The flow
validate CPI. Every fund movement is metered by a charge_fees CPI. The claim_fees path is a payout, not a charge.
The security triangle
A manager never signs as the vault. Instead:

create_tx
The manager proposes a CPI (target program, accounts, data) stored in a Transaction PDA. The core fires validate(Creation) — the policy can inspect the proposal before it’s allowed to exist.

Two PDAs, separate duties

| PDA | Seeds | Role |
|---|---|---|
| vault.authority | [vault] | Signs outbound capital and executed CPIs |
| vault_share_signer | ["vault_share_signer", vault] | Owns the vault token account, mints/burns LP shares |
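
The two derivations in the table, worked through as an added example (not the project's own code): Solana's program-derived-address search reimplemented in plain Python with the seeds listed above. The program id and vault key are constructed placeholders, and `derive_vault_pdas` is a hypothetical helper name. Both results are off the ed25519 curve, so no private key exists for either address and only the deriving program can sign for them.

```python
import hashlib

P = 2**255 - 19                                  # ed25519 field prime
D = (-121665 * pow(121666, P - 2, P)) % P        # ed25519 curve constant d


def is_on_curve(key: bytes) -> bool:
    """True if the 32 bytes decode to an ed25519 point (a private key could exist)."""
    y = (int.from_bytes(key, "little") & ((1 << 255) - 1)) % P   # drop the sign bit
    u, v = (y * y - 1) % P, (D * y * y + 1) % P                  # x^2 = u / v
    return pow(u * v % P, (P - 1) // 2, P) != P - 1              # Euler: is u/v a square?


def find_program_address(seeds, program_id: bytes):
    """Walk bumps 255..0 and return the first off-curve address with its bump."""
    for bump in range(255, -1, -1):
        h = hashlib.sha256(b"".join(seeds) + bytes([bump]) + program_id
                           + b"ProgramDerivedAddress").digest()
        if not is_on_curve(h):
            return h, bump
    raise ValueError("no off-curve address for these seeds")


# Constructed 32-byte placeholders, not real keys or program ids.
CORE_PROGRAM = hashlib.sha256(b"constructed core program id").digest()
VAULT = hashlib.sha256(b"constructed vault account").digest()


def derive_vault_pdas(vault: bytes, program_id: bytes):
    """Hypothetical helper: derive both PDAs from the seeds in the table."""
    authority = find_program_address([vault], program_id)
    share_signer = find_program_address([b"vault_share_signer", vault], program_id)
    return authority, share_signer


if __name__ == "__main__":
    (auth, auth_bump), (signer, signer_bump) = derive_vault_pdas(VAULT, CORE_PROGRAM)
    print("vault.authority    ", auth.hex(), auth_bump)
    print("vault_share_signer ", signer.hex(), signer_bump)
```
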
Pluggability
A vault’s entire economic and authorization configuration is just two on-chain pubkeys plus their config accounts:

- policy_program — who may do what
- fee_calc_program — how much is charged