{
  "schema_version": "initiative.v1",
  "id": "security-readiness",
  "name": "Security Readiness",
  "status": "draft",
  "summary": "Evidence-backed security guidance for agents and builders choosing smart-account, protocol, paymaster, automation, and agent-transaction stacks.",
  "problem": "Builders and agents often treat security as a generic audit checkbox. Security-sensitive crypto apps need clearer separation between contract audits, deployment verification, smart-account permissions, paymaster policy limits, agent spend controls, source provenance, and operational fallback paths before a stack can be recommended for production.",
  "audiences": [
    "app_builders",
    "protocol_teams",
    "wallet_teams",
    "ai_agents",
    "security_reviewers",
    "hackathon_builders",
    "jury_reviewers"
  ],
  "tags": [
    "security",
    "smart-accounts",
    "account-abstraction",
    "paymasters",
    "session-keys",
    "agent-safety",
    "deployment-verification",
    "source-provenance"
  ],
  "homepage_url": "https://docs.openzeppelin.com/contracts/5.x/",
  "official_sources": [
    {
      "id": "openzeppelin-contracts-docs",
      "title": "OpenZeppelin Contracts documentation",
      "url": "https://docs.openzeppelin.com/contracts/5.x/"
    },
    {
      "id": "openzeppelin-access-control",
      "title": "OpenZeppelin access control documentation",
      "url": "https://docs.openzeppelin.com/contracts/5.x/access-control"
    },
    {
      "id": "safe-docs",
      "title": "Safe documentation",
      "url": "https://docs.safe.global/"
    },
    {
      "id": "zerodev-sponsor-gas",
      "title": "ZeroDev gas sponsorship documentation",
      "url": "https://docs.zerodev.app/smart-accounts/sponsor-gas/evm"
    },
    {
      "id": "zerodev-permissions",
      "title": "ZeroDev permissions and session keys documentation",
      "url": "https://docs.zerodev.app/smart-accounts/permissions/intro"
    },
    {
      "id": "biconomy-docs",
      "title": "Biconomy documentation",
      "url": "https://docs.biconomy.io/"
    },
    {
      "id": "erc-8004-eip",
      "title": "ERC-8004 draft specification",
      "url": "https://eips.ethereum.org/EIPS/eip-8004"
    },
    {
      "id": "x402-docs",
      "title": "x402 documentation",
      "url": "https://www.x402.org/"
    }
  ],
  "related_chains": [
    "ethereum",
    "arbitrum-one",
    "base",
    "optimism",
    "polygon",
    "bsc"
  ],
  "related_protocols": [
    "safe",
    "biconomy",
    "zerodev",
    "privy",
    "erc-8004",
    "x402",
    "gelato",
    "chainlink",
    "the-graph",
    "goldsky"
  ],
  "related_intents": [
    "build-with-smart-accounts",
    "gasless-onboarding",
    "build-agentic-commerce-with-x402",
    "build-on-bnb-smart-chain",
    "secure-cross-chain-messaging"
  ],
  "initiative_intents": [
    {
      "id": "assess-smart-account-security",
      "title": "Assess smart-account security",
      "description": "Review account owners, validators, modules, permissions, session keys, recovery, paymasters, and fallback behavior before recommending a smart-account stack.",
      "audience": [
        "wallet_teams",
        "app_builders",
        "ai_agents",
        "security_reviewers"
      ],
      "input_requirements": [
        "account owner model",
        "validator or plugin model",
        "session-key and permission requirements",
        "recovery model",
        "target chains",
        "production timeline"
      ],
      "recommended_outputs": [
        "smart-account threat model",
        "permission and session-key checklist",
        "paymaster fallback plan",
        "deployment verification checklist",
        "do-not-claim guidance",
        "source refs"
      ],
      "related_changes": [
        "security-smart-account-permission-surface",
        "security-paymaster-policy-surface",
        "security-deployment-verification-surface"
      ],
      "default_priority": "high",
      "evidence_refs": [
        "official:safe-docs",
        "official:zerodev-permissions",
        "official:openzeppelin-access-control"
      ]
    },
    {
      "id": "assess-agent-transaction-safety",
      "title": "Assess agent transaction safety",
      "description": "Check spend caps, delegated permissions, replay protection, payment authorization, identity and validation signals, and monitoring before allowing agents to transact.",
      "audience": [
        "ai_agents",
        "agentic_app_builders",
        "security_reviewers",
        "protocol_teams"
      ],
      "input_requirements": [
        "agent role and allowed actions",
        "wallet or smart-account authority",
        "payment rails",
        "trust or reputation mechanism",
        "refund or dispute requirements",
        "monitoring requirements"
      ],
      "recommended_outputs": [
        "agent permission boundary",
        "spend and rate limits",
        "replay and refund checklist",
        "identity and validation caveats",
        "monitoring and incident response plan"
      ],
      "related_changes": [
        "security-agent-transaction-safety-surface",
        "security-smart-account-permission-surface",
        "security-paymaster-policy-surface"
      ],
      "default_priority": "high",
      "evidence_refs": [
        "official:erc-8004-eip",
        "official:x402-docs",
        "official:zerodev-permissions"
      ]
    },
    {
      "id": "verify-protocol-deployments-and-sources",
      "title": "Verify protocol deployments and sources",
      "description": "Confirm docs, contract addresses, source maps, release provenance, audits, advisories, and chain-specific deployment support before making production recommendations.",
      "audience": [
        "protocol_teams",
        "app_builders",
        "ai_agents",
        "security_reviewers"
      ],
      "input_requirements": [
        "protocol list",
        "target chains",
        "contract addresses or deployment references",
        "source repositories",
        "audit and advisory expectations",
        "upgrade and admin controls"
      ],
      "recommended_outputs": [
        "deployment verification checklist",
        "source provenance gaps",
        "chain-specific caveats",
        "admin and upgradeability review notes",
        "production blockers"
      ],
      "related_changes": [
        "security-deployment-verification-surface"
      ],
      "default_priority": "high",
      "evidence_refs": [
        "official:openzeppelin-contracts-docs",
        "official:safe-docs"
      ]
    }
  ],
  "assessment_modes": [
    "smart_account_security_review",
    "paymaster_policy_review",
    "agent_transaction_safety",
    "deployment_verification",
    "source_provenance_review",
    "production_readiness_gate"
  ],
  "evidence_refs": [
    "official:openzeppelin-contracts-docs",
    "official:openzeppelin-access-control",
    "official:safe-docs",
    "official:zerodev-sponsor-gas",
    "official:zerodev-permissions",
    "official:biconomy-docs",
    "official:erc-8004-eip",
    "official:x402-docs"
  ],
  "last_verified_at": "2026-06-10",
  "review_status": "unreviewed",
  "changes": [
    {
      "schema_version": "initiative-change.v1",
      "id": "security-agent-transaction-safety-surface",
      "initiative_id": "security-readiness",
      "type": "protocol_architecture",
      "status": "watch",
      "summary": "Agent-controlled transactions require explicit authority boundaries, spend limits, replay protection, identity or validation signals, and monitoring before production use.",
      "affected_roles": [
        "ai_agents",
        "agentic_app_builders",
        "security_reviewers",
        "app_builders"
      ],
      "affected_builder_groups": [
        "agent_wallet_builders",
        "agentic_commerce_builders",
        "marketplace_builders",
        "wallet_builders"
      ],
      "affected_protocols": [
        "erc-8004",
        "x402",
        "zerodev",
        "biconomy",
        "safe"
      ],
      "affected_chains": [
        "ethereum",
        "base",
        "arbitrum-one",
        "optimism"
      ],
      "affected_intents": [
        "build-agentic-commerce-with-x402",
        "build-with-smart-accounts",
        "gasless-onboarding"
      ],
      "possible_consequences": [
        "Agent wallets should have bounded permissions, spending policies, replay-safe order IDs, expiry windows, and cancellation or recovery paths.",
        "Payment rails and trust registries do not replace fulfillment, escrow, dispute handling, or incident response for agentic commerce.",
        "Agents should cite whether identity, reputation, validation, payment, and wallet-permission claims come from separate protocols."
      ],
      "priority": "high",
      "recommended_action": "assess",
      "recommendation_strength": "actionable",
      "evidence_refs": [
        "official:erc-8004-eip",
        "official:x402-docs",
        "official:zerodev-permissions"
      ],
      "last_verified_at": "2026-06-10"
    },
    {
      "schema_version": "initiative-change.v1",
      "id": "security-deployment-verification-surface",
      "initiative_id": "security-readiness",
      "type": "external_reference",
      "status": "watch",
      "summary": "Production recommendations should verify chain-specific deployments, contract addresses, source repositories, release provenance, admin controls, and known advisories before claiming support.",
      "affected_roles": [
        "protocol_teams",
        "app_builders",
        "security_reviewers",
        "ai_agents"
      ],
      "affected_builder_groups": [
        "protocol_integrators",
        "multichain_app_builders",
        "registry_maintainers",
        "hackathon_builders"
      ],
      "affected_protocols": [
        "safe",
        "biconomy",
        "zerodev",
        "chainlink",
        "the-graph",
        "gelato",
        "layerzero"
      ],
      "affected_chains": [
        "ethereum",
        "arbitrum-one",
        "base",
        "optimism",
        "polygon",
        "bsc"
      ],
      "affected_intents": [
        "build-with-smart-accounts",
        "gasless-onboarding",
        "build-on-bnb-smart-chain",
        "secure-cross-chain-messaging",
        "real-time-price-feeds"
      ],
      "possible_consequences": [
        "EVM compatibility should not be treated as proof that a protocol has a live, supported, production-ready deployment on a specific chain.",
        "Agents should distinguish docs links, SDK repositories, audited contracts, deployment addresses, source maps, advisories, and release provenance.",
        "Admin keys, upgradeability, pausing, and emergency controls should be reviewed alongside contract addresses before production use."
      ],
      "priority": "high",
      "recommended_action": "assess",
      "recommendation_strength": "actionable",
      "evidence_refs": [
        "official:openzeppelin-contracts-docs",
        "official:safe-docs"
      ],
      "last_verified_at": "2026-06-10"
    },
    {
      "schema_version": "initiative-change.v1",
      "id": "security-paymaster-policy-surface",
      "initiative_id": "security-readiness",
      "type": "protocol_architecture",
      "status": "watch",
      "summary": "Paymaster and gas-sponsorship flows need policy limits, billing controls, abuse monitoring, and fallback behavior before they are safe to expose to users or agents.",
      "affected_roles": [
        "app_builders",
        "wallet_teams",
        "security_reviewers",
        "ai_agents"
      ],
      "affected_builder_groups": [
        "gasless_onboarding_teams",
        "consumer_app_builders",
        "agentic_app_builders",
        "protocol_operations_teams"
      ],
      "affected_protocols": [
        "biconomy",
        "zerodev"
      ],
      "affected_chains": [
        "ethereum",
        "arbitrum-one",
        "base",
        "optimism",
        "polygon",
        "bsc"
      ],
      "affected_intents": [
        "gasless-onboarding",
        "build-with-smart-accounts",
        "build-on-bnb-smart-chain"
      ],
      "possible_consequences": [
        "Sponsored transactions should define who pays, which actions are eligible, how limits are enforced, and what happens when limits are exhausted.",
        "Apps should implement fallback paths for actions that can proceed without sponsorship, and hard-failure paths for actions that should never bypass policy.",
        "Agents should not describe gasless UX as free execution without checking quotas, billing, chain support, abuse controls, and paymaster failure modes."
      ],
      "priority": "high",
      "recommended_action": "assess",
      "recommendation_strength": "actionable",
      "evidence_refs": [
        "official:zerodev-sponsor-gas",
        "official:biconomy-docs"
      ],
      "last_verified_at": "2026-06-10"
    },
    {
      "schema_version": "initiative-change.v1",
      "id": "security-smart-account-permission-surface",
      "initiative_id": "security-readiness",
      "type": "protocol_architecture",
      "status": "watch",
      "summary": "Smart-account security depends on owners, validators, modules, session-key permissions, recovery paths, and upgrade or admin authority, not only on the wallet SDK.",
      "affected_roles": [
        "wallet_teams",
        "app_builders",
        "security_reviewers",
        "ai_agents"
      ],
      "affected_builder_groups": [
        "smart_account_builders",
        "consumer_wallet_builders",
        "agentic_app_builders",
        "protocol_frontend_teams"
      ],
      "affected_protocols": [
        "safe",
        "biconomy",
        "zerodev",
        "privy"
      ],
      "affected_chains": [
        "ethereum",
        "arbitrum-one",
        "base",
        "optimism",
        "polygon"
      ],
      "affected_intents": [
        "build-with-smart-accounts",
        "gasless-onboarding"
      ],
      "possible_consequences": [
        "Agents should ask for owner model, validator or module choices, recovery assumptions, and target chains before recommending a smart-account path.",
        "Session keys and delegated permissions should include contract allowlists, method allowlists, spend caps, rate limits, and expirations.",
        "Recovery and upgrade authority should be treated as production security surfaces, not onboarding details."
      ],
      "priority": "high",
      "recommended_action": "assess",
      "recommendation_strength": "actionable",
      "evidence_refs": [
        "official:safe-docs",
        "official:zerodev-permissions",
        "official:openzeppelin-access-control"
      ],
      "last_verified_at": "2026-06-10"
    }
  ]
}