
Security: QuantuLabs/Agent-Vault


SECURITY.md

Security Policy

Status

Agent Vault currently has a devnet version and an internal v0.1.0 security review. It has not received an external production audit and there is no mainnet release. Do not use this program with valuable assets until a mainnet release, published release manifest, and production security review are available.

Reporting Vulnerabilities

Please report suspected vulnerabilities privately to Quantu Labs before opening a public issue. Include:

  • affected commit or release;
  • exact program ID or cluster, if relevant;
  • reproduction steps;
  • expected impact;
  • suggested fix, if known.

Do not include private keys, seed phrases, wallet backups, or production secrets in any report.

Supported Versions

Only the latest main branch and the published devnet manifest are currently supported for security review.

The internal v0.1.0 review report is tracked in docs/SECURITY_REVIEW_0.1.0.md.

Developer Safety Checklist

  • Do not use Agent Vault with valuable assets while it is devnet-only.
  • Keep SDK writes gated by deployment verification.
  • Keep allowUnverifiedDeployment limited to localnet or devnet deployments you control.
  • In docs and integrations, distinguish agentAsset from wallet PDA addresses and wallet indexes.
  • Never request or store private keys, seed phrases, wallet backups, or production secrets.

Release Expectations

Production releases should keep SDK writes fail-closed: before any write, the SDK verifies the deployed program against a published manifest that records the program account, the ProgramData address, the deployed byte hash, the byte size, the upgrade authority policy, and the global config fields, and refuses to write if any of them differ.

There aren't any published security advisories