# Confidential Payroll Flow ## Product Goal PrivateDAO should support compensation operations without forcing a DAO to publish a full employee or contributor spreadsheet on-chain. ## Lifecycle ### 1. Author The Batch The operator prepares an encrypted manifest off-chain. The manifest can live in Box, Drive, or another controlled document store, but it must produce: - a stable URI - a manifest hash - a ciphertext hash ### 2. Bind It To Governance The proposal carries a confidential payout plan PDA. That PDA is seeded by the proposal address and stores: - payout type - settlement recipient - token mint if applicable - recipient count - total amount - encrypted manifest URI - immutable hashes ### 3. Approve Privately The proposal still follows the core PrivateDAO lifecycle: - commit - reveal - finalize - timelock - execute This means the compensation batch inherits the same governance checks as any other treasury action. ### 4. Release The Aggregate Batch Execution transfers the aggregate amount from the DAO treasury to the settlement recipient. The settlement recipient then handles the final per-recipient distribution against the encrypted manifest. ## Why This Model This design stays compatible with the current protocol and keeps the security boundary clear: - the DAO approves the batch on-chain - the treasury releases only the approved aggregate amount - the detailed payroll sheet remains encrypted off-chain ## Current Limits - the chain does not privately distribute to each employee directly - the encrypted manifest is off-chain - reviewers must validate manifest provenance through hashes and operator evidence ## Strong Next Step The natural upgrade path is to prove payout correctness with zk constraints over: - total budget - recipient eligibility - duplicate prevention - allocation consistency without exposing the raw payout sheet.