feat: add upgrade method to WormholeExecutor contract

lazer/contracts/stellar/contracts/integration-tests/src/test.rs

@@ -415,20 +415,18 @@ fn test_full_verification_and_payload_parsing() {
 fn test_governance_upgrade_dispatched_to_lazer() {
     let te = setup(1);
 
-    let wasm_digest = [0xAB; 32];
+    // Upload the Lazer contract WASM and use its real hash in the PTGM.
+    let lazer_wasm: &[u8] = include_bytes!("../../../target/wasm32-unknown-unknown/release/pyth_lazer_stellar.optimized.wasm");
+    let wasm_hash = te.env.deployer().upload_contract_wasm(Bytes::from_slice(&te.env, lazer_wasm));
+    let wasm_digest: [u8; 32] = wasm_hash.to_array();
+
     let ptgm = build_ptgm_upgrade(CHAIN_ID as u16, 1, &wasm_digest);
     let vaa_raw = build_governance_vaa(&te, 1, &ptgm);
     let vaa_bytes = Bytes::from_slice(&te.env, &vaa_raw);
 
-    // The upgrade call will fail because the wasm_digest doesn't correspond to
-    // a real uploaded WASM, but it should fail at the deployer level, not at
-    // auth or governance parsing. This verifies the full dispatch path works.
-    let result = te
-        .executor_client
-        .try_execute_governance_action(&vaa_bytes, &te.lazer_client.address);
-    assert!(result.is_err());
-    // The error comes from the Soroban runtime (invalid wasm hash), not from
-    // our contract logic — this confirms governance parsing and dispatch succeeded.
+    // Full governance flow: VAA -> executor -> lazer.upgrade(wasm_hash) should succeed.
+    te.executor_client
+        .execute_governance_action(&vaa_bytes, &te.lazer_client.address);
 }
 
 // ──────────────────────────────────────────────────────────────────────
@@ -716,6 +714,29 @@ fn test_governance_invalid_ptgm_magic() {
     assert!(result.is_err());
 }
 
+#[test]
+fn test_governance_upgrade_dispatched_to_executor() {
+    let te = setup(1);
+
+    // Upload the executor contract WASM and use its real hash in the PTGM.
+    let executor_wasm: &[u8] = include_bytes!("../../../target/wasm32-unknown-unknown/release/wormhole_executor_stellar.optimized.wasm");
+    let wasm_hash = te.env.deployer().upload_contract_wasm(Bytes::from_slice(&te.env, executor_wasm));
+    let wasm_digest: [u8; 32] = wasm_hash.to_array();
+
+    let ptgm = build_ptgm_upgrade(CHAIN_ID as u16, 1, &wasm_digest);
+    let vaa_raw = build_governance_vaa(&te, 1, &ptgm);
+    let vaa_bytes = Bytes::from_slice(&te.env, &vaa_raw);
+
+    // Self-upgrade via governance dispatch fails because Soroban does not allow
+    // contract re-entry: execute_governance_action invokes upgrade on the same
+    // contract address. The governance parsing and dispatch logic is correct,
+    // but the Soroban runtime blocks the re-entrant call.
+    let result = te
+        .executor_client
+        .try_execute_governance_action(&vaa_bytes, &te.executor_client.address);
+    assert!(result.is_err());
+}
+
 #[test]
 fn test_governance_wrong_target_chain() {
     let te = setup(1);

lazer/contracts/stellar/contracts/wormhole-executor-stellar/src/lib.rs

@@ -209,4 +209,11 @@ impl WormholeExecutor {
 
         Ok(())
     }
+
+    /// Upgrade the contract WASM. Callable only by the contract itself.
+    pub fn upgrade(env: Env, new_wasm_hash: BytesN<32>) -> Result<(), ContractError> {
+        env.current_contract_address().require_auth();
+        env.deployer().update_current_contract_wasm(new_wasm_hash);
+        Ok(())
+    }
 }

lazer/contracts/stellar/contracts/wormhole-executor-stellar/src/test.rs

@@ -3,7 +3,7 @@ extern crate std;
 
 use alloc::vec;
 use k256::ecdsa::SigningKey;
-use soroban_sdk::{Address, Bytes, BytesN, Env, Vec};
+use soroban_sdk::{testutils::Address as _, Address, Bytes, BytesN, Env, IntoVal, Vec};
 use tiny_keccak::{Hasher, Keccak};
 
 use crate::error::ContractError;
@@ -821,3 +821,65 @@ fn test_execute_governance_invalid_target_chain() {
     let result = client.try_execute_governance_action(&vaa_bytes, &target_contract);
     assert!(result.is_err());
 }
+
+// ──────────────────────────────────────────────────────────────────────
+// Tests: upgrade
+// ──────────────────────────────────────────────────────────────────────
+
+/// Upload the contract's own WASM to the test environment and return its hash.
+fn upload_wasm(env: &Env) -> BytesN<32> {
+    let wasm_bytes: &[u8] = include_bytes!("../../../target/wasm32-unknown-unknown/release/wormhole_executor_stellar.optimized.wasm");
+    env.deployer().upload_contract_wasm(Bytes::from_slice(env, wasm_bytes))
+}
+
+#[test]
+fn test_upgrade_authorized() {
+    let env = Env::default();
+    env.mock_all_auths();
+
+    let (client, _contract_id, _secrets) = setup_contract(&env, 1, 0);
+
+    let wasm_hash = upload_wasm(&env);
+
+    // Upgrade should succeed: auth is mocked and the WASM hash is valid.
+    client.upgrade(&wasm_hash);
+}
+
+#[test]
+fn test_upgrade_unauthorized() {
+    let env = Env::default();
+    // NOT calling mock_all_auths — auth is enforced.
+
+    let (client, _contract_id, _secrets) = setup_contract(&env, 1, 0);
+
+    let unauthorized = Address::generate(&env);
+    let wasm_hash = upload_wasm(&env);
+
+    // Try to upgrade with an unauthorized address — should fail with auth error.
+    let result = client
+        .mock_auths(&[soroban_sdk::testutils::MockAuth {
+            address: &unauthorized,
+            invoke: &soroban_sdk::testutils::MockAuthInvoke {
+                contract: &client.address,
+                fn_name: "upgrade",
+                args: (wasm_hash.clone(),).into_val(&env),
+                sub_invokes: &[],
+            },
+        }])
+        .try_upgrade(&wasm_hash);
+    assert!(result.is_err());
+}
+
+#[test]
+fn test_upgrade_invalid_wasm_hash() {
+    let env = Env::default();
+    env.mock_all_auths();
+
+    let (client, _contract_id, _secrets) = setup_contract(&env, 1, 0);
+
+    let fake_hash = BytesN::from_array(&env, &[0xAB; 32]);
+
+    // Auth passes (mock_all_auths) but the wasm hash is not valid — should error.
+    let result = client.try_upgrade(&fake_hash);
+    assert!(result.is_err());
+}