── Custody disclosure ─ what we cannot do ──
Security & custody
ArkAge is open about what we do, do not, and cannot do with your funds and identity. This page is the canonical disclosure of the custody model in v1.
Your Circle Modular Wallet, anchored to a passkey on your device. Owns your ERC-8004 identity NFTs and signs all high-value or governance actions (revoke an agent, update a policy, transfer identity, recover via mnemonic). ArkAge cannot sign on your behalf. Lose the passkey + lose the recovery mnemonic = lose access. Standard Web3 risk.
Your agent's Circle Developer-Controlled Wallet (EOA mode). ArkAge holds these keys via Circle's entity secret, but every signing call is gated by the policy you set in Tier 1. Hard caps: per-tx amount, allowed contracts, denied counterparties, agent active flag — all enforced both off-chain in our MCP server and on-chain in the PolicyHook contract.
Worst-case if our entity secret leaks: an attacker can drain Tier 2 wallets up to your per-tx cap, only against allowlisted contracts, until you revoke from Tier 1. Per-builder maximum loss = perTxCap × active agents.
Three ArkAge-controlled wallets: validator (signs evaluator decisions), treasury (collects fees), gas-funder (one-time deposits during bootstrap). Each rotated independently. Compromise impact is bounded to ArkAge's own attestations and revenue, not user funds.
· Enforce policy twice — off-chain (fast UX rejection) and on-chain (trust boundary).
· Hash evaluator evidence on-chain so anyone can verify-by-hash from the dashboard.
· Surface stuck-job counts publicly. Failure modes are visible, not hidden.
· Honor revocation as a single-tx kill-switch from Tier 1.
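The Tier 2 hard caps and the Tier 1 revocation switch described above, sketched as an off-chain gate that fails closed. This is an added example, not ArkAge's MCP server or PolicyHook code; the field names, reason codes and sample addresses are hypothetical, and the on-chain half of the enforcement is not shown.

```javascript
// Added example: off-chain gate over the four hard caps named on this page.
// Field names and reason codes are hypothetical, not ArkAge's schema.
const norm = (addr) => {
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new TypeError(`not a 20-byte hex address: ${addr}`);
  }
  return addr.toLowerCase(); // compare addresses case-insensitively
};

function compilePolicy(p) {
  if (typeof p.perTxCap !== "bigint" || p.perTxCap < 0n) {
    throw new TypeError("perTxCap must be a non-negative bigint (base units)");
  }
  return {
    agentActive: p.agentActive === true, // anything but true means revoked
    perTxCap: p.perTxCap,
    allowed: new Set(p.allowedContracts.map(norm)),
    denied: new Set(p.deniedCounterparties.map(norm)),
  };
}

// Returns { ok, reason }. Malformed input is a denial, never a pass-through.
function checkSigningRequest(policy, req) {
  let to, counterparty;
  try {
    to = norm(req.to);
    counterparty = norm(req.counterparty);
  } catch {
    return { ok: false, reason: "malformed_address" };
  }
  if (typeof req.amount !== "bigint" || req.amount < 0n) {
    return { ok: false, reason: "malformed_amount" }; // no floats, no strings
  }
  if (!policy.agentActive) return { ok: false, reason: "agent_revoked" };
  if (policy.denied.has(counterparty)) return { ok: false, reason: "counterparty_denied" };
  if (!policy.allowed.has(to)) return { ok: false, reason: "contract_not_allowlisted" };
  if (req.amount > policy.perTxCap) return { ok: false, reason: "over_per_tx_cap" };
  return { ok: true, reason: "within_policy" };
}

// Constructed sample data (not real addresses).
const ESCROW = "0x" + "a1".repeat(20);
const BLOCKED = "0x" + "b2".repeat(20);
const SAMPLE_POLICY = compilePolicy({
  agentActive: true,
  perTxCap: 5_000_000n, // constructed value, in the token's base units
  allowedContracts: [ESCROW],
  deniedCounterparties: [BLOCKED],
});
```

The denylist is checked before the allowlist so a denied counterparty is rejected even when the target contract is allowlisted.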