diff --git a/bitspire.py b/bitspire.py
index 59192b2..e40c230 100644
--- a/bitspire.py
+++ b/bitspire.py
@@ -17,10 +17,7 @@ from __future__ import annotations
 import json
 from typing import Any, Optional
 
-from loguru import logger
-
-from .calculations import split_principal_based
-from .models import CreateDcaSettlementData, Machine, SuperConfig
+from .models import CreateDcaSettlementData, Machine
 
 # Sentinel value bitSpire sets in Payment.extra.source so we know an inbound
 # payment originated from an ATM cash-out and not some other extension or
@@ -222,30 +219,23 @@ def parse_settlement(
     payment_hash: str,
     wire_sats: int,
     extra: dict,
-    super_config: SuperConfig,
+    super_fee_fraction: float,
 ) -> CreateDcaSettlementData:
     """Build a CreateDcaSettlementData for an inbound payment landing on
     `machine`'s wallet.
 
-    Splits the fee on a principal-based, direction-aware model
-    (aiolabs/satmachineadmin#37,#38):
-
-      platform_fee_sats = round(principal_sats * super_cash_{type}_fee_fraction)
-      operator_fee_sats = round(principal_sats * operator_cash_{type}_fee_fraction)
-
-    where the directional super fraction comes from `super_config` and
-    the operator fraction comes from `machine`. The bitspire-reported
-    `fee_sats` field is preserved on the settlement as the customer's
-    actual paid total, but is NOT used as input to the split.
-
     Requires bitSpire's canonical Payment.extra stamp (source="bitspire"
     plus the absolute sat amounts) per aiolabs/lamassu-next#44. Raises
     `SettlementMetadataError` on missing/partial stamp — caller records
     the settlement as 'rejected' for upstream investigation. Raises
     `SettlementInvariantError` if the stamped values violate the
     canonical sat-amount invariants (range + sum, see
-    `_assert_sat_invariants`) or `tx_type` is unknown.
+    `_assert_sat_invariants`).
     """
+    if not (0.0 <= super_fee_fraction <= 1.0):
+        raise SettlementInvariantError(
+            f"super_fee_fraction must be in [0, 1], got {super_fee_fraction}"
+        )
     if not is_bitspire_payment(extra):
         raise SettlementMetadataError(
             f"Payment.extra missing `source: \"bitspire\"` marker on machine "
@@ -263,39 +253,8 @@ def parse_settlement(
             f"(lamassu-next#44) requires both. Investigate the ATM "
             f"firmware on machine {machine.machine_npub[:12]}..."
         )
-    tx_type = _coerce_str(extra.get("type")) or "cash_out"
-    if tx_type == "cash_in":
-        super_frac = float(super_config.super_cash_in_fee_fraction)
-        operator_frac = float(machine.operator_cash_in_fee_fraction)
-    elif tx_type == "cash_out":
-        super_frac = float(super_config.super_cash_out_fee_fraction)
-        operator_frac = float(machine.operator_cash_out_fee_fraction)
-    else:
-        raise SettlementInvariantError(
-            f"unknown tx_type={tx_type!r}; expected 'cash_in' or 'cash_out'"
-        )
-    platform_fee_sats, operator_fee_sats = split_principal_based(
-        principal_sats, super_frac, operator_frac
-    )
-    # Phase-1 observability per aiolabs/satmachineadmin#38 + coord-log
-    # §2026-06-01T07:00Z (option A locked): compare bitspire's reported
-    # fee_sats against satmachineadmin's recompute, log on out-of-
-    # tolerance drift, record the delta unconditionally for triage.
-    # Phase 2 (settlement-reject) lands after observability data.
-    fee_mismatch_sats = fee_sats - (platform_fee_sats + operator_fee_sats)
-    tolerance = max(1, int(principal_sats * 0.001))
-    if abs(fee_mismatch_sats) > tolerance:
-        logger.warning(
-            f"bitspire fee mismatch on payment {payment_hash[:12]}...: "
-            f"bitspire_fee_sats={fee_sats} expected={platform_fee_sats + operator_fee_sats} "
-            f"delta={fee_mismatch_sats} tolerance={tolerance} "
-            f"principal={principal_sats} super_frac={super_frac:.4f} "
-            f"operator_frac={operator_frac:.4f} tx_type={tx_type} "
-            f"machine={machine.machine_npub[:12]}... — "
-            "Phase 1 observability only, no behavior change. Pre-Layer-3 "
-            "(lamassu-next#57) the ATM still hardcodes fee fractions, so "
-            "large deltas here are expected until that ships."
-        )
+    platform_fee_sats = round(fee_sats * super_fee_fraction)
+    operator_fee_sats = fee_sats - platform_fee_sats
     exchange_rate = _coerce_float(extra.get("exchange_rate"))
     if exchange_rate is None or exchange_rate <= 0:
         # Without exchange rate we can't compute fiat. Use 1.0 as a stand-in
@@ -309,6 +268,7 @@ def parse_settlement(
     # in BTC today, but the cash side has its own ground truth).
     fiat_amount = _coerce_float(extra.get("fiat_amount")) or 0.0
     fiat_code = _coerce_str(extra.get("currency")) or machine.fiat_code
+    tx_type = _coerce_str(extra.get("type")) or "cash_out"
     data = CreateDcaSettlementData(
         machine_id=machine.id,
         payment_hash=payment_hash,
@@ -322,7 +282,6 @@ def parse_settlement(
         fee_sats=fee_sats,
         platform_fee_sats=platform_fee_sats,
         operator_fee_sats=operator_fee_sats,
-        fee_mismatch_sats=fee_mismatch_sats,
         tx_type=tx_type,
         bills_json=_json_dumps(extra.get("bills")),
         cassettes_json=_json_dumps(extra.get("cassettes")),
diff --git a/calculations.py b/calculations.py
index c76600b..5bfadab 100644
--- a/calculations.py
+++ b/calculations.py
@@ -106,49 +106,36 @@ def calculate_distribution(
     return distributions
 
 
-def split_principal_based(
-    principal_sats: int,
-    super_frac: float,
-    operator_frac: float,
+def split_two_stage_commission(
+    fee_sats: int, super_fee_fraction: float
 ) -> Tuple[int, int]:
-    """Compute platform + operator fee shares as independent fractions of
-    `principal_sats`. Both shares are derived from the customer's
-    principal (the canonical source of truth), NOT back-derived from
-    `fee_sats`.
+    """Stage-1 of the v2 commission split: super takes `super_fee_fraction`
+    of the total fee; the remainder is what the operator's own ruleset
+    acts on.
 
-    Returns (platform_fee_sats, operator_fee_sats). Both are rounded
-    independently; rounding remainders do NOT compound — the customer
-    pays whatever bitspire collected, and any drift between (super +
-    operator) and the bitspire-reported `fee_sats` surfaces via
-    `dca_settlements.fee_mismatch_sats`.
+    Returns (platform_fee_sats, operator_fee_sats). Platform is rounded;
+    operator absorbs the rounding remainder so platform_fee + operator_fee
+    == fee_sats exactly.
 
     Examples:
-        >>> split_principal_based(100_000, 0.03, 0.05)
-        (3000, 5000)
-        >>> split_principal_based(266_800, 0.03, 0.0)
-        (8004, 0)
-        >>> split_principal_based(100_000, 0.0, 0.0)
-        (0, 0)
-        >>> split_principal_based(100_000, 0.15, 0.0)
-        (15000, 0)
-
-    The pre-#38 bug this corrects: the old math interpreted the super
-    fee as `fraction_of_fee` rather than `fraction_of_principal`. On a
-    100_000-sat principal with an 8% total bitspire fee (= 8_000 sats
-    fee_sats) and super_fraction=0.03, the bug paid the super
-    `round(8_000 * 0.03) = 240` sats — ~13× below the intended
-    `100_000 * 0.03 = 3_000` sats per-settlement. Repeated on every
-    cash-out since the bitspire wire-shape landed. See
-    aiolabs/satmachineadmin#37 (parent) + #38 (this layer).
+        >>> split_two_stage_commission(100, 0.30)
+        (30, 70)
+        >>> split_two_stage_commission(7965, 0.30)
+        (2390, 5575)
+        >>> split_two_stage_commission(100, 0.0)
+        (0, 100)
+        >>> split_two_stage_commission(100, 1.0)
+        (100, 0)
     """
-    if not (0.0 <= super_frac <= 1.0):
-        raise ValueError(f"super_frac must be in [0, 1], got {super_frac}")
-    if not (0.0 <= operator_frac <= 1.0):
-        raise ValueError(f"operator_frac must be in [0, 1], got {operator_frac}")
-    if principal_sats <= 0:
+    if not (0.0 <= super_fee_fraction <= 1.0):
+        raise ValueError(
+            f"super_fee_fraction must be in [0, 1], got {super_fee_fraction}"
+        )
+    if fee_sats <= 0:
         return 0, 0
-    platform = max(0, round(principal_sats * super_frac))
-    operator = max(0, round(principal_sats * operator_frac))
+    platform = round(fee_sats * super_fee_fraction)
+    platform = max(0, min(platform, fee_sats))
+    operator = fee_sats - platform
     return platform, operator
 
 
diff --git a/cassette_transport.py b/cassette_transport.py
index 7d98906..1725dde 100644
--- a/cassette_transport.py
+++ b/cassette_transport.py
@@ -41,61 +41,57 @@ centralises the canonicalisation via lnbits.utils.nostr.normalize_public_key.
 from __future__ import annotations
 
 import json
+import time
 
+from lnbits.core.crud.users import get_account
 from lnbits.core.services.nip46_bunker_client import (
     NsecBunkerRpcError,
     NsecBunkerTimeoutError,
 )
+from lnbits.core.signers import resolve_signer
 from lnbits.core.signers.base import (
     NostrSigner,
+    SignerError,
     SignerUnavailableError,
 )
 from lnbits.utils.nostr import normalize_public_key
+from loguru import logger
 
 from .models import Machine, PublishCassettesPayload
 from .nip44 import Nip44Error
-from .nostr_publish import (
-    NostrPublishError,
-    OperatorIdentityMissing,  # re-export for callers that catch this
-    RelayUnavailable,  # re-export
-    SignerUnavailable,  # re-export
-    nip44_decrypt_via_signer,
-    publish_encrypted_kind_30078,
-)
-
-# Re-exported so external callers (views_api etc.) can keep importing
-# from cassette_transport without breakage. Same for the public
-# constants below.
-__all__ = [
-    "CassetteTransportError",
-    "CassetteEventDecodeError",
-    "CassetteEventTransientError",
-    "OperatorIdentityMissing",
-    "SignerUnavailable",
-    "RelayUnavailable",
-    "build_state_d_tags_for_machines",
-    "decrypt_and_parse_state_event",
-    "publish_to_atm",
-]
+from .nip44 import decrypt_from as _nip44_local_decrypt
+from .nip44 import encrypt_for as _nip44_local_encrypt
 
+_KIND_NIP78 = 30078
 _D_TAG_CONFIG_PREFIX = "bitspire-cassettes:"  # operator → ATM
 _D_TAG_STATE_PREFIX = "bitspire-cassettes-state:"  # ATM → operator
 
 
 # =============================================================================
-# Errors — cassette-specific subclasses of the generic NostrPublishError
+# Errors
 # =============================================================================
 
 
-class CassetteTransportError(NostrPublishError):
-    """Generic cassette-transport error. Subclasses distinguish failure
-    modes so the API can surface meaningful HTTP statuses + the consumer
-    task can log + skip without crashing.
+class CassetteTransportError(Exception):
+    """Generic transport-layer error. Subclasses distinguish failure modes
+    so the API can surface meaningful HTTP statuses + the consumer task
+    can log + skip without crashing."""
 
-    Bridges back-compat with pre-extraction callers that catch this
-    class — now equivalent to NostrPublishError plus the two consumer-
-    side decode/transient distinctions below.
-    """
+
+class OperatorIdentityMissing(CassetteTransportError):
+    """Operator account has no Nostr pubkey on file, or no signer is
+    available (pre-bunker rollout — operator hasn't onboarded via
+    Nostr-login)."""
+
+
+class SignerUnavailable(CassetteTransportError):
+    """Resolved signer can't sign server-side (client-side-only signer,
+    or transient bunker unreachability post-lnbits#18). Publish skipped."""
+
+
+class RelayUnavailable(CassetteTransportError):
+    """nostrclient extension isn't installed or its relay manager isn't
+    reachable. Treated as soft-fail; publish skipped + logged."""
 
 
 class CassetteEventDecodeError(CassetteTransportError):
@@ -145,11 +141,139 @@ def build_state_d_tags_for_machines(machines: list[Machine]) -> list[str]:
     return [_state_d_tag(_atm_hex_pubkey(m)) for m in machines]
 
 
+# =============================================================================
+# Sign-as-operator — hybrid path (resolve_signer post #17, prvkey fallback)
+# =============================================================================
+
+
+async def _resolve_operator_signer(operator_user_id: str):
+    """Fetch the operator's account + resolve to a NostrSigner.
+
+    Single source of truth for "give me the signer for this operator,
+    or raise an operator-facing error if we can't." Returns
+    `(account, signer)` so callers that need both (publish path needs
+    `account.pubkey` for the event author and the signer for both
+    encrypt + sign) don't double-fetch.
+
+    Raises:
+      - OperatorIdentityMissing — no account, or no pubkey on file
+      - SignerUnavailable — signer resolve failed, or signer can't sign
+        server-side (ClientSideOnly)
+    """
+    account = await get_account(operator_user_id)
+    if account is None or not account.pubkey:
+        raise OperatorIdentityMissing(
+            f"operator {operator_user_id[:8]}... has no Nostr pubkey on file. "
+            "Onboard via the LNbits Nostr-login flow to publish cassette "
+            "config to your ATMs."
+        )
+    try:
+        signer = resolve_signer(account)
+    except SignerError as exc:
+        raise SignerUnavailable(
+            f"signer resolve failed for operator {operator_user_id[:8]}...: " f"{exc}"
+        ) from exc
+    if not signer.can_sign():
+        raise SignerUnavailable(
+            f"operator {operator_user_id[:8]}... has a client-side-only "
+            "signer; server can't sign or NIP-44-encrypt on their behalf. "
+            "Operator must hold their nsec via a NIP-46 bunker (lnbits#18) "
+            "or migrate to a server-signing account."
+        )
+    return account, signer
+
+
+async def _sign_as_operator(operator_user_id: str, event: dict) -> dict | None:
+    """Sign `event` using the operator's signer (LocalSigner or
+    RemoteBunkerSigner). Mutates `event` to add `created_at` (now),
+    `pubkey`, `id`, and `sig`.
+
+    Raises typed CassetteTransportError subclasses on hard failure
+    (the publish endpoint maps these to HTTP statuses); never returns
+    None on the publish path.
+    """
+    _account, signer = await _resolve_operator_signer(operator_user_id)
+    # created_at is part of the BIP-340 event-id hash; set before signing.
+    event["created_at"] = int(time.time())
+    try:
+        return await signer.sign_event(event)
+    except SignerUnavailableError as exc:
+        raise SignerUnavailable(
+            f"signer unavailable for operator {operator_user_id[:8]}...: " f"{exc}"
+        ) from exc
+
+
+async def _nip44_encrypt_via_signer(
+    account, signer: NostrSigner, plaintext: str, peer_pubkey_hex: str
+) -> str:
+    """NIP-44 v2 encrypt via the signer abstraction, with a transitional
+    fallback to direct-prvkey for LocalSigner accounts.
+
+    The bunker (RemoteBunkerSigner) implements `nip44_encrypt` natively —
+    the operator's nsec never leaves the bunker process. LocalSigner's
+    `nip44_encrypt` stub explicitly raises SignerUnavailableError
+    ("LocalSigner does not implement nip44_encrypt") per the
+    post-PR-#38 ABC — the spec is "migrate to bunker." For the
+    transitional window where some operators are still on LocalSigner
+    + their `account.prvkey` is intact, we catch that signal and use
+    our hand-rolled NIP-44 v2 impl against the stored prvkey. Same
+    wire output either way.
+
+    Removed once every operator account on this instance is bunker-
+    backed (S7 fully landed). At that point this helper collapses to
+    `return await signer.nip44_encrypt(plaintext, peer_pubkey_hex)`.
+    """
+    try:
+        return await signer.nip44_encrypt(plaintext, peer_pubkey_hex)
+    except SignerUnavailableError:
+        if account.signer_type == "LocalSigner" and account.prvkey:
+            return _nip44_local_encrypt(plaintext, account.prvkey, peer_pubkey_hex)
+        # ClientSideOnly, or RemoteBunkerSigner with bunker comms failure
+        # at config time — re-raise without wrapping; caller maps it.
+        raise
+
+
+async def _nip44_decrypt_via_signer(
+    account, signer: NostrSigner, ciphertext: str, peer_pubkey_hex: str
+) -> str:
+    """Decrypt mirror of `_nip44_encrypt_via_signer`. Same LocalSigner
+    transitional fallback."""
+    try:
+        return await signer.nip44_decrypt(ciphertext, peer_pubkey_hex)
+    except SignerUnavailableError:
+        if account.signer_type == "LocalSigner" and account.prvkey:
+            return _nip44_local_decrypt(ciphertext, account.prvkey, peer_pubkey_hex)
+        raise
+
+
 # =============================================================================
 # Publish — operator → ATM (the satmachineadmin API path)
 # =============================================================================
 
 
+async def _publish_signed_event(signed_event: dict) -> None:
+    """Send a signed Nostr event to all relays via the nostrclient
+    extension's singleton RelayManager.
+
+    Lazy import + typed-error so the API can surface "your LNbits doesn't
+    have nostrclient installed" as a 503 rather than a 500. Pattern
+    matches the cross-extension import guards in
+    `lnbits.core.services.users` (nostrmarket / nostrrelay).
+    """
+    try:
+        from nostrclient.router import (  # type: ignore[import-not-found]
+            nostr_client,
+        )
+    except ImportError as exc:
+        raise RelayUnavailable(
+            "nostrclient extension is not installed; cassette config "
+            "publish requires it. Install + activate the nostrclient "
+            "extension on this LNbits instance."
+        ) from exc
+    msg = json.dumps(["EVENT", signed_event])
+    nostr_client.relay_manager.publish_message(msg)
+
+
 async def publish_to_atm(
     machine: Machine,
     payload: PublishCassettesPayload,
@@ -159,20 +283,63 @@ async def publish_to_atm(
     from the operator to the target ATM.
 
     Returns the signed event dict on success (caller may log event.id for
-    audit). Raises NostrPublishError subclasses (re-exported here as
-    CassetteTransportError, OperatorIdentityMissing, SignerUnavailable,
-    RelayUnavailable) on hard failures.
+    audit). Raises CassetteTransportError subclasses on hard failures:
+      - OperatorIdentityMissing → 400: operator hasn't onboarded
+      - SignerUnavailable → 503: signer offline / client-side-only / bunker
+        timeout at the encrypt or sign step
+      - RelayUnavailable → 503: nostrclient not installed
+      - CassetteTransportError → 500: anything else
     """
     atm_pubkey_hex = _atm_hex_pubkey(machine)
-    signed = await publish_encrypted_kind_30078(
-        operator_user_id=operator_user_id,
-        recipient_pubkey_hex=atm_pubkey_hex,
-        d_tag=_config_d_tag(atm_pubkey_hex),
-        payload=payload.to_wire_dict(),
-        log_context=(
-            f"cassette config (machine={machine.id}, "
-            f"positions={sorted(payload.positions.keys())})"
-        ),
+
+    # Single fetch + resolve — same signer is used for both encrypt and sign.
+    account, signer = await _resolve_operator_signer(operator_user_id)
+
+    # NIP-44 v2 encrypt the wire payload. Bunker round-trip on
+    # RemoteBunkerSigner; direct prvkey on LocalSigner (transitional).
+    plaintext = json.dumps(payload.to_wire_dict(), separators=(",", ":"))
+    try:
+        content = await _nip44_encrypt_via_signer(
+            account, signer, plaintext, atm_pubkey_hex
+        )
+    except NsecBunkerTimeoutError as exc:
+        raise SignerUnavailable(
+            f"bunker unreachable while encrypting cassette config for "
+            f"operator {operator_user_id[:8]}...: {exc}"
+        ) from exc
+    except NsecBunkerRpcError as exc:
+        raise SignerUnavailable(
+            f"bunker rejected nip44_encrypt for operator "
+            f"{operator_user_id[:8]}... (policy / MAC / config issue): "
+            f"{exc}"
+        ) from exc
+    except SignerUnavailableError as exc:
+        raise SignerUnavailable(
+            f"signer cannot nip44-encrypt for operator "
+            f"{operator_user_id[:8]}...: {exc}"
+        ) from exc
+
+    event: dict = {
+        "kind": _KIND_NIP78,
+        "tags": [
+            ["d", _config_d_tag(atm_pubkey_hex)],
+            ["p", atm_pubkey_hex],
+        ],
+        "content": content,
+        # created_at is set inside _sign_as_operator before signing.
+    }
+    signed = await _sign_as_operator(operator_user_id, event)
+    if signed is None:
+        raise CassetteTransportError(
+            "sign_as_operator returned None unexpectedly — soft-fail path "
+            "shouldn't be reachable on a publish-initiated flow"
+        )
+
+    await _publish_signed_event(signed)
+    logger.info(
+        f"satmachineadmin: published kind-30078 cassette config to ATM "
+        f"{atm_pubkey_hex[:12]}... (event_id={signed['id'][:12]}..., "
+        f"machine_id={machine.id}, positions={sorted(payload.positions.keys())})"
     )
     return signed
 
@@ -217,7 +384,7 @@ async def decrypt_and_parse_state_event(
         )
 
     try:
-        plaintext = await nip44_decrypt_via_signer(
+        plaintext = await _nip44_decrypt_via_signer(
             account, signer, content, sender_pubkey
         )
     except NsecBunkerTimeoutError as exc:
diff --git a/crud.py b/crud.py
index 444a984..1144b0c 100644
--- a/crud.py
+++ b/crud.py
@@ -80,13 +80,9 @@ async def create_machine(operator_user_id: str, data: CreateMachineData) -> Mach
         """
         INSERT INTO satoshimachine.dca_machines
         (id, operator_user_id, machine_npub, wallet_id, name, location,
-         fiat_code, is_active,
-         operator_cash_in_fee_fraction, operator_cash_out_fee_fraction,
-         created_at, updated_at)
+         fiat_code, is_active, created_at, updated_at)
         VALUES (:id, :operator_user_id, :machine_npub, :wallet_id, :name,
-                :location, :fiat_code, :is_active,
-                :operator_cash_in_fee_fraction, :operator_cash_out_fee_fraction,
-                :created_at, :updated_at)
+                :location, :fiat_code, :is_active, :created_at, :updated_at)
         """,
         {
             "id": machine_id,
@@ -97,8 +93,6 @@ async def create_machine(operator_user_id: str, data: CreateMachineData) -> Mach
             "location": data.location,
             "fiat_code": data.fiat_code,
             "is_active": True,
-            "operator_cash_in_fee_fraction": data.operator_cash_in_fee_fraction,
-            "operator_cash_out_fee_fraction": data.operator_cash_out_fee_fraction,
             "created_at": now,
             "updated_at": now,
         },
@@ -601,13 +595,13 @@ async def create_settlement_idempotent(
         INSERT INTO satoshimachine.dca_settlements
         (id, machine_id, payment_hash, bitspire_event_id, bitspire_txid,
          wire_sats, fiat_amount, fiat_code, exchange_rate, principal_sats,
-         fee_sats, platform_fee_sats, operator_fee_sats, fee_mismatch_sats,
+         fee_sats, platform_fee_sats, operator_fee_sats,
          tx_type, bills_json, cassettes_json,
          status, error_message, created_at)
         VALUES (:id, :machine_id, :payment_hash, :bitspire_event_id,
                 :bitspire_txid, :wire_sats, :fiat_amount, :fiat_code,
                 :exchange_rate, :principal_sats, :fee_sats,
-                :platform_fee_sats, :operator_fee_sats, :fee_mismatch_sats,
+                :platform_fee_sats, :operator_fee_sats,
                 :tx_type, :bills_json, :cassettes_json, :status,
                 :error_message, :created_at)
         """,
@@ -625,7 +619,6 @@ async def create_settlement_idempotent(
             "fee_sats": data.fee_sats,
             "platform_fee_sats": data.platform_fee_sats,
             "operator_fee_sats": data.operator_fee_sats,
-            "fee_mismatch_sats": data.fee_mismatch_sats,
             "tx_type": data.tx_type,
             "bills_json": data.bills_json,
             "cassettes_json": data.cassettes_json,
diff --git a/docs/security-pathway-v1.md b/docs/security-pathway-v1.md
index 2b7cc8b..f7696d8 100644
--- a/docs/security-pathway-v1.md
+++ b/docs/security-pathway-v1.md
@@ -256,7 +256,7 @@ What we **do not** adopt and why (from the NIP survey):
                        │  Lightning settles
                        ▼
 ┌─────────────────────────────────────────────────────────────────────────────────────────────┐
-│  Settlement attestation (NIP-57-style receipt — see kind-rotation note in §6 / S3 row)      │
+│  Settlement attestation (NIP-57-style receipt — kind:9735 or our own kind:21001)            │
 │                                                                                             │
 │   LNbits publishes (signed by the LNbits server key):                                       │
 │     { kind: 9735,                                                                           │
@@ -303,7 +303,7 @@ None of those need to change. The new layers slot in *above* them.
 | **S0 — Seed‑URL pairing + ATM keypair separation** | Provisioning script generates a fresh `nsec` for the ATM (already does — we just stop overwriting it with the operator's). Operator pastes a one‑shot QR/seed URL containing `{atm_npub, operator_npub, relay_list, signed_delegation_token}` at ATM first boot. | G3 (most of it), G9 | 1 week | None — purely on our side. Use existing NIP‑26 spec. |
 | **S1 — NIP‑40 expiration on all kind‑21000** | Every RPC carries `["expiration", now+5min]`. Handler refuses past‑expiration. ATM clock check on boot (warn if drift > 60s). | G4 | 1–2 days | Relay must support NIP‑40 (most do). |
 | **S2 — NIP‑26 delegation enforcement in nostr‑transport** | Handler parses `delegation` tag, validates sig over conditions, checks conditions match the event, looks up operator pubkey in roster. Reject events without a valid delegation. | G3 (rest), G7 (partially) | 1–2 weeks | LNbits PR upstream (or vendored fork on `aiolabs/lnbits` branch `nostr-transport-nip26`). |
-| **S3 — NIP‑57‑style settlement receipts** | After LNbits internal payment legs complete, publish a signed receipt event per settlement (and per leg if we want leg‑level audit). ATM subscribes; operator dashboard renders receipts side‑by‑side with `dca_settlements`. | G2, G7 | 1–2 weeks | **Kind allocation — DO NOT USE `kind:21001`.** That kind is claimed by CLINK (Offers) — collision caught during the 2026‑06‑02 CLINK primer review. Rotation off 21001 is tracked at `aiolabs/satmachineadmin#44`; target is the aiolabs reserved band **`22000–22099`** per the workspace rule in `~/dev/CLAUDE.md` (§ "Nostr kind allocations — avoid the CLINK band"). The earlier 21001 lock across `aiolabs/lnbits#22`, `aiolabs/satmachineadmin#17`, and the satmachine ATM is **SUPERSEDED** — pick the new kind before any of those land. Reusing `kind:9735` (zap receipt) is also off the table: NIP‑57 semantics don't apply to bitSpire cash‑out settlements. |
+| **S3 — NIP‑57‑style settlement receipts** | After LNbits internal payment legs complete, publish a signed receipt event per settlement (and per leg if we want leg‑level audit). ATM subscribes; operator dashboard renders receipts side‑by‑side with `dca_settlements`. | G2, G7 | 1–2 weeks | Decide kind: `9735` (semantic abuse for non‑zap) vs. our own kind in `21001`/`21002` range. |
 | **S4 — NIP‑78 per‑machine config + fleet roster** | Operator publishes `kind:30078` config + `kind:30000` fleet list. Handler cross‑checks ATM npub ∈ fleet; reads max‑withdraw/fee policy from config. | G1, G9 | 1 week | Define config schema; backwards‑compat path for pre‑NIP‑78 machines. |
 | **S5 — `sender_pubkey` persistence + signed metadata in Payment.extra** | When the dispatcher writes a Payment row, it stamps `Payment.extra.sender_pubkey`, `delegation_root`, and an HMAC over the key fields keyed by the LNbits server's own secret. Mutation post‑write breaks the HMAC. | G2 (DB‑side), G5, G6 | 3–5 days | LNbits PR — fairly localised. |
 | **S6 — Rate limiting + roster‑gated auto‑account** | Auto‑account‑from‑npub only fires if the npub appears in some operator's NIP‑78 fleet OR if an explicit "open enrollment" flag is set. Relay/handler‑level rate limit per pubkey. | G8, G9 | 1 week | LNbits PR. |
diff --git a/fee_transport.py b/fee_transport.py
deleted file mode 100644
index 1dc0ec7..0000000
--- a/fee_transport.py
+++ /dev/null
@@ -1,151 +0,0 @@
-"""
-Fee-config Nostr transport — operator → ATM kind-30078 publish.
-
-Layer 2 of the operator-configurable fee architecture
-(aiolabs/satmachineadmin#37 parent, #39 this layer). Pairs with the
-bitspire consumer at `aiolabs/lamassu-next#57`.
-
-Wire format locked at coord-log §2026-06-01T14:25Z:
-
-  kind = 30078 (NIP-78, replaceable)
-  tags = [
-    ["d", "bitspire-fees:<atm_pubkey_hex>"],
-    ["p", "<atm_pubkey_hex>"],
-  ]
-  content = NIP-44 v2 encrypted JSON of FeeConfigPayload.to_wire_dict()
-  pubkey  = operator pubkey
-  sig     = operator signature
-
-Producer-side invariants (enforced via FeeConfigPayload validators):
-  - cash_*_fee_fraction ≤ 0.15 (cap, mirrored on bitspire consumer)
-  - |total - components sum| < 1e-6 (consistency assert)
-  - schema_version integer ≥ 1
-
-Soft-fail discipline (matches `cassette_transport.publish_to_atm`):
-relay/signer/bunker hiccups log + return None rather than raising,
-so a fee-config trigger from a CRUD endpoint can't break the
-underlying machine create/update on a transient transport failure.
-Hard-raises on configuration errors (cap exceeded, operator has no
-pubkey) since those indicate a bug, not a transient.
-"""
-
-from __future__ import annotations
-
-from loguru import logger
-
-from .models import FeeConfigPayload, FeePayloadComponents, Machine, SuperConfig
-from .nostr_publish import (
-    NostrPublishError,
-    OperatorIdentityMissing,
-    RelayUnavailable,
-    SignerUnavailable,
-    publish_encrypted_kind_30078,
-)
-
-_D_TAG_FEES_PREFIX = "bitspire-fees:"
-
-
-def _atm_hex_pubkey(machine: Machine) -> str:
-    """Canonicalise machine.machine_npub to lowercase hex. Used for both
-    the d-tag suffix and the NIP-44 v2 recipient pubkey. Same shape as
-    cassette_transport's local helper — kept module-local since it's a
-    one-liner over `normalize_public_key` and inlining would invert the
-    abstraction direction (transport-module-knows-about-Machine is
-    correct; nostr_publish doesn't know about Machine)."""
-    from lnbits.utils.nostr import normalize_public_key
-
-    return normalize_public_key(machine.machine_npub).lower()
-
-
-def _fees_d_tag(atm_pubkey_hex: str) -> str:
-    return f"{_D_TAG_FEES_PREFIX}{atm_pubkey_hex}"
-
-
-def build_fee_payload(
-    super_config: SuperConfig, machine: Machine
-) -> FeeConfigPayload:
-    """Compose a FeeConfigPayload from current super-config + per-machine
-    fractions. FeeConfigPayload's validators enforce the cap +
-    consistency invariants — this function constructs and validates
-    in one step; a returned payload is wire-shippable.
-
-    Raises ValueError (via Pydantic) if any directional total exceeds
-    the 0.15 cap. That's a hard error because the upstream API layer
-    (views_api._assert_machine_fee_cap_safe + _assert_super_config_cap_safe)
-    should have rejected the create/update that produced this state.
-    If we reach here with a cap-violating state, something bypassed the
-    API guards and we'd rather refuse-to-publish than ship a malformed
-    event.
-    """
-    super_in = float(super_config.super_cash_in_fee_fraction)
-    super_out = float(super_config.super_cash_out_fee_fraction)
-    op_in = float(machine.operator_cash_in_fee_fraction)
-    op_out = float(machine.operator_cash_out_fee_fraction)
-
-    return FeeConfigPayload(
-        schema_version=1,
-        cash_in_fee_fraction=round(super_in + op_in, 4),
-        cash_out_fee_fraction=round(super_out + op_out, 4),
-        components=FeePayloadComponents(
-            super_cash_in=super_in,
-            super_cash_out=super_out,
-            operator_cash_in=op_in,
-            operator_cash_out=op_out,
-        ),
-    )
-
-
-async def publish_fee_config(
-    machine: Machine,
-    super_config: SuperConfig,
-    operator_user_id: str,
-) -> dict | None:
-    """Build, validate, encrypt, sign, publish the fee-config event for
-    `machine` to the ATM at `machine.machine_npub`.
-
-    Returns the signed event dict on success (caller may log event.id
-    for audit). Returns None on soft-fail (transport-layer errors:
-    relay unreachable, signer offline, bunker timeout) — these are
-    transient and the caller's underlying CRUD operation should succeed
-    independent of publish success. Logs WARNING on soft-fail.
-
-    Raises on hard configuration error:
-      - OperatorIdentityMissing — operator has no Nostr pubkey on file
-        (caller's API layer should refuse the operation before we get
-        here, but we propagate as HTTP 400 if it slips through)
-      - ValueError (from FeeConfigPayload validators) — cap violation
-        or sum/components mismatch, indicates an API-guard bypass
-    """
-    payload = build_fee_payload(super_config, machine)
-    atm_pubkey_hex = _atm_hex_pubkey(machine)
-    try:
-        signed = await publish_encrypted_kind_30078(
-            operator_user_id=operator_user_id,
-            recipient_pubkey_hex=atm_pubkey_hex,
-            d_tag=_fees_d_tag(atm_pubkey_hex),
-            payload=payload.to_wire_dict(),
-            log_context=(
-                f"fee config (machine={machine.id}, "
-                f"cash_in={payload.cash_in_fee_fraction}, "
-                f"cash_out={payload.cash_out_fee_fraction})"
-            ),
-        )
-    except (SignerUnavailable, RelayUnavailable) as exc:
-        logger.warning(
-            f"satmachineadmin: fee-config publish soft-fail for machine "
-            f"{machine.id} ({machine.name or machine.machine_npub[:12]}): "
-            f"{type(exc).__name__}: {exc}. Underlying CRUD operation "
-            "succeeded; operator can re-trigger publish via the next "
-            "machine edit or super-config save."
-        )
-        return None
-    except NostrPublishError as exc:
-        # Truly unexpected transport error — log + soft-fail. We still
-        # don't break the caller's CRUD path; a future publish attempt
-        # (next machine edit / next super edit) will retry.
-        logger.warning(
-            f"satmachineadmin: fee-config publish unexpected transport "
-            f"error for machine {machine.id}: {type(exc).__name__}: {exc}"
-        )
-        return None
-    return signed
diff --git a/migrations.py b/migrations.py
index 97e4a68..5e0b3ec 100644
--- a/migrations.py
+++ b/migrations.py
@@ -682,11 +682,9 @@ async def m009_split_fee_fractions_by_direction(db):
                             lnbits advisory; option A locked).
 
     Idempotency via column-probe pattern (same shape as m006's rename
-    sweep). The deprecated `super_config.super_fee_fraction` singleton
-    is backfilled into the new directional fields, then dropped in the
-    same migration — strict-from-the-start per workspace CLAUDE.md
-    "Backwards-compatibility on pre-public-launch code" (v2-bitspire
-    hasn't shipped to public users).
+    sweep). The existing `super_config.super_fee_fraction` column is
+    NOT dropped here — deprecated, removed in a follow-up release after
+    callers migrate to the directional fields.
     """
     additions = [
         ("super_config", "super_cash_in_fee_fraction", "DECIMAL(10,4) NOT NULL DEFAULT 0.0000"),
@@ -706,32 +704,17 @@ async def m009_split_fee_fractions_by_direction(db):
             f"ALTER TABLE satoshimachine.{table} ADD COLUMN {col} {coltype}"
         )
 
-    # Backfill + drop the legacy singleton, gated on the column still
-    # existing. Once dropped, a re-run of this migration skips both
-    # steps cleanly.
-    try:
-        await db.fetchone(
-            "SELECT super_fee_fraction FROM satoshimachine.super_config LIMIT 1"
-        )
-        legacy_present = True
-    except Exception:
-        legacy_present = False
-
-    if legacy_present:
-        # Carry the live deployment's super_fee_fraction setting forward
-        # into both directional fields, but only when the operator hasn't
-        # already explicitly set per-direction values (i.e., both are
-        # still at DEFAULT 0).
-        await db.execute(
-            """
-            UPDATE satoshimachine.super_config
-               SET super_cash_in_fee_fraction = super_fee_fraction,
-                   super_cash_out_fee_fraction = super_fee_fraction
-             WHERE super_cash_in_fee_fraction = 0
-               AND super_cash_out_fee_fraction = 0
-               AND super_fee_fraction > 0
-            """
-        )
-        await db.execute(
-            "ALTER TABLE satoshimachine.super_config DROP COLUMN super_fee_fraction"
-        )
+    # Backfill super-config directional fractions from the legacy singleton
+    # so the live deployment's super_fee_fraction setting carries forward.
+    # Guarded WHERE clause: only fire when both new fields are still at
+    # their DEFAULT 0 (i.e., this is a first migrate-up, not a repeat).
+    await db.execute(
+        """
+        UPDATE satoshimachine.super_config
+           SET super_cash_in_fee_fraction = super_fee_fraction,
+               super_cash_out_fee_fraction = super_fee_fraction
+         WHERE super_cash_in_fee_fraction = 0
+           AND super_cash_out_fee_fraction = 0
+           AND super_fee_fraction > 0
+        """
+    )
diff --git a/models.py b/models.py
index f7f84e4..1ec2ec4 100644
--- a/models.py
+++ b/models.py
@@ -449,6 +449,10 @@ class TelemetrySnapshot(BaseModel):
 
 class SuperConfig(BaseModel):
     id: str
+    # Deprecated singleton fee fraction — retained for one release while
+    # callers migrate to the per-direction fields below. The new math
+    # (bitspire.py:parse_settlement) only reads the directional fields.
+    super_fee_fraction: float
     super_cash_in_fee_fraction: float = 0.0
     super_cash_out_fee_fraction: float = 0.0
     super_fee_wallet_id: str | None
@@ -456,11 +460,15 @@ class SuperConfig(BaseModel):
 
 
 class UpdateSuperConfigData(BaseModel):
+    # Deprecated; setting either directional field is the supported path.
+    # Writes here continue to apply for one release for migration safety.
+    super_fee_fraction: float | None = None
     super_cash_in_fee_fraction: float | None = None
     super_cash_out_fee_fraction: float | None = None
     super_fee_wallet_id: str | None = None
 
     @validator(
+        "super_fee_fraction",
         "super_cash_in_fee_fraction",
         "super_cash_out_fee_fraction",
     )
@@ -721,107 +729,3 @@ class PublishCassettesPayload(BaseModel):
                 for pos, row in self.positions.items()
             }
         }
-
-
-# =============================================================================
-# Fee-config Nostr payload — operator → ATM (aiolabs/satmachineadmin#39)
-# =============================================================================
-# Locked wire format per coord-log §2026-06-01T14:25Z:
-#   {
-#     "schema_version": 1,
-#     "cash_in_fee_fraction":  super_cash_in  + operator_cash_in,
-#     "cash_out_fee_fraction": super_cash_out + operator_cash_out,
-#     "components": {
-#       "super_cash_in":    float,
-#       "super_cash_out":   float,
-#       "operator_cash_in": float,
-#       "operator_cash_out": float
-#     }
-#   }
-#
-# Producer invariants (refuse-to-publish if violated):
-#   - cash_*_fee_fraction ≤ 0.15 (cap, defense in depth — bitspire
-#     consumer enforces the same)
-#   - |cash_in_fee_fraction - (super_cash_in + operator_cash_in)| < 1e-6
-#   - |cash_out_fee_fraction - (super_cash_out + operator_cash_out)| < 1e-6
-#   - All six fractions in [0.0, 0.15]
-#   - schema_version is integer ≥ 1
-# v1 consumers ignore unknown top-level keys per the locked spec.
-
-
-class FeePayloadComponents(BaseModel):
-    """The producer-mandatory `components` sub-object that splits the
-    summed `cash_*_fee_fraction` totals back into their super + operator
-    halves. Audit + future-promo substrate; consumer-optional in v1."""
-
-    super_cash_in: float
-    super_cash_out: float
-    operator_cash_in: float
-    operator_cash_out: float
-
-
-class FeeConfigPayload(BaseModel):
-    """The decrypted JSON content of a kind-30078 fee-config event
-    (operator → ATM, d-tag `bitspire-fees:<atm_pubkey_hex>`).
-
-    Built from a Machine row + the SuperConfig singleton via
-    `fee_transport.build_fee_payload`. Validates the cap +
-    sum-vs-components consistency at construction time so any caller
-    that holds a FeeConfigPayload instance has a wire-shippable payload.
-    """
-
-    schema_version: int = 1
-    cash_in_fee_fraction: float
-    cash_out_fee_fraction: float
-    components: FeePayloadComponents
-
-    @validator("schema_version")
-    def _schema_version_at_least_v1(cls, v):
-        if v < 1:
-            raise ValueError(f"schema_version must be >= 1, got {v}")
-        return v
-
-    @validator("cash_in_fee_fraction", "cash_out_fee_fraction")
-    def _total_in_unit_range(cls, v):
-        # Imported here rather than at module top to avoid a circular
-        # import (calculations imports nothing from models, but keep the
-        # dependency direction explicit at the call site).
-        from .calculations import MAX_FEE_FRACTION_PER_DIRECTION
-
-        if v < 0 or v > MAX_FEE_FRACTION_PER_DIRECTION:
-            raise ValueError(
-                f"fee fraction must be in [0, {MAX_FEE_FRACTION_PER_DIRECTION}], "
-                f"got {v}"
-            )
-        return round(float(v), 4)
-
-    @validator("components", always=True)
-    def _components_sum_matches_totals(cls, v, values):
-        sum_in = round(v.super_cash_in + v.operator_cash_in, 4)
-        sum_out = round(v.super_cash_out + v.operator_cash_out, 4)
-        total_in = values.get("cash_in_fee_fraction")
-        total_out = values.get("cash_out_fee_fraction")
-        if total_in is not None and abs(total_in - sum_in) > 1e-6:
-            raise ValueError(
-                f"cash_in_fee_fraction={total_in} doesn't match components "
-                f"sum super({v.super_cash_in}) + operator({v.operator_cash_in}) = {sum_in}"
-            )
-        if total_out is not None and abs(total_out - sum_out) > 1e-6:
-            raise ValueError(
-                f"cash_out_fee_fraction={total_out} doesn't match components "
-                f"sum super({v.super_cash_out}) + operator({v.operator_cash_out}) = {sum_out}"
-            )
-        return v
-
-    def to_wire_dict(self) -> dict:
-        return {
-            "schema_version": self.schema_version,
-            "cash_in_fee_fraction": self.cash_in_fee_fraction,
-            "cash_out_fee_fraction": self.cash_out_fee_fraction,
-            "components": {
-                "super_cash_in": self.components.super_cash_in,
-                "super_cash_out": self.components.super_cash_out,
-                "operator_cash_in": self.components.operator_cash_in,
-                "operator_cash_out": self.components.operator_cash_out,
-            },
-        }
diff --git a/nostr_publish.py b/nostr_publish.py
deleted file mode 100644
index b36b39c..0000000
--- a/nostr_publish.py
+++ /dev/null
@@ -1,295 +0,0 @@
-"""
-Shared kind-30078 (NIP-78 addressable app data) Nostr publish primitives.
-
-Extracted from cassette_transport.py once the second consumer landed
-(fee_transport.py for aiolabs/satmachineadmin#39). Both modules
-share the operator-signer resolution, NIP-44 v2 encrypt/decrypt path,
-event signing, and nostrclient-relay publish path; only the d-tag
-prefix + payload model differ per document type.
-
-Architecture:
-
-  fee_transport / cassette_transport
-       │
-       ▼
-  publish_encrypted_kind_30078  ← high-level wrapper (build event + sign + publish)
-       │
-       ├── resolve_operator_signer
-       ├── nip44_encrypt_via_signer
-       ├── sign_as_operator
-       └── publish_signed_event
-
-`resolve_operator_signer` and the NIP-44 helpers honor the
-transitional LocalSigner → RemoteBunkerSigner cascade (lnbits#17/#18):
-the bunker is the endgame for every operator account on this instance,
-but pre-migration LocalSigner accounts still work via direct-prvkey
-NIP-44 v2 from our hand-rolled `nip44` module.
-
-This module is intentionally domain-agnostic — it knows nothing about
-cassettes, fees, or any specific d-tag prefix. The caller supplies
-the recipient pubkey, the d-tag, and the payload dict.
-"""
-
-from __future__ import annotations
-
-import json
-import time
-from typing import Any
-
-from lnbits.core.crud.users import get_account
-from lnbits.core.services.nip46_bunker_client import (
-    NsecBunkerRpcError,
-    NsecBunkerTimeoutError,
-)
-from lnbits.core.signers import resolve_signer
-from lnbits.core.signers.base import (
-    NostrSigner,
-    SignerError,
-    SignerUnavailableError,
-)
-from loguru import logger
-
-from .nip44 import decrypt_from as _nip44_local_decrypt
-from .nip44 import encrypt_for as _nip44_local_encrypt
-
-KIND_NIP78 = 30078
-
-
-# =============================================================================
-# Errors — typed so API endpoints can map to specific HTTP statuses
-# =============================================================================
-
-
-class NostrPublishError(Exception):
-    """Base class for kind-30078 publish errors. Sub-modules
-    (cassette_transport, fee_transport) typically subclass further
-    for domain-specific 'this couldn't be applied' errors that have
-    no analog in the transport layer."""
-
-
-class OperatorIdentityMissing(NostrPublishError):
-    """Operator account has no Nostr pubkey on file, or no signer is
-    available (pre-bunker onboarding — operator hasn't logged in via
-    Nostr-login flow)."""
-
-
-class SignerUnavailable(NostrPublishError):
-    """Resolved signer can't sign server-side (client-side-only signer,
-    or transient bunker unreachability post-lnbits#18). Publish skipped
-    or soft-failed by the caller."""
-
-
-class RelayUnavailable(NostrPublishError):
-    """nostrclient extension isn't installed or its relay manager isn't
-    reachable. Treated as soft-fail by callers; publish skipped + logged."""
-
-
-# =============================================================================
-# Operator signer resolution + NIP-44 v2 encrypt/decrypt
-# =============================================================================
-
-
-async def resolve_operator_signer(operator_user_id: str):
-    """Fetch the operator's account + resolve to a NostrSigner.
-
-    Single source of truth for "give me the signer for this operator,
-    or raise an operator-facing error if we can't." Returns
-    `(account, signer)` so callers that need both (publish path needs
-    `account.pubkey` for the event author and the signer for both
-    encrypt + sign) don't double-fetch.
-
-    Raises:
-      - OperatorIdentityMissing — no account, or no pubkey on file
-      - SignerUnavailable — signer resolve failed, or signer can't sign
-        server-side (ClientSideOnly)
-    """
-    account = await get_account(operator_user_id)
-    if account is None or not account.pubkey:
-        raise OperatorIdentityMissing(
-            f"operator {operator_user_id[:8]}... has no Nostr pubkey on file. "
-            "Onboard via the LNbits Nostr-login flow to publish operator "
-            "config to your ATMs."
-        )
-    try:
-        signer = resolve_signer(account)
-    except SignerError as exc:
-        raise SignerUnavailable(
-            f"signer resolve failed for operator {operator_user_id[:8]}...: {exc}"
-        ) from exc
-    if not signer.can_sign():
-        raise SignerUnavailable(
-            f"operator {operator_user_id[:8]}... has a client-side-only "
-            "signer; server can't sign or NIP-44-encrypt on their behalf. "
-            "Operator must hold their nsec via a NIP-46 bunker (lnbits#18) "
-            "or migrate to a server-signing account."
-        )
-    return account, signer
-
-
-async def sign_as_operator(operator_user_id: str, event: dict) -> dict:
-    """Sign `event` using the operator's signer (LocalSigner or
-    RemoteBunkerSigner). Mutates `event` to add `created_at` (now),
-    `pubkey`, `id`, and `sig`. Returns the signed event.
-
-    Raises typed NostrPublishError subclasses on hard failure (caller
-    maps to HTTP status / decides soft-fail).
-    """
-    _account, signer = await resolve_operator_signer(operator_user_id)
-    # created_at is part of the BIP-340 event-id hash; set before signing.
-    event["created_at"] = int(time.time())
-    try:
-        signed = await signer.sign_event(event)
-    except SignerUnavailableError as exc:
-        raise SignerUnavailable(
-            f"signer unavailable for operator {operator_user_id[:8]}...: {exc}"
-        ) from exc
-    if signed is None:
-        raise NostrPublishError(
-            f"signer returned None for operator {operator_user_id[:8]}... "
-            "— shouldn't be reachable on a server-signing path"
-        )
-    return signed
-
-
-async def nip44_encrypt_via_signer(
-    account, signer: NostrSigner, plaintext: str, peer_pubkey_hex: str
-) -> str:
-    """NIP-44 v2 encrypt via the signer abstraction, with a transitional
-    fallback to direct-prvkey for LocalSigner accounts.
-
-    The bunker (RemoteBunkerSigner) implements `nip44_encrypt` natively —
-    the operator's nsec never leaves the bunker process. LocalSigner's
-    `nip44_encrypt` stub explicitly raises SignerUnavailableError per
-    the post-PR-#38 ABC — the spec is "migrate to bunker." For the
-    transitional window where some operators are still on LocalSigner +
-    their `account.prvkey` is intact, we catch that signal and use our
-    hand-rolled NIP-44 v2 impl against the stored prvkey. Same wire
-    output either way.
-
-    Removed once every operator account on this instance is bunker-
-    backed (S7 fully landed). At that point this helper collapses to
-    `return await signer.nip44_encrypt(plaintext, peer_pubkey_hex)`.
-    """
-    try:
-        return await signer.nip44_encrypt(plaintext, peer_pubkey_hex)
-    except SignerUnavailableError:
-        if account.signer_type == "LocalSigner" and account.prvkey:
-            return _nip44_local_encrypt(plaintext, account.prvkey, peer_pubkey_hex)
-        # ClientSideOnly, or RemoteBunkerSigner with bunker comms failure
-        # at encrypt time — re-raise without wrapping; caller maps it.
-        raise
-
-
-async def nip44_decrypt_via_signer(
-    account, signer: NostrSigner, ciphertext: str, peer_pubkey_hex: str
-) -> str:
-    """Decrypt mirror of `nip44_encrypt_via_signer`. Same LocalSigner
-    transitional fallback."""
-    try:
-        return await signer.nip44_decrypt(ciphertext, peer_pubkey_hex)
-    except SignerUnavailableError:
-        if account.signer_type == "LocalSigner" and account.prvkey:
-            return _nip44_local_decrypt(ciphertext, account.prvkey, peer_pubkey_hex)
-        raise
-
-
-# =============================================================================
-# Relay publish
-# =============================================================================
-
-
-async def publish_signed_event(signed_event: dict) -> None:
-    """Send a signed Nostr event to all relays via the nostrclient
-    extension's singleton RelayManager.
-
-    Lazy import + typed-error so the API can surface "your LNbits doesn't
-    have nostrclient installed" as a 503 rather than a 500. Pattern
-    matches the cross-extension import guards in
-    `lnbits.core.services.users` (nostrmarket / nostrrelay).
-    """
-    try:
-        from nostrclient.router import (  # type: ignore[import-not-found]
-            nostr_client,
-        )
-    except ImportError as exc:
-        raise RelayUnavailable(
-            "nostrclient extension is not installed; kind-30078 publish "
-            "requires it. Install + activate the nostrclient extension on "
-            "this LNbits instance."
-        ) from exc
-    msg = json.dumps(["EVENT", signed_event])
-    nostr_client.relay_manager.publish_message(msg)
-
-
-# =============================================================================
-# High-level: build + encrypt + sign + publish in one call
-# =============================================================================
-
-
-async def publish_encrypted_kind_30078(
-    *,
-    operator_user_id: str,
-    recipient_pubkey_hex: str,
-    d_tag: str,
-    payload: dict[str, Any],
-    log_context: str = "",
-) -> dict:
-    """Build, NIP-44-v2-encrypt, sign-as-operator, and publish a
-    kind-30078 event addressed to `recipient_pubkey_hex` under `d_tag`.
-
-    Centralised so cassette_transport + fee_transport (+ any future
-    operator-pushed document type) share the same wire-format guarantees.
-
-    Returns the signed event dict on success. Raises typed
-    NostrPublishError subclasses on hard failure:
-      - OperatorIdentityMissing → 400: operator hasn't onboarded
-      - SignerUnavailable → 503: signer offline / client-side-only /
-        bunker timeout at encrypt or sign step
-      - RelayUnavailable → 503: nostrclient not installed
-      - NostrPublishError → 500: anything else
-
-    `log_context` is a short string prefixed to the success log line for
-    triage ("cassette", "fee", etc.).
-    """
-    account, signer = await resolve_operator_signer(operator_user_id)
-
-    plaintext = json.dumps(payload, separators=(",", ":"))
-    try:
-        content = await nip44_encrypt_via_signer(
-            account, signer, plaintext, recipient_pubkey_hex
-        )
-    except NsecBunkerTimeoutError as exc:
-        raise SignerUnavailable(
-            f"bunker unreachable while encrypting kind-30078 ({d_tag}) for "
-            f"operator {operator_user_id[:8]}...: {exc}"
-        ) from exc
-    except NsecBunkerRpcError as exc:
-        raise SignerUnavailable(
-            f"bunker rejected nip44_encrypt for operator "
-            f"{operator_user_id[:8]}... (policy / MAC / config issue): {exc}"
-        ) from exc
-    except SignerUnavailableError as exc:
-        raise SignerUnavailable(
-            f"signer cannot nip44-encrypt for operator "
-            f"{operator_user_id[:8]}...: {exc}"
-        ) from exc
-
-    event: dict = {
-        "kind": KIND_NIP78,
-        "tags": [
-            ["d", d_tag],
-            ["p", recipient_pubkey_hex],
-        ],
-        "content": content,
-        # created_at is set inside sign_as_operator before signing.
-    }
-    signed = await sign_as_operator(operator_user_id, event)
-
-    await publish_signed_event(signed)
-    prefix = f"{log_context}: " if log_context else ""
-    logger.info(
-        f"satmachineadmin: {prefix}published kind-30078 to ATM "
-        f"{recipient_pubkey_hex[:12]}... d-tag={d_tag} "
-        f"event_id={signed['id'][:12]}..."
-    )
-    return signed
diff --git a/static/js/index.js b/static/js/index.js
index 4da7ee6..96b98ef 100644
--- a/static/js/index.js
+++ b/static/js/index.js
@@ -100,11 +100,7 @@ window.app = Vue.createApp({
       superFeeDialog: {
         show: false,
         saving: false,
-        data: {
-          super_cash_in_fee_fraction: 0,
-          super_cash_out_fee_fraction: 0,
-          super_fee_wallet_id: ''
-        }
+        data: {super_fee_fraction: 0, super_fee_wallet_id: ''}
       },
 
       // UI configuration -----------------------------------------------
@@ -270,17 +266,6 @@ window.app = Vue.createApp({
   },
 
   computed: {
-    superAnyFee() {
-      // Banner styling key — true when either directional super fee is
-      // non-zero, so the banner reads as "active platform fee" instead
-      // of the muted grey "free instance" state.
-      const c = this.superConfig
-      if (!c) return 0
-      return (
-        Number(c.super_cash_in_fee_fraction || 0) +
-        Number(c.super_cash_out_fee_fraction || 0)
-      )
-    },
     walletOptions() {
       // g.user is sometimes null on initial mount in LNbits 1.4 — guard it.
       const wallets = this.g?.user?.wallets || []
@@ -564,10 +549,7 @@ window.app = Vue.createApp({
     // -----------------------------------------------------------------
     openSuperFeeDialog() {
       this.superFeeDialog.data = {
-        super_cash_in_fee_fraction:
-          this.superConfig?.super_cash_in_fee_fraction ?? 0,
-        super_cash_out_fee_fraction:
-          this.superConfig?.super_cash_out_fee_fraction ?? 0,
+        super_fee_fraction: this.superConfig?.super_fee_fraction ?? 0,
         super_fee_wallet_id: this.superConfig?.super_fee_wallet_id || ''
       }
       this.superFeeDialog.show = true
@@ -580,8 +562,7 @@ window.app = Vue.createApp({
         const {data} = await LNbits.api.request(
           'PUT', SUPER_FEE_PATH, null,
           {
-            super_cash_in_fee_fraction: Number(d.super_cash_in_fee_fraction),
-            super_cash_out_fee_fraction: Number(d.super_cash_out_fee_fraction),
+            super_fee_fraction: Number(d.super_fee_fraction),
             super_fee_wallet_id: (d.super_fee_wallet_id || '').trim() || null
           }
         )
@@ -724,9 +705,7 @@ window.app = Vue.createApp({
         location: machine.location || '',
         wallet_id: machine.wallet_id,
         fiat_code: machine.fiat_code,
-        is_active: machine.is_active,
-        operator_cash_in_fee_fraction: machine.operator_cash_in_fee_fraction ?? 0,
-        operator_cash_out_fee_fraction: machine.operator_cash_out_fee_fraction ?? 0
+        is_active: machine.is_active
       }
       this.editMachineDialog.show = true
     },
@@ -744,9 +723,7 @@ window.app = Vue.createApp({
             location: d.location,
             wallet_id: d.wallet_id,
             fiat_code: d.fiat_code,
-            is_active: d.is_active,
-            operator_cash_in_fee_fraction: Number(d.operator_cash_in_fee_fraction) || 0,
-            operator_cash_out_fee_fraction: Number(d.operator_cash_out_fee_fraction) || 0
+            is_active: d.is_active
           }
         )
         const idx = this.machines.findIndex(m => m.id === data.id)
@@ -1498,9 +1475,7 @@ window.app = Vue.createApp({
         wallet_id: null,
         name: '',
         location: '',
-        fiat_code: 'GTQ',
-        operator_cash_in_fee_fraction: 0,
-        operator_cash_out_fee_fraction: 0
+        fiat_code: 'GTQ'
       }
     },
 
@@ -1510,9 +1485,7 @@ window.app = Vue.createApp({
         wallet_id: d.wallet_id,
         name: (d.name || '').trim() || null,
         location: (d.location || '').trim() || null,
-        fiat_code: (d.fiat_code || 'GTQ').trim(),
-        operator_cash_in_fee_fraction: Number(d.operator_cash_in_fee_fraction) || 0,
-        operator_cash_out_fee_fraction: Number(d.operator_cash_out_fee_fraction) || 0
+        fiat_code: (d.fiat_code || 'GTQ').trim()
       }
     },
 
diff --git a/tasks.py b/tasks.py
index 314c244..7f2a276 100644
--- a/tasks.py
+++ b/tasks.py
@@ -125,14 +125,14 @@ async def _handle_payment(payment: Payment) -> None:
     # stamp is missing, SettlementInvariantError on any range/sum
     # breach.
     super_config = await get_super_config()
-    assert super_config is not None  # m001 inserts the default singleton
+    super_fee_fraction = float(super_config.super_fee_fraction) if super_config else 0.0
     try:
         data = parse_settlement(
             machine=machine,
             payment_hash=payment.payment_hash,
             wire_sats=payment.sat,
             extra=extra,
-            super_config=super_config,
+            super_fee_fraction=super_fee_fraction,
         )
     except (SettlementMetadataError, SettlementInvariantError) as exc:
         await _record_rejected(payment, machine, exc)
@@ -408,9 +408,9 @@ async def _handle_cassette_state_event(
         CassetteEventDecodeError,
         CassetteEventTransientError,
         CassetteTransportError,
+        _resolve_operator_signer,
         decrypt_and_parse_state_event,
     )
-    from .nostr_publish import resolve_operator_signer
 
     event_raw = event_message.event
     if isinstance(event_raw, str):
@@ -444,7 +444,7 @@ async def _handle_cassette_state_event(
         return
 
     try:
-        account, signer = await resolve_operator_signer(machine.operator_user_id)
+        account, signer = await _resolve_operator_signer(machine.operator_user_id)
     except CassetteTransportError as exc:
         # OperatorIdentityMissing / SignerUnavailable — log + skip.
         logger.warning(
diff --git a/templates/satmachineadmin/index.html b/templates/satmachineadmin/index.html
index ffdb730..8b3ddf3 100644
--- a/templates/satmachineadmin/index.html
+++ b/templates/satmachineadmin/index.html
@@ -31,19 +31,17 @@
     <q-banner
       v-if="superConfig"
       class="q-mb-md"
-      :class="superAnyFee > 0 ? 'bg-blue-1 text-grey-9' : 'bg-grey-2 text-grey-9'">
+      :class="superConfig.super_fee_fraction > 0 ? 'bg-blue-1 text-grey-9' : 'bg-grey-2 text-grey-9'">
       <template v-slot:avatar>
-        <q-icon name="account_balance" :color="superAnyFee > 0 ? 'blue' : 'grey'"></q-icon>
+        <q-icon name="account_balance" :color="superConfig.super_fee_fraction > 0 ? 'blue' : 'grey'"></q-icon>
       </template>
       <span :style="{fontWeight: 500}">
         LNbits platform fee:
-        <span :style="{color: '#1976d2'}">cash-in ${ (superConfig.super_cash_in_fee_fraction * 100).toFixed(2) }%</span>
-        ·
-        <span :style="{color: '#1976d2'}">cash-out ${ (superConfig.super_cash_out_fee_fraction * 100).toFixed(2) }%</span>
-        of each transaction's principal.
+        <span :style="{color: '#1976d2'}">${ (superConfig.super_fee_fraction * 100).toFixed(2) }%</span>
+        of each transaction's commission.
       </span>
       <span :style="{opacity: 0.7, fontSize: '0.85em'}" class="q-ml-sm">
-        Operator's per-machine fee rides on top of these.
+        Your remainder splits per the rules below.
       </span>
       <template v-slot:action>
         <q-btn v-if="g?.user?.super_user"
@@ -794,22 +792,6 @@
             hint="Currency the ATM dispenses (GTQ / USD / MXN / etc.)"
             class="q-mb-md"
             dense outlined></q-input>
-
-          <q-input
-            v-model.number="addMachineDialog.data.operator_cash_in_fee_fraction"
-            label="Operator cash-in fee % (decimal, 0..0.15)"
-            hint="Your per-machine cut on cash-in. Sits on top of the platform fee; cap is 15% total per direction."
-            type="number" step="0.0001" min="0" max="0.15"
-            class="q-mb-md"
-            dense outlined></q-input>
-
-          <q-input
-            v-model.number="addMachineDialog.data.operator_cash_out_fee_fraction"
-            label="Operator cash-out fee % (decimal, 0..0.15)"
-            hint="Your per-machine cut on cash-out. Sits on top of the platform fee; cap is 15% total per direction."
-            type="number" step="0.0001" min="0" max="0.15"
-            class="q-mb-md"
-            dense outlined></q-input>
         </q-card-section>
         <q-card-actions align="right" class="text-primary">
           <q-btn flat label="Cancel" v-close-popup></q-btn>
@@ -1244,21 +1226,14 @@
         </q-card-section>
         <q-card-section>
           <p class="text-caption q-mb-md" :style="{opacity: 0.7}">
-            Charged on every transaction's principal across the LNbits
-            instance. Independent per direction. Each direction's total
-            (super + operator) is capped at 15%. Operators see these as a
-            read-only banner. Wallet ID is where the collected fee lands;
-            typically a wallet you (the super) own.
+            Charged on every operator's commission across the LNbits instance.
+            Operators see this as a read-only banner. Wallet ID is where the
+            collected fee lands; typically a wallet you (the super) own.
           </p>
-          <q-input v-model.number="superFeeDialog.data.super_cash_in_fee_fraction"
-            label="Cash-in fee % (decimal, 0..0.15)"
-            hint="0.03 = 3% of principal on cash-in transactions"
-            type="number" step="0.0001" min="0" max="0.15"
-            class="q-mb-md" dense outlined></q-input>
-          <q-input v-model.number="superFeeDialog.data.super_cash_out_fee_fraction"
-            label="Cash-out fee % (decimal, 0..0.15)"
-            hint="0.03 = 3% of principal on cash-out transactions"
-            type="number" step="0.0001" min="0" max="0.15"
+          <q-input v-model.number="superFeeDialog.data.super_fee_fraction"
+            label="Fee % (decimal, 0..1)"
+            hint="0.30 = 30% of every operator's commission"
+            type="number" step="0.0001" min="0" max="1"
             class="q-mb-md" dense outlined></q-input>
           <q-input v-model="superFeeDialog.data.super_fee_wallet_id"
             label="Super fee destination wallet_id"
@@ -1509,16 +1484,6 @@
             dense outlined></q-select>
           <q-input v-model="editMachineDialog.data.fiat_code"
             label="Fiat code" class="q-mb-md" dense outlined></q-input>
-          <q-input v-model.number="editMachineDialog.data.operator_cash_in_fee_fraction"
-            label="Operator cash-in fee % (decimal, 0..0.15)"
-            hint="Sits on top of the platform cash-in fee. Cap 15% total per direction."
-            type="number" step="0.0001" min="0" max="0.15"
-            class="q-mb-md" dense outlined></q-input>
-          <q-input v-model.number="editMachineDialog.data.operator_cash_out_fee_fraction"
-            label="Operator cash-out fee % (decimal, 0..0.15)"
-            hint="Sits on top of the platform cash-out fee. Cap 15% total per direction."
-            type="number" step="0.0001" min="0" max="0.15"
-            class="q-mb-md" dense outlined></q-input>
           <q-toggle v-model="editMachineDialog.data.is_active"
             label="Active (receives settlements)" class="q-mb-md"></q-toggle>
         </q-card-section>
diff --git a/tests/conftest.py b/tests/conftest.py
deleted file mode 100644
index 39fe975..0000000
--- a/tests/conftest.py
+++ /dev/null
@@ -1,32 +0,0 @@
-"""
-Pytest configuration for the satmachineadmin extension test suite.
-
-Provides a `loguru_capture` fixture for tests that need to verify
-loguru WARN/ERROR side-effects. Loguru attaches its default sink to
-sys.stderr at import time, before pytest's `capsys` wraps stderr, so
-neither `caplog` (stdlib logging only) nor `capsys` reliably sees
-loguru output. The fixture adds a list-sink for the test's duration
-and removes it on teardown.
-"""
-
-from typing import Generator, List
-
-import pytest
-from loguru import logger
-
-
-@pytest.fixture
-def loguru_capture() -> Generator[List[str], None, None]:
-    """Capture loguru log records into a list for the test's duration.
-
-    Usage:
-        def test_warns_on_X(loguru_capture):
-            do_thing_that_warns()
-            assert any("expected message" in msg for msg in loguru_capture)
-    """
-    captured: List[str] = []
-    handler_id = logger.add(
-        captured.append, level="WARNING", format="{level} {message}"
-    )
-    yield captured
-    logger.remove(handler_id)
diff --git a/tests/test_fee_cap_validation.py b/tests/test_fee_cap_validation.py
deleted file mode 100644
index 25b4927..0000000
--- a/tests/test_fee_cap_validation.py
+++ /dev/null
@@ -1,208 +0,0 @@
-"""
-Tests for `views_api._assert_machine_fee_cap_safe` and
-`_assert_super_config_cap_safe` (aiolabs/satmachineadmin#38, Layer 1).
-
-Per-direction cap is locked at 15% (super + operator) per coord-log
-§2026-06-01T07:22Z. Both helpers enforce the same cap from the
-opposite direction:
-
-- machine_fee_cap_safe runs at machine create/update; pairs candidate
-  operator fractions against the current super-config
-- super_config_cap_safe runs at super-config update; pairs candidate
-  super fractions against every active machine's operator fractions
-  and names the first offender so the super-admin can fix the
-  triggering machine
-
-Tests monkeypatch the CRUD lookups directly — same shape as
-test_collision_guard.py — so the validators are unit-testable without
-a live LNbits DB.
-"""
-
-import asyncio
-from types import SimpleNamespace
-
-import pytest
-
-from .. import views_api
-from ..views_api import (
-    _assert_machine_fee_cap_safe,
-    _assert_super_config_cap_safe,
-)
-
-
-def _super_config(in_frac: float = 0.0, out_frac: float = 0.0):
-    """Duck-typed super-config row carrying just the two directional fields
-    the cap helpers read."""
-    return SimpleNamespace(
-        super_cash_in_fee_fraction=in_frac,
-        super_cash_out_fee_fraction=out_frac,
-    )
-
-
-def _machine(
-    machine_id: str,
-    op_in: float,
-    op_out: float,
-    name: str | None = None,
-    npub: str = "a" * 64,
-):
-    return SimpleNamespace(
-        id=machine_id,
-        operator_cash_in_fee_fraction=op_in,
-        operator_cash_out_fee_fraction=op_out,
-        name=name,
-        machine_npub=npub,
-    )
-
-
-def _patch_super(monkeypatch, value):
-    async def fake_get():
-        return value
-
-    monkeypatch.setattr(views_api, "get_super_config", fake_get)
-
-
-def _patch_machines(monkeypatch, machines: list):
-    async def fake_list():
-        return machines
-
-    monkeypatch.setattr(views_api, "list_all_active_machines", fake_list)
-
-
-# ---------------------------------------------------------------------------
-# _assert_machine_fee_cap_safe — candidate operator fractions vs current super
-# ---------------------------------------------------------------------------
-
-
-class TestMachineFeeCapSafe:
-    def test_cash_in_cap_exceeded_raises(self, monkeypatch):
-        _patch_super(monkeypatch, _super_config(in_frac=0.10, out_frac=0.05))
-        # 0.10 + 0.06 = 0.16 > 0.15 → reject
-        with pytest.raises(Exception) as exc:
-            asyncio.run(_assert_machine_fee_cap_safe(0.06, 0.05))
-        assert exc.value.status_code == 400
-        assert "cash-in fee cap exceeded" in exc.value.detail
-
-    def test_cash_out_cap_exceeded_raises(self, monkeypatch):
-        _patch_super(monkeypatch, _super_config(in_frac=0.05, out_frac=0.10))
-        # 0.10 + 0.06 = 0.16 > 0.15 → reject
-        with pytest.raises(Exception) as exc:
-            asyncio.run(_assert_machine_fee_cap_safe(0.05, 0.06))
-        assert exc.value.status_code == 400
-        assert "cash-out fee cap exceeded" in exc.value.detail
-
-    def test_at_exact_cap_passes(self, monkeypatch):
-        """The cap check is `>`, not `>=` — operators may set exactly
-        15% on either direction without rejection."""
-        _patch_super(monkeypatch, _super_config(in_frac=0.10, out_frac=0.10))
-        asyncio.run(_assert_machine_fee_cap_safe(0.05, 0.05))
-
-    def test_no_super_config_treats_super_as_zero(self, monkeypatch):
-        """Uninitialised instance (super_config = None) → only operator
-        counts. Cap then degenerates to a pure operator-fee check."""
-        _patch_super(monkeypatch, None)
-        # 0.14 alone is under cap → pass
-        asyncio.run(_assert_machine_fee_cap_safe(0.14, 0.14))
-        # 0.16 alone exceeds cap → reject
-        with pytest.raises(Exception) as exc:
-            asyncio.run(_assert_machine_fee_cap_safe(0.16, 0.05))
-        assert exc.value.status_code == 400
-
-    def test_well_under_cap_passes_silently(self, monkeypatch):
-        _patch_super(monkeypatch, _super_config(in_frac=0.03, out_frac=0.03))
-        # Should not raise.
-        asyncio.run(_assert_machine_fee_cap_safe(0.0333, 0.0777))
-
-    def test_zero_operator_under_zero_super_passes(self, monkeypatch):
-        """Free-charge ATM corner case — operator deliberately sets 0
-        on both directions, super is 0 on both. Cap of 0 ≤ 0.15."""
-        _patch_super(monkeypatch, _super_config(in_frac=0.0, out_frac=0.0))
-        asyncio.run(_assert_machine_fee_cap_safe(0.0, 0.0))
-
-    def test_error_detail_includes_cap_value(self, monkeypatch):
-        _patch_super(monkeypatch, _super_config(in_frac=0.10, out_frac=0.0))
-        with pytest.raises(Exception) as exc:
-            asyncio.run(_assert_machine_fee_cap_safe(0.10, 0.0))
-        # 0.10 + 0.10 = 0.20 > 0.15
-        assert "0.15" in exc.value.detail
-
-
-# ---------------------------------------------------------------------------
-# _assert_super_config_cap_safe — candidate super fractions vs all machines
-# ---------------------------------------------------------------------------
-
-
-class TestSuperConfigCapSafe:
-    def test_offending_machine_raises_and_is_named(self, monkeypatch):
-        """When a super-fee bump pushes one machine over the cap, the
-        rejection names that machine so the super-admin knows which
-        operator's per-machine config blocks the change."""
-        _patch_super(monkeypatch, _super_config(in_frac=0.03, out_frac=0.03))
-        _patch_machines(
-            monkeypatch,
-            [
-                _machine("m1", op_in=0.01, op_out=0.02, name="Cafe A"),
-                _machine("m2", op_in=0.10, op_out=0.02, name="Greedy ATM"),
-            ],
-        )
-        # New super_in = 0.06. m2 has op_in 0.10 → 0.16 > cap.
-        with pytest.raises(Exception) as exc:
-            asyncio.run(_assert_super_config_cap_safe(0.06, None))
-        assert exc.value.status_code == 400
-        assert "Greedy ATM" in exc.value.detail or "m2" in exc.value.detail
-
-    def test_all_machines_under_cap_passes(self, monkeypatch):
-        _patch_super(monkeypatch, _super_config(in_frac=0.03, out_frac=0.03))
-        _patch_machines(
-            monkeypatch,
-            [
-                _machine("m1", op_in=0.05, op_out=0.05, name="Cafe A"),
-                _machine("m2", op_in=0.03, op_out=0.03, name="Cafe B"),
-            ],
-        )
-        # Bump super to 0.08/0.08 → max total = 0.13 + 0.13 = both under cap.
-        asyncio.run(_assert_super_config_cap_safe(0.08, 0.08))
-
-    def test_none_direction_pulls_current_value(self, monkeypatch):
-        """Caller passes new_super_in=None → check uses current super_in
-        value. Confirms partial-update semantics — caller can change
-        cash-out alone without retransmitting cash-in."""
-        _patch_super(monkeypatch, _super_config(in_frac=0.10, out_frac=0.03))
-        _patch_machines(monkeypatch, [_machine("m1", op_in=0.06, op_out=0.0)])
-        # Skipping in (None) but op_in=0.06 + current super_in=0.10 = 0.16 > cap.
-        with pytest.raises(Exception) as exc:
-            asyncio.run(_assert_super_config_cap_safe(None, 0.05))
-        assert exc.value.status_code == 400
-
-    def test_no_machines_passes(self, monkeypatch):
-        """Cap check across an empty fleet is vacuously safe."""
-        _patch_super(monkeypatch, _super_config(in_frac=0.10, out_frac=0.10))
-        _patch_machines(monkeypatch, [])
-        asyncio.run(_assert_super_config_cap_safe(0.12, 0.12))
-
-    def test_no_super_config_with_machines_uses_zero(self, monkeypatch):
-        """Uninitialised super + new fractions → cap check still runs
-        against the candidate new values + each machine's operator
-        fractions."""
-        _patch_super(monkeypatch, None)
-        _patch_machines(
-            monkeypatch,
-            [_machine("m1", op_in=0.10, op_out=0.0, name="Cafe A")],
-        )
-        # 0.06 + 0.10 = 0.16 > cap.
-        with pytest.raises(Exception) as exc:
-            asyncio.run(_assert_super_config_cap_safe(0.06, 0.0))
-        assert exc.value.status_code == 400
-
-    def test_uses_machine_id_when_name_missing(self, monkeypatch):
-        """Machines without a `name` set fall back to the id (or npub
-        prefix) for the error message — operator-actionable in either
-        case."""
-        _patch_super(monkeypatch, _super_config(in_frac=0.03, out_frac=0.03))
-        _patch_machines(
-            monkeypatch,
-            [_machine("unnamed-machine-id", op_in=0.10, op_out=0.0, name=None)],
-        )
-        with pytest.raises(Exception) as exc:
-            asyncio.run(_assert_super_config_cap_safe(0.06, None))
-        assert "unnamed-machine-id" in exc.value.detail
diff --git a/tests/test_fee_mismatch_recording.py b/tests/test_fee_mismatch_recording.py
deleted file mode 100644
index 7e5bb80..0000000
--- a/tests/test_fee_mismatch_recording.py
+++ /dev/null
@@ -1,179 +0,0 @@
-"""
-Tests for `dca_settlements.fee_mismatch_sats` Phase-1 observability
-(aiolabs/satmachineadmin#38, coord-log §2026-06-01T07:00Z — option A
-locked: always record, no enforce_fee_match gate).
-
-Each settlement records:
-
-    fee_mismatch_sats = bitspire_fee_sats - (platform_fee_sats + operator_fee_sats)
-
-Positive = bitspire over-reported (claimed more fee than satmachineadmin
-recomputed against principal). Negative = bitspire under-reported.
-Zero = exact match.
-
-Tolerance for the WARN log is `max(1, int(principal_sats * 0.001))` —
-1-sat floor, 0.1% relative ceiling. Sub-tolerance drift records the
-delta silently; over-tolerance drift logs a WARNING. The delta is
-recorded unconditionally regardless of tolerance — sub-tolerance data
-is still useful triage data once aggregated.
-
-Phase 2 (settlement-reject on out-of-tolerance) is a follow-up; this
-layer is observability-only.
-"""
-
-from datetime import datetime
-
-from ..bitspire import parse_settlement
-from ..models import Machine, SuperConfig
-
-
-_NOW = datetime(2026, 6, 1, 12, 0, 0)
-
-
-def _machine(op_out: float = 0.0) -> Machine:
-    return Machine(
-        id="m1",
-        operator_user_id="op1",
-        machine_npub="a" * 64,
-        wallet_id="w1",
-        name="Test",
-        location=None,
-        fiat_code="EUR",
-        is_active=True,
-        operator_cash_in_fee_fraction=0.0,
-        operator_cash_out_fee_fraction=op_out,
-        created_at=_NOW,
-        updated_at=_NOW,
-    )
-
-
-def _super_config(out_frac: float = 0.0) -> SuperConfig:
-    return SuperConfig(
-        id="default",
-        super_cash_in_fee_fraction=0.0,
-        super_cash_out_fee_fraction=out_frac,
-        super_fee_wallet_id="super-wallet",
-        updated_at=_NOW,
-    )
-
-
-def _bitspire_extra(principal_sats: int, fee_sats: int) -> dict:
-    return {
-        "source": "bitspire",
-        "type": "cash_out",
-        "principal_sats": principal_sats,
-        "fee_sats": fee_sats,
-        "fee_fraction": fee_sats / principal_sats if principal_sats else 0.0,
-        "exchange_rate": 0.00001,
-        "fiat_amount": 100.0,
-        "currency": "EUR",
-        "txid": "fake-txid",
-        "nostr_sender_pubkey": "a" * 64,
-    }
-
-
-def _parse(machine, super_cfg, principal_sats, fee_sats):
-    """Helper: build extra + invoke parse_settlement with cash-out wire
-    invariant (wire = principal + fee)."""
-    extra = _bitspire_extra(principal_sats, fee_sats)
-    return parse_settlement(
-        machine=machine,
-        payment_hash="ph_test",
-        wire_sats=principal_sats + fee_sats,
-        extra=extra,
-        super_config=super_cfg,
-    )
-
-
-class TestFeeMismatchSatsRecording:
-    def test_zero_mismatch_when_bitspire_matches_recompute(self):
-        """super=3%, operator=5%, total=8%. Bitspire reports
-        principal=100_000 fee=8_000 → 100_000 * 0.08 = 8_000 → mismatch=0."""
-        machine = _machine(op_out=0.05)
-        super_cfg = _super_config(out_frac=0.03)
-        data = _parse(machine, super_cfg, principal_sats=100_000, fee_sats=8_000)
-        assert data.platform_fee_sats == 3_000
-        assert data.operator_fee_sats == 5_000
-        assert data.fee_mismatch_sats == 0
-
-    def test_positive_mismatch_when_bitspire_over_reports(self):
-        """super=3%, operator=5% → expected=8_000. Bitspire claims 9_000.
-        Delta = +1_000 (over-reported)."""
-        machine = _machine(op_out=0.05)
-        super_cfg = _super_config(out_frac=0.03)
-        data = _parse(machine, super_cfg, principal_sats=100_000, fee_sats=9_000)
-        assert data.fee_mismatch_sats == 1_000
-
-    def test_negative_mismatch_when_bitspire_under_reports(self):
-        """super=3%, operator=5% → expected=8_000. Bitspire claims 7_000.
-        Delta = -1_000 (under-reported)."""
-        machine = _machine(op_out=0.05)
-        super_cfg = _super_config(out_frac=0.03)
-        data = _parse(machine, super_cfg, principal_sats=100_000, fee_sats=7_000)
-        assert data.fee_mismatch_sats == -1_000
-
-    def test_pre_layer3_records_large_delta(self):
-        """Real-world Phase-1 scenario before Layer 3 (lamassu-next#57)
-        ships: ATM hardcodes 7.77% cash-out; operator configures 5%
-        operator + 3% super = 8% total. Bitspire reports
-        100_000 * 0.0777 = 7_770 sats; satmachineadmin recomputes 8_000.
-        Delta is large and visible for triage; behavior unchanged."""
-        machine = _machine(op_out=0.05)
-        super_cfg = _super_config(out_frac=0.03)
-        data = _parse(machine, super_cfg, principal_sats=100_000, fee_sats=7_770)
-        # Expected = 3_000 + 5_000 = 8_000; bitspire claims 7_770.
-        assert data.fee_mismatch_sats == -230
-
-
-class TestFeeMismatchWarningLogging:
-    """Tolerance = max(1, int(principal_sats * 0.001)).
-    For principal=100_000 → tolerance=100. For principal=500 → tolerance=1.
-
-    Uses the `loguru_capture` fixture (defined in conftest.py) to read
-    the WARN log line — pytest's `caplog` only sees stdlib logging,
-    and `capsys` misses loguru's pre-bound stderr sink.
-    """
-
-    def test_within_tolerance_does_not_warn(self, loguru_capture):
-        """1-sat delta at principal=100_000 → tolerance=100 → no warn."""
-        machine = _machine(op_out=0.05)
-        super_cfg = _super_config(out_frac=0.03)
-        data = _parse(machine, super_cfg, principal_sats=100_000, fee_sats=8_001)
-        assert data.fee_mismatch_sats == 1
-        # Still recorded — the delta is small, the WARN is suppressed.
-        assert not any("fee mismatch" in m.lower() for m in loguru_capture)
-
-    def test_outside_tolerance_logs_warning(self, loguru_capture):
-        """101-sat delta at principal=100_000 → tolerance=100 → warns."""
-        machine = _machine(op_out=0.05)
-        super_cfg = _super_config(out_frac=0.03)
-        # bitspire claims 8_101 (= expected 8_000 + 101 over)
-        data = _parse(machine, super_cfg, principal_sats=100_000, fee_sats=8_101)
-        assert data.fee_mismatch_sats == 101
-        assert any("fee mismatch" in m.lower() for m in loguru_capture)
-
-    def test_warning_includes_diagnostic_fields(self, loguru_capture):
-        """WARN log line must carry the fields a triage-time operator
-        needs: bitspire's claim, the expected total, the delta, the
-        principal, both fractions, and tx_type."""
-        machine = _machine(op_out=0.05)
-        super_cfg = _super_config(out_frac=0.03)
-        _parse(machine, super_cfg, principal_sats=100_000, fee_sats=9_000)
-        log_text = "".join(loguru_capture)
-        assert "bitspire_fee_sats=9000" in log_text
-        assert "expected=8000" in log_text
-        assert "delta=1000" in log_text
-        assert "principal=100000" in log_text
-        assert "tx_type=cash_out" in log_text
-
-    def test_one_sat_floor_warns_on_tiny_principal(self, loguru_capture):
-        """At principal=500, tolerance=max(1, 0.5)=1. A 2-sat delta
-        triggers the warning — the floor exists so tiny-principal
-        settlements don't go un-policed."""
-        machine = _machine(op_out=0.05)
-        super_cfg = _super_config(out_frac=0.03)
-        # principal=500 → expected fee = 500 * 0.08 = 40 sats.
-        # Bitspire claims 42 → delta=2. Tolerance=max(1, 0)=1. Warns.
-        data = _parse(machine, super_cfg, principal_sats=500, fee_sats=42)
-        assert data.fee_mismatch_sats == 2
-        assert any("fee mismatch" in m.lower() for m in loguru_capture)
diff --git a/tests/test_fee_publish_triggers.py b/tests/test_fee_publish_triggers.py
deleted file mode 100644
index 650bd73..0000000
--- a/tests/test_fee_publish_triggers.py
+++ /dev/null
@@ -1,391 +0,0 @@
-"""
-Tests for the three views_api trigger points that publish fee config
-to ATMs via fee_transport (aiolabs/satmachineadmin#39 Layer 2):
-
-1. api_create_machine — publish always after create (so ATM unblocks
-   past `awaiting-fees` maintenance, even with default 0/0 operator
-   fees that produce a super-only payload)
-2. api_update_machine — publish only when either operator fee fraction
-   changes (skip on name/location/wallet_id/is_active-only edits)
-3. api_update_super_config — publish to every active machine when
-   either super fraction changes, signed by each machine's operator
-
-Tests monkeypatch `views_api.publish_fee_config` with a recording stub
-to verify the trigger fired (or not) and what arguments it received.
-The publisher itself is exercised by test_fee_transport.py — these
-tests are about the wiring.
-"""
-
-import asyncio
-from datetime import datetime
-
-from .. import views_api
-from ..models import CreateMachineData, Machine, SuperConfig, UpdateMachineData
-
-_NOW = datetime(2026, 6, 1, 12, 0, 0)
-_ATM_PUBKEY_HEX = (
-    "522a4538f1df96508d9ee8b14072344dd4a566acfe03c25a92a39179c6fca891"
-)
-_OP_USER_ID = "ac35c9fc842f40f0a0e9809347cd24d1"
-
-
-def _machine(
-    machine_id: str = "m1",
-    npub: str = _ATM_PUBKEY_HEX,
-    op_in: float = 0.0,
-    op_out: float = 0.0,
-    operator_user_id: str = _OP_USER_ID,
-) -> Machine:
-    return Machine(
-        id=machine_id,
-        operator_user_id=operator_user_id,
-        machine_npub=npub,
-        wallet_id="w1",
-        name=f"machine-{machine_id}",
-        location=None,
-        fiat_code="EUR",
-        is_active=True,
-        operator_cash_in_fee_fraction=op_in,
-        operator_cash_out_fee_fraction=op_out,
-        created_at=_NOW,
-        updated_at=_NOW,
-    )
-
-
-def _super(in_frac: float = 0.03, out_frac: float = 0.03) -> SuperConfig:
-    return SuperConfig(
-        id="default",
-        super_cash_in_fee_fraction=in_frac,
-        super_cash_out_fee_fraction=out_frac,
-        super_fee_wallet_id="super-wallet",
-        updated_at=_NOW,
-    )
-
-
-class _PublishRecorder:
-    """Records every (machine.id, super_in, super_out, operator) tuple
-    publish_fee_config was called with. Drop-in stub for monkeypatching
-    `views_api.publish_fee_config`."""
-
-    def __init__(self):
-        self.calls: list[tuple[str, float, float, float, float, str]] = []
-
-    async def __call__(self, machine, super_config, operator_user_id):
-        self.calls.append(
-            (
-                machine.id,
-                float(super_config.super_cash_in_fee_fraction),
-                float(super_config.super_cash_out_fee_fraction),
-                float(machine.operator_cash_in_fee_fraction),
-                float(machine.operator_cash_out_fee_fraction),
-                operator_user_id,
-            )
-        )
-        return {"id": f"evt_{machine.id}", "kind": 30078}
-
-
-# ---------------------------------------------------------------------------
-# Trigger 1: api_create_machine
-# ---------------------------------------------------------------------------
-
-
-class TestCreateMachineTrigger:
-    def test_publishes_on_create_with_default_operator_fees(self, monkeypatch):
-        """Default 0/0 operator fees — payload carries super-only totals.
-        Publish fires anyway so the ATM gets initial config and can
-        boot past maintenance."""
-        recorder = _PublishRecorder()
-        machine = _machine(op_in=0.0, op_out=0.0)
-
-        async def fake_assert_wallet(*args, **kwargs):
-            return None
-
-        async def fake_assert_collision(*args, **kwargs):
-            return None
-
-        async def fake_assert_fee_cap(*args, **kwargs):
-            return None
-
-        async def fake_create_machine(user_id, data):
-            return machine
-
-        async def fake_get_super():
-            return _super()
-
-        monkeypatch.setattr(views_api, "_assert_wallet_owned_by", fake_assert_wallet)
-        monkeypatch.setattr(views_api, "_assert_no_pubkey_collision", fake_assert_collision)
-        monkeypatch.setattr(views_api, "_assert_machine_fee_cap_safe", fake_assert_fee_cap)
-        monkeypatch.setattr(views_api, "create_machine", fake_create_machine)
-        monkeypatch.setattr(views_api, "get_super_config", fake_get_super)
-        monkeypatch.setattr(views_api, "publish_fee_config", recorder)
-
-        # Build a CreateMachineData + fake User and invoke the endpoint.
-        from types import SimpleNamespace
-
-        data = CreateMachineData(
-            machine_npub=_ATM_PUBKEY_HEX,
-            wallet_id="w1",
-            name="sintra",
-        )
-        user = SimpleNamespace(id=_OP_USER_ID)
-        result = asyncio.run(views_api.api_create_machine(data=data, user=user))
-
-        assert result is machine
-        assert len(recorder.calls) == 1
-        assert recorder.calls[0] == ("m1", 0.03, 0.03, 0.0, 0.0, _OP_USER_ID)
-
-    def test_publishes_on_create_with_nonzero_operator_fees(self, monkeypatch):
-        recorder = _PublishRecorder()
-        machine = _machine(op_in=0.05, op_out=0.05)
-
-        async def passthrough(*args, **kwargs):
-            return None
-
-        async def fake_create_machine(user_id, data):
-            return machine
-
-        async def fake_get_super():
-            return _super(0.03, 0.03)
-
-        monkeypatch.setattr(views_api, "_assert_wallet_owned_by", passthrough)
-        monkeypatch.setattr(views_api, "_assert_no_pubkey_collision", passthrough)
-        monkeypatch.setattr(views_api, "_assert_machine_fee_cap_safe", passthrough)
-        monkeypatch.setattr(views_api, "create_machine", fake_create_machine)
-        monkeypatch.setattr(views_api, "get_super_config", fake_get_super)
-        monkeypatch.setattr(views_api, "publish_fee_config", recorder)
-
-        from types import SimpleNamespace
-
-        data = CreateMachineData(
-            machine_npub=_ATM_PUBKEY_HEX,
-            wallet_id="w1",
-            operator_cash_in_fee_fraction=0.05,
-            operator_cash_out_fee_fraction=0.05,
-        )
-        user = SimpleNamespace(id=_OP_USER_ID)
-        asyncio.run(views_api.api_create_machine(data=data, user=user))
-
-        assert recorder.calls == [("m1", 0.03, 0.03, 0.05, 0.05, _OP_USER_ID)]
-
-    def test_no_super_config_skips_publish(self, monkeypatch):
-        """If the super-config singleton is missing (impossible in
-        practice since m001 inserts it), skip the publish rather than
-        crash the create. Machine still created."""
-        recorder = _PublishRecorder()
-        machine = _machine()
-
-        async def passthrough(*args, **kwargs):
-            return None
-
-        async def fake_create_machine(user_id, data):
-            return machine
-
-        async def fake_get_super():
-            return None
-
-        monkeypatch.setattr(views_api, "_assert_wallet_owned_by", passthrough)
-        monkeypatch.setattr(views_api, "_assert_no_pubkey_collision", passthrough)
-        monkeypatch.setattr(views_api, "_assert_machine_fee_cap_safe", passthrough)
-        monkeypatch.setattr(views_api, "create_machine", fake_create_machine)
-        monkeypatch.setattr(views_api, "get_super_config", fake_get_super)
-        monkeypatch.setattr(views_api, "publish_fee_config", recorder)
-
-        from types import SimpleNamespace
-
-        data = CreateMachineData(machine_npub=_ATM_PUBKEY_HEX, wallet_id="w1")
-        user = SimpleNamespace(id=_OP_USER_ID)
-        result = asyncio.run(views_api.api_create_machine(data=data, user=user))
-
-        assert result is machine
-        assert recorder.calls == []
-
-
-# ---------------------------------------------------------------------------
-# Trigger 2: api_update_machine
-# ---------------------------------------------------------------------------
-
-
-def _wire_update_machine_patches(
-    monkeypatch, existing_machine, updated_machine, recorder
-):
-    """Common setup for api_update_machine tests."""
-
-    async def passthrough(*args, **kwargs):
-        return None
-
-    async def fake_get_machine(machine_id):
-        return existing_machine
-
-    async def fake_update_machine(machine_id, data):
-        return updated_machine
-
-    async def fake_get_super():
-        return _super(0.03, 0.03)
-
-    monkeypatch.setattr(views_api, "_assert_wallet_owned_by", passthrough)
-    monkeypatch.setattr(views_api, "_assert_machine_fee_cap_safe", passthrough)
-    monkeypatch.setattr(views_api, "get_machine", fake_get_machine)
-    monkeypatch.setattr(views_api, "update_machine", fake_update_machine)
-    monkeypatch.setattr(views_api, "get_super_config", fake_get_super)
-    monkeypatch.setattr(views_api, "publish_fee_config", recorder)
-
-
-class TestUpdateMachineTrigger:
-    def test_publishes_when_operator_cash_in_changes(self, monkeypatch):
-        recorder = _PublishRecorder()
-        existing = _machine(op_in=0.05, op_out=0.05)
-        updated = _machine(op_in=0.07, op_out=0.05)
-        _wire_update_machine_patches(monkeypatch, existing, updated, recorder)
-
-        from types import SimpleNamespace
-
-        data = UpdateMachineData(operator_cash_in_fee_fraction=0.07)
-        user = SimpleNamespace(id=_OP_USER_ID)
-        asyncio.run(
-            views_api.api_update_machine(machine_id="m1", data=data, user=user)
-        )
-
-        assert len(recorder.calls) == 1
-        assert recorder.calls[0] == ("m1", 0.03, 0.03, 0.07, 0.05, _OP_USER_ID)
-
-    def test_publishes_when_operator_cash_out_changes(self, monkeypatch):
-        recorder = _PublishRecorder()
-        existing = _machine(op_in=0.05, op_out=0.05)
-        updated = _machine(op_in=0.05, op_out=0.08)
-        _wire_update_machine_patches(monkeypatch, existing, updated, recorder)
-
-        from types import SimpleNamespace
-
-        data = UpdateMachineData(operator_cash_out_fee_fraction=0.08)
-        user = SimpleNamespace(id=_OP_USER_ID)
-        asyncio.run(
-            views_api.api_update_machine(machine_id="m1", data=data, user=user)
-        )
-
-        assert len(recorder.calls) == 1
-        assert recorder.calls[0] == ("m1", 0.03, 0.03, 0.05, 0.08, _OP_USER_ID)
-
-    def test_no_publish_when_only_name_changes(self, monkeypatch):
-        """Name / location / fiat_code / is_active / wallet_id changes
-        don't affect the fee model the ATM enforces — skip the
-        republish to avoid relay churn."""
-        recorder = _PublishRecorder()
-        existing = _machine()
-        updated = _machine()  # same fees
-        _wire_update_machine_patches(monkeypatch, existing, updated, recorder)
-
-        from types import SimpleNamespace
-
-        data = UpdateMachineData(name="new name")
-        user = SimpleNamespace(id=_OP_USER_ID)
-        asyncio.run(
-            views_api.api_update_machine(machine_id="m1", data=data, user=user)
-        )
-
-        assert recorder.calls == []
-
-    def test_no_publish_when_only_is_active_changes(self, monkeypatch):
-        recorder = _PublishRecorder()
-        _wire_update_machine_patches(monkeypatch, _machine(), _machine(), recorder)
-
-        from types import SimpleNamespace
-
-        data = UpdateMachineData(is_active=False)
-        user = SimpleNamespace(id=_OP_USER_ID)
-        asyncio.run(
-            views_api.api_update_machine(machine_id="m1", data=data, user=user)
-        )
-
-        assert recorder.calls == []
-
-
-# ---------------------------------------------------------------------------
-# Trigger 3: api_update_super_config
-# ---------------------------------------------------------------------------
-
-
-class TestSuperConfigUpdateTrigger:
-    def test_publishes_to_every_active_machine_on_super_fraction_change(
-        self, monkeypatch
-    ):
-        """A super-fee change ripples to every active machine since each
-        machine's total = super + machine.operator. Republish per-machine
-        with that machine's operator as the signer (machines owned by
-        different operators sign with different keys)."""
-        recorder = _PublishRecorder()
-        new_super = _super(in_frac=0.04, out_frac=0.04)
-
-        machines = [
-            _machine(machine_id="m1", operator_user_id="op_A"),
-            _machine(machine_id="m2", operator_user_id="op_B", op_in=0.05, op_out=0.07),
-            _machine(machine_id="m3", operator_user_id="op_A", op_in=0.02, op_out=0.02),
-        ]
-
-        async def fake_assert_cap(*args, **kwargs):
-            return None
-
-        async def fake_update_super(data):
-            return new_super
-
-        async def fake_list_active():
-            return machines
-
-        monkeypatch.setattr(
-            views_api, "_assert_super_config_cap_safe", fake_assert_cap
-        )
-        monkeypatch.setattr(views_api, "update_super_config", fake_update_super)
-        monkeypatch.setattr(
-            views_api, "list_all_active_machines", fake_list_active
-        )
-        monkeypatch.setattr(views_api, "publish_fee_config", recorder)
-
-        from types import SimpleNamespace
-        from ..models import UpdateSuperConfigData
-
-        data = UpdateSuperConfigData(super_cash_in_fee_fraction=0.04)
-        user = SimpleNamespace(id="super_admin")
-        asyncio.run(views_api.api_update_super_config(data=data, _user=user))
-
-        assert len(recorder.calls) == 3
-        # Verify each call carries the NEW super fractions + that
-        # machine's operator + own fees
-        assert recorder.calls[0] == ("m1", 0.04, 0.04, 0.0, 0.0, "op_A")
-        assert recorder.calls[1] == ("m2", 0.04, 0.04, 0.05, 0.07, "op_B")
-        assert recorder.calls[2] == ("m3", 0.04, 0.04, 0.02, 0.02, "op_A")
-
-    def test_no_publish_when_only_wallet_id_changes(self, monkeypatch):
-        """Changing super_fee_wallet_id without touching either fraction
-        doesn't affect any ATM's fee model — skip the fleet-wide
-        republish."""
-        recorder = _PublishRecorder()
-        new_super = _super(in_frac=0.03, out_frac=0.03)
-
-        async def fake_assert_cap(*args, **kwargs):
-            return None
-
-        async def fake_update_super(data):
-            return new_super
-
-        async def fake_list_active():
-            raise AssertionError(
-                "list_all_active_machines should not be called when "
-                "no fraction changed"
-            )
-
-        monkeypatch.setattr(
-            views_api, "_assert_super_config_cap_safe", fake_assert_cap
-        )
-        monkeypatch.setattr(views_api, "update_super_config", fake_update_super)
-        monkeypatch.setattr(
-            views_api, "list_all_active_machines", fake_list_active
-        )
-        monkeypatch.setattr(views_api, "publish_fee_config", recorder)
-
-        from types import SimpleNamespace
-        from ..models import UpdateSuperConfigData
-
-        data = UpdateSuperConfigData(super_fee_wallet_id="new-wallet")
-        user = SimpleNamespace(id="super_admin")
-        asyncio.run(views_api.api_update_super_config(data=data, _user=user))
-
-        assert recorder.calls == []
diff --git a/tests/test_fee_transport.py b/tests/test_fee_transport.py
deleted file mode 100644
index 58bbf03..0000000
--- a/tests/test_fee_transport.py
+++ /dev/null
@@ -1,325 +0,0 @@
-"""
-Tests for `fee_transport.py` and `models.FeeConfigPayload` —
-Layer 2 of the operator-configurable fee architecture
-(aiolabs/satmachineadmin#39).
-
-Three concerns covered:
-
-1. FeeConfigPayload — validators enforce the locked wire-format
-   invariants (cap ≤ 0.15 per direction, components sum matches totals,
-   schema_version ≥ 1).
-2. `build_fee_payload(super_config, machine)` — composes a payload
-   from current DB rows. Wraps construction + validation in one call.
-3. `publish_fee_config(machine, super_config, operator_user_id)` —
-   soft-fail discipline: transport errors log + return None, hard
-   errors (cap-violating state) propagate.
-"""
-
-from datetime import datetime
-
-import pytest
-
-from .. import fee_transport
-from ..fee_transport import build_fee_payload, publish_fee_config
-from ..models import FeeConfigPayload, FeePayloadComponents, Machine, SuperConfig
-from ..nostr_publish import (
-    OperatorIdentityMissing,
-    RelayUnavailable,
-    SignerUnavailable,
-)
-
-_NOW = datetime(2026, 6, 1, 12, 0, 0)
-_ATM_PUBKEY_HEX = (
-    "522a4538f1df96508d9ee8b14072344dd4a566acfe03c25a92a39179c6fca891"
-)
-
-
-def _machine(op_in: float = 0.05, op_out: float = 0.05) -> Machine:
-    return Machine(
-        id="m1",
-        operator_user_id="op1",
-        machine_npub=_ATM_PUBKEY_HEX,
-        wallet_id="w1",
-        name="sintra",
-        location=None,
-        fiat_code="EUR",
-        is_active=True,
-        operator_cash_in_fee_fraction=op_in,
-        operator_cash_out_fee_fraction=op_out,
-        created_at=_NOW,
-        updated_at=_NOW,
-    )
-
-
-def _super(in_frac: float = 0.03, out_frac: float = 0.03) -> SuperConfig:
-    return SuperConfig(
-        id="default",
-        super_cash_in_fee_fraction=in_frac,
-        super_cash_out_fee_fraction=out_frac,
-        super_fee_wallet_id="super-wallet",
-        updated_at=_NOW,
-    )
-
-
-# ---------------------------------------------------------------------------
-# FeeConfigPayload — wire-format validators
-# ---------------------------------------------------------------------------
-
-
-class TestFeeConfigPayloadValidators:
-    def _components(
-        self, s_in: float = 0.03, s_out: float = 0.03, o_in: float = 0.05, o_out: float = 0.05
-    ) -> FeePayloadComponents:
-        return FeePayloadComponents(
-            super_cash_in=s_in,
-            super_cash_out=s_out,
-            operator_cash_in=o_in,
-            operator_cash_out=o_out,
-        )
-
-    def test_well_formed_payload_accepts(self):
-        payload = FeeConfigPayload(
-            schema_version=1,
-            cash_in_fee_fraction=0.08,
-            cash_out_fee_fraction=0.08,
-            components=self._components(),
-        )
-        assert payload.schema_version == 1
-        assert payload.cash_in_fee_fraction == 0.08
-        assert payload.cash_out_fee_fraction == 0.08
-
-    def test_to_wire_dict_round_trips(self):
-        original = FeeConfigPayload(
-            schema_version=1,
-            cash_in_fee_fraction=0.08,
-            cash_out_fee_fraction=0.1077,
-            components=self._components(o_out=0.0777),
-        )
-        wire = original.to_wire_dict()
-        rebuilt = FeeConfigPayload(**wire)
-        assert rebuilt.cash_in_fee_fraction == 0.08
-        assert rebuilt.cash_out_fee_fraction == 0.1077
-        assert rebuilt.components.operator_cash_out == 0.0777
-
-    def test_cap_violation_cash_in_rejects(self):
-        # cap is 0.15 per direction.
-        with pytest.raises(ValueError, match="fee fraction must be in"):
-            FeeConfigPayload(
-                schema_version=1,
-                cash_in_fee_fraction=0.16,
-                cash_out_fee_fraction=0.08,
-                components=self._components(s_in=0.10, o_in=0.06),
-            )
-
-    def test_cap_violation_cash_out_rejects(self):
-        with pytest.raises(ValueError, match="fee fraction must be in"):
-            FeeConfigPayload(
-                schema_version=1,
-                cash_in_fee_fraction=0.08,
-                cash_out_fee_fraction=0.20,
-                components=self._components(s_out=0.10, o_out=0.10),
-            )
-
-    def test_exact_cap_accepted(self):
-        """0.15 exactly is the upper bound — must accept."""
-        FeeConfigPayload(
-            schema_version=1,
-            cash_in_fee_fraction=0.15,
-            cash_out_fee_fraction=0.15,
-            components=self._components(s_in=0.10, s_out=0.10, o_in=0.05, o_out=0.05),
-        )
-
-    def test_inconsistent_total_vs_components_rejects_cash_in(self):
-        """sum(super_cash_in + operator_cash_in) must equal
-        cash_in_fee_fraction within 1e-6."""
-        with pytest.raises(ValueError, match="cash_in_fee_fraction"):
-            FeeConfigPayload(
-                schema_version=1,
-                cash_in_fee_fraction=0.09,  # claims 9%
-                cash_out_fee_fraction=0.08,
-                components=self._components(),  # actually 0.03 + 0.05 = 0.08
-            )
-
-    def test_inconsistent_total_vs_components_rejects_cash_out(self):
-        with pytest.raises(ValueError, match="cash_out_fee_fraction"):
-            FeeConfigPayload(
-                schema_version=1,
-                cash_in_fee_fraction=0.08,
-                cash_out_fee_fraction=0.10,  # claims 10%
-                components=self._components(),  # actually 0.08
-            )
-
-    def test_schema_version_zero_rejects(self):
-        with pytest.raises(ValueError, match="schema_version must be"):
-            FeeConfigPayload(
-                schema_version=0,
-                cash_in_fee_fraction=0.08,
-                cash_out_fee_fraction=0.08,
-                components=self._components(),
-            )
-
-    def test_zero_fractions_accepted(self):
-        """Free-charge ATM — both super + operator at 0 → totals 0."""
-        FeeConfigPayload(
-            schema_version=1,
-            cash_in_fee_fraction=0.0,
-            cash_out_fee_fraction=0.0,
-            components=self._components(s_in=0.0, s_out=0.0, o_in=0.0, o_out=0.0),
-        )
-
-
-# ---------------------------------------------------------------------------
-# build_fee_payload — composition from SuperConfig + Machine
-# ---------------------------------------------------------------------------
-
-
-class TestBuildFeePayload:
-    def test_basic_composition(self):
-        payload = build_fee_payload(_super(0.03, 0.03), _machine(0.05, 0.05))
-        assert payload.cash_in_fee_fraction == 0.08
-        assert payload.cash_out_fee_fraction == 0.08
-        assert payload.components.super_cash_in == 0.03
-        assert payload.components.operator_cash_in == 0.05
-
-    def test_different_directions(self):
-        """Cash-in and cash-out can differ — payload preserves both."""
-        payload = build_fee_payload(_super(0.03, 0.05), _machine(0.0333, 0.0777))
-        assert payload.cash_in_fee_fraction == 0.0633
-        assert payload.cash_out_fee_fraction == 0.1277
-
-    def test_super_only_no_operator(self):
-        """Pre-Layer-2 default — machine has 0/0 operator fees; payload
-        carries super-only totals. This is the 'publish on machine create'
-        path's expected shape."""
-        payload = build_fee_payload(_super(0.03, 0.03), _machine(0.0, 0.0))
-        assert payload.cash_in_fee_fraction == 0.03
-        assert payload.cash_out_fee_fraction == 0.03
-
-    def test_cap_violation_at_build_time_raises(self):
-        """If the API guards were bypassed and the DB has a cap-violating
-        state, build_fee_payload refuses rather than ship a bad payload."""
-        with pytest.raises(ValueError, match="fee fraction must be in"):
-            build_fee_payload(_super(0.10, 0.03), _machine(0.10, 0.0))
-            # 0.10 + 0.10 = 0.20 > 0.15
-
-
-# ---------------------------------------------------------------------------
-# publish_fee_config — soft-fail discipline
-# ---------------------------------------------------------------------------
-
-
-class TestPublishFeeConfigSoftFail:
-    def test_relay_unavailable_returns_none_logs_warning(
-        self, monkeypatch, loguru_capture
-    ):
-        async def fake_publish(**kwargs):
-            raise RelayUnavailable("nostrclient extension is not installed")
-
-        monkeypatch.setattr(
-            fee_transport, "publish_encrypted_kind_30078", fake_publish
-        )
-        import asyncio
-
-        result = asyncio.run(publish_fee_config(_machine(), _super(), "op1"))
-        assert result is None
-        assert any(
-            "soft-fail" in m and "RelayUnavailable" in m for m in loguru_capture
-        )
-
-    def test_signer_unavailable_returns_none_logs_warning(
-        self, monkeypatch, loguru_capture
-    ):
-        async def fake_publish(**kwargs):
-            raise SignerUnavailable("bunker unreachable")
-
-        monkeypatch.setattr(
-            fee_transport, "publish_encrypted_kind_30078", fake_publish
-        )
-        import asyncio
-
-        result = asyncio.run(publish_fee_config(_machine(), _super(), "op1"))
-        assert result is None
-        assert any(
-            "soft-fail" in m and "SignerUnavailable" in m for m in loguru_capture
-        )
-
-    def test_operator_identity_missing_returns_none_logs_warning(
-        self, monkeypatch, loguru_capture
-    ):
-        """OperatorIdentityMissing is a NostrPublishError but not a
-        transport one — currently soft-fails at the same layer. The
-        caller may want to convert this to HTTP 400 in future if the
-        operator-facing UX needs a hard signal, but v1 keeps it soft
-        because a partially-onboarded operator shouldn't crash machine
-        create."""
-
-        async def fake_publish(**kwargs):
-            raise OperatorIdentityMissing("no pubkey on file")
-
-        monkeypatch.setattr(
-            fee_transport, "publish_encrypted_kind_30078", fake_publish
-        )
-        import asyncio
-
-        result = asyncio.run(publish_fee_config(_machine(), _super(), "op1"))
-        assert result is None
-
-    def test_publish_success_returns_signed_event(self, monkeypatch):
-        signed = {
-            "id": "ev1",
-            "kind": 30078,
-            "pubkey": "op_pubkey",
-            "content": "ciphertext",
-            "tags": [["d", f"bitspire-fees:{_ATM_PUBKEY_HEX}"], ["p", _ATM_PUBKEY_HEX]],
-            "created_at": 1780000000,
-            "sig": "ff" * 32,
-        }
-
-        captured = {}
-
-        async def fake_publish(**kwargs):
-            captured.update(kwargs)
-            return signed
-
-        monkeypatch.setattr(
-            fee_transport, "publish_encrypted_kind_30078", fake_publish
-        )
-        import asyncio
-
-        result = asyncio.run(publish_fee_config(_machine(), _super(), "op1"))
-        assert result is signed
-        # Verify d-tag matches the locked spec
-        assert captured["d_tag"] == f"bitspire-fees:{_ATM_PUBKEY_HEX}"
-        assert captured["recipient_pubkey_hex"] == _ATM_PUBKEY_HEX
-        # Payload shape carries components per the §14:25Z lock
-        payload = captured["payload"]
-        assert payload["schema_version"] == 1
-        assert payload["cash_in_fee_fraction"] == 0.08
-        assert "components" in payload
-
-    def test_cap_violation_raises_does_not_soft_fail(self, monkeypatch):
-        """build_fee_payload raises ValueError at construction time on
-        cap-violating state. That's a hard configuration error (API
-        guards bypassed), not a transient transport issue, so it
-        propagates. publish_encrypted_kind_30078 is never reached."""
-
-        called = {"count": 0}
-
-        async def fake_publish(**kwargs):
-            called["count"] += 1
-            return {}
-
-        monkeypatch.setattr(
-            fee_transport, "publish_encrypted_kind_30078", fake_publish
-        )
-        import asyncio
-
-        with pytest.raises(ValueError, match="fee fraction must be in"):
-            asyncio.run(
-                publish_fee_config(
-                    _machine(op_in=0.10, op_out=0.0),
-                    _super(in_frac=0.10, out_frac=0.0),
-                    "op1",
-                )
-            )
-        assert called["count"] == 0
diff --git a/tests/test_operator_split_legs.py b/tests/test_operator_split_legs.py
deleted file mode 100644
index 1e0bbca..0000000
--- a/tests/test_operator_split_legs.py
+++ /dev/null
@@ -1,150 +0,0 @@
-"""
-Tests for `allocate_operator_split_legs` (operator's commission-leg
-distribution) and the partial-dispense ratio math in
-`apply_partial_dispense_and_redistribute`.
-
-Both are split-arithmetic concerns that survive the post-#38
-principal-based-math refactor:
-
-  - `allocate_operator_split_legs` slices the operator's share across
-    their commission legs by their per-leg fractions. Function-level,
-    no fee-model coupling.
-  - Partial-dispense ratio math (in distribution.py) preserves the
-    ORIGINAL platform/operator ratio recorded against a settlement at
-    land time when an operator partial-dispenses post-hoc. The ratio
-    comes from the absolute platform_fee_sats / fee_sats recorded on
-    the settlement row, NOT the current super-config fractions — the
-    contract is locked at landing.
-
-Pre-#38 tests for `split_two_stage_commission` lived here; that
-function was removed when the principal-based math landed
-(aiolabs/satmachineadmin#38).
-"""
-
-import pytest
-
-from ..calculations import allocate_operator_split_legs
-
-
-class TestAllocateOperatorSplitLegs:
-    """Operator's remaining share split into commission legs by fraction."""
-
-    def test_plan_example_50_30_20_on_70(self):
-        amounts = allocate_operator_split_legs(70, [0.5, 0.3, 0.2])
-        assert amounts == [35, 21, 14]
-
-    def test_realistic_50_30_20_on_5575(self):
-        amounts = allocate_operator_split_legs(5575, [0.5, 0.3, 0.2])
-        # Plan-scale: 5575 * (0.5, 0.3, 0.2) = (2787.5, 1672.5, 1115)
-        # Last leg absorbs rounding remainders so sum == 5575 exactly.
-        assert sum(amounts) == 5575
-        assert amounts[0] == round(5575 * 0.5)
-        assert amounts[1] == round(5575 * 0.3)
-        # Last leg absorbs the remainder.
-        assert amounts[2] == 5575 - amounts[0] - amounts[1]
-
-    def test_single_leg_full_remainder(self):
-        amounts = allocate_operator_split_legs(7965, [1.0])
-        assert amounts == [7965]
-
-    def test_zero_operator_fee_zeros_all_legs(self):
-        amounts = allocate_operator_split_legs(0, [0.5, 0.3, 0.2])
-        assert amounts == [0, 0, 0]
-
-    def test_empty_legs_list_returns_empty(self):
-        amounts = allocate_operator_split_legs(100, [])
-        assert amounts == []
-
-    def test_last_leg_absorbs_rounding_remainder(self):
-        # 100 sats split [1/3, 1/3, 1/3] — last leg absorbs the +1 remainder.
-        amounts = allocate_operator_split_legs(100, [1 / 3, 1 / 3, 1 / 3])
-        assert sum(amounts) == 100
-        assert amounts[0] == round(100 / 3)  # 33
-        assert amounts[1] == round(100 / 3)  # 33
-        # Last leg absorbs the rounding (34, not 33) so total == 100.
-        assert amounts[2] == 100 - amounts[0] - amounts[1]
-
-    @pytest.mark.parametrize(
-        "operator_fee,fractions",
-        [
-            (1, [0.5, 0.5]),
-            (7, [0.5, 0.3, 0.2]),
-            (100, [0.5, 0.5]),
-            (5575, [0.5, 0.3, 0.2]),
-            (1_000_000, [0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1]),
-        ],
-    )
-    def test_invariant_sum_equals_operator_fee(self, operator_fee, fractions):
-        amounts = allocate_operator_split_legs(operator_fee, fractions)
-        assert sum(amounts) == operator_fee
-        assert all(a >= 0 for a in amounts)
-
-
-class TestPartialDispenseSplitRatio:
-    """Partial-dispense recompute (closes #11 H6) must preserve the
-    ORIGINAL platform/operator ratio recorded on the settlement row at
-    land time. Super raising or lowering a global rate post-hoc must
-    NOT retroactively change an existing settlement's share split.
-
-    The math is inlined in `apply_partial_dispense_and_redistribute`
-    (distribution.py) rather than in a standalone function. These tests
-    mirror the inline math so a future refactor doesn't silently change
-    the invariant.
-    """
-
-    def _recompute(self, original_fee, original_platform_fee, new_fee):
-        """Mirror of the ratio math in apply_partial_dispense_and_redistribute."""
-        if original_fee > 0:
-            ratio = original_platform_fee / original_fee
-        else:
-            ratio = 0.0
-        new_platform = round(new_fee * ratio)
-        new_platform = max(0, min(new_platform, new_fee))
-        new_operator = new_fee - new_platform
-        return new_platform, new_operator
-
-    def test_30pct_lands_then_partial(self):
-        # Landed at platform ratio 30/100 = 0.30; new fee = 50.
-        # Original ratio preserved → new_platform = round(50 * 0.30) = 15.
-        new_platform, new_operator = self._recompute(100, 30, 50)
-        assert new_platform == 15
-        assert new_operator == 35
-        assert new_platform + new_operator == 50
-
-    def test_super_changed_rate_doesnt_affect_existing_settlement(self):
-        # Landed with platform=2390, fee=7965 (ratio ≈ 0.30). Super then
-        # bumps the global rate to 50%. Operator partial-dispenses to
-        # 50% gross → new_fee = round(7965 * 0.5) = 3982. The 30% ratio
-        # at land time MUST persist regardless of the new super rate.
-        new_platform, new_operator = self._recompute(7965, 2390, 3982)
-        # Expected with original ratio: round(3982 * 0.30006...) = 1195
-        # With (broken) current rate of 50%: would be 1991 — much higher.
-        assert 1190 <= new_platform <= 1200
-        assert new_platform + new_operator == 3982
-        # Original platform share was ~30%; preserved within rounding.
-        assert abs(new_platform / 3982 - 2390 / 7965) < 0.001
-
-    def test_zero_original_fee_yields_zero_platform(self):
-        new_platform, new_operator = self._recompute(0, 0, 0)
-        assert new_platform == 0
-        assert new_operator == 0
-
-    def test_invariant_sum_equals_new_fee(self):
-        # Random-ish parameter sweep over realistic values.
-        cases = [
-            (100, 30, 50),
-            (100, 0, 50),       # original platform_fee was 0
-            (100, 100, 50),     # original platform_fee was full fee
-            (7965, 2390, 3982),
-            (7965, 7965, 3982),
-            (1_000_000, 333_333, 250_000),
-        ]
-        for orig_comm, orig_plat, new_comm in cases:
-            new_platform, new_operator = self._recompute(
-                orig_comm, orig_plat, new_comm
-            )
-            assert new_platform + new_operator == new_comm, (
-                f"sum invariant violated: {orig_comm=} {orig_plat=} "
-                f"{new_comm=} → {new_platform=} {new_operator=}"
-            )
-            assert 0 <= new_platform <= new_comm
diff --git a/tests/test_principal_based_fees.py b/tests/test_principal_based_fees.py
deleted file mode 100644
index ebdd040..0000000
--- a/tests/test_principal_based_fees.py
+++ /dev/null
@@ -1,270 +0,0 @@
-"""
-Tests for the post-#38 principal-based fee split:
-
-  - `calculations.split_principal_based(principal_sats, super_frac,
-    operator_frac)` — pure-function math
-  - `bitspire.parse_settlement` — directional dispatch by tx_type
-    ("cash_in" → super_cash_in + operator_cash_in;
-     "cash_out" → super_cash_out + operator_cash_out)
-
-The bug this layer closes: pre-#38 math interpreted super_fee_fraction
-as fraction-of-fee instead of fraction-of-principal, under-paying the
-super by ~13× per cashout. Tests below pin the new math to the
-intended fraction-of-principal model and verify the per-direction
-routing through parse_settlement.
-
-Fee mismatch recording (`fee_mismatch_sats` column, Phase 1
-observability per coord-log §2026-06-01T07:00Z) lands in the next
-commit; those tests live in `test_fee_mismatch_recording.py`.
-"""
-
-from datetime import datetime
-
-import pytest
-
-from ..bitspire import SettlementInvariantError, parse_settlement
-from ..calculations import split_principal_based
-from ..models import Machine, SuperConfig
-
-
-# ---------------------------------------------------------------------------
-# split_principal_based — pure-function math
-# ---------------------------------------------------------------------------
-
-
-class TestSplitPrincipalBased:
-    def test_super_fraction_only(self):
-        """Operator at 0% — super takes exactly super_frac of principal,
-        operator gets 0."""
-        platform, operator = split_principal_based(100_000, 0.03, 0.0)
-        assert platform == 3_000
-        assert operator == 0
-
-    def test_operator_fraction_only(self):
-        """Super at 0% — operator takes exactly operator_frac of
-        principal, platform gets 0."""
-        platform, operator = split_principal_based(100_000, 0.0, 0.05)
-        assert platform == 0
-        assert operator == 5_000
-
-    def test_both_fractions(self):
-        """Both shares independently computed against principal — total
-        is super + operator, not anchored to any fee_sats input."""
-        platform, operator = split_principal_based(100_000, 0.03, 0.05)
-        assert platform == 3_000
-        assert operator == 5_000
-
-    def test_zero_principal_yields_zero_shares(self):
-        platform, operator = split_principal_based(0, 0.03, 0.05)
-        assert platform == 0
-        assert operator == 0
-
-    def test_negative_principal_yields_zero_shares(self):
-        """Defensive: negative principal can't happen in production but
-        the function should not produce negative outputs if it ever does."""
-        platform, operator = split_principal_based(-100, 0.03, 0.05)
-        assert platform == 0
-        assert operator == 0
-
-    def test_rounding_does_not_compound(self):
-        """The two shares round independently — there is no carryover.
-        On a 1_000_000-sat principal with super=0.0333, operator=0.0777,
-        each share rounds against principal individually."""
-        platform, operator = split_principal_based(1_000_000, 0.0333, 0.0777)
-        assert platform == round(1_000_000 * 0.0333)  # 33_300
-        assert operator == round(1_000_000 * 0.0777)  # 77_700
-
-    def test_super_frac_out_of_range_raises(self):
-        with pytest.raises(ValueError, match="super_frac"):
-            split_principal_based(100_000, 1.5, 0.0)
-        with pytest.raises(ValueError, match="super_frac"):
-            split_principal_based(100_000, -0.1, 0.0)
-
-    def test_operator_frac_out_of_range_raises(self):
-        with pytest.raises(ValueError, match="operator_frac"):
-            split_principal_based(100_000, 0.0, 1.5)
-        with pytest.raises(ValueError, match="operator_frac"):
-            split_principal_based(100_000, 0.0, -0.1)
-
-    def test_super_under_payment_bug_regression(self):
-        """Direct regression test for the bug this layer closes.
-
-        Pre-#38 math (deleted): `round(fee_sats * super_fraction)` with
-        fee_sats=8_000 (= 8% of 100_000 principal) and super_fraction=0.03
-        produced platform_fee_sats=240 — ~13× below intent.
-
-        Post-#38 math: split_principal_based(100_000, 0.03, 0.05) gives
-        platform=3_000, which IS the intended 3% of principal."""
-        platform, operator = split_principal_based(100_000, 0.03, 0.05)
-        # Post-#38: super gets intended 3% of principal (3_000 sats)
-        # Pre-#38 would have produced ~240 sats from round(8000 * 0.03).
-        assert platform == 3_000
-
-
-# ---------------------------------------------------------------------------
-# parse_settlement — directional dispatch via tx_type
-# ---------------------------------------------------------------------------
-
-
-def _bitspire_extra(
-    *,
-    tx_type: str = "cash_out",
-    principal_sats: int = 100_000,
-    fee_sats: int = 8_000,
-    exchange_rate: float = 0.00001,
-    fiat_amount: float = 100.0,
-    currency: str = "EUR",
-    nostr_sender_pubkey: str = "a" * 64,
-    extra_overrides: dict | None = None,
-):
-    """Canonical bitspire-stamped Payment.extra dict for tests. Mirrors
-    the shape required by `is_bitspire_payment` + the canonical sat-
-    amount invariants in `_assert_sat_invariants`."""
-    base = {
-        "source": "bitspire",
-        "type": tx_type,
-        "principal_sats": principal_sats,
-        "fee_sats": fee_sats,
-        "fee_fraction": fee_sats / principal_sats if principal_sats else 0.0,
-        "exchange_rate": exchange_rate,
-        "fiat_amount": fiat_amount,
-        "currency": currency,
-        "txid": "fake-txid",
-        "nostr_sender_pubkey": nostr_sender_pubkey,
-    }
-    if extra_overrides:
-        base.update(extra_overrides)
-    return base
-
-
-_NOW = datetime(2026, 6, 1, 12, 0, 0)
-
-
-def _machine(
-    machine_id: str = "m1",
-    machine_npub: str = "a" * 64,
-    op_in: float = 0.0,
-    op_out: float = 0.0,
-    fiat_code: str = "EUR",
-) -> Machine:
-    return Machine(
-        id=machine_id,
-        operator_user_id="op1",
-        machine_npub=machine_npub,
-        wallet_id="w1",
-        name="Test",
-        location=None,
-        fiat_code=fiat_code,
-        is_active=True,
-        operator_cash_in_fee_fraction=op_in,
-        operator_cash_out_fee_fraction=op_out,
-        created_at=_NOW,
-        updated_at=_NOW,
-    )
-
-
-def _super_config(in_frac: float = 0.0, out_frac: float = 0.0) -> SuperConfig:
-    return SuperConfig(
-        id="default",
-        super_cash_in_fee_fraction=in_frac,
-        super_cash_out_fee_fraction=out_frac,
-        super_fee_wallet_id="super-wallet",
-        updated_at=_NOW,
-    )
-
-
-class TestParseSettlementDirectional:
-    def test_cash_out_uses_cash_out_fractions(self):
-        """tx_type='cash_out' must route to super_cash_out +
-        operator_cash_out fractions."""
-        machine = _machine(op_in=0.10, op_out=0.05)
-        super_cfg = _super_config(in_frac=0.10, out_frac=0.03)
-        extra = _bitspire_extra(tx_type="cash_out", principal_sats=100_000)
-
-        data = parse_settlement(
-            machine=machine,
-            payment_hash="ph1",
-            wire_sats=108_000,
-            extra=extra,
-            super_config=super_cfg,
-        )
-        # super_cash_out=0.03, operator_cash_out=0.05 against 100_000 principal
-        assert data.platform_fee_sats == 3_000
-        assert data.operator_fee_sats == 5_000
-        assert data.tx_type == "cash_out"
-
-    def test_cash_in_uses_cash_in_fractions(self):
-        """tx_type='cash_in' must route to super_cash_in +
-        operator_cash_in fractions (not cash_out)."""
-        machine = _machine(op_in=0.04, op_out=0.10)
-        super_cfg = _super_config(in_frac=0.02, out_frac=0.10)
-        extra = _bitspire_extra(tx_type="cash_in", principal_sats=100_000)
-
-        # cash-in wire invariant: wire = principal - fee
-        data = parse_settlement(
-            machine=machine,
-            payment_hash="ph2",
-            wire_sats=92_000,
-            extra=extra,
-            super_config=super_cfg,
-        )
-        # super_cash_in=0.02, operator_cash_in=0.04 against 100_000 principal
-        assert data.platform_fee_sats == 2_000
-        assert data.operator_fee_sats == 4_000
-        assert data.tx_type == "cash_in"
-
-    def test_unknown_tx_type_raises(self):
-        machine = _machine()
-        super_cfg = _super_config()
-        extra = _bitspire_extra(
-            tx_type="cash_out",
-            extra_overrides={"type": "withdrawal"},  # not a known direction
-        )
-        with pytest.raises(SettlementInvariantError, match="unknown tx_type"):
-            parse_settlement(
-                machine=machine,
-                payment_hash="ph3",
-                wire_sats=108_000,
-                extra=extra,
-                super_config=super_cfg,
-            )
-
-    def test_zero_fractions_zero_split(self):
-        """Free-charge ATM: both super + operator at 0 → platform and
-        operator fees are both 0, principal is the full take."""
-        machine = _machine(op_in=0.0, op_out=0.0)
-        super_cfg = _super_config(in_frac=0.0, out_frac=0.0)
-        extra = _bitspire_extra(
-            tx_type="cash_out", principal_sats=100_000, fee_sats=0
-        )
-
-        data = parse_settlement(
-            machine=machine,
-            payment_hash="ph4",
-            wire_sats=100_000,
-            extra=extra,
-            super_config=super_cfg,
-        )
-        assert data.platform_fee_sats == 0
-        assert data.operator_fee_sats == 0
-        assert data.principal_sats == 100_000
-
-    def test_cash_in_does_not_use_cash_out_config(self):
-        """Cross-direction guard: cash-in must NOT pick up cash-out's
-        super or operator fractions even when they're set differently.
-        Pin both directions concretely to prove the dispatch."""
-        machine = _machine(op_in=0.01, op_out=0.10)
-        super_cfg = _super_config(in_frac=0.01, out_frac=0.10)
-        extra = _bitspire_extra(tx_type="cash_in", principal_sats=100_000)
-
-        # cash-in wire invariant: wire = principal - fee
-        data = parse_settlement(
-            machine=machine,
-            payment_hash="ph5",
-            wire_sats=92_000,
-            extra=extra,
-            super_config=super_cfg,
-        )
-        # Cash-in totals = 0.01 + 0.01 = 0.02; not 0.10 + 0.10 = 0.20
-        assert data.platform_fee_sats == 1_000  # 100_000 * 0.01
-        assert data.operator_fee_sats == 1_000  # 100_000 * 0.01
diff --git a/tests/test_two_stage_split.py b/tests/test_two_stage_split.py
new file mode 100644
index 0000000..d48cb07
--- /dev/null
+++ b/tests/test_two_stage_split.py
@@ -0,0 +1,214 @@
+"""
+Tests for the v2 two-stage commission split (super first, operator remainder).
+
+The plan calls out a verification scenario explicitly:
+  super_fee_fraction=0.30 (i.e. 30%), operator splits [0.5, 0.3, 0.2] on a
+  100-sat fee → super_wallet gets 30, operator legs get 35 / 21 / 14.
+
+Also covers the edge cases: super_fee_fraction=0.0 (no super takes the
+whole fee), super_fee_fraction=1.0 (super takes everything), single-leg
+operator ruleset, zero operator fee.
+"""
+
+import pytest
+
+from ..calculations import (
+    allocate_operator_split_legs,
+    split_two_stage_commission,
+)
+
+
+class TestSplitTwoStageCommission:
+    """Stage-1: super takes super_fee_fraction of the fee; operator gets rest."""
+
+    def test_plan_example_100sats_30pct(self):
+        platform, operator = split_two_stage_commission(100, 0.30)
+        assert platform == 30
+        assert operator == 70
+        assert platform + operator == 100
+
+    def test_realistic_7965sats_30pct(self):
+        # From the plan's 2000 GTQ → 266800 sats @ 3% commission example.
+        platform, operator = split_two_stage_commission(7965, 0.30)
+        assert platform == 2390  # round(7965 * 0.30) = 2389.5 → 2390
+        assert operator == 5575  # 7965 - 2390
+        assert platform + operator == 7965
+
+    def test_super_fraction_zero_leaves_all_to_operator(self):
+        platform, operator = split_two_stage_commission(7965, 0.0)
+        assert platform == 0
+        assert operator == 7965
+
+    def test_super_fraction_one_takes_everything(self):
+        platform, operator = split_two_stage_commission(7965, 1.0)
+        assert platform == 7965
+        assert operator == 0
+
+    def test_zero_commission(self):
+        platform, operator = split_two_stage_commission(0, 0.30)
+        assert platform == 0
+        assert operator == 0
+
+    def test_negative_commission_clamps_to_zero(self):
+        # Defensive: should never happen, but verify we don't go negative.
+        platform, operator = split_two_stage_commission(-100, 0.30)
+        assert platform == 0
+        assert operator == 0
+
+    @pytest.mark.parametrize("fee_sats", [1, 7, 100, 7965, 1_000_000])
+    @pytest.mark.parametrize("super_fraction", [0.0, 0.1, 0.30, 0.5, 0.777, 1.0])
+    def test_invariant_sum_equals_commission(self, fee_sats, super_fraction):
+        platform, operator = split_two_stage_commission(fee_sats, super_fraction)
+        assert platform + operator == fee_sats
+        assert 0 <= platform <= fee_sats
+        assert 0 <= operator <= fee_sats
+
+
+class TestAllocateOperatorSplitLegs:
+    """Stage-2: operator's remainder split across N leg wallets per pct rules."""
+
+    def test_plan_example_50_30_20_on_70(self):
+        amounts = allocate_operator_split_legs(70, [0.5, 0.3, 0.2])
+        assert amounts == [35, 21, 14]
+        assert sum(amounts) == 70
+
+    def test_realistic_50_30_20_on_5575(self):
+        amounts = allocate_operator_split_legs(5575, [0.5, 0.3, 0.2])
+        # 50%: round(2787.5) = 2788; 30%: round(1672.5) = 1672; last absorbs
+        # remainder: 5575 - 2788 - 1672 = 1115.
+        # Note: round() uses banker's rounding so 2787.5 → 2788 actually
+        # because 2788 is even. Confirm by total invariant.
+        assert sum(amounts) == 5575
+        assert len(amounts) == 3
+
+    def test_single_leg_full_remainder(self):
+        amounts = allocate_operator_split_legs(100, [1.0])
+        assert amounts == [100]
+
+    def test_zero_operator_fee_zeros_all_legs(self):
+        amounts = allocate_operator_split_legs(0, [0.5, 0.5])
+        assert amounts == [0, 0]
+
+    def test_empty_legs_list_returns_empty(self):
+        amounts = allocate_operator_split_legs(100, [])
+        assert amounts == []
+
+    def test_last_leg_absorbs_rounding_remainder(self):
+        # 100 / 3 ≈ 33.33 each; rounding makes the first two 33 and last 34.
+        amounts = allocate_operator_split_legs(100, [1 / 3, 1 / 3, 1 / 3])
+        assert sum(amounts) == 100
+        assert amounts[0] == round(100 / 3)  # 33
+        assert amounts[1] == round(100 / 3)  # 33
+        # Last leg absorbs the rounding (34, not 33) so total == 100.
+        assert amounts[2] == 100 - amounts[0] - amounts[1]
+
+    @pytest.mark.parametrize(
+        "operator_fee,fractions",
+        [
+            (1, [0.5, 0.5]),
+            (7, [0.5, 0.3, 0.2]),
+            (100, [0.5, 0.5]),
+            (5575, [0.5, 0.3, 0.2]),
+            (1_000_000, [0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1, 0.1]),
+        ],
+    )
+    def test_invariant_sum_equals_operator_fee(self, operator_fee, fractions):
+        amounts = allocate_operator_split_legs(operator_fee, fractions)
+        assert sum(amounts) == operator_fee
+        assert all(a >= 0 for a in amounts)
+
+
+class TestEndToEndScenarios:
+    """The full two-stage split — super then operator legs — composed."""
+
+    def test_plan_example_full(self):
+        # 100 sats fee, super_fee_fraction=0.30, operator splits [0.5, 0.3, 0.2].
+        platform, operator = split_two_stage_commission(100, 0.30)
+        legs = allocate_operator_split_legs(operator, [0.5, 0.3, 0.2])
+        assert platform == 30
+        assert legs == [35, 21, 14]
+        assert platform + sum(legs) == 100
+
+    def test_super_fraction_zero_full_pipeline(self):
+        platform, operator = split_two_stage_commission(7965, 0.0)
+        legs = allocate_operator_split_legs(operator, [1.0])
+        assert platform == 0
+        assert legs == [7965]
+        assert platform + sum(legs) == 7965
+
+    def test_super_fraction_one_full_pipeline(self):
+        platform, operator = split_two_stage_commission(7965, 1.0)
+        legs = allocate_operator_split_legs(operator, [0.5, 0.5])
+        assert platform == 7965
+        # Operator has zero to distribute; both legs get zero.
+        assert legs == [0, 0]
+        assert platform + sum(legs) == 7965
+
+
+class TestPartialDispenseSplitRatio:
+    """The partial-dispense recompute (H6 fix) must preserve the ORIGINAL
+    platform/operator ratio from the landed settlement — NOT re-derive
+    from the current super_fee_fraction.
+
+    These tests cover the math; the actual function lives in distribution.py
+    and is exercised end-to-end via integration testing. Here we verify the
+    invariant a future maintainer should never break.
+    """
+
+    def _recompute(self, original_fee, original_platform_fee, new_fee):
+        """Mirror of the ratio math in apply_partial_dispense_and_redistribute."""
+        if original_fee > 0:
+            ratio = original_platform_fee / original_fee
+        else:
+            ratio = 0.0
+        new_platform = round(new_fee * ratio)
+        new_platform = max(0, min(new_platform, new_fee))
+        new_operator = new_fee - new_platform
+        return new_platform, new_operator
+
+    def test_plan_scenario_30pct_lands_then_partial(self):
+        # Landed at super_fee_fraction=0.30: 100-sat fee → 30 / 70.
+        # Partial-dispense to 50% gross → new_fee = 50.
+        # Original ratio (30/100 = 0.30) preserved.
+        new_platform, new_operator = self._recompute(100, 30, 50)
+        assert new_platform == 15
+        assert new_operator == 35
+        assert new_platform + new_operator == 50
+
+    def test_super_changed_rate_doesnt_affect_existing_settlement(self):
+        # Landed at super_fee_fraction=0.30 (fee 7965, platform 2390).
+        # Super then raises rate to 50% globally. Operator partial-dispenses
+        # to 50% gross → new_fee = 3982 (round(7965 * 0.5)).
+        # Original ratio (2390/7965 ≈ 0.30) MUST still apply, not 50%.
+        new_platform, new_operator = self._recompute(7965, 2390, 3982)
+        # Expected with original ratio: round(3982 * 0.30006...) = 1195
+        # With (broken) current rate of 50%: would be 1991 — much higher.
+        assert 1190 <= new_platform <= 1200
+        assert new_platform + new_operator == 3982
+        # Original platform share was ~30%; preserved within rounding.
+        assert abs(new_platform / 3982 - 2390 / 7965) < 0.001
+
+    def test_zero_original_fee_yields_zero_platform(self):
+        new_platform, new_operator = self._recompute(0, 0, 0)
+        assert new_platform == 0
+        assert new_operator == 0
+
+    def test_invariant_sum_equals_new_fee(self):
+        # Random-ish parameter sweep over realistic values.
+        cases = [
+            (100, 30, 50),
+            (100, 0, 50),       # original platform_fee was 0 (super_fraction=0)
+            (100, 100, 50),     # original platform_fee was 100 (super_fraction=100)
+            (7965, 2390, 3982),
+            (7965, 7965, 3982),
+            (1_000_000, 333_333, 250_000),
+        ]
+        for orig_comm, orig_plat, new_comm in cases:
+            new_platform, new_operator = self._recompute(
+                orig_comm, orig_plat, new_comm
+            )
+            assert new_platform + new_operator == new_comm, (
+                f"sum invariant violated: {orig_comm=} {orig_plat=} "
+                f"{new_comm=} → {new_platform=} {new_operator=}"
+            )
+            assert 0 <= new_platform <= new_comm
diff --git a/views_api.py b/views_api.py
index 3c4c6cc..6889803 100644
--- a/views_api.py
+++ b/views_api.py
@@ -14,7 +14,6 @@ from lnbits.core.models import User
 from lnbits.decorators import check_super_user, check_user_exists
 from lnbits.utils.nostr import normalize_public_key
 
-from .calculations import MAX_FEE_FRACTION_PER_DIRECTION
 from .cassette_transport import (
     CassetteTransportError,
     OperatorIdentityMissing,
@@ -22,7 +21,6 @@ from .cassette_transport import (
     SignerUnavailable,
     publish_to_atm,
 )
-from .fee_transport import publish_fee_config
 from .crud import (
     append_settlement_note,
     count_completed_legs_for_settlement,
@@ -50,7 +48,6 @@ from .crud import (
     get_settlements_for_operator,
     get_stuck_settlements_for_operator,
     get_super_config,
-    list_all_active_machines,
     list_cassette_configs_for_machine,
     lp_is_onboarded,
     replace_commission_splits,
@@ -150,105 +147,6 @@ async def _assert_no_pubkey_collision(machine_npub: str) -> None:
         )
 
 
-async def _assert_machine_fee_cap_safe(
-    operator_in: float,
-    operator_out: float,
-) -> None:
-    """Reject create/update if (super_X + operator_X) > 0.15 for either
-    direction. Locked at 15% per coord-log §2026-06-01T07:22Z; defense in
-    depth — the bitspire consumer enforces the same cap on the wire-format
-    side (aiolabs/lamassu-next#57).
-
-    Fetches the current super-config singleton to pair against the
-    candidate per-machine fractions. NULL super-config (uninitialised
-    instance) treats super contribution as 0 — the cap then degenerates
-    to a pure operator-fee check.
-    """
-    super_config = await get_super_config()
-    super_in = (
-        float(super_config.super_cash_in_fee_fraction) if super_config else 0.0
-    )
-    super_out = (
-        float(super_config.super_cash_out_fee_fraction) if super_config else 0.0
-    )
-    # Fields are stored as DECIMAL(10,4) and Pydantic validators round to
-    # 4 decimals on the way in, so the source-of-truth precision is 1e-4.
-    # Round the float-arithmetic sum to that precision before comparison so
-    # `0.10 + 0.05 = 0.15000000000000002` (IEEE 754) doesn't trip the cap.
-    total_in = round(super_in + operator_in, 4)
-    total_out = round(super_out + operator_out, 4)
-    if total_in > MAX_FEE_FRACTION_PER_DIRECTION:
-        raise HTTPException(
-            HTTPStatus.BAD_REQUEST,
-            (
-                f"cash-in fee cap exceeded: super {super_in:.4f} + operator "
-                f"{operator_in:.4f} = {total_in:.4f} > {MAX_FEE_FRACTION_PER_DIRECTION}"
-            ),
-        )
-    if total_out > MAX_FEE_FRACTION_PER_DIRECTION:
-        raise HTTPException(
-            HTTPStatus.BAD_REQUEST,
-            (
-                f"cash-out fee cap exceeded: super {super_out:.4f} + operator "
-                f"{operator_out:.4f} = {total_out:.4f} > {MAX_FEE_FRACTION_PER_DIRECTION}"
-            ),
-        )
-
-
-async def _assert_super_config_cap_safe(
-    new_super_in: float | None,
-    new_super_out: float | None,
-) -> None:
-    """Reject super-config update if any active machine's
-    (new_super + operator) > 0.15 for either direction. Same cap policy
-    as _assert_machine_fee_cap_safe but checked across the fleet because
-    a super update affects every machine.
-
-    `None` for a direction means "no change" — pulls the current value
-    from super-config so the cap check still runs against the resulting
-    post-update state.
-    """
-    current = await get_super_config()
-    effective_in = (
-        float(new_super_in)
-        if new_super_in is not None
-        else (float(current.super_cash_in_fee_fraction) if current else 0.0)
-    )
-    effective_out = (
-        float(new_super_out)
-        if new_super_out is not None
-        else (float(current.super_cash_out_fee_fraction) if current else 0.0)
-    )
-    machines = await list_all_active_machines()
-    for m in machines:
-        op_in = float(m.operator_cash_in_fee_fraction)
-        op_out = float(m.operator_cash_out_fee_fraction)
-        # Round to DECIMAL(10,4) precision — see _assert_machine_fee_cap_safe
-        # for the IEEE 754 motivation.
-        total_in = round(effective_in + op_in, 4)
-        total_out = round(effective_out + op_out, 4)
-        if total_in > MAX_FEE_FRACTION_PER_DIRECTION:
-            raise HTTPException(
-                HTTPStatus.BAD_REQUEST,
-                (
-                    f"super cash-in fee {effective_in:.4f} would exceed cap "
-                    f"on machine {m.id} ({m.name or m.machine_npub[:12]}): "
-                    f"+ operator {op_in:.4f} = "
-                    f"{total_in:.4f} > {MAX_FEE_FRACTION_PER_DIRECTION}"
-                ),
-            )
-        if total_out > MAX_FEE_FRACTION_PER_DIRECTION:
-            raise HTTPException(
-                HTTPStatus.BAD_REQUEST,
-                (
-                    f"super cash-out fee {effective_out:.4f} would exceed cap "
-                    f"on machine {m.id} ({m.name or m.machine_npub[:12]}): "
-                    f"+ operator {op_out:.4f} = "
-                    f"{total_out:.4f} > {MAX_FEE_FRACTION_PER_DIRECTION}"
-                ),
-            )
-
-
 # =============================================================================
 # Machines
 # =============================================================================
@@ -260,17 +158,7 @@ async def api_create_machine(
 ) -> Machine:
     await _assert_wallet_owned_by(data.wallet_id, user.id)
     await _assert_no_pubkey_collision(data.machine_npub)
-    await _assert_machine_fee_cap_safe(
-        data.operator_cash_in_fee_fraction,
-        data.operator_cash_out_fee_fraction,
-    )
     machine = await create_machine(user.id, data)
-    # Layer 2 (#39): publish initial fee config to the ATM so it can
-    # unblock past its `awaiting-fees` maintenance gate. Soft-fails on
-    # transport errors — machine creation has already succeeded.
-    super_config = await get_super_config()
-    if super_config is not None:
-        await publish_fee_config(machine, super_config, user.id)
     return machine
 
 
@@ -306,38 +194,9 @@ async def api_update_machine(
         raise HTTPException(HTTPStatus.NOT_FOUND, "Machine not found")
     if data.wallet_id is not None:
         await _assert_wallet_owned_by(data.wallet_id, user.id)
-    # Cap check against post-update state — partial PATCH semantics:
-    # unset directional fields keep the machine's current value.
-    if (
-        data.operator_cash_in_fee_fraction is not None
-        or data.operator_cash_out_fee_fraction is not None
-    ):
-        candidate_in = (
-            data.operator_cash_in_fee_fraction
-            if data.operator_cash_in_fee_fraction is not None
-            else float(machine.operator_cash_in_fee_fraction)
-        )
-        candidate_out = (
-            data.operator_cash_out_fee_fraction
-            if data.operator_cash_out_fee_fraction is not None
-            else float(machine.operator_cash_out_fee_fraction)
-        )
-        await _assert_machine_fee_cap_safe(candidate_in, candidate_out)
     updated = await update_machine(machine_id, data)
     if updated is None:
         raise HTTPException(HTTPStatus.NOT_FOUND, "Machine not found")
-    # Layer 2 (#39): if either operator fee fraction changed, publish a
-    # fresh kind-30078 to the ATM so it picks up the new total. Skip
-    # otherwise — name/location/wallet_id/is_active edits don't change
-    # the fee model the ATM enforces.
-    fees_changed = (
-        data.operator_cash_in_fee_fraction is not None
-        or data.operator_cash_out_fee_fraction is not None
-    )
-    if fees_changed:
-        super_config = await get_super_config()
-        if super_config is not None:
-            await publish_fee_config(updated, super_config, user.id)
     return updated
 
 
@@ -949,29 +808,11 @@ async def api_update_super_config(
     commission, plus the destination wallet for collecting it. The fee is
     enforced before the operator's own commission_splits ruleset fires
     (see distribution.process_settlement)."""
-    await _assert_super_config_cap_safe(
-        data.super_cash_in_fee_fraction,
-        data.super_cash_out_fee_fraction,
-    )
     config = await update_super_config(data)
     if config is None:
         raise HTTPException(
             HTTPStatus.INTERNAL_SERVER_ERROR, "Failed to update super config"
         )
-    # Layer 2 (#39): a super-fee change ripples to every active machine
-    # since each machine's total = super + machine.operator. Republish
-    # per-machine with that machine's operator as the signer.
-    # Soft-fails per machine independently; partial success is acceptable
-    # (the operator whose publish failed can re-trigger via a machine
-    # edit). Skip if neither directional fraction was touched in this
-    # update (e.g. caller only changed super_fee_wallet_id).
-    super_fractions_changed = (
-        data.super_cash_in_fee_fraction is not None
-        or data.super_cash_out_fee_fraction is not None
-    )
-    if super_fractions_changed:
-        for machine in await list_all_active_machines():
-            await publish_fee_config(machine, config, machine.operator_user_id)
     return config