---
taskmaster_id: "11"
status: "pending"
priority: "high"
depends_on: []
parent_id: ""
source: "taskmaster"
generated_at: "2026-05-28T11:49:27.076Z"
---

# 11 - Trezor signing for admin actions (release/refund/sweep)

- [ ] 11 - Trezor signing for admin actions (release/refund/sweep) #taskmaster #priority/high #status/pending ⏫ 🆔 tm-11

## Metadata

| Field | Value |
| --- | --- |
| Taskmaster ID | 11 |
| Status | pending |
| Priority | high |
| Dependencies | None |
| Parent | None |

## Description

Replace the hot-key admin signing flow with a WebUSB-based Trezor flow so the backend never holds a private key. All admin-side txes are built on the backend, signed via Trezor in the browser, and broadcast from the browser.

## Details

See PRD - Wallet, Multichain, Confirmations, AML, Trezor.md §5.

Lib: @trezor/connect-web (WebUSB; Chromium-only — Firefox users need the Trezor Bridge native helper).

Files: new frontend/src/web3/trezor/trezorConnector.ts wrapping @trezor/connect-web; existing admin actions (release/refund/sweep when #7 lands) get a 'Sign with Trezor' button that flows: POST /api/admin/actions/build-tx → returns unsigned tx bytes → send to Trezor → sign → wagmi sendTransaction broadcasts → POST /api/admin/actions/confirm-tx with hash; admin settings page to register Trezor address(es) (backend rejects signatures from unauthorized devices); audit log on every Trezor-signed action; break-glass hot-key path requires an explicit admin toggle, expires after 1h, and fires a Telegram alarm.

Open questions: m-of-n multi-admin signing — default single-signer for v1; Trezor One vs Model T — lib abstracts; fallback when Trezor unavailable — break-glass with alarm.

Acceptance: admin registers Trezor address; release flow uses Trezor end-to-end; backend rejects signatures from unregistered devices; audit log captures admin user + Trezor addr + tx hash + before/after escrow state; break-glass works and alarms.
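The backend side of the build-tx → sign → confirm-tx flow and the break-glass rule above, as an added TypeScript illustration (not project code): the class name, the in-memory stores, the single hot-key address and the injected clock/alarm callbacks are assumptions, and recovering the signer address from the broadcast transaction is assumed to happen elsewhere.

```typescript
// Added illustration, not project code. Backend-side admin-signing policy for the
// build-tx -> Trezor sign -> confirm-tx flow. Signer recovery from the broadcast tx is
// assumed to happen elsewhere; only the recovered address is passed in here.
type Action = "release" | "refund" | "sweep";

interface PendingTx { action: Action; adminUser: string; escrowBefore: string }

export interface AuditEntry {
  action: Action; adminUser: string; trezorAddr: string; txHash: string;
  escrowBefore: string; escrowAfter: string; viaBreakGlass: boolean; at: number;
}

const BREAK_GLASS_TTL_MS = 60 * 60 * 1000; // break-glass toggle expires after 1h

export class AdminSigningPolicy {
  private registered = new Set<string>();         // Trezor addresses from the admin settings page
  private pending = new Map<string, PendingTx>();  // action id -> what build-tx produced
  private breakGlassUntil = 0;
  readonly audit: AuditEntry[] = [];

  constructor(
    private hotKeyAddr: string,                          // assumed single break-glass hot-key address
    private now: () => number = () => Date.now(),
    private alarm: (msg: string) => void = () => {},     // stands in for the Telegram alarm
  ) {}

  registerTrezor(addr: string): void { this.registered.add(addr.toLowerCase()); }

  // POST /api/admin/actions/build-tx: record what is being signed; returns a stand-in for tx bytes.
  buildTx(id: string, action: Action, adminUser: string, escrowBefore: string): string {
    this.pending.set(id, { action, adminUser, escrowBefore });
    return `unsigned:${action}:${id}`;
  }

  enableBreakGlass(adminUser: string): void {
    this.breakGlassUntil = this.now() + BREAK_GLASS_TTL_MS;
    this.alarm(`break-glass hot key enabled by ${adminUser}`);
  }

  // POST /api/admin/actions/confirm-tx: reject unauthorized signers, audit everything else.
  confirmTx(id: string, signer: string, txHash: string, escrowAfter: string): AuditEntry {
    const p = this.pending.get(id);
    if (!p) throw new Error(`unknown action ${id}`);
    const s = signer.toLowerCase();
    const viaBreakGlass = s === this.hotKeyAddr.toLowerCase() && this.now() < this.breakGlassUntil;
    if (!this.registered.has(s) && !viaBreakGlass) throw new Error(`signer ${signer} not authorized`);
    this.pending.delete(id);
    const entry: AuditEntry = { ...p, trezorAddr: signer, txHash, escrowAfter, viaBreakGlass, at: this.now() };
    this.audit.push(entry);
    return entry;
  }
}
```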
Non-goals: mobile Trezor flow, buyer-side Trezor (buyer uses wagmi injected).

Dependencies: task #7 (ephemeral wallets) for the sweep step — but task #11 can ship the release/refund flows first.

This is task #11 in the PRD.

## Verification

_No verification strategy._