chore: add Accretion audit report

dev-jodee · dev-jodee · commit b4f85ed06a94 · 2026-04-07T11:10:39.000-04:00
diff --git a/README.md b/README.md
@@ -4,8 +4,6 @@
 [![Built with Pinocchio](https://img.shields.io/badge/Built%20with-Pinocchio-purple)](https://github.com/solana-program/pinocchio)
 [![Solana](https://img.shields.io/badge/Solana-Devnet-green)](https://solana.com)
 
-> **SECURITY NOTICE**: This program has not been audited. Use at your own risk. Not recommended for production use with real funds without a thorough security review.
-
 ## Program ID
 
 ```
@@ -131,6 +129,12 @@ just fmt
 - **[Codama](https://github.com/codama-idl)** - IDL-driven client generation
 - **[LiteSVM](https://github.com/LiteSVM/litesvm)** - Fast local testing
 
+## Security Audit
+
+`escrow` has been audited by [Accretion](https://accretion.xyz). View the [audit report](audits/2026-accretion-solana-foundation-escrow-audit-A26SFR3.pdf).
+
+Audit status, audited-through commit, and the current unaudited delta are tracked in [audits/AUDIT_STATUS.md](audits/AUDIT_STATUS.md).
+
 ---
 
 Built and maintained by the [Solana Foundation](https://solana.org/).
diff --git a/audits/2026-accretion-solana-foundation-escrow-audit-A26SFR3.pdf b/audits/2026-accretion-solana-foundation-escrow-audit-A26SFR3.pdf
diff --git a/audits/AUDIT_STATUS.md b/audits/AUDIT_STATUS.md
@@ -0,0 +1,40 @@
+# Audit Status
+
+Last updated: 2026-04-07
+
+## Current Baseline
+
+- Auditor: Accretion
+- Report: `audits/2026-accretion-solana-foundation-escrow-audit-A26SFR3.pdf`
+- Audited-through commit: `36187ad52c7c03d11b13b6f1da9461f2f757cee2`
+- Compare unaudited delta: https://github.com/solana-program/escrow/compare/36187ad52c7c03d11b13b6f1da9461f2f757cee2...main
+
+Audit scope is commit-based. Commits after the audited-through SHA are considered unaudited until a new audit or mitigation review updates this file.
+
+## Branch and Release Model
+
+- `main` is the integration branch and may contain audited and unaudited commits.
+- Stable production releases are immutable tags/releases (for example `v1.0.0`).
+- Audited baselines are tracked by commit SHA plus immutable tags/releases, not by long-lived release branches.
+
+## Verification Commands
+
+```bash
+# Count commits after the audited baseline
+git rev-list --count 36187ad52c7c03d11b13b6f1da9461f2f757cee2..main
+
+# Inspect commit list since audited baseline
+git log --oneline 36187ad52c7c03d11b13b6f1da9461f2f757cee2..main
+
+# Inspect file-level diff since audited baseline
+git diff --name-status 36187ad52c7c03d11b13b6f1da9461f2f757cee2..main
+```
+
+## Maintenance Rules
+
+When a new audit is completed:
+
+1. Add the new report to `audits/`.
+2. Update `Audited-through commit` and `Compare unaudited delta`.
+3. Tag audited release commit(s) (for example `vX.Y.Z`).
+4. Update README and release notes links if needed.
