Add Or Update Roles¶

Purpose¶

Grant, revoke, or rotate governor roles without collapsing separation of duties.

Required Authority¶

roleAdmin.

Procedure For New Grants¶

1. Confirm role need, holder Safe, threshold, signer list, and custody policy.
2. Call proposeRoleGrant(role, account).
3. Monitor through minDelay.
4. Before execution, verify no compromise signal exists.
5. Call executeRoleGrant(role, account).
6. Read hasRole(role, account).

Procedure For Revocation¶

1. Identify current holder and role.
2. Confirm replacement path if role is required for continuity.
3. Call revokeRole(role, account).
4. Verify role removal and pending grant cleanup.

RoleAdmin Transfer¶

Use transferRoleAdmin, wait through delay, then acceptRoleAdmin from the pending admin. This is root authority movement and requires board-level approval.

Abort Conditions¶

Abort grants if the destination is an EOA, signer list is unknown, Safe threshold is weak, or the role duplicates a separation boundary without governance approval.

Evidence To Archive¶

Role ticket, Safe details, signer approvals, propose/execute/revoke txs, delay proof, hasRole reads, and updated custody inventory.

Operational Procedure¶

Purpose¶

Use this runbook to grant, revoke, or rotate privileged roles and operational owners without hidden authority drift.

When To Use¶

Use it for production, staging, or rehearsal actions that affect live authority, validator custody, economic accounting, claims, or incident response. Do not use it as a substitute for source review; deployed-state evidence remains Evidence required unless captured for the exact chain and address set.

Required Authority¶

Required authority: role admin or current owner/admin for the affected plane. Read-only preparation can be performed by an operator or auditor, but transaction submission must come from the documented production holder in the permission matrix.

Preconditions¶

• The current source manifest and generated inventory are up to date.
• The acting Safe or owner has been verified against the current permission matrix.
• No unresolved incident is active for the same contract, validator, role, or operation.
• The reviewer can identify which layer is affected: Upgrade governance, Deposit permissioning, Custody/readiness, or Economic/claim safety.

Inputs Required¶

• r.
• o.
• l.
• e.
• .
• i.
• d.
• ,.
• .
• c.
• u.
• r.
• r.
• e.
• n.
• t.
• .
• h.
• o.
• l.
• d.
• e.
• r.
• ,.
• .
• p.
• r.
• o.
• p.
• o.
• s.
• e.
• d.
• .
• h.
• o.
• l.
• d.
• e.
• r.
• ,.
• .
• c.
• u.
• s.
• t.
• o.
• d.
• y.
• .
• p.
• r.
• o.
• o.
• f.
• ,.
• .
• r.
• e.
• a.
• s.
• o.
• n.
• ,.
• .
• d.
• e.
• l.
• a.
• y.
• ,.
• .
• r.
• o.
• l.
• l.
• b.
• a.
• c.
• k.
• .
• p.
• l.
• a.
• n.

Step-By-Step Procedure¶

1. verify role need.
2. stage grant or admin transfer.
3. monitor delay.
4. execute or accept only after review.
5. revoke stale authority.

Independent Review Requirement¶

A second reviewer must check the decoded calldata, expected state transition, affected role or validator, and expected events before submission. For emergency use, capture the reviewer identity and incident ticket before or immediately after the transaction.

Abort Conditions¶

• Source manifest hash drift or unexpected implementation metadata.
• Caller or Safe does not match the permission matrix.
• Revert reason points at a different layer than the runbook is trying to change.
• Any required input is missing or only inferred.
• A guardian, canceller, or incident commander has frozen the action window.

On-Chain Pre-Checks¶

Read current role/owner/admin state, operation status, target code hash where applicable, validator/vault mapping where applicable, and the latest readiness or claim state that the action depends on. Record block number and RPC endpoint.

On-Chain Post-Checks¶

Confirm the intended state changed, no adjacent authority changed unexpectedly, and no pending operation or stale intent was left active. Re-read the affected contract rather than relying only on transaction success.

Events Or Logs To Monitor¶

• RoleGrantProposed.
• RoleGrantExecuted.
• RoleRevoked.
• OwnershipTransferred.

Evidence To Archive¶

Archive calldata, transaction hash, decoded event logs, pre/post reads, reviewer approval, incident or change ticket, and any source-manifest or release-artifact references used to justify the action.

Escalation Path¶

Escalate to governance signers for authority or upgrade anomalies, to controller/risk owners for economic or claim anomalies, to admission operators for intent mistakes, and to security incident response for unexpected code, role, or event drift.