The Vault struct
policy_account points at the authorization program; the authority is the manager who can propose and execute transactions under that policy’s constraints.
The Transaction struct
did_execute is a one-shot replay guard.
PDAs explained
A Program-Derived Address is a deterministic Solana address derived from a program plus a seed — it has no private key, so only the owning program can sign for it. Hyro uses two distinct PDAs to separate duties:| PDA | Seeds | Role |
|---|---|---|
vault.authority | [vault] | Signs outbound capital and executed CPIs |
vault_share_signer | ["vault_share_signer", vault] | Owns the vault token account, mints/burns LP shares |
The non-custodial security triangle
A manager never signs as the vault. To act, the manager:Proposes via create_tx
Calls
create_tx with a proposed CPI — target program id, accounts, and instruction data — stored in a Transaction PDA. The core fires validate(Creation), which the policy may reject.Validation CPI
The validate interface, in detail.
Program topology
How the programs connect.