# Governance and Emergency Controls

#### Roles

* **Timelock Governor**
  * can change parameters in RiskRegistry, FeeAccumulator, PegRail configs
  * can onboard new collateral profiles (adapter + oracle + params)
* **Guardian**
  * can pause risk-increasing actions, immediately and without delay
  * cannot loosen parameters; unpausing is itself a risk-loosening action and goes through the timelock
* **Oracle Admin**
  * manages signer sets and feed configs; these changes should themselves be routed through the timelock

#### Timelock requirements

* minimum delay of 24 hours on parameter changes
* emergency pause is immediate (no delay)
* any risk loosening (raising caps, lowering safety factors, unpausing) must go through the timelock

#### Parameter change policy (operational)

* caps increase gradually with observed liquidity
* safety factors change rarely; require risk review
* oracle signer changes require explicit rotation procedure and monitoring

### Emergency controls

The emergency layer exists to contain damage, not to “manage the system day-to-day.”

#### Pause granularity

Separate pause flags for:

* new minting
* collateral withdrawals
* peg rail outflows
* starting new auctions (rarely appropriate: halting auctions also halts the liquidation path, so unhealthy positions keep accruing risk; use only when the auction mechanism itself is the thing that is broken)
* onboarding new profiles

Deposits and repayments only ever reduce risk and should remain possible whenever feasible, including while other flags are paused.

#### Wind-down mode

If a severe failure occurs (oracle compromise, critical exploit, irrecoverable bug), the protocol can enter wind-down:

* freeze issuance
* freeze non-essential transfers from custody
* optionally freeze prices at last known good values
* provide controlled settlement path

The exact settlement design is sensitive; it is specified separately and audited by an independent auditor. The key architectural property is that the core can be placed into a mode in which it stops taking on new risk.
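The three mechanisms above (immediate guardian pause, timelock-only loosening and unpausing, and a wind-down latch that stops new risk) fit in one small access-control contract. The following Solidity sketch is an added example written for this page, not the protocol's own contracts: the contract name `EmergencyControls`, the `Flag` set, the `totalDebt` bookkeeping, the rule that either role may enter wind-down and nobody may exit it, and the decision to pin a caller-supplied last-good price are all assumptions. The 24-hour queue is assumed to be enforced inside the `timelock` contract, which is not shown; this contract only checks that loosening calls arrive from that address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Example only (not the protocol's code). Names, the Flag set and the
/// wind-down rules are assumptions made for this illustration.
contract EmergencyControls {
    address public immutable timelock; // Timelock Governor (assumed to enforce its own 24h delay)
    address public immutable guardian; // Guardian

    // One flag per risk-increasing action ("Pause granularity"). Deposits and
    // repayments have no flag: they only ever reduce risk.
    enum Flag { Mint, Withdraw, PegRailOutflow, StartAuction, Onboard }
    mapping(Flag => bool) public paused;

    bool public windDown;        // one-way latch: entered, never exited (assumption)
    uint256 public frozenPrice;  // last known good price once in wind-down

    uint256 public mintCap;          // raising this loosens risk
    uint256 public safetyFactorBps;  // lowering this loosens risk; 10_000 = 100%
    uint256 public totalDebt;        // outstanding issuance, checked against mintCap
    mapping(address => uint256) public debt;

    event Paused(Flag indexed flag, address by);
    event Unpaused(Flag indexed flag);
    event WindDownEntered(address by, uint256 frozenPrice);

    error NotAuthorized();
    error Halted();
    error CapExceeded();

    constructor(address _timelock, address _guardian, uint256 _mintCap, uint256 _safetyFactorBps) {
        timelock = _timelock;
        guardian = _guardian;
        mintCap = _mintCap;
        safetyFactorBps = _safetyFactorBps;
    }

    modifier onlyTimelock() {
        if (msg.sender != timelock) revert NotAuthorized();
        _;
    }

    modifier timelockOrGuardian() {
        if (msg.sender != timelock && msg.sender != guardian) revert NotAuthorized();
        _;
    }

    // Every risk-increasing entry point is gated on its own flag and on wind-down.
    modifier whenNotHalted(Flag f) {
        if (paused[f] || windDown) revert Halted();
        _;
    }

    // Tightening is immediate and needs no delay: the guardian may pause.
    function pause(Flag f) external timelockOrGuardian {
        paused[f] = true;
        emit Paused(f, msg.sender);
    }

    // Unpausing loosens risk, so it is timelock-only (and impossible in wind-down).
    function unpause(Flag f) external onlyTimelock {
        if (windDown) revert Halted();
        paused[f] = false;
        emit Unpaused(f);
    }

    // Parameter changes (RiskRegistry-style) are timelock-only in both directions;
    // the timelock's queue supplies the 24h delay for the loosening direction.
    function setMintCap(uint256 newCap) external onlyTimelock {
        mintCap = newCap;
    }

    function setSafetyFactor(uint256 newBps) external onlyTimelock {
        require(newBps <= 10_000, "bps > 100%");
        safetyFactorBps = newBps;
    }

    // Wind-down: freeze issuance and custody outflows and pin the price. It can
    // never be undone, so in this example the guardian may enter it without the
    // timelock (assumption); the actual settlement path is out of scope here.
    function enterWindDown(uint256 lastGoodPrice) external timelockOrGuardian {
        windDown = true;
        frozenPrice = lastGoodPrice;
        emit WindDownEntered(msg.sender, lastGoodPrice);
    }

    // Price consumers use the frozen value once wind-down has started.
    function effectivePrice(uint256 livePrice) public view returns (uint256) {
        return windDown ? frozenPrice : livePrice;
    }

    // Risk-increasing action: gated by its own flag and by wind-down.
    function mint(uint256 amount) external whenNotHalted(Flag.Mint) {
        if (totalDebt + amount > mintCap) revert CapExceeded();
        totalDebt += amount;
        debt[msg.sender] += amount;
    }

    // Risk-reducing action: never gated, even in wind-down.
    function repay(uint256 amount) external {
        debt[msg.sender] -= amount; // reverts on underflow in Solidity 0.8
        totalDebt -= amount;
    }
}
```

The asymmetry is the whole point: `pause` and `enterWindDown` accept the guardian, `unpause`, `setMintCap` and `setSafetyFactor` accept only the timelock, and `repay` accepts anyone at any time. Note that `setMintCap` does not distinguish raising from lowering; since both go through the timelock's delay in this sketch, an emergency cap reduction would be delayed too. If fast tightening of numeric parameters is required, add a guardian-callable path that can only move a parameter in the tightening direction (for example `lowerMintCap(uint256 newCap)` that reverts unless `newCap < mintCap`), mirroring the pause/unpause split.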
