> For the complete documentation index, see [llms.txt](https://docs.bextree.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.bextree.com/security/program-architecture.md).

# Program Architecture

Bextree runs three Anchor programs on Solana:

| Program                   | Job                                                                                                                  |
| ------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| **asset-vault**           | Custody of pre-custodied assets (LP position NFTs) from listing time until settlement or withdrawal                  |
| **settlement**            | Buyer USDC escrow and atomic asset-for-payment settlement of vaulted assets                                          |
| **streamflow-settlement** | Buyer USDC escrow, settlement-window tracking, verified-transfer release, and bond handling for Streamflow positions |

## Authority structure

* **`SETTLEMENT_AUTHORITY`** — a PDA of the settlement program (derived from its program ID, no private key exists). The vault authorizes settlement CPIs against this PDA — meaning only the settlement program, executing its own encoded logic, can pull an asset out of the vault for a trade.
* **`SETTLEMENT_CREATE_AUTHORITY`** — the backend's hot signer, compiled into the programs. It can create settlement records when auctions end; it cannot redirect funds or assets to arbitrary destinations.
* **`TREASURY_AUTHORITY`** — the platform-fee destination is validated by an owner check compiled into the programs. Fees can only flow to the treasury; see [Treasury](/security/treasury.md).
* **Upgrade authority** — held per program; see [Upgrade Authority](/security/upgrade-authority.md).

## Design properties

* **The programs know settlements, not auctions.** A settlement is "seller, buyer, asset, amount" — the programs contain no marketplace logic, which keeps their attack surface and audit scope small.
* **Escrow paths are total.** Every escrowed deposit has exactly two exits: verified settlement to the seller, or refund to the buyer. There is no administrative "sweep" path.
* **Verification is on-chain.** A Streamflow settlement releases funds only when the contract's recipient is confirmed on-chain to be the buyer — not when anyone says so.
