@novasamatech/statement-store 0.8.7-1 → 0.8.7-3

package/dist/index.d.ts

@@ -19,5 +19,11 @@ export { createInMemoryStatementStore } from './adapter/inMemory.js';
 export type { StatementStoreAdapter } from './adapter/types.js';
 export { AccountFullError, AlreadyExpiredError, BadProofError, DataTooLargeError, EncodingTooLargeError, ExpiryTooLowError, InternalStoreError, KnownExpiredError, NoAllowanceError, NoProofError, StorageFullError, } from './adapter/types.js';
 export { createPapiStatementStoreAdapter } from './adapter/rpc.js';
+export type { ExpiryAllocator } from './submit/allocator.js';
+export { PRIORITY_EPOCH_OFFSET, createExpiryAllocator } from './submit/allocator.js';
+export type { SubmitRetryOptions } from './submit/retry.js';
+export { isPriorityTooLow, submitWithRetry } from './submit/retry.js';
+export type { SubmitStatementParams } from './submit/submitStatement.js';
+export { signAndSubmitStatement, submitStatementOnce } from './submit/submitStatement.js';
 export { createSr25519Derivation, createSr25519Secret, deriveSlotAccountPublicKey, deriveSr25519PublicKey, ensureSubstrateSlotSr25519Ready, ensureSubstrateSr25519Ready, khash, signSlotAccountSecret, signWithSr25519Secret, verifySlotAccountSignature, verifySr25519Signature, } from './crypto.js';
 export { substrateSr25519PublicKey } from './substrateSr25519.js';

package/dist/index.js

@@ -9,5 +9,8 @@ export { createLazyClient } from './adapter/lazyClient.js';
 export { createInMemoryStatementStore } from './adapter/inMemory.js';
 export { AccountFullError, AlreadyExpiredError, BadProofError, DataTooLargeError, EncodingTooLargeError, ExpiryTooLowError, InternalStoreError, KnownExpiredError, NoAllowanceError, NoProofError, StorageFullError, } from './adapter/types.js';
 export { createPapiStatementStoreAdapter } from './adapter/rpc.js';
+export { PRIORITY_EPOCH_OFFSET, createExpiryAllocator } from './submit/allocator.js';
+export { isPriorityTooLow, submitWithRetry } from './submit/retry.js';
+export { signAndSubmitStatement, submitStatementOnce } from './submit/submitStatement.js';
 export { createSr25519Derivation, createSr25519Secret, deriveSlotAccountPublicKey, deriveSr25519PublicKey, ensureSubstrateSlotSr25519Ready, ensureSubstrateSr25519Ready, khash, signSlotAccountSecret, signWithSr25519Secret, verifySlotAccountSignature, verifySr25519Signature, } from './crypto.js';
 export { substrateSr25519PublicKey } from './substrateSr25519.js';

package/dist/session/priority.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Priority epoch base: seconds at 2025-11-15T00:00:00Z. The low word is a u32 priority counted FROM
+ * this epoch (spec §1), not the raw Unix timestamp. iOS (StatementPriorityFactory.unixOffset) and
+ * Android subtract the same offset; omitting it makes the TS low word ~1.76e9 larger than every
+ * mobile client's, so any cross-client or shared-channel priority comparison would always rank a
+ * TS-written statement above a mobile-written one. Keeping the base aligned removes that landmine.
+ */
+export declare const PRIORITY_EPOCH_OFFSET = 1763164800n;
+export declare function nextExpiry(current: bigint): bigint;

package/dist/session/priority.js

@@ -0,0 +1,22 @@
+/**
+ * Statement expiry/priority, u64 = (expiration_epoch << 32) | priority (spec layout).
+ * We pin the high word to 0xFFFFFFFF (max → effectively non-expiring, matching iOS &
+ * Android) and use the low word as a wall-clock-floored monotonic priority, so channel
+ * supersession is driven by the priority regardless of how the store compares the field.
+ * Returns a value strictly greater than `current` (i.e. `max(current + 1, now-priority)`).
+ */
+const NEVER_EXPIRE_HIGH = 0xffffffffn;
+/**
+ * Priority epoch base: seconds at 2025-11-15T00:00:00Z. The low word is a u32 priority counted FROM
+ * this epoch (spec §1), not the raw Unix timestamp. iOS (StatementPriorityFactory.unixOffset) and
+ * Android subtract the same offset; omitting it makes the TS low word ~1.76e9 larger than every
+ * mobile client's, so any cross-client or shared-channel priority comparison would always rank a
+ * TS-written statement above a mobile-written one. Keeping the base aligned removes that landmine.
+ */
+export const PRIORITY_EPOCH_OFFSET = 1763164800n;
+export function nextExpiry(current) {
+    const nowSecs = BigInt(Math.floor(Date.now() / 1000));
+    const priority = nowSecs > PRIORITY_EPOCH_OFFSET ? nowSecs - PRIORITY_EPOCH_OFFSET : 0n;
+    const timestampPriority = (NEVER_EXPIRE_HIGH << 32n) | priority;
+    return timestampPriority > current ? timestampPriority : current + 1n;
+}

package/dist/session/priority.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/session/priority.spec.js

@@ -0,0 +1,43 @@
+import { describe, expect, it, vi } from 'vitest';
+import { nextExpiry } from './priority.js';
+// Statement expiry/priority: u64 = (expiration_epoch << 32) | priority. The high word is pinned
+// to 0xFFFFFFFF (non-expiring) and the low word is a wall-clock-floored monotonic priority that
+// drives channel supersession. (Spec §1; matches iOS/Android.)
+describe('expiry priority', () => {
+    it('encodes a non-expiring statement (high word pinned to 0xFFFFFFFF)', () => {
+        expect(nextExpiry(0n) >> 32n).toBe(0xffffffffn);
+    });
+    it('carries a wall-clock priority in the low word', () => {
+        const result = nextExpiry(0n);
+        expect(result & 0xffffffffn).toBeGreaterThan(0n);
+    });
+    it('counts the low word from the 2025-11-15 priority epoch (matches iOS/Android)', () => {
+        // iOS StatementPriorityFactory: priority = unixSeconds - 1_763_164_800 (the 2025-11-15 base,
+        // spec §1). The TS SDK must use the SAME base; otherwise its low word is ~1.76e9 larger than
+        // every mobile client's, so any cross-client/shared-channel priority comparison would rank a
+        // TS-written statement above a mobile-written one regardless of real time.
+        const PRIORITY_EPOCH_OFFSET = 1763164800n;
+        vi.useFakeTimers();
+        try {
+            const fixedMs = 1_780_000_000_000;
+            vi.setSystemTime(fixedMs);
+            const expected = BigInt(Math.floor(fixedMs / 1000)) - PRIORITY_EPOCH_OFFSET;
+            expect(nextExpiry(0n) & 0xffffffffn).toBe(expected);
+        }
+        finally {
+            vi.useRealTimers();
+        }
+    });
+    it('increments by one when the current value already exceeds the wall-clock priority', () => {
+        const high = (0xffffffffn << 32n) | 0xffffffffn; // max u64
+        expect(nextExpiry(high)).toBe(high + 1n);
+    });
+    it('is strictly monotonic across repeated calls', () => {
+        let expiry = 0n;
+        for (let i = 0; i < 5; i++) {
+            const next = nextExpiry(expiry);
+            expect(next).toBeGreaterThan(expiry);
+            expiry = next;
+        }
+    });
+});

package/dist/session/session.d.ts

@@ -1,5 +1,6 @@
 import type { StatementStoreAdapter } from '../adapter/types.js';
 import type { LocalSessionAccount, RemoteSessionAccount } from '../model/sessionAccount.js';
+import type { ExpiryAllocator } from '../submit/allocator.js';
 import type { Encryption } from './encyption.js';
 import type { StatementProver } from './statementProver.js';
 import type { Session } from './types.js';
@@ -23,6 +24,13 @@ export type SessionParams = {
      * throw.
      */
     sessionKey: Uint8Array;
+    /**
+     * Expiry source for this session's submits. Inject ONE shared allocator when
+     * several writers (sessions, raw submits) sign with the same account, so
+     * same-second submits cannot tie. Defaults to a private allocator —
+     * identical to the previous per-session behavior.
+     */
+    allocator?: ExpiryAllocator;
     maxRequestSize?: number;
 };
 /**
@@ -32,5 +40,4 @@ export type SessionParams = {
  * `maxStatementSize - overhead` rather than the raw statement limit.
  */
 export declare const STATEMENT_OVERHEAD: number;
-export declare function nextExpiry(current: bigint): bigint;
-export declare function createSession({ localAccount, remoteAccount, statementStore, encryption, prover, sessionKey, maxRequestSize, }: SessionParams): Session;
+export declare function createSession({ localAccount, remoteAccount, statementStore, encryption, prover, sessionKey, allocator, maxRequestSize, }: SessionParams): Session;

package/dist/session/session.js

@@ -1,15 +1,20 @@
+import { toHex } from '@novasamatech/scale';
 import { nanoid } from 'nanoid';
 import { ResultAsync, err, errAsync, fromPromise, fromThrowable, ok, okAsync } from 'neverthrow';
-import { toHex } from 'polkadot-api/utils';
 import { Struct, str } from 'scale-ts';
-import { ExpiryTooLowError } from '../adapter/types.js';
 import { khash, stringToBytes } from '../crypto.js';
 import { nonNullable, toError } from '../helpers.js';
 import { createSessionId } from '../model/session.js';
+import { createExpiryAllocator } from '../submit/allocator.js';
+import { isPriorityTooLow, submitWithRetry } from '../submit/retry.js';
+import { submitStatementOnce } from '../submit/submitStatement.js';
 import { DecodingError, DecryptionError, UnknownError } from './error.js';
 import { toMessage } from './messageMapper.js';
 import { StatementData } from './scale/statementData.js';
 const DEFAULT_MAX_REQUEST_SIZE = 4096;
+// Rejection reason shared by dispose() and the disposed guards on submit*, so a torn-down session
+// always fails new and in-flight work the same way.
+const SESSION_DISPOSED = 'Session disposed';
 // Bounded retry for transient transport failures (the spec mandates retrying queries
 // and submit_statement on connection failure). The TS adapter doesn't expose connection
 // state, so we approximate with a short fixed backoff and an attempt cap.
@@ -23,19 +28,6 @@ const RETRY_DELAY_MS = 25;
  * `maxStatementSize - overhead` rather than the raw statement limit.
  */
 export const STATEMENT_OVERHEAD = 32 + 32 + 8 + 64 + 32; // 168 bytes
-/**
- * Statement expiry/priority, u64 = (expiration_epoch << 32) | priority (spec layout).
- * We pin the high word to 0xFFFFFFFF (max → effectively non-expiring, matching iOS &
- * Android) and use the low word as a wall-clock-floored monotonic priority, so channel
- * supersession is driven by the priority regardless of how the store compares the field.
- * Returns a value strictly greater than `current` (i.e. `max(current + 1, now-priority)`).
- */
-const NEVER_EXPIRE_HIGH = 0xffffffffn;
-export function nextExpiry(current) {
-    const nowSecs = BigInt(Math.floor(Date.now() / 1000));
-    const timestampPriority = (NEVER_EXPIRE_HIGH << 32n) | nowSecs;
-    return timestampPriority > current ? timestampPriority : current + 1n;
-}
 // Encode/decode a StatementData envelope, surfacing scale-ts throws as a Result.
 const encodeStatementData = fromThrowable(StatementData.enc, toError);
 const decodeStatementData = fromThrowable(StatementData.dec, toError);
@@ -77,26 +69,17 @@ function makeDeferred() {
     promise.catch(() => undefined);
     return { resolve, reject, promise };
 }
-// Retry a submit on failure with a short backoff, up to `attemptsLeft` extra attempts.
-// A successful submit returns immediately (no delay on the happy path). `shouldRetry` is
-// re-checked before each retry: once the submission is superseded, aborted, or the session
-// is disposed it returns false, so a stale retry can never resurrect an old statement.
-function submitWithRetry(submit, attemptsLeft, shouldRetry) {
-    return submit().orElse(error => {
-        if (attemptsLeft <= 0 || !shouldRetry())
-            return errAsync(error);
-        return ResultAsync.fromSafePromise(new Promise(resolve => setTimeout(resolve, RETRY_DELAY_MS))).andThen(() => !shouldRetry() ? errAsync(error) : submitWithRetry(submit, attemptsLeft - 1, shouldRetry));
-    });
-}
-export function createSession({ localAccount, remoteAccount, statementStore, encryption, prover, sessionKey, maxRequestSize = DEFAULT_MAX_REQUEST_SIZE, }) {
+export function createSession({ localAccount, remoteAccount, statementStore, encryption, prover, sessionKey, allocator = createExpiryAllocator(), maxRequestSize = DEFAULT_MAX_REQUEST_SIZE, }) {
     const outgoingSessionId = createSessionId(sessionKey, localAccount, remoteAccount);
     const incomingSessionId = createSessionId(sessionKey, remoteAccount, localAccount);
+    // Session-constant channel hashes — derived once so retries don't re-hash them per attempt.
+    const requestChannel = createRequestChannel(outgoingSessionId);
+    const responseChannel = createResponseChannel(outgoingSessionId);
     // Message bytes must fit within the statement limit minus the fixed wire overhead.
     const maxPayloadSize = Math.max(0, maxRequestSize - STATEMENT_OVERHEAD);
     const state = {
         phase: 'initialization',
         initError: null,
-        expiry: 0n,
         outgoingRequest: null,
         incomingRequests: new Map(),
         messageQueue: [],
@@ -115,28 +98,13 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
     // Id of the most recent response we initiated (responses share one channel, so only the
     // latest is live — a retry for an older one must not resurrect it).
     let lastResponseRequestId = null;
-    // Submit on `channel`/`topicSessionId` at the next (strictly increasing) expiry.
+    // Encrypt, then submit on `channel`/`topicSessionId` at the allocator's next (strictly
+    // increasing) expiry. On a priority rejection submitStatementOnce resyncs the allocator to the
+    // chain-reported minimum before propagating, so the retry — and every later submit — clears it.
     function submitStatementData(channel, topicSessionId, data) {
-        state.expiry = nextExpiry(state.expiry);
-        const expiry = state.expiry;
         return encryption
             .encrypt(data)
-            .map(encrypted => ({
-            expiry,
-            channel: toHex(channel),
-            topics: [toHex(topicSessionId)],
-            data: encrypted,
-        }))
-            .asyncAndThen(prover.generateMessageProof)
-            .andThen(statementStore.submitStatement)
-            .orElse(error => {
-            // The chain is the source of truth for a channel's priority. If our in-memory counter
-            // drifted behind it (a prior run, another writer, or propagation lag), resync to the
-            // reported minimum so the retry — and every later submit — clears it.
-            if (error instanceof ExpiryTooLowError && error.min > state.expiry)
-                state.expiry = error.min;
-            return errAsync(error);
-        });
+            .asyncAndThen(encrypted => submitStatementOnce({ statementStore, prover, allocator, channel, topics: [topicSessionId], data: encrypted }));
     }
     // Settle and remove the pending-delivery entries for the given tokens.
     function settleTokens(tokens, settle) {
@@ -148,26 +116,39 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
             }
         }
     }
+    // Session retry policy (this and every submitWithRetry call below): priority errors
+    // (ExpiryTooLow / AccountFull) are retried with `priorityAttempts: 'unbounded'` — they never
+    // consume the transient-failure budget, because submitStatementData has already resynced the
+    // allocator above the chain-reported minimum, so the next attempt submits higher. We keep at it
+    // until the statement lands or the submission is superseded; once superseded, a priority
+    // rejection is swallowed as success (it merely lost the channel race to a newer, higher-priority
+    // statement). The upshot: priority errors never surface to session callers. Other errors keep
+    // the bounded retry and propagate when exhausted. `shouldRetry` is re-checked before each retry:
+    // once the submission is superseded, aborted, or the session is disposed it returns false, so a
+    // stale retry can never resurrect an old statement.
     function encodeAndSubmitRequest(requestId, messages) {
         encodeStatementData({ tag: 'request', value: { requestId, data: messages } })
-            .asyncAndThen(data => submitWithRetry(() => submitStatementData(createRequestChannel(outgoingSessionId), outgoingSessionId, data), MAX_SUBMIT_RETRIES, 
-        // Only keep retrying while this is still the live submission (not superseded by a
-        // newer retransmit, aborted via clearOutgoingStatement, or disposed).
-        () => !disposed && state.outgoingRequest?.requestIds.at(-1) === requestId))
+            .asyncAndThen(data => submitWithRetry(() => submitStatementData(requestChannel, outgoingSessionId, data), {
+            attempts: MAX_SUBMIT_RETRIES,
+            priorityAttempts: 'unbounded',
+            delaysMs: RETRY_DELAY_MS,
+            // Only keep retrying while this is still the live submission (not superseded by a
+            // newer retransmit, aborted via clearOutgoingStatement, or disposed).
+            shouldRetry: () => !disposed && state.outgoingRequest?.requestIds.at(-1) === requestId,
+        }))
             .mapErr(e => {
-            if (disposed)
+            // Priority errors never reach here (see the policy note above), so this is a genuine
+            // failure. If this submission was already superseded by a newer retransmit (same tokens)
+            // it is not the live request's concern — drop it silently; the newer one carries the
+            // waiters. Otherwise the bounded retries are exhausted on the LIVE submission: the
+            // request never landed, so fail its waiters rather than let them hang.
+            const outgoing = state.outgoingRequest;
+            if (disposed || !outgoing || outgoing.requestIds.at(-1) !== requestId)
                 return;
             console.error('submitRequest failed:', e);
-            // Retries are exhausted. If this is still the live submission (not already
-            // superseded by a newer retransmit), the request never landed — fail its
-            // waiters rather than let them hang. A superseded older submission failing
-            // is expected and must NOT reject, since the newer one carries the same tokens.
-            const outgoing = state.outgoingRequest;
-            if (outgoing && outgoing.requestIds[outgoing.requestIds.length - 1] === requestId) {
-                settleTokens(outgoing.tokens, deferred => deferred.reject(e));
-                state.outgoingRequest = null;
-                processMessageQueue();
-            }
+            settleTokens(outgoing.tokens, deferred => deferred.reject(e));
+            state.outgoingRequest = null;
+            processMessageQueue();
         });
     }
     function deliverStatementData(statementData) {
@@ -365,20 +346,20 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
             if (s.expiry !== undefined && s.expiry > maxExpiry)
                 maxExpiry = s.expiry;
         }
-        // Never regress the counter. The query is a snapshot taken when init() began; a statement
-        // submitted while init was in flight (e.g. an auto-ACK for a peer request that arrived during
-        // the query) has already advanced both state.expiry and the on-chain channel past that
-        // snapshot. Overwriting unconditionally would drop the counter below the on-chain priority,
-        // making the next submit collide at an equal expiry.
-        const seeded = nextExpiry(maxExpiry);
-        if (seeded > state.expiry)
-            state.expiry = seeded;
+        // Adopt the snapshot's maximum as the allocator floor. raiseFloor is monotonic — the floor
+        // never regresses — so a statement submitted while init was in flight (e.g. an auto-ACK for a
+        // peer request that arrived during the query) keeps the counter ahead of this snapshot, the
+        // same guarantee the old conditional seeding gave. The next submit then draws strictly above
+        // the seen on-chain maximum and at least the wall-clock priority, so it cannot collide at an equal expiry.
+        allocator.raiseFloor(maxExpiry);
         for (const s of [...ownStatements, ...peerStatements]) {
             if (s.data)
                 state.seenStatements.add(toHex(s.data));
         }
         const decodeAll = (statements) => Promise.all(statements.map(s => tryDecodeStatement(s).unwrapOr({ kind: 'undecodable', requestId: null }))).then(outcomes => outcomes.map(o => (o.kind === 'decoded' ? o.data : null)).filter(nonNullable));
         const [ownDecoded, peerDecoded] = await Promise.all([decodeAll(ownStatements), decodeAll(peerStatements)]);
+        if (disposed)
+            return;
         // Both parties publish on their own outgoing topic, so the OUTGOING query returns our
         // requests + OUR responses, and the INCOMING query returns the peer's requests + the
         // PEER's responses. Hence: our request is answered by a PEER response (incoming), and we
@@ -421,6 +402,8 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
                 .andThen(({ requestId }) => session.waitForResponseMessage(requestId).andThen(({ responseCode }) => mapResponseCode(responseCode)));
         },
         submitRequestMessage(codec, message) {
+            if (disposed)
+                return errAsync(new Error(SESSION_DISPOSED));
             const encode = fromThrowable(codec.enc, toError);
             const encodedResult = encode(message);
             if (encodedResult.isErr())
@@ -448,6 +431,8 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
             return okAsync({ requestId: token });
         },
         submitResponseMessage(requestId, responseCode) {
+            if (disposed)
+                return errAsync(new Error(SESSION_DISPOSED));
             const incoming = state.incomingRequests.get(requestId);
             if (!incoming)
                 return errAsync(new Error(`No incoming request with id ${requestId}`));
@@ -465,15 +450,29 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
             lastResponseRequestId = requestId;
             // Responses go on OUR outgoing topic/response-channel (per spec: the responder
             // publishes on SessionId(self, peer)); the requester reads them from its incoming topic.
-            return (submitWithRetry(() => submitStatementData(createResponseChannel(outgoingSessionId), outgoingSessionId, encoded.value), MAX_SUBMIT_RETRIES, 
-            // Stop retrying once a newer response supersedes this one (shared response channel) or disposed.
-            () => !disposed && lastResponseRequestId === requestId)
-                // Answered: it no longer needs replaying to future subscribers.
-                .andTee(() => pruneBufferedRequest(requestId))
+            return (submitWithRetry(() => submitStatementData(responseChannel, outgoingSessionId, encoded.value), {
+                attempts: MAX_SUBMIT_RETRIES,
+                priorityAttempts: 'unbounded',
+                delaysMs: RETRY_DELAY_MS,
+                // Stop retrying once a newer response supersedes this one (shared response channel) or disposed.
+                shouldRetry: () => !disposed && lastResponseRequestId === requestId,
+            })
                 .orElse(error => {
+                // Priority errors never reach here (see the policy note above), so this is a genuine
+                // failure. If this is no longer the latest response (superseded) or the session is
+                // disposed, keep the request marked answered — re-answering would only clobber the
+                // newer response — and absorb the error. NOTE: the shared response channel still only
+                // exposes the latest response to the peer, so reliably ACKing several outstanding
+                // requests needs the protocol-level fix tracked separately.
+                if (disposed || lastResponseRequestId !== requestId)
+                    return okAsync(undefined);
+                // The live response genuinely failed after exhausting retries — roll back so a later
+                // peer retransmit can still be answered, and surface the error.
                 incoming.responded = false;
                 return errAsync(error);
-            }));
+            })
+                // Answered (or absorbed as such): it no longer needs replaying to future subscribers.
+                .andTee(() => pruneBufferedRequest(requestId)));
         },
         waitForRequestMessage(codec, filter) {
             const promise = new Promise((resolve, reject) => {
@@ -573,9 +572,12 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
                 return errAsync(encoded.error);
             // Supersede the live batch with an empty one. Use submitStatementData so the
             // empty statement goes out at a STRICTLY higher expiry — the store rejects an
-            // equal-or-lower expiry on the same channel, so reusing state.expiry would
-            // leave the original request live on-chain.
-            return submitStatementData(createRequestChannel(outgoingSessionId), outgoingSessionId, encoded.value);
+            // equal-or-lower expiry on the same channel, so reusing the last allocated expiry
+            // would leave the original request live on-chain. One shot, no retry (clearing is a
+            // supersede, not a request that must land); a priority rejection (ExpiryTooLow /
+            // AccountFull) means the channel already advanced past us, so the clear already
+            // happened → absorb it as success.
+            return submitStatementData(requestChannel, outgoingSessionId, encoded.value).orElse(error => isPriorityTooLow(error) ? okAsync(undefined) : errAsync(error));
         },
         dispose() {
             disposed = true;
@@ -592,9 +594,9 @@ export function createSession({ localAccount, remoteAccount, statementStore, enc
             // Settle any waitForRequestMessage() promises so callers unwind instead of
             // hanging forever. Snapshot first — rejecting mutates the set.
             for (const rejectWaiter of [...requestWaiters])
-                rejectWaiter(new Error('Session disposed'));
+                rejectWaiter(new Error(SESSION_DISPOSED));
             requestWaiters.clear();
-            rejectAllPending(new Error('Session disposed'));
+            rejectAllPending(new Error(SESSION_DISPOSED));
         },
     };
     void init();

package/dist/session/session.spec.js

@@ -1,13 +1,13 @@
 import { createExpiryFromDuration } from '@novasamatech/sdk-statement';
-import { ResultAsync, errAsync, ok, okAsync } from 'neverthrow';
+import { ResultAsync, err, errAsync, ok, okAsync } from 'neverthrow';
 import { Bytes, Struct, str } from 'scale-ts';
 import { describe, expect, it, vi } from 'vitest';
 import { createInMemoryStatementStore } from '../adapter/inMemory.js';
-import { ExpiryTooLowError } from '../adapter/types.js';
+import { AccountFullError, ExpiryTooLowError } from '../adapter/types.js';
 import { createAccountId, createLocalSessionAccount, createRemoteSessionAccount } from '../model/sessionAccount.js';
 import { DecodingError, UnknownError } from './error.js';
 import { StatementData } from './scale/statementData.js';
-import { STATEMENT_OVERHEAD, createSession, nextExpiry } from './session.js';
+import { STATEMENT_OVERHEAD, createSession } from './session.js';
 // Real signature work belongs in statementProver tests; this stub stamps a
 // non-empty proof so submitted statements are well-formed.
 const mockProver = {
@@ -91,6 +91,20 @@ function lastSubmittedRequestId(adapter) {
     const decoded = StatementData.dec(lastSubmitted(adapter).data);
     return decoded.tag === 'request' ? decoded.value.requestId : '';
 }
+// A submitStatement mock that defers every submission instead of resolving: each call records a
+// `{ requestId, settle }` entry in `pendings`, letting a test land or reject submissions in a chosen
+// order (used to drive shared-channel supersession races). Works for request and response payloads.
+function deferredSubmit() {
+    const pendings = [];
+    const submitStatement = vi.fn((stmt) => {
+        const decoded = StatementData.dec(stmt.data);
+        const requestId = decoded.tag === 'request' || decoded.tag === 'response' ? decoded.value.requestId : '';
+        return ResultAsync.fromPromise(new Promise((resolve, reject) => {
+            pendings.push({ requestId, settle: r => (r.isOk() ? resolve() : reject(r.error)) });
+        }), e => e);
+    });
+    return { submitStatement, pendings };
+}
 // Encoded size of the request payload (the statement `data` field) for these messages —
 // what the session sizes batches against. Includes the requestId (a fixed-length nanoid)
 // and the SCALE vector framing, so it is larger than the raw message bytes alone.
@@ -139,30 +153,6 @@ function makeMobile(adapter) {
 }
 describe('session', () => {
     const rawCodec = Bytes();
-    // Statement expiry/priority: u64 = (expiration_epoch << 32) | priority. The high word is pinned
-    // to 0xFFFFFFFF (non-expiring) and the low word is a wall-clock-floored monotonic priority that
-    // drives channel supersession. (Spec §1; matches iOS/Android.)
-    describe('expiry priority', () => {
-        it('encodes a non-expiring statement (high word pinned to 0xFFFFFFFF)', () => {
-            expect(nextExpiry(0n) >> 32n).toBe(0xffffffffn);
-        });
-        it('carries a wall-clock priority in the low word', () => {
-            const result = nextExpiry(0n);
-            expect(result & 0xffffffffn).toBeGreaterThan(0n);
-        });
-        it('increments by one when the current value already exceeds the wall-clock priority', () => {
-            const high = (0xffffffffn << 32n) | 0xffffffffn; // max u64
-            expect(nextExpiry(high)).toBe(high + 1n);
-        });
-        it('is strictly monotonic across repeated calls', () => {
-            let expiry = 0n;
-            for (let i = 0; i < 5; i++) {
-                const next = nextExpiry(expiry);
-                expect(next).toBeGreaterThan(expiry);
-                expiry = next;
-            }
-        });
-    });
     // On creation a session queries both of its topics, derives the starting expiry, and buffers
     // anything it finds until it goes active. (Spec §5 initialization.)
     describe('initialization', () => {
@@ -757,6 +747,43 @@ describe('session', () => {
             expect(second.isOk()).toBe(true);
             expect(adapter.submitStatement.mock.calls.length).toBeGreaterThan(submitsBefore);
         }, 3000);
+        it.each([
+            ['ExpiryTooLow', ExpiryTooLowError],
+            ['AccountFull', AccountFullError],
+        ])('absorbs a superseded response rejected as %s and keeps the request answered', async (_name, PriorityError) => {
+            // Two incoming requests are answered on the SHARED response channel. The response to A is in
+            // flight when the response to B takes over the channel; A then lands at a now-lower expiry and
+            // the store rejects it with a priority error. That supersession is expected: B's response owns
+            // the channel, so A's rejection must be absorbed (not surfaced) and A must stay marked
+            // answered — re-answering would only clobber B. (Returning ok here is also what stops
+            // respondToRequests from logging it as a failed response.)
+            const reqA = makeStatement({ tag: 'request', value: { requestId: 'A', data: [] } });
+            const { subscribeStatements, callbacks } = capturingSubscribe();
+            const { submitStatement, pendings } = deferredSubmit();
+            const { session, adapter } = makeSession({ peer: [reqA], subscribeStatements, submitStatement });
+            await delay();
+            session.subscribe(rawCodec, vi.fn()); // activate the store subscription
+            const reqB = makeStatement({ tag: 'request', value: { requestId: 'B', data: [] } });
+            callbacks[0]({ statements: [reqB], isComplete: true });
+            await delay();
+            const resAPromise = session.submitResponseMessage('A', 'success'); // in flight on the shared channel
+            const resBPromise = session.submitResponseMessage('B', 'success'); // supersedes A
+            await delay(); // both reach submitStatement
+            expect(pendings).toHaveLength(2);
+            pendings.find(p => p.requestId === 'B').settle(ok(undefined)); // B lands, owns the channel
+            pendings.find(p => p.requestId === 'A').settle(err(new PriorityError(0n, 0n))); // A lands late, rejected
+            const resA = await resAPromise;
+            const resB = await resBPromise;
+            expect(resB.isOk()).toBe(true);
+            expect(resA.isOk()).toBe(true); // superseded rejection absorbed, not surfaced as an error
+            // A stays answered: re-answering it must NOT submit again (which would clobber B's response).
+            const submitsBefore = adapter.submitStatement.mock.calls.length;
+            const reAnswer = await session.submitResponseMessage('A', 'success');
+            await delay();
+            expect(reAnswer.isOk()).toBe(true);
+            expect(adapter.submitStatement.mock.calls.length).toBe(submitsBefore); // deduped → no resubmit
+            session.dispose();
+        }, 3000);
     });
     // clearOutgoingStatement aborts the in-flight request: it drops local state, rejects waiters, and
     // supersedes the on-chain request with an empty batch at a strictly higher expiry.
@@ -769,6 +796,22 @@ describe('session', () => {
             expect(result.isOk()).toBe(true);
             expect(adapter.submitStatement.mock.calls.length).toBe(before);
         });
+        it('absorbs an ExpiryTooLow on the superseding empty batch as success', async () => {
+            // clearOutgoingStatement runs a single direct submit (no submitWithRetry). If the empty batch
+            // is rejected ExpiryTooLow, the channel already advanced past us — the request is already gone
+            // — so the clear has effectively happened. The caller must see success, not the sync artifact.
+            let calls = 0;
+            const submitStatement = vi.fn((stmt) => ++calls === 1
+                ? okAsync(undefined) // the request itself lands
+                : errAsync(new ExpiryTooLowError(stmt.expiry ?? 0n, (0xffffffffn << 32n) | 9000000000n)));
+            const { session } = makeSession({ submitStatement });
+            await delay();
+            void session.submitRequestMessage(rawCodec, new Uint8Array([1]));
+            await delay();
+            const cleared = await session.clearOutgoingStatement();
+            expect(cleared.isOk()).toBe(true); // ExpiryTooLow suppressed
+            session.dispose();
+        }, 3000);
         it('submits an empty batch on the same channel at a higher expiry and clears local state', async () => {
             const { session, adapter } = makeSession();
             await delay();
@@ -910,14 +953,18 @@ describe('session', () => {
             expect(adapter.submitStatement.mock.calls.length).toBeGreaterThanOrEqual(2); // 1 failure + ≥1 retry
             session.dispose();
         }, 3000);
-        it('resyncs its expiry above the chain minimum after an ExpiryTooLow rejection', async () => {
-            // The in-memory expiry counter has drifted behind the channel's real priority (prior run /
-            // other writer / propagation lag). The chain reports the minimum; the retry must clear it.
+        it.each([
+            ['ExpiryTooLow', ExpiryTooLowError],
+            ['AccountFull', AccountFullError],
+        ])('resyncs its expiry above the chain minimum after an %s rejection', async (_name, PriorityError) => {
+            // The in-memory expiry counter has drifted behind the chain's real priority floor (prior run /
+            // other writer / propagation lag / account full of higher-priority statements). The chain
+            // reports the minimum; the retry must clear it.
             const CHAIN_MIN = (0xffffffffn << 32n) | 4000000000n; // well above the wall-clock priority
             let calls = 0;
             const submitStatement = vi.fn((stmt) => {
                 calls++;
-                return calls === 1 ? errAsync(new ExpiryTooLowError(stmt.expiry ?? 0n, CHAIN_MIN)) : okAsync(undefined);
+                return calls === 1 ? errAsync(new PriorityError(stmt.expiry ?? 0n, CHAIN_MIN)) : okAsync(undefined);
             });
             const { session, adapter } = makeSession({ submitStatement });
             await delay();
@@ -928,6 +975,34 @@ describe('session', () => {
             expect(retried.expiry ?? 0n).toBeGreaterThan(CHAIN_MIN); // healed past the chain minimum
             session.dispose();
         }, 3000);
+        it.each([
+            ['ExpiryTooLow', ExpiryTooLowError],
+            ['AccountFull', AccountFullError],
+        ])('keeps retrying a live %s past the transient-retry cap until it lands', async (_name, PriorityError) => {
+            // Priority errors are sync artifacts, not chain failures: while the submission is still live
+            // the session keeps retrying (resyncing each time) BEYOND MAX_SUBMIT_RETRIES until it lands,
+            // and never surfaces the error to the caller. (A non-priority error gives up at the cap —
+            // see the test below.)
+            const CHAIN_MIN = (0xffffffffn << 32n) | 4000000000n;
+            let calls = 0;
+            const submitStatement = vi.fn((stmt) => ++calls <= 6 ? errAsync(new PriorityError(stmt.expiry ?? 0n, CHAIN_MIN)) : okAsync(undefined));
+            const { session } = makeSession({ submitStatement });
+            await delay();
+            const errorSpy = vi.spyOn(console, 'error').mockImplementation(() => undefined);
+            try {
+                const submit = await session.submitRequestMessage(rawCodec, new Uint8Array([1]));
+                let waiterRejected = false;
+                void session.waitForResponseMessage(submit._unsafeUnwrap().requestId).mapErr(() => (waiterRejected = true));
+                await new Promise(resolve => setTimeout(resolve, 300)); // 6 retries × 25ms backoff + slack
+                expect(calls).toBeGreaterThanOrEqual(7); // retried well past the 3-attempt cap, then landed
+                expect(errorSpy).not.toHaveBeenCalledWith('submitRequest failed:', expect.anything());
+                expect(waiterRejected).toBe(false); // the priority error never surfaced to the caller
+            }
+            finally {
+                errorSpy.mockRestore();
+                session.dispose();
+            }
+        }, 3000);
         it('rejects the pending waiter once request-submission retries are exhausted', async () => {
             const { session } = makeSession({
                 submitStatement: vi.fn().mockReturnValue(errAsync(new Error('store rejected'))),
@@ -938,6 +1013,40 @@ describe('session', () => {
             const waited = await session.waitForResponseMessage(requestId);
             expect(waited.isErr()).toBe(true);
         }, 2000);
+        it('absorbs a superseded older submission rejected as ExpiryTooLow without surfacing an error', async () => {
+            // Two messages batch onto one outgoing request: the first submission (requestId A) is in
+            // flight when the second (requestId B, higher expiry, SAME tokens) is sent. B lands first and
+            // sets the channel priority; A then lands at a now-lower expiry and the store rejects it with
+            // ExpiryTooLow. A is superseded, so its rejection is expected protocol behaviour — it must not
+            // be logged as an error and must not reject the shared waiters (B carries them).
+            const { submitStatement, pendings } = deferredSubmit();
+            const { session, adapter } = makeSession({ submitStatement });
+            await delay();
+            const errorSpy = vi.spyOn(console, 'error').mockImplementation(() => undefined);
+            try {
+                const first = (await session.submitRequestMessage(rawCodec, new Uint8Array([1])))._unsafeUnwrap();
+                void session.submitRequestMessage(rawCodec, new Uint8Array([2])); // batches onto the same outgoing request
+                await delay(); // let both submissions reach submitStatement
+                expect(pendings).toHaveLength(2);
+                const liveRequestId = lastSubmittedRequestId(adapter); // the newer (B) submission
+                const live = pendings.find(p => p.requestId === liveRequestId);
+                const superseded = pendings.find(p => p.requestId !== liveRequestId);
+                let firstWaiterRejected = false;
+                void session.waitForResponseMessage(first.requestId).mapErr(() => {
+                    firstWaiterRejected = true;
+                });
+                live.settle(ok(undefined)); // B lands, claims the channel priority
+                await delay();
+                superseded.settle(err(new ExpiryTooLowError(0n, 0n))); // A lands late and is rejected
+                await delay();
+                expect(errorSpy).not.toHaveBeenCalledWith('submitRequest failed:', expect.anything());
+                expect(firstWaiterRejected).toBe(false); // superseded failure must not reject the shared waiter
+            }
+            finally {
+                errorSpy.mockRestore();
+                session.dispose();
+            }
+        }, 3000);
     });
     describe('dispose', () => {
         it('rejects pending waitForRequestMessage waiters', async () => {
@@ -957,6 +1066,37 @@ describe('session', () => {
             await new Promise(resolve => setTimeout(resolve, 100)); // retry window elapses
             expect(queryStatements.mock.calls.length).toBe(callsBeforeDispose); // disposed → no further init queries
         }, 3000);
+        it('rejects submitRequestMessage after dispose instead of hanging', async () => {
+            const { session, adapter } = makeSession();
+            await delay();
+            session.dispose();
+            const result = await session.submitRequestMessage(rawCodec, new Uint8Array([1]));
+            expect(result.isErr()).toBe(true); // surfaced immediately, not a token left pending forever
+            expect(adapter.submitStatement).not.toHaveBeenCalled();
+        });
+        it('rejects submitResponseMessage after dispose', async () => {
+            const { session } = makeSession();
+            await delay();
+            session.dispose();
+            const result = await session.submitResponseMessage('any-id', 'success');
+            expect(result.isErr()).toBe(true);
+        });
+        it('does not re-activate when disposed while init is in flight', async () => {
+            // dispose() lands during init's query await; init must bail before restoring state / flipping
+            // phase to 'active', otherwise a torn-down session looks alive and accepts new work.
+            let resolveQueries;
+            const gate = new Promise(resolve => (resolveQueries = resolve));
+            const queryStatements = vi.fn(() => ResultAsync.fromSafePromise(gate));
+            const { session, adapter } = makeSession({ queryStatements });
+            const queued = await session.submitRequestMessage(rawCodec, new Uint8Array([1])); // queued during init
+            expect(queued.isOk()).toBe(true);
+            session.dispose(); // dispose mid-init
+            resolveQueries([]); // init resumes — must bail before draining the queue / activating
+            await settle();
+            expect(adapter.submitStatement).not.toHaveBeenCalled(); // no resurrection-driven submit
+            const after = await session.submitRequestMessage(rawCodec, new Uint8Array([2]));
+            expect(after.isErr()).toBe(true); // session stays disposed
+        }, 3000);
     });
     // The in-memory adapter replicates the store's observable contract; `fidelity` pins the double's
     // behaviour, then end-to-end flows run two mirrored sessions (host + mobile) over ONE shared store.

package/dist/session/statementProver.js

@@ -1,7 +1,7 @@
+import { fromHex } from '@novasamatech/scale';
 import { getStatementSigner, statementCodec } from '@novasamatech/sdk-statement';
-import { compact } from '@polkadot-api/substrate-bindings';
 import { errAsync, fromPromise, fromThrowable, okAsync } from 'neverthrow';
-import { fromHex } from 'polkadot-api/utils';
+import { compact } from 'scale-ts';
 import { deriveSlotAccountPublicKey, deriveSr25519PublicKey, signSlotAccountSecret, signWithSr25519Secret, verifySlotAccountSignature, verifySr25519Signature, } from '../crypto.js';
 import { toError } from '../helpers.js';
 function createSr25519SchemeProver(secret, scheme) {

package/dist/submit/allocator.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Priority epoch base: seconds at 2025-11-15T00:00:00Z. The low word is a u32 priority counted FROM
+ * this epoch (spec §1), not the raw Unix timestamp. iOS (StatementPriorityFactory.unixOffset) and
+ * Android subtract the same offset; omitting it makes the TS low word ~1.76e9 larger than every
+ * mobile client's, so any cross-client or shared-channel priority comparison would always rank a
+ * TS-written statement above a mobile-written one. Keeping the base aligned removes that landmine.
+ */
+export declare const PRIORITY_EPOCH_OFFSET = 1763164800n;
+/**
+ * Strictly-increasing source of statement expiries for one signing account,
+ * with a floor that can be raised to a chain-reported minimum.
+ *
+ * Layout: u64 = (0xFFFFFFFF << 32) | priority — see the module doc above.
+ * Supersession and account-quota eviction compare the whole u64 with
+ * strictly-greater semantics, so every writer signing with the SAME account
+ * must draw from ONE allocator instance: independent counters produce
+ * same-second priority ties that the store rejects.
+ */
+export type ExpiryAllocator = {
+    /** Next expiry: wall-clock-floored priority, bumped to stay strictly increasing. */
+    next(): bigint;
+    /**
+     * Adopt a chain-reported minimum (`AccountFullError` / `ExpiryTooLowError`
+     * `.min`, or the max expiry seen in channel history) so the next `next()`
+     * clears it. The chain is the source of truth for the floor; recomputing
+     * from the wall clock can never clear a pinned-high minimum.
+     */
+    raiseFloor(min: bigint): void;
+};
+export declare function createExpiryAllocator(): ExpiryAllocator;

package/dist/submit/allocator.js

@@ -0,0 +1,35 @@
+/**
+ * Statement expiry/priority, u64 = (expiration_epoch << 32) | priority (spec layout).
+ * We pin the high word to 0xFFFFFFFF (max → effectively non-expiring, matching iOS &
+ * Android) and use the low word as a wall-clock-floored monotonic priority, so channel
+ * supersession is driven by the priority regardless of how the store compares the field.
+ */
+const NEVER_EXPIRE_HIGH = 0xffffffffn;
+/**
+ * Priority epoch base: seconds at 2025-11-15T00:00:00Z. The low word is a u32 priority counted FROM
+ * this epoch (spec §1), not the raw Unix timestamp. iOS (StatementPriorityFactory.unixOffset) and
+ * Android subtract the same offset; omitting it makes the TS low word ~1.76e9 larger than every
+ * mobile client's, so any cross-client or shared-channel priority comparison would always rank a
+ * TS-written statement above a mobile-written one. Keeping the base aligned removes that landmine.
+ */
+export const PRIORITY_EPOCH_OFFSET = 1763164800n;
+/** Returns a value strictly greater than `current` (i.e. `max(current + 1, now-priority)`). */
+function nextExpiry(current) {
+    const nowSecs = BigInt(Math.floor(Date.now() / 1000));
+    const priority = nowSecs > PRIORITY_EPOCH_OFFSET ? nowSecs - PRIORITY_EPOCH_OFFSET : 0n;
+    const timestampPriority = (NEVER_EXPIRE_HIGH << 32n) | priority;
+    return timestampPriority > current ? timestampPriority : current + 1n;
+}
+export function createExpiryAllocator() {
+    let current = 0n;
+    return {
+        next() {
+            current = nextExpiry(current);
+            return current;
+        },
+        raiseFloor(min) {
+            if (min > current)
+                current = min;
+        },
+    };
+}

package/dist/submit/allocator.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/submit/allocator.spec.js

@@ -0,0 +1,42 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { PRIORITY_EPOCH_OFFSET, createExpiryAllocator } from './allocator.js';
+const NOW_SECS = 1_790_000_000; // 2026-09-22, safely past the 2025-11-15 priority epoch
+describe('createExpiryAllocator', () => {
+    beforeEach(() => {
+        vi.useFakeTimers();
+        vi.setSystemTime(NOW_SECS * 1000);
+    });
+    afterEach(() => {
+        vi.useRealTimers();
+    });
+    it('pins the high 32 bits to 0xFFFFFFFF and counts the low word from the priority epoch', () => {
+        const allocator = createExpiryAllocator();
+        const expiry = allocator.next();
+        expect(expiry >> 32n).toBe(0xffffffffn);
+        expect(expiry & 0xffffffffn).toBe(BigInt(NOW_SECS) - PRIORITY_EPOCH_OFFSET);
+    });
+    it('is strictly monotonic within the same second', () => {
+        const allocator = createExpiryAllocator();
+        const first = allocator.next();
+        const second = allocator.next();
+        expect(second).toBe(first + 1n);
+    });
+    it('jumps above a raised floor so the next submit clears the chain minimum', () => {
+        const allocator = createExpiryAllocator();
+        const chainMin = (0xffffffffn << 32n) | 4000000000n; // a poisoned account's minimum
+        allocator.raiseFloor(chainMin);
+        expect(allocator.next()).toBeGreaterThan(chainMin);
+    });
+    it('ignores a floor below the current value', () => {
+        const allocator = createExpiryAllocator();
+        const before = allocator.next();
+        allocator.raiseFloor(0n);
+        expect(allocator.next()).toBeGreaterThan(before);
+    });
+    it('keeps independent instances independent', () => {
+        const a = createExpiryAllocator();
+        const b = createExpiryAllocator();
+        a.raiseFloor((0xffffffffn << 32n) | 4000000000n);
+        expect(b.next() & 0xffffffffn).toBe(BigInt(NOW_SECS) - PRIORITY_EPOCH_OFFSET);
+    });
+});

package/dist/submit/retry.d.ts

@@ -0,0 +1,32 @@
+import { ResultAsync } from 'neverthrow';
+import { AccountFullError, ExpiryTooLowError } from '../adapter/types.js';
+/**
+ * AccountFull / ExpiryTooLow are priority errors: never a chain/statement
+ * failure, only a sign the submitter's expiry lagged the chain's priority
+ * floor (channel supersession for ExpiryTooLow, account-quota eviction for
+ * AccountFull — both report the minimum to clear).
+ */
+export declare function isPriorityTooLow(error: unknown): error is ExpiryTooLowError | AccountFullError;
+export type SubmitRetryOptions = {
+    /** Retry budget for non-priority (transient infra) errors. 0 = propagate immediately. */
+    attempts: number;
+    /**
+     * Retry budget for priority errors. A number gives bounded retries then
+     * propagation (for callers with their own outer retry/outbox). 'unbounded'
+     * retries while `shouldRetry()` holds and, once it no longer does, settles a
+     * priority rejection as success — the submission lost the channel race to a
+     * newer statement, which is benign (session semantics).
+     */
+    priorityAttempts: number | 'unbounded';
+    /** Backoff before each retry: a constant, or a per-retry schedule (last entry repeats). */
+    delaysMs: number | number[];
+    /** Liveness gate, re-checked before every retry. Default: always live. */
+    shouldRetry?: () => boolean;
+    /** Observe each scheduled retry (logging hook). `attempt` is 0-based. */
+    onRetry?: (info: {
+        attempt: number;
+        delayMs: number;
+        error: Error;
+    }) => void;
+};
+export declare function submitWithRetry(submit: () => ResultAsync<void, Error>, options: SubmitRetryOptions): ResultAsync<void, Error>;

package/dist/submit/retry.js

@@ -0,0 +1,52 @@
+import { ResultAsync, err, ok } from 'neverthrow';
+import { AccountFullError, ExpiryTooLowError } from '../adapter/types.js';
+/**
+ * AccountFull / ExpiryTooLow are priority errors: never a chain/statement
+ * failure, only a sign the submitter's expiry lagged the chain's priority
+ * floor (channel supersession for ExpiryTooLow, account-quota eviction for
+ * AccountFull — both report the minimum to clear).
+ */
+export function isPriorityTooLow(error) {
+    return error instanceof ExpiryTooLowError || error instanceof AccountFullError;
+}
+function delayFor(delaysMs, attempt) {
+    if (typeof delaysMs === 'number')
+        return delaysMs;
+    return delaysMs[Math.min(attempt, delaysMs.length - 1)] ?? 0;
+}
+export function submitWithRetry(submit, options) {
+    const { attempts, priorityAttempts, delaysMs, shouldRetry = () => true, onRetry } = options;
+    // How to settle once we stop retrying: under the 'unbounded' policy a
+    // no-longer-live submission rejected with a priority error simply lost the
+    // channel race to a newer, higher-priority statement — benign, so report success.
+    const settle = (error) => priorityAttempts === 'unbounded' && !shouldRetry() && isPriorityTooLow(error) ? ok() : err(error);
+    // Iterative on purpose: a recursive ResultAsync chain holds one pending wrapper
+    // promise per attempt, which grows without bound under 'unbounded' retries.
+    const run = async () => {
+        let attemptsLeft = attempts;
+        let priorityLeft = priorityAttempts;
+        for (let attempt = 0;; attempt++) {
+            const result = await submit();
+            if (result.isOk())
+                return result;
+            const error = result.error;
+            const priority = isPriorityTooLow(error);
+            const budgetLeft = priority ? priorityLeft : attemptsLeft;
+            if (!shouldRetry() || (typeof budgetLeft === 'number' && budgetLeft <= 0))
+                return settle(error);
+            const delayMs = delayFor(delaysMs, attempt);
+            onRetry?.({ attempt, delayMs, error });
+            if (priority) {
+                if (priorityLeft !== 'unbounded')
+                    priorityLeft -= 1;
+            }
+            else {
+                attemptsLeft -= 1;
+            }
+            await new Promise(resolve => setTimeout(resolve, delayMs));
+            if (!shouldRetry())
+                return settle(error);
+        }
+    };
+    return new ResultAsync(run());
+}

package/dist/submit/retry.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/submit/retry.spec.js

@@ -0,0 +1,105 @@
+import { errAsync, okAsync } from 'neverthrow';
+import { describe, expect, it, vi } from 'vitest';
+import { AccountFullError, ExpiryTooLowError } from '../adapter/types.js';
+import { isPriorityTooLow, submitWithRetry } from './retry.js';
+const FAST = { delaysMs: 1 }; // keep wall-clock time negligible
+describe('isPriorityTooLow', () => {
+    it('matches exactly the two priority error classes', () => {
+        expect(isPriorityTooLow(new AccountFullError(0n, 1n))).toBe(true);
+        expect(isPriorityTooLow(new ExpiryTooLowError(0n, 1n))).toBe(true);
+        expect(isPriorityTooLow(new Error('store rejected'))).toBe(false);
+    });
+});
+describe('submitWithRetry', () => {
+    it("priorityAttempts 'unbounded': priority errors retry past the non-priority budget until they land", async () => {
+        let calls = 0;
+        const submit = vi.fn(() => ++calls <= 6 ? errAsync(new AccountFullError(0n, 1n)) : okAsync(undefined));
+        const result = await submitWithRetry(submit, { ...FAST, attempts: 3, priorityAttempts: 'unbounded' });
+        expect(result.isOk()).toBe(true);
+        expect(calls).toBe(7);
+    });
+    it("priorityAttempts 'unbounded': a no-longer-live priority rejection settles as success", async () => {
+        const submit = vi.fn(() => errAsync(new ExpiryTooLowError(0n, 1n)));
+        const result = await submitWithRetry(submit, {
+            ...FAST,
+            attempts: 3,
+            priorityAttempts: 'unbounded',
+            shouldRetry: () => false,
+        });
+        expect(result.isOk()).toBe(true); // lost the channel race — benign
+        expect(submit).toHaveBeenCalledTimes(1);
+    });
+    it('priorityAttempts budgeted: priority errors consume their budget then propagate', async () => {
+        const submit = vi.fn(() => errAsync(new AccountFullError(0n, 1n)));
+        const result = await submitWithRetry(submit, { ...FAST, attempts: 0, priorityAttempts: 3 });
+        expect(result.isErr()).toBe(true);
+        expect(result._unsafeUnwrapErr()).toBeInstanceOf(AccountFullError);
+        expect(submit).toHaveBeenCalledTimes(4); // 1 initial + 3 retries
+    });
+    it('attempts 0: a non-priority error propagates immediately', async () => {
+        const submit = vi.fn(() => errAsync(new Error('store rejected')));
+        const result = await submitWithRetry(submit, { ...FAST, attempts: 0, priorityAttempts: 3 });
+        expect(result.isErr()).toBe(true);
+        expect(submit).toHaveBeenCalledTimes(1);
+    });
+    it('non-priority errors consume the attempts budget then propagate', async () => {
+        const submit = vi.fn(() => errAsync(new Error('store rejected')));
+        const result = await submitWithRetry(submit, { ...FAST, attempts: 2, priorityAttempts: 'unbounded' });
+        expect(result.isErr()).toBe(true);
+        expect(submit).toHaveBeenCalledTimes(3); // 1 initial + 2 retries
+    });
+    it('per-attempt delay schedule is honored and reported via onRetry', async () => {
+        let calls = 0;
+        const submit = vi.fn(() => ++calls <= 2 ? errAsync(new AccountFullError(0n, 1n)) : okAsync(undefined));
+        const seen = [];
+        const result = await submitWithRetry(submit, {
+            attempts: 0,
+            priorityAttempts: 3,
+            delaysMs: [1, 2, 3],
+            onRetry: ({ attempt, delayMs }) => seen.push({ attempt, delayMs }),
+        });
+        expect(result.isOk()).toBe(true);
+        expect(seen).toEqual([
+            { attempt: 0, delayMs: 1 },
+            { attempt: 1, delayMs: 2 },
+        ]);
+    });
+    it('a negative budget propagates immediately instead of looping', async () => {
+        const submit = vi.fn(() => errAsync(new Error('store rejected')));
+        const result = await submitWithRetry(submit, { ...FAST, attempts: -1, priorityAttempts: 3 });
+        expect(result.isErr()).toBe(true);
+        expect(submit).toHaveBeenCalledTimes(1);
+    });
+    it('a shouldRetry flip during the backoff settles a priority rejection as success', async () => {
+        let live = true;
+        const submit = vi.fn(() => {
+            queueMicrotask(() => {
+                live = false; // superseded while the backoff sleep is pending
+            });
+            return errAsync(new ExpiryTooLowError(0n, 1n));
+        });
+        const result = await submitWithRetry(submit, {
+            ...FAST,
+            attempts: 0,
+            priorityAttempts: 'unbounded',
+            shouldRetry: () => live,
+        });
+        expect(result.isOk()).toBe(true); // settled after the delay, no second attempt
+        expect(submit).toHaveBeenCalledTimes(1);
+    });
+    it('shouldRetry is re-checked before each retry and stops the loop', async () => {
+        let live = true;
+        const submit = vi.fn(() => {
+            live = false; // superseded after the first attempt
+            return errAsync(new Error('store rejected'));
+        });
+        const result = await submitWithRetry(submit, {
+            ...FAST,
+            attempts: 3,
+            priorityAttempts: 'unbounded',
+            shouldRetry: () => live,
+        });
+        expect(result.isErr()).toBe(true); // non-priority + not live → propagate, no settle
+        expect(submit).toHaveBeenCalledTimes(1);
+    });
+});

package/dist/submit/submitStatement.d.ts

@@ -0,0 +1,28 @@
+import type { ResultAsync } from 'neverthrow';
+import type { StatementStoreAdapter } from '../adapter/types.js';
+import type { StatementProver } from '../session/statementProver.js';
+import type { ExpiryAllocator } from './allocator.js';
+import type { SubmitRetryOptions } from './retry.js';
+export type SubmitStatementParams = {
+    statementStore: StatementStoreAdapter;
+    prover: StatementProver;
+    /**
+     * Shared per-signing-account expiry source
+     **/
+    allocator: ExpiryAllocator;
+    channel: Uint8Array;
+    topics: Uint8Array[];
+    /**
+     * Opaque payload — encryption (if any) is the caller's concern.
+     **/
+    data: Uint8Array;
+};
+/**
+ * One submit attempt: allocate the next expiry, build and prove the
+ * statement, submit it, and on a priority rejection adopt the chain-reported
+ * minimum into the allocator so the NEXT attempt clears it.
+ */
+export declare function submitStatementOnce(params: SubmitStatementParams): ResultAsync<void, Error>;
+export declare function signAndSubmitStatement(params: SubmitStatementParams & {
+    retry: SubmitRetryOptions;
+}): ResultAsync<void, Error>;

package/dist/submit/submitStatement.js

@@ -0,0 +1,28 @@
+import { toHex } from '@novasamatech/scale';
+import { isPriorityTooLow, submitWithRetry } from './retry.js';
+/**
+ * One submit attempt: allocate the next expiry, build and prove the
+ * statement, submit it, and on a priority rejection adopt the chain-reported
+ * minimum into the allocator so the NEXT attempt clears it.
+ */
+export function submitStatementOnce(params) {
+    const { statementStore, prover, allocator, channel, topics, data } = params;
+    const unsigned = {
+        expiry: allocator.next(),
+        channel: toHex(channel),
+        topics: topics.map(toHex),
+        data,
+    };
+    return prover
+        .generateMessageProof(unsigned)
+        .andThen(statementStore.submitStatement)
+        .orTee(error => {
+        // The chain is the source of truth for the account/channel priority floor.
+        if (isPriorityTooLow(error)) {
+            allocator.raiseFloor(error.min);
+        }
+    });
+}
+export function signAndSubmitStatement(params) {
+    return submitWithRetry(() => submitStatementOnce(params), params.retry);
+}

package/dist/submit/submitStatement.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/submit/submitStatement.spec.js

@@ -0,0 +1,99 @@
+import { errAsync, okAsync } from 'neverthrow';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { AccountFullError } from '../adapter/types.js';
+import { createExpiryAllocator } from './allocator.js';
+import { signAndSubmitStatement, submitStatementOnce } from './submitStatement.js';
+const NOW_SECS = 1_790_000_000;
+// Passthrough prover: "signs" by returning the statement unchanged.
+const fakeProver = {
+    generateMessageProof: (stmt) => okAsync(stmt),
+};
+function makeStore(failFirstWithMin) {
+    const submitted = [];
+    let calls = 0;
+    const adapter = {
+        submitStatement: vi.fn((stmt) => {
+            submitted.push(stmt);
+            calls += 1;
+            return failFirstWithMin !== undefined && calls === 1
+                ? errAsync(new AccountFullError(stmt.expiry ?? 0n, failFirstWithMin))
+                : okAsync(undefined);
+        }),
+    };
+    return { adapter, submitted };
+}
+const baseParams = (adapter) => ({
+    statementStore: adapter,
+    prover: fakeProver,
+    allocator: createExpiryAllocator(),
+    channel: new Uint8Array(32),
+    topics: [new Uint8Array(32)],
+    data: new Uint8Array([1]),
+});
+describe('submitStatementOnce', () => {
+    beforeEach(() => {
+        vi.useFakeTimers();
+        vi.setSystemTime(NOW_SECS * 1000);
+    });
+    afterEach(() => {
+        vi.useRealTimers();
+    });
+    it('submits with the pinned-high expiry layout', async () => {
+        const { adapter, submitted } = makeStore();
+        const result = await submitStatementOnce(baseParams(adapter));
+        expect(result.isOk()).toBe(true);
+        expect(submitted).toHaveLength(1);
+        expect((submitted[0].expiry ?? 0n) >> 32n).toBe(0xffffffffn);
+    });
+    it('raises the allocator floor on a priority rejection so the next attempt clears the minimum', async () => {
+        const chainMin = (0xffffffffn << 32n) | 4000000000n;
+        const { adapter, submitted } = makeStore(chainMin);
+        const params = baseParams(adapter);
+        const first = await submitStatementOnce(params);
+        const second = await submitStatementOnce(params);
+        expect(first.isErr()).toBe(true);
+        expect(second.isOk()).toBe(true);
+        expect(submitted[1].expiry ?? 0n).toBeGreaterThan(chainMin); // adopted min, not wall clock
+    });
+});
+describe('signAndSubmitStatement', () => {
+    beforeEach(() => {
+        vi.useFakeTimers();
+        vi.setSystemTime(NOW_SECS * 1000);
+    });
+    afterEach(() => {
+        vi.useRealTimers();
+    });
+    it('retries a priority rejection above the chain-reported minimum within the priority budget', async () => {
+        const chainMin = (0xffffffffn << 32n) | 4000000000n;
+        const { adapter, submitted } = makeStore(chainMin);
+        const promise = signAndSubmitStatement({
+            ...baseParams(adapter),
+            retry: { attempts: 0, priorityAttempts: 3, delaysMs: [500, 1500, 3000] },
+        });
+        await vi.advanceTimersByTimeAsync(600); // cover the 500ms first backoff
+        const result = await promise;
+        expect(result.isOk()).toBe(true);
+        expect(submitted).toHaveLength(2);
+        expect(submitted[1].expiry ?? 0n).toBeGreaterThan(chainMin);
+    });
+    it('propagates after exhausting the priority budget on a persistent rejection', async () => {
+        const submitted = [];
+        const adapter = {
+            submitStatement: vi.fn((stmt) => {
+                submitted.push(stmt);
+                // Chain min keeps rising above whatever we submit — never lands.
+                return errAsync(new AccountFullError(stmt.expiry ?? 0n, (stmt.expiry ?? 0n) + 1000000n));
+            }),
+        };
+        const promise = signAndSubmitStatement({
+            ...baseParams(adapter),
+            retry: { attempts: 0, priorityAttempts: 3, delaysMs: 1 },
+        });
+        await vi.advanceTimersByTimeAsync(50);
+        const result = await promise;
+        expect(result.isErr()).toBe(true);
+        expect(result._unsafeUnwrapErr()).toBeInstanceOf(AccountFullError);
+        expect(submitted).toHaveLength(4); // 1 initial + 3 priority retries
+    });
+});

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@novasamatech/statement-store",
   "type": "module",
-  "version": "0.8.7-1",
+  "version": "0.8.7-3",
   "description": "Statement store integration",
   "license": "Apache-2.0",
   "repository": {
@@ -25,9 +25,9 @@
     "README.md"
   ],
   "dependencies": {
-    "@novasamatech/scale": "0.8.7-1",
+    "@novasamatech/scale": "0.8.7-3",
     "@novasamatech/sdk-statement": "^0.6.0",
-    "@novasamatech/substrate-slot-sr25519-wasm": "0.8.7-1",
+    "@novasamatech/substrate-slot-sr25519-wasm": "0.8.7-3",
     "@polkadot-api/substrate-bindings": "^0.20.3",
     "@polkadot-api/substrate-client": "^0.7.0",
     "@polkadot-labs/hdkd-helpers": "^0.0.30",