> ## Documentation Index
> Fetch the complete documentation index at: https://docs.usecompassai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Trust & security model

> What the agent can do, what it can't, and how those boundaries are enforced on-chain.

> The trust model in Compass is the contract, not the operator. The agent is bounded by code your smart account enforces — it cannot withdraw, cannot upgrade itself into withdrawing, and cannot route outside the rules you wrote.

This page is the answer to one question: *"What is the worst thing the
Compass team — or a compromised LLM, or a malicious agent operator — can do to
my funds?"*

The short version: route inside your rules, or stop working. Nothing else.

<img src="https://mintcdn.com/compassai/Qq7UDvjWweIau4hP/images/trust-security-diagram.svg?fit=max&auto=format&n=Qq7UDvjWweIau4hP&q=85&s=9682d59706776d6763de90d99de1acce" alt="trust security diagram" className="rounded-lg" width="1500" height="800" data-path="images/trust-security-diagram.svg" />

Three signers, three different scopes. The owner has total authority. The
agent and the upgrade authority each have narrow, on-chain-enforced powers
— and the cells marked in red are not policy promises, they are call-graph
restrictions that revert if attempted.

## What the agent can do

Your smart account grants the agent a **scoped session key** — a key with
explicit on-chain limits on what it can call.

The agent can:

* Call **whitelisted protocol functions** on whitelisted venues — for
  example, `supply` and `withdraw` on a whitelisted lending protocol.
* Initiate **cross-chain transfers** of USDC between supported chains via
  Circle Gateway.
* Spend up to a **per-route cap** and **per-day cap** that you set.

The session key is checked at the contract level on every call. Out-of-policy
calls revert before they execute. See [Session keys](/contracts/session-keys).

## What the agent cannot do

The agent **cannot**:

* **Withdraw to any address other than your owner address.** Only the owner
  EOA can withdraw funds. The session key has no permission for this path.
* **Add new protocols or chains to its own whitelist.** Whitelist changes are
  owner-only and require an owner signature.
* **Upgrade the account to remove restrictions.** See "Upgrade authority"
  below.
* **Pause withdrawals.** The owner can always exit, even if the agent is
  offline, paused, or rejecting plans.

These are not policy promises. They are call-graph restrictions enforced by
the Diamond account's `Security` and `Ownership` facets. See
[Diamond account](/contracts/diamond-account).

## Upgrade authority — Add-only, owner-revocable

Compass uses a custom ERC-2535 Diamond. A multisig-controlled **authority** can
ship new facets to your account — for example, support for a new venue like
Morpho or Curve — without the team taking custody.

The authority's power is cryptographically bounded:

* **Add-only.** The authority can register new selectors. It cannot `Replace`
  or `Remove` existing ones.
* **No reach into core facets.** It cannot touch `Security`, `Ownership`,
  `DiamondCut`, `Loupe`, or its own selectors.
* **No owner change.** It cannot transfer ownership of your account.
* **No fund movement.** It has no path to call USDC `transfer` from your
  account.

If you do not want this — even with the limits above — you call
`userRevokeUpgradeAuthority` on your account. From that point your Diamond is
upgrade-frozen and reverts to plain EIP-2535 behavior. See
[Authority & upgrade model](/contracts/authority-upgrade-model).

## What happens when things go wrong

A safety-first design means **liveness fails before safety fails**:

* **Chain outage mid-route.** The cross-chain step uses an EIP-712
  `BurnIntent`, not a broadcast transaction. The intent can be retried after
  the chain recovers. Compass pauses rather than rerouting mid-flight.
* **Indexer lag.** The deterministic loop assumes lag and retries on a
  60-second window. Plans are idempotent.
* **LLM produces something wrong.** The plan is rejected by the policy
  engine, never broadcast. The LLM cannot bypass the engine because the LLM
  does not sign transactions.
* **Agent operator goes down.** Your funds stay in your smart account. You
  withdraw from the dashboard or directly from your owner EOA.

## Trust assumptions, stated plainly

What you *do* have to trust:

* **The Diamond's `Security` and `Ownership` facets are correct.** These
  enforce the rules above. They have not been audited yet. See
  [Status](#status) below.
* **Circle Gateway settles correctly.** Compass uses Gateway as the
  cross-chain primitive. Trust in Gateway is trust in Circle.
* **The deployed contracts match the published source.** Compass publishes
  source and addresses for all account facets.

What you *do not* have to trust:

* The Compass team's intentions over time. Revoke upgrade authority and you
  are on plain EIP-2535.
* The agent operator's uptime. Your funds are not in their custody.
* The LLM's reasoning. It does not sign transactions.

## Status

<Info>
  Compass is on Arc Testnet. Contracts have not yet been audited. Funds are
  testnet only. Audit and mainnet timing track Arc's mainnet launch. The
  trust model above is the design — this page will be updated with audit
  reports as they land.
</Info>

## Next steps

<CardGroup cols={2}>
  <Card title="Diamond account" icon="file-code" href="/contracts/diamond-account">
    The smart account architecture and facet boundaries.
  </Card>

  <Card title="Session keys" icon="key" href="/contracts/session-keys">
    On-chain enforcement of the agent's permissions.
  </Card>

  <Card title="Authority & upgrade model" icon="git-pull-request" href="/contracts/authority-upgrade-model">
    Add-only authority, what it can ship, and how to revoke it.
  </Card>

  <Card title="Audit trail" icon="scroll" href="/architecture/audit-trail">
    Every decision the agent makes, logged and replayable.
  </Card>
</CardGroup>
