Documentation
ClearSign docs
ClearSign adds a human-readable, hash-locked approval layer to Squads multisig treasuries on Solana. No more blind-signing — every proposal is readable, tamper-evident, and time-boxed before it reaches the chain.
How it works
Most multisig tools show signers a transaction blob and ask them to approve. ClearSign flips that — the proposal is written in plain English first, cryptographically locked, and only then submitted to Squads for on-chain execution.
A team member fills out a proposal: title, amount, asset, recipient, threshold, and TTL. The app serializes it into a canonical JSON object.
A SHA-256 hash is computed over the canonical proposal. This fingerprint means if anything in the proposal changes, the hash changes.
The creator gets a /p/[token] link. Any listed signer opens it, reads the proposal in plain English, and verifies the hash before signing.
Each signer connects their wallet and signs the hash. Signatures are collected on the share page and shown in real time.
Once the threshold is met, any signer initiates the Squads on-chain transaction. Funds move from the vault to the recipient.
Web app
The web app lives at app.clearsign.fun/create. Six sections accessible from the left sidebar.
DashboardAll proposals you created, filtered by status. Each row links to the share page.
MembersCreate teams, add members with roles, deploy a Squads multisig, or import one by vault PDA.
TreasuryLive vault balances — SOL and SPL tokens with USD values. Links to Solana Explorer.
ProposalsThe proposal workbench. Fill details, preview the locked hash, save, and get a share link.
PolicySpending limits, program rules, signing time windows, recipient allowlist. Admin only.
ActivityChronological log — proposals saved, members changed, policy updated, transfers executed.
Connect your wallet
Click Connect wallet on any page. ClearSign supports Phantom, Backpack, Solflare, and any wallet that implements the Solana wallet standard. Sessions are stored in a signed HTTP-only cookie — no private key ever leaves the browser.
Roles
FounderFull access — members, policy, and proposals.
AdminManage members and policy. Create proposals.
SignerSign and execute proposals. No policy access.
ViewerRead-only access to proposals and treasury.
Import a Squads multisig
If your team already has a Squads v4 multisig, paste the vault PDA in Members → Import multisig. ClearSign fetches the member list on-chain and links the vault to your team so you can create proposals and execute transfers from the existing vault.
Creating proposals
Go to Proposals in the sidebar. The workbench has two panels — the form on the left, and the locked preview on the right.
Title, description, amount, asset (USDC, SOL, any SPL token), recipient wallet, and who is requesting the transfer.
Choose how many signatures are required and how long the proposal stays valid. After TTL expires it can no longer be signed.
Picking a team auto-fills the signers list from members and pre-sets the threshold. You can also add signers manually.
Click Save. ClearSign computes the SHA-256 hash and gives you a /p/[token] share link to send to signers.
Templates
Save any proposal as a template for recurring payments — payroll, vendor invoices, grants. Templates are stored locally and load with one click to pre-fill the form.
Import and verify
Switch to Import & Verifyto paste a proposal JSON from another ClearSign user. The app recomputes the SHA-256 hash client-side and confirms it matches the embedded hash before loading. If the hash doesn't match, the proposal was tampered with.
Signing & executing
Share the /p/[token] link with your signers. They only need the link and a Solana wallet — no workbench login required.
What signers see
The share page shows the proposal in plain English — title, amount, recipient, threshold, expiry countdown, and a policy review checklist. The SHA-256 hash is displayed prominently. Signers can download the raw JSON and verify the hash independently.
Sign ClearSign proposal\nHash: [sha256]\nID: [id]. This is a wallet message — it does not authorize any on-chain transaction on its own. The actual transfer only happens in the Execute step.Executing the transfer
Once threshold is met, the Execute Transfer panel appears for teams with a Squads multisig connected.
Creates the vault transaction on Squads and casts the first on-chain approval. Requires a wallet signature.
Each remaining signer clicks Add My Approval. Each approval is an on-chain Squads transaction.
Once all approvals are collected, any signer executes the transfer. Funds move from the vault on-chain.
Audit trail
Every event — created, signed, approved, executed — is recorded with wallet addresses and timestamps. Executed transfers link directly to Solscan.
Policy & rules
Admins and Founders configure spending rules in the Policy tab. Rules are enforced at proposal creation and shown in the policy review checklist on every share page.
Spending limitsMax SOL and max USD per transaction. Proposals exceeding these limits are blocked at creation.
Program rulesAllow or block specific on-chain programs. Require ClearSign-decoded programs only, or block specific program IDs.
Active signing windowRestrict signing to specific UTC hours. Prevents late-night or weekend approvals being pushed through.
Recipient allowlistNamed addresses that can receive funds. If non-empty, proposals to unlisted addresses are blocked. Names appear as a dropdown in the proposal form.
Security model
SHA-256 hash locking
The proposal body is canonicalized — keys sorted alphabetically, no whitespace — before hashing. Any two users computing the hash of the same proposal get the same result. If a single character changes after creation, the hash changes and import verification fails.
Anomaly detection
ClearSign monitors signing patterns and flags suspicious behavior in the policy review checklist.
Speed signingAll required sigs collected in under 10 seconds. Looks automated or coerced. Can be configured to auto-void.
Off-hoursA signature collected outside the team's configured business hours window.
High valueTransfer amount exceeds the configured threshold and requires extra scrutiny.
Single processMultiple signatures share identical millisecond timestamps — one process may have signed for multiple signers.
What ClearSign cannot do
ClearSign does not custody funds, hold private keys, or move money unilaterally. Funds stay in the Squads vault at all times. ClearSign only submits a transaction to Squads when a signer explicitly clicks Execute Transfer with their wallet connected.
CLI reference
For teams that want to create and verify proposals outside the browser. Every command runs locally — no keys ever leave the machine.
$ npm install -g clearsignclearsign proposeBuild a new proposal JSON with a SHA-256 hash and explicit expiry.
--title- Human-readable description
--asset- Token symbol (USDC, SOL, …)
--amount- Quantity to transfer
--to- Recipient address or .sol name
--ttl- Time-to-live, e.g. 30m, 2h
--signers- Comma-separated signer public keys
--threshold- Minimum signatures required
clearsign reviewPrint a human-readable summary and verify the hash matches the contents.
<file>- Path to proposal.json
clearsign signSign the proposal hash and append the signature to the output file.
<file>- Path to proposal.json
--key- Path to key (default: ~/.clearsign/keys/default)
--out- Output path (default: proposal.signed.json)
clearsign gateRun enforcement checks: hash integrity, TTL, anomaly detection, allowlist. Exits non-zero on failure.
<file>- Path to proposal.signed.json
--policy- Path to policy config (optional)
SDK
Embed ClearSign proposal verification inside your own treasury app or execution service.
$ npm install clearsignbuildProposal
import { buildProposal } from "clearsign";
const proposal = await buildProposal({
title: "Monthly Treasury Rebalance",
asset: "USDC",
amount: 150_000,
to: "vault.sol",
ttlSeconds: 1800,
signers: ["alice.sol", "bob.sol"],
threshold: 2,
});
// proposal.hash — SHA-256 of canonical JSON
// proposal.expiresAt — ISO timestampExecutionGate
import { ExecutionGate } from "clearsign";
const gate = new ExecutionGate({ policy: "./policy.json" });
const result = await gate.check(signedProposal);
if (!result.ok) throw new Error(result.errors.join(", "));
await execute(signedProposal);Proposal schema
Every proposal is a deterministically serialized JSON object. The SHA-256 hash is computed over the canonical form — keys sorted alphabetically, no whitespace.
{
"version": "clearsign-web/v1",
"title": "Pay auditors",
"description": "Transfer 10,000 USDC for Q2 security audit.",
"action": "transfer",
"chain": "solana:mainnet",
"amount": { "value": "10000", "asset": "USDC" },
"recipient": "auditors.sol",
"recipientName":"Auditors",
"requester": "ops-team",
"threshold": { "required": 2, "total": 3 },
"signers": ["alice.sol", "bob.sol", "carol.sol"],
"createdAt": "2026-06-01T10:00:00.000Z",
"expiresAt": "2026-06-01T10:30:00.000Z",
"proposalHash": "8f3c9a2b4d1ef7a03c..."
}versionstringSchema version — clearsign-web/v1titlestringHuman-readable proposal title shown to signersdescriptionstringFull description of the intentactionstringAlways transfer for the current schemachainstringsolana:mainnet or solana:devnetamountobject{ value, asset } — transfer amount and token symbolrecipientstringRecipient wallet address or .sol namerecipientNamestring?Optional human-readable name for the recipientrequesterstringWho is requesting the transferthresholdobject{ required, total } — signature thresholdsignersstring[]Authorized signer names or wallet addressescreatedAtISO 8601Proposal creation timestampexpiresAtISO 8601Hard expiry — cannot be signed after this timeproposalHashsha256SHA-256 of the canonical proposal body