15 files changed, 479 insertions, 166 deletions
diff --git a/AGENTS.md b/AGENTS.md
index f5d4f7e..6f1c399 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -51,8 +51,8 @@ nvs_flash_init()
 - `wifistr.c/h` — kind 38787 event builder + WebSocket relay publish
 - `captive_portal.c/h` — HTTP :80 portal, captive detection, grant/reset
 - `dns_server.c/h` — DNS hijack/forward per-client, DoT reject
- `firewall.c/h` — NAPT on/off per-client, MAC resolution
+- `firewall.c/h` — per-client NAT filter via LWIP_HOOK_IP4_CANFORWARD, MAC resolution
- `session.c/h` — time-based sessions, spent-secret tracking
+- `session.c/h` — time-based sessions, MAC tracking
 - `cashu.c/h` — Cashu token decode, checkstate, allotment calc
 - `tollgate_api.c/h` — HTTP :2121, payment endpoints, wallet endpoints
diff --git a/CHECKLIST.md b/CHECKLIST.md
index b71bd14..c5dfbe4 100644
--- a/CHECKLIST.md
+++ b/CHECKLIST.md
@@ -22,158 +22,115 @@
 - [x] Tests 1-14: ALL PASSING
 ## Phase 2: E-Cash Payments — COMPLETE
-### Code Written
+- [x] Implement cashu.c/h, session.c/h, tollgate_api.c/h
- [x] Implement cashu.c/h (Cashu token parse, base64url, checkstate, mint validation)
+- [x] Update captive portal HTML with payment form
- [x] Implement session.c/h (time-based allotment, expiry, secret tracking, MAC tracking)
+- [x] Wire into tollgate_main.c
- [x] Implement tollgate_api.c/h (:2121 server, GET/POST /, /usage, /whoami)
+- [x] Per-MAC access tracking, two httpd instances
- [x] Update captive portal HTML with payment form (Cashu token textarea + "Pay & Connect")
+- [x] Bug fixes: stack overflow, heap allocations, TLS, token decode
- [x] Wire into tollgate_main.c (session_init, api_start, session_tick loop)
- [x] Per-MAC access tracking: `firewall_get_mac_for_ip()` using `esp_wifi_ap_get_sta_list_with_ip()` + ARP fallback
- [x] Two httpd instances: port 80 (captive portal) and port 2121 (TollGate API)
-### Bug Fixes
- [x] Stack overflow: httpd stack_size increased to 32768 (TLS+mbedTLS needs ~20KB)
- [x] Heap allocations: cashu_token_t, cashu_proof_state_t, json_buf, post_body all heap-allocated
- [x] TLS to mint: `esp_crt_bundle_attach` + `esp-tls` in CMakeLists.txt REQUIRES
- [x] HTTP client: `open/write/fetch_headers/read` pattern (not `perform`)
- [x] Token decode: dynamic `json_buf` sizing `malloc((b64_len * 3) / 4 + 4)`, strip trailing `\n`/`\r`
- [x] POST body recv: loop `httpd_req_recv` until all `content_len` bytes read
- [x] `secret_count` bug: capped at `MIN(proof_count, 5)` before `session_create`
- [x] `config.c` default mint URL fixed to `testnut.cashu.space`
- [x] Makefile: nutshell wallet targets (wallet-setup, wallet-info, mint-token, send-token)
- [x] `tests/phase2.mjs`: `/whoami` test checks `includes('mac=')`
-### Tests Passing
 - [x] Tests 15-24: ALL PASSING
 ## Phase 3: On-Device Wallet + Nostr Identity + Wifistr — COMPLETE
-### nucula Wallet Integration
+- [x] nucula wallet integration (git submodule, C++ bridge, C API)
- [x] Add nucula as git submodule (`nucula_src/`)
+- [x] Nostr identity derivation (HMAC-SHA512, MAC/SSID/IP)
- [x] Create `components/secp256k1/` (symlink to nucula's libsecp256k1)
+- [x] Nostr event signing (NIP-01, Schnorr)
- [x] Create `components/nucula_lib/` (C++ bridge + C API)
+- [x] Geohash encoding
- [x] C bridge: `nucula_wallet.h` (init, receive, send, swap_all, balance, proofs_json)
+- [x] Wifistr service discovery (kind 38787)
- [x] All wallet operations tested on Board A: pay, swap, send, persistence
+- [x] 58 unit tests passing
-### Nostr Identity Derivation (identity.c/h)
- [x] HMAC-SHA512 derivation via mbedtls, npub via secp256k1
- [x] Derive STA/AP MAC, SSID, AP IP from nsec
- [x] Set MACs via `esp_wifi_set_mac()` in boot sequence
- [x] 24/24 unit tests passing
-### Nostr Event Signing (nostr_event.c/h)
- [x] NIP-01 canonical JSON, SHA-256 ID, Schnorr signature
- [x] 23/23 unit tests passing
-### Geohash Encoding (geohash.c/h)
- [x] Standard base-32 geohash encoding
- [x] 11/11 unit tests passing
-### Wifistr Service Discovery (wifistr.c/h)
- [x] kind 38787 event builder + WebSocket relay publish
- [x] Publish on boot + periodic timer (6h default)
- [x] Verified published to relay.damus.io and nos.lol
 ## Phase 4: ESP32 TollGate Client Detection + Auto-Payment — COMPLETE (commit `78dd599`)
 - [x] tollgate_client.c/h — detection, payment, monitoring, state machine
- [x] Config fields: client_enabled, client_steps_to_buy, etc.
- [x] Integration into tollgate_main.c
 - [x] 30/30 unit tests passing
 ## Phase 5: Lightning Auto-Payout — COMPLETE (commit `cb4bd7d`)
- [x] lnurl_pay.c/h — LNURL-pay HTTP flow
+- [x] lnurl_pay.c/h, lightning_payout.c/h, nucula_wallet_melt()
- [x] lightning_payout.c/h — periodic balance check, threshold, multi-recipient split, melt
+- [x] 18 unit tests passing
- [x] nucula_wallet_melt() bridge for NUT-05
- [x] Config: payout.enabled, recipients, mints, fee_tolerance, etc.
- [x] 7/7 lnurl_pay + 11/11 lightning_payout = 18 unit tests passing
 ## Phase 6: Bytes-Based Billing — COMPLETE (commit `edd125d`)
 - [x] Dual-metric session support (milliseconds + bytes)
- [x] session_create_bytes(), session_add_bytes()
- [x] Config: metric, step_size_bytes
- [x] Discovery endpoint advertises correct metric
- [x] Unit tests: bytes session lifecycle, mixed metrics
 ## Phase 7: MCP Handler + NIP-04 + CVM Server — COMPLETE (commit `fdf662f`)
- [x] mcp_handler.c/h — 4 tools (get_config, set_config, get_balance, wallet_send), 25 unit tests
+- [x] mcp_handler.c/h (4 tools, 25 unit tests)
- [x] nip04.c/h — AES-256-CBC + ECDH with 0x02 compressed pubkey prefix, 15 unit tests
+- [x] nip04.c/h (AES-256-CBC + ECDH, 15 unit tests)
- [x] cvm_server.c/h — Nostr DM listener skeleton with FreeRTOS task
+- [x] cvm_server.c/h (Nostr DM listener)
- [x] Fixed NIP-04 IV bug: mbedtls_aes_crypt_cbc modifies IV in-place
- [x] Fixed missing esp_random.h include in nip04.c
- [x] 156 total unit tests passing across 10 test binaries
 ## Bug Fixes — COMPLETE (commit `3342c8e`)
- [x] reset_auth_handler now calls session_revoke_all() before firewall_revoke_all()
+- [x] reset_auth, /usage, metric default, sys_evt stack overflow fixes
- [x] Port 80 /usage shows real session data (remaining/total) instead of "0/0"
- [x] Config metric defaults to "milliseconds" (ESP32 can't track per-client bytes from NAT)
- [x] Fixed sys_evt stack overflow: deferred start_services() to dedicated 32KB task
 ## Playwright Interop Tests — COMPLETE (commit `4fb44e7`)
 - [x] 18/18 tests passing (11 ESP32 + 7 ESP32↔OpenWRT interop)
- [x] 7 screenshots generated
- [x] Double-spend rejection verified on live hardware
+## Per-Client NAT Filtering — COMPLETE (commit `0c2c67b`)
+- [x] Create `main/lwip_tollgate_hooks.h` — LWIP_HOOK_IP4_CANFORWARD definition
+- [x] Update `CMakeLists.txt` — inject hook header into lwIP compilation
+- [x] Add `tollgate_ip4_canforward_filter()` to `firewall.c` — filter by source IP, network byte order
+- [x] NAT always ON, per-client filter in lwIP forwarding path
+- [x] Remove `update_nat()`, `firewall_enable_nat()`, `firewall_disable_nat()`
+- [x] Subnet-aware: only filter AP subnet packets, allow internet responses
+- [x] Fix byte order bug: firewall stores IPs in network byte order
+- [x] Reduce API server stack 32KB→16KB (fixes ESP_ERR_HTTPD_TASK)
+- [x] E2E verified: block→pay→allow→revoke→block on live hardware
+## Spent-Secret Cleanup — COMPLETE (commit `0c2c67b`)
+- [x] Remove `s_spent_secrets[]`, `session_is_secret_spent()` from session.c
+- [x] Remove `spent_secrets`/`spent_secret_count` from `session_t`
+- [x] Remove spent-secret params from `session_create()`/`session_create_bytes()`
+- [x] Remove local spent-secret check in `tollgate_api.c`
+- [x] Update `tests/unit/test_session.c`
+- [x] 186 unit tests passing
 ---
-## TODO — In Progress
+## TODO — Remaining
-### Per-Client NAT Filtering (Multi-Client Fix)
- [ ] Create `main/lwip_tollgate_hooks.h` — LWIP_HOOK_IP4_CANFORWARD definition
- [ ] Update `CMakeLists.txt` — inject hook header into lwIP compilation
- [ ] Add `tollgate_ip4_canforward_filter()` to `firewall.c` — filter forwarded packets by source IP
- [ ] Change firewall strategy: NAT always ON, per-client filter in lwIP forwarding path
- [ ] Remove `update_nat()`, `firewall_enable_nat()`, `firewall_disable_nat()` from firewall.c
- [ ] Update `stop_services()` in tollgate_main.c — remove `firewall_disable_nat()` call
- [ ] Add unit test for filter function
- [ ] Build, flash, test on Board A
- [ ] Verify multi-client isolation: expire one client while other is active
-### Spent-Secret Cleanup
- [ ] Remove `s_spent_secrets[]` and `session_is_secret_spent()` from `session.c`
- [ ] Remove `spent_secrets` field from `session_t` struct in `session.h`
- [ ] Remove `spent_secrets` params from `session_create()` and `session_create_bytes()`
- [ ] Remove local spent-secret check in `tollgate_api.c` (lines 227-239)
- [ ] Remove `secrets[]` array construction in `tollgate_api.c`
- [ ] Update `tests/unit/test_session.c` — remove secret-tracking tests
- [ ] Run `make test-unit` — all tests pass
-### Integration Tests (tests/integration/)
- [ ] Create `tests/integration/` directory
- [ ] Move existing tests (api.mjs, network.mjs, smoke.mjs, phase2.mjs) into integration/
- [ ] Write `test-reset-auth.mjs` — verify sessions cleared after reset
- [ ] Write `test-session-lifecycle.mjs` — pay → verify usage → wait expiry → verify blocked (65s)
- [ ] Write `test-dns-firewall.mjs` — DNS hijack before auth, forward after auth
- [ ] Update Makefile targets for new paths
- [ ] All integration tests passing
 ### Test Reorganization
- [ ] Fix all hardcoded IPs → `process.env.TOLLGATE_IP`
+- [ ] Fix hardcoded IP fallbacks: `192.168.4.1` → `10.192.45.1` in test files
- [ ] Move `tests/captive-portal.spec.mjs` → `tests/e2e/`
+- [ ] Create `tests/integration/` and `tests/e2e/` directories
- [ ] Move `tests/interop-happy-path.spec.mjs` → `tests/e2e/` or `tests/integration/`
+- [ ] Move `api.mjs`, `network.mjs`, `phase2.mjs`, `smoke.mjs` → `tests/integration/`
- [ ] Move `tests/playwright.config.mjs` → `tests/e2e/`
+- [ ] Move `captive-portal.spec.mjs`, `interop-happy-path.spec.mjs` → `tests/e2e/`
+- [ ] Move `playwright.config.mjs` → `tests/e2e/`
+### New Integration Tests
+- [ ] Write `tests/integration/test-reset-auth.mjs` — reset → verify blocked → pay → verify allowed → reset → verify blocked
+- [ ] Write `tests/integration/test-session-expiry.mjs` — pay → wait 65s → verify blocked (slow test)
+- [ ] Write `tests/integration/test-dns-firewall.mjs` — DNS hijack before auth, forward after auth, per-client NAT filter
+### Makefile & Package Updates
+- [ ] Add `test-unit`, `test-integration`, `test-e2e`, `test-all`, `test-session-expiry` targets
+- [ ] Update `package.json` scripts for new paths
+- [ ] Update existing targets to new paths
 ### Playwright Video Recording Fix
- [ ] Per-test context isolation (not shared serial context)
+- [ ] Per-test context isolation in playwright.config.mjs
- [ ] Verify `.webm` files generated in test-results/
+- [ ] Verify `.webm` files generated in `tests/e2e/test-results/`
-### OpenWRT Interop
+### AGENTS.md Update
- [ ] Investigate `nofee.testnut.cashu.space` API compatibility issues
+- [ ] Update firewall description: "per-client NAT filter via LWIP_HOOK_IP4_CANFORWARD"
- [ ] Fix cashu CLI v0.19.2 Pydantic validation failures with missing `active` field
+- [ ] Update session.c description: remove "spent-secret tracking"
-### Board B
+### OpenWRT Interop
- [ ] Flash Board B with current firmware (different nsec)
+- [ ] SSH to `root@10.47.41.1`, verify `tollgate-wrt` still running
- [ ] Cross-board payment test: Board B → Board A
+- [ ] Test `curl http://10.47.41.1:2121/` — kind=10021 response
- [ ] ESP32→ESP32 auto-payment (Scenario 5)
+- [ ] Investigate `nofee.testnut.cashu.space` API compatibility
+- [ ] Document findings
+### Board B — Flash + Cross-Board Test
+- [x] Generate nsec for Board B: `9af47906b45aca5e238390f3d03c8274e154198e81aa2095065627d1e61ca968`
+- [x] Derived identity: SSID `TollGate-b96d80`, AP IP `10.185.47.1`, AP MAC `fe:08:f7:b9:6d:80`
+- [ ] Create Board B config.json with new nsec
+- [ ] Flash Board B at `/dev/ttyACM1`
+- [ ] Verify Board B boots with different SSID/IP
+- [ ] Cross-board payment test: Board B pays Board A (Scenario 5)
 ---
 ## Reminders
 - **Commit + push every time a test passes that previously didn't pass**
- Board A: `/dev/ttyACM0`, MAC `94:a9:90:2e:37:7c`, SSID `TollGate-C0E9CA`, AP IP `10.192.45.1`
+- Board A: `/dev/ttyACM0`, SSID `TollGate-C0E9CA`, AP IP `10.192.45.1`
- Board B: `/dev/ttyACM1`, MAC `fc:01:2c:c5:50:50`
+- Board B: `/dev/ttyACM1`, SSID `TollGate-b96d80`, AP IP `10.185.47.1`, nsec `9af47906...`
 - OpenWRT Router: SSH `root@10.47.41.1`, port 2121
 - `source ~/esp/esp-idf/export.sh` before `idf.py`
- Latest commit: `3342c8e`
+- Latest commit: `0c2c67b`
- 156 unit tests + 18 Playwright tests — all passing
+- 186 unit tests + 18 Playwright tests — all passing
 - sudo password: `c03rad0r123`
 - Token generation: `cashu -h https://testnut.cashu.space send --legacy 21`
 - See `AGENTS.md` for full testing rules
diff --git a/Makefile b/Makefile
index 2ed8e07..40f0e7b 100644
--- a/Makefile
+++ b/Makefile
@@ -17,12 +17,15 @@ NODE ?= node
 NPM ?= npm
 PYTHON ?= python3
+TOLLGATE_IP ?= 10.192.45.1
 .PHONY: help setup detect-ports detect-chip detect-all
 .PHONY: flash flash-a flash-b monitor monitor-a monitor-b
-.PHONY: test smoke test-api test-portal test-network test-full
+.PHONY: test test-unit test-integration test-e2e test-all
-.PHONY: tokens test-payment wallet-setup wallet-info wallet-balance mint-token send-token
+.PHONY: test-smoke test-api test-network test-portal test-payment
-.PHONY: clean erase-nvs reset serial-log
+.PHONY: test-reset-auth test-session-expiry test-dns-firewall
-.PHONY: bootstrap-config
+.PHONY: tokens wallet-setup wallet-info wallet-balance mint-token send-token
+.PHONY: clean erase-nvs reset serial-log bootstrap-config
 help:
        @echo "TollGate ESP32 — Makefile"
@@ -38,25 +41,24 @@ help:
        @echo "  flash-b           Flash to PORT_B"
        @echo "  monitor           Serial monitor on PORT"
        @echo ""
-        @echo "Test (Phase 1):"
+        @echo "Testing:"
-        @echo "  test              Run all Phase 1 tests"
+        @echo "  test-unit         Host C unit tests (no hardware)"
-        @echo "  smoke             Quick 30s smoke test"
+        @echo "  test-integration  Node.js integration tests (live board)"
-        @echo "  test-api          curl API endpoint tests"
+        @echo "  test-e2e          Playwright browser E2E tests"
-        @echo "  test-portal       Playwright captive portal tests"
+        @echo "  test-all          Run all three test layers"
-        @echo "  test-network      DNS/NAT connectivity tests"
+        @echo "  test-smoke        Quick 30s smoke test"
-        @echo "  test-full         All 14 Phase 1 tests"
+        @echo "  test-reset-auth   Reset auth + per-client NAT filter test"
+        @echo "  test-dns-firewall DNS hijack + NAT filter test"
+        @echo "  test-session-expiry Session lifecycle with 65s expiry wait"
        @echo ""
-        @echo "Test (Phase 2):"
+        @echo "Wallet:"
        @echo "  wallet-setup      Initialize nutshell wallet for test mint"
        @echo "  wallet-info       Show mint info"
        @echo "  wallet-balance    Show wallet balance"
        @echo "  mint-token        Invoice + send test token (AMOUNT=21)"
        @echo "  send-token        Send cashuA token (AMOUNT=21)"
-        @echo "  tokens            Alias for send-token"
-        @echo "  test-payment      Payment flow tests"
        @echo ""
        @echo "Utilities:"
-        @echo "  setup             One-time: install esptool, deps"
        @echo "  clean             Clean build"
        @echo "  erase-nvs         Erase NVS partition on PORT"
        @echo "  reset             Hardware reset on PORT"
@@ -144,33 +146,60 @@ monitor-b: PORT=$(PORT_B)
 monitor-b: monitor
 # ──────────────────────────────────────────────
-# Test Infrastructure
+# Testing
 # ──────────────────────────────────────────────
-test: test-api test-network
+test-unit:
-        @echo "=== All tests passed ==="
+        @echo "=== Running host unit tests ==="
+        $(MAKE) -C tests/unit test
+test-integration: test-api test-network test-reset-auth test-dns-firewall
+        @echo "=== Integration tests passed ==="
+test-e2e:
+        @echo "=== Running Playwright E2E tests ==="
+        cd tests/e2e && npx playwright test
+test-all: test-unit test-integration test-e2e
+        @echo "=== All test layers passed ==="
+test: test-unit test-integration
+        @echo "=== Tests passed ==="
-smoke:
+test-smoke:
        @echo "=== Running smoke test (30s) ==="
-        $(NODE) tests/smoke.mjs $(PORT)
+        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/smoke.mjs
 test-api:
        @echo "=== Running API tests ==="
-        $(NODE) tests/api.mjs
+        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/api.mjs
+test-network:
+        @echo "=== Running network tests ==="
+        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/network.mjs
 test-portal:
        @echo "=== Running Playwright portal tests ==="
-        npx playwright test tests/captive-portal.spec.mjs
+        cd tests/e2e && npx playwright test captive-portal.spec.mjs
-test-network:
+test-payment:
-        @echo "=== Running network tests ==="
+        @echo "=== Running payment tests ==="
-        $(NODE) tests/network.mjs
+        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/phase2.mjs
+test-reset-auth:
+        @echo "=== Running reset auth test ==="
+        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/test-reset-auth.mjs
-test-full: test-api test-portal test-network
+test-session-expiry:
-        @echo "=== Full test suite passed ==="
+        @echo "=== Running session expiry test (65s wait, ~80s total) ==="
+        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/test-session-expiry.mjs
+test-dns-firewall:
+        @echo "=== Running DNS + firewall test ==="
+        TOLLGATE_IP=$(TOLLGATE_IP) $(NODE) tests/integration/test-dns-firewall.mjs
 # ──────────────────────────────────────────────
-# Phase 2: Payment Testing (Nutshell wallet)
+# Wallet
 # ──────────────────────────────────────────────
 wallet-setup:
@@ -187,8 +216,8 @@ wallet-balance:
        cashu --env-mint $(TEST_MINT) balance
 mint-token:
-        @echo "=== Minting test token (AMOUNT=$(or $(AMOUNT),21)) ==="
        @AMOUNT=$${AMOUNT:-21}; \
+        echo "=== Minting test token ($$AMOUNT sats) ==="; \
        cashu --env-mint $(TEST_MINT) invoice $$AMOUNT && \
        echo "--- Token (cashuA legacy) ---" && \
        cashu --env-mint $(TEST_MINT) send --legacy $$AMOUNT
@@ -200,10 +229,6 @@ send-token:
 tokens: send-token
-test-payment:
-        @echo "=== Running payment tests ==="
-        $(NODE) tests/phase2.mjs
 # ──────────────────────────────────────────────
 # Utilities
 # ──────────────────────────────────────────────
diff --git a/package.json b/package.json
index dd61cd9..fe1daee 100644
--- a/package.json
+++ b/package.json
@@ -3,14 +3,18 @@
  "version": "1.0.0",
  "private": true,
  "scripts": {
-    "test": "node tests/api.mjs && node tests/network.mjs",
+    "test": "node tests/integration/api.mjs && node tests/integration/network.mjs",
-    "test:api": "node tests/api.mjs",
+    "test:api": "node tests/integration/api.mjs",
-    "test:network": "node tests/network.mjs",
+    "test:network": "node tests/integration/network.mjs",
-    "test:portal": "npx playwright test tests/captive-portal.spec.mjs",
+    "test:smoke": "node tests/integration/smoke.mjs",
-    "test:happy-path": "npx playwright test tests/interop-happy-path.spec.mjs",
+    "test:payment": "node tests/integration/phase2.mjs",
-    "test:interop": "npx playwright test tests/interop-esp32-openwrt.spec.mjs",
+    "test:reset-auth": "node tests/integration/test-reset-auth.mjs",
-    "test:smoke": "node tests/smoke.mjs",
+    "test:session-expiry": "node tests/integration/test-session-expiry.mjs",
-    "test:playwright": "npx playwright test"
+    "test:dns-firewall": "node tests/integration/test-dns-firewall.mjs",
+    "test:portal": "npx playwright test -c tests/e2e/playwright.config.mjs captive-portal.spec.mjs",
+    "test:happy-path": "npx playwright test -c tests/e2e/playwright.config.mjs interop-happy-path.spec.mjs",
+    "test:e2e": "npx playwright test -c tests/e2e/playwright.config.mjs",
+    "test:playwright": "npx playwright test -c tests/e2e/playwright.config.mjs"
  },
  "devDependencies": {
    "@playwright/test": "^1.52.0"
diff --git a/tests/captive-portal.spec.mjs b/tests/e2e/captive-portal.spec.mjs
index 9411183..ab9d4f1 100644
--- a/tests/captive-portal.spec.mjs
+++ b/tests/e2e/captive-portal.spec.mjs
@@ -1,6 +1,6 @@
 import { test, expect } from '@playwright/test';
-const PORTAL_IP = process.env.TOLLGATE_IP || '192.168.4.1';
+const PORTAL_IP = process.env.TOLLGATE_IP || '10.192.45.1';
 const PORTAL_URL = `http://${PORTAL_IP}`;
 const API_URL = `http://${PORTAL_IP}:2121`;
diff --git a/tests/interop-happy-path.spec.mjs b/tests/e2e/interop-happy-path.spec.mjs
index fe4fd78..fe4fd78 100644
--- a/tests/interop-happy-path.spec.mjs
+++ b/tests/e2e/interop-happy-path.spec.mjs
diff --git a/tests/playwright.config.mjs b/tests/e2e/playwright.config.mjs
index d4118b8..f4cbe01 100644
--- a/tests/playwright.config.mjs
+++ b/tests/e2e/playwright.config.mjs
@@ -9,7 +9,7 @@ export default defineConfig({
    headless: true,
    viewport: { width: 1280, height: 900 },
    screenshot: 'on',
-    video: 'on',
+    video: 'retain-on-failure',
    trace: 'on-first-retry',
  },
  reporter: [['list'], ['html', { open: 'never' }]],
diff --git a/tests/helpers/network.mjs b/tests/helpers/network.mjs
index e4d5086..a2d889e 100644
--- a/tests/helpers/network.mjs
+++ b/tests/helpers/network.mjs
@@ -1,6 +1,6 @@
 import { execSync } from 'child_process';
-const ESP32_IP = process.env.TOLLGATE_IP || '192.168.4.1';
+const ESP32_IP = process.env.TOLLGATE_IP || '10.192.45.1';
 const TIMEOUT = 5000;
 export function curl(args, expectStatus = null) {
diff --git a/tests/api.mjs b/tests/integration/api.mjs
index 5218d7b..5218d7b 100644
--- a/tests/api.mjs
+++ b/tests/integration/api.mjs
diff --git a/tests/network.mjs b/tests/integration/network.mjs
index 2d302ef..dcd7a9a 100644
--- a/tests/network.mjs
+++ b/tests/integration/network.mjs
@@ -1,6 +1,6 @@
 import { execSync } from 'child_process';
-const IP = process.env.TOLLGATE_IP || '192.168.4.1';
+const IP = process.env.TOLLGATE_IP || '10.192.45.1';
 let passed = 0, failed = 0;
 function assert(condition, test) {
diff --git a/tests/phase2.mjs b/tests/integration/phase2.mjs
index 91891e7..9eaa7d7 100644
--- a/tests/phase2.mjs
+++ b/tests/integration/phase2.mjs
@@ -1,6 +1,6 @@
 import { execSync } from 'child_process';
-const IP = process.env.TOLLGATE_IP || '192.168.4.1';
+const IP = process.env.TOLLGATE_IP || '10.192.45.1';
 const API = `http://${IP}:2121`;
 let passed = 0, failed = 0;
diff --git a/tests/smoke.mjs b/tests/integration/smoke.mjs
index 19f96de..f89eeac 100644
--- a/tests/smoke.mjs
+++ b/tests/integration/smoke.mjs
@@ -1,7 +1,7 @@
 import { execSync } from 'child_process';
 const PORT = process.argv[2] || '/dev/ttyACM0';
-const IP = process.env.TOLLGATE_IP || '192.168.4.1';
+const IP = process.env.TOLLGATE_IP || '10.192.45.1';
 const SSID = process.env.AP_SSID || 'TollGate';
 console.log(`\n=== Smoke Test (30s) ===`);
diff --git a/tests/integration/test-dns-firewall.mjs b/tests/integration/test-dns-firewall.mjs
new file mode 100644
index 0000000..b69b524
--- /dev/null
+++ b/tests/integration/test-dns-firewall.mjs
@@ -0,0 +1,123 @@
+import { execSync } from 'child_process';
+const IP = process.env.TOLLGATE_IP || '10.192.45.1';
+const API = `http://${IP}:2121`;
+let passed = 0, failed = 0;
+function assert(cond, msg) {
+  if (cond) { console.log(`  ✓ ${msg}`); passed++; }
+  else { console.log(`  ✗ ${msg}`); failed++; }
+}
+function run(cmd) {
+  try { return execSync(cmd, { encoding: 'utf8', timeout: 15000 }); }
+  catch { return null; }
+}
+function runJson(cmd) {
+  const out = run(cmd);
+  try { return out ? JSON.parse(out) : null; }
+  catch { return null; }
+}
+function sleep(ms) { return new Promise(r => setTimeout(r, ms)); }
+function mintToken(amount = 21) {
+  run('cashu -h https://testnut.cashu.space invoice ' + amount + ' 2>&1');
+  const out = run('cashu -h https://testnut.cashu.space send --legacy ' + amount + ' 2>&1');
+  const match = out && out.match(/cashuA[a-zA-Z0-9_-]+/);
+  return match ? match[0] : null;
+}
+function dnsResolves(domain, server) {
+  const result = run(`nslookup -timeout=3 ${domain} ${server} 2>&1`);
+  return result && result.includes('Address') && !result.includes('NXDOMAIN');
+}
+function dnsResolvesToSelf(domain) {
+  try {
+    const result = run(`nslookup ${domain} ${IP} 2>&1`);
+    return result && result.includes(IP);
+  } catch {
+    return false;
+  }
+}
+function canPing(host = '8.8.8.8') {
+  const result = run(`ping -c 1 -W 2 -I wlp59s0 ${host} 2>/dev/null`);
+  return result && !result.includes('100% packet loss');
+}
+console.log(`\n=== DNS + Firewall Integration Test (target: ${IP}) ===\n`);
+console.log('--- Part 1: Before Authentication ---\n');
+console.log('1. DNS hijack: resolves to ESP32 AP IP');
+assert(dnsResolvesToSelf('google.com'), 'google.com resolves to AP IP');
+assert(dnsResolvesToSelf('random-test.example.com'), 'random domain resolves to AP IP');
+console.log('\n2. DNS hijack: upstream DNS not reachable');
+const upstreamResolve = run(`nslookup -timeout=3 google.com 8.8.8.8 2>&1`);
+assert(!upstreamResolve || upstreamResolve.includes('connection timed out') || upstreamResolve.includes('no servers'), 'Upstream DNS unreachable before auth');
+console.log('\n3. Per-client NAT filter: ping blocked');
+assert(!canPing(), 'Ping to 8.8.8.8 blocked by NAT filter');
+console.log('\n4. Per-client NAT filter: HTTP blocked');
+const httpBefore = run(`curl -s --connect-timeout 5 -m 5 --interface wlp59s0 http://1.1.1.1/ 2>/dev/null`);
+assert(!httpBefore || httpBefore.length === 0, 'HTTP blocked before auth');
+console.log('\n5. Captive portal and API still accessible');
+const portal = run(`curl -s --connect-timeout 5 http://${IP}/`);
+assert(portal && portal.includes('TollGate'), 'Portal HTML accessible');
+const apiDisc = runJson(`curl -s --connect-timeout 5 ${API}/`);
+assert(apiDisc && apiDisc.kind === 10021, 'API discovery accessible');
+console.log('\n--- Part 2: After Authentication ---\n');
+console.log('6. Reset + Pay');
+run(`curl -s --connect-timeout 10 http://${IP}/reset_authentication`);
+await sleep(1000);
+const token = mintToken(21);
+assert(token !== null, 'Token generated');
+if (token) {
+  const payResult = runJson(`curl -s --connect-timeout 20 -X POST --data-binary '${token}' -H "Content-Type: application/cashu" ${API}/`);
+  assert(payResult && payResult.kind === 1022, 'Payment accepted');
+}
+await sleep(1000);
+console.log('\n7. DNS now forwards to upstream');
+assert(dnsResolveWorks('google.com'), 'DNS resolves to real IPs after auth');
+console.log('\n8. Per-client NAT filter: ping allowed');
+assert(canPing(), 'Ping to 8.8.8.8 allowed after auth');
+console.log('\n9. Per-client NAT filter: HTTP allowed');
+const httpAfter = run(`curl -s --connect-timeout 10 -m 10 --interface wlp59s0 http://1.1.1.1/ 2>/dev/null`);
+assert(httpAfter && httpAfter.length > 0, 'HTTP allowed after auth');
+console.log('\n--- Part 3: After Revocation ---\n');
+console.log('10. Reset auth');
+run(`curl -s --connect-timeout 10 http://${IP}/reset_authentication`);
+await sleep(1000);
+console.log('\n11. DNS goes back to hijack');
+assert(dnsResolvesToSelf('google.com'), 'DNS hijack restored after revoke');
+console.log('\n12. Per-client NAT filter: ping blocked again');
+assert(!canPing(), 'Ping blocked after revoke');
+console.log('\n13. Per-client NAT filter: HTTP blocked again');
+const httpRevoke = run(`curl -s --connect-timeout 5 -m 5 --interface wlp59s0 http://1.1.1.1/ 2>/dev/null`);
+assert(!httpRevoke || httpRevoke.length === 0, 'HTTP blocked after revoke');
+function dnsResolveWorks(domain) {
+  const result = run(`nslookup -timeout=3 ${domain} 2>&1`);
+  return result && result.includes('Address') && !result.includes(IP) && !result.includes('NXDOMAIN');
+}
+console.log(`\n=== Results: ${passed} passed, ${failed} failed ===\n`);
+process.exit(failed > 0 ? 1 : 0);
diff --git a/tests/integration/test-reset-auth.mjs b/tests/integration/test-reset-auth.mjs
new file mode 100644
index 0000000..279b2f9
--- /dev/null
+++ b/tests/integration/test-reset-auth.mjs
@@ -0,0 +1,101 @@
+import { execSync } from 'child_process';
+const IP = process.env.TOLLGATE_IP || '10.192.45.1';
+const API = `http://${IP}:2121`;
+const SUDO_PW = process.env.SUDO_PW || 'c03rad0r123';
+let passed = 0, failed = 0;
+function assert(cond, msg) {
+  if (cond) { console.log(`  ✓ ${msg}`); passed++; }
+  else { console.log(`  ✗ ${msg}`); failed++; }
+}
+function run(cmd) {
+  try { return execSync(cmd, { encoding: 'utf8', timeout: 15000 }); }
+  catch { return null; }
+}
+function runJson(cmd) {
+  const out = run(cmd);
+  try { return out ? JSON.parse(out) : null; }
+  catch { return null; }
+}
+function sleep(ms) { return new Promise(r => setTimeout(r, ms)); }
+function mintToken(amount = 21) {
+  run('cashu -h https://testnut.cashu.space invoice ' + amount + ' 2>&1');
+  const out = run('cashu -h https://testnut.cashu.space send --legacy ' + amount + ' 2>&1');
+  const match = out && out.match(/cashuA[a-zA-Z0-9_-]+/);
+  return match ? match[0] : null;
+}
+function canPing(host = '8.8.8.8') {
+  const result = run(`ping -c 1 -W 2 -I wlp59s0 ${host} 2>/dev/null`);
+  return result && !result.includes('100% packet loss');
+}
+console.log(`\n=== Reset Auth Integration Test (target: ${IP}) ===\n`);
+console.log('1. Reset auth to clear state');
+const reset1 = run(`curl -s --connect-timeout 10 http://${IP}/reset_authentication`);
+assert(reset1 && reset1.includes('reset'), 'Reset returns {"status":"reset"}');
+await sleep(1000);
+console.log('\n2. Verify no session');
+const usage1 = run(`curl -s --connect-timeout 10 ${API}/usage`);
+assert(usage1 && usage1.includes('-1/-1'), 'Usage is -1/-1 before payment');
+console.log('\n3. Verify internet blocked');
+assert(!canPing(), 'Ping blocked before payment');
+console.log('\n4. Pay with valid token');
+const token = mintToken(21);
+assert(token !== null, 'Token generated');
+if (token) {
+  const payResult = runJson(`curl -s --connect-timeout 20 -X POST --data-binary '${token}' -H "Content-Type: application/cashu" ${API}/`);
+  assert(payResult && payResult.kind === 1022, 'Payment accepted (kind=1022)');
+  const allotment = payResult && payResult.tags && payResult.tags.find(t => t[0] === 'allotment');
+  assert(allotment && parseInt(allotment[1]) > 0, `Allotment: ${allotment ? allotment[1] : 'N/A'}ms`);
+}
+await sleep(1000);
+console.log('\n5. Verify session active');
+const usage2 = run(`curl -s --connect-timeout 10 ${API}/usage`);
+assert(usage2 && !usage2.includes('-1/-1'), `Usage: ${usage2}`);
+console.log('\n6. Verify internet allowed');
+assert(canPing(), 'Ping works with active session');
+console.log('\n7. Reset auth while session active');
+const reset2 = run(`curl -s --connect-timeout 10 http://${IP}/reset_authentication`);
+assert(reset2 && reset2.includes('reset'), 'Reset returns {"status":"reset"}');
+await sleep(1000);
+console.log('\n8. Verify session cleared');
+const usage3 = run(`curl -s --connect-timeout 10 ${API}/usage`);
+assert(usage3 && usage3.includes('-1/-1'), 'Usage is -1/-1 after reset');
+console.log('\n9. Verify internet blocked again');
+assert(!canPing(), 'Ping blocked after reset');
+console.log('\n10. Pay again (new token)');
+const token2 = mintToken(21);
+if (token2) {
+  const pay2 = runJson(`curl -s --connect-timeout 20 -X POST --data-binary '${token2}' -H "Content-Type: application/cashu" ${API}/`);
+  assert(pay2 && pay2.kind === 1022, 'Second payment accepted');
+}
+await sleep(1000);
+console.log('\n11. Verify internet works again');
+assert(canPing(), 'Ping works with new session');
+console.log('\n12. Final reset');
+run(`curl -s --connect-timeout 10 http://${IP}/reset_authentication`);
+console.log(`\n=== Results: ${passed} passed, ${failed} failed ===\n`);
+process.exit(failed > 0 ? 1 : 0);
diff --git a/tests/integration/test-session-expiry.mjs b/tests/integration/test-session-expiry.mjs
new file mode 100644
index 0000000..c8334ab
--- /dev/null
+++ b/tests/integration/test-session-expiry.mjs
@@ -0,0 +1,103 @@
+import { execSync } from 'child_process';
+const IP = process.env.TOLLGATE_IP || '10.192.45.1';
+const API = `http://${IP}:2121`;
+let passed = 0, failed = 0;
+function assert(cond, msg) {
+  if (cond) { console.log(`  ✓ ${msg}`); passed++; }
+  else { console.log(`  ✗ ${msg}`); failed++; }
+}
+function run(cmd) {
+  try { return execSync(cmd, { encoding: 'utf8', timeout: 15000 }); }
+  catch { return null; }
+}
+function runJson(cmd) {
+  const out = run(cmd);
+  try { return out ? JSON.parse(out) : null; }
+  catch { return null; }
+}
+function sleep(ms) { return new Promise(r => setTimeout(r, ms)); }
+function mintToken(amount = 21) {
+  run('cashu -h https://testnut.cashu.space invoice ' + amount + ' 2>&1');
+  const out = run('cashu -h https://testnut.cashu.space send --legacy ' + amount + ' 2>&1');
+  const match = out && out.match(/cashuA[a-zA-Z0-9_-]+/);
+  return match ? match[0] : null;
+}
+function canPing(host = '8.8.8.8') {
+  const result = run(`ping -c 1 -W 2 -I wlp59s0 ${host} 2>/dev/null`);
+  return result && !result.includes('100% packet loss');
+}
+console.log(`\n=== Session Expiry Integration Test (target: ${IP}) ===`);
+console.log(`NOTE: This test waits 65s for session expiry. Total runtime ~80s.\n`);
+console.log('1. Reset auth');
+run(`curl -s --connect-timeout 10 http://${IP}/reset_authentication`);
+await sleep(1000);
+console.log('\n2. Verify blocked before payment');
+assert(!canPing(), 'Ping blocked before payment');
+const usage0 = run(`curl -s --connect-timeout 10 ${API}/usage`);
+assert(usage0 && usage0.includes('-1/-1'), 'Usage is -1/-1');
+console.log('\n3. Pay with valid token (21 sats = 60000ms)');
+const token = mintToken(21);
+assert(token !== null, 'Token generated');
+if (token) {
+  const payResult = runJson(`curl -s --connect-timeout 20 -X POST --data-binary '${token}' -H "Content-Type: application/cashu" ${API}/`);
+  assert(payResult && payResult.kind === 1022, 'Payment accepted');
+}
+await sleep(1000);
+console.log('\n4. Verify session active');
+const usage1 = run(`curl -s --connect-timeout 10 ${API}/usage`);
+assert(usage1 && !usage1.includes('-1/-1'), `Usage: ${usage1}`);
+console.log('\n5. Verify internet works');
+assert(canPing(), 'Ping works with active session');
+const httpResult = run(`curl -s --connect-timeout 10 -m 10 --interface wlp59s0 http://1.1.1.1/ 2>/dev/null`);
+assert(httpResult && httpResult.length > 0, 'HTTP request reaches internet');
+console.log('\n6. Waiting 65s for session expiry (allotment=60000ms)...');
+for (let i = 65; i > 0; i -= 5) {
+  process.stdout.write(`\r  ${i}s remaining...`);
+  await sleep(Math.min(5000, i * 1000));
+}
+console.log('\r  Session should be expired now.         ');
+console.log('\n7. Verify session expired');
+const usage2 = run(`curl -s --connect-timeout 10 ${API}/usage`);
+assert(usage2 && usage2.includes('-1/-1'), `Usage after expiry: ${usage2}`);
+console.log('\n8. Verify internet blocked after expiry');
+assert(!canPing(), 'Ping blocked after session expiry');
+const httpResult2 = run(`curl -s --connect-timeout 5 -m 5 --interface wlp59s0 http://1.1.1.1/ 2>/dev/null`);
+assert(!httpResult2 || httpResult2.length === 0, 'HTTP blocked after expiry');
+console.log('\n9. Pay again to verify renewal works');
+const token2 = mintToken(21);
+if (token2) {
+  const pay2 = runJson(`curl -s --connect-timeout 20 -X POST --data-binary '${token2}' -H "Content-Type: application/cashu" ${API}/`);
+  assert(pay2 && pay2.kind === 1022, 'Renewal payment accepted');
+}
+await sleep(1000);
+console.log('\n10. Verify internet works after renewal');
+assert(canPing(), 'Ping works after renewal');
+run(`curl -s --connect-timeout 10 http://${IP}/reset_authentication`);
+console.log(`\n=== Results: ${passed} passed, ${failed} failed ===\n`);
+process.exit(failed > 0 ? 1 : 0);