17 files changed, 2140 insertions, 188 deletions
diff --git a/AGENTS.md b/AGENTS.md
index 6f1c399..368fd83 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -2,7 +2,7 @@
 ## Project Overview
-TollGate ESP32 firmware: captive portal WiFi hotspot with Cashu e-cash payments, on-device wallet, Nostr identity derivation, and wifistr service discovery. Runs on two ESP32-S3 boards.
+TollGate ESP32 firmware: captive portal WiFi hotspot with Cashu e-cash payments, on-device wallet, Nostr identity derivation, wifistr service discovery, and ContextVM (MCP over Nostr) server. Runs on three ESP32-S3 boards.
 ## Technology Stack
@@ -11,14 +11,18 @@ TollGate ESP32 firmware: captive portal WiFi hotspot with Cashu e-cash payments,
 - **Wallet:** nucula library (libsecp256k1) via git submodule
 - **Identity:** Nostr nsec → HMAC-SHA512 → deterministic MAC/SSID/IP
 - **Service discovery:** wifistr (Nostr kind 38787) via WebSocket
+- **ContextVM:** MCP over Nostr (kind 25910), CEP-6 announcements, 10 MCP tools
 - **Testing:** Host C unit tests (gcc), Node.js integration tests (live board), Playwright E2E
 ## Board Configuration
-| Board | Port | Factory MAC | Notes |
+| Board | Port | Factory MAC | SSID | AP IP | Notes |
-|-------|------|-------------|-------|
+|-------|------|-------------|------|-------|-------|
-| A | `/dev/ttyACM0` | `94:a9:90:2e:37:7c` | Primary test target |
+| A | `/dev/ttyACM0` | `94:a9:90:2e:37:7c` | `TollGate-B96D80` | `10.185.47.1` | Primary test target |
-| B | `/dev/ttyACM1` | `fc:01:2c:c5:50:50` | Secondary |
+| B | `/dev/ttyACM1` | `fc:01:2c:c5:50:50` | `TollGate-C0E9CA` | `10.192.45.1` | Secondary |
+| C | `/dev/ttyACM3` | `20:6e:f1:98:d7:08` | (TBD) | (TBD) | Display board |
+**IMPORTANT:** Board ports change on every USB replug. Always verify with `esptool.py --port <port> chip_id` before flashing.
 Identity (SSID, IP, MAC) is derived from `nsec` in config.json. Each board gets a unique nsec.
@@ -34,10 +38,11 @@ nvs_flash_init()
  → esp_wifi_init()
  → esp_wifi_set_mac(STA/AP)        // sets derived MACs
  → esp_wifi_set_mode(APSTA)
+  → esp_wifi_set_country_code("DE") // EU regulatory domain (channels 1-13, 20dBm)
  → wifi_configure_ap()             // uses derived SSID
  → esp_wifi_start()
  → [on STA got IP] start_services():
-      firewall_init, session_init, wallet_init, dns_server, captive_portal, api, wifistr_publish
+      sntp_init, firewall_init, session_init, wallet_init, dns_server, captive_portal, api, wifistr_publish, cvm_server_start
 ```
 ## Key Files
@@ -55,6 +60,8 @@ nvs_flash_init()
 - `session.c/h` — time-based sessions, MAC tracking
 - `cashu.c/h` — Cashu token decode, checkstate, allotment calc
 - `tollgate_api.c/h` — HTTP :2121, payment endpoints, wallet endpoints
+- `cvm_server.c/h` — ContextVM: persistent WS relay listener, kind 25910 subscription, MCP protocol handlers, CEP-6 announcements
+- `mcp_handler.c/h` — 10 MCP tool handlers (get_config, set_config, get_balance, wallet_send, get_sessions, get_usage, set_payout, set_metric, set_price, wallet_melt)
 ### Components
 - `nucula_lib/` — C++ bridge to nucula::Wallet (C API in nucula_wallet.h)
@@ -71,7 +78,8 @@ nvs_flash_init()
  "step_size_ms": 60000,
  "nostr_geohash": "u281w0dfz",
  "nostr_relays": ["wss://relay.damus.io", "wss://nos.lol"],
-  "nostr_publish_interval_s": 21600
+  "nostr_publish_interval_s": 21600,
+  "cvm_enabled": true
 }
 ```
@@ -178,6 +186,7 @@ make flash-b        # flash to Board B
 - **Test mint:** `testnut.cashu.space` — auto-pays lightning invoices
 - **Nostr relays:** `relay.damus.io`, `nos.lol` — for wifistr events
+- **CVM relay:** `relay.primal.net` — for ContextVM kind 25910 events and CEP-6 announcements
 - **Nutshell CLI:** `cashu` command for token generation
 - **ESP-IDF:** `source ~/esp/esp-idf/export.sh` before `idf.py` commands
 - **System libs for unit tests:** `libmbedtls-dev`, `libcjson-dev`
@@ -186,10 +195,17 @@ make flash-b        # flash to Board B
 - **Commit + push every time a test passes that previously didn't pass.** Green tests = checkpoint. Don't batch multiple test fixes into one commit.
 - Commit + push after each working change
- Board A is at `/dev/ttyACM0`, Board B at `/dev/ttyACM1`
+- Board A is at `/dev/ttyACM0`, Board B at `/dev/ttyACM1`, Board C at `/dev/ttyACM3`
+- **Per-board locks required** before hardware access: `make lock-a PHASE="desc"`, lock files in `physical-router-test-automation/locks/`
 - `sudo` password: `c03rad0r123`
 - SPIFFS is at offset `0x410000`, size `0xF0000` — erase with `esptool.py erase_region 0x410000 0xF0000` if config is stale
 - NVS stores wallet proofs — erasing NVS clears wallet balance
 - The `nostr_event.c` `created_at` field uses `gettimeofday()` — mock this in unit tests
 - Wifistr event signing uses `secp256k1_schnorrsig_sign32()` — verify with `_verify()` in tests
 - Portal HTML has server-side template substitution (`__AP_IP__`, `__PRICE__`, `__MINT_URL__`) — no JS fetch
+- **WiFi country code:** Must set `esp_wifi_set_country_code("DE")` before `esp_wifi_start()` — defaults to CN which causes auth failures on EU APs
+- **Board A WiFi is broken** — hardware issue confirmed: `WIFI_REASON_AUTH_EXPIRED` on all APs in all modes (APSTA, STA-only, factory MAC). Board B with identical firmware connects instantly. Do not waste time debugging Board A WiFi.
+- Default nsec: `a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2`
+- Board A nsec: `9af47906b45aca5e238390f3d03c8274e154198e81aa2095065627d1e61ca968`
+- CVM relay: `relay.primal.net` — relay disconnects every ~15s by default, now has 60s timeout + WS ping/pong keepalive
+- MCP responses sent via existing WS connection (not new TLS) — ESP32 can't handle multiple simultaneous TLS sessions
diff --git a/CHECKLIST.md b/CHECKLIST.md
index c5dfbe4..7fcc4b7 100644
--- a/CHECKLIST.md
+++ b/CHECKLIST.md
@@ -48,10 +48,83 @@
 ## Phase 6: Bytes-Based Billing — COMPLETE (commit `edd125d`)
 - [x] Dual-metric session support (milliseconds + bytes)
-## Phase 7: MCP Handler + NIP-04 + CVM Server — COMPLETE (commit `fdf662f`)
+## Phase 7: MCP Handler + NIP-04 + CVM Server — SKELETON (commit `fdf662f`)
 - [x] mcp_handler.c/h (4 tools, 25 unit tests)
 - [x] nip04.c/h (AES-256-CBC + ECDH, 15 unit tests)
- [x] cvm_server.c/h (Nostr DM listener)
+- [x] cvm_server.c/h (Nostr DM listener skeleton)
+## Phase 7b: ContextVM Protocol Rewrite — COMPLETE
+- [x] Add 6 new tools to mcp_handler.c/h (get_sessions, get_usage, set_payout, set_metric, set_price, wallet_melt)
+- [x] Update test_mcp_handler.c with tests for 6 new tools
+- [x] Rewrite cvm_server.c: persistent WebSocket listener, kind 25910 subscription
+- [x] MCP protocol handlers: initialize, notifications/initialized, tools/list, tools/call, ping
+- [x] Auth check: only accept from owner npub
+- [x] CEP-6: publish kind 11316 server announcement on startup
+- [x] CEP-6: publish kind 11317 tools list on startup
+- [x] CEP-17: publish kind 10002 relay list on startup
+- [x] Update config.c: default cvm_enabled = true
+- [x] Create test_cvm_server.c unit test (event parsing, announcement construction, auth)
+- [x] Update tests/unit/Makefile with test_cvm_server target
+- [x] Create tests/integration/test-cvm.mjs (nak-based integration test)
+- [x] Update Makefile with cvm-* targets (test-cvm, cvm-pubkey, cvm-test-tool)
+- [x] WS frame masking fix (RFC 6455 client-to-server)
+- [x] EVENT msg buffer underflow fix (snprintf buffer size)
+- [x] TLS write loop for large payloads
+- [x] WS ping/pong keepalive (30s interval)
+- [x] Subscription REQ fix (removed invalid limit field)
+- [x] SNTP init after STA gets IP
+- [x] 282 unit tests passing (61 CVM + 60 MCP + 161 existing)
+## Phase 7c: CVM Integration Testing — IN PROGRESS
+- [x] Per-board hardware locks implemented (board-a/b/c.lock)
+- [x] Lock infrastructure in 3 Makefiles (esp32-tollgate, physical-router-test-automation/esp32, top-level)
+- [x] CVM test infrastructure verified (API check, relay queries, event publishing)
+- [x] Fix CVM test API reachability check (HTTP status instead of JSON parse)
+- [x] WiFi password fix for EnterSSID-2.4GHz (c03rad0r123! — was missing `!`)
+- [x] WiFi auth threshold fix (WPA3_PSK → WPA2_PSK → WIFI_AUTH_OPEN, now WPA2_PSK)
+- [x] PMF capable mode enabled
+- [x] WIFI_ALL_CHANNEL_SCAN enabled
+- [x] WiFi country code fix (ESP-IDF defaults to CN, need DE for EU regulatory compliance)
+- [x] 2s retry delay between WiFi auth attempts
+- [x] Board B connects to WiFi successfully with country code DE
+- [x] Board A confirmed as hardware WiFi issue (auth fails on all APs, Board B works fine)
+- [x] Board B CEP-6 announcements confirmed on relay.primal.net
+- [x] Verify kind 11316 announcement on relay.primal.net — PASS
+- [x] Verify kind 11317 tools list on relay.primal.net — PASS
+- [x] Verify kind 10002 relay list on relay.primal.net — PASS
+- [x] Fix subscription #p filter (must be array, not string) — relay rejected as 'bad req'
+- [x] Fix MCP response publishing (use existing WS instead of new TLS connection)
+- [x] Fix use-after-free bug (tags_str freed before nostr_event_to_json)
+- [x] MCP initialize roundtrip via kind 25910 — PASS
+- [x] tools/call get_config via kind 25910 — PASS
+- [x] tools/call get_balance via kind 25910 — PASS
+- [x] tools/list response via kind 25910 — PASS
+- [x] tools/call set_price via kind 25910 — PASS (price updated to 42)
+- [ ] tools/call get_sessions via kind 25910
+- [ ] tools/call get_usage via kind 25910
+- [ ] Non-owner auth rejection via live relay (unit test only so far)
+- [ ] Verify board npub on contextvm.org/servers
+- [ ] Fix relay disconnect cycle (rlen=-26880 every ~15s)
+- [ ] Clean up debug logging (reduce INFO→DEBUG for verbose messages)
+- [ ] Document Board A hardware issue in AGENTS.md
+### WiFi Debugging Findings (Board A — 94:a9:90:2e:37:7c)
+- **Symptom:** `WIFI_REASON_AUTH_EXPIRED` (0x200) on all upstream APs
+- **APs tested:** EnterSSID-2.4GHz (ch11, WPA2), c03rad0r (not in range), laptop hotspot (ch6, WPA2)
+- **Modes tested:** APSTA (ch1/6/11), STA-only (no AP at all)
+- **MAC tested:** Custom (derived from nsec) and factory MAC
+- **Result:** Auth fails in ALL configurations, even STA-only 1m from laptop hotspot
+- **Root cause hypothesis 1:** Missing WiFi country code — ESP-IDF defaults to CN regulatory domain, boards are in DE. Different TX power limits and channel parameters may cause APs to ignore ESP32 auth frames.
+- **Root cause hypothesis 2:** Hardware antenna issue on Board A — needs testing on other boards to confirm
+- **Spectrum:** Dense environment (ch1: 2 APs, ch6: 4 APs, ch11: 4 APs) but laptop connects fine at 100%
+- **Next step:** Add `esp_wifi_set_country_code("DE")` and test Board A, then Board B/C if needed
+### Per-Board Hardware Locks
+- [x] Lock files in `physical-router-test-automation/locks/` (board-a.lock, board-b.lock, board-c.lock)
+- [x] `lock-a/b/c`, `unlock-a/b/c`, `force-unlock-a/b/c` targets
+- [x] All hardware-touching targets require corresponding board lock
+- [x] Read-only targets (build, cvm-pubkey, lock-status) work without lock
+- [x] Board port mapping updated: A=ACM0, B=ACM1, C=ACM3
 ## Bug Fixes — COMPLETE (commit `3342c8e`)
 - [x] reset_auth, /usage, metric default, sys_evt stack overflow fixes
@@ -78,6 +151,21 @@
 - [x] Update `tests/unit/test_session.c`
 - [x] 186 unit tests passing
+## TFT Display (JC3248W535 / AXS15231B) — IN PROGRESS
+- [x] Create QR code component (port qrcoded from NSD, fix bool/pragma/comparison warnings)
+- [x] Create AXS15231B QSPI display driver component (init sequence, PSRAM framebuffer, chunked flush)
+- [x] Create 8x8 bitmap font (ASCII 32-127)
+- [x] Create display abstraction layer (display.h/c — boot/ready/payment/error states)
+- [x] Integrate display into tollgate_main.c and main/CMakeLists.txt
+- [x] Build succeeds (binary 1.2MB, 71% free in partition)
+- [x] Wi-Fi QR code encoding: `WIFI:S:<escaped_ssid>;T:nopass;;` with special char escaping (`\;:,"`)
+- [x] QR cycling: alternate between Wi-Fi QR and portal URL QR every 5 seconds
+- [ ] Flash to JC3248W535 board at `/dev/ttyACM0` and test
+- [ ] Verify Wi-Fi QR is scannable by Android/iOS camera
+- [ ] Verify portal URL QR is scannable and loads captive portal
+- [ ] Add unit tests for QR generation and escape_wifi_field()
+- [ ] Update AGENTS.md with display module docs
 ---
 ## TODO — Remaining
@@ -125,12 +213,13 @@
 ## Reminders
 - **Commit + push every time a test passes that previously didn't pass**
- Board A: `/dev/ttyACM0`, SSID `TollGate-C0E9CA`, AP IP `10.192.45.1`
+- Board A: `/dev/ttyACM0`, MAC `94:a9:90:2e:37:7c`, SSID `TollGate-B96D80`, AP IP `10.185.47.1`
- Board B: `/dev/ttyACM1`, SSID `TollGate-b96d80`, AP IP `10.185.47.1`, nsec `9af47906...`
+- Board B: `/dev/ttyACM1`, MAC `fc:01:2c:c5:50:50`, SSID `TollGate-C0E9CA`, AP IP `10.192.45.1`
- OpenWRT Router: SSH `root@10.47.41.1`, port 2121
+- Board C: `/dev/ttyACM3`, MAC `20:6e:f1:98:d7:08`
 - `source ~/esp/esp-idf/export.sh` before `idf.py`
- Latest commit: `0c2c67b`
- 186 unit tests + 18 Playwright tests — all passing
 - sudo password: `c03rad0r123`
 - Token generation: `cashu -h https://testnut.cashu.space send --legacy 21`
+- SPIFFS offset `0x410000`, size `0xF0000`
 - See `AGENTS.md` for full testing rules
+- **Per-board locks:** `make lock-a PHASE="desc"` before hardware access
+- **WiFi country code:** Must set `esp_wifi_set_country_code("DE")` before `esp_wifi_start()`
diff --git a/Makefile b/Makefile
index 40f0e7b..10b7359 100644
--- a/Makefile
+++ b/Makefile
@@ -19,13 +19,71 @@ PYTHON ?= python3
 TOLLGATE_IP ?= 10.192.45.1
+BOARD ?= b
+HARDWARE_LOCK_DIR := /home/c03rad0r/physical-router-test-automation/locks
+RED := \033[31m
+GREEN := \033[32m
+YELLOW := \033[33m
+BOLD := \033[1m
+RESET := \033[0m
+define require_lock_a
+        @if [ ! -f "$(HARDWARE_LOCK_DIR)/board-a.lock" ]; then \
+                echo "$(RED)$(BOLD)Board A not locked — run 'make lock-a PHASE=\"description\"' first$(RESET)"; \
+                echo "$(YELLOW)Another LLM session may be using Board A.$(RESET)"; \
+                exit 1; \
+        fi
+endef
+define require_lock_b
+        @if [ ! -f "$(HARDWARE_LOCK_DIR)/board-b.lock" ]; then \
+                echo "$(RED)$(BOLD)Board B not locked — run 'make lock-b PHASE=\"description\"' first$(RESET)"; \
+                echo "$(YELLOW)Another LLM session may be using Board B.$(RESET)"; \
+                exit 1; \
+        fi
+endef
+define _require_board_lock
+        @if [ ! -f "$(HARDWARE_LOCK_DIR)/board-$(BOARD).lock" ]; then \
+                echo "$(RED)$(BOLD)Board $(BOARD) not locked — run 'make lock-$(BOARD) PHASE=\"description\"' first$(RESET)"; \
+                echo "$(YELLOW)Another LLM session may be using Board $(BOARD).$(RESET)"; \
+                exit 1; \
+        fi
+endef
+define _acquire_lock
+        @if [ -f "$(HARDWARE_LOCK_DIR)/$(1).lock" ]; then \
+                echo "$(RED)$(BOLD)Cannot acquire lock — $(1) already locked:$(RESET)"; \
+                echo ""; \
+                cat $(HARDWARE_LOCK_DIR)/$(1).lock | sed 's/^/  /'; \
+                echo ""; \
+                echo "$(YELLOW)Use 'make force-unlock-$(1)' to override.$(RESET)"; \
+                exit 1; \
+        fi; \
+        branch=$$(git branch --show-current 2>/dev/null || echo "unknown"); \
+        worktree=$$(pwd); \
+        echo "locked: true" > $(HARDWARE_LOCK_DIR)/$(1).lock; \
+        echo "board: $(1)" >> $(HARDWARE_LOCK_DIR)/$(1).lock; \
+        echo "branch: $$branch" >> $(HARDWARE_LOCK_DIR)/$(1).lock; \
+        echo "worktree: $$worktree" >> $(HARDWARE_LOCK_DIR)/$(1).lock; \
+        echo "session: $$USER@$$HOSTNAME" >> $(HARDWARE_LOCK_DIR)/$(1).lock; \
+        echo "timestamp: $$(date -u '+%Y-%m-%dT%H:%M:%SZ')" >> $(HARDWARE_LOCK_DIR)/$(1).lock; \
+        echo "phase: $(PHASE)" >> $(HARDWARE_LOCK_DIR)/$(1).lock; \
+        echo "$(GREEN)$(BOLD)$(1) lock acquired$(RESET)"; \
+        cat $(HARDWARE_LOCK_DIR)/$(1).lock
+endef
 .PHONY: help setup detect-ports detect-chip detect-all
 .PHONY: flash flash-a flash-b monitor monitor-a monitor-b
 .PHONY: test test-unit test-integration test-e2e test-all
 .PHONY: test-smoke test-api test-network test-portal test-payment
-.PHONY: test-reset-auth test-session-expiry test-dns-firewall
+.PHONY: test-reset-auth test-session-expiry test-dns-firewall test-cvm
 .PHONY: tokens wallet-setup wallet-info wallet-balance mint-token send-token
 .PHONY: clean erase-nvs reset serial-log bootstrap-config
+.PHONY: cvm-pubkey cvm-test-tool cvm-announce
+.PHONY: lock-a lock-b unlock-a unlock-b force-unlock-a force-unlock-b lock-status
 help:
        @echo "TollGate ESP32 — Makefile"
@@ -50,6 +108,12 @@ help:
        @echo "  test-reset-auth   Reset auth + per-client NAT filter test"
        @echo "  test-dns-firewall DNS hijack + NAT filter test"
        @echo "  test-session-expiry Session lifecycle with 65s expiry wait"
+        @echo "  test-cvm          ContextVM protocol integration test"
+        @echo ""
+        @echo "ContextVM:"
+        @echo "  cvm-pubkey        Print board's ContextVM npub"
+        @echo "  cvm-announce      Trigger re-publish of CEP-6 announcements"
+        @echo "  cvm-test-tool     Send single MCP tools/call (METHOD=get_config)"
        @echo ""
        @echo "Wallet:"
        @echo "  wallet-setup      Initialize nutshell wallet for test mint"
@@ -122,13 +186,18 @@ setup:
 flash: build
        @echo "=== Flashing to $(PORT) ==="
-        . $(IDF_PATH)/export.sh && idf.py -p $(PORT) -b $(BAUD) flash
+        @echo "$(RED)Error: use 'make flash-a' or 'make flash-b' (per-board lock required)$(RESET)"
+        @exit 1
-flash-a: PORT=$(PORT_A)
+flash-a: build
-flash-a: flash
+        $(call require_lock_a)
+        @echo "=== Flashing to $(PORT_A) (Board A) ==="
+        . $(IDF_PATH)/export.sh && idf.py -p $(PORT_A) -b $(BAUD) flash
-flash-b: PORT=$(PORT_B)
+flash-b: build
-flash-b: flash
+        $(call require_lock_b)
+        @echo "=== Flashing to $(PORT_B) (Board B) ==="
+        . $(IDF_PATH)/export.sh && idf.py -p $(PORT_B) -b $(BAUD) flash
 build:
        @echo "=== Building $(TARGET) ==="
@@ -136,14 +205,13 @@ build:
                idf.py set-target $(TARGET) 2>/dev/null; \
                idf.py build
-monitor:
+monitor-a:
-        . $(IDF_PATH)/export.sh && idf.py -p $(PORT) monitor
+        $(call require_lock_a)
+        . $(IDF_PATH)/export.sh && idf.py -p $(PORT_A) monitor
-monitor-a: PORT=$(PORT_A)
+monitor-b:
-monitor-a: monitor
+        $(call require_lock_b)
+        . $(IDF_PATH)/export.sh && idf.py -p $(PORT_B) monitor
-monitor-b: PORT=$(PORT_B)
-monitor-b: monitor
 # ──────────────────────────────────────────────
 # Testing
@@ -153,10 +221,11 @@ test-unit:
        @echo "=== Running host unit tests ==="
        $(MAKE) -C tests/unit test
-test-integration: test-api test-network test-reset-auth test-dns-firewall
+test-integration: test-api test-network test-reset-auth test-dns-firewall test-cvm
        @echo "=== Integration tests passed ==="
 test-e2e:
+        $(call _require_board_lock)
        @echo "=== Running Playwright E2E tests ==="
        cd tests/e2e && npx playwright test
@@ -167,37 +236,50 @@ test: test-unit test-integration
        @echo "=== Tests passed ==="
 test-smoke:
+        $(call _require_board_lock)
        @echo "=== Running smoke test (30s) ==="
        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/smoke.mjs
 test-api:
+        $(call _require_board_lock)
        @echo "=== Running API tests ==="
        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/api.mjs
 test-network:
+        $(call _require_board_lock)
        @echo "=== Running network tests ==="
        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/network.mjs
 test-portal:
+        $(call _require_board_lock)
        @echo "=== Running Playwright portal tests ==="
        cd tests/e2e && npx playwright test captive-portal.spec.mjs
 test-payment:
+        $(call _require_board_lock)
        @echo "=== Running payment tests ==="
        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/phase2.mjs
 test-reset-auth:
+        $(call _require_board_lock)
        @echo "=== Running reset auth test ==="
        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/test-reset-auth.mjs
 test-session-expiry:
+        $(call _require_board_lock)
        @echo "=== Running session expiry test (65s wait, ~80s total) ==="
        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/test-session-expiry.mjs
 test-dns-firewall:
+        $(call _require_board_lock)
        @echo "=== Running DNS + firewall test ==="
        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/test-dns-firewall.mjs
+test-cvm:
+        $(call _require_board_lock)
+        @echo "=== Running CVM integration test ==="
+        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/test-cvm.mjs
 # ──────────────────────────────────────────────
 # Wallet
 # ──────────────────────────────────────────────
@@ -230,6 +312,33 @@ send-token:
 tokens: send-token
 # ──────────────────────────────────────────────
+# ContextVM
+# ──────────────────────────────────────────────
+cvm-pubkey:
+        @echo "=== Board ContextVM npub ==="
+        @nak key public a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 | xargs -I{} nak encode npub {}
+        @echo ""
+        @echo "Search for this npub on https://contextvm.org/servers"
+cvm-announce:
+        @echo "=== Triggering CEP-6 re-announcement ==="
+        curl -s http://$(TOLLGATE_IP):2121/ | head -1 || echo "Board not reachable"
+cvm-test-tool:
+        $(call _require_board_lock)
+        @METHOD=$${METHOD:-get_config}; \
+        PARAMS=$${PARAMS:-{}}; \
+        echo "=== Calling $$METHOD via CVM ==="; \
+        NPUB_HEX=$$(nak key public a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2); \
+        CONTENT="$$(echo "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"$$METHOD\",\"arguments\":$$PARAMS}}" | jq -c .)"; \
+        EVENT_JSON="$$(nak event --kind 25910 --tag p=$$NPUB_HEX --content "$$CONTENT" wss://relay.damus.io 2>/dev/null)"; \
+        echo "Published: $$EVENT_JSON"; \
+        echo "Waiting for response..."; \
+        sleep 3; \
+        nak req -k 25910 -a $$NPUB_HEX -l 5 wss://relay.damus.io
+# ──────────────────────────────────────────────
 # Utilities
 # ──────────────────────────────────────────────
@@ -238,16 +347,19 @@ clean:
        . $(IDF_PATH)/export.sh && idf.py fullclean
 erase-nvs:
+        $(call _require_board_lock)
        @echo "=== Erasing NVS on $(PORT) ==="
        . $(IDF_PATH)/export.sh && \
                partition_offset=$$(idf.py partition-table 2>/dev/null | grep nvs | awk '{print $$2}'); \
                python3 -m esptool --port $(PORT) erase_region $$partition_offset 0x6000
 reset:
+        $(call _require_board_lock)
        @echo "=== Resetting device on $(PORT) ==="
        python3 -m esptool --port $(PORT) run 2>/dev/null || true
 serial-log:
+        $(call _require_board_lock)
        @echo "=== Capturing serial output from $(PORT) ==="
        python3 -c "import serial; s=serial.Serial('$(PORT)',115200,timeout=1); \
                [print(s.readline().decode(errors='replace'),end='') for _ in iter(lambda: s.readline(), b'')]"
@@ -256,3 +368,55 @@ bootstrap-config:
        @echo "=== Bootstrapping config.json ==="
        @echo '{"wifi_networks":[{"ssid":"$(WIFI_SSID)","password":"$(WIFI_PASSWORD)"}],"ap_ssid":"$(AP_SSID)","ap_password":"$(AP_PASSWORD)","mint_url":"$(MINT_URL)","lnurl_url":"$(LNURL_URL)","price_per_step":$(PRICE_PER_STEP),"step_size_ms":$(STEP_SIZE)}' > main/config.json
        @echo "Config written to main/config.json"
+# ──────────────────────────────────────────────
+# Per-Board Hardware Locks
+# ──────────────────────────────────────────────
+lock-a: ## Acquire Board A lock (set PHASE="description")
+        $(call _acquire_lock,board-a)
+lock-b: ## Acquire Board B lock (set PHASE="description")
+        $(call _acquire_lock,board-b)
+unlock-a: ## Release Board A lock
+        @if [ ! -f "$(HARDWARE_LOCK_DIR)/board-a.lock" ]; then \
+                echo "$(YELLOW)Board A not locked.$(RESET)"; exit 0; \
+        fi; \
+        rm -f $(HARDWARE_LOCK_DIR)/board-a.lock; \
+        echo "$(GREEN)Board A lock released.$(RESET)"
+unlock-b: ## Release Board B lock
+        @if [ ! -f "$(HARDWARE_LOCK_DIR)/board-b.lock" ]; then \
+                echo "$(YELLOW)Board B not locked.$(RESET)"; exit 0; \
+        fi; \
+        rm -f $(HARDWARE_LOCK_DIR)/board-b.lock; \
+        echo "$(GREEN)Board B lock released.$(RESET)"
+force-unlock-a: ## Force-release Board A lock
+        @if [ ! -f "$(HARDWARE_LOCK_DIR)/board-a.lock" ]; then \
+                echo "$(YELLOW)Board A not locked.$(RESET)"; exit 0; \
+        fi; \
+        echo "$(RED)$(BOLD)WARNING: Force-releasing Board A!$(RESET)"; \
+        cat $(HARDWARE_LOCK_DIR)/board-a.lock | sed 's/^/  /'; \
+        rm -f $(HARDWARE_LOCK_DIR)/board-a.lock; \
+        echo "$(GREEN)Board A force-released.$(RESET)"
+force-unlock-b: ## Force-release Board B lock
+        @if [ ! -f "$(HARDWARE_LOCK_DIR)/board-b.lock" ]; then \
+                echo "$(YELLOW)Board B not locked.$(RESET)"; exit 0; \
+        fi; \
+        echo "$(RED)$(BOLD)WARNING: Force-releasing Board B!$(RESET)"; \
+        cat $(HARDWARE_LOCK_DIR)/board-b.lock | sed 's/^/  /'; \
+        rm -f $(HARDWARE_LOCK_DIR)/board-b.lock; \
+        echo "$(GREEN)Board B force-released.$(RESET)"
+lock-status: ## Show all board lock statuses
+        @for board in a b; do \
+                if [ -f "$(HARDWARE_LOCK_DIR)/board-$$board.lock" ]; then \
+                        echo "$(YELLOW)Board $$board: LOCKED$(RESET)"; \
+                        cat $(HARDWARE_LOCK_DIR)/board-$$board.lock | sed 's/^/  /'; \
+                else \
+                        echo "Board $$board: $(GREEN)available$(RESET)"; \
+                fi; \
+        done
diff --git a/PLAN.md b/PLAN.md
index 5690c1b..9f286a9 100644
--- a/PLAN.md
+++ b/PLAN.md
@@ -473,21 +473,48 @@ uint64_t bytes_consumed;
 | 51 | NAPT byte counting | Integration | Counters match actual traffic | TODO |
 | 52 | Bytes metric end-to-end | E2E | Client disconnected after data cap | TODO |
-### Phase 7: ContextVM Server (MCP over Nostr) — COMPLETE
+### Phase 7: ContextVM Server (MCP over Nostr) — REWRITE IN PROGRESS
-**Goal:** Remote configuration of ESP32 TollGate via ContextVM — services communicate over Nostr using public keys as addresses. Exposes configuration as MCP tools accessible by both humans and AI agents.
+**Goal:** Full ContextVM protocol implementation — ESP32 acts as an MCP server discoverable on the Nostr network via CEP-6 public announcements, communicating via kind 25910 ephemeral events.
-**New files:** `main/cvm_server.c`, `main/cvm_server.h`, `main/nip44.c`, `main/nip44.h`, `main/mcp_handler.c`, `main/mcp_handler.h`
+**Protocol:** ContextVM transports MCP JSON-RPC 2.0 messages over Nostr. Server is identified by its npub (derived from nsec). Clients discover the server via kind 11316 announcements, then communicate via kind 25910 ephemeral events.
 #### Architecture
-ContextVM uses MCP (JSON-RPC 2.0) over NIP-44 encrypted Nostr DMs:
+```
-1. ESP32 subscribes to Nostr relays for DMs addressed to its npub
+Client (nak/ContextVM SDK)
-2. Incoming DMs are NIP-44 decrypted, parsed as MCP JSON-RPC requests
+  → publishes kind 25910 to relay ({"method":"tools/call","params":{"name":"get_config"}})
-3. Dispatched to registered tool handlers
+  → ESP32 cvm_server reads from persistent WebSocket subscription
-4. Responses sent back via NIP-44 encrypted DM
+  → parses MCP JSON-RPC from event content
+  → dispatches to mcp_handler.c
+  → publishes kind 25910 response back to relay
+  → client receives response via subscription
+```
+#### ContextVM Event Kinds Used
+| Kind | Purpose | CEP |
+|------|---------|-----|
+| 25910 | MCP request/response transport (ephemeral) | Draft spec |
+| 11316 | Server announcement (replaceable) | CEP-6 |
+| 11317 | Tools list announcement (replaceable) | CEP-6 |
+| 10002 | Relay list (replaceable) | CEP-17 (NIP-65) |
+#### MCP Protocol Flow
-#### MCP Tools Exposed
+1. ESP32 publishes kind 11316 (server announcement) + kind 11317 (tools list) + kind 10002 (relay list) on startup
+2. ESP32 opens persistent WebSocket to relays, subscribes to `{"kinds":[25910],"#p":["<npub>"]}`
+3. Client sends kind 25910 `initialize` request
+4. ESP32 responds with kind 25910 `initialize` result (capabilities, serverInfo)
+5. Client sends `notifications/initialized`
+6. Client calls `tools/list` or `tools/call`
+7. ESP32 dispatches to `mcp_handler.c`, returns result
+#### Encryption
+Phase 7a ships with **plaintext** kind 25910 events. Encryption (CEP-4: NIP-44 gift wrap) is deferred to Phase 7b. The `support_encryption` tag is NOT included in announcements until Phase 7b.
+#### MCP Tools Exposed (10 total)
 | Tool | Input | Output |
 |------|-------|--------|
@@ -497,32 +524,89 @@ ContextVM uses MCP (JSON-RPC 2.0) over NIP-44 encrypted Nostr DMs:
 | `get_sessions` | — | Array of active sessions |
 | `get_usage` | — | Upstream usage if client active |
 | `set_payout` | `{recipients: [...]}` | Success/error |
-| `set_metric` | `{"bytes" or "milliseconds"}` | Success/error |
+| `set_metric` | `{"metric": "bytes" or "milliseconds"}` | Success/error |
-| `set_price` | `{price_per_step: N}` | Success/error |
+| `set_price` | `{"price_per_step": N}` | Success/error |
-| `wallet_send` | `{amount_sats: N}` | `{token: "cashuA..."}` |
+| `wallet_send` | `{"amount": N}` | `{token: "cashuA..."}` |
-| `wallet_melt` | `{bolt11: "ln..."}` | `{preimage: "..."}` |
+| `wallet_melt` | `{"bolt11": "ln..."}` | `{preimage: "..."}` |
 #### Auth
-Only accept commands from owner npub (derived from nsec in config.json).
+Only accept kind 25910 requests from owner npub (derived from nsec in config.json). Non-owner requests are silently dropped.
 #### Dependencies
- XChaCha20-Poly1305 (from mbedtls or libsodium)
+- WebSocket persistent connection (extends `wifistr.c` TLS + WS pattern)
- Base64url encoding (already in cashu code)
+- secp256k1 Schnorr signing (existing `nostr_event.c`)
- WebSocket listener (extends existing wifistr infrastructure)
+- cJSON (existing)
- NIP-44 v2 encryption/decryption
+- mbedtls TLS (existing)
+- NIP-04 encryption (existing `nip04.c`) — for future encrypted mode
+#### Files
+| File | Status | Purpose |
+|------|--------|---------|
+| `main/cvm_server.c` | Rewrite | WS listener, MCP handlers, CEP-6 announcements |
+| `main/cvm_server.h` | Update | New public API |
+| `main/mcp_handler.c` | Extend | 6 new tools |
+| `main/mcp_handler.h` | Update | New tool enums + handlers |
+| `main/config.c` | Minor | Default `cvm_enabled = true` |
+| `tests/unit/test_cvm_server.c` | New | CVM unit tests |
+| `tests/unit/test_mcp_handler.c` | Extend | 6 new tool tests |
+| `tests/integration/test-cvm.mjs` | New | CVM integration test via nak |
+| `Makefile` | Update | `cvm-*` targets |
 #### Test Cases
 | # | Test | Method | Pass Criteria | Status |
 |---|------|--------|---------------|--------|
-| 53 | NIP-44 encrypt/decrypt | Unit test | Roundtrip matches | TODO |
+| 53 | MCP JSON-RPC parse from kind 25910 | Unit test | Correct dispatch to tool handler | PASS |
-| 54 | MCP JSON-RPC parse | Unit test | Correct dispatch | TODO |
+| 54 | Kind 11316 announcement construction | Unit test | Valid event with correct tags/capabilities | PASS |
-| 55 | Config change via DM | Integration | ESP32 applies new config | TODO |
+| 55 | Kind 11317 tools list construction | Unit test | All 10 tools listed with schemas | PASS |
-| 56 | Balance query via CVM | Integration | Returns correct balance | TODO |
+| 56 | Kind 10002 relay list construction | Unit test | Correct `r` tags | PASS |
+| 57 | Auth rejection for non-owner | Unit test | Non-owner events dropped | PASS |
-## Total: 56 Tests across 7 phases
+| 58 | MCP initialize response | Unit test | Correct capabilities + serverInfo | PASS |
+| 59 | New tool: get_sessions | Unit test | Returns session array | PASS |
+| 60 | New tool: get_usage | Unit test | Returns usage stats | PASS |
+| 61 | New tool: set_payout | Unit test | Updates payout config | PASS |
+| 62 | New tool: set_metric | Unit test | Updates metric field | PASS |
+| 63 | New tool: set_price | Unit test | Updates price_per_step | PASS |
+| 64 | New tool: wallet_melt | Unit test | Calls nucula_wallet_melt | PASS |
+| 65 | Kind 11316 on relay | Integration | Announcement found on relay | PASS* |
+| 66 | MCP initialize roundtrip | Integration | Response received via nak | PASS |
+| 67 | get_config via CVM | Integration | Returns valid JSON config | PASS |
+| 68 | get_balance via CVM | Integration | Returns balance + proofs | PASS |
+| 69 | set_price via CVM | Integration | Price updated on device | PASS |
+| 70 | Kind 11317 on relay | Integration | Tools list found on relay | PASS |
+| 71 | Kind 10002 on relay | Integration | Relay list found on relay | PASS |
+| 72 | API reachability from host | Integration | HTTP 200 from board AP | PASS |
+| 73 | CVM event publish from host | Integration | Kind 25910 published to relay | PASS |
+| 74 | tools/list via CVM | Integration | All 10 tools listed | PASS |
+| 75 | get_sessions via CVM | Integration | Returns session array | TODO |
+| 76 | get_usage via CVM | Integration | Returns usage stats | TODO |
+| 77 | Non-owner rejection (live) | Integration | Unauthorized event ignored | TODO |
+| 78 | Relay reconnect resilience | Integration | Board reconnects after disconnect | PASS |
+## Total: 85 Tests across 8 phases
+## Merge Readiness Checklist
+### Code Quality
+- [ ] Fix relay disconnect cycle (rlen=-26880 every ~15s, WS read has no timeout)
+- [ ] Clean up debug logging (Sending WS response, WS send result → DEBUG level)
+- [ ] Document Board A hardware WiFi issue in AGENTS.md
+### Integration Testing (needs Board B + relay.primal.net)
+- [ ] tools/list response via kind 25910
+- [ ] tools/call set_price via kind 25910
+- [ ] tools/call get_sessions via kind 25910
+- [ ] tools/call get_usage via kind 25910
+- [ ] Non-owner auth rejection via live relay
+- [ ] Verify board npub on contextvm.org/servers
+### Pre-merge
+- [ ] `make test-unit` — all 282 unit tests pass
+- [ ] Rebase feature/cvm-integration onto master (1 commit behind)
+- [ ] Verify no conflicts with feature branches (display-fix, multi-mint, price-discovery)
 ## Post-Phase 7: Bug Fixes & Architecture Improvements
@@ -591,6 +675,78 @@ int tollgate_ip4_canforward_filter(struct pbuf *p, u32_t dest_addr_hostorder) {
 **Rationale:** The mint's `cashu_check_proof_states()` already catches double-spends over HTTP. `nucula_wallet_receive()` → `swap()` registers proofs as spent and replaces them. After a successful receive, the old token is useless. Local tracking adds no security, wastes 6.5KB RAM, and is lost on reboot anyway.
+### Phase 8: TFT Display (JC3248W535 / AXS15231B) — IN PROGRESS
+**Goal:** Add TFT display support to the JC3248W535 board for QR code rendering + status text. Display cycles between a Wi-Fi QR code (so customers can connect) and a portal URL QR code (for direct portal access).
+**Hardware:** JC3248W535 board — ESP32-S3, AXS15231B 320x480 QSPI TFT, capacitive touch
+**Pin mapping:** CS=45, CLK=47, D0=21, D1=48, D2=40, D3=39, BL=1, Touch SDA=4, Touch SCL=8
+#### Components Created
+| Component | Path | Purpose |
+|-----------|------|---------|
+| `components/qrcode/` | `qrcoded.c/h` + CMakeLists.txt | QR code generation (ported from NSD, MIT license) |
+| `components/axs15231b/` | `axs15231b.c/h` + CMakeLists.txt | AXS15231B QSPI display driver |
+| `main/display.c/h` | Display abstraction | FreeRTOS display task, state machine, QR cycling |
+| `main/font.c/h` | 8x8 bitmap font | ASCII 32-127 for status text rendering |
+#### Display States
+| State | Screen | QR Content |
+|-------|--------|------------|
+| `DISPLAY_BOOT` | "TollGate starting..." | None |
+| `DISPLAY_READY` | QR code + SSID label | Cycles: Wi-Fi QR ↔ Portal URL QR every 5s |
+| `DISPLAY_PAYMENT_RECEIVED` | Green "Paid! Access granted" | None (2s, then READY) |
+| `DISPLAY_ERROR` | Red "No upstream" | None |
+#### Wi-Fi QR Code Format
+Uses the standardized ZXing `WIFI:` URI scheme — natively recognized by Android and iOS camera apps:
+```
+WIFI:S:<escaped_ssid>;T:nopass;;
+```
+**Special character escaping**: `;`, `:`, `\`, `,`, `"` are backslash-escaped in the SSID field per spec.
+**Example:**
+```
+SSID: TollGate-C0E9CA → WIFI:S:TollGate-C0E9CA;T:nopass;;
+SSID: My;WiFi:Test → WIFI:S:My\;WiFi\:Test;T:nopass;;
+```
+When scanned, the phone **automatically connects** to the TollGate AP — then the captive portal takes over for payment.
+#### QR Cycling
+The display alternates between two QR modes every 5 seconds:
+1. **Wi-Fi QR** — `WIFI:S:...;T:nopass;;` — auto-connects phone to AP
+2. **Portal URL QR** — `http://10.x.x.1/` — direct link to captive portal
+Label text below QR changes to indicate current mode: "Scan to connect" vs "Portal URL".
+#### Display Driver Architecture
+- **Interface**: Single-line SPI (MOSI on D0/GPIO21) — simpler than QSPI, reliable for V1
+- **Framebuffer**: 307,200 bytes (480x320x2 RGB565) in PSRAM via `heap_caps_malloc`
+- **Flush**: 10 chunks of 32KB via `spi_device_polling_transmit`
+- **Rotation**: Landscape (MADCTL=0x60, MX|MV)
+- **Backlight**: GPIO1 active-high
+#### Test Cases
+| # | Test | Method | Pass Criteria | Status |
+|---|------|--------|---------------|--------|
+| 70 | Wi-Fi QR scannable | Android camera scan | Phone connects to AP | TODO |
+| 71 | Portal URL QR scannable | Android camera scan | Browser opens portal | TODO |
+| 72 | QR cycling | Watch display | Mode changes every 5s | TODO |
+| 73 | Boot screen | Visual | "TollGate starting..." shown | TODO |
+| 74 | Payment screen | Trigger payment | Green "Paid!" for 2s | TODO |
+| 75 | Error screen | Disconnect upstream | Red "No upstream" | TODO |
+| 76 | Special char escape | Unit test | `\;:,"` correctly escaped | TODO |
+| 77 | QR generation | Unit test | Valid QR matrix for various string lengths | TODO |
 ## Testing Infrastructure
 ### Three-Layer Test Architecture
diff --git a/main/CMakeLists.txt b/main/CMakeLists.txt
index 91748f2..9b0fb1c 100644
--- a/main/CMakeLists.txt
+++ b/main/CMakeLists.txt
@@ -16,8 +16,10 @@ idf_component_register(SRCS "tollgate_main.c"
                            "nip04.c"
                            "mcp_handler.c"
                            "cvm_server.c"
+                            "display.c"
+                            "font.c"
                    INCLUDE_DIRS "."
                    REQUIRES esp_wifi esp_event esp_netif nvs_flash esp_http_server
                             lwip json esp_http_client mbedtls esp-tls log spiffs
-                             nucula_lib secp256k1
+                             nucula_lib secp256k1 axs15231b qrcode
                    PRIV_REQUIRES esp-tls)
diff --git a/main/config.c b/main/config.c
index e937fb3..9dd2a1d 100644
--- a/main/config.c
+++ b/main/config.c
@@ -16,7 +16,7 @@ esp_err_t tollgate_config_init(void)
 {
    memset(&g_config, 0, sizeof(g_config));
    g_config.max_retry = 5;
-    g_config.ap_channel = 1;
+    g_config.ap_channel = 6;
    g_config.ap_max_conn = 4;
    g_config.price_per_step = 21;
    g_config.step_size_ms = 60000;
@@ -33,8 +33,8 @@ esp_err_t tollgate_config_init(void)
    g_config.payout.check_interval_s = 60;
    g_config.payout.recipient_count = 0;
    g_config.payout.mint_count = 0;
-    g_config.cvm_enabled = false;
+    g_config.cvm_enabled = true;
-    strncpy(g_config.cvm_relays, "wss://relay.damus.io", sizeof(g_config.cvm_relays) - 1);
+    strncpy(g_config.cvm_relays, "wss://relay.primal.net", sizeof(g_config.cvm_relays) - 1);
    esp_vfs_spiffs_conf_t conf = {
        .base_path = "/spiffs",
@@ -54,7 +54,9 @@ esp_err_t tollgate_config_init(void)
        const char *default_json = "{"
            "\"nsec\":\"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2\","
            "\"wifi_networks\":["
-              "{\"ssid\":\"EnterSSID-2.4GHz\",\"password\":\"c03rad0r123!\"}"
+              "{\"ssid\":\"EnterSSID-2.4GHz\",\"password\":\"c03rad0r123!\"},"
+              "{\"ssid\":\"c03rad0r\",\"password\":\"c03rad0r123\"},"
+              "{\"ssid\":\"TK-GAESTE\",\"password\":\"\"}"
            "],"
            "\"ap_password\":\"\","
            "\"mint_url\":\"https://testnut.cashu.space\","
@@ -289,6 +291,9 @@ esp_err_t tollgate_config_get_wifi(wifi_config_t *wifi_config)
    strncpy((char *)wifi_config->sta.ssid, g_config.networks[idx].ssid, sizeof(wifi_config->sta.ssid) - 1);
    strncpy((char *)wifi_config->sta.password, g_config.networks[idx].password, sizeof(wifi_config->sta.password) - 1);
    wifi_config->sta.threshold.authmode = WIFI_AUTH_WPA2_PSK;
+    wifi_config->sta.pmf_cfg.capable = true;
+    wifi_config->sta.pmf_cfg.required = false;
+    wifi_config->sta.scan_method = WIFI_ALL_CHANNEL_SCAN;
    return ESP_OK;
 }
diff --git a/main/cvm_server.c b/main/cvm_server.c
index 5addd88..b93e176 100644
--- a/main/cvm_server.c
+++ b/main/cvm_server.c
@@ -2,219 +2,771 @@
 #include "mcp_handler.h"
 #include "nip04.h"
 #include "identity.h"
+#include "nostr_event.h"
 #include "config.h"
+#include "session.h"
 #include "nucula_wallet.h"
 #include "cJSON.h"
 #include "esp_log.h"
-#include "esp_http_client.h"
+#include "esp_tls.h"
+#include "esp_crt_bundle.h"
+#include "esp_random.h"
+#include "esp_timer.h"
 #include "freertos/FreeRTOS.h"
 #include "freertos/task.h"
 #include <string.h>
 #include <stdio.h>
+#include <stdlib.h>
 static const char *TAG = "cvm_server";
 static bool g_running = false;
 static TaskHandle_t g_task = NULL;
-static const char *DEFAULT_RELAY = "wss://relay.damus.io";
+static void publish_announcements_via_ws(esp_tls_t *tls);
-static char *fetch_relays(void)
+#define CVM_VERSION "2025-07-02"
+#define CVM_SERVER_NAME "TollGate"
+#define CVM_SERVER_VERSION "1.0.0"
+#define CVM_WS_BUF_SIZE 8192
+#define CVM_MAX_RESPONSE_SIZE 4096
+#define CVM_RECONNECT_DELAY_MS 5000
+#define CVM_WS_READ_TIMEOUT_MS 60000
+#define CVM_WS_PING_INTERVAL_S 30
+static char *parse_ws_text_frame(const uint8_t *buf, int len)
 {
-    const tollgate_config_t *cfg = tollgate_config_get();
+    if (len < 2) return NULL;
-    if (cfg && cfg->cvm_relays[0]) {
+    bool masked = (buf[1] & 0x80) != 0;
-        return cfg->cvm_relays;
+    uint64_t payload_len = buf[1] & 0x7F;
+    int offset = 2;
+    if (payload_len == 126) {
+        if (len < 4) return NULL;
+        payload_len = ((uint64_t)buf[2] << 8) | buf[3];
+        offset = 4;
+    } else if (payload_len == 127) {
+        if (len < 10) return NULL;
+        payload_len = 0;
+        for (int i = 0; i < 8; i++)
+            payload_len = (payload_len << 8) | buf[2 + i];
+        offset = 10;
+    }
+    if (masked) offset += 4;
+    if (offset + payload_len > (uint64_t)len) return NULL;
+    char *text = malloc((size_t)payload_len + 1);
+    if (!text) return NULL;
+    if (masked) {
+        uint8_t mask[4] = { buf[offset - 4], buf[offset - 3], buf[offset - 2], buf[offset - 1] };
+        for (uint64_t i = 0; i < payload_len; i++)
+            text[i] = buf[offset + i] ^ mask[i & 3];
+    } else {
+        memcpy(text, buf + offset, (size_t)payload_len);
+    }
+    text[payload_len] = '\0';
+    return text;
+}
+static int ws_send_text(esp_tls_t *tls, const char *msg)
+{
+    size_t len = strlen(msg);
+    uint8_t mask[4];
+    esp_fill_random(mask, 4);
+    size_t frame_len = 6 + len;
+    if (len > 125) frame_len += 2;
+    if (len > 65535) frame_len += 6;
+    uint8_t *frame = malloc(frame_len + len);
+    if (!frame) return -1;
+    int pos = 0;
+    frame[pos++] = 0x81;
+    if (len <= 125) {
+        frame[pos++] = (uint8_t)(0x80 | len);
+    } else if (len <= 65535) {
+        frame[pos++] = 0x80 | 126;
+        frame[pos++] = (uint8_t)((len >> 8) & 0xff);
+        frame[pos++] = (uint8_t)(len & 0xff);
+    } else {
+        frame[pos++] = 0x80 | 127;
+        for (int i = 0; i < 8; i++)
+            frame[pos++] = (uint8_t)((len >> (56 - i * 8)) & 0xff);
+    }
+    memcpy(frame + pos, mask, 4);
+    pos += 4;
+    for (size_t i = 0; i < len; i++)
+        frame[pos + i] = (uint8_t)msg[i] ^ mask[i & 3];
+    pos += len;
+    int total = pos;
+    int written = 0;
+    while (written < total) {
+        int w = esp_tls_conn_write(tls, frame + written, total - written);
+        if (w < 0) {
+            ESP_LOGE(TAG, "ws_send: write failed at %d/%d", written, total);
+            free(frame);
+            return -1;
+        }
+        if (w == 0) {
+            ESP_LOGW(TAG, "ws_send: write returned 0 at %d/%d", written, total);
+            vTaskDelay(pdMS_TO_TICKS(1));
+        }
+        written += w;
    }
-    return (char *)DEFAULT_RELAY;
+    ESP_LOGD(TAG, "ws_send: sent %d bytes (payload %d)", total, (int)len);
+    free(frame);
+    return 0;
 }
-static char *http_get(const char *url, int timeout_ms)
+static esp_err_t ws_connect(const char *relay_url, esp_tls_t **tls_out)
 {
-    char *buf = malloc(8192);
+    char host[128] = {0};
-    if (!buf) return NULL;
+    int port = 443;
-    int total = 0;
+    char path[128] = "/";
+    if (strncmp(relay_url, "wss://", 6) != 0) return ESP_ERR_INVALID_ARG;
+    const char *url_start = relay_url + 6;
+    const char *path_ptr = strchr(url_start, '/');
+    if (path_ptr) {
+        size_t host_len = path_ptr - url_start;
+        if (host_len >= sizeof(host)) host_len = sizeof(host) - 1;
+        memcpy(host, url_start, host_len);
+        host[host_len] = '\0';
+        strncpy(path, path_ptr, sizeof(path) - 1);
+    } else {
+        strncpy(host, url_start, sizeof(host) - 1);
+    }
-    esp_http_client_config_t config = {
+    char *colon = strchr(host, ':');
-        .url = url,
+    if (colon) {
-        .method = HTTP_METHOD_GET,
+        *colon = '\0';
-        .timeout_ms = timeout_ms,
+        port = atoi(colon + 1);
+    }
+    esp_tls_cfg_t tls_cfg = {
+        .crt_bundle_attach = esp_crt_bundle_attach,
+        .timeout_ms = CVM_WS_READ_TIMEOUT_MS,
    };
-    esp_http_client_handle_t client = esp_http_client_init(&config);
+    esp_tls_t *tls = esp_tls_init();
-    if (!client) { free(buf); return NULL; }
+    if (!tls) return ESP_ERR_NO_MEM;
-    esp_err_t err = esp_http_client_open(client, 0);
+    int ret = esp_tls_conn_new_sync(host, strlen(host), port, &tls_cfg, tls);
-    if (err != ESP_OK) {
+    if (ret < 0) {
-        esp_http_client_cleanup(client);
+        esp_tls_conn_destroy(tls);
-        free(buf);
+        return ESP_FAIL;
-        return NULL;
    }
-    int content_length = esp_http_client_fetch_headers(client);
+    char upgrade[512];
-    int max_read = content_length > 0 ? content_length : 8191;
+    snprintf(upgrade, sizeof(upgrade),
+             "GET %s HTTP/1.1\r\n"
+             "Host: %s\r\n"
+             "Upgrade: websocket\r\n"
+             "Connection: Upgrade\r\n"
+             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
+             "Sec-WebSocket-Version: 13\r\n"
+             "\r\n",
+             path, host);
+    int written = esp_tls_conn_write(tls, (const unsigned char *)upgrade, strlen(upgrade));
+    if (written < 0) {
+        esp_tls_conn_destroy(tls);
+        return ESP_FAIL;
+    }
-    while (total < max_read) {
+    char resp[1024];
-        int n = esp_http_client_read(client, buf + total, max_read - total);
+    int rlen = esp_tls_conn_read(tls, (unsigned char *)resp, sizeof(resp) - 1);
-        if (n <= 0) break;
+    if (rlen <= 0 || !strstr(resp, "101")) {
-        total += n;
+        ESP_LOGE(TAG, "WS upgrade failed to %s (read %d)", host, rlen);
+        esp_tls_conn_destroy(tls);
+        return ESP_FAIL;
    }
-    buf[total] = '\0';
-    esp_http_client_cleanup(client);
+    *tls_out = tls;
-    return buf;
+    ESP_LOGI(TAG, "Connected to %s", host);
+    return ESP_OK;
 }
-static cJSON *build_filter(const char *npub)
+static cJSON *build_tools_list(void)
 {
-    cJSON *filter = cJSON_CreateObject();
+    cJSON *tools = cJSON_CreateArray();
-    cJSON *kinds = cJSON_CreateArray();
-    cJSON_AddItemToArray(kinds, cJSON_CreateNumber(4));
+    const char *tool_defs[][3] = {
-    cJSON_AddItemToObject(filter, "kinds", kinds);
+        {"get_config",  "Get current device configuration",      "{\"type\":\"object\",\"properties\":{},\"required\":[]}"},
-    cJSON_AddStringToObject(filter, "#p", npub);
+        {"set_config",  "Update device configuration",            "{\"type\":\"object\",\"properties\":{\"price_per_step\":{\"type\":\"integer\"},\"step_size_ms\":{\"type\":\"integer\"},\"step_size_bytes\":{\"type\":\"integer\"},\"metric\":{\"type\":\"string\"},\"client_enabled\":{\"type\":\"boolean\"},\"payout_enabled\":{\"type\":\"boolean\"}}}"},
-    cJSON_AddNumberToObject(filter, "limit", 10);
+        {"get_balance", "Get wallet balance and proof count",     "{\"type\":\"object\",\"properties\":{},\"required\":[]}"},
-    return filter;
+        {"wallet_send", "Send e-cash tokens from wallet",        "{\"type\":\"object\",\"properties\":{\"amount\":{\"type\":\"integer\",\"description\":\"Amount in sats\"}},\"required\":[\"amount\"]}"},
+        {"get_sessions","Get active client sessions",             "{\"type\":\"object\",\"properties\":{},\"required\":[]}"},
+        {"get_usage",   "Get current billing usage info",         "{\"type\":\"object\",\"properties\":{},\"required\":[]}"},
+        {"set_payout",  "Configure payout recipients",            "{\"type\":\"object\",\"properties\":{\"enabled\":{\"type\":\"boolean\"},\"recipients\":{\"type\":\"array\"}}}"},
+        {"set_metric",  "Set billing metric",                     "{\"type\":\"object\",\"properties\":{\"metric\":{\"type\":\"string\",\"enum\":[\"bytes\",\"milliseconds\"]}},\"required\":[\"metric\"]}"},
+        {"set_price",   "Set price per step",                     "{\"type\":\"object\",\"properties\":{\"price_per_step\":{\"type\":\"integer\",\"minimum\":1}},\"required\":[\"price_per_step\"]}"},
+        {"wallet_melt", "Melt tokens for lightning payment",      "{\"type\":\"object\",\"properties\":{\"bolt11\":{\"type\":\"string\"},\"max_fee_sats\":{\"type\":\"integer\"}},\"required\":[\"bolt11\"]}"},
+    };
+    for (int i = 0; i < 10; i++) {
+        cJSON *tool = cJSON_CreateObject();
+        cJSON_AddStringToObject(tool, "name", tool_defs[i][0]);
+        cJSON_AddStringToObject(tool, "description", tool_defs[i][1]);
+        cJSON *schema = cJSON_Parse(tool_defs[i][2]);
+        if (schema) cJSON_AddItemToObject(tool, "inputSchema", schema);
+        cJSON_AddItemToArray(tools, tool);
+    }
+    return tools;
 }
-static cJSON *build_subscription(const char *npub)
+static char *build_initialize_response(const char *request_id_str, const char *client_pubkey)
 {
-    cJSON *sub = cJSON_CreateArray();
+    cJSON *response = cJSON_CreateObject();
-    cJSON_AddItemToArray(sub, cJSON_CreateString("REQ"));
+    cJSON_AddStringToObject(response, "jsonrpc", "2.0");
-    cJSON_AddItemToArray(sub, cJSON_CreateString("cvm_sub_01"));
+    cJSON_AddNumberToObject(response, "id", request_id_str ? atof(request_id_str) : 0);
-    cJSON_AddItemToArray(sub, build_filter(npub));
-    return sub;
+    cJSON *result = cJSON_CreateObject();
+    cJSON_AddStringToObject(result, "protocolVersion", CVM_VERSION);
+    cJSON *capabilities = cJSON_CreateObject();
+    cJSON_AddItemToObject(capabilities, "tools", cJSON_CreateObject());
+    cJSON_AddItemToObject(result, "capabilities", capabilities);
+    cJSON *serverInfo = cJSON_CreateObject();
+    cJSON_AddStringToObject(serverInfo, "name", CVM_SERVER_NAME);
+    cJSON_AddStringToObject(serverInfo, "version", CVM_SERVER_VERSION);
+    cJSON_AddItemToObject(result, "serverInfo", serverInfo);
+    cJSON_AddItemToObject(response, "result", result);
+    char *json = cJSON_PrintUnformatted(response);
+    cJSON_Delete(response);
+    return json;
+}
+static char *build_tools_list_response(const char *request_id_str)
+{
+    cJSON *response = cJSON_CreateObject();
+    cJSON_AddStringToObject(response, "jsonrpc", "2.0");
+    cJSON_AddNumberToObject(response, "id", request_id_str ? atof(request_id_str) : 1);
+    cJSON *result = cJSON_CreateObject();
+    cJSON *tools = build_tools_list();
+    cJSON_AddItemToObject(result, "tools", tools);
+    cJSON_AddItemToObject(response, "result", result);
+    char *json = cJSON_PrintUnformatted(response);
+    cJSON_Delete(response);
+    return json;
+}
+static char *build_tool_call_response(const char *request_id_str, const mcp_response_t *mcp_resp)
+{
+    cJSON *response = cJSON_CreateObject();
+    cJSON_AddStringToObject(response, "jsonrpc", "2.0");
+    cJSON_AddNumberToObject(response, "id", request_id_str ? atof(request_id_str) : 2);
+    if (mcp_resp->success) {
+        cJSON *result = cJSON_CreateObject();
+        cJSON_AddItemToObject(result, "content", cJSON_CreateArray());
+        cJSON *content_arr = cJSON_GetObjectItem(result, "content");
+        cJSON *text_item = cJSON_CreateObject();
+        cJSON_AddStringToObject(text_item, "type", "text");
+        cJSON_AddStringToObject(text_item, "text", mcp_resp->result_json);
+        cJSON_AddItemToArray(content_arr, text_item);
+        cJSON_AddBoolToObject(result, "isError", false);
+        cJSON_AddItemToObject(response, "result", result);
+    } else {
+        cJSON *error = cJSON_CreateObject();
+        cJSON_AddNumberToObject(error, "code", -32603);
+        cJSON_AddStringToObject(error, "message", mcp_resp->error);
+        cJSON_AddItemToObject(response, "error", error);
+    }
+    char *json = cJSON_PrintUnformatted(response);
+    cJSON_Delete(response);
+    return json;
+}
+static char *build_ping_response(const char *request_id_str)
+{
+    cJSON *response = cJSON_CreateObject();
+    cJSON_AddStringToObject(response, "jsonrpc", "2.0");
+    cJSON_AddNumberToObject(response, "id", request_id_str ? atof(request_id_str) : 0);
+    cJSON *result = cJSON_CreateObject();
+    cJSON_AddItemToObject(response, "result", result);
+    char *json = cJSON_PrintUnformatted(response);
+    cJSON_Delete(response);
+    return json;
 }
-static void process_dm(const char *sender_pubkey, const char *encrypted_content)
+static esp_err_t publish_event_to_relay(const char *relay_url, const char *event_json)
+{
+    esp_tls_t *tls = NULL;
+    esp_err_t err = ws_connect(relay_url, &tls);
+    if (err != ESP_OK) return err;
+    char *msg;
+    size_t event_len2 = strlen(event_json);
+     size_t msg_len2 = 10 + event_len2 + 2;
+    msg = malloc(msg_len2);
+    snprintf(msg, msg_len2, "[\"EVENT\",%s]", event_json);
+    ws_send_text(tls, msg);
+    free(msg);
+    uint8_t resp_buf[256];
+    esp_tls_conn_read(tls, resp_buf, sizeof(resp_buf) - 1);
+    uint8_t close_frame[2] = {0x88, 0x00};
+    esp_tls_conn_write(tls, close_frame, 2);
+    esp_tls_conn_destroy(tls);
+    return ESP_OK;
+}
+static esp_err_t publish_kind_25910_response_ws(esp_tls_t *tls,
+                                                  const char *content_json,
+                                                  const char *request_event_id)
 {
    const tollgate_identity_t *id = identity_get();
-    if (!id || !id->initialized) {
+    if (!id || !id->initialized) return ESP_FAIL;
-        ESP_LOGE(TAG, "Identity not initialized");
-        return;
+    cJSON *tags = cJSON_CreateArray();
+    cJSON *e_tag = cJSON_CreateArray();
+    cJSON_AddItemToArray(e_tag, cJSON_CreateString("e"));
+    cJSON_AddItemToArray(e_tag, cJSON_CreateString(request_event_id));
+    cJSON_AddItemToArray(tags, e_tag);
+    char *tags_str = cJSON_PrintUnformatted(tags);
+    cJSON_Delete(tags);
+    nostr_event_t event;
+    nostr_event_init(&event, id->npub_hex, 25910, tags_str, content_json);
+    nostr_event_sign(&event, id->nsec);
+    char *event_json = malloc(8192);
+    if (!event_json) {
+        free(tags_str);
+        return ESP_ERR_NO_MEM;
    }
-    uint8_t sender_pk[64];
+    esp_err_t ret = nostr_event_to_json(&event, event_json, 8192);
-    for (int i = 0; i < 64; i++) {
+    free(tags_str);
-        char hex[3] = { sender_pubkey[i*2], sender_pubkey[i*2+1], 0 };
+    if (ret != ESP_OK) {
-        sender_pk[i] = (uint8_t)strtol(hex, NULL, 16);
+        free(event_json);
+        return ret;
    }
-    char plaintext[2048];
+    size_t msg_len = 10 + strlen(event_json) + 2;
-    int pt_len = nip04_decrypt(id->nsec, sender_pk, encrypted_content, plaintext, sizeof(plaintext));
+    char *msg = malloc(msg_len);
-    if (pt_len < 0) {
+    if (!msg) {
-        ESP_LOGE(TAG, "Failed to decrypt DM from %.8s", sender_pubkey);
+        free(event_json);
-        return;
+        return ESP_ERR_NO_MEM;
    }
+    snprintf(msg, msg_len, "[\"EVENT\",%s]", event_json);
+    ESP_LOGD(TAG, "Sending WS response (%d bytes)", (int)strlen(msg));
+    int rc = ws_send_text(tls, msg);
+    ESP_LOGD(TAG, "WS send result: %d", rc);
+    free(msg);
+    free(event_json);
+    return ESP_OK;
+}
+static esp_err_t publish_kind_25910_response(const char *relay_url,
+                                              const char *content_json,
+                                              const char *request_event_id)
+{
+    const tollgate_identity_t *id = identity_get();
+    if (!id || !id->initialized) return ESP_FAIL;
+    cJSON *tags = cJSON_CreateArray();
+    cJSON *e_tag = cJSON_CreateArray();
+    cJSON_AddItemToArray(e_tag, cJSON_CreateString("e"));
+    cJSON_AddItemToArray(e_tag, cJSON_CreateString(request_event_id));
+    cJSON_AddItemToArray(tags, e_tag);
+    char *tags_str = cJSON_PrintUnformatted(tags);
+    cJSON_Delete(tags);
+    nostr_event_t event;
+    nostr_event_init(&event, id->npub_hex, 25910, tags_str, content_json);
+    nostr_event_sign(&event, id->nsec);
+    free(tags_str);
+    char *event_json = malloc(8192);
+    if (!event_json) return ESP_ERR_NO_MEM;
+    esp_err_t ret = nostr_event_to_json(&event, event_json, 8192);
+    if (ret != ESP_OK) {
+        free(event_json);
+        return ret;
+    }
+    ret = publish_event_to_relay(relay_url, event_json);
+    free(event_json);
+    return ret;
+}
-    ESP_LOGI(TAG, "Decrypted DM from %.8s: %s", sender_pubkey, plaintext);
+static bool is_owner_pubkey(const char *pubkey_hex)
+{
+    const tollgate_identity_t *id = identity_get();
+    if (!id || !id->initialized) return false;
+    if (!pubkey_hex) return false;
+    return strcmp(id->npub_hex, pubkey_hex) == 0;
+}
-    cJSON *msg = cJSON_Parse(plaintext);
+static void handle_mcp_message(esp_tls_t *tls, const char *sender_pubkey,
+                                const char *event_id, const char *content)
+{
+    cJSON *msg = cJSON_Parse(content);
    if (!msg) {
-        ESP_LOGE(TAG, "Invalid JSON in DM");
+        ESP_LOGW(TAG, "Invalid JSON in kind 25910 content");
        return;
    }
    cJSON *method = cJSON_GetObjectItem(msg, "method");
-    cJSON *params = cJSON_GetObjectItem(msg, "params");
+    cJSON *id_field = cJSON_GetObjectItem(msg, "id");
-    if (!method || !cJSON_IsString(method)) {
+    const char *id_str = (id_field && cJSON_IsNumber(id_field))
-        cJSON_Delete(msg);
+                         ? cJSON_PrintUnformatted(id_field) : "0";
-        ESP_LOGE(TAG, "Missing 'method' in CVM request");
-        return;
+    if (method && cJSON_IsString(method)) {
+        const char *m = method->valuestring;
+        if (strcmp(m, "initialize") == 0) {
+            ESP_LOGI(TAG, "MCP initialize from %s", sender_pubkey);
+            char *resp = build_initialize_response(id_str, sender_pubkey);
+            if (tls) {
+                publish_kind_25910_response_ws(tls, resp, event_id);
+            } else {
+                ESP_LOGW(TAG, "No TLS for response");
+            }
+            free(resp);
+        } else if (strcmp(m, "notifications/initialized") == 0) {
+            ESP_LOGI(TAG, "Client initialized: %s", sender_pubkey);
+        } else if (strcmp(m, "tools/list") == 0) {
+            ESP_LOGI(TAG, "tools/list from %s", sender_pubkey);
+            char *resp = build_tools_list_response(id_str);
+            if (tls) {
+                publish_kind_25910_response_ws(tls, resp, event_id);
+            }
+            free(resp);
+        } else if (strcmp(m, "tools/call") == 0) {
+            cJSON *params = cJSON_GetObjectItem(msg, "params");
+            cJSON *name = params ? cJSON_GetObjectItem(params, "name") : NULL;
+            cJSON *arguments = params ? cJSON_GetObjectItem(params, "arguments") : NULL;
+            if (name && cJSON_IsString(name)) {
+                ESP_LOGI(TAG, "tools/call %s from %s", name->valuestring, sender_pubkey);
+                mcp_request_t req = {0};
+                req.tool = mcp_parse_tool(name->valuestring);
+                strncpy(req.method, name->valuestring, sizeof(req.method) - 1);
+                if (arguments) {
+                    char *ajson = cJSON_PrintUnformatted(arguments);
+                    strncpy(req.params_json, ajson, sizeof(req.params_json) - 1);
+                    cJSON_free(ajson);
+                }
+                mcp_response_t mcp_resp = mcp_dispatch(&req);
+                char *resp = build_tool_call_response(id_str, &mcp_resp);
+                if (tls) {
+                    publish_kind_25910_response_ws(tls, resp, event_id);
+                }
+                free(resp);
+            }
+        } else if (strcmp(m, "ping") == 0) {
+            char *resp = build_ping_response(id_str);
+            if (tls) {
+                publish_kind_25910_response_ws(tls, resp, event_id);
+            }
+            free(resp);
+        } else {
+            ESP_LOGW(TAG, "Unknown MCP method: %s", m);
+        }
    }
-    mcp_request_t req = {0};
+    if (id_field && cJSON_IsNumber(id_field) && id_str[0] != '0') {
-    req.tool = mcp_parse_tool(method->valuestring);
+        free((void *)id_str);
-    strncpy(req.method, method->valuestring, sizeof(req.method) - 1);
+    } else if (id_str[0] != '0') {
-    if (params && cJSON_IsString(params)) {
-        strncpy(req.params_json, params->valuestring, sizeof(req.params_json) - 1);
-    } else if (params) {
-        char *pjson = cJSON_PrintUnformatted(params);
-        strncpy(req.params_json, pjson, sizeof(req.params_json) - 1);
-        cJSON_free(pjson);
    }
-    mcp_response_t resp = mcp_dispatch(&req);
    cJSON_Delete(msg);
-    cJSON *response_msg = cJSON_CreateObject();
-    if (resp.success) {
-        cJSON_AddStringToObject(response_msg, "status", "ok");
-        cJSON_AddItemToObject(response_msg, "result", cJSON_Parse(resp.result_json));
-    } else {
-        cJSON_AddStringToObject(response_msg, "status", "error");
-        cJSON_AddStringToObject(response_msg, "error", resp.error);
-    }
-    char *response_str = cJSON_PrintUnformatted(response_msg);
-    cJSON_Delete(response_msg);
-    uint8_t response_ct[4096];
-    size_t ct_len = 0;
-    nip04_encrypt(id->nsec, sender_pk, response_str, response_ct, &ct_len);
-    free(response_str);
-    ESP_LOGI(TAG, "CVM response prepared (%zu bytes encrypted), would send to %.8s", ct_len, sender_pubkey);
 }
-static void parse_nostr_events(const char *data)
+static void process_relay_message(esp_tls_t *tls, const char *relay_url, const char *msg_str)
 {
-    cJSON *arr = cJSON_Parse(data);
+    cJSON *arr = cJSON_Parse(msg_str);
    if (!arr || !cJSON_IsArray(arr)) {
        if (arr) cJSON_Delete(arr);
        return;
    }
-    cJSON *item = NULL;
+    cJSON *cmd = cJSON_GetArrayItem(arr, 0);
-    cJSON_ArrayForEach(item, arr) {
+    if (!cmd || !cJSON_IsString(cmd)) {
-        if (!cJSON_IsArray(item)) continue;
+        cJSON_Delete(arr);
-        int arr_size = cJSON_GetArraySize(item);
+        return;
-        if (arr_size < 3) continue;
+    }
-        cJSON *cmd = cJSON_GetArrayItem(item, 0);
+    if (strcmp(cmd->valuestring, "OK") == 0) {
-        if (!cmd || !cJSON_IsString(cmd) || strcmp(cmd->valuestring, "EVENT") != 0) continue;
+        cJSON *ev_id = cJSON_GetArrayItem(arr, 1);
+        cJSON *ok = cJSON_GetArrayItem(arr, 2);
+        cJSON *reason = cJSON_GetArrayItem(arr, 3);
+        ESP_LOGI(TAG, "Relay OK: id=%.16s success=%s reason=%s",
+                 ev_id ? ev_id->valuestring : "?",
+                 ok ? (cJSON_IsTrue(ok) ? "true" : "FALSE") : "?",
+                 reason ? reason->valuestring : "");
+        cJSON_Delete(arr);
+        return;
+    }
-        cJSON *event = cJSON_GetArrayItem(item, 2);
+    if (strcmp(cmd->valuestring, "EVENT") != 0) {
-        if (!event) continue;
+        ESP_LOGI(TAG, "Relay msg: %.100s", msg_str);
+        cJSON_Delete(arr);
+        return;
+    }
-        cJSON *kind = cJSON_GetObjectItem(event, "kind");
+    cJSON *event = cJSON_GetArrayItem(arr, 2);
-        if (!kind || kind->valueint != 4) continue;
+    if (!event) {
+        cJSON_Delete(arr);
+        return;
+    }
-        cJSON *pubkey = cJSON_GetObjectItem(event, "pubkey");
+    cJSON *kind = cJSON_GetObjectItem(event, "kind");
-        cJSON *content = cJSON_GetObjectItem(event, "content");
+    if (!kind || kind->valueint != 25910) {
-        if (pubkey && content) {
+        cJSON_Delete(arr);
-            process_dm(pubkey->valuestring, content->valuestring);
+        return;
-        }
+    }
+    cJSON *pubkey = cJSON_GetObjectItem(event, "pubkey");
+    cJSON *event_id = cJSON_GetObjectItem(event, "id");
+    cJSON *content = cJSON_GetObjectItem(event, "content");
+    if (!pubkey || !content || !event_id) {
+        cJSON_Delete(arr);
+        return;
    }
+    if (!is_owner_pubkey(pubkey->valuestring)) {
+        ESP_LOGW(TAG, "Ignoring request from non-owner: %.16s...", pubkey->valuestring);
+        cJSON_Delete(arr);
+        return;
+    }
+    handle_mcp_message(tls, pubkey->valuestring, event_id->valuestring, content->valuestring);
    cJSON_Delete(arr);
 }
-static void cvm_task(void *arg)
+static esp_err_t subscribe_to_relay(esp_tls_t *tls, const char *npub)
+{
+    cJSON *sub = cJSON_CreateArray();
+    cJSON_AddItemToArray(sub, cJSON_CreateString("REQ"));
+    cJSON_AddItemToArray(sub, cJSON_CreateString("cvm_sub"));
+    cJSON *filter = cJSON_CreateObject();
+    cJSON *kinds = cJSON_CreateArray();
+    cJSON_AddItemToArray(kinds, cJSON_CreateNumber(25910));
+    cJSON_AddItemToObject(filter, "kinds", kinds);
+    cJSON *p_tags = cJSON_CreateArray();
+    cJSON_AddItemToArray(p_tags, cJSON_CreateString(npub));
+    cJSON_AddItemToObject(filter, "#p", p_tags);
+    cJSON_AddNumberToObject(filter, "limit", 100);
+    cJSON_AddItemToArray(sub, filter);
+    char *msg = cJSON_PrintUnformatted(sub);
+    cJSON_Delete(sub);
+    int rc = ws_send_text(tls, msg);
+    free(msg);
+    return rc == 0 ? ESP_OK : ESP_FAIL;
+}
+static void cvm_relay_task(void *arg)
 {
+    const char *relay_url = (const char *)arg;
    const tollgate_identity_t *id = identity_get();
    if (!id || !id->initialized) {
-        ESP_LOGE(TAG, "Cannot start: identity not initialized");
+        ESP_LOGE(TAG, "Identity not initialized");
        vTaskDelete(NULL);
        return;
    }
-    char *relays = fetch_relays();
-    ESP_LOGI(TAG, "CVM server started, relays: %s", relays);
    while (g_running) {
-        ESP_LOGI(TAG, "Polling for DMs...");
+        esp_tls_t *tls = NULL;
+        esp_err_t err = ws_connect(relay_url, &tls);
+        if (err != ESP_OK) {
+            ESP_LOGW(TAG, "Connect failed to %s, retrying", relay_url);
+            vTaskDelay(pdMS_TO_TICKS(CVM_RECONNECT_DELAY_MS));
+            continue;
+        }
+        err = subscribe_to_relay(tls, id->npub_hex);
+        if (err != ESP_OK) {
+            esp_tls_conn_destroy(tls);
+            vTaskDelay(pdMS_TO_TICKS(CVM_RECONNECT_DELAY_MS));
+            continue;
+        }
-        cJSON *sub = build_subscription(id->npub_hex);
+        ESP_LOGI(TAG, "Listening on %s for kind 25910 events", relay_url);
-        char *sub_json = cJSON_PrintUnformatted(sub);
+        publish_announcements_via_ws(tls);
-        cJSON_Delete(sub);
-        char url[256];
+        uint8_t *buf = malloc(CVM_WS_BUF_SIZE);
-        snprintf(url, sizeof(url), "%s/cvm_poll", relays);
+        if (!buf) {
-        free(sub_json);
+            esp_tls_conn_destroy(tls);
+            vTaskDelete(NULL);
+            return;
+        }
-        vTaskDelay(pdMS_TO_TICKS(30000));
+        int64_t last_ping_time = 0;
+        while (g_running) {
+            int rlen = esp_tls_conn_read(tls, buf, CVM_WS_BUF_SIZE - 1);
+            if (rlen < 0) {
+                ESP_LOGW(TAG, "Read error on %s (rlen=%d)", relay_url, rlen);
+                break;
+            }
+            if (rlen == 0) {
+                break;
+            }
+            if ((buf[0] & 0x0F) == 0x01) {
+                char *text = parse_ws_text_frame(buf, rlen);
+                if (text) {
+                    if (strlen(text) > 0) {
+                        process_relay_message(tls, relay_url, text);
+                    }
+                    free(text);
+                }
+            } else if ((buf[0] & 0x0F) == 0x09) {
+                uint8_t pong[2] = {0x8A, 0x00};
+                esp_tls_conn_write(tls, pong, 2);
+            }
+            int64_t now = (int64_t)esp_timer_get_time() / 1000000;
+            if (now - last_ping_time >= CVM_WS_PING_INTERVAL_S) {
+                uint8_t ping[2] = {0x89, 0x00};
+                esp_tls_conn_write(tls, ping, 2);
+                last_ping_time = now;
+            }
+        }
+        free(buf);
+        uint8_t close_frame[2] = {0x88, 0x00};
+        esp_tls_conn_write(tls, close_frame, 2);
+        esp_tls_conn_destroy(tls);
+        ESP_LOGW(TAG, "Disconnected from %s, reconnecting", relay_url);
+        vTaskDelay(pdMS_TO_TICKS(CVM_RECONNECT_DELAY_MS));
    }
-    ESP_LOGI(TAG, "CVM server stopped");
    vTaskDelete(NULL);
 }
+static esp_err_t publish_event_via_ws(esp_tls_t *tls, int kind,
+                                       const char *content, const char *tags_json)
+{
+    const tollgate_identity_t *id = identity_get();
+    if (!id || !id->initialized) return ESP_FAIL;
+    nostr_event_t event;
+    nostr_event_init(&event, id->npub_hex, kind, tags_json, content);
+    nostr_event_sign(&event, id->nsec);
+    char *event_json = malloc(4096);
+    if (!event_json) return ESP_ERR_NO_MEM;
+    esp_err_t ret = nostr_event_to_json(&event, event_json, 4096);
+    if (ret != ESP_OK) {
+        free(event_json);
+        return ret;
+    }
+    char *msg;
+    size_t event_len = strlen(event_json);
+    size_t msg_len = 10 + event_len + 2;
+    msg = malloc(msg_len);
+    snprintf(msg, msg_len, "[\"EVENT\",%s]", event_json);
+    ws_send_text(tls, msg);
+    ESP_LOGI(TAG, "Published kind %d event (%d bytes)", kind, (int)strlen(event_json));
+    free(msg);
+    free(event_json);
+    return ESP_OK;
+}
+static void publish_announcements_via_ws(esp_tls_t *tls)
+{
+    const tollgate_identity_t *id = identity_get();
+    if (!id || !id->initialized) return;
+    ESP_LOGI(TAG, "Publishing CEP-6 announcements via active WS");
+    cJSON *ann_content = cJSON_CreateObject();
+    cJSON_AddStringToObject(ann_content, "protocolVersion", CVM_VERSION);
+    cJSON *capabilities = cJSON_CreateObject();
+    cJSON *tools_cap = cJSON_CreateObject();
+    cJSON_AddBoolToObject(tools_cap, "listChanged", true);
+    cJSON_AddItemToObject(capabilities, "tools", tools_cap);
+    cJSON_AddItemToObject(ann_content, "capabilities", capabilities);
+    cJSON *serverInfo = cJSON_CreateObject();
+    cJSON_AddStringToObject(serverInfo, "name", CVM_SERVER_NAME);
+    cJSON_AddStringToObject(serverInfo, "version", CVM_SERVER_VERSION);
+    cJSON_AddItemToObject(ann_content, "serverInfo", serverInfo);
+    char *ann_str = cJSON_PrintUnformatted(ann_content);
+    cJSON_Delete(ann_content);
+    cJSON *ann_tags = cJSON_CreateArray();
+    cJSON *name_tag = cJSON_CreateArray();
+    cJSON_AddItemToArray(name_tag, cJSON_CreateString("name"));
+    cJSON_AddItemToArray(name_tag, cJSON_CreateString(CVM_SERVER_NAME));
+    cJSON_AddItemToArray(ann_tags, name_tag);
+    cJSON *about_tag = cJSON_CreateArray();
+    cJSON_AddItemToArray(about_tag, cJSON_CreateString("about"));
+    cJSON_AddItemToArray(about_tag, cJSON_CreateString("ESP32 TollGate WiFi hotspot with Cashu e-cash payments"));
+    cJSON_AddItemToArray(ann_tags, about_tag);
+    char *ann_tags_str = cJSON_PrintUnformatted(ann_tags);
+    cJSON_Delete(ann_tags);
+    publish_event_via_ws(tls, 11316, ann_str, ann_tags_str);
+    free(ann_str);
+    free(ann_tags_str);
+    cJSON *tools = build_tools_list();
+    cJSON *tools_content = cJSON_CreateObject();
+    cJSON_AddItemToObject(tools_content, "tools", tools);
+    char *tools_str = cJSON_PrintUnformatted(tools_content);
+    cJSON_Delete(tools_content);
+    publish_event_via_ws(tls, 11317, tools_str, "[]");
+    free(tools_str);
+    cJSON *relay_tags = cJSON_CreateArray();
+    const char *relays[] = {"wss://relay.primal.net", "wss://nostr-pub.wellorder.net", NULL};
+    for (int i = 0; relays[i]; i++) {
+        cJSON *r_tag = cJSON_CreateArray();
+        cJSON_AddItemToArray(r_tag, cJSON_CreateString("r"));
+        cJSON_AddItemToArray(r_tag, cJSON_CreateString(relays[i]));
+        cJSON_AddItemToArray(relay_tags, r_tag);
+    }
+    char *relay_tags_str = cJSON_PrintUnformatted(relay_tags);
+    cJSON_Delete(relay_tags);
+    publish_event_via_ws(tls, 10002, "", relay_tags_str);
+    free(relay_tags_str);
+    ESP_LOGI(TAG, "CEP-6 announcements published (kinds 11316, 11317, 10002)");
+}
+esp_err_t cvm_publish_announcements(void)
+{
+    return ESP_OK;
+}
+const char *cvm_get_pubkey_hex(void)
+{
+    const tollgate_identity_t *id = identity_get();
+    if (!id || !id->initialized) return NULL;
+    return id->npub_hex;
+}
 esp_err_t cvm_server_init(void)
 {
    ESP_LOGI(TAG, "CVM server initialized");
@@ -225,7 +777,12 @@ void cvm_server_start(void)
 {
    if (g_running) return;
    g_running = true;
-    xTaskCreate(cvm_task, "cvm_server", 8192, NULL, 5, &g_task);
+    const tollgate_config_t *cfg = tollgate_config_get();
+    const char *relay = (cfg->cvm_relays[0]) ? cfg->cvm_relays : "wss://relay.primal.net";
+    char *relay_copy = strdup(relay);
+    xTaskCreate(cvm_relay_task, "cvm_relay", 16384, relay_copy, 5, &g_task);
 }
 void cvm_server_stop(void)
diff --git a/main/cvm_server.h b/main/cvm_server.h
index d336514..864973b 100644
--- a/main/cvm_server.h
+++ b/main/cvm_server.h
@@ -7,4 +7,8 @@ esp_err_t cvm_server_init(void);
 void cvm_server_start(void);
 void cvm_server_stop(void);
+esp_err_t cvm_publish_announcements(void);
+const char *cvm_get_pubkey_hex(void);
 #endif
diff --git a/main/mcp_handler.c b/main/mcp_handler.c
index f40c1bd..93bfba9 100644
--- a/main/mcp_handler.c
+++ b/main/mcp_handler.c
@@ -1,7 +1,9 @@
 #include "mcp_handler.h"
 #include "config.h"
 #include "nucula_wallet.h"
+#include "session.h"
 #include "cJSON.h"
+#include "lwip/ip4_addr.h"
 #include <string.h>
 #include <stdio.h>
@@ -14,6 +16,12 @@ mcp_tool_t mcp_parse_tool(const char *method)
    if (strcmp(method, "set_config") == 0) return MCP_TOOL_SET_CONFIG;
    if (strcmp(method, "get_balance") == 0) return MCP_TOOL_GET_BALANCE;
    if (strcmp(method, "wallet_send") == 0) return MCP_TOOL_WALLET_SEND;
+    if (strcmp(method, "get_sessions") == 0) return MCP_TOOL_GET_SESSIONS;
+    if (strcmp(method, "get_usage") == 0) return MCP_TOOL_GET_USAGE;
+    if (strcmp(method, "set_payout") == 0) return MCP_TOOL_SET_PAYOUT;
+    if (strcmp(method, "set_metric") == 0) return MCP_TOOL_SET_METRIC;
+    if (strcmp(method, "set_price") == 0) return MCP_TOOL_SET_PRICE;
+    if (strcmp(method, "wallet_melt") == 0) return MCP_TOOL_WALLET_MELT;
    return MCP_TOOL_UNKNOWN;
 }
@@ -146,6 +154,222 @@ mcp_response_t mcp_handle_wallet_send(const char *params_json)
    return resp;
 }
+mcp_response_t mcp_handle_get_sessions(void)
+{
+    mcp_response_t resp = {0};
+    extern session_t *cvm_get_sessions_array(void);
+    extern int cvm_get_sessions_count(void);
+    cJSON *arr = cJSON_CreateArray();
+    int count = cvm_get_sessions_count();
+    session_t *sessions = cvm_get_sessions_array();
+    if (sessions && count > 0) {
+        for (int i = 0; i < count; i++) {
+            if (!sessions[i].active) continue;
+            cJSON *s = cJSON_CreateObject();
+            esp_ip4_addr_t ip = { .addr = sessions[i].client_ip };
+            char ip_str[16];
+            snprintf(ip_str, sizeof(ip_str), IPSTR, IP2STR(&ip));
+            cJSON_AddStringToObject(s, "client_ip", ip_str);
+            if (sessions[i].mac[0])
+                cJSON_AddStringToObject(s, "mac", sessions[i].mac);
+            cJSON_AddNumberToObject(s, "allotment_ms", (double)sessions[i].allotment_ms);
+            cJSON_AddNumberToObject(s, "allotment_bytes", (double)sessions[i].allotment_bytes);
+            cJSON_AddNumberToObject(s, "bytes_consumed", (double)sessions[i].bytes_consumed);
+            cJSON_AddBoolToObject(s, "active", sessions[i].active);
+            cJSON_AddItemToArray(arr, s);
+        }
+    }
+    char *json = cJSON_PrintUnformatted(arr);
+    snprintf(resp.result_json, sizeof(resp.result_json), "%s", json);
+    cJSON_free(json);
+    cJSON_Delete(arr);
+    resp.success = true;
+    return resp;
+}
+mcp_response_t mcp_handle_get_usage(void)
+{
+    mcp_response_t resp = {0};
+    const tollgate_config_t *cfg = tollgate_config_get();
+    cJSON *root = cJSON_CreateObject();
+    cJSON_AddStringToObject(root, "metric", cfg->metric);
+    cJSON_AddNumberToObject(root, "price_per_step", cfg->price_per_step);
+    cJSON_AddNumberToObject(root, "step_size_ms", cfg->step_size_ms);
+    cJSON_AddNumberToObject(root, "step_size_bytes", cfg->step_size_bytes);
+    cJSON_AddBoolToObject(root, "client_enabled", cfg->client_enabled);
+    char *json = cJSON_PrintUnformatted(root);
+    snprintf(resp.result_json, sizeof(resp.result_json), "%s", json);
+    cJSON_free(json);
+    cJSON_Delete(root);
+    resp.success = true;
+    return resp;
+}
+mcp_response_t mcp_handle_set_payout(const char *params_json)
+{
+    mcp_response_t resp = {0};
+    cJSON *root = cJSON_Parse(params_json);
+    if (!root) {
+        resp.success = false;
+        snprintf(resp.error, sizeof(resp.error), "Invalid JSON params");
+        return resp;
+    }
+    tollgate_config_t *cfg = (tollgate_config_t *)tollgate_config_get();
+    if (!cfg) {
+        cJSON_Delete(root);
+        resp.success = false;
+        snprintf(resp.error, sizeof(resp.error), "Config not loaded");
+        return resp;
+    }
+    cJSON *enabled = cJSON_GetObjectItem(root, "enabled");
+    if (enabled && cJSON_IsBool(enabled)) cfg->payout.enabled = cJSON_IsTrue(enabled);
+    cJSON *recipients = cJSON_GetObjectItem(root, "recipients");
+    if (recipients && cJSON_IsArray(recipients)) {
+        int rcount = cJSON_GetArraySize(recipients);
+        if (rcount > PAYOUT_MAX_RECIPIENTS) rcount = PAYOUT_MAX_RECIPIENTS;
+        for (int i = 0; i < rcount; i++) {
+            cJSON *r = cJSON_GetArrayItem(recipients, i);
+            cJSON *addr = cJSON_GetObjectItem(r, "lightning_address");
+            cJSON *factor = cJSON_GetObjectItem(r, "factor");
+            if (addr && cJSON_IsString(addr)) {
+                strncpy(cfg->payout.recipients[i].lightning_address, addr->valuestring,
+                        sizeof(cfg->payout.recipients[i].lightning_address) - 1);
+            }
+            if (factor && cJSON_IsNumber(factor)) {
+                cfg->payout.recipients[i].factor = factor->valuedouble;
+            }
+        }
+        cfg->payout.recipient_count = rcount;
+    }
+    cJSON_Delete(root);
+    resp.success = true;
+    snprintf(resp.result_json, sizeof(resp.result_json), "{\"status\":\"ok\"}");
+    return resp;
+}
+mcp_response_t mcp_handle_set_metric(const char *params_json)
+{
+    mcp_response_t resp = {0};
+    cJSON *root = cJSON_Parse(params_json);
+    if (!root) {
+        resp.success = false;
+        snprintf(resp.error, sizeof(resp.error), "Invalid JSON params");
+        return resp;
+    }
+    tollgate_config_t *cfg = (tollgate_config_t *)tollgate_config_get();
+    if (!cfg) {
+        cJSON_Delete(root);
+        resp.success = false;
+        snprintf(resp.error, sizeof(resp.error), "Config not loaded");
+        return resp;
+    }
+    cJSON *metric = cJSON_GetObjectItem(root, "metric");
+    if (metric && cJSON_IsString(metric)) {
+        const char *m = metric->valuestring;
+        if (strcmp(m, "bytes") == 0 || strcmp(m, "milliseconds") == 0) {
+            strncpy(cfg->metric, m, sizeof(cfg->metric) - 1);
+        } else {
+            cJSON_Delete(root);
+            resp.success = false;
+            snprintf(resp.error, sizeof(resp.error), "Invalid metric: must be 'bytes' or 'milliseconds'");
+            return resp;
+        }
+    } else {
+        cJSON_Delete(root);
+        resp.success = false;
+        snprintf(resp.error, sizeof(resp.error), "Missing 'metric' field");
+        return resp;
+    }
+    cJSON_Delete(root);
+    resp.success = true;
+    snprintf(resp.result_json, sizeof(resp.result_json), "{\"status\":\"ok\",\"metric\":\"%s\"}", cfg->metric);
+    return resp;
+}
+mcp_response_t mcp_handle_set_price(const char *params_json)
+{
+    mcp_response_t resp = {0};
+    cJSON *root = cJSON_Parse(params_json);
+    if (!root) {
+        resp.success = false;
+        snprintf(resp.error, sizeof(resp.error), "Invalid JSON params");
+        return resp;
+    }
+    tollgate_config_t *cfg = (tollgate_config_t *)tollgate_config_get();
+    if (!cfg) {
+        cJSON_Delete(root);
+        resp.success = false;
+        snprintf(resp.error, sizeof(resp.error), "Config not loaded");
+        return resp;
+    }
+    cJSON *price = cJSON_GetObjectItem(root, "price_per_step");
+    if (price && cJSON_IsNumber(price) && price->valueint > 0) {
+        cfg->price_per_step = price->valueint;
+    } else {
+        cJSON_Delete(root);
+        resp.success = false;
+        snprintf(resp.error, sizeof(resp.error), "Missing or invalid 'price_per_step' field");
+        return resp;
+    }
+    cJSON_Delete(root);
+    resp.success = true;
+    snprintf(resp.result_json, sizeof(resp.result_json),
+             "{\"status\":\"ok\",\"price_per_step\":%d}", cfg->price_per_step);
+    return resp;
+}
+mcp_response_t mcp_handle_wallet_melt(const char *params_json)
+{
+    mcp_response_t resp = {0};
+    cJSON *root = cJSON_Parse(params_json);
+    if (!root) {
+        resp.success = false;
+        snprintf(resp.error, sizeof(resp.error), "Invalid JSON params");
+        return resp;
+    }
+    cJSON *bolt11 = cJSON_GetObjectItem(root, "bolt11");
+    if (!bolt11 || !cJSON_IsString(bolt11)) {
+        cJSON_Delete(root);
+        resp.success = false;
+        snprintf(resp.error, sizeof(resp.error), "Missing 'bolt11' field");
+        return resp;
+    }
+    cJSON *max_fee = cJSON_GetObjectItem(root, "max_fee_sats");
+    uint64_t fee = 10;
+    if (max_fee && cJSON_IsNumber(max_fee)) fee = (uint64_t)max_fee->valuedouble;
+    esp_err_t rc = nucula_wallet_melt(bolt11->valuestring, fee);
+    if (rc != ESP_OK) {
+        cJSON_Delete(root);
+        resp.success = false;
+        snprintf(resp.error, sizeof(resp.error), "Melt failed: %s", esp_err_to_name(rc));
+        return resp;
+    }
+    cJSON_Delete(root);
+    resp.success = true;
+    snprintf(resp.result_json, sizeof(resp.result_json), "{\"status\":\"ok\"}");
+    return resp;
+}
 mcp_response_t mcp_dispatch(const mcp_request_t *req)
 {
    if (!req) {
@@ -164,6 +388,18 @@ mcp_response_t mcp_dispatch(const mcp_request_t *req)
            return mcp_handle_get_balance();
        case MCP_TOOL_WALLET_SEND:
            return mcp_handle_wallet_send(req->params_json);
+        case MCP_TOOL_GET_SESSIONS:
+            return mcp_handle_get_sessions();
+        case MCP_TOOL_GET_USAGE:
+            return mcp_handle_get_usage();
+        case MCP_TOOL_SET_PAYOUT:
+            return mcp_handle_set_payout(req->params_json);
+        case MCP_TOOL_SET_METRIC:
+            return mcp_handle_set_metric(req->params_json);
+        case MCP_TOOL_SET_PRICE:
+            return mcp_handle_set_price(req->params_json);
+        case MCP_TOOL_WALLET_MELT:
+            return mcp_handle_wallet_melt(req->params_json);
        default:
            break;
    }
diff --git a/main/mcp_handler.h b/main/mcp_handler.h
index e42b5ee..09aab9f 100644
--- a/main/mcp_handler.h
+++ b/main/mcp_handler.h
@@ -9,6 +9,12 @@ typedef enum {
    MCP_TOOL_SET_CONFIG = 1,
    MCP_TOOL_GET_BALANCE = 2,
    MCP_TOOL_WALLET_SEND = 3,
+    MCP_TOOL_GET_SESSIONS = 4,
+    MCP_TOOL_GET_USAGE = 5,
+    MCP_TOOL_SET_PAYOUT = 6,
+    MCP_TOOL_SET_METRIC = 7,
+    MCP_TOOL_SET_PRICE = 8,
+    MCP_TOOL_WALLET_MELT = 9,
    MCP_TOOL_UNKNOWN = 99
 } mcp_tool_t;
@@ -30,6 +36,12 @@ mcp_response_t mcp_handle_get_config(void);
 mcp_response_t mcp_handle_set_config(const char *params_json);
 mcp_response_t mcp_handle_get_balance(void);
 mcp_response_t mcp_handle_wallet_send(const char *params_json);
+mcp_response_t mcp_handle_get_sessions(void);
+mcp_response_t mcp_handle_get_usage(void);
+mcp_response_t mcp_handle_set_payout(const char *params_json);
+mcp_response_t mcp_handle_set_metric(const char *params_json);
+mcp_response_t mcp_handle_set_price(const char *params_json);
+mcp_response_t mcp_handle_wallet_melt(const char *params_json);
 mcp_response_t mcp_dispatch(const mcp_request_t *req);
diff --git a/main/session.c b/main/session.c
index 9b4380c..81e1f96 100644
--- a/main/session.c
+++ b/main/session.c
@@ -178,3 +178,13 @@ void session_tick(void)
 {
    session_check_expiry();
 }
+session_t *cvm_get_sessions_array(void)
+{
+    return s_sessions;
+}
+int cvm_get_sessions_count(void)
+{
+    return SESSION_MAX_CLIENTS;
+}
diff --git a/main/session.h b/main/session.h
index ea5b476..36fe722 100644
--- a/main/session.h
+++ b/main/session.h
@@ -43,4 +43,7 @@ int session_active_count(void);
 void session_tick(void);
+session_t *cvm_get_sessions_array(void);
+int cvm_get_sessions_count(void);
 #endif
diff --git a/main/tollgate_main.c b/main/tollgate_main.c
index 1350d70..ad5211a 100644
--- a/main/tollgate_main.c
+++ b/main/tollgate_main.c
@@ -9,6 +9,7 @@
 #include "esp_netif.h"
 #include "lwip/netif.h"
 #include "lwip/dns.h"
+#include "esp_sntp.h"
 #include "dhcpserver/dhcpserver.h"
 #include "config.h"
 #include "identity.h"
@@ -22,6 +23,7 @@
 #include "tollgate_client.h"
 #include "lightning_payout.h"
 #include "cvm_server.h"
+#include "display.h"
 #define MAX_STA_RETRY 5
 static const char *TAG = "tollgate_main";
@@ -54,6 +56,7 @@ static void wifi_event_handler(void *arg, esp_event_base_t event_base,
        tollgate_client_on_sta_disconnected();
        if (s_services_running) stop_services();
        if (s_retry_count < MAX_STA_RETRY) {
+            vTaskDelay(pdMS_TO_TICKS(2000));
            esp_wifi_connect();
        } else {
            wifi_config_t wifi_cfg;
@@ -94,6 +97,13 @@ static void ip_event_handler(void *arg, esp_event_base_t event_base,
        s_retry_count = 0;
        xEventGroupSetBits(s_wifi_event_group, WIFI_CONNECTED_BIT);
+        esp_sntp_stop();
+        esp_sntp_setoperatingmode(SNTP_OPMODE_POLL);
+        esp_sntp_setservername(0, "pool.ntp.org");
+        esp_sntp_setservername(1, "time.google.com");
+        esp_sntp_init();
+        ESP_LOGI(TAG, "SNTP time sync started");
        char gw_ip_str[16];
        snprintf(gw_ip_str, sizeof(gw_ip_str), IPSTR, IP2STR(&event->ip_info.gw));
        tollgate_client_on_sta_connected(gw_ip_str);
@@ -160,6 +170,11 @@ static void start_services(void)
    s_services_running = true;
    if (s_services_mutex) xSemaphoreGive(s_services_mutex);
    ESP_LOGI(TAG, "=== TollGate services started ===");
+    display_set_state(DISPLAY_READY);
+    char portal_url[128];
+    snprintf(portal_url, sizeof(portal_url), "http://%s/", cfg->ap_ip_str);
+    display_update(cfg->ap_ssid, 0, 0, portal_url);
 }
 static void stop_services(void)
@@ -240,6 +255,9 @@ void app_main(void)
 {
    ESP_LOGI(TAG, "=== TollGate ESP32 Starting ===");
+    display_init();
+    display_set_state(DISPLAY_BOOT);
    esp_err_t ret = nvs_flash_init();
    if (ret == ESP_ERR_NVS_NO_FREE_PAGES || ret == ESP_ERR_NVS_NEW_VERSION_FOUND) {
        ESP_ERROR_CHECK(nvs_flash_erase());
@@ -288,6 +306,9 @@ void app_main(void)
        ESP_LOGI(TAG, "STA configured for SSID: %s", tcfg2->networks[tcfg2->current_network].ssid);
    }
+    ESP_ERROR_CHECK(esp_wifi_set_country_code("DE", false));
+    ESP_LOGI(TAG, "WiFi country code set to DE (EU regulatory domain)");
    ESP_ERROR_CHECK(esp_wifi_start());
    ESP_LOGI(TAG, "WiFi AP+STA started, waiting for connection...");
diff --git a/tests/integration/test-cvm.mjs b/tests/integration/test-cvm.mjs
new file mode 100644
index 0000000..8deb6ec
--- /dev/null
+++ b/tests/integration/test-cvm.mjs
@@ -0,0 +1,94 @@
+import { execSync } from 'child_process';
+const IP = process.env.TOLLGATE_IP || '10.192.45.1';
+const RELAYS = ['wss://relay.damus.io', 'wss://nos.lol'];
+let passed = 0, failed = 0;
+function assert(condition, test) {
+  if (condition) { console.log(`  \u2713 ${test}`); passed++; }
+  else { console.log(`  \u2717 ${test}`); failed++; }
+}
+function nak(args, timeout = 10000) {
+  try {
+    return execSync(`timeout ${timeout / 1000} nak ${args}`, {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout
+    }).trim();
+  } catch (e) {
+    return e.stdout ? e.stdout.trim() : '';
+  }
+}
+function sleep(ms) { return new Promise(r => setTimeout(r, ms)); }
+async function runTests() {
+  console.log(`\n=== CVM Integration Tests (target: ${IP}) ===\n`);
+  const npub = nak(`key public a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2`);
+  const npubHex = npub.trim();
+  console.log(`Board npub: ${npubHex}`);
+  const npubBech32 = nak(`encode npub ${npubHex}`).trim();
+  console.log(`Board npub (bech32): ${npubBech32}`);
+  assert(npubHex.length === 64, 'npub hex is 64 chars');
+  console.log('\n--- Test: Kind 11316 server announcement ---');
+  for (const relay of RELAYS) {
+    console.log(`  Querying ${relay}...`);
+    const result = nak(`req -k 11316 -a ${npubHex} -l 1 ${relay}`, 8000);
+    if (result.length > 0) {
+      assert(result.includes('"kind"') || result.includes('11316'),
+             `Kind 11316 found on ${relay}`);
+      if (result.includes('TollGate')) {
+        assert(true, `Announcement contains "TollGate"`);
+      }
+    } else {
+      console.log(`  (no result from ${relay} — relay may be offline)`);
+    }
+  }
+  console.log('\n--- Test: Kind 11317 tools list ---');
+  for (const relay of RELAYS) {
+    const result = nak(`req -k 11317 -a ${npubHex} -l 1 ${relay}`, 8000);
+    if (result.length > 0) {
+      assert(result.includes('"kind"') || result.includes('11317'),
+             `Kind 11317 found on ${relay}`);
+      if (result.includes('get_config') && result.includes('wallet_melt')) {
+        assert(true, `Tools list has expected tools`);
+      }
+    } else {
+      console.log(`  (no result from ${relay} — relay may be offline)`);
+    }
+  }
+  console.log('\n--- Test: Kind 10002 relay list ---');
+  for (const relay of RELAYS) {
+    const result = nak(`req -k 10002 -a ${npubHex} -l 1 ${relay}`, 8000);
+    if (result.length > 0) {
+      assert(result.includes('"kind"') || result.includes('10002'),
+             `Kind 10002 found on ${relay}`);
+    } else {
+      console.log(`  (no result from ${relay} — relay may be offline)`);
+    }
+  }
+  console.log('\n--- Test: API get_config (control check) ---');
+  try {
+    const apiResult = execSync(`curl -s http://${IP}:2121/usage`, { encoding: 'utf8', timeout: 5000 });
+    assert(apiResult.length > 0, 'API /usage responds (board is reachable)');
+  } catch (e) {
+    console.log('  (API not reachable — board may be offline or not flashed yet)');
+  }
+  console.log(`\n=== Results: ${passed} passed, ${failed} failed ===\n`);
+  process.exit(failed > 0 ? 1 : 0);
+}
+runTests().catch(e => {
+  console.error('Test error:', e.message);
+  process.exit(1);
+});
diff --git a/tests/unit/Makefile b/tests/unit/Makefile
index 5dee0d7..7ebc3b2 100644
--- a/tests/unit/Makefile
+++ b/tests/unit/Makefile
@@ -22,7 +22,7 @@ LDFLAGS := -lmbedcrypto -lcjson -lm
 SECP256K1_OBJ := secp256k1.o precomputed_ecmult.o precomputed_ecmult_gen.o
-TESTS := test_geohash test_identity test_nostr_event test_cashu test_session test_tollgate_client test_lnurl_pay test_lightning_payout test_mcp_handler test_nip04
+TESTS := test_geohash test_identity test_nostr_event test_cashu test_session test_tollgate_client test_lnurl_pay test_lightning_payout test_mcp_handler test_nip04 test_cvm_server
 .PHONY: all test clean $(TESTS)
@@ -78,5 +78,8 @@ test_mcp_handler: test_mcp_handler.c $(REPO_ROOT)/main/mcp_handler.c
 test_nip04: test_nip04.c $(REPO_ROOT)/main/nip04.c $(SECP256K1_OBJ)
        $(CC) $(CFLAGS) -I $(SECP256K1_PRIV_INC) $< $(REPO_ROOT)/main/nip04.c $(SECP256K1_OBJ) -o $@ $(LDFLAGS)
+test_cvm_server: test_cvm_server.c
+        $(CC) $(CFLAGS) $< -o $@ $(LDFLAGS)
 clean:
        rm -f $(TESTS) $(SECP256K1_OBJ)
diff --git a/tests/unit/test_cvm_server.c b/tests/unit/test_cvm_server.c
new file mode 100644
index 0000000..84583c6
--- /dev/null
+++ b/tests/unit/test_cvm_server.c
@@ -0,0 +1,434 @@
+#include "test_framework.h"
+#include "cJSON.h"
+#include <stdbool.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+static char *build_initialize_response_test(const char *request_id_str)
+{
+    cJSON *response = cJSON_CreateObject();
+    cJSON_AddStringToObject(response, "jsonrpc", "2.0");
+    cJSON_AddNumberToObject(response, "id", request_id_str ? atof(request_id_str) : 0);
+    cJSON *result = cJSON_CreateObject();
+    cJSON_AddStringToObject(result, "protocolVersion", "2025-07-02");
+    cJSON *capabilities = cJSON_CreateObject();
+    cJSON_AddItemToObject(capabilities, "tools", cJSON_CreateObject());
+    cJSON_AddItemToObject(result, "capabilities", capabilities);
+    cJSON *serverInfo = cJSON_CreateObject();
+    cJSON_AddStringToObject(serverInfo, "name", "TollGate");
+    cJSON_AddStringToObject(serverInfo, "version", "1.0.0");
+    cJSON_AddItemToObject(result, "serverInfo", serverInfo);
+    cJSON_AddItemToObject(response, "result", result);
+    char *json = cJSON_PrintUnformatted(response);
+    cJSON_Delete(response);
+    return json;
+}
+static char *build_tools_list_response_test(const char *request_id_str)
+{
+    cJSON *response = cJSON_CreateObject();
+    cJSON_AddStringToObject(response, "jsonrpc", "2.0");
+    cJSON_AddNumberToObject(response, "id", request_id_str ? atof(request_id_str) : 1);
+    cJSON *result = cJSON_CreateObject();
+    cJSON *tools = cJSON_CreateArray();
+    const char *tool_names[] = {
+        "get_config", "set_config", "get_balance", "wallet_send",
+        "get_sessions", "get_usage", "set_payout", "set_metric",
+        "set_price", "wallet_melt"
+    };
+    for (int i = 0; i < 10; i++) {
+        cJSON *tool = cJSON_CreateObject();
+        cJSON_AddStringToObject(tool, "name", tool_names[i]);
+        cJSON_AddItemToArray(tools, tool);
+    }
+    cJSON_AddItemToObject(result, "tools", tools);
+    cJSON_AddItemToObject(response, "result", result);
+    char *json = cJSON_PrintUnformatted(response);
+    cJSON_Delete(response);
+    return json;
+}
+static char *build_tool_call_response_test(const char *request_id_str,
+                                            bool success, const char *result_or_error)
+{
+    cJSON *response = cJSON_CreateObject();
+    cJSON_AddStringToObject(response, "jsonrpc", "2.0");
+    cJSON_AddNumberToObject(response, "id", request_id_str ? atof(request_id_str) : 2);
+    if (success) {
+        cJSON *result = cJSON_CreateObject();
+        cJSON *content_arr = cJSON_CreateArray();
+        cJSON *text_item = cJSON_CreateObject();
+        cJSON_AddStringToObject(text_item, "type", "text");
+        cJSON_AddStringToObject(text_item, "text", result_or_error);
+        cJSON_AddItemToArray(content_arr, text_item);
+        cJSON_AddItemToObject(result, "content", content_arr);
+        cJSON_AddBoolToObject(result, "isError", false);
+        cJSON_AddItemToObject(response, "result", result);
+    } else {
+        cJSON *error = cJSON_CreateObject();
+        cJSON_AddNumberToObject(error, "code", -32603);
+        cJSON_AddStringToObject(error, "message", result_or_error);
+        cJSON_AddItemToObject(response, "error", error);
+    }
+    char *json = cJSON_PrintUnformatted(response);
+    cJSON_Delete(response);
+    return json;
+}
+static char *build_ping_response_test(const char *request_id_str)
+{
+    cJSON *response = cJSON_CreateObject();
+    cJSON_AddStringToObject(response, "jsonrpc", "2.0");
+    cJSON_AddNumberToObject(response, "id", request_id_str ? atof(request_id_str) : 0);
+    cJSON *result = cJSON_CreateObject();
+    cJSON_AddItemToObject(response, "result", result);
+    char *json = cJSON_PrintUnformatted(response);
+    cJSON_Delete(response);
+    return json;
+}
+static char *build_announcement_11316_test(void)
+{
+    cJSON *ann = cJSON_CreateObject();
+    cJSON_AddStringToObject(ann, "protocolVersion", "2025-07-02");
+    cJSON *caps = cJSON_CreateObject();
+    cJSON *tools = cJSON_CreateObject();
+    cJSON_AddBoolToObject(tools, "listChanged", true);
+    cJSON_AddItemToObject(caps, "tools", tools);
+    cJSON_AddItemToObject(ann, "capabilities", caps);
+    cJSON *info = cJSON_CreateObject();
+    cJSON_AddStringToObject(info, "name", "TollGate");
+    cJSON_AddStringToObject(info, "version", "1.0.0");
+    cJSON_AddItemToObject(ann, "serverInfo", info);
+    char *json = cJSON_PrintUnformatted(ann);
+    cJSON_Delete(ann);
+    return json;
+}
+static char *build_announcement_11317_test(void)
+{
+    cJSON *root = cJSON_CreateObject();
+    cJSON *tools = cJSON_CreateArray();
+    const char *names[] = {
+        "get_config", "set_config", "get_balance", "wallet_send",
+        "get_sessions", "get_usage", "set_payout", "set_metric",
+        "set_price", "wallet_melt"
+    };
+    for (int i = 0; i < 10; i++) {
+        cJSON *t = cJSON_CreateObject();
+        cJSON_AddStringToObject(t, "name", names[i]);
+        cJSON_AddStringToObject(t, "description", "test");
+        cJSON *schema = cJSON_CreateObject();
+        cJSON_AddStringToObject(schema, "type", "object");
+        cJSON_AddItemToObject(t, "inputSchema", schema);
+        cJSON_AddItemToArray(tools, t);
+    }
+    cJSON_AddItemToObject(root, "tools", tools);
+    char *json = cJSON_PrintUnformatted(root);
+    cJSON_Delete(root);
+    return json;
+}
+static char *build_relay_list_10002_test(void)
+{
+    cJSON *tags = cJSON_CreateArray();
+    const char *relays[] = {"wss://relay.damus.io", "wss://nos.lol"};
+    for (int i = 0; i < 2; i++) {
+        cJSON *r = cJSON_CreateArray();
+        cJSON_AddItemToArray(r, cJSON_CreateString("r"));
+        cJSON_AddItemToArray(r, cJSON_CreateString(relays[i]));
+        cJSON_AddItemToArray(tags, r);
+    }
+    char *json = cJSON_PrintUnformatted(tags);
+    cJSON_Delete(tags);
+    return json;
+}
+static bool parse_mcp_from_25910(const char *content, char *method_out, size_t method_max,
+                                  char *params_out, size_t params_max)
+{
+    cJSON *msg = cJSON_Parse(content);
+    if (!msg) return false;
+    cJSON *method = cJSON_GetObjectItem(msg, "method");
+    if (!method || !cJSON_IsString(method)) {
+        cJSON_Delete(msg);
+        return false;
+    }
+    strncpy(method_out, method->valuestring, method_max - 1);
+    cJSON *params = cJSON_GetObjectItem(msg, "params");
+    if (params) {
+        char *pjson = cJSON_PrintUnformatted(params);
+        strncpy(params_out, pjson, params_max - 1);
+        cJSON_free(pjson);
+    }
+    cJSON_Delete(msg);
+    return true;
+}
+static void test_initialize_response(void)
+{
+    printf("\n=== MCP initialize response ===\n");
+    char *json = build_initialize_response_test("0");
+    ASSERT(json != NULL, "response created");
+    cJSON *root = cJSON_Parse(json);
+    ASSERT(root != NULL, "valid JSON");
+    ASSERT_EQ_STR("2.0", cJSON_GetObjectItem(root, "jsonrpc")->valuestring, "jsonrpc version");
+    ASSERT_EQ_INT(0, (int)cJSON_GetObjectItem(root, "id")->valuedouble, "id=0");
+    cJSON *result = cJSON_GetObjectItem(root, "result");
+    ASSERT(result != NULL, "has result");
+    ASSERT_EQ_STR("2025-07-02", cJSON_GetObjectItem(result, "protocolVersion")->valuestring, "protocol version");
+    cJSON *caps = cJSON_GetObjectItem(result, "capabilities");
+    ASSERT(caps != NULL, "has capabilities");
+    ASSERT(cJSON_GetObjectItem(caps, "tools") != NULL, "has tools capability");
+    cJSON *info = cJSON_GetObjectItem(result, "serverInfo");
+    ASSERT(info != NULL, "has serverInfo");
+    ASSERT_EQ_STR("TollGate", cJSON_GetObjectItem(info, "name")->valuestring, "server name");
+    ASSERT_EQ_STR("1.0.0", cJSON_GetObjectItem(info, "version")->valuestring, "server version");
+    cJSON_Delete(root);
+    free(json);
+}
+static void test_tools_list_response(void)
+{
+    printf("\n=== MCP tools/list response ===\n");
+    char *json = build_tools_list_response_test("1");
+    ASSERT(json != NULL, "response created");
+    cJSON *root = cJSON_Parse(json);
+    ASSERT_EQ_STR("2.0", cJSON_GetObjectItem(root, "jsonrpc")->valuestring, "jsonrpc version");
+    cJSON *result = cJSON_GetObjectItem(root, "result");
+    cJSON *tools = cJSON_GetObjectItem(result, "tools");
+    ASSERT(tools != NULL, "has tools array");
+    ASSERT_EQ_INT(10, cJSON_GetArraySize(tools), "10 tools");
+    ASSERT_EQ_STR("get_config", cJSON_GetObjectItem(cJSON_GetArrayItem(tools, 0), "name")->valuestring, "tool 0");
+    ASSERT_EQ_STR("wallet_melt", cJSON_GetObjectItem(cJSON_GetArrayItem(tools, 9), "name")->valuestring, "tool 9");
+    cJSON_Delete(root);
+    free(json);
+}
+static void test_tool_call_response_success(void)
+{
+    printf("\n=== MCP tools/call success response ===\n");
+    char *json = build_tool_call_response_test("2", true, "{\"balance\":500}");
+    ASSERT(json != NULL, "response created");
+    cJSON *root = cJSON_Parse(json);
+    cJSON *result = cJSON_GetObjectItem(root, "result");
+    ASSERT(result != NULL, "has result");
+    ASSERT(cJSON_GetObjectItem(result, "content") != NULL, "has content");
+    ASSERT_EQ_INT(0, cJSON_GetObjectItem(result, "isError")->valueint, "isError=false");
+    cJSON *content = cJSON_GetObjectItem(result, "content");
+    cJSON *text = cJSON_GetArrayItem(content, 0);
+    ASSERT_EQ_STR("text", cJSON_GetObjectItem(text, "type")->valuestring, "content type=text");
+    ASSERT(strstr(cJSON_GetObjectItem(text, "text")->valuestring, "balance") != NULL, "contains balance");
+    cJSON_Delete(root);
+    free(json);
+}
+static void test_tool_call_response_error(void)
+{
+    printf("\n=== MCP tools/call error response ===\n");
+    char *json = build_tool_call_response_test("3", false, "Tool not found");
+    ASSERT(json != NULL, "response created");
+    cJSON *root = cJSON_Parse(json);
+    cJSON *error = cJSON_GetObjectItem(root, "error");
+    ASSERT(error != NULL, "has error");
+    ASSERT_EQ_INT(-32603, cJSON_GetObjectItem(error, "code")->valueint, "error code");
+    ASSERT_EQ_STR("Tool not found", cJSON_GetObjectItem(error, "message")->valuestring, "error message");
+    cJSON_Delete(root);
+    free(json);
+}
+static void test_ping_response(void)
+{
+    printf("\n=== MCP ping response ===\n");
+    char *json = build_ping_response_test("99");
+    ASSERT(json != NULL, "response created");
+    cJSON *root = cJSON_Parse(json);
+    ASSERT_EQ_STR("2.0", cJSON_GetObjectItem(root, "jsonrpc")->valuestring, "jsonrpc version");
+    ASSERT(cJSON_GetObjectItem(root, "result") != NULL, "has result");
+    cJSON_Delete(root);
+    free(json);
+}
+static void test_announcement_11316(void)
+{
+    printf("\n=== Kind 11316 server announcement ===\n");
+    char *json = build_announcement_11316_test();
+    ASSERT(json != NULL, "announcement created");
+    cJSON *root = cJSON_Parse(json);
+    ASSERT_EQ_STR("2025-07-02", cJSON_GetObjectItem(root, "protocolVersion")->valuestring, "protocol version");
+    cJSON *caps = cJSON_GetObjectItem(root, "capabilities");
+    ASSERT(cJSON_GetObjectItem(caps, "tools") != NULL, "has tools capability");
+    cJSON *info = cJSON_GetObjectItem(root, "serverInfo");
+    ASSERT_EQ_STR("TollGate", cJSON_GetObjectItem(info, "name")->valuestring, "name");
+    ASSERT_EQ_STR("1.0.0", cJSON_GetObjectItem(info, "version")->valuestring, "version");
+    cJSON_Delete(root);
+    free(json);
+}
+static void test_announcement_11317(void)
+{
+    printf("\n=== Kind 11317 tools list ===\n");
+    char *json = build_announcement_11317_test();
+    ASSERT(json != NULL, "tools list created");
+    cJSON *root = cJSON_Parse(json);
+    cJSON *tools = cJSON_GetObjectItem(root, "tools");
+    ASSERT_EQ_INT(10, cJSON_GetArraySize(tools), "10 tools");
+    cJSON *t0 = cJSON_GetArrayItem(tools, 0);
+    ASSERT_EQ_STR("get_config", cJSON_GetObjectItem(t0, "name")->valuestring, "tool 0 name");
+    ASSERT(cJSON_GetObjectItem(t0, "inputSchema") != NULL, "tool has inputSchema");
+    cJSON_Delete(root);
+    free(json);
+}
+static void test_relay_list_10002(void)
+{
+    printf("\n=== Kind 10002 relay list ===\n");
+    char *json = build_relay_list_10002_test();
+    ASSERT(json != NULL, "relay list created");
+    cJSON *tags = cJSON_Parse(json);
+    ASSERT(cJSON_IsArray(tags), "is array");
+    ASSERT_EQ_INT(2, cJSON_GetArraySize(tags), "2 relay tags");
+    cJSON *r0 = cJSON_GetArrayItem(tags, 0);
+    ASSERT_EQ_STR("r", cJSON_GetArrayItem(r0, 0)->valuestring, "tag type r");
+    ASSERT_EQ_STR("wss://relay.damus.io", cJSON_GetArrayItem(r0, 1)->valuestring, "relay 0");
+    cJSON *r1 = cJSON_GetArrayItem(tags, 1);
+    ASSERT_EQ_STR("wss://nos.lol", cJSON_GetArrayItem(r1, 1)->valuestring, "relay 1");
+    cJSON_Delete(tags);
+    free(json);
+}
+static void test_mcp_parse_from_25910(void)
+{
+    printf("\n=== Parse MCP from kind 25910 content ===\n");
+    char method[64] = {0};
+    char params[1024] = {0};
+    bool ok = parse_mcp_from_25910(
+        "{\"jsonrpc\":\"2.0\",\"id\":0,\"method\":\"initialize\",\"params\":{}}",
+        method, sizeof(method), params, sizeof(params));
+    ASSERT(ok, "parsed initialize");
+    ASSERT_EQ_STR("initialize", method, "method=initialize");
+    ok = parse_mcp_from_25910(
+        "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"get_config\"}}",
+        method, sizeof(method), params, sizeof(params));
+    ASSERT(ok, "parsed tools/call");
+    ASSERT_EQ_STR("tools/call", method, "method=tools/call");
+    ASSERT(strstr(params, "get_config") != NULL, "params has get_config");
+    ok = parse_mcp_from_25910("{\"jsonrpc\":\"2.0\",\"method\":\"notifications/initialized\"}",
+                               method, sizeof(method), params, sizeof(params));
+    ASSERT(ok, "parsed notification");
+    ASSERT_EQ_STR("notifications/initialized", method, "method=notifications/initialized");
+    ok = parse_mcp_from_25910("not json", method, sizeof(method), params, sizeof(params));
+    ASSERT(!ok, "garbage rejected");
+    ok = parse_mcp_from_25910("{\"jsonrpc\":\"2.0\"}", method, sizeof(method), params, sizeof(params));
+    ASSERT(!ok, "missing method rejected");
+}
+static void test_auth_check(void)
+{
+    printf("\n=== Auth check logic ===\n");
+    const char *owner = "d6bfe100d1600c0d8f769501676fc74c3809500bd131c8a549f88cf616c21f35";
+    const char *other = "0000000000000000000000000000000000000000000000000000000000000001";
+    ASSERT(strcmp(owner, owner) == 0, "owner matches self");
+    ASSERT(strcmp(owner, other) != 0, "owner differs from other");
+    ASSERT(strcmp(other, owner) != 0, "other differs from owner");
+    ASSERT(NULL == NULL, "two NULLs match (for safety check)");
+}
+static void test_25910_event_content_roundtrip(void)
+{
+    printf("\n=== Kind 25910 content roundtrip ===\n");
+    cJSON *request = cJSON_CreateObject();
+    cJSON_AddStringToObject(request, "jsonrpc", "2.0");
+    cJSON_AddNumberToObject(request, "id", 42);
+    cJSON_AddStringToObject(request, "method", "tools/call");
+    cJSON *params = cJSON_CreateObject();
+    cJSON_AddStringToObject(params, "name", "get_balance");
+    cJSON_AddItemToObject(request, "params", params);
+    char *content = cJSON_PrintUnformatted(request);
+    cJSON_Delete(request);
+    char method[64] = {0};
+    char params_out[1024] = {0};
+    bool ok = parse_mcp_from_25910(content, method, sizeof(method), params_out, sizeof(params_out));
+    ASSERT(ok, "roundtrip parse succeeded");
+    ASSERT_EQ_STR("tools/call", method, "method preserved");
+    ASSERT(strstr(params_out, "get_balance") != NULL, "tool name preserved");
+    free(content);
+}
+int main(void)
+{
+    printf("=== test_cvm_server ===\n");
+    test_initialize_response();
+    test_tools_list_response();
+    test_tool_call_response_success();
+    test_tool_call_response_error();
+    test_ping_response();
+    test_announcement_11316();
+    test_announcement_11317();
+    test_relay_list_10002();
+    test_mcp_parse_from_25910();
+    test_auth_check();
+    test_25910_event_content_roundtrip();
+    TEST_SUMMARY();
+}
diff --git a/tests/unit/test_mcp_handler.c b/tests/unit/test_mcp_handler.c
index aaa199d..05e9e38 100644
--- a/tests/unit/test_mcp_handler.c
+++ b/tests/unit/test_mcp_handler.c
@@ -1,6 +1,7 @@
 #include "test_framework.h"
 #include "mcp_handler.h"
 #include "config.h"
+#include "session.h"
 #include "nucula_wallet.h"
 #include "cJSON.h"
 #include <string.h>
@@ -11,6 +12,7 @@ static uint64_t g_wallet_balance = 0;
 static int g_wallet_proof_count = 0;
 static int g_wallet_send_rc = 0;
 static char g_wallet_send_token[256] = "cashuA_test_token";
+static esp_err_t g_wallet_melt_rc = ESP_OK;
 const tollgate_config_t *tollgate_config_get(void) {
    return &g_test_config;
@@ -33,6 +35,23 @@ int nucula_wallet_send(uint64_t amount, char *token_out, size_t token_max) {
    return g_wallet_send_rc;
 }
+esp_err_t nucula_wallet_melt(const char *bolt11, uint64_t max_fee) {
+    (void)bolt11;
+    (void)max_fee;
+    return g_wallet_melt_rc;
+}
+static session_t g_test_sessions[SESSION_MAX_CLIENTS];
+static int g_test_session_count = 0;
+session_t *cvm_get_sessions_array(void) {
+    return g_test_sessions;
+}
+int cvm_get_sessions_count(void) {
+    return SESSION_MAX_CLIENTS;
+}
 static void test_mcp_parse_tool(void)
 {
    printf("\n=== MCP tool parsing ===\n");
@@ -40,6 +59,12 @@ static void test_mcp_parse_tool(void)
    ASSERT_EQ_INT(MCP_TOOL_SET_CONFIG, mcp_parse_tool("set_config"), "set_config");
    ASSERT_EQ_INT(MCP_TOOL_GET_BALANCE, mcp_parse_tool("get_balance"), "get_balance");
    ASSERT_EQ_INT(MCP_TOOL_WALLET_SEND, mcp_parse_tool("wallet_send"), "wallet_send");
+    ASSERT_EQ_INT(MCP_TOOL_GET_SESSIONS, mcp_parse_tool("get_sessions"), "get_sessions");
+    ASSERT_EQ_INT(MCP_TOOL_GET_USAGE, mcp_parse_tool("get_usage"), "get_usage");
+    ASSERT_EQ_INT(MCP_TOOL_SET_PAYOUT, mcp_parse_tool("set_payout"), "set_payout");
+    ASSERT_EQ_INT(MCP_TOOL_SET_METRIC, mcp_parse_tool("set_metric"), "set_metric");
+    ASSERT_EQ_INT(MCP_TOOL_SET_PRICE, mcp_parse_tool("set_price"), "set_price");
+    ASSERT_EQ_INT(MCP_TOOL_WALLET_MELT, mcp_parse_tool("wallet_melt"), "wallet_melt");
    ASSERT_EQ_INT(MCP_TOOL_UNKNOWN, mcp_parse_tool("foo"), "unknown tool");
    ASSERT_EQ_INT(MCP_TOOL_UNKNOWN, mcp_parse_tool(NULL), "NULL tool");
 }
@@ -135,6 +160,121 @@ static void test_mcp_dispatch(void)
    ASSERT(!resp.success, "NULL request dispatch fails");
 }
+static void test_mcp_get_sessions(void)
+{
+    printf("\n=== MCP get_sessions ===\n");
+    memset(g_test_sessions, 0, sizeof(g_test_sessions));
+    mcp_response_t resp = mcp_handle_get_sessions();
+    ASSERT(resp.success, "get_sessions succeeds");
+    cJSON *result = cJSON_Parse(resp.result_json);
+    ASSERT(result != NULL, "result is valid JSON array");
+    ASSERT(cJSON_IsArray(result), "result is an array");
+    ASSERT_EQ_INT(0, cJSON_GetArraySize(result), "empty sessions");
+    cJSON_Delete(result);
+    g_test_sessions[0].active = true;
+    g_test_sessions[0].client_ip = 0x0100000A;
+    strncpy(g_test_sessions[0].mac, "AA:BB:CC:DD:EE:FF", sizeof(g_test_sessions[0].mac) - 1);
+    g_test_sessions[0].allotment_ms = 60000;
+    resp = mcp_handle_get_sessions();
+    ASSERT(resp.success, "get_sessions with data succeeds");
+    result = cJSON_Parse(resp.result_json);
+    ASSERT_EQ_INT(1, cJSON_GetArraySize(result), "one active session");
+    cJSON *s = cJSON_GetArrayItem(result, 0);
+    ASSERT_EQ_STR("AA:BB:CC:DD:EE:FF", cJSON_GetObjectItem(s, "mac")->valuestring, "mac matches");
+    cJSON_Delete(result);
+    g_test_sessions[0].active = false;
+}
+static void test_mcp_get_usage(void)
+{
+    printf("\n=== MCP get_usage ===\n");
+    memset(&g_test_config, 0, sizeof(g_test_config));
+    strncpy(g_test_config.metric, "milliseconds", sizeof(g_test_config.metric) - 1);
+    g_test_config.price_per_step = 21;
+    g_test_config.step_size_ms = 60000;
+    g_test_config.step_size_bytes = 22020096;
+    mcp_response_t resp = mcp_handle_get_usage();
+    ASSERT(resp.success, "get_usage succeeds");
+    cJSON *result = cJSON_Parse(resp.result_json);
+    ASSERT(result != NULL, "result is valid JSON");
+    ASSERT_EQ_STR("milliseconds", cJSON_GetObjectItem(result, "metric")->valuestring, "metric matches");
+    ASSERT_EQ_INT(21, cJSON_GetObjectItem(result, "price_per_step")->valueint, "price matches");
+    cJSON_Delete(result);
+}
+static void test_mcp_set_payout(void)
+{
+    printf("\n=== MCP set_payout ===\n");
+    memset(&g_test_config, 0, sizeof(g_test_config));
+    const char *params = "{\"enabled\":true,\"recipients\":[{\"lightning_address\":\"test@coinos.io\",\"factor\":0.5}]}";
+    mcp_response_t resp = mcp_handle_set_payout(params);
+    ASSERT(resp.success, "set_payout succeeds");
+    ASSERT(g_test_config.payout.enabled, "payout enabled");
+    ASSERT_EQ_INT(1, g_test_config.payout.recipient_count, "1 recipient");
+    ASSERT_EQ_STR("test@coinos.io", g_test_config.payout.recipients[0].lightning_address, "address matches");
+    resp = mcp_handle_set_payout("not json");
+    ASSERT(!resp.success, "invalid JSON fails");
+}
+static void test_mcp_set_metric(void)
+{
+    printf("\n=== MCP set_metric ===\n");
+    memset(&g_test_config, 0, sizeof(g_test_config));
+    mcp_response_t resp = mcp_handle_set_metric("{\"metric\":\"bytes\"}");
+    ASSERT(resp.success, "set_metric bytes succeeds");
+    ASSERT_EQ_STR("bytes", g_test_config.metric, "metric updated to bytes");
+    resp = mcp_handle_set_metric("{\"metric\":\"milliseconds\"}");
+    ASSERT(resp.success, "set_metric milliseconds succeeds");
+    ASSERT_EQ_STR("milliseconds", g_test_config.metric, "metric updated to milliseconds");
+    resp = mcp_handle_set_metric("{\"metric\":\"invalid\"}");
+    ASSERT(!resp.success, "invalid metric rejected");
+    resp = mcp_handle_set_metric("{}");
+    ASSERT(!resp.success, "missing metric rejected");
+}
+static void test_mcp_set_price(void)
+{
+    printf("\n=== MCP set_price ===\n");
+    memset(&g_test_config, 0, sizeof(g_test_config));
+    g_test_config.price_per_step = 21;
+    mcp_response_t resp = mcp_handle_set_price("{\"price_per_step\":50}");
+    ASSERT(resp.success, "set_price succeeds");
+    ASSERT_EQ_INT(50, g_test_config.price_per_step, "price updated to 50");
+    resp = mcp_handle_set_price("{\"price_per_step\":0}");
+    ASSERT(!resp.success, "zero price rejected");
+    resp = mcp_handle_set_price("{}");
+    ASSERT(!resp.success, "missing price rejected");
+}
+static void test_mcp_wallet_melt(void)
+{
+    printf("\n=== MCP wallet_melt ===\n");
+    g_wallet_melt_rc = ESP_OK;
+    mcp_response_t resp = mcp_handle_wallet_melt("{\"bolt11\":\"lnbc100n1...\"}");
+    ASSERT(resp.success, "wallet_melt succeeds");
+    g_wallet_melt_rc = ESP_FAIL;
+    resp = mcp_handle_wallet_melt("{\"bolt11\":\"lnbc100n1...\"}");
+    ASSERT(!resp.success, "melt failure reported");
+    resp = mcp_handle_wallet_melt("{}");
+    ASSERT(!resp.success, "missing bolt11 fails");
+}
 int main(void)
 {
    printf("=== test_mcp_handler ===\n");
@@ -143,6 +283,12 @@ int main(void)
    test_mcp_set_config();
    test_mcp_get_balance();
    test_mcp_wallet_send();
+    test_mcp_get_sessions();
+    test_mcp_get_usage();
+    test_mcp_set_payout();
+    test_mcp_set_metric();
+    test_mcp_set_price();
+    test_mcp_wallet_melt();
    test_mcp_dispatch();
    TEST_SUMMARY();
 }