Operational Surface
Quick route navigation
Custody
Multisig
Authority transfer
Custody Workspace
Multisig and authority transfer are now an explicit launch workflow
This route turns the custody story into a live operating surface. It keeps the signer split, transfer sequence, and evidence checklist visible without pretending the external ceremony has already happened.
Live proofs
2
Baseline proof and dedicated V3 proof packet are both reviewer-facing
ZK anchors
3
On-chain proof anchors exposed in the Devnet evidence path
Wallets
50
Multi-wallet Devnet rehearsal already captured and packaged
Commercial rails
4
Grant, fund, gaming, and enterprise service packs remain part of the UI
Canonical custody proof
Repo-backed multisig and authority proof, with exact pending items and explorer-linked closure points
pending-external · 1/25
PrivateDAO is devnet-proven and internally hardened, but real-funds mainnet production remains blocked until external audit, custody, monitoring, runtime, settlement-receipt, and release-ceremony items are closed with evidence.
Multisig and timelock
Implementation: pending-selection
Multisig address: Pending external
Threshold: 2-of-3
Creation signature: Pending external
Rehearsal signature: Pending external
Configured timelock: Pending external
Timelock config proof: Pending external
Signer roster
Slot 1 · founder-operator
Public key: Pending external
Storage class: cold-or-hardware
Backup documented: no
Slot 2 · independent-security-or-ops-signer
Public key: Pending external
Storage class: cold-or-hardware
Backup documented: no
Slot 3 · recovery-or-governance-signer
Public key: Pending external
Storage class: cold-or-hardware
Backup documented: no
Authority transfer proof
program upgrade authority
Program ID: 5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx
Destination authority: Pending external
Transfer signature: Pending external
Post-transfer readout: Pending external
dao authority
Program ID: 5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx
Destination authority: Pending external
Transfer signature: Pending external
Post-transfer readout: Pending external
treasury operator authority
Program ID: 5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx
Destination authority: Pending external
Transfer signature: Pending external
Post-transfer readout: Pending external
Exact pending items
chosen multisig implementation
multisig public address
multisig creation signature
rehearsal signature
timelock configuration of at least 48 hours
timelock configuration signature or readout
signer slot 1 public key
backup procedure for signer slot 1
signer slot 2 public key
backup procedure for signer slot 2
signer slot 3 public key
backup procedure for signer slot 3
program upgrade authority destination authority
program upgrade authority transfer signature
program upgrade authority post-transfer readout
program upgrade authority post-transfer readout reference
dao authority destination authority
dao authority transfer signature
dao authority post-transfer readout
dao authority post-transfer readout reference
treasury operator authority destination authority
treasury operator authority transfer signature
treasury operator authority post-transfer readout
treasury operator authority post-transfer readout reference
Exact blocker and sources
Blocker: upgrade-authority-multisig
Severity: critical
Status: pending-external
Move production upgrade authority and operational authorities to a documented multisig or governance-owned path and rehearse rotation.
Observed chain readouts
Current deployed program readout
devnet · observed
Address: 5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx
Authority: 4Mm5YTRbJuyA8NcWM85wTnx6ZQMXNph2DSnzCCKLhsMD
ProgramData: CeggEn3sNVbiuJHLKDaCPMH4uLczu1Dr3ZGKKcaKBqeN
Owner: BPFLoaderUpgradeab1e11111111111111111111111
Last deploy slot: 454368825
Balance: 9.82850136 SOL
Executable: yes
This is the currently observed live deployment readout. It is external chain evidence, but it is not mainnet custody proof by itself.
observed at 2026-04-11T04:43:46.722Z
solana program show 5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx --url devnet
Current DAO anchor readout
devnet · observed
Address: FZV9KmpeY1B31XvszQypp5T6nQN5C44JDLM4QWBEDvhx
Owner: 5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx
Balance: 0.00235248 SOL
Executable: no
Current DAO PDA visibility on devnet.
observed at 2026-04-11T04:43:47.486Z
solana account FZV9KmpeY1B31XvszQypp5T6nQN5C44JDLM4QWBEDvhx --url devnet --output json
Current treasury anchor readout
devnet · observed
Address: AZUroiNeGAjNdD84eEHnAKHHFwqAFmkjr2g1eoF7Ek5c
Owner: 11111111111111111111111111111111
Balance: 0.15 SOL
Executable: no
Current treasury PDA visibility on devnet.
observed at 2026-04-11T04:43:48.243Z
solana account AZUroiNeGAjNdD84eEHnAKHHFwqAFmkjr2g1eoF7Ek5c --url devnet --output json
Target network program readout
mainnet-beta · not-found
Address: 5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx
Observed error: Error: Unable to find the account 5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx
If this stays not-found, mainnet custody transfer is not merely pending multisig evidence; there is no current mainnet program readout for this program id.
observed at 2026-04-11T04:43:48.758Z
solana program show 5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx --url mainnet-beta
Target network treasury readout
mainnet-beta · not-found
Address: AZUroiNeGAjNdD84eEHnAKHHFwqAFmkjr2g1eoF7Ek5c
Observed error: Error: AccountNotFound: pubkey=AZUroiNeGAjNdD84eEHnAKHHFwqAFmkjr2g1eoF7Ek5c
Target-network treasury visibility is required before claiming real-funds mainnet readiness.
observed at 2026-04-11T04:43:49.168Z
solana account AZUroiNeGAjNdD84eEHnAKHHFwqAFmkjr2g1eoF7Ek5c --url mainnet-beta --output json
Treasury reviewer-grade
Treasury reviewer-grade bundle
Keep treasury sender discipline and reviewer-facing payments truth next to custody proof, so the ceremony route never drifts away from the business-facing rails it must justify.
Treasury network
Solana Devnet
Exact blocker
upgrade-authority-multisig
pending-external
Payments fit
strong
Reviewer-safe treasury intake and payout framing are already live.
Pending closure
24 items
Move from intake rails to production-safe custody evidence.
Strict sender checklist
1Confirm whether the request is a treasury top-up, pilot-funding packet, vendor payout, or contributor payout before selecting a rail.
2Copy the exact public receive address and explorer link for the selected asset rail. Do not reuse a rail from memory.
3Attach a reference string that includes payer, purpose, amount, and settlement context so the intake packet can be matched later.
4Open reviewer truth surfaces before promising production-safe settlement or custody posture to a sender, buyer, or judge.
5Treat the current rails as Devnet/public treasury intake until authority-transfer evidence closes the production custody blocker.
Reference-linked rails
SOL
Native SOL
AZUroiNeGAjNdD84eEHnAKHHFwqAFmkjr2g1eoF7Ek5c
Use this rail for treasury top-ups, operator funding, and governed SOL transfers on Devnet.
Mint: Configured at deployment / public receive rail only
USDC
USDC
AZUroiNeGAjNdD84eEHnAKHHFwqAFmkjr2g1eoF7Ek5c
Use this rail for governed payouts, vendor settlement, and stable-value treasury requests when USDC is the active stable asset.
Mint: Configured at deployment / public receive rail only
USDG
USDG
AZUroiNeGAjNdD84eEHnAKHHFwqAFmkjr2g1eoF7Ek5c
Use this rail for alternative stable settlement when the team or customer operates with USDG-compatible treasury flows.
Mint: Configured at deployment / public receive rail only
Commercial + payments focus alignment
DAO tooling
strong
The core live product already covers DAO creation, proposal lifecycle, private voting, treasury motion handling, trust packets, telemetry, and reviewer-safe surfaces.
Exact gap: The highest-value next step is to keep treasury professionalism and custody continuity extremely tight as the product advances toward mainnet operations.
Developer tooling
strong
PrivateDAO already provides reviewer telemetry, generated packets, hosted-read proof, runtime diagnostics, and a developer route tied to real product infrastructure.
Exact gap: The best uplift is continued strengthening of exported telemetry, runtime evidence summaries, and infrastructure-facing docs for external engineers.
Payments
strong
Treasury request routing, confidential payout framing, payments-oriented intake flows, and reviewer-safe custody truth are already visible in the live product.
Exact gap: The strongest version still requires strict sender discipline, explorer-linked rails, and completed authority-transfer evidence for real-funds credibility.
Exact blocker visibility
upgrade-authority-multisig
Move production upgrade authority and operational authorities to a documented multisig or governance-owned path and rehearse rotation.
Severity: critical
Status: pending-external
Pending evidence: chosen multisig implementation · multisig public address · multisig creation signature · rehearsal signature
Strict custody ingestion
Record ceremony evidence in the exact shape needed by the canonical custody proof
0/6 gates
This surface no longer collects free-form notes only. It builds a strict, reviewer-safe JSON packet that maps directly into
docs/multisig-setup-intake.json. Only public keys, public transaction signatures, and readout references belong here.Define signer set
Repo-ready
Freeze the real 3-signer roster and backup procedures before any authority movement.
Record multisig package
Strict ingestion live
Collect the implementation, address, creation signature, rehearsal signature, and timelock references in one structured packet.
Capture authority transfer evidence
External execution pending
Record the destination authority, transfer signature, and post-transfer readout reference for each operational surface.
Apply and rebuild canonical proof
Repo automation ready
Save the JSON packet into `docs/custody-evidence-intake.json` and run the apply command to update canonical proof artifacts.
Multisig package
Implementation, address, creation signature, and rehearsal signature
Pending
Need implementation, multisig address, creation signature, and rehearsal signature.
Threshold and timelock
Capture the final threshold and 48+ hour configuration evidence
Pending
Need exact 2-of-3 threshold, 48+ hour timelock, configuration signature, and reference URL.
Signer roster
Record each signer slot with a real public key and backup confirmation
Pending
Slot 1 · founder-operator
Pending
Need a real signer public key and backup confirmation.
Slot 2 · independent-security-or-ops-signer
Pending
Need a real signer public key and backup confirmation.
Slot 3 · recovery-or-governance-signer
Pending
Need a real signer public key and backup confirmation.
Authority transfer surfaces
Each surface needs destination authority, transfer signature, and post-transfer readout reference
program-upgrade-authority
5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx
Pending
Need destination authority, transfer signature, readout text, and a reference link.
dao-authority
5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx
Pending
Need destination authority, transfer signature, readout text, and a reference link.
treasury-operator-authority
5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx
Pending
Need destination authority, transfer signature, readout text, and a reference link.
Authority split
Mainnet requires a hard separation between upgrade authority, treasury authority, and admin authority. PrivateDAO should not carry a single-wallet super-admin posture into production.
Upgrade authority must be isolated from treasury execution.
Treasury authority must remain bound to proposal execution and treasury policy.
Admin authority should stay bounded and explicitly reduced before launch.
Production ceremony
Authority transfer has to be observable and reviewable. The credible path is a documented multisig ceremony with signer inventory, role assignment, and transaction-backed handoff evidence.
Create the production multisig and define signer roles.
Transfer upgrade authority with transaction evidence.
Transfer treasury authority and record the evidence path.
Launch boundary
Until the ceremony is complete, authority hardening remains part of the explicit Mainnet blocker surface. This is a strength when shown honestly rather than implied away.
Remove unnecessary single-signer powers.
Keep pending steps visible to reviewers and buyers.
Treat authority transfer as a trust event, not an internal note.
Strict intake packet
How to close this fast
When the real ceremony values arrive, download the JSON packet below, save it as
docs/custody-evidence-intake.json, then run npm run apply:custody-evidence-intake. That command updates the canonical intake and rebuilds canonical custody proof, reviewer packet, and launch trust packet artifacts together.Ingestion readiness
0/6 structured gates passed
pending-external
This local packet remains reviewer-safe. It accepts only public keys, public transaction signatures, and docs or explorer references.
Current packet preview
Multisig implementation: pending-selection
Multisig address: Not recorded yet
Timelock configured hours: Not recorded yet
Signer keys populated: 0/3
Authority transfers with signatures: 0/3
Never include secrets
No seed phrases, private keys, unencrypted keypair exports, or screenshots containing secret material belong in this packet.