Wallet and Custody Control Planes

This note narrows the broader control-surfaces and permissions-and-policy lenses to wallet, custody, treasury, and delegated-execution stacks.

The key question is not just who holds keys? but where does practical authority accumulate after setup?

Questions worth asking:

• Does authority live in onchain account logic, in workflow software, or in an operator-managed signer stack?
• Who controls approvals, whitelists, recoveries, policy engines, or routing defaults?
• Which parts stay legible onchain, and which disappear into service boundaries?

Canonical comparison set

• Visible onchain account substrate: safe, squads, and erc-4337
• Hierarchy or policy extension above that substrate: palmera and candide
• Institutional custody-policy operators: fireblocks and bitgo
• App-owned signer and embedded-wallet operators: privy, turnkey, and coinbase-developer-platform
• Relay and session contrast where authority lives in connectivity defaults rather than direct custody: walletconnect and reown
• Chain-operator contrast where the execution venue is distinct from the wallet or policy stack around it: base

Keep these surfaces separate

• Onchain account substrate is where the account logic itself stays comparatively legible.
• Hosted signer / policy surface is where durable leverage moves into offchain approval systems, enclaves, recovery flows, or operator dashboards.
• Session / relay surface matters when the sticky authority is the wallet-app connection rail, namespace grammar, verification layer, or app-kit default rather than the signer backend itself.
• Approval-hygiene and transaction-review surface is adjacent but separate; warning overlays are not the same thing as signer or custody control.
• Execution venue is the chain-facing destination, which should not be collapsed into the wallet or policy stack steering activity toward it.

Useful traversal questions

• Is the durable authority object an account, a workflow system, an MPC enclave, a relay session, or an approval graph?
• Which vendor becomes the practical choke point even when the asset authority looks decentralized?
• Does the product move power onchain, or simply move it into nicer middleware?
• Are we flattening chain venue, wallet substrate, hosted signer, and relay infrastructure into one wallet bucket?

Adjacent lenses

• control-surfaces
• permissions-and-policy
• wallet-connectivity
• operator-and-admin