# Governance and Emergency Controls

#### Roles

* **Timelock Governor**
  * can change parameters in RiskRegistry, FeeAccumulator, PegRail configs
  * can onboard new collateral profiles (adapter + oracle + params)
* **Guardian**
  * can pause risk-increasing actions
  * cannot loosen parameters
* **Oracle Admin**
  * manages signer sets and feed configs (via timelock ideally)

#### Timelock requirements

* minimum delay on parameter changes (24 hours)
* emergency pause is immediate
* any “risk loosening” must go through timelock

#### Parameter change policy (operational)

* caps increase gradually with observed liquidity
* safety factors change rarely; require risk review
* oracle signer changes require explicit rotation procedure and monitoring

### Emergency controls

The emergency layer exists to contain damage, not to “manage the system day-to-day.”

#### Pause granularity

Separate pause flags for:

* new minting
* collateral withdrawals
* peg rail outflows
* starting new auctions (rare; careful)
* onboarding new profiles

Deposits and repayments should remain possible whenever feasible.

#### Wind-down mode

If a severe failure occurs (oracle compromise, critical exploit, irrecoverable bug), the protocol can enter wind-down:

* freeze issuance
* freeze non-essential transfers from custody
* optionally freeze prices at last known good values
* provide controlled settlement path

Exact settlement design is sensitive and is specified and audited separately by an independent auditor; the key architecture is that the core can be placed into a mode where it stops taking new risk.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.multipli.fi/technical-architecture/governance-and-emergency-controls.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.