Security model

Trust comes from limits, not promises.

The agent can do exactly four things and exactly nothing else. Every constraint is enforced by the program, not by policy. Read what it can and cannot do below.

Read the program source
What the agent can do

Exactly four actions.

Repay loans on your behalf

Up to your configured maximum per action — never more.

Revoke malicious approvals

Only delegates outside the safe-protocol allowlist.

Exit positions below floor

When Pyth oracle confirms price has crossed your threshold.

Write your score on-chain

Public, deterministic, recomputed every polling cycle.

What the agent cannot do

Everything else.

Transfer funds to external wallets

No transfer instruction exists in the program. Period.

Exceed your repay cap

max_repay_percent is enforced on-chain via constraint.

Access your private key

The program only stores your pubkey. Keys never leave your wallet.

Act outside your defined rules

Every action validates against GuardianConfig PDA.

Security properties

Six guarantees. Each one verifiable.

01
Non-custodial
Only pubkey stored on-chain. Wallet keys never transmitted.
02
Action-scoped authority
Agent can only call three pre-defined protective instructions.
03
On-chain enforcement
Every threshold is a constraint, not a hint. Anchor rejects violations.
04
Instant deactivation
deactivate_guardian instruction halts all agent actions in one transaction.
05
PDA seed integrity
ConstraintSeeds prevents PDA injection or impersonation attacks.
06
Event-logged actions
Every execution emits GuardianActionExecuted — fully auditable.
Enforcement

Enforced in Rust, not in policy.

This is the exact Anchor constraint that prevents repay over the user's cap. Submitting a transaction that violates it is rejected by the program before execution.

// Anchor constraint · enforced on-chain
require!(
amount <= obligation.borrowed *
guardian.max_repay_percent / 100,
GuardianError::RepayExceedsCap
);
// Cannot be bypassed by the agent or anyone else.
Known limitations

What we haven't shipped yet.

Current
Devnet only
Not audited for mainnet deployment.
Current
Kamino integration mocked
No devnet liquidity available for real CPI.
Current
Agent key rotation
Requires close_guardian + reinitialize. V2 will add update_agent.
Current
API rate limits
Free-tier Helius and Birdeye limits apply during testing.
Audit roadmap

The path to mainnet trust.

V1
DONE
Self-audit
Internal review documented in SECURITY_AUDIT.md.
V1
DONE
233 tests
200 TypeScript on-chain tests + 33 Rust unit tests.
V2
Planned
External audit
OtterSec, Sec3, or Neodyme — estimated $15k–$40k.
V2
Planned
Mainnet deploy
Pending audit completion and key rotation upgrade.

Don't trust. Verify.

Read the security audit, inspect the program account, run the test suite locally.