@novasamatech/statement-store 0.8.7-1 → 0.8.7-2

package/dist/session/priority.d.ts

@@ -0,0 +1 @@
+export declare function nextExpiry(current: bigint): bigint;

package/dist/session/priority.js

@@ -0,0 +1,22 @@
+/**
+ * Statement expiry/priority, u64 = (expiration_epoch << 32) | priority (spec layout).
+ * We pin the high word to 0xFFFFFFFF (max → effectively non-expiring, matching iOS &
+ * Android) and use the low word as a wall-clock-floored monotonic priority, so channel
+ * supersession is driven by the priority regardless of how the store compares the field.
+ * Returns a value strictly greater than `current` (i.e. `max(current + 1, now-priority)`).
+ */
+const NEVER_EXPIRE_HIGH = 0xffffffffn;
+/**
+ * Priority epoch base: seconds at 2025-11-15T00:00:00Z. The low word is a u32 priority counted FROM
+ * this epoch (spec §1), not the raw Unix timestamp. iOS (StatementPriorityFactory.unixOffset) and
+ * Android subtract the same offset; omitting it makes the TS low word ~1.76e9 larger than every
+ * mobile client's, so any cross-client or shared-channel priority comparison would always rank a
+ * TS-written statement above a mobile-written one. Keeping the base aligned removes that landmine.
+ */
+const PRIORITY_EPOCH_OFFSET = 1763164800n;
+export function nextExpiry(current) {
+    const nowSecs = BigInt(Math.floor(Date.now() / 1000));
+    const priority = nowSecs > PRIORITY_EPOCH_OFFSET ? nowSecs - PRIORITY_EPOCH_OFFSET : 0n;
+    const timestampPriority = (NEVER_EXPIRE_HIGH << 32n) | priority;
+    return timestampPriority > current ? timestampPriority : current + 1n;
+}

package/dist/session/priority.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/session/priority.spec.js

@@ -0,0 +1,43 @@
+import { describe, expect, it, vi } from 'vitest';
+import { nextExpiry } from './priority.js';
+// Statement expiry/priority: u64 = (expiration_epoch << 32) | priority. The high word is pinned
+// to 0xFFFFFFFF (non-expiring) and the low word is a wall-clock-floored monotonic priority that
+// drives channel supersession. (Spec §1; matches iOS/Android.)
+describe('expiry priority', () => {
+    it('encodes a non-expiring statement (high word pinned to 0xFFFFFFFF)', () => {
+        expect(nextExpiry(0n) >> 32n).toBe(0xffffffffn);
+    });
+    it('carries a wall-clock priority in the low word', () => {
+        const result = nextExpiry(0n);
+        expect(result & 0xffffffffn).toBeGreaterThan(0n);
+    });
+    it('counts the low word from the 2025-11-15 priority epoch (matches iOS/Android)', () => {
+        // iOS StatementPriorityFactory: priority = unixSeconds - 1_763_164_800 (the 2025-11-15 base,
+        // spec §1). The TS SDK must use the SAME base; otherwise its low word is ~1.76e9 larger than
+        // every mobile client's, so any cross-client/shared-channel priority comparison would rank a
+        // TS-written statement above a mobile-written one regardless of real time.
+        const PRIORITY_EPOCH_OFFSET = 1763164800n;
+        vi.useFakeTimers();
+        try {
+            const fixedMs = 1_780_000_000_000;
+            vi.setSystemTime(fixedMs);
+            const expected = BigInt(Math.floor(fixedMs / 1000)) - PRIORITY_EPOCH_OFFSET;
+            expect(nextExpiry(0n) & 0xffffffffn).toBe(expected);
+        }
+        finally {
+            vi.useRealTimers();
+        }
+    });
+    it('increments by one when the current value already exceeds the wall-clock priority', () => {
+        const high = (0xffffffffn << 32n) | 0xffffffffn; // max u64
+        expect(nextExpiry(high)).toBe(high + 1n);
+    });
+    it('is strictly monotonic across repeated calls', () => {
+        let expiry = 0n;
+        for (let i = 0; i < 5; i++) {
+            const next = nextExpiry(expiry);
+            expect(next).toBeGreaterThan(expiry);
+            expiry = next;
+        }
+    });
+});

package/dist/session/session.d.ts

@@ -32,5 +32,4 @@ export type SessionParams = {
  * `maxStatementSize - overhead` rather than the raw statement limit.
  */
 export declare const STATEMENT_OVERHEAD: number;
-export declare function nextExpiry(current: bigint): bigint;
 export declare function createSession({ localAccount, remoteAccount, statementStore, encryption, prover, sessionKey, maxRequestSize, }: SessionParams): Session;

package/dist/session/session.js

@@ -8,8 +8,12 @@ import { nonNullable, toError } from '../helpers.js';
 import { createSessionId } from '../model/session.js';
 import { DecodingError, DecryptionError, UnknownError } from './error.js';
 import { toMessage } from './messageMapper.js';
+import { nextExpiry } from './priority.js';
 import { StatementData } from './scale/statementData.js';
 const DEFAULT_MAX_REQUEST_SIZE = 4096;
+// Rejection reason shared by dispose() and the disposed guards on submit*, so a torn-down session
+// always fails new and in-flight work the same way.
+const SESSION_DISPOSED = 'Session disposed';
 // Bounded retry for transient transport failures (the spec mandates retrying queries
 // and submit_statement on connection failure). The TS adapter doesn't expose connection
 // state, so we approximate with a short fixed backoff and an attempt cap.
@@ -23,19 +27,6 @@ const RETRY_DELAY_MS = 25;
  * `maxStatementSize - overhead` rather than the raw statement limit.
  */
 export const STATEMENT_OVERHEAD = 32 + 32 + 8 + 64 + 32; // 168 bytes
-/**
- * Statement expiry/priority, u64 = (expiration_epoch << 32) | priority (spec layout).
- * We pin the high word to 0xFFFFFFFF (max → effectively non-expiring, matching iOS &
- * Android) and use the low word as a wall-clock-floored monotonic priority, so channel
- * supersession is driven by the priority regardless of how the store compares the field.
- * Returns a value strictly greater than `current` (i.e. `max(current + 1, now-priority)`).
- */
-const NEVER_EXPIRE_HIGH = 0xffffffffn;
-export function nextExpiry(current) {
-    const nowSecs = BigInt(Math.floor(Date.now() / 1000));
-    const timestampPriority = (NEVER_EXPIRE_HIGH << 32n) | nowSecs;
-    return timestampPriority > current ? timestampPriority : current + 1n;
-}
 // Encode/decode a StatementData envelope, surfacing scale-ts throws as a Result.
 const encodeStatementData = fromThrowable(StatementData.enc, toError);
 const decodeStatementData = fromThrowable(StatementData.dec, toError);
@@ -77,15 +68,27 @@ function makeDeferred() {
     promise.catch(() => undefined);
     return { resolve, reject, promise };
 }
-// Retry a submit on failure with a short backoff, up to `attemptsLeft` extra attempts.
-// A successful submit returns immediately (no delay on the happy path). `shouldRetry` is
-// re-checked before each retry: once the submission is superseded, aborted, or the session
-// is disposed it returns false, so a stale retry can never resurrect an old statement.
+// Retry a submit on failure with a short backoff. `shouldRetry` is re-checked before each retry:
+// once the submission is superseded, aborted, or the session is disposed it returns false, so a
+// stale retry can never resurrect an old statement.
+//
+// ExpiryTooLow is treated specially: it is never a chain/statement failure, only a sign our
+// in-memory expiry lagged the channel's on-chain priority. submitStatementData has already resynced
+// us above the reported minimum, so the next attempt submits higher. We therefore retry ExpiryTooLow
+// WITHOUT spending the `attemptsLeft` transient-failure budget — keeping at it until it lands or the
+// submission is superseded — and, once superseded, swallow it as success. The upshot: ExpiryTooLow
+// never surfaces to callers. (Other errors keep the bounded retry and propagate when exhausted.)
 function submitWithRetry(submit, attemptsLeft, shouldRetry) {
+    // How to settle once we stop retrying: a no-longer-live submission rejected with ExpiryTooLow
+    // simply lost the channel race to a newer, higher-priority statement — benign, so report success.
+    const settle = (error) => !shouldRetry() && error instanceof ExpiryTooLowError ? okAsync(undefined) : errAsync(error);
     return submit().orElse(error => {
-        if (attemptsLeft <= 0 || !shouldRetry())
-            return errAsync(error);
-        return ResultAsync.fromSafePromise(new Promise(resolve => setTimeout(resolve, RETRY_DELAY_MS))).andThen(() => !shouldRetry() ? errAsync(error) : submitWithRetry(submit, attemptsLeft - 1, shouldRetry));
+        const expiryTooLow = error instanceof ExpiryTooLowError;
+        if (!shouldRetry() || (!expiryTooLow && attemptsLeft <= 0))
+            return settle(error);
+        // ExpiryTooLow is always recoverable while live, so it doesn't consume the retry budget.
+        const nextAttempts = expiryTooLow ? attemptsLeft : attemptsLeft - 1;
+        return ResultAsync.fromSafePromise(new Promise(resolve => setTimeout(resolve, RETRY_DELAY_MS))).andThen(() => shouldRetry() ? submitWithRetry(submit, nextAttempts, shouldRetry) : settle(error));
     });
 }
 export function createSession({ localAccount, remoteAccount, statementStore, encryption, prover, sessionKey, maxRequestSize = DEFAULT_MAX_REQUEST_SIZE, }) {
@@ -155,19 +158,19 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
         // newer retransmit, aborted via clearOutgoingStatement, or disposed).
         () => !disposed && state.outgoingRequest?.requestIds.at(-1) === requestId))
             .mapErr(e => {
-            if (disposed)
+            // ExpiryTooLow is handled in submitWithRetry (retried until it lands, swallowed once
+            // superseded), so an error reaching here is a different, genuine failure. If this submission
+            // was already superseded by a newer retransmit (same tokens) it is not the live request's
+            // concern — drop it silently; the newer one carries the waiters. Otherwise the bounded
+            // retries are exhausted on the LIVE submission: the request never landed, so fail its
+            // waiters rather than let them hang.
+            const outgoing = state.outgoingRequest;
+            if (disposed || !outgoing || outgoing.requestIds.at(-1) !== requestId)
                 return;
             console.error('submitRequest failed:', e);
-            // Retries are exhausted. If this is still the live submission (not already
-            // superseded by a newer retransmit), the request never landed — fail its
-            // waiters rather than let them hang. A superseded older submission failing
-            // is expected and must NOT reject, since the newer one carries the same tokens.
-            const outgoing = state.outgoingRequest;
-            if (outgoing && outgoing.requestIds[outgoing.requestIds.length - 1] === requestId) {
-                settleTokens(outgoing.tokens, deferred => deferred.reject(e));
-                state.outgoingRequest = null;
-                processMessageQueue();
-            }
+            settleTokens(outgoing.tokens, deferred => deferred.reject(e));
+            state.outgoingRequest = null;
+            processMessageQueue();
         });
     }
     function deliverStatementData(statementData) {
@@ -379,6 +382,8 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
         }
         const decodeAll = (statements) => Promise.all(statements.map(s => tryDecodeStatement(s).unwrapOr({ kind: 'undecodable', requestId: null }))).then(outcomes => outcomes.map(o => (o.kind === 'decoded' ? o.data : null)).filter(nonNullable));
         const [ownDecoded, peerDecoded] = await Promise.all([decodeAll(ownStatements), decodeAll(peerStatements)]);
+        if (disposed)
+            return;
         // Both parties publish on their own outgoing topic, so the OUTGOING query returns our
         // requests + OUR responses, and the INCOMING query returns the peer's requests + the
         // PEER's responses. Hence: our request is answered by a PEER response (incoming), and we
@@ -421,6 +426,8 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
                 .andThen(({ requestId }) => session.waitForResponseMessage(requestId).andThen(({ responseCode }) => mapResponseCode(responseCode)));
         },
         submitRequestMessage(codec, message) {
+            if (disposed)
+                return errAsync(new Error(SESSION_DISPOSED));
             const encode = fromThrowable(codec.enc, toError);
             const encodedResult = encode(message);
             if (encodedResult.isErr())
@@ -448,6 +455,8 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
             return okAsync({ requestId: token });
         },
         submitResponseMessage(requestId, responseCode) {
+            if (disposed)
+                return errAsync(new Error(SESSION_DISPOSED));
             const incoming = state.incomingRequests.get(requestId);
             if (!incoming)
                 return errAsync(new Error(`No incoming request with id ${requestId}`));
@@ -471,6 +480,19 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
                 // Answered: it no longer needs replaying to future subscribers.
                 .andTee(() => pruneBufferedRequest(requestId))
                 .orElse(error => {
+                // ExpiryTooLow is handled in submitWithRetry (swallowed once a newer response supersedes
+                // this one on the shared channel), so an error here is a different failure. If this is no
+                // longer the latest response (superseded) or the session is disposed, keep the request
+                // marked answered — re-answering would only clobber the newer response — and absorb the
+                // error. NOTE: the shared response channel still only exposes the latest response to the
+                // peer, so reliably ACKing several outstanding requests needs the protocol-level fix
+                // tracked separately.
+                if (disposed || lastResponseRequestId !== requestId) {
+                    pruneBufferedRequest(requestId);
+                    return okAsync(undefined);
+                }
+                // The live response genuinely failed after exhausting retries — roll back so a later
+                // peer retransmit can still be answered, and surface the error.
                 incoming.responded = false;
                 return errAsync(error);
             }));
@@ -574,8 +596,11 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
             // Supersede the live batch with an empty one. Use submitStatementData so the
             // empty statement goes out at a STRICTLY higher expiry — the store rejects an
             // equal-or-lower expiry on the same channel, so reusing state.expiry would
-            // leave the original request live on-chain.
-            return submitStatementData(createRequestChannel(outgoingSessionId), outgoingSessionId, encoded.value);
+            // leave the original request live on-chain. Route through submitWithRetry with
+            // shouldRetry:()=>false so it inherits the single ExpiryTooLow policy — a rejection
+            // means the channel already advanced past us, so the clear already happened → absorb it —
+            // without retrying (clearing is a one-shot supersede, not a request that must land).
+            return submitWithRetry(() => submitStatementData(createRequestChannel(outgoingSessionId), outgoingSessionId, encoded.value), 0, () => false);
         },
         dispose() {
             disposed = true;
@@ -592,9 +617,9 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
             // Settle any waitForRequestMessage() promises so callers unwind instead of
             // hanging forever. Snapshot first — rejecting mutates the set.
             for (const rejectWaiter of [...requestWaiters])
-                rejectWaiter(new Error('Session disposed'));
+                rejectWaiter(new Error(SESSION_DISPOSED));
             requestWaiters.clear();
-            rejectAllPending(new Error('Session disposed'));
+            rejectAllPending(new Error(SESSION_DISPOSED));
         },
     };
     void init();

package/dist/session/session.spec.js

@@ -1,5 +1,5 @@
 import { createExpiryFromDuration } from '@novasamatech/sdk-statement';
-import { ResultAsync, errAsync, ok, okAsync } from 'neverthrow';
+import { ResultAsync, err, errAsync, ok, okAsync } from 'neverthrow';
 import { Bytes, Struct, str } from 'scale-ts';
 import { describe, expect, it, vi } from 'vitest';
 import { createInMemoryStatementStore } from '../adapter/inMemory.js';
@@ -7,7 +7,7 @@ import { ExpiryTooLowError } from '../adapter/types.js';
 import { createAccountId, createLocalSessionAccount, createRemoteSessionAccount } from '../model/sessionAccount.js';
 import { DecodingError, UnknownError } from './error.js';
 import { StatementData } from './scale/statementData.js';
-import { STATEMENT_OVERHEAD, createSession, nextExpiry } from './session.js';
+import { STATEMENT_OVERHEAD, createSession } from './session.js';
 // Real signature work belongs in statementProver tests; this stub stamps a
 // non-empty proof so submitted statements are well-formed.
 const mockProver = {
@@ -91,6 +91,20 @@ function lastSubmittedRequestId(adapter) {
     const decoded = StatementData.dec(lastSubmitted(adapter).data);
     return decoded.tag === 'request' ? decoded.value.requestId : '';
 }
+// A submitStatement mock that defers every submission instead of resolving: each call records a
+// `{ requestId, settle }` entry in `pendings`, letting a test land or reject submissions in a chosen
+// order (used to drive shared-channel supersession races). Works for request and response payloads.
+function deferredSubmit() {
+    const pendings = [];
+    const submitStatement = vi.fn((stmt) => {
+        const decoded = StatementData.dec(stmt.data);
+        const requestId = decoded.tag === 'request' || decoded.tag === 'response' ? decoded.value.requestId : '';
+        return ResultAsync.fromPromise(new Promise((resolve, reject) => {
+            pendings.push({ requestId, settle: r => (r.isOk() ? resolve() : reject(r.error)) });
+        }), e => e);
+    });
+    return { submitStatement, pendings };
+}
 // Encoded size of the request payload (the statement `data` field) for these messages —
 // what the session sizes batches against. Includes the requestId (a fixed-length nanoid)
 // and the SCALE vector framing, so it is larger than the raw message bytes alone.
@@ -139,30 +153,6 @@ function makeMobile(adapter) {
 }
 describe('session', () => {
     const rawCodec = Bytes();
-    // Statement expiry/priority: u64 = (expiration_epoch << 32) | priority. The high word is pinned
-    // to 0xFFFFFFFF (non-expiring) and the low word is a wall-clock-floored monotonic priority that
-    // drives channel supersession. (Spec §1; matches iOS/Android.)
-    describe('expiry priority', () => {
-        it('encodes a non-expiring statement (high word pinned to 0xFFFFFFFF)', () => {
-            expect(nextExpiry(0n) >> 32n).toBe(0xffffffffn);
-        });
-        it('carries a wall-clock priority in the low word', () => {
-            const result = nextExpiry(0n);
-            expect(result & 0xffffffffn).toBeGreaterThan(0n);
-        });
-        it('increments by one when the current value already exceeds the wall-clock priority', () => {
-            const high = (0xffffffffn << 32n) | 0xffffffffn; // max u64
-            expect(nextExpiry(high)).toBe(high + 1n);
-        });
-        it('is strictly monotonic across repeated calls', () => {
-            let expiry = 0n;
-            for (let i = 0; i < 5; i++) {
-                const next = nextExpiry(expiry);
-                expect(next).toBeGreaterThan(expiry);
-                expiry = next;
-            }
-        });
-    });
     // On creation a session queries both of its topics, derives the starting expiry, and buffers
     // anything it finds until it goes active. (Spec §5 initialization.)
     describe('initialization', () => {
@@ -757,6 +747,40 @@ describe('session', () => {
             expect(second.isOk()).toBe(true);
             expect(adapter.submitStatement.mock.calls.length).toBeGreaterThan(submitsBefore);
         }, 3000);
+        it('absorbs a superseded response rejected as ExpiryTooLow and keeps the request answered', async () => {
+            // Two incoming requests are answered on the SHARED response channel. The response to A is in
+            // flight when the response to B takes over the channel; A then lands at a now-lower expiry and
+            // the store rejects it (ExpiryTooLow). That supersession is expected: B's response owns the
+            // channel, so A's rejection must be absorbed (not surfaced) and A must stay marked answered —
+            // re-answering would only clobber B. (Returning ok here is also what stops respondToRequests
+            // from logging it as a failed response.)
+            const reqA = makeStatement({ tag: 'request', value: { requestId: 'A', data: [] } });
+            const { subscribeStatements, callbacks } = capturingSubscribe();
+            const { submitStatement, pendings } = deferredSubmit();
+            const { session, adapter } = makeSession({ peer: [reqA], subscribeStatements, submitStatement });
+            await delay();
+            session.subscribe(rawCodec, vi.fn()); // activate the store subscription
+            const reqB = makeStatement({ tag: 'request', value: { requestId: 'B', data: [] } });
+            callbacks[0]({ statements: [reqB], isComplete: true });
+            await delay();
+            const resAPromise = session.submitResponseMessage('A', 'success'); // in flight on the shared channel
+            const resBPromise = session.submitResponseMessage('B', 'success'); // supersedes A
+            await delay(); // both reach submitStatement
+            expect(pendings).toHaveLength(2);
+            pendings.find(p => p.requestId === 'B').settle(ok(undefined)); // B lands, owns the channel
+            pendings.find(p => p.requestId === 'A').settle(err(new ExpiryTooLowError(0n, 0n))); // A lands late, rejected
+            const resA = await resAPromise;
+            const resB = await resBPromise;
+            expect(resB.isOk()).toBe(true);
+            expect(resA.isOk()).toBe(true); // superseded rejection absorbed, not surfaced as an error
+            // A stays answered: re-answering it must NOT submit again (which would clobber B's response).
+            const submitsBefore = adapter.submitStatement.mock.calls.length;
+            const reAnswer = await session.submitResponseMessage('A', 'success');
+            await delay();
+            expect(reAnswer.isOk()).toBe(true);
+            expect(adapter.submitStatement.mock.calls.length).toBe(submitsBefore); // deduped → no resubmit
+            session.dispose();
+        }, 3000);
     });
     // clearOutgoingStatement aborts the in-flight request: it drops local state, rejects waiters, and
     // supersedes the on-chain request with an empty batch at a strictly higher expiry.
@@ -769,6 +793,22 @@ describe('session', () => {
             expect(result.isOk()).toBe(true);
             expect(adapter.submitStatement.mock.calls.length).toBe(before);
         });
+        it('absorbs an ExpiryTooLow on the superseding empty batch as success', async () => {
+            // clearOutgoingStatement runs a single direct submit (no submitWithRetry). If the empty batch
+            // is rejected ExpiryTooLow, the channel already advanced past us — the request is already gone
+            // — so the clear has effectively happened. The caller must see success, not the sync artifact.
+            let calls = 0;
+            const submitStatement = vi.fn((stmt) => ++calls === 1
+                ? okAsync(undefined) // the request itself lands
+                : errAsync(new ExpiryTooLowError(stmt.expiry ?? 0n, (0xffffffffn << 32n) | 9000000000n)));
+            const { session } = makeSession({ submitStatement });
+            await delay();
+            void session.submitRequestMessage(rawCodec, new Uint8Array([1]));
+            await delay();
+            const cleared = await session.clearOutgoingStatement();
+            expect(cleared.isOk()).toBe(true); // ExpiryTooLow suppressed
+            session.dispose();
+        }, 3000);
         it('submits an empty batch on the same channel at a higher expiry and clears local state', async () => {
             const { session, adapter } = makeSession();
             await delay();
@@ -928,6 +968,31 @@ describe('session', () => {
             expect(retried.expiry ?? 0n).toBeGreaterThan(CHAIN_MIN); // healed past the chain minimum
             session.dispose();
         }, 3000);
+        it('keeps retrying a live ExpiryTooLow past the transient-retry cap until it lands', async () => {
+            // ExpiryTooLow is a sync artifact, not a chain failure: while the submission is still live the
+            // session keeps retrying (resyncing each time) BEYOND MAX_SUBMIT_RETRIES until it lands, and
+            // never surfaces ExpiryTooLow to the caller. (A non-ExpiryTooLow error gives up at the cap —
+            // see the test below.)
+            const CHAIN_MIN = (0xffffffffn << 32n) | 4000000000n;
+            let calls = 0;
+            const submitStatement = vi.fn((stmt) => ++calls <= 6 ? errAsync(new ExpiryTooLowError(stmt.expiry ?? 0n, CHAIN_MIN)) : okAsync(undefined));
+            const { session } = makeSession({ submitStatement });
+            await delay();
+            const errorSpy = vi.spyOn(console, 'error').mockImplementation(() => undefined);
+            try {
+                const submit = await session.submitRequestMessage(rawCodec, new Uint8Array([1]));
+                let waiterRejected = false;
+                void session.waitForResponseMessage(submit._unsafeUnwrap().requestId).mapErr(() => (waiterRejected = true));
+                await new Promise(resolve => setTimeout(resolve, 300)); // 6 retries × 25ms backoff + slack
+                expect(calls).toBeGreaterThanOrEqual(7); // retried well past the 3-attempt cap, then landed
+                expect(errorSpy).not.toHaveBeenCalledWith('submitRequest failed:', expect.anything());
+                expect(waiterRejected).toBe(false); // ExpiryTooLow never surfaced to the caller
+            }
+            finally {
+                errorSpy.mockRestore();
+                session.dispose();
+            }
+        }, 3000);
         it('rejects the pending waiter once request-submission retries are exhausted', async () => {
             const { session } = makeSession({
                 submitStatement: vi.fn().mockReturnValue(errAsync(new Error('store rejected'))),
@@ -938,6 +1003,40 @@ describe('session', () => {
             const waited = await session.waitForResponseMessage(requestId);
             expect(waited.isErr()).toBe(true);
         }, 2000);
+        it('absorbs a superseded older submission rejected as ExpiryTooLow without surfacing an error', async () => {
+            // Two messages batch onto one outgoing request: the first submission (requestId A) is in
+            // flight when the second (requestId B, higher expiry, SAME tokens) is sent. B lands first and
+            // sets the channel priority; A then lands at a now-lower expiry and the store rejects it with
+            // ExpiryTooLow. A is superseded, so its rejection is expected protocol behaviour — it must not
+            // be logged as an error and must not reject the shared waiters (B carries them).
+            const { submitStatement, pendings } = deferredSubmit();
+            const { session, adapter } = makeSession({ submitStatement });
+            await delay();
+            const errorSpy = vi.spyOn(console, 'error').mockImplementation(() => undefined);
+            try {
+                const first = (await session.submitRequestMessage(rawCodec, new Uint8Array([1])))._unsafeUnwrap();
+                void session.submitRequestMessage(rawCodec, new Uint8Array([2])); // batches onto the same outgoing request
+                await delay(); // let both submissions reach submitStatement
+                expect(pendings).toHaveLength(2);
+                const liveRequestId = lastSubmittedRequestId(adapter); // the newer (B) submission
+                const live = pendings.find(p => p.requestId === liveRequestId);
+                const superseded = pendings.find(p => p.requestId !== liveRequestId);
+                let firstWaiterRejected = false;
+                void session.waitForResponseMessage(first.requestId).mapErr(() => {
+                    firstWaiterRejected = true;
+                });
+                live.settle(ok(undefined)); // B lands, claims the channel priority
+                await delay();
+                superseded.settle(err(new ExpiryTooLowError(0n, 0n))); // A lands late and is rejected
+                await delay();
+                expect(errorSpy).not.toHaveBeenCalledWith('submitRequest failed:', expect.anything());
+                expect(firstWaiterRejected).toBe(false); // superseded failure must not reject the shared waiter
+            }
+            finally {
+                errorSpy.mockRestore();
+                session.dispose();
+            }
+        }, 3000);
     });
     describe('dispose', () => {
         it('rejects pending waitForRequestMessage waiters', async () => {
@@ -957,6 +1056,37 @@ describe('session', () => {
             await new Promise(resolve => setTimeout(resolve, 100)); // retry window elapses
             expect(queryStatements.mock.calls.length).toBe(callsBeforeDispose); // disposed → no further init queries
         }, 3000);
+        it('rejects submitRequestMessage after dispose instead of hanging', async () => {
+            const { session, adapter } = makeSession();
+            await delay();
+            session.dispose();
+            const result = await session.submitRequestMessage(rawCodec, new Uint8Array([1]));
+            expect(result.isErr()).toBe(true); // surfaced immediately, not a token left pending forever
+            expect(adapter.submitStatement).not.toHaveBeenCalled();
+        });
+        it('rejects submitResponseMessage after dispose', async () => {
+            const { session } = makeSession();
+            await delay();
+            session.dispose();
+            const result = await session.submitResponseMessage('any-id', 'success');
+            expect(result.isErr()).toBe(true);
+        });
+        it('does not re-activate when disposed while init is in flight', async () => {
+            // dispose() lands during init's query await; init must bail before restoring state / flipping
+            // phase to 'active', otherwise a torn-down session looks alive and accepts new work.
+            let resolveQueries;
+            const gate = new Promise(resolve => (resolveQueries = resolve));
+            const queryStatements = vi.fn(() => ResultAsync.fromSafePromise(gate));
+            const { session, adapter } = makeSession({ queryStatements });
+            const queued = await session.submitRequestMessage(rawCodec, new Uint8Array([1])); // queued during init
+            expect(queued.isOk()).toBe(true);
+            session.dispose(); // dispose mid-init
+            resolveQueries([]); // init resumes — must bail before draining the queue / activating
+            await settle();
+            expect(adapter.submitStatement).not.toHaveBeenCalled(); // no resurrection-driven submit
+            const after = await session.submitRequestMessage(rawCodec, new Uint8Array([2]));
+            expect(after.isErr()).toBe(true); // session stays disposed
+        }, 3000);
     });
     // The in-memory adapter replicates the store's observable contract; `fidelity` pins the double's
     // behaviour, then end-to-end flows run two mirrored sessions (host + mobile) over ONE shared store.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@novasamatech/statement-store",
   "type": "module",
-  "version": "0.8.7-1",
+  "version": "0.8.7-2",
   "description": "Statement store integration",
   "license": "Apache-2.0",
   "repository": {
@@ -25,9 +25,9 @@
     "README.md"
   ],
   "dependencies": {
-    "@novasamatech/scale": "0.8.7-1",
+    "@novasamatech/scale": "0.8.7-2",
     "@novasamatech/sdk-statement": "^0.6.0",
-    "@novasamatech/substrate-slot-sr25519-wasm": "0.8.7-1",
+    "@novasamatech/substrate-slot-sr25519-wasm": "0.8.7-2",
     "@polkadot-api/substrate-bindings": "^0.20.3",
     "@polkadot-api/substrate-client": "^0.7.0",
     "@polkadot-labs/hdkd-helpers": "^0.0.30",