feat(evm): implement EVM sign transaction handling in client and user agent

2026-03-26 19:57:48 +01:00
parent 2148faa376
commit 6987e5f70f
14 changed files with 605 additions and 51 deletions
--- a/server/crates/arbiter-server/src/actors/client/auth.rs
+++ b/server/crates/arbiter-server/src/actors/client/auth.rs
@@ -54,10 +54,19 @@ pub enum Outbound {
    AuthSuccess,
 }

+#[derive(Debug, Clone)]
+pub struct AuthenticatedClient {
+    pub pubkey: VerifyingKey,
+    pub client_id: i32,
+}
+
 /// Atomically reads and increments the nonce for a known client.
 /// Returns `None` if the pubkey is not registered.
-async fn get_nonce(db: &db::DatabasePool, pubkey: &VerifyingKey) -> Result<Option<i32>, Error> {
-    let pubkey_bytes = pubkey.as_bytes().to_vec();
+async fn get_nonce(
+    db: &db::DatabasePool,
+    pubkey: &VerifyingKey,
+) -> Result<Option<(/* client_id */ i32, /* nonce */ i32)>, Error> {
+    let pubkey_bytes = pubkey.as_bytes();

    let mut conn = db.get().await.map_err(|e| {
        error!(error = ?e, "Database pool error");
@@ -65,7 +74,6 @@ async fn get_nonce(db: &db::DatabasePool, pubkey: &VerifyingKey) -> Result<Optio
    })?;

    conn.exclusive_transaction(|conn| {
-        let pubkey_bytes = pubkey_bytes.clone();
        Box::pin(async move {
            let Some((client_id, current_nonce)) = program_client::table
                .filter(program_client::public_key.eq(&pubkey_bytes))
@@ -83,8 +91,7 @@ async fn get_nonce(db: &db::DatabasePool, pubkey: &VerifyingKey) -> Result<Optio
                .execute(conn)
                .await?;

-            let _ = client_id;
-            Ok(Some(current_nonce))
+            Ok(Some((client_id, current_nonce)))
        })
    })
    .await
@@ -213,23 +220,25 @@ where
 pub async fn authenticate<T>(
    props: &mut ClientConnection,
    transport: &mut T,
-) -> Result<VerifyingKey, Error>
+) -> Result<AuthenticatedClient, Error>
 where
    T: Bi<Inbound, Result<Outbound, Error>> + Send + ?Sized,
 {
-    let Some(Inbound::AuthChallengeRequest { pubkey }) = transport.recv().await
-    else {
+    let Some(Inbound::AuthChallengeRequest { pubkey }) = transport.recv().await else {
        return Err(Error::Transport);
    };

-    let nonce = match get_nonce(&props.db, &pubkey).await? {
-        Some(nonce) => nonce,
+    let (client_id, nonce) = match get_nonce(&props.db, &pubkey).await? {
+        Some(client_nonce) => client_nonce,
        None => {
            approve_new_client(&props.actors, pubkey).await?;
            match insert_client(&props.db, &pubkey).await? {
-                InsertClientResult::Inserted => 0,
+                InsertClientResult::Inserted => match get_nonce(&props.db, &pubkey).await? {
+                    Some((client_id, _)) => (client_id, 0),
+                    None => return Err(Error::DatabaseOperationFailed),
+                },
                InsertClientResult::AlreadyExists => match get_nonce(&props.db, &pubkey).await? {
-                    Some(nonce) => nonce,
+                    Some((client_id, nonce)) => (client_id, nonce),
                    None => return Err(Error::DatabaseOperationFailed),
                },
            }
@@ -245,5 +254,5 @@ where
            Error::Transport
        })?;

-    Ok(pubkey)
+    Ok(AuthenticatedClient { pubkey, client_id })
 }
--- a/server/crates/arbiter-server/src/actors/client/mod.rs
+++ b/server/crates/arbiter-server/src/actors/client/mod.rs
@@ -10,11 +10,16 @@ use crate::{
 pub struct ClientConnection {
    pub(crate) db: db::DatabasePool,
    pub(crate) actors: GlobalActors,
+    pub(crate) client_id: i32,
 }

 impl ClientConnection {
    pub fn new(db: db::DatabasePool, actors: GlobalActors) -> Self {
-        Self { db, actors }
+        Self {
+            db,
+            actors,
+            client_id: 0,
+        }
    }
 }

@@ -26,7 +31,8 @@ where
    T: Bi<auth::Inbound, Result<auth::Outbound, auth::Error>> + Send + ?Sized,
 {
    match auth::authenticate(&mut props, transport).await {
-        Ok(_pubkey) => {
+        Ok(authenticated) => {
+            props.client_id = authenticated.client_id;
            ClientSession::spawn(ClientSession::new(props));
            info!("Client authenticated, session started");
        }
--- a/server/crates/arbiter-server/src/actors/client/session.rs
+++ b/server/crates/arbiter-server/src/actors/client/session.rs
@@ -1,11 +1,18 @@
 use kameo::{Actor, messages};
 use tracing::error;

+use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
+
 use crate::{
    actors::{
-        GlobalActors, client::ClientConnection, keyholder::KeyHolderState, router::RegisterClient,
+        GlobalActors,
+        client::ClientConnection,
+        evm::{ClientSignTransaction, SignTransactionError},
+        keyholder::KeyHolderState,
+        router::RegisterClient,
    },
    db,
+    evm::VetError,
 };

 pub struct ClientSession {
@@ -34,6 +41,34 @@ impl ClientSession {

        Ok(vault_state)
    }
+
+    #[message]
+    pub(crate) async fn handle_sign_transaction(
+        &mut self,
+        wallet_address: Address,
+        transaction: TxEip1559,
+    ) -> Result<Signature, SignTransactionRpcError> {
+        match self
+            .props
+            .actors
+            .evm
+            .ask(ClientSignTransaction {
+                client_id: self.props.client_id,
+                wallet_address,
+                transaction,
+            })
+            .await
+        {
+            Ok(signature) => Ok(signature),
+            Err(kameo::error::SendError::HandlerError(SignTransactionError::Vet(vet_error))) => {
+                Err(SignTransactionRpcError::Vet(vet_error))
+            }
+            Err(err) => {
+                error!(?err, "Failed to sign EVM transaction in client session");
+                Err(SignTransactionRpcError::Internal)
+            }
+        }
+    }
 }

 impl Actor for ClientSession {
@@ -69,3 +104,12 @@ pub enum Error {
    #[error("Internal error")]
    Internal,
 }
+
+#[derive(Debug, thiserror::Error)]
+pub enum SignTransactionRpcError {
+    #[error("Policy evaluation failed")]
+    Vet(#[from] VetError),
+
+    #[error("Internal error")]
+    Internal,
+}
--- a/server/crates/arbiter-server/src/actors/user_agent/session.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session.rs
@@ -36,7 +36,10 @@ impl Error {
 pub struct UserAgentSession {
    props: UserAgentConnection,
    state: UserAgentStateMachine<DummyContext>,
-    #[allow(dead_code, reason = "The session keeps ownership of the outbound transport even before the state-machine flow starts using it directly")]
+    #[allow(
+        dead_code,
+        reason = "The session keeps ownership of the outbound transport even before the state-machine flow starts using it directly"
+    )]
    sender: Box<dyn Sender<OutOfBand>>,
 }

@@ -44,8 +47,11 @@ mod connection;
 pub(crate) use connection::{
    BootstrapError, HandleBootstrapEncryptedKey, HandleEvmWalletCreate, HandleEvmWalletList,
    HandleGrantCreate, HandleGrantDelete, HandleGrantList, HandleQueryVaultState,
+    HandleSignTransaction,
+};
+pub use connection::{
+    HandleUnsealEncryptedKey, HandleUnsealRequest, SignTransactionError, UnsealError,
 };
-pub use connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError};

 impl UserAgentSession {
    pub(crate) fn new(props: UserAgentConnection, sender: Box<dyn Sender<OutOfBand>>) -> Self {
--- a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
@@ -1,6 +1,6 @@
 use std::sync::Mutex;

-use alloy::primitives::Address;
+use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use kameo::error::SendError;
 use kameo::messages;
@@ -14,13 +14,14 @@ use crate::safe_cell::SafeCell;
 use crate::{
    actors::{
        evm::{
-            Generate, ListWallets, UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
+            ClientSignTransaction, Generate, ListWallets, SignTransactionError as EvmSignError,
+            UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
        },
        keyholder::{self, Bootstrap, TryUnseal},
        user_agent::session::{
-                UserAgentSession,
-                state::{UnsealContext, UserAgentEvents, UserAgentStates},
-            },
+            UserAgentSession,
+            state::{UnsealContext, UserAgentEvents, UserAgentStates},
+        },
    },
    safe_cell::SafeCellHandle as _,
 };
@@ -103,6 +104,15 @@ pub enum BootstrapError {
    General(#[from] super::Error),
 }

+#[derive(Debug, Error)]
+pub enum SignTransactionError {
+    #[error("Policy evaluation failed")]
+    Vet(#[from] crate::evm::VetError),
+
+    #[error("Internal signing error")]
+    Internal,
+}
+
 #[messages]
 impl UserAgentSession {
    #[message]
@@ -351,4 +361,33 @@ impl UserAgentSession {
            }
        }
    }
+
+    #[message]
+    pub(crate) async fn handle_sign_transaction(
+        &mut self,
+        client_id: i32,
+        wallet_address: Address,
+        transaction: TxEip1559,
+    ) -> Result<Signature, SignTransactionError> {
+        match self
+            .props
+            .actors
+            .evm
+            .ask(ClientSignTransaction {
+                client_id,
+                wallet_address,
+                transaction,
+            })
+            .await
+        {
+            Ok(signature) => Ok(signature),
+            Err(SendError::HandlerError(EvmSignError::Vet(vet_error))) => {
+                Err(SignTransactionError::Vet(vet_error))
+            }
+            Err(err) => {
+                error!(?err, "EVM sign transaction failed in user-agent session");
+                Err(SignTransactionError::Internal)
+            }
+        }
+    }
 }