Skip to content

Add owner control quickstart to treasury runbook #424

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MontrealAI wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add owner control quickstart to treasury runbook #424

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 36 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -470,7 +470,42 @@ flowchart TB

Every control surface above is owner-first: identities, staking limits, orchestrator selection, pause toggles, and observability wiring can all be altered live without redeploying, giving the owner absolute command over transport posture, treasury dispatch, and DCUtR telemetry.

| Verb | Capability | Notes |
#### Owner control quickstart (non-technical path)

1. **Mint guardian keys (per signer)**

```bash
npm run treasury:keygen -- --guardian-id guardian-1 --parameter-set 2 --out ./keys/guardian-1
```

- Emits Dilithium public/private key pairs plus JSON metadata for each guardian slot; files land under `./keys` with restrictive permissions so the owner can onboard new signers safely.【F:scripts/treasury/keygen.ts†L9-L88】

1. **Sign intents with guardian envelopes**

```bash
npm run treasury:sign -- ./intents/transfer.json --public-key @keys/guardian-1.pk --private-key @keys/guardian-1.sk \
--guardian-id guardian-1 --contract 0xYourTreasury --chain-id 1 --out ./envelopes/guardian-1-transfer.cbor
```

- Normalizes the intent, binds it to chain/contract/function selector, and emits CBOR/JSON envelopes ready for threshold aggregation; timestamps and guardian IDs are embedded for auditing.【F:scripts/treasury/sign-intent.ts†L13-L138】

1. **Aggregate + execute under owner authority**

```bash
npm run treasury:execute -- ./intents/transfer.json --envelopes ./envelopes \
--treasury 0xa61a3b3a130a9c20768eebf97e21515a6046a1fa --rpc-url $RPC_URL --key $ORCHESTRATOR_KEY \
--threshold 2 --registry config/guardians.json --ledger logs/intent-ledger.json
Comment on lines +494 to +497
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Pass chain id to execute step to match signatures

The new quickstart signs envelopes with --chain-id 1 just above, but the execute command omits --chain-id, so treasury:execute falls back to chainId 0 by default (scripts/treasury/execute-intent.ts options) and recomputes a different digest than the guardians signed. With mismatched digests aggregateGuardianEnvelopes rejects every envelope and the walkthrough cannot reach threshold even with valid approvals; the execution step needs the same chain id (or CHAIN_ID env) to succeed.

Useful? React with 👍 / 👎.

Comment on lines +495 to +497
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Use TreasuryExecutor address instead of AGIALPHA token

The execute command hardcodes --treasury 0xa61a3b3a130a9c20768eebf97e21515a6046a1fa, which is the $AGIALPHA ERC-20 token (src/constants/token.js), not the TreasuryExecutor contract that exposes executeTransaction/IntentExecuted. Pointing treasury:execute at the token address will always revert because that function doesn’t exist there, so the runbook fails unless operators substitute the deployed executor address.

Useful? React with 👍 / 👎.

```

- Collects CBOR envelopes, enforces M-of-N approvals, blocks replays via the ledger, and calls the orchestrator-only `executeTransaction` path while logging both domain-bound and on-chain digests for traceability.【F:scripts/treasury/execute-intent.ts†L1-L203】【F:contracts/TreasuryExecutor.sol†L75-L119】

1. **Hot controls (pause/rotate/sweep)**

- Use `setOrchestrator`, `pause`/`unpause`, `setIntentStatus`, and `sweep` directly on `TreasuryExecutor` to rotate automation keys, halt outbound calls, reset digests, or migrate the vault without redeploying any contracts.【F:contracts/TreasuryExecutor.sol†L26-L119】

> Every lever above is owner-gated. Guardians co-sign intents; the owner (or owner-appointed orchestrator) decides when to broadcast, when to pause, and when to reroute funds.

| Verb | Capability | Notes |
| --- | --- | --- |
| `setOrchestrator(address)` | Rotate the single caller allowed to invoke `executeTransaction`. | Rejects zero address; emits `OrchestratorUpdated` so ops can audit rotations.【F:contracts/TreasuryExecutor.sol†L22-L57】 |
| `pause()` / `unpause()` | Halt or resume any treasury dispatch. | Enforced before every call; protects value transfers while keeping owner supremacy.【F:contracts/TreasuryExecutor.sol†L59-L73】 |
Expand Down
Loading