javascript-solid-server 0.0.100 → 0.0.102

package/test/idp.test.js

@@ -8,28 +8,42 @@ import { createServer } from '../src/server.js';
 import fs from 'fs-extra';
 import path from 'path';
 
-const TEST_PORT = 3099;
 const TEST_HOST = 'localhost';
-const BASE_URL = `http://${TEST_HOST}:${TEST_PORT}`;
-const DATA_DIR = './test-data-idp';
+import { createServer as createNetServer } from 'net';
+
+/** Get an available port by briefly binding to port 0 */
+async function getAvailablePort() {
+  return new Promise((resolve, reject) => {
+    const srv = createNetServer();
+    srv.on('error', (err) => reject(err));
+    srv.listen(0, TEST_HOST, () => {
+      const port = srv.address().port;
+      srv.close(() => resolve(port));
+    });
+  });
+}
 
 describe('Identity Provider', () => {
   let server;
+  let baseUrl;
+  const DATA_DIR = './test-data-idp';
 
   before(async () => {
-    // Clean up any existing test data
     await fs.remove(DATA_DIR);
     await fs.ensureDir(DATA_DIR);
 
-    // Create server with IdP enabled
+    const port = await getAvailablePort();
+    baseUrl = `http://${TEST_HOST}:${port}`;
+
     server = createServer({
       logger: false,
       root: DATA_DIR,
       idp: true,
-      idpIssuer: BASE_URL,
+      idpIssuer: baseUrl,
+      forceCloseConnections: true,
     });
 
-    await server.listen({ port: TEST_PORT, host: TEST_HOST });
+    await server.listen({ port, host: TEST_HOST });
   });
 
   after(async () => {
@@ -39,19 +53,19 @@ describe('Identity Provider', () => {
 
   describe('OIDC Discovery', () => {
     it('should serve /.well-known/openid-configuration', async () => {
-      const res = await fetch(`${BASE_URL}/.well-known/openid-configuration`);
+      const res = await fetch(`${baseUrl}/.well-known/openid-configuration`);
       assert.strictEqual(res.status, 200);
 
       const config = await res.json();
       // Issuer has trailing slash for CTH compatibility
-      assert.strictEqual(config.issuer, BASE_URL + '/');
+      assert.strictEqual(config.issuer, baseUrl + '/');
       assert.ok(config.authorization_endpoint);
       assert.ok(config.token_endpoint);
       assert.ok(config.jwks_uri);
     });
 
     it('should include required Solid-OIDC endpoints', async () => {
-      const res = await fetch(`${BASE_URL}/.well-known/openid-configuration`);
+      const res = await fetch(`${baseUrl}/.well-known/openid-configuration`);
       const config = await res.json();
 
       assert.ok(config.registration_endpoint, 'should have registration endpoint');
@@ -60,7 +74,7 @@ describe('Identity Provider', () => {
     });
 
     it('should serve /.well-known/jwks.json', async () => {
-      const res = await fetch(`${BASE_URL}/.well-known/jwks.json`);
+      const res = await fetch(`${baseUrl}/.well-known/jwks.json`);
       assert.strictEqual(res.status, 200);
 
       const jwks = await res.json();
@@ -73,7 +87,7 @@ describe('Identity Provider', () => {
 
   describe('Pod Creation with IdP', () => {
     it('should require email when IdP is enabled', async () => {
-      const res = await fetch(`${BASE_URL}/.pods`, {
+      const res = await fetch(`${baseUrl}/.pods`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ name: 'noemail' }),
@@ -85,7 +99,7 @@ describe('Identity Provider', () => {
     });
 
     it('should require password when IdP is enabled', async () => {
-      const res = await fetch(`${BASE_URL}/.pods`, {
+      const res = await fetch(`${baseUrl}/.pods`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ name: 'nopass', email: 'test@example.com' }),
@@ -98,7 +112,7 @@ describe('Identity Provider', () => {
 
     it('should create pod with account', async () => {
       const uniqueId = Date.now();
-      const res = await fetch(`${BASE_URL}/.pods`, {
+      const res = await fetch(`${baseUrl}/.pods`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
@@ -125,7 +139,7 @@ describe('Identity Provider', () => {
       const duplicateEmail = `duplicate${uniqueId}@example.com`;
 
       // First user
-      await fetch(`${BASE_URL}/.pods`, {
+      await fetch(`${baseUrl}/.pods`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
@@ -136,7 +150,7 @@ describe('Identity Provider', () => {
       });
 
       // Second user with same email
-      const res = await fetch(`${BASE_URL}/.pods`, {
+      const res = await fetch(`${baseUrl}/.pods`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
@@ -154,15 +168,10 @@ describe('Identity Provider', () => {
 
   describe('Login Interaction', () => {
     it('should respond to authorization endpoint', async () => {
-      // Start an authorization flow
-      // Various responses are acceptable - 302/303 (redirect), 400 (bad request), 404 (no route)
-      // This just verifies the server handles the request
-      const res = await fetch(`${BASE_URL}/idp/auth?client_id=test&redirect_uri=http://localhost&response_type=code&scope=openid`, {
+      const res = await fetch(`${baseUrl}/idp/auth?client_id=test&redirect_uri=http://localhost&response_type=code&scope=openid`, {
         redirect: 'manual',
       });
 
-      // oidc-provider mounted via middie may return different status codes
-      // The important thing is it doesn't crash and returns a valid HTTP response
       assert.ok(res.status >= 200 && res.status < 600, `got valid HTTP status ${res.status}`);
     });
   });
@@ -170,20 +179,25 @@ describe('Identity Provider', () => {
 
 describe('Identity Provider - Accounts', () => {
   let server;
+  let accountsUrl;
   const ACCOUNTS_DATA_DIR = './test-data-idp-accounts';
 
   before(async () => {
     await fs.remove(ACCOUNTS_DATA_DIR);
     await fs.ensureDir(ACCOUNTS_DATA_DIR);
 
+    const port = await getAvailablePort();
+    accountsUrl = `http://${TEST_HOST}:${port}`;
+
     server = createServer({
       logger: false,
       root: ACCOUNTS_DATA_DIR,
       idp: true,
-      idpIssuer: `http://${TEST_HOST}:${TEST_PORT + 1}`,
+      idpIssuer: accountsUrl,
+      forceCloseConnections: true,
     });
 
-    await server.listen({ port: TEST_PORT + 1, host: TEST_HOST });
+    await server.listen({ port, host: TEST_HOST });
   });
 
   after(async () => {
@@ -195,7 +209,7 @@ describe('Identity Provider - Accounts', () => {
     const uniqueName = `stored${Date.now()}`;
     const uniqueEmail = `stored${Date.now()}@example.com`;
 
-    const res = await fetch(`http://${TEST_HOST}:${TEST_PORT + 1}/.pods`, {
+    const res = await fetch(`${accountsUrl}/.pods`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({
@@ -221,7 +235,7 @@ describe('Identity Provider - Accounts', () => {
     const uniqueName = `hashed${Date.now()}`;
     const uniqueEmail = `hashed${Date.now()}@example.com`;
 
-    const res = await fetch(`http://${TEST_HOST}:${TEST_PORT + 1}/.pods`, {
+    const res = await fetch(`${accountsUrl}/.pods`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({
@@ -248,24 +262,26 @@ describe('Identity Provider - Accounts', () => {
 
 describe('Identity Provider - Credentials Endpoint', () => {
   let server;
-  // Use same data dir as other tests (DATA_ROOT is cached at module load)
+  let credsUrl;
   const CREDS_DATA_DIR = './data';
-  const CREDS_PORT = 3101;
-  const CREDS_URL = `http://${TEST_HOST}:${CREDS_PORT}`;
 
   before(async () => {
     await fs.emptyDir(CREDS_DATA_DIR);
 
+    const port = await getAvailablePort();
+    credsUrl = `http://${TEST_HOST}:${port}`;
+
     server = createServer({
       logger: false,
       idp: true,
-      idpIssuer: CREDS_URL,
+      idpIssuer: credsUrl,
+      forceCloseConnections: true,
     });
 
-    await server.listen({ port: CREDS_PORT, host: TEST_HOST });
+    await server.listen({ port, host: TEST_HOST });
 
     // Create a test user
-    const res = await fetch(`${CREDS_URL}/.pods`, {
+    const res = await fetch(`${credsUrl}/.pods`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({
@@ -286,7 +302,7 @@ describe('Identity Provider - Credentials Endpoint', () => {
 
   describe('GET /idp/credentials', () => {
     it('should return endpoint info', async () => {
-      const res = await fetch(`${CREDS_URL}/idp/credentials`);
+      const res = await fetch(`${credsUrl}/idp/credentials`);
       assert.strictEqual(res.status, 200);
 
       const info = await res.json();
@@ -299,7 +315,7 @@ describe('Identity Provider - Credentials Endpoint', () => {
 
   describe('POST /idp/credentials', () => {
     it('should return 400 for missing credentials', async () => {
-      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+      const res = await fetch(`${credsUrl}/idp/credentials`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({}),
@@ -311,7 +327,7 @@ describe('Identity Provider - Credentials Endpoint', () => {
     });
 
     it('should return 401 for wrong password', async () => {
-      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+      const res = await fetch(`${credsUrl}/idp/credentials`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
@@ -326,7 +342,7 @@ describe('Identity Provider - Credentials Endpoint', () => {
     });
 
     it('should return 401 for unknown email', async () => {
-      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+      const res = await fetch(`${credsUrl}/idp/credentials`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
@@ -339,7 +355,7 @@ describe('Identity Provider - Credentials Endpoint', () => {
     });
 
     it('should return access token for valid credentials', async () => {
-      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+      const res = await fetch(`${credsUrl}/idp/credentials`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
@@ -358,7 +374,7 @@ describe('Identity Provider - Credentials Endpoint', () => {
     });
 
     it('should return JWT token with webid claim', async () => {
-      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+      const res = await fetch(`${credsUrl}/idp/credentials`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
@@ -382,7 +398,7 @@ describe('Identity Provider - Credentials Endpoint', () => {
     });
 
     it('should work with form-encoded body', async () => {
-      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+      const res = await fetch(`${credsUrl}/idp/credentials`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
         body: 'email=credtest%40example.com&password=testpassword123',
@@ -395,7 +411,7 @@ describe('Identity Provider - Credentials Endpoint', () => {
 
     it('should allow using token to access protected resource', async () => {
       // Get access token
-      const tokenRes = await fetch(`${CREDS_URL}/idp/credentials`, {
+      const tokenRes = await fetch(`${credsUrl}/idp/credentials`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
@@ -407,7 +423,7 @@ describe('Identity Provider - Credentials Endpoint', () => {
       const { access_token } = await tokenRes.json();
 
       // Try to access private resource
-      const res = await fetch(`${CREDS_URL}/credtest/private/`, {
+      const res = await fetch(`${credsUrl}/credtest/private/`, {
         headers: { 'Authorization': `Bearer ${access_token}` },
       });
 

package/test/{live-reload.test.js → live-reload.standalone.js}

@@ -255,6 +255,7 @@ async function runTests() {
     console.log('Test 2 result: PASSED');
 
     console.log('\n=== All tests passed ===');
+    process.exit(0);
   } catch (err) {
     console.error('\n=== Test FAILED ===');
     console.error(err.message);

package/test/mrc20.test.js

@@ -0,0 +1,343 @@
+/**
+ * MRC20 Token Verification tests
+ */
+
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import {
+  jcs,
+  sha256Hex,
+  verifyStateLink,
+  validateMrc20State,
+  extractTransfersTo,
+  totalTransferredTo,
+  verifyMrc20Deposit,
+  btAddress,
+  verifyMrc20Anchor
+} from '../src/mrc20.js';
+import { secp256k1 } from '@noble/curves/secp256k1';
+
+const PROFILE = 'mono.mrc20.v0.1';
+
+// Helper: create a valid state chain pair
+function createStatePair(ops, toAddress) {
+  const prevState = {
+    profile: PROFILE,
+    prev: '0'.repeat(64),
+    seq: 0,
+    ticker: 'TEST',
+    name: 'Test Token',
+    decimals: 0,
+    supply: 1000,
+    balances: { creator: 1000 },
+    ops: []
+  };
+
+  const state = {
+    profile: PROFILE,
+    prev: sha256Hex(jcs(prevState)),
+    seq: 1,
+    ticker: 'TEST',
+    name: 'Test Token',
+    decimals: 0,
+    supply: 1000,
+    balances: { creator: 900, [toAddress]: 100 },
+    ops: ops || [{ op: 'urn:mono:op:transfer', from: 'creator', to: toAddress, amt: 100 }]
+  };
+
+  return { prevState, state };
+}
+
+describe('MRC20 Verification', () => {
+  describe('jcs', () => {
+    it('should sort keys alphabetically', () => {
+      assert.strictEqual(jcs({ b: 1, a: 2 }), '{"a":2,"b":1}');
+    });
+
+    it('should handle nested objects', () => {
+      assert.strictEqual(jcs({ z: { b: 1, a: 2 }, a: 3 }), '{"a":3,"z":{"a":2,"b":1}}');
+    });
+
+    it('should handle arrays', () => {
+      assert.strictEqual(jcs([3, 1, 2]), '[3,1,2]');
+    });
+
+    it('should handle null and primitives', () => {
+      assert.strictEqual(jcs(null), 'null');
+      assert.strictEqual(jcs(42), '42');
+      assert.strictEqual(jcs('hello'), '"hello"');
+      assert.strictEqual(jcs(true), 'true');
+    });
+
+    it('should be deterministic', () => {
+      const obj = { name: 'TEST', profile: PROFILE, seq: 0, prev: '0'.repeat(64) };
+      assert.strictEqual(jcs(obj), jcs(obj));
+    });
+  });
+
+  describe('sha256Hex', () => {
+    it('should return 64-char hex string', () => {
+      const hash = sha256Hex('hello');
+      assert.strictEqual(hash.length, 64);
+      assert.ok(/^[0-9a-f]{64}$/.test(hash));
+    });
+
+    it('should be deterministic', () => {
+      assert.strictEqual(sha256Hex('test'), sha256Hex('test'));
+    });
+  });
+
+  describe('verifyStateLink', () => {
+    it('should verify valid state chain link', () => {
+      const { prevState, state } = createStatePair();
+      const result = verifyStateLink(state, prevState);
+      assert.strictEqual(result.valid, true);
+    });
+
+    it('should reject invalid prev hash', () => {
+      const { prevState, state } = createStatePair();
+      state.prev = 'bad' + state.prev.slice(3);
+      const result = verifyStateLink(state, prevState);
+      assert.strictEqual(result.valid, false);
+      assert.ok(result.error.includes('State chain break'));
+    });
+
+    it('should reject wrong sequence number', () => {
+      const { prevState, state } = createStatePair();
+      state.seq = 5; // should be 1
+      const result = verifyStateLink(state, prevState);
+      assert.strictEqual(result.valid, false);
+      assert.ok(result.error.includes('Sequence mismatch'));
+    });
+
+    it('should reject missing states', () => {
+      assert.strictEqual(verifyStateLink(null, {}).valid, false);
+      assert.strictEqual(verifyStateLink({}, null).valid, false);
+    });
+  });
+
+  describe('validateMrc20State', () => {
+    it('should accept valid MRC20 state', () => {
+      const { state } = createStatePair();
+      assert.strictEqual(validateMrc20State(state).valid, true);
+    });
+
+    it('should reject wrong profile', () => {
+      const { state } = createStatePair();
+      state.profile = 'wrong.profile';
+      assert.strictEqual(validateMrc20State(state).valid, false);
+    });
+
+    it('should reject missing ops', () => {
+      const { state } = createStatePair();
+      delete state.ops;
+      assert.strictEqual(validateMrc20State(state).valid, false);
+    });
+
+    it('should reject non-object', () => {
+      assert.strictEqual(validateMrc20State(null).valid, false);
+      assert.strictEqual(validateMrc20State('string').valid, false);
+    });
+  });
+
+  describe('extractTransfersTo', () => {
+    it('should extract transfers to specific address', () => {
+      const { state } = createStatePair(
+        [
+          { op: 'urn:mono:op:transfer', from: 'alice', to: 'pod', amt: 50 },
+          { op: 'urn:mono:op:transfer', from: 'bob', to: 'other', amt: 30 },
+          { op: 'urn:mono:op:transfer', from: 'carol', to: 'pod', amt: 25 }
+        ],
+        'pod'
+      );
+      const transfers = extractTransfersTo(state, 'pod');
+      assert.strictEqual(transfers.length, 2);
+      assert.strictEqual(transfers[0].amt, 50);
+      assert.strictEqual(transfers[1].amt, 25);
+    });
+
+    it('should return empty for no matching transfers', () => {
+      const { state } = createStatePair();
+      const transfers = extractTransfersTo(state, 'nobody');
+      assert.strictEqual(transfers.length, 0);
+    });
+
+    it('should ignore non-transfer ops', () => {
+      const { state } = createStatePair(
+        [{ op: 'urn:mono:op:mint', to: 'pod', amt: 100 }],
+        'pod'
+      );
+      const transfers = extractTransfersTo(state, 'pod');
+      assert.strictEqual(transfers.length, 0);
+    });
+  });
+
+  describe('totalTransferredTo', () => {
+    it('should sum all transfers to address', () => {
+      const { state } = createStatePair(
+        [
+          { op: 'urn:mono:op:transfer', from: 'a', to: 'pod', amt: 50 },
+          { op: 'urn:mono:op:transfer', from: 'b', to: 'pod', amt: 25 }
+        ],
+        'pod'
+      );
+      assert.strictEqual(totalTransferredTo(state, 'pod'), 75);
+    });
+  });
+
+  describe('verifyMrc20Deposit', () => {
+    it('should verify valid deposit', () => {
+      const { prevState, state } = createStatePair(
+        [{ op: 'urn:mono:op:transfer', from: 'user', to: 'mypod', amt: 200 }],
+        'mypod'
+      );
+      const result = verifyMrc20Deposit({ state, prevState, toAddress: 'mypod' });
+      assert.strictEqual(result.valid, true);
+      assert.strictEqual(result.amount, 200);
+      assert.strictEqual(result.ticker, 'TEST');
+    });
+
+    it('should reject broken state chain', () => {
+      const { prevState, state } = createStatePair(
+        [{ op: 'urn:mono:op:transfer', from: 'user', to: 'pod', amt: 100 }],
+        'pod'
+      );
+      state.prev = 'tampered';
+      const result = verifyMrc20Deposit({ state, prevState, toAddress: 'pod' });
+      assert.strictEqual(result.valid, false);
+    });
+
+    it('should reject deposit to wrong address', () => {
+      const { prevState, state } = createStatePair(
+        [{ op: 'urn:mono:op:transfer', from: 'user', to: 'other-pod', amt: 100 }],
+        'other-pod'
+      );
+      const result = verifyMrc20Deposit({ state, prevState, toAddress: 'my-pod' });
+      assert.strictEqual(result.valid, false);
+      assert.ok(result.error.includes('No transfers'));
+    });
+
+    it('should reject invalid MRC20 profile', () => {
+      const { prevState, state } = createStatePair();
+      state.profile = 'wrong';
+      const result = verifyMrc20Deposit({ state, prevState, toAddress: 'pod' });
+      assert.strictEqual(result.valid, false);
+    });
+
+    it('should sum multiple transfers in same state', () => {
+      const { prevState, state } = createStatePair(
+        [
+          { op: 'urn:mono:op:transfer', from: 'a', to: 'pod', amt: 100 },
+          { op: 'urn:mono:op:transfer', from: 'b', to: 'pod', amt: 50 }
+        ],
+        'pod'
+      );
+      const result = verifyMrc20Deposit({ state, prevState, toAddress: 'pod' });
+      assert.strictEqual(result.valid, true);
+      assert.strictEqual(result.amount, 150);
+    });
+  });
+
+  describe('btAddress', () => {
+    // Use a known keypair for deterministic tests
+    const testPriv = Buffer.alloc(32, 1); // 0x0101...01
+    const testPub = Buffer.from(secp256k1.getPublicKey(testPriv, true)).toString('hex');
+
+    it('should derive a valid testnet bech32m address', () => {
+      const addr = btAddress(testPub, ['state0'], 'testnet4');
+      assert.ok(addr.startsWith('tb1p'), `Expected tb1p prefix, got ${addr}`);
+      assert.ok(addr.length >= 62, `Address too short: ${addr.length}`);
+    });
+
+    it('should derive a valid mainnet bech32m address', () => {
+      const addr = btAddress(testPub, ['state0'], 'mainnet');
+      assert.ok(addr.startsWith('bc1p'), `Expected bc1p prefix, got ${addr}`);
+    });
+
+    it('should be deterministic', () => {
+      const a1 = btAddress(testPub, ['s1', 's2']);
+      const a2 = btAddress(testPub, ['s1', 's2']);
+      assert.strictEqual(a1, a2);
+    });
+
+    it('should produce different addresses for different states', () => {
+      const a1 = btAddress(testPub, ['state-a']);
+      const a2 = btAddress(testPub, ['state-b']);
+      assert.notStrictEqual(a1, a2);
+    });
+
+    it('should produce different addresses for different pubkeys', () => {
+      const priv2 = Buffer.alloc(32, 2);
+      const pub2 = Buffer.from(secp256k1.getPublicKey(priv2, true)).toString('hex');
+      const a1 = btAddress(testPub, ['state']);
+      const a2 = btAddress(pub2, ['state']);
+      assert.notStrictEqual(a1, a2);
+    });
+
+    it('should chain multiple states', () => {
+      const a1 = btAddress(testPub, ['s1']);
+      const a2 = btAddress(testPub, ['s1', 's2']);
+      assert.notStrictEqual(a1, a2);
+    });
+  });
+
+  describe('verifyMrc20Anchor', () => {
+    const testPriv = Buffer.alloc(32, 1);
+    const testPub = Buffer.from(secp256k1.getPublicKey(testPriv, true)).toString('hex');
+
+    it('should reject missing stateStrings', async () => {
+      const { prevState, state } = createStatePair(
+        [{ op: 'urn:mono:op:transfer', from: 'user', to: 'pod', amt: 100 }],
+        'pod'
+      );
+      const result = await verifyMrc20Anchor({
+        state, prevState, toAddress: 'pod',
+        pubkey: testPub, stateStrings: []
+      });
+      assert.strictEqual(result.valid, false);
+      assert.ok(result.error.includes('stateStrings'));
+    });
+
+    it('should reject bad pubkey', async () => {
+      const { prevState, state } = createStatePair(
+        [{ op: 'urn:mono:op:transfer', from: 'user', to: 'pod', amt: 100 }],
+        'pod'
+      );
+      const result = await verifyMrc20Anchor({
+        state, prevState, toAddress: 'pod',
+        pubkey: 'short', stateStrings: [jcs(state)]
+      });
+      assert.strictEqual(result.valid, false);
+      assert.ok(result.error.includes('pubkey'));
+    });
+
+    it('should reject mismatched last stateString', async () => {
+      const { prevState, state } = createStatePair(
+        [{ op: 'urn:mono:op:transfer', from: 'user', to: 'pod', amt: 100 }],
+        'pod'
+      );
+      const result = await verifyMrc20Anchor({
+        state, prevState, toAddress: 'pod',
+        pubkey: testPub, stateStrings: ['wrong-jcs']
+      });
+      assert.strictEqual(result.valid, false);
+      assert.ok(result.error.includes('Last stateString'));
+    });
+
+    it('should reject when no UTXO exists (mempool returns empty)', async () => {
+      const { prevState, state } = createStatePair(
+        [{ op: 'urn:mono:op:transfer', from: 'user', to: 'pod', amt: 100 }],
+        'pod'
+      );
+      // Use a fake mempool URL that will fail
+      const result = await verifyMrc20Anchor({
+        state, prevState, toAddress: 'pod',
+        pubkey: testPub,
+        stateStrings: [jcs(prevState), jcs(state)],
+        mempoolUrl: 'http://127.0.0.1:1' // will fail to connect
+      });
+      assert.strictEqual(result.valid, false);
+      assert.ok(result.error.includes('Mempool') || result.error.includes('failed'));
+    });
+  });
+});