@inco/lightning 0.2.17 → 0.3.2

package/src/test/TEELifecycle/TEELifecycleMockTest.t.sol

@@ -0,0 +1,145 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.0;
+
+import "@inco/lightning/src/lightning-parts/TEELifecycle.sol";
+import "@inco/lightning/src/lightning-parts/TEELifecycle.types.sol";
+import {MockRemoteAttestation} from "../FakeIncoInfra/MockRemoteAttestation.sol";
+import {FakeQuoteVerifier} from "../FakeIncoInfra/FakeQuoteVerifier.sol";
+
+import "forge-std/Vm.sol";
+import "forge-std/Test.sol";
+
+contract TEELifecycleMockTest is Test, MockRemoteAttestation, TEELifecycle {
+
+    function setUp() public {
+        quoteVerifier = new FakeQuoteVerifier();
+    }
+
+    function test_successfulBootstrap() public {
+        (BootstrapResult memory bootstrapResult, , , bytes memory quote, bytes memory signature, bytes memory mrtd) = successfulBootstrapResult();
+        vm.startPrank(this.owner());
+        this.approveNewTEEVersion(mrtd);
+        this.verifyBootstrapResult(
+            bootstrapResult,
+            quote,
+            signature
+        );
+        assertTrue(this.isBootstrapComplete(), "Bootstrap should be complete");
+        vm.stopPrank();
+    }
+    
+    function test_invalidMrtd() public {
+        bytes memory badMrtd = hex"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef";
+
+        (BootstrapResult memory bootstrapResult, , address bootstrapPartyAddress, bytes memory quote, bytes memory signature, bytes memory mrtd) = successfulBootstrapResult();
+
+        quote = createQuote(badMrtd, bootstrapPartyAddress); // Replace with bad MRTD
+        vm.startPrank(this.owner());
+        this.approveNewTEEVersion(mrtd);
+        vm.expectRevert(bytes("Invalid report MRTD"));
+        this.verifyBootstrapResult(
+            bootstrapResult,
+            quote,
+            signature
+        );
+        vm.stopPrank();
+    }
+
+    function test_invalidSignature() public {
+        (BootstrapResult memory bootstrapResult, , , bytes memory quote, , bytes memory mrtd) = successfulBootstrapResult();
+        (uint256 bootstrapPartyFakePrivkey, ) = getLabeledKeyPair("bootstrapPartyFake");
+        bytes memory signatureInvalid = signBootstrapResult(bootstrapResult, bootstrapPartyFakePrivkey);
+        vm.startPrank(this.owner());
+        this.approveNewTEEVersion(mrtd);
+        vm.expectRevert(bytes("Invalid signature for bootstrap data"));
+        this.verifyBootstrapResult(
+            bootstrapResult,
+            quote,
+            signatureInvalid
+        );
+        vm.stopPrank();
+    }
+
+    function test_bootstrapAlreadyComplete() public {
+        (BootstrapResult memory bootstrapResult, , , bytes memory quote, bytes memory signature, bytes memory mrtd) = successfulBootstrapResult();
+        vm.startPrank(this.owner());
+        this.approveNewTEEVersion(mrtd);
+        this.verifyBootstrapResult(
+            bootstrapResult,
+            quote,
+            signature
+        );
+        vm.expectRevert(bytes("Bootstrap already completed"));
+        this.verifyBootstrapResult(
+            bootstrapResult,
+            quote,
+            signature
+        );
+        vm.stopPrank();
+    }
+
+    function test_approveNewTEEInvalidMrtd() public {
+        bytes memory mrtd = hex"deadbeef";
+        vm.startPrank(this.owner());
+        vm.expectRevert(bytes("MRTD must be 48 bytes"));
+        this.approveNewTEEVersion(mrtd);
+        vm.stopPrank();
+    }
+
+    function test_bootstrapNotCompleteNewCoval() public {
+        bytes memory mrtd = hex"2a90c8fa38672cafd791d994beb6836b99383b2563736858632284f0f760a6446efd1e7ec457cf08b629ea630f7b4525";
+        (, address newCoval) = getLabeledKeyPair("newCoval");
+        bytes memory quote = createQuote(mrtd, newCoval);
+        vm.startPrank(this.owner());
+        vm.expectRevert(bytes("Bootstrap not complete"));
+        this.addNewCovalidator(quote);
+        vm.stopPrank();
+    }
+
+    function test_invalidMrtdNewCoval() public {
+        (BootstrapResult memory bootstrapResult, , , bytes memory quote, bytes memory signature, bytes memory mrtd) = successfulBootstrapResult();
+        vm.startPrank(this.owner());
+        this.approveNewTEEVersion(mrtd);
+        this.verifyBootstrapResult(
+            bootstrapResult,
+            quote,
+            signature
+        );
+        bytes memory badMrtd = hex"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef";
+        (, address newCoval) = getLabeledKeyPair("newCoval");
+        bytes memory quoteNew = createQuote(badMrtd, newCoval);
+        
+        vm.expectRevert(bytes("Invalid report MRTD"));
+        this.addNewCovalidator(quoteNew);
+        vm.stopPrank();
+    }
+
+    // Helper function to create a successful bootstrap result
+    function successfulBootstrapResult() internal returns (BootstrapResult memory bootstrapResult, uint256 bootstrapPartyPrivkey, address bootstrapPartyAddress, bytes memory quote, bytes memory signature, bytes memory mrtd) {
+        (bootstrapPartyPrivkey, bootstrapPartyAddress) = getLabeledKeyPair("bootstrapParty");
+        bytes memory eciesPubkey = hex"04ff5c6dd72ad7583288b84ee2598e081fe0bc6ef543c342e925a5dfcff9afb2444d25454d7d5dcfadc9ed99477c245efa93caf58d7f58143300d81cc948e7bdf5";
+        mrtd = hex"2a90c8fa38672cafd791d994beb6836b99383b2563736858632284f0f760a6446efd1e7ec457cf08b629ea630f7b4525";
+
+        bootstrapResult = BootstrapResult({
+            ecies_pubkey: eciesPubkey
+        });
+
+        quote = createQuote(
+            mrtd,
+            bootstrapPartyAddress
+        );
+        signature = signBootstrapResult(bootstrapResult, bootstrapPartyPrivkey);
+    }
+    
+    // Helper function to sign the bootstrap result
+    function signBootstrapResult(
+        BootstrapResult memory bootstrapResult,
+        uint256 privateKey
+    ) internal view returns (bytes memory) {
+        bytes32 bootstrapResultDigest = bootstrapResultDigest(
+            bootstrapResult
+        );
+        return getSignatureForDigest(bootstrapResultDigest, privateKey);
+    }
+
+}

package/src/test/TEELifecycle/addnode_data/eoa.txt

@@ -0,0 +1 @@
+0x32B70C13186E3B81137ec09c0CB3ee8e14e69f64

package/src/test/TEELifecycle/bootstrap_data/ecies_pubkey.bin

@@ -0,0 +1 @@
+�@��3��X���r�F��[s�X"�t��$��

package/src/test/TEELifecycle/bootstrap_data/eip712_signature.bin

@@ -0,0 +1 @@
+�a�[O$��������G�s#������@ZH �W#��3�-`�x'r�U�?G�)|H3}�K;

package/src/test/TEELifecycle/bootstrap_data/eoa.txt

@@ -0,0 +1 @@
+0x8461984E47D19e9B86702F398982a5c2747A734D

package/src/test/TEELifecycle/bootstrap_data/qe_identity

@@ -0,0 +1 @@
+{"id":"TD_QE","version":2,"issueDate":"2025-08-06T16:32:25Z","nextUpdate":"2025-09-05T16:32:25Z","tcbEvaluationDataNumber":17,"miscselect":"00000000","miscselectMask":"FFFFFFFF","attributes":"11000000000000000000000000000000","attributesMask":"FBFFFFFFFFFFFFFF0000000000000000","mrsigner":"DC9E2A7C6F948F17474E34A7FC43ED030F7C1563F1BABDDF6340C82E0E54A8C5","isvprodid":2,"tcbLevels":[{"tcb":{"isvsvn":4},"tcbDate":"2024-03-13T00:00:00Z","tcbStatus":"UpToDate"}]}

package/src/test/TEELifecycle/bootstrap_data/qe_identity_signature.bin

@@ -0,0 +1 @@
+ETw���bwޱ�˧����-ĭ�%u#O�Po�����'�ࣳE&T�d�.F�����|��

package/src/test/TEELifecycle/bootstrap_data/tcb_info

@@ -0,0 +1 @@
+{"id":"TDX","version":3,"issueDate":"2025-08-06T16:25:19Z","nextUpdate":"2025-09-05T16:25:19Z","fmspc":"00806F050000","pceId":"0000","tcbType":0,"tcbEvaluationDataNumber":17,"tdxModule":{"mrsigner":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000","attributes":"0000000000000000","attributesMask":"FFFFFFFFFFFFFFFF"},"tdxModuleIdentities":[{"id":"TDX_03","mrsigner":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000","attributes":"0000000000000000","attributesMask":"FFFFFFFFFFFFFFFF","tcbLevels":[{"tcb":{"isvsvn":3},"tcbDate":"2024-03-13T00:00:00Z","tcbStatus":"UpToDate"}]},{"id":"TDX_01","mrsigner":"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000","attributes":"0000000000000000","attributesMask":"FFFFFFFFFFFFFFFF","tcbLevels":[{"tcb":{"isvsvn":4},"tcbDate":"2024-03-13T00:00:00Z","tcbStatus":"UpToDate"},{"tcb":{"isvsvn":2},"tcbDate":"2023-08-09T00:00:00Z","tcbStatus":"OutOfDate"}]}],"tcbLevels":[{"tcb":{"sgxtcbcomponents":[{"svn":7,"category":"BIOS","type":"Early Microcode Update"},{"svn":7,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":2,"category":"OS/VMM","type":"TXT SINIT"},{"svn":2,"category":"BIOS"},{"svn":3,"category":"BIOS"},{"svn":1,"category":"BIOS"},{"svn":0},{"svn":3,"category":"OS/VMM","type":"SEAMLDR ACM"},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":11,"tdxtcbcomponents":[{"svn":5,"category":"OS/VMM","type":"TDX Module"},{"svn":0,"category":"OS/VMM","type":"TDX Module"},{"svn":7,"category":"OS/VMM","type":"TDX Late Microcode Update"},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}]},"tcbDate":"2024-03-13T00:00:00Z","tcbStatus":"UpToDate"},{"tcb":{"sgxtcbcomponents":[{"svn":6,"category":"BIOS","type":"Early Microcode Update"},{"svn":6,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":2,"category":"OS/VMM","type":"TXT SINIT"},{"svn":2,"category":"BIOS"},{"svn":3,"category":"BIOS"},{"svn":1,"category":"BIOS"},{"svn":0},{"svn":3,"category":"OS/VMM","type":"SEAMLDR ACM"},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":11,"tdxtcbcomponents":[{"svn":3,"category":"OS/VMM","type":"TDX Module"},{"svn":0,"category":"OS/VMM","type":"TDX Module"},{"svn":6,"category":"OS/VMM","type":"TDX Late Microcode Update"},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}]},"tcbDate":"2023-08-09T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00960","INTEL-SA-00982","INTEL-SA-00986"]},{"tcb":{"sgxtcbcomponents":[{"svn":5,"category":"BIOS","type":"Early Microcode Update"},{"svn":5,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":2,"category":"OS/VMM","type":"TXT SINIT"},{"svn":2,"category":"BIOS"},{"svn":3,"category":"BIOS"},{"svn":1,"category":"BIOS"},{"svn":0},{"svn":3,"category":"OS/VMM","type":"SEAMLDR ACM"},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":11,"tdxtcbcomponents":[{"svn":3,"category":"OS/VMM","type":"TDX Module"},{"svn":0,"category":"OS/VMM","type":"TDX Module"},{"svn":5,"category":"OS/VMM","type":"TDX Late Microcode Update"},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}]},"tcbDate":"2023-02-15T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00837","INTEL-SA-00960","INTEL-SA-00982","INTEL-SA-00986"]},{"tcb":{"sgxtcbcomponents":[{"svn":5,"category":"BIOS","type":"Early Microcode Update"},{"svn":5,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":2,"category":"OS/VMM","type":"TXT SINIT"},{"svn":2,"category":"BIOS"},{"svn":3,"category":"BIOS"},{"svn":1,"category":"BIOS"},{"svn":0},{"svn":3,"category":"OS/VMM","type":"SEAMLDR ACM"},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":5,"tdxtcbcomponents":[{"svn":3,"category":"OS/VMM","type":"TDX Module"},{"svn":0,"category":"OS/VMM","type":"TDX Module"},{"svn":5,"category":"OS/VMM","type":"TDX Late Microcode Update"},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}]},"tcbDate":"2018-01-04T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00106","INTEL-SA-00115","INTEL-SA-00135","INTEL-SA-00203","INTEL-SA-00220","INTEL-SA-00233","INTEL-SA-00270","INTEL-SA-00293","INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00837","INTEL-SA-00960","INTEL-SA-00982","INTEL-SA-00986"]}]}

package/src/test/TEELifecycle/bootstrap_data/tcb_info_signature.bin

@@ -0,0 +1 @@
+��e�3?��b� \���@E\�B���2���v3��KLm�C����

package/src/test/TestFakeInfra.t.sol

@@ -4,6 +4,11 @@ pragma solidity ^0.8;
 import {IncoTest} from "./IncoTest.sol";
 import {e, euint256, ebool, eaddress} from "../Lib.sol";
 import {SenderNotAllowedForHandle} from "../Types.sol";
+import {TEELifecycle} from "../lightning-parts/TEELifecycle.sol";
+import {MockRemoteAttestation} from "./FakeIncoInfra/MockRemoteAttestation.sol";
+
+import {MINIMUM_QUOTE_LENGTH} from "@automata-network/dcap-attestation/types/Constants.sol";
+import {TD10ReportBody} from "@automata-network/dcap-attestation/types/V4Structs.sol";
 
 contract TakesEInput {
     using e for bytes;
@@ -36,7 +41,7 @@ contract TakesEInput {
 }
 
 // its meta: this is testing correct behavior of our testing infrastructure
-contract TestFakeInfra is IncoTest {
+contract TestFakeInfra is IncoTest, MockRemoteAttestation {
     using e for euint256;
     using e for ebool;
     using e for uint256;
@@ -303,4 +308,16 @@ contract TestFakeInfra is IncoTest {
         );
         a.add(euint256.wrap(randomHandle));
     }
+
+    function testCreateQuote() public {
+        bytes memory mrtd = hex"1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef";
+        address signer = address(0x1234567890123456789012345678901234567890);
+        bytes memory quote = createQuote(mrtd, signer);
+        TEELifecycle lifecycle = new TEELifecycle();
+        TD10ReportBody memory tdReport = lifecycle.parseTD10ReportBody(quote);
+        (address reportDataSigner, bytes memory reportMrtd) = lifecycle.parseReport(tdReport);
+        assertEq(reportDataSigner, signer);
+        assertEq(keccak256(reportMrtd), keccak256(mrtd));
+        assertEq(quote.length, MINIMUM_QUOTE_LENGTH);
+    }
 }

package/src/test/TestUpgrade.t.sol

@@ -0,0 +1,314 @@
+// SPDX-License-Identifier: No License
+pragma solidity ^0.8.20;
+
+import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
+import {Safe} from "safe-smart-account/Safe.sol";
+import {SafeProxyFactory} from "safe-smart-account/proxies/SafeProxyFactory.sol";
+import {Enum} from "safe-smart-account/libraries/Enum.sol";
+import {IOwnerManager} from "safe-smart-account/interfaces/IOwnerManager.sol";
+import {IncoTest} from "./IncoTest.sol";
+import {inco} from "../Lib.sol";
+import {IncoLightning} from "../IncoLightning.sol";
+import {
+    MAJOR_VERSION,
+    MINOR_VERSION,
+    PATCH_VERSION
+} from "../version/IncoLightningConfig.sol";
+
+interface IUUPS {
+    function upgradeToAndCall(
+        address newImplementation,
+        bytes calldata data
+    ) external payable;
+}
+
+contract IncoLightningV2 is IncoLightning {
+    uint8 constant MAJOR_VERSION_MOCK = 255;
+    uint8 constant MINOR_VERSION_MOCK = 255;
+    uint8 constant PATCH_VERSION_MOCK = 255;
+
+    constructor(bytes32 salt) IncoLightning(salt) {}
+
+    function getVersion() public view virtual override returns (string memory) {
+        return
+            versionString(
+                MAJOR_VERSION_MOCK,
+                MINOR_VERSION_MOCK,
+                PATCH_VERSION_MOCK
+            );
+    }
+}
+
+contract TestUpgrade is IncoTest {
+    using Strings for uint256;
+
+    // EIP-1967 implementation slot
+    bytes32 private constant IMPLEMENTATION_SLOT =
+        0x360894A13BA1A3210667C828492DB98DCA3E2076CC3735A920A3CA505D382BBC;
+
+    address private incoProxyAddr;
+    IncoLightning private v1Impl;
+    IncoLightningV2 private v2Impl;
+
+    Safe private safe;
+
+    function setUp() public override {
+        super.setUp();
+        incoProxyAddr = address(inco);
+
+        Safe master = new Safe();
+        SafeProxyFactory factory = new SafeProxyFactory();
+
+        address[] memory owners = new address[](3);
+        owners[0] = alice;
+        owners[1] = bob;
+        owners[2] = carol;
+        uint256 threshold = 2;
+        bytes memory setupData = abi.encodeWithSelector(
+            Safe.setup.selector,
+            owners,
+            threshold,
+            address(0),
+            bytes(""),
+            address(0),
+            address(0),
+            0,
+            payable(address(0))
+        );
+        safe = Safe(
+            payable(factory.createProxyWithNonce(address(master), setupData, 0))
+        );
+
+        vm.prank(owner);
+        inco.transferOwnership(address(safe));
+
+        // Deploy V2
+        bytes32 salt = getSalt(
+            "IncoLightningV2",
+            255,
+            255,
+            255,
+            testDeployer,
+            "testnet"
+        );
+        v2Impl = new IncoLightningV2(salt);
+    }
+
+    function test_SafeUpgrade2of3_Succeeds() public {
+        string memory versionBefore = inco.getVersion();
+        assertEq(
+            versionBefore,
+            string.concat(
+                uint256(MAJOR_VERSION).toString(),
+                "_",
+                uint256(MINOR_VERSION).toString(),
+                "_",
+                uint256(PATCH_VERSION).toString()
+            )
+        );
+        // data to sign
+        bytes memory data = abi.encodeWithSelector(
+            IUUPS.upgradeToAndCall.selector,
+            address(v2Impl),
+            ""
+        );
+        // prepare txhash
+        bytes32 txHash = _txHash(safe, incoProxyAddr, 0, data);
+        // sign txHash
+        bytes memory sigA = _sign(alicePrivKey, txHash);
+        bytes memory sigB = _sign(bobPrivKey, txHash);
+        // sort signatures (asc)
+        bytes memory signatures = _packSortedTwo(sigA, alice, sigB, bob);
+        // execute tx with sorted signatures
+        _execSafe(safe, incoProxyAddr, 0, data, signatures);
+
+        address implAfter = address(
+            uint160(uint256(vm.load(incoProxyAddr, IMPLEMENTATION_SLOT)))
+        );
+        assertEq(implAfter, address(v2Impl));
+
+        string memory versionAfter = inco.getVersion();
+        assertEq(versionAfter, "255_255_255");
+    }
+
+    function test_SafeSingleSignature_Fails() public {
+        bytes memory data = abi.encodeWithSelector(
+            IUUPS.upgradeToAndCall.selector,
+            address(v2Impl),
+            ""
+        );
+        bytes32 txHash = _txHash(safe, incoProxyAddr, 0, data);
+        bytes memory sigA = _sign(alicePrivKey, txHash);
+        vm.expectRevert();
+        _execSafe(safe, incoProxyAddr, 0, data, sigA);
+    }
+
+    function test_Safe_UnsortedSignatures_Fails() public {
+        bytes memory data = abi.encodeWithSelector(
+            IUUPS.upgradeToAndCall.selector,
+            address(v2Impl),
+            ""
+        );
+        bytes32 txHash = _txHash(safe, incoProxyAddr, 0, data);
+        bytes memory sigA = _sign(alicePrivKey, txHash);
+        bytes memory sigC = _sign(carolPrivKey, txHash);
+        bytes memory signatures = bytes.concat(sigC, sigA); // unsorted
+        vm.expectRevert();
+        _execSafe(safe, incoProxyAddr, 0, data, signatures);
+    }
+
+    function test_Safe_WrongSigner_Fails() public {
+        bytes memory data = abi.encodeWithSelector(
+            IUUPS.upgradeToAndCall.selector,
+            address(v2Impl),
+            ""
+        );
+        bytes32 txHash = _txHash(safe, incoProxyAddr, 0, data);
+        bytes memory sigOwner = _sign(alicePrivKey, txHash);
+        bytes memory sigAttacker = _sign(davePrivKey, txHash);
+        bytes memory signatures = _packSortedTwo(
+            sigOwner,
+            alice,
+            sigAttacker,
+            dave
+        ); // dave not an owner
+        vm.expectRevert();
+        _execSafe(safe, incoProxyAddr, 0, data, signatures);
+    }
+
+    function test_Safe_ReplayNonce_Fails() public {
+        bytes memory data = abi.encodeWithSelector(
+            IUUPS.upgradeToAndCall.selector,
+            address(v2Impl),
+            ""
+        );
+        bytes32 txHash = _txHash(safe, incoProxyAddr, 0, data);
+        bytes memory sigA = _sign(alicePrivKey, txHash);
+        bytes memory sigB = _sign(bobPrivKey, txHash);
+        bytes memory signatures = _packSortedTwo(sigA, alice, sigB, bob);
+        _execSafe(safe, incoProxyAddr, 0, data, signatures);
+
+        string memory versionAfter = inco.getVersion();
+        assertEq(versionAfter, "255_255_255");
+
+        vm.expectRevert();
+        _execSafe(safe, incoProxyAddr, 0, data, signatures); // nonce advanced
+    }
+
+    function test_Safe_UpdateSigners_SwapOwner_ThenUpgrade() public {
+        // swap bob -> eve (prevOwner = alice since owners were [alice, bob, carol])
+        bytes memory change = abi.encodeWithSelector(
+            IOwnerManager.swapOwner.selector,
+            alice,
+            bob,
+            eve
+        );
+        bytes32 changeHash = _txHash(safe, address(safe), 0, change);
+        bytes memory changeSigA = _sign(alicePrivKey, changeHash);
+        bytes memory changeSigC = _sign(carolPrivKey, changeHash);
+        bytes memory changeSigs = _packSortedTwo(
+            changeSigA,
+            alice,
+            changeSigC,
+            carol
+        );
+        _execSafe(safe, address(safe), 0, change, changeSigs);
+
+        // assertions on owners/threshold
+        assertTrue(safe.isOwner(eve), "new owner not added");
+        assertFalse(safe.isOwner(bob), "old owner not removed");
+        assertEq(safe.getThreshold(), 2, "threshold changed unexpectedly");
+
+        // Attempt upgrade signed by removed owner should fail
+        bytes memory upg = abi.encodeWithSelector(
+            IUUPS.upgradeToAndCall.selector,
+            address(v2Impl),
+            ""
+        );
+        bytes32 upgHash = _txHash(safe, incoProxyAddr, 0, upg);
+        bytes memory badSigA = _sign(alicePrivKey, upgHash);
+        bytes memory badSigB = _sign(bobPrivKey, upgHash); // removed owner
+        bytes memory badSigs = _packSortedTwo(badSigA, alice, badSigB, bob);
+        vm.expectRevert();
+        _execSafe(safe, incoProxyAddr, 0, upg, badSigs);
+
+        // Now sign with new owner (owner4) and succeed
+        bytes memory goodSigA = _sign(alicePrivKey, upgHash);
+        bytes memory goodSigE = _sign(evePrivKey, upgHash);
+        bytes memory goodSigs = _packSortedTwo(goodSigA, alice, goodSigE, eve);
+        _execSafe(safe, incoProxyAddr, 0, upg, goodSigs);
+
+        address implAfter = address(
+            uint160(uint256(vm.load(incoProxyAddr, IMPLEMENTATION_SLOT)))
+        );
+        assertEq(implAfter, address(v2Impl));
+
+        string memory versionAfter = inco.getVersion();
+        assertEq(versionAfter, "255_255_255");
+    }
+
+    function test_Upgrade_NotBy_SafeWallet_Fails() public {
+        vm.prank(owner);
+        vm.expectRevert();
+        inco.upgradeToAndCall(address(v2Impl), "");
+    }
+
+    // Helpers
+    function _txHash(
+        Safe _safe,
+        address to,
+        uint256 value,
+        bytes memory data
+    ) internal view returns (bytes32) {
+        return
+            _safe.getTransactionHash(
+                to,
+                value,
+                data,
+                Enum.Operation.Call,
+                0,
+                0,
+                0,
+                address(0),
+                payable(address(0)),
+                _safe.nonce()
+            );
+    }
+    function _sign(
+        uint256 pk,
+        bytes32 txHash
+    ) internal view returns (bytes memory) {
+        (uint8 v, bytes32 r, bytes32 s) = vm.sign(pk, txHash);
+        if (v < 27) v += 27;
+        return abi.encodePacked(r, s, v);
+    }
+    function _packSortedTwo(
+        bytes memory sigA,
+        address addrA,
+        bytes memory sigB,
+        address addrB
+    ) internal pure returns (bytes memory) {
+        return
+            addrA < addrB ? bytes.concat(sigA, sigB) : bytes.concat(sigB, sigA);
+    }
+    function _execSafe(
+        Safe _safe,
+        address to,
+        uint256 value,
+        bytes memory data,
+        bytes memory signatures
+    ) internal {
+        _safe.execTransaction(
+            to,
+            value,
+            data,
+            Enum.Operation.Call,
+            0,
+            0,
+            0,
+            address(0),
+            payable(address(0)),
+            signatures
+        );
+    }
+}