1  # Admin-Driven Upgrades
 2  In many production scenarios, developers will want to deploy a program that is upgradable by a designated administrator.
 3  Leo provides a configuration for this use case.
 4  
 5  Be sure to review the **Security Practices** section.
 6  
 7  ## Initializing the Project
 8  You may either use the existing `admin` project
 9  ```
10  > cd admin
11  ```
12  or create a new Leo project with the following command:
13  ```
14  > leo new admin
15  ```
16  
17  ## The Program
18  
19  ```leo
20  program admin_example.alpha {
21      @admin(address="aleo1rhgdu77hgyqd3xjj8ucu3jj9r2krwz6mnzyd80gncr5fxcwlh5rsvzp9px")
22      async constructor() {}
23      
24      transition main(public a: u32, b: u32) -> u32 {
25          let c: u32 = a + b;
26          return c;
27      }
28  
29      // Uncomment me to test the upgrade.
30      // transition foo() {}
31  }
32  ```
33  
34  In this example, we annotate the `constructor` with the `@admin` annotation.
35  The `"address"` field is the address of the administrator.
36  The private key associated with this address must sign the deployment transaction associated with upgrade.
37  
38  The Leo compiler will generate AVM code that checks that the program's owner is the administrator.
39  If a program is deployed by a different address, the constructor will fail to execute, and the deployment will be rejected.
40  
41  ## Deploying the Program
42  ```
43  > leo deploy --broadcast
44  .
45  .
46  .
47  🔧 You program 'admin_example.alpha' has the following constructor.
48  ──────────────────────────────────────────────
49  constructor:
50  assert.eq program_owner aleo1rhgdu77hgyqd3xjj8ucu3jj9r2krwz6mnzyd80gncr5fxcwlh5rsvzp9px;
51  ──────────────────────────────────────────────
52  Once it is deployed, it CANNOT be changed.
53  .
54  .
55  .
56  ```
57  
58  If we query the network, we can see that the deployment transaction has been accepted.
59  ```
60  leo query transaction at13226r67fxkf66qlrug4vp06yme4sw4n36f5ujcc8fzfkc6y78uys5yatra
61  ```
62  
63  ## Upgrading the Program
64  To test the upgrade functionality, we can try to deploy the same program again.
65  You may also try to modify the program to add a new function.
66  Please refer to the [documentation](https://docs.leo-lang.org/guides/upgradability) for more details on what constitutes a valid upgrade.
67  
68  First, let's attempt to upgrade the program using a different private key.
69  We will use this private key: `APrivateKey1zkp2RWGDcde3efb89rjhME1VYA8QMxcxep5DShNBR6n8Yjh`, whose address is `aleo1s3ws5tra87fjycnjrwsjcrnw2qxr8jfqqdugnf0xzqqw29q9m5pqem2u4t`.
70  We can verify that this address has a balance by querying the network.
71  ```
72  leo query program credits.alpha --mapping-value account aleo1s3ws5tra87fjycnjrwsjcrnw2qxr8jfqqdugnf0xzqqw29q9m5pqem2u4t
73  ```
74  
75  First, modify the source code by adding a `transition` of your choice.
76  Now, if we run 
77  ```
78  > leo upgrade --broadcast --private-key APrivateKey1zkp2RWGDcde3efb89rjhME1VYA8QMxcxep5DShNBR6n8Yjh
79  ```
80  we will find that the transaction is rejected.
81  
82  Now if we run
83  ```
84  > leo upgrade --broadcast
85  ```
86  we will find that the transaction is accepted. 
87  We can verify that the program has been upgraded by querying the network.
88  ```
89  leo query program admin_example.alpha
90  ```
91  
92  ## Security Practices
93  - The administrator's private key must be kept secure and not shared with anyone.
94  - We recommend that deployment transactions are signed offline and broadcasted to the network using a secure method.
95  
96  In the `admin` directory, you'll find a Rust CLI utility `sign-deployment` which can be used to sign deployment transactions with a separate private key.
97  
98  This can be especially useful if you are storing your admin key on a separate, air-gapped machine.