# Overview Tapio implements a sophisticated multi-layered governance system designed for institutional-grade protocol management. The governance architecture separates concerns across specialized roles, each with specific permissions and constraints, ensuring secure parameter management while enabling efficient day-to-day operations. The following diagram illustrates the governance structure ![Tapio governance layer (1).png](https://2380600999-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkZe9aCILjSj7IlQ2HV3d%2Fuploads%2Fgit-blob-f3f947fce0d312b5046d2ff54a03c9cded55281d%2Ftapio-governance.png?alt=media) ### **Governance Roles** Tapio's governance system consists of five distinct roles, each designed for specific operational responsibilities: #### **Protocol Owner** The Protocol Owner maintains upgrade authority over all protocol contracts through Beacon proxy patterns. This cold storage multisig is used exclusively for protocol-wide upgrades and emergency pause overrides, typically activated only during major version updates or critical security responses. **Key Permissions:** * Upgrade all contracts via Beacon implementations * Emergency pause override across all SPAs * Transfer upgrade authority #### **Governor** The Governor manages business logic and economic parameters through timelock-controlled actions. This role sets parameter boundaries and manages fee structures while operating within Protocol Owner oversight. **Key Permissions:** * Set parameter boundaries in ParameterRegistry (absolute caps and relative ranges) * Adjust all fee types (swap, mint, redeem, off-peg multipliers) * Configure decay periods and volatility settings * Grant and revoke operational roles (Curator, Guardian) #### **Curator** The Curator handles day-to-day parameter optimization, specifically focused on amplification coefficient management. This role operates without timelock delays for responsive market management. **Key Permissions:** * Initiate A coefficient ramping within Governor-approved bounds * Adjust A values based on market conditions * Monitor and respond to exchange rate provider data **Constraints:** * Cannot exceed absolute caps set in ParameterRegistry * Limited to relative change ranges defined by Governor * All actions must pass Keeper bounds checking #### **Guardian** The Guardian provides emergency response capabilities with immediate effect but limited scope. This role can be automated for rapid incident response. **Key Permissions:** * Pause individual SPAs immediately * Cancel ongoing A coefficient ramping * Monitor protocol health and trigger emergency procedures **Constraints:** * Cannot unpause SPAs (requires Protocol Owner approval) * No parameter adjustment capabilities * Limited to emergency response functions only