Production-Style Custody Closure Plan
Minimal-delta plan for moving from the live Devnet rehearsal multisig to a production-shaped custody closure model without overstating that rehearsal artifacts are already production custody.
Document context
Planning packet only; it does not claim the production multisig, timelock, or authority transfers already exist.
Audience: Operators, reviewers, release owners
Open raw fileProduction-Style Custody Closure Plan
This plan converts the live Devnet rehearsal multisig into a production-style closure model with the smallest possible conceptual delta.
It is intentionally not the production custody record itself.
What Stays The Same
- signer count:
3 - threshold:
2-of-3 - custody model: multisig-first
- authority-transfer targets:
program-upgrade-authoritydao-authoritytreasury-operator-authority- minimum timelock target:
48+ hours
What Changes For Production
- network changes from
devnettomainnet-beta - a new production multisig address must be created on
mainnet-beta - signer custody must be upgraded from browser-wallet rehearsal posture to
cold-or-hardware - authority-transfer signatures and post-transfer readouts must be recorded
Rehearsal Source
- rehearsal multisig address:
EqbW1xQRABPNmPM4TMkdygp6j94i7A3DSbgFKTpqXvJE- rehearsal creation signature:
4KSyTYQTzeNpBDWou7GFLmvUpAhLgmNKkNdd4PZqndLpCWmUnArffYRQUwe6zrTmQD5uCbBfBR6pakf9Gz8dviRp
This rehearsal proves that the signer model is live and technically workable. It does not replace production custody.
Candidate Production Signer Model
| Slot | Role | Current Rehearsal Wallet | Public Key | Keep For Production Only If |
|---|---|---|---|---|
| 1 | founder-operator | Solflare | 73EzhBNNdM2ZV3LzMxyNZ5FwGiZCZJrbZTHyRxhTsdq9 | moved to cold/hardware custody and remains operational founder signer |
| 2 | independent-security-or-ops-signer | Phantom | BBBPcpUnnBi3CWUhcv6vLTqaY9pugAGuhgw2Axjpvcr2 | signer is operationally independent and approval path is documented |
| 3 | recovery-or-governance-signer | Backpack | 2KpA69UB55tfWUSkKj5j7Tvebd3eG22hEs9hjXUq7pf5 | recovery/governance role remains separate and backup path is documented |
Minimal-Difference Production Path
- program upgrade authority transfer
- DAO authority transfer
- treasury operator authority transfer
- multisig creation signature
- rehearsal signature
- timelock configuration signature
- transfer signatures
- post-transfer readouts
- keep the
2-of-3model unchanged - keep the same role model unchanged
- create a new
mainnet-betamultisig address - keep these exact signer public keys only if they satisfy production custody rules
- otherwise replace only the signer public keys while keeping the same slot and role model
- configure and record the
48+ hourtimelock - execute:
- record:
Honest Boundary
This plan is the closest production-shaped continuation of the live Devnet rehearsal.
It does not mean:
- the rehearsal multisig address becomes the production multisig address
- browser wallets are automatically acceptable for production custody
- production authority transfer is already closed
Related Files
docs/devnet-rehearsal-multisig.mddocs/devnet-rehearsal-multisig.jsondocs/multisig-setup-intake.mddocs/multisig-setup-intake.jsondocs/mainnet-external-closure-packet.md
Related next docs
Operational brief for DAO-controlled micropayment batches, showing how approved policy becomes batched stablecoin settlement with judge-visible runtime proof and telemetry continuity.
Shortest reviewer path across live proof, V3 hardening, trust links, and launch boundary surfaces.
Generated reviewer-visible route into telemetry, hosted reads, runtime evidence, indexed governance, and the infrastructure value layer behind PrivateDAO.