Sync asset-scoped jurisdiction governance updates

config/gru-governance-supervision-profile.json

@@ -57,9 +57,6 @@
       "EXECUTOR_ROLE",
       "CANCELLER_ROLE",
       "UPGRADER_ROLE"
-    ],
-    "deprecatedGovernanceRoles": [
-      "JURISDICTION_TAGGER_ROLE"
     ]
   },
   "storageNamespaces": {
@@ -82,9 +79,14 @@
     "assetScopeRequiredForUpgradeSensitiveChanges": true,
     "jurisdictionDerivedFromRegistryAssetState": true,
     "queueRequiresJurisdictionApprovalWhenFlagged": true,
+    "jurisdictionTransitionRequiresBothAuthorities": true,
     "defaultMinimumUpgradeNoticePeriodSeconds": 604800,
     "approvalSource": "UniversalAssetRegistry.jurisdictionAuthorities",
     "proposalEntryPoint": "GovernanceController.proposeForAsset",
+    "jurisdictionPolicyEntryPoints": [
+      "UniversalAssetRegistry.setDerivedJurisdictionProfile",
+      "UniversalAssetRegistry.setDerivedJurisdictionAuthority"
+    ],
     "metadataExecutionSurface": "GovernanceController.execute -> token/registry governanceController-only setters",
     "manualJurisdictionTaggingAllowed": false,
     "minimumReviewData": [

docs/04-configuration/GRU_STORAGE_GOVERNANCE_AND_SUPERVISION_STANDARD.md

@@ -49,13 +49,16 @@ This creates one place to express supervisory expectations without hardcoding a
 
 - Governance proposals are created per asset through `GovernanceController.proposeForAsset`.
 - The jurisdiction review id, review-required flag, and minimum notice period are derived from `UniversalAssetRegistry` state for that asset instead of being manually tagged afterward.
+- Jurisdiction-policy changes in the registry are executed through asset-derived registry entry points so the affected jurisdiction is still anchored to a concrete registered asset.
 - When the derived asset profile is jurisdiction-review-sensitive, a proposal cannot be queued until at least one authorized jurisdictional authority has approved it.
+- If a proposal changes an asset’s primary jurisdiction, it must collect approval from both the current jurisdiction and the destination jurisdiction before queueing.
 - The queue delay must respect the larger of:
   - the proposal’s governance-mode timelock
   - the asset’s derived minimum upgrade notice period, including stronger jurisdiction defaults from the registry
 - Asset-scoped proposals can only target:
   - the asset contract itself
   - registry calls whose scoped asset argument matches the proposal asset
+  - asset-derived registry jurisdiction entry points that resolve policy updates from that same proposal asset
 
 This is now enforced in the shared governance controller, so “upgradeability” is not only a proxy question but also a policy and supervision workflow question.
 

scripts/validation/validate-config-files.sh

@@ -53,6 +53,7 @@ if $DRY_RUN; then
   echo "=== Validation (--dry-run: would check) ==="
   echo "  REQUIRED_FILES: ${REQUIRED_FILES:-<default: config/ip-addresses.conf, .env.example, token-mapping*.json, gru-transport-active.json, gru-iso4217-currency-manifest.json, gru-governance-supervision-profile.json>}"
   echo "  OPTIONAL_ENV: ${OPTIONAL_ENV:-<empty; set VALIDATE_OPTIONAL_ENV for Proxmox API vars>}"
+  echo "  config/xdc-zero: validate-xdc-zero-config.sh (when config/xdc-zero exists)"
   exit 0
 fi
 
@@ -381,6 +382,14 @@ NODE
         and (.roles.governanceRoles | type == "array")
         and (.storageNamespaces | type == "object")
         and (.proposalPolicy.defaultMinimumUpgradeNoticePeriodSeconds | type == "number")
+        and (.proposalPolicy.assetScopeRequiredForUpgradeSensitiveChanges == true)
+        and (.proposalPolicy.jurisdictionDerivedFromRegistryAssetState == true)
+        and (.proposalPolicy.jurisdictionTransitionRequiresBothAuthorities == true)
+        and (.proposalPolicy.proposalEntryPoint == "GovernanceController.proposeForAsset")
+        and (.proposalPolicy.manualJurisdictionTaggingAllowed == false)
+        and (.proposalPolicy.jurisdictionPolicyEntryPoints | type == "array")
+        and (.emergencyPolicy.manualAdminPathsRemainAvailable == true)
+        and ((.emergencyPolicy.authorizedRoles | index("EMERGENCY_ADMIN_ROLE")) != null)
       ' "$PROJECT_ROOT/config/gru-governance-supervision-profile.json" &>/dev/null; then
         log_ok "gru-governance-supervision-profile.json: top-level structure is valid"
       else
@@ -554,6 +563,24 @@ if command -v check-jsonschema &>/dev/null && [[ -x "$SCRIPT_DIR/validate-dbis-i
   fi
 fi
 
+if command -v node &>/dev/null && [[ -f "$PROJECT_ROOT/scripts/verify/validate-address-registry-xe-aliases.mjs" ]]; then
+  if node "$PROJECT_ROOT/scripts/verify/validate-address-registry-xe-aliases.mjs" &>/dev/null; then
+    log_ok "DBIS institutional web3_eth_iban (XE) example aliases"
+  else
+    log_err "DBIS institutional web3_eth_iban validation failed (validate-address-registry-xe-aliases.mjs)"
+    ERRORS=$((ERRORS + 1))
+  fi
+fi
+
+if command -v check-jsonschema &>/dev/null && [[ -x "$SCRIPT_DIR/validate-naming-convention-registry-examples.sh" ]]; then
+  if SCHEMA_STRICT=1 bash "$SCRIPT_DIR/validate-naming-convention-registry-examples.sh" &>/dev/null; then
+    log_ok "Naming conventions registry examples (UTRNF / DBIS token-registry-entry schema)"
+  else
+    log_err "Naming conventions registry example validation failed (see validate-naming-convention-registry-examples.sh)"
+    ERRORS=$((ERRORS + 1))
+  fi
+fi
+
 if [[ -f "$PROJECT_ROOT/config/smart-contracts-master.json" ]] && command -v jq &>/dev/null && [[ -x "$SCRIPT_DIR/validate-explorer-chain138-inventory.sh" ]]; then
   if bash "$SCRIPT_DIR/validate-explorer-chain138-inventory.sh" &>/dev/null; then
     log_ok "Explorer address-inventory Chain 138 vs smart-contracts-master.json"
@@ -563,6 +590,15 @@ if [[ -f "$PROJECT_ROOT/config/smart-contracts-master.json" ]] && command -v jq
   fi
 fi
 
+if [[ -d "$PROJECT_ROOT/config/xdc-zero" ]] && [[ -x "$SCRIPT_DIR/validate-xdc-zero-config.sh" ]]; then
+  if bash "$SCRIPT_DIR/validate-xdc-zero-config.sh" &>/dev/null; then
+    log_ok "config/xdc-zero/*.json (parse)"
+  else
+    log_err "config/xdc-zero JSON parse failed (validate-xdc-zero-config.sh)"
+    ERRORS=$((ERRORS + 1))
+  fi
+fi
+
 if [[ $ERRORS -gt 0 ]]; then
   log_err "Validation failed with $ERRORS error(s). Set VALIDATE_REQUIRED_FILES='path1 path2' to require specific files."
   exit 1