When the key is gone, the identity is not.
Sigil binds identity to a root anchor, not to one signing key. When a controller key is lost, a four-state on-chain ceremony rotates the key under guardian threshold, timelock, and an offline panic-abort key. No operator override. No exception path.
The key is gone
Identity is held in custody. Losing the key would mean losing the agent.
A device wipes. A seed is forgotten. A phone is stolen. On most chains the account dies with the key. Sigil binds identity to a root anchor, not to one signing key — and the chain knows how to rotate the controller without trusting any intermediary.
Step 1 · RegisterRecovery
RegisterRecovery names the guardians.
At wallet setup the owner names M guardian DIDs, a threshold N, a timelock window, and an offline panic key. The chain anchors the configuration. The constellation is now stamped on chain — dark stars waiting in a known pattern.
Step 2 · InitiateRecovery
InitiateRecovery starts the ceremony.
Whoever holds the new public key opens a Pending ceremony with the subject DID and the proposed controller. The chain stamps `initiated_at_height`, computes `finalize_after_height`, and fires notification events to every channel the owner ever bound.
Step 3 · AddRecoveryAuthorization
AddRecoveryAuthorization brightens each star.
Each guardian signs `(ceremony_id, new_pubkey)` with their registered Ed25519 key and submits the signature on-chain. Duplicates are rejected. Unregistered signers are rejected. Every accepted authorization lights one star.
Threshold met
The threshold lights the path.
When N-of-M stars are lit the chain traces a constellation line between them and through the dimmed identity at the centre. The ceremony is now willing to finalize — but not yet able. The timelock has not yet expired.
Step 4 · Timelock
Timelock — dawn approaches.
The default window is 30 days, user-adjustable in [7, 90]. While the sky is dark the owner can still abort with the panic key or the original (still-valid) controller. Every notification channel rings. The timelock kills timing attacks against unattended owners.
Step 5 · FinalizeRecovery
FinalizeRecovery rotates the pubkey and the agent wakes up.
When the timelock expires and the threshold holds, any signer can submit FinalizeRecovery. The new controller pubkey binds to the subject DID, a RecoveryFinalized event is emitted, and the agent wakes up under new custody. No operator override. No exception path. The chain is the protocol.
Five typed transactions
Recovery is a protocol, not a service.
RegisterRecovery configures the guardian set. InitiateRecovery opens the ceremony. AddRecoveryAuthorization accumulates signatures. AbortRecovery is the panic-key escape hatch. FinalizeRecovery rotates the controller pubkey. Every step is a typed transaction; every transition is on-chain.
| tx | effect | payload |
|---|---|---|
RegisterRecovery | Anchor guardian set, threshold, timelock, and panic pubkey. | guardians, threshold N, timelock_blocks, panic_pubkey_hex |
InitiateRecovery | Open a Pending ceremony with the proposed new pubkey. | subject_did, new_pubkey_hex |
AddRecoveryAuthorization | Submit one guardian signature over (ceremony_id, new_pubkey). | ceremony_id, guardian_did, signature_hex |
AbortRecovery | Panic key or original controller cancels the ceremony. | ceremony_id, abort_sig_hex |
FinalizeRecovery | Rotate controller pubkey after timelock + threshold. | ceremony_id |
Four states · one escape hatch
The chain enforces every transition.
None → Registered → Pending → Ready → Finalized. AbortRecovery short-circuits Pending or Ready back to a clean Registered. There is no fast path, no admin recovery, no support inbox that can rotate the controller. The validator set itself cannot bypass the flow.
A lost key is not a lost identity.
Configure recovery at wallet setup. Name your guardians. Stash a panic key offline. The chain handles the rest, exactly the same way for every user.