The physical HSM acts as a blind cryptographic gatekeeper that operates under Zero-Trust principles.
The Cloud/Hardware Decoupling: Our core architecture ensures that the cloud infrastructure passes transaction payloads to the physical HSM via a dedicated component. The hardware layer does not trust or rely on cloud validation logic.
Firmware Enforcement: A custom, proprietary Functionality Module (FM) running natively inside the HSM's Secure Execution Environment independently validates client signatures. It enforces delegated multisignature policies via quorum-based clause validation entirely within its physical secure boundary.
The Human Circuit-Breaker: Even if a rogue TCSS blindly appends its signature to a malicious payload, the HSM evaluates the wallet policy rules hardcoded in its firmware. For external destinations, the policy dictates a separate high-tier threshold: a 2-of-5 quorum of Instruction Keys generated inside physical iOS Secure Enclaves. Because those device keys are physically isolated and cannot be exported from the phones that hold them, the transaction stalls at the HSM layer until a human reviews the payload on their screen and manually signs it.
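As an added example (not the vendor's Functionality Module code), the quorum-based clause validation from the Firmware Enforcement and Human Circuit-Breaker points above, written in Python: a hardcoded policy selects a clause by destination class, counts distinct valid signatures toward each requirement, and stalls the transaction whenever the TCSS co-signature or the 2-of-5 Instruction Key quorum is missing. Everything not named in the text is an assumption: the HMAC signatures stand in for the Secure Enclave and TCSS keys (a real FM would verify asymmetric signatures against enrolled public keys), and the internal-transfer clause, the address whitelist, the key ids and the payload fields are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed stand-in key material. Assumption: HMAC keys model the per-device
# Secure Enclave keys and the TCSS co-signing key; a real FM would verify
# asymmetric signatures against enrolled public keys instead.
INSTRUCTION_KEYS = {
    f"ios-device-{i}": hashlib.sha256(f"enclave-key-{i}".encode()).digest()
    for i in range(1, 6)
}
TCSS_KEY_ID = "tcss"
ALL_KEYS = {**INSTRUCTION_KEYS, TCSS_KEY_ID: hashlib.sha256(b"cloud-cosigner").digest()}

# Constructed whitelist of internal (own-wallet) addresses; anything else is external.
INTERNAL_ADDRESSES = frozenset({"addr-hot-1", "addr-cold-1"})


@dataclass(frozen=True)
class Requirement:
    label: str
    keys: frozenset   # key ids whose signatures count toward this requirement
    threshold: int    # distinct valid signatures needed


@dataclass(frozen=True)
class Clause:
    name: str
    external: bool         # which destination class the clause governs
    requirements: tuple    # every requirement must be satisfied


# Hardcoded policy. The internal clause is an assumption; the external clause is
# the TCSS co-signature plus the 2-of-5 Instruction Key quorum from the text.
POLICY = (
    Clause("internal-transfer", False, (
        Requirement("TCSS co-signature", frozenset({TCSS_KEY_ID}), 1),
    )),
    Clause("external-withdrawal", True, (
        Requirement("TCSS co-signature", frozenset({TCSS_KEY_ID}), 1),
        Requirement("Instruction Key quorum", frozenset(INSTRUCTION_KEYS), 2),
    )),
)


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so signers and the HSM authenticate identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(key_id: str, payload: dict) -> bytes:
    """Stand-in signer (HMAC); models a device or the TCSS producing a signature."""
    return hmac.new(ALL_KEYS[key_id], canonical(payload), hashlib.sha256).digest()


def verify(key_id: str, payload: dict, sig: bytes) -> bool:
    """Constant-time check; key ids not enrolled in the policy never verify."""
    key = ALL_KEYS.get(key_id)
    if key is None:
        return False
    expected = hmac.new(key, canonical(payload), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def select_clause(payload: dict) -> Clause:
    """Pick the clause by destination class; the HSM decides this, not the cloud."""
    is_external = payload["destination"] not in INTERNAL_ADDRESSES
    for clause in POLICY:
        if clause.external == is_external:
            return clause
    raise ValueError("policy has no clause for this destination class")


def evaluate(payload: dict, signatures: dict) -> tuple:
    """Return (approved, reason). `signatures` is {key_id: sig}; keying by key id
    guarantees one device can never be counted twice toward a quorum."""
    clause = select_clause(payload)
    valid = {k for k, s in signatures.items() if verify(k, payload, s)}
    for req in clause.requirements:
        have = len(valid & req.keys)
        if have < req.threshold:
            return False, f"{clause.name}: stalled, {have}/{req.threshold} {req.label}"
    return True, f"{clause.name}: approved"


if __name__ == "__main__":
    tx = {"destination": "addr-unknown-exchange", "amount": 500000, "nonce": 7}
    # A rogue TCSS appends its signature to an external payload: not enough.
    print(evaluate(tx, {TCSS_KEY_ID: sign(TCSS_KEY_ID, tx)}))
    # Two human-held devices co-sign the same payload: quorum met.
    sigs = {k: sign(k, tx) for k in (TCSS_KEY_ID, "ios-device-2", "ios-device-5")}
    print(evaluate(tx, sigs))
    # Payload altered after signing: every signature fails to verify.
    print(evaluate({**tx, "amount": 999999}, sigs))
```

The two properties worth checking in any real FM are visible here: the signature set is keyed by enrolled key id, so a replayed or duplicated device signature never inflates the count, and the destination class is derived by the HSM from the payload bytes it signs over, so the cloud layer cannot relabel an external withdrawal as internal to reach the lower threshold.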