feat(server): integrity envelope engine for EVM grants with HMAC verification

2026-04-04 21:52:50 +02:00
parent f5eb51978d
commit 4057c1fc12
20 changed files with 889 additions and 32 deletions
--- a/server/crates/arbiter-server/src/grpc/common/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/common/outbound.rs
@@ -108,12 +108,12 @@ impl Convert for VetError {
                        violations: violations.into_iter().map(Convert::convert).collect(),
                    })
                }
-                PolicyError::Database(_) => {
+                PolicyError::Database(_)| PolicyError::Integrity(_) => {
                    return EvmSignTransactionResult::Error(ProtoEvmError::Internal.into());
                }
            },
        };

-        EvmSignTransactionResult::EvalError(ProtoTransactionEvalError { kind: Some(kind) }.into())
+        EvmSignTransactionResult::EvalError(ProtoTransactionEvalError { kind: Some(kind) })
    }
 }
--- a/server/crates/arbiter-server/src/grpc/user_agent/evm.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/evm.rs
@@ -26,8 +26,8 @@ use crate::{
    actors::user_agent::{
        UserAgentSession,
        session::connection::{
-            HandleEvmWalletCreate, HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete,
-            HandleGrantList, HandleSignTransaction,
+            GrantMutationError, HandleEvmWalletCreate, HandleEvmWalletList, HandleGrantCreate,
+            HandleGrantDelete, HandleGrantList, HandleSignTransaction,
            SignTransactionError as SessionSignTransactionError,
        },
    },
@@ -114,7 +114,7 @@ async fn handle_grant_list(
            grants: grants
                .into_iter()
                .map(|grant| GrantEntry {
-                    id: grant.id,
+                    id: grant.shared_grant_id,
                    wallet_access_id: grant.shared.wallet_access_id,
                    shared: Some(grant.shared.convert()),
                    specific: Some(grant.settings.convert()),
@@ -148,6 +148,9 @@ async fn handle_grant_create(

    let result = match actor.ask(HandleGrantCreate { basic, grant }).await {
        Ok(grant_id) => EvmGrantCreateResult::GrantId(grant_id),
+        Err(kameo::error::SendError::HandlerError(GrantMutationError::VaultSealed)) => {
+            EvmGrantCreateResult::Error(ProtoEvmError::VaultSealed.into())
+        }
        Err(err) => {
            warn!(error = ?err, "Failed to create EVM grant");
            EvmGrantCreateResult::Error(ProtoEvmError::Internal.into())
@@ -171,6 +174,9 @@ async fn handle_grant_delete(
        .await
    {
        Ok(()) => EvmGrantDeleteResult::Ok(()),
+        Err(kameo::error::SendError::HandlerError(GrantMutationError::VaultSealed)) => {
+            EvmGrantDeleteResult::Error(ProtoEvmError::VaultSealed.into())
+        }
        Err(err) => {
            warn!(error = ?err, "Failed to delete EVM grant");
            EvmGrantDeleteResult::Error(ProtoEvmError::Internal.into())