@layerzerolabs/protocol-stellar-v2 0.2.48 → 0.2.49

package/contracts/common-macros/src/rbac.rs

@@ -28,7 +28,7 @@ pub fn generate_role_check(args: TokenStream, input: TokenStream, require_auth:
     // Insert the role check at the beginning of the function body
     input_fn.block.stmts.insert(
         0,
-        parse_quote!(utils::rbac::ensure_role(#env_ref, &soroban_sdk::Symbol::new(#env_ref, #role), #param_ref);),
+        parse_quote!(utils::rbac::ensure_role::<Self>(#env_ref, &soroban_sdk::Symbol::new(#env_ref, #role), #param_ref);),
     );
     if require_auth {
         input_fn.block.stmts.insert(1, parse_quote!(#param.require_auth();));

package/contracts/common-macros/src/tests/rbac.rs

@@ -91,7 +91,7 @@ fn test_role_check_inserts_expected_statements_table_driven() {
             args: quote! { caller, "minter" },
             input: quote! { pub fn mint(env: &Env, caller: Address, amount: i128) {} },
             require_auth: false,
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
             expected_auth_stmt: None,
             expected_stmt_count: 1,
         },
@@ -100,7 +100,7 @@ fn test_role_check_inserts_expected_statements_table_driven() {
             args: quote! { caller, "minter" },
             input: quote! { pub fn mint(env: Env, caller: Address, amount: i128) {} },
             require_auth: true,
-            expected_ensure_stmt: "utils::rbac::ensure_role(&env,&soroban_sdk::Symbol::new(&env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(&env,&soroban_sdk::Symbol::new(&env,\"minter\"),&caller);",
             expected_auth_stmt: Some("caller.require_auth();"),
             expected_stmt_count: 2,
         },
@@ -109,7 +109,7 @@ fn test_role_check_inserts_expected_statements_table_driven() {
             args: quote! { caller, "minter" },
             input: quote! { pub fn mint(env: &Env, caller: Address, amount: i128) {} },
             require_auth: true,
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
             expected_auth_stmt: Some("caller.require_auth();"),
             expected_stmt_count: 2,
         },
@@ -118,7 +118,7 @@ fn test_role_check_inserts_expected_statements_table_driven() {
             args: quote! { account, "admin" },
             input: quote! { pub fn admin_action(env: Env, account: &Address) {} },
             require_auth: false,
-            expected_ensure_stmt: "utils::rbac::ensure_role(&env,&soroban_sdk::Symbol::new(&env,\"admin\"),account);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(&env,&soroban_sdk::Symbol::new(&env,\"admin\"),account);",
             expected_auth_stmt: None,
             expected_stmt_count: 1,
         },
@@ -151,26 +151,26 @@ fn test_has_role_role_arg_variants_generate_expected_symbol_new_table_driven() {
             name: "role string literal passed to Symbol::new (Env ref)",
             args: quote! { caller, "minter" },
             input: quote! { pub fn mint(env: &Env, caller: Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
         },
         Case {
             name: "role const expr passed to Symbol::new (Env ref)",
             args: quote! { caller, MINTER_ROLE },
             input: quote! { pub fn mint(env: &Env, caller: Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,MINTER_ROLE),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,MINTER_ROLE),&caller);",
         },
         Case {
             name: "role const expr passed to Symbol::new (Env owned)",
             args: quote! { caller, MINTER_ROLE },
             input: quote! { pub fn mint(env: Env, caller: Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(&env,&soroban_sdk::Symbol::new(&env,MINTER_ROLE),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(&env,&soroban_sdk::Symbol::new(&env,MINTER_ROLE),&caller);",
         },
         Case {
             name: "role path expr passed to Symbol::new",
             args: quote! { caller, roles::MINTER_ROLE },
             input: quote! { pub fn mint(env: &Env, caller: Address) {} },
             expected_ensure_stmt:
-                "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,roles::MINTER_ROLE),&caller);",
+                "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,roles::MINTER_ROLE),&caller);",
         },
     ];
 
@@ -316,32 +316,32 @@ fn test_has_role_env_variants_generate_correct_env_ref_in_ensure_role() {
         Case {
             name: "owned Env",
             input: quote! { pub fn mint(env: Env, caller: Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(&env,&soroban_sdk::Symbol::new(&env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(&env,&soroban_sdk::Symbol::new(&env,\"minter\"),&caller);",
         },
         Case {
             name: "ref Env",
             input: quote! { pub fn mint(env: &Env, caller: Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
         },
         Case {
             name: "mut ref Env",
             input: quote! { pub fn mint(env: &mut Env, caller: Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
         },
         Case {
             name: "qualified owned Env",
             input: quote! { pub fn mint(env: soroban_sdk::Env, caller: Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(&env,&soroban_sdk::Symbol::new(&env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(&env,&soroban_sdk::Symbol::new(&env,\"minter\"),&caller);",
         },
         Case {
             name: "qualified ref Env",
             input: quote! { pub fn mint(env: &soroban_sdk::Env, caller: Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
         },
         Case {
             name: "leading :: qualified owned Env",
             input: quote! { pub fn mint(env: ::soroban_sdk::Env, caller: Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(&env,&soroban_sdk::Symbol::new(&env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(&env,&soroban_sdk::Symbol::new(&env,\"minter\"),&caller);",
         },
     ];
 
@@ -364,27 +364,27 @@ fn test_has_role_address_variants_generate_correct_param_reference() {
         Case {
             name: "Address by value -> &caller",
             input: quote! { pub fn mint(env: &Env, caller: Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
         },
         Case {
             name: "&Address -> caller",
             input: quote! { pub fn mint(env: &Env, caller: &Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,\"minter\"),caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,\"minter\"),caller);",
         },
         Case {
             name: "&mut Address -> caller",
             input: quote! { pub fn mint(env: &Env, caller: &mut Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,\"minter\"),caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,\"minter\"),caller);",
         },
         Case {
             name: "qualified Address by value",
             input: quote! { pub fn mint(env: &Env, caller: soroban_sdk::Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,\"minter\"),&caller);",
         },
         Case {
             name: "qualified &Address",
             input: quote! { pub fn mint(env: &Env, caller: &soroban_sdk::Address) {} },
-            expected_ensure_stmt: "utils::rbac::ensure_role(env,&soroban_sdk::Symbol::new(env,\"minter\"),caller);",
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,\"minter\"),caller);",
         },
     ];
 
@@ -407,7 +407,7 @@ fn test_only_role_inserts_expected_statements_and_preserves_original_body() {
         args,
         input,
         true,
-        "utils::rbac::ensure_role(&env,&soroban_sdk::Symbol::new(&env,\"minter\"),&caller);",
+        "utils::rbac::ensure_role::<Self>(&env,&soroban_sdk::Symbol::new(&env,\"minter\"),&caller);",
         Some("caller.require_auth();"),
         Some(4),
         "only_role inserts ensure_role + require_auth",
@@ -418,3 +418,106 @@ fn test_only_role_inserts_expected_statements_and_preserves_original_body() {
     let third_stmt_str = quote::quote!(#third_stmt).to_string().replace(" ", "");
     assert!(third_stmt_str.starts_with("letx=1u32;"), "expected original 'let x = 1u32;' to be preserved");
 }
+
+// ============================================
+// AUTHORIZER: snapshot test
+// ============================================
+
+#[test]
+fn snapshot_authorizer_role() {
+    let args = quote! { operator, AUTHORIZER };
+    let input = quote! {
+        pub fn admin_action(env: Env, operator: Address) {
+            // admin logic
+        }
+    };
+
+    let has_role_result = crate::rbac::generate_role_check(args.clone(), input.clone(), false);
+    let has_role_formatted =
+        prettyplease::unparse(&syn::parse2::<syn::File>(has_role_result).expect("failed to parse generated code"));
+
+    let only_role_result = crate::rbac::generate_role_check(args, input, true);
+    let only_role_formatted =
+        prettyplease::unparse(&syn::parse2::<syn::File>(only_role_result).expect("failed to parse generated code"));
+
+    let combined = format!(
+        "// === has_role(operator, AUTHORIZER) ===\n\n{}\n\n// === only_role(operator, AUTHORIZER) ===\n\n{}",
+        has_role_formatted, only_role_formatted
+    );
+
+    insta::assert_snapshot!(combined);
+}
+
+// ============================================
+// AUTHORIZER: table-driven assertion tests
+// ============================================
+
+#[test]
+fn test_authorizer_role_generates_auth_check_instead_of_ensure_role() {
+    struct Case {
+        name: &'static str,
+        args: TokenStream,
+        input: TokenStream,
+        require_auth: bool,
+        expected_ensure_stmt: &'static str,
+        expected_auth_stmt: Option<&'static str>,
+        expected_stmt_count: usize,
+    }
+
+    let cases = vec![
+        Case {
+            name: "has_role with AUTHORIZER: Env ref + Address value",
+            args: quote! { operator, AUTHORIZER },
+            input: quote! { pub fn admin_action(env: &Env, operator: Address) {} },
+            require_auth: false,
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,AUTHORIZER),&operator);",
+            expected_auth_stmt: None,
+            expected_stmt_count: 1,
+        },
+        Case {
+            name: "only_role with AUTHORIZER: Env owned + Address value",
+            args: quote! { operator, AUTHORIZER },
+            input: quote! { pub fn admin_action(env: Env, operator: Address) {} },
+            require_auth: true,
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(&env,&soroban_sdk::Symbol::new(&env,AUTHORIZER),&operator);",
+            expected_auth_stmt: Some("operator.require_auth();"),
+            expected_stmt_count: 2,
+        },
+        Case {
+            name: "only_role with AUTHORIZER: Env ref + &Address",
+            args: quote! { operator, AUTHORIZER },
+            input: quote! { pub fn admin_action(env: &Env, operator: &Address) {} },
+            require_auth: true,
+            expected_ensure_stmt: "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,AUTHORIZER),operator);",
+            expected_auth_stmt: Some("operator.require_auth();"),
+            expected_stmt_count: 2,
+        },
+    ];
+
+    for c in cases {
+        assert_role_check_exact_stmts(
+            c.args,
+            c.input,
+            c.require_auth,
+            c.expected_ensure_stmt,
+            c.expected_auth_stmt,
+            Some(c.expected_stmt_count),
+            c.name,
+        );
+    }
+}
+
+#[test]
+fn test_non_authorizer_role_still_uses_ensure_role() {
+    let args = quote! { caller, MINTER_ROLE };
+    let input = quote! { pub fn mint(env: &Env, caller: Address) {} };
+    assert_role_check_exact_stmts(
+        args,
+        input,
+        false,
+        "utils::rbac::ensure_role::<Self>(env,&soroban_sdk::Symbol::new(env,MINTER_ROLE),&caller);",
+        None,
+        Some(1),
+        "non-AUTHORIZER const still goes through ensure_role",
+    );
+}

package/contracts/common-macros/src/tests/snapshots/common_macros__tests__rbac__snapshot_authorizer_role.snap

@@ -0,0 +1,21 @@
+---
+source: contracts/common-macros/src/tests/rbac.rs
+expression: combined
+---
+// === has_role(operator, AUTHORIZER) ===
+
+pub fn admin_action(env: Env, operator: Address) {
+    utils::rbac::ensure_role::<
+        Self,
+    >(&env, &soroban_sdk::Symbol::new(&env, AUTHORIZER), &operator);
+}
+
+
+// === only_role(operator, AUTHORIZER) ===
+
+pub fn admin_action(env: Env, operator: Address) {
+    utils::rbac::ensure_role::<
+        Self,
+    >(&env, &soroban_sdk::Symbol::new(&env, AUTHORIZER), &operator);
+    operator.require_auth();
+}

package/contracts/common-macros/src/tests/snapshots/common_macros__tests__rbac__snapshot_preserve_function_signature.snap

@@ -5,13 +5,17 @@ expression: combined
 // === has_role ===
 
 pub fn mint(env: Env, caller: Address, amount: i128) {
-    utils::rbac::ensure_role(&env, &soroban_sdk::Symbol::new(&env, "minter"), &caller);
+    utils::rbac::ensure_role::<
+        Self,
+    >(&env, &soroban_sdk::Symbol::new(&env, "minter"), &caller);
 }
 
 
 // === only_role ===
 
 pub fn mint(env: Env, caller: Address, amount: i128) {
-    utils::rbac::ensure_role(&env, &soroban_sdk::Symbol::new(&env, "minter"), &caller);
+    utils::rbac::ensure_role::<
+        Self,
+    >(&env, &soroban_sdk::Symbol::new(&env, "minter"), &caller);
     caller.require_auth();
 }

package/contracts/macro-integration-tests/tests/runtime/oapp/mod.rs

@@ -1,12 +1,7 @@
 use endpoint_v2::Origin;
-use oapp::oapp_core::OAPP_MANAGER_ROLE;
 use oapp::oapp_receiver::LzReceiveInternal;
 use oapp_macros::oapp;
-use soroban_sdk::{
-    contractimpl, symbol_short,
-    testutils::{MockAuth, MockAuthInvoke},
-    Address, Bytes, BytesN, Env, IntoVal, Symbol,
-};
+use soroban_sdk::{contractimpl, symbol_short, Address, Bytes, BytesN, Env};
 
 mod oapp_core;
 mod options_type3;
@@ -49,19 +44,3 @@ impl TestOApp {
         env.storage().instance().get(&symbol_short!("lzr_c")).unwrap_or(false)
     }
 }
-
-/// Grants `OAPP_MANAGER_ROLE` to `owner` via the public `grant_role` interface.
-/// Call after `init()` in tests that exercise RBAC-protected entrypoints.
-pub fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
-    let role = Symbol::new(env, OAPP_MANAGER_ROLE);
-    env.mock_auths(&[MockAuth {
-        address: owner,
-        invoke: &MockAuthInvoke {
-            contract,
-            fn_name: "grant_role",
-            args: (owner, &role, owner).into_val(env),
-            sub_invokes: &[],
-        },
-    }]);
-    utils::rbac::RoleBasedAccessControlClient::new(env, contract).grant_role(owner, &role, owner);
-}

package/contracts/macro-integration-tests/tests/runtime/oapp/oapp_core.rs

@@ -1,6 +1,6 @@
 // Runtime tests: OAppCore behavior generated by `#[oapp]`.
 
-use super::{grant_oapp_admin, TestOApp, TestOAppClient};
+use super::{TestOApp, TestOAppClient};
 use oapp::oapp_core::{OAppCoreStorage, PeerSet};
 use soroban_sdk::{
     contract, contractimpl,
@@ -64,7 +64,6 @@ fn set_peer_requires_auth_and_updates_storage() {
     let owner = Address::generate(&env);
     let endpoint = Address::generate(&env);
     client.init(&owner, &endpoint);
-    grant_oapp_admin(&env, &contract_id, &owner);
 
     let eid: u32 = 101;
     let peer = Some(BytesN::<32>::from_array(&env, &[7u8; 32]));
@@ -129,7 +128,6 @@ fn set_delegate_requires_auth_and_updates_endpoint() {
 
     let owner = Address::generate(&env);
     client.init(&owner, &endpoint_id);
-    grant_oapp_admin(&env, &contract_id, &owner);
 
     // Unauthorized set should fail.
     let delegate = Some(Address::generate(&env));

package/contracts/macro-integration-tests/tests/runtime/oapp/options_type3.rs

@@ -1,6 +1,6 @@
 // Runtime tests: OAppOptionsType3 defaults generated by `#[oapp]`.
 
-use super::{grant_oapp_admin, TestOApp, TestOAppClient};
+use super::{TestOApp, TestOAppClient};
 use oapp::oapp_options_type3::{EnforcedOptionParam, EnforcedOptionSet};
 use oapp::OAppError;
 use soroban_sdk::{
@@ -28,7 +28,6 @@ fn enforced_options_lifecycle_and_auth() {
 
     let owner = Address::generate(&env);
     client.init(&owner, &Address::generate(&env));
-    grant_oapp_admin(&env, &contract_id, &owner);
 
     // Unset returns None (storage default).
     assert_eq!(client.enforced_options(&999, &999), None);
@@ -83,7 +82,6 @@ fn set_enforced_options_rejects_invalid_option_type() {
 
     let owner = Address::generate(&env);
     client.init(&owner, &Address::generate(&env));
-    grant_oapp_admin(&env, &contract_id, &owner);
 
     // wrong type header (not 3)
     let mut invalid = Bytes::from_array(&env, &(4u16).to_be_bytes());
@@ -112,7 +110,6 @@ fn combine_options_behavior_and_validation() {
 
     let owner = Address::generate(&env);
     client.init(&owner, &Address::generate(&env));
-    grant_oapp_admin(&env, &contract_id, &owner);
 
     // No enforced => returns extra (including empty).
     let extra_only = create_valid_options(&env, &[9, 10, 11]);

package/contracts/macro-integration-tests/tests/runtime/oapp/receiver.rs

@@ -1,6 +1,6 @@
 // Runtime tests: OAppReceiver defaults generated by `#[oapp]`.
 
-use super::{grant_oapp_admin, TestOApp, TestOAppClient};
+use super::{TestOApp, TestOAppClient};
 use endpoint_v2::Origin;
 use oapp::OAppError;
 use soroban_sdk::{
@@ -87,7 +87,6 @@ fn allow_initialize_path_follows_peer_configuration() {
     let owner = Address::generate(&env);
     let endpoint = Address::generate(&env);
     client.init(&owner, &endpoint);
-    grant_oapp_admin(&env, &contract_id, &owner);
 
     let eid: u32 = REMOTE_EID_FOR_ALLOW_INIT;
     let sender = BytesN::<32>::from_array(&env, &[3u8; 32]);
@@ -141,7 +140,6 @@ fn lz_receive_clears_payload_transfers_value_and_calls_internal_handler() {
     let oapp = env.register(TestOApp, ());
     let oapp_client = TestOAppClient::new(&env, &oapp);
     oapp_client.init(&owner, &endpoint);
-    grant_oapp_admin(&env, &oapp, &owner);
 
     // Configure peer so peer check passes.
     let peer = BytesN::<32>::from_array(&env, &[9u8; 32]);
@@ -228,7 +226,6 @@ fn lz_receive_wrong_peer_returns_only_peer() {
     let oapp = env.register(TestOApp, ());
     let oapp_client = TestOAppClient::new(&env, &oapp);
     oapp_client.init(&owner, &endpoint);
-    grant_oapp_admin(&env, &oapp, &owner);
 
     // Set peer to some value...
     let configured_peer = BytesN::<32>::from_array(&env, &[7u8; 32]);
@@ -315,7 +312,6 @@ fn lz_receive_requires_executor_auth() {
     let oapp = env.register(TestOApp, ());
     let oapp_client = TestOAppClient::new(&env, &oapp);
     oapp_client.init(&owner, &endpoint);
-    grant_oapp_admin(&env, &oapp, &owner);
 
     // Configure peer so we fail specifically at executor.require_auth().
     let peer = BytesN::<32>::from_array(&env, &[7u8; 32]);

package/contracts/macro-integration-tests/tests/runtime/oapp/sender.rs

@@ -211,7 +211,6 @@ fn setup() -> Setup {
     let oapp = env.register(TestOAppSender, ());
     let client = TestOAppSenderClient::new(&env, &oapp);
     client.init(&owner, &endpoint);
-    super::grant_oapp_admin(&env, &oapp, &owner);
 
     Setup { env, owner, token_admin, native_token, zro_token, endpoint, oapp }
 }

package/contracts/macro-integration-tests/tests/ui/rbac/pass/basic.rs

@@ -6,12 +6,21 @@
 // - Verifies role argument can be a literal or const expression.
 
 use soroban_sdk::{contract, Address, Env};
+use utils::{auth::Auth, rbac::RoleBasedAccessControl};
 
 const MINTER_ROLE: &str = "minter";
 
 #[contract]
 pub struct MyContract;
 
+impl Auth for MyContract {
+    fn authorizer(_env: &Env) -> Option<Address> {
+        None
+    }
+}
+
+impl RoleBasedAccessControl for MyContract {}
+
 impl MyContract {
     // Env by reference, Address by value, role literal.
     #[common_macros::has_role(caller, "minter")]

package/contracts/oapps/counter/integration_tests/utils.rs

@@ -2,7 +2,7 @@
 
 extern crate std;
 
-use crate::{codec::MsgType, counter::CounterClient, tests::{grant_oapp_admin, mint_to}};
+use crate::{codec::MsgType, counter::CounterClient, tests::mint_to};
 use endpoint_v2::{EndpointV2Client, MessagingFee, Origin, OutboundPacket};
 use message_lib_common::packet_codec_v1;
 use soroban_sdk::{
@@ -63,8 +63,6 @@ pub fn register_library(env: &Env, owner: &Address, endpoint: &EndpointV2Client<
 
 /// Sets the peer address for a counter on a destination EID.
 pub fn set_peer(env: &Env, owner: &Address, counter: &CounterClient<'_>, dst_eid: u32, peer: &BytesN<32>) {
-    grant_oapp_admin(env, &counter.address, owner);
-
     let peer_option = Some(peer.clone());
     env.mock_auths(&[MockAuth {
         address: owner,

package/contracts/oapps/counter/src/tests/mod.rs

@@ -1,8 +1,7 @@
-use oapp::oapp_core::OAPP_MANAGER_ROLE;
 use soroban_sdk::{
     testutils::{MockAuth, MockAuthInvoke},
     token::StellarAssetClient,
-    Address, Env, IntoVal, Symbol,
+    Address, Env, IntoVal,
 };
 
 pub mod test_codec;
@@ -23,18 +22,3 @@ pub fn mint_to(env: &Env, owner: &Address, native_token: &Address, to: &Address,
     let sac = StellarAssetClient::new(env, native_token);
     sac.mint(to, &amount);
 }
-
-pub fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
-    let role = Symbol::new(env, OAPP_MANAGER_ROLE);
-    env.mock_auths(&[MockAuth {
-        address: owner,
-        invoke: &MockAuthInvoke {
-            contract,
-            fn_name: "grant_role",
-            args: (owner, &role, owner).into_val(env),
-            sub_invokes: &[],
-        },
-    }]);
-    utils::rbac::RoleBasedAccessControlClient::new(env, contract).grant_role(owner, &role, owner);
-}
-

package/contracts/oapps/counter/src/tests/test_counter.rs

@@ -88,8 +88,6 @@ fn setup<'a>() -> TestSetup<'a> {
 }
 
 fn setup_mock_peer(env: &Env, owner: &Address, counter: &CounterClient<'_>, dst_eid: u32) -> BytesN<32> {
-    super::grant_oapp_admin(env, &counter.address, owner);
-
     let peer = BytesN::from_array(env, &[1u8; 32]);
     let peer_option = Some(peer.clone());
     env.mock_auths(&[MockAuth {

package/contracts/oapps/oapp/src/oapp_core.rs

@@ -5,12 +5,9 @@ use soroban_sdk::{contractevent, Address, BytesN, Env};
 use utils::{
     option_ext::OptionExt,
     ownable::{Ownable, OwnableInitializer},
-    rbac::RoleBasedAccessControl,
+    rbac::{RoleBasedAccessControl, AUTHORIZER},
 };
 
-/// Role for OApp administrative actions (set_peer, set_delegate, set_enforced_options).
-pub const OAPP_MANAGER_ROLE: &str = "OAPP_MANAGER_ROLE";
-
 // =====================================================
 // OAppCore Storage and Events
 // =====================================================
@@ -73,8 +70,8 @@ pub trait OAppCore: Ownable + RoleBasedAccessControl {
     /// # Arguments
     /// * `eid` - The endpoint ID
     /// * `peer` - The address of the peer to be associated with the corresponding endpoint, or None to remove the peer
-    /// * `operator` - The address that must have OAPP_MANAGER_ROLE
-    #[only_role(operator, OAPP_MANAGER_ROLE)]
+    /// * `operator` - The authorizer address
+    #[only_role(operator, AUTHORIZER)]
     fn set_peer(
         env: &soroban_sdk::Env,
         eid: u32,
@@ -89,8 +86,8 @@ pub trait OAppCore: Ownable + RoleBasedAccessControl {
     ///
     /// # Arguments
     /// * `delegate` - The address of the delegate to be set, or None to remove the delegate
-    /// * `operator` - The address that must have OAPP_MANAGER_ROLE
-    #[only_role(operator, OAPP_MANAGER_ROLE)]
+    /// * `operator` - The authorizer address
+    #[only_role(operator, AUTHORIZER)]
     fn set_delegate(env: &soroban_sdk::Env, delegate: &Option<soroban_sdk::Address>, operator: &soroban_sdk::Address) {
         endpoint_client::<Self>(env).set_delegate(&env.current_contract_address(), delegate);
     }

package/contracts/oapps/oapp/src/oapp_options_type3.rs

@@ -1,7 +1,7 @@
-use crate::{self as oapp, errors::OAppError, oapp_core::OAPP_MANAGER_ROLE};
+use crate::{self as oapp, errors::OAppError};
 use common_macros::{contract_trait, only_role, storage};
 use soroban_sdk::{assert_with_error, contractevent, contracttype, panic_with_error, Bytes, Env, Vec};
-use utils::{buffer_reader::BufferReader, rbac::RoleBasedAccessControl};
+use utils::{buffer_reader::BufferReader, rbac::{RoleBasedAccessControl, AUTHORIZER}};
 
 pub const OPTION_TYPE3: u16 = 3;
 
@@ -53,8 +53,8 @@ pub trait OAppOptionsType3: RoleBasedAccessControl {
     ///
     /// # Arguments
     /// * `options` - A vector of EnforcedOptionParam structures specifying enforced options
-    /// * `operator` - The address that must have OAPP_MANAGER_ROLE
-    #[only_role(operator, OAPP_MANAGER_ROLE)]
+    /// * `operator` - The authorizer address
+    #[only_role(operator, AUTHORIZER)]
     fn set_enforced_options(
         env: &soroban_sdk::Env,
         options: &soroban_sdk::Vec<oapp::oapp_options_type3::EnforcedOptionParam>,

package/contracts/oapps/oapp/src/tests/mod.rs

@@ -3,24 +3,3 @@ mod oapp_options_type3;
 mod oapp_receiver;
 mod oapp_sender;
 mod test_macros;
-
-use crate::oapp_core::OAPP_MANAGER_ROLE;
-use soroban_sdk::{
-    testutils::{MockAuth, MockAuthInvoke},
-    Address, Env, IntoVal, Symbol,
-};
-
-/// Grants `OAPP_MANAGER_ROLE` to `owner` via the public `grant_role` interface.
-pub(super) fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
-    let role = Symbol::new(env, OAPP_MANAGER_ROLE);
-    env.mock_auths(&[MockAuth {
-        address: owner,
-        invoke: &MockAuthInvoke {
-            contract,
-            fn_name: "grant_role",
-            args: (owner, &role, owner).into_val(env),
-            sub_invokes: &[],
-        },
-    }]);
-    utils::rbac::RoleBasedAccessControlClient::new(env, contract).grant_role(owner, &role, owner);
-}

package/contracts/oapps/oapp/src/tests/oapp_core.rs

@@ -76,7 +76,6 @@ fn setup<'a>() -> TestSetup<'a> {
     let oapp = env.register(DummyOApp, (&owner, &endpoint));
     soroban_sdk::log!(&env, "oapp: {}", oapp);
     let oapp_client = DummyOAppClient::new(&env, &oapp);
-    super::grant_oapp_admin(&env, &oapp, &owner);
 
     TestSetup { env, owner, endpoint, oapp_client }
 }

package/contracts/oapps/oapp/src/tests/oapp_options_type3.rs

@@ -77,7 +77,6 @@ fn setup<'a>() -> TestSetup<'a> {
     let delegate = owner.clone();
     let oapp = env.register(DummyOAppOptionsType3, (&owner, &endpoint, &delegate));
     let oapp_client = DummyOAppOptionsType3Client::new(&env, &oapp);
-    super::grant_oapp_admin(&env, &oapp, &owner);
 
     TestSetup { env, owner, oapp_client }
 }

package/contracts/oapps/oapp/src/tests/oapp_receiver.rs

@@ -96,7 +96,6 @@ fn setup<'a>() -> TestSetup<'a> {
     let endpoint = env.register(MockEndpoint, (&native_token,));
     let oapp = env.register(DummyOAppReceiver, (&owner, &endpoint));
     let oapp_client = DummyOAppReceiverClient::new(&env, &oapp);
-    super::grant_oapp_admin(&env, &oapp, &owner);
 
     TestSetup { env, owner, endpoint, token_admin, native_token, native_token_admin_client, oapp_client }
 }

package/contracts/oapps/oapp/src/tests/oapp_sender.rs

@@ -153,7 +153,6 @@ fn setup<'a>() -> TestSetup<'a> {
     // Deploy OApp
     let oapp = env.register(DummyOAppSender, (&owner, &endpoint));
     let oapp_client = DummyOAppSenderClient::new(&env, &oapp);
-    super::grant_oapp_admin(&env, &oapp, &owner);
 
     TestSetup {
         env,