Squads Mainnet Custody Ceremony Reference

Exact operator sequence for the real Squads mainnet custody ceremony, with the Devnet rehearsal clearly separated as an SPL Token 2022 multisig artifact.

Document context

This is the custody ceremony reference for mainnet closure; it does not claim that the authority transfer has already happened.

Audience: Operators, auditors, judges, launch leads

This file exists to define the exact `Squads Protocol` ceremony for the real production custody closure.

It is not the same artifact as the existing Devnet rehearsal multisig. The product already works on Devnet. This ceremony adds institutional proof, not basic functionality.

Current Facts

  • legacy devnet program id: `5AhUsbQ4mJ8Xh7QJEomuS85qGgmK9iNvFqzF669Y7Psx`
  • current Testnet program id: `EP9xE8MJZ6FfyEwLqns6HDdUZBknEa7WGYs1Jzsecuva`
  • currently observed devnet upgrade authority: `4Mm5YTRbJuyA8NcWM85wTnx6ZQMXNph2DSnzCCKLhsMD`
  • selected multisig implementation: `Squads Protocol`
  • existing devnet rehearsal implementation: `spl-token-2022-multisig`
  • existing devnet rehearsal multisig: `EqbW1xQRABPNmPM4TMkdygp6j94i7A3DSbgFKTpqXvJE`
  • existing devnet rehearsal creation signature: `4KSyTYQTzeNpBDWou7GFLmvUpAhLgmNKkNdd4PZqndLpCWmUnArffYRQUwe6zrTmQD5uCbBfBR6pakf9Gz8dviRp`
  • Squads web and SDK flows currently target `mainnet-beta`, not Devnet rehearsal custody

Required Ceremony Shape

  • network: `mainnet-beta`
  • signers: `3`
  • threshold: `2-of-3`
  • timelock: `48+ hours`
  • client: `Squads Protocol`

Candidate Signer Roster

| Slot | Role | Wallet | Candidate public key |
| --- | --- | --- | --- |
| 1 | founder-operator | Solflare | `73EzhBNNdM2ZV3LzMxyNZ5FwGiZCZJrbZTHyRxhTsdq9` |
| 2 | independent-security-or-ops-signer | Phantom | `BBBPcpUnnBi3CWUhcv6vLTqaY9pugAGuhgw2Axjpvcr2` |
| 3 | recovery-or-governance-signer | Backpack | `2KpA69UB55tfWUSkKj5j7Tvebd3eG22hEs9hjXUq7pf5` |

These public keys may only be promoted if the signer posture is documented and the repository never stores seed phrases or private keys.

Exact Operator Sequence

  • Open `https://app.squads.so/squads`
  • Connect the current authority wallet or the designated signer wallet.
  • Create a new Squads multisig.
  • Enter the `3` signer public keys.
  • Set threshold to `2`.
  • Configure a timelock of at least `48` hours.
  • Record:
      • multisig address
      • creation transaction signature
      • timelock configuration transaction signature
      • approval history screenshot if available
  • Submit a low-risk rehearsal transaction inside Squads and record its signature.
  • Transfer the program upgrade authority from `4Mm5YTRbJuyA8NcWM85wTnx6ZQMXNph2DSnzCCKLhsMD` to the new multisig on the target production surface.
  • Record:
      • transfer transaction signature
      • `solana program show EP9xE8MJZ6FfyEwLqns6HDdUZBknEa7WGYs1Jzsecuva --url testnet`
      • explorer links
  • If DAO and treasury authorities are also transferred, record those signatures and post-transfer readouts in the same intake.
  • Save the captured fields into `docs/custody-evidence-intake.json`.
  • Run `npm run apply:custody-evidence-intake`

Minimum Evidence To Capture

  • Squads multisig address
  • creation signature
  • timelock configuration signature
  • rehearsal signature
  • signer public keys
  • program upgrade authority transfer signature
  • post-transfer `solana program show` readout
  • explorer links or repo-backed screenshots

Honest Boundary

Creating the multisig is not the same as completing authority transfer.

Authority transfer is not complete until the destination authority, transfer signature, and post-transfer readout are all recorded.
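
A check for the captured evidence before it is saved to the intake file, covering the items under Minimum Evidence To Capture and the Honest Boundary rule, as an added example that is not part of the project's repository. The intake field names are hypothetical (the page does not show the schema of `docs/custody-evidence-intake.json`), and the multisig address, signatures and explorer link in the sample are constructed placeholders.

```javascript
// Added example. Field names are hypothetical, not the project's intake schema.
const BASE58 = /^[1-9A-HJ-NP-Za-km-z]+$/;
const b58 = (s, min, max) =>
  typeof s === "string" && BASE58.test(s) && s.length >= min && s.length <= max;
const isPubkey = (s) => b58(s, 32, 44);     // 32-byte key in base58
const isSignature = (s) => b58(s, 64, 88);  // 64-byte signature in base58

// Turn the "Key: value" lines of a `solana program show` readout into an object.
function parseProgramShow(text) {
  const pairs = String(text).split(/\r?\n/).map((l) => l.match(/^\s*([^:]+):\s*(.+?)\s*$/));
  return Object.fromEntries(pairs.filter(Boolean).map((m) => [m[1].trim(), m[2]]));
}

// Returns a list of problems; an empty list means the evidence set is complete.
function checkIntake(intake, previousAuthority) {
  const problems = [];
  const need = (ok, msg) => { if (!ok) problems.push(msg); };
  need(isPubkey(intake.multisigAddress), "multisig address missing or malformed");
  for (const f of ["creationSignature", "timelockSignature", "rehearsalSignature", "transferSignature"])
    need(isSignature(intake[f]), `${f} missing or malformed`);
  const signers = intake.signers || [];
  need(signers.length === 3 && signers.every(isPubkey), "expected 3 signer public keys");
  need(new Set(signers).size === signers.length, "duplicate signer public key");
  need(intake.threshold === 2, "threshold must be 2");
  need(intake.timelockHours >= 48, "timelock must be at least 48 hours");
  need((intake.links || []).length > 0, "explorer links or screenshots missing");
  // Honest Boundary: the post-transfer readout must show the multisig as authority.
  const readout = parseProgramShow(intake.programShowReadout);
  need(readout["Program Id"] === intake.programId, "readout is for a different program");
  need(readout["Authority"] === intake.multisigAddress, "readout authority is not the multisig");
  need(readout["Authority"] !== previousAuthority, "authority is still the previous key");
  return problems;
}

// Constructed sample: placeholder multisig address and signatures, not real values.
const PREVIOUS = "4Mm5YTRbJuyA8NcWM85wTnx6ZQMXNph2DSnzCCKLhsMD";
const PROGRAM = "EP9xE8MJZ6FfyEwLqns6HDdUZBknEa7WGYs1Jzsecuva";
const sampleIntake = (authority = "Sq" + "1".repeat(42)) => ({
  multisigAddress: "Sq" + "1".repeat(42), programId: PROGRAM,
  creationSignature: "A".repeat(88), timelockSignature: "B".repeat(88),
  rehearsalSignature: "C".repeat(88), transferSignature: "D".repeat(88),
  signers: ["73EzhBNNdM2ZV3LzMxyNZ5FwGiZCZJrbZTHyRxhTsdq9",
    "BBBPcpUnnBi3CWUhcv6vLTqaY9pugAGuhgw2Axjpvcr2",
    "2KpA69UB55tfWUSkKj5j7Tvebd3eG22hEs9hjXUq7pf5"],
  threshold: 2, timelockHours: 48, links: ["https://explorer.example/tx/placeholder"],
  programShowReadout: `Program Id: ${PROGRAM}\nAuthority: ${authority}\n`,
});
console.log(checkIntake(sampleIntake(), PREVIOUS), checkIntake(sampleIntake(PREVIOUS), PREVIOUS));
```

The second call models a multisig that was created but never given the upgrade authority, which the readout comparison reports as two problems.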