Hermes Mobile can approve actions that affect files, terminals, repositories, APIs, cron jobs, and external services. The security model must assume that a paired mobile device is powerful and must be revocable.

• Gateway must not expose mobile endpoints without explicit enablement.
• Devices must pair with short-lived codes.
• Devices must be individually identifiable and revocable.
• Approval actions must be audited.
• High-risk approvals should require biometric confirmation when supported.
• The app must not expose arbitrary filesystem browsing by default.
• Artifacts should be registered and scoped.

Pairing should include:

• Gateway URL;
• short-lived pairing code;
• TLS/server fingerprint;
• device name;
• platform;
• public key or generated credential.

Pairing code should expire quickly and be single-use.

Mobile credentials must be stored in:

• iOS Keychain;
• Android EncryptedSharedPreferences or equivalent secure storage.

Do not store tokens in plain SQLDelight tables.

Target design uses signed requests:

METHOD
PATH
BODY_SHA256
TIMESTAMP
NONCE

Gateway rejects:

• expired timestamps;
• replayed nonces;
• revoked devices;
• invalid signatures.

Record:

• device id;
• session id;
• approval id;
• action;
• decision;
• risk;
• timestamp;
• relevant metadata.

Recommended MVP deployment:

Phone ↔ Tailscale/LAN ↔ Hermes Gateway

Tailscale reduces exposure but does not replace pairing. Pairing is still needed for revoke, audit, and future relay compatibility.