Once RecoverClient (#15) lands, the admin-gated entry points should be callable via a govDAO proposal callback instead of (or in addition to) a single admin address.
Functions that should support a govDAO callback
core.RecoverClient(subjectClientID, substituteClientID string) — the reason admin gating was introduced (see r/aib/ibc/core/client.gno).core.UpgradeClient(...) — still a stub. In ibc-go this is gov-only (MsgIBCSoftwareUpgrade + MsgUpgradeClient). Should use the same callback pattern.core.SetAdmin / core.AddRelayer / core.RemoveRelayer — already admin-gated in admin.gno; routing them through govDAO makes the whitelist auditable on-chain.
Not in scope
CreateClient, UpdateClient, RegisterCounterparty, packet ops (SendPacket/RecvPacket/Acknowledgement/Timeout) — high-frequency relayer operations, keep the relayer whitelist.TMLightClient.VerifyUpgradeAndUpdateState — internal helper of UpgradeClient, no separate auth.
Design notes
ensureAdminCaller() currently compares runtime.OriginCaller() to a single admin address. Extending it to also accept a govDAO proposal executor would let a single gate cover all functions listed above.- Consider whether the admin address should remain as an emergency bootstrap / fallback or be removed entirely once govDAO is wired.
Once
RecoverClient(#15) lands, the admin-gated entry points should be callable via a govDAO proposal callback instead of (or in addition to) a single admin address.Functions that should support a govDAO callback
core.RecoverClient(subjectClientID, substituteClientID string)— the reason admin gating was introduced (seer/aib/ibc/core/client.gno).core.UpgradeClient(...)— still a stub. In ibc-go this is gov-only (MsgIBCSoftwareUpgrade+MsgUpgradeClient). Should use the same callback pattern.core.SetAdmin/core.AddRelayer/core.RemoveRelayer— already admin-gated inadmin.gno; routing them through govDAO makes the whitelist auditable on-chain.Not in scope
CreateClient,UpdateClient,RegisterCounterparty, packet ops (SendPacket/RecvPacket/Acknowledgement/Timeout) — high-frequency relayer operations, keep the relayer whitelist.TMLightClient.VerifyUpgradeAndUpdateState— internal helper ofUpgradeClient, no separate auth.Design notes
ensureAdminCaller()currently comparesruntime.OriginCaller()to a singleadminaddress. Extending it to also accept a govDAO proposal executor would let a single gate cover all functions listed above.