@layerzerolabs/protocol-stellar-v2 0.2.40 → 0.2.43

package/contracts/endpoint-v2/src/tests/messaging_channel/inbound.rs

@@ -123,6 +123,36 @@ fn test_inbound_out_of_order_populates_pending_and_drains_when_gap_closed() {
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64), Some(hash_2));
 }
 
+#[test]
+fn test_inbound_when_nonce_already_pending_does_not_advance_inbound_nonce() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // First inbound at nonce 2 adds it to pending (gap at nonce 1).
+    let hash_2_a = BytesN::from_array(env, &[0x22u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 2u64, &hash_2_a)
+    });
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 2u64]);
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64), Some(hash_2_a.clone()));
+
+    // Re-inbound at the same nonce should overwrite the payload hash, but should NOT duplicate pending
+    // entries nor advance inbound_nonce (gap at nonce 1 still exists).
+    let hash_2_b = BytesN::from_array(env, &[0x23u8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 2u64, &hash_2_b)
+    });
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 2u64]);
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2u64), Some(hash_2_b));
+}
+
 #[test]
 #[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
 fn test_inbound_rejects_nonce_beyond_pending_window() {
@@ -141,6 +171,52 @@ fn test_inbound_rejects_nonce_beyond_pending_window() {
     });
 }
 
+#[test]
+fn test_inbound_accepts_upper_bound_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Set inbound_nonce to 100 so the upper bound is 356 (= 100 + 256).
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 100);
+
+    let hash = BytesN::from_array(env, &[0xabu8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 356u64, &hash)
+    });
+
+    // Nonce 356 is not consecutive to 100, so it stays pending and inbound_nonce does not advance.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 100);
+    assert_eq!(
+        endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender),
+        soroban_sdk::vec![env, 356u64]
+    );
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &356u64), Some(hash));
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_inbound_rejects_beyond_upper_bound_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 100);
+
+    let hash = BytesN::from_array(env, &[0xabu8; 32]);
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 357u64, &hash)
+    });
+}
+
 #[test]
 #[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
 fn test_inbound_rejects_reverify_when_nonce_leq_inbound_and_payload_missing() {
@@ -184,4 +260,6 @@ fn test_inbound_allows_reverify_when_nonce_leq_inbound_and_payload_exists() {
         EndpointV2::inbound_for_test(env, &receiver, src_eid, &sender, 1u64, &new_hash)
     });
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &1u64), Some(new_hash));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
 }

package/contracts/endpoint-v2/src/tests/messaging_channel/insert_and_drain_pending_nonces.rs

@@ -0,0 +1,272 @@
+use soroban_sdk::{testutils::Address as _, Address, BytesN};
+
+use crate::{endpoint_v2::EndpointV2, tests::endpoint_setup::setup};
+
+fn insert_and_drain(
+    context: &crate::tests::endpoint_setup::TestSetup,
+    receiver: &Address,
+    src_eid: u32,
+    sender: &BytesN<32>,
+    nonce: u64,
+) {
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+    env.as_contract(&endpoint_client.address, || {
+        EndpointV2::insert_and_drain_pending_nonces_for_test(env, receiver, src_eid, sender, nonce)
+    });
+}
+
+#[test]
+fn test_insert_and_drain_inserts_sorted_and_dedupes() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Start with inbound_nonce = 0.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+
+    // Insert out of order: 3 then 2. Pending should remain sorted.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 3);
+    insert_and_drain(&context, &receiver, src_eid, &sender, 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(
+        endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender),
+        soroban_sdk::vec![env, 2u64, 3u64]
+    );
+
+    // Re-inserting an already pending nonce should be a no-op (no duplicates, no drain).
+    insert_and_drain(&context, &receiver, src_eid, &sender, 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(
+        endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender),
+        soroban_sdk::vec![env, 2u64, 3u64]
+    );
+
+    insert_and_drain(&context, &receiver, src_eid, &sender, 1);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+fn test_insert_and_drain_drains_consecutive_sequence() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Insert 2 and 3, then insert 1. Inserting 1 should drain 1,2,3 and advance inbound_nonce to 3.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 2);
+    insert_and_drain(&context, &receiver, src_eid, &sender, 3);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(
+        endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender),
+        soroban_sdk::vec![env, 2u64, 3u64]
+    );
+
+    insert_and_drain(&context, &receiver, src_eid, &sender, 1);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 3);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+fn test_insert_and_drain_leaves_nonconsecutive_tail_pending() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Insert 2 and 4, then insert 1. Drain should advance to 2 but leave 4 pending (gap at 3).
+    insert_and_drain(&context, &receiver, src_eid, &sender, 2);
+    insert_and_drain(&context, &receiver, src_eid, &sender, 4);
+    insert_and_drain(&context, &receiver, src_eid, &sender, 1);
+
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 4u64]);
+}
+
+#[test]
+fn test_insert_and_drain_accepts_upper_bound_when_inbound_nonce_zero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // inbound_nonce == 0: 256 is allowed.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 256);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 256u64]);
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_insert_and_drain_rejects_beyond_upper_bound_when_inbound_nonce_zero() {
+    let context = setup();
+    let env = &context.env;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // inbound_nonce == 0: 257 is out of range (max is 256).
+    insert_and_drain(&context, &receiver, src_eid, &sender, 257);
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_insert_and_drain_rejects_nonce_leq_inbound_nonce() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Advance inbound_nonce to 5 via storage utility.
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 5);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
+
+    // Calling with new_nonce == inbound_nonce should panic InvalidNonce.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 5);
+}
+
+#[test]
+fn test_insert_and_drain_accepts_upper_bound_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // inbound_nonce == 100: upper bound is 356 (= 100 + 256).
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 100);
+    insert_and_drain(&context, &receiver, src_eid, &sender, 356);
+
+    // Not consecutive to 100, so it remains pending and inbound_nonce does not advance.
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 100);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 356u64]);
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_insert_and_drain_rejects_beyond_upper_bound_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 100);
+
+    // inbound_nonce == 100: 357 is out of range (max is 356).
+    insert_and_drain(&context, &receiver, src_eid, &sender, 357);
+}
+
+#[test]
+fn test_insert_and_drain_drains_across_existing_pending_tail_when_inbound_nonce_nonzero() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Set inbound_nonce to 2.
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 2);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+
+    // Insert 4 first -> pending [4], inbound_nonce remains 2 (missing 3).
+    insert_and_drain(&context, &receiver, src_eid, &sender, 4);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 4u64]);
+
+    // Insert 3 -> should drain 3 then 4 and advance inbound_nonce to 4.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 3);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 4);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+fn test_insert_and_drain_drains_single_next_nonce_when_no_pending() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    context.set_inbound_nonce(&receiver, src_eid, &sender, 5);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 5);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+
+    // Insert exactly inbound_nonce + 1. This should drain immediately and leave pending empty.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 6);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 6);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+fn test_insert_and_drain_window_holds_255_when_inbound_plus_one_missing_then_drains() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Fill the pending window with 2..=256 while nonce 1 is still missing.
+    // This creates 255 pending nonces and inbound_nonce remains 0.
+    for nonce in 2u64..=256u64 {
+        insert_and_drain(&context, &receiver, src_eid, &sender, nonce);
+    }
+
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+    let pending = endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender);
+    assert_eq!(pending.len(), 255);
+    assert_eq!(pending.get(0).unwrap(), 2u64);
+    assert_eq!(pending.get(254).unwrap(), 256u64);
+
+    // Inserting nonce 1 closes the gap and drains the entire window.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 1);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 256);
+    assert!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender).is_empty());
+}
+
+#[test]
+#[should_panic(expected = "Error(Contract, #11)")] // EndpointError::InvalidNonce
+fn test_insert_and_drain_rejects_257_when_missing_inbound_plus_one() {
+    let context = setup();
+    let env = &context.env;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2u32;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Keep inbound_nonce at 0 and fill 2..=256 into pending.
+    for nonce in 2u64..=256u64 {
+        insert_and_drain(&context, &receiver, src_eid, &sender, nonce);
+    }
+
+    // 257 is outside the allowed range (0, 256] while inbound_nonce is still 0.
+    insert_and_drain(&context, &receiver, src_eid, &sender, 257);
+}

package/contracts/endpoint-v2/src/tests/messaging_channel/mod.rs

@@ -3,6 +3,7 @@ mod clear_payload;
 mod inbound;
 mod inbound_nonce;
 mod inbound_payload_hash;
+mod insert_and_drain_pending_nonces;
 mod pending_inbound_nonces;
 mod next_guid;
 mod nilify;

package/contracts/endpoint-v2/src/tests/messaging_channel/nilify.rs

@@ -92,6 +92,7 @@ fn test_nilify_success_with_stored_payload() {
 
     // Verify payload hash is stored.
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
 
     // Nilify the payload.
     let payload_hash_opt = Some(payload_hash.clone());
@@ -114,9 +115,10 @@ fn test_nilify_success_with_stored_payload() {
     let nilified_hash = endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce);
     let expected_nil_hash = nil_hash(&context);
     assert_eq!(nilified_hash, Some(expected_nil_hash));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
 }
 
-// Successful nilify with None (non-verified nonce) when nonce > lazy nonce
+// Successful nilify with None (no existing payload hash) when nonce > inbound_nonce
 #[test]
 fn test_nilify_success_with_empty_payload() {
     let context = setup();
@@ -150,9 +152,9 @@ fn test_nilify_success_with_empty_payload() {
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
 }
 
-// Nilify with None counts as "verified" for inbound_nonce (but does not change lazy nonce)
+// Nilify with None counts toward `inbound_nonce` advancement (via pending-nonce draining).
 #[test]
-fn test_nilify_with_none_advances_inbound_nonce_without_changing_lazy_nonce() {
+fn test_nilify_with_none_advances_inbound_nonce_without_changing_payload_hashes() {
     let context = setup();
     let env = &context.env;
     let endpoint_client = &context.endpoint_client;
@@ -211,7 +213,7 @@ fn test_nilify_closes_gap_and_drains_pending_nonces() {
     );
 }
 
-// Nilify is allowed when nonce <= lazy nonce if a payload hash exists
+// Nilify is allowed when nonce <= inbound_nonce if an `inbound_payload_hash` exists
 #[test]
 fn test_nilify_allows_when_nonce_is_checkpointed_if_payload_exists() {
     let context = setup();
@@ -232,7 +234,7 @@ fn test_nilify_allows_when_nonce_is_checkpointed_if_payload_exists() {
     assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 10);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(payload_hash.clone()));
 
-    // Even though nonce <= lazy_nonce, this should succeed because a payload hash exists.
+    // Even though nonce <= inbound_nonce, this should succeed because a payload hash exists.
     let payload_hash_opt = Some(payload_hash.clone());
     nilify_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce, &payload_hash_opt);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(nil_hash(&context)));
@@ -253,16 +255,19 @@ fn test_nilify_allows_repeated_call_when_already_nilified() {
 
     // First nilify: verified payload hash -> nil hash.
     context.inbound_as_verified(&receiver, src_eid, &sender, nonce, &payload_hash);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
     let payload_hash_opt = Some(payload_hash);
     nilify_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce, &payload_hash_opt);
 
     let nil = nil_hash(&context);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(nil.clone()));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
 
     // Second nilify: passing the current stored nil hash should succeed.
     let nil_opt = Some(nil.clone());
     nilify_with_auth(&context, &receiver, &receiver, src_eid, &sender, nonce, &nil_opt);
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &nonce), Some(nil));
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 1);
 }
 
 // Delegate authorization (delegate(receiver) is allowed)

package/contracts/endpoint-v2/src/tests/messaging_channel/skip.rs

@@ -248,6 +248,36 @@ fn test_skip_closes_gap_and_advances_inbound_nonce() {
     assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2), Some(payload_hash_2));
 }
 
+// Skipping a missing nonce can close *part* of the gap while leaving later gaps pending.
+#[test]
+fn test_skip_closes_gap_but_pending_inbound_nonces_not_empty() {
+    let context = setup();
+    let env = &context.env;
+    let endpoint_client = &context.endpoint_client;
+
+    let receiver = Address::generate(env);
+    let src_eid = 2;
+    let sender = BytesN::from_array(env, &[1u8; 32]);
+
+    // Verify nonce 2 and 4 out-of-order. inbound_nonce stays 0 because nonce 1 is missing, and
+    // pending list contains [2, 4] (gap at 1 and 3).
+    let payload_hash_2 = BytesN::from_array(env, &[0x11u8; 32]);
+    let payload_hash_4 = BytesN::from_array(env, &[0x22u8; 32]);
+    context.inbound_as_verified(&receiver, src_eid, &sender, 2, &payload_hash_2);
+    context.inbound_as_verified(&receiver, src_eid, &sender, 4, &payload_hash_4);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 0);
+
+    // Skip nonce 1 closes the first gap and drains consecutive pending nonces up to 2,
+    // but nonce 4 remains pending because nonce 3 is still missing.
+    skip_with_auth(&context, &receiver, &receiver, src_eid, &sender, 1);
+    assert_eq!(endpoint_client.inbound_nonce(&receiver, &src_eid, &sender), 2);
+    assert_eq!(endpoint_client.pending_inbound_nonces(&receiver, &src_eid, &sender), soroban_sdk::vec![env, 4u64]);
+
+    // Payload hashes remain intact.
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &2), Some(payload_hash_2));
+    assert_eq!(endpoint_client.inbound_payload_hash(&receiver, &src_eid, &sender, &4), Some(payload_hash_4));
+}
+
 // Repeated skip of the same nonce is rejected
 #[test]
 fn test_skip_rejects_repeated_same_nonce() {

package/contracts/macro-integration-tests/tests/runtime/oapp/mod.rs

@@ -1,7 +1,12 @@
 use endpoint_v2::Origin;
+use oapp::oapp_core::OAPP_ADMIN_ROLE;
 use oapp::oapp_receiver::LzReceiveInternal;
 use oapp_macros::oapp;
-use soroban_sdk::{contractimpl, symbol_short, Address, Bytes, BytesN, Env};
+use soroban_sdk::{
+    contractimpl, symbol_short,
+    testutils::{MockAuth, MockAuthInvoke},
+    Address, Bytes, BytesN, Env, IntoVal, Symbol,
+};
 
 mod oapp_core;
 mod options_type3;
@@ -11,12 +16,10 @@ mod sender;
 /// Shared contract used by oapp-macros runtime tests.
 ///
 /// Notes:
-/// - `#[oapp]` expands to `#[common_macros::lz_contract]` + default trait impls for:
-///   - `oapp::oapp_core::OAppCore` (contract trait)
-///   - `oapp::oapp_receiver::OAppReceiver` (contract trait)
-///   - `oapp::oapp_options_type3::OAppOptionsType3` (contract trait)
-///   - `oapp::oapp_sender::OAppSenderInternal` (internal trait)
+/// - `#[oapp]` generates only trait impls. User must apply `#[lz_contract]` (or similar) for contract + TTL + Auth.
+/// - Default trait impls: `OAppCore`, `OAppReceiver`, `OAppOptionsType3`, `OAppSenderInternal`
 #[oapp]
+#[common_macros::lz_contract]
 pub struct TestOApp;
 
 impl LzReceiveInternal for TestOApp {
@@ -46,3 +49,19 @@ impl TestOApp {
         env.storage().instance().get(&symbol_short!("lzr_c")).unwrap_or(false)
     }
 }
+
+/// Grants `OAPP_ADMIN_ROLE` to `owner` via the public `grant_role` interface.
+/// Call after `init()` in tests that exercise RBAC-protected entrypoints.
+pub fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
+    let role = Symbol::new(env, OAPP_ADMIN_ROLE);
+    env.mock_auths(&[MockAuth {
+        address: owner,
+        invoke: &MockAuthInvoke {
+            contract,
+            fn_name: "grant_role",
+            args: (owner, &role, owner).into_val(env),
+            sub_invokes: &[],
+        },
+    }]);
+    utils::rbac::RoleBasedAccessControlClient::new(env, contract).grant_role(owner, &role, owner);
+}

package/contracts/macro-integration-tests/tests/runtime/oapp/oapp_core.rs

@@ -1,6 +1,6 @@
 // Runtime tests: OAppCore behavior generated by `#[oapp]`.
 
-use super::{TestOApp, TestOAppClient};
+use super::{grant_oapp_admin, TestOApp, TestOAppClient};
 use oapp::oapp_core::{OAppCoreStorage, PeerSet};
 use soroban_sdk::{
     contract, contractimpl,
@@ -64,6 +64,7 @@ fn set_peer_requires_auth_and_updates_storage() {
     let owner = Address::generate(&env);
     let endpoint = Address::generate(&env);
     client.init(&owner, &endpoint);
+    grant_oapp_admin(&env, &contract_id, &owner);
 
     let eid: u32 = 101;
     let peer = Some(BytesN::<32>::from_array(&env, &[7u8; 32]));
@@ -72,7 +73,7 @@ fn set_peer_requires_auth_and_updates_storage() {
     assert_eq!(client.peer(&eid), None);
 
     // Unauthorized set should fail.
-    let unauthorized = client.try_set_peer(&eid, &peer);
+    let unauthorized = client.try_set_peer(&eid, &peer, &owner);
     assert_eq!(
         unauthorized.unwrap_err().unwrap(),
         Error::from_type_and_code(ScErrorType::Context, ScErrorCode::InvalidAction)
@@ -85,11 +86,11 @@ fn set_peer_requires_auth_and_updates_storage() {
             invoke: &MockAuthInvoke {
                 contract: &contract_id,
                 fn_name: "set_peer",
-                args: (&eid, &peer).into_val(&env),
+                args: (&eid, &peer, &owner).into_val(&env),
                 sub_invokes: &[],
             },
         }])
-        .set_peer(&eid, &peer);
+        .set_peer(&eid, &peer, &owner);
 
     // Assert event before any other contract call (Soroban events are per-call).
     assert_contains_event(&env, &contract_id, PeerSet { eid, peer: peer.clone() });
@@ -106,11 +107,11 @@ fn set_peer_requires_auth_and_updates_storage() {
         invoke: &MockAuthInvoke {
             contract: &contract_id,
             fn_name: "set_peer",
-            args: (&eid, &none).into_val(&env),
+            args: (&eid, &none, &owner).into_val(&env),
             sub_invokes: &[],
         },
     }]);
-    client.set_peer(&eid, &none);
+    client.set_peer(&eid, &none, &owner);
     assert_contains_event(&env, &contract_id, PeerSet { eid, peer: None });
     env.as_contract(&contract_id, || {
         assert_eq!(OAppCoreStorage::peer(&env, eid), None);
@@ -128,10 +129,11 @@ fn set_delegate_requires_auth_and_updates_endpoint() {
 
     let owner = Address::generate(&env);
     client.init(&owner, &endpoint_id);
+    grant_oapp_admin(&env, &contract_id, &owner);
 
     // Unauthorized set should fail.
     let delegate = Some(Address::generate(&env));
-    let unauthorized = client.try_set_delegate(&delegate);
+    let unauthorized = client.try_set_delegate(&delegate, &owner);
     assert_eq!(
         unauthorized.unwrap_err().unwrap(),
         Error::from_type_and_code(ScErrorType::Context, ScErrorCode::InvalidAction)
@@ -144,11 +146,11 @@ fn set_delegate_requires_auth_and_updates_endpoint() {
             invoke: &MockAuthInvoke {
                 contract: &contract_id,
                 fn_name: "set_delegate",
-                args: (&delegate,).into_val(&env),
+                args: (&delegate, &owner).into_val(&env),
                 sub_invokes: &[],
             },
         }])
-        .set_delegate(&delegate);
+        .set_delegate(&delegate, &owner);
 
     assert_eq!(endpoint_client.delegate(&contract_id), delegate);
 
@@ -160,11 +162,11 @@ fn set_delegate_requires_auth_and_updates_endpoint() {
             invoke: &MockAuthInvoke {
                 contract: &contract_id,
                 fn_name: "set_delegate",
-                args: (&none,).into_val(&env),
+                args: (&none, &owner).into_val(&env),
                 sub_invokes: &[],
             },
         }])
-        .set_delegate(&none);
+        .set_delegate(&none, &owner);
 
     assert_eq!(endpoint_client.delegate(&contract_id), None);
 }