This document is a repository-grounded view of the current PrivateDAO codebase and the execution path ahead. It distinguishes between:
- implemented and verified
- implemented but not yet fully evidenced
- active development targets
- the next closure required before stronger production claims
It exists to keep roadmap language, live surfaces, reviewer packets, and repository reality aligned while making the engineering strategy legible to reviewers, investors, and community supporters.
PrivateDAO is being built as production-intent privacy and governance infrastructure. The operating posture is simple: keep the work legible, keep the product verifiable, and keep raising the technical standard until each serious tranche makes the system stronger, easier to trust, and closer to mainnet-grade readiness. That is the tone this document is meant to preserve.
This verification covers:
- Solana program modularization
- protocol traits and deduplication
- multisig and custody evidence
- ZK and privacy surfaces
- FHE and confidential settlement claims
- API, SDK, and live service claims
- Kamino, Jupiter, and Solflare integration posture
- tests, coverage, CI, and docs
- public UX changes visible to ordinary users
- Solana program modularization is real:
- The Anchor program compiles after the modularization refactor.
- Pure protocol helpers now have direct Rust unit coverage and pass.
- Browser-wallet Devnet proof exists for create DAO, create proposal, commit vote, and related lifecycle captures.
- The public Next.js surface is live and wallet-first on
/,/start, and/govern. - The SDK already contains Poseidon-based commitment and nullifier helpers:
- ZK circuits exist in
zk/, with Circom artifacts, setup files, proofs, and sample inputs. - Confidential settlement and REFHE/MagicBlock rails exist in the program and reviewer surfaces.
- Solflare is present in runtime evidence, product copy, and wallet-path guidance.
- Multisig readiness packets, intake files, and review surfaces exist, but they still explicitly preserve a
pending-externalboundary.
- Production multisig closure
- authority transfer signatures and post-transfer readouts
- external audit closure
- standalone live API service under
services/api/ - gRPC server
- WebSocket server
- Kamino execution integration
- Jupiter swap execution integration
- FHE execution with a linked runtime library such as Zama
concrete - quantified coverage proof showing
>80% - complete Arabic i18n and RTL implementation across the product
These are not abstract wishes. They are the active execution lanes through which the product earns stronger trust, stronger support, and a more defensible path to first-place outcomes and long-horizon ecosystem relevance.
lib.rsis no longer the only source of instruction bodies.- Error definitions are centralized in
error.rs. - helper and validation logic are centralized in
utils.rs. - traits are defined in
traits.rs:VoteCommitmentProposalLifecycleTreasuryActionPolicy
- Treasury, voting, privacy, and DAO logic were split into dedicated modules.
- The traits exist and are used for some policy logic, but they do not yet replace all parallel feature variants or fully eliminate all versioned paths.
- The repository still contains V2 and V3 surfaces by design. They are not fully unified behind feature flags yet.
- Custody and multisig evidence scaffolding is real:
- Verification scripts exist for these evidence surfaces.
- The repository currently keeps production multisig closure in a
pending-externalboundary through the canonical custody proof and multisig intake surfaces. - The next step is to move from intake and ceremony planning into recorded authority-transfer signatures and post-transfer readouts.
- The requested
docs/custody-proof/ceremony shape has not yet been materialized as the canonical recorded path; current evidence lives in the existing custody and multisig docs set. - Upgrade-authority hardening is already framed operationally, and the remaining work is to turn that framing into signed custody evidence.
- Nullifier logic exists in the SDK:
- ZK assets exist in
zk/:- Circom circuits
- proving keys
- verification keys
- sample inputs
- generated proof files
- Privacy and proof-verification instruction paths exist in
privacy.rs.
- The current on-chain vote commitment function in
utils.rsstill uses:sha256(vote || salt || proposal || voter)- not the requested
sha256(vote || salt || nullifier || proposal_id)
- The immediate development target is to push nullifier semantics from SDK and proof artifacts into the live on-chain commitment path.
- Halo2 or zkVM-style expansion is still a forward engineering lane rather than a closed repository integration.
- The
zk/folder is real and useful today, and the next maturity step is to wire it into a clearer runtime integration path from the main program and tooling.
- REFHE-related structures and settlement rails exist in the program and docs.
- Validation and runtime proof surfaces reference encrypted payout posture.
- REFHE and encrypted settlement posture are already represented in the program and evidence surfaces.
- The next technical milestone is to move from evidence-gated encrypted settlement posture into a linked runtime library and demonstrable encrypted treasury execution path.
- There is a TypeScript SDK entrypoint:
- Hosted-read and telemetry reviewer surfaces exist in docs and UI.
- The current top-level
services/path is being used as a static exported site artifact, while the backend API lane remains the next build target. - The repository is ready for a real
services/api/implementation, but that service has not yet been cut over into a live backend project. - gRPC, WebSocket, and authenticated API delivery remain part of the next backend tranche rather than a closed repository service today.
- The current SDK posture is a top-level TypeScript SDK; the next step is to split that into productized JS and Rust SDK surfaces once the backend API contract is fixed.
- Solflare is present in:
- runtime evidence
- UI guidance
- product copy
- browser-wallet and real-device packets
- Solflare-based Devnet browser-wallet actions have real captured evidence in repository-generated artifacts.
- Solflare already has the strongest runtime posture among the three integrations through wallet guidance and capture evidence.
- Kamino and Jupiter remain active integration targets, with the next milestone being one executable end-to-end treasury scenario per protocol.
- The integration story is already prepared in product framing; the remaining work is to convert that framing into captured Devnet execution and then stable product UI.
- Rust unit tests now exist in:
- TypeScript integration suites exist in:
- GitHub Actions exist under
.github/.
- This tranche improved direct Rust test coverage materially, but did not yet produce a formal coverage report.
- The next validation step is to extract a reproducible coverage artifact and enforce it in CI for the newly modularized program surfaces.
- The public product is already structured around:
- first product view
- start flow
- govern flow
- proof / trust / live state
- The first product view already explains:
- FHE / REFHE
- ZK
- MagicBlock
- Fast RPC
- and maps them to product services
- The public UX already moved toward a clearer wallet-first flow and technology-to-service explanation.
- Arabic localization, explicit RTL plumbing, and a fuller guided mode remain active product-UX targets.
- FAQ and direct feedback are being added as part of the public-surface hardening path rather than treated as separate marketing-only assets.
The following were executed successfully during the current reform work:
cd PrivateDAO
cargo test -p private-dao --lib -- --nocapture
cargo check -p private-dao
git diff --checkObserved result:
17Rust unit tests passed- the program still compiles after modularization and added tests
- remaining warnings are mostly Anchor macro
unexpected cfgnoise and a deprecatedreallocwarning
What can be claimed honestly now:
- the program modularization is real
- the protocol helpers and lifecycle logic now have direct Rust unit coverage
- browser-wallet Devnet governance flow is evidenced
- ZK and privacy artifacts exist in the repository
- custody and multisig review surfaces exist
What is being actively developed before stronger production claims:
- production multisig closure
- final upgrade-authority transfer evidence
- external audit closure
- live Kamino and Jupiter execution integrations
- a real hosted API platform like Helius-style infrastructure
- fully linked FHE treasury execution
- full Arabic localization and RTL completion
- Build a real backend service under
services/api/or stop describing it as implemented. - Either wire nullifier semantics into the live on-chain commitment path or soften any claim that this is already enforced on-chain.
- Convert custody from
pending-externalintake to real signed authority-transfer evidence. - Implement one real DeFi integration end-to-end, starting with Jupiter or Solflare, before claiming a multi-protocol DeFi layer.
- Add a reproducible coverage report and make CI fail on regressions for the new protocol modules.
PrivateDAO is in a stronger state than a loose prototype, but it is not yet in the state implied by a completed mainnet-grade backend, finished custody hardening, deployed multisig ceremony, or production DeFi integrations.
That distinction is part of the strategy, not a weakness: the repository already carries enough structure and evidence to support credible review, and the next engineering goal is to convert the remaining targets into signed, tested, and reviewable proof with the right technical support, ecosystem backing, and execution capital.