lez-programs/ata/src/transfer.rs

use nssa_core::{
    account::{Account, AccountWithMetadata},
    program::{AccountPostState, ChainedCall, ProgramId},
};
use token_core::TokenHolding;

pub fn transfer_from_associated_token_account(
    owner: AccountWithMetadata,
    sender_ata: AccountWithMetadata,
    recipient: AccountWithMetadata,
    ata_program_id: ProgramId,
    token_program_id: ProgramId,
    amount: u128,
) -> (Vec<AccountPostState>, Vec<ChainedCall>) {
    assert!(owner.is_authorized, "Owner authorization is missing");
    assert_eq!(
        sender_ata.account.program_owner, token_program_id,
        "Sender ATA must be owned by expected token program"
    );
    let sender_definition_id = TokenHolding::try_from(&sender_ata.account.data)
        .expect("Sender ATA must hold a valid token")
        .definition_id();
    let sender_seed = ata_core::verify_ata_and_get_seed(
        &sender_ata,
        &owner,
        token_program_id,
        sender_definition_id,
        ata_program_id,
    );

    // The recipient contract: ATA::Transfer requires a recipient token holding that is already
    // initialized, owned by the same token program as the sender ATA, and that points at the same
    // token definition as the sender. Anything else fails here rather than being silently
    // materialized by the downstream token transfer (e.g. via `Claim::Authorized` on a default
    // recipient), so integrators get an ATA-level failure rather than having to reverse-engineer
    // token/runtime semantics.
    assert_ne!(
        recipient.account,
        Account::default(),
        "Recipient token holding must be initialized"
    );
    assert_eq!(
        recipient.account.program_owner, token_program_id,
        "Recipient must be owned by the same token program as the sender ATA"
    );
    let recipient_definition_id = TokenHolding::try_from(&recipient.account.data)
        .expect("Recipient must hold a valid token")
        .definition_id();
    assert_eq!(
        recipient_definition_id, sender_definition_id,
        "Recipient and sender token definitions do not match"
    );

    let post_states = vec![
        AccountPostState::new(owner.account.clone()),
        AccountPostState::new(sender_ata.account.clone()),
        AccountPostState::new(recipient.account.clone()),
    ];
    let mut sender_ata_auth = sender_ata.clone();
    sender_ata_auth.is_authorized = true;

    let chained_call = ChainedCall::new(
        token_program_id,
        vec![sender_ata_auth, recipient],
        &token_core::Instruction::Transfer {
            amount_to_transfer: amount,
        },
    )
    .with_pda_seeds(vec![sender_seed]);
    (post_states, vec![chained_call])
}
chore: initial repository setup for programs 2026-03-17 18:08:53 +01:00			`use nssa_core::{`
fix(ata): lock down `ATA::Transfer` recipient contract Enforce at the ATA layer that the recipient token holding is already initialized, owned by the same token program as the sender ATA, decodes to a valid `TokenHolding`, and points at the same token definition as the sender. Align the core instruction doc and guest wrapper doc with that contract, and cover the boundary with unit tests (default, foreign-owned, malformed, mismatched-definition recipients, plus the missing-owner-auth and happy paths) and end-to-end integration tests (default and mismatched-definition recipients). Without this, the downstream `token::Transfer` default-recipient `Claim::Authorized` path was reachable through ATA, so integrators had to reverse-engineer recipient semantics from token/runtime internals. 2026-05-11 12:44:46 -03:00			`account::{Account, AccountWithMetadata},`
chore: initial repository setup for programs 2026-03-17 18:08:53 +01:00			`program::{AccountPostState, ChainedCall, ProgramId},`
			`};`
			`use token_core::TokenHolding;`

			`pub fn transfer_from_associated_token_account(`
			`owner: AccountWithMetadata,`
			`sender_ata: AccountWithMetadata,`
			`recipient: AccountWithMetadata,`
			`ata_program_id: ProgramId,`
fix(ata)!: namespace accounts by token program ATA accounts are now namespaced by token program, so callers must explicitly pass the token_program_id when invoking ATA::Transfer. BREAKING CHANGE: `Instruction::Transfer`, `Instruction::Burn`, `Instruction::Create` now requires a `token_program_id` field. Any existing call site that omits it will fail to compile. Closes #83 2026-05-13 17:24:11 -03:00			`token_program_id: ProgramId,`
chore: initial repository setup for programs 2026-03-17 18:08:53 +01:00			`amount: u128,`
			`) -> (Vec<AccountPostState>, Vec<ChainedCall>) {`
			`assert!(owner.is_authorized, "Owner authorization is missing");`
fix(ata)!: namespace accounts by token program ATA accounts are now namespaced by token program, so callers must explicitly pass the token_program_id when invoking ATA::Transfer. BREAKING CHANGE: `Instruction::Transfer`, `Instruction::Burn`, `Instruction::Create` now requires a `token_program_id` field. Any existing call site that omits it will fail to compile. Closes #83 2026-05-13 17:24:11 -03:00			`assert_eq!(`
			`sender_ata.account.program_owner, token_program_id,`
			`"Sender ATA must be owned by expected token program"`
			`);`
fix(ata): lock down `ATA::Transfer` recipient contract Enforce at the ATA layer that the recipient token holding is already initialized, owned by the same token program as the sender ATA, decodes to a valid `TokenHolding`, and points at the same token definition as the sender. Align the core instruction doc and guest wrapper doc with that contract, and cover the boundary with unit tests (default, foreign-owned, malformed, mismatched-definition recipients, plus the missing-owner-auth and happy paths) and end-to-end integration tests (default and mismatched-definition recipients). Without this, the downstream `token::Transfer` default-recipient `Claim::Authorized` path was reachable through ATA, so integrators had to reverse-engineer recipient semantics from token/runtime internals. 2026-05-11 12:44:46 -03:00			`let sender_definition_id = TokenHolding::try_from(&sender_ata.account.data)`
chore: initial repository setup for programs 2026-03-17 18:08:53 +01:00			`.expect("Sender ATA must hold a valid token")`
			`.definition_id();`
fix(ata): lock down `ATA::Transfer` recipient contract Enforce at the ATA layer that the recipient token holding is already initialized, owned by the same token program as the sender ATA, decodes to a valid `TokenHolding`, and points at the same token definition as the sender. Align the core instruction doc and guest wrapper doc with that contract, and cover the boundary with unit tests (default, foreign-owned, malformed, mismatched-definition recipients, plus the missing-owner-auth and happy paths) and end-to-end integration tests (default and mismatched-definition recipients). Without this, the downstream `token::Transfer` default-recipient `Claim::Authorized` path was reachable through ATA, so integrators had to reverse-engineer recipient semantics from token/runtime internals. 2026-05-11 12:44:46 -03:00			`let sender_seed = ata_core::verify_ata_and_get_seed(`
			`&sender_ata,`
			`&owner,`
fix(ata)!: namespace accounts by token program ATA accounts are now namespaced by token program, so callers must explicitly pass the token_program_id when invoking ATA::Transfer. BREAKING CHANGE: `Instruction::Transfer`, `Instruction::Burn`, `Instruction::Create` now requires a `token_program_id` field. Any existing call site that omits it will fail to compile. Closes #83 2026-05-13 17:24:11 -03:00			`token_program_id,`
fix(ata): lock down `ATA::Transfer` recipient contract Enforce at the ATA layer that the recipient token holding is already initialized, owned by the same token program as the sender ATA, decodes to a valid `TokenHolding`, and points at the same token definition as the sender. Align the core instruction doc and guest wrapper doc with that contract, and cover the boundary with unit tests (default, foreign-owned, malformed, mismatched-definition recipients, plus the missing-owner-auth and happy paths) and end-to-end integration tests (default and mismatched-definition recipients). Without this, the downstream `token::Transfer` default-recipient `Claim::Authorized` path was reachable through ATA, so integrators had to reverse-engineer recipient semantics from token/runtime internals. 2026-05-11 12:44:46 -03:00			`sender_definition_id,`
			`ata_program_id,`
			`);`

			`// The recipient contract: ATA::Transfer requires a recipient token holding that is already`
			`// initialized, owned by the same token program as the sender ATA, and that points at the same`
			`// token definition as the sender. Anything else fails here rather than being silently`
			// materialized by the downstream token transfer (e.g. via `Claim::Authorized` on a default
			`// recipient), so integrators get an ATA-level failure rather than having to reverse-engineer`
			`// token/runtime semantics.`
			`assert_ne!(`
			`recipient.account,`
			`Account::default(),`
			`"Recipient token holding must be initialized"`
			`);`
			`assert_eq!(`
			`recipient.account.program_owner, token_program_id,`
			`"Recipient must be owned by the same token program as the sender ATA"`
			`);`
			`let recipient_definition_id = TokenHolding::try_from(&recipient.account.data)`
			`.expect("Recipient must hold a valid token")`
			`.definition_id();`
			`assert_eq!(`
			`recipient_definition_id, sender_definition_id,`
			`"Recipient and sender token definitions do not match"`
			`);`
chore: initial repository setup for programs 2026-03-17 18:08:53 +01:00
			`let post_states = vec![`
			`AccountPostState::new(owner.account.clone()),`
			`AccountPostState::new(sender_ata.account.clone()),`
			`AccountPostState::new(recipient.account.clone()),`
			`];`
			`let mut sender_ata_auth = sender_ata.clone();`
			`sender_ata_auth.is_authorized = true;`

			`let chained_call = ChainedCall::new(`
			`token_program_id,`
refactor!: Update dependencies and implement new required features across multiple modules - Updated `nssa_core` and `spel-framework` dependencies to their respective release candidates in `Cargo.toml` and `Cargo.lock` files for `amm`, `ata`, and `token` modules. - Enhanced the `new_definition` function in `amm/src/new_definition.rs` to include new claim logic and updated PDA seed calculations. - Modified tests in `integration_tests/tests/amm.rs`, `integration_tests/tests/ata.rs`, and `integration_tests/tests/token.rs` to accommodate changes in transaction handling and account initialization. - Refactored account initialization logic in `ata/src/create.rs` and `token/src/initialize.rs` to include authorization claims. - Updated various functions in `token/src/mint.rs`, `token/src/new_definition.rs`, and `token/src/transfer.rs` to utilize the new claim system for account states. - Adjusted the IDL generation tool to use the latest version of `spel-framework-core`. 2026-04-15 14:55:04 -03:00			`vec![sender_ata_auth, recipient],`
chore: initial repository setup for programs 2026-03-17 18:08:53 +01:00			`&token_core::Instruction::Transfer {`
			`amount_to_transfer: amount,`
			`},`
			`)`
refactor!: Update dependencies and implement new required features across multiple modules - Updated `nssa_core` and `spel-framework` dependencies to their respective release candidates in `Cargo.toml` and `Cargo.lock` files for `amm`, `ata`, and `token` modules. - Enhanced the `new_definition` function in `amm/src/new_definition.rs` to include new claim logic and updated PDA seed calculations. - Modified tests in `integration_tests/tests/amm.rs`, `integration_tests/tests/ata.rs`, and `integration_tests/tests/token.rs` to accommodate changes in transaction handling and account initialization. - Refactored account initialization logic in `ata/src/create.rs` and `token/src/initialize.rs` to include authorization claims. - Updated various functions in `token/src/mint.rs`, `token/src/new_definition.rs`, and `token/src/transfer.rs` to utilize the new claim system for account states. - Adjusted the IDL generation tool to use the latest version of `spel-framework-core`. 2026-04-15 14:55:04 -03:00			`.with_pda_seeds(vec![sender_seed]);`
chore: initial repository setup for programs 2026-03-17 18:08:53 +01:00			`(post_states, vec![chained_call])`
			`}`