feat(commit): add magic fee vault support with commit-based fee charging

[taco-paco]

Summary

• Added charging of commits from payer into magic fee vault PDA. 25 commits are sponsored in order to avoid double charging with dlp.
• Add ensure_magic_fee_vault_on_chain to validator startup (magicblock-api): checks vault and delegation record on chain, initializes and/or delegates as needed, exits process on failure
• Add vault/fee integration tests in 03_commit_limit.rs: missing vault errors, within-limit free, over-limit charged, order-book action

Compatibility

• No breaking changes
• Config change (describe):
• Migration needed (describe):

Testing

• tests (or explain)
  • programs/magicblock/src/magic_scheduled_base_intent.rs: unit tests for calculate_commit_fee boundaries
  • test-integration/schedulecommit/test-scenarios/tests/03_commit_limit.rs: integration tests covering vault absent error, within-limit free commits, over-limit fee charging and vault credit, and schedule-commit-with-order-book action

Checklist

• docs updated (if needed)
• closes #

Summary by CodeRabbit

• New Features

  • Vault-aware scheduled commits: optional fee-vault support, commit fee calculation, delegated-payer charging, and new CPI paths (including order-book post-actions).
  • Public fee-calculation APIs and related constants.

• Improvements

  • Validator startup now ensures fee vault presence/delegation with clearer error reporting.

• Tests

  • Expanded unit & integration tests for vault flows, fee charging, nonce modes, and order-book scenarios.

[github-actions]

Manual Deploy Available

You can trigger a manual deploy of this PR branch to testnet:

Deploy to Testnet 🚀

Alternative: Comment /deploy on this PR to trigger deployment directly.

⚠️ Note: Manual deploy requires authorization. Only authorized users can trigger deployments.

Comment updated automatically when the PR is synchronized.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds delegated magic fee-vault support end-to-end. magicblock-api: startup ensures vault exists and delegated ownership, plus two new ApiError variants. Programs: new fee constants and per-account fee calculation APIs, vault PDA lookup/validation, delegated-payer charging, and fee-aware commit/intent processing paths. Utilities: wallet-to-vault charge helper and test-scoped instruction builders. Test harnesses and CPI APIs extended to accept an optional magic_fee_vault PDA and support per-account nonces. Cargo files updated to new revisions for delegation program and related SDKs.

Suggested reviewers

• thlorenz
• snawaz
• bmuddha

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/magic-fee-vault

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

test-integration/programs/schedulecommit-security/src/lib.rs (1)

83-87: 🧹 Nitpick | 🔵 Trivial

Expose the vault option instead of hardcoding the legacy layout.

has_magic_vault / magic_fee_vault define how the downstream instruction parses its accounts. Hardcoding false / None in every path means this harness cannot model charged-commit layouts; if a test includes a fee-vault account, it will be interpreted as the first committee PDA instead. Thread the optional vault through ScheduleCommitSecurityInstruction if these security scenarios are meant to cover the new fee-vault flow.

Also applies to: 122-128, 147-148

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test-integration/programs/schedulecommit-security/src/lib.rs` around lines 83
- 87, The harness is hardcoding legacy vault layout by always setting
ProcessSchedulecommitCpiArgs.has_magic_vault = false and magic_fee_vault = None,
so any test that supplies a fee-vault will be mis-parsed; update the
ScheduleCommitSecurityInstruction payload to carry an optional vault
flag/account, propagate that option into the code paths that construct
ProcessSchedulecommitCpiArgs (instead of the literal false/None at the sites
shown), and set has_magic_vault and magic_fee_vault based on the passed-through
optional vault so the CPI instruction reflects the charged-commit layout when
present.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@programs/magicblock/src/magic_scheduled_base_intent.rs`:
- Around line 929-939: Replace the unsafe arithmetic in the
accounts.iter().try_fold closure: change the paid-commit check from "*nonce + 1
> ACTUAL_COMMIT_LIMIT" to "*nonce >= ACTUAL_COMMIT_LIMIT" (use the existing
commit_nonces lookup and ACTUAL_COMMIT_LIMIT constant) to avoid adding to a
possibly-maxed u64, and replace the unchecked fee accumulation "fee +
COMMIT_FEE_LAMPORTS" with a checked addition (e.g.,
fee.checked_add(COMMIT_FEE_LAMPORTS).ok_or(InstructionError::Custom(YOUR_OVERFLOW_ERR)))
so the closure returns an InstructionError on overflow instead of
wrapping/panicking; keep the existing MISSING_COMMIT_NONCE_ERR path for missing
nonces.

In
`@programs/magicblock/src/schedule_transactions/process_schedule_commit_tests.rs`:
- Around line 1402-1446: The test seeds committee_at with ACTUAL_COMMIT_LIMIT
but calculate_commit_fee treats nonce >= ACTUAL_COMMIT_LIMIT as charged, so the
test will charge two fees; change the per_account entry for committee_at to use
ACTUAL_COMMIT_LIMIT - 1 (i.e., one less than the limit) so calculate_commit_fee
will treat committee_at as free. Update the per_account insert for committee_at
in the prepare_delegated_payer_transaction setup (referencing
ACTUAL_COMMIT_LIMIT, committee_at, committee_above,
prepare_delegated_payer_transaction, and process_instruction) accordingly.
- Around line 1289-1339: The test calls magic_fee_vault_pubkey() (which hits
validator_authority_id()) before the Validator is initialized, causing panics
when tests run in isolation; move the ensure_started_validator(&mut
account_data, Some(nonces)) call to happen before deriving the fee_vault_pubkey
(i.e., call ensure_started_validator early in
prepare_delegated_payer_transaction) so that
validator_authority_id()/magic_fee_vault_pubkey() run after the validator is
started and then compute fee_vault_pubkey safely.

In `@test-integration/programs/schedulecommit-security/src/lib.rs`:
- Around line 141-156: The invocation is missing the program account required by
the instruction: when create_schedule_commit_ix sets the instruction's
program_id to *magic_program.key, magic_program must be included in the accounts
slice passed to invoke; fix by inserting magic_program (the AccountInfo
referenced as magic_program) into the account_infos vector before calling invoke
(alongside payer, magic_context and pda_infos) so that the invoke call receives
the program account expected by create_schedule_commit_ix.

In `@test-integration/programs/schedulecommit/src/lib.rs`:
- Around line 686-691: Remove the unused construction of the account_infos
vector: the local variable account_infos (and its pushes of payer,
magic_context, optional magic_fee_vault, and extend from remaining) is never
read or returned, so delete the block that creates and populates account_infos
to eliminate dead code; ensure no other code expects that vector (search for
account_infos) and if a list of AccountInfo references is actually needed by a
call, replace the dead block with the correct call-site usage instead of just
removing logic.
- Around line 81-88: The struct ScheduleCommitCpiWithVaultArgs has a naming
mismatch: it defines pub has_vault while ScheduleCommitCpiArgs uses pub
has_magic_vault; make them consistent by renaming the field in
ScheduleCommitCpiWithVaultArgs to has_magic_vault (or rename the other to
has_vault) and update all references/usages, serialization/deserialization
(Borsh) expectations, and any tests or CPI calls that construct or pattern-match
on ScheduleCommitCpiWithVaultArgs to use the chosen name; ensure both structs
share the exact same field name and type (bool) to avoid runtime or
(de)serialization issues.

In `@test-integration/schedulecommit/test-scenarios/tests/03_commit_limit.rs`:
- Around line 215-218: Replace the local COMMIT_FEE_LAMPORTS constant in this
test with a direct import of COMMIT_FEE_LAMPORTS from the magicblock-program
crate (so the test uses the exported value), and leave ACTUAL_COMMIT_LIMIT
hardcoded because ACTUAL_COMMIT_LIMIT is declared pub(crate) in
magic_scheduled_base_intent.rs and cannot be imported; update the surrounding
comment to note that only COMMIT_FEE_LAMPORTS can be imported while
ACTUAL_COMMIT_LIMIT remains test-local.

In `@test-integration/schedulecommit/test-security/Cargo.toml`:
- Around line 18-19: The Cargo manifest currently lists the log crate under
[dependencies]; if this crate is only used by tests in this test-only package,
move the entry "log = \"0.4.29\"" from the [dependencies] section into a
[dev-dependencies] section so it is treated as a test-only dependency; update
Cargo.toml by removing the line from [dependencies] and adding it under
[dev-dependencies] (keeping the exact version string) to reflect that log is
used only for tests.

---

Outside diff comments:
In `@test-integration/programs/schedulecommit-security/src/lib.rs`:
- Around line 83-87: The harness is hardcoding legacy vault layout by always
setting ProcessSchedulecommitCpiArgs.has_magic_vault = false and magic_fee_vault
= None, so any test that supplies a fee-vault will be mis-parsed; update the
ScheduleCommitSecurityInstruction payload to carry an optional vault
flag/account, propagate that option into the code paths that construct
ProcessSchedulecommitCpiArgs (instead of the literal false/None at the sites
shown), and set has_magic_vault and magic_fee_vault based on the passed-through
optional vault so the CPI instruction reflects the charged-commit layout when
present.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 16b3d8aa-4012-4533-bb7d-9b9548996dd1

📥 Commits

Reviewing files that changed from the base of the PR and between b71e317 and c420e79.

⛔ Files ignored due to path filters (3)

• Cargo.lock is excluded by !**/*.lock
• test-integration/Cargo.lock is excluded by !**/*.lock
• test-integration/schedulecommit/elfs/dlp.so is excluded by !**/*.so

📒 Files selected for processing (26)

• Cargo.toml
• magicblock-api/Cargo.toml
• magicblock-api/src/errors.rs
• magicblock-api/src/magic_validator.rs
• magicblock-committor-service/src/tasks/mod.rs
• programs/magicblock/src/magic_scheduled_base_intent.rs
• programs/magicblock/src/schedule_transactions/mod.rs
• programs/magicblock/src/schedule_transactions/process_schedule_commit.rs
• programs/magicblock/src/schedule_transactions/process_schedule_commit_tests.rs
• programs/magicblock/src/schedule_transactions/process_schedule_intent_bundle.rs
• programs/magicblock/src/test_utils/mod.rs
• programs/magicblock/src/utils/instruction_utils.rs
• programs/magicblock/src/utils/mod.rs
• test-integration/Cargo.toml
• test-integration/programs/flexi-counter/src/processor.rs
• test-integration/programs/flexi-counter/src/processor/schedule_intent.rs
• test-integration/programs/schedulecommit-security/src/lib.rs
• test-integration/programs/schedulecommit/src/api.rs
• test-integration/programs/schedulecommit/src/lib.rs
• test-integration/schedulecommit/client/src/schedule_commit_context.rs
• test-integration/schedulecommit/test-scenarios/Cargo.toml
• test-integration/schedulecommit/test-scenarios/tests/01_commits.rs
• test-integration/schedulecommit/test-scenarios/tests/02_commit_and_undelegate.rs
• test-integration/schedulecommit/test-scenarios/tests/03_commit_limit.rs
• test-integration/schedulecommit/test-security/Cargo.toml
• test-integration/schedulecommit/test-security/tests/01_invocations.rs

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

programs/magicblock/src/schedule_transactions/process_schedule_commit_tests.rs (1)

1403-1436: ⚠️ Potential issue | 🟠 Major

Reverse the order: call ensure_started_validator() before magic_fee_vault_pubkey().

The magic_fee_vault_pubkey() function calls validator_authority_id(), which panics with "Validator authority needs to be set on startup" if the validator has not been initialized. Currently at line 1403, magic_fee_vault_pubkey() is called before ensure_started_validator() at line 1436, causing tests to panic when run in isolation.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@programs/magicblock/src/schedule_transactions/process_schedule_commit_tests.rs`
around lines 1403 - 1436, Call ensure_started_validator(...) before calling
magic_fee_vault_pubkey() to ensure validator_authority_id() is initialized;
currently magic_fee_vault_pubkey() (which calls validator_authority_id()) runs
first and panics when the validator hasn’t been started. Move the
ensure_started_validator(&mut account_data, Some(nonces)) call to precede the
call to magic_fee_vault_pubkey(), keeping the same arguments and using the
existing ensure_started_validator and magic_fee_vault_pubkey symbols.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@programs/magicblock/src/schedule_transactions/process_schedule_commit_tests.rs`:
- Around line 1483-1488: The assertion duplicating the check used in the find()
call is redundant: remove the assert_eq!(vault.lamports(), COMMIT_FEE_LAMPORTS);
line (or replace it with a short comment) since the .expect("fee vault should
have COMMIT_FEE_LAMPORTS") on the find already guarantees that condition; locate
the usage of vault, accounts, and COMMIT_FEE_LAMPORTS in
process_schedule_commit_tests.rs and drop the redundant assertion to simplify
the test.
- Around line 1507-1512: The inline comments for committee_above and
committee_at are incorrect: per_account currently maps committee_above ->
ACTUAL_COMMIT_LIMIT (which is at the limit and thus charged by the logic) and
committee_at -> ACTUAL_COMMIT_LIMIT - 1 (below the limit and free). Update the
comments next to the Pubkey declarations or the per_account inserts to reflect
those actual values (e.g., mark committee_above as "nonce == limit → charged"
and committee_at as "nonce < limit → free") or alternatively swap the assigned
values if you intended the original comments to be true; adjust only the
comments or the assignments for committee_above, committee_at, and the
per_account.insert calls to keep code and comments consistent.

In
`@programs/magicblock/src/schedule_transactions/process_schedule_intent_bundle.rs`:
- Around line 163-165: The fee calculation uses a single pre-bundle nonce
snapshot (fetch_current_commit_nonces) and get_all_committed_accounts can
contain duplicate pubkeys, allowing undercharging; update calculate_fee (or the
internal calculate_commit_fee it calls) to account for repeated commits by
either deduplicating the list returned by get_all_committed_accounts before
passing to fetch_current_commit_nonces, or (preferably) by iterating the
accounts and maintaining a local mutable nonce map that increments the pubkey's
nonce on each seen occurrence and uses that advanced nonce when checking against
ACTUAL_COMMIT_LIMIT, ensuring duplicate pubkeys are charged as multiple commits;
adjust the logic in calculate_fee / calculate_commit_fee accordingly and keep
fetch_current_commit_nonces as a snapshot-only function.

---

Duplicate comments:
In
`@programs/magicblock/src/schedule_transactions/process_schedule_commit_tests.rs`:
- Around line 1403-1436: Call ensure_started_validator(...) before calling
magic_fee_vault_pubkey() to ensure validator_authority_id() is initialized;
currently magic_fee_vault_pubkey() (which calls validator_authority_id()) runs
first and panics when the validator hasn’t been started. Move the
ensure_started_validator(&mut account_data, Some(nonces)) call to precede the
call to magic_fee_vault_pubkey(), keeping the same arguments and using the
existing ensure_started_validator and magic_fee_vault_pubkey symbols.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 53a95ce9-0c71-437a-b08f-0ce8cca5ae87

📥 Commits

Reviewing files that changed from the base of the PR and between c420e79 and 0afa2cc.

⛔ Files ignored due to path filters (2)

• Cargo.lock is excluded by !**/*.lock
• test-integration/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• magicblock-api/src/magic_validator.rs
• programs/magicblock/src/schedule_transactions/process_schedule_commit_tests.rs
• programs/magicblock/src/schedule_transactions/process_schedule_intent_bundle.rs

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@programs/magicblock/src/magic_scheduled_base_intent.rs`:
- Around line 36-38: The doc comment for COMMIT_FEE_LAMPORTS is inaccurate:
update the comment to reflect that the fee is charged only when
calculate_commit_fee() deems nonce >= ACTUAL_COMMIT_LIMIT (i.e., after the
sponsored commit threshold such as the 25 sponsored commits), not simply “after
the first” commit; reference COMMIT_FEE_LAMPORTS and calculate_commit_fee() and
mention the ACTUAL_COMMIT_LIMIT / 25-sponsored-commits behavior in the updated
comment.

In `@test-integration/programs/schedulecommit/src/api.rs`:
- Around line 237-265: The account meta for the order_book in
schedule_commit_with_vault_and_order_book_instruction is created as readonly but
the doc comment and ScheduleCommitWithVaultAndOrderBookCpi expect it to be
writable; change the AccountMeta for order_book from a readonly meta to a
writable one (use the writable constructor for AccountMeta for the symbol
order_book in the function
schedule_commit_with_vault_and_order_book_instruction) and ensure the doc
comment and any references in ScheduleCommitWithVaultAndOrderBookCpi remain
consistent with the writable access.

In `@test-integration/schedulecommit/test-scenarios/tests/03_commit_limit.rs`:
- Around line 516-601: The test only asserts the committee commit but never
verifies the post-commit UpdateOrderBook action; after calling
verify::fetch_and_verify_commit_result_from_logs(ctx, sig) and
assert_committee_was_committed(...), fetch the order_book_pda account from the
chain (use ctx.fetch_chain_account(order_book_pda) or an equivalent helper),
deserialize or inspect its state to confirm the expected update (e.g., expected
escrow_index/fields changed), or alternatively assert that the commit logs
returned by fetch_and_verify_commit_result_from_logs contain an
"UpdateOrderBook" entry; ensure the check references order_book_pda,
ScheduleCommitWithOrderBookArgs.with_actions, and the sig used when verifying
logs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 43e0fd4b-0d87-4951-b98a-9a039a874516

📥 Commits

Reviewing files that changed from the base of the PR and between 0afa2cc and 1f1e8bb.

⛔ Files ignored due to path filters (1)

• test-integration/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (6)

• programs/magicblock/src/magic_scheduled_base_intent.rs
• programs/magicblock/src/schedule_transactions/process_schedule_commit_tests.rs
• test-integration/programs/schedulecommit/src/api.rs
• test-integration/programs/schedulecommit/src/lib.rs
• test-integration/schedulecommit/test-scenarios/tests/03_commit_limit.rs
• test-integration/schedulecommit/test-security/Cargo.toml

[coderabbitai]

♻️ Duplicate comments (1)

test-integration/schedulecommit/test-scenarios/tests/03_commit_limit.rs (1)

604-636: 🧹 Nitpick | 🔵 Trivial

The test does not verify the UpdateOrderBook action was executed.

The test asserts commit success and fee deductions but never confirms the post-commit action actually updated the order book state. Consider fetching order_book_pda after the commit and asserting the expected state change, or verifying an UpdateOrderBook log entry in the transaction logs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test-integration/schedulecommit/test-scenarios/tests/03_commit_limit.rs`
around lines 604 - 636, The test currently checks commit success and fee
transfers (using verify::fetch_and_verify_commit_result_from_logs and
assert_committee_was_committed) but never asserts the post-commit side-effect;
fetch the order book PDA (order_book_pda) or inspect the transaction logs for an
UpdateOrderBook entry after the commit and assert the expected state change
(e.g., updated bids/asks or a version/timestamp field), or explicitly verify an
"UpdateOrderBook" log message in the result returned by
verify::fetch_and_verify_commit_result_from_logs; add this check alongside the
existing fee and vault assertions to ensure the action was executed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@test-integration/schedulecommit/test-scenarios/tests/03_commit_limit.rs`:
- Around line 604-636: The test currently checks commit success and fee
transfers (using verify::fetch_and_verify_commit_result_from_logs and
assert_committee_was_committed) but never asserts the post-commit side-effect;
fetch the order book PDA (order_book_pda) or inspect the transaction logs for an
UpdateOrderBook entry after the commit and assert the expected state change
(e.g., updated bids/asks or a version/timestamp field), or explicitly verify an
"UpdateOrderBook" log message in the result returned by
verify::fetch_and_verify_commit_result_from_logs; add this check alongside the
existing fee and vault assertions to ensure the action was executed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 183b5cbd-c935-4f9f-86eb-6d2d5a5cc660

📥 Commits

Reviewing files that changed from the base of the PR and between 259d73f and beadd42.

📒 Files selected for processing (1)

• test-integration/schedulecommit/test-scenarios/tests/03_commit_limit.rs

[GabrielePicco]

LGTM!