@layerzerolabs/protocol-stellar-v2 0.2.39 → 0.2.41

package/contracts/endpoint-v2/src/tests/endpoint_v2/verify.rs

@@ -63,35 +63,6 @@ fn test_verify_success() {
 }
 
 // Storage & Nonce Behavior
-#[test]
-fn test_verify_stores_payload_hash() {
-    let context = setup();
-    let env = &context.env;
-    let endpoint_client = &context.endpoint_client;
-
-    let src_eid = 2u32;
-    let sender = BytesN::from_array(env, &[1u8; 32]);
-    let receiver = env.register(MockReceiver, ());
-    let nonce = 1u64;
-
-    // Setup receive library
-    let receive_lib = context.setup_default_receive_lib(src_eid, 0);
-
-    // Create payload hash
-    let payload_hash = default_payload_hash(env);
-
-    let origin = Origin { src_eid, sender: sender.clone(), nonce };
-
-    // Mock auth for receive_lib
-    context.mock_auth(&receive_lib, "verify", (&receive_lib, &origin, &receiver, &payload_hash));
-
-    endpoint_client.verify(&receive_lib, &origin, &receiver, &payload_hash);
-
-    // Verify inbound payload hash was stored
-    let stored_hash = endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce);
-    assert_eq!(stored_hash, Some(payload_hash));
-}
-
 #[test]
 fn test_verify_overwrites_payload_hash_for_same_nonce() {
     let context = setup();
@@ -262,7 +233,7 @@ fn test_verify_path_not_initializable() {
     context.mock_auth(&receive_lib, "verify", (&receive_lib, &origin, &receiver, &payload_hash));
 
     // Library validation passes (receive_lib matches default)
-    // initializable checks: lazy_inbound_nonce == 0, and receiver.allow_initialize_path(origin) == false
+    // initializable checks: inbound_nonce == 0, and receiver.allow_initialize_path(origin) == false
     // So initializable returns false, should panic with PathNotInitializable error
     let result = endpoint_client.try_verify(&receive_lib, &origin, &receiver, &payload_hash);
     assert_eq!(result.err().unwrap().ok().unwrap(), EndpointError::PathNotInitializable.into());
@@ -281,7 +252,7 @@ fn test_verify_path_not_verifiable() {
     // Setup receive library and set as default (so library validation passes)
     let receive_lib = context.setup_default_receive_lib(src_eid, 0);
 
-    // Skip nonce 1 to set lazy_inbound_nonce to 1 (so initializable passes: lazy_nonce > 0)
+    // Skip nonce 1 to advance inbound_nonce to 1 (so initializable passes: inbound_nonce > 0)
     context.mock_auth(&receiver, "skip", (&receiver, &receiver, &src_eid, &sender, &1u64));
     endpoint_client.skip(&receiver, &receiver, &src_eid, &sender, &1);
 
@@ -291,15 +262,15 @@ fn test_verify_path_not_verifiable() {
     let payload = build_payload(env, &guid, &message);
     let payload_hash = keccak256(env, &payload);
 
-    // Try to verify nonce 1, but lazy_nonce is already 1, so nonce 1 is not verifiable
-    // verifiable checks: nonce > lazy_inbound_nonce (1 > 1 is false) OR has payload hash (false)
+    // Try to verify nonce 1, but inbound_nonce is already 1, so nonce 1 is not verifiable
+    // verifiable checks: nonce > inbound_nonce (1 > 1 is false) OR has payload hash (false)
     let origin = Origin { src_eid, sender, nonce: 1 };
 
     // Mock auth for receive_lib
     context.mock_auth(&receive_lib, "verify", (&receive_lib, &origin, &receiver, &payload_hash));
 
-    // Library validation passes, initializable passes (lazy_nonce > 0)
-    // verifiable fails (nonce <= lazy_nonce and no payload hash), should panic with PathNotVerifiable error
+    // Library validation passes, initializable passes (inbound_nonce > 0)
+    // verifiable fails (nonce <= inbound_nonce and no payload hash), should panic with PathNotVerifiable error
     let result = endpoint_client.try_verify(&receive_lib, &origin, &receiver, &payload_hash);
     assert_eq!(result.err().unwrap().ok().unwrap(), EndpointError::PathNotVerifiable.into());
 }

package/contracts/endpoint-v2/src/tests/messaging_channel/burn.rs

@@ -258,9 +258,9 @@ fn test_burn_payload_hash_not_found_when_storage_none() {
     assert_eq!(result.err().unwrap().ok().unwrap(), EndpointError::PayloadHashNotFound.into());
 }
 
-// Failure when nonce is greater than lazy nonce
+// Failure when nonce is greater than `inbound_nonce`
 #[test]
-fn test_burn_invalid_nonce_when_greater_than_lazy_nonce() {
+fn test_burn_invalid_nonce_when_greater_than_inbound_nonce() {
     let context = setup();
     let env = &context.env;
 

package/contracts/endpoint-v2/src/tests/messaging_channel/clear_payload.rs

@@ -52,6 +52,8 @@ fn test_clear_payload_success() {
     let payload_hash = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, nonce, &payload);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
 
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), nonce);
+
     clear_payload(&context, &receiver, src_eid, &sender, nonce, &payload);
 
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), None);
@@ -88,6 +90,42 @@ fn test_clear_payload_keeps_other_payload_hashes_intact() {
     let _ = hash3; // hash3 is only used to ensure it was computed and stored for nonce 3.
 }
 
+#[test]
+fn test_clear_payload_does_not_change_pending_inbound_nonces() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Verify 1 and 2 consecutively, then verify 4 out-of-order.
+    // This produces: inbound_nonce = 2, pending_inbound_nonces = [4].
+    let payload1 = Bytes::from_array(env, &[0x01]);
+    let payload2 = Bytes::from_array(env, &[0x02]);
+    let payload4 = Bytes::from_array(env, &[0x04]);
+
+    let hash1 = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 1, &payload1);
+    let hash2 = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 2, &payload2);
+    let hash4 = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 4, &payload4);
+
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 4u64]);
+
+    // Clear nonce 2. This must not affect pending nonces (which are > inbound_nonce).
+    clear_payload(&context, &receiver, src_eid, &sender, 2, &payload2);
+
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 4u64]);
+
+    // Only nonce 2 is cleared; others remain.
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2), None);
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &1), Some(hash1));
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &4), Some(hash4));
+    let _ = hash2; // hash2 is only used to ensure it was computed and stored for nonce 2.
+}
+
 // Clearing a nonce <= inbound nonce does not update inbound nonce
 #[test]
 fn test_clear_payload_does_not_update_inbound_nonce_when_nonce_is_not_greater() {
@@ -132,7 +170,7 @@ fn test_clear_payload_payload_hash_not_found_when_nonce_is_checkpointed_but_miss
     let src_eid = 2;
     let sender = BytesN::from_array(env, &[1u8; 32]);
 
-    // nonce <= lazy_nonce, so clear_payload will NOT run the "has_payload for all intermediate nonces" check.
+    // nonce <= inbound_nonce, so clear_payload will NOT run the "has_payload for all intermediate nonces" check.
     // It should fail at the payload hash check instead.
     env.as_contract(&endpoint_client.address, || {
         storage::EndpointStorage::set_inbound_nonce(env, &receiver, src_eid, &sender, &5u64)
@@ -186,6 +224,7 @@ fn test_clear_payload_not_stored() {
 fn test_clear_payload_missing_intermediate_nonce() {
     let context = setup();
     let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
 
     let receiver = Address::generate(env);
     let src_eid = 2;
@@ -198,9 +237,19 @@ fn test_clear_payload_missing_intermediate_nonce() {
     let _ = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 1, &payload1);
     let _ = inbound_as_verified_from_payload(&context, &receiver, src_eid, &sender, 3, &payload3);
 
+    // inbound_nonce should be 1 (nonce 2 is missing), and nonce 3 should be pending.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
+    assert_eq!(
+        endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender),
+        soroban_sdk::vec![env, 3u64]
+    );
+
     // Clearing nonce 1 succeeds.
     clear_payload(&context, &receiver, src_eid, &sender, 1, &payload1);
 
+    // clear_payload does not advance inbound_nonce; it remains 1.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
+
     // Try to clear nonce 3 - should panic because inbound_nonce is still 1 (nonce 3 is out-of-order).
     clear_payload(&context, &receiver, src_eid, &sender, 3, &payload3);
 }

package/contracts/endpoint-v2/src/tests/messaging_channel/inbound.rs

@@ -123,6 +123,36 @@ fn test_inbound_out_of_order_populates_pending_and_drains_when_gap_closed() {
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64), Some(hash_2));
 }
 
+#[test]
+fn test_inbound_when_nonce_already_pending_does_not_advance_inbound_nonce() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // First inbound at nonce 2 adds it to pending (gap at nonce 1).
+    let hash_2_a = BytesN::from_array(env, &[0x22u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 2u64, &hash_2_a)
+    });
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 2u64]);
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64), Some(hash_2_a.clone()));
+
+    // Re-inbound at the same nonce should overwrite the payload hash, but should NOT duplicate pending
+    // entries nor advance inbound_nonce (gap at nonce 1 still exists).
+    let hash_2_b = BytesN::from_array(env, &[0x23u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 2u64, &hash_2_b)
+    });
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 2u64]);
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64), Some(hash_2_b));
+}
+
 #[test]
 #[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
 fn test_inbound_rejects_nonce_beyond_pending_window() {
@@ -141,6 +171,52 @@ fn test_inbound_rejects_nonce_beyond_pending_window() {
     });
 }
 
+#[test]
+fn test_inbound_accepts_upper_bound_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Set inbound_nonce to 100 so the upper bound is 356 (= 100 + 256).
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 100);
+
+    let hash = BytesN::from_array(env, &[0xabu8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 356u64, &hash)
+    });
+
+    // Nonce 356 is not consecutive to 100, so it stays pending and inbound_nonce does not advance.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 100);
+    assert_eq!(
+        endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender),
+        soroban_sdk::vec![env, 356u64]
+    );
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &356u64), Some(hash));
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_inbound_rejects_beyond_upper_bound_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 100);
+
+    let hash = BytesN::from_array(env, &[0xabu8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 357u64, &hash)
+    });
+}
+
 #[test]
 #[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
 fn test_inbound_rejects_reverify_when_nonce_leq_inbound_and_payload_missing() {
@@ -184,4 +260,6 @@ fn test_inbound_allows_reverify_when_nonce_leq_inbound_and_payload_exists() {
         EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 1u64, &new_hash)
     });
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &1u64), Some(new_hash));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 }

package/contracts/endpoint-v2/src/tests/messaging_channel/insert_and_drain_pending_nonces.rs

@@ -0,0 +1,272 @@
+use soroban_sdk::{testutils::Address as _, Address, BytesN};
+
+use crate::{endpoint_v2::EndpointV2, tests::endpoint_setup::setup};
+
+fn insert_and_drain(
+    context: &crate::tests::endpoint_setup::TestSetup,
+    receiver: &Address,
+    src_eid: u32,
+    sender: &BytesN<32>,
+    nonce: u64,
+) {
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::insert_and_drain_pending_nonces_for_test(env, receiver, src_eid, sender, nonce)
+    });
+}
+
+#[test]
+fn test_insert_and_drain_inserts_sorted_and_dedupes() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Start with inbound_nonce = 0.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+
+    // Insert out of order: 3 then 2. Pending should remain sorted.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 3);
+    insert_and_drain(&context, &receiver, src_eid, &sender, 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(
+        endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender),
+        soroban_sdk::vec![env, 2u64, 3u64]
+    );
+
+    // Re-inserting an already pending nonce should be a no-op (no duplicates, no drain).
+    insert_and_drain(&context, &receiver, src_eid, &sender, 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(
+        endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender),
+        soroban_sdk::vec![env, 2u64, 3u64]
+    );
+
+    insert_and_drain(&context, &receiver, src_eid, &sender, 1);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+fn test_insert_and_drain_drains_consecutive_sequence() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Insert 2 and 3, then insert 1. Inserting 1 should drain 1,2,3 and advance inbound_nonce to 3.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 2);
+    insert_and_drain(&context, &receiver, src_eid, &sender, 3);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(
+        endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender),
+        soroban_sdk::vec![env, 2u64, 3u64]
+    );
+
+    insert_and_drain(&context, &receiver, src_eid, &sender, 1);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+fn test_insert_and_drain_leaves_nonconsecutive_tail_pending() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Insert 2 and 4, then insert 1. Drain should advance to 2 but leave 4 pending (gap at 3).
+    insert_and_drain(&context, &receiver, src_eid, &sender, 2);
+    insert_and_drain(&context, &receiver, src_eid, &sender, 4);
+    insert_and_drain(&context, &receiver, src_eid, &sender, 1);
+
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 4u64]);
+}
+
+#[test]
+fn test_insert_and_drain_accepts_upper_bound_when_inbound_nonce_zero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // inbound_nonce == 0: 256 is allowed.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 256);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 256u64]);
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_insert_and_drain_rejects_beyond_upper_bound_when_inbound_nonce_zero() {
+    let context = setup();
+    let env = &context.env;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // inbound_nonce == 0: 257 is out of range (max is 256).
+    insert_and_drain(&context, &receiver, src_eid, &sender, 257);
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_insert_and_drain_rejects_nonce_leq_inbound_nonce() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Advance inbound_nonce to 5 via storage utility.
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 5);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
+
+    // Calling with new_nonce == inbound_nonce should panic InvalidNonce.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 5);
+}
+
+#[test]
+fn test_insert_and_drain_accepts_upper_bound_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // inbound_nonce == 100: upper bound is 356 (= 100 + 256).
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 100);
+    insert_and_drain(&context, &receiver, src_eid, &sender, 356);
+
+    // Not consecutive to 100, so it remains pending and inbound_nonce does not advance.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 100);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 356u64]);
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_insert_and_drain_rejects_beyond_upper_bound_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 100);
+
+    // inbound_nonce == 100: 357 is out of range (max is 356).
+    insert_and_drain(&context, &receiver, src_eid, &sender, 357);
+}
+
+#[test]
+fn test_insert_and_drain_drains_across_existing_pending_tail_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Set inbound_nonce to 2.
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+
+    // Insert 4 first -> pending [4], inbound_nonce remains 2 (missing 3).
+    insert_and_drain(&context, &receiver, src_eid, &sender, 4);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 4u64]);
+
+    // Insert 3 -> should drain 3 then 4 and advance inbound_nonce to 4.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 3);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 4);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+fn test_insert_and_drain_drains_single_next_nonce_when_no_pending() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 5);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+
+    // Insert exactly inbound_nonce + 1. This should drain immediately and leave pending empty.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 6);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 6);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+fn test_insert_and_drain_window_holds_255_when_inbound_plus_one_missing_then_drains() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Fill the pending window with 2..=256 while nonce 1 is still missing.
+    // This creates 255 pending nonces and inbound_nonce remains 0.
+    for nonce in 2u64..=256u64 {
+        insert_and_drain(&context, &receiver, src_eid, &sender, nonce);
+    }
+
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    let pending = endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender);
+    assert_eq!(pending.len(), 255);
+    assert_eq!(pending.get(0).unwrap(), 2u64);
+    assert_eq!(pending.get(254).unwrap(), 256u64);
+
+    // Inserting nonce 1 closes the gap and drains the entire window.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 1);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 256);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_insert_and_drain_rejects_257_when_missing_inbound_plus_one() {
+    let context = setup();
+    let env = &context.env;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Keep inbound_nonce at 0 and fill 2..=256 into pending.
+    for nonce in 2u64..=256u64 {
+        insert_and_drain(&context, &receiver, src_eid, &sender, nonce);
+    }
+
+    // 257 is outside the allowed range (0, 256] while inbound_nonce is still 0.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 257);
+}

package/contracts/endpoint-v2/src/tests/messaging_channel/mod.rs

@@ -3,6 +3,7 @@ mod clear_payload;
 mod inbound;
 mod inbound_nonce;
 mod inbound_payload_hash;
+mod insert_and_drain_pending_nonces;
 mod pending_inbound_nonces;
 mod next_guid;
 mod nilify;

package/contracts/endpoint-v2/src/tests/messaging_channel/nilify.rs

@@ -92,6 +92,7 @@ fn test_nilify_success_with_stored_payload() {
 
     // Verify payload hash is stored.
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
 
     // Nilify the payload.
     let payload_hash_opt = Some(payload_hash.clone());
@@ -114,9 +115,10 @@ fn test_nilify_success_with_stored_payload() {
     let nilified_hash = endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce);
     let expected_nil_hash = nil_hash(&context);
     assert_eq!(nilified_hash, Some(expected_nil_hash));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
 }
 
-// Successful nilify with None (non-verified nonce) when nonce > lazy nonce
+// Successful nilify with None (no existing payload hash) when nonce > inbound_nonce
 #[test]
 fn test_nilify_success_with_empty_payload() {
     let context = setup();
@@ -150,9 +152,9 @@ fn test_nilify_success_with_empty_payload() {
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
 }
 
-// Nilify with None counts as "verified" for inbound_nonce (but does not change lazy nonce)
+// Nilify with None counts toward `inbound_nonce` advancement (via pending-nonce draining).
 #[test]
-fn test_nilify_with_none_advances_inbound_nonce_without_changing_lazy_nonce() {
+fn test_nilify_with_none_advances_inbound_nonce_without_changing_payload_hashes() {
     let context = setup();
     let env = &context.env;
     let endpoint_client = &context.endpoint_client;
@@ -211,7 +213,7 @@ fn test_nilify_closes_gap_and_drains_pending_nonces() {
     );
 }
 
-// Nilify is allowed when nonce <= lazy nonce if a payload hash exists
+// Nilify is allowed when nonce <= inbound_nonce if an `inbound_payload_hash` exists
 #[test]
 fn test_nilify_allows_when_nonce_is_checkpointed_if_payload_exists() {
     let context = setup();
@@ -232,7 +234,7 @@ fn test_nilify_allows_when_nonce_is_checkpointed_if_payload_exists() {
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 10);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
 
-    // Even though nonce <= lazy_nonce, this should succeed because a payload hash exists.
+    // Even though nonce <= inbound_nonce, this should succeed because a payload hash exists.
     let payload_hash_opt = Some(payload_hash.clone());
     nilify_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce, &payload_hash_opt);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(nil_hash(&context)));
@@ -253,16 +255,19 @@ fn test_nilify_allows_repeated_call_when_already_nilified() {
 
     // First nilify: verified payload hash -> nil hash.
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce, &payload_hash);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
     let payload_hash_opt = Some(payload_hash);
     nilify_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce, &payload_hash_opt);
 
     let nil = nil_hash(&context);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(nil.clone()));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
 
     // Second nilify: passing the current stored nil hash should succeed.
     let nil_opt = Some(nil.clone());
     nilify_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce, &nil_opt);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(nil));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
 }
 
 // Delegate authorization (delegate(receiver) is allowed)

package/contracts/endpoint-v2/src/tests/messaging_channel/skip.rs

@@ -248,6 +248,36 @@ fn test_skip_closes_gap_and_advances_inbound_nonce() {
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2), Some(payload_hash_2));
 }
 
+// Skipping a missing nonce can close *part* of the gap while leaving later gaps pending.
+#[test]
+fn test_skip_closes_gap_but_pending_inbound_nonces_not_empty() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Verify nonce 2 and 4 out-of-order. inbound_nonce stays 0 because nonce 1 is missing, and
+    // pending list contains [2, 4] (gap at 1 and 3).
+    let payload_hash_2 = BytesN::from_array(env, &[0x11u8; 32]);
+    let payload_hash_4 = BytesN::from_array(env, &[0x22u8; 32]);
+    context.inbound_as_verified(&receiver, src_eid, &sender, 2, &payload_hash_2);
+    context.inbound_as_verified(&receiver, src_eid, &sender, 4, &payload_hash_4);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+
+    // Skip nonce 1 closes the first gap and drains consecutive pending nonces up to 2,
+    // but nonce 4 remains pending because nonce 3 is still missing.
+    skip_with_auth(&context, &receiver, &receiver, src_eid, &sender, 1);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 4u64]);
+
+    // Payload hashes remain intact.
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2), Some(payload_hash_2));
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &4), Some(payload_hash_4));
+}
+
 // Repeated skip of the same nonce is rejected
 #[test]
 fn test_skip_rejects_repeated_same_nonce() {