Agent Vault SDK targets the current Agent Vault devnet version. It should not be used with valuable assets until a mainnet release and production security review are published.
Please report suspected vulnerabilities privately to Quantu Labs before opening a public issue. Include:
- affected package version or commit;
- cluster and RPC endpoint, if relevant;
- reproduction steps;
- expected impact;
- suggested fix, if known.
Do not include private keys, seed phrases, wallet backups, or production secrets in any report.
The SDK follows the current Solana JavaScript package ecosystem. Dependency
advisories are reviewed before release; compatible security pins may be applied
through overrides when they do not break the public API or transaction
builders.
- Treat `agentAsset` as the agent identity root and `wallet` as a numeric index.
- Use `vault.wallets.verifyDeployment()` before debugging signed write failures.
- Do not set `allowUnverifiedDeployment` in production or mainnet-like flows.
- Return unsigned transactions with `{ send: false, sign: false }` when a browser wallet must review and sign.
- Never collect or store user private keys, seed phrases, or keypair files in SDK integrations.
Signed writes are expected to fail closed unless deployment verification passes against a published release manifest. Mainnet writes remain blocked until a canonical mainnet manifest and upgrade policy are published.