3. Workspace & Vault Topology

Workspace · Vault Account · Asset Wallet · Address: a 4-level hierarchy

Workspace = the top-level isolation and governance unit

Direct quote from user-roles.md, p.1: "Every workspace requires one (and only one) Owner to set up the Vault."

  • 1 workspace = 1 Owner, enforced by a DB UNIQUE constraint
  • 3 workspace types: hot / cold / Sandbox (Sandbox has a separate role model plus auto-approve)
  • Workspace-level operations: Freeze (O/A/NSA/SecAdmin), Policy changes (Q+O), Admin Quorum changes (Q+O), AML/Travel Rule configuration

CREATE TABLE workspaces (
  id              BINARY(16) PRIMARY KEY,
  type            ENUM('hot', 'cold', 'sandbox') NOT NULL,
  owner_user_id   BINARY(16) NOT NULL UNIQUE,        -- 1-Owner invariant
  name            VARCHAR(128) NOT NULL,
  region          ENUM('us', 'eu', 'eu2') NOT NULL,  -- 3-region SaaS
  aml_default     ENUM('fail-on-unknown', 'pass-on-unknown') NOT NULL,
  created_at      DATETIME(6) NOT NULL,
  frozen_at       DATETIME(6),                       -- Emergency Freeze
  frozen_by       BINARY(16),                        -- O / A / NSA / SecAdmin
  KEY (frozen_at)
);

CREATE TABLE workspace_freeze_events (
  -- append-only freeze/unfreeze history
  id              BINARY(16) PRIMARY KEY,
  workspace_id    BINARY(16) NOT NULL,
  event_type      ENUM('freeze', 'unfreeze') NOT NULL,
  actor_user_id   BINARY(16) NOT NULL,
  support_ticket_id VARCHAR(64),                     -- evidence that the unfreeze went through Support
  occurred_at     DATETIME(6) NOT NULL
);

Freeze effects (Stage 6 spec)

When a Freeze is triggered, every user role is forced to Viewer (Owner included). Blocked: transfers / address whitelisting / new fiat or exchange connections / P2P Network connections. Incoming transfers continue to be received. Unfreeze is Owner-only and goes via Fireblocks Support (not possible from the Console).
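The freeze state machine described above, as an added example that is not code from the page or from Fireblocks: an sqlite-compatible subset of the two tables above, with every role collapsing to Viewer while frozen_at is set, incoming transfers still allowed, and unfreeze accepted only from the Owner with a Support ticket reference. The role names, action names and the unfrozen permission matrix are assumptions.

```python
import sqlite3
import uuid
from datetime import datetime, timezone

# Constructed sqlite subset of the workspaces / workspace_freeze_events tables above.
SCHEMA = """
CREATE TABLE workspaces (id TEXT PRIMARY KEY, owner_user_id TEXT NOT NULL UNIQUE, frozen_at TEXT, frozen_by TEXT);
CREATE TABLE workspace_freeze_events (id TEXT PRIMARY KEY, workspace_id TEXT NOT NULL, event_type TEXT NOT NULL
  CHECK (event_type IN ('freeze', 'unfreeze')), actor_user_id TEXT NOT NULL, support_ticket_id TEXT, occurred_at TEXT NOT NULL);
"""
FREEZE_ROLES = {"owner", "admin", "nsa", "secadmin"}  # O / A / NSA / SecAdmin (assumed role names)
BLOCKED_WHEN_FROZEN = {"transfer", "whitelist_address", "connect_fiat_exchange", "connect_p2p"}

def new_workspace(owner_user_id):  # fresh in-memory DB holding one workspace; returns (db, workspace_id)
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    ws_id = uuid.uuid4().hex
    db.execute("INSERT INTO workspaces (id, owner_user_id) VALUES (?, ?)", (ws_id, owner_user_id))
    return db, ws_id

def is_frozen(db, ws_id):
    return db.execute("SELECT frozen_at FROM workspaces WHERE id = ?", (ws_id,)).fetchone()[0] is not None

def effective_role(db, ws_id, role):  # during a freeze every role, Owner included, is treated as Viewer
    return "viewer" if is_frozen(db, ws_id) else role

def may_perform(db, ws_id, role, action):
    if action == "receive_transfer":  # incoming transfers keep arriving while frozen
        return True
    if effective_role(db, ws_id, role) == "viewer":
        return action not in BLOCKED_WHEN_FROZEN  # Viewer keeps read-only access only
    return True  # assumption: the unfrozen permission matrix is out of scope here

def _log(db, ws_id, event_type, actor_id, ticket=None):  # append-only history row
    db.execute("INSERT INTO workspace_freeze_events VALUES (?, ?, ?, ?, ?, ?)",
               (uuid.uuid4().hex, ws_id, event_type, actor_id, ticket, datetime.now(timezone.utc).isoformat()))

def freeze(db, ws_id, actor_id, actor_role):
    if actor_role not in FREEZE_ROLES or is_frozen(db, ws_id):
        raise PermissionError("freeze: O/A/NSA/SecAdmin only, and only on an unfrozen workspace")
    db.execute("UPDATE workspaces SET frozen_at = ?, frozen_by = ? WHERE id = ?",
               (datetime.now(timezone.utc).isoformat(), actor_id, ws_id))
    _log(db, ws_id, "freeze", actor_id)

def unfreeze(db, ws_id, actor_id, actor_role, support_ticket_id):
    # Owner only, and only with a Support ticket reference: the Console cannot unfreeze.
    owner = db.execute("SELECT owner_user_id FROM workspaces WHERE id = ?", (ws_id,)).fetchone()[0]
    if actor_role != "owner" or actor_id != owner or not support_ticket_id or not is_frozen(db, ws_id):
        raise PermissionError("unfreeze: Owner via Fireblocks Support only")
    db.execute("UPDATE workspaces SET frozen_at = NULL, frozen_by = NULL WHERE id = ?", (ws_id,))
    _log(db, ws_id, "unfreeze", actor_id, support_ticket_id)
```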

Vault Account: the asset-holding unit

An asset-holding group inside a Workspace. Operational verbs in the permission table: create / rename / hide / unhide.

CREATE TABLE vault_accounts (
  id              BINARY(16) PRIMARY KEY,
  workspace_id    BINARY(16) NOT NULL,
  name            VARCHAR(128) NOT NULL,
  hidden          BOOLEAN NOT NULL DEFAULT FALSE,
  account_role    ENUM('treasury', 'client', 'intermediate',
                       'mint', 'burn', 'pause', 'deploy', 'upgrade',
                       'withdrawal', 'general') NOT NULL,
  created_by      BINARY(16) NOT NULL,
  created_at      DATETIME(6) NOT NULL,
  archived_at     DATETIME(6),                       -- hide is a soft-archive
  KEY (workspace_id, account_role)
);

Vault Structure patterns (Stage 9, vault-structure-best-practices.md)

  • Omnibus: a central vault plus an intermediate vault per client (works around the 1-address limit of account-based chains)
  • Segregated: per-client / per-team / per-operation vault accounts
  • Treasury vault: the most restrictive Policy
  • Smart contract per-op vaults: Mint / Burn / Pause / Deploy / Upgrade, with access restricted by Policy to privileged personnel only
  • Withdrawal vault round-robin: works around the EVM nonce / Bitcoin 25-chain limit

Sandbox Workspace specifics

  • Only 3 roles are provided (Non-Signing Admin / Editor / Viewer); the Owner role is performed by a backend service
  • All transactions auto-approve (the Policy flow itself is different)
  • When an API user is created, the CSR certificate is generated automatically in the browser
  • The Sandbox NSA has extra capabilities that do not exist on mainnet/testnet (user create/delete, 2FA reset, tx sign)