@@ -31,11 +31,18 @@ The solution consists of two main components:
3131- ** Provider Withdrawals** : Allows providers to withdraw earnings in XLM
3232- ** Conversion Events** : Emits events for transparency
3333- ** Backward Compatibility** : Works with existing custom tokens
34+ - ** Emergency Trust Mode** : Enables manual recovery when oracle heartbeat is stale for 72 hours
35+ - ** Unanimous Governance Guard** : Emergency actions require 100% approval from all active members
3436
3537#### New Functions:
3638- ` top_up() ` - Enhanced to handle XLM→USD conversion
3739- ` withdraw_earnings() ` - New function for USD→XLM conversion
3840- ` get_current_rate() ` - Get current exchange rate
41+ - ` is_trust_mode() ` - Returns true when oracle heartbeat is stale for more than 72 hours
42+ - ` propose_emergency_flow_rate() ` - Create emergency proposal to set manual flow rate
43+ - ` propose_emergency_pause() ` - Create emergency proposal to pause a meter cycle
44+ - ` approve_emergency_action() ` - Approve an emergency proposal (one vote per member)
45+ - ` execute_emergency_action() ` - Execute only after unanimous member approval
3946
4047## Usage Flow
4148
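Review bot: the feature bullet at line 34 says Trust Mode is enabled when the oracle heartbeat is "stale for 72 hours", but the `is_trust_mode()` entry at line 41 says "more than 72 hours", and the boundary rule documented later in this patch treats exactly 72 hours stale as not yet in Trust Mode; change line 34 to `stale for more than 72 hours` so the feature list does not contradict the function doc. The new function entries also do not say who may call `propose_emergency_flow_rate()` and `propose_emergency_pause()` (any address, or only members registered via `register_active_user()`), nor whether a pending proposal can expire or be cancelled; since `execute_emergency_action()` only runs after unanimous approval, a proposal missing one approval otherwise stays open indefinitely, and the list should say so either way.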
@@ -76,6 +83,48 @@ New error types added:
76832 . ** Staleness Checks** : Rejects old price data
77843 . ** Access Control** : Admin controls updater role
78854 . ** Event Logging** : All conversions emit events for transparency
86+ 5 . ** Trust Mode Gate** : Emergency manual controls are blocked while oracle heartbeat is healthy
87+ 6 . ** Strict Unanimity** : Every registered active member must approve emergency actions
88+ 7 . ** Duplicate Vote Prevention** : A member can approve a proposal only once
89+
90+ ## Trust Mode and Manual Fallback
91+
92+ ### Activation Rule
93+
94+ Trust Mode is derived from on-chain oracle heartbeat state:
95+
96+ - Utility contract fetches oracle ` PriceData.last_updated `
97+ - If ` now - last_updated > 72 hours ` , Trust Mode is active
98+ - If no oracle address is configured, Trust Mode is treated as active for recovery operations
99+
100+ Boundary behavior is strict:
101+
102+ - exactly 72 hours stale: not yet in Trust Mode
103+ - greater than 72 hours stale: Trust Mode active
104+
105+ ### Allowed Actions in Trust Mode
106+
107+ Only in Trust Mode, active members can unanimously approve:
108+
109+ 1 . manual ` max_flow_rate_per_hour ` update for a meter
110+ 2 . manual cycle pause (` is_paused = true ` ) for a meter
111+
112+ Outside Trust Mode these manual emergency actions revert.
113+
114+ ### Member Eligibility and Unanimity
115+
116+ - Members are addresses registered through ` register_active_user() `
117+ - Membership is tracked uniquely per address
118+ - Proposal creator auto-approves their proposal
119+ - Additional approvals are counted once per member
120+ - Execution requires ` approval_count == active_member_count `
121+
122+ ### Oracle Recovery Assumption
123+
124+ - When oracle heartbeat becomes healthy again, new emergency proposals and approvals are blocked
125+ - Already executed emergency actions remain in state (no automatic rollback)
126+
127+ This keeps fallback narrowly scoped to catastrophic oracle inactivity without weakening normal oracle-driven behavior.
79128
80129## Testing
81130
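Review bot: the gate is described inconsistently between line 112 and line 124: line 112 says the manual emergency actions "revert" outside Trust Mode, while line 124 lists only new proposals and approvals as blocked once the heartbeat is healthy, so it is unclear whether `execute_emergency_action()` on an already fully approved proposal is also gated on `is_trust_mode()`; state the execution rule explicitly, because that call is what actually writes `max_flow_rate_per_hour` or sets `is_paused = true`. Two further points for the Member Eligibility section: it does not say who may call `register_active_user()`, and because execution requires `approval_count == active_member_count`, every new registration is an effective veto over an in-flight recovery proposal (and a contract with a single member executes on the proposer's auto-approval alone), so the access control on registration belongs in this section; and line 98 makes Trust Mode active whenever no oracle address is configured, meaning a freshly deployed contract has the emergency path open until the oracle is set, which should be called out next to the Activation Rule together with who is allowed to configure the oracle address.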