Wallet handoff (A.2)
userThe user-signs-each-action model: you sign in your own wallet, the HISS server signs nothing, and the handoff is gated behind the signing flag plus owner approval — currently disabled.
The wallet handoff is capability level L2 SIGN_EACH_ACTION — the A.2 model. It means exactly one thing: you sign each action in your own wallet. HISS hands the reviewed, hash-verified plan to your wallet for you to inspect and sign; the HISS server signs nothing. This is a web and product wallet handoff, not something HISS executes.
How a handoff works when it is enabled
- A plan reaches
APPROVED_FOR_WALLETfrom the inbox. - The security kernel re-verifies the plan hash, expiry, canonical contract and asset, and the signing gate before any handoff. See the security model.
- Your wallet receives the transaction to review and sign. HISS produces the calldata from existing deterministic HISS encoders — never from model text — and only for the exact reviewed plan.
- You sign. The run advances to
SUBMITTEDand is reconciled against the canonical receipt. From here, cancellation no longer applies.
The gates
Signing is doubly gated: HISS_CONSOLE_SIGNING_ENABLED must be true and the owner approval OWNER_APPROVED_HISS_CONSOLE_L2_SIGNING must be true, on top of prepare being enabled and the kill switch being off. It defaults off and never auto-enables. See feature stages.