git a/main/config.c b/main/config.c
index aa7da6d..43ab2a7 100644
--- a/main/config.c
+++ b/main/config.c
@@ -46,6 +46,9 @@ esp_err_t tollgate_config_init(void)
     g_config.stratum_port = 3333;
     g_config.mining_port = 3334;
     g_config.mining_sandbox_mint_access = true;
+    g_config.market_enabled = true;
+    g_config.market_scan_interval_s = 30;
+    g_config.client_auto_switch = false;
 
     esp_vfs_spiffs_conf_t conf = {
         .base_path = "/spiffs",
@@ -361,6 +364,15 @@ esp_err_t tollgate_config_init(void)
         if (m_sandbox && cJSON_IsBool(m_sandbox)) g_config.mining_sandbox_mint_access = cJSON_IsTrue(m_sandbox);
     }
 
+    cJSON *market_enabled = cJSON_GetObjectItem(root, "market_enabled");
+    if (market_enabled && cJSON_IsBool(market_enabled)) g_config.market_enabled = cJSON_IsTrue(market_enabled);
+
+    cJSON *market_scan_interval = cJSON_GetObjectItem(root, "market_scan_interval_s");
+    if (market_scan_interval) g_config.market_scan_interval_s = market_scan_interval->valueint;
+
+    cJSON *client_auto_switch = cJSON_GetObjectItem(root, "client_auto_switch");
+    if (client_auto_switch && cJSON_IsBool(client_auto_switch)) g_config.client_auto_switch = cJSON_IsTrue(client_auto_switch);
+
     cJSON_Delete(root);
 
     if (g_config.payout.recipient_count == 0) {
diff --git a/main/lwip_tollgate_hooks.h b/main/lwip_tollgate_hooks.h
index 76017be..2953c48 100644
--- a/main/lwip_tollgate_hooks.h
+++ b/main/lwip_tollgate_hooks.h
@@ -3,8 +3,8 @@
 
 #include "lwip/pbuf.h"
 
-int tollgate_ip4_canforward_filter(struct pbuf *p, u32_t dest_addr_hostorder);
+int tollgate_core_ip4_canforward_filter(struct pbuf *p, u32_t dest_addr_hostorder);
 
-#define LWIP_HOOK_IP4_CANFORWARD(p, addr) tollgate_ip4_canforward_filter(p, addr)
+#define LWIP_HOOK_IP4_CANFORWARD(p, addr) tollgate_core_ip4_canforward_filter(p, addr)
 
 #endif
diff --git a/main/tollgate_platform.c b/main/tollgate_platform.c
new file mode 100644
index 0000000..4083c4e
--- /dev/null
+++ b/main/tollgate_platform.c
@@ -0,0 +1,63 @@
+#include "tollgate_platform.h"
+#include "tollgate_core.h"
+#include "config.h"
+#include "esp_log.h"
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+
+static const char *TAG = "tollgate_platform";
+
+static uint16_t platform_get_price_sats(void)
+{
+    const tollgate_config_t *cfg = tollgate_config_get();
+    return cfg ? (uint16_t)cfg->price_per_step : 21;
+}
+
+static int32_t platform_get_step_ms(void)
+{
+    const tollgate_config_t *cfg = tollgate_config_get();
+    return cfg ? (int32_t)cfg->step_size_ms : 60000;
+}
+
+static const char *platform_get_mint_url(void)
+{
+    const tollgate_config_t *cfg = tollgate_config_get();
+    return cfg ? cfg->mint_url : "https://testnut.cashu.space";
+}
+
+static const char *platform_get_metric(void)
+{
+    const tollgate_config_t *cfg = tollgate_config_get();
+    return cfg ? cfg->metric : "milliseconds";
+}
+
+static int32_t platform_get_step_bytes(void)
+{
+    const tollgate_config_t *cfg = tollgate_config_get();
+    return cfg ? (int32_t)cfg->step_size_bytes : 22020096;
+}
+
+static int64_t platform_get_time_ms(void)
+{
+    return (int64_t)xTaskGetTickCount() * portTICK_PERIOD_MS;
+}
+
+static bool platform_spend_proofs(const char *raw_token_json)
+{
+    (void)raw_token_json;
+    return true;
+}
+
+const tollgate_platform_t *tollgate_get_platform(void)
+{
+    static const tollgate_platform_t platform = {
+        .get_price_sats = platform_get_price_sats,
+        .get_step_ms = platform_get_step_ms,
+        .get_mint_url = platform_get_mint_url,
+        .get_metric = platform_get_metric,
+        .get_step_bytes = platform_get_step_bytes,
+        .get_time_ms = platform_get_time_ms,
+        .spend_proofs = platform_spend_proofs,
+    };
+    return &platform;
+}
diff --git a/tests/integration/helpers/network.mjs b/tests/integration/helpers/network.mjs
new file mode 100644
index 0000000..0d6013d
--- /dev/null
+++ b/tests/integration/helpers/network.mjs
@@ -0,0 +1,67 @@
+import { execSync } from 'child_process';
+
+const DEFAULT_IP = '10.192.45.1';
+const WIFI_IFACE = 'wlp59s0';
+
+export function getPortalIP() {
+  return process.env.TOLLGATE_IP || DEFAULT_IP;
+}
+
+export function curl(url, timeout = 30) {
+  try {
+    return execSync(
+      `curl -s -o /dev/null -w "%{http_code}" --connect-timeout ${timeout} --max-time ${timeout + 10} "${url}"`,
+      { encoding: 'utf8', timeout: (timeout + 10) * 1000 }
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+
+export function curlBody(url, timeout = 30) {
+  try {
+    return execSync(
+      `curl -s --connect-timeout ${timeout} --max-time ${timeout + 10} "${url}"`,
+      { encoding: 'utf8', timeout: (timeout + 10) * 1000 }
+    );
+  } catch {
+    return null;
+  }
+}
+
+export function canPing(host = '8.8.8.8', count = 1) {
+  try {
+    const result = execSync(
+      `ping -c ${count} -W 3 -I ${WIFI_IFACE} ${host} 2>/dev/null`,
+      { encoding: 'utf8', timeout: 10000 }
+    );
+    return result && !result.includes('100% packet loss');
+  } catch {
+    return false;
+  }
+}
+
+export function canResolve(domain, timeout = 5) {
+  try {
+    const result = execSync(
+      `dig +short +timeout=${timeout} +tries=1 ${domain} 2>&1`,
+      { encoding: 'utf8', timeout: (timeout + 2) * 1000 }
+    ).trim();
+    return result.length > 0 && !result.includes('NXDOMAIN');
+  } catch {
+    return false;
+  }
+}
+
+export function dnsResolvesToSelf(domain) {
+  const ip = getPortalIP();
+  try {
+    const result = execSync(
+      `dig +short +timeout=5 ${domain} @{ip} 2>&1`,
+      { encoding: 'utf8', timeout: 10000 }
+    ).trim();
+    return result === ip;
+  } catch {
+    return false;
+  }
+}