# Governance and Admin Scope

> Role-based control with explicit limits. Admin keys can operate and protect the system but are intentionally constrained.

## Roles

| Role | Can Do | Cannot Do |
|------|--------|-----------|
| **Owner** | Set bounded params, toggle idle, withdraw protocol fees, emergency steps, strategy slippage, 2-step owner transfer | Exceed hard caps; disable emergency once enabled; swap loan manager/strategy; rescue collateral/debt via generic rescue |
| **Gov** | Propose/execute/cancel swapper change via timelock; 2-step gov transfer | Move user funds; bypass timelock |
| **Public** | `rebalance()`, `harvestYield()`, `accrueYieldFees()` | Change config/roles; privileged emergency actions |

## Timelock

- **Scope today**: swapper changes only.
- **Delay**: 1 week (`TIMELOCK_DELAY`).
- **Flow**: `proposeSwapper()` → wait → `executeSwapper()` or `cancelSwapper()`.
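The flow above as a small reference model for tests and monitoring, an added example that is not the protocol's contract code. It assumes that only gov may call the three functions (per the Roles table), that a new proposal replaces a pending one and restarts the delay, and that execution is allowed from exactly `TIMELOCK_DELAY` after the proposal; the Python names and the `attempt` helper are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

TIMELOCK_DELAY = 7 * 24 * 3600  # 1 week in seconds, per the page


class TimelockError(Exception):
    """Raised when the model rejects a call."""


@dataclass
class SwapperTimelock:
    gov: str
    swapper: str
    pending: Optional[str] = None
    eta: Optional[int] = None  # earliest timestamp at which execute may succeed

    def _only_gov(self, caller: str) -> None:
        if caller != self.gov:
            raise TimelockError("caller is not gov")

    def propose_swapper(self, caller: str, new_swapper: str, now: int) -> None:
        self._only_gov(caller)
        # Assumption: re-proposing overwrites the pending value and restarts the wait.
        self.pending, self.eta = new_swapper, now + TIMELOCK_DELAY

    def execute_swapper(self, caller: str, now: int) -> None:
        self._only_gov(caller)
        if self.pending is None:
            raise TimelockError("nothing pending")
        # Assumption: the boundary is inclusive (now == eta succeeds).
        if now < self.eta:
            raise TimelockError("timelock not elapsed")
        self.swapper, self.pending, self.eta = self.pending, None, None

    def cancel_swapper(self, caller: str) -> None:
        self._only_gov(caller)
        if self.pending is None:
            raise TimelockError("nothing pending")
        self.pending, self.eta = None, None


def attempt(fn, *args) -> str:
    """Run one call and return 'ok' or the rejection reason."""
    try:
        fn(*args)
        return "ok"
    except TimelockError as exc:
        return str(exc)
```

Replaying observed `proposeSwapper()` and `executeSwapper()` calls through a model like this gives a monitor a simple invariant: the active swapper never changes less than one week after the matching proposal.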

## Hard Limits in Code

```
MIN_TARGET_LTV       = 15%
MAX_TARGET_LTV       = 65%
MAX_FEE_RATE         = 20%
MAX_REBALANCE_BOUNTY = 50%
MAX_VAULT_SLIPPAGE   = 10%
TIMELOCK_DELAY       = 1 week
```

## Emergency Authority

- `enterEmergencyMode()` — one-way latch.
- `emergencyStep(step)` — staged unwind.
- `emergencySkipStep(step)` — mark blocked steps resolved if external dependency fails.
- `rescueAssets(token, recipient)` — cannot rescue collateral or debt asset.

## Role Transfers

`transferRole(role, to)` → pending holder calls `acceptRole(role)`. Two-step to reduce accidental handoff risk.