docs(stack): add Trust model page

[Othryades]

Summary

New page: Trust model for the Stack tab. Source: Notion v0.1 draft.

What this covers

• Trust assumptions per component
• Admin keys and upgrade authority
• Trust assumptions per deployment model
• Failure modes and recovery
• What participants can independently verify

Cross-checked against linea-monorepo

✅ Verified

• Role names exist as declared in the contracts. OPERATOR_ROLE, SECURITY_COUNCIL_ROLE, VERIFIER_SETTER_ROLE, RATE_LIMIT_SETTER_ROLE are declared as bytes32 public constant in contracts/src/. DEFAULT_ADMIN_ROLE comes from OZ AccessControlUpgradeable (it is bytes32(0)), so no local declaration is expected. The PAUSE_*_ROLE / UNPAUSE_*_ROLE family is declared in contracts/src/security/pausing/.
• DEFAULT_ADMIN_ROLE cannot be assigned through __Permissions_init. Confirmed in contracts/src/security/access/PermissionsManager.sol:24-26: the initializer reverts with ZeroHashNotAllowed() when role is 0x0. The explicit assignment is in LineaRollupBase.sol:117-121 via _grantRole(DEFAULT_ADMIN_ROLE, _initializationData.defaultAdmin), with an in-code comment stating the permissions init purposefully does not allow it.
• Forced transactions disabled by default in coordinator config. config/coordinator/coordinator-config-v2.toml:257 has disabled = true under [forced-transactions].
• OpenZeppelin upgradeable proxy pattern. All upgradeable contracts inherit from @openzeppelin/contracts-upgradeable; deployment uses upgrades.deployProxy (transparent proxy + ProxyAdmin) per contracts/deploy/*.ts.

⚠️ Verification flags

1. AddressFilter wiring is on a feature branch, not main. The ForcedTransactionGateway contract that uses IAddressFilter lives on origin/feat/tx-gateway and related branches; it is not yet on main in linea-monorepo. The published contracts/abi/LineaRollupV8.0.abi references addressFilter, suggesting it is part of the v8.0 deployment artifact set. The page already states forced transactions are Not yet live; planned, which is consistent. Flagging for visibility.
2. A TimeLock governance contract exists in the repo. contracts/src/governance/TimeLock.sol wraps OZ TimelockController, and contracts/deploy/02_deploy_Timelock.ts deploys it. The page's claim that "there is no protocol-enforced timelock" remains accurate (the rollup proxy itself has no timelock check; the timelock is an operator-implemented governance contract that holds DEFAULT_ADMIN_ROLE), but you may want to mention the in-repo helper for completeness in a future revision.

🔗 Link adjustments

• The plan called for /protocol/contracts for the LineaRollup contracts reference, but that path does not exist on main. The canonical slug is /network/build/contracts. Used that instead. Build passes.
• The Notion draft linked distributed sequencing to a Vercel preview URL. The production page docs/stack/how-to/distributed-sequencing.mdx exists only on origin/maru-multi-validator, not on main. With onBrokenLinks: "throw" in docusaurus.config.js, linking would break the build, so the failure-modes table mentions "distributed sequencing (QBFT)" as plain text. Re-link once the page lands on main.

Build

yarn build passes locally.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
doc-linea	Ready	Preview, Comment	May 3, 2026 3:24pm