mppx 0.6.27 → 0.6.29

package/src/tempo/session/Chain.test.ts

@@ -310,7 +310,7 @@ describe.runIf(isLocalnet)('on-chain', () => {
       expect(result.onChain.finalized).toBe(false)
     })
 
-    test('fee-payer: rejects unauthorized calls', async () => {
+    test('fee-payer relay: rejects unauthorized open calls', async () => {
       const salt = nextSalt()
       const deposit = 5_000_000n
 
@@ -349,7 +349,7 @@ describe.runIf(isLocalnet)('on-chain', () => {
           channelId,
           recipient,
           currency,
-          feePayer: accounts[0],
+          isSponsored: true,
         }),
       ).rejects.toThrow('fee-sponsored open transaction contains an unauthorized call')
     })
@@ -798,7 +798,7 @@ describe.runIf(isLocalnet)('on-chain', () => {
       expect(result.newDeposit).toBe(deposit + topUpAmount)
     })
 
-    test('fee-payer: rejects unauthorized calls', async () => {
+    test('fee-payer relay: rejects unauthorized topUp calls', async () => {
       const salt = nextSalt()
       const deposit = 5_000_000n
       const topUpAmount = 3_000_000n
@@ -847,7 +847,7 @@ describe.runIf(isLocalnet)('on-chain', () => {
           currency: asset,
           declaredDeposit: topUpAmount,
           previousDeposit: deposit,
-          feePayer: accounts[0],
+          isSponsored: true,
         }),
       ).rejects.toThrow('fee-sponsored topUp transaction contains an unauthorized call')
     })

package/src/tempo/session/Chain.ts

@@ -466,6 +466,7 @@ export async function broadcastOpenTransaction(parameters: {
   challengeExpires?: string | undefined
   feePayerPolicy?: Partial<FeePayer.Policy> | undefined
   feePayer?: Account | undefined
+  isSponsored?: boolean | undefined
   beforeBroadcast?: ((onChain: OnChainChannel) => Promise<void> | void) | undefined
   /** When false, simulates instead of waiting for confirmation and returns derived on-chain state. @default true */
   waitForConfirmation?: boolean | undefined
@@ -480,11 +481,12 @@ export async function broadcastOpenTransaction(parameters: {
     challengeExpires,
     feePayerPolicy,
     feePayer,
+    isSponsored = Boolean(feePayer),
     beforeBroadcast,
     waitForConfirmation = true,
   } = parameters
 
-  if (feePayer && !FeePayer.isTempoTransaction(serializedTransaction))
+  if (isSponsored && !FeePayer.isTempoTransaction(serializedTransaction))
     throw new BadRequestError({
       reason: 'Only Tempo (0x76/0x78) transactions are supported',
     })
@@ -493,11 +495,11 @@ export async function broadcastOpenTransaction(parameters: {
     serializedTransaction as Transaction.TransactionSerializedTempo,
   )
 
-  if (feePayer) assertSenderSigned(transaction)
+  if (isSponsored) assertSenderSigned(transaction)
 
   const calls = transaction.calls ?? []
 
-  const sponsoredOpenCall = feePayer
+  const sponsoredOpenCall = isSponsored
     ? validateSponsoredOpenCalls({
         calls,
         currency,
@@ -669,6 +671,7 @@ export async function broadcastTopUpTransaction(parameters: {
   challengeExpires?: string | undefined
   feePayerPolicy?: Partial<FeePayer.Policy> | undefined
   feePayer?: Account | undefined
+  isSponsored?: boolean | undefined
 }): Promise<{ txHash: Hex; newDeposit: bigint }> {
   const {
     client,
@@ -681,9 +684,10 @@ export async function broadcastTopUpTransaction(parameters: {
     challengeExpires,
     feePayerPolicy,
     feePayer,
+    isSponsored = Boolean(feePayer),
   } = parameters
 
-  if (feePayer && !FeePayer.isTempoTransaction(serializedTransaction))
+  if (isSponsored && !FeePayer.isTempoTransaction(serializedTransaction))
     throw new BadRequestError({
       reason: 'Only Tempo (0x76/0x78) transactions are supported',
     })
@@ -692,11 +696,11 @@ export async function broadcastTopUpTransaction(parameters: {
     serializedTransaction as Transaction.TransactionSerializedTempo,
   )
 
-  if (feePayer) assertSenderSigned(transaction)
+  if (isSponsored) assertSenderSigned(transaction)
 
   const calls = transaction.calls ?? []
 
-  const sponsoredTopUpCall = feePayer
+  const sponsoredTopUpCall = isSponsored
     ? validateSponsoredTopUpCalls({
         calls,
         currency,

package/src/tempo/session/ChannelStore.test.ts

@@ -117,6 +117,27 @@ describe('channelStore', () => {
       expect(typeof loaded!.createdAt).toBe('string')
     })
 
+    test('prefixes backing store keys when configured', async () => {
+      const rawStore = Store.memory()
+      const cs = ChannelStore.fromStore(Store.from(rawStore, { keyPrefix: 'tenant:' }))
+      await cs.updateChannel(channelId, () => makeChannel())
+
+      expect(await rawStore.get(`tenant:${channelId}`)).not.toBeNull()
+      expect(await rawStore.get(channelId)).toBeNull()
+      expect((await cs.getChannel(channelId))?.channelId).toBe(channelId)
+    })
+
+    test('isolates prefixed store wrappers', async () => {
+      const rawStore = Store.memory()
+      const first = ChannelStore.fromStore(Store.from(rawStore, { keyPrefix: 'tenant-a:' }))
+      const second = ChannelStore.fromStore(Store.from(rawStore, { keyPrefix: 'tenant-b:' }))
+      await first.updateChannel(channelId, () => makeChannel())
+
+      expect(await second.getChannel(channelId)).toBeNull()
+      expect(await rawStore.get(`tenant-a:${channelId}`)).not.toBeNull()
+      expect(await rawStore.get(`tenant-b:${channelId}`)).toBeNull()
+    })
+
     test('treats case-variant channelIds as the same record', async () => {
       const cs = ChannelStore.fromStore(Store.memory())
       await cs.updateChannel(mixedCaseAliasChannelId, () =>

package/src/tempo/session/Voucher.test.ts

@@ -1,5 +1,8 @@
-import { createClient, http } from 'viem'
+import { P256, Secp256k1, Signature } from 'ox'
+import { SignatureEnvelope } from 'ox/tempo'
+import { createClient, http, type Account, type Hex } from 'viem'
 import { privateKeyToAccount } from 'viem/accounts'
+import { Account as TempoAccount, WebCryptoP256 } from 'viem/tempo'
 import { describe, expect, test } from 'vp/test'
 
 import { parseVoucherFromPayload, signVoucher, verifyVoucher } from './Voucher.js'
@@ -39,6 +42,232 @@ describe('Voucher', () => {
     expect(isValid).toBe(true)
   })
 
+  test('signVoucher rejects direct WebCrypto P256 voucher signatures', async () => {
+    const keyPair = await WebCryptoP256.createKeyPair()
+    const p256Account = TempoAccount.fromWebCryptoP256(keyPair)
+    const p256Client = createClient({
+      account: p256Account,
+      transport: http('http://127.0.0.1'),
+    })
+
+    await expect(
+      signVoucher(
+        p256Client,
+        p256Account,
+        { channelId, cumulativeAmount },
+        escrowContract,
+        chainId,
+      ),
+    ).rejects.toThrow('Session vouchers only support secp256k1 signatures')
+  })
+
+  test('signVoucher rejects direct WebAuthn voucher signatures', async () => {
+    const webAuthnAccount = TempoAccount.fromHeadlessWebAuthn(P256.randomPrivateKey(), {
+      origin: 'https://example.com',
+      rpId: 'example.com',
+    })
+    const webAuthnClient = createClient({
+      account: webAuthnAccount,
+      transport: http('http://127.0.0.1'),
+    })
+
+    await expect(
+      signVoucher(
+        webAuthnClient,
+        webAuthnAccount,
+        { channelId, cumulativeAmount },
+        escrowContract,
+        chainId,
+      ),
+    ).rejects.toThrow('Session vouchers only support secp256k1 signatures')
+  })
+
+  test('signVoucher signs v1 secp256k1 access keys with raw signatures', async () => {
+    const accessKey = TempoAccount.fromSecp256k1(
+      '0x59c6995e998f97a5a0044966f09453863d462d2b3f1446a99f0a3d7b5d0f5a0d',
+      { access: account, internal_version: 'v1' },
+    )
+    const accessKeyClient = createClient({
+      account: accessKey,
+      transport: http('http://127.0.0.1'),
+    })
+
+    const signature = await signVoucher(
+      accessKeyClient,
+      accessKey,
+      { channelId, cumulativeAmount },
+      escrowContract,
+      chainId,
+    )
+    const envelope = SignatureEnvelope.from(signature as SignatureEnvelope.Serialized)
+
+    expect(envelope.type).toBe('secp256k1')
+    expect(signature.length).toBe(132)
+
+    const isValid = await verifyVoucher(
+      escrowContract,
+      chainId,
+      { channelId, cumulativeAmount, signature },
+      accessKey.accessKeyAddress,
+    )
+    expect(isValid).toBe(true)
+  })
+
+  test('signVoucher unwraps legacy secp256k1 keychain signatures', async () => {
+    const privateKey = '0x59c6995e998f97a5a0044966f09453863d462d2b3f1446a99f0a3d7b5d0f5a0d'
+    const rawAccessKey = TempoAccount.fromSecp256k1(privateKey)
+    const keychainSigner = {
+      accessKeyAddress: rawAccessKey.address,
+      address: account.address,
+      async sign({ hash }: { hash: Hex }) {
+        const inner = SignatureEnvelope.from(
+          Signature.toHex(Secp256k1.sign({ payload: hash, privateKey })),
+        )
+        return SignatureEnvelope.serialize({
+          type: 'keychain',
+          version: 'v1',
+          userAddress: account.address,
+          inner,
+        })
+      },
+    } as unknown as Account
+
+    const signature = await signVoucher(
+      client,
+      keychainSigner,
+      { channelId, cumulativeAmount },
+      escrowContract,
+      chainId,
+    )
+    const envelope = SignatureEnvelope.from(signature as SignatureEnvelope.Serialized)
+
+    expect(envelope.type).toBe('secp256k1')
+    expect(signature.length).toBe(132)
+
+    const isValid = await verifyVoucher(
+      escrowContract,
+      chainId,
+      { channelId, cumulativeAmount, signature },
+      rawAccessKey.address,
+    )
+    expect(isValid).toBe(true)
+  })
+
+  test('signVoucher signs v2 secp256k1 access keys with raw signatures', async () => {
+    const accessKey = TempoAccount.fromSecp256k1(
+      '0x59c6995e998f97a5a0044966f09453863d462d2b3f1446a99f0a3d7b5d0f5a0d',
+      { access: account },
+    )
+    const accessKeyClient = createClient({
+      account: accessKey,
+      transport: http('http://127.0.0.1'),
+    })
+
+    const signature = await signVoucher(
+      accessKeyClient,
+      accessKey,
+      { channelId, cumulativeAmount },
+      escrowContract,
+      chainId,
+    )
+    const envelope = SignatureEnvelope.from(signature as SignatureEnvelope.Serialized)
+
+    expect(envelope.type).toBe('secp256k1')
+    expect(signature.length).toBe(132)
+
+    const isValid = await verifyVoucher(
+      escrowContract,
+      chainId,
+      { channelId, cumulativeAmount, signature },
+      accessKey.accessKeyAddress,
+    )
+    expect(isValid).toBe(true)
+  })
+
+  test('verifyVoucher rejects keychain envelopes', async () => {
+    const privateKey = '0x59c6995e998f97a5a0044966f09453863d462d2b3f1446a99f0a3d7b5d0f5a0d'
+    const inner = SignatureEnvelope.from(
+      Signature.toHex(Secp256k1.sign({ payload: channelId, privateKey })),
+    )
+    const keychainSignature = SignatureEnvelope.serialize({
+      type: 'keychain',
+      version: 'v2',
+      userAddress: account.address,
+      inner,
+    })
+
+    const isValid = await verifyVoucher(
+      escrowContract,
+      chainId,
+      { channelId, cumulativeAmount, signature: keychainSignature },
+      account.address,
+    )
+    expect(isValid).toBe(false)
+  })
+
+  test('signVoucher signs non-secp256k1 access keys without keychain envelopes', async () => {
+    const accessKey = TempoAccount.fromP256(P256.randomPrivateKey(), {
+      access: account,
+      internal_version: 'v1',
+    })
+    const accessKeyClient = createClient({
+      account: accessKey,
+      transport: http('http://127.0.0.1'),
+    })
+
+    await expect(
+      signVoucher(
+        accessKeyClient,
+        accessKey,
+        { channelId, cumulativeAmount },
+        escrowContract,
+        chainId,
+      ),
+    ).rejects.toThrow('Session vouchers only support secp256k1 signatures')
+  })
+
+  test('verifyVoucher rejects magic-suffixed secp256k1 signatures', async () => {
+    const signature = await signVoucher(
+      client,
+      account,
+      { channelId, cumulativeAmount },
+      escrowContract,
+      chainId,
+    )
+    const signatureWithMagic = SignatureEnvelope.serialize(SignatureEnvelope.from(signature), {
+      magic: true,
+    })
+
+    const isValid = await verifyVoucher(
+      escrowContract,
+      chainId,
+      { channelId, cumulativeAmount, signature: signatureWithMagic },
+      account.address,
+    )
+    expect(isValid).toBe(false)
+  })
+
+  test('verifyVoucher rejects EIP-155-style secp256k1 v values', async () => {
+    const signature = await signVoucher(
+      client,
+      account,
+      { channelId, cumulativeAmount },
+      escrowContract,
+      chainId,
+    )
+    const signatureWithEip155V = `${signature.slice(0, -2)}${
+      signature.endsWith('1b') ? '23' : '24'
+    }` as `0x${string}`
+
+    const isValid = await verifyVoucher(
+      escrowContract,
+      chainId,
+      { channelId, cumulativeAmount, signature: signatureWithEip155V },
+      account.address,
+    )
+    expect(isValid).toBe(false)
+  })
+
   test('verifyVoucher rejects wrong signer', async () => {
     const signature = await signVoucher(
       client,

package/src/tempo/session/Voucher.ts

@@ -1,10 +1,10 @@
-import { type Address, Signature } from 'ox'
+import { Signature, type Address } from 'ox'
 import { SignatureEnvelope } from 'ox/tempo'
 import type { Account, Client, Hex } from 'viem'
-import { recoverTypedDataAddress } from 'viem'
+import { hashTypedData } from 'viem'
 import { signTypedData } from 'viem/actions'
 
-import * as TempoAddress from '../internal/address.js'
+import { getAccountSignerAddress, isAccessKeyAccount } from '../internal/account.js'
 import type { SignedVoucher, Voucher } from './Types.js'
 
 /** Must match the on-chain TempoStreamChannel DOMAIN_SEPARATOR name. */
@@ -35,48 +35,110 @@ const voucherTypes = {
   ],
 } as const
 
-/**
- * Sign a voucher with an account.
- */
-export async function signVoucher(
+const acceptTip1020VoucherSignatures = false
+
+function getVoucherMessage(message: Voucher) {
+  return {
+    channelId: message.channelId,
+    cumulativeAmount: message.cumulativeAmount,
+  }
+}
+
+function getVoucherDigest(escrowContract: Address.Address, chainId: number, message: Voucher) {
+  return hashTypedData({
+    domain: getVoucherDomain(escrowContract, chainId),
+    types: voucherTypes,
+    primaryType: 'Voucher',
+    message: getVoucherMessage(message),
+  })
+}
+
+async function signVoucherTypedData(
   client: Client,
   account: Account,
   message: Voucher,
   escrowContract: Address.Address,
   chainId: number,
-  authorizedSigner?: Address.Address | undefined,
 ): Promise<Hex> {
-  const signature = await signTypedData(client, {
+  return signTypedData(client, {
     account,
     domain: getVoucherDomain(escrowContract, chainId),
     types: voucherTypes,
     primaryType: 'Voucher',
-    message: {
-      channelId: message.channelId,
-      cumulativeAmount: message.cumulativeAmount,
-    },
+    message: getVoucherMessage(message),
   })
+}
+
+function normalizeVoucherSignature(signature: Hex): Hex {
+  const envelope = SignatureEnvelope.from(signature as SignatureEnvelope.Serialized)
 
-  // When a separate authorizedSigner is used (e.g. access key), unwrap the
-  // keychain envelope — the escrow contract verifies raw ECDSA signatures
-  // against authorizedSigner, not keychain-wrapped ones.
-  // TODO: when TIP-1020 is implemented, we can remove this.
-  if (authorizedSigner) {
-    try {
-      const envelope = SignatureEnvelope.from(signature as SignatureEnvelope.Serialized)
-      if (envelope.type === 'keychain' && envelope.inner.type === 'secp256k1')
-        return Signature.toHex(envelope.inner.signature)
-    } catch {}
+  if (envelope.type === 'keychain') {
+    if (envelope.inner.type !== 'secp256k1')
+      throw new Error(
+        'Session vouchers only unwrap secp256k1 keychain signatures; pass a direct voucherSigner for other key types.',
+      )
+
+    return Signature.toHex(envelope.inner.signature)
   }
 
-  return signature
+  // Tempo local accounts may append signature-envelope magic bytes for RPC
+  // routing. Voucher signatures are direct envelopes without magic bytes.
+  return SignatureEnvelope.serialize(envelope)
+}
+
+function acceptsVoucherEnvelope(envelope: SignatureEnvelope.SignatureEnvelope): boolean {
+  if (envelope.type === 'keychain') return false
+  if (envelope.type === 'secp256k1') return true
+  return acceptTip1020VoucherSignatures
+}
+
+function assertSupportedVoucherEnvelope(envelope: SignatureEnvelope.SignatureEnvelope) {
+  if (acceptsVoucherEnvelope(envelope)) return
+
+  throw new Error(
+    'Session vouchers only support secp256k1 signatures until TIP-1020 voucher verification is enabled.',
+  )
+}
+
+/**
+ * Sign a voucher with an account.
+ */
+export async function signVoucher(
+  client: Client,
+  account: Account,
+  message: Voucher,
+  escrowContract: Address.Address,
+  chainId: number,
+  voucherSigner?: Account | undefined,
+): Promise<Hex> {
+  const signer = voucherSigner ?? account
+  const expectedSigner = getAccountSignerAddress(signer)
+
+  const digest = getVoucherDigest(escrowContract, chainId, message)
+  const signature = isAccessKeyAccount(signer)
+    ? await signer.sign({ hash: digest, raw: true })
+    : await signVoucherTypedData(client, signer, message, escrowContract, chainId)
+  const normalized = normalizeVoucherSignature(signature)
+  const envelope = SignatureEnvelope.from(normalized as SignatureEnvelope.Serialized)
+  assertSupportedVoucherEnvelope(envelope)
+
+  if (
+    !SignatureEnvelope.verify(envelope, {
+      address: expectedSigner,
+      payload: digest,
+    })
+  )
+    throw new Error('voucher signature does not match voucher signer')
+
+  return normalized
 }
 
 /**
  * Verify a voucher signature matches the expected signer.
  *
- * Only accepts raw secp256k1 signatures — the escrow contract verifies
- * via ecrecover. Keychain, p256, and webAuthn signatures are rejected.
+ * Accepts canonical raw secp256k1 voucher signatures.
+ *
+ * TIP-1020 voucher signatures will be enabled when onchain escrow verification ships.
  */
 export async function verifyVoucher(
   escrowContract: Address.Address,
@@ -85,31 +147,17 @@ export async function verifyVoucher(
   expectedSigner: Address.Address,
 ): Promise<boolean> {
   try {
-    const domain = getVoucherDomain(escrowContract, chainId)
-    const message = {
-      channelId: voucher.channelId,
-      cumulativeAmount: voucher.cumulativeAmount,
-    }
-
     const envelope = SignatureEnvelope.from(voucher.signature)
 
-    // Reject keychain signatures — the escrow contract verifies raw ECDSA
-    // signatures against authorizedSigner, not keychain-wrapped ones.
-    if (envelope.type === 'keychain') return false
-
-    // Reject non-secp256k1 signatures (p256, webAuthn) — the escrow contract
-    // only supports ecrecover-based verification.
-    // TODO: remove this once TIP-1020 is implemented
-    if (envelope.type !== 'secp256k1') return false
-
-    const signer = await recoverTypedDataAddress({
-      domain,
-      types: voucherTypes,
-      primaryType: 'Voucher',
-      message,
-      signature: voucher.signature,
+    if (!acceptsVoucherEnvelope(envelope)) return false
+
+    const canonical = SignatureEnvelope.serialize(envelope)
+    if (canonical.toLowerCase() !== voucher.signature.toLowerCase()) return false
+
+    return SignatureEnvelope.verify(envelope, {
+      address: expectedSigner,
+      payload: getVoucherDigest(escrowContract, chainId, voucher),
     })
-    return TempoAddress.isEqual(signer, expectedSigner)
   } catch {
     return false
   }

package/src/tempo/session/Ws.test.ts

@@ -407,4 +407,75 @@ describe('isows', () => {
     expect(channel?.spent).toBe(0n)
     expect(channel?.units).toBe(0)
   })
+
+  test('does not meter or emit application messages after close is requested on-chain', async () => {
+    const socket = new MockSocket()
+    const store = memoryChannelStore()
+    await store.updateChannel(channelId, () => ({
+      channelId,
+      payer: '0x0000000000000000000000000000000000000001' as Address,
+      payee: '0x0000000000000000000000000000000000000002' as Address,
+      token: '0x0000000000000000000000000000000000000003' as Address,
+      authorizedSigner: '0x0000000000000000000000000000000000000004' as Address,
+      chainId: 42431,
+      escrowContract: '0x0000000000000000000000000000000000000005' as Address,
+      deposit: 1n,
+      settledOnChain: 0n,
+      highestVoucherAmount: 1n,
+      highestVoucher: null,
+      spent: 0n,
+      units: 0,
+      closeRequestedAt: 1n,
+      finalized: false,
+      createdAt: new Date().toISOString(),
+    }))
+
+    await Ws.serve({
+      socket,
+      store,
+      url: 'ws://example.test/stream',
+      route: async () => ({
+        status: 200,
+        withReceipt(response = new Response(null, { status: 204 })) {
+          response.headers.set(
+            'Payment-Receipt',
+            serializeSessionReceipt(
+              createSessionReceipt({
+                challengeId: challenge.id,
+                channelId,
+                acceptedCumulative: 1n,
+                spent: 0n,
+                units: 0,
+              }),
+            ),
+          )
+          return response
+        },
+      }),
+      generate: (async function* () {
+        yield 'should-not-reach'
+      })(),
+    })
+
+    socket.receive(
+      Ws.formatAuthorizationMessage(
+        makeCredential({
+          action: 'open',
+          channelId,
+          cumulativeAmount: '1',
+          signature: `0x${'77'.repeat(65)}`,
+          transaction: '0x01',
+          type: 'transaction',
+        }),
+      ),
+    )
+
+    await sleep(100)
+
+    expect(socket.closed).toBe(true)
+    expect(socket.sent.some((message) => message.includes('should-not-reach'))).toBe(false)
+    const channel = await store.getChannel(channelId)
+    expect(channel?.spent).toBe(0n)
+    expect(channel?.units).toBe(0)
+  })
 })

package/src/tempo/session/Ws.ts

@@ -1,4 +1,5 @@
 import * as Credential from '../../Credential.js'
+import { ChannelClosedError } from '../../Errors.js'
 import * as ChannelStore from './ChannelStore.js'
 import { deserializeSessionReceipt } from './Receipt.js'
 import { createSessionReceipt } from './Receipt.js'
@@ -405,6 +406,7 @@ async function reserveChargeOrWait(options: {
 
   let channel = await store.getChannel(channelId)
   if (!channel) throw new Error('channel not found')
+  throwIfChannelClosed(channel)
 
   const hasHeadroom = (state: ChannelStore.State) =>
     state.highestVoucherAmount - state.spent - reservedAmount >= amount
@@ -424,6 +426,7 @@ async function reserveChargeOrWait(options: {
     await waitForUpdate(store, channelId, pollIntervalMs, signal)
     channel = await store.getChannel(channelId)
     if (!channel) throw new Error('channel not found')
+    throwIfChannelClosed(channel)
   }
 }
 
@@ -440,6 +443,7 @@ async function commitReservedCharges(options: {
   const channel = await store.updateChannel(channelId, (current) => {
     if (!current) return null
     if (current.finalized) return current
+    if (current.closeRequestedAt !== 0n) return current
     if (current.highestVoucherAmount - current.spent < amount) return current
     committed = true
     return {
@@ -450,9 +454,18 @@ async function commitReservedCharges(options: {
   })
 
   if (!channel) throw new Error('channel not found')
+  if (channel.finalized) throw new ChannelClosedError({ reason: 'channel is finalized' })
+  if (channel.closeRequestedAt !== 0n)
+    throw new ChannelClosedError({ reason: 'channel has a pending close request' })
   if (!committed) throw new Error('reserved voucher coverage is no longer available')
 }
 
+function throwIfChannelClosed(channel: ChannelStore.State): void {
+  if (channel.finalized) throw new ChannelClosedError({ reason: 'channel is finalized' })
+  if (channel.closeRequestedAt !== 0n)
+    throw new ChannelClosedError({ reason: 'channel has a pending close request' })
+}
+
 async function waitForUpdate(
   store: ChannelStore.ChannelStore,
   channelId: SessionCredentialPayload['channelId'],