Skip to main content
FlowGuard contracts enforce access control with BCH signature checks against contract parameters or mutable NFT state. There is no separate on-chain role registry. The contract itself decides which key or caller is valid for each function.

Role Definitions

RoleHow identified
Senderhash160(pubkey) == senderHash compiled into bytecode
Authorityhash160(pubkey) == authorityHash compiled into bytecode
Recipienthash160(pubkey) == recipient_hash from NFT commitment
Vault Signerhash160(pubkey) matches one of the stored vault signer hashes
M-of-N Signersrequired signer subset validated by the treasury covenant
All N Signersevery registered signer participates in the same transition
Permissionlessany caller may submit the valid transaction when contract conditions are met

Streaming Covenants

FunctionVestingCovenantRecurringPaymentCovenant
claim()Recipient,
pay(),Permissionless
complete()Permissionless after end,
pause()SenderSender
resume()SenderSender
cancel()Sender if cancelableSender if cancelable
transfer()Recipient if transferable,
refill(),Sender

Distribution Covenants

FunctionAirdropGrantBountyReward
claim()Permissionless submission with claim-authority co-sign,Authority co-sign,
releaseMilestone(),Authority,,
reward(),,,Authority
pause()AuthorityAuthorityAuthorityAuthority
resume()AuthorityAuthorityAuthorityAuthority
cancel()Authority if cancelableAuthority if cancelableAuthority if cancelableAuthority if cancelable
transfer(),Recipient if transferable,,

Treasury Covenants

FunctionVaultCovenantProposalCovenant
spend()M-of-N vault signers,
unlockPeriod()any single vault signer,
approve(),registered vault signer
execute(),permissionless after timelock
cancel(),M-of-N vault signers
expire(),permissionless after deadline
pause()any single vault signer,
resume()M-of-N vault signers,
emergencyLock()all registered signers,

Governance Covenants

FunctionVoteLockCovenant
reclaim()voter after unlockTimestamp
earlyReclaim()voter after final proposal state is known

What the Backend Cannot Do

The backend API and indexer do not get special contract privileges. They cannot:
  • spend from a covenant without the right signer set
  • override caps, schedules, or allowlists
  • cancel non-cancelable state
  • redirect payouts to unauthorized recipients
When a function is permissionless, the backend is only one possible caller. Any third party can also submit the valid transaction if the covenant conditions are satisfied.