Skip to content

Wallet handoff (A.2)

user

The user-signs-each-action model: you sign in your own wallet, the HISS server signs nothing, and the handoff is gated behind the signing flag plus owner approval — currently disabled.

The wallet handoff is capability level L2 SIGN_EACH_ACTION — the A.2 model. It means exactly one thing: you sign each action in your own wallet. HISS hands the reviewed, hash-verified plan to your wallet for you to inspect and sign; the HISS server signs nothing. This is a web and product wallet handoff, not something HISS executes.

How a handoff works when it is enabled

  1. A plan reaches APPROVED_FOR_WALLET from the inbox.
  2. The security kernel re-verifies the plan hash, expiry, canonical contract and asset, and the signing gate before any handoff. See the security model.
  3. Your wallet receives the transaction to review and sign. HISS produces the calldata from existing deterministic HISS encoders — never from model text — and only for the exact reviewed plan.
  4. You sign. The run advances to SUBMITTED and is reconciled against the canonical receipt. From here, cancellation no longer applies.

The gates

Signing is doubly gated: HISS_CONSOLE_SIGNING_ENABLED must be true and the owner approval OWNER_APPROVED_HISS_CONSOLE_L2_SIGNING must be true, on top of prepare being enabled and the kill switch being off. It defaults off and never auto-enables. See feature stages.

$HISS is independent research software in pre-execution readiness checks — not investment advice, and not affiliated with Robinhood, Bankr, or Chainlink.

Wallet handoff (A.2) · HISS