Console security
developerThe deny-by-default kernel: canonical contract and asset allowlist, plan-hash integrity, no server keys, no arbitrary calldata, no session keys, no Safe module, the kill switch, tool-manifest drift detection, and the provenance barrier for action-critical fields.
The Console security model is deny-by-default. Every prepared action passes an additional capability kernel (in kernel.ts) before it can be shown for review or handed to a wallet. The kernel does not replace the contract- or core-level fuses; it consolidates them for the Console and adds Console-specific checks.
The kernel checks
- Kill switch and prepare gate. If
HISS_CONSOLE_KILL_SWITCHis active, or prepare is disabled, every action is blocked. - Plan-hash integrity. The frozen plan hash is re-verified; any mutation of a critical field produces
plan_hash_mismatchand blocks the action. - Expiry. A lapsed plan is blocked (
plan_expired). - Canonical allowlist. A value-bearing action must target a contract in the canonical registry and, when it carries a token, a canonical asset — otherwise
contract_not_canonicalorasset_not_canonical. The chain must be exactly Robinhood Chain 4663. - Amount sanity. The amount must be a positive base-unit integer, and if a balance is readable it must not exceed it.
- Signing gate. A value-bearing action may only reach a wallet when signing is enabled and the owner gate is on — otherwise
signing_disabled. See wallet handoff.
Structural guarantees
- No server keys.
serverSigningEnabledis always false; the server signs nothing. - No arbitrary calldata. Calldata is produced only by existing deterministic HISS encoders for the exact reviewed plan; the Console never accepts free-form calldata.
- No session keys, no Safe module, no automation. These do not exist in the product — the capability model stops at L2.
- Kill switch. A single flag forces prepare and signing off immediately.
Tool-manifest drift detection
The Console pins a hash of each tool’s schema, description, and version. If any drifts from the pinned manifest — a defense against tool-poisoning — the tool is disabled for signing. Read-only use may remain, at the caller’s discretion.
The Console stores no credentials and asks for none. HISS never stores brokerage credentials, never places brokerage orders, and never takes custody.