Governance
Four-Eyes authorisation framework for high-risk systemic actions. Covers proposals, voting, FX rate approval, risk limit change gating, escalation routing, and dual-signature Governor sign-off flows.
System Overview
The Governance module enforces the Four-Eyes principle across all high-risk systemic actions on the SmartCheq platform. No single operator can unilaterally execute actions that affect the money supply, exchange rates, or risk limits. Every such action must be proposed by one operator and approved by a second, independent operator of equal or higher authority.
Three governance roles exist: Operator (proposes), Supervisor (approves operational changes), and Governor (approves monetary policy changes such as FX rates and issuance authorisations). The Governor Approval Desk requires dual-signature for the highest-consequence actions.
Proposals Queue
- Pending proposals list
- Proposal type filter
- Proposer identity
- Proposed change details
Review & Voting
- Proposal detail view
- Approve / Reject actions
- Vote tally
- Quorum check
Approval Desks
- Supervisor Desk
- Governor Desk
- Issuance Authorizations
- Corridor Escalations
Four-Eyes Rule
Actions Requiring Four-Eyes
| Action | Proposer | Approver | Module |
|---|---|---|---|
| FX Rate Change | Corridor Ops Operator | Supervisor or Governor | Corridor Ops |
| Risk Limit Change | Corridor Ops Operator | Supervisor | Corridor Ops |
| Issuance Authorization | Issuance Operator | Governor | Issuance Tab |
| CVIB Batch Dispatch | Issuance Operator | Governor | Issuance Tab |
| Note Burn | Redemption Operator | Governor | Deposit & Burn |
| Corridor Deactivation | Corridor Ops Operator | Supervisor | Corridor Ops |
| System Override | Any operator + PIN | Audit log (async) | Emergency Actions |
Data Model
Proposal
| Field | Type | Description |
|---|---|---|
| id | uuid | Primary key |
| proposal_type | enum | fx_rate_change \| limit_change \| burn_authorization \| corridor_deactivation \| issuance_authorization |
| proposed_by | string | Doorkeeper token owner (proposer) |
| corridor_id | uuid FK | Affected corridor (if applicable) |
| proposed_value | jsonb | The proposed change payload (e.g. {rate: 51.20}) |
| current_value | jsonb | The current system value being replaced |
| status | enum | pending \| approved \| rejected \| expired |
| reference | string | Human reference e.g. GOV-2026040922 |
| expires_at | timestamp | Proposal auto-expires if not acted on |
Vote
| Field | Type | Description |
|---|---|---|
| proposal_id | uuid FK | References Proposal |
| voter_id | string | Doorkeeper token owner (voter — must differ from proposer) |
| vote | enum | approve \| reject |
| notes | text | Optional reviewer notes |
| voted_at | timestamp | When vote was cast |
IssuanceAuthorization
| Field | Type | Description |
|---|---|---|
| id | uuid | Primary key |
| corridor_id | uuid FK | Corridor being authorised for issuance |
| governance_status | enum | pending \| signed \| rejected |
| signed_by | string | Governor who signed |
| signed_at | timestamp | Signature timestamp |
Proposal Flow
Action triggered
Operator clicks "Propose Change" (FX Rate or Limits) or "Escalate to Governance" in Corridor Ops. A proposal reference GOV-XXXXXXXXX is auto-generated.
Proposal created
POST /api/v2/governance/proposals {type, proposed_value, corridor_id, reference}. Proposal status = pending.
Appears in approval desk
Supervisor Desk or Governor Desk shows the pending proposal with current vs proposed values. Original proposer's name is shown but they cannot vote.
Second operator reviews
Approver clicks Approve or Reject. POST /api/v2/governance/proposals/:id/votes {vote: "approve", notes?}.
Action executed
On approve: the proposed change is applied (FX rate updated, limits changed, corridor deactivated etc.). Status → approved. System records who approved and when.
Audit trail
Full proposal lifecycle — proposed_by, proposed_at, approved_by, approved_at, current_value, proposed_value — permanently recorded.
Approval Desks
Supervisor Approval Desk
The Supervisor Desk shows all proposals requiring supervisor-level approval: limit changes, corridor deactivations, and operational escalations. Accessible via the Quick Access panel on the CBDC Sandbox homepage.
| Handles | Quorum |
|---|---|
| Risk limit changes (daily cap, velocity, per-tx) | 1 supervisor vote |
| Corridor deactivation / reactivation | 1 supervisor vote |
| Operational escalations from Corridor Ops | 1 supervisor vote |
Governor Approval Desk
The Governor Desk handles monetary policy actions. These require the highest level of authority and use a dual-signature model where both the Governor and a Deputy must approve before action is taken.
| Handles | Quorum |
|---|---|
| FX rate changes | Governor + Deputy (dual signature) |
| Issuance authorizations | Governor signature via POST /governance_sign |
| CBDC note burns | Governor + Deputy (dual signature) |
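The vote-side checks implied by the data model and the desk quorums above can be sketched as follows. This is an added example, not SmartCheq code: the `cast_vote` function, the `Proposal` struct, the role symbols (including `:deputy`) and the outcome names are assumptions, and FX rate changes follow the Governor Desk quorum rather than the "Supervisor or Governor" entry in the Four-Eyes table.

```ruby
# Required approver roles per proposal_type, taken from the desk tables above.
# Each role is one signature slot. Role symbols are assumed names, and treating
# issuance_authorization as a single Governor vote is also an assumption.
REQUIRED_ROLES = {
  "limit_change"           => [:supervisor],
  "corridor_deactivation"  => [:supervisor],
  "issuance_authorization" => [:governor],
  "fx_rate_change"         => [:governor, :deputy],
  "burn_authorization"     => [:governor, :deputy]
}.freeze

Proposal = Struct.new(:proposal_type, :proposed_by, :status, :expires_at, :votes)

# Returns [outcome, proposal.status]. voter_id and role must be resolved
# server-side from the token's resource owner, never taken from the request body.
def cast_vote(proposal, voter_id:, role:, vote:, now: Time.now.utc)
  return [:not_pending, proposal.status] unless proposal.status == "pending"
  if now >= proposal.expires_at
    proposal.status = "expired"
    return [:expired, proposal.status]
  end
  return [:invalid_vote, proposal.status] unless %w[approve reject].include?(vote)
  # Four-Eyes: the proposer can never fill an approval slot.
  return [:self_approval, proposal.status] if voter_id == proposal.proposed_by
  # Unknown proposal types raise KeyError here, so the check fails closed.
  required = REQUIRED_ROLES.fetch(proposal.proposal_type)
  return [:wrong_role, proposal.status] unless required.include?(role)
  # Dual signature needs two people: one identity cannot sign twice, and a
  # second Governor cannot stand in for the Deputy slot.
  if proposal.votes.any? { |v| v[:voter_id] == voter_id || v[:role] == role }
    return [:duplicate_signature, proposal.status]
  end

  proposal.votes << { voter_id: voter_id, role: role, vote: vote, voted_at: now }
  if vote == "reject"
    proposal.status = "rejected"
  elsif (required - proposal.votes.map { |v| v[:role] }).empty?
    proposal.status = "approved" # quorum met: caller applies proposed_value now
  end
  [:recorded, proposal.status]
end

# Constructed sample: an FX rate change proposed by operator "op-17".
def sample_fx_proposal
  Proposal.new("fx_rate_change", "op-17", "pending", Time.utc(2030, 1, 1), [])
end
```

In a real deployment the status transition and the vote insert would sit in one database transaction so that two concurrent votes cannot both observe an unfilled slot.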
API Reference
| Method | Path | Description |
|---|---|---|
| POST | /api/v2/governance/proposals | Create a new governance proposal |
| GET | /api/v2/governance/proposals/:id | Get proposal details |
| POST | /api/v2/governance/proposals/:id/votes | Cast approve or reject vote (must not be proposer) |
| GET | /api/v2/governance/proposals/:id/tally | Get current vote tally and quorum status |
| POST | /api/v2/governance/escalate | Escalate a corridor issue directly to governance queue |
| GET | /api/v2/issuance_authorizations/latest | Get latest issuance authorization for corridor |
| POST | /api/v2/issuance_authorizations/:id/governance_sign | Governor signs issuance authorization |
| POST | /api/v2/issuance_authorizations/:id/governance_reject | Governor rejects issuance authorization |