ClearSignClearSign

Documentation

ClearSign docs

ClearSign adds a human-readable, hash-locked approval layer to Squads multisig treasuries on Solana. No more blind-signing — every proposal is readable, tamper-evident, and time-boxed before it reaches the chain.

Squads v4Solana mainnetSHA-256 locked

How it works

Most multisig tools show signers a transaction blob and ask them to approve. ClearSign flips that — the proposal is written in plain English first, cryptographically locked, and only then submitted to Squads for on-chain execution.

1
Create

A team member fills out a proposal: title, amount, asset, recipient, threshold, and TTL. The app serializes it into a canonical JSON object.

2
Lock

A SHA-256 hash is computed over the canonical proposal. This fingerprint means if anything in the proposal changes, the hash changes.

3
Share

The creator gets a /p/[token] link. Any listed signer opens it, reads the proposal in plain English, and verifies the hash before signing.

4
Sign

Each signer connects their wallet and signs the hash. Signatures are collected on the share page and shown in real time.

5
Execute

Once the threshold is met, any signer initiates the Squads on-chain transaction. Funds move from the vault to the recipient.

Why this mattersBlind-signing is how treasury attacks succeed. A signer who doesn't know what they're approving is the weakest link. ClearSign makes "I didn't know what I signed" impossible.

Web app

The web app lives at app.clearsign.fun/create. Six sections accessible from the left sidebar.

Dashboard

All proposals you created, filtered by status. Each row links to the share page.

Members

Create teams, add members with roles, deploy a Squads multisig, or import one by vault PDA.

Treasury

Live vault balances — SOL and SPL tokens with USD values. Links to Solana Explorer.

Proposals

The proposal workbench. Fill details, preview the locked hash, save, and get a share link.

Policy

Spending limits, program rules, signing time windows, recipient allowlist. Admin only.

Activity

Chronological log — proposals saved, members changed, policy updated, transfers executed.

Connect your wallet

Click Connect wallet on any page. ClearSign supports Phantom, Backpack, Solflare, and any wallet that implements the Solana wallet standard. Sessions are stored in a signed HTTP-only cookie — no private key ever leaves the browser.

Roles

Founder

Full access — members, policy, and proposals.

Admin

Manage members and policy. Create proposals.

Signer

Sign and execute proposals. No policy access.

Viewer

Read-only access to proposals and treasury.

Import a Squads multisig

If your team already has a Squads v4 multisig, paste the vault PDA in Members → Import multisig. ClearSign fetches the member list on-chain and links the vault to your team so you can create proposals and execute transfers from the existing vault.

Vault PDA vs Multisig PDAThe vault PDA holds funds. The multisig PDA is the governance account. You can find both in Squads under your multisig settings.

Creating proposals

Go to Proposals in the sidebar. The workbench has two panels — the form on the left, and the locked preview on the right.

1
Fill in the details

Title, description, amount, asset (USDC, SOL, any SPL token), recipient wallet, and who is requesting the transfer.

2
Set threshold and TTL

Choose how many signatures are required and how long the proposal stays valid. After TTL expires it can no longer be signed.

3
Select a team

Picking a team auto-fills the signers list from members and pre-sets the threshold. You can also add signers manually.

4
Save and share

Click Save. ClearSign computes the SHA-256 hash and gives you a /p/[token] share link to send to signers.

Templates

Save any proposal as a template for recurring payments — payroll, vendor invoices, grants. Templates are stored locally and load with one click to pre-fill the form.

Import and verify

Switch to Import & Verifyto paste a proposal JSON from another ClearSign user. The app recomputes the SHA-256 hash client-side and confirms it matches the embedded hash before loading. If the hash doesn't match, the proposal was tampered with.

Signing & executing

Share the /p/[token] link with your signers. They only need the link and a Solana wallet — no workbench login required.

What signers see

The share page shows the proposal in plain English — title, amount, recipient, threshold, expiry countdown, and a policy review checklist. The SHA-256 hash is displayed prominently. Signers can download the raw JSON and verify the hash independently.

What is being signedSigners sign the message Sign ClearSign proposal\nHash: [sha256]\nID: [id]. This is a wallet message — it does not authorize any on-chain transaction on its own. The actual transfer only happens in the Execute step.

Executing the transfer

Once threshold is met, the Execute Transfer panel appears for teams with a Squads multisig connected.

1
Initiate

Creates the vault transaction on Squads and casts the first on-chain approval. Requires a wallet signature.

2
Approve

Each remaining signer clicks Add My Approval. Each approval is an on-chain Squads transaction.

3
Execute

Once all approvals are collected, any signer executes the transfer. Funds move from the vault on-chain.

Audit trail

Every event — created, signed, approved, executed — is recorded with wallet addresses and timestamps. Executed transfers link directly to Solscan.

Policy & rules

Admins and Founders configure spending rules in the Policy tab. Rules are enforced at proposal creation and shown in the policy review checklist on every share page.

Spending limits

Max SOL and max USD per transaction. Proposals exceeding these limits are blocked at creation.

Program rules

Allow or block specific on-chain programs. Require ClearSign-decoded programs only, or block specific program IDs.

Active signing window

Restrict signing to specific UTC hours. Prevents late-night or weekend approvals being pushed through.

Recipient allowlist

Named addresses that can receive funds. If non-empty, proposals to unlisted addresses are blocked. Names appear as a dropdown in the proposal form.

Role-gatedOnly Admin and Founder roles can view or change policy. Signers and Viewers cannot access the Policy tab.

Security model

SHA-256 hash locking

The proposal body is canonicalized — keys sorted alphabetically, no whitespace — before hashing. Any two users computing the hash of the same proposal get the same result. If a single character changes after creation, the hash changes and import verification fails.

Anomaly detection

ClearSign monitors signing patterns and flags suspicious behavior in the policy review checklist.

Speed signing

All required sigs collected in under 10 seconds. Looks automated or coerced. Can be configured to auto-void.

Off-hours

A signature collected outside the team's configured business hours window.

High value

Transfer amount exceeds the configured threshold and requires extra scrutiny.

Single process

Multiple signatures share identical millisecond timestamps — one process may have signed for multiple signers.

What ClearSign cannot do

ClearSign does not custody funds, hold private keys, or move money unilaterally. Funds stay in the Squads vault at all times. ClearSign only submits a transaction to Squads when a signer explicitly clicks Execute Transfer with their wallet connected.

CLI reference

For teams that want to create and verify proposals outside the browser. Every command runs locally — no keys ever leave the machine.

Terminal
$ npm install -g clearsign
clearsign propose

Build a new proposal JSON with a SHA-256 hash and explicit expiry.

--title
Human-readable description
--asset
Token symbol (USDC, SOL, …)
--amount
Quantity to transfer
--to
Recipient address or .sol name
--ttl
Time-to-live, e.g. 30m, 2h
--signers
Comma-separated signer public keys
--threshold
Minimum signatures required
clearsign review

Print a human-readable summary and verify the hash matches the contents.

<file>
Path to proposal.json
clearsign sign

Sign the proposal hash and append the signature to the output file.

<file>
Path to proposal.json
--key
Path to key (default: ~/.clearsign/keys/default)
--out
Output path (default: proposal.signed.json)
clearsign gate

Run enforcement checks: hash integrity, TTL, anomaly detection, allowlist. Exits non-zero on failure.

<file>
Path to proposal.signed.json
--policy
Path to policy config (optional)

SDK

Embed ClearSign proposal verification inside your own treasury app or execution service.

Terminal
$ npm install clearsign

buildProposal

TypeScript
import { buildProposal } from "clearsign";

const proposal = await buildProposal({
  title:      "Monthly Treasury Rebalance",
  asset:      "USDC",
  amount:     150_000,
  to:         "vault.sol",
  ttlSeconds: 1800,
  signers:    ["alice.sol", "bob.sol"],
  threshold:  2,
});

// proposal.hash      — SHA-256 of canonical JSON
// proposal.expiresAt — ISO timestamp

ExecutionGate

TypeScript
import { ExecutionGate } from "clearsign";

const gate   = new ExecutionGate({ policy: "./policy.json" });
const result = await gate.check(signedProposal);

if (!result.ok) throw new Error(result.errors.join(", "));
await execute(signedProposal);

Proposal schema

Every proposal is a deterministically serialized JSON object. The SHA-256 hash is computed over the canonical form — keys sorted alphabetically, no whitespace.

JSON
{
  "version":      "clearsign-web/v1",
  "title":        "Pay auditors",
  "description":  "Transfer 10,000 USDC for Q2 security audit.",
  "action":       "transfer",
  "chain":        "solana:mainnet",
  "amount":       { "value": "10000", "asset": "USDC" },
  "recipient":    "auditors.sol",
  "recipientName":"Auditors",
  "requester":    "ops-team",
  "threshold":    { "required": 2, "total": 3 },
  "signers":      ["alice.sol", "bob.sol", "carol.sol"],
  "createdAt":    "2026-06-01T10:00:00.000Z",
  "expiresAt":    "2026-06-01T10:30:00.000Z",
  "proposalHash": "8f3c9a2b4d1ef7a03c..."
}
versionstringSchema version — clearsign-web/v1
titlestringHuman-readable proposal title shown to signers
descriptionstringFull description of the intent
actionstringAlways transfer for the current schema
chainstringsolana:mainnet or solana:devnet
amountobject{ value, asset } — transfer amount and token symbol
recipientstringRecipient wallet address or .sol name
recipientNamestring?Optional human-readable name for the recipient
requesterstringWho is requesting the transfer
thresholdobject{ required, total } — signature threshold
signersstring[]Authorized signer names or wallet addresses
createdAtISO 8601Proposal creation timestamp
expiresAtISO 8601Hard expiry — cannot be signed after this time
proposalHashsha256SHA-256 of the canonical proposal body