feat: add tollgate_core component + market config wiring

- Add tollgate_core ESP-IDF component (skeleton: cashu, dns, firewall, session)
- Add tollgate_platform.c with SPIFFS config backend
- Wire market_enabled, market_scan_interval_s, client_auto_switch in config.c
- Add lwip_tollgate_hooks.h (updated from feature branch)
- Add E2E fix plan, tollgate_core design doc, WPA autodetect plan
- Add integration test network helpers
- Add CONSOLIDATION.md plan

Reverts the broken merge (be4788b) that gutted config.c/tollgate_main.c/tollgate_api.c
and replaces it with a clean addition on top of intact master.

9 files changed, 1306 insertions, 0 deletions

diff --git a/components/tollgate_core/src/tollgate_core.c b/components/tollgate_core/src/tollgate_core.c
new file mode 100644
index 0000000..a731f48
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core.c
@@ -0,0 +1,236 @@
+#include "tollgate_core.h"
+#include "tollgate_core_cashu.h"
+#include "tollgate_core_dns.h"
+#include "tollgate_core_firewall.h"
+#include "tollgate_core_session.h"
+#include "esp_log.h"
+#include "cJSON.h"
+#include <string.h>
+
+static const char *TAG = "tg_core";
+
+static const tollgate_platform_t *s_platform;
+static esp_ip4_addr_t s_ap_ip;
+
+static uint32_t s_owner_ip;
+static uint8_t s_owner_mac[6];
+static bool s_owner_connected;
+
+esp_err_t tollgate_core_init(const tollgate_platform_t *platform, esp_ip4_addr_t ap_ip)
+{
+    if (!platform) {
+        ESP_LOGE(TAG, "Platform callbacks required");
+        return ESP_FAIL;
+    }
+
+    s_platform = platform;
+    s_ap_ip = ap_ip;
+    s_owner_connected = false;
+    memset(s_owner_mac, 0, sizeof(s_owner_mac));
+
+    if (!platform->spend_proofs) {
+        ESP_LOGW(TAG, "spend_proofs is NULL — double-spend window open until wallet integrated");
+    }
+
+    tollgate_core_session_set_platform(platform);
+    tollgate_core_session_init();
+    tollgate_core_fw_init(ap_ip);
+
+    ESP_LOGI(TAG, "TollGate core initialized, AP IP=" IPSTR, IP2STR(&ap_ip));
+    return ESP_OK;
+}
+
+esp_err_t tollgate_core_dns_start(esp_ip4_addr_t upstream_dns)
+{
+    return tollgate_core_dns_start_internal(s_ap_ip, upstream_dns);
+}
+
+esp_err_t tollgate_core_process_payment(uint32_t client_ip, const char *token_str)
+{
+    if (!s_platform || !token_str) return ESP_FAIL;
+
+    const char *accepted_mint = s_platform->get_mint_url ? s_platform->get_mint_url() : NULL;
+    if (!accepted_mint || accepted_mint[0] == '\0') {
+        ESP_LOGE(TAG, "No mint URL configured");
+        return ESP_FAIL;
+    }
+
+    tg_cashu_token_t token;
+    esp_err_t ret = tollgate_core_cashu_decode_token(token_str, &token);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Token decode failed");
+        return ESP_FAIL;
+    }
+
+    if (!tollgate_core_cashu_is_mint_accepted(token.mint_url, accepted_mint)) {
+        ESP_LOGE(TAG, "Token mint '%s' not accepted (expected '%s')", token.mint_url, accepted_mint);
+        return ESP_FAIL;
+    }
+
+    tg_cashu_proof_state_t states[TG_CASHU_MAX_PROOFS];
+    int state_count = 0;
+    ret = tollgate_core_cashu_check_proof_states(token.mint_url, &token, states, &state_count);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Proof state check failed");
+        return ESP_FAIL;
+    }
+
+    for (int i = 0; i < state_count; i++) {
+        if (states[i].spent) {
+            ESP_LOGE(TAG, "Proof %d is SPENT — rejecting", i);
+            return ESP_FAIL;
+        }
+    }
+
+    if (s_platform->spend_proofs) {
+        if (!s_platform->spend_proofs(token_str)) {
+            ESP_LOGE(TAG, "spend_proofs rejected the token");
+            return ESP_FAIL;
+        }
+    }
+
+    const char *metric = s_platform->get_metric ? s_platform->get_metric() : "milliseconds";
+    uint64_t price = s_platform->get_price_sats ? s_platform->get_price_sats() : 21;
+    uint64_t step_size;
+
+    if (strcmp(metric, "bytes") == 0) {
+        step_size = s_platform->get_step_bytes ? (uint64_t)s_platform->get_step_bytes() : 22020096;
+    } else {
+        step_size = s_platform->get_step_ms ? (uint64_t)s_platform->get_step_ms() : 60000;
+    }
+
+    uint64_t allotment = tollgate_core_cashu_calculate_allotment(token.total_amount, price, step_size);
+    if (allotment == 0) {
+        ESP_LOGE(TAG, "Token amount %llu too small for price %llu",
+                 (unsigned long long)token.total_amount, (unsigned long long)price);
+        return ESP_FAIL;
+    }
+
+    if (strcmp(metric, "bytes") == 0) {
+        if (!tollgate_core_session_create_bytes(client_ip, allotment)) {
+            return ESP_FAIL;
+        }
+    } else {
+        if (!tollgate_core_session_create(client_ip, allotment)) {
+            return ESP_FAIL;
+        }
+    }
+
+    ESP_LOGI(TAG, "Payment processed: %llu sats → %llu %s allotment for client",
+             (unsigned long long)token.total_amount, (unsigned long long)allotment, metric);
+    return ESP_OK;
+}
+
+void tollgate_core_client_connected(const uint8_t *mac, uint32_t client_ip)
+{
+    if (!s_owner_connected) {
+        s_owner_connected = true;
+        s_owner_ip = client_ip;
+        if (mac) memcpy(s_owner_mac, mac, 6);
+
+        esp_ip4_addr_t ip = { .addr = client_ip };
+        ESP_LOGI(TAG, "First client = owner: " IPSTR, IP2STR(&ip));
+        return;
+    }
+
+    ESP_LOGI(TAG, "Client connected (non-owner): " IPSTR, IP2STR(&(esp_ip4_addr_t){.addr=client_ip}));
+}
+
+void tollgate_core_client_disconnected(const uint8_t *mac)
+{
+    if (!s_owner_connected) return;
+
+    if (mac && memcmp(s_owner_mac, mac, 6) == 0) {
+        ESP_LOGI(TAG, "Owner disconnected — reassigning");
+        s_owner_connected = false;
+        memset(s_owner_mac, 0, sizeof(s_owner_mac));
+
+        int fw_count = tollgate_core_fw_client_count();
+        if (fw_count > 0) {
+            tg_session_t *sessions = tollgate_core_session_get_array();
+            for (int i = 0; i < tollgate_core_session_get_array_size(); i++) {
+                if (sessions[i].active && sessions[i].mac[0] != '\0') {
+                    if (memcmp(sessions[i].mac, mac, 6) != 0) {
+                        s_owner_connected = true;
+                        s_owner_ip = sessions[i].client_ip;
+                        ESP_LOGI(TAG, "New owner: " IPSTR, IP2STR(&(esp_ip4_addr_t){.addr=s_owner_ip}));
+                        break;
+                    }
+                }
+            }
+        }
+        return;
+    }
+
+    ESP_LOGI(TAG, "Client disconnected");
+}
+
+void tollgate_core_tick(void)
+{
+    tollgate_core_session_tick();
+}
+
+bool tollgate_core_is_client_allowed(uint32_t client_ip)
+{
+    return tollgate_core_fw_is_allowed(client_ip);
+}
+
+bool tollgate_core_is_dns_running(void)
+{
+    return tollgate_core_dns_is_running();
+}
+
+char *tollgate_core_get_status_json(void)
+{
+    cJSON *root = cJSON_CreateObject();
+    cJSON_AddBoolToObject(root, "ownerConnected", s_owner_connected);
+    cJSON_AddNumberToObject(root, "activeSessions", tollgate_core_session_active_count());
+    cJSON_AddNumberToObject(root, "allowedClients", tollgate_core_fw_client_count());
+    cJSON_AddBoolToObject(root, "dnsRunning", tollgate_core_dns_is_running());
+
+    char *json = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+    return json;
+}
+
+char *tollgate_core_get_config_json(void)
+{
+    cJSON *root = cJSON_CreateObject();
+
+    if (s_platform) {
+        if (s_platform->get_price_sats)
+            cJSON_AddNumberToObject(root, "priceSats", s_platform->get_price_sats());
+        if (s_platform->get_step_ms)
+            cJSON_AddNumberToObject(root, "stepMs", s_platform->get_step_ms());
+        if (s_platform->get_mint_url)
+            cJSON_AddStringToObject(root, "mintUrl", s_platform->get_mint_url());
+        if (s_platform->get_metric)
+            cJSON_AddStringToObject(root, "metric", s_platform->get_metric());
+        if (s_platform->get_step_bytes)
+            cJSON_AddNumberToObject(root, "stepBytes", s_platform->get_step_bytes());
+    }
+
+    char *json = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+    return json;
+}
+
+int tollgate_core_active_session_count(void)
+{
+    return tollgate_core_session_active_count();
+}
+
+int tollgate_core_allowed_client_count(void)
+{
+    return tollgate_core_fw_client_count();
+}
+
+bool tollgate_core_is_owner(uint32_t client_ip)
+{
+    return s_owner_connected && s_owner_ip == client_ip;
+}
+
+bool tollgate_core_is_owner_connected(void)
+{
+    return s_owner_connected;
+}
diff --git a/components/tollgate_core/src/tollgate_core_cashu.c b/components/tollgate_core/src/tollgate_core_cashu.c
new file mode 100644
index 0000000..cf2bf5d
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_cashu.c
@@ -0,0 +1,262 @@
+#include "tollgate_core_cashu.h"
+#include "esp_log.h"
+#include "esp_http_client.h"
+#include "cJSON.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/sha256.h"
+#include "esp_crt_bundle.h"
+
+static const char *TAG = "tg_core_cashu";
+
+static const char V3_PREFIX[] = "cashuA";
+static const size_t V3_PREFIX_LEN = 6;
+
+static int b64url_decode(const char *input, size_t input_len, char *out, size_t out_size, size_t *out_len)
+{
+    char *b64 = malloc(input_len + 4);
+    if (!b64) return -1;
+    size_t b64_len = input_len;
+    memcpy(b64, input, b64_len);
+    b64[b64_len] = '\0';
+
+    for (size_t i = 0; i < b64_len; i++) {
+        if (b64[i] == '-') b64[i] = '+';
+        else if (b64[i] == '_') b64[i] = '/';
+    }
+    while (b64_len % 4 != 0) {
+        b64[b64_len++] = '=';
+    }
+    b64[b64_len] = '\0';
+
+    size_t olen = 0;
+    int ret = mbedtls_base64_decode((unsigned char *)out, out_size, &olen,
+                                     (const unsigned char *)b64, b64_len);
+    free(b64);
+    if (ret != 0) return -1;
+    *out_len = olen;
+    return 0;
+}
+
+static esp_err_t parse_proofs_array(cJSON *arr, tg_cashu_token_t *out)
+{
+    if (!cJSON_IsArray(arr)) return ESP_FAIL;
+    int count = cJSON_GetArraySize(arr);
+    if (count > TG_CASHU_MAX_PROOFS) return ESP_FAIL;
+
+    out->proof_count = 0;
+    out->total_amount = 0;
+    for (int i = 0; i < count; i++) {
+        cJSON *proof = cJSON_GetArrayItem(arr, i);
+        cJSON *amt = cJSON_GetObjectItemCaseSensitive(proof, "amount");
+        cJSON *id = cJSON_GetObjectItemCaseSensitive(proof, "id");
+        cJSON *secret = cJSON_GetObjectItemCaseSensitive(proof, "secret");
+        cJSON *c = cJSON_GetObjectItemCaseSensitive(proof, "C");
+
+        if (!amt || !cJSON_IsNumber(amt)) return ESP_FAIL;
+
+        out->proofs[i].amount = (uint64_t)amt->valuedouble;
+        out->total_amount += out->proofs[i].amount;
+
+        if (id && cJSON_IsString(id)) {
+            strncpy(out->proofs[i].id, id->valuestring, sizeof(out->proofs[i].id) - 1);
+        }
+        if (secret && cJSON_IsString(secret)) {
+            strncpy(out->proofs[i].secret, secret->valuestring, sizeof(out->proofs[i].secret) - 1);
+        }
+        if (c && cJSON_IsString(c)) {
+            strncpy(out->proofs[i].c, c->valuestring, sizeof(out->proofs[i].c) - 1);
+        }
+        out->proof_count++;
+    }
+    return ESP_OK;
+}
+
+esp_err_t tollgate_core_cashu_decode_token(const char *token_str, tg_cashu_token_t *out)
+{
+    if (!token_str || !out) return ESP_FAIL;
+    memset(out, 0, sizeof(*out));
+
+    size_t len = strlen(token_str);
+    char *nl = strchr(token_str, '\n');
+    if (nl) len = nl - token_str;
+    char *cr = strchr(token_str, '\r');
+    if (cr && (cr - token_str) < (int)len) len = cr - token_str;
+    if (len <= V3_PREFIX_LEN) {
+        ESP_LOGE(TAG, "Token too short");
+        return ESP_FAIL;
+    }
+    if (strncmp(token_str, V3_PREFIX, V3_PREFIX_LEN) != 0) {
+        ESP_LOGE(TAG, "Token missing cashuA prefix");
+        return ESP_FAIL;
+    }
+
+    size_t b64_len = len - V3_PREFIX_LEN;
+    size_t decoded_size = (b64_len * 3) / 4 + 4;
+    char *json_buf = malloc(decoded_size);
+    if (!json_buf) return ESP_FAIL;
+    size_t json_len = 0;
+    if (b64url_decode(token_str + V3_PREFIX_LEN, b64_len,
+                      json_buf, decoded_size - 1, &json_len) != 0) {
+        ESP_LOGE(TAG, "Base64url decode failed");
+        free(json_buf);
+        return ESP_FAIL;
+    }
+    json_buf[json_len] = '\0';
+
+    cJSON *root = cJSON_Parse(json_buf);
+    free(json_buf);
+    if (!root) {
+        ESP_LOGE(TAG, "JSON parse failed");
+        return ESP_FAIL;
+    }
+
+    cJSON *token_arr = cJSON_GetObjectItemCaseSensitive(root, "token");
+    if (token_arr && cJSON_IsArray(token_arr)) {
+        cJSON *first = cJSON_GetArrayItem(token_arr, 0);
+        if (!first) { cJSON_Delete(root); return ESP_FAIL; }
+
+        cJSON *mint = cJSON_GetObjectItemCaseSensitive(first, "mint");
+        if (mint && cJSON_IsString(mint)) {
+            strncpy(out->mint_url, mint->valuestring, sizeof(out->mint_url) - 1);
+        }
+
+        cJSON *proofs = cJSON_GetObjectItemCaseSensitive(first, "proofs");
+        if (proofs) {
+            esp_err_t ret = parse_proofs_array(proofs, out);
+            if (ret != ESP_OK) { cJSON_Delete(root); return ret; }
+        }
+    } else {
+        cJSON *mint = cJSON_GetObjectItemCaseSensitive(root, "mint");
+        if (mint && cJSON_IsString(mint)) {
+            strncpy(out->mint_url, mint->valuestring, sizeof(out->mint_url) - 1);
+        }
+
+        cJSON *proofs = cJSON_GetObjectItemCaseSensitive(root, "proofs");
+        if (proofs) {
+            esp_err_t ret = parse_proofs_array(proofs, out);
+            if (ret != ESP_OK) { cJSON_Delete(root); return ret; }
+        }
+    }
+
+    cJSON_Delete(root);
+
+    if (out->proof_count == 0) {
+        ESP_LOGE(TAG, "No proofs in token");
+        return ESP_FAIL;
+    }
+
+    ESP_LOGI(TAG, "Decoded token: %d proofs, total=%llu, mint=%s",
+             out->proof_count, (unsigned long long)out->total_amount, out->mint_url);
+    return ESP_OK;
+}
+
+static void sha256_hex(const char *data, size_t data_len, char *hex_out)
+{
+    uint8_t hash[32];
+    mbedtls_sha256((const unsigned char *)data, data_len, hash, 0);
+    for (int i = 0; i < 32; i++) {
+        sprintf(hex_out + i * 2, "%02x", hash[i]);
+    }
+    hex_out[64] = '\0';
+}
+
+esp_err_t tollgate_core_cashu_check_proof_states(const char *mint_url, const tg_cashu_token_t *token,
+                                                  tg_cashu_proof_state_t *states, int *state_count)
+{
+    cJSON *ys_arr = cJSON_CreateArray();
+    for (int i = 0; i < token->proof_count; i++) {
+        char y_hex[65];
+        sha256_hex(token->proofs[i].secret, strlen(token->proofs[i].secret), y_hex);
+        cJSON_AddItemToArray(ys_arr, cJSON_CreateString(y_hex));
+        strncpy(states[i].y_hex, y_hex, sizeof(states[i].y_hex) - 1);
+        states[i].spent = false;
+    }
+    *state_count = token->proof_count;
+
+    char *ys_json = cJSON_PrintUnformatted(ys_arr);
+    cJSON_Delete(ys_arr);
+
+    char *post_body = malloc(4096);
+    if (!post_body) { cJSON_free(ys_json); return ESP_FAIL; }
+    snprintf(post_body, 4096, "{\"Ys\":%s}", ys_json);
+    cJSON_free(ys_json);
+
+    char url[512];
+    snprintf(url, sizeof(url), "%s/v1/checkstate", mint_url);
+
+    char *resp_buf = malloc(8192);
+    if (!resp_buf) { free(post_body); return ESP_FAIL; }
+
+    esp_http_client_config_t config = {
+        .url = url,
+        .method = HTTP_METHOD_POST,
+        .timeout_ms = 15000,
+        .crt_bundle_attach = esp_crt_bundle_attach,
+    };
+    esp_http_client_handle_t client = esp_http_client_init(&config);
+    if (!client) { free(post_body); free(resp_buf); return ESP_FAIL; }
+
+    esp_http_client_set_header(client, "Content-Type", "application/json");
+    esp_err_t err = esp_http_client_open(client, strlen(post_body));
+    if (err != ESP_OK) {
+        ESP_LOGE(TAG, "checkstate open failed: %s", esp_err_to_name(err));
+        esp_http_client_cleanup(client);
+        free(post_body);
+        free(resp_buf);
+        return ESP_FAIL;
+    }
+    int written = esp_http_client_write(client, post_body, strlen(post_body));
+    free(post_body);
+    ESP_LOGI(TAG, "checkstate written %d bytes", written);
+
+    int content_length = esp_http_client_fetch_headers(client);
+    int status = esp_http_client_get_status_code(client);
+    ESP_LOGI(TAG, "checkstate headers: status=%d, content_length=%d", status, content_length);
+
+    int resp_len = esp_http_client_read(client, resp_buf, 8191);
+    ESP_LOGI(TAG, "checkstate read: resp_len=%d", resp_len);
+    esp_http_client_cleanup(client);
+
+    if (status != 200 || resp_len <= 0) {
+        ESP_LOGE(TAG, "checkstate failed: status=%d, resp_len=%d", status, resp_len);
+        free(resp_buf);
+        return ESP_FAIL;
+    }
+    resp_buf[resp_len] = '\0';
+
+    cJSON *root_resp = cJSON_Parse(resp_buf);
+    free(resp_buf);
+    if (!root_resp) return ESP_FAIL;
+
+    cJSON *states_arr = cJSON_GetObjectItemCaseSensitive(root_resp, "states");
+    if (!states_arr || !cJSON_IsArray(states_arr)) {
+        cJSON_Delete(root_resp);
+        return ESP_FAIL;
+    }
+
+    int n = cJSON_GetArraySize(states_arr);
+    for (int i = 0; i < n && i < token->proof_count; i++) {
+        cJSON *s = cJSON_GetArrayItem(states_arr, i);
+        cJSON *state = cJSON_GetObjectItemCaseSensitive(s, "state");
+        if (state && cJSON_IsString(state)) {
+            states[i].spent = (strcmp(state->valuestring, "SPENT") == 0);
+        }
+    }
+
+    cJSON_Delete(root_resp);
+    return ESP_OK;
+}
+
+uint64_t tollgate_core_cashu_calculate_allotment(uint64_t token_amount, uint64_t price_per_step,
+                                                  uint64_t step_size)
+{
+    if (price_per_step == 0) return 0;
+    return (token_amount / price_per_step) * step_size;
+}
+
+bool tollgate_core_cashu_is_mint_accepted(const char *mint_url, const char *accepted_mint_url)
+{
+    if (!mint_url || mint_url[0] == '\0') return false;
+    if (!accepted_mint_url || accepted_mint_url[0] == '\0') return false;
+    return (strcmp(mint_url, accepted_mint_url) == 0);
+}
diff --git a/components/tollgate_core/src/tollgate_core_cashu.h b/components/tollgate_core/src/tollgate_core_cashu.h
new file mode 100644
index 0000000..70d2a02
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_cashu.h
@@ -0,0 +1,42 @@
+#ifndef TOLLGATE_CORE_CASHU_H
+#define TOLLGATE_CORE_CASHU_H
+
+#include "esp_err.h"
+#include <stdint.h>
+#include <stdbool.h>
+
+#define TG_CASHU_MAX_PROOFS      10
+#define TG_CASHU_MAX_SECRET_LEN  128
+#define TG_CASHU_MAX_ID_LEN      68
+#define TG_CASHU_MAX_C_LEN       128
+
+typedef struct {
+    uint64_t amount;
+    char id[TG_CASHU_MAX_ID_LEN];
+    char secret[TG_CASHU_MAX_SECRET_LEN];
+    char c[TG_CASHU_MAX_C_LEN];
+} tg_cashu_proof_t;
+
+typedef struct {
+    tg_cashu_proof_t proofs[TG_CASHU_MAX_PROOFS];
+    int proof_count;
+    char mint_url[256];
+    uint64_t total_amount;
+} tg_cashu_token_t;
+
+typedef struct {
+    char y_hex[65];
+    bool spent;
+} tg_cashu_proof_state_t;
+
+esp_err_t tollgate_core_cashu_decode_token(const char *token_str, tg_cashu_token_t *out);
+
+esp_err_t tollgate_core_cashu_check_proof_states(const char *mint_url, const tg_cashu_token_t *token,
+                                                  tg_cashu_proof_state_t *states, int *state_count);
+
+uint64_t tollgate_core_cashu_calculate_allotment(uint64_t token_amount, uint64_t price_per_step,
+                                                  uint64_t step_size);
+
+bool tollgate_core_cashu_is_mint_accepted(const char *mint_url, const char *accepted_mint_url);
+
+#endif
diff --git a/components/tollgate_core/src/tollgate_core_dns.c b/components/tollgate_core/src/tollgate_core_dns.c
new file mode 100644
index 0000000..84322e6
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_dns.c
@@ -0,0 +1,316 @@
+#include "tollgate_core_dns.h"
+#include "esp_log.h"
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+#include "lwip/sockets.h"
+#include "lwip/netdb.h"
+#include <string.h>
+#include <sys/param.h>
+
+#define MAX_AUTH_IPS 10
+#define DNS_BUF_SIZE 512
+#define DNS_PORT 53
+#define DOT_PORT 853
+#define DNS_TASK_STACK 4096
+#define DOT_TASK_STACK 3072
+#define DNS_TASK_PRIO 5
+#define DOT_TASK_PRIO 5
+#define DNS_FORWARD_TIMEOUT_MS 2000
+#define NXDOMAIN_TTL 30
+#define HIJACK_TTL 10
+
+static const char *TAG = "tg_core_dns";
+
+#pragma pack(push, 1)
+typedef struct {
+    uint16_t id;
+    uint16_t flags;
+    uint16_t qdcount;
+    uint16_t ancount;
+    uint16_t nscount;
+    uint16_t arcount;
+} dns_header_t;
+#pragma pack(pop)
+
+#pragma pack(push, 1)
+typedef struct {
+    uint16_t name;
+    uint16_t type;
+    uint16_t class;
+    uint32_t ttl;
+    uint16_t len;
+    uint32_t addr;
+} dns_answer_t;
+#pragma pack(pop)
+
+typedef struct {
+    uint32_t ip;
+} auth_entry_t;
+
+static auth_entry_t s_auth_list[MAX_AUTH_IPS];
+static int s_auth_count = 0;
+static TaskHandle_t s_dns_task = NULL;
+static TaskHandle_t s_dot_task = NULL;
+static volatile bool s_dns_running = false;
+static esp_ip4_addr_t s_ap_ip;
+static esp_ip4_addr_t s_upstream_dns;
+
+static bool is_authenticated(uint32_t ip)
+{
+    for (int i = 0; i < s_auth_count; i++) {
+        if (s_auth_list[i].ip == ip) return true;
+    }
+    return false;
+}
+
+static void parse_dns_name(const uint8_t *buf, int buf_len, int offset, char *out, int out_len)
+{
+    int pos = offset;
+    int out_pos = 0;
+    int jumped = 0;
+    int jump_pos = 0;
+    while (pos < buf_len && out_pos < out_len - 1) {
+        uint8_t len = buf[pos];
+        if (len == 0) break;
+        if ((len & 0xC0) == 0xC0) {
+            if (!jumped) jump_pos = pos + 2;
+            pos = ((len & 0x3F) << 8) | buf[pos + 1];
+            jumped = 1;
+            continue;
+        }
+        if (out_pos > 0 && out_pos < out_len - 1) out[out_pos++] = '.';
+        pos++;
+        for (int i = 0; i < len && pos < buf_len && out_pos < out_len - 1; i++) {
+            out[out_pos++] = buf[pos++];
+        }
+    }
+    out[out_pos] = '\0';
+}
+
+static int build_nxdomain(uint8_t *response, int req_len)
+{
+    dns_header_t *hdr = (dns_header_t *)response;
+    hdr->flags = htons(0x8403);
+    hdr->ancount = 0;
+    hdr->nscount = 0;
+    hdr->arcount = 0;
+    return req_len;
+}
+
+static int build_redirect_response(uint8_t *response, int req_len)
+{
+    memmove(response, response, req_len);
+    dns_header_t *hdr = (dns_header_t *)response;
+    hdr->flags = htons(0x8180);
+    hdr->ancount = htons(1);
+    hdr->nscount = 0;
+    hdr->arcount = 0;
+    int resp_len = req_len;
+    dns_answer_t ans;
+    ans.name = htons(0xC00C);
+    ans.type = htons(1);
+    ans.class = htons(1);
+    ans.ttl = htonl(HIJACK_TTL);
+    ans.len = htons(4);
+    ans.addr = s_ap_ip.addr;
+    memcpy(response + resp_len, &ans, sizeof(ans));
+    resp_len += sizeof(ans);
+    return resp_len;
+}
+
+static int forward_dns(const uint8_t *req, int req_len, uint8_t *resp, int resp_buf_len,
+                       uint16_t txn_id)
+{
+    int upstream_sock = socket(AF_INET, SOCK_DGRAM, 0);
+    if (upstream_sock < 0) return -1;
+
+    struct timeval tv = { .tv_sec = DNS_FORWARD_TIMEOUT_MS / 1000, .tv_usec = (DNS_FORWARD_TIMEOUT_MS % 1000) * 1000 };
+    setsockopt(upstream_sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
+
+    struct sockaddr_in upstream_addr = {
+        .sin_family = AF_INET,
+        .sin_port = htons(DNS_PORT),
+        .sin_addr.s_addr = s_upstream_dns.addr,
+    };
+
+    sendto(upstream_sock, req, req_len, 0, (struct sockaddr *)&upstream_addr, sizeof(upstream_addr));
+
+    int n = recvfrom(upstream_sock, resp, resp_buf_len, 0, NULL, NULL);
+    close(upstream_sock);
+
+    if (n > 0) {
+        if (n >= sizeof(dns_header_t)) {
+            dns_header_t *hdr = (dns_header_t *)resp;
+            hdr->id = htons(txn_id);
+        }
+    }
+    return n;
+}
+
+static void dns_server_task(void *arg)
+{
+    int sock = socket(AF_INET, SOCK_DGRAM, 0);
+    if (sock < 0) {
+        ESP_LOGE(TAG, "Failed to create DNS socket");
+        s_dns_running = false;
+        vTaskDelete(NULL);
+        return;
+    }
+
+    struct sockaddr_in bind_addr = {
+        .sin_family = AF_INET,
+        .sin_port = htons(DNS_PORT),
+        .sin_addr.s_addr = INADDR_ANY,
+    };
+    if (bind(sock, (struct sockaddr *)&bind_addr, sizeof(bind_addr)) < 0) {
+        ESP_LOGE(TAG, "Failed to bind DNS socket");
+        close(sock);
+        s_dns_running = false;
+        vTaskDelete(NULL);
+        return;
+    }
+
+    ESP_LOGI(TAG, "DNS server started on port %d, AP IP=" IPSTR ", upstream DNS=" IPSTR,
+             DNS_PORT, IP2STR(&s_ap_ip), IP2STR(&s_upstream_dns));
+
+    uint8_t rx_buf[DNS_BUF_SIZE];
+    uint8_t tx_buf[DNS_BUF_SIZE + sizeof(dns_answer_t)];
+
+    while (s_dns_running) {
+        struct sockaddr_in client_addr;
+        socklen_t client_len = sizeof(client_addr);
+        int n = recvfrom(sock, rx_buf, sizeof(rx_buf), 0,
+                         (struct sockaddr *)&client_addr, &client_len);
+        if (n < (int)sizeof(dns_header_t)) continue;
+
+        uint32_t client_ip = client_addr.sin_addr.s_addr;
+        dns_header_t *hdr = (dns_header_t *)rx_buf;
+        uint16_t txn_id = ntohs(hdr->id);
+        bool is_query = (ntohs(hdr->flags) & 0x8000) == 0;
+        uint16_t qdcount = ntohs(hdr->qdcount);
+
+        if (!is_query || qdcount == 0) continue;
+
+        int q_offset = sizeof(dns_header_t);
+        while (q_offset < n && rx_buf[q_offset] != 0) {
+            q_offset += rx_buf[q_offset] + 1;
+        }
+        if (q_offset + 5 > n) continue;
+        uint16_t qtype = (rx_buf[q_offset + 1] << 8) | rx_buf[q_offset + 2];
+        int req_len = q_offset + 5;
+
+        if (is_authenticated(client_ip)) {
+            int resp_len = forward_dns(rx_buf, req_len, tx_buf, sizeof(tx_buf), txn_id);
+            if (resp_len > 0) {
+                sendto(sock, tx_buf, resp_len, 0, (struct sockaddr *)&client_addr, client_len);
+            }
+        } else {
+            char qname[256] = {0};
+            parse_dns_name(rx_buf, n, sizeof(dns_header_t), qname, sizeof(qname));
+            ESP_LOGI(TAG, "Hijack DNS from " IPSTR ": %s (type=%d)",
+                     IP2STR(&(esp_ip4_addr_t){.addr=client_ip}), qname, qtype);
+            if (qtype == 1) {
+                int resp_len = build_redirect_response(rx_buf, req_len);
+                memcpy(tx_buf, rx_buf, resp_len);
+                dns_header_t *resp_hdr = (dns_header_t *)tx_buf;
+                resp_hdr->id = htons(txn_id);
+                sendto(sock, tx_buf, resp_len, 0, (struct sockaddr *)&client_addr, client_len);
+            } else {
+                int resp_len = build_nxdomain(rx_buf, req_len);
+                memcpy(tx_buf, rx_buf, resp_len);
+                dns_header_t *resp_hdr = (dns_header_t *)tx_buf;
+                resp_hdr->id = htons(txn_id);
+                sendto(sock, tx_buf, resp_len, 0, (struct sockaddr *)&client_addr, client_len);
+            }
+        }
+    }
+
+    close(sock);
+    ESP_LOGI(TAG, "DNS server stopped");
+    vTaskDelete(NULL);
+}
+
+static void dot_reject_task(void *arg)
+{
+    int sock = socket(AF_INET, SOCK_STREAM, 0);
+    if (sock < 0) {
+        ESP_LOGE(TAG, "Failed to create DoT reject socket");
+        vTaskDelete(NULL);
+        return;
+    }
+
+    int opt = 1;
+    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
+
+    struct sockaddr_in bind_addr = {
+        .sin_family = AF_INET,
+        .sin_port = htons(DOT_PORT),
+        .sin_addr.s_addr = INADDR_ANY,
+    };
+    if (bind(sock, (struct sockaddr *)&bind_addr, sizeof(bind_addr)) < 0) {
+        ESP_LOGE(TAG, "Failed to bind DoT reject socket on port %d", DOT_PORT);
+        close(sock);
+        vTaskDelete(NULL);
+        return;
+    }
+
+    listen(sock, 1);
+    ESP_LOGI(TAG, "DoT reject server on port %d (forces DNS fallback to port 53)", DOT_PORT);
+
+    while (s_dns_running) {
+        struct sockaddr_in client_addr;
+        socklen_t client_len = sizeof(client_addr);
+        int client_sock = accept(sock, (struct sockaddr *)&client_addr, &client_len);
+        if (client_sock >= 0) {
+            struct linger ling = { .l_onoff = 1, .l_linger = 0 };
+            setsockopt(client_sock, SOL_SOCKET, SO_LINGER, &ling, sizeof(ling));
+            close(client_sock);
+        }
+    }
+
+    close(sock);
+    ESP_LOGI(TAG, "DoT reject server stopped");
+    vTaskDelete(NULL);
+}
+
+esp_err_t tollgate_core_dns_start_internal(esp_ip4_addr_t ap_ip, esp_ip4_addr_t upstream_dns)
+{
+    if (s_dns_running) return ESP_OK;
+    s_ap_ip = ap_ip;
+    s_upstream_dns = upstream_dns;
+    s_dns_running = true;
+    xTaskCreate(dns_server_task, "dns_server", DNS_TASK_STACK, NULL, DNS_TASK_PRIO, &s_dns_task);
+    xTaskCreate(dot_reject_task, "dot_reject", DOT_TASK_STACK, NULL, DOT_TASK_PRIO, &s_dot_task);
+    return ESP_OK;
+}
+
+void tollgate_core_dns_stop(void)
+{
+    s_dns_running = false;
+    vTaskDelay(pdMS_TO_TICKS(200));
+    s_dns_task = NULL;
+}
+
+void tollgate_core_dns_set_authenticated(uint32_t client_ip, bool authenticated)
+{
+    if (authenticated) {
+        if (is_authenticated(client_ip)) return;
+        if (s_auth_count < MAX_AUTH_IPS) {
+            s_auth_list[s_auth_count].ip = client_ip;
+            s_auth_count++;
+        }
+    } else {
+        for (int i = 0; i < s_auth_count; i++) {
+            if (s_auth_list[i].ip == client_ip) {
+                s_auth_list[i] = s_auth_list[s_auth_count - 1];
+                s_auth_count--;
+                return;
+            }
+        }
+    }
+}
+
+bool tollgate_core_dns_is_running(void)
+{
+    return s_dns_running;
+}
diff --git a/components/tollgate_core/src/tollgate_core_dns.h b/components/tollgate_core/src/tollgate_core_dns.h
new file mode 100644
index 0000000..60aaaaf
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_dns.h
@@ -0,0 +1,13 @@
+#ifndef TOLLGATE_CORE_DNS_H
+#define TOLLGATE_CORE_DNS_H
+
+#include "esp_err.h"
+#include "esp_netif.h"
+#include <stdbool.h>
+
+esp_err_t tollgate_core_dns_start_internal(esp_ip4_addr_t ap_ip, esp_ip4_addr_t upstream_dns);
+void tollgate_core_dns_stop(void);
+void tollgate_core_dns_set_authenticated(uint32_t client_ip, bool authenticated);
+bool tollgate_core_dns_is_running(void);
+
+#endif
diff --git a/components/tollgate_core/src/tollgate_core_firewall.c b/components/tollgate_core/src/tollgate_core_firewall.c
new file mode 100644
index 0000000..e5d61d8
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_firewall.c
@@ -0,0 +1,165 @@
+#include "tollgate_core_firewall.h"
+#include "tollgate_core_dns.h"
+#include "esp_log.h"
+#include "esp_wifi.h"
+#include "esp_wifi_ap_get_sta_list.h"
+#include "lwip/lwip_napt.h"
+#include "lwip/etharp.h"
+#include "lwip/netif.h"
+#include "lwip/prot/ip4.h"
+#include <string.h>
+
+#define MAX_CLIENTS 10
+
+static const char *TAG = "tg_core_fw";
+static esp_ip4_addr_t s_ap_ip;
+
+typedef struct {
+    uint32_t ip;
+    char mac[TG_FW_MAX_MAC_LEN];
+} fw_client_t;
+
+static fw_client_t s_clients[MAX_CLIENTS];
+static int s_client_count = 0;
+
+esp_err_t tollgate_core_fw_get_mac_for_ip(uint32_t client_ip, char *mac_out, size_t mac_out_size)
+{
+    wifi_sta_list_t sta_list;
+    if (esp_wifi_ap_get_sta_list(&sta_list) == ESP_OK) {
+        wifi_sta_mac_ip_list_t ip_mac_list;
+        if (esp_wifi_ap_get_sta_list_with_ip(&sta_list, &ip_mac_list) == ESP_OK) {
+            for (int i = 0; i < ip_mac_list.num; i++) {
+                if (ip_mac_list.sta[i].ip.addr == client_ip) {
+                    snprintf(mac_out, mac_out_size, "%02x:%02x:%02x:%02x:%02x:%02x",
+                             ip_mac_list.sta[i].mac[0], ip_mac_list.sta[i].mac[1],
+                             ip_mac_list.sta[i].mac[2], ip_mac_list.sta[i].mac[3],
+                             ip_mac_list.sta[i].mac[4], ip_mac_list.sta[i].mac[5]);
+                    return ESP_OK;
+                }
+            }
+        }
+    }
+
+    ip4_addr_t *entry_ip = NULL;
+    struct netif *entry_netif = NULL;
+    struct eth_addr *entry_eth = NULL;
+    ssize_t i = 0;
+    while (etharp_get_entry(i, &entry_ip, &entry_netif, &entry_eth) == ERR_OK) {
+        if (entry_ip && entry_ip->addr == client_ip && entry_eth) {
+            snprintf(mac_out, mac_out_size, "%02x:%02x:%02x:%02x:%02x:%02x",
+                     entry_eth->addr[0], entry_eth->addr[1], entry_eth->addr[2],
+                     entry_eth->addr[3], entry_eth->addr[4], entry_eth->addr[5]);
+            return ESP_OK;
+        }
+        i++;
+    }
+    return ESP_FAIL;
+}
+
+esp_err_t tollgate_core_fw_init(esp_ip4_addr_t ap_ip)
+{
+    s_ap_ip = ap_ip;
+    memset(s_clients, 0, sizeof(s_clients));
+    s_client_count = 0;
+    ip_napt_enable(s_ap_ip.addr, 1);
+    ESP_LOGI(TAG, "Firewall initialized with AP IP=" IPSTR " (NAT always on, per-client filter)", IP2STR(&s_ap_ip));
+    return ESP_OK;
+}
+
+int tollgate_core_ip4_canforward_filter(struct pbuf *p, u32_t dest_addr_hostorder)
+{
+    (void)dest_addr_hostorder;
+    if (p->len < IP_HLEN) return -1;
+    struct ip_hdr *iphdr = (struct ip_hdr *)p->payload;
+    uint32_t src_ip_h = lwip_ntohl(iphdr->src.addr);
+    uint32_t ap_subnet = lwip_ntohl(s_ap_ip.addr) & 0xFFFFFF00;
+    if ((src_ip_h & 0xFFFFFF00) != ap_subnet) {
+        return 1;
+    }
+    if (tollgate_core_fw_is_allowed(iphdr->src.addr)) {
+        return 1;
+    }
+    return 0;
+}
+
+static fw_client_t *find_client_by_ip(uint32_t client_ip)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        if (s_clients[i].ip == client_ip) return &s_clients[i];
+    }
+    return NULL;
+}
+
+static fw_client_t *find_client_by_mac(const char *mac)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        if (s_clients[i].mac[0] != '\0' && strcmp(s_clients[i].mac, mac) == 0) {
+            return &s_clients[i];
+        }
+    }
+    return NULL;
+}
+
+void tollgate_core_fw_grant(uint32_t client_ip)
+{
+    fw_client_t *existing = find_client_by_ip(client_ip);
+    if (existing) {
+        existing->ip = client_ip;
+        return;
+    }
+    if (s_client_count >= MAX_CLIENTS) {
+        ESP_LOGW(TAG, "Max clients reached, cannot grant access");
+        return;
+    }
+
+    fw_client_t *client = &s_clients[s_client_count];
+    client->ip = client_ip;
+    client->mac[0] = '\0';
+    tollgate_core_fw_get_mac_for_ip(client_ip, client->mac, sizeof(client->mac));
+    s_client_count++;
+
+    tollgate_core_dns_set_authenticated(client_ip, true);
+
+    esp_ip4_addr_t ip_addr = { .addr = client_ip };
+    ESP_LOGI(TAG, "Access granted to " IPSTR " mac=%s", IP2STR(&ip_addr),
+             client->mac[0] ? client->mac : "unknown");
+}
+
+void tollgate_core_fw_revoke(uint32_t client_ip)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        if (s_clients[i].ip == client_ip) {
+            esp_ip4_addr_t ip_addr = { .addr = client_ip };
+            ESP_LOGI(TAG, "Access revoked for " IPSTR " mac=%s", IP2STR(&ip_addr),
+                     s_clients[i].mac[0] ? s_clients[i].mac : "unknown");
+            s_clients[i] = s_clients[s_client_count - 1];
+            s_client_count--;
+            tollgate_core_dns_set_authenticated(client_ip, false);
+            return;
+        }
+    }
+}
+
+void tollgate_core_fw_revoke_all(void)
+{
+    for (int i = 0; i < s_client_count; i++) {
+        tollgate_core_dns_set_authenticated(s_clients[i].ip, false);
+    }
+    s_client_count = 0;
+    ESP_LOGI(TAG, "All client access revoked");
+}
+
+bool tollgate_core_fw_is_allowed(uint32_t client_ip)
+{
+    return find_client_by_ip(client_ip) != NULL;
+}
+
+bool tollgate_core_fw_is_mac_allowed(const char *mac)
+{
+    return find_client_by_mac(mac) != NULL;
+}
+
+int tollgate_core_fw_client_count(void)
+{
+    return s_client_count;
+}
diff --git a/components/tollgate_core/src/tollgate_core_firewall.h b/components/tollgate_core/src/tollgate_core_firewall.h
new file mode 100644
index 0000000..f06c801
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_firewall.h
@@ -0,0 +1,25 @@
+#ifndef TOLLGATE_CORE_FIREWALL_H
+#define TOLLGATE_CORE_FIREWALL_H
+
+#include "esp_err.h"
+#include "esp_netif.h"
+#include <stdbool.h>
+#include <stdint.h>
+
+struct pbuf;
+
+#define TG_FW_MAX_MAC_LEN 18
+
+esp_err_t tollgate_core_fw_init(esp_ip4_addr_t ap_ip);
+void tollgate_core_fw_grant(uint32_t client_ip);
+void tollgate_core_fw_revoke(uint32_t client_ip);
+void tollgate_core_fw_revoke_all(void);
+bool tollgate_core_fw_is_allowed(uint32_t client_ip);
+bool tollgate_core_fw_is_mac_allowed(const char *mac);
+int tollgate_core_fw_client_count(void);
+
+esp_err_t tollgate_core_fw_get_mac_for_ip(uint32_t client_ip, char *mac_out, size_t mac_out_size);
+
+int tollgate_core_ip4_canforward_filter(struct pbuf *p, uint32_t dest_addr_hostorder);
+
+#endif
diff --git a/components/tollgate_core/src/tollgate_core_session.c b/components/tollgate_core/src/tollgate_core_session.c
new file mode 100644
index 0000000..48d32e7
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_session.c
@@ -0,0 +1,200 @@
+#include "tollgate_core_session.h"
+#include "tollgate_core_firewall.h"
+#include "esp_log.h"
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+#include <string.h>
+
+static const char *TAG = "tg_core_session";
+static tg_session_t s_sessions[TG_SESSION_MAX_CLIENTS];
+static int s_session_count = 0;
+
+static const tollgate_platform_t *s_platform;
+
+void tollgate_core_session_set_platform(const tollgate_platform_t *platform)
+{
+    s_platform = platform;
+}
+
+static int64_t get_time_ms(void)
+{
+    if (s_platform && s_platform->get_time_ms) {
+        return s_platform->get_time_ms();
+    }
+    return (int64_t)xTaskGetTickCount() * portTICK_PERIOD_MS;
+}
+
+esp_err_t tollgate_core_session_init(void)
+{
+    memset(s_sessions, 0, sizeof(s_sessions));
+    s_session_count = 0;
+    ESP_LOGI(TAG, "Session manager initialized");
+    return ESP_OK;
+}
+
+static void populate_mac(tg_session_t *session, uint32_t client_ip)
+{
+    if (tollgate_core_fw_get_mac_for_ip(client_ip, session->mac, sizeof(session->mac)) != ESP_OK) {
+        session->mac[0] = '\0';
+    }
+}
+
+tg_session_t *tollgate_core_session_create(uint32_t client_ip, uint64_t allotment_ms)
+{
+    tg_session_t *existing = tollgate_core_session_find_by_ip(client_ip);
+    if (existing) {
+        tollgate_core_session_extend(existing, allotment_ms);
+        return existing;
+    }
+
+    if (s_session_count >= TG_SESSION_MAX_CLIENTS) {
+        for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+            if (!s_sessions[i].active || tollgate_core_session_is_expired(&s_sessions[i])) {
+                tollgate_core_session_revoke(&s_sessions[i]);
+                break;
+            }
+        }
+    }
+
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (!s_sessions[i].active) {
+            s_sessions[i].client_ip = client_ip;
+            s_sessions[i].allotment_ms = allotment_ms;
+            s_sessions[i].start_time_ms = get_time_ms();
+            s_sessions[i].active = true;
+            populate_mac(&s_sessions[i], client_ip);
+
+            s_session_count++;
+            tollgate_core_fw_grant(client_ip);
+
+            esp_ip4_addr_t ip = { .addr = client_ip };
+            ESP_LOGI(TAG, "Session created: " IPSTR " mac=%s allotment=%llums", IP2STR(&ip),
+                     s_sessions[i].mac[0] ? s_sessions[i].mac : "unknown",
+                     (unsigned long long)allotment_ms);
+            return &s_sessions[i];
+        }
+    }
+
+    ESP_LOGW(TAG, "No free session slots");
+    return NULL;
+}
+
+tg_session_t *tollgate_core_session_create_bytes(uint32_t client_ip, uint64_t allotment_bytes)
+{
+    tg_session_t *s = tollgate_core_session_create(client_ip, 0);
+    if (s) {
+        s->allotment_bytes = allotment_bytes;
+        s->bytes_consumed = 0;
+        s->allotment_ms = INT64_MAX;
+        esp_ip4_addr_t ip = { .addr = client_ip };
+        ESP_LOGI(TAG, "Bytes session created: " IPSTR " allotment=%llu bytes", IP2STR(&ip),
+                 (unsigned long long)allotment_bytes);
+    }
+    return s;
+}
+
+void tollgate_core_session_add_bytes(uint32_t client_ip, uint64_t bytes)
+{
+    tg_session_t *s = tollgate_core_session_find_by_ip(client_ip);
+    if (s && s->active) {
+        s->bytes_consumed += bytes;
+    }
+}
+
+tg_session_t *tollgate_core_session_find_by_ip(uint32_t client_ip)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active && s_sessions[i].client_ip == client_ip) {
+            return &s_sessions[i];
+        }
+    }
+    return NULL;
+}
+
+tg_session_t *tollgate_core_session_find_by_mac(const char *mac)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active && s_sessions[i].mac[0] != '\0' &&
+            strcmp(s_sessions[i].mac, mac) == 0) {
+            return &s_sessions[i];
+        }
+    }
+    return NULL;
+}
+
+void tollgate_core_session_extend(tg_session_t *session, uint64_t additional_ms)
+{
+    if (!session || !session->active) return;
+    session->allotment_ms += additional_ms;
+    esp_ip4_addr_t ip = { .addr = session->client_ip };
+    ESP_LOGI(TAG, "Session extended: " IPSTR " +%llums (total=%llu)", IP2STR(&ip),
+             (unsigned long long)additional_ms, (unsigned long long)session->allotment_ms);
+}
+
+bool tollgate_core_session_is_expired(const tg_session_t *session)
+{
+    if (!session || !session->active) return true;
+
+    if (s_platform && s_platform->get_metric) {
+        const char *metric = s_platform->get_metric();
+        if (metric && strcmp(metric, "bytes") == 0) {
+            return session->bytes_consumed >= session->allotment_bytes;
+        }
+    }
+
+    int64_t elapsed = get_time_ms() - session->start_time_ms;
+    return elapsed >= (int64_t)session->allotment_ms;
+}
+
+static void check_expiry(void)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active && tollgate_core_session_is_expired(&s_sessions[i])) {
+            esp_ip4_addr_t ip = { .addr = s_sessions[i].client_ip };
+            ESP_LOGI(TAG, "Session expired: " IPSTR " mac=%s", IP2STR(&ip),
+                     s_sessions[i].mac[0] ? s_sessions[i].mac : "unknown");
+            tollgate_core_session_revoke(&s_sessions[i]);
+        }
+    }
+}
+
+void tollgate_core_session_revoke(tg_session_t *session)
+{
+    if (!session || !session->active) return;
+    tollgate_core_fw_revoke(session->client_ip);
+    session->active = false;
+    s_session_count--;
+}
+
+void tollgate_core_session_revoke_all(void)
+{
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active) {
+            tollgate_core_session_revoke(&s_sessions[i]);
+        }
+    }
+}
+
+int tollgate_core_session_active_count(void)
+{
+    int count = 0;
+    for (int i = 0; i < TG_SESSION_MAX_CLIENTS; i++) {
+        if (s_sessions[i].active) count++;
+    }
+    return count;
+}
+
+void tollgate_core_session_tick(void)
+{
+    check_expiry();
+}
+
+tg_session_t *tollgate_core_session_get_array(void)
+{
+    return s_sessions;
+}
+
+int tollgate_core_session_get_array_size(void)
+{
+    return TG_SESSION_MAX_CLIENTS;
+}
diff --git a/components/tollgate_core/src/tollgate_core_session.h b/components/tollgate_core/src/tollgate_core_session.h
new file mode 100644
index 0000000..444b9fa
--- /dev/null
+++ b/components/tollgate_core/src/tollgate_core_session.h
@@ -0,0 +1,47 @@
+#ifndef TOLLGATE_CORE_SESSION_H
+#define TOLLGATE_CORE_SESSION_H
+
+#include "esp_err.h"
+#include "tollgate_platform.h"
+#include <stdint.h>
+#include <stdbool.h>
+
+#define TG_SESSION_MAX_CLIENTS     10
+#define TG_SESSION_MAX_MAC_LEN     18
+
+typedef struct {
+    uint32_t client_ip;
+    char mac[TG_SESSION_MAX_MAC_LEN];
+    uint64_t allotment_ms;
+    int64_t start_time_ms;
+    uint64_t allotment_bytes;
+    uint64_t bytes_consumed;
+    bool active;
+} tg_session_t;
+
+esp_err_t tollgate_core_session_init(void);
+void tollgate_core_session_set_platform(const tollgate_platform_t *platform);
+
+tg_session_t *tollgate_core_session_create(uint32_t client_ip, uint64_t allotment_ms);
+tg_session_t *tollgate_core_session_create_bytes(uint32_t client_ip, uint64_t allotment_bytes);
+
+void tollgate_core_session_add_bytes(uint32_t client_ip, uint64_t bytes);
+
+tg_session_t *tollgate_core_session_find_by_ip(uint32_t client_ip);
+tg_session_t *tollgate_core_session_find_by_mac(const char *mac);
+
+void tollgate_core_session_extend(tg_session_t *session, uint64_t additional_ms);
+
+bool tollgate_core_session_is_expired(const tg_session_t *session);
+
+void tollgate_core_session_revoke(tg_session_t *session);
+void tollgate_core_session_revoke_all(void);
+
+int tollgate_core_session_active_count(void);
+
+void tollgate_core_session_tick(void);
+
+tg_session_t *tollgate_core_session_get_array(void);
+int tollgate_core_session_get_array_size(void);
+
+#endif