@layerzerolabs/protocol-stellar-v2 0.2.44 → 0.2.46

package/LICENSE

@@ -0,0 +1,42 @@
+LayerZero Business License 1.2
+LZBL-1.2
+
+Notes
+
+The LayerZero Business License (this "Agreement", or the "License") is not an open source license. However, the Licensed Work (as defined below) will eventually be made available under an open source license, as stated in this License, for Permissionless Applications. Permissioned Applications may not use the Licensed Work.  The license parameters are: restrictions on usage, a Change Date, and the open source license that will govern usage of the Licensed Work after the Change Date.
+
+Terms
+
+Licensor hereby grants you the right to copy, modify, create derivative works, redistribute, and make non-production use of the Licensed Work.
+
+On the Change Date (as defined below), this License shall covert into the Change License (as defined below), and the rights granted in the paragraph above terminate. You may not modify this License in any other way.
+
+If your use of the Licensed Work does not comply with the requirements currently in effect as described in this License, you must purchase a commercial license from the Licensor, its affiliated entities, or authorized resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works of the Licensed Work, are subject to this License. This License applies separately for each version of the Licensed Work and the Change Date may vary for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License and the License Text (defined below) on each original or modified copy of the Licensed Work. If you receive the Licensed Work in original or modified form from a third party, the terms and conditions set forth in this License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically terminate your rights under this License for the current and all other versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of Licensor or its affiliates.
+
+THE LICENSED WORK IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE.
+
+
+Definitions
+Change Date means 4 years from December 14, 2023 with respect to Permissionless Applications.  Permissioned Applications shall not have a Change Date and may not use the Licensed Work.
+
+Change License means the GPL Version 2.0 or any later version, or a license that is compatible with GPL Version 2.0 or a later version, where "compatible" means that software provided under the Change License can be included in a program with software provided under GPL Version 2.0 or a later version.
+
+Licensor means LayerZero Labs Ltd.
+
+License Text means:
+LayerZero Business License 1.2
+License text copyright © 2023 LayerZero Labs Ltd., All Rights Reserved.
+
+Licensed Work means LayerZero as described in Whitepaper "LayerZero" published on December 14, 2023.
+
+Permissionless Applications means blockchain networks or applications that users can freely join, interact with, or participate in without first obtaining permission, approval, or authorization and excludes Permissionless Applications.
+
+Permissioned Applications means blockchain networks or applications that are limited only to designated participants or that limit who is allows allowed to participate in financial (or other) activities, and excludes Permissionless Applications.

package/contracts/common-macros/src/lib.rs

@@ -244,6 +244,16 @@ pub fn only_auth(_attr: TokenStream, item: TokenStream) -> TokenStream {
 /// Injects a role check at the start of the function. Panics with
 /// `RbacError::Unauthorized` if the account does not have the role (aligns with OpenZeppelin).
 ///
+/// # Security Warning
+///
+/// **IMPORTANT**: This macro checks role membership but does NOT call
+/// `require_auth()`. Use this macro when:
+///
+/// 1. Your function already contains a `require_auth()` call for the account
+/// 2. You need role-based access control without authorization enforcement
+///
+/// If you need both role checking AND authorization, use `#[only_role]` instead.
+///
 /// # Requirements
 /// - The function must have an `Env` parameter
 /// - The function must have a parameter matching the first macro arg (of type `Address` or `&Address`)
@@ -264,7 +274,7 @@ pub fn only_auth(_attr: TokenStream, item: TokenStream) -> TokenStream {
 /// ```ignore
 /// pub fn mint(env: Env, caller: Address, amount: i128) {
 ///     utils::rbac::ensure_role(&env, &soroban_sdk::Symbol::new(&env, "minter"), &caller);
-///     // Original function body
+///     // Original function body (no require_auth)
 /// }
 /// ```
 #[proc_macro_attribute]
@@ -277,6 +287,12 @@ pub fn has_role(attr: TokenStream, item: TokenStream) -> TokenStream {
 /// Same as `#[has_role]` but also calls `account.require_auth()` to ensure
 /// the caller has authorized the transaction.
 ///
+/// **IMPORTANT**: This macro both checks role membership AND enforces
+/// authorization. In Stellar contracts, duplicate `require_auth()` calls for
+/// the same account will cause panics. If your function already contains a
+/// `require_auth()` call for the same account, use `#[has_role]` instead to
+/// avoid duplicate authorization checks.
+///
 /// # Requirements
 /// Same as `#[has_role]`.
 ///

package/contracts/macro-integration-tests/tests/runtime/oapp/mod.rs

@@ -1,5 +1,5 @@
 use endpoint_v2::Origin;
-use oapp::oapp_core::OAPP_ADMIN_ROLE;
+use oapp::oapp_core::OAPP_MANAGER_ROLE;
 use oapp::oapp_receiver::LzReceiveInternal;
 use oapp_macros::oapp;
 use soroban_sdk::{
@@ -50,10 +50,10 @@ impl TestOApp {
     }
 }
 
-/// Grants `OAPP_ADMIN_ROLE` to `owner` via the public `grant_role` interface.
+/// Grants `OAPP_MANAGER_ROLE` to `owner` via the public `grant_role` interface.
 /// Call after `init()` in tests that exercise RBAC-protected entrypoints.
 pub fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
-    let role = Symbol::new(env, OAPP_ADMIN_ROLE);
+    let role = Symbol::new(env, OAPP_MANAGER_ROLE);
     env.mock_auths(&[MockAuth {
         address: owner,
         invoke: &MockAuthInvoke {

package/contracts/oapps/counter/src/tests/mod.rs

@@ -1,4 +1,4 @@
-use oapp::oapp_core::OAPP_ADMIN_ROLE;
+use oapp::oapp_core::OAPP_MANAGER_ROLE;
 use soroban_sdk::{
     testutils::{MockAuth, MockAuthInvoke},
     token::StellarAssetClient,
@@ -25,7 +25,7 @@ pub fn mint_to(env: &Env, owner: &Address, native_token: &Address, to: &Address,
 }
 
 pub fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
-    let role = Symbol::new(env, OAPP_ADMIN_ROLE);
+    let role = Symbol::new(env, OAPP_MANAGER_ROLE);
     env.mock_auths(&[MockAuth {
         address: owner,
         invoke: &MockAuthInvoke {

package/contracts/oapps/oapp/src/oapp_core.rs

@@ -9,7 +9,7 @@ use utils::{
 };
 
 /// Role for OApp administrative actions (set_peer, set_delegate, set_enforced_options).
-pub const OAPP_ADMIN_ROLE: &str = "OAPP_ADMIN_ROLE";
+pub const OAPP_MANAGER_ROLE: &str = "OAPP_MANAGER_ROLE";
 
 // =====================================================
 // OAppCore Storage and Events
@@ -73,8 +73,8 @@ pub trait OAppCore: Ownable + RoleBasedAccessControl {
     /// # Arguments
     /// * `eid` - The endpoint ID
     /// * `peer` - The address of the peer to be associated with the corresponding endpoint, or None to remove the peer
-    /// * `operator` - The address that must have OAPP_ADMIN_ROLE
-    #[only_role(operator, OAPP_ADMIN_ROLE)]
+    /// * `operator` - The address that must have OAPP_MANAGER_ROLE
+    #[only_role(operator, OAPP_MANAGER_ROLE)]
     fn set_peer(
         env: &soroban_sdk::Env,
         eid: u32,
@@ -89,8 +89,8 @@ pub trait OAppCore: Ownable + RoleBasedAccessControl {
     ///
     /// # Arguments
     /// * `delegate` - The address of the delegate to be set, or None to remove the delegate
-    /// * `operator` - The address that must have OAPP_ADMIN_ROLE
-    #[only_role(operator, OAPP_ADMIN_ROLE)]
+    /// * `operator` - The address that must have OAPP_MANAGER_ROLE
+    #[only_role(operator, OAPP_MANAGER_ROLE)]
     fn set_delegate(env: &soroban_sdk::Env, delegate: &Option<soroban_sdk::Address>, operator: &soroban_sdk::Address) {
         endpoint_client::<Self>(env).set_delegate(&env.current_contract_address(), delegate);
     }

package/contracts/oapps/oapp/src/oapp_options_type3.rs

@@ -1,4 +1,4 @@
-use crate::{self as oapp, errors::OAppError, oapp_core::OAPP_ADMIN_ROLE};
+use crate::{self as oapp, errors::OAppError, oapp_core::OAPP_MANAGER_ROLE};
 use common_macros::{contract_trait, only_role, storage};
 use soroban_sdk::{assert_with_error, contractevent, contracttype, panic_with_error, Bytes, Env, Vec};
 use utils::{buffer_reader::BufferReader, rbac::RoleBasedAccessControl};
@@ -53,8 +53,8 @@ pub trait OAppOptionsType3: RoleBasedAccessControl {
     ///
     /// # Arguments
     /// * `options` - A vector of EnforcedOptionParam structures specifying enforced options
-    /// * `operator` - The address that must have OAPP_ADMIN_ROLE
-    #[only_role(operator, OAPP_ADMIN_ROLE)]
+    /// * `operator` - The address that must have OAPP_MANAGER_ROLE
+    #[only_role(operator, OAPP_MANAGER_ROLE)]
     fn set_enforced_options(
         env: &soroban_sdk::Env,
         options: &soroban_sdk::Vec<oapp::oapp_options_type3::EnforcedOptionParam>,

package/contracts/oapps/oapp/src/tests/mod.rs

@@ -4,15 +4,15 @@ mod oapp_receiver;
 mod oapp_sender;
 mod test_macros;
 
-use crate::oapp_core::OAPP_ADMIN_ROLE;
+use crate::oapp_core::OAPP_MANAGER_ROLE;
 use soroban_sdk::{
     testutils::{MockAuth, MockAuthInvoke},
     Address, Env, IntoVal, Symbol,
 };
 
-/// Grants `OAPP_ADMIN_ROLE` to `owner` via the public `grant_role` interface.
+/// Grants `OAPP_MANAGER_ROLE` to `owner` via the public `grant_role` interface.
 pub(super) fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
-    let role = Symbol::new(env, OAPP_ADMIN_ROLE);
+    let role = Symbol::new(env, OAPP_MANAGER_ROLE);
     env.mock_auths(&[MockAuth {
         address: owner,
         invoke: &MockAuthInvoke {

package/contracts/oapps/oft/integration-tests/setup.rs

@@ -10,7 +10,7 @@ use crate::{
     oft_types::OftType,
 };
 use endpoint_v2::{EndpointV2, EndpointV2Client};
-use oapp::oapp_core::OAPP_ADMIN_ROLE;
+use oapp::oapp_core::OAPP_MANAGER_ROLE;
 use simple_message_lib::{SimpleMessageLib, SimpleMessageLibClient};
 use soroban_sdk::{
     contract, contractimpl, contracttype, log,
@@ -215,7 +215,7 @@ pub fn wire_oft(env: &Env, chains: &[&ChainSetup<'_>]) {
 }
 
 fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
-    let role = Symbol::new(env, OAPP_ADMIN_ROLE);
+    let role = Symbol::new(env, OAPP_MANAGER_ROLE);
     env.mock_auths(&[MockAuth {
         address: owner,
         invoke: &MockAuthInvoke {

package/contracts/oapps/oft/integration-tests/utils.rs

@@ -1,7 +1,7 @@
 //! Utility functions for OFT-STD integration tests.
 
-use crate::extensions::rate_limiter::{Direction, Mode, RateLimitConfig, RATE_LIMITER_ADMIN_ROLE};
-use crate::extensions::oft_fee::FEE_ADMIN_ROLE;
+use crate::extensions::rate_limiter::{Direction, Mode, RateLimitConfig, RATE_LIMITER_MANAGER_ROLE};
+use crate::extensions::oft_fee::FEE_MANAGER_ROLE;
 use crate::extensions::pausable::{PAUSER_ROLE, UNPAUSER_ROLE};
 use crate::integration_tests::setup::{decode_packet, ChainSetup};
 use crate::MintableClient;
@@ -406,8 +406,8 @@ pub fn is_paused(chain: &ChainSetup<'_>) -> bool {
 // ============================================================================
 
 pub fn set_fee_deposit_address(env: &Env, chain: &ChainSetup<'_>, deposit_address: &Address) {
-    // `set_fee_deposit_address` is protected by RBAC (`FEE_ADMIN_ROLE`). Grant it to owner for tests.
-    let role = Symbol::new(env, FEE_ADMIN_ROLE);
+    // `set_fee_deposit_address` is protected by RBAC (`FEE_MANAGER_ROLE`). Grant it to owner for tests.
+    let role = Symbol::new(env, FEE_MANAGER_ROLE);
     env.mock_auths(&[MockAuth {
         address: &chain.owner,
         invoke: &MockAuthInvoke {
@@ -433,8 +433,8 @@ pub fn set_fee_deposit_address(env: &Env, chain: &ChainSetup<'_>, deposit_addres
 }
 
 pub fn set_default_fee_bps(env: &Env, chain: &ChainSetup<'_>, fee_bps: u32) {
-    // `set_default_fee_bps` is protected by RBAC (`FEE_ADMIN_ROLE`). Grant it to owner for tests.
-    let role = Symbol::new(env, FEE_ADMIN_ROLE);
+    // `set_default_fee_bps` is protected by RBAC (`FEE_MANAGER_ROLE`). Grant it to owner for tests.
+    let role = Symbol::new(env, FEE_MANAGER_ROLE);
     env.mock_auths(&[MockAuth {
         address: &chain.owner,
         invoke: &MockAuthInvoke {
@@ -460,8 +460,8 @@ pub fn set_default_fee_bps(env: &Env, chain: &ChainSetup<'_>, fee_bps: u32) {
 }
 
 pub fn set_fee_bps(env: &Env, chain: &ChainSetup<'_>, dst_eid: u32, fee_bps: u32) {
-    // `set_fee_bps` is protected by RBAC (`FEE_ADMIN_ROLE`). Grant it to owner for tests.
-    let role = Symbol::new(env, FEE_ADMIN_ROLE);
+    // `set_fee_bps` is protected by RBAC (`FEE_MANAGER_ROLE`). Grant it to owner for tests.
+    let role = Symbol::new(env, FEE_MANAGER_ROLE);
     env.mock_auths(&[MockAuth {
         address: &chain.owner,
         invoke: &MockAuthInvoke {
@@ -510,8 +510,8 @@ pub fn set_rate_limit_with_mode(
     window_seconds: u64,
     mode: Mode,
 ) {
-    // `set_rate_limit` is protected by RBAC (`RATE_LIMITER_ADMIN_ROLE`). Grant it to owner for tests.
-    let role = Symbol::new(env, RATE_LIMITER_ADMIN_ROLE);
+    // `set_rate_limit` is protected by RBAC (`RATE_LIMITER_MANAGER_ROLE`). Grant it to owner for tests.
+    let role = Symbol::new(env, RATE_LIMITER_MANAGER_ROLE);
     env.mock_auths(&[MockAuth {
         address: &chain.owner,
         invoke: &MockAuthInvoke {

package/contracts/oapps/oft/src/extensions/oft_fee.rs

@@ -3,7 +3,7 @@ use soroban_sdk::{assert_with_error, contractevent, token::TokenClient, Address,
 use utils::{option_ext::OptionExt, rbac::RoleBasedAccessControl};
 
 /// Role for fee configuration (set_default_fee_bps, set_fee_bps, set_fee_deposit_address).
-pub const FEE_ADMIN_ROLE: &str = "FEE_ADMIN_ROLE";
+pub const FEE_MANAGER_ROLE: &str = "FEE_MANAGER_ROLE";
 
 /// Base fee in basis points (10,000 BPS = 100%)
 /// Used as denominator in fee calculations
@@ -82,8 +82,8 @@ pub trait OFTFee: OFTFeeInternal + RoleBasedAccessControl {
     /// - `Some(n)`: sets the default fee to `n` basis points (must be >0 and <=10,000).
     /// - `Some(0)`: rejected — use `None` to remove the default fee instead.
     /// - `None`: removes the default fee (effective rate becomes 0).
-    /// * `operator` - The address that must have FEE_ADMIN_ROLE
-    #[only_role(operator, FEE_ADMIN_ROLE)]
+    /// * `operator` - The address that must have FEE_MANAGER_ROLE
+    #[only_role(operator, FEE_MANAGER_ROLE)]
     fn set_default_fee_bps(env: &soroban_sdk::Env, default_fee_bps: &Option<u32>, operator: &soroban_sdk::Address) {
         Self::__set_default_fee_bps(env, default_fee_bps);
     }
@@ -96,8 +96,8 @@ pub trait OFTFee: OFTFeeInternal + RoleBasedAccessControl {
     /// # Arguments
     /// * `dst_eid` - The destination endpoint ID
     /// * `fee_bps` - The fee rate (0-10,000), or None to remove the fee configuration
-    /// * `operator` - The address that must have FEE_ADMIN_ROLE
-    #[only_role(operator, FEE_ADMIN_ROLE)]
+    /// * `operator` - The address that must have FEE_MANAGER_ROLE
+    #[only_role(operator, FEE_MANAGER_ROLE)]
     fn set_fee_bps(env: &soroban_sdk::Env, dst_eid: u32, fee_bps: &Option<u32>, operator: &soroban_sdk::Address) {
         Self::__set_fee_bps(env, dst_eid, fee_bps);
     }
@@ -106,8 +106,8 @@ pub trait OFTFee: OFTFeeInternal + RoleBasedAccessControl {
     ///
     /// # Arguments
     /// * `fee_deposit_address` - The address to deposit fees to, or None to remove the fee deposit address
-    /// * `operator` - The address that must have FEE_ADMIN_ROLE
-    #[only_role(operator, FEE_ADMIN_ROLE)]
+    /// * `operator` - The address that must have FEE_MANAGER_ROLE
+    #[only_role(operator, FEE_MANAGER_ROLE)]
     fn set_fee_deposit_address(
         env: &soroban_sdk::Env,
         fee_deposit_address: &Option<soroban_sdk::Address>,

package/contracts/oapps/oft/src/extensions/rate_limiter.rs

@@ -4,7 +4,7 @@ use soroban_sdk::{assert_with_error, contractevent, contracttype, Env};
 use utils::rbac::RoleBasedAccessControl;
 
 /// Role for rate limiter configuration (set_rate_limit).
-pub const RATE_LIMITER_ADMIN_ROLE: &str = "RATE_LIMITER_ADMIN_ROLE";
+pub const RATE_LIMITER_MANAGER_ROLE: &str = "RATE_LIMITER_MANAGER_ROLE";
 
 // =========================================================================
 // Types
@@ -108,8 +108,8 @@ pub trait RateLimiter: RateLimiterInternal + RoleBasedAccessControl {
     /// * `direction` - The direction (Inbound or Outbound)
     /// * `eid` - The endpoint ID
     /// * `config` - The rate limit configuration, or None to remove the rate limit
-    /// * `operator` - The address that must have RATE_LIMITER_ADMIN_ROLE
-    #[only_role(operator, RATE_LIMITER_ADMIN_ROLE)]
+    /// * `operator` - The address that must have RATE_LIMITER_MANAGER_ROLE
+    #[only_role(operator, RATE_LIMITER_MANAGER_ROLE)]
     fn set_rate_limit(
         env: &soroban_sdk::Env,
         direction: &oft::rate_limiter::Direction,
@@ -279,7 +279,7 @@ fn calculate_decayed_in_flight(env: &Env, state: &RateLimitState) -> i128 {
     assert_with_error!(env, timestamp >= state.last_update, RateLimitError::InvalidTimestamp);
 
     let elapsed = timestamp - state.last_update;
-    let decay = (elapsed as i128) * state.config.limit / (state.config.window_seconds as i128);
+    let decay = (elapsed as i128).saturating_mul(state.config.limit) / (state.config.window_seconds as i128);
 
     // Ensure the decayed in-flight amount is not negative
     (state.in_flight_on_last_update - decay).max(0)

package/contracts/oapps/oft/src/tests/extensions/oft_fee.rs

@@ -1,7 +1,7 @@
 extern crate std;
 
 use crate::extensions::oft_fee::{OFTFee, OFTFeeError, OFTFeeInternal};
-use crate::extensions::oft_fee::FEE_ADMIN_ROLE;
+use crate::extensions::oft_fee::FEE_MANAGER_ROLE;
 use soroban_sdk::{
     contract, contractimpl,
     testutils::{Address as _, MockAuth, MockAuthInvoke},
@@ -34,10 +34,10 @@ impl RoleBasedAccessControl for FeeTestContract {}
 
 #[contractimpl]
 impl FeeTestContract {
-    /// Test-only: grants FEE_ADMIN_ROLE to the contract.
+    /// Test-only: grants FEE_MANAGER_ROLE to the contract.
     pub fn init_roles(env: Env) {
         let contract_id = env.current_contract_address();
-        grant_role_no_auth(&env, &contract_id, &Symbol::new(&env, FEE_ADMIN_ROLE), &contract_id);
+        grant_role_no_auth(&env, &contract_id, &Symbol::new(&env, FEE_MANAGER_ROLE), &contract_id);
     }
 
     pub fn fee_view(env: Env, dst_eid: u32, amount_ld: i128) -> i128 {

package/contracts/oapps/oft/src/tests/extensions/rate_limiter.rs

@@ -4,7 +4,7 @@ use crate as oft;
 use crate::extensions::rate_limiter::{
     Direction, Mode, RateLimitConfig, RateLimitError, RateLimiter, RateLimiterInternal,
 };
-use crate::extensions::rate_limiter::RATE_LIMITER_ADMIN_ROLE;
+use crate::extensions::rate_limiter::RATE_LIMITER_MANAGER_ROLE;
 use soroban_sdk::{contract, contractimpl, testutils::Ledger as _, Address, Env, Symbol};
 use utils::auth::Auth;
 use utils::rbac::{grant_role_no_auth, RoleBasedAccessControl};
@@ -32,13 +32,13 @@ impl RoleBasedAccessControl for RateLimiterTestContract {}
 
 #[contractimpl]
 impl RateLimiterTestContract {
-    /// Test-only: grants RATE_LIMITER_ADMIN_ROLE to the contract.
+    /// Test-only: grants RATE_LIMITER_MANAGER_ROLE to the contract.
     pub fn init_roles(env: Env) {
         let contract_id = env.current_contract_address();
         grant_role_no_auth(
             &env,
             &contract_id,
-            &Symbol::new(&env, RATE_LIMITER_ADMIN_ROLE),
+            &Symbol::new(&env, RATE_LIMITER_MANAGER_ROLE),
             &contract_id,
         );
     }

package/contracts/oapps/oft-core/integration-tests/setup.rs

@@ -20,7 +20,7 @@ use soroban_sdk::{
     token::{StellarAssetClient, TokenClient},
     Address, Bytes, BytesN, Env, IntoVal, Symbol,
 };
-use oapp::oapp_core::OAPP_ADMIN_ROLE;
+use oapp::oapp_core::OAPP_MANAGER_ROLE;
 use utils::rbac::grant_role_no_auth;
 
 // ============================================================================
@@ -182,9 +182,9 @@ fn setup_chain<'a>(env: &Env) -> ChainSetup<'a> {
     let shared_decimals: u32 = 6; // Default shared decimals
     let oft_address = env.register(TestOFT, (&oft_token, &owner, &endpoint_address, &delegate, &shared_decimals));
 
-    // Grant OAPP_ADMIN_ROLE to owner so they can call set_peer, set_delegate, set_msg_inspector, etc.
+    // Grant OAPP_MANAGER_ROLE to owner so they can call set_peer, set_delegate, set_msg_inspector, etc.
     env.as_contract(&oft_address, || {
-        grant_role_no_auth(env, &owner, &Symbol::new(env, OAPP_ADMIN_ROLE), &owner);
+        grant_role_no_auth(env, &owner, &Symbol::new(env, OAPP_MANAGER_ROLE), &owner);
     });
     let composer_address = env.register(DummyComposer, (&endpoint_address,));
 
@@ -264,7 +264,7 @@ pub fn wire_oft(env: &Env, chains: &[&ChainSetup<'_>]) {
 }
 
 fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
-    let role = soroban_sdk::Symbol::new(env, oapp::oapp_core::OAPP_ADMIN_ROLE);
+    let role = soroban_sdk::Symbol::new(env, oapp::oapp_core::OAPP_MANAGER_ROLE);
     env.mock_auths(&[MockAuth {
         address: owner,
         invoke: &MockAuthInvoke {

package/contracts/oapps/oft-core/src/oft_core.rs

@@ -58,7 +58,7 @@ use crate::{
 use common_macros::{contract_trait, only_role};
 use endpoint_v2::{MessagingComposerClient, MessagingFee, MessagingReceipt};
 use oapp::{
-    oapp_core::{init_ownable_oapp, OAPP_ADMIN_ROLE},
+    oapp_core::{init_ownable_oapp, OAPP_MANAGER_ROLE},
     oapp_options_type3::OAppOptionsType3,
     oapp_receiver::OAppReceiver,
     oapp_sender::{FeePayer, OAppSenderInternal},
@@ -448,12 +448,12 @@ pub trait OFTCore: OFTInternal {
     /// Pass `None` to remove the inspector and disable outbound validation.
     ///
     /// # Authorization
-    /// Requires the caller to have `OAPP_ADMIN_ROLE`.
+    /// Requires the caller to have `OAPP_MANAGER_ROLE`.
     ///
     /// # Arguments
     /// * `inspector` - Address of the inspector contract, or `None` to remove it
-    /// * `operator` - The address that must have OAPP_ADMIN_ROLE
-    #[only_role(operator, OAPP_ADMIN_ROLE)]
+    /// * `operator` - The address that must have OAPP_MANAGER_ROLE
+    #[only_role(operator, OAPP_MANAGER_ROLE)]
     fn set_msg_inspector(
         env: &soroban_sdk::Env,
         inspector: &Option<soroban_sdk::Address>,

package/contracts/oapps/oft-core/src/tests/test_msg_inspector.rs

@@ -60,7 +60,7 @@ fn test_set_msg_inspector() {
     // Deploy a passing inspector
     let inspector_address = env.register(PassingInspector, ());
 
-    // Owner (with OAPP_ADMIN_ROLE) sets the inspector
+    // Owner (with OAPP_MANAGER_ROLE) sets the inspector
     env.mock_auths(&[MockAuth {
         address: &setup.owner,
         invoke: &MockAuthInvoke {
@@ -127,7 +127,7 @@ fn test_set_msg_inspector_requires_owner() {
     // Deploy a passing inspector
     let inspector_address = env.register(PassingInspector, ());
 
-    // Non-owner (without OAPP_ADMIN_ROLE) tries to set the inspector
+    // Non-owner (without OAPP_MANAGER_ROLE) tries to set the inspector
     let non_owner = Address::generate(&env);
     env.mock_auths(&[MockAuth {
         address: &non_owner,
@@ -139,7 +139,7 @@ fn test_set_msg_inspector_requires_owner() {
         },
     }]);
 
-    // This should panic because non_owner does not have OAPP_ADMIN_ROLE
+    // This should panic because non_owner does not have OAPP_MANAGER_ROLE
     setup.oft.set_msg_inspector(&Some(inspector_address), &non_owner);
 }
 

package/contracts/oapps/oft-core/src/tests/test_utils.rs

@@ -8,7 +8,7 @@ use crate::{
     types::{OFTReceipt, SendParam},
 };
 use endpoint_v2::{LayerZeroReceiverClient, MessagingFee, MessagingParams, MessagingReceipt, Origin};
-use oapp::oapp_core::{OAppCoreClient, OAPP_ADMIN_ROLE};
+use oapp::oapp_core::{OAppCoreClient, OAPP_MANAGER_ROLE};
 use soroban_sdk::{
     address_payload::AddressPayload,
     bytes, contract, contractimpl, log, symbol_short,
@@ -101,7 +101,7 @@ pub fn create_origin(src_eid: u32, sender: &BytesN<32>, nonce: u64) -> Origin {
 }
 
 fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
-    let role = Symbol::new(env, oapp::oapp_core::OAPP_ADMIN_ROLE);
+    let role = Symbol::new(env, oapp::oapp_core::OAPP_MANAGER_ROLE);
     env.mock_auths(&[MockAuth {
         address: owner,
         invoke: &MockAuthInvoke {
@@ -613,12 +613,12 @@ impl<'a> OFTTestSetupBuilder<'a> {
         OFTTestSetup::mint_to(env, &owner, &native_token, &owner, INITIAL_MINT_AMOUNT);
         OFTTestSetup::mint_to(env, &owner, &zro_token, &owner, INITIAL_MINT_AMOUNT);
 
-        // Grant OAPP_ADMIN_ROLE to owner so they can call set_peer, set_delegate, set_msg_inspector, etc.
+        // Grant OAPP_MANAGER_ROLE to owner so they can call set_peer, set_delegate, set_msg_inspector, etc.
         env.as_contract(&oft_address, || {
             grant_role_no_auth(
                 env,
                 &owner,
-                &Symbol::new(env, OAPP_ADMIN_ROLE),
+                &Symbol::new(env, OAPP_MANAGER_ROLE),
                 &owner,
             );
         });

package/package.json

@@ -1,14 +1,15 @@
 {
   "name": "@layerzerolabs/protocol-stellar-v2",
-  "version": "0.2.44",
+  "version": "0.2.46",
   "private": false,
+  "license": "LZBL-1.2",
   "devDependencies": {
     "@types/node": "^22.18.6",
     "tsx": "^4.19.3",
     "typescript": "^5.8.2",
-    "@layerzerolabs/common-node-utils": "0.2.44",
-    "@layerzerolabs/stellar-ts-bindings-gen": "0.2.44",
-    "@layerzerolabs/vm-tooling-stellar": "0.2.44"
+    "@layerzerolabs/common-node-utils": "0.2.46",
+    "@layerzerolabs/stellar-ts-bindings-gen": "0.2.46",
+    "@layerzerolabs/vm-tooling-stellar": "0.2.46"
   },
   "publishConfig": {
     "access": "restricted",
@@ -16,7 +17,8 @@
   },
   "externalRepoConfig": {
     "targets": [
-      "audit-external"
+      "audit-external",
+      "everdawn-asset0"
     ]
   },
   "scripts": {