Authorization is delegated, per operation, to a vault’s configured policy. The same validate interface is implemented by eight interchangeable policies, hot-swappable via update_vault_policy (only while transactions are disabled).

The shipped policies

| Policy | Use case | Program ID |
| --- | --- | --- |
| policy_owners | Gate by an owner set stored in the policy PDA | HyroXELvGkzBwgKz2Fsz2XEMDM6TYupZZ1A9qAtEM9Qs |
| policy_manager_access | Manager-set gating for fund operations | Live on devnet |
| policy_multisig | On-chain M-of-N signature gating | Live on devnet |
| policy_limit_transfer | Min/max transfer bounds; drawdown / size cap | 7tSgfcgnfsPjogCSHP5BDe48vWFRMDddaC5KtEgsGvxb |
| policy_withdrawal_window | Restrict ProcessWithdrawals to periodic windows | Live on devnet |
| policy_challenges | The prop-firm challenge engine; authorizes oracle NAV reports | HyrowgoRRXfq1vwN5CTynd6keUAkm1kn2adRNqjTScwM |
| policy_allow_any | Permit all (testing) | xrs3my6WB4KNyc9g7H2LCKCmUXUFJydyr5Un9AFTD1t |
| policy_deny_all | Block all (emergency stop) | HmRxhUgc4rNR5dpzZvnBJYGUsL6a8w7keDr1hb8qAzCo |

What policies enforce on creation & execution

| Policy | On Creation | On Execution |
| --- | --- | --- |
| policy_owners | PDA check | require signer ∈ owners |
| policy_manager_access | require signer == admin | require signer == admin |
| policy_multisig | reject if a tx is pending; record pending + proposer’s bit | require set-bits ≥ threshold, then clear |
| policy_limit_transfer | PDA check | decode proposed amount; require min ≤ amount ≤ max |
| policy_allow_any | allow | allow |
| policy_deny_all | allow | reject (freeze) |

Rejections surface as typed errors: TransactionAlreadyPending, NotEnoughSigners, AmountTooHigh / AmountTooLow, UnauthorizedSender.
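
The policy_multisig and policy_limit_transfer rows above, modelled off-chain as an added example (not the project's code). The types, the `validate` signature, the proposer membership check and the `approve` co-signer step are all assumptions; the page only names the checks and the typed errors.

```rust
// Off-chain model of two rows of the table above. Every type, field and
// signature is an assumption; signers are member indices, not public keys.
#[derive(Debug, PartialEq)]
pub enum PolicyError { UnauthorizedSender, AmountTooLow, AmountTooHigh, TransactionAlreadyPending, NotEnoughSigners }
#[derive(Clone, Copy)]
pub enum Phase { Creation, Execution }
pub enum Policy {
    LimitTransfer { min: u64, max: u64 },
    // One approval bit per member (members <= 32); `pending` marks an open proposal.
    Multisig { members: u8, threshold: u32, bits: u32, pending: bool },
}

impl Policy {
    // `amount` is Some(..) only for operations that carry a transfer amount.
    pub fn validate(&mut self, phase: Phase, signer: u8, amount: Option<u64>) -> Result<(), PolicyError> {
        match (self, phase) {
            (Policy::LimitTransfer { min, max }, Phase::Execution) => match amount {
                Some(a) if a < *min => Err(PolicyError::AmountTooLow),
                Some(a) if a > *max => Err(PolicyError::AmountTooHigh),
                _ => Ok(()), // in bounds, or an operation this policy does not constrain
            },
            (Policy::LimitTransfer { .. }, Phase::Creation) => Ok(()), // PDA check not modelled
            (Policy::Multisig { members, bits, pending, .. }, Phase::Creation) => {
                if signer >= *members { return Err(PolicyError::UnauthorizedSender); } // assumed check
                if *pending { return Err(PolicyError::TransactionAlreadyPending); }
                *pending = true;
                *bits = 1u32 << signer; // overwrite, so stale approvals never carry over
                Ok(())
            }
            (Policy::Multisig { threshold, bits, pending, .. }, Phase::Execution) => {
                if bits.count_ones() < *threshold { return Err(PolicyError::NotEnoughSigners); }
                *bits = 0; // clear, so one set of approvals authorizes one execution
                *pending = false;
                Ok(())
            }
        }
    }
    // Assumed co-signer step: the page does not say how further bits are set.
    pub fn approve(&mut self, signer: u8) -> Result<(), PolicyError> {
        if let Policy::Multisig { members, bits, pending: true, .. } = self {
            if signer < *members { *bits |= 1u32 << signer; return Ok(()); }
        }
        Err(PolicyError::UnauthorizedSender)
    }
}

fn main() {
    let mut p = Policy::Multisig { members: 3, threshold: 2, bits: 0, pending: false };
    println!("{:?} {:?}", p.validate(Phase::Creation, 0, None), p.validate(Phase::Execution, 0, None));
}
```

The two state resets are the part worth reviewing in any real implementation: overwriting the bitmap on creation and clearing it on execution are what keep one round of approvals from authorizing more than one transaction.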

The challenge policy and the oracle

policy_challenges is special: it authorizes the oracle’s NAV reports. Its validate(Report) reads the ChallengeTemplate and requires template.admin == signer — so only the designated oracle (the template admin) may push NAV for a challenge-bound vault. This is what makes the oracle trustworthy.
Each policy constrains only the operations it cares about; the rest pass through. To enforce several constraints at once, a combinator policy (planned) fans out to multiple checks. A vault binds exactly one policy at a time.