Architecture

HRM is a payment lane added to Hermes and kept isolated on purpose.

The goal is simple: keep a real wallet and token flow isolated from the messaging and calling foundations that already work in production, while leaving the Wallet lane ready for more EVM assets later.

Wallet model

The HRM wallet is created on the iPhone with a 12-word recovery phrase and a standard Ethereum derivation path. Hermes does not custody the wallet. Revealing the phrase, deleting the wallet or signing a transfer stays tied to device-level authentication and local confirmation.

Backend model

The backend only covers what the app should not fake or duplicate locally: returning balances, reading token transfer history, issuing activation challenges, preparing transaction parameters, broadcasting signed raw transactions and exposing the active network configuration.

Trust boundaries

  • The device creates and stores the wallet credentials.
  • The device signs outgoing transfers locally.
  • The server can help broadcast a signed transaction, but it does not hold the user's spend key.
  • Wallet ownership is not assumed from an address alone; activation still requires a signed challenge.
  • HRM remains separated from Hermes calls, WebRTC and the legacy payment ledger.

Why this version stays small

  • No custom blockchain and no bridge.
  • No custodial balances for HRM.
  • No microservice sprawl for the first release.
  • No dependency on a full exchange stack inside Hermes.

Current limitations

  • Network, explorer and liquidity readiness still depend on the deployed environment and market state.
  • Explorer history is basic ERC-20 transfer history, not a portfolio engine.
  • The first launch centers on HRM even though the wallet lane is designed to grow into more EVM assets.
  • ETH on Base Mainnet is still required for gas.

Security model

Address binding is not treated as strong identity on its own. Hermes requires a signed activation challenge to prove wallet control, and real transfers are always signed on-device before the raw transaction is sent out.
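
The server side of such an activation challenge could look like the sketch below. This is an added example, not Hermes code: the class name, message layout, `CHALLENGE_TTL` value and the caller-supplied `recover_signer` routine are all assumptions, since the page does not specify the challenge format or signature scheme.

```python
import secrets
import time

CHALLENGE_TTL = 300  # seconds; assumed value, the page gives none


class ActivationChallenges:
    """Issue and check single-use wallet activation challenges (hypothetical)."""

    def __init__(self, recover_signer, chain_id, now=time.time):
        # recover_signer(message: str, signature: bytes) -> address string.
        # Assumed to be an EVM signature-recovery routine supplied by the
        # caller; it is not implemented here.
        self._recover = recover_signer
        self._chain_id = chain_id
        self._now = now
        self._pending = {}  # lowercased address -> (message, expires_at)

    def issue(self, address):
        address = address.lower()
        nonce = secrets.token_hex(16)  # unpredictable, so old signatures cannot be reused
        expires = self._now() + CHALLENGE_TTL
        # Purpose, address, chain and nonce are all part of the signed text, so
        # a signature cannot be replayed for another wallet, network or action.
        message = (f"HRM wallet activation\naddress: {address}\n"
                   f"chain: {self._chain_id}\nnonce: {nonce}\n"
                   f"expires: {int(expires)}")
        self._pending[address] = (message, expires)  # newest challenge wins
        return message

    def verify(self, address, signature):
        address = address.lower()
        # pop() consumes the challenge whether or not the check succeeds,
        # so each challenge gets exactly one verification attempt.
        entry = self._pending.pop(address, None)
        if entry is None:
            return False  # an address alone, with no challenge, proves nothing
        message, expires = entry
        if self._now() > expires:
            return False
        try:
            signer = self._recover(message, signature)
        except Exception:
            return False  # malformed or unrecoverable signature
        # Ownership is accepted only if the recovered signer is the claimed address.
        return signer.lower() == address
```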