# Governance

Trilobyte uses a **role-based access control** system combined with a **Timelock** for governance delay on critical actions.

## Governance Architecture

```
┌───────────────────────────────────────────────┐
│                  Timelock                      │
│        (OZ TimelockController)                │
│   Proposer / Executor / Canceller roles       │
│   Admin of Globals (governor actions delayed) │
└──────────────────────┬────────────────────────┘
                       │ admin
┌──────────────────────▼────────────────────────┐
│                   Globals                      │
│          (OZ Access + Pausable + Upgradeable)  │
│   Settings · Roles · Fees · Assets · Managers  │
└───────────────────────────────────────────────┘
```

The **Timelock** is set as the admin of the **Globals** contract. This means all admin-level actions must go through a time-delayed governance process.

## Roles

| Role                 | Key         | Assigned To         | Responsibilities                                                           |
| -------------------- | ----------- | ------------------- | -------------------------------------------------------------------------- |
| **Admin**            | `"admin"`   | Governor / Timelock | Global settings, asset whitelist, contract upgrades, treasury, fee updates |
| **Security Admin**   | `"sec_adm"` | Security team       | Emergency pause/unpause of the protocol                                    |
| **Operations Admin** | `"ops_adm"` | Operations team     | Approve/remove pool managers, set credit limits, clear delinquency         |

## Timelock Controller

The Timelock enforces a **minimum delay** on governance operations. This gives protocol participants time to review and react to proposed changes before they take effect.

### Operation Lifecycle

```
Unset → Waiting → Ready → Done
```

1. **Proposer** schedules an operation with a delay
2. The operation enters **Waiting** state
3. After the delay passes, the operation becomes **Ready**
4. **Executor** executes the operation → **Done**

A **Canceller** can cancel any pending operation before execution.

### Timelocked Actions

The following actions go through the Timelock:

| Action                 | Function                 | Impact                         |
| ---------------------- | ------------------------ | ------------------------------ |
| Update global settings | `set_settings`           | Changes loan parameter bounds  |
| Whitelist assets       | `add_supported_asset`    | Enables new tokens for lending |
| Remove assets          | `remove_supported_asset` | Disables tokens                |
| Update protocol fee    | `set_fee`                | Changes fee percentage         |
| Update treasury        | `set_treasury`           | Changes fee recipient          |
| Upgrade contracts      | `upgrade`                | Deploys new contract code      |

### Non-Timelocked Actions

Some actions are intentionally **instant** for operational agility:

| Action                  | Role           | Reason                 |
| ----------------------- | -------------- | ---------------------- |
| Pause/unpause           | Security Admin | Emergency response     |
| Approve/remove managers | Ops Admin      | Operational management |
| Set credit limits       | Ops Admin      | Risk management        |
| Clear delinquency       | Ops Admin      | Manager review         |

## Emergency Powers

The **Security Admin** can pause the entire protocol instantly:

* `pause(caller)` — Halts all state-changing functions protected by `#[when_not_paused]`
* `unpause(caller)` — Resumes normal operation

This is a circuit breaker for emergencies — exploits, critical bugs, or market events that require immediate protocol freeze.

{% hint style="warning" %}
Pausing the protocol prevents new deposits, vault creation, and collateral operations. Existing vaults that are already Active continue to accept payments (the pause is on Globals-level operations).
{% endhint %}

## Self-Administered Timelock

The Timelock is deployed as **self-administered** — it is its own admin. This means:

* No single address can bypass the time delay
* The Timelock's own settings (delay, roles) can only be changed through the Timelock itself
* This creates a fully decentralised governance loop


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.trilobyte.finance/protocol-mechanics/governance.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.