Add an auth guard to `migrate` before any future migration logic is implemented

[mikewheeleer]

Description

migrate has no require_auth and is safe today only because it panic!s on every path. The rustdoc warns that adding migration logic without an auth guard would make it callable by any account. Pre-emptively add an admin require_auth (and a guard test) so a future implementer cannot ship a state-mutating migration without authentication.

Requirements and context

• Scoped to the LiquiFact escrow Soroban contract.
• Add Self::get_escrow(env.clone()).admin.require_auth() at the top of migrate, keeping the existing version assertions and terminal panic!.
• Add a test asserting migrate requires admin auth even though it still panics, locking in the guard before logic exists.
• Invariant: any future migration path is admin-gated by construction; version checks remain.
• Reference ADR-007 and docs/OPERATOR_RUNBOOK.md.
• Must be secure, tested, and documented.

Suggested execution

• Fork the repo and create a branch:
  • git checkout -b security/migrate-auth-guard
• Implement changes:
  • escrow/src/lib.rs
  • Tests: escrow/src/tests/init.rs
  • Docs: docs/OPERATOR_RUNBOOK.md
  • Include rustdoc/NatSpec-style doc comments on public functions
  • Validate security assumptions (auth, overflow, storage TTL, double-spend)

Test and commit

• Run tests: cargo test
• Cover edge cases (zero amounts, overflow, unauthorized callers, double-spend, state-machine misuse)
• Include test output and security notes in the PR

Example commit message

fix(escrow): require admin auth in migrate entrypoint

Guidelines

• Minimum 95% test coverage on new/changed code
• Clear documentation
• Timeframe: 96 hours from assignment

[Hillzo]

@Hillzo has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hi, I would like to work on this issue. Kindly assign me

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Hillzo to this issue.

[drips-wave]

Congratulations, @Hillzo! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @Hillzo: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊