metaDAOproject
diff --git a/‎CLAUDE.md‎
Lines changed: 17 additions & 9 deletions b/‎CLAUDE.md‎
Lines changed: 17 additions & 9 deletions
diff --git a/‎programs/futarchy/src/instructions/initiate_vault_spend_optimistic_proposal.rs‎
Lines changed: 102 additions & 88 deletions b/‎programs/futarchy/src/instructions/initiate_vault_spend_optimistic_proposal.rs‎
Lines changed: 102 additions & 88 deletions
diff --git a/‎sdk/src/v0.7/FutarchyClient.ts‎
Lines changed: 48 additions & 14 deletions b/‎sdk/src/v0.7/FutarchyClient.ts‎
Lines changed: 48 additions & 14 deletions
@@ -196,13 +196,7 @@ await client
 
 Do NOT use `advanceBySlots()` for this purpose - it changes the clock which may affect time-dependent tests.
 
-**Token amounts in tests:** Use easy-to-read round numbers like hundreds or thousands of tokens. Our standard mint decimals is 6, so:
-- 100 tokens = `100_000_000` (100 * 10^6)
-- 1,000 tokens = `1_000_000_000` (1000 * 10^6)
-
-This makes test assertions and calculations much easier to verify at a glance.
-
-**Isolating tests during development:** When developing or debugging tests, use `.only` to run only the tests you're working on:
+**Isolating tests during development:** When writing or editing tests, ALWAYS add `.only` to the `describe`/`it` block you're working on before running. This keeps feedback fast and output clean. Once your changes pass, remove `.only` and run the full suite (`anchor test --skip-build`) to confirm nothing else broke.
 
 ```typescript
 // Run only this specific test
@@ -216,8 +210,6 @@ describe.only("#split_tokens", function () {
 });
 ```
 
-This significantly speeds up iteration and makes test output easier to read. Remember to remove `.only` before finishing development.
-
 **Assertion messages:** Do not include assertion messages for better readability. The assertion itself should be clear enough:
 
 ```typescript
@@ -231,6 +223,22 @@ assert.equal(recipientBalance.toString(), "500000000", "Recipient should have 50
 
 Exceptions: Keep messages in `expectError()` calls and `assert.fail()` within try-catch blocks, since those are part of error handling patterns and help identify which check failed.
 
+
+**Token amounts in tests:** Use easy-to-read round numbers like hundreds or thousands of tokens. Our standard mint decimals is 6, so:
+- 100 tokens = `100_000_000` (100 * 10^6)
+- 1,000 tokens = `1_000_000_000` (1000 * 10^6)
+
+This makes test assertions and calculations much easier to verify at a glance.
+
+### Solana Reentrancy Guard
+The Solana runtime prevents a program from appearing more than once in the same CPI stack. This affects two patterns in our codebase:
+
+1. **futarchy → squads → futarchy** (e.g., admin-executing a DAO config change): Futarchy cannot CPI into Squads to execute a vault transaction whose inner instructions CPI back into futarchy. Workaround: futarchy only approves/validates the Squads transaction, then the client executes it as a separate top-level transaction.
+
+2. **squads → futarchy → squads** (e.g., a team multisig that is itself a Squads wallet): If a Squads-initiated transaction calls a futarchy instruction that needs to CPI into Squads, the runtime will reject it. Workaround: have futarchy validate pre-created Squads accounts on-chain instead of creating them via CPI.
+
+When designing instructions that involve Squads CPIs, check whether either pattern applies and flag it early. The general solution is: split the operation across multiple transactions — validate/approve in one, execute in another.
+
 ## SDK Usage
 
 ```typescript
 
@@ -8,7 +8,7 @@ pub struct InitiateVaultSpendOptimisticProposalParams {
 #[derive(Accounts)]
 #[event_cpi]
 pub struct InitiateVaultSpendOptimisticProposal<'info> {
-    #[account(mut, seeds = [squads_multisig_program::SEED_PREFIX, squads_multisig_program::SEED_MULTISIG, dao.key().as_ref()], bump, seeds::program = squads_program)]
+    #[account(seeds = [squads_multisig_program::SEED_PREFIX, squads_multisig_program::SEED_MULTISIG, dao.key().as_ref()], bump, seeds::program = squads_program)]
     pub squads_multisig: Account<'info, squads_multisig_program::Multisig>,
 
     /// CHECK: The squads multisig vault that executes the transaction
@@ -18,35 +18,26 @@ pub struct InitiateVaultSpendOptimisticProposal<'info> {
     #[account(seeds = [squads_multisig_program::SEED_PREFIX, squads_multisig.key().as_ref(), squads_multisig_program::SEED_SPENDING_LIMIT, dao.key().as_ref()], bump, seeds::program = squads_program)]
     pub squads_spending_limit: Account<'info, squads_multisig_program::SpendingLimit>,
 
-    /// CHECK: Squads multisig proposal, initialized by squads multisig program, checked by squads multisig program
-    #[account(mut)]
-    pub squads_proposal: UncheckedAccount<'info>,
+    #[account(constraint = squads_proposal.multisig == squads_multisig.key() @ FutarchyError::InvalidTransaction)]
+    pub squads_proposal: Account<'info, squads_multisig_program::Proposal>,
 
-    /// CHECK: Squads multisig vault transaction, initialized by squads multisig program, checked by squads multisig program
-    #[account(mut)]
-    pub squads_vault_transaction: UncheckedAccount<'info>,
-
-    #[account(address = permissionless_account::id())]
-    pub squads_multisig_permissionless_account: Signer<'info>,
+    #[account(constraint = squads_vault_transaction.multisig == squads_multisig.key() @ FutarchyError::InvalidTransaction)]
+    pub squads_vault_transaction: Account<'info, squads_multisig_program::VaultTransaction>,
 
     #[account(mut, has_one = squads_multisig, has_one = squads_multisig_vault)]
     pub dao: Box<Account<'info, Dao>>,
-    #[account(mut, associated_token::mint = dao.quote_mint, associated_token::authority = dao.squads_multisig_vault)]
+    #[account(associated_token::mint = dao.quote_mint, associated_token::authority = dao.squads_multisig_vault)]
     pub dao_quote_vault_account: Account<'info, TokenAccount>,
 
     // Only the team can initiate an optimistic proposal
-    #[account(mut, address = dao.team_address)]
+    #[account(address = dao.team_address)]
     pub proposer: Signer<'info>,
 
     /// CHECK: Used for constraints
     pub recipient: UncheckedAccount<'info>,
-    #[account(mut, associated_token::mint = dao.quote_mint, associated_token::authority = recipient)]
+    #[account(associated_token::mint = dao.quote_mint, associated_token::authority = recipient)]
     pub recipient_quote_account: Account<'info, TokenAccount>,
 
-    #[account(mut)]
-    pub payer: Signer<'info>,
-
-    pub system_program: Program<'info, System>,
     pub squads_program: Program<'info, squads_multisig_program::program::SquadsMultisigProgram>,
     pub token_program: Program<'info, Token>,
 }
@@ -85,6 +76,97 @@ impl InitiateVaultSpendOptimisticProposal<'_> {
             FutarchyError::InvalidAmount
         );
 
+        // Validate the squads proposal is Active
+        require!(
+            matches!(
+                self.squads_proposal.status,
+                squads_multisig_program::ProposalStatus::Active { .. }
+            ),
+            FutarchyError::InvalidSquadsProposalStatus
+        );
+
+        // Validate the proposal references the vault transaction
+        require_eq!(
+            self.squads_proposal.transaction_index,
+            self.squads_vault_transaction.index,
+            FutarchyError::InvalidTransaction
+        );
+
+        // Validate the vault transaction message contains exactly the expected SPL transfer
+        let message = &self.squads_vault_transaction.message;
+
+        // Must have exactly 1 instruction
+        require!(
+            message.instructions.len() == 1,
+            FutarchyError::InvalidTransaction
+        );
+
+        let instruction = &message.instructions[0];
+
+        // Program ID must be SPL Token
+        let program_id = message
+            .account_keys
+            .get(instruction.program_id_index as usize)
+            .ok_or(error!(FutarchyError::InvalidTransaction))?;
+        require_keys_eq!(
+            *program_id,
+            self.token_program.key(),
+            FutarchyError::InvalidTransaction
+        );
+
+        // Instruction data must be a Transfer: discriminator [3] + amount as u64 LE (9 bytes total)
+        require!(
+            instruction.data.len() == 9,
+            FutarchyError::InvalidTransaction
+        );
+        require!(instruction.data[0] == 3, FutarchyError::InvalidTransaction);
+        let encoded_amount = u64::from_le_bytes(
+            instruction.data[1..9]
+                .try_into()
+                .map_err(|_| error!(FutarchyError::InvalidTransaction))?,
+        );
+        require_eq!(
+            encoded_amount,
+            params.amount,
+            FutarchyError::InvalidTransaction
+        );
+
+        // Validate the transfer accounts: source, destination, authority
+        require!(
+            instruction.account_indexes.len() >= 3,
+            FutarchyError::InvalidTransaction
+        );
+
+        let source = message
+            .account_keys
+            .get(instruction.account_indexes[0] as usize)
+            .ok_or(error!(FutarchyError::InvalidTransaction))?;
+        require_keys_eq!(
+            *source,
+            self.dao_quote_vault_account.key(),
+            FutarchyError::InvalidTransaction
+        );
+
+        let destination = message
+            .account_keys
+            .get(instruction.account_indexes[1] as usize)
+            .ok_or(error!(FutarchyError::InvalidTransaction))?;
+        require_keys_eq!(
+            *destination,
+            self.recipient_quote_account.key(),
+            FutarchyError::InvalidTransaction
+        );
+
+        let authority = message
+            .account_keys
+            .get(instruction.account_indexes[2] as usize)
+            .ok_or(error!(FutarchyError::InvalidTransaction))?;
+        require_keys_eq!(
+            *authority,
+            self.squads_multisig_vault.key(),
+            FutarchyError::InvalidTransaction
+        );
+
         Ok(())
     }
 
@@ -97,86 +179,18 @@ impl InitiateVaultSpendOptimisticProposal<'_> {
             squads_multisig_vault,
             squads_spending_limit: _,
             squads_proposal,
-            squads_vault_transaction,
+            squads_vault_transaction: _,
             dao,
-            payer: _,
-            system_program,
             event_authority: _,
             program: _,
-            squads_program,
+            squads_program: _,
             proposer,
             recipient: _,
             recipient_quote_account,
-            squads_multisig_permissionless_account,
-            token_program,
+            token_program: _,
             dao_quote_vault_account,
         } = ctx.accounts;
 
-        // Prepare the transfer instruction
-        let transfer_ix = anchor_spl::token::spl_token::instruction::transfer(
-            &token_program.key(),
-            &dao_quote_vault_account.key(),
-            &recipient_quote_account.key(),
-            &squads_multisig_vault.key(),
-            &[&squads_multisig_vault.key()],
-            params.amount,
-        )?;
-
-        // Compile the transaction message in Squads' format
-        let transaction_message =
-            compile_squads_transaction_message(&squads_multisig_vault.key(), &[transfer_ix])?;
-
-        let transaction_message_bytes = transaction_message.try_to_vec()?;
-
-        let dao_nonce = &dao.nonce.to_le_bytes();
-        let dao_creator_key = dao.dao_creator.as_ref();
-        let dao_seeds = &[b"dao".as_ref(), dao_creator_key, dao_nonce, &[dao.pda_bump]];
-
-        let dao_signer = &[&dao_seeds[..]];
-
-        // Create the squads transaction
-        squads_multisig_program::cpi::vault_transaction_create(
-            CpiContext::new(
-                squads_program.to_account_info(),
-                squads_multisig_program::cpi::accounts::VaultTransactionCreate {
-                    creator: squads_multisig_permissionless_account.to_account_info(),
-                    multisig: squads_multisig.to_account_info(),
-                    rent_payer: proposer.to_account_info(),
-                    system_program: system_program.to_account_info(),
-                    transaction: squads_vault_transaction.to_account_info(),
-                },
-            ),
-            squads_multisig_program::VaultTransactionCreateArgs {
-                ephemeral_signers: 0,
-                vault_index: 0,
-                transaction_message: transaction_message_bytes,
-                memo: None,
-            },
-        )?;
-
-        // Reload the squads multisig account to get the latest transaction index
-        squads_multisig.reload()?;
-        let transaction_index = squads_multisig.transaction_index;
-
-        // Create the squads proposal
-        squads_multisig_program::cpi::proposal_create(
-            CpiContext::new_with_signer(
-                squads_program.to_account_info(),
-                squads_multisig_program::cpi::accounts::ProposalCreate {
-                    creator: squads_multisig_permissionless_account.to_account_info(),
-                    multisig: squads_multisig.to_account_info(),
-                    rent_payer: proposer.to_account_info(),
-                    system_program: system_program.to_account_info(),
-                    proposal: squads_proposal.to_account_info(),
-                },
-                dao_signer,
-            ),
-            squads_multisig_program::ProposalCreateArgs {
-                transaction_index,
-                draft: false,
-            },
-        )?;
-
         // Update the DAO state
         let clock = Clock::get()?;
 
 
@@ -53,6 +53,7 @@ import {
 import { ConditionalVaultClient } from "./ConditionalVaultClient.js";
 import {
   createAssociatedTokenAccountIdempotentInstruction,
+  createTransferInstruction,
   getAssociatedTokenAddressSync,
   unpackMint,
   TOKEN_PROGRAM_ID,
@@ -1160,6 +1161,48 @@ export class FutarchyClient {
       index: transactionIndex,
     })[0];
 
+    const daoQuoteVaultAccount = getAssociatedTokenAddressSync(
+      quoteMint,
+      squadsMultisigVault,
+      true,
+    );
+    const recipientQuoteAccount = getAssociatedTokenAddressSync(
+      quoteMint,
+      recipient,
+      true,
+    );
+
+    // Build the SPL token transfer instruction for the vault transaction
+    const transferIx = createTransferInstruction(
+      daoQuoteVaultAccount,
+      recipientQuoteAccount,
+      squadsMultisigVault,
+      BigInt(amount.toString()),
+    );
+
+    const transactionMessage = new TransactionMessage({
+      payerKey: payer,
+      recentBlockhash: "",
+      instructions: [transferIx],
+    });
+
+    const vaultTxCreate = multisig.instructions.vaultTransactionCreate({
+      multisigPda,
+      transactionIndex,
+      creator: PERMISSIONLESS_ACCOUNT.publicKey,
+      rentPayer: payer,
+      vaultIndex: 0,
+      ephemeralSigners: 0,
+      transactionMessage,
+    });
+
+    const proposalCreate = multisig.instructions.proposalCreate({
+      multisigPda,
+      transactionIndex,
+      creator: PERMISSIONLESS_ACCOUNT.publicKey,
+      rentPayer: payer,
+    });
+
     return this.autocrat.methods
       .initiateVaultSpendOptimisticProposal({ amount })
       .accounts({
@@ -1168,32 +1211,23 @@ export class FutarchyClient {
         squadsSpendingLimit,
         squadsProposal,
         squadsVaultTransaction,
-        squadsMultisigPermissionlessAccount: PERMISSIONLESS_ACCOUNT.publicKey,
         dao,
-        daoQuoteVaultAccount: getAssociatedTokenAddressSync(
-          quoteMint,
-          squadsMultisigVault,
-          true,
-        ),
+        daoQuoteVaultAccount,
         proposer,
         recipient,
-        recipientQuoteAccount: getAssociatedTokenAddressSync(
-          quoteMint,
-          recipient,
-          true,
-        ),
-        payer,
-        systemProgram: SystemProgram.programId,
+        recipientQuoteAccount,
         squadsProgram: SQUADS_PROGRAM_ID,
         tokenProgram: TOKEN_PROGRAM_ID,
       })
       .preInstructions([
         createAssociatedTokenAccountIdempotentInstruction(
           payer,
-          getAssociatedTokenAddressSync(quoteMint, recipient, true),
+          recipientQuoteAccount,
           recipient,
           quoteMint,
         ),
+        vaultTxCreate,
+        proposalCreate,
       ]);
   }