@layerzerolabs/protocol-stellar-v2 0.2.29 → 0.2.30

package/contracts/sac-manager/src/tests/sac_manager/admin_mint.rs

@@ -0,0 +1,206 @@
+//! authorized_mint Integration Tests
+//!
+//! Core mint logic (supply control, redistribution, events) is tested via
+//! MintBurnable tests in `mint.rs`. These tests focus on authorized_mint-specific
+//! behavior: auth, owner fallback, and supply controllers calling directly.
+
+use super::test_helper::{mock_authorized_mint_auth, mock_set_authorized_auth, mock_set_supply_controller_auth};
+use crate::errors::SacManagerError;
+use crate::extensions::redistribution::RedistributeFunds;
+use crate::extensions::supply_control::SupplyIncreased;
+use crate::extensions::supply_control::{LimitConfig, SupplyControlError, SupplyControllerConfig};
+use crate::tests::test_helper::TestSetup;
+use soroban_sdk::{testutils::IssuerFlags, Vec};
+use utils::testing_utils::{assert_contains_event, assert_contains_events};
+
+// =========================================================================
+// authorized_mint Tests (without Supply Control — owner only)
+// =========================================================================
+
+#[test]
+fn test_authorized_mint_by_owner() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().build();
+    let recipient = setup.generate_address();
+
+    mock_authorized_mint_auth(&setup, &setup.owner, &recipient, 1000_i128);
+    setup.sac_manager_client.authorized_mint(&setup.owner, &recipient, &1000);
+    assert_eq!(setup.sac_client.balance(&recipient), 1000);
+}
+
+#[test]
+fn test_authorized_mint_redistributes_when_recipient_blacklisted() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_redistribution_enabled().build();
+    let blacklisted_recipient = setup.generate_address();
+
+    // Enable issuer flags required for blacklist and clawback behavior in SAC tests.
+    setup.sac_contract.issuer().set_flag(IssuerFlags::RevocableFlag);
+    setup.sac_contract.issuer().set_flag(IssuerFlags::ClawbackEnabledFlag);
+
+    mock_set_authorized_auth(&setup, &blacklisted_recipient, false);
+    setup.sac_manager_client.set_authorized(&blacklisted_recipient, &false);
+    assert!(!setup.sac_client.authorized(&blacklisted_recipient));
+
+    let owner_balance_before = setup.sac_client.balance(&setup.owner);
+    let blacklisted_balance_before = setup.sac_client.balance(&blacklisted_recipient);
+
+    // authorized_mint resolves recipient to owner when target is blacklisted (redistribution path).
+    mock_authorized_mint_auth(&setup, &setup.owner, &blacklisted_recipient, 700_i128);
+    setup.sac_manager_client.authorized_mint(&setup.owner, &blacklisted_recipient, &700);
+
+    // No SupplyIncreased when supply control is off; only RedistributeFunds is emitted.
+    let expected = RedistributeFunds { user: blacklisted_recipient.clone(), amount: 700 };
+    assert_contains_event(&setup.env, &setup.sac_manager, expected);
+
+    assert_eq!(setup.sac_client.balance(&blacklisted_recipient), blacklisted_balance_before);
+    assert_eq!(setup.sac_client.balance(&setup.owner), owner_balance_before + 700);
+}
+
+#[test]
+fn test_authorized_mint_by_non_owner_fails_without_supply_control() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().build();
+    let recipient = setup.generate_address();
+    let random = setup.generate_address();
+
+    // Supply control is off — only owner can call
+    mock_authorized_mint_auth(&setup, &random, &recipient, 1000_i128);
+    let result = setup.sac_manager_client.try_authorized_mint(&random, &recipient, &1000);
+    assert_eq!(result.err().unwrap().unwrap(), SacManagerError::Unauthorized.into());
+}
+
+// =========================================================================
+// authorized_mint Tests (with Supply Control)
+// =========================================================================
+
+#[test]
+fn test_authorized_mint_by_supply_controller() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let recipient = setup.generate_address();
+    let controller = setup.generate_address();
+
+    let config = SupplyControllerConfig {
+        limit_config: LimitConfig { limit_capacity: 10_000, refill_per_second: 0 },
+        allow_any_mint_burn: true,
+        whitelist_addresses: Vec::new(&setup.env),
+    };
+    mock_set_supply_controller_auth(&setup, &setup.sc_manager, &controller, &Some(config.clone()));
+    setup.sac_manager_client.set_supply_controller(&setup.sc_manager, &controller, &Some(config.clone()));
+
+    mock_authorized_mint_auth(&setup, &controller, &recipient, 1000_i128);
+    setup.sac_manager_client.authorized_mint(&controller, &recipient, &1000);
+    assert_eq!(setup.sac_client.balance(&recipient), 1000);
+}
+
+#[test]
+fn test_authorized_mint_by_owner_fails_with_supply_control_without_config() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let recipient = setup.generate_address();
+
+    // Owner is not auto-authorized when supply control is enabled and has no controller config.
+    mock_authorized_mint_auth(&setup, &setup.owner, &recipient, 1000_i128);
+    let result = setup.sac_manager_client.try_authorized_mint(&setup.owner, &recipient, &1000);
+    assert_eq!(result.err().unwrap().unwrap(), SupplyControlError::NotFound.into());
+}
+
+#[test]
+fn test_authorized_mint_redistributes_with_supply_control_enabled() {
+    let setup = TestSetup::new()
+        .with_manager_as_sac_admin()
+        .with_supply_control_enabled()
+        .with_redistribution_enabled()
+        .build();
+    let controller = setup.generate_address();
+    let blacklisted_recipient = setup.generate_address();
+
+    setup.sac_contract.issuer().set_flag(IssuerFlags::RevocableFlag);
+    setup.sac_contract.issuer().set_flag(IssuerFlags::ClawbackEnabledFlag);
+
+    // Force redistribution path by blacklisting recipient.
+    mock_set_authorized_auth(&setup, &blacklisted_recipient, false);
+    setup.sac_manager_client.set_authorized(&blacklisted_recipient, &false);
+    assert!(!setup.sac_client.authorized(&blacklisted_recipient));
+
+    let config = SupplyControllerConfig {
+        limit_config: LimitConfig { limit_capacity: 10_000, refill_per_second: 0 },
+        allow_any_mint_burn: true,
+        whitelist_addresses: Vec::new(&setup.env),
+    };
+    mock_set_supply_controller_auth(&setup, &setup.sc_manager, &controller, &Some(config.clone()));
+    setup.sac_manager_client.set_supply_controller(&setup.sc_manager, &controller, &Some(config));
+
+    let owner_balance_before = setup.sac_client.balance(&setup.owner);
+    let blacklisted_balance_before = setup.sac_client.balance(&blacklisted_recipient);
+
+    mock_authorized_mint_auth(&setup, &controller, &blacklisted_recipient, 700_i128);
+    setup.sac_manager_client.authorized_mint(&controller, &blacklisted_recipient, &700);
+
+    let expected = SupplyIncreased { controller: controller.clone(), to: blacklisted_recipient.clone(), amount: 700 };
+    let expected2 = RedistributeFunds { user: blacklisted_recipient.clone(), amount: 700 };
+    assert_contains_events(&setup.env, &setup.sac_manager, &[&expected, &expected2]);
+
+    assert_eq!(setup.sac_client.balance(&blacklisted_recipient), blacklisted_balance_before);
+    assert_eq!(setup.sac_client.balance(&setup.owner), owner_balance_before + 700);
+}
+
+#[test]
+fn test_authorized_mint_succeeds_when_amount_equals_rate_limit() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let recipient = setup.generate_address();
+    let controller = setup.generate_address();
+
+    let config = SupplyControllerConfig {
+        limit_config: LimitConfig { limit_capacity: 1_000, refill_per_second: 1 },
+        allow_any_mint_burn: true,
+        whitelist_addresses: Vec::new(&setup.env),
+    };
+    mock_set_supply_controller_auth(&setup, &setup.sc_manager, &controller, &Some(config.clone()));
+    setup.sac_manager_client.set_supply_controller(&setup.sc_manager, &controller, &Some(config));
+
+    mock_authorized_mint_auth(&setup, &controller, &recipient, 1000_i128);
+    setup.sac_manager_client.authorized_mint(&controller, &recipient, &1000);
+    assert_eq!(setup.sac_client.balance(&recipient), 1000);
+}
+
+#[test]
+fn test_authorized_mint_fails_when_amount_exceeds_rate_limit() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let recipient = setup.generate_address();
+    let controller = setup.generate_address();
+
+    let config = SupplyControllerConfig {
+        limit_config: LimitConfig { limit_capacity: 1_000, refill_per_second: 1 },
+        allow_any_mint_burn: true,
+        whitelist_addresses: Vec::new(&setup.env),
+    };
+    mock_set_supply_controller_auth(&setup, &setup.sc_manager, &controller, &Some(config.clone()));
+    setup.sac_manager_client.set_supply_controller(&setup.sc_manager, &controller, &Some(config));
+
+    mock_authorized_mint_auth(&setup, &controller, &recipient, 1001_i128);
+    let result = setup.sac_manager_client.try_authorized_mint(&controller, &recipient, &1001);
+    assert_eq!(result.err().unwrap().unwrap(), SupplyControlError::RateLimitExceeded.into());
+}
+
+#[test]
+fn test_authorized_mint_fails_without_supply_controller_config() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let recipient = setup.generate_address();
+    let random = setup.generate_address();
+
+    // Supply control enabled but sender is NOT a supply controller
+    mock_authorized_mint_auth(&setup, &random, &recipient, 1000_i128);
+    let result = setup.sac_manager_client.try_authorized_mint(&random, &recipient, &1000);
+    assert_eq!(result.err().unwrap().unwrap(), SupplyControlError::NotFound.into());
+}
+
+// =========================================================================
+// authorized_mint Auth Tests
+// =========================================================================
+
+#[test]
+#[should_panic(expected = "Error(Auth, InvalidAction)")]
+fn test_authorized_mint_without_auth() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().build();
+    let recipient = setup.generate_address();
+
+    // No auth mocked — sender.require_auth() fails
+    setup.sac_manager_client.authorized_mint(&setup.owner, &recipient, &1000);
+}

package/contracts/sac-manager/src/tests/sac_manager/burn.rs

@@ -0,0 +1,215 @@
+//! Burn (MintBurnable) Integration Tests
+//!
+//! Burn tests use explicit mock_auth setup so nested auth for `sac.burn`
+//! (`from.require_auth()`) is asserted deterministically.
+
+use super::test_helper::{mock_sac_owner_mint_auth, mock_set_mint_whitelist_auth, mock_set_supply_controller_auth};
+use crate::errors::SacManagerError;
+use crate::extensions::supply_control::{LimitConfig, SupplyControlClient, SupplyControlError, SupplyControllerConfig};
+use crate::tests::sac_manager::test_helper::mock_burn_auth;
+use crate::tests::test_helper::{mock_auth, mock_oft_mint_auth, TestSetup};
+use crate::extensions::supply_control::SupplyDecreased;
+use soroban_sdk::Vec;
+use utils::testing_utils::assert_contains_event;
+
+// =========================================================================
+// Burn Tests (with Supply Control)
+// =========================================================================
+
+#[test]
+fn test_burn_by_oft_with_supply_control() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+
+    let config = SupplyControllerConfig {
+        limit_config: LimitConfig { limit_capacity: 10_000, refill_per_second: 0 },
+        allow_any_mint_burn: true,
+        whitelist_addresses: Vec::new(&setup.env),
+    };
+    mock_set_supply_controller_auth(&setup, &setup.sc_manager, &setup.oft, &Some(config.clone()));
+    setup.sac_manager_client.set_supply_controller(&setup.sc_manager, &setup.oft, &Some(config.clone()));
+
+    // Mint tokens to OFT
+    mock_oft_mint_auth(&setup, &setup.oft, 1000_i128);
+    setup.sac_manager_client.mint(&setup.oft, &1000);
+    assert_eq!(setup.sac_client.balance(&setup.oft), 1000);
+
+    // OFT burns its own tokens
+    mock_burn_auth(&setup, &setup.oft, 500_i128);
+    setup.sac_manager_client.burn(&setup.oft, &500);
+    let expected = SupplyDecreased { controller: setup.oft.clone(), from: setup.oft.clone(), amount: 500 };
+    assert_contains_event(&setup.env, &setup.sac_manager, expected);
+    assert_eq!(setup.sac_client.balance(&setup.oft), 500);
+}
+
+#[test]
+fn test_burn_from_user_by_oft() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let user = setup.generate_address();
+
+    let config = SupplyControllerConfig {
+        limit_config: LimitConfig { limit_capacity: 10_000, refill_per_second: 0 },
+        allow_any_mint_burn: true,
+        whitelist_addresses: Vec::new(&setup.env),
+    };
+    mock_set_supply_controller_auth(&setup, &setup.sc_manager, &setup.oft, &Some(config.clone()));
+    setup.sac_manager_client.set_supply_controller(&setup.sc_manager, &setup.oft, &Some(config.clone()));
+
+    // Mint tokens to user
+    mock_oft_mint_auth(&setup, &user, 1000_i128);
+    setup.sac_manager_client.mint(&user, &1000);
+    assert_eq!(setup.sac_client.balance(&user), 1000);
+
+    // OFT burns tokens from user (user authorizes at SAC level)
+    mock_burn_auth(&setup, &user, 500_i128);
+    setup.sac_manager_client.burn(&user, &500);
+    let expected = SupplyDecreased { controller: setup.oft.clone(), from: user.clone(), amount: 500 };
+    assert_contains_event(&setup.env, &setup.sac_manager, expected);
+    assert_eq!(setup.sac_client.balance(&user), 500);
+}
+
+#[test]
+fn test_burn_from_self_fails_when_allow_any_mint_burn_is_false() {
+    let setup = TestSetup::new().with_supply_control_enabled().build();
+
+    let config = SupplyControllerConfig {
+        limit_config: LimitConfig { limit_capacity: 10_000, refill_per_second: 0 },
+        allow_any_mint_burn: false,
+        whitelist_addresses: Vec::new(&setup.env),
+    };
+    mock_set_supply_controller_auth(&setup, &setup.sc_manager, &setup.oft, &Some(config.clone()));
+    setup.sac_manager_client.set_supply_controller(&setup.sc_manager, &setup.oft, &Some(config.clone()));
+
+    // Mint to OFT directly via SAC owner
+    mock_sac_owner_mint_auth(&setup, &setup.oft, 1000_i128);
+    setup.sac_client.mint(&setup.oft, &1000);
+    assert_eq!(setup.sac_client.balance(&setup.oft), 1000);
+
+    // Burn-from-self should fail when allow_any_mint_burn is false
+    mock_burn_auth(&setup, &setup.oft, 500_i128);
+    let result = setup.sac_manager_client.try_burn(&setup.oft, &500);
+    assert_eq!(result.err().unwrap().unwrap(), SupplyControlError::CannotBurnFromAddress.into());
+}
+
+// =========================================================================
+// Burn Error Cases (Supply Control)
+// =========================================================================
+
+#[test]
+fn test_burn_fails_when_oft_not_supply_controller() {
+    let setup = TestSetup::new().with_supply_control_enabled().build();
+    let user = setup.generate_address();
+
+    // Mint tokens to user directly via SAC (bypassing supply control).
+    // Here SAC admin is still owner (not sac_manager), so owner can mint.
+    mock_sac_owner_mint_auth(&setup, &user, 1000_i128);
+    setup.sac_client.mint(&user, &1000);
+
+    // OFT is NOT added as supply controller — burn should fail
+    mock_burn_auth(&setup, &user, 500_i128);
+    let result = setup.sac_manager_client.try_burn(&user, &500);
+    assert_eq!(result.err().unwrap().unwrap(), SupplyControlError::NotFound.into());
+}
+
+#[test]
+fn test_burn_fails_when_controller_cannot_burn_from_address() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let user = setup.generate_address();
+
+    // OFT as controller WITHOUT allow_any_mint_burn
+    let config = SupplyControllerConfig {
+        limit_config: LimitConfig { limit_capacity: 10_000, refill_per_second: 0 },
+        allow_any_mint_burn: false,
+        whitelist_addresses: Vec::new(&setup.env),
+    };
+    mock_set_supply_controller_auth(&setup, &setup.sc_manager, &setup.oft, &Some(config.clone()));
+    setup.sac_manager_client.set_supply_controller(&setup.sc_manager, &setup.oft, &Some(config.clone()));
+
+    // Whitelist user for OFT controller to allow minting (allow_any=false)
+    let sc_client = SupplyControlClient::new(&setup.env, &setup.sac_manager);
+    mock_set_mint_whitelist_auth(&setup, &setup.sc_manager, &setup.oft, &user, true);
+    sc_client.set_mint_whitelist(&setup.sc_manager, &setup.oft, &user, &true);
+
+    // Mint tokens to user
+    mock_oft_mint_auth(&setup, &user, 1000_i128);
+    setup.sac_manager_client.mint(&user, &1000);
+
+    // OFT tries to burn from user without allow_any_mint_burn - should fail
+    mock_burn_auth(&setup, &user, 500_i128);
+    let result = setup.sac_manager_client.try_burn(&user, &500);
+    assert_eq!(result.err().unwrap().unwrap(), SupplyControlError::CannotBurnFromAddress.into());
+}
+
+// =========================================================================
+// Burn Tests (without Supply Control) — OFT calls burn
+// =========================================================================
+
+#[test]
+fn test_burn_by_oft_without_supply_control() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().build();
+
+    // Supply control is disabled by default
+    assert!(!setup.sac_manager_client.supply_control_enabled());
+
+    // Mint tokens to OFT first
+    mock_oft_mint_auth(&setup, &setup.oft, 1000_i128);
+    setup.sac_manager_client.mint(&setup.oft, &1000);
+    assert_eq!(setup.sac_client.balance(&setup.oft), 1000);
+
+    // OFT can burn when supply control is disabled
+    mock_burn_auth(&setup, &setup.oft, 500_i128);
+    setup.sac_manager_client.burn(&setup.oft, &500);
+    assert_eq!(setup.sac_client.balance(&setup.oft), 500);
+}
+
+#[test]
+fn test_burn_fails_when_amount_exceeds_balance() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().build();
+
+    mock_oft_mint_auth(&setup, &setup.oft, 100_i128);
+    setup.sac_manager_client.mint(&setup.oft, &100);
+    assert_eq!(setup.sac_client.balance(&setup.oft), 100);
+
+    mock_burn_auth(&setup, &setup.oft, 200_i128);
+    let result = setup.sac_manager_client.try_burn(&setup.oft, &200);
+    assert!(result.is_err());
+}
+
+#[test]
+fn test_burn_fails_when_oft_not_set() {
+    let setup = TestSetup::new().without_oft().build();
+    let user = setup.generate_address();
+
+    // Mock from auth so we pass from.require_auth() and reach the OFT address check
+    mock_auth(&setup.env, &setup.sac_manager, &user, "burn", (&user, 500_i128));
+    let result = setup.sac_manager_client.try_burn(&user, &500);
+    assert_eq!(result.err().unwrap().unwrap(), SacManagerError::OftAddressNotSet.into());
+}
+
+// =========================================================================
+// Burn Auth Tests
+// =========================================================================
+
+#[test]
+#[should_panic(expected = "Error(Auth, InvalidAction)")]
+fn test_burn_fails_without_oft_auth() {
+    // No mock_burn_auth — the OFT address won't be authorized
+    let setup = TestSetup::new().with_manager_as_sac_admin().build();
+    let user = setup.generate_address();
+
+    setup.sac_manager_client.burn(&user, &500);
+}
+
+#[test]
+#[should_panic(expected = "Error(Auth, InvalidAction)")]
+fn test_burn_fails_without_from_auth_even_if_oft_auth_present() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().build();
+    let user = setup.generate_address();
+
+    mock_oft_mint_auth(&setup, &user, 1000_i128);
+    setup.sac_manager_client.mint(&user, &1000);
+    assert_eq!(setup.sac_client.balance(&user), 1000);
+
+    // Only root OFT auth is mocked; nested SAC burn auth for `from` is intentionally missing.
+    mock_auth(&setup.env, &setup.sac_manager, &setup.oft, "burn", (&user, 500_i128));
+    setup.sac_manager_client.burn(&user, &500);
+}

package/contracts/sac-manager/src/tests/sac_manager/clawback.rs

@@ -0,0 +1,209 @@
+//! Clawback Integration Tests
+//!
+//! Tests for admin-initiated clawback functionality via `clawback`.
+//! The clawback operation uses SAC clawback, which requires AUTH_CLAWBACK_ENABLED
+//! flag on the SAC issuer.
+//!
+//! Core burn logic (supply control validation) is shared with MintBurnable::burn
+//! in `burn.rs`. These tests focus on clawback-specific behavior: auth, owner
+//! fallback, clawback mechanics, and supply controllers calling directly.
+
+use super::test_helper::{mock_authorized_mint_auth, mock_clawback_auth, mock_set_supply_controller_auth};
+use crate::errors::SacManagerError;
+use crate::extensions::supply_control::{LimitConfig, SupplyControlError, SupplyControllerConfig, SupplyDecreased};
+use crate::tests::test_helper::TestSetup;
+use soroban_sdk::{testutils::IssuerFlags, Vec};
+use utils::testing_utils::assert_contains_event;
+
+// =========================================================================
+// clawback Tests (without Supply Control — owner only)
+// =========================================================================
+
+#[test]
+fn test_clawback_by_owner() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().build();
+    let user = setup.generate_address();
+
+    setup.sac_contract.issuer().set_flag(IssuerFlags::RevocableFlag);
+    setup.sac_contract.issuer().set_flag(IssuerFlags::ClawbackEnabledFlag);
+
+    // Mint tokens to user first
+    mock_authorized_mint_auth(&setup, &setup.owner, &user, 1000_i128);
+    setup.sac_manager_client.authorized_mint(&setup.owner, &user, &1000);
+    assert_eq!(setup.sac_client.balance(&user), 1000);
+
+    // Owner clawbacks tokens from user (no SupplyDecreased event when supply control is off)
+    mock_clawback_auth(&setup, &setup.owner, &user, 500_i128);
+    setup.sac_manager_client.clawback(&setup.owner, &user, &500);
+    assert_eq!(setup.sac_client.balance(&user), 500);
+}
+
+#[test]
+fn test_clawback_full_balance() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().build();
+    let user = setup.generate_address();
+
+    setup.sac_contract.issuer().set_flag(IssuerFlags::RevocableFlag);
+    setup.sac_contract.issuer().set_flag(IssuerFlags::ClawbackEnabledFlag);
+
+    mock_authorized_mint_auth(&setup, &setup.owner, &user, 1000_i128);
+    setup.sac_manager_client.authorized_mint(&setup.owner, &user, &1000);
+
+    // Clawback full balance (boundary case: amount == balance)
+    mock_clawback_auth(&setup, &setup.owner, &user, 1000_i128);
+    setup.sac_manager_client.clawback(&setup.owner, &user, &1000);
+    assert_eq!(setup.sac_client.balance(&user), 0);
+}
+
+#[test]
+fn test_clawback_fails_when_amount_exceeds_balance() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().build();
+    let user = setup.generate_address();
+
+    setup.sac_contract.issuer().set_flag(IssuerFlags::RevocableFlag);
+    setup.sac_contract.issuer().set_flag(IssuerFlags::ClawbackEnabledFlag);
+
+    mock_authorized_mint_auth(&setup, &setup.owner, &user, 100_i128);
+    setup.sac_manager_client.authorized_mint(&setup.owner, &user, &100);
+
+    mock_clawback_auth(&setup, &setup.owner, &user, 200_i128);
+    let result = setup.sac_manager_client.try_clawback(&setup.owner, &user, &200);
+    assert!(result.is_err());
+}
+
+#[test]
+fn test_clawback_by_non_owner_fails_without_supply_control() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().build();
+    let user = setup.generate_address();
+    let random = setup.generate_address();
+
+    // Supply control is off — only owner can call
+    mock_clawback_auth(&setup, &random, &user, 500_i128);
+    let result = setup.sac_manager_client.try_clawback(&random, &user, &500);
+    assert_eq!(result.err().unwrap().unwrap(), SacManagerError::Unauthorized.into());
+}
+
+// =========================================================================
+// clawback Tests (with Supply Control)
+// =========================================================================
+
+#[test]
+fn test_clawback_by_supply_controller() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let user = setup.generate_address();
+    let controller = setup.generate_address();
+
+    setup.sac_contract.issuer().set_flag(IssuerFlags::RevocableFlag);
+    setup.sac_contract.issuer().set_flag(IssuerFlags::ClawbackEnabledFlag);
+
+    let config = SupplyControllerConfig {
+        limit_config: LimitConfig { limit_capacity: 10_000, refill_per_second: 0 },
+        allow_any_mint_burn: true,
+        whitelist_addresses: Vec::new(&setup.env),
+    };
+    mock_set_supply_controller_auth(&setup, &setup.sc_manager, &controller, &Some(config.clone()));
+    setup.sac_manager_client.set_supply_controller(&setup.sc_manager, &controller, &Some(config));
+
+    // Mint tokens to user via controller
+    mock_authorized_mint_auth(&setup, &controller, &user, 1000_i128);
+    setup.sac_manager_client.authorized_mint(&controller, &user, &1000);
+    assert_eq!(setup.sac_client.balance(&user), 1000);
+
+    // Controller clawbacks from user
+    mock_clawback_auth(&setup, &controller, &user, 500_i128);
+    setup.sac_manager_client.clawback(&controller, &user, &500);
+
+    let expected = SupplyDecreased { controller: controller.clone(), from: user.clone(), amount: 500 };
+    assert_contains_event(&setup.env, &setup.sac_manager, expected);
+
+    assert_eq!(setup.sac_client.balance(&user), 500);
+}
+
+#[test]
+fn test_clawback_by_owner_fails_with_supply_control_without_config() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let user = setup.generate_address();
+
+    setup.sac_contract.issuer().set_flag(IssuerFlags::RevocableFlag);
+    setup.sac_contract.issuer().set_flag(IssuerFlags::ClawbackEnabledFlag);
+
+    // Owner is not auto-authorized when supply control is enabled and has no controller config.
+    mock_clawback_auth(&setup, &setup.owner, &user, 500_i128);
+    let result = setup.sac_manager_client.try_clawback(&setup.owner, &user, &500);
+    assert_eq!(result.err().unwrap().unwrap(), SupplyControlError::NotFound.into());
+}
+
+#[test]
+fn test_clawback_fails_without_supply_controller_config() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let user = setup.generate_address();
+    let random = setup.generate_address();
+
+    // Supply control enabled but sender is NOT a supply controller
+    mock_clawback_auth(&setup, &random, &user, 500_i128);
+    let result = setup.sac_manager_client.try_clawback(&random, &user, &500);
+    assert_eq!(result.err().unwrap().unwrap(), SupplyControlError::NotFound.into());
+}
+
+#[test]
+fn test_clawback_fails_when_controller_cannot_burn_from_address() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let user = setup.generate_address();
+    let controller = setup.generate_address();
+
+    // Controller WITHOUT allow_any_mint_burn
+    let config = SupplyControllerConfig {
+        limit_config: LimitConfig { limit_capacity: 10_000, refill_per_second: 0 },
+        allow_any_mint_burn: false,
+        whitelist_addresses: Vec::new(&setup.env),
+    };
+    mock_set_supply_controller_auth(&setup, &setup.sc_manager, &controller, &Some(config.clone()));
+    setup.sac_manager_client.set_supply_controller(&setup.sc_manager, &controller, &Some(config));
+
+    // Controller tries to burn from user without allow_any_mint_burn — should fail
+    mock_clawback_auth(&setup, &controller, &user, 500_i128);
+    let result = setup.sac_manager_client.try_clawback(&controller, &user, &500);
+    assert_eq!(result.err().unwrap().unwrap(), SupplyControlError::CannotBurnFromAddress.into());
+}
+
+#[test]
+fn test_clawback_by_controller_from_self() {
+    let setup = TestSetup::new().with_manager_as_sac_admin().with_supply_control_enabled().build();
+    let controller = setup.generate_address();
+
+    setup.sac_contract.issuer().set_flag(IssuerFlags::RevocableFlag);
+    setup.sac_contract.issuer().set_flag(IssuerFlags::ClawbackEnabledFlag);
+
+    // Controller WITH allow_any_mint_burn — required for any burn including from self
+    let config = SupplyControllerConfig {
+        limit_config: LimitConfig { limit_capacity: 10_000, refill_per_second: 0 },
+        allow_any_mint_burn: true,
+        whitelist_addresses: Vec::new(&setup.env),
+    };
+    mock_set_supply_controller_auth(&setup, &setup.sc_manager, &controller, &Some(config.clone()));
+    setup.sac_manager_client.set_supply_controller(&setup.sc_manager, &controller, &Some(config));
+
+    // Mint tokens to controller itself
+    mock_authorized_mint_auth(&setup, &controller, &controller, 1000_i128);
+    setup.sac_manager_client.authorized_mint(&controller, &controller, &1000);
+    assert_eq!(setup.sac_client.balance(&controller), 1000);
+
+    // Controller clawbacks from self — requires allow_any_mint_burn
+    mock_clawback_auth(&setup, &controller, &controller, 500_i128);
+    setup.sac_manager_client.clawback(&controller, &controller, &500);
+    assert_eq!(setup.sac_client.balance(&controller), 500);
+}
+
+// =========================================================================
+// clawback Auth Tests
+// =========================================================================
+
+#[test]
+#[should_panic(expected = "Error(Auth, InvalidAction)")]
+fn test_clawback_fails_without_auth() {
+    let setup = TestSetup::new().build();
+    let user = setup.generate_address();
+
+    // Should panic because sender doesn't authorize the call
+    setup.sac_manager_client.clawback(&setup.owner, &user, &300);
+}