GuardZero144 · Josie123-Dev · Jun 17, 2026 · Jun 17, 2026
diff --git a/contracts/src/identity_registry.rs b/contracts/src/identity_registry.rs
@@ -180,4 +180,22 @@ impl IdentityRegistry {
     pub fn get_upgrade_admin(env: &Env) -> Option<Address> {
         upgrade::get_admin(env)
     }
+
+    /// Transfer the upgrade admin role to `new_admin`.
+    /// Both `current_admin` and `new_admin` must authorise this call,
+    /// preventing accidental lock-out.
+    pub fn transfer_upgrade_admin(env: &Env, current_admin: Address, new_admin: Address) {
+        upgrade::transfer_admin(env, &current_admin, &new_admin);
+    }
+
+    /// Return the default credential TTL (seconds) written by `migrate_v1_to_v2`,
+    /// or `None` if the migration has not yet run.
+    pub fn get_credential_ttl(env: &Env) -> Option<u64> {
+        upgrade::get_credential_ttl(env)
+    }
+
+    /// Return `true` once `migrate_v1_to_v2` has completed successfully.
+    pub fn is_migration_complete(env: &Env) -> bool {
+        upgrade::is_migrated_v2(env)
+    }
 }
diff --git a/contracts/src/upgrade.rs b/contracts/src/upgrade.rs
@@ -5,6 +5,9 @@ use crate::errors::Error;
 const ADMIN_KEY: &str = "upg_admin";
 const VERSION_KEY: &str = "upg_ver";
 const MIGRATED_V2_KEY: &str = "migrated_v2";
+const CRED_TTL_KEY: &str = "cred_ttl";
+
+pub const DEFAULT_CRED_TTL_SECONDS: u64 = 2_592_000; // 30 days
 
 pub const INITIAL_VERSION: u32 = 1;
 
@@ -48,8 +51,9 @@ pub fn run_migration_v2(env: &Env) {
     if env.storage().instance().has(&MIGRATED_V2_KEY) {
         panic_with_error!(env, Error::AlreadyInitialized);
     }
-    // New v2 global: default credential time-to-live in seconds
-    env.storage().instance().set(&"cred_ttl", &2_592_000u64);
+    env.storage()
+        .instance()
+        .set(&CRED_TTL_KEY, &DEFAULT_CRED_TTL_SECONDS);
     env.storage().instance().set(&MIGRATED_V2_KEY, &true);
 }
 
@@ -67,3 +71,17 @@ pub fn get_admin(env: &Env) -> Option<Address> {
 pub fn is_migrated_v2(env: &Env) -> bool {
     env.storage().instance().has(&MIGRATED_V2_KEY)
 }
+
+/// Transfer upgrade admin to `new_admin`. Both parties must authorise.
+/// Prevents accidentally locking out the contract by requiring the new
+/// admin to co-sign.
+pub fn transfer_admin(env: &Env, current_admin: &Address, new_admin: &Address) {
+    require_admin(env, current_admin);
+    new_admin.require_auth();
+    env.storage().instance().set(&ADMIN_KEY, new_admin);
+}
+
+/// Return the default credential TTL set by the v2 migration, if run.
+pub fn get_credential_ttl(env: &Env) -> Option<u64> {
+    env.storage().instance().get(&CRED_TTL_KEY)
+}
diff --git a/contracts/src/upgrade_tests.rs b/contracts/src/upgrade_tests.rs
@@ -121,6 +121,92 @@ fn test_migrate_panics_before_admin_initialized() {
     client.migrate_v1_to_v2(&admin);
 }
 
+// ── transfer_upgrade_admin ───────────────────────────────────────────────────
+
+#[test]
+fn test_transfer_admin_updates_admin() {
+    let (env, client, admin) = setup();
+    let new_admin = Address::generate(&env);
+    client.initialize_admin(&admin);
+    client.transfer_upgrade_admin(&admin, &new_admin);
+    assert_eq!(client.get_upgrade_admin(), Some(new_admin));
+}
+
+#[test]
+fn test_new_admin_can_migrate_after_transfer() {
+    let (env, client, admin) = setup();
+    let new_admin = Address::generate(&env);
+    client.initialize_admin(&admin);
+    client.transfer_upgrade_admin(&admin, &new_admin);
+    // new admin should be able to trigger migration without panic
+    client.migrate_v1_to_v2(&new_admin);
+    assert!(client.is_migration_complete());
+}
+
+#[test]
+#[should_panic]
+fn test_old_admin_cannot_migrate_after_transfer() {
+    let (env, client, admin) = setup();
+    let new_admin = Address::generate(&env);
+    client.initialize_admin(&admin);
+    client.transfer_upgrade_admin(&admin, &new_admin);
+    // old admin is no longer authorised
+    client.migrate_v1_to_v2(&admin);
+}
+
+#[test]
+#[should_panic]
+fn test_transfer_admin_non_admin_panics() {
+    let (env, client, admin) = setup();
+    let attacker = Address::generate(&env);
+    let new_admin = Address::generate(&env);
+    client.initialize_admin(&admin);
+    client.transfer_upgrade_admin(&attacker, &new_admin);
+}
+
+#[test]
+#[should_panic]
+fn test_transfer_admin_before_init_panics() {
+    let (env, client, _) = setup();
+    let a = Address::generate(&env);
+    let b = Address::generate(&env);
+    client.transfer_upgrade_admin(&a, &b);
+}
+
+// ── get_credential_ttl ───────────────────────────────────────────────────────
+
+#[test]
+fn test_get_credential_ttl_none_before_migration() {
+    let (_, client, admin) = setup();
+    client.initialize_admin(&admin);
+    assert_eq!(client.get_credential_ttl(), None);
+}
+
+#[test]
+fn test_get_credential_ttl_set_after_migration() {
+    let (_, client, admin) = setup();
+    client.initialize_admin(&admin);
+    client.migrate_v1_to_v2(&admin);
+    assert_eq!(client.get_credential_ttl(), Some(2_592_000u64));
+}
+
+// ── is_migration_complete ────────────────────────────────────────────────────
+
+#[test]
+fn test_is_migration_complete_false_before_migration() {
+    let (_, client, admin) = setup();
+    client.initialize_admin(&admin);
+    assert!(!client.is_migration_complete());
+}
+
+#[test]
+fn test_is_migration_complete_true_after_migration() {
+    let (_, client, admin) = setup();
+    client.initialize_admin(&admin);
+    client.migrate_v1_to_v2(&admin);
+    assert!(client.is_migration_complete());
+}
+
 // ── upgrade + identity data coexistence ──────────────────────────────────────
 
 #[test]