The security story stays productized without flattening the truth: additive V3 hardening, integration rails, audit packets, readiness gates, and the cryptographic rails behind the protocol.
Baseline proof and dedicated V3 proof packet are both reviewer-facing
On-chain proof anchors exposed in the Testnet evidence path
Multi-wallet Testnet rehearsal already captured and packaged
Grant, fund, gaming, and enterprise service packs remain part of the UI
Security is where privacy claims, custody discipline, and runtime evidence meet one operating surface
This route is not an audit appendix. It is the operator view for how PrivateDAO protects proposal intent, payout execution, wallet signing, custody posture, and reviewer visibility without flattening the product into a spreadsheet.
REFHE and MagicBlock are now on-chain settlement gates, not posture-only claims
The 2026-05-23 Testnet run configured and settled a REFHE envelope, configured and settled a MagicBlock private payment corridor, consumed settlement evidence, and executed the V3 token payout. The IKA lane remains truthfully scoped to SDK/Sui readiness and Solana pre-alpha approval preparation until a funded dWallet DKG is recorded.
Squads custody now shows 4/6 gates passed on Testnet
The security route now reflects the actual public evidence: Squads vault authority, 2-of-3 threshold, signer roster, canonical program-upgrade authority transfer, ZK verifier authority transfer, and enforced timelock behavior. DAO and treasury authority transfers remain the two post-unlock gates after the Squads execution window opens.
Browser vote salts are no longer persisted
The web commit/reveal lane now redacts persisted governance state, keeps reveal preimages in memory only, removes salt rendering from the DOM, and documents the ZK, API, monitoring, and REFHE/FHE claim boundaries.
Testnet program upgrades now route through Squads 2-of-3
The current Testnet program-upgrade authority moved from the deployer key to Squads vault authority CALHr...PqBv. Judges can verify the multisig creation, 48-hour timelock, signer roster, and authority-transfer signature directly on Solana Explorer.
Trust posture, custody summary, and mainnet framing should update in the same surface where hardening and launch discipline are reviewed.
Security architecture
Proposal-level governance snapshots, supply-based quorum mode, and reveal rebate vaults keep the path additive instead of reinterpreting legacy objects.
Payout caps, evidence aging, and proposal-scoped settlement policy snapshots keep confidential execution bounded and versioned.
ZK anchors, REFHE envelopes, MagicBlock corridor evidence, and backend-indexed Fast RPC reads remain part of the product story.
Audit packet, trust package, launch trust packet, and release-gate packet stay visible as product-facing security boundaries.
Security posture
Private governance, treasury execution, generated proof packets, V3 hardening proofs, and partial custody ceremony evidence now sit together inside one product-facing security surface.
The signer split and transfer path are becoming inspectable, but missing signatures or post-transfer readouts still keep mainnet custody outside the fully closed claim boundary.
This matters because reviewers and buyers can see security maturity improving in real time without losing the explicit boundary around what is not yet closed.
Mainnet authority separation should be explicit, reviewable, and multisig-backed
Mainnet requires a hard separation between upgrade authority, treasury authority, and admin authority. PrivateDAO should not carry a single-wallet super-admin posture into production.
Production ceremony evidence is partially recorded (4/6). This is already stronger than a static plan, and the next step is to complete the remaining signatures and readouts.
The launch path stays explicit, and it is now supported by partially inspectable custody evidence instead of a purely forward-looking note.
Selective disclosure turns privacy into an institutional review lane
This is where PrivateDAO explains the narrow window between protected operator intent and reviewer-visible proof. The goal is not full public exposure. The goal is bounded, product-safe disclosure.
Give reviewers a narrow window into the operation without turning private work into public exposure
Selective disclosure is the bridge between strong privacy and institutional review. It decides what the operator can keep private, what the reviewer can inspect, and which links are enough to prove the action happened correctly on Testnet.
Use this when an external reviewer needs a bounded proof path for governance or treasury actions without reading the full internal operating log.
Record ceremony evidence in the exact shape needed by the canonical custody proof
docs/multisig-setup-intake.json. Only public keys, public transaction signatures, and readout references belong here.
Authority transfer has to be observable and reviewable. The credible path is a documented multisig ceremony with signer inventory, role assignment, and transaction-backed handoff evidence.
Until the ceremony is complete, authority hardening remains part of the explicit production-gate surface. This is a strength when shown clearly rather than implied away.
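The rule above, that only public keys, public transaction signatures, and readout references belong in the multisig intake file, can be checked mechanically before the file is committed. The following is an added example, not PrivateDAO's own code: it walks any JSON document and flags Solana keypair material, and the function names and the SAMPLE field names are hypothetical.

```javascript
// Added example, not PrivateDAO code; names and SAMPLE fields are hypothetical.
const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
// Decode base58 to a byte array; null when a character is outside the alphabet.
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const v = B58.indexOf(ch);
    if (v < 0) return null;
    n = n * 58n + BigInt(v);
  }
  const bytes = [];
  for (; n > 0n; n >>= 8n) bytes.unshift(Number(n & 0xffn));
  for (const ch of str) { if (ch !== "1") break; bytes.unshift(0); } // leading zero bytes
  return bytes;
}

// Depth-first walk that reports every value together with its JSON path.
function walk(node, path, visit) {
  visit(node, path);
  if (node !== null && typeof node === "object")
    for (const [k, v] of Object.entries(node)) walk(v, `${path}.${k}`, visit);
}

// Flag keypair material: a Solana keypair is 64 bytes (seed || public key).
function findSecretMaterial(doc) {
  const pubkeys = new Set(); // every 32-byte base58 value in the document
  walk(doc, "$", (v) => {
    const b = typeof v === "string" ? base58Decode(v) : null;
    if (b && b.length === 32) pubkeys.add(b.join(","));
  });
  const findings = [];
  walk(doc, "$", (v, path) => {
    if (Array.isArray(v) && v.length === 64 && v.every((x) => Number.isInteger(x) && x >= 0 && x <= 255)) {
      findings.push({ path, reason: "64-byte array (keypair file layout)" });
    } else if (typeof v === "string") {
      const b = base58Decode(v);
      if (b && b.length === 64 && pubkeys.has(b.slice(32).join(",")))
        findings.push({ path, reason: "base58 keypair for a listed public key" });
    }
  });
  return findings;
}

// Constructed sample with degenerate values so the decoded bytes are obvious.
const SAMPLE = {
  signers: [{ role: "upgrade", publicKey: "1".repeat(32) }], // 32 zero bytes
  transferSignature: "1".repeat(63) + "2", // 64 bytes, tail is not a listed key
  leaked: "1".repeat(64), // 64 zero bytes: tail equals the listed public key
};
```

A base58 keypair and a transaction signature are both 64 bytes, so a keypair whose public half is not listed elsewhere in the file passes this check. Field-level schema validation is still needed alongside it.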
Strict intake packet
docs/custody-evidence-intake.json, then run npm run apply:custody-evidence-intake. That command updates the canonical intake and rebuilds canonical custody proof, reviewer packet, and launch trust packet artifacts together.
Security posture now has to survive real-world signer attacks, not only audit checklists
The Drift exploit and STRIDE response changed what serious judges expect. PrivateDAO keeps signer discipline, readiness gates, runtime visibility, and migration-safe hardening in the product surface instead of hiding them in ops notes.
Product impact matters more than narrative stacking
The single most important operating truth is that product impact, startup quality, and believable user value matter more than stacking narratives around one build.
Drift proved ops failures can beat good code
The largest Solana DeFi exploit in history came through signer hygiene, durable nonce exposure, weak admin thresholding, and missing timelocks rather than a contract bug.
STRIDE and SIRN raised the security bar
Operational security, threat monitoring, incident readiness, and governance posture now matter alongside audits.
Anchor v1 rewards disciplined upgrade posture
Teams now have stronger migration, testing, and runtime safety defaults available through Anchor 1.0.
Bootcamp 2026 and Engineering Solana raised judge literacy
Judges and builders are seeing more production-readiness, indexing, security, and systems-engineering content than before.
A PrivateDAO-specific matrix for what ZK proves now and what it does not claim
This matrix turns the ZK story into a reviewer-friendly surface: live proofs, proposal-bound anchors, attestation, and zk_enforced posture on one side, with explicit non-claims on the other.
PrivateDAO ZK matrix
Verifier path: prove + verify commands
Boundary: Additive to current protocol
Verifier path: prove + verify commands
Boundary: Additive to current protocol
Verifier path: bounded tally proof
Boundary: Not a full hidden tally replacement
Verifier path: Core integrations + live proof V3
Boundary: Reviewer-facing on-chain anchoring
Verifier path: verifier strategy + V3 proof packet
Boundary: Not yet the dominant production recommendation
Verifier path: Not claimed
Boundary: Future protocol phase
Why this matrix matters
Layer-by-layer truth-aligned matrix for proofs, anchors, attestation, `zk_enforced`, and verifier boundaries.
A deterministic scoring engine for ZK, REFHE, MagicBlock, and Fast RPC
This surface does not claim magical security. It explains, with explicit weights, why one proposal pattern has stronger privacy depth, enforcement depth, execution integrity, or reviewer confidence than another.
Cryptographic confidence engine
Scenario scorecards
Payroll flows benefit from private signal collection, versioned governance snapshots, REFHE-bound manifests, and runtime evidence that stays visible to reviewers.
Grant committees need private signal collection and strong reviewer context more than confidential payout corridors. ZK and proof anchors do most of the heavy lifting here.
Token reward programs rely more on settlement evidence and corridor controls than on encrypted payroll-style envelopes. The score reflects that difference instead of pretending every pack has the same cryptographic posture.
Formula, weights, factor-by-factor meaning, and explicit non-claims for the PrivateDAO cryptographic confidence engine.
Private payout is now packaged as a reviewer-safe service lane
Plan a sponsor-grade confidential operation inside the product
{
  "requestId": "ENCRYPTED:CONFIDENTIAL-PAYROLL:MANIFEST-HASH-AND-COMMIT-REVEAL:ATTESTED-EVIDENCE",
  "operationProfile": "Confidential payroll",
  "privacyMode": "Manifest hash + commit-reveal",
  "settlementMode": "Attested evidence",
  "operatorVisibility": "Hybrid",
  "sponsorLift": [
    "Privacy",
    "Umbra",
    "Encrypt"
  ],
  "recommendedAmount": "1,000 USDC",
  "recipientCountHint": "8",
  "posture": "Reviewer-safe confidential operation",
  "rationale": "Prepare a governed salary or grant disbursement where the manifest stays off-chain and the settlement path remains reviewable. Use the existing private governance discipline and keep recipient detail in an encrypted off-chain manifest. Use the current settlement evidence posture with explicit reviewer-safe continuity.",
  "reviewerPath": "/security",
  "servicePath": "/services",
  "settlementPath": "/documents/settlement-receipt-closure",
  "proofPath": "/documents/confidential-payout-evidence-packet",
  "nextOperatorAction": "Keep the manifest boundary explicit and carry the same operation plan into treasury review and governed execution."
}
- Confirm the operation profile is confidential payroll and the recipient count posture still matches the intended treasury motion.
- Confirm Manifest hash + commit-reveal is the right privacy mode for the sponsor and reviewer expectations.
- Confirm Attested evidence keeps the trust boundary readable enough for this submission and release stage.
- Confirm Hybrid keeps the operation understandable to the target reviewer without weakening the privacy story.
How payout proof, receipts, and blockers connect in one route
The last operational gap between live Testnet proof and a credible mainnet release path
The two operating systems that turn a strong Testnet product into a confident mainnet candidate
The real-device capture board that expands Testnet proof into release-grade confidence
How much of the mainnet path is already structured vs what still depends on external closure
Four-week company launch path after the hackathon
The current Testnet product is deliberately staged for production: custody, audit, wallet coverage, monitoring, mainnet deployment, and wallet-placement launch are sequenced as one operating plan.
The exact operating path between defined alert rules and believable live delivery
Defined monitoring rules and the live delivery route
Proposal, treasury, voting, RPC, and gaming analysis belong inside the security story
PrivateDAO should help users detect abnormal treasury motions, summarize governance discussion, and interpret runtime health before signatures happen. This is where AI-style assistance becomes operational instead of cosmetic.
Security + Intelligence layer
This is where AI belongs in PrivateDAO: proposal review, treasury execution review, voting compression, RPC interpretation, and gaming-governance assistance. It is decision support, not a shallow chatbot.
How to use this route
Proposal Review AI
Proposal execution review
This proposal should keep explanation, trust context, and destination rationale visible before signatures are collected.
This layer is built to help users now with browser-side intelligence and clear governance heuristics. If you later want a free open-model path, the same UX can be connected to a Hugging Face-hosted summarization or classification adapter without changing the product surface.