Governance: minimal upgrade-gov pallet, remove community lane, harden tech collective#603
Closed
n13 wants to merge 2 commits into
Conversation
governance: minimal upgrade-gov pallet, remove community lane, harden tech collective

Replace the public/token-weighted community governance lane with a minimal, upgrades-only governance pallet, keep the tech-collective referenda lane as a transitional fallback, and fix verified audit findings in the retained code.

New:
- pallet-upgrade-gov (index 22): M-of-N member approval + timelock that authorizes runtime upgrades via frame_system::authorize_upgrade only. Fixed Action enum (no arbitrary dispatch), internal membership/threshold/delay management, on_initialize timelock. Seeded at genesis with the same trusted set as the tech collective. 11 unit tests.

Removed (community lane):
- pallet-conviction-voting (deleted).
- Community Referenda instance (idx 10) and ConvictionVoting (idx 12); indices kept vacant. CommunityTracksInfo removed.
- Dead community-lane integration tests (engine.rs, logic.rs).

Retained as transitional fallback: TechCollective + TechReferenda, to be removed once upgrades via pallet-upgrade-gov are proven on-chain.

Audit fixes in retained code:
- #91267: tech-collective Add/RemoveOrigin now EnsureRootWithSuccess (Root-only, i.e. a passed referendum) instead of any single member.
- #91248: removed dead Root branch in RootOrMemberForTechReferendaOrigin.
- #91272: referenda submission deposit now refundable for Rejected/TimedOut.
- #91165: preimage per-byte deposit corrected (was 1000x too low).

spec_version 132 -> 133.
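The M-of-N approval + timelock flow the commit message describes, written out as an added plain-Rust model. This is not pallet-upgrade-gov's code and uses no FRAME API: the names UpgradeGov, Action, propose/approve/on_initialize and the in-memory stand-in for the hash frame_system::authorize_upgrade records are assumptions. It shows the closed Action enum (no arbitrary call variant), quorum counted only over current members, and execution gated on the block-hook timelock:

```rust
// Added example, not pallet-upgrade-gov's code: a plain-Rust model of the
// M-of-N approval + timelock flow that authorizes one runtime code hash.
// Names (UpgradeGov, Action, propose/approve/on_initialize) are assumed.
use std::collections::{BTreeMap, BTreeSet};

pub type AccountId = u32;
pub type BlockNumber = u32;
pub type CodeHash = [u8; 32];

/// Closed set of things a passed proposal can do. No variant wraps an arbitrary
/// runtime call, so even a full quorum can only authorize a code hash or retune
/// this pallet; it cannot dispatch as Root.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Action {
    AuthorizeUpgrade { code_hash: CodeHash },
    SetMembers(BTreeSet<AccountId>),
    SetThreshold(u32),
    SetDelay(BlockNumber),
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Error { NotMember, NoSuchProposal, AlreadyApproved, AlreadyScheduled, InvalidThreshold, EmptyMembership }

/// `ready_at` is set when quorum is reached; on_initialize executes at or after that block.
struct Proposal { action: Action, approvals: BTreeSet<AccountId>, ready_at: Option<BlockNumber> }

pub struct UpgradeGov {
    members: BTreeSet<AccountId>, threshold: u32, delay: BlockNumber,
    next_id: u32, proposals: BTreeMap<u32, Proposal>,
    authorized: Option<CodeHash>, // stand-in for the hash frame_system::authorize_upgrade records
}

impl UpgradeGov {
    /// Genesis config: trusted member set, M-of-N threshold, timelock delay in blocks.
    pub fn new(members: impl IntoIterator<Item = AccountId>, threshold: u32, delay: BlockNumber) -> Result<Self, Error> {
        let members: BTreeSet<_> = members.into_iter().collect();
        Self::check_threshold(threshold, members.len())?;
        Ok(Self { members, threshold, delay, next_id: 0, proposals: BTreeMap::new(), authorized: None })
    }
    fn check_threshold(threshold: u32, n: usize) -> Result<(), Error> {
        if n == 0 { Err(Error::EmptyMembership) }
        else if threshold == 0 || threshold as usize > n { Err(Error::InvalidThreshold) }
        else { Ok(()) }
    }
    /// Reject self-config actions that would leave the pallet unable to reach quorum.
    fn validate(&self, action: &Action) -> Result<(), Error> {
        match action {
            Action::SetMembers(m) => Self::check_threshold(self.threshold, m.len()),
            Action::SetThreshold(t) => Self::check_threshold(*t, self.members.len()),
            Action::AuthorizeUpgrade { .. } | Action::SetDelay(_) => Ok(()),
        }
    }

    /// Members only; the proposer's own approval is counted immediately.
    pub fn propose(&mut self, now: BlockNumber, who: AccountId, action: Action) -> Result<u32, Error> {
        if !self.members.contains(&who) { return Err(Error::NotMember); }
        self.validate(&action)?;
        let id = self.next_id;
        self.next_id += 1;
        self.proposals.insert(id, Proposal { action, approvals: BTreeSet::new(), ready_at: None });
        self.approve(now, who, id)?;
        Ok(id)
    }

    /// Record an approval; once `threshold` current members have approved, start the timelock.
    pub fn approve(&mut self, now: BlockNumber, who: AccountId, id: u32) -> Result<(), Error> {
        if !self.members.contains(&who) { return Err(Error::NotMember); }
        let (members, threshold, delay) = (&self.members, self.threshold as usize, self.delay);
        let p = self.proposals.get_mut(&id).ok_or(Error::NoSuchProposal)?;
        if p.ready_at.is_some() { return Err(Error::AlreadyScheduled); }
        if !p.approvals.insert(who) { return Err(Error::AlreadyApproved); }
        if p.approvals.iter().filter(|a| members.contains(*a)).count() >= threshold {
            p.ready_at = Some(now + delay);
        }
        Ok(())
    }

    /// Block hook: execute each proposal whose timelock has expired, in id order. Quorum is
    /// recounted against current members, so since-removed members' approvals do not count.
    pub fn on_initialize(&mut self, now: BlockNumber) -> Vec<Action> {
        let due: Vec<u32> = self.proposals.iter()
            .filter_map(|(id, p)| (p.ready_at? <= now).then_some(*id)).collect();
        let mut executed = Vec::new();
        for id in due {
            let p = self.proposals.remove(&id).expect("id was taken from the map");
            let live = p.approvals.iter().filter(|a| self.members.contains(*a)).count();
            if live < self.threshold as usize || self.validate(&p.action).is_err() { continue; }
            match &p.action {
                Action::AuthorizeUpgrade { code_hash } => self.authorized = Some(*code_hash),
                Action::SetMembers(m) => self.members = m.clone(),
                Action::SetThreshold(t) => self.threshold = *t,
                Action::SetDelay(d) => self.delay = *d,
            }
            executed.push(p.action);
        }
        executed
    }
    pub fn authorized_upgrade(&self) -> Option<CodeHash> { self.authorized }
    pub fn members(&self) -> &BTreeSet<AccountId> { &self.members }
}
```

The only externally visible effect of a passed AuthorizeUpgrade is a code hash recorded for the runtime to accept; membership, threshold and delay can change only through the same quorum-plus-timelock path, which is what "internal membership/threshold/delay management" buys over handing those to a Root origin.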
n13 added a commit that referenced this pull request on Jun 24, 2026
* governance: minimal upgrade-gov pallet, remove community lane, harden tech collective

  Replace the public/token-weighted community governance lane with a minimal, upgrades-only governance pallet, keep the tech-collective referenda lane as a transitional fallback, and fix verified audit findings in the retained code.

  New:
  - pallet-upgrade-gov (index 22): M-of-N member approval + timelock that authorizes runtime upgrades via frame_system::authorize_upgrade only. Fixed Action enum (no arbitrary dispatch), internal membership/threshold/delay management, on_initialize timelock. Seeded at genesis with the same trusted set as the tech collective. 11 unit tests.

  Removed (community lane):
  - pallet-conviction-voting (deleted).
  - Community Referenda instance (idx 10) and ConvictionVoting (idx 12); indices kept vacant. CommunityTracksInfo removed.
  - Dead community-lane integration tests (engine.rs, logic.rs).

  Retained as transitional fallback: TechCollective + TechReferenda, to be removed once upgrades via pallet-upgrade-gov are proven on-chain.

  Audit fixes in retained code:
  - #91267: tech-collective Add/RemoveOrigin now EnsureRootWithSuccess (Root-only, i.e. a passed referendum) instead of any single member.
  - #91248: removed dead Root branch in RootOrMemberForTechReferendaOrigin.
  - #91272: referenda submission deposit now refundable for Rejected/TimedOut.
  - #91165: preimage per-byte deposit corrected (was 1000x too low).

  spec_version 132 -> 133.

* format

* governance: drop pallet-upgrade-gov, harden tech-collective lane

  Alternative to the pallet-upgrade-gov approach (#603): keep the tech-collective referenda lane as the sole governance mechanism and harden it, rather than adding a new minimal upgrade pallet. Builds on the shared base (community lane removed, #91267/#91248/#91272/#91165 fixed).

  Removed:
  - pallet-upgrade-gov (crate, runtime wiring, config, genesis seeding). The tech lane authorizes runtime upgrades and other Root calls directly.

  Tech-lane audit fixes (local referenda fork + runtime config):
  - #91247/#91270 (high): TechCollectiveTracksInfo::track_for now accepts only a Root proposal origin. Previously any Signed(_) mapped to track 0, so a passed referendum could dispatch as an arbitrary account (impersonation) or route Root-level dispatch through the single low-threshold track. All legitimate submissions already use a Root proposal origin.
  - #91271 (high): ready_for_deciding honors the bounded-queue insertion result instead of unconditionally setting in_queue = true, preventing ghost-queued referenda (skipped by timeout yet absent from TrackQueue).
  - #91210 (high): schedule_enactment and set_alarm log a loud error on scheduler failure instead of failing silently (debug_assert-only in release).
  - #91213 (low): cancel/kill only release a deciding slot when the referendum actually held one, preventing DecidingCount corruption (relevant at max_deciding = 1).

  Parameter hardening:
  - TechReferenda prepare_period 20 blocks (4 min) -> 2 hours of advance notice.
  - UndecidingTimeout comment corrected (value is 45 days, not 90).

  Moot via the community-lane removal already on this branch:
  - #91141 (abstentions satisfy approval), #91166 (self-vote weight): both were pallet-conviction-voting issues; that pallet is deleted.
  - #91193 (unbounded member exchange): exchange_member is NeverEnsureOrigin.
  - #91265 (removed members' votes): non-issue (upstream ranked-collective behavior; membership changes are Root-gated and rare).

  Tests: pallet-referenda 39/39; runtime governance 23 passed/1 ignored; native + WASM build and runtime-benchmarks compile clean.

* format
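Three of the tech-lane fixes listed in the second commit (#91247/#91270 track origin, #91271 bounded-queue result, #91213 deciding-slot release) as an added plain-Rust model. This is not the forked pallet-referenda code; the types Referenda, Status and Origin, the in-memory queue, and the fixed/unfixed method pairs are assumptions made for illustration. Each pair puts the pre-fix behaviour next to the hardened one so the failure (a Signed origin landing on track 0, a ghost-queued referendum, a DecidingCount that drops below the number of referenda actually deciding) is reproducible:

```rust
// Added example, not the forked pallet-referenda code: a plain-Rust model of
// three tech-lane fixes (#91247/#91270 track origin, #91271 bounded-queue result,
// #91213 deciding-slot release). Types, method names and the fixed/unfixed
// pairs are assumptions made for illustration.
use std::collections::BTreeMap;

pub type Index = u32;
pub type TrackId = u16;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Origin { Root, Signed(u32) }

/// Pre-fix: any Signed origin also mapped to track 0, so a passed referendum could
/// dispatch as that account or reach Root through the single low-threshold track.
pub fn track_for_unfixed(origin: Origin) -> Option<TrackId> {
    match origin { Origin::Root | Origin::Signed(_) => Some(0) }
}

/// Post-fix: only a Root proposal origin has a track; anything else fails at submission.
pub fn track_for(origin: Origin) -> Option<TrackId> {
    match origin { Origin::Root => Some(0), Origin::Signed(_) => None }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Status { Ongoing { in_queue: bool, deciding: bool }, Cancelled }

#[derive(Debug, PartialEq, Eq)]
pub enum Error { NoTrack, NotFound, NotOngoing }

pub struct Referenda {
    max_deciding: usize,
    max_queued: usize,                  // bound of track_queue
    referenda: BTreeMap<Index, Status>,
    track_queue: Vec<Index>,
    deciding_count: usize,              // the on-chain DecidingCount
    next_index: Index,
}

impl Referenda {
    pub fn new(max_deciding: usize, max_queued: usize) -> Self {
        Self { max_deciding, max_queued, referenda: BTreeMap::new(), track_queue: Vec::new(), deciding_count: 0, next_index: 0 }
    }
    pub fn submit(&mut self, proposal_origin: Origin) -> Result<Index, Error> {
        track_for(proposal_origin).ok_or(Error::NoTrack)?;
        let index = self.next_index;
        self.next_index += 1;
        self.referenda.insert(index, Status::Ongoing { in_queue: false, deciding: false });
        Ok(index)
    }
    fn ongoing(&self, index: Index) -> Result<(bool, bool), Error> {
        match self.referenda.get(&index) {
            None => Err(Error::NotFound),
            Some(Status::Ongoing { in_queue, deciding }) => Ok((*in_queue, *deciding)),
            Some(_) => Err(Error::NotOngoing),
        }
    }

    /// Fixed (#91271): `in_queue` mirrors the bounded insert's result.
    pub fn ready_for_deciding(&mut self, index: Index) -> Result<Status, Error> { self.decide_or_queue(index, true) }
    /// Unfixed: `in_queue = true` even when the bounded queue rejected the entry.
    pub fn ready_for_deciding_unfixed(&mut self, index: Index) -> Result<Status, Error> { self.decide_or_queue(index, false) }
    fn decide_or_queue(&mut self, index: Index, honor_insert_result: bool) -> Result<Status, Error> {
        let (_, deciding) = self.ongoing(index)?;
        if deciding { return Ok(self.referenda[&index]); }
        let status = if self.deciding_count < self.max_deciding {
            self.deciding_count += 1;
            Status::Ongoing { in_queue: false, deciding: true }
        } else {
            let inserted = self.track_queue.len() < self.max_queued; // outcome of a bounded try_push
            if inserted { self.track_queue.push(index); }
            Status::Ongoing { in_queue: if honor_insert_result { inserted } else { true }, deciding: false }
        };
        self.referenda.insert(index, status);
        Ok(status)
    }
    /// A ghost is flagged as queued but absent from the track queue: it is never promoted
    /// and only leaves via the undeciding timeout.
    pub fn is_ghost_queued(&self, index: Index) -> bool {
        matches!(self.referenda.get(&index), Some(Status::Ongoing { in_queue: true, .. }))
            && !self.track_queue.contains(&index)
    }

    /// Fixed (#91213): release a deciding slot only if this referendum held one.
    pub fn cancel(&mut self, index: Index) -> Result<(), Error> { self.cancel_impl(index, true) }
    /// Unfixed: always decrements, so DecidingCount drifts below the real count.
    pub fn cancel_unfixed(&mut self, index: Index) -> Result<(), Error> { self.cancel_impl(index, false) }
    fn cancel_impl(&mut self, index: Index, release_only_if_deciding: bool) -> Result<(), Error> {
        let (in_queue, deciding) = self.ongoing(index)?;
        if in_queue { self.track_queue.retain(|&i| i != index); }
        if deciding || !release_only_if_deciding { self.deciding_count = self.deciding_count.saturating_sub(1); }
        self.referenda.insert(index, Status::Cancelled);
        Ok(())
    }
    pub fn deciding_count(&self) -> usize { self.deciding_count }
    /// Referenda actually in the deciding phase, for comparison with `deciding_count`.
    pub fn actually_deciding(&self) -> usize {
        self.referenda.values().filter(|s| matches!(s, Status::Ongoing { deciding: true, .. })).count()
    }
}
```

With max_deciding = 1 the slot-accounting bug is easiest to see: one unfixed cancel of a referendum that never held a slot drops DecidingCount to zero while another referendum is still deciding, and the next ready_for_deciding admits a second one onto a track that should allow only one.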
n13 (Collaborator, Author): #604 is a better solution - closing
Summary
Replaces the public/token-weighted community governance lane with a minimal, upgrades-only governance pallet, keeps the tech-collective referenda lane as a transitional fallback, and fixes verified audit findings in the retained code.
New:
- pallet-upgrade-gov (pallet index 22): M-of-N member approval + timelock that authorizes runtime upgrades via frame_system::authorize_upgrade only — a fixed Action enum, no arbitrary call dispatch. on_initialize timelock; no Scheduler dependency.

Removed (community lane)
- pallet-conviction-voting deleted.
- Community Referenda instance (idx 10) and ConvictionVoting (idx 12) removed; indices kept vacant so downstream pallet indices stay stable.
- CommunityTracksInfo removed.
- Dead community-lane integration tests (engine.rs, logic.rs).

Retained as transitional fallback
- TechCollective (pallet-ranked-collective) + TechReferenda (pallet-referenda Instance1). Plan: prove a runtime upgrade through pallet-upgrade-gov, then remove the tech lane in a follow-up.

Audit fixes in retained code
- #91267: tech-collective AddOrigin/RemoveOrigin are now EnsureRootWithSuccess<AccountId, ConstU16<0>> (Root-only, i.e. a passed referendum) instead of any single member. Dead RootOrMemberForCollectiveOrigin helper deleted.
- #91248: removed dead Root branch in RootOrMemberForTechReferendaOrigin.
- #91272: referenda submission deposit now refundable for Rejected/TimedOut (previously frozen).
- #91165: preimage per-byte deposit corrected (was 1000x too low).
- spec_version bumped 132 → 133.

Test plan
- cargo test -p pallet-upgrade-gov — 11 passed
- cargo test -p quantus-runtime --features fast-governance — 23 passed, 1 ignored
- cargo check -p quantus-runtime (std) and --features runtime-benchmarks — clean
- cargo build -p quantus-runtime (native + WASM artifact) — clean
- pallet-upgrade-gov Action enum is limited to authorize-upgrade + self-config (no arbitrary Root dispatch)
- Prove a runtime upgrade through pallet-upgrade-gov before removing the tech lane

Known open items (transitional lane)