From 6987e5f70fb450a954e3046af97a382208f4c196 Mon Sep 17 00:00:00 2001
From: CleverWild <cleverwilddev@gmail.com>
Date: Thu, 26 Mar 2026 19:57:48 +0100
Subject: [PATCH 01/29] feat(evm): implement EVM sign transaction handling in
 client and user agent

---
 protobufs/client.proto                        |   1 +
 protobufs/user_agent.proto                    |   7 +
 server/crates/arbiter-client/src/transport.rs |   8 +-
 .../crates/arbiter-client/src/wallets/evm.rs  |  68 +++++-
 .../arbiter-server/src/actors/client/auth.rs  |  35 ++-
 .../arbiter-server/src/actors/client/mod.rs   |  10 +-
 .../src/actors/client/session.rs              |  46 +++-
 .../src/actors/user_agent/session.rs          |  10 +-
 .../actors/user_agent/session/connection.rs   |  49 +++-
 .../src/evm/policies/ether_transfer/mod.rs    |   4 +-
 .../src/evm/policies/token_transfers/mod.rs   |   6 +-
 .../crates/arbiter-server/src/grpc/client.rs  | 180 +++++++++++++-
 .../arbiter-server/src/grpc/client/auth.rs    |   7 +-
 .../arbiter-server/src/grpc/user_agent.rs     | 225 +++++++++++++++++-
 14 files changed, 605 insertions(+), 51 deletions(-)

diff --git a/protobufs/client.proto b/protobufs/client.proto
index c090a0d..126d99d 100644
--- a/protobufs/client.proto
+++ b/protobufs/client.proto
@@ -42,6 +42,7 @@ message ClientRequest {
     AuthChallengeRequest auth_challenge_request = 1;
     AuthChallengeSolution auth_challenge_solution = 2;
     google.protobuf.Empty query_vault_state = 3;
+    arbiter.evm.EvmSignTransactionRequest evm_sign_transaction = 5;
   }
 }
 
diff --git a/protobufs/user_agent.proto b/protobufs/user_agent.proto
index fe41f87..79d8346 100644
--- a/protobufs/user_agent.proto
+++ b/protobufs/user_agent.proto
@@ -137,6 +137,11 @@ message SdkClientConnectionResponse {
 
 message SdkClientConnectionCancel {}
 
+message UserAgentEvmSignTransactionRequest {
+  int32 client_id = 1;
+  arbiter.evm.EvmSignTransactionRequest request = 2;
+}
+
 message UserAgentRequest {
   int32 id = 16;
   oneof payload {
@@ -155,6 +160,7 @@ message UserAgentRequest {
     SdkClientRevokeRequest sdk_client_revoke = 13;
     google.protobuf.Empty sdk_client_list = 14;
     BootstrapEncryptedKey bootstrap_encrypted_key = 15;
+    UserAgentEvmSignTransactionRequest evm_sign_transaction = 17;
   }
 }
 message UserAgentResponse {
@@ -175,5 +181,6 @@ message UserAgentResponse {
     SdkClientRevokeResponse sdk_client_revoke_response = 13;
     SdkClientListResponse sdk_client_list_response = 14;
     BootstrapResult bootstrap_result = 15;
+    arbiter.evm.EvmSignTransactionResponse evm_sign_transaction = 17;
   }
 }
diff --git a/server/crates/arbiter-client/src/transport.rs b/server/crates/arbiter-client/src/transport.rs
index d56a9f8..7332e89 100644
--- a/server/crates/arbiter-client/src/transport.rs
+++ b/server/crates/arbiter-client/src/transport.rs
@@ -1,6 +1,4 @@
-use arbiter_proto::proto::{
-    client::{ClientRequest, ClientResponse},
-};
+use arbiter_proto::proto::client::{ClientRequest, ClientResponse};
 use std::sync::atomic::{AtomicI32, Ordering};
 use tokio::sync::mpsc;
 
@@ -36,9 +34,7 @@ impl ClientTransport {
             .map_err(|_| ClientSignError::ChannelClosed)
     }
 
-    pub(crate) async fn recv(
-        &mut self,
-    ) -> std::result::Result<ClientResponse, ClientSignError> {
+    pub(crate) async fn recv(&mut self) -> std::result::Result<ClientResponse, ClientSignError> {
         match self.receiver.message().await {
             Ok(Some(resp)) => Ok(resp),
             Ok(None) => Err(ClientSignError::ConnectionClosed),
diff --git a/server/crates/arbiter-client/src/wallets/evm.rs b/server/crates/arbiter-client/src/wallets/evm.rs
index 32ae735..4533793 100644
--- a/server/crates/arbiter-client/src/wallets/evm.rs
+++ b/server/crates/arbiter-client/src/wallets/evm.rs
@@ -8,7 +8,15 @@ use async_trait::async_trait;
 use std::sync::Arc;
 use tokio::sync::Mutex;
 
-use crate::transport::ClientTransport;
+use arbiter_proto::proto::{
+    client::{
+        ClientRequest, client_request::Payload as ClientRequestPayload,
+        client_response::Payload as ClientResponsePayload,
+    },
+    evm::evm_sign_transaction_response::Result as EvmSignTransactionResult,
+};
+
+use crate::transport::{ClientTransport, next_request_id};
 
 pub struct ArbiterEvmWallet {
     transport: Arc<Mutex<ClientTransport>>,
@@ -79,11 +87,61 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
         &self,
         tx: &mut dyn SignableTransaction<Signature>,
     ) -> Result<Signature> {
-        let _transport = self.transport.lock().await;
         self.validate_chain_id(tx)?;
 
-        Err(Error::other(
-            "transaction signing is not supported by current arbiter.client protocol",
-        ))
+        let mut transport = self.transport.lock().await;
+        let request_id = next_request_id();
+        let rlp_transaction = tx.encoded_for_signing();
+
+        transport
+            .send(ClientRequest {
+                request_id,
+                payload: Some(ClientRequestPayload::EvmSignTransaction(
+                    arbiter_proto::proto::evm::EvmSignTransactionRequest {
+                        wallet_address: self.address.to_vec(),
+                        rlp_transaction,
+                    },
+                )),
+            })
+            .await
+            .map_err(|_| Error::other("failed to send evm sign transaction request"))?;
+
+        let response = transport
+            .recv()
+            .await
+            .map_err(|_| Error::other("failed to receive evm sign transaction response"))?;
+
+        if response.request_id != Some(request_id) {
+            return Err(Error::other(
+                "received mismatched response id for evm sign transaction",
+            ));
+        }
+
+        let payload = response
+            .payload
+            .ok_or_else(|| Error::other("missing evm sign transaction response payload"))?;
+
+        let ClientResponsePayload::EvmSignTransaction(response) = payload else {
+            return Err(Error::other(
+                "unexpected response payload for evm sign transaction request",
+            ));
+        };
+
+        let result = response
+            .result
+            .ok_or_else(|| Error::other("missing evm sign transaction result"))?;
+
+        match result {
+            EvmSignTransactionResult::Signature(signature) => {
+                Signature::try_from(signature.as_slice())
+                    .map_err(|_| Error::other("invalid signature returned by server"))
+            }
+            EvmSignTransactionResult::EvalError(eval_error) => Err(Error::other(format!(
+                "transaction rejected by policy: {eval_error:?}"
+            ))),
+            EvmSignTransactionResult::Error(code) => Err(Error::other(format!(
+                "server failed to sign transaction with error code {code}"
+            ))),
+        }
     }
 }
diff --git a/server/crates/arbiter-server/src/actors/client/auth.rs b/server/crates/arbiter-server/src/actors/client/auth.rs
index d957da8..bcf85d2 100644
--- a/server/crates/arbiter-server/src/actors/client/auth.rs
+++ b/server/crates/arbiter-server/src/actors/client/auth.rs
@@ -54,10 +54,19 @@ pub enum Outbound {
     AuthSuccess,
 }
 
+#[derive(Debug, Clone)]
+pub struct AuthenticatedClient {
+    pub pubkey: VerifyingKey,
+    pub client_id: i32,
+}
+
 /// Atomically reads and increments the nonce for a known client.
 /// Returns `None` if the pubkey is not registered.
-async fn get_nonce(db: &db::DatabasePool, pubkey: &VerifyingKey) -> Result<Option<i32>, Error> {
-    let pubkey_bytes = pubkey.as_bytes().to_vec();
+async fn get_nonce(
+    db: &db::DatabasePool,
+    pubkey: &VerifyingKey,
+) -> Result<Option<(/* client_id */ i32, /* nonce */ i32)>, Error> {
+    let pubkey_bytes = pubkey.as_bytes();
 
     let mut conn = db.get().await.map_err(|e| {
         error!(error = ?e, "Database pool error");
@@ -65,7 +74,6 @@ async fn get_nonce(db: &db::DatabasePool, pubkey: &VerifyingKey) -> Result<Optio
     })?;
 
     conn.exclusive_transaction(|conn| {
-        let pubkey_bytes = pubkey_bytes.clone();
         Box::pin(async move {
             let Some((client_id, current_nonce)) = program_client::table
                 .filter(program_client::public_key.eq(&pubkey_bytes))
@@ -83,8 +91,7 @@ async fn get_nonce(db: &db::DatabasePool, pubkey: &VerifyingKey) -> Result<Optio
                 .execute(conn)
                 .await?;
 
-            let _ = client_id;
-            Ok(Some(current_nonce))
+            Ok(Some((client_id, current_nonce)))
         })
     })
     .await
@@ -213,23 +220,25 @@ where
 pub async fn authenticate<T>(
     props: &mut ClientConnection,
     transport: &mut T,
-) -> Result<VerifyingKey, Error>
+) -> Result<AuthenticatedClient, Error>
 where
     T: Bi<Inbound, Result<Outbound, Error>> + Send + ?Sized,
 {
-    let Some(Inbound::AuthChallengeRequest { pubkey }) = transport.recv().await
-    else {
+    let Some(Inbound::AuthChallengeRequest { pubkey }) = transport.recv().await else {
         return Err(Error::Transport);
     };
 
-    let nonce = match get_nonce(&props.db, &pubkey).await? {
-        Some(nonce) => nonce,
+    let (client_id, nonce) = match get_nonce(&props.db, &pubkey).await? {
+        Some(client_nonce) => client_nonce,
         None => {
             approve_new_client(&props.actors, pubkey).await?;
             match insert_client(&props.db, &pubkey).await? {
-                InsertClientResult::Inserted => 0,
+                InsertClientResult::Inserted => match get_nonce(&props.db, &pubkey).await? {
+                    Some((client_id, _)) => (client_id, 0),
+                    None => return Err(Error::DatabaseOperationFailed),
+                },
                 InsertClientResult::AlreadyExists => match get_nonce(&props.db, &pubkey).await? {
-                    Some(nonce) => nonce,
+                    Some((client_id, nonce)) => (client_id, nonce),
                     None => return Err(Error::DatabaseOperationFailed),
                 },
             }
@@ -245,5 +254,5 @@ where
             Error::Transport
         })?;
 
-    Ok(pubkey)
+    Ok(AuthenticatedClient { pubkey, client_id })
 }
diff --git a/server/crates/arbiter-server/src/actors/client/mod.rs b/server/crates/arbiter-server/src/actors/client/mod.rs
index 3fae866..cf69ba7 100644
--- a/server/crates/arbiter-server/src/actors/client/mod.rs
+++ b/server/crates/arbiter-server/src/actors/client/mod.rs
@@ -10,11 +10,16 @@ use crate::{
 pub struct ClientConnection {
     pub(crate) db: db::DatabasePool,
     pub(crate) actors: GlobalActors,
+    pub(crate) client_id: i32,
 }
 
 impl ClientConnection {
     pub fn new(db: db::DatabasePool, actors: GlobalActors) -> Self {
-        Self { db, actors }
+        Self {
+            db,
+            actors,
+            client_id: 0,
+        }
     }
 }
 
@@ -26,7 +31,8 @@ where
     T: Bi<auth::Inbound, Result<auth::Outbound, auth::Error>> + Send + ?Sized,
 {
     match auth::authenticate(&mut props, transport).await {
-        Ok(_pubkey) => {
+        Ok(authenticated) => {
+            props.client_id = authenticated.client_id;
             ClientSession::spawn(ClientSession::new(props));
             info!("Client authenticated, session started");
         }
diff --git a/server/crates/arbiter-server/src/actors/client/session.rs b/server/crates/arbiter-server/src/actors/client/session.rs
index 93f2c6e..155c37d 100644
--- a/server/crates/arbiter-server/src/actors/client/session.rs
+++ b/server/crates/arbiter-server/src/actors/client/session.rs
@@ -1,11 +1,18 @@
 use kameo::{Actor, messages};
 use tracing::error;
 
+use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
+
 use crate::{
     actors::{
-        GlobalActors, client::ClientConnection, keyholder::KeyHolderState, router::RegisterClient,
+        GlobalActors,
+        client::ClientConnection,
+        evm::{ClientSignTransaction, SignTransactionError},
+        keyholder::KeyHolderState,
+        router::RegisterClient,
     },
     db,
+    evm::VetError,
 };
 
 pub struct ClientSession {
@@ -34,6 +41,34 @@ impl ClientSession {
 
         Ok(vault_state)
     }
+
+    #[message]
+    pub(crate) async fn handle_sign_transaction(
+        &mut self,
+        wallet_address: Address,
+        transaction: TxEip1559,
+    ) -> Result<Signature, SignTransactionRpcError> {
+        match self
+            .props
+            .actors
+            .evm
+            .ask(ClientSignTransaction {
+                client_id: self.props.client_id,
+                wallet_address,
+                transaction,
+            })
+            .await
+        {
+            Ok(signature) => Ok(signature),
+            Err(kameo::error::SendError::HandlerError(SignTransactionError::Vet(vet_error))) => {
+                Err(SignTransactionRpcError::Vet(vet_error))
+            }
+            Err(err) => {
+                error!(?err, "Failed to sign EVM transaction in client session");
+                Err(SignTransactionRpcError::Internal)
+            }
+        }
+    }
 }
 
 impl Actor for ClientSession {
@@ -69,3 +104,12 @@ pub enum Error {
     #[error("Internal error")]
     Internal,
 }
+
+#[derive(Debug, thiserror::Error)]
+pub enum SignTransactionRpcError {
+    #[error("Policy evaluation failed")]
+    Vet(#[from] VetError),
+
+    #[error("Internal error")]
+    Internal,
+}
diff --git a/server/crates/arbiter-server/src/actors/user_agent/session.rs b/server/crates/arbiter-server/src/actors/user_agent/session.rs
index b13bfd9..e719b18 100644
--- a/server/crates/arbiter-server/src/actors/user_agent/session.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session.rs
@@ -36,7 +36,10 @@ impl Error {
 pub struct UserAgentSession {
     props: UserAgentConnection,
     state: UserAgentStateMachine<DummyContext>,
-    #[allow(dead_code, reason = "The session keeps ownership of the outbound transport even before the state-machine flow starts using it directly")]
+    #[allow(
+        dead_code,
+        reason = "The session keeps ownership of the outbound transport even before the state-machine flow starts using it directly"
+    )]
     sender: Box<dyn Sender<OutOfBand>>,
 }
 
@@ -44,8 +47,11 @@ mod connection;
 pub(crate) use connection::{
     BootstrapError, HandleBootstrapEncryptedKey, HandleEvmWalletCreate, HandleEvmWalletList,
     HandleGrantCreate, HandleGrantDelete, HandleGrantList, HandleQueryVaultState,
+    HandleSignTransaction,
+};
+pub use connection::{
+    HandleUnsealEncryptedKey, HandleUnsealRequest, SignTransactionError, UnsealError,
 };
-pub use connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError};
 
 impl UserAgentSession {
     pub(crate) fn new(props: UserAgentConnection, sender: Box<dyn Sender<OutOfBand>>) -> Self {
diff --git a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
index 44b47c3..49de59a 100644
--- a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
@@ -1,6 +1,6 @@
 use std::sync::Mutex;
 
-use alloy::primitives::Address;
+use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use kameo::error::SendError;
 use kameo::messages;
@@ -14,13 +14,14 @@ use crate::safe_cell::SafeCell;
 use crate::{
     actors::{
         evm::{
-            Generate, ListWallets, UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
+            ClientSignTransaction, Generate, ListWallets, SignTransactionError as EvmSignError,
+            UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
         },
         keyholder::{self, Bootstrap, TryUnseal},
         user_agent::session::{
-                UserAgentSession,
-                state::{UnsealContext, UserAgentEvents, UserAgentStates},
-            },
+            UserAgentSession,
+            state::{UnsealContext, UserAgentEvents, UserAgentStates},
+        },
     },
     safe_cell::SafeCellHandle as _,
 };
@@ -103,6 +104,15 @@ pub enum BootstrapError {
     General(#[from] super::Error),
 }
 
+#[derive(Debug, Error)]
+pub enum SignTransactionError {
+    #[error("Policy evaluation failed")]
+    Vet(#[from] crate::evm::VetError),
+
+    #[error("Internal signing error")]
+    Internal,
+}
+
 #[messages]
 impl UserAgentSession {
     #[message]
@@ -351,4 +361,33 @@ impl UserAgentSession {
             }
         }
     }
+
+    #[message]
+    pub(crate) async fn handle_sign_transaction(
+        &mut self,
+        client_id: i32,
+        wallet_address: Address,
+        transaction: TxEip1559,
+    ) -> Result<Signature, SignTransactionError> {
+        match self
+            .props
+            .actors
+            .evm
+            .ask(ClientSignTransaction {
+                client_id,
+                wallet_address,
+                transaction,
+            })
+            .await
+        {
+            Ok(signature) => Ok(signature),
+            Err(SendError::HandlerError(EvmSignError::Vet(vet_error))) => {
+                Err(SignTransactionError::Vet(vet_error))
+            }
+            Err(err) => {
+                error!(?err, "EVM sign transaction failed in user-agent session");
+                Err(SignTransactionError::Internal)
+            }
+        }
+    }
 }
diff --git a/server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs b/server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs
index e77d994..2c43d05 100644
--- a/server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs
+++ b/server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs
@@ -36,8 +36,8 @@ use super::{DatabaseID, EvalContext, EvalViolation};
 // Plain ether transfer
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct Meaning {
-    to: Address,
-    value: U256,
+    pub(crate) to: Address,
+    pub(crate) value: U256,
 }
 impl Display for Meaning {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
diff --git a/server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs b/server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs
index 34378ed..21799ea 100644
--- a/server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs
+++ b/server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs
@@ -38,9 +38,9 @@ fn grant_join() -> _ {
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct Meaning {
-    token: &'static TokenInfo,
-    to: Address,
-    value: U256,
+    pub(crate) token: &'static TokenInfo,
+    pub(crate) to: Address,
+    pub(crate) value: U256,
 }
 impl std::fmt::Display for Meaning {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
diff --git a/server/crates/arbiter-server/src/grpc/client.rs b/server/crates/arbiter-server/src/grpc/client.rs
index 2fb1d24..f384092 100644
--- a/server/crates/arbiter-server/src/grpc/client.rs
+++ b/server/crates/arbiter-server/src/grpc/client.rs
@@ -1,4 +1,5 @@
 use arbiter_proto::{
+    google::protobuf::Empty as ProtoEmpty,
     proto::client::{
         ClientRequest, ClientResponse, VaultState as ProtoVaultState,
         client_request::Payload as ClientRequestPayload,
@@ -17,16 +18,135 @@ use crate::{
     actors::{
         client::{
             self, ClientConnection,
-            session::{ClientSession, Error, HandleQueryVaultState},
+            session::{
+                ClientSession, Error, HandleQueryVaultState, HandleSignTransaction,
+                SignTransactionRpcError,
+            },
         },
         keyholder::KeyHolderState,
     },
+    evm::{PolicyError, VetError, policies::EvalViolation},
     grpc::request_tracker::RequestTracker,
     utils::defer,
 };
 
+use alloy::{
+    consensus::TxEip1559,
+    primitives::{Address, U256},
+    rlp::Decodable,
+};
+use arbiter_proto::proto::evm::{
+    EvmError as ProtoEvmError, EvmSignTransactionResponse, EvalViolation as ProtoEvalViolation,
+    GasLimitExceededViolation, NoMatchingGrantError, PolicyViolationsError,
+    SpecificMeaning as ProtoSpecificMeaning, TokenInfo as ProtoTokenInfo,
+    TransactionEvalError,
+    evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    eval_violation::Kind as ProtoEvalViolationKind,
+    specific_meaning::Meaning as ProtoSpecificMeaningKind,
+    transaction_eval_error::Kind as ProtoTransactionEvalErrorKind,
+};
+
 mod auth;
 
+fn u256_to_proto_bytes(value: U256) -> Vec<u8> {
+    value.to_be_bytes::<32>().to_vec()
+}
+
+fn meaning_to_proto(meaning: crate::evm::policies::SpecificMeaning) -> ProtoSpecificMeaning {
+    let kind = match meaning {
+        crate::evm::policies::SpecificMeaning::EtherTransfer(meaning) => {
+            ProtoSpecificMeaningKind::EtherTransfer(arbiter_proto::proto::evm::EtherTransferMeaning {
+                to: meaning.to.to_vec(),
+                value: u256_to_proto_bytes(meaning.value),
+            })
+        }
+        crate::evm::policies::SpecificMeaning::TokenTransfer(meaning) => {
+            ProtoSpecificMeaningKind::TokenTransfer(arbiter_proto::proto::evm::TokenTransferMeaning {
+                token: Some(ProtoTokenInfo {
+                    symbol: meaning.token.symbol.to_string(),
+                    address: meaning.token.contract.to_vec(),
+                    chain_id: meaning.token.chain,
+                }),
+                to: meaning.to.to_vec(),
+                value: u256_to_proto_bytes(meaning.value),
+            })
+        }
+    };
+
+    ProtoSpecificMeaning {
+        meaning: Some(kind),
+    }
+}
+
+fn violation_to_proto(violation: EvalViolation) -> ProtoEvalViolation {
+    let kind = match violation {
+        EvalViolation::InvalidTarget { target } => ProtoEvalViolationKind::InvalidTarget(target.to_vec()),
+        EvalViolation::GasLimitExceeded {
+            max_gas_fee_per_gas,
+            max_priority_fee_per_gas,
+        } => ProtoEvalViolationKind::GasLimitExceeded(GasLimitExceededViolation {
+            max_gas_fee_per_gas: max_gas_fee_per_gas.map(u256_to_proto_bytes),
+            max_priority_fee_per_gas: max_priority_fee_per_gas.map(u256_to_proto_bytes),
+        }),
+        EvalViolation::RateLimitExceeded => ProtoEvalViolationKind::RateLimitExceeded(ProtoEmpty {}),
+        EvalViolation::VolumetricLimitExceeded => {
+            ProtoEvalViolationKind::VolumetricLimitExceeded(ProtoEmpty {})
+        }
+        EvalViolation::InvalidTime => ProtoEvalViolationKind::InvalidTime(ProtoEmpty {}),
+        EvalViolation::InvalidTransactionType => {
+            ProtoEvalViolationKind::InvalidTransactionType(ProtoEmpty {})
+        }
+    };
+
+    ProtoEvalViolation { kind: Some(kind) }
+}
+
+fn eval_error_to_proto(err: VetError) -> Option<TransactionEvalError> {
+    let kind = match err {
+        VetError::ContractCreationNotSupported => {
+            ProtoTransactionEvalErrorKind::ContractCreationNotSupported(ProtoEmpty {})
+        }
+        VetError::UnsupportedTransactionType => {
+            ProtoTransactionEvalErrorKind::UnsupportedTransactionType(ProtoEmpty {})
+        }
+        VetError::Evaluated(meaning, policy_error) => match policy_error {
+            PolicyError::NoMatchingGrant => {
+                ProtoTransactionEvalErrorKind::NoMatchingGrant(NoMatchingGrantError {
+                    meaning: Some(meaning_to_proto(meaning)),
+                })
+            }
+            PolicyError::Violations(violations) => {
+                ProtoTransactionEvalErrorKind::PolicyViolations(PolicyViolationsError {
+                    meaning: Some(meaning_to_proto(meaning)),
+                    violations: violations.into_iter().map(violation_to_proto).collect(),
+                })
+            }
+            PolicyError::Pool(_) | PolicyError::Database(_) => {
+                return None;
+            }
+        },
+    };
+
+    Some(TransactionEvalError { kind: Some(kind) })
+}
+
+fn decode_eip1559_transaction(payload: &[u8]) -> Result<TxEip1559, ()> {
+    let mut body = payload;
+    if let Some((prefix, rest)) = payload.split_first()
+        && *prefix == 0x02
+    {
+        body = rest;
+    }
+
+    let mut cursor = body;
+    let transaction = TxEip1559::decode(&mut cursor).map_err(|_| ())?;
+    if !cursor.is_empty() {
+        return Err(());
+    }
+
+    Ok(transaction)
+}
+
 async fn dispatch_loop(
     mut bi: GrpcBi<ClientRequest, ClientResponse>,
     actor: ActorRef<ClientSession>,
@@ -90,6 +210,64 @@ async fn dispatch_conn_message(
             }
             .into(),
         ),
+        ClientRequestPayload::EvmSignTransaction(request) => {
+            let wallet_address = match <[u8; 20]>::try_from(request.wallet_address.as_slice()) {
+                Ok(address) => Address::from(address),
+                Err(_) => {
+                    let _ = bi
+                        .send(Err(Status::invalid_argument("Invalid EVM wallet address")))
+                        .await;
+                    return Err(());
+                }
+            };
+
+            let transaction = match decode_eip1559_transaction(&request.rlp_transaction) {
+                Ok(transaction) => transaction,
+                Err(()) => {
+                    let _ = bi
+                        .send(Err(Status::invalid_argument(
+                            "Invalid EIP-1559 RLP transaction",
+                        )))
+                        .await;
+                    return Err(());
+                }
+            };
+
+            let response = match actor
+                .ask(HandleSignTransaction {
+                    wallet_address,
+                    transaction,
+                })
+                .await
+            {
+                Ok(signature) => EvmSignTransactionResponse {
+                    result: Some(EvmSignTransactionResult::Signature(signature.as_bytes().to_vec())),
+                },
+                Err(kameo::error::SendError::HandlerError(SignTransactionRpcError::Vet(vet_error))) => {
+                    match eval_error_to_proto(vet_error) {
+                        Some(eval_error) => EvmSignTransactionResponse {
+                            result: Some(EvmSignTransactionResult::EvalError(eval_error)),
+                        },
+                        None => EvmSignTransactionResponse {
+                            result: Some(EvmSignTransactionResult::Error(ProtoEvmError::Internal.into())),
+                        },
+                    }
+                }
+                Err(kameo::error::SendError::HandlerError(SignTransactionRpcError::Internal)) => {
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(ProtoEvmError::Internal.into())),
+                    }
+                }
+                Err(err) => {
+                    warn!(error = ?err, "Failed to sign EVM transaction");
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(ProtoEvmError::Internal.into())),
+                    }
+                }
+            };
+
+            ClientResponsePayload::EvmSignTransaction(response)
+        }
         payload => {
             warn!(?payload, "Unsupported post-auth client request");
             let _ = bi
diff --git a/server/crates/arbiter-server/src/grpc/client/auth.rs b/server/crates/arbiter-server/src/grpc/client/auth.rs
index 49d8d55..8427efe 100644
--- a/server/crates/arbiter-server/src/grpc/client/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/client/auth.rs
@@ -151,7 +151,9 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
             _ => {
                 let _ = self
                     .bi
-                    .send(Err(Status::invalid_argument("Unsupported client auth request")))
+                    .send(Err(Status::invalid_argument(
+                        "Unsupported client auth request",
+                    )))
                     .await;
                 None
             }
@@ -168,6 +170,7 @@ pub async fn start(
     response_id: &mut Option<i32>,
 ) -> Result<(), auth::Error> {
     let mut transport = AuthTransportAdapter::new(bi, request_tracker, response_id);
-    client::auth::authenticate(conn, &mut transport).await?;
+    let authenticated = client::auth::authenticate(conn, &mut transport).await?;
+    conn.client_id = authenticated.client_id;
     Ok(())
 }
diff --git a/server/crates/arbiter-server/src/grpc/user_agent.rs b/server/crates/arbiter-server/src/grpc/user_agent.rs
index 674471c..81cc863 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent.rs
@@ -4,17 +4,24 @@ use arbiter_proto::{
     google::protobuf::{Empty as ProtoEmpty, Timestamp as ProtoTimestamp},
     proto::{
         evm::{
-            EtherTransferSettings as ProtoEtherTransferSettings, EvmError as ProtoEvmError,
-            EvmGrantCreateRequest, EvmGrantCreateResponse, EvmGrantDeleteRequest,
-            EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse, GrantEntry,
+            EtherTransferSettings as ProtoEtherTransferSettings,
+            EvalViolation as ProtoEvalViolation, EvmError as ProtoEvmError, EvmGrantCreateRequest,
+            EvmGrantCreateResponse, EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList,
+            EvmGrantListResponse, EvmSignTransactionResponse, GasLimitExceededViolation,
+            GrantEntry, NoMatchingGrantError, PolicyViolationsError,
             SharedSettings as ProtoSharedSettings, SpecificGrant as ProtoSpecificGrant,
-            TokenTransferSettings as ProtoTokenTransferSettings,
+            SpecificMeaning as ProtoSpecificMeaning, TokenInfo as ProtoTokenInfo,
+            TokenTransferSettings as ProtoTokenTransferSettings, TransactionEvalError,
             TransactionRateLimit as ProtoTransactionRateLimit,
             VolumeRateLimit as ProtoVolumeRateLimit, WalletCreateResponse, WalletEntry, WalletList,
-            WalletListResponse, evm_grant_create_response::Result as EvmGrantCreateResult,
+            WalletListResponse, eval_violation::Kind as ProtoEvalViolationKind,
+            evm_grant_create_response::Result as EvmGrantCreateResult,
             evm_grant_delete_response::Result as EvmGrantDeleteResult,
             evm_grant_list_response::Result as EvmGrantListResult,
+            evm_sign_transaction_response::Result as EvmSignTransactionResult,
             specific_grant::Grant as ProtoSpecificGrantType,
+            specific_meaning::Meaning as ProtoSpecificMeaningKind,
+            transaction_eval_error::Kind as ProtoTransactionEvalErrorKind,
             wallet_create_response::Result as WalletCreateResult,
             wallet_list_response::Result as WalletListResult,
         },
@@ -23,8 +30,8 @@ use arbiter_proto::{
             BootstrapResult as ProtoBootstrapResult,
             SdkClientConnectionResponse as ProtoSdkClientConnectionResponse,
             UnsealEncryptedKey as ProtoUnsealEncryptedKey, UnsealResult as ProtoUnsealResult,
-            UnsealStart, UserAgentRequest, UserAgentResponse, VaultState as ProtoVaultState,
-            user_agent_request::Payload as UserAgentRequestPayload,
+            UnsealStart, UserAgentEvmSignTransactionRequest, UserAgentRequest, UserAgentResponse,
+            VaultState as ProtoVaultState, user_agent_request::Payload as UserAgentRequestPayload,
             user_agent_response::Payload as UserAgentResponsePayload,
         },
     },
@@ -47,7 +54,9 @@ use crate::{
             session::{
                 BootstrapError, Error, HandleBootstrapEncryptedKey, HandleEvmWalletCreate,
                 HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete, HandleGrantList,
-                HandleQueryVaultState, HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
+                HandleQueryVaultState, HandleSignTransaction, HandleUnsealEncryptedKey,
+                HandleUnsealRequest, SignTransactionError as SessionSignTransactionError,
+                UnsealError,
             },
         },
     },
@@ -55,12 +64,124 @@ use crate::{
         Grant, SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit,
         ether_transfer, token_transfers,
     },
+    evm::{PolicyError, VetError, policies::EvalViolation},
     grpc::request_tracker::RequestTracker,
     utils::defer,
 };
-use alloy::primitives::{Address, U256};
+use alloy::{
+    consensus::TxEip1559,
+    primitives::{Address, U256},
+    rlp::Decodable,
+};
 mod auth;
 
+fn u256_to_proto_bytes(value: U256) -> Vec<u8> {
+    value.to_be_bytes::<32>().to_vec()
+}
+
+fn meaning_to_proto(meaning: crate::evm::policies::SpecificMeaning) -> ProtoSpecificMeaning {
+    let kind = match meaning {
+        crate::evm::policies::SpecificMeaning::EtherTransfer(meaning) => {
+            ProtoSpecificMeaningKind::EtherTransfer(
+                arbiter_proto::proto::evm::EtherTransferMeaning {
+                    to: meaning.to.to_vec(),
+                    value: u256_to_proto_bytes(meaning.value),
+                },
+            )
+        }
+        crate::evm::policies::SpecificMeaning::TokenTransfer(meaning) => {
+            ProtoSpecificMeaningKind::TokenTransfer(
+                arbiter_proto::proto::evm::TokenTransferMeaning {
+                    token: Some(ProtoTokenInfo {
+                        symbol: meaning.token.symbol.to_string(),
+                        address: meaning.token.contract.to_vec(),
+                        chain_id: meaning.token.chain,
+                    }),
+                    to: meaning.to.to_vec(),
+                    value: u256_to_proto_bytes(meaning.value),
+                },
+            )
+        }
+    };
+
+    ProtoSpecificMeaning {
+        meaning: Some(kind),
+    }
+}
+
+fn violation_to_proto(violation: EvalViolation) -> ProtoEvalViolation {
+    let kind = match violation {
+        EvalViolation::InvalidTarget { target } => {
+            ProtoEvalViolationKind::InvalidTarget(target.to_vec())
+        }
+        EvalViolation::GasLimitExceeded {
+            max_gas_fee_per_gas,
+            max_priority_fee_per_gas,
+        } => ProtoEvalViolationKind::GasLimitExceeded(GasLimitExceededViolation {
+            max_gas_fee_per_gas: max_gas_fee_per_gas.map(u256_to_proto_bytes),
+            max_priority_fee_per_gas: max_priority_fee_per_gas.map(u256_to_proto_bytes),
+        }),
+        EvalViolation::RateLimitExceeded => {
+            ProtoEvalViolationKind::RateLimitExceeded(ProtoEmpty {})
+        }
+        EvalViolation::VolumetricLimitExceeded => {
+            ProtoEvalViolationKind::VolumetricLimitExceeded(ProtoEmpty {})
+        }
+        EvalViolation::InvalidTime => ProtoEvalViolationKind::InvalidTime(ProtoEmpty {}),
+        EvalViolation::InvalidTransactionType => {
+            ProtoEvalViolationKind::InvalidTransactionType(ProtoEmpty {})
+        }
+    };
+
+    ProtoEvalViolation { kind: Some(kind) }
+}
+
+fn eval_error_to_proto(err: VetError) -> Option<TransactionEvalError> {
+    let kind = match err {
+        VetError::ContractCreationNotSupported => {
+            ProtoTransactionEvalErrorKind::ContractCreationNotSupported(ProtoEmpty {})
+        }
+        VetError::UnsupportedTransactionType => {
+            ProtoTransactionEvalErrorKind::UnsupportedTransactionType(ProtoEmpty {})
+        }
+        VetError::Evaluated(meaning, policy_error) => match policy_error {
+            PolicyError::NoMatchingGrant => {
+                ProtoTransactionEvalErrorKind::NoMatchingGrant(NoMatchingGrantError {
+                    meaning: Some(meaning_to_proto(meaning)),
+                })
+            }
+            PolicyError::Violations(violations) => {
+                ProtoTransactionEvalErrorKind::PolicyViolations(PolicyViolationsError {
+                    meaning: Some(meaning_to_proto(meaning)),
+                    violations: violations.into_iter().map(violation_to_proto).collect(),
+                })
+            }
+            PolicyError::Pool(_) | PolicyError::Database(_) => {
+                return None;
+            }
+        },
+    };
+
+    Some(TransactionEvalError { kind: Some(kind) })
+}
+
+fn decode_eip1559_transaction(payload: &[u8]) -> Result<TxEip1559, ()> {
+    let mut body = payload;
+    if let Some((prefix, rest)) = payload.split_first()
+        && *prefix == 0x02
+    {
+        body = rest;
+    }
+
+    let mut cursor = body;
+    let transaction = TxEip1559::decode(&mut cursor).map_err(|_| ())?;
+    if !cursor.is_empty() {
+        return Err(());
+    }
+
+    Ok(transaction)
+}
+
 pub struct OutOfBandAdapter(mpsc::Sender<OutOfBand>);
 
 #[async_trait]
@@ -271,6 +392,92 @@ async fn dispatch_conn_message(
                 actor.ask(HandleGrantDelete { grant_id }).await,
             ))
         }
+        UserAgentRequestPayload::EvmSignTransaction(UserAgentEvmSignTransactionRequest {
+            client_id,
+            request,
+        }) => {
+            if client_id <= 0 {
+                let _ = bi
+                    .send(Err(Status::invalid_argument("Invalid SDK client id")))
+                    .await;
+                return Err(());
+            }
+
+            let Some(request) = request else {
+                let _ = bi
+                    .send(Err(Status::invalid_argument(
+                        "Missing EVM sign transaction payload",
+                    )))
+                    .await;
+                return Err(());
+            };
+
+            let wallet_address = match <[u8; 20]>::try_from(request.wallet_address.as_slice()) {
+                Ok(address) => Address::from(address),
+                Err(_) => {
+                    let _ = bi
+                        .send(Err(Status::invalid_argument("Invalid EVM wallet address")))
+                        .await;
+                    return Err(());
+                }
+            };
+
+            let transaction = match decode_eip1559_transaction(&request.rlp_transaction) {
+                Ok(transaction) => transaction,
+                Err(()) => {
+                    let _ = bi
+                        .send(Err(Status::invalid_argument(
+                            "Invalid EIP-1559 RLP transaction",
+                        )))
+                        .await;
+                    return Err(());
+                }
+            };
+
+            let response = match actor
+                .ask(HandleSignTransaction {
+                    client_id,
+                    wallet_address,
+                    transaction,
+                })
+                .await
+            {
+                Ok(signature) => EvmSignTransactionResponse {
+                    result: Some(EvmSignTransactionResult::Signature(
+                        signature.as_bytes().to_vec(),
+                    )),
+                },
+                Err(SendError::HandlerError(SessionSignTransactionError::Vet(vet_error))) => {
+                    match eval_error_to_proto(vet_error) {
+                        Some(eval_error) => EvmSignTransactionResponse {
+                            result: Some(EvmSignTransactionResult::EvalError(eval_error)),
+                        },
+                        None => EvmSignTransactionResponse {
+                            result: Some(EvmSignTransactionResult::Error(
+                                ProtoEvmError::Internal.into(),
+                            )),
+                        },
+                    }
+                }
+                Err(SendError::HandlerError(SessionSignTransactionError::Internal)) => {
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
+                        )),
+                    }
+                }
+                Err(err) => {
+                    warn!(error = ?err, "Failed to sign EVM transaction via user-agent");
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
+                        )),
+                    }
+                }
+            };
+
+            UserAgentResponsePayload::EvmSignTransaction(response)
+        }
         payload => {
             warn!(?payload, "Unsupported post-auth user agent request");
             let _ = bi

From 7f8b9cc63ec6e6711e6d828f714f688a89e59e7c Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Wed, 25 Mar 2026 11:52:10 +0100
Subject: [PATCH 02/29] feat(useragent): vibe-coded access list

---
 .../connection/evm/wallet_access.dart         |  58 ++++
 .../lib/providers/sdk_clients/details.dart    |  19 ++
 .../lib/providers/sdk_clients/details.g.dart  |  85 ++++++
 .../providers/sdk_clients/wallet_access.dart  | 181 ++++++++++--
 .../sdk_clients/wallet_access.g.dart          | 261 ++++++++++++++++--
 useragent/lib/router.dart                     |   1 +
 useragent/lib/router.gr.dart                  | 174 ++++++++----
 .../clients/details/client_details.dart       |  56 ++++
 .../widgets/client_details_content.dart       |  55 ++++
 .../widgets/client_details_header.dart        |  23 ++
 .../widgets/client_details_state_panel.dart   |  45 +++
 .../details/widgets/client_summary_card.dart  |  82 ++++++
 .../details/widgets/wallet_access_list.dart   |  33 +++
 .../widgets/wallet_access_save_bar.dart       |  60 ++++
 .../widgets/wallet_access_search_field.dart   |  24 ++
 .../widgets/wallet_access_section.dart        | 176 ++++++++++++
 .../details/widgets/wallet_access_tile.dart   |  28 ++
 .../lib/screens/dashboard/clients/table.dart  |  28 +-
 .../details/client_details_screen_test.dart   |  69 +++++
 .../client_wallet_access_controller_test.dart | 105 +++++++
 20 files changed, 1462 insertions(+), 101 deletions(-)
 create mode 100644 useragent/lib/features/connection/evm/wallet_access.dart
 create mode 100644 useragent/lib/providers/sdk_clients/details.dart
 create mode 100644 useragent/lib/providers/sdk_clients/details.g.dart
 create mode 100644 useragent/lib/screens/dashboard/clients/details/client_details.dart
 create mode 100644 useragent/lib/screens/dashboard/clients/details/widgets/client_details_content.dart
 create mode 100644 useragent/lib/screens/dashboard/clients/details/widgets/client_details_header.dart
 create mode 100644 useragent/lib/screens/dashboard/clients/details/widgets/client_details_state_panel.dart
 create mode 100644 useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart
 create mode 100644 useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_list.dart
 create mode 100644 useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_save_bar.dart
 create mode 100644 useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_search_field.dart
 create mode 100644 useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_section.dart
 create mode 100644 useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_tile.dart
 create mode 100644 useragent/test/screens/dashboard/clients/details/client_details_screen_test.dart
 create mode 100644 useragent/test/screens/dashboard/clients/details/client_wallet_access_controller_test.dart

diff --git a/useragent/lib/features/connection/evm/wallet_access.dart b/useragent/lib/features/connection/evm/wallet_access.dart
new file mode 100644
index 0000000..1876fbd
--- /dev/null
+++ b/useragent/lib/features/connection/evm/wallet_access.dart
@@ -0,0 +1,58 @@
+import 'package:arbiter/features/connection/connection.dart';
+import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart';
+
+Future<Set<int>> readClientWalletAccess(
+  Connection connection, {
+  required int clientId,
+}) async {
+  final response = await connection.ask(
+    UserAgentRequest(listWalletAccess: Empty()),
+  );
+  if (!response.hasListWalletAccessResponse()) {
+    throw Exception(
+      'Expected list wallet access response, got ${response.whichPayload()}',
+    );
+  }
+  return {
+    for (final access in response.listWalletAccessResponse.accesses)
+      if (access.clientId == clientId) access.walletId,
+  };
+}
+
+Future<void> writeClientWalletAccess(
+  Connection connection, {
+  required int clientId,
+  required Set<int> walletIds,
+}) async {
+  final current = await readClientWalletAccess(connection, clientId: clientId);
+
+  final toGrant = walletIds.difference(current);
+  final toRevoke = current.difference(walletIds);
+
+  if (toGrant.isNotEmpty) {
+    await connection.tell(
+      UserAgentRequest(
+        grantWalletAccess: SdkClientGrantWalletAccess(
+          accesses: [
+            for (final walletId in toGrant)
+              SdkClientWalletAccess(clientId: clientId, walletId: walletId),
+          ],
+        ),
+      ),
+    );
+  }
+
+  if (toRevoke.isNotEmpty) {
+    await connection.tell(
+      UserAgentRequest(
+        revokeWalletAccess: SdkClientRevokeWalletAccess(
+          accesses: [
+            for (final walletId in toRevoke)
+              SdkClientWalletAccess(clientId: clientId, walletId: walletId),
+          ],
+        ),
+      ),
+    );
+  }
+}
diff --git a/useragent/lib/providers/sdk_clients/details.dart b/useragent/lib/providers/sdk_clients/details.dart
new file mode 100644
index 0000000..1e1fb2b
--- /dev/null
+++ b/useragent/lib/providers/sdk_clients/details.dart
@@ -0,0 +1,19 @@
+import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/providers/sdk_clients/list.dart';
+import 'package:riverpod_annotation/riverpod_annotation.dart';
+
+part 'details.g.dart';
+
+@riverpod
+Future<SdkClientEntry?> clientDetails(Ref ref, int clientId) async {
+  final clients = await ref.watch(sdkClientsProvider.future);
+  if (clients == null) {
+    return null;
+  }
+  for (final client in clients) {
+    if (client.id == clientId) {
+      return client;
+    }
+  }
+  return null;
+}
diff --git a/useragent/lib/providers/sdk_clients/details.g.dart b/useragent/lib/providers/sdk_clients/details.g.dart
new file mode 100644
index 0000000..4f59df2
--- /dev/null
+++ b/useragent/lib/providers/sdk_clients/details.g.dart
@@ -0,0 +1,85 @@
+// GENERATED CODE - DO NOT MODIFY BY HAND
+
+part of 'details.dart';
+
+// **************************************************************************
+// RiverpodGenerator
+// **************************************************************************
+
+// GENERATED CODE - DO NOT MODIFY BY HAND
+// ignore_for_file: type=lint, type=warning
+
+@ProviderFor(clientDetails)
+final clientDetailsProvider = ClientDetailsFamily._();
+
+final class ClientDetailsProvider
+    extends
+        $FunctionalProvider<
+          AsyncValue<SdkClientEntry?>,
+          SdkClientEntry?,
+          FutureOr<SdkClientEntry?>
+        >
+    with $FutureModifier<SdkClientEntry?>, $FutureProvider<SdkClientEntry?> {
+  ClientDetailsProvider._({
+    required ClientDetailsFamily super.from,
+    required int super.argument,
+  }) : super(
+         retry: null,
+         name: r'clientDetailsProvider',
+         isAutoDispose: true,
+         dependencies: null,
+         $allTransitiveDependencies: null,
+       );
+
+  @override
+  String debugGetCreateSourceHash() => _$clientDetailsHash();
+
+  @override
+  String toString() {
+    return r'clientDetailsProvider'
+        ''
+        '($argument)';
+  }
+
+  @$internal
+  @override
+  $FutureProviderElement<SdkClientEntry?> $createElement(
+    $ProviderPointer pointer,
+  ) => $FutureProviderElement(pointer);
+
+  @override
+  FutureOr<SdkClientEntry?> create(Ref ref) {
+    final argument = this.argument as int;
+    return clientDetails(ref, argument);
+  }
+
+  @override
+  bool operator ==(Object other) {
+    return other is ClientDetailsProvider && other.argument == argument;
+  }
+
+  @override
+  int get hashCode {
+    return argument.hashCode;
+  }
+}
+
+String _$clientDetailsHash() => r'21449a1a2cc4fa4e65ce761e6342e97c1d957a7a';
+
+final class ClientDetailsFamily extends $Family
+    with $FunctionalFamilyOverride<FutureOr<SdkClientEntry?>, int> {
+  ClientDetailsFamily._()
+    : super(
+        retry: null,
+        name: r'clientDetailsProvider',
+        dependencies: null,
+        $allTransitiveDependencies: null,
+        isAutoDispose: true,
+      );
+
+  ClientDetailsProvider call(int clientId) =>
+      ClientDetailsProvider._(argument: clientId, from: this);
+
+  @override
+  String toString() => r'clientDetailsProvider';
+}
diff --git a/useragent/lib/providers/sdk_clients/wallet_access.dart b/useragent/lib/providers/sdk_clients/wallet_access.dart
index 1e0e1bc..faf4f95 100644
--- a/useragent/lib/providers/sdk_clients/wallet_access.dart
+++ b/useragent/lib/providers/sdk_clients/wallet_access.dart
@@ -1,25 +1,174 @@
-
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/features/connection/evm/wallet_access.dart';
+import 'package:arbiter/proto/evm.pb.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
-import 'package:mtcore/markettakers.dart';
-import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart';
+import 'package:arbiter/providers/evm/evm.dart';
+import 'package:flutter/foundation.dart';
+import 'package:hooks_riverpod/experimental/mutation.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 
 part 'wallet_access.g.dart';
 
-@riverpod
-Future<List<SdkClientWalletAccess>?> walletAccess(Ref ref) async {
-  final connection = await ref.watch(connectionManagerProvider.future);
-  if (connection == null) {
-    return null;
-  }
+class ClientWalletOption {
+  const ClientWalletOption({required this.walletId, required this.address});
 
-  final accesses = await connection.ask(UserAgentRequest(listWalletAccess: Empty()));
+  final int walletId;
+  final String address;
+}
 
-  if (accesses.hasListWalletAccessResponse()) {
-    return accesses.listWalletAccessResponse.accesses.toList();
-  } else {
-    talker.warning('Received unexpected response for listWalletAccess: $accesses');
-    return null;
+class ClientWalletAccessState {
+  const ClientWalletAccessState({
+    this.searchQuery = '',
+    this.originalWalletIds = const {},
+    this.selectedWalletIds = const {},
+  });
+
+  final String searchQuery;
+  final Set<int> originalWalletIds;
+  final Set<int> selectedWalletIds;
+
+  bool get hasChanges => !setEquals(originalWalletIds, selectedWalletIds);
+
+  ClientWalletAccessState copyWith({
+    String? searchQuery,
+    Set<int>? originalWalletIds,
+    Set<int>? selectedWalletIds,
+  }) {
+    return ClientWalletAccessState(
+      searchQuery: searchQuery ?? this.searchQuery,
+      originalWalletIds: originalWalletIds ?? this.originalWalletIds,
+      selectedWalletIds: selectedWalletIds ?? this.selectedWalletIds,
+    );
   }
 }
+
+final saveClientWalletAccessMutation = Mutation<void>();
+
+abstract class ClientWalletAccessRepository {
+  Future<Set<int>> fetchSelectedWalletIds(int clientId);
+  Future<void> saveSelectedWalletIds(int clientId, Set<int> walletIds);
+}
+
+class ServerClientWalletAccessRepository
+    implements ClientWalletAccessRepository {
+  ServerClientWalletAccessRepository(this.ref);
+
+  final Ref ref;
+
+  @override
+  Future<Set<int>> fetchSelectedWalletIds(int clientId) async {
+    final connection = await ref.read(connectionManagerProvider.future);
+    if (connection == null) {
+      throw Exception('Not connected to the server.');
+    }
+    return readClientWalletAccess(connection, clientId: clientId);
+  }
+
+  @override
+  Future<void> saveSelectedWalletIds(int clientId, Set<int> walletIds) async {
+    final connection = await ref.read(connectionManagerProvider.future);
+    if (connection == null) {
+      throw Exception('Not connected to the server.');
+    }
+    await writeClientWalletAccess(
+      connection,
+      clientId: clientId,
+      walletIds: walletIds,
+    );
+  }
+}
+
+@riverpod
+ClientWalletAccessRepository clientWalletAccessRepository(Ref ref) {
+  return ServerClientWalletAccessRepository(ref);
+}
+
+@riverpod
+Future<List<ClientWalletOption>> clientWalletOptions(Ref ref) async {
+  final wallets = await ref.watch(evmProvider.future) ?? const <WalletEntry>[];
+  return [
+    for (var index = 0; index < wallets.length; index++)
+      ClientWalletOption(
+        walletId: index + 1,
+        address: formatWalletAddress(wallets[index].address),
+      ),
+  ];
+}
+
+@riverpod
+Future<Set<int>> clientWalletAccessSelection(Ref ref, int clientId) async {
+  final repository = ref.watch(clientWalletAccessRepositoryProvider);
+  return repository.fetchSelectedWalletIds(clientId);
+}
+
+@riverpod
+class ClientWalletAccessController extends _$ClientWalletAccessController {
+  @override
+  ClientWalletAccessState build(int clientId) {
+    final selection = ref.read(clientWalletAccessSelectionProvider(clientId));
+
+    void sync(AsyncValue<Set<int>> value) {
+      value.when(data: hydrate, error: (_, _) {}, loading: () {});
+    }
+
+    ref.listen<AsyncValue<Set<int>>>(
+      clientWalletAccessSelectionProvider(clientId),
+      (_, next) => sync(next),
+    );
+    return selection.when(
+      data: (walletIds) => ClientWalletAccessState(
+        originalWalletIds: Set.of(walletIds),
+        selectedWalletIds: Set.of(walletIds),
+      ),
+      error: (error, _) => const ClientWalletAccessState(),
+      loading: () => const ClientWalletAccessState(),
+    );
+  }
+
+  void hydrate(Set<int> selectedWalletIds) {
+    state = state.copyWith(
+      originalWalletIds: Set.of(selectedWalletIds),
+      selectedWalletIds: Set.of(selectedWalletIds),
+    );
+  }
+
+  void setSearchQuery(String value) {
+    state = state.copyWith(searchQuery: value);
+  }
+
+  void toggleWallet(int walletId) {
+    final next = Set<int>.of(state.selectedWalletIds);
+    if (!next.add(walletId)) {
+      next.remove(walletId);
+    }
+    state = state.copyWith(selectedWalletIds: next);
+  }
+
+  void discardChanges() {
+    state = state.copyWith(selectedWalletIds: Set.of(state.originalWalletIds));
+  }
+}
+
+Future<void> executeSaveClientWalletAccess(
+  MutationTarget ref, {
+  required int clientId,
+}) {
+  final mutation = saveClientWalletAccessMutation(clientId);
+  return mutation.run(ref, (tsx) async {
+    final repository = tsx.get(clientWalletAccessRepositoryProvider);
+    final controller = tsx.get(
+      clientWalletAccessControllerProvider(clientId).notifier,
+    );
+    final selectedWalletIds = tsx
+        .get(clientWalletAccessControllerProvider(clientId))
+        .selectedWalletIds;
+    await repository.saveSelectedWalletIds(clientId, selectedWalletIds);
+    controller.hydrate(selectedWalletIds);
+  });
+}
+
+String formatWalletAddress(List<int> bytes) {
+  final hex = bytes
+      .map((byte) => byte.toRadixString(16).padLeft(2, '0'))
+      .join();
+  return '0x$hex';
+}
diff --git a/useragent/lib/providers/sdk_clients/wallet_access.g.dart b/useragent/lib/providers/sdk_clients/wallet_access.g.dart
index cb61d63..413ff16 100644
--- a/useragent/lib/providers/sdk_clients/wallet_access.g.dart
+++ b/useragent/lib/providers/sdk_clients/wallet_access.g.dart
@@ -9,43 +9,272 @@ part of 'wallet_access.dart';
 // GENERATED CODE - DO NOT MODIFY BY HAND
 // ignore_for_file: type=lint, type=warning
 
-@ProviderFor(walletAccess)
-final walletAccessProvider = WalletAccessProvider._();
+@ProviderFor(clientWalletAccessRepository)
+final clientWalletAccessRepositoryProvider =
+    ClientWalletAccessRepositoryProvider._();
 
-final class WalletAccessProvider
+final class ClientWalletAccessRepositoryProvider
     extends
         $FunctionalProvider<
-          AsyncValue<List<SdkClientWalletAccess>?>,
-          List<SdkClientWalletAccess>?,
-          FutureOr<List<SdkClientWalletAccess>?>
+          ClientWalletAccessRepository,
+          ClientWalletAccessRepository,
+          ClientWalletAccessRepository
         >
-    with
-        $FutureModifier<List<SdkClientWalletAccess>?>,
-        $FutureProvider<List<SdkClientWalletAccess>?> {
-  WalletAccessProvider._()
+    with $Provider<ClientWalletAccessRepository> {
+  ClientWalletAccessRepositoryProvider._()
     : super(
         from: null,
         argument: null,
         retry: null,
-        name: r'walletAccessProvider',
+        name: r'clientWalletAccessRepositoryProvider',
         isAutoDispose: true,
         dependencies: null,
         $allTransitiveDependencies: null,
       );
 
   @override
-  String debugGetCreateSourceHash() => _$walletAccessHash();
+  String debugGetCreateSourceHash() => _$clientWalletAccessRepositoryHash();
 
   @$internal
   @override
-  $FutureProviderElement<List<SdkClientWalletAccess>?> $createElement(
+  $ProviderElement<ClientWalletAccessRepository> $createElement(
+    $ProviderPointer pointer,
+  ) => $ProviderElement(pointer);
+
+  @override
+  ClientWalletAccessRepository create(Ref ref) {
+    return clientWalletAccessRepository(ref);
+  }
+
+  /// {@macro riverpod.override_with_value}
+  Override overrideWithValue(ClientWalletAccessRepository value) {
+    return $ProviderOverride(
+      origin: this,
+      providerOverride: $SyncValueProvider<ClientWalletAccessRepository>(value),
+    );
+  }
+}
+
+String _$clientWalletAccessRepositoryHash() =>
+    r'bbc332284bc36a8b5d807bd5c45362b6b12b19e7';
+
+@ProviderFor(clientWalletOptions)
+final clientWalletOptionsProvider = ClientWalletOptionsProvider._();
+
+final class ClientWalletOptionsProvider
+    extends
+        $FunctionalProvider<
+          AsyncValue<List<ClientWalletOption>>,
+          List<ClientWalletOption>,
+          FutureOr<List<ClientWalletOption>>
+        >
+    with
+        $FutureModifier<List<ClientWalletOption>>,
+        $FutureProvider<List<ClientWalletOption>> {
+  ClientWalletOptionsProvider._()
+    : super(
+        from: null,
+        argument: null,
+        retry: null,
+        name: r'clientWalletOptionsProvider',
+        isAutoDispose: true,
+        dependencies: null,
+        $allTransitiveDependencies: null,
+      );
+
+  @override
+  String debugGetCreateSourceHash() => _$clientWalletOptionsHash();
+
+  @$internal
+  @override
+  $FutureProviderElement<List<ClientWalletOption>> $createElement(
     $ProviderPointer pointer,
   ) => $FutureProviderElement(pointer);
 
   @override
-  FutureOr<List<SdkClientWalletAccess>?> create(Ref ref) {
-    return walletAccess(ref);
+  FutureOr<List<ClientWalletOption>> create(Ref ref) {
+    return clientWalletOptions(ref);
   }
 }
 
-String _$walletAccessHash() => r'954aae12d2d18999efaa97d01be983bf849f2296';
+String _$clientWalletOptionsHash() =>
+    r'32183c2b281e2a41400de07f2381132a706815ab';
+
+@ProviderFor(clientWalletAccessSelection)
+final clientWalletAccessSelectionProvider =
+    ClientWalletAccessSelectionFamily._();
+
+final class ClientWalletAccessSelectionProvider
+    extends
+        $FunctionalProvider<AsyncValue<Set<int>>, Set<int>, FutureOr<Set<int>>>
+    with $FutureModifier<Set<int>>, $FutureProvider<Set<int>> {
+  ClientWalletAccessSelectionProvider._({
+    required ClientWalletAccessSelectionFamily super.from,
+    required int super.argument,
+  }) : super(
+         retry: null,
+         name: r'clientWalletAccessSelectionProvider',
+         isAutoDispose: true,
+         dependencies: null,
+         $allTransitiveDependencies: null,
+       );
+
+  @override
+  String debugGetCreateSourceHash() => _$clientWalletAccessSelectionHash();
+
+  @override
+  String toString() {
+    return r'clientWalletAccessSelectionProvider'
+        ''
+        '($argument)';
+  }
+
+  @$internal
+  @override
+  $FutureProviderElement<Set<int>> $createElement($ProviderPointer pointer) =>
+      $FutureProviderElement(pointer);
+
+  @override
+  FutureOr<Set<int>> create(Ref ref) {
+    final argument = this.argument as int;
+    return clientWalletAccessSelection(ref, argument);
+  }
+
+  @override
+  bool operator ==(Object other) {
+    return other is ClientWalletAccessSelectionProvider &&
+        other.argument == argument;
+  }
+
+  @override
+  int get hashCode {
+    return argument.hashCode;
+  }
+}
+
+String _$clientWalletAccessSelectionHash() =>
+    r'f33705ee7201cd9b899cc058d6642de85a22b03e';
+
+final class ClientWalletAccessSelectionFamily extends $Family
+    with $FunctionalFamilyOverride<FutureOr<Set<int>>, int> {
+  ClientWalletAccessSelectionFamily._()
+    : super(
+        retry: null,
+        name: r'clientWalletAccessSelectionProvider',
+        dependencies: null,
+        $allTransitiveDependencies: null,
+        isAutoDispose: true,
+      );
+
+  ClientWalletAccessSelectionProvider call(int clientId) =>
+      ClientWalletAccessSelectionProvider._(argument: clientId, from: this);
+
+  @override
+  String toString() => r'clientWalletAccessSelectionProvider';
+}
+
+@ProviderFor(ClientWalletAccessController)
+final clientWalletAccessControllerProvider =
+    ClientWalletAccessControllerFamily._();
+
+final class ClientWalletAccessControllerProvider
+    extends
+        $NotifierProvider<
+          ClientWalletAccessController,
+          ClientWalletAccessState
+        > {
+  ClientWalletAccessControllerProvider._({
+    required ClientWalletAccessControllerFamily super.from,
+    required int super.argument,
+  }) : super(
+         retry: null,
+         name: r'clientWalletAccessControllerProvider',
+         isAutoDispose: true,
+         dependencies: null,
+         $allTransitiveDependencies: null,
+       );
+
+  @override
+  String debugGetCreateSourceHash() => _$clientWalletAccessControllerHash();
+
+  @override
+  String toString() {
+    return r'clientWalletAccessControllerProvider'
+        ''
+        '($argument)';
+  }
+
+  @$internal
+  @override
+  ClientWalletAccessController create() => ClientWalletAccessController();
+
+  /// {@macro riverpod.override_with_value}
+  Override overrideWithValue(ClientWalletAccessState value) {
+    return $ProviderOverride(
+      origin: this,
+      providerOverride: $SyncValueProvider<ClientWalletAccessState>(value),
+    );
+  }
+
+  @override
+  bool operator ==(Object other) {
+    return other is ClientWalletAccessControllerProvider &&
+        other.argument == argument;
+  }
+
+  @override
+  int get hashCode {
+    return argument.hashCode;
+  }
+}
+
+String _$clientWalletAccessControllerHash() =>
+    r'45bff81382fec3e8610190167b55667a7dfc1111';
+
+final class ClientWalletAccessControllerFamily extends $Family
+    with
+        $ClassFamilyOverride<
+          ClientWalletAccessController,
+          ClientWalletAccessState,
+          ClientWalletAccessState,
+          ClientWalletAccessState,
+          int
+        > {
+  ClientWalletAccessControllerFamily._()
+    : super(
+        retry: null,
+        name: r'clientWalletAccessControllerProvider',
+        dependencies: null,
+        $allTransitiveDependencies: null,
+        isAutoDispose: true,
+      );
+
+  ClientWalletAccessControllerProvider call(int clientId) =>
+      ClientWalletAccessControllerProvider._(argument: clientId, from: this);
+
+  @override
+  String toString() => r'clientWalletAccessControllerProvider';
+}
+
+abstract class _$ClientWalletAccessController
+    extends $Notifier<ClientWalletAccessState> {
+  late final _$args = ref.$arg as int;
+  int get clientId => _$args;
+
+  ClientWalletAccessState build(int clientId);
+  @$mustCallSuper
+  @override
+  void runBuild() {
+    final ref =
+        this.ref as $Ref<ClientWalletAccessState, ClientWalletAccessState>;
+    final element =
+        ref.element
+            as $ClassProviderElement<
+              AnyNotifier<ClientWalletAccessState, ClientWalletAccessState>,
+              ClientWalletAccessState,
+              Object?,
+              Object?
+            >;
+    element.handleCreate(ref, () => build(_$args));
+  }
+}
diff --git a/useragent/lib/router.dart b/useragent/lib/router.dart
index c5a17f2..5342ff5 100644
--- a/useragent/lib/router.dart
+++ b/useragent/lib/router.dart
@@ -10,6 +10,7 @@ class Router extends RootStackRouter {
     AutoRoute(page: ServerInfoSetupRoute.page, path: '/server-info'),
     AutoRoute(page: ServerConnectionRoute.page, path: '/server-connection'),
     AutoRoute(page: VaultSetupRoute.page, path: '/vault'),
+    AutoRoute(page: ClientDetailsRoute.page, path: '/clients/:clientId'),
     AutoRoute(page: CreateEvmGrantRoute.page, path: '/evm-grants/create'),
 
     AutoRoute(
diff --git a/useragent/lib/router.gr.dart b/useragent/lib/router.gr.dart
index dbab355..b661a9d 100644
--- a/useragent/lib/router.gr.dart
+++ b/useragent/lib/router.gr.dart
@@ -9,29 +9,31 @@
 // coverage:ignore-file
 
 // ignore_for_file: no_leading_underscores_for_library_prefixes
-import 'package:arbiter/proto/user_agent.pb.dart' as _i13;
+import 'package:arbiter/proto/user_agent.pb.dart' as _i14;
 import 'package:arbiter/screens/bootstrap.dart' as _i2;
-import 'package:arbiter/screens/dashboard.dart' as _i6;
+import 'package:arbiter/screens/dashboard.dart' as _i7;
 import 'package:arbiter/screens/dashboard/about.dart' as _i1;
 import 'package:arbiter/screens/dashboard/clients/details.dart' as _i3;
-import 'package:arbiter/screens/dashboard/clients/table.dart' as _i4;
-import 'package:arbiter/screens/dashboard/evm/evm.dart' as _i7;
-import 'package:arbiter/screens/dashboard/evm/grants/grant_create.dart' as _i5;
-import 'package:arbiter/screens/server_connection.dart' as _i8;
-import 'package:arbiter/screens/server_info_setup.dart' as _i9;
-import 'package:arbiter/screens/vault_setup.dart' as _i10;
-import 'package:auto_route/auto_route.dart' as _i11;
-import 'package:flutter/material.dart' as _i12;
+import 'package:arbiter/screens/dashboard/clients/details/client_details.dart'
+    as _i4;
+import 'package:arbiter/screens/dashboard/clients/table.dart' as _i5;
+import 'package:arbiter/screens/dashboard/evm/evm.dart' as _i8;
+import 'package:arbiter/screens/dashboard/evm/grants/grant_create.dart' as _i6;
+import 'package:arbiter/screens/server_connection.dart' as _i9;
+import 'package:arbiter/screens/server_info_setup.dart' as _i10;
+import 'package:arbiter/screens/vault_setup.dart' as _i11;
+import 'package:auto_route/auto_route.dart' as _i12;
+import 'package:flutter/material.dart' as _i13;
 
 /// generated route for
 /// [_i1.AboutScreen]
-class AboutRoute extends _i11.PageRouteInfo<void> {
-  const AboutRoute({List<_i11.PageRouteInfo>? children})
+class AboutRoute extends _i12.PageRouteInfo<void> {
+  const AboutRoute({List<_i12.PageRouteInfo>? children})
     : super(AboutRoute.name, initialChildren: children);
 
   static const String name = 'AboutRoute';
 
-  static _i11.PageInfo page = _i11.PageInfo(
+  static _i12.PageInfo page = _i12.PageInfo(
     name,
     builder: (data) {
       return const _i1.AboutScreen();
@@ -41,13 +43,13 @@ class AboutRoute extends _i11.PageRouteInfo<void> {
 
 /// generated route for
 /// [_i2.Bootstrap]
-class Bootstrap extends _i11.PageRouteInfo<void> {
-  const Bootstrap({List<_i11.PageRouteInfo>? children})
+class Bootstrap extends _i12.PageRouteInfo<void> {
+  const Bootstrap({List<_i12.PageRouteInfo>? children})
     : super(Bootstrap.name, initialChildren: children);
 
   static const String name = 'Bootstrap';
 
-  static _i11.PageInfo page = _i11.PageInfo(
+  static _i12.PageInfo page = _i12.PageInfo(
     name,
     builder: (data) {
       return const _i2.Bootstrap();
@@ -57,11 +59,11 @@ class Bootstrap extends _i11.PageRouteInfo<void> {
 
 /// generated route for
 /// [_i3.ClientDetails]
-class ClientDetails extends _i11.PageRouteInfo<ClientDetailsArgs> {
+class ClientDetails extends _i12.PageRouteInfo<ClientDetailsArgs> {
   ClientDetails({
-    _i12.Key? key,
-    required _i13.SdkClientEntry client,
-    List<_i11.PageRouteInfo>? children,
+    _i13.Key? key,
+    required _i14.SdkClientEntry client,
+    List<_i12.PageRouteInfo>? children,
   }) : super(
          ClientDetails.name,
          args: ClientDetailsArgs(key: key, client: client),
@@ -70,7 +72,7 @@ class ClientDetails extends _i11.PageRouteInfo<ClientDetailsArgs> {
 
   static const String name = 'ClientDetails';
 
-  static _i11.PageInfo page = _i11.PageInfo(
+  static _i12.PageInfo page = _i12.PageInfo(
     name,
     builder: (data) {
       final args = data.argsAs<ClientDetailsArgs>();
@@ -82,9 +84,9 @@ class ClientDetails extends _i11.PageRouteInfo<ClientDetailsArgs> {
 class ClientDetailsArgs {
   const ClientDetailsArgs({this.key, required this.client});
 
-  final _i12.Key? key;
+  final _i13.Key? key;
 
-  final _i13.SdkClientEntry client;
+  final _i14.SdkClientEntry client;
 
   @override
   String toString() {
@@ -103,77 +105,129 @@ class ClientDetailsArgs {
 }
 
 /// generated route for
-/// [_i4.ClientsScreen]
-class ClientsRoute extends _i11.PageRouteInfo<void> {
-  const ClientsRoute({List<_i11.PageRouteInfo>? children})
+/// [_i4.ClientDetailsScreen]
+class ClientDetailsRoute extends _i12.PageRouteInfo<ClientDetailsRouteArgs> {
+  ClientDetailsRoute({
+    _i13.Key? key,
+    required int clientId,
+    List<_i12.PageRouteInfo>? children,
+  }) : super(
+         ClientDetailsRoute.name,
+         args: ClientDetailsRouteArgs(key: key, clientId: clientId),
+         rawPathParams: {'clientId': clientId},
+         initialChildren: children,
+       );
+
+  static const String name = 'ClientDetailsRoute';
+
+  static _i12.PageInfo page = _i12.PageInfo(
+    name,
+    builder: (data) {
+      final pathParams = data.inheritedPathParams;
+      final args = data.argsAs<ClientDetailsRouteArgs>(
+        orElse: () =>
+            ClientDetailsRouteArgs(clientId: pathParams.getInt('clientId')),
+      );
+      return _i4.ClientDetailsScreen(key: args.key, clientId: args.clientId);
+    },
+  );
+}
+
+class ClientDetailsRouteArgs {
+  const ClientDetailsRouteArgs({this.key, required this.clientId});
+
+  final _i13.Key? key;
+
+  final int clientId;
+
+  @override
+  String toString() {
+    return 'ClientDetailsRouteArgs{key: $key, clientId: $clientId}';
+  }
+
+  @override
+  bool operator ==(Object other) {
+    if (identical(this, other)) return true;
+    if (other is! ClientDetailsRouteArgs) return false;
+    return key == other.key && clientId == other.clientId;
+  }
+
+  @override
+  int get hashCode => key.hashCode ^ clientId.hashCode;
+}
+
+/// generated route for
+/// [_i5.ClientsScreen]
+class ClientsRoute extends _i12.PageRouteInfo<void> {
+  const ClientsRoute({List<_i12.PageRouteInfo>? children})
     : super(ClientsRoute.name, initialChildren: children);
 
   static const String name = 'ClientsRoute';
 
-  static _i11.PageInfo page = _i11.PageInfo(
+  static _i12.PageInfo page = _i12.PageInfo(
     name,
     builder: (data) {
-      return const _i4.ClientsScreen();
+      return const _i5.ClientsScreen();
     },
   );
 }
 
 /// generated route for
-/// [_i5.CreateEvmGrantScreen]
-class CreateEvmGrantRoute extends _i11.PageRouteInfo<void> {
-  const CreateEvmGrantRoute({List<_i11.PageRouteInfo>? children})
+/// [_i6.CreateEvmGrantScreen]
+class CreateEvmGrantRoute extends _i12.PageRouteInfo<void> {
+  const CreateEvmGrantRoute({List<_i12.PageRouteInfo>? children})
     : super(CreateEvmGrantRoute.name, initialChildren: children);
 
   static const String name = 'CreateEvmGrantRoute';
 
-  static _i11.PageInfo page = _i11.PageInfo(
+  static _i12.PageInfo page = _i12.PageInfo(
     name,
     builder: (data) {
-      return const _i5.CreateEvmGrantScreen();
+      return const _i6.CreateEvmGrantScreen();
     },
   );
 }
 
 /// generated route for
-/// [_i6.DashboardRouter]
-class DashboardRouter extends _i11.PageRouteInfo<void> {
-  const DashboardRouter({List<_i11.PageRouteInfo>? children})
+/// [_i7.DashboardRouter]
+class DashboardRouter extends _i12.PageRouteInfo<void> {
+  const DashboardRouter({List<_i12.PageRouteInfo>? children})
     : super(DashboardRouter.name, initialChildren: children);
 
   static const String name = 'DashboardRouter';
 
-  static _i11.PageInfo page = _i11.PageInfo(
+  static _i12.PageInfo page = _i12.PageInfo(
     name,
     builder: (data) {
-      return const _i6.DashboardRouter();
+      return const _i7.DashboardRouter();
     },
   );
 }
 
 /// generated route for
-/// [_i7.EvmScreen]
-class EvmRoute extends _i11.PageRouteInfo<void> {
-  const EvmRoute({List<_i11.PageRouteInfo>? children})
+/// [_i8.EvmScreen]
+class EvmRoute extends _i12.PageRouteInfo<void> {
+  const EvmRoute({List<_i12.PageRouteInfo>? children})
     : super(EvmRoute.name, initialChildren: children);
 
   static const String name = 'EvmRoute';
 
-  static _i11.PageInfo page = _i11.PageInfo(
+  static _i12.PageInfo page = _i12.PageInfo(
     name,
     builder: (data) {
-      return const _i7.EvmScreen();
+      return const _i8.EvmScreen();
     },
   );
 }
 
 /// generated route for
-/// [_i8.ServerConnectionScreen]
+/// [_i9.ServerConnectionScreen]
 class ServerConnectionRoute
-    extends _i11.PageRouteInfo<ServerConnectionRouteArgs> {
+    extends _i12.PageRouteInfo<ServerConnectionRouteArgs> {
   ServerConnectionRoute({
-    _i12.Key? key,
+    _i13.Key? key,
     String? arbiterUrl,
-    List<_i11.PageRouteInfo>? children,
+    List<_i12.PageRouteInfo>? children,
   }) : super(
          ServerConnectionRoute.name,
          args: ServerConnectionRouteArgs(key: key, arbiterUrl: arbiterUrl),
@@ -182,13 +236,13 @@ class ServerConnectionRoute
 
   static const String name = 'ServerConnectionRoute';
 
-  static _i11.PageInfo page = _i11.PageInfo(
+  static _i12.PageInfo page = _i12.PageInfo(
     name,
     builder: (data) {
       final args = data.argsAs<ServerConnectionRouteArgs>(
         orElse: () => const ServerConnectionRouteArgs(),
       );
-      return _i8.ServerConnectionScreen(
+      return _i9.ServerConnectionScreen(
         key: args.key,
         arbiterUrl: args.arbiterUrl,
       );
@@ -199,7 +253,7 @@ class ServerConnectionRoute
 class ServerConnectionRouteArgs {
   const ServerConnectionRouteArgs({this.key, this.arbiterUrl});
 
-  final _i12.Key? key;
+  final _i13.Key? key;
 
   final String? arbiterUrl;
 
@@ -220,33 +274,33 @@ class ServerConnectionRouteArgs {
 }
 
 /// generated route for
-/// [_i9.ServerInfoSetupScreen]
-class ServerInfoSetupRoute extends _i11.PageRouteInfo<void> {
-  const ServerInfoSetupRoute({List<_i11.PageRouteInfo>? children})
+/// [_i10.ServerInfoSetupScreen]
+class ServerInfoSetupRoute extends _i12.PageRouteInfo<void> {
+  const ServerInfoSetupRoute({List<_i12.PageRouteInfo>? children})
     : super(ServerInfoSetupRoute.name, initialChildren: children);
 
   static const String name = 'ServerInfoSetupRoute';
 
-  static _i11.PageInfo page = _i11.PageInfo(
+  static _i12.PageInfo page = _i12.PageInfo(
     name,
     builder: (data) {
-      return const _i9.ServerInfoSetupScreen();
+      return const _i10.ServerInfoSetupScreen();
     },
   );
 }
 
 /// generated route for
-/// [_i10.VaultSetupScreen]
-class VaultSetupRoute extends _i11.PageRouteInfo<void> {
-  const VaultSetupRoute({List<_i11.PageRouteInfo>? children})
+/// [_i11.VaultSetupScreen]
+class VaultSetupRoute extends _i12.PageRouteInfo<void> {
+  const VaultSetupRoute({List<_i12.PageRouteInfo>? children})
     : super(VaultSetupRoute.name, initialChildren: children);
 
   static const String name = 'VaultSetupRoute';
 
-  static _i11.PageInfo page = _i11.PageInfo(
+  static _i12.PageInfo page = _i12.PageInfo(
     name,
     builder: (data) {
-      return const _i10.VaultSetupScreen();
+      return const _i11.VaultSetupScreen();
     },
   );
 }
diff --git a/useragent/lib/screens/dashboard/clients/details/client_details.dart b/useragent/lib/screens/dashboard/clients/details/client_details.dart
new file mode 100644
index 0000000..854c5d9
--- /dev/null
+++ b/useragent/lib/screens/dashboard/clients/details/client_details.dart
@@ -0,0 +1,56 @@
+import 'package:arbiter/providers/sdk_clients/details.dart';
+import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/screens/dashboard/clients/details/widgets/client_details_content.dart';
+import 'package:arbiter/screens/dashboard/clients/details/widgets/client_details_state_panel.dart';
+import 'package:auto_route/auto_route.dart';
+import 'package:flutter/material.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+
+@RoutePage()
+class ClientDetailsScreen extends ConsumerWidget {
+  const ClientDetailsScreen({super.key, @pathParam required this.clientId});
+
+  final int clientId;
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final clientAsync = ref.watch(clientDetailsProvider(clientId));
+    return Scaffold(
+      body: SafeArea(
+        child: clientAsync.when(
+          data: (client) =>
+              _ClientDetailsState(clientId: clientId, client: client),
+          error: (error, _) => ClientDetailsStatePanel(
+            title: 'Client unavailable',
+            body: error.toString(),
+            icon: Icons.sync_problem,
+          ),
+          loading: () => const ClientDetailsStatePanel(
+            title: 'Loading client',
+            body: 'Pulling client details from Arbiter.',
+            icon: Icons.hourglass_top,
+          ),
+        ),
+      ),
+    );
+  }
+}
+
+class _ClientDetailsState extends StatelessWidget {
+  const _ClientDetailsState({required this.clientId, required this.client});
+
+  final int clientId;
+  final SdkClientEntry? client;
+
+  @override
+  Widget build(BuildContext context) {
+    if (client == null) {
+      return const ClientDetailsStatePanel(
+        title: 'Client not found',
+        body: 'The selected SDK client is no longer available.',
+        icon: Icons.person_off_outlined,
+      );
+    }
+    return ClientDetailsContent(clientId: clientId, client: client!);
+  }
+}
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/client_details_content.dart b/useragent/lib/screens/dashboard/clients/details/widgets/client_details_content.dart
new file mode 100644
index 0000000..cf2693f
--- /dev/null
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/client_details_content.dart
@@ -0,0 +1,55 @@
+import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/providers/sdk_clients/wallet_access.dart';
+import 'package:arbiter/screens/dashboard/clients/details/widgets/client_details_header.dart';
+import 'package:arbiter/screens/dashboard/clients/details/widgets/client_summary_card.dart';
+import 'package:arbiter/screens/dashboard/clients/details/widgets/wallet_access_save_bar.dart';
+import 'package:arbiter/screens/dashboard/clients/details/widgets/wallet_access_section.dart';
+import 'package:flutter/material.dart';
+import 'package:hooks_riverpod/experimental/mutation.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+
+class ClientDetailsContent extends ConsumerWidget {
+  const ClientDetailsContent({
+    super.key,
+    required this.clientId,
+    required this.client,
+  });
+
+  final int clientId;
+  final SdkClientEntry client;
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final state = ref.watch(clientWalletAccessControllerProvider(clientId));
+    final notifier = ref.read(
+      clientWalletAccessControllerProvider(clientId).notifier,
+    );
+    final saveMutation = ref.watch(saveClientWalletAccessMutation(clientId));
+    return ListView(
+      padding: const EdgeInsets.all(16),
+      children: [
+        const ClientDetailsHeader(),
+        const SizedBox(height: 16),
+        ClientSummaryCard(client: client),
+        const SizedBox(height: 16),
+        WalletAccessSection(
+          clientId: clientId,
+          state: state,
+          accessSelectionAsync: ref.watch(
+            clientWalletAccessSelectionProvider(clientId),
+          ),
+          isSavePending: saveMutation is MutationPending,
+          onSearchChanged: notifier.setSearchQuery,
+          onToggleWallet: notifier.toggleWallet,
+        ),
+        const SizedBox(height: 16),
+        WalletAccessSaveBar(
+          state: state,
+          saveMutation: saveMutation,
+          onDiscard: notifier.discardChanges,
+          onSave: () => executeSaveClientWalletAccess(ref, clientId: clientId),
+        ),
+      ],
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/client_details_header.dart b/useragent/lib/screens/dashboard/clients/details/widgets/client_details_header.dart
new file mode 100644
index 0000000..f93562a
--- /dev/null
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/client_details_header.dart
@@ -0,0 +1,23 @@
+import 'package:flutter/material.dart';
+
+class ClientDetailsHeader extends StatelessWidget {
+  const ClientDetailsHeader({super.key});
+
+  @override
+  Widget build(BuildContext context) {
+    final theme = Theme.of(context);
+    return Row(
+      children: [
+        BackButton(onPressed: () => Navigator.of(context).maybePop()),
+        Expanded(
+          child: Text(
+            'Client Details',
+            style: theme.textTheme.headlineSmall?.copyWith(
+              fontWeight: FontWeight.w800,
+            ),
+          ),
+        ),
+      ],
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/client_details_state_panel.dart b/useragent/lib/screens/dashboard/clients/details/widgets/client_details_state_panel.dart
new file mode 100644
index 0000000..f9c40d5
--- /dev/null
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/client_details_state_panel.dart
@@ -0,0 +1,45 @@
+import 'package:arbiter/theme/palette.dart';
+import 'package:flutter/material.dart';
+
+class ClientDetailsStatePanel extends StatelessWidget {
+  const ClientDetailsStatePanel({
+    super.key,
+    required this.title,
+    required this.body,
+    required this.icon,
+  });
+
+  final String title;
+  final String body;
+  final IconData icon;
+
+  @override
+  Widget build(BuildContext context) {
+    final theme = Theme.of(context);
+    return Center(
+      child: Padding(
+        padding: const EdgeInsets.all(24),
+        child: DecoratedBox(
+          decoration: BoxDecoration(
+            color: Palette.cream,
+            borderRadius: BorderRadius.circular(24),
+            border: Border.all(color: Palette.line),
+          ),
+          child: Padding(
+            padding: const EdgeInsets.all(24),
+            child: Column(
+              mainAxisSize: MainAxisSize.min,
+              children: [
+                Icon(icon, color: Palette.coral),
+                const SizedBox(height: 12),
+                Text(title, style: theme.textTheme.titleLarge),
+                const SizedBox(height: 8),
+                Text(body, textAlign: TextAlign.center),
+              ],
+            ),
+          ),
+        ),
+      ),
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart b/useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart
new file mode 100644
index 0000000..7fa081c
--- /dev/null
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart
@@ -0,0 +1,82 @@
+import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/theme/palette.dart';
+import 'package:flutter/material.dart';
+
+class ClientSummaryCard extends StatelessWidget {
+  const ClientSummaryCard({super.key, required this.client});
+
+  final SdkClientEntry client;
+
+  @override
+  Widget build(BuildContext context) {
+    return DecoratedBox(
+      decoration: BoxDecoration(
+        color: Palette.cream,
+        borderRadius: BorderRadius.circular(24),
+        border: Border.all(color: Palette.line),
+      ),
+      child: Padding(
+        padding: const EdgeInsets.all(20),
+        child: Column(
+          crossAxisAlignment: CrossAxisAlignment.start,
+          children: [
+            Text(
+              client.info.name,
+              style: Theme.of(context).textTheme.titleLarge,
+            ),
+            const SizedBox(height: 8),
+            Text(client.info.description),
+            const SizedBox(height: 16),
+            Wrap(
+              runSpacing: 8,
+              spacing: 16,
+              children: [
+                _Fact(label: 'Client ID', value: '${client.id}'),
+                _Fact(label: 'Version', value: client.info.version),
+                _Fact(
+                  label: 'Registered',
+                  value: _formatDate(client.createdAt),
+                ),
+                _Fact(label: 'Pubkey', value: _shortPubkey(client.pubkey)),
+              ],
+            ),
+          ],
+        ),
+      ),
+    );
+  }
+}
+
+class _Fact extends StatelessWidget {
+  const _Fact({required this.label, required this.value});
+
+  final String label;
+  final String value;
+
+  @override
+  Widget build(BuildContext context) {
+    final theme = Theme.of(context);
+    return Column(
+      crossAxisAlignment: CrossAxisAlignment.start,
+      children: [
+        Text(label, style: theme.textTheme.labelMedium),
+        Text(value.isEmpty ? '—' : value, style: theme.textTheme.bodyMedium),
+      ],
+    );
+  }
+}
+
+String _formatDate(int unixSecs) {
+  final dt = DateTime.fromMillisecondsSinceEpoch(unixSecs * 1000).toLocal();
+  return '${dt.year}-${dt.month.toString().padLeft(2, '0')}-${dt.day.toString().padLeft(2, '0')}';
+}
+
+String _shortPubkey(List<int> bytes) {
+  final hex = bytes
+      .map((byte) => byte.toRadixString(16).padLeft(2, '0'))
+      .join();
+  if (hex.length < 12) {
+    return '0x$hex';
+  }
+  return '0x${hex.substring(0, 8)}...${hex.substring(hex.length - 4)}';
+}
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_list.dart b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_list.dart
new file mode 100644
index 0000000..a59a909
--- /dev/null
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_list.dart
@@ -0,0 +1,33 @@
+import 'package:arbiter/providers/sdk_clients/wallet_access.dart';
+import 'package:arbiter/screens/dashboard/clients/details/widgets/wallet_access_tile.dart';
+import 'package:flutter/material.dart';
+
+class WalletAccessList extends StatelessWidget {
+  const WalletAccessList({
+    super.key,
+    required this.options,
+    required this.selectedWalletIds,
+    required this.enabled,
+    required this.onToggleWallet,
+  });
+
+  final List<ClientWalletOption> options;
+  final Set<int> selectedWalletIds;
+  final bool enabled;
+  final ValueChanged<int> onToggleWallet;
+
+  @override
+  Widget build(BuildContext context) {
+    return Column(
+      children: [
+        for (final option in options)
+          WalletAccessTile(
+            option: option,
+            value: selectedWalletIds.contains(option.walletId),
+            enabled: enabled,
+            onChanged: () => onToggleWallet(option.walletId),
+          ),
+      ],
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_save_bar.dart b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_save_bar.dart
new file mode 100644
index 0000000..52e820d
--- /dev/null
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_save_bar.dart
@@ -0,0 +1,60 @@
+import 'package:arbiter/providers/sdk_clients/wallet_access.dart';
+import 'package:arbiter/theme/palette.dart';
+import 'package:flutter/material.dart';
+import 'package:hooks_riverpod/experimental/mutation.dart';
+
+class WalletAccessSaveBar extends StatelessWidget {
+  const WalletAccessSaveBar({
+    super.key,
+    required this.state,
+    required this.saveMutation,
+    required this.onDiscard,
+    required this.onSave,
+  });
+
+  final ClientWalletAccessState state;
+  final MutationState<void> saveMutation;
+  final VoidCallback onDiscard;
+  final Future<void> Function() onSave;
+
+  @override
+  Widget build(BuildContext context) {
+    final isPending = saveMutation is MutationPending;
+    final errorText = switch (saveMutation) {
+      MutationError(:final error) => error.toString(),
+      _ => null,
+    };
+    return DecoratedBox(
+      decoration: BoxDecoration(
+        color: Palette.cream,
+        borderRadius: BorderRadius.circular(24),
+        border: Border.all(color: Palette.line),
+      ),
+      child: Padding(
+        padding: const EdgeInsets.all(16),
+        child: Column(
+          crossAxisAlignment: CrossAxisAlignment.start,
+          children: [
+            if (errorText != null) ...[
+              Text(errorText, style: TextStyle(color: Palette.coral)),
+              const SizedBox(height: 12),
+            ],
+            Row(
+              children: [
+                TextButton(
+                  onPressed: state.hasChanges && !isPending ? onDiscard : null,
+                  child: const Text('Reset'),
+                ),
+                const Spacer(),
+                FilledButton(
+                  onPressed: state.hasChanges && !isPending ? onSave : null,
+                  child: Text(isPending ? 'Saving...' : 'Save changes'),
+                ),
+              ],
+            ),
+          ],
+        ),
+      ),
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_search_field.dart b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_search_field.dart
new file mode 100644
index 0000000..62196c7
--- /dev/null
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_search_field.dart
@@ -0,0 +1,24 @@
+import 'package:flutter/material.dart';
+
+class WalletAccessSearchField extends StatelessWidget {
+  const WalletAccessSearchField({
+    super.key,
+    required this.searchQuery,
+    required this.onChanged,
+  });
+
+  final String searchQuery;
+  final ValueChanged<String> onChanged;
+
+  @override
+  Widget build(BuildContext context) {
+    return TextFormField(
+      initialValue: searchQuery,
+      decoration: const InputDecoration(
+        labelText: 'Search wallets',
+        prefixIcon: Icon(Icons.search),
+      ),
+      onChanged: onChanged,
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_section.dart b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_section.dart
new file mode 100644
index 0000000..e5b40f2
--- /dev/null
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_section.dart
@@ -0,0 +1,176 @@
+import 'package:arbiter/providers/sdk_clients/wallet_access.dart';
+import 'package:arbiter/screens/dashboard/clients/details/widgets/client_details_state_panel.dart';
+import 'package:arbiter/screens/dashboard/clients/details/widgets/wallet_access_list.dart';
+import 'package:arbiter/screens/dashboard/clients/details/widgets/wallet_access_search_field.dart';
+import 'package:arbiter/theme/palette.dart';
+import 'package:flutter/material.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+
+class WalletAccessSection extends ConsumerWidget {
+  const WalletAccessSection({
+    super.key,
+    required this.clientId,
+    required this.state,
+    required this.accessSelectionAsync,
+    required this.isSavePending,
+    required this.onSearchChanged,
+    required this.onToggleWallet,
+  });
+
+  final int clientId;
+  final ClientWalletAccessState state;
+  final AsyncValue<Set<int>> accessSelectionAsync;
+  final bool isSavePending;
+  final ValueChanged<String> onSearchChanged;
+  final ValueChanged<int> onToggleWallet;
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final optionsAsync = ref.watch(clientWalletOptionsProvider);
+    return DecoratedBox(
+      decoration: BoxDecoration(
+        color: Palette.cream,
+        borderRadius: BorderRadius.circular(24),
+        border: Border.all(color: Palette.line),
+      ),
+      child: Padding(
+        padding: const EdgeInsets.all(20),
+        child: Column(
+          crossAxisAlignment: CrossAxisAlignment.start,
+          children: [
+            Text(
+              'Wallet access',
+              style: Theme.of(context).textTheme.titleLarge,
+            ),
+            const SizedBox(height: 8),
+            Text('Choose which managed wallets this client can see.'),
+            const SizedBox(height: 16),
+            _WalletAccessBody(
+              clientId: clientId,
+              state: state,
+              accessSelectionAsync: accessSelectionAsync,
+              isSavePending: isSavePending,
+              optionsAsync: optionsAsync,
+              onSearchChanged: onSearchChanged,
+              onToggleWallet: onToggleWallet,
+            ),
+          ],
+        ),
+      ),
+    );
+  }
+}
+
+class _WalletAccessBody extends StatelessWidget {
+  const _WalletAccessBody({
+    required this.clientId,
+    required this.state,
+    required this.accessSelectionAsync,
+    required this.isSavePending,
+    required this.optionsAsync,
+    required this.onSearchChanged,
+    required this.onToggleWallet,
+  });
+
+  final int clientId;
+  final ClientWalletAccessState state;
+  final AsyncValue<Set<int>> accessSelectionAsync;
+  final bool isSavePending;
+  final AsyncValue<List<ClientWalletOption>> optionsAsync;
+  final ValueChanged<String> onSearchChanged;
+  final ValueChanged<int> onToggleWallet;
+
+  @override
+  Widget build(BuildContext context) {
+    final selectionState = accessSelectionAsync;
+    if (selectionState.isLoading) {
+      return const ClientDetailsStatePanel(
+        title: 'Loading wallet access',
+        body: 'Pulling the current wallet permissions for this client.',
+        icon: Icons.hourglass_top,
+      );
+    }
+    if (selectionState.hasError) {
+      return ClientDetailsStatePanel(
+        title: 'Wallet access unavailable',
+        body: selectionState.error.toString(),
+        icon: Icons.lock_outline,
+      );
+    }
+    return optionsAsync.when(
+      data: (options) => _WalletAccessLoaded(
+        state: state,
+        isSavePending: isSavePending,
+        options: options,
+        onSearchChanged: onSearchChanged,
+        onToggleWallet: onToggleWallet,
+      ),
+      error: (error, _) => ClientDetailsStatePanel(
+        title: 'Wallet list unavailable',
+        body: error.toString(),
+        icon: Icons.sync_problem,
+      ),
+      loading: () => const ClientDetailsStatePanel(
+        title: 'Loading wallets',
+        body: 'Pulling the managed wallet inventory.',
+        icon: Icons.hourglass_top,
+      ),
+    );
+  }
+}
+
+class _WalletAccessLoaded extends StatelessWidget {
+  const _WalletAccessLoaded({
+    required this.state,
+    required this.isSavePending,
+    required this.options,
+    required this.onSearchChanged,
+    required this.onToggleWallet,
+  });
+
+  final ClientWalletAccessState state;
+  final bool isSavePending;
+  final List<ClientWalletOption> options;
+  final ValueChanged<String> onSearchChanged;
+  final ValueChanged<int> onToggleWallet;
+
+  @override
+  Widget build(BuildContext context) {
+    if (options.isEmpty) {
+      return const ClientDetailsStatePanel(
+        title: 'No wallets yet',
+        body: 'Create a managed wallet before assigning client access.',
+        icon: Icons.account_balance_wallet_outlined,
+      );
+    }
+    return Column(
+      crossAxisAlignment: CrossAxisAlignment.start,
+      children: [
+        WalletAccessSearchField(
+          searchQuery: state.searchQuery,
+          onChanged: onSearchChanged,
+        ),
+        const SizedBox(height: 16),
+        WalletAccessList(
+          options: _filterOptions(options, state.searchQuery),
+          selectedWalletIds: state.selectedWalletIds,
+          enabled: !isSavePending,
+          onToggleWallet: onToggleWallet,
+        ),
+      ],
+    );
+  }
+}
+
+List<ClientWalletOption> _filterOptions(
+  List<ClientWalletOption> options,
+  String query,
+) {
+  if (query.isEmpty) {
+    return options;
+  }
+  final normalized = query.toLowerCase();
+  return options
+      .where((option) => option.address.toLowerCase().contains(normalized))
+      .toList(growable: false);
+}
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_tile.dart b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_tile.dart
new file mode 100644
index 0000000..066c9fb
--- /dev/null
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_tile.dart
@@ -0,0 +1,28 @@
+import 'package:arbiter/providers/sdk_clients/wallet_access.dart';
+import 'package:flutter/material.dart';
+
+class WalletAccessTile extends StatelessWidget {
+  const WalletAccessTile({
+    super.key,
+    required this.option,
+    required this.value,
+    required this.enabled,
+    required this.onChanged,
+  });
+
+  final ClientWalletOption option;
+  final bool value;
+  final bool enabled;
+  final VoidCallback onChanged;
+
+  @override
+  Widget build(BuildContext context) {
+    return CheckboxListTile(
+      contentPadding: EdgeInsets.zero,
+      value: value,
+      onChanged: enabled ? (_) => onChanged() : null,
+      title: Text('Wallet ${option.walletId}'),
+      subtitle: Text(option.address),
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/clients/table.dart b/useragent/lib/screens/dashboard/clients/table.dart
index 8bdb88d..a84cfe9 100644
--- a/useragent/lib/screens/dashboard/clients/table.dart
+++ b/useragent/lib/screens/dashboard/clients/table.dart
@@ -2,6 +2,7 @@ import 'dart:math' as math;
 
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
+import 'package:arbiter/router.gr.dart';
 import 'package:arbiter/providers/sdk_clients/list.dart';
 import 'package:auto_route/auto_route.dart';
 import 'package:flutter/material.dart';
@@ -176,10 +177,7 @@ class _Header extends StatelessWidget {
             style: OutlinedButton.styleFrom(
               foregroundColor: Palette.ink,
               side: BorderSide(color: Palette.line),
-              padding: EdgeInsets.symmetric(
-                horizontal: 1.4.w,
-                vertical: 1.2.h,
-              ),
+              padding: EdgeInsets.symmetric(horizontal: 1.4.w, vertical: 1.2.h),
               shape: RoundedRectangleBorder(
                 borderRadius: BorderRadius.circular(14),
               ),
@@ -215,9 +213,15 @@ class _ClientTableHeader extends StatelessWidget {
       child: Row(
         children: [
           SizedBox(width: _accentStripWidth + _cellHPad),
-          SizedBox(width: _idColWidth, child: Text('ID', style: style)),
+          SizedBox(
+            width: _idColWidth,
+            child: Text('ID', style: style),
+          ),
           SizedBox(width: _colGap),
-          SizedBox(width: _nameColWidth, child: Text('Name', style: style)),
+          SizedBox(
+            width: _nameColWidth,
+            child: Text('Name', style: style),
+          ),
           SizedBox(width: _colGap),
           SizedBox(
             width: _versionColWidth,
@@ -397,9 +401,7 @@ class _ClientTableRow extends HookWidget {
                             color: muted,
                             onPressed: () async {
                               await Clipboard.setData(
-                                ClipboardData(
-                                  text: _fullPubkey(client.pubkey),
-                                ),
+                                ClipboardData(text: _fullPubkey(client.pubkey)),
                               );
                               if (!context.mounted) return;
                               ScaffoldMessenger.of(context).showSnackBar(
@@ -410,6 +412,14 @@ class _ClientTableRow extends HookWidget {
                               );
                             },
                           ),
+                          FilledButton.tonal(
+                            onPressed: () {
+                              context.router.push(
+                                ClientDetailsRoute(clientId: client.id),
+                              );
+                            },
+                            child: const Text('Manage access'),
+                          ),
                         ],
                       ),
                     ],
diff --git a/useragent/test/screens/dashboard/clients/details/client_details_screen_test.dart b/useragent/test/screens/dashboard/clients/details/client_details_screen_test.dart
new file mode 100644
index 0000000..5e4e1b4
--- /dev/null
+++ b/useragent/test/screens/dashboard/clients/details/client_details_screen_test.dart
@@ -0,0 +1,69 @@
+import 'package:arbiter/proto/client.pb.dart';
+import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/providers/evm/evm.dart';
+import 'package:arbiter/providers/sdk_clients/list.dart';
+import 'package:arbiter/providers/sdk_clients/wallet_access.dart';
+import 'package:arbiter/screens/dashboard/clients/details/client_details.dart';
+import 'package:flutter/material.dart';
+import 'package:flutter_test/flutter_test.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+
+class _FakeEvm extends Evm {
+  _FakeEvm(this.wallets);
+
+  final List<WalletEntry> wallets;
+
+  @override
+  Future<List<WalletEntry>?> build() async => wallets;
+}
+
+class _FakeWalletAccessRepository implements ClientWalletAccessRepository {
+  @override
+  Future<Set<int>> fetchSelectedWalletIds(int clientId) async => {1};
+
+  @override
+  Future<void> saveSelectedWalletIds(int clientId, Set<int> walletIds) async {}
+}
+
+void main() {
+  testWidgets('renders client summary and wallet access controls', (
+    tester,
+  ) async {
+    final client = SdkClientEntry(
+      id: 42,
+      createdAt: 1,
+      info: ClientInfo(
+        name: 'Safe Wallet SDK',
+        version: '1.3.0',
+        description: 'Primary signing client',
+      ),
+      pubkey: List.filled(32, 17),
+    );
+
+    final wallets = [
+      WalletEntry(address: List.filled(20, 1)),
+      WalletEntry(address: List.filled(20, 2)),
+    ];
+
+    await tester.pumpWidget(
+      ProviderScope(
+        overrides: [
+          sdkClientsProvider.overrideWith((ref) async => [client]),
+          evmProvider.overrideWith(() => _FakeEvm(wallets)),
+          clientWalletAccessRepositoryProvider.overrideWithValue(
+            _FakeWalletAccessRepository(),
+          ),
+        ],
+        child: const MaterialApp(home: ClientDetailsScreen(clientId: 42)),
+      ),
+    );
+
+    await tester.pumpAndSettle();
+
+    expect(find.text('Safe Wallet SDK'), findsOneWidget);
+    expect(find.text('Wallet access'), findsOneWidget);
+    expect(find.textContaining('0x0101'), findsOneWidget);
+    expect(find.widgetWithText(FilledButton, 'Save changes'), findsOneWidget);
+  });
+}
diff --git a/useragent/test/screens/dashboard/clients/details/client_wallet_access_controller_test.dart b/useragent/test/screens/dashboard/clients/details/client_wallet_access_controller_test.dart
new file mode 100644
index 0000000..d916eab
--- /dev/null
+++ b/useragent/test/screens/dashboard/clients/details/client_wallet_access_controller_test.dart
@@ -0,0 +1,105 @@
+import 'package:arbiter/providers/sdk_clients/wallet_access.dart';
+import 'package:hooks_riverpod/experimental/mutation.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+import 'package:flutter_test/flutter_test.dart';
+
+class _SuccessRepository implements ClientWalletAccessRepository {
+  Set<int>? savedWalletIds;
+
+  @override
+  Future<Set<int>> fetchSelectedWalletIds(int clientId) async => {1};
+
+  @override
+  Future<void> saveSelectedWalletIds(int clientId, Set<int> walletIds) async {
+    savedWalletIds = walletIds;
+  }
+}
+
+class _FailureRepository implements ClientWalletAccessRepository {
+  @override
+  Future<Set<int>> fetchSelectedWalletIds(int clientId) async => const {};
+
+  @override
+  Future<void> saveSelectedWalletIds(int clientId, Set<int> walletIds) async {
+    throw UnsupportedError('Not supported yet: $walletIds');
+  }
+}
+
+void main() {
+  test('save updates the original selection after toggles', () async {
+    final repository = _SuccessRepository();
+    final container = ProviderContainer(
+      overrides: [
+        clientWalletAccessRepositoryProvider.overrideWithValue(repository),
+      ],
+    );
+    addTearDown(container.dispose);
+
+    final controller = container.read(
+      clientWalletAccessControllerProvider(42).notifier,
+    );
+    await container.read(clientWalletAccessSelectionProvider(42).future);
+    controller.toggleWallet(2);
+
+    expect(
+      container
+          .read(clientWalletAccessControllerProvider(42))
+          .selectedWalletIds,
+      {1, 2},
+    );
+    expect(
+      container.read(clientWalletAccessControllerProvider(42)).hasChanges,
+      isTrue,
+    );
+
+    await executeSaveClientWalletAccess(container, clientId: 42);
+
+    expect(repository.savedWalletIds, {1, 2});
+    expect(
+      container
+          .read(clientWalletAccessControllerProvider(42))
+          .originalWalletIds,
+      {1, 2},
+    );
+    expect(
+      container.read(clientWalletAccessControllerProvider(42)).hasChanges,
+      isFalse,
+    );
+  });
+
+  test('save failure preserves edits and exposes a mutation error', () async {
+    final container = ProviderContainer(
+      overrides: [
+        clientWalletAccessRepositoryProvider.overrideWithValue(
+          _FailureRepository(),
+        ),
+      ],
+    );
+    addTearDown(container.dispose);
+
+    final controller = container.read(
+      clientWalletAccessControllerProvider(42).notifier,
+    );
+    await container.read(clientWalletAccessSelectionProvider(42).future);
+    controller.toggleWallet(3);
+    await expectLater(
+      executeSaveClientWalletAccess(container, clientId: 42),
+      throwsUnsupportedError,
+    );
+
+    expect(
+      container
+          .read(clientWalletAccessControllerProvider(42))
+          .selectedWalletIds,
+      {3},
+    );
+    expect(
+      container.read(clientWalletAccessControllerProvider(42)).hasChanges,
+      isTrue,
+    );
+    expect(
+      container.read(saveClientWalletAccessMutation(42)),
+      isA<MutationError<void>>(),
+    );
+  });
+}

From 29cc4d9e5b58912d6a2ee889536ab7cf562a49f8 Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Thu, 26 Mar 2026 20:42:48 +0100
Subject: [PATCH 03/29] refactor(useragent::evm): moved out header into general
 widget

---
 useragent/lib/screens/dashboard/evm/evm.dart | 132 +++++++------------
 useragent/lib/widgets/page_header.dart       |  63 +++++++++
 2 files changed, 107 insertions(+), 88 deletions(-)
 create mode 100644 useragent/lib/widgets/page_header.dart

diff --git a/useragent/lib/screens/dashboard/evm/evm.dart b/useragent/lib/screens/dashboard/evm/evm.dart
index fac14aa..ea407a9 100644
--- a/useragent/lib/screens/dashboard/evm/evm.dart
+++ b/useragent/lib/screens/dashboard/evm/evm.dart
@@ -4,6 +4,7 @@ import 'package:arbiter/proto/evm.pb.dart';
 import 'package:arbiter/theme/palette.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
 import 'package:arbiter/providers/evm/evm.dart';
+import 'package:arbiter/widgets/page_header.dart';
 import 'package:auto_route/auto_route.dart';
 import 'package:flutter/material.dart';
 import 'package:flutter_hooks/flutter_hooks.dart';
@@ -99,11 +100,50 @@ class EvmScreen extends HookConsumerWidget {
             ),
             padding: EdgeInsets.fromLTRB(2.4.w, 2.4.h, 2.4.w, 3.2.h),
             children: [
-              _Header(
+              PageHeader(
+                title: 'EVM Wallet Vault',
                 isBusy: walletsAsync.isLoading,
-                isCreating: isCreating.value,
-                onCreate: createWallet,
-                onRefresh: refreshWallets,
+                actions: [
+                  FilledButton.icon(
+                    onPressed: isCreating.value ? null : () => createWallet(),
+                    style: FilledButton.styleFrom(
+                      backgroundColor: Palette.ink,
+                      foregroundColor: Colors.white,
+                      padding: EdgeInsets.symmetric(
+                        horizontal: 1.4.w,
+                        vertical: 1.2.h,
+                      ),
+                      shape: RoundedRectangleBorder(
+                        borderRadius: BorderRadius.circular(14),
+                      ),
+                    ),
+                    icon: isCreating.value
+                        ? SizedBox(
+                            width: 1.6.h,
+                            height: 1.6.h,
+                            child: CircularProgressIndicator(strokeWidth: 2.2),
+                          )
+                        : const Icon(Icons.add_circle_outline, size: 18),
+                    label: Text(isCreating.value ? 'Creating...' : 'Create'),
+                  ),
+                  SizedBox(width: 1.w),
+                  OutlinedButton.icon(
+                    onPressed: () => refreshWallets(),
+                    style: OutlinedButton.styleFrom(
+                      foregroundColor: Palette.ink,
+                      side: BorderSide(color: Palette.line),
+                      padding: EdgeInsets.symmetric(
+                        horizontal: 1.4.w,
+                        vertical: 1.2.h,
+                      ),
+                      shape: RoundedRectangleBorder(
+                        borderRadius: BorderRadius.circular(14),
+                      ),
+                    ),
+                    icon: const Icon(Icons.refresh, size: 18),
+                    label: const Text('Refresh'),
+                  ),
+                ],
               ),
               SizedBox(height: 1.8.h),
               content,
@@ -121,90 +161,6 @@ double get _walletColumnWidth => 18.w;
 double get _columnGap => 1.8.w;
 double get _tableMinWidth => 72.w;
 
-class _Header extends StatelessWidget {
-  const _Header({
-    required this.isBusy,
-    required this.isCreating,
-    required this.onCreate,
-    required this.onRefresh,
-  });
-
-  final bool isBusy;
-  final bool isCreating;
-  final Future<void> Function() onCreate;
-  final Future<void> Function() onRefresh;
-
-  @override
-  Widget build(BuildContext context) {
-    final theme = Theme.of(context);
-
-    return Container(
-      padding: EdgeInsets.symmetric(horizontal: 1.6.w, vertical: 1.2.h),
-      decoration: BoxDecoration(
-        borderRadius: BorderRadius.circular(18),
-        color: Palette.cream,
-        border: Border.all(color: Palette.line),
-      ),
-      child: Row(
-        children: [
-          Expanded(
-            child: Text(
-              'EVM Wallet Vault',
-              style: theme.textTheme.titleMedium?.copyWith(
-                color: Palette.ink,
-                fontWeight: FontWeight.w800,
-              ),
-            ),
-          ),
-          if (isBusy) ...[
-            Text(
-              'Syncing',
-              style: theme.textTheme.bodySmall?.copyWith(
-                color: Palette.ink.withValues(alpha: 0.62),
-                fontWeight: FontWeight.w700,
-              ),
-            ),
-            SizedBox(width: 1.w),
-          ],
-          FilledButton.icon(
-            onPressed: isCreating ? null : () => onCreate(),
-            style: FilledButton.styleFrom(
-              backgroundColor: Palette.ink,
-              foregroundColor: Colors.white,
-              padding: EdgeInsets.symmetric(horizontal: 1.4.w, vertical: 1.2.h),
-              shape: RoundedRectangleBorder(
-                borderRadius: BorderRadius.circular(14),
-              ),
-            ),
-            icon: isCreating
-                ? SizedBox(
-                    width: 1.6.h,
-                    height: 1.6.h,
-                    child: CircularProgressIndicator(strokeWidth: 2.2),
-                  )
-                : const Icon(Icons.add_circle_outline, size: 18),
-            label: Text(isCreating ? 'Creating...' : 'Create'),
-          ),
-          SizedBox(width: 1.w),
-          OutlinedButton.icon(
-            onPressed: () => onRefresh(),
-            style: OutlinedButton.styleFrom(
-              foregroundColor: Palette.ink,
-              side: BorderSide(color: Palette.line),
-              padding: EdgeInsets.symmetric(horizontal: 1.4.w, vertical: 1.2.h),
-              shape: RoundedRectangleBorder(
-                borderRadius: BorderRadius.circular(14),
-              ),
-            ),
-            icon: const Icon(Icons.refresh, size: 18),
-            label: const Text('Refresh'),
-          ),
-        ],
-      ),
-    );
-  }
-}
-
 class _WalletTable extends StatelessWidget {
   const _WalletTable({required this.wallets});
 
diff --git a/useragent/lib/widgets/page_header.dart b/useragent/lib/widgets/page_header.dart
new file mode 100644
index 0000000..798bf2a
--- /dev/null
+++ b/useragent/lib/widgets/page_header.dart
@@ -0,0 +1,63 @@
+import 'package:arbiter/theme/palette.dart';
+import 'package:flutter/material.dart';
+import 'package:sizer/sizer.dart';
+
+class PageHeader extends StatelessWidget {
+  const PageHeader({
+    super.key,
+    required this.title,
+    this.isBusy = false,
+    this.busyLabel = 'Syncing',
+    this.actions = const <Widget>[],
+    this.padding,
+    this.backgroundColor,
+    this.borderColor,
+  });
+
+  final String title;
+  final bool isBusy;
+  final String busyLabel;
+  final List<Widget> actions;
+  final EdgeInsetsGeometry? padding;
+  final Color? backgroundColor;
+  final Color? borderColor;
+
+  @override
+  Widget build(BuildContext context) {
+    final theme = Theme.of(context);
+
+    return Container(
+      padding:
+          padding ?? EdgeInsets.symmetric(horizontal: 1.6.w, vertical: 1.2.h),
+      decoration: BoxDecoration(
+        borderRadius: BorderRadius.circular(18),
+        color: backgroundColor ?? Palette.cream,
+        border: Border.all(color: borderColor ?? Palette.line),
+      ),
+      child: Row(
+        children: [
+          Expanded(
+            child: Text(
+              title,
+              style: theme.textTheme.titleMedium?.copyWith(
+                color: Palette.ink,
+                fontWeight: FontWeight.w800,
+              ),
+            ),
+          ),
+          if (isBusy) ...[
+            Text(
+              busyLabel,
+              style: theme.textTheme.bodySmall?.copyWith(
+                color: Palette.ink.withValues(alpha: 0.62),
+                fontWeight: FontWeight.w700,
+              ),
+            ),
+            SizedBox(width: 1.w),
+          ],
+          ...actions,
+        ],
+      ),
+    );
+  }
+}

From 78006e90f250388d80ec3be8e5e5d85f80395634 Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Thu, 26 Mar 2026 20:46:15 +0100
Subject: [PATCH 04/29] refactor(useragent::evm::table): broke down into more
 widgets

---
 useragent/lib/providers/evm/evm.dart          |  25 +-
 useragent/lib/providers/evm/evm.g.dart        |   2 +-
 useragent/lib/screens/dashboard/evm/evm.dart  | 295 +-----------------
 .../screens/dashboard/evm/wallets/header.dart |  98 ++++++
 .../screens/dashboard/evm/wallets/table.dart  | 209 +++++++++++++
 5 files changed, 337 insertions(+), 292 deletions(-)
 create mode 100644 useragent/lib/screens/dashboard/evm/wallets/header.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/wallets/table.dart

diff --git a/useragent/lib/providers/evm/evm.dart b/useragent/lib/providers/evm/evm.dart
index 7cb89f3..f32386f 100644
--- a/useragent/lib/providers/evm/evm.dart
+++ b/useragent/lib/providers/evm/evm.dart
@@ -1,6 +1,8 @@
-import 'package:arbiter/features/connection/evm.dart';
+import 'package:arbiter/features/connection/evm.dart' as evm;
 import 'package:arbiter/proto/evm.pb.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
+import 'package:hooks_riverpod/experimental/mutation.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 
 part 'evm.g.dart';
@@ -14,7 +16,7 @@ class Evm extends _$Evm {
       return null;
     }
 
-    return listEvmWallets(connection);
+    return evm.listEvmWallets(connection);
   }
 
   Future<void> refreshWallets() async {
@@ -25,16 +27,21 @@ class Evm extends _$Evm {
     }
 
     state = const AsyncLoading();
-    state = await AsyncValue.guard(() => listEvmWallets(connection));
+    state = await AsyncValue.guard(() => evm.listEvmWallets(connection));
   }
+}
 
-  Future<void> createWallet() async {
-    final connection = await ref.read(connectionManagerProvider.future);
+final createEvmWallet = Mutation();
+
+Future<void> executeCreateEvmWallet(MutationTarget target) async {
+  return await createEvmWallet.run(target, (tsx) async {
+       final connection = await tsx.get(connectionManagerProvider.future);
     if (connection == null) {
       throw Exception('Not connected to the server.');
     }
 
-    await createEvmWallet(connection);
-    state = await AsyncValue.guard(() => listEvmWallets(connection));
-  }
-}
+    await evm.createEvmWallet(connection);
+
+    await tsx.get(evmProvider.notifier).refreshWallets();
+  });
+}
\ No newline at end of file
diff --git a/useragent/lib/providers/evm/evm.g.dart b/useragent/lib/providers/evm/evm.g.dart
index 8c5bb02..ab490d7 100644
--- a/useragent/lib/providers/evm/evm.g.dart
+++ b/useragent/lib/providers/evm/evm.g.dart
@@ -33,7 +33,7 @@ final class EvmProvider
   Evm create() => Evm();
 }
 
-String _$evmHash() => r'f5d05bfa7b820d0b96026a47ca47702a3793af5d';
+String _$evmHash() => r'ca2c9736065c5dc7cc45d8485000dd85dfbfa572';
 
 abstract class _$Evm extends $AsyncNotifier<List<WalletEntry>?> {
   FutureOr<List<WalletEntry>?> build();
diff --git a/useragent/lib/screens/dashboard/evm/evm.dart b/useragent/lib/screens/dashboard/evm/evm.dart
index ea407a9..743b369 100644
--- a/useragent/lib/screens/dashboard/evm/evm.dart
+++ b/useragent/lib/screens/dashboard/evm/evm.dart
@@ -1,13 +1,11 @@
-import 'dart:math' as math;
-
 import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/screens/dashboard/evm/wallets/header.dart';
+import 'package:arbiter/screens/dashboard/evm/wallets/table.dart';
 import 'package:arbiter/theme/palette.dart';
-import 'package:arbiter/providers/connection/connection_manager.dart';
 import 'package:arbiter/providers/evm/evm.dart';
 import 'package:arbiter/widgets/page_header.dart';
 import 'package:auto_route/auto_route.dart';
 import 'package:flutter/material.dart';
-import 'package:flutter_hooks/flutter_hooks.dart';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
 import 'package:sizer/sizer.dart';
 
@@ -17,13 +15,10 @@ class EvmScreen extends HookConsumerWidget {
 
   @override
   Widget build(BuildContext context, WidgetRef ref) {
-    final walletsAsync = ref.watch(evmProvider);
-    final isCreating = useState(false);
+    final evm = ref.watch(evmProvider);
 
-    final wallets = walletsAsync.asData?.value;
+    final wallets = evm.asData?.value;
     final loadedWallets = wallets ?? const <WalletEntry>[];
-    final isConnected =
-        ref.watch(connectionManagerProvider).asData?.value != null;
 
     void showMessage(String message) {
       if (!context.mounted) return;
@@ -35,28 +30,12 @@ class EvmScreen extends HookConsumerWidget {
     Future<void> refreshWallets() async {
       try {
         await ref.read(evmProvider.notifier).refreshWallets();
-      } catch (error) {
-        showMessage(_formatError(error));
+      } catch (e) {
+        showMessage('Failed to refresh wallets: ${_formatError(e)}');
       }
     }
 
-    Future<void> createWallet() async {
-      if (isCreating.value) {
-        return;
-      }
-
-      isCreating.value = true;
-      try {
-        await ref.read(evmProvider.notifier).createWallet();
-        showMessage('Wallet created.');
-      } catch (error) {
-        showMessage(_formatError(error));
-      } finally {
-        isCreating.value = false;
-      }
-    }
-
-    final content = switch (walletsAsync) {
+    final content = switch (evm) {
       AsyncLoading() when wallets == null => const _StatePanel(
         icon: Icons.hourglass_top,
         title: 'Loading wallets',
@@ -70,22 +49,14 @@ class EvmScreen extends HookConsumerWidget {
         actionLabel: 'Retry',
         onAction: refreshWallets,
       ),
-      _ when !isConnected => _StatePanel(
+      AsyncData(:final value) when value == null => _StatePanel(
         icon: Icons.portable_wifi_off,
         title: 'No active server connection',
         body: 'Reconnect to Arbiter to list or create EVM wallets.',
         actionLabel: 'Refresh',
-        onAction: refreshWallets,
+        onAction: () => refreshWallets(),
       ),
-      _ when loadedWallets.isEmpty => _StatePanel(
-        icon: Icons.account_balance_wallet_outlined,
-        title: 'No wallets yet',
-        body:
-            'Create the first vault-backed wallet to start building your EVM registry.',
-        actionLabel: isCreating.value ? 'Creating...' : 'Create wallet',
-        onAction: isCreating.value ? null : createWallet,
-      ),
-      _ => _WalletTable(wallets: loadedWallets),
+      _ => WalletTable(wallets: loadedWallets),
     };
 
     return Scaffold(
@@ -102,47 +73,11 @@ class EvmScreen extends HookConsumerWidget {
             children: [
               PageHeader(
                 title: 'EVM Wallet Vault',
-                isBusy: walletsAsync.isLoading,
+                isBusy: evm.isLoading,
                 actions: [
-                  FilledButton.icon(
-                    onPressed: isCreating.value ? null : () => createWallet(),
-                    style: FilledButton.styleFrom(
-                      backgroundColor: Palette.ink,
-                      foregroundColor: Colors.white,
-                      padding: EdgeInsets.symmetric(
-                        horizontal: 1.4.w,
-                        vertical: 1.2.h,
-                      ),
-                      shape: RoundedRectangleBorder(
-                        borderRadius: BorderRadius.circular(14),
-                      ),
-                    ),
-                    icon: isCreating.value
-                        ? SizedBox(
-                            width: 1.6.h,
-                            height: 1.6.h,
-                            child: CircularProgressIndicator(strokeWidth: 2.2),
-                          )
-                        : const Icon(Icons.add_circle_outline, size: 18),
-                    label: Text(isCreating.value ? 'Creating...' : 'Create'),
-                  ),
+                  const CreateWalletButton(),
                   SizedBox(width: 1.w),
-                  OutlinedButton.icon(
-                    onPressed: () => refreshWallets(),
-                    style: OutlinedButton.styleFrom(
-                      foregroundColor: Palette.ink,
-                      side: BorderSide(color: Palette.line),
-                      padding: EdgeInsets.symmetric(
-                        horizontal: 1.4.w,
-                        vertical: 1.2.h,
-                      ),
-                      shape: RoundedRectangleBorder(
-                        borderRadius: BorderRadius.circular(14),
-                      ),
-                    ),
-                    icon: const Icon(Icons.refresh, size: 18),
-                    label: const Text('Refresh'),
-                  ),
+                  const RefreshWalletButton(),
                 ],
               ),
               SizedBox(height: 1.8.h),
@@ -155,197 +90,6 @@ class EvmScreen extends HookConsumerWidget {
   }
 }
 
-double get _accentStripWidth => 0.8.w;
-double get _cellHorizontalPadding => 1.8.w;
-double get _walletColumnWidth => 18.w;
-double get _columnGap => 1.8.w;
-double get _tableMinWidth => 72.w;
-
-class _WalletTable extends StatelessWidget {
-  const _WalletTable({required this.wallets});
-
-  final List<WalletEntry> wallets;
-
-  @override
-  Widget build(BuildContext context) {
-    final theme = Theme.of(context);
-
-    return Container(
-      decoration: BoxDecoration(
-        borderRadius: BorderRadius.circular(24),
-        color: Palette.cream.withValues(alpha: 0.92),
-        border: Border.all(color: Palette.line),
-      ),
-      child: Padding(
-        padding: EdgeInsets.all(2.h),
-        child: LayoutBuilder(
-          builder: (context, constraints) {
-            final tableWidth = math.max(_tableMinWidth, constraints.maxWidth);
-
-            return Column(
-              crossAxisAlignment: CrossAxisAlignment.start,
-              children: [
-                Text(
-                  'Managed wallets',
-                  style: theme.textTheme.titleLarge?.copyWith(
-                    color: Palette.ink,
-                    fontWeight: FontWeight.w800,
-                  ),
-                ),
-                SizedBox(height: 0.6.h),
-                Text(
-                  'Every address here is generated and held by Arbiter.',
-                  style: theme.textTheme.bodyMedium?.copyWith(
-                    color: Palette.ink.withValues(alpha: 0.70),
-                    height: 1.4,
-                  ),
-                ),
-                SizedBox(height: 1.6.h),
-                SingleChildScrollView(
-                  scrollDirection: Axis.horizontal,
-                  child: SizedBox(
-                    width: tableWidth,
-                    child: Column(
-                      children: [
-                        const _WalletTableHeader(),
-                        SizedBox(height: 1.h),
-                        for (var i = 0; i < wallets.length; i++)
-                          Padding(
-                            padding: EdgeInsets.only(
-                              bottom: i == wallets.length - 1 ? 0 : 1.h,
-                            ),
-                            child: _WalletTableRow(
-                              wallet: wallets[i],
-                              index: i,
-                            ),
-                          ),
-                      ],
-                    ),
-                  ),
-                ),
-              ],
-            );
-          },
-        ),
-      ),
-    );
-  }
-}
-
-class _WalletTableHeader extends StatelessWidget {
-  const _WalletTableHeader();
-
-  @override
-  Widget build(BuildContext context) {
-    final style = Theme.of(context).textTheme.labelLarge?.copyWith(
-      color: Palette.ink.withValues(alpha: 0.72),
-      fontWeight: FontWeight.w800,
-      letterSpacing: 0.3,
-    );
-
-    return Container(
-      padding: EdgeInsets.symmetric(vertical: 1.4.h),
-      decoration: BoxDecoration(
-        borderRadius: BorderRadius.circular(16),
-        color: Palette.ink.withValues(alpha: 0.04),
-      ),
-      child: Row(
-        children: [
-          SizedBox(width: _accentStripWidth + _cellHorizontalPadding),
-          SizedBox(
-            width: _walletColumnWidth,
-            child: Text('Wallet', style: style),
-          ),
-          SizedBox(width: _columnGap),
-          Expanded(child: Text('Address', style: style)),
-          SizedBox(width: _cellHorizontalPadding),
-        ],
-      ),
-    );
-  }
-}
-
-class _WalletTableRow extends StatelessWidget {
-  const _WalletTableRow({required this.wallet, required this.index});
-
-  final WalletEntry wallet;
-  final int index;
-
-  @override
-  Widget build(BuildContext context) {
-    final accent = _accentColor(wallet.address);
-    final address = _hexAddress(wallet.address);
-    final rowHeight = 5.h;
-    final walletStyle = Theme.of(
-      context,
-    ).textTheme.bodyLarge?.copyWith(color: Palette.ink);
-    final addressStyle = Theme.of(
-      context,
-    ).textTheme.bodyMedium?.copyWith(color: Palette.ink);
-
-    return Container(
-      height: rowHeight,
-      decoration: BoxDecoration(
-        borderRadius: BorderRadius.circular(18),
-        color: accent.withValues(alpha: 0.10),
-        border: Border.all(color: accent.withValues(alpha: 0.28)),
-      ),
-      child: Row(
-        children: [
-          Container(
-            width: _accentStripWidth,
-            height: rowHeight,
-            decoration: BoxDecoration(
-              color: accent,
-              borderRadius: const BorderRadius.horizontal(
-                left: Radius.circular(18),
-              ),
-            ),
-          ),
-          Expanded(
-            child: Padding(
-              padding: EdgeInsets.symmetric(horizontal: _cellHorizontalPadding),
-              child: Row(
-                children: [
-                  SizedBox(
-                    width: _walletColumnWidth,
-                    child: Row(
-                      children: [
-                        Container(
-                          width: 1.2.h,
-                          height: 1.2.h,
-                          decoration: BoxDecoration(
-                            shape: BoxShape.circle,
-                            color: accent,
-                          ),
-                        ),
-                        SizedBox(width: 1.w),
-                        Text(
-                          'Wallet ${(index + 1).toString().padLeft(2, '0')}',
-                          style: walletStyle,
-                        ),
-                      ],
-                    ),
-                  ),
-                  SizedBox(width: _columnGap),
-                  Expanded(
-                    child: Text(
-                      address,
-                      maxLines: 1,
-                      overflow: TextOverflow.ellipsis,
-                      style: addressStyle,
-                    ),
-                  ),
-                ],
-              ),
-            ),
-          ),
-        ],
-      ),
-    );
-  }
-}
-
 class _StatePanel extends StatelessWidget {
   const _StatePanel({
     required this.icon,
@@ -417,19 +161,6 @@ class _StatePanel extends StatelessWidget {
   }
 }
 
-String _hexAddress(List<int> bytes) {
-  final hex = bytes
-      .map((byte) => byte.toRadixString(16).padLeft(2, '0'))
-      .join();
-  return '0x$hex';
-}
-
-Color _accentColor(List<int> bytes) {
-  final seed = bytes.fold<int>(0, (value, byte) => value + byte);
-  final hue = (seed * 17) % 360;
-  return HSLColor.fromAHSL(1, hue.toDouble(), 0.68, 0.54).toColor();
-}
-
 String _formatError(Object error) {
   final message = error.toString();
   if (message.startsWith('Exception: ')) {
diff --git a/useragent/lib/screens/dashboard/evm/wallets/header.dart b/useragent/lib/screens/dashboard/evm/wallets/header.dart
new file mode 100644
index 0000000..646d5ea
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/wallets/header.dart
@@ -0,0 +1,98 @@
+import 'package:arbiter/providers/evm/evm.dart';
+import 'package:arbiter/theme/palette.dart';
+import 'package:flutter/material.dart';
+import 'package:hooks_riverpod/experimental/mutation.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+import 'package:sizer/sizer.dart';
+
+
+class CreateWalletButton extends ConsumerWidget {
+  const CreateWalletButton({super.key});
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final createWallet = ref.watch(createEvmWallet);
+    final isCreating = createWallet is MutationPending;
+
+    Future<void> handleCreateWallet() async {
+      try {
+        await executeCreateEvmWallet(ref);
+        if (!context.mounted) return;
+        ScaffoldMessenger.of(context).showSnackBar(
+          const SnackBar(
+            content: Text('New wallet created successfully.'),
+            behavior: SnackBarBehavior.floating,
+          ),
+        );
+      } catch (e) {
+        if (!context.mounted) return;
+        ScaffoldMessenger.of(context).showSnackBar(
+          SnackBar(
+            content: Text('Failed to create wallet: ${_formatError(e)}'),
+            behavior: SnackBarBehavior.floating,
+          ),
+        );
+      }
+    }
+
+    return FilledButton.icon(
+      onPressed: isCreating ? null : () => handleCreateWallet(),
+      style: FilledButton.styleFrom(
+        backgroundColor: Palette.ink,
+        foregroundColor: Colors.white,
+        padding: EdgeInsets.symmetric(horizontal: 1.4.w, vertical: 1.2.h),
+        shape: RoundedRectangleBorder(borderRadius: BorderRadius.circular(14)),
+      ),
+      icon: isCreating
+          ? SizedBox(
+              width: 1.6.h,
+              height: 1.6.h,
+              child: CircularProgressIndicator(strokeWidth: 2.2),
+            )
+          : const Icon(Icons.add_circle_outline, size: 18),
+      label: Text(isCreating ? 'Creating...' : 'Create'),
+    );
+  }
+}
+
+class RefreshWalletButton extends ConsumerWidget {
+  const RefreshWalletButton({super.key});
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    Future<void> handleRefreshWallets() async {
+      try {
+        await ref.read(evmProvider.notifier).refreshWallets();
+      } catch (e) {
+        if (!context.mounted) return;
+        ScaffoldMessenger.of(context).showSnackBar(
+          SnackBar(
+            content: Text('Failed to refresh wallets: ${_formatError(e)}'),
+            behavior: SnackBarBehavior.floating,
+          ),
+        );
+      }
+    }
+
+    return OutlinedButton.icon(
+      onPressed: () => handleRefreshWallets(),
+      style: OutlinedButton.styleFrom(
+        foregroundColor: Palette.ink,
+        side: BorderSide(color: Palette.line),
+        padding: EdgeInsets.symmetric(horizontal: 1.4.w, vertical: 1.2.h),
+        shape: RoundedRectangleBorder(borderRadius: BorderRadius.circular(14)),
+      ),
+      icon: const Icon(Icons.refresh, size: 18),
+      label: const Text('Refresh'),
+    );
+  }
+}
+
+
+String _formatError(Object error) {
+  final message = error.toString();
+  if (message.startsWith('Exception: ')) {
+    return message.substring('Exception: '.length);
+  }
+  return message;
+}
diff --git a/useragent/lib/screens/dashboard/evm/wallets/table.dart b/useragent/lib/screens/dashboard/evm/wallets/table.dart
new file mode 100644
index 0000000..1093dfd
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/wallets/table.dart
@@ -0,0 +1,209 @@
+import 'dart:math' as math;
+import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/theme/palette.dart';
+import 'package:flutter/material.dart';
+import 'package:sizer/sizer.dart';
+
+double get _accentStripWidth => 0.8.w;
+double get _cellHorizontalPadding => 1.8.w;
+double get _walletColumnWidth => 18.w;
+double get _columnGap => 1.8.w;
+double get _tableMinWidth => 72.w;
+
+String _hexAddress(List<int> bytes) {
+  final hex = bytes
+      .map((byte) => byte.toRadixString(16).padLeft(2, '0'))
+      .join();
+  return '0x$hex';
+}
+
+Color _accentColor(List<int> bytes) {
+  final seed = bytes.fold<int>(0, (value, byte) => value + byte);
+  final hue = (seed * 17) % 360;
+  return HSLColor.fromAHSL(1, hue.toDouble(), 0.68, 0.54).toColor();
+}
+
+class WalletTable extends StatelessWidget {
+  const WalletTable({super.key, required this.wallets});
+
+  final List<WalletEntry> wallets;
+
+  @override
+  Widget build(BuildContext context) {
+    final theme = Theme.of(context);
+
+    return Container(
+      decoration: BoxDecoration(
+        borderRadius: BorderRadius.circular(24),
+        color: Palette.cream.withValues(alpha: 0.92),
+        border: Border.all(color: Palette.line),
+      ),
+      child: Padding(
+        padding: EdgeInsets.all(2.h),
+        child: LayoutBuilder(
+          builder: (context, constraints) {
+            final tableWidth = math.max(_tableMinWidth, constraints.maxWidth);
+
+            return Column(
+              crossAxisAlignment: CrossAxisAlignment.start,
+              children: [
+                Text(
+                  'Managed wallets',
+                  style: theme.textTheme.titleLarge?.copyWith(
+                    color: Palette.ink,
+                    fontWeight: FontWeight.w800,
+                  ),
+                ),
+                SizedBox(height: 0.6.h),
+                Text(
+                  'Every address here is generated and held by Arbiter.',
+                  style: theme.textTheme.bodyMedium?.copyWith(
+                    color: Palette.ink.withValues(alpha: 0.70),
+                    height: 1.4,
+                  ),
+                ),
+                SizedBox(height: 1.6.h),
+                SingleChildScrollView(
+                  scrollDirection: Axis.horizontal,
+                  child: SizedBox(
+                    width: tableWidth,
+                    child: Column(
+                      children: [
+                        const _WalletTableHeader(),
+                        SizedBox(height: 1.h),
+                        for (var i = 0; i < wallets.length; i++)
+                          Padding(
+                            padding: EdgeInsets.only(
+                              bottom: i == wallets.length - 1 ? 0 : 1.h,
+                            ),
+                            child: _WalletTableRow(
+                              wallet: wallets[i],
+                              index: i,
+                            ),
+                          ),
+                      ],
+                    ),
+                  ),
+                ),
+              ],
+            );
+          },
+        ),
+      ),
+    );
+  }
+}
+
+class _WalletTableHeader extends StatelessWidget {
+  const _WalletTableHeader();
+
+  @override
+  Widget build(BuildContext context) {
+    final style = Theme.of(context).textTheme.labelLarge?.copyWith(
+      color: Palette.ink.withValues(alpha: 0.72),
+      fontWeight: FontWeight.w800,
+      letterSpacing: 0.3,
+    );
+
+    return Container(
+      padding: EdgeInsets.symmetric(vertical: 1.4.h),
+      decoration: BoxDecoration(
+        borderRadius: BorderRadius.circular(16),
+        color: Palette.ink.withValues(alpha: 0.04),
+      ),
+      child: Row(
+        children: [
+          SizedBox(width: _accentStripWidth + _cellHorizontalPadding),
+          SizedBox(
+            width: _walletColumnWidth,
+            child: Text('Wallet', style: style),
+          ),
+          SizedBox(width: _columnGap),
+          Expanded(child: Text('Address', style: style)),
+          SizedBox(width: _cellHorizontalPadding),
+        ],
+      ),
+    );
+  }
+}
+
+class _WalletTableRow extends StatelessWidget {
+  const _WalletTableRow({required this.wallet, required this.index});
+
+  final WalletEntry wallet;
+  final int index;
+
+  @override
+  Widget build(BuildContext context) {
+    final accent = _accentColor(wallet.address);
+    final address = _hexAddress(wallet.address);
+    final rowHeight = 5.h;
+    final walletStyle = Theme.of(
+      context,
+    ).textTheme.bodyLarge?.copyWith(color: Palette.ink);
+    final addressStyle = Theme.of(
+      context,
+    ).textTheme.bodyMedium?.copyWith(color: Palette.ink);
+
+    return Container(
+      height: rowHeight,
+      decoration: BoxDecoration(
+        borderRadius: BorderRadius.circular(18),
+        color: accent.withValues(alpha: 0.10),
+        border: Border.all(color: accent.withValues(alpha: 0.28)),
+      ),
+      child: Row(
+        children: [
+          Container(
+            width: _accentStripWidth,
+            height: rowHeight,
+            decoration: BoxDecoration(
+              color: accent,
+              borderRadius: const BorderRadius.horizontal(
+                left: Radius.circular(18),
+              ),
+            ),
+          ),
+          Expanded(
+            child: Padding(
+              padding: EdgeInsets.symmetric(horizontal: _cellHorizontalPadding),
+              child: Row(
+                children: [
+                  SizedBox(
+                    width: _walletColumnWidth,
+                    child: Row(
+                      children: [
+                        Container(
+                          width: 1.2.h,
+                          height: 1.2.h,
+                          decoration: BoxDecoration(
+                            shape: BoxShape.circle,
+                            color: accent,
+                          ),
+                        ),
+                        SizedBox(width: 1.w),
+                        Text(
+                          'Wallet ${(index + 1).toString().padLeft(2, '0')}',
+                          style: walletStyle,
+                        ),
+                      ],
+                    ),
+                  ),
+                  SizedBox(width: _columnGap),
+                  Expanded(
+                    child: Text(
+                      address,
+                      maxLines: 1,
+                      overflow: TextOverflow.ellipsis,
+                      style: addressStyle,
+                    ),
+                  ),
+                ],
+              ),
+            ),
+          ),
+        ],
+      ),
+    );
+  }
+}

From 27428f709a4764fa9bb462fe9444233bae4d33fb Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Fri, 27 Mar 2026 15:32:40 +0100
Subject: [PATCH 05/29] refactor(server::evm): removed repetetive errors and
 error variants

---
 .../arbiter-server/src/actors/evm/mod.rs      | 63 +++++++++---------
 server/crates/arbiter-server/src/evm/mod.rs   | 64 ++++++-------------
 2 files changed, 47 insertions(+), 80 deletions(-)

diff --git a/server/crates/arbiter-server/src/actors/evm/mod.rs b/server/crates/arbiter-server/src/actors/evm/mod.rs
index c44da1a..e3a954b 100644
--- a/server/crates/arbiter-server/src/actors/evm/mod.rs
+++ b/server/crates/arbiter-server/src/actors/evm/mod.rs
@@ -9,12 +9,12 @@ use rand::{SeedableRng, rng, rngs::StdRng};
 use crate::{
     actors::keyholder::{CreateNew, Decrypt, KeyHolder},
     db::{
-        self, DatabasePool,
+        self, DatabaseError, DatabasePool,
         models::{self, SqliteTimestamp},
         schema,
     },
     evm::{
-        self, ListGrantsError, RunKind,
+        self, RunKind,
         policies::{
             FullGrant, Grant, SharedGrantSettings, SpecificGrant, SpecificMeaning,
             ether_transfer::EtherTransfer, token_transfers::TokenTransfer,
@@ -33,11 +33,7 @@ pub enum SignTransactionError {
 
     #[error("Database error: {0}")]
     #[diagnostic(code(arbiter::evm::sign::database))]
-    Database(#[from] diesel::result::Error),
-
-    #[error("Database pool error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::pool))]
-    Pool(#[from] db::PoolError),
+    Database(#[from] DatabaseError),
 
     #[error("Keyholder error: {0}")]
     #[diagnostic(code(arbiter::evm::sign::keyholder))]
@@ -68,15 +64,7 @@ pub enum Error {
 
     #[error("Database error: {0}")]
     #[diagnostic(code(arbiter::evm::database))]
-    Database(#[from] diesel::result::Error),
-
-    #[error("Database pool error: {0}")]
-    #[diagnostic(code(arbiter::evm::database_pool))]
-    DatabasePool(#[from] db::PoolError),
-
-    #[error("Grant creation error: {0}")]
-    #[diagnostic(code(arbiter::evm::creation))]
-    Creation(#[from] evm::CreationError),
+    Database(#[from] DatabaseError),
 }
 
 #[derive(Actor)]
@@ -116,7 +104,7 @@ impl EvmActor {
             .await
             .map_err(|_| Error::KeyholderSend)?;
 
-        let mut conn = self.db.get().await?;
+        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
         let wallet_id = insert_into(schema::evm_wallet::table)
             .values(&models::NewEvmWallet {
                 address: address.as_slice().to_vec(),
@@ -124,18 +112,20 @@ impl EvmActor {
             })
             .returning(schema::evm_wallet::id)
             .get_result(&mut conn)
-            .await?;
+            .await
+            .map_err(DatabaseError::from)?;
 
         Ok((wallet_id, address))
     }
 
     #[message]
     pub async fn list_wallets(&self) -> Result<Vec<(i32, Address)>, Error> {
-        let mut conn = self.db.get().await?;
+        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
         let rows: Vec<models::EvmWallet> = schema::evm_wallet::table
             .select(models::EvmWallet::as_select())
             .load(&mut conn)
-            .await?;
+            .await
+            .map_err(DatabaseError::from)?;
 
         Ok(rows
             .into_iter()
@@ -151,7 +141,7 @@ impl EvmActor {
         &mut self,
         basic: SharedGrantSettings,
         grant: SpecificGrant,
-    ) -> Result<i32, evm::CreationError> {
+    ) -> Result<i32, DatabaseError> {
         match grant {
             SpecificGrant::EtherTransfer(settings) => {
                 self.engine
@@ -174,22 +164,23 @@ impl EvmActor {
 
     #[message]
     pub async fn useragent_delete_grant(&mut self, grant_id: i32) -> Result<(), Error> {
-        let mut conn = self.db.get().await?;
+        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
         diesel::update(schema::evm_basic_grant::table)
             .filter(schema::evm_basic_grant::id.eq(grant_id))
             .set(schema::evm_basic_grant::revoked_at.eq(SqliteTimestamp::now()))
             .execute(&mut conn)
-            .await?;
+            .await
+            .map_err(DatabaseError::from)?;
         Ok(())
     }
 
     #[message]
     pub async fn useragent_list_grants(&mut self) -> Result<Vec<Grant<SpecificGrant>>, Error> {
-        match self.engine.list_all_grants().await {
-            Ok(grants) => Ok(grants),
-            Err(ListGrantsError::Database(db)) => Err(Error::Database(db)),
-            Err(ListGrantsError::Pool(pool)) => Err(Error::DatabasePool(pool)),
-        }
+        Ok(self
+            .engine
+            .list_all_grants()
+            .await
+            .map_err(DatabaseError::from)?)
     }
 
     #[message]
@@ -199,13 +190,14 @@ impl EvmActor {
         wallet_address: Address,
         transaction: TxEip1559,
     ) -> Result<SpecificMeaning, SignTransactionError> {
-        let mut conn = self.db.get().await?;
+        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
         let wallet = schema::evm_wallet::table
             .select(models::EvmWallet::as_select())
             .filter(schema::evm_wallet::address.eq(wallet_address.as_slice()))
             .first(&mut conn)
             .await
-            .optional()?
+            .optional()
+            .map_err(DatabaseError::from)?
             .ok_or(SignTransactionError::WalletNotFound)?;
         let wallet_access = schema::evm_wallet_access::table
             .select(models::EvmWalletAccess::as_select())
@@ -213,7 +205,8 @@ impl EvmActor {
             .filter(schema::evm_wallet_access::client_id.eq(client_id))
             .first(&mut conn)
             .await
-            .optional()?
+            .optional()
+            .map_err(DatabaseError::from)?
             .ok_or(SignTransactionError::WalletNotFound)?;
         drop(conn);
 
@@ -232,13 +225,14 @@ impl EvmActor {
         wallet_address: Address,
         mut transaction: TxEip1559,
     ) -> Result<Signature, SignTransactionError> {
-        let mut conn = self.db.get().await?;
+        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
         let wallet = schema::evm_wallet::table
             .select(models::EvmWallet::as_select())
             .filter(schema::evm_wallet::address.eq(wallet_address.as_slice()))
             .first(&mut conn)
             .await
-            .optional()?
+            .optional()
+            .map_err(DatabaseError::from)?
             .ok_or(SignTransactionError::WalletNotFound)?;
         let wallet_access = schema::evm_wallet_access::table
             .select(models::EvmWalletAccess::as_select())
@@ -246,7 +240,8 @@ impl EvmActor {
             .filter(schema::evm_wallet_access::client_id.eq(client_id))
             .first(&mut conn)
             .await
-            .optional()?
+            .optional()
+            .map_err(DatabaseError::from)?
             .ok_or(SignTransactionError::WalletNotFound)?;
         drop(conn);
 
diff --git a/server/crates/arbiter-server/src/evm/mod.rs b/server/crates/arbiter-server/src/evm/mod.rs
index ef9bf77..54bcb1e 100644
--- a/server/crates/arbiter-server/src/evm/mod.rs
+++ b/server/crates/arbiter-server/src/evm/mod.rs
@@ -8,10 +8,11 @@ use alloy::{
 use chrono::Utc;
 use diesel::{ExpressionMethods as _, QueryDsl as _, QueryResult, insert_into, sqlite::Sqlite};
 use diesel_async::{AsyncConnection, RunQueryDsl};
+use tracing_subscriber::registry::Data;
 
 use crate::{
     db::{
-        self,
+        self, DatabaseError,
         models::{
             EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
         },
@@ -30,12 +31,8 @@ mod utils;
 /// Errors that can only occur once the transaction meaning is known (during policy evaluation)
 #[derive(Debug, thiserror::Error, miette::Diagnostic)]
 pub enum PolicyError {
-    #[error("Database connection pool error")]
-    #[diagnostic(code(arbiter_server::evm::policy_error::pool))]
-    Pool(#[from] db::PoolError),
-    #[error("Database returned error")]
-    #[diagnostic(code(arbiter_server::evm::policy_error::database))]
-    Database(#[from] diesel::result::Error),
+    #[error("Database error")]
+    Error(#[from] crate::db::DatabaseError),
     #[error("Transaction violates policy: {0:?}")]
     #[diagnostic(code(arbiter_server::evm::policy_error::violation))]
     Violations(Vec<EvalViolation>),
@@ -57,16 +54,6 @@ pub enum VetError {
     Evaluated(SpecificMeaning, #[source] PolicyError),
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
-pub enum SignError {
-    #[error("Database connection pool error")]
-    #[diagnostic(code(arbiter_server::evm::database_error))]
-    Pool(#[from] db::PoolError),
-    #[error("Database returned error")]
-    #[diagnostic(code(arbiter_server::evm::database_error))]
-    Database(#[from] diesel::result::Error),
-}
-
 #[derive(Debug, thiserror::Error, miette::Diagnostic)]
 pub enum AnalyzeError {
     #[error("Engine doesn't support granting permissions for contract creation")]
@@ -78,28 +65,6 @@ pub enum AnalyzeError {
     UnsupportedTransactionType,
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
-pub enum CreationError {
-    #[error("Database connection pool error")]
-    #[diagnostic(code(arbiter_server::evm::creation_error::database_error))]
-    Pool(#[from] db::PoolError),
-
-    #[error("Database returned error")]
-    #[diagnostic(code(arbiter_server::evm::creation_error::database_error))]
-    Database(#[from] diesel::result::Error),
-}
-
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
-pub enum ListGrantsError {
-    #[error("Database connection pool error")]
-    #[diagnostic(code(arbiter_server::evm::list_grants_error::pool))]
-    Pool(#[from] db::PoolError),
-
-    #[error("Database returned error")]
-    #[diagnostic(code(arbiter_server::evm::list_grants_error::database))]
-    Database(#[from] diesel::result::Error),
-}
-
 /// Controls whether a transaction should be executed or only validated
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum RunKind {
@@ -167,16 +132,22 @@ impl Engine {
         meaning: &P::Meaning,
         run_kind: RunKind,
     ) -> Result<(), PolicyError> {
-        let mut conn = self.db.get().await?;
+        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
 
         let grant = P::try_find_grant(&context, &mut conn)
-            .await?
+            .await
+            .map_err(DatabaseError::from)?
             .ok_or(PolicyError::NoMatchingGrant)?;
 
         let mut violations =
             check_shared_constraints(&context, &grant.shared, grant.shared_grant_id, &mut conn)
-                .await?;
-        violations.extend(P::evaluate(&context, meaning, &grant, &mut conn).await?);
+                .await
+                .map_err(DatabaseError::from)?;
+        violations.extend(
+            P::evaluate(&context, meaning, &grant, &mut conn)
+                .await
+                .map_err(DatabaseError::from)?,
+        );
 
         if !violations.is_empty() {
             return Err(PolicyError::Violations(violations));
@@ -200,7 +171,8 @@ impl Engine {
                     QueryResult::Ok(())
                 })
             })
-            .await?;
+            .await
+            .map_err(DatabaseError::from)?;
         }
 
         Ok(())
@@ -215,7 +187,7 @@ impl Engine {
     pub async fn create_grant<P: Policy>(
         &self,
         full_grant: FullGrant<P::Settings>,
-    ) -> Result<i32, CreationError> {
+    ) -> Result<i32, DatabaseError> {
         let mut conn = self.db.get().await?;
 
         let id = conn
@@ -261,7 +233,7 @@ impl Engine {
         Ok(id)
     }
 
-    pub async fn list_all_grants(&self) -> Result<Vec<Grant<SpecificGrant>>, ListGrantsError> {
+    pub async fn list_all_grants(&self) -> Result<Vec<Grant<SpecificGrant>>, DatabaseError> {
         let mut conn = self.db.get().await?;
 
         let mut grants: Vec<Grant<SpecificGrant>> = Vec::new();

From ca35b9fed72c084e606b07373897474aaf1e7fa4 Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sat, 28 Mar 2026 12:49:47 +0100
Subject: [PATCH 06/29] refactor(proto): restructure wallet access messages for
 improved data organization

---
 protobufs/user_agent.proto                    |  13 +-
 .../src/actors/user_agent/mod.rs              |   5 -
 .../actors/user_agent/session/connection.rs   |  39 ++----
 server/crates/arbiter-server/src/db/models.rs |   6 +
 .../arbiter-server/src/grpc/user_agent.rs     |  14 ++-
 .../src/grpc/user_agent/inbound.rs            |  64 ++++++----
 .../src/grpc/user_agent/outbound.rs           |  15 ++-
 .../connection/evm/wallet_access.dart         |   8 +-
 useragent/lib/proto/user_agent.pb.dart        | 113 ++++++++++++++----
 useragent/lib/proto/user_agent.pbjson.dart    |  48 +++++---
 10 files changed, 212 insertions(+), 113 deletions(-)

diff --git a/protobufs/user_agent.proto b/protobufs/user_agent.proto
index edcbbbf..79e0f2c 100644
--- a/protobufs/user_agent.proto
+++ b/protobufs/user_agent.proto
@@ -132,17 +132,22 @@ message SdkClientConnectionCancel {
   bytes pubkey = 1;
 }
 
+message WalletAccess {
+  int32 wallet_id = 1;
+  int32 sdk_client_id = 2;
+}
+
 message SdkClientWalletAccess {
-  int32 client_id = 1;
-  int32 wallet_id = 2;
+  int32 id = 1;
+  WalletAccess access = 2;
 }
 
 message SdkClientGrantWalletAccess {
-  repeated SdkClientWalletAccess accesses = 1;
+  repeated WalletAccess accesses = 1;
 }
 
 message SdkClientRevokeWalletAccess {
-  repeated SdkClientWalletAccess accesses = 1;
+  repeated int32 accesses = 1;
 }
 
 message ListWalletAccessResponse {
diff --git a/server/crates/arbiter-server/src/actors/user_agent/mod.rs b/server/crates/arbiter-server/src/actors/user_agent/mod.rs
index 33ea98d..3a45cc5 100644
--- a/server/crates/arbiter-server/src/actors/user_agent/mod.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/mod.rs
@@ -3,11 +3,6 @@ use crate::{
     db::{self, models::KeyType},
 };
 
-pub struct EvmAccessEntry {
-    pub wallet_id: i32,
-    pub sdk_client_id: i32,
-}
-
 /// Abstraction over Ed25519 / ECDSA-secp256k1 / RSA public keys used during the auth handshake.
 #[derive(Clone, Debug)]
 pub enum AuthPublicKey {
diff --git a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
index ac63c87..30b10ae 100644
--- a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
@@ -13,9 +13,10 @@ use x25519_dalek::{EphemeralSecret, PublicKey};
 
 use crate::actors::flow_coordinator::client_connect_approval::ClientApprovalAnswer;
 use crate::actors::keyholder::KeyHolderState;
-use crate::actors::user_agent::EvmAccessEntry;
 use crate::actors::user_agent::session::Error;
-use crate::db::models::{ProgramClient, ProgramClientMetadata};
+use crate::db::models::{
+    CoreEvmWalletAccess, EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
+};
 use crate::db::schema::evm_wallet_access;
 use crate::evm::policies::{Grant, SpecificGrant};
 use crate::safe_cell::SafeCell;
@@ -304,8 +305,6 @@ impl UserAgentSession {
     }
 }
 
-
-
 #[messages]
 impl UserAgentSession {
     #[message]
@@ -360,20 +359,16 @@ impl UserAgentSession {
     #[message]
     pub(crate) async fn handle_grant_evm_wallet_access(
         &mut self,
-        entries: Vec<EvmAccessEntry>,
+        entries: Vec<NewEvmWalletAccess>,
     ) -> Result<(), Error> {
         let mut conn = self.props.db.get().await?;
         conn.transaction(|conn| {
             Box::pin(async move {
-                use crate::db::models::NewEvmWalletAccess;
                 use crate::db::schema::evm_wallet_access;
 
                 for entry in entries {
                     diesel::insert_into(evm_wallet_access::table)
-                        .values(&NewEvmWalletAccess {
-                            wallet_id: entry.wallet_id,
-                            client_id: entry.sdk_client_id,
-                        })
+                        .values(&entry)
                         .on_conflict_do_nothing()
                         .execute(conn)
                         .await?;
@@ -389,7 +384,7 @@ impl UserAgentSession {
     #[message]
     pub(crate) async fn handle_revoke_evm_wallet_access(
         &mut self,
-        entries: Vec<EvmAccessEntry>,
+        entries: Vec<i32>,
     ) -> Result<(), Error> {
         let mut conn = self.props.db.get().await?;
         conn.transaction(|conn| {
@@ -397,11 +392,7 @@ impl UserAgentSession {
                 use crate::db::schema::evm_wallet_access;
                 for entry in entries {
                     diesel::delete(evm_wallet_access::table)
-                        .filter(
-                            evm_wallet_access::wallet_id
-                                .eq(entry.wallet_id)
-                                .and(evm_wallet_access::client_id.eq(entry.sdk_client_id)),
-                        )
+                        .filter(evm_wallet_access::wallet_id.eq(entry))
                         .execute(conn)
                         .await?;
                 }
@@ -414,19 +405,15 @@ impl UserAgentSession {
     }
 
     #[message]
-    pub(crate) async fn handle_list_wallet_access(&mut self) -> Result<Vec<EvmAccessEntry>, Error> {
+    pub(crate) async fn handle_list_wallet_access(
+        &mut self,
+    ) -> Result<Vec<EvmWalletAccess>, Error> {
         let mut conn = self.props.db.get().await?;
         use crate::db::schema::evm_wallet_access;
         let access_entries = evm_wallet_access::table
-            .select((evm_wallet_access::wallet_id, evm_wallet_access::client_id))
-            .load::<(i32, i32)>(&mut conn)
-            .await?
-            .into_iter()
-            .map(|(wallet_id, sdk_client_id)| EvmAccessEntry {
-                wallet_id,
-                sdk_client_id,
-            })
-            .collect();
+            .select(EvmWalletAccess::as_select())
+            .load::<_>(&mut conn)
+            .await?;
         Ok(access_entries)
     }
 }
diff --git a/server/crates/arbiter-server/src/db/models.rs b/server/crates/arbiter-server/src/db/models.rs
index 2925039..48d2c22 100644
--- a/server/crates/arbiter-server/src/db/models.rs
+++ b/server/crates/arbiter-server/src/db/models.rs
@@ -193,6 +193,12 @@ pub struct EvmWallet {
     omit(id, created_at),
     attributes_with = "deriveless"
 )]
+#[view(
+    CoreEvmWalletAccess,
+    derive(Insertable),
+    omit(created_at),
+    attributes_with = "deriveless"
+)]
 pub struct EvmWalletAccess {
     pub id: i32,
     pub wallet_id: i32,
diff --git a/server/crates/arbiter-server/src/grpc/user_agent.rs b/server/crates/arbiter-server/src/grpc/user_agent.rs
index 7ad74c1..832c468 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent.rs
@@ -45,10 +45,15 @@ use crate::{
         user_agent::{
             OutOfBand, UserAgentConnection, UserAgentSession,
             session::connection::{
-                BootstrapError, HandleBootstrapEncryptedKey, HandleEvmWalletCreate, HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete, HandleGrantEvmWalletAccess, HandleGrantList, HandleListWalletAccess, HandleNewClientApprove, HandleQueryVaultState, HandleRevokeEvmWalletAccess, HandleSdkClientList, HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError
+                BootstrapError, HandleBootstrapEncryptedKey, HandleEvmWalletCreate,
+                HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete,
+                HandleGrantEvmWalletAccess, HandleGrantList, HandleListWalletAccess,
+                HandleNewClientApprove, HandleQueryVaultState, HandleRevokeEvmWalletAccess,
+                HandleSdkClientList, HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
             },
         },
     },
+    db::models::{CoreEvmWalletAccess, NewEvmWalletAccess},
     grpc::{Convert, TryConvert, request_tracker::RequestTracker},
 };
 mod auth;
@@ -383,7 +388,8 @@ async fn dispatch_inner(
         }
 
         UserAgentRequestPayload::GrantWalletAccess(SdkClientGrantWalletAccess { accesses }) => {
-            let entries = accesses.try_convert()?;
+            let entries: Vec<NewEvmWalletAccess> =
+                accesses.into_iter().map(|a| a.convert()).collect();
 
             match actor.ask(HandleGrantEvmWalletAccess { entries }).await {
                 Ok(()) => {
@@ -398,9 +404,7 @@ async fn dispatch_inner(
         }
 
         UserAgentRequestPayload::RevokeWalletAccess(SdkClientRevokeWalletAccess { accesses }) => {
-            let entries = accesses.try_convert()?;
-
-            match actor.ask(HandleRevokeEvmWalletAccess { entries }).await {
+            match actor.ask(HandleRevokeEvmWalletAccess { entries: accesses }).await {
                 Ok(()) => {
                     info!("Successfully revoked wallet access");
                     return Ok(None);
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/inbound.rs b/server/crates/arbiter-server/src/grpc/user_agent/inbound.rs
index 6c6572f..769b7d8 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/inbound.rs
@@ -1,23 +1,21 @@
+use alloy::primitives::{Address, U256};
 use arbiter_proto::proto::evm::{
-    EtherTransferSettings as ProtoEtherTransferSettings,
-    SharedSettings as ProtoSharedSettings,
-    SpecificGrant as ProtoSpecificGrant,
-    TokenTransferSettings as ProtoTokenTransferSettings,
-    TransactionRateLimit as ProtoTransactionRateLimit,
-    VolumeRateLimit as ProtoVolumeRateLimit,
+    EtherTransferSettings as ProtoEtherTransferSettings, SharedSettings as ProtoSharedSettings,
+    SpecificGrant as ProtoSpecificGrant, TokenTransferSettings as ProtoTokenTransferSettings,
+    TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
     specific_grant::Grant as ProtoSpecificGrantType,
 };
-use arbiter_proto::proto::user_agent::SdkClientWalletAccess;
-use alloy::primitives::{Address, U256};
+use arbiter_proto::proto::user_agent::{SdkClientWalletAccess, WalletAccess};
 use chrono::{DateTime, TimeZone, Utc};
 use prost_types::Timestamp as ProtoTimestamp;
 use tonic::Status;
 
-use crate::actors::user_agent::EvmAccessEntry;
+use crate::db::models::{CoreEvmWalletAccess, NewEvmWallet, NewEvmWalletAccess};
+use crate::grpc::Convert;
 use crate::{
     evm::policies::{
-        SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit,
-        ether_transfer, token_transfers,
+        SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit, ether_transfer,
+        token_transfers,
     },
     grpc::TryConvert,
 };
@@ -79,8 +77,14 @@ impl TryConvert for ProtoSharedSettings {
         Ok(SharedGrantSettings {
             wallet_access_id: self.wallet_access_id,
             chain: self.chain_id,
-            valid_from: self.valid_from.map(ProtoTimestamp::try_convert).transpose()?,
-            valid_until: self.valid_until.map(ProtoTimestamp::try_convert).transpose()?,
+            valid_from: self
+                .valid_from
+                .map(ProtoTimestamp::try_convert)
+                .transpose()?,
+            valid_until: self
+                .valid_until
+                .map(ProtoTimestamp::try_convert)
+                .transpose()?,
             max_gas_fee_per_gas: self
                 .max_gas_fee_per_gas
                 .as_deref()
@@ -136,17 +140,29 @@ impl TryConvert for ProtoSpecificGrant {
     }
 }
 
-impl TryConvert for Vec<SdkClientWalletAccess> {
-    type Output = Vec<EvmAccessEntry>;
-    type Error = Status;
+impl Convert for WalletAccess {
+    type Output = NewEvmWalletAccess;
 
-    fn try_convert(self) -> Result<Vec<EvmAccessEntry>, Status> {
-        Ok(self
-            .into_iter()
-            .map(|SdkClientWalletAccess { client_id, wallet_id }| EvmAccessEntry {
-                wallet_id,
-                sdk_client_id: client_id,
-            })
-            .collect())
+    fn convert(self) -> Self::Output {
+        NewEvmWalletAccess {
+            wallet_id: self.wallet_id,
+            client_id: self.sdk_client_id,
+        }
+    }
+}
+
+impl TryConvert for SdkClientWalletAccess {
+    type Output = CoreEvmWalletAccess;
+    type Error = Status;
+
+    fn try_convert(self) -> Result<CoreEvmWalletAccess, Status> {
+        let Some(access) = self.access else {
+            return Err(Status::invalid_argument("Missing wallet access entry"));
+        };
+        Ok(CoreEvmWalletAccess {
+            wallet_id: access.wallet_id,
+            client_id: access.sdk_client_id,
+            id: self.id,
+        })
     }
 }
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs b/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
index af93635..7d490b7 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
@@ -5,13 +5,13 @@ use arbiter_proto::proto::{
         TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
         specific_grant::Grant as ProtoSpecificGrantType,
     },
-    user_agent::SdkClientWalletAccess as ProtoSdkClientWalletAccess,
+    user_agent::{SdkClientWalletAccess as ProtoSdkClientWalletAccess, WalletAccess},
 };
 use chrono::{DateTime, Utc};
 use prost_types::Timestamp as ProtoTimestamp;
 
 use crate::{
-    actors::user_agent::EvmAccessEntry,
+    db::models::EvmWalletAccess,
     evm::policies::{SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit},
     grpc::Convert,
 };
@@ -96,13 +96,16 @@ impl Convert for SpecificGrant {
     }
 }
 
-impl Convert for EvmAccessEntry {
+impl Convert for EvmWalletAccess {
     type Output = ProtoSdkClientWalletAccess;
 
     fn convert(self) -> Self::Output {
-        ProtoSdkClientWalletAccess {
-            client_id: self.sdk_client_id,
-            wallet_id: self.wallet_id,
+        Self::Output {
+            id: self.id,
+            access: Some(WalletAccess {
+                wallet_id: self.wallet_id,
+                sdk_client_id: self.client_id,
+            }),
         }
     }
 }
diff --git a/useragent/lib/features/connection/evm/wallet_access.dart b/useragent/lib/features/connection/evm/wallet_access.dart
index 1876fbd..66dbb56 100644
--- a/useragent/lib/features/connection/evm/wallet_access.dart
+++ b/useragent/lib/features/connection/evm/wallet_access.dart
@@ -15,8 +15,8 @@ Future<Set<int>> readClientWalletAccess(
     );
   }
   return {
-    for (final access in response.listWalletAccessResponse.accesses)
-      if (access.clientId == clientId) access.walletId,
+    for (final entry in response.listWalletAccessResponse.accesses)
+      if (entry.access != null && entry.access.sdkClientId == clientId) entry.access.walletId,
   };
 }
 
@@ -36,7 +36,7 @@ Future<void> writeClientWalletAccess(
         grantWalletAccess: SdkClientGrantWalletAccess(
           accesses: [
             for (final walletId in toGrant)
-              SdkClientWalletAccess(clientId: clientId, walletId: walletId),
+              WalletAccess(sdkClientId: clientId, walletId: walletId),
           ],
         ),
       ),
@@ -49,7 +49,7 @@ Future<void> writeClientWalletAccess(
         revokeWalletAccess: SdkClientRevokeWalletAccess(
           accesses: [
             for (final walletId in toRevoke)
-              SdkClientWalletAccess(clientId: clientId, walletId: walletId),
+              walletId
           ],
         ),
       ),
diff --git a/useragent/lib/proto/user_agent.pb.dart b/useragent/lib/proto/user_agent.pb.dart
index 51195bb..f327b40 100644
--- a/useragent/lib/proto/user_agent.pb.dart
+++ b/useragent/lib/proto/user_agent.pb.dart
@@ -1072,14 +1072,81 @@ class SdkClientConnectionCancel extends $pb.GeneratedMessage {
   void clearPubkey() => $_clearField(1);
 }
 
-class SdkClientWalletAccess extends $pb.GeneratedMessage {
-  factory SdkClientWalletAccess({
-    $core.int? clientId,
+class WalletAccess extends $pb.GeneratedMessage {
+  factory WalletAccess({
     $core.int? walletId,
+    $core.int? sdkClientId,
   }) {
     final result = create();
-    if (clientId != null) result.clientId = clientId;
     if (walletId != null) result.walletId = walletId;
+    if (sdkClientId != null) result.sdkClientId = sdkClientId;
+    return result;
+  }
+
+  WalletAccess._();
+
+  factory WalletAccess.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory WalletAccess.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'WalletAccess',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
+      createEmptyInstance: create)
+    ..aI(1, _omitFieldNames ? '' : 'walletId')
+    ..aI(2, _omitFieldNames ? '' : 'sdkClientId')
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  WalletAccess clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  WalletAccess copyWith(void Function(WalletAccess) updates) =>
+      super.copyWith((message) => updates(message as WalletAccess))
+          as WalletAccess;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static WalletAccess create() => WalletAccess._();
+  @$core.override
+  WalletAccess createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static WalletAccess getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<WalletAccess>(create);
+  static WalletAccess? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.int get walletId => $_getIZ(0);
+  @$pb.TagNumber(1)
+  set walletId($core.int value) => $_setSignedInt32(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasWalletId() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearWalletId() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.int get sdkClientId => $_getIZ(1);
+  @$pb.TagNumber(2)
+  set sdkClientId($core.int value) => $_setSignedInt32(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasSdkClientId() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearSdkClientId() => $_clearField(2);
+}
+
+class SdkClientWalletAccess extends $pb.GeneratedMessage {
+  factory SdkClientWalletAccess({
+    $core.int? id,
+    WalletAccess? access,
+  }) {
+    final result = create();
+    if (id != null) result.id = id;
+    if (access != null) result.access = access;
     return result;
   }
 
@@ -1097,8 +1164,9 @@ class SdkClientWalletAccess extends $pb.GeneratedMessage {
       package:
           const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
       createEmptyInstance: create)
-    ..aI(1, _omitFieldNames ? '' : 'clientId')
-    ..aI(2, _omitFieldNames ? '' : 'walletId')
+    ..aI(1, _omitFieldNames ? '' : 'id')
+    ..aOM<WalletAccess>(2, _omitFieldNames ? '' : 'access',
+        subBuilder: WalletAccess.create)
     ..hasRequiredFields = false;
 
   @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
@@ -1122,27 +1190,29 @@ class SdkClientWalletAccess extends $pb.GeneratedMessage {
   static SdkClientWalletAccess? _defaultInstance;
 
   @$pb.TagNumber(1)
-  $core.int get clientId => $_getIZ(0);
+  $core.int get id => $_getIZ(0);
   @$pb.TagNumber(1)
-  set clientId($core.int value) => $_setSignedInt32(0, value);
+  set id($core.int value) => $_setSignedInt32(0, value);
   @$pb.TagNumber(1)
-  $core.bool hasClientId() => $_has(0);
+  $core.bool hasId() => $_has(0);
   @$pb.TagNumber(1)
-  void clearClientId() => $_clearField(1);
+  void clearId() => $_clearField(1);
 
   @$pb.TagNumber(2)
-  $core.int get walletId => $_getIZ(1);
+  WalletAccess get access => $_getN(1);
   @$pb.TagNumber(2)
-  set walletId($core.int value) => $_setSignedInt32(1, value);
+  set access(WalletAccess value) => $_setField(2, value);
   @$pb.TagNumber(2)
-  $core.bool hasWalletId() => $_has(1);
+  $core.bool hasAccess() => $_has(1);
   @$pb.TagNumber(2)
-  void clearWalletId() => $_clearField(2);
+  void clearAccess() => $_clearField(2);
+  @$pb.TagNumber(2)
+  WalletAccess ensureAccess() => $_ensure(1);
 }
 
 class SdkClientGrantWalletAccess extends $pb.GeneratedMessage {
   factory SdkClientGrantWalletAccess({
-    $core.Iterable<SdkClientWalletAccess>? accesses,
+    $core.Iterable<WalletAccess>? accesses,
   }) {
     final result = create();
     if (accesses != null) result.accesses.addAll(accesses);
@@ -1163,8 +1233,8 @@ class SdkClientGrantWalletAccess extends $pb.GeneratedMessage {
       package:
           const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
       createEmptyInstance: create)
-    ..pPM<SdkClientWalletAccess>(1, _omitFieldNames ? '' : 'accesses',
-        subBuilder: SdkClientWalletAccess.create)
+    ..pPM<WalletAccess>(1, _omitFieldNames ? '' : 'accesses',
+        subBuilder: WalletAccess.create)
     ..hasRequiredFields = false;
 
   @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
@@ -1189,12 +1259,12 @@ class SdkClientGrantWalletAccess extends $pb.GeneratedMessage {
   static SdkClientGrantWalletAccess? _defaultInstance;
 
   @$pb.TagNumber(1)
-  $pb.PbList<SdkClientWalletAccess> get accesses => $_getList(0);
+  $pb.PbList<WalletAccess> get accesses => $_getList(0);
 }
 
 class SdkClientRevokeWalletAccess extends $pb.GeneratedMessage {
   factory SdkClientRevokeWalletAccess({
-    $core.Iterable<SdkClientWalletAccess>? accesses,
+    $core.Iterable<$core.int>? accesses,
   }) {
     final result = create();
     if (accesses != null) result.accesses.addAll(accesses);
@@ -1215,8 +1285,7 @@ class SdkClientRevokeWalletAccess extends $pb.GeneratedMessage {
       package:
           const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
       createEmptyInstance: create)
-    ..pPM<SdkClientWalletAccess>(1, _omitFieldNames ? '' : 'accesses',
-        subBuilder: SdkClientWalletAccess.create)
+    ..p<$core.int>(1, _omitFieldNames ? '' : 'accesses', $pb.PbFieldType.K3)
     ..hasRequiredFields = false;
 
   @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
@@ -1242,7 +1311,7 @@ class SdkClientRevokeWalletAccess extends $pb.GeneratedMessage {
   static SdkClientRevokeWalletAccess? _defaultInstance;
 
   @$pb.TagNumber(1)
-  $pb.PbList<SdkClientWalletAccess> get accesses => $_getList(0);
+  $pb.PbList<$core.int> get accesses => $_getList(0);
 }
 
 class ListWalletAccessResponse extends $pb.GeneratedMessage {
diff --git a/useragent/lib/proto/user_agent.pbjson.dart b/useragent/lib/proto/user_agent.pbjson.dart
index cb98a21..c5bd9bb 100644
--- a/useragent/lib/proto/user_agent.pbjson.dart
+++ b/useragent/lib/proto/user_agent.pbjson.dart
@@ -418,19 +418,40 @@ final $typed_data.Uint8List sdkClientConnectionCancelDescriptor =
     $convert.base64Decode(
         'ChlTZGtDbGllbnRDb25uZWN0aW9uQ2FuY2VsEhYKBnB1YmtleRgBIAEoDFIGcHVia2V5');
 
+@$core.Deprecated('Use walletAccessDescriptor instead')
+const WalletAccess$json = {
+  '1': 'WalletAccess',
+  '2': [
+    {'1': 'wallet_id', '3': 1, '4': 1, '5': 5, '10': 'walletId'},
+    {'1': 'sdk_client_id', '3': 2, '4': 1, '5': 5, '10': 'sdkClientId'},
+  ],
+};
+
+/// Descriptor for `WalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List walletAccessDescriptor = $convert.base64Decode(
+    'CgxXYWxsZXRBY2Nlc3MSGwoJd2FsbGV0X2lkGAEgASgFUgh3YWxsZXRJZBIiCg1zZGtfY2xpZW'
+    '50X2lkGAIgASgFUgtzZGtDbGllbnRJZA==');
+
 @$core.Deprecated('Use sdkClientWalletAccessDescriptor instead')
 const SdkClientWalletAccess$json = {
   '1': 'SdkClientWalletAccess',
   '2': [
-    {'1': 'client_id', '3': 1, '4': 1, '5': 5, '10': 'clientId'},
-    {'1': 'wallet_id', '3': 2, '4': 1, '5': 5, '10': 'walletId'},
+    {'1': 'id', '3': 1, '4': 1, '5': 5, '10': 'id'},
+    {
+      '1': 'access',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.WalletAccess',
+      '10': 'access'
+    },
   ],
 };
 
 /// Descriptor for `SdkClientWalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List sdkClientWalletAccessDescriptor = $convert.base64Decode(
-    'ChVTZGtDbGllbnRXYWxsZXRBY2Nlc3MSGwoJY2xpZW50X2lkGAEgASgFUghjbGllbnRJZBIbCg'
-    'l3YWxsZXRfaWQYAiABKAVSCHdhbGxldElk');
+    'ChVTZGtDbGllbnRXYWxsZXRBY2Nlc3MSDgoCaWQYASABKAVSAmlkEjgKBmFjY2VzcxgCIAEoCz'
+    'IgLmFyYml0ZXIudXNlcl9hZ2VudC5XYWxsZXRBY2Nlc3NSBmFjY2Vzcw==');
 
 @$core.Deprecated('Use sdkClientGrantWalletAccessDescriptor instead')
 const SdkClientGrantWalletAccess$json = {
@@ -441,7 +462,7 @@ const SdkClientGrantWalletAccess$json = {
       '3': 1,
       '4': 3,
       '5': 11,
-      '6': '.arbiter.user_agent.SdkClientWalletAccess',
+      '6': '.arbiter.user_agent.WalletAccess',
       '10': 'accesses'
     },
   ],
@@ -450,29 +471,22 @@ const SdkClientGrantWalletAccess$json = {
 /// Descriptor for `SdkClientGrantWalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List sdkClientGrantWalletAccessDescriptor =
     $convert.base64Decode(
-        'ChpTZGtDbGllbnRHcmFudFdhbGxldEFjY2VzcxJFCghhY2Nlc3NlcxgBIAMoCzIpLmFyYml0ZX'
-        'IudXNlcl9hZ2VudC5TZGtDbGllbnRXYWxsZXRBY2Nlc3NSCGFjY2Vzc2Vz');
+        'ChpTZGtDbGllbnRHcmFudFdhbGxldEFjY2VzcxI8CghhY2Nlc3NlcxgBIAMoCzIgLmFyYml0ZX'
+        'IudXNlcl9hZ2VudC5XYWxsZXRBY2Nlc3NSCGFjY2Vzc2Vz');
 
 @$core.Deprecated('Use sdkClientRevokeWalletAccessDescriptor instead')
 const SdkClientRevokeWalletAccess$json = {
   '1': 'SdkClientRevokeWalletAccess',
   '2': [
-    {
-      '1': 'accesses',
-      '3': 1,
-      '4': 3,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientWalletAccess',
-      '10': 'accesses'
-    },
+    {'1': 'accesses', '3': 1, '4': 3, '5': 5, '10': 'accesses'},
   ],
 };
 
 /// Descriptor for `SdkClientRevokeWalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List sdkClientRevokeWalletAccessDescriptor =
     $convert.base64Decode(
-        'ChtTZGtDbGllbnRSZXZva2VXYWxsZXRBY2Nlc3MSRQoIYWNjZXNzZXMYASADKAsyKS5hcmJpdG'
-        'VyLnVzZXJfYWdlbnQuU2RrQ2xpZW50V2FsbGV0QWNjZXNzUghhY2Nlc3Nlcw==');
+        'ChtTZGtDbGllbnRSZXZva2VXYWxsZXRBY2Nlc3MSGgoIYWNjZXNzZXMYASADKAVSCGFjY2Vzc2'
+        'Vz');
 
 @$core.Deprecated('Use listWalletAccessResponseDescriptor instead')
 const ListWalletAccessResponse$json = {

From 54b2183be555212e17ca6a3c6b687fe17e5543dd Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sat, 28 Mar 2026 14:00:13 +0100
Subject: [PATCH 07/29] feat(evm): add EVM grants screen with create UI and
 list

---
 .../memory/feedback_widget_decomposition.md   |  11 +
 .gitignore                                    |   1 +
 .../lib/features/connection/evm/grants.dart   |  28 ++-
 .../connection/evm/wallet_access.dart         |  16 +-
 useragent/lib/providers/evm/evm_grants.dart   |  19 +-
 .../sdk_clients/wallet_access_list.dart       |  22 ++
 .../sdk_clients/wallet_access_list.g.dart     |  51 ++++
 useragent/lib/router.dart                     |   1 +
 useragent/lib/router.gr.dart                  | 133 +++++-----
 useragent/lib/screens/dashboard.dart          |  12 +-
 .../dashboard/evm/grants/grant_create.dart    | 168 +++++++++----
 .../screens/dashboard/evm/grants/grants.dart  | 231 ++++++++++++++++++
 .../evm/grants/widgets/grant_card.dart        | 225 +++++++++++++++++
 useragent/lib/theme/palette.dart              |   1 +
 14 files changed, 789 insertions(+), 130 deletions(-)
 create mode 100644 .claude/memory/feedback_widget_decomposition.md
 create mode 100644 useragent/lib/providers/sdk_clients/wallet_access_list.dart
 create mode 100644 useragent/lib/providers/sdk_clients/wallet_access_list.g.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/grants.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart

diff --git a/.claude/memory/feedback_widget_decomposition.md b/.claude/memory/feedback_widget_decomposition.md
new file mode 100644
index 0000000..a6ea5f0
--- /dev/null
+++ b/.claude/memory/feedback_widget_decomposition.md
@@ -0,0 +1,11 @@
+---
+name: Widget decomposition and provider subscriptions
+description: Prefer splitting screens into multiple focused files/widgets; each widget subscribes to its own relevant providers
+type: feedback
+---
+
+Split screens into multiple smaller widgets across multiple files. Each widget should subscribe only to the providers it needs (`ref.watch` at lowest possible level), rather than having one large screen widget that watches everything and passes data down as parameters.
+
+**Why:** Reduces unnecessary rebuilds; improves readability; each file has one clear responsibility.
+
+**How to apply:** When building a new screen, identify which sub-widgets need their own provider subscriptions and extract them into separate files (e.g., `widgets/grant_card.dart` watches enrichment providers itself, rather than the screen doing it and passing resolved strings down).
diff --git a/.gitignore b/.gitignore
index 57db88f..6777228 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ scripts/__pycache__/
 .DS_Store
 .cargo/config.toml
 .vscode/
+docs/
diff --git a/useragent/lib/features/connection/evm/grants.dart b/useragent/lib/features/connection/evm/grants.dart
index 168644d..050a1d2 100644
--- a/useragent/lib/features/connection/evm/grants.dart
+++ b/useragent/lib/features/connection/evm/grants.dart
@@ -29,17 +29,27 @@ Future<List<GrantEntry>> listEvmGrants(Connection connection) async {
 
 Future<int> createEvmGrant(
   Connection connection, {
-  required int clientId,
-  required int walletId,
-  required Int64 chainId,
-  DateTime? validFrom,
-  DateTime? validUntil,
-  List<int>? maxGasFeePerGas,
-  List<int>? maxPriorityFeePerGas,
-  TransactionRateLimit? rateLimit,
+  required SharedSettings sharedSettings,
   required SpecificGrant specific,
 }) async {
-  throw UnimplementedError('EVM grant creation is not yet implemented.');
+  final request = UserAgentRequest(
+    evmGrantCreate: EvmGrantCreateRequest(
+      shared: sharedSettings,
+      specific: specific,
+    ),
+  );
+
+  final resp = await connection.ask(request);
+
+  if (!resp.hasEvmGrantCreate()) {
+    throw Exception(
+      'Expected EVM grant create response, got ${resp.whichPayload()}',
+    );
+  }
+
+  final result = resp.evmGrantCreate;
+
+  return result.grantId;
 }
 
 Future<void> deleteEvmGrant(Connection connection, int grantId) async {
diff --git a/useragent/lib/features/connection/evm/wallet_access.dart b/useragent/lib/features/connection/evm/wallet_access.dart
index 66dbb56..8f38344 100644
--- a/useragent/lib/features/connection/evm/wallet_access.dart
+++ b/useragent/lib/features/connection/evm/wallet_access.dart
@@ -16,10 +16,24 @@ Future<Set<int>> readClientWalletAccess(
   }
   return {
     for (final entry in response.listWalletAccessResponse.accesses)
-      if (entry.access != null && entry.access.sdkClientId == clientId) entry.access.walletId,
+      if (entry.access.sdkClientId == clientId) entry.access.walletId,
   };
 }
 
+Future<List<SdkClientWalletAccess>> listAllWalletAccesses(
+  Connection connection,
+) async {
+  final response = await connection.ask(
+    UserAgentRequest(listWalletAccess: Empty()),
+  );
+  if (!response.hasListWalletAccessResponse()) {
+    throw Exception(
+      'Expected list wallet access response, got ${response.whichPayload()}',
+    );
+  }
+  return response.listWalletAccessResponse.accesses.toList(growable: false);
+}
+
 Future<void> writeClientWalletAccess(
   Connection connection, {
   required int clientId,
diff --git a/useragent/lib/providers/evm/evm_grants.dart b/useragent/lib/providers/evm/evm_grants.dart
index ae4a817..6d7747e 100644
--- a/useragent/lib/providers/evm/evm_grants.dart
+++ b/useragent/lib/providers/evm/evm_grants.dart
@@ -5,6 +5,7 @@ import 'package:fixnum/fixnum.dart';
 import 'package:freezed_annotation/freezed_annotation.dart';
 import 'package:hooks_riverpod/experimental/mutation.dart';
 import 'package:mtcore/markettakers.dart';
+import 'package:protobuf/well_known_types/google/protobuf/timestamp.pb.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 
 part 'evm_grants.freezed.dart';
@@ -73,14 +74,7 @@ class EvmGrants extends _$EvmGrants {
 
 Future<int> executeCreateEvmGrant(
   MutationTarget ref, {
-  required int clientId,
-  required int walletId,
-  required Int64 chainId,
-  DateTime? validFrom,
-  DateTime? validUntil,
-  List<int>? maxGasFeePerGas,
-  List<int>? maxPriorityFeePerGas,
-  TransactionRateLimit? rateLimit,
+  required SharedSettings sharedSettings,
   required SpecificGrant specific,
 }) {
   return createEvmGrantMutation.run(ref, (tsx) async {
@@ -91,14 +85,7 @@ Future<int> executeCreateEvmGrant(
 
     final grantId = await createEvmGrant(
       connection,
-      clientId: clientId,
-      walletId: walletId,
-      chainId: chainId,
-      validFrom: validFrom,
-      validUntil: validUntil,
-      maxGasFeePerGas: maxGasFeePerGas,
-      maxPriorityFeePerGas: maxPriorityFeePerGas,
-      rateLimit: rateLimit,
+      sharedSettings: sharedSettings,
       specific: specific,
     );
 
diff --git a/useragent/lib/providers/sdk_clients/wallet_access_list.dart b/useragent/lib/providers/sdk_clients/wallet_access_list.dart
new file mode 100644
index 0000000..f126c97
--- /dev/null
+++ b/useragent/lib/providers/sdk_clients/wallet_access_list.dart
@@ -0,0 +1,22 @@
+import 'package:arbiter/features/connection/evm/wallet_access.dart';
+import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/providers/connection/connection_manager.dart';
+import 'package:mtcore/markettakers.dart';
+import 'package:riverpod_annotation/riverpod_annotation.dart';
+
+part 'wallet_access_list.g.dart';
+
+@riverpod
+Future<List<SdkClientWalletAccess>?> walletAccessList(Ref ref) async {
+  final connection = await ref.watch(connectionManagerProvider.future);
+  if (connection == null) {
+    return null;
+  }
+
+  try {
+    return await listAllWalletAccesses(connection);
+  } catch (e, st) {
+    talker.handle(e, st);
+    rethrow;
+  }
+}
diff --git a/useragent/lib/providers/sdk_clients/wallet_access_list.g.dart b/useragent/lib/providers/sdk_clients/wallet_access_list.g.dart
new file mode 100644
index 0000000..314ce1d
--- /dev/null
+++ b/useragent/lib/providers/sdk_clients/wallet_access_list.g.dart
@@ -0,0 +1,51 @@
+// GENERATED CODE - DO NOT MODIFY BY HAND
+
+part of 'wallet_access_list.dart';
+
+// **************************************************************************
+// RiverpodGenerator
+// **************************************************************************
+
+// GENERATED CODE - DO NOT MODIFY BY HAND
+// ignore_for_file: type=lint, type=warning
+
+@ProviderFor(walletAccessList)
+final walletAccessListProvider = WalletAccessListProvider._();
+
+final class WalletAccessListProvider
+    extends
+        $FunctionalProvider<
+          AsyncValue<List<SdkClientWalletAccess>?>,
+          List<SdkClientWalletAccess>?,
+          FutureOr<List<SdkClientWalletAccess>?>
+        >
+    with
+        $FutureModifier<List<SdkClientWalletAccess>?>,
+        $FutureProvider<List<SdkClientWalletAccess>?> {
+  WalletAccessListProvider._()
+    : super(
+        from: null,
+        argument: null,
+        retry: null,
+        name: r'walletAccessListProvider',
+        isAutoDispose: true,
+        dependencies: null,
+        $allTransitiveDependencies: null,
+      );
+
+  @override
+  String debugGetCreateSourceHash() => _$walletAccessListHash();
+
+  @$internal
+  @override
+  $FutureProviderElement<List<SdkClientWalletAccess>?> $createElement(
+    $ProviderPointer pointer,
+  ) => $FutureProviderElement(pointer);
+
+  @override
+  FutureOr<List<SdkClientWalletAccess>?> create(Ref ref) {
+    return walletAccessList(ref);
+  }
+}
+
+String _$walletAccessListHash() => r'c06006d6792ae463105a539723e9bb396192f96b';
diff --git a/useragent/lib/router.dart b/useragent/lib/router.dart
index 5342ff5..ab06b07 100644
--- a/useragent/lib/router.dart
+++ b/useragent/lib/router.dart
@@ -19,6 +19,7 @@ class Router extends RootStackRouter {
       children: [
         AutoRoute(page: EvmRoute.page, path: 'evm'),
         AutoRoute(page: ClientsRoute.page, path: 'clients'),
+        AutoRoute(page: EvmGrantsRoute.page, path: 'grants'),
         AutoRoute(page: AboutRoute.page, path: 'about'),
       ],
     ),
diff --git a/useragent/lib/router.gr.dart b/useragent/lib/router.gr.dart
index b661a9d..e4d05bb 100644
--- a/useragent/lib/router.gr.dart
+++ b/useragent/lib/router.gr.dart
@@ -9,7 +9,7 @@
 // coverage:ignore-file
 
 // ignore_for_file: no_leading_underscores_for_library_prefixes
-import 'package:arbiter/proto/user_agent.pb.dart' as _i14;
+import 'package:arbiter/proto/user_agent.pb.dart' as _i15;
 import 'package:arbiter/screens/bootstrap.dart' as _i2;
 import 'package:arbiter/screens/dashboard.dart' as _i7;
 import 'package:arbiter/screens/dashboard/about.dart' as _i1;
@@ -17,23 +17,24 @@ import 'package:arbiter/screens/dashboard/clients/details.dart' as _i3;
 import 'package:arbiter/screens/dashboard/clients/details/client_details.dart'
     as _i4;
 import 'package:arbiter/screens/dashboard/clients/table.dart' as _i5;
-import 'package:arbiter/screens/dashboard/evm/evm.dart' as _i8;
+import 'package:arbiter/screens/dashboard/evm/evm.dart' as _i9;
 import 'package:arbiter/screens/dashboard/evm/grants/grant_create.dart' as _i6;
-import 'package:arbiter/screens/server_connection.dart' as _i9;
-import 'package:arbiter/screens/server_info_setup.dart' as _i10;
-import 'package:arbiter/screens/vault_setup.dart' as _i11;
-import 'package:auto_route/auto_route.dart' as _i12;
-import 'package:flutter/material.dart' as _i13;
+import 'package:arbiter/screens/dashboard/evm/grants/grants.dart' as _i8;
+import 'package:arbiter/screens/server_connection.dart' as _i10;
+import 'package:arbiter/screens/server_info_setup.dart' as _i11;
+import 'package:arbiter/screens/vault_setup.dart' as _i12;
+import 'package:auto_route/auto_route.dart' as _i13;
+import 'package:flutter/material.dart' as _i14;
 
 /// generated route for
 /// [_i1.AboutScreen]
-class AboutRoute extends _i12.PageRouteInfo<void> {
-  const AboutRoute({List<_i12.PageRouteInfo>? children})
+class AboutRoute extends _i13.PageRouteInfo<void> {
+  const AboutRoute({List<_i13.PageRouteInfo>? children})
     : super(AboutRoute.name, initialChildren: children);
 
   static const String name = 'AboutRoute';
 
-  static _i12.PageInfo page = _i12.PageInfo(
+  static _i13.PageInfo page = _i13.PageInfo(
     name,
     builder: (data) {
       return const _i1.AboutScreen();
@@ -43,13 +44,13 @@ class AboutRoute extends _i12.PageRouteInfo<void> {
 
 /// generated route for
 /// [_i2.Bootstrap]
-class Bootstrap extends _i12.PageRouteInfo<void> {
-  const Bootstrap({List<_i12.PageRouteInfo>? children})
+class Bootstrap extends _i13.PageRouteInfo<void> {
+  const Bootstrap({List<_i13.PageRouteInfo>? children})
     : super(Bootstrap.name, initialChildren: children);
 
   static const String name = 'Bootstrap';
 
-  static _i12.PageInfo page = _i12.PageInfo(
+  static _i13.PageInfo page = _i13.PageInfo(
     name,
     builder: (data) {
       return const _i2.Bootstrap();
@@ -59,11 +60,11 @@ class Bootstrap extends _i12.PageRouteInfo<void> {
 
 /// generated route for
 /// [_i3.ClientDetails]
-class ClientDetails extends _i12.PageRouteInfo<ClientDetailsArgs> {
+class ClientDetails extends _i13.PageRouteInfo<ClientDetailsArgs> {
   ClientDetails({
-    _i13.Key? key,
-    required _i14.SdkClientEntry client,
-    List<_i12.PageRouteInfo>? children,
+    _i14.Key? key,
+    required _i15.SdkClientEntry client,
+    List<_i13.PageRouteInfo>? children,
   }) : super(
          ClientDetails.name,
          args: ClientDetailsArgs(key: key, client: client),
@@ -72,7 +73,7 @@ class ClientDetails extends _i12.PageRouteInfo<ClientDetailsArgs> {
 
   static const String name = 'ClientDetails';
 
-  static _i12.PageInfo page = _i12.PageInfo(
+  static _i13.PageInfo page = _i13.PageInfo(
     name,
     builder: (data) {
       final args = data.argsAs<ClientDetailsArgs>();
@@ -84,9 +85,9 @@ class ClientDetails extends _i12.PageRouteInfo<ClientDetailsArgs> {
 class ClientDetailsArgs {
   const ClientDetailsArgs({this.key, required this.client});
 
-  final _i13.Key? key;
+  final _i14.Key? key;
 
-  final _i14.SdkClientEntry client;
+  final _i15.SdkClientEntry client;
 
   @override
   String toString() {
@@ -106,11 +107,11 @@ class ClientDetailsArgs {
 
 /// generated route for
 /// [_i4.ClientDetailsScreen]
-class ClientDetailsRoute extends _i12.PageRouteInfo<ClientDetailsRouteArgs> {
+class ClientDetailsRoute extends _i13.PageRouteInfo<ClientDetailsRouteArgs> {
   ClientDetailsRoute({
-    _i13.Key? key,
+    _i14.Key? key,
     required int clientId,
-    List<_i12.PageRouteInfo>? children,
+    List<_i13.PageRouteInfo>? children,
   }) : super(
          ClientDetailsRoute.name,
          args: ClientDetailsRouteArgs(key: key, clientId: clientId),
@@ -120,7 +121,7 @@ class ClientDetailsRoute extends _i12.PageRouteInfo<ClientDetailsRouteArgs> {
 
   static const String name = 'ClientDetailsRoute';
 
-  static _i12.PageInfo page = _i12.PageInfo(
+  static _i13.PageInfo page = _i13.PageInfo(
     name,
     builder: (data) {
       final pathParams = data.inheritedPathParams;
@@ -136,7 +137,7 @@ class ClientDetailsRoute extends _i12.PageRouteInfo<ClientDetailsRouteArgs> {
 class ClientDetailsRouteArgs {
   const ClientDetailsRouteArgs({this.key, required this.clientId});
 
-  final _i13.Key? key;
+  final _i14.Key? key;
 
   final int clientId;
 
@@ -158,13 +159,13 @@ class ClientDetailsRouteArgs {
 
 /// generated route for
 /// [_i5.ClientsScreen]
-class ClientsRoute extends _i12.PageRouteInfo<void> {
-  const ClientsRoute({List<_i12.PageRouteInfo>? children})
+class ClientsRoute extends _i13.PageRouteInfo<void> {
+  const ClientsRoute({List<_i13.PageRouteInfo>? children})
     : super(ClientsRoute.name, initialChildren: children);
 
   static const String name = 'ClientsRoute';
 
-  static _i12.PageInfo page = _i12.PageInfo(
+  static _i13.PageInfo page = _i13.PageInfo(
     name,
     builder: (data) {
       return const _i5.ClientsScreen();
@@ -174,13 +175,13 @@ class ClientsRoute extends _i12.PageRouteInfo<void> {
 
 /// generated route for
 /// [_i6.CreateEvmGrantScreen]
-class CreateEvmGrantRoute extends _i12.PageRouteInfo<void> {
-  const CreateEvmGrantRoute({List<_i12.PageRouteInfo>? children})
+class CreateEvmGrantRoute extends _i13.PageRouteInfo<void> {
+  const CreateEvmGrantRoute({List<_i13.PageRouteInfo>? children})
     : super(CreateEvmGrantRoute.name, initialChildren: children);
 
   static const String name = 'CreateEvmGrantRoute';
 
-  static _i12.PageInfo page = _i12.PageInfo(
+  static _i13.PageInfo page = _i13.PageInfo(
     name,
     builder: (data) {
       return const _i6.CreateEvmGrantScreen();
@@ -190,13 +191,13 @@ class CreateEvmGrantRoute extends _i12.PageRouteInfo<void> {
 
 /// generated route for
 /// [_i7.DashboardRouter]
-class DashboardRouter extends _i12.PageRouteInfo<void> {
-  const DashboardRouter({List<_i12.PageRouteInfo>? children})
+class DashboardRouter extends _i13.PageRouteInfo<void> {
+  const DashboardRouter({List<_i13.PageRouteInfo>? children})
     : super(DashboardRouter.name, initialChildren: children);
 
   static const String name = 'DashboardRouter';
 
-  static _i12.PageInfo page = _i12.PageInfo(
+  static _i13.PageInfo page = _i13.PageInfo(
     name,
     builder: (data) {
       return const _i7.DashboardRouter();
@@ -205,29 +206,45 @@ class DashboardRouter extends _i12.PageRouteInfo<void> {
 }
 
 /// generated route for
-/// [_i8.EvmScreen]
-class EvmRoute extends _i12.PageRouteInfo<void> {
-  const EvmRoute({List<_i12.PageRouteInfo>? children})
-    : super(EvmRoute.name, initialChildren: children);
+/// [_i8.EvmGrantsScreen]
+class EvmGrantsRoute extends _i13.PageRouteInfo<void> {
+  const EvmGrantsRoute({List<_i13.PageRouteInfo>? children})
+    : super(EvmGrantsRoute.name, initialChildren: children);
 
-  static const String name = 'EvmRoute';
+  static const String name = 'EvmGrantsRoute';
 
-  static _i12.PageInfo page = _i12.PageInfo(
+  static _i13.PageInfo page = _i13.PageInfo(
     name,
     builder: (data) {
-      return const _i8.EvmScreen();
+      return const _i8.EvmGrantsScreen();
     },
   );
 }
 
 /// generated route for
-/// [_i9.ServerConnectionScreen]
+/// [_i9.EvmScreen]
+class EvmRoute extends _i13.PageRouteInfo<void> {
+  const EvmRoute({List<_i13.PageRouteInfo>? children})
+    : super(EvmRoute.name, initialChildren: children);
+
+  static const String name = 'EvmRoute';
+
+  static _i13.PageInfo page = _i13.PageInfo(
+    name,
+    builder: (data) {
+      return const _i9.EvmScreen();
+    },
+  );
+}
+
+/// generated route for
+/// [_i10.ServerConnectionScreen]
 class ServerConnectionRoute
-    extends _i12.PageRouteInfo<ServerConnectionRouteArgs> {
+    extends _i13.PageRouteInfo<ServerConnectionRouteArgs> {
   ServerConnectionRoute({
-    _i13.Key? key,
+    _i14.Key? key,
     String? arbiterUrl,
-    List<_i12.PageRouteInfo>? children,
+    List<_i13.PageRouteInfo>? children,
   }) : super(
          ServerConnectionRoute.name,
          args: ServerConnectionRouteArgs(key: key, arbiterUrl: arbiterUrl),
@@ -236,13 +253,13 @@ class ServerConnectionRoute
 
   static const String name = 'ServerConnectionRoute';
 
-  static _i12.PageInfo page = _i12.PageInfo(
+  static _i13.PageInfo page = _i13.PageInfo(
     name,
     builder: (data) {
       final args = data.argsAs<ServerConnectionRouteArgs>(
         orElse: () => const ServerConnectionRouteArgs(),
       );
-      return _i9.ServerConnectionScreen(
+      return _i10.ServerConnectionScreen(
         key: args.key,
         arbiterUrl: args.arbiterUrl,
       );
@@ -253,7 +270,7 @@ class ServerConnectionRoute
 class ServerConnectionRouteArgs {
   const ServerConnectionRouteArgs({this.key, this.arbiterUrl});
 
-  final _i13.Key? key;
+  final _i14.Key? key;
 
   final String? arbiterUrl;
 
@@ -274,33 +291,33 @@ class ServerConnectionRouteArgs {
 }
 
 /// generated route for
-/// [_i10.ServerInfoSetupScreen]
-class ServerInfoSetupRoute extends _i12.PageRouteInfo<void> {
-  const ServerInfoSetupRoute({List<_i12.PageRouteInfo>? children})
+/// [_i11.ServerInfoSetupScreen]
+class ServerInfoSetupRoute extends _i13.PageRouteInfo<void> {
+  const ServerInfoSetupRoute({List<_i13.PageRouteInfo>? children})
     : super(ServerInfoSetupRoute.name, initialChildren: children);
 
   static const String name = 'ServerInfoSetupRoute';
 
-  static _i12.PageInfo page = _i12.PageInfo(
+  static _i13.PageInfo page = _i13.PageInfo(
     name,
     builder: (data) {
-      return const _i10.ServerInfoSetupScreen();
+      return const _i11.ServerInfoSetupScreen();
     },
   );
 }
 
 /// generated route for
-/// [_i11.VaultSetupScreen]
-class VaultSetupRoute extends _i12.PageRouteInfo<void> {
-  const VaultSetupRoute({List<_i12.PageRouteInfo>? children})
+/// [_i12.VaultSetupScreen]
+class VaultSetupRoute extends _i13.PageRouteInfo<void> {
+  const VaultSetupRoute({List<_i13.PageRouteInfo>? children})
     : super(VaultSetupRoute.name, initialChildren: children);
 
   static const String name = 'VaultSetupRoute';
 
-  static _i12.PageInfo page = _i12.PageInfo(
+  static _i13.PageInfo page = _i13.PageInfo(
     name,
     builder: (data) {
-      return const _i11.VaultSetupScreen();
+      return const _i12.VaultSetupScreen();
     },
   );
 }
diff --git a/useragent/lib/screens/dashboard.dart b/useragent/lib/screens/dashboard.dart
index acfb828..55d97c6 100644
--- a/useragent/lib/screens/dashboard.dart
+++ b/useragent/lib/screens/dashboard.dart
@@ -9,7 +9,12 @@ import 'package:hooks_riverpod/hooks_riverpod.dart';
 
 const breakpoints = MaterialAdaptiveBreakpoints();
 
-final routes = [const EvmRoute(), const ClientsRoute(), const AboutRoute()];
+final routes = [
+  const EvmRoute(),
+  const ClientsRoute(),
+  const EvmGrantsRoute(),
+  const AboutRoute(),
+];
 
 @RoutePage()
 class DashboardRouter extends StatelessWidget {
@@ -38,6 +43,11 @@ class DashboardRouter extends StatelessWidget {
               selectedIcon: Icon(Icons.devices_other),
               label: "Clients",
             ),
+            NavigationDestination(
+              icon: Icon(Icons.policy_outlined),
+              selectedIcon: Icon(Icons.policy),
+              label: "Grants",
+            ),
             NavigationDestination(
               icon: Icon(Icons.info_outline),
               selectedIcon: Icon(Icons.info),
diff --git a/useragent/lib/screens/dashboard/evm/grants/grant_create.dart b/useragent/lib/screens/dashboard/evm/grants/grant_create.dart
index 4cb27a4..7a11d5c 100644
--- a/useragent/lib/screens/dashboard/evm/grants/grant_create.dart
+++ b/useragent/lib/screens/dashboard/evm/grants/grant_create.dart
@@ -1,12 +1,16 @@
 import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:arbiter/providers/evm/evm.dart';
 import 'package:arbiter/providers/evm/evm_grants.dart';
+import 'package:arbiter/providers/sdk_clients/list.dart';
+import 'package:arbiter/providers/sdk_clients/wallet_access_list.dart';
 import 'package:auto_route/auto_route.dart';
 import 'package:fixnum/fixnum.dart';
 import 'package:flutter/material.dart';
 import 'package:flutter_hooks/flutter_hooks.dart';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
 import 'package:hooks_riverpod/experimental/mutation.dart';
+import 'package:protobuf/well_known_types/google/protobuf/timestamp.pb.dart';
 import 'package:sizer/sizer.dart';
 
 @RoutePage()
@@ -15,11 +19,10 @@ class CreateEvmGrantScreen extends HookConsumerWidget {
 
   @override
   Widget build(BuildContext context, WidgetRef ref) {
-    final wallets = ref.watch(evmProvider).asData?.value ?? const <WalletEntry>[];
     final createMutation = ref.watch(createEvmGrantMutation);
 
-    final selectedWalletIndex = useState<int?>(wallets.isEmpty ? null : 0);
-    final clientIdController = useTextEditingController();
+    final selectedClientId = useState<int?>(null);
+    final selectedWalletAccessId = useState<int?>(null);
     final chainIdController = useTextEditingController(text: '1');
     final gasFeeController = useTextEditingController();
     final priorityFeeController = useTextEditingController();
@@ -40,14 +43,13 @@ class CreateEvmGrantScreen extends HookConsumerWidget {
     ]);
 
     Future<void> submit() async {
-      final selectedWallet = selectedWalletIndex.value;
-      if (selectedWallet == null) {
-        _showCreateMessage(context, 'At least one wallet is required.');
+      final accessId = selectedWalletAccessId.value;
+      if (accessId == null) {
+        _showCreateMessage(context, 'Select a client and wallet access.');
         return;
       }
 
       try {
-        final clientId = int.parse(clientIdController.text.trim());
         final chainId = Int64.parseInt(chainIdController.text.trim());
         final rateLimit = _buildRateLimit(
           txCountController.text,
@@ -83,16 +85,25 @@ class CreateEvmGrantScreen extends HookConsumerWidget {
           _ => throw Exception('Unsupported grant type.'),
         };
 
+        final sharedSettings = SharedSettings(
+          walletAccessId: accessId,
+          chainId: chainId,
+        );
+        if (validFrom.value != null) {
+          sharedSettings.validFrom = _toTimestamp(validFrom.value!);
+        }
+        if (validUntil.value != null) {
+          sharedSettings.validUntil = _toTimestamp(validUntil.value!);
+        }
+        final gasBytes = _optionalBigIntBytes(gasFeeController.text);
+        if (gasBytes != null) sharedSettings.maxGasFeePerGas = gasBytes;
+        final priorityBytes = _optionalBigIntBytes(priorityFeeController.text);
+        if (priorityBytes != null) sharedSettings.maxPriorityFeePerGas = priorityBytes;
+        if (rateLimit != null) sharedSettings.rateLimit = rateLimit;
+
         await executeCreateEvmGrant(
           ref,
-          clientId: clientId,
-          walletId: selectedWallet + 1,
-          chainId: chainId,
-          validFrom: validFrom.value,
-          validUntil: validUntil.value,
-          maxGasFeePerGas: _optionalBigIntBytes(gasFeeController.text),
-          maxPriorityFeePerGas: _optionalBigIntBytes(priorityFeeController.text),
-          rateLimit: rateLimit,
+          sharedSettings: sharedSettings,
           specific: specific,
         );
         if (!context.mounted) {
@@ -113,22 +124,23 @@ class CreateEvmGrantScreen extends HookConsumerWidget {
         child: ListView(
           padding: EdgeInsets.fromLTRB(2.4.w, 2.h, 2.4.w, 3.2.h),
           children: [
-            _CreateIntroCard(walletCount: wallets.length),
+            const _CreateIntroCard(),
             SizedBox(height: 1.8.h),
             _CreateSection(
               title: 'Shared grant options',
               children: [
-                _WalletPickerField(
-                  wallets: wallets,
-                  selectedIndex: selectedWalletIndex.value,
-                  onChanged: (value) => selectedWalletIndex.value = value,
+                _ClientPickerField(
+                  selectedClientId: selectedClientId.value,
+                  onChanged: (clientId) {
+                    selectedClientId.value = clientId;
+                    selectedWalletAccessId.value = null;
+                  },
                 ),
-                _NumberInputField(
-                  controller: clientIdController,
-                  label: 'Client ID',
-                  hint: '42',
-                  helper:
-                      'Manual for now. The app does not yet expose a client picker.',
+                _WalletAccessPickerField(
+                  selectedClientId: selectedClientId.value,
+                  selectedAccessId: selectedWalletAccessId.value,
+                  onChanged: (accessId) =>
+                      selectedWalletAccessId.value = accessId,
                 ),
                 _NumberInputField(
                   controller: chainIdController,
@@ -204,9 +216,7 @@ class CreateEvmGrantScreen extends HookConsumerWidget {
 }
 
 class _CreateIntroCard extends StatelessWidget {
-  const _CreateIntroCard({required this.walletCount});
-
-  final int walletCount;
+  const _CreateIntroCard();
 
   @override
   Widget build(BuildContext context) {
@@ -222,7 +232,7 @@ class _CreateIntroCard extends StatelessWidget {
         border: Border.all(color: const Color(0x1A17324A)),
       ),
       child: Text(
-        'Compose shared constraints once, then switch between Ether and token transfer rules. $walletCount wallet${walletCount == 1 ? '' : 's'} currently available.',
+        'Pick a client, then select one of the wallet accesses already granted to it. Compose shared constraints once, then switch between Ether and token transfer rules.',
         style: Theme.of(context).textTheme.bodyLarge?.copyWith(height: 1.5),
       ),
     );
@@ -266,37 +276,98 @@ class _CreateSection extends StatelessWidget {
   }
 }
 
-class _WalletPickerField extends StatelessWidget {
-  const _WalletPickerField({
-    required this.wallets,
-    required this.selectedIndex,
+class _ClientPickerField extends ConsumerWidget {
+  const _ClientPickerField({
+    required this.selectedClientId,
     required this.onChanged,
   });
 
-  final List<WalletEntry> wallets;
-  final int? selectedIndex;
+  final int? selectedClientId;
   final ValueChanged<int?> onChanged;
 
   @override
-  Widget build(BuildContext context) {
+  Widget build(BuildContext context, WidgetRef ref) {
+    final clients =
+        ref.watch(sdkClientsProvider).asData?.value ?? const <SdkClientEntry>[];
+
     return DropdownButtonFormField<int>(
-      initialValue: selectedIndex,
+      value: clients.any((c) => c.id == selectedClientId)
+          ? selectedClientId
+          : null,
       decoration: const InputDecoration(
-        labelText: 'Wallet',
-        helperText:
-            'Uses the current wallet order. The API still does not expose stable wallet IDs directly.',
+        labelText: 'Client',
         border: OutlineInputBorder(),
       ),
       items: [
-        for (var i = 0; i < wallets.length; i++)
+        for (final c in clients)
           DropdownMenuItem(
-            value: i,
+            value: c.id,
             child: Text(
-              'Wallet ${(i + 1).toString().padLeft(2, '0')} · ${_shortAddress(wallets[i].address)}',
+              c.info.name.isEmpty ? 'Client #${c.id}' : c.info.name,
             ),
           ),
       ],
-      onChanged: wallets.isEmpty ? null : onChanged,
+      onChanged: clients.isEmpty ? null : onChanged,
+    );
+  }
+}
+
+class _WalletAccessPickerField extends ConsumerWidget {
+  const _WalletAccessPickerField({
+    required this.selectedClientId,
+    required this.selectedAccessId,
+    required this.onChanged,
+  });
+
+  final int? selectedClientId;
+  final int? selectedAccessId;
+  final ValueChanged<int?> onChanged;
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final allAccesses =
+        ref.watch(walletAccessListProvider).asData?.value ??
+        const <SdkClientWalletAccess>[];
+    final wallets =
+        ref.watch(evmProvider).asData?.value ?? const <WalletEntry>[];
+
+    final walletById = <int, WalletEntry>{
+      for (final w in wallets) w.id: w,
+    };
+
+    final accesses = selectedClientId == null
+        ? const <SdkClientWalletAccess>[]
+        : allAccesses
+              .where((a) => a.access.sdkClientId == selectedClientId)
+              .toList();
+
+    final effectiveValue =
+        accesses.any((a) => a.id == selectedAccessId) ? selectedAccessId : null;
+
+    return DropdownButtonFormField<int>(
+      value: effectiveValue,
+      decoration: InputDecoration(
+        labelText: 'Wallet access',
+        helperText: selectedClientId == null
+            ? 'Select a client first'
+            : accesses.isEmpty
+            ? 'No wallet accesses for this client'
+            : null,
+        border: const OutlineInputBorder(),
+      ),
+      items: [
+        for (final a in accesses)
+          DropdownMenuItem(
+            value: a.id,
+            child: Text(() {
+              final wallet = walletById[a.access.walletId];
+              return wallet != null
+                  ? _shortAddress(wallet.address)
+                  : 'Wallet #${a.access.walletId}';
+            }()),
+          ),
+      ],
+      onChanged: accesses.isEmpty ? null : onChanged,
     );
   }
 }
@@ -735,6 +806,13 @@ class _VolumeLimitValue {
   }
 }
 
+Timestamp _toTimestamp(DateTime value) {
+  final utc = value.toUtc();
+  return Timestamp()
+    ..seconds = Int64(utc.millisecondsSinceEpoch ~/ 1000)
+    ..nanos = (utc.microsecondsSinceEpoch % 1000000) * 1000;
+}
+
 TransactionRateLimit? _buildRateLimit(String countText, String windowText) {
   if (countText.trim().isEmpty || windowText.trim().isEmpty) {
     return null;
diff --git a/useragent/lib/screens/dashboard/evm/grants/grants.dart b/useragent/lib/screens/dashboard/evm/grants/grants.dart
new file mode 100644
index 0000000..eb73efc
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/grants.dart
@@ -0,0 +1,231 @@
+import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/providers/evm/evm_grants.dart';
+import 'package:arbiter/providers/sdk_clients/wallet_access_list.dart';
+import 'package:arbiter/router.gr.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/widgets/grant_card.dart';
+import 'package:arbiter/theme/palette.dart';
+import 'package:arbiter/widgets/page_header.dart';
+import 'package:auto_route/auto_route.dart';
+import 'package:flutter/material.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+import 'package:sizer/sizer.dart';
+
+String _formatError(Object error) {
+  final message = error.toString();
+  if (message.startsWith('Exception: ')) {
+    return message.substring('Exception: '.length);
+  }
+  return message;
+}
+
+// ─── State panel ──────────────────────────────────────────────────────────────
+
+class _StatePanel extends StatelessWidget {
+  const _StatePanel({
+    required this.icon,
+    required this.title,
+    required this.body,
+    this.actionLabel,
+    this.onAction,
+    this.busy = false,
+  });
+
+  final IconData icon;
+  final String title;
+  final String body;
+  final String? actionLabel;
+  final Future<void> Function()? onAction;
+  final bool busy;
+
+  @override
+  Widget build(BuildContext context) {
+    final theme = Theme.of(context);
+
+    return Container(
+      decoration: BoxDecoration(
+        borderRadius: BorderRadius.circular(24),
+        color: Palette.cream.withValues(alpha: 0.92),
+        border: Border.all(color: Palette.line),
+      ),
+      child: Padding(
+        padding: EdgeInsets.all(2.8.h),
+        child: Column(
+          crossAxisAlignment: CrossAxisAlignment.start,
+          children: [
+            if (busy)
+              SizedBox(
+                width: 2.8.h,
+                height: 2.8.h,
+                child: const CircularProgressIndicator(strokeWidth: 2.5),
+              )
+            else
+              Icon(icon, size: 34, color: Palette.coral),
+            SizedBox(height: 1.8.h),
+            Text(
+              title,
+              style: theme.textTheme.headlineSmall?.copyWith(
+                color: Palette.ink,
+                fontWeight: FontWeight.w800,
+              ),
+            ),
+            SizedBox(height: 1.h),
+            Text(
+              body,
+              style: theme.textTheme.bodyLarge?.copyWith(
+                color: Palette.ink.withValues(alpha: 0.72),
+                height: 1.5,
+              ),
+            ),
+            if (actionLabel != null && onAction != null) ...[
+              SizedBox(height: 2.h),
+              OutlinedButton.icon(
+                onPressed: () => onAction!(),
+                icon: const Icon(Icons.refresh),
+                label: Text(actionLabel!),
+              ),
+            ],
+          ],
+        ),
+      ),
+    );
+  }
+}
+
+// ─── Grant list ───────────────────────────────────────────────────────────────
+
+class _GrantList extends StatelessWidget {
+  const _GrantList({required this.grants});
+
+  final List<GrantEntry> grants;
+
+  @override
+  Widget build(BuildContext context) {
+    return Column(
+      children: [
+        for (var i = 0; i < grants.length; i++)
+          Padding(
+            padding: EdgeInsets.only(
+              bottom: i == grants.length - 1 ? 0 : 1.8.h,
+            ),
+            child: GrantCard(grant: grants[i]),
+          ),
+      ],
+    );
+  }
+}
+
+// ─── Screen ───────────────────────────────────────────────────────────────────
+
+@RoutePage()
+class EvmGrantsScreen extends ConsumerWidget {
+  const EvmGrantsScreen({super.key});
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    // Screen watches only the grant list for top-level state decisions
+    final grantsAsync = ref.watch(evmGrantsProvider);
+
+    Future<void> refresh() async {
+      ref.invalidate(walletAccessListProvider);
+      ref.invalidate(evmGrantsProvider);
+    }
+
+    void showMessage(String message) {
+      if (!context.mounted) return;
+      ScaffoldMessenger.of(context).showSnackBar(
+        SnackBar(content: Text(message), behavior: SnackBarBehavior.floating),
+      );
+    }
+
+    Future<void> safeRefresh() async {
+      try {
+        await refresh();
+      } catch (e) {
+        showMessage(_formatError(e));
+      }
+    }
+
+    final grantsState = grantsAsync.asData?.value;
+    final grants = grantsState?.grants;
+
+    final content = switch (grantsAsync) {
+      AsyncLoading() when grantsState == null => const _StatePanel(
+        icon: Icons.hourglass_top,
+        title: 'Loading grants',
+        body: 'Pulling grant registry from Arbiter.',
+        busy: true,
+      ),
+      AsyncError(:final error) => _StatePanel(
+        icon: Icons.sync_problem,
+        title: 'Grant registry unavailable',
+        body: _formatError(error),
+        actionLabel: 'Retry',
+        onAction: safeRefresh,
+      ),
+      AsyncData(:final value) when value == null => _StatePanel(
+        icon: Icons.portable_wifi_off,
+        title: 'No active server connection',
+        body: 'Reconnect to Arbiter to list EVM grants.',
+        actionLabel: 'Refresh',
+        onAction: safeRefresh,
+      ),
+      _ when grants != null && grants.isEmpty => _StatePanel(
+        icon: Icons.policy_outlined,
+        title: 'No grants yet',
+        body: 'Create a grant to allow SDK clients to sign transactions.',
+        actionLabel: 'Create grant',
+        onAction: () async => context.router.push(const CreateEvmGrantRoute()),
+      ),
+      _ => _GrantList(grants: grants ?? const []),
+    };
+
+    return Scaffold(
+      body: SafeArea(
+        child: RefreshIndicator.adaptive(
+          color: Palette.ink,
+          backgroundColor: Colors.white,
+          onRefresh: safeRefresh,
+          child: ListView(
+            physics: const BouncingScrollPhysics(
+              parent: AlwaysScrollableScrollPhysics(),
+            ),
+            padding: EdgeInsets.fromLTRB(2.4.w, 2.4.h, 2.4.w, 3.2.h),
+            children: [
+              PageHeader(
+                title: 'EVM Grants',
+                isBusy: grantsAsync.isLoading,
+                actions: [
+                  FilledButton.icon(
+                    onPressed: () =>
+                        context.router.push(const CreateEvmGrantRoute()),
+                    icon: const Icon(Icons.add_rounded),
+                    label: const Text('Create grant'),
+                  ),
+                  SizedBox(width: 1.w),
+                  OutlinedButton.icon(
+                    onPressed: safeRefresh,
+                    style: OutlinedButton.styleFrom(
+                      foregroundColor: Palette.ink,
+                      side: BorderSide(color: Palette.line),
+                      padding: EdgeInsets.symmetric(
+                        horizontal: 1.4.w,
+                        vertical: 1.2.h,
+                      ),
+                      shape: RoundedRectangleBorder(
+                        borderRadius: BorderRadius.circular(14),
+                      ),
+                    ),
+                    icon: const Icon(Icons.refresh, size: 18),
+                    label: const Text('Refresh'),
+                  ),
+                ],
+              ),
+              SizedBox(height: 1.8.h),
+              content,
+            ],
+          ),
+        ),
+      ),
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart b/useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart
new file mode 100644
index 0000000..5e01b1c
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart
@@ -0,0 +1,225 @@
+import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/providers/evm/evm.dart';
+import 'package:arbiter/providers/evm/evm_grants.dart';
+import 'package:arbiter/providers/sdk_clients/list.dart';
+import 'package:arbiter/providers/sdk_clients/wallet_access_list.dart';
+import 'package:arbiter/theme/palette.dart';
+import 'package:flutter/material.dart';
+import 'package:hooks_riverpod/experimental/mutation.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+import 'package:sizer/sizer.dart';
+
+String _shortAddress(List<int> bytes) {
+  final hex = bytes.map((b) => b.toRadixString(16).padLeft(2, '0')).join();
+  return '0x${hex.substring(0, 6)}...${hex.substring(hex.length - 4)}';
+}
+
+String _formatError(Object error) {
+  final message = error.toString();
+  if (message.startsWith('Exception: ')) {
+    return message.substring('Exception: '.length);
+  }
+  return message;
+}
+
+class GrantCard extends ConsumerWidget {
+  const GrantCard({super.key, required this.grant});
+
+  final GrantEntry grant;
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    // Enrichment lookups — each watch scopes rebuilds to this card only
+    final walletAccesses =
+        ref.watch(walletAccessListProvider).asData?.value ?? const [];
+    final wallets = ref.watch(evmProvider).asData?.value ?? const [];
+    final clients = ref.watch(sdkClientsProvider).asData?.value ?? const [];
+    final revoking = ref.watch(revokeEvmGrantMutation) is MutationPending;
+
+    final isEther =
+        grant.specific.whichGrant() == SpecificGrant_Grant.etherTransfer;
+    final accent = isEther ? Palette.coral : Palette.token;
+    final typeLabel = isEther ? 'Ether' : 'Token';
+    final theme = Theme.of(context);
+    final muted = Palette.ink.withValues(alpha: 0.62);
+
+    // Resolve wallet_access_id → wallet address + client name
+    final accessById = <int, SdkClientWalletAccess>{
+      for (final a in walletAccesses) a.id: a,
+    };
+    final walletById = <int, WalletEntry>{
+      for (final w in wallets) w.id: w,
+    };
+    final clientNameById = <int, String>{
+      for (final c in clients) c.id: c.info.name,
+    };
+
+    final accessId = grant.shared.walletAccessId;
+    final access = accessById[accessId];
+    final wallet = access != null ? walletById[access.access.walletId] : null;
+
+    final walletLabel = wallet != null
+        ? _shortAddress(wallet.address)
+        : 'Access #$accessId';
+
+    final clientLabel = () {
+      if (access == null) return '';
+      final name = clientNameById[access.access.sdkClientId] ?? '';
+      return name.isEmpty ? 'Client #${access.access.sdkClientId}' : name;
+    }();
+
+    void showError(String message) {
+      if (!context.mounted) return;
+      ScaffoldMessenger.of(context).showSnackBar(
+        SnackBar(content: Text(message), behavior: SnackBarBehavior.floating),
+      );
+    }
+
+    Future<void> revoke() async {
+      try {
+        await executeRevokeEvmGrant(ref, grantId: grant.id);
+      } catch (e) {
+        showError(_formatError(e));
+      }
+    }
+
+    return Container(
+      decoration: BoxDecoration(
+        borderRadius: BorderRadius.circular(24),
+        color: Palette.cream.withValues(alpha: 0.92),
+        border: Border.all(color: Palette.line),
+      ),
+      child: IntrinsicHeight(
+        child: Row(
+          crossAxisAlignment: CrossAxisAlignment.stretch,
+          children: [
+            // Accent strip
+            Container(
+              width: 0.8.w,
+              decoration: BoxDecoration(
+                color: accent,
+                borderRadius: const BorderRadius.horizontal(
+                  left: Radius.circular(24),
+                ),
+              ),
+            ),
+            // Card body
+            Expanded(
+              child: Padding(
+                padding: EdgeInsets.symmetric(
+                  horizontal: 1.6.w,
+                  vertical: 1.4.h,
+                ),
+                child: Column(
+                  crossAxisAlignment: CrossAxisAlignment.start,
+                  children: [
+                    // Row 1: type badge · chain · spacer · revoke button
+                    Row(
+                      children: [
+                        Container(
+                          padding: EdgeInsets.symmetric(
+                            horizontal: 1.w,
+                            vertical: 0.4.h,
+                          ),
+                          decoration: BoxDecoration(
+                            color: accent.withValues(alpha: 0.15),
+                            borderRadius: BorderRadius.circular(8),
+                          ),
+                          child: Text(
+                            typeLabel,
+                            style: theme.textTheme.labelSmall?.copyWith(
+                              color: accent,
+                              fontWeight: FontWeight.w800,
+                            ),
+                          ),
+                        ),
+                        SizedBox(width: 1.w),
+                        Container(
+                          padding: EdgeInsets.symmetric(
+                            horizontal: 1.w,
+                            vertical: 0.4.h,
+                          ),
+                          decoration: BoxDecoration(
+                            color: Palette.ink.withValues(alpha: 0.06),
+                            borderRadius: BorderRadius.circular(8),
+                          ),
+                          child: Text(
+                            'Chain ${grant.shared.chainId}',
+                            style: theme.textTheme.labelSmall?.copyWith(
+                              color: muted,
+                              fontWeight: FontWeight.w700,
+                            ),
+                          ),
+                        ),
+                        const Spacer(),
+                        if (revoking)
+                          SizedBox(
+                            width: 1.8.h,
+                            height: 1.8.h,
+                            child: CircularProgressIndicator(
+                              strokeWidth: 2,
+                              color: Palette.coral,
+                            ),
+                          )
+                        else
+                          OutlinedButton.icon(
+                            onPressed: revoke,
+                            style: OutlinedButton.styleFrom(
+                              foregroundColor: Palette.coral,
+                              side: BorderSide(
+                                color: Palette.coral.withValues(alpha: 0.4),
+                              ),
+                              padding: EdgeInsets.symmetric(
+                                horizontal: 1.w,
+                                vertical: 0.6.h,
+                              ),
+                              shape: RoundedRectangleBorder(
+                                borderRadius: BorderRadius.circular(10),
+                              ),
+                            ),
+                            icon: const Icon(Icons.block_rounded, size: 16),
+                            label: const Text('Revoke'),
+                          ),
+                      ],
+                    ),
+                    SizedBox(height: 0.8.h),
+                    // Row 2: wallet address · client name
+                    Row(
+                      children: [
+                        Text(
+                          walletLabel,
+                          style: theme.textTheme.bodySmall?.copyWith(
+                            color: Palette.ink,
+                            fontFamily: 'monospace',
+                          ),
+                        ),
+                        Padding(
+                          padding: EdgeInsets.symmetric(horizontal: 0.8.w),
+                          child: Text(
+                            '·',
+                            style: theme.textTheme.bodySmall
+                                ?.copyWith(color: muted),
+                          ),
+                        ),
+                        Expanded(
+                          child: Text(
+                            clientLabel,
+                            maxLines: 1,
+                            overflow: TextOverflow.ellipsis,
+                            style: theme.textTheme.bodySmall
+                                ?.copyWith(color: muted),
+                          ),
+                        ),
+                      ],
+                    ),
+                  ],
+                ),
+              ),
+            ),
+          ],
+        ),
+      ),
+    );
+  }
+}
diff --git a/useragent/lib/theme/palette.dart b/useragent/lib/theme/palette.dart
index 1b87a9b..a2a5194 100644
--- a/useragent/lib/theme/palette.dart
+++ b/useragent/lib/theme/palette.dart
@@ -5,4 +5,5 @@ class Palette {
   static const coral = Color(0xFFE26254);
   static const cream = Color(0xFFFFFAF4);
   static const line = Color(0x1A15263C);
+  static const token = Color(0xFF5C6BC0);
 }

From 32743741e19a2953bafe4cf4637319a35869bf1e Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sat, 28 Mar 2026 17:57:50 +0100
Subject: [PATCH 08/29] refactor(useragent): moved shared CreamPanel and
 StatePanel into generic widgets

---
 useragent/lib/providers/evm/evm_grants.dart   |   2 -
 .../lib/screens/callouts/sdk_connect.dart     |   8 +-
 .../widgets/client_details_state_panel.dart   |  32 +++---
 .../details/widgets/client_summary_card.dart  |  15 +--
 .../widgets/wallet_access_save_bar.dart       |  14 +--
 .../widgets/wallet_access_section.dart        |  15 +--
 .../lib/screens/dashboard/clients/table.dart  | 100 ++----------------
 useragent/lib/screens/dashboard/evm/evm.dart  |  78 +-------------
 .../screens/dashboard/evm/grants/grants.dart  |  82 +-------------
 .../screens/dashboard/evm/wallets/table.dart  |  14 +--
 useragent/lib/widgets/cream_frame.dart        |  32 ++++++
 useragent/lib/widgets/state_panel.dart        |  69 ++++++++++++
 12 files changed, 151 insertions(+), 310 deletions(-)
 create mode 100644 useragent/lib/widgets/cream_frame.dart
 create mode 100644 useragent/lib/widgets/state_panel.dart

diff --git a/useragent/lib/providers/evm/evm_grants.dart b/useragent/lib/providers/evm/evm_grants.dart
index 6d7747e..fb03342 100644
--- a/useragent/lib/providers/evm/evm_grants.dart
+++ b/useragent/lib/providers/evm/evm_grants.dart
@@ -1,11 +1,9 @@
 import 'package:arbiter/features/connection/evm/grants.dart';
 import 'package:arbiter/proto/evm.pb.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
-import 'package:fixnum/fixnum.dart';
 import 'package:freezed_annotation/freezed_annotation.dart';
 import 'package:hooks_riverpod/experimental/mutation.dart';
 import 'package:mtcore/markettakers.dart';
-import 'package:protobuf/well_known_types/google/protobuf/timestamp.pb.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 
 part 'evm_grants.freezed.dart';
diff --git a/useragent/lib/screens/callouts/sdk_connect.dart b/useragent/lib/screens/callouts/sdk_connect.dart
index c26fd36..3e005eb 100644
--- a/useragent/lib/screens/callouts/sdk_connect.dart
+++ b/useragent/lib/screens/callouts/sdk_connect.dart
@@ -1,5 +1,6 @@
 import 'package:arbiter/proto/client.pb.dart';
 import 'package:arbiter/theme/palette.dart';
+import 'package:arbiter/widgets/cream_frame.dart';
 import 'package:flutter/material.dart';
 import 'package:sizer/sizer.dart';
 
@@ -31,12 +32,7 @@ class SdkConnectCallout extends StatelessWidget {
         clientInfo.hasVersion() && clientInfo.version.isNotEmpty;
     final showInfoCard = hasDescription || hasVersion;
 
-    return Container(
-      decoration: BoxDecoration(
-        color: Palette.cream,
-        borderRadius: BorderRadius.circular(24),
-        border: Border.all(color: Palette.line),
-      ),
+    return CreamFrame(
       padding: EdgeInsets.all(2.4.h),
       child: Column(
         mainAxisSize: MainAxisSize.min,
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/client_details_state_panel.dart b/useragent/lib/screens/dashboard/clients/details/widgets/client_details_state_panel.dart
index f9c40d5..82f5b41 100644
--- a/useragent/lib/screens/dashboard/clients/details/widgets/client_details_state_panel.dart
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/client_details_state_panel.dart
@@ -1,4 +1,5 @@
 import 'package:arbiter/theme/palette.dart';
+import 'package:arbiter/widgets/cream_frame.dart';
 import 'package:flutter/material.dart';
 
 class ClientDetailsStatePanel extends StatelessWidget {
@@ -17,27 +18,18 @@ class ClientDetailsStatePanel extends StatelessWidget {
   Widget build(BuildContext context) {
     final theme = Theme.of(context);
     return Center(
-      child: Padding(
+      child: CreamFrame(
+        margin: const EdgeInsets.all(24),
         padding: const EdgeInsets.all(24),
-        child: DecoratedBox(
-          decoration: BoxDecoration(
-            color: Palette.cream,
-            borderRadius: BorderRadius.circular(24),
-            border: Border.all(color: Palette.line),
-          ),
-          child: Padding(
-            padding: const EdgeInsets.all(24),
-            child: Column(
-              mainAxisSize: MainAxisSize.min,
-              children: [
-                Icon(icon, color: Palette.coral),
-                const SizedBox(height: 12),
-                Text(title, style: theme.textTheme.titleLarge),
-                const SizedBox(height: 8),
-                Text(body, textAlign: TextAlign.center),
-              ],
-            ),
-          ),
+        child: Column(
+          mainAxisSize: MainAxisSize.min,
+          children: [
+            Icon(icon, color: Palette.coral),
+            const SizedBox(height: 12),
+            Text(title, style: theme.textTheme.titleLarge),
+            const SizedBox(height: 8),
+            Text(body, textAlign: TextAlign.center),
+          ],
         ),
       ),
     );
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart b/useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart
index 7fa081c..f04576d 100644
--- a/useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart
@@ -1,5 +1,5 @@
 import 'package:arbiter/proto/user_agent.pb.dart';
-import 'package:arbiter/theme/palette.dart';
+import 'package:arbiter/widgets/cream_frame.dart';
 import 'package:flutter/material.dart';
 
 class ClientSummaryCard extends StatelessWidget {
@@ -9,15 +9,9 @@ class ClientSummaryCard extends StatelessWidget {
 
   @override
   Widget build(BuildContext context) {
-    return DecoratedBox(
-      decoration: BoxDecoration(
-        color: Palette.cream,
-        borderRadius: BorderRadius.circular(24),
-        border: Border.all(color: Palette.line),
-      ),
-      child: Padding(
-        padding: const EdgeInsets.all(20),
-        child: Column(
+    return CreamFrame(
+      padding: const EdgeInsets.all(20),
+      child: Column(
           crossAxisAlignment: CrossAxisAlignment.start,
           children: [
             Text(
@@ -42,7 +36,6 @@ class ClientSummaryCard extends StatelessWidget {
             ),
           ],
         ),
-      ),
     );
   }
 }
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_save_bar.dart b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_save_bar.dart
index 52e820d..b96f2f6 100644
--- a/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_save_bar.dart
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_save_bar.dart
@@ -1,5 +1,6 @@
 import 'package:arbiter/providers/sdk_clients/wallet_access.dart';
 import 'package:arbiter/theme/palette.dart';
+import 'package:arbiter/widgets/cream_frame.dart';
 import 'package:flutter/material.dart';
 import 'package:hooks_riverpod/experimental/mutation.dart';
 
@@ -24,15 +25,9 @@ class WalletAccessSaveBar extends StatelessWidget {
       MutationError(:final error) => error.toString(),
       _ => null,
     };
-    return DecoratedBox(
-      decoration: BoxDecoration(
-        color: Palette.cream,
-        borderRadius: BorderRadius.circular(24),
-        border: Border.all(color: Palette.line),
-      ),
-      child: Padding(
-        padding: const EdgeInsets.all(16),
-        child: Column(
+    return CreamFrame(
+      padding: const EdgeInsets.all(16),
+      child: Column(
           crossAxisAlignment: CrossAxisAlignment.start,
           children: [
             if (errorText != null) ...[
@@ -54,7 +49,6 @@ class WalletAccessSaveBar extends StatelessWidget {
             ),
           ],
         ),
-      ),
     );
   }
 }
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_section.dart b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_section.dart
index e5b40f2..cf55b29 100644
--- a/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_section.dart
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/wallet_access_section.dart
@@ -2,7 +2,7 @@ import 'package:arbiter/providers/sdk_clients/wallet_access.dart';
 import 'package:arbiter/screens/dashboard/clients/details/widgets/client_details_state_panel.dart';
 import 'package:arbiter/screens/dashboard/clients/details/widgets/wallet_access_list.dart';
 import 'package:arbiter/screens/dashboard/clients/details/widgets/wallet_access_search_field.dart';
-import 'package:arbiter/theme/palette.dart';
+import 'package:arbiter/widgets/cream_frame.dart';
 import 'package:flutter/material.dart';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
 
@@ -27,15 +27,9 @@ class WalletAccessSection extends ConsumerWidget {
   @override
   Widget build(BuildContext context, WidgetRef ref) {
     final optionsAsync = ref.watch(clientWalletOptionsProvider);
-    return DecoratedBox(
-      decoration: BoxDecoration(
-        color: Palette.cream,
-        borderRadius: BorderRadius.circular(24),
-        border: Border.all(color: Palette.line),
-      ),
-      child: Padding(
-        padding: const EdgeInsets.all(20),
-        child: Column(
+    return CreamFrame(
+      padding: const EdgeInsets.all(20),
+      child: Column(
           crossAxisAlignment: CrossAxisAlignment.start,
           children: [
             Text(
@@ -56,7 +50,6 @@ class WalletAccessSection extends ConsumerWidget {
             ),
           ],
         ),
-      ),
     );
   }
 }
diff --git a/useragent/lib/screens/dashboard/clients/table.dart b/useragent/lib/screens/dashboard/clients/table.dart
index a84cfe9..7bfd43c 100644
--- a/useragent/lib/screens/dashboard/clients/table.dart
+++ b/useragent/lib/screens/dashboard/clients/table.dart
@@ -10,6 +10,8 @@ import 'package:flutter/services.dart';
 import 'package:flutter_hooks/flutter_hooks.dart';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
 import 'package:arbiter/theme/palette.dart';
+import 'package:arbiter/widgets/cream_frame.dart';
+import 'package:arbiter/widgets/state_panel.dart';
 import 'package:sizer/sizer.dart';
 
 // ─── Column width getters ─────────────────────────────────────────────────────
@@ -59,79 +61,6 @@ String _formatError(Object error) {
   return message;
 }
 
-// ─── State panel ─────────────────────────────────────────────────────────────
-
-class _StatePanel extends StatelessWidget {
-  const _StatePanel({
-    required this.icon,
-    required this.title,
-    required this.body,
-    this.actionLabel,
-    this.onAction,
-    this.busy = false,
-  });
-
-  final IconData icon;
-  final String title;
-  final String body;
-  final String? actionLabel;
-  final Future<void> Function()? onAction;
-  final bool busy;
-
-  @override
-  Widget build(BuildContext context) {
-    final theme = Theme.of(context);
-
-    return Container(
-      decoration: BoxDecoration(
-        borderRadius: BorderRadius.circular(24),
-        color: Palette.cream.withValues(alpha: 0.92),
-        border: Border.all(color: Palette.line),
-      ),
-      child: Padding(
-        padding: EdgeInsets.all(2.8.h),
-        child: Column(
-          crossAxisAlignment: CrossAxisAlignment.start,
-          children: [
-            if (busy)
-              SizedBox(
-                width: 2.8.h,
-                height: 2.8.h,
-                child: const CircularProgressIndicator(strokeWidth: 2.5),
-              )
-            else
-              Icon(icon, size: 34, color: Palette.coral),
-            SizedBox(height: 1.8.h),
-            Text(
-              title,
-              style: theme.textTheme.headlineSmall?.copyWith(
-                color: Palette.ink,
-                fontWeight: FontWeight.w800,
-              ),
-            ),
-            SizedBox(height: 1.h),
-            Text(
-              body,
-              style: theme.textTheme.bodyLarge?.copyWith(
-                color: Palette.ink.withValues(alpha: 0.72),
-                height: 1.5,
-              ),
-            ),
-            if (actionLabel != null && onAction != null) ...[
-              SizedBox(height: 2.h),
-              OutlinedButton.icon(
-                onPressed: () => onAction!(),
-                icon: const Icon(Icons.refresh),
-                label: Text(actionLabel!),
-              ),
-            ],
-          ],
-        ),
-      ),
-    );
-  }
-}
-
 // ─── Header ───────────────────────────────────────────────────────────────────
 
 class _Header extends StatelessWidget {
@@ -443,17 +372,11 @@ class _ClientTable extends StatelessWidget {
   Widget build(BuildContext context) {
     final theme = Theme.of(context);
 
-    return Container(
-      decoration: BoxDecoration(
-        borderRadius: BorderRadius.circular(24),
-        color: Palette.cream.withValues(alpha: 0.92),
-        border: Border.all(color: Palette.line),
-      ),
-      child: Padding(
-        padding: EdgeInsets.all(2.h),
-        child: LayoutBuilder(
-          builder: (context, constraints) {
-            final tableWidth = math.max(_tableMinWidth, constraints.maxWidth);
+    return CreamFrame(
+      padding: EdgeInsets.all(2.h),
+      child: LayoutBuilder(
+        builder: (context, constraints) {
+          final tableWidth = math.max(_tableMinWidth, constraints.maxWidth);
 
             return Column(
               crossAxisAlignment: CrossAxisAlignment.start,
@@ -497,7 +420,6 @@ class _ClientTable extends StatelessWidget {
             );
           },
         ),
-      ),
     );
   }
 }
@@ -533,27 +455,27 @@ class ClientsScreen extends HookConsumerWidget {
     final clients = clientsAsync.asData?.value;
 
     final content = switch (clientsAsync) {
-      AsyncLoading() when clients == null => const _StatePanel(
+      AsyncLoading() when clients == null => const StatePanel(
         icon: Icons.hourglass_top,
         title: 'Loading clients',
         body: 'Pulling client registry from Arbiter.',
         busy: true,
       ),
-      AsyncError(:final error) => _StatePanel(
+      AsyncError(:final error) => StatePanel(
         icon: Icons.sync_problem,
         title: 'Client registry unavailable',
         body: _formatError(error),
         actionLabel: 'Retry',
         onAction: refresh,
       ),
-      _ when !isConnected => _StatePanel(
+      _ when !isConnected => StatePanel(
         icon: Icons.portable_wifi_off,
         title: 'No active server connection',
         body: 'Reconnect to Arbiter to list SDK clients.',
         actionLabel: 'Refresh',
         onAction: refresh,
       ),
-      _ when clients != null && clients.isEmpty => _StatePanel(
+      _ when clients != null && clients.isEmpty => StatePanel(
         icon: Icons.devices_other_outlined,
         title: 'No clients yet',
         body: 'SDK clients appear here once they register with Arbiter.',
diff --git a/useragent/lib/screens/dashboard/evm/evm.dart b/useragent/lib/screens/dashboard/evm/evm.dart
index 743b369..89bab30 100644
--- a/useragent/lib/screens/dashboard/evm/evm.dart
+++ b/useragent/lib/screens/dashboard/evm/evm.dart
@@ -4,6 +4,7 @@ import 'package:arbiter/screens/dashboard/evm/wallets/table.dart';
 import 'package:arbiter/theme/palette.dart';
 import 'package:arbiter/providers/evm/evm.dart';
 import 'package:arbiter/widgets/page_header.dart';
+import 'package:arbiter/widgets/state_panel.dart';
 import 'package:auto_route/auto_route.dart';
 import 'package:flutter/material.dart';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
@@ -36,20 +37,20 @@ class EvmScreen extends HookConsumerWidget {
     }
 
     final content = switch (evm) {
-      AsyncLoading() when wallets == null => const _StatePanel(
+      AsyncLoading() when wallets == null => const StatePanel(
         icon: Icons.hourglass_top,
         title: 'Loading wallets',
         body: 'Pulling wallet registry from Arbiter.',
         busy: true,
       ),
-      AsyncError(:final error) => _StatePanel(
+      AsyncError(:final error) => StatePanel(
         icon: Icons.sync_problem,
         title: 'Wallet registry unavailable',
         body: _formatError(error),
         actionLabel: 'Retry',
         onAction: refreshWallets,
       ),
-      AsyncData(:final value) when value == null => _StatePanel(
+      AsyncData(:final value) when value == null => StatePanel(
         icon: Icons.portable_wifi_off,
         title: 'No active server connection',
         body: 'Reconnect to Arbiter to list or create EVM wallets.',
@@ -90,77 +91,6 @@ class EvmScreen extends HookConsumerWidget {
   }
 }
 
-class _StatePanel extends StatelessWidget {
-  const _StatePanel({
-    required this.icon,
-    required this.title,
-    required this.body,
-    this.actionLabel,
-    this.onAction,
-    this.busy = false,
-  });
-
-  final IconData icon;
-  final String title;
-  final String body;
-  final String? actionLabel;
-  final Future<void> Function()? onAction;
-  final bool busy;
-
-  @override
-  Widget build(BuildContext context) {
-    final theme = Theme.of(context);
-
-    return Container(
-      decoration: BoxDecoration(
-        borderRadius: BorderRadius.circular(24),
-        color: Palette.cream.withValues(alpha: 0.92),
-        border: Border.all(color: Palette.line),
-      ),
-      child: Padding(
-        padding: EdgeInsets.all(2.8.h),
-        child: Column(
-          crossAxisAlignment: CrossAxisAlignment.start,
-          children: [
-            if (busy)
-              SizedBox(
-                width: 2.8.h,
-                height: 2.8.h,
-                child: CircularProgressIndicator(strokeWidth: 2.5),
-              )
-            else
-              Icon(icon, size: 34, color: Palette.coral),
-            SizedBox(height: 1.8.h),
-            Text(
-              title,
-              style: theme.textTheme.headlineSmall?.copyWith(
-                color: Palette.ink,
-                fontWeight: FontWeight.w800,
-              ),
-            ),
-            SizedBox(height: 1.h),
-            Text(
-              body,
-              style: theme.textTheme.bodyLarge?.copyWith(
-                color: Palette.ink.withValues(alpha: 0.72),
-                height: 1.5,
-              ),
-            ),
-            if (actionLabel != null && onAction != null) ...[
-              SizedBox(height: 2.h),
-              OutlinedButton.icon(
-                onPressed: () => onAction!(),
-                icon: const Icon(Icons.refresh),
-                label: Text(actionLabel!),
-              ),
-            ],
-          ],
-        ),
-      ),
-    );
-  }
-}
-
 String _formatError(Object error) {
   final message = error.toString();
   if (message.startsWith('Exception: ')) {
diff --git a/useragent/lib/screens/dashboard/evm/grants/grants.dart b/useragent/lib/screens/dashboard/evm/grants/grants.dart
index eb73efc..b3b314b 100644
--- a/useragent/lib/screens/dashboard/evm/grants/grants.dart
+++ b/useragent/lib/screens/dashboard/evm/grants/grants.dart
@@ -5,6 +5,7 @@ import 'package:arbiter/router.gr.dart';
 import 'package:arbiter/screens/dashboard/evm/grants/widgets/grant_card.dart';
 import 'package:arbiter/theme/palette.dart';
 import 'package:arbiter/widgets/page_header.dart';
+import 'package:arbiter/widgets/state_panel.dart';
 import 'package:auto_route/auto_route.dart';
 import 'package:flutter/material.dart';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
@@ -18,79 +19,6 @@ String _formatError(Object error) {
   return message;
 }
 
-// ─── State panel ──────────────────────────────────────────────────────────────
-
-class _StatePanel extends StatelessWidget {
-  const _StatePanel({
-    required this.icon,
-    required this.title,
-    required this.body,
-    this.actionLabel,
-    this.onAction,
-    this.busy = false,
-  });
-
-  final IconData icon;
-  final String title;
-  final String body;
-  final String? actionLabel;
-  final Future<void> Function()? onAction;
-  final bool busy;
-
-  @override
-  Widget build(BuildContext context) {
-    final theme = Theme.of(context);
-
-    return Container(
-      decoration: BoxDecoration(
-        borderRadius: BorderRadius.circular(24),
-        color: Palette.cream.withValues(alpha: 0.92),
-        border: Border.all(color: Palette.line),
-      ),
-      child: Padding(
-        padding: EdgeInsets.all(2.8.h),
-        child: Column(
-          crossAxisAlignment: CrossAxisAlignment.start,
-          children: [
-            if (busy)
-              SizedBox(
-                width: 2.8.h,
-                height: 2.8.h,
-                child: const CircularProgressIndicator(strokeWidth: 2.5),
-              )
-            else
-              Icon(icon, size: 34, color: Palette.coral),
-            SizedBox(height: 1.8.h),
-            Text(
-              title,
-              style: theme.textTheme.headlineSmall?.copyWith(
-                color: Palette.ink,
-                fontWeight: FontWeight.w800,
-              ),
-            ),
-            SizedBox(height: 1.h),
-            Text(
-              body,
-              style: theme.textTheme.bodyLarge?.copyWith(
-                color: Palette.ink.withValues(alpha: 0.72),
-                height: 1.5,
-              ),
-            ),
-            if (actionLabel != null && onAction != null) ...[
-              SizedBox(height: 2.h),
-              OutlinedButton.icon(
-                onPressed: () => onAction!(),
-                icon: const Icon(Icons.refresh),
-                label: Text(actionLabel!),
-              ),
-            ],
-          ],
-        ),
-      ),
-    );
-  }
-}
-
 // ─── Grant list ───────────────────────────────────────────────────────────────
 
 class _GrantList extends StatelessWidget {
@@ -149,27 +77,27 @@ class EvmGrantsScreen extends ConsumerWidget {
     final grants = grantsState?.grants;
 
     final content = switch (grantsAsync) {
-      AsyncLoading() when grantsState == null => const _StatePanel(
+      AsyncLoading() when grantsState == null => const StatePanel(
         icon: Icons.hourglass_top,
         title: 'Loading grants',
         body: 'Pulling grant registry from Arbiter.',
         busy: true,
       ),
-      AsyncError(:final error) => _StatePanel(
+      AsyncError(:final error) => StatePanel(
         icon: Icons.sync_problem,
         title: 'Grant registry unavailable',
         body: _formatError(error),
         actionLabel: 'Retry',
         onAction: safeRefresh,
       ),
-      AsyncData(:final value) when value == null => _StatePanel(
+      AsyncData(:final value) when value == null => StatePanel(
         icon: Icons.portable_wifi_off,
         title: 'No active server connection',
         body: 'Reconnect to Arbiter to list EVM grants.',
         actionLabel: 'Refresh',
         onAction: safeRefresh,
       ),
-      _ when grants != null && grants.isEmpty => _StatePanel(
+      _ when grants != null && grants.isEmpty => StatePanel(
         icon: Icons.policy_outlined,
         title: 'No grants yet',
         body: 'Create a grant to allow SDK clients to sign transactions.',
diff --git a/useragent/lib/screens/dashboard/evm/wallets/table.dart b/useragent/lib/screens/dashboard/evm/wallets/table.dart
index 1093dfd..a364d72 100644
--- a/useragent/lib/screens/dashboard/evm/wallets/table.dart
+++ b/useragent/lib/screens/dashboard/evm/wallets/table.dart
@@ -1,6 +1,7 @@
 import 'dart:math' as math;
 import 'package:arbiter/proto/evm.pb.dart';
 import 'package:arbiter/theme/palette.dart';
+import 'package:arbiter/widgets/cream_frame.dart';
 import 'package:flutter/material.dart';
 import 'package:sizer/sizer.dart';
 
@@ -32,15 +33,9 @@ class WalletTable extends StatelessWidget {
   Widget build(BuildContext context) {
     final theme = Theme.of(context);
 
-    return Container(
-      decoration: BoxDecoration(
-        borderRadius: BorderRadius.circular(24),
-        color: Palette.cream.withValues(alpha: 0.92),
-        border: Border.all(color: Palette.line),
-      ),
-      child: Padding(
-        padding: EdgeInsets.all(2.h),
-        child: LayoutBuilder(
+    return CreamFrame(
+      padding: EdgeInsets.all(2.h),
+      child: LayoutBuilder(
           builder: (context, constraints) {
             final tableWidth = math.max(_tableMinWidth, constraints.maxWidth);
 
@@ -89,7 +84,6 @@ class WalletTable extends StatelessWidget {
             );
           },
         ),
-      ),
     );
   }
 }
diff --git a/useragent/lib/widgets/cream_frame.dart b/useragent/lib/widgets/cream_frame.dart
new file mode 100644
index 0000000..a4e19f7
--- /dev/null
+++ b/useragent/lib/widgets/cream_frame.dart
@@ -0,0 +1,32 @@
+import 'package:arbiter/theme/palette.dart';
+import 'package:flutter/material.dart';
+
+/// A card-shaped frame with the cream background, rounded corners, and a
+/// subtle border. Use [padding] for interior spacing and [margin] for exterior
+/// spacing.
+class CreamFrame extends StatelessWidget {
+  const CreamFrame({
+    super.key,
+    required this.child,
+    this.padding = EdgeInsets.zero,
+    this.margin,
+  });
+
+  final Widget child;
+  final EdgeInsetsGeometry padding;
+  final EdgeInsetsGeometry? margin;
+
+  @override
+  Widget build(BuildContext context) {
+    return Container(
+      margin: margin,
+      padding: padding,
+      decoration: BoxDecoration(
+        borderRadius: BorderRadius.circular(24),
+        color: Palette.cream,
+        border: Border.all(color: Palette.line),
+      ),
+      child: child,
+    );
+  }
+}
diff --git a/useragent/lib/widgets/state_panel.dart b/useragent/lib/widgets/state_panel.dart
new file mode 100644
index 0000000..4c73875
--- /dev/null
+++ b/useragent/lib/widgets/state_panel.dart
@@ -0,0 +1,69 @@
+import 'package:arbiter/widgets/cream_frame.dart';
+import 'package:arbiter/theme/palette.dart';
+import 'package:flutter/material.dart';
+import 'package:sizer/sizer.dart';
+
+class StatePanel extends StatelessWidget {
+  const StatePanel({
+    super.key,
+    required this.icon,
+    required this.title,
+    required this.body,
+    this.actionLabel,
+    this.onAction,
+    this.busy = false,
+  });
+
+  final IconData icon;
+  final String title;
+  final String body;
+  final String? actionLabel;
+  final Future<void> Function()? onAction;
+  final bool busy;
+
+  @override
+  Widget build(BuildContext context) {
+    final theme = Theme.of(context);
+
+    return CreamFrame(
+      padding: EdgeInsets.all(2.8.h),
+      child: Column(
+          crossAxisAlignment: CrossAxisAlignment.start,
+          children: [
+            if (busy)
+              SizedBox(
+                width: 2.8.h,
+                height: 2.8.h,
+                child: const CircularProgressIndicator(strokeWidth: 2.5),
+              )
+            else
+              Icon(icon, size: 34, color: Palette.coral),
+            SizedBox(height: 1.8.h),
+            Text(
+              title,
+              style: theme.textTheme.headlineSmall?.copyWith(
+                color: Palette.ink,
+                fontWeight: FontWeight.w800,
+              ),
+            ),
+            SizedBox(height: 1.h),
+            Text(
+              body,
+              style: theme.textTheme.bodyLarge?.copyWith(
+                color: Palette.ink.withValues(alpha: 0.72),
+                height: 1.5,
+              ),
+            ),
+            if (actionLabel != null && onAction != null) ...[
+              SizedBox(height: 2.h),
+              OutlinedButton.icon(
+                onPressed: () => onAction!(),
+                icon: const Icon(Icons.refresh),
+                label: Text(actionLabel!),
+              ),
+            ],
+          ],
+        ),
+    );
+  }
+}

From f32728a2776072cbae31321b3f396bd0116a5930 Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sat, 28 Mar 2026 18:13:13 +0100
Subject: [PATCH 09/29] style(dashboard): remove const from _CalloutBell and
 add title to nav rail

---
 useragent/lib/screens/dashboard.dart | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/useragent/lib/screens/dashboard.dart b/useragent/lib/screens/dashboard.dart
index 55d97c6..ea6813e 100644
--- a/useragent/lib/screens/dashboard.dart
+++ b/useragent/lib/screens/dashboard.dart
@@ -22,6 +22,9 @@ class DashboardRouter extends StatelessWidget {
 
   @override
   Widget build(BuildContext context) {
+    final title = const Text("Arbiter", style: TextStyle(fontWeight: FontWeight.w800));
+
+
     return AutoTabsRouter(
       routes: routes,
       transitionBuilder: (context, child, animation) => FadeTransition(
@@ -58,9 +61,12 @@ class DashboardRouter extends StatelessWidget {
           onSelectedIndexChange: (index) {
             tabsRouter.navigate(routes[index]);
           },
+          leadingExtendedNavRail: title,
+          leadingUnextendedNavRail: title,
           selectedIndex: currentActive,
           transitionDuration: const Duration(milliseconds: 800),
           internalAnimations: true,
+          
           trailingNavRail: const _CalloutBell(),
         );
       },

From bce6ecd409db771f37f45ec9ae5a6cca3c833374 Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sat, 28 Mar 2026 18:18:28 +0100
Subject: [PATCH 10/29] refactor(grants): wrap grant list in
 SingleChildScrollView

---
 .../screens/dashboard/evm/grants/grants.dart  | 24 +++++++++----------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/useragent/lib/screens/dashboard/evm/grants/grants.dart b/useragent/lib/screens/dashboard/evm/grants/grants.dart
index b3b314b..cccec5d 100644
--- a/useragent/lib/screens/dashboard/evm/grants/grants.dart
+++ b/useragent/lib/screens/dashboard/evm/grants/grants.dart
@@ -19,8 +19,6 @@ String _formatError(Object error) {
   return message;
 }
 
-// ─── Grant list ───────────────────────────────────────────────────────────────
-
 class _GrantList extends StatelessWidget {
   const _GrantList({required this.grants});
 
@@ -28,22 +26,22 @@ class _GrantList extends StatelessWidget {
 
   @override
   Widget build(BuildContext context) {
-    return Column(
-      children: [
-        for (var i = 0; i < grants.length; i++)
-          Padding(
-            padding: EdgeInsets.only(
-              bottom: i == grants.length - 1 ? 0 : 1.8.h,
+    return SingleChildScrollView(
+      child: Column(
+        children: [
+          for (var i = 0; i < grants.length; i++)
+            Padding(
+              padding: EdgeInsets.only(
+                bottom: i == grants.length - 1 ? 0 : 1.8.h,
+              ),
+              child: GrantCard(grant: grants[i]),
             ),
-            child: GrantCard(grant: grants[i]),
-          ),
-      ],
+        ],
+      ),
     );
   }
 }
 
-// ─── Screen ───────────────────────────────────────────────────────────────────
-
 @RoutePage()
 class EvmGrantsScreen extends ConsumerWidget {
   const EvmGrantsScreen({super.key});

From 643f2514195ff4881d675946e511b9231bad9b6a Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sat, 28 Mar 2026 19:17:55 +0100
Subject: [PATCH 11/29] fix(useragent::dashboard): screen pushed twice due to
 improper listen hook

---
 useragent/lib/screens/server_connection.dart | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/useragent/lib/screens/server_connection.dart b/useragent/lib/screens/server_connection.dart
index 3a407cf..9f8e851 100644
--- a/useragent/lib/screens/server_connection.dart
+++ b/useragent/lib/screens/server_connection.dart
@@ -15,11 +15,11 @@ class ServerConnectionScreen extends HookConsumerWidget {
   Widget build(BuildContext context, WidgetRef ref) {
     final connectionState = ref.watch(connectionManagerProvider);
 
-    if (connectionState.value != null) {
-      WidgetsBinding.instance.addPostFrameCallback((_) {
+    ref.listen(connectionManagerProvider, (_, next) {
+      if (next.value != null && context.mounted) {
         context.router.replace(const VaultSetupRoute());
-      });
-    }
+      }
+    });
 
     final body = switch (connectionState) {
       AsyncLoading() => const CircularProgressIndicator(),

From 523bf783ac074ed3957b97b32457294bf229f77c Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sun, 29 Mar 2026 12:45:00 +0200
Subject: [PATCH 12/29] refactor(grpc): extract user agent request handlers
 into separate functions

---
 .../arbiter-server/src/grpc/user_agent.rs     | 587 ++++++++++--------
 1 file changed, 319 insertions(+), 268 deletions(-)

diff --git a/server/crates/arbiter-server/src/grpc/user_agent.rs b/server/crates/arbiter-server/src/grpc/user_agent.rs
index 832c468..3a8de53 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent.rs
@@ -21,7 +21,7 @@ use arbiter_proto::{
             SdkClientEntry as ProtoSdkClientEntry, SdkClientError as ProtoSdkClientError,
             SdkClientGrantWalletAccess, SdkClientList as ProtoSdkClientList,
             SdkClientListResponse as ProtoSdkClientListResponse, SdkClientRevokeWalletAccess,
-            SdkClientWalletAccess, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
+            UnsealEncryptedKey as ProtoUnsealEncryptedKey,
             UnsealResult as ProtoUnsealResult, UnsealStart, UserAgentRequest, UserAgentResponse,
             VaultState as ProtoVaultState,
             sdk_client_list_response::Result as ProtoSdkClientListResult,
@@ -53,7 +53,7 @@ use crate::{
             },
         },
     },
-    db::models::{CoreEvmWalletAccess, NewEvmWalletAccess},
+    db::models::NewEvmWalletAccess,
     grpc::{Convert, TryConvert, request_tracker::RequestTracker},
 };
 mod auth;
@@ -158,285 +158,336 @@ async fn dispatch_inner(
     actor: &ActorRef<UserAgentSession>,
     payload: UserAgentRequestPayload,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let response = match payload {
-        UserAgentRequestPayload::UnsealStart(UnsealStart { client_pubkey }) => {
-            let client_pubkey = <[u8; 32]>::try_from(client_pubkey)
-                .map(x25519_dalek::PublicKey::from)
-                .map_err(|_| Status::invalid_argument("Invalid X25519 public key"))?;
-
-            let response = actor
-                .ask(HandleUnsealRequest { client_pubkey })
-                .await
-                .map_err(|err| {
-                    warn!(error = ?err, "Failed to handle unseal start request");
-                    Status::internal("Failed to start unseal flow")
-                })?;
-
-            UserAgentResponsePayload::UnsealStartResponse(
-                arbiter_proto::proto::user_agent::UnsealStartResponse {
-                    server_pubkey: response.server_pubkey.as_bytes().to_vec(),
-                },
-            )
+    match payload {
+        UserAgentRequestPayload::UnsealStart(req) => handle_unseal_start(actor, req).await,
+        UserAgentRequestPayload::UnsealEncryptedKey(req) => {
+            handle_unseal_encrypted_key(actor, req).await
         }
-
-        UserAgentRequestPayload::UnsealEncryptedKey(ProtoUnsealEncryptedKey {
-            nonce,
-            ciphertext,
-            associated_data,
-        }) => {
-            let result = match actor
-                .ask(HandleUnsealEncryptedKey {
-                    nonce,
-                    ciphertext,
-                    associated_data,
-                })
-                .await
-            {
-                Ok(()) => ProtoUnsealResult::Success,
-                Err(SendError::HandlerError(UnsealError::InvalidKey)) => {
-                    ProtoUnsealResult::InvalidKey
-                }
-                Err(err) => {
-                    warn!(error = ?err, "Failed to handle unseal request");
-                    return Err(Status::internal("Failed to unseal vault"));
-                }
-            };
-            UserAgentResponsePayload::UnsealResult(result.into())
+        UserAgentRequestPayload::BootstrapEncryptedKey(req) => {
+            handle_bootstrap_encrypted_key(actor, req).await
         }
-
-        UserAgentRequestPayload::BootstrapEncryptedKey(ProtoBootstrapEncryptedKey {
-            nonce,
-            ciphertext,
-            associated_data,
-        }) => {
-            let result = match actor
-                .ask(HandleBootstrapEncryptedKey {
-                    nonce,
-                    ciphertext,
-                    associated_data,
-                })
-                .await
-            {
-                Ok(()) => ProtoBootstrapResult::Success,
-                Err(SendError::HandlerError(BootstrapError::InvalidKey)) => {
-                    ProtoBootstrapResult::InvalidKey
-                }
-                Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
-                    ProtoBootstrapResult::AlreadyBootstrapped
-                }
-                Err(err) => {
-                    warn!(error = ?err, "Failed to handle bootstrap request");
-                    return Err(Status::internal("Failed to bootstrap vault"));
-                }
-            };
-            UserAgentResponsePayload::BootstrapResult(result.into())
-        }
-
-        UserAgentRequestPayload::QueryVaultState(_) => {
-            let state = match actor.ask(HandleQueryVaultState {}).await {
-                Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
-                Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
-                Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
-                Err(err) => {
-                    warn!(error = ?err, "Failed to query vault state");
-                    ProtoVaultState::Error
-                }
-            };
-            UserAgentResponsePayload::VaultState(state.into())
-        }
-
-        UserAgentRequestPayload::EvmWalletCreate(_) => {
-            let result = match actor.ask(HandleEvmWalletCreate {}).await {
-                Ok((wallet_id, address)) => WalletCreateResult::Wallet(WalletEntry {
-                    id: wallet_id,
-                    address: address.to_vec(),
-                }),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to create EVM wallet");
-                    WalletCreateResult::Error(ProtoEvmError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::EvmWalletCreate(WalletCreateResponse {
-                result: Some(result),
-            })
-        }
-
-        UserAgentRequestPayload::EvmWalletList(_) => {
-            let result = match actor.ask(HandleEvmWalletList {}).await {
-                Ok(wallets) => WalletListResult::Wallets(WalletList {
-                    wallets: wallets
-                        .into_iter()
-                        .map(|(id, address)| WalletEntry {
-                            address: address.to_vec(),
-                            id,
-                        })
-                        .collect(),
-                }),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to list EVM wallets");
-                    WalletListResult::Error(ProtoEvmError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::EvmWalletList(WalletListResponse {
-                result: Some(result),
-            })
-        }
-
-        UserAgentRequestPayload::EvmGrantList(_) => {
-            let result = match actor.ask(HandleGrantList {}).await {
-                Ok(grants) => EvmGrantListResult::Grants(EvmGrantList {
-                    grants: grants
-                        .into_iter()
-                        .map(|grant| GrantEntry {
-                            id: grant.id,
-                            wallet_access_id: grant.shared.wallet_access_id,
-                            shared: Some(grant.shared.convert()),
-                            specific: Some(grant.settings.convert()),
-                        })
-                        .collect(),
-                }),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to list EVM grants");
-                    EvmGrantListResult::Error(ProtoEvmError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::EvmGrantList(EvmGrantListResponse {
-                result: Some(result),
-            })
-        }
-
-        UserAgentRequestPayload::EvmGrantCreate(EvmGrantCreateRequest { shared, specific }) => {
-            let basic = shared
-                .ok_or_else(|| Status::invalid_argument("Missing shared grant settings"))?
-                .try_convert()?;
-            let grant = specific
-                .ok_or_else(|| Status::invalid_argument("Missing specific grant settings"))?
-                .try_convert()?;
-
-            let result = match actor.ask(HandleGrantCreate { basic, grant }).await {
-                Ok(grant_id) => EvmGrantCreateResult::GrantId(grant_id),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to create EVM grant");
-                    EvmGrantCreateResult::Error(ProtoEvmError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::EvmGrantCreate(EvmGrantCreateResponse {
-                result: Some(result),
-            })
-        }
-
-        UserAgentRequestPayload::EvmGrantDelete(EvmGrantDeleteRequest { grant_id }) => {
-            let result = match actor.ask(HandleGrantDelete { grant_id }).await {
-                Ok(()) => EvmGrantDeleteResult::Ok(()),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to delete EVM grant");
-                    EvmGrantDeleteResult::Error(ProtoEvmError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::EvmGrantDelete(EvmGrantDeleteResponse {
-                result: Some(result),
-            })
-        }
-
+        UserAgentRequestPayload::QueryVaultState(_) => handle_query_vault_state(actor).await,
+        UserAgentRequestPayload::EvmWalletCreate(_) => handle_evm_wallet_create(actor).await,
+        UserAgentRequestPayload::EvmWalletList(_) => handle_evm_wallet_list(actor).await,
+        UserAgentRequestPayload::EvmGrantList(_) => handle_evm_grant_list(actor).await,
+        UserAgentRequestPayload::EvmGrantCreate(req) => handle_evm_grant_create(actor, req).await,
+        UserAgentRequestPayload::EvmGrantDelete(req) => handle_evm_grant_delete(actor, req).await,
         UserAgentRequestPayload::SdkClientConnectionResponse(resp) => {
-            let pubkey_bytes = <[u8; 32]>::try_from(resp.pubkey)
-                .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key length"))?;
-            let pubkey = ed25519_dalek::VerifyingKey::from_bytes(&pubkey_bytes)
-                .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key"))?;
-
-            actor
-                .ask(HandleNewClientApprove {
-                    approved: resp.approved,
-                    pubkey,
-                })
-                .await
-                .map_err(|err| {
-                    warn!(?err, "Failed to process client connection response");
-                    Status::internal("Failed to process response")
-                })?;
-
-            return Ok(None);
+            handle_sdk_client_connection_response(actor, resp).await
         }
-
-        UserAgentRequestPayload::SdkClientRevoke(_) => todo!(),
-
-        UserAgentRequestPayload::SdkClientList(_) => {
-            let result = match actor.ask(HandleSdkClientList {}).await {
-                Ok(clients) => ProtoSdkClientListResult::Clients(ProtoSdkClientList {
-                    clients: clients
-                        .into_iter()
-                        .map(|(client, metadata)| ProtoSdkClientEntry {
-                            id: client.id,
-                            pubkey: client.public_key,
-                            info: Some(ProtoClientMetadata {
-                                name: metadata.name,
-                                description: metadata.description,
-                                version: metadata.version,
-                            }),
-                            created_at: client.created_at.0.timestamp() as i32,
-                        })
-                        .collect(),
-                }),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to list SDK clients");
-                    ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::SdkClientListResponse(ProtoSdkClientListResponse {
-                result: Some(result),
-            })
+        UserAgentRequestPayload::SdkClientRevoke(_) => {
+            Err(Status::unimplemented("SdkClientRevoke is not yet implemented"))
         }
-
-        UserAgentRequestPayload::GrantWalletAccess(SdkClientGrantWalletAccess { accesses }) => {
-            let entries: Vec<NewEvmWalletAccess> =
-                accesses.into_iter().map(|a| a.convert()).collect();
-
-            match actor.ask(HandleGrantEvmWalletAccess { entries }).await {
-                Ok(()) => {
-                    info!("Successfully granted wallet access");
-                    return Ok(None);
-                }
-                Err(err) => {
-                    warn!(error = ?err, "Failed to grant wallet access");
-                    return Err(Status::internal("Failed to grant wallet access"));
-                }
-            }
+        UserAgentRequestPayload::SdkClientList(_) => handle_sdk_client_list(actor).await,
+        UserAgentRequestPayload::GrantWalletAccess(req) => {
+            handle_grant_wallet_access(actor, req).await
         }
-
-        UserAgentRequestPayload::RevokeWalletAccess(SdkClientRevokeWalletAccess { accesses }) => {
-            match actor.ask(HandleRevokeEvmWalletAccess { entries: accesses }).await {
-                Ok(()) => {
-                    info!("Successfully revoked wallet access");
-                    return Ok(None);
-                }
-                Err(err) => {
-                    warn!(error = ?err, "Failed to revoke wallet access");
-                    return Err(Status::internal("Failed to revoke wallet access"));
-                }
-            }
+        UserAgentRequestPayload::RevokeWalletAccess(req) => {
+            handle_revoke_wallet_access(actor, req).await
         }
-
-        UserAgentRequestPayload::ListWalletAccess(_) => {
-            let result = match actor.ask(HandleListWalletAccess {}).await {
-                Ok(accesses) => ListWalletAccessResponse {
-                    accesses: accesses.into_iter().map(|a| a.convert()).collect(),
-                },
-                Err(err) => {
-                    warn!(error = ?err, "Failed to list wallet access");
-                    return Err(Status::internal("Failed to list wallet access"));
-                }
-            };
-            UserAgentResponsePayload::ListWalletAccessResponse(result)
-        }
-
+        UserAgentRequestPayload::ListWalletAccess(_) => handle_list_wallet_access(actor).await,
         UserAgentRequestPayload::AuthChallengeRequest(..)
         | UserAgentRequestPayload::AuthChallengeSolution(..) => {
             warn!(?payload, "Unsupported post-auth user agent request");
-            return Err(Status::invalid_argument("Unsupported user-agent request"));
+            Err(Status::invalid_argument("Unsupported user-agent request"))
+        }
+    }
+}
+
+async fn handle_unseal_start(
+    actor: &ActorRef<UserAgentSession>,
+    req: UnsealStart,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let client_pubkey = <[u8; 32]>::try_from(req.client_pubkey)
+        .map(x25519_dalek::PublicKey::from)
+        .map_err(|_| Status::invalid_argument("Invalid X25519 public key"))?;
+
+    let response = actor
+        .ask(HandleUnsealRequest { client_pubkey })
+        .await
+        .map_err(|err| {
+            warn!(error = ?err, "Failed to handle unseal start request");
+            Status::internal("Failed to start unseal flow")
+        })?;
+
+    Ok(Some(UserAgentResponsePayload::UnsealStartResponse(
+        arbiter_proto::proto::user_agent::UnsealStartResponse {
+            server_pubkey: response.server_pubkey.as_bytes().to_vec(),
+        },
+    )))
+}
+
+async fn handle_unseal_encrypted_key(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoUnsealEncryptedKey,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor
+        .ask(HandleUnsealEncryptedKey {
+            nonce: req.nonce,
+            ciphertext: req.ciphertext,
+            associated_data: req.associated_data,
+        })
+        .await
+    {
+        Ok(()) => ProtoUnsealResult::Success,
+        Err(SendError::HandlerError(UnsealError::InvalidKey)) => ProtoUnsealResult::InvalidKey,
+        Err(err) => {
+            warn!(error = ?err, "Failed to handle unseal request");
+            return Err(Status::internal("Failed to unseal vault"));
         }
     };
+    Ok(Some(UserAgentResponsePayload::UnsealResult(result.into())))
+}
 
-    Ok(Some(response))
+async fn handle_bootstrap_encrypted_key(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoBootstrapEncryptedKey,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor
+        .ask(HandleBootstrapEncryptedKey {
+            nonce: req.nonce,
+            ciphertext: req.ciphertext,
+            associated_data: req.associated_data,
+        })
+        .await
+    {
+        Ok(()) => ProtoBootstrapResult::Success,
+        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => ProtoBootstrapResult::InvalidKey,
+        Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
+            ProtoBootstrapResult::AlreadyBootstrapped
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to handle bootstrap request");
+            return Err(Status::internal("Failed to bootstrap vault"));
+        }
+    };
+    Ok(Some(UserAgentResponsePayload::BootstrapResult(result.into())))
+}
+
+async fn handle_query_vault_state(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let state = match actor.ask(HandleQueryVaultState {}).await {
+        Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
+        Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
+        Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
+        Err(err) => {
+            warn!(error = ?err, "Failed to query vault state");
+            ProtoVaultState::Error
+        }
+    };
+    Ok(Some(UserAgentResponsePayload::VaultState(state.into())))
+}
+
+async fn handle_evm_wallet_create(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleEvmWalletCreate {}).await {
+        Ok((wallet_id, address)) => WalletCreateResult::Wallet(WalletEntry {
+            id: wallet_id,
+            address: address.to_vec(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to create EVM wallet");
+            WalletCreateResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(UserAgentResponsePayload::EvmWalletCreate(
+        WalletCreateResponse { result: Some(result) },
+    )))
+}
+
+async fn handle_evm_wallet_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleEvmWalletList {}).await {
+        Ok(wallets) => WalletListResult::Wallets(WalletList {
+            wallets: wallets
+                .into_iter()
+                .map(|(id, address)| WalletEntry {
+                    address: address.to_vec(),
+                    id,
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list EVM wallets");
+            WalletListResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(UserAgentResponsePayload::EvmWalletList(
+        WalletListResponse { result: Some(result) },
+    )))
+}
+
+async fn handle_evm_grant_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleGrantList {}).await {
+        Ok(grants) => EvmGrantListResult::Grants(EvmGrantList {
+            grants: grants
+                .into_iter()
+                .map(|grant| GrantEntry {
+                    id: grant.id,
+                    wallet_access_id: grant.shared.wallet_access_id,
+                    shared: Some(grant.shared.convert()),
+                    specific: Some(grant.settings.convert()),
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list EVM grants");
+            EvmGrantListResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(UserAgentResponsePayload::EvmGrantList(
+        EvmGrantListResponse { result: Some(result) },
+    )))
+}
+
+async fn handle_evm_grant_create(
+    actor: &ActorRef<UserAgentSession>,
+    req: EvmGrantCreateRequest,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let basic = req
+        .shared
+        .ok_or_else(|| Status::invalid_argument("Missing shared grant settings"))?
+        .try_convert()?;
+    let grant = req
+        .specific
+        .ok_or_else(|| Status::invalid_argument("Missing specific grant settings"))?
+        .try_convert()?;
+
+    let result = match actor.ask(HandleGrantCreate { basic, grant }).await {
+        Ok(grant_id) => EvmGrantCreateResult::GrantId(grant_id),
+        Err(err) => {
+            warn!(error = ?err, "Failed to create EVM grant");
+            EvmGrantCreateResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(UserAgentResponsePayload::EvmGrantCreate(
+        EvmGrantCreateResponse { result: Some(result) },
+    )))
+}
+
+async fn handle_evm_grant_delete(
+    actor: &ActorRef<UserAgentSession>,
+    req: EvmGrantDeleteRequest,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleGrantDelete { grant_id: req.grant_id }).await {
+        Ok(()) => EvmGrantDeleteResult::Ok(()),
+        Err(err) => {
+            warn!(error = ?err, "Failed to delete EVM grant");
+            EvmGrantDeleteResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(UserAgentResponsePayload::EvmGrantDelete(
+        EvmGrantDeleteResponse { result: Some(result) },
+    )))
+}
+
+async fn handle_sdk_client_connection_response(
+    actor: &ActorRef<UserAgentSession>,
+    resp: arbiter_proto::proto::user_agent::SdkClientConnectionResponse,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let pubkey_bytes = <[u8; 32]>::try_from(resp.pubkey)
+        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key length"))?;
+    let pubkey = ed25519_dalek::VerifyingKey::from_bytes(&pubkey_bytes)
+        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key"))?;
+
+    actor
+        .ask(HandleNewClientApprove {
+            approved: resp.approved,
+            pubkey,
+        })
+        .await
+        .map_err(|err| {
+            warn!(?err, "Failed to process client connection response");
+            Status::internal("Failed to process response")
+        })?;
+
+    Ok(None)
+}
+
+async fn handle_sdk_client_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleSdkClientList {}).await {
+        Ok(clients) => ProtoSdkClientListResult::Clients(ProtoSdkClientList {
+            clients: clients
+                .into_iter()
+                .map(|(client, metadata)| ProtoSdkClientEntry {
+                    id: client.id,
+                    pubkey: client.public_key,
+                    info: Some(ProtoClientMetadata {
+                        name: metadata.name,
+                        description: metadata.description,
+                        version: metadata.version,
+                    }),
+                    created_at: client.created_at.0.timestamp() as i32,
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list SDK clients");
+            ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
+        }
+    };
+    Ok(Some(UserAgentResponsePayload::SdkClientListResponse(
+        ProtoSdkClientListResponse { result: Some(result) },
+    )))
+}
+
+async fn handle_grant_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+    req: SdkClientGrantWalletAccess,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let entries: Vec<NewEvmWalletAccess> = req.accesses.into_iter().map(|a| a.convert()).collect();
+    match actor.ask(HandleGrantEvmWalletAccess { entries }).await {
+        Ok(()) => {
+            info!("Successfully granted wallet access");
+            Ok(None)
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to grant wallet access");
+            Err(Status::internal("Failed to grant wallet access"))
+        }
+    }
+}
+
+async fn handle_revoke_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+    req: SdkClientRevokeWalletAccess,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    match actor
+        .ask(HandleRevokeEvmWalletAccess { entries: req.accesses })
+        .await
+    {
+        Ok(()) => {
+            info!("Successfully revoked wallet access");
+            Ok(None)
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to revoke wallet access");
+            Err(Status::internal("Failed to revoke wallet access"))
+        }
+    }
+}
+
+async fn handle_list_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    match actor.ask(HandleListWalletAccess {}).await {
+        Ok(accesses) => Ok(Some(UserAgentResponsePayload::ListWalletAccessResponse(
+            ListWalletAccessResponse {
+                accesses: accesses.into_iter().map(|a| a.convert()).collect(),
+            },
+        ))),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list wallet access");
+            Err(Status::internal("Failed to list wallet access"))
+        }
+    }
 }
 
 pub async fn start(

From 59c7091cba2c304c0e72f2316b3e9e6d2d364c81 Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sat, 28 Mar 2026 19:35:58 +0100
Subject: [PATCH 13/29] refactor(useragent::evm::grants): split into more files
 & flutter_form_builder usage

---
 useragent/lib/router.gr.dart                  |   2 +-
 .../grants/create/fields/chain_id_field.dart  |  21 +
 .../create/fields/client_picker_field.dart    |  38 +
 .../grants/create/fields/date_time_field.dart |  61 ++
 .../create/fields/gas_fee_options_field.dart  |  39 +
 .../fields/transaction_rate_limit_field.dart  |  39 +
 .../create/fields/validity_window_field.dart  |  29 +
 .../fields/wallet_access_picker_field.dart    |  57 ++
 .../create/grants/ether_transfer_grant.dart   | 225 +++++
 .../create/grants/ether_transfer_grant.g.dart |  63 ++
 .../create/grants/grant_form_handler.dart     |  26 +
 .../create/grants/token_transfer_grant.dart   | 233 +++++
 .../create/grants/token_transfer_grant.g.dart |  63 ++
 .../dashboard/evm/grants/create/provider.dart |  24 +
 .../evm/grants/create/provider.freezed.dart   | 274 ++++++
 .../evm/grants/create/provider.g.dart         |  62 ++
 .../dashboard/evm/grants/create/screen.dart   | 252 +++++
 .../grants/create/shared_grant_fields.dart    |  37 +
 .../dashboard/evm/grants/create/utils.dart    |  73 ++
 .../dashboard/evm/grants/grant_create.dart    | 902 ------------------
 useragent/lib/theme/palette.dart              |   3 +
 useragent/pubspec.lock                        |  60 +-
 useragent/pubspec.yaml                        |   3 +-
 23 files changed, 1656 insertions(+), 930 deletions(-)
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/fields/chain_id_field.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/fields/client_picker_field.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/fields/date_time_field.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/fields/gas_fee_options_field.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/fields/transaction_rate_limit_field.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/fields/validity_window_field.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/grants/ether_transfer_grant.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/grants/ether_transfer_grant.g.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/grants/grant_form_handler.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/grants/token_transfer_grant.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/grants/token_transfer_grant.g.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/provider.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/provider.freezed.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/provider.g.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/screen.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/shared_grant_fields.dart
 create mode 100644 useragent/lib/screens/dashboard/evm/grants/create/utils.dart
 delete mode 100644 useragent/lib/screens/dashboard/evm/grants/grant_create.dart

diff --git a/useragent/lib/router.gr.dart b/useragent/lib/router.gr.dart
index e4d05bb..f20b537 100644
--- a/useragent/lib/router.gr.dart
+++ b/useragent/lib/router.gr.dart
@@ -18,7 +18,7 @@ import 'package:arbiter/screens/dashboard/clients/details/client_details.dart'
     as _i4;
 import 'package:arbiter/screens/dashboard/clients/table.dart' as _i5;
 import 'package:arbiter/screens/dashboard/evm/evm.dart' as _i9;
-import 'package:arbiter/screens/dashboard/evm/grants/grant_create.dart' as _i6;
+import 'package:arbiter/screens/dashboard/evm/grants/create/screen.dart' as _i6;
 import 'package:arbiter/screens/dashboard/evm/grants/grants.dart' as _i8;
 import 'package:arbiter/screens/server_connection.dart' as _i10;
 import 'package:arbiter/screens/server_info_setup.dart' as _i11;
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/fields/chain_id_field.dart b/useragent/lib/screens/dashboard/evm/grants/create/fields/chain_id_field.dart
new file mode 100644
index 0000000..8d2d318
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/fields/chain_id_field.dart
@@ -0,0 +1,21 @@
+// lib/screens/dashboard/evm/grants/create/fields/chain_id_field.dart
+import 'package:flutter/material.dart';
+import 'package:flutter_form_builder/flutter_form_builder.dart';
+
+class ChainIdField extends StatelessWidget {
+  const ChainIdField({super.key});
+
+  @override
+  Widget build(BuildContext context) {
+    return FormBuilderTextField(
+      name: 'chainId',
+      initialValue: '1',
+      keyboardType: TextInputType.number,
+      decoration: const InputDecoration(
+        labelText: 'Chain ID',
+        hintText: '1',
+        border: OutlineInputBorder(),
+      ),
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/fields/client_picker_field.dart b/useragent/lib/screens/dashboard/evm/grants/create/fields/client_picker_field.dart
new file mode 100644
index 0000000..8369083
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/fields/client_picker_field.dart
@@ -0,0 +1,38 @@
+// lib/screens/dashboard/evm/grants/create/fields/client_picker_field.dart
+import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/providers/sdk_clients/list.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/provider.dart';
+import 'package:flutter/material.dart';
+import 'package:flutter_form_builder/flutter_form_builder.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+
+class ClientPickerField extends ConsumerWidget {
+  const ClientPickerField({super.key});
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final clients =
+        ref.watch(sdkClientsProvider).asData?.value ?? const <SdkClientEntry>[];
+
+    return FormBuilderDropdown<int>(
+      name: 'clientId',
+      decoration: const InputDecoration(
+        labelText: 'Client',
+        border: OutlineInputBorder(),
+      ),
+      items: [
+        for (final c in clients)
+          DropdownMenuItem(
+            value: c.id,
+            child: Text(c.info.name.isEmpty ? 'Client #${c.id}' : c.info.name),
+          ),
+      ],
+      onChanged: clients.isEmpty
+          ? null
+          : (value) {
+              ref.read(grantCreationProvider.notifier).setClientId(value);
+              FormBuilder.of(context)?.fields['walletAccessId']?.didChange(null);
+            },
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/fields/date_time_field.dart b/useragent/lib/screens/dashboard/evm/grants/create/fields/date_time_field.dart
new file mode 100644
index 0000000..166359c
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/fields/date_time_field.dart
@@ -0,0 +1,61 @@
+// lib/screens/dashboard/evm/grants/create/fields/date_time_field.dart
+import 'package:flutter/material.dart';
+import 'package:flutter_form_builder/flutter_form_builder.dart';
+import 'package:sizer/sizer.dart';
+
+/// A [FormBuilderField] that opens a date picker followed by a time picker.
+/// Long-press clears the value.
+class FormBuilderDateTimeField extends FormBuilderField<DateTime?> {
+  final String label;
+
+  FormBuilderDateTimeField({
+    super.key,
+    required super.name,
+    required this.label,
+    super.initialValue,
+    super.onChanged,
+    super.validator,
+  }) : super(
+          builder: (FormFieldState<DateTime?> field) {
+            final value = field.value;
+            return OutlinedButton(
+              onPressed: () async {
+                final ctx = field.context;
+                final now = DateTime.now();
+                final date = await showDatePicker(
+                  context: ctx,
+                  firstDate: DateTime(now.year - 5),
+                  lastDate: DateTime(now.year + 10),
+                  initialDate: value ?? now,
+                );
+                if (date == null) return;
+                if (!ctx.mounted) return;
+                final time = await showTimePicker(
+                  context: ctx,
+                  initialTime: TimeOfDay.fromDateTime(value ?? now),
+                );
+                if (time == null) return;
+                field.didChange(DateTime(
+                  date.year,
+                  date.month,
+                  date.day,
+                  time.hour,
+                  time.minute,
+                ));
+              },
+              onLongPress: value == null ? null : () => field.didChange(null),
+              child: Padding(
+                padding: EdgeInsets.symmetric(vertical: 1.8.h),
+                child: Column(
+                  crossAxisAlignment: CrossAxisAlignment.start,
+                  children: [
+                    Text(label),
+                    SizedBox(height: 0.6.h),
+                    Text(value?.toLocal().toString() ?? 'Not set'),
+                  ],
+                ),
+              ),
+            );
+          },
+        );
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/fields/gas_fee_options_field.dart b/useragent/lib/screens/dashboard/evm/grants/create/fields/gas_fee_options_field.dart
new file mode 100644
index 0000000..86e3dd0
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/fields/gas_fee_options_field.dart
@@ -0,0 +1,39 @@
+// lib/screens/dashboard/evm/grants/create/fields/gas_fee_options_field.dart
+import 'package:flutter/material.dart';
+import 'package:flutter_form_builder/flutter_form_builder.dart';
+import 'package:sizer/sizer.dart';
+
+class GasFeeOptionsField extends StatelessWidget {
+  const GasFeeOptionsField({super.key});
+
+  @override
+  Widget build(BuildContext context) {
+    return Row(
+      children: [
+        Expanded(
+          child: FormBuilderTextField(
+            name: 'maxGasFeePerGas',
+            keyboardType: TextInputType.number,
+            decoration: const InputDecoration(
+              labelText: 'Max gas fee / gas',
+              hintText: '1000000000',
+              border: OutlineInputBorder(),
+            ),
+          ),
+        ),
+        SizedBox(width: 1.w),
+        Expanded(
+          child: FormBuilderTextField(
+            name: 'maxPriorityFeePerGas',
+            keyboardType: TextInputType.number,
+            decoration: const InputDecoration(
+              labelText: 'Max priority fee / gas',
+              hintText: '100000000',
+              border: OutlineInputBorder(),
+            ),
+          ),
+        ),
+      ],
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/fields/transaction_rate_limit_field.dart b/useragent/lib/screens/dashboard/evm/grants/create/fields/transaction_rate_limit_field.dart
new file mode 100644
index 0000000..f63a1d8
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/fields/transaction_rate_limit_field.dart
@@ -0,0 +1,39 @@
+// lib/screens/dashboard/evm/grants/create/fields/transaction_rate_limit_field.dart
+import 'package:flutter/material.dart';
+import 'package:flutter_form_builder/flutter_form_builder.dart';
+import 'package:sizer/sizer.dart';
+
+class TransactionRateLimitField extends StatelessWidget {
+  const TransactionRateLimitField({super.key});
+
+  @override
+  Widget build(BuildContext context) {
+    return Row(
+      children: [
+        Expanded(
+          child: FormBuilderTextField(
+            name: 'txCount',
+            keyboardType: TextInputType.number,
+            decoration: const InputDecoration(
+              labelText: 'Tx count limit',
+              hintText: '10',
+              border: OutlineInputBorder(),
+            ),
+          ),
+        ),
+        SizedBox(width: 1.w),
+        Expanded(
+          child: FormBuilderTextField(
+            name: 'txWindow',
+            keyboardType: TextInputType.number,
+            decoration: const InputDecoration(
+              labelText: 'Window (seconds)',
+              hintText: '3600',
+              border: OutlineInputBorder(),
+            ),
+          ),
+        ),
+      ],
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/fields/validity_window_field.dart b/useragent/lib/screens/dashboard/evm/grants/create/fields/validity_window_field.dart
new file mode 100644
index 0000000..e86afda
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/fields/validity_window_field.dart
@@ -0,0 +1,29 @@
+// lib/screens/dashboard/evm/grants/create/fields/validity_window_field.dart
+import 'package:arbiter/screens/dashboard/evm/grants/create/fields/date_time_field.dart';
+import 'package:flutter/material.dart';
+import 'package:sizer/sizer.dart';
+
+class ValidityWindowField extends StatelessWidget {
+  const ValidityWindowField({super.key});
+
+  @override
+  Widget build(BuildContext context) {
+    return Row(
+      children: [
+        Expanded(
+          child: FormBuilderDateTimeField(
+            name: 'validFrom',
+            label: 'Valid from',
+          ),
+        ),
+        SizedBox(width: 1.w),
+        Expanded(
+          child: FormBuilderDateTimeField(
+            name: 'validUntil',
+            label: 'Valid until',
+          ),
+        ),
+      ],
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart b/useragent/lib/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart
new file mode 100644
index 0000000..b220e6f
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart
@@ -0,0 +1,57 @@
+// lib/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart
+import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/providers/evm/evm.dart';
+import 'package:arbiter/providers/sdk_clients/wallet_access_list.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/provider.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/utils.dart';
+import 'package:flutter/material.dart';
+import 'package:flutter_form_builder/flutter_form_builder.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+
+class WalletAccessPickerField extends ConsumerWidget {
+  const WalletAccessPickerField({super.key});
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final state = ref.watch(grantCreationProvider);
+    final allAccesses =
+        ref.watch(walletAccessListProvider).asData?.value ??
+        const <SdkClientWalletAccess>[];
+    final wallets =
+        ref.watch(evmProvider).asData?.value ?? const <WalletEntry>[];
+
+    final walletById = <int, WalletEntry>{for (final w in wallets) w.id: w};
+    final accesses = state.selectedClientId == null
+        ? const <SdkClientWalletAccess>[]
+        : allAccesses
+              .where((a) => a.access.sdkClientId == state.selectedClientId)
+              .toList();
+
+    return FormBuilderDropdown<int>(
+      name: 'walletAccessId',
+      enabled: accesses.isNotEmpty,
+      decoration: InputDecoration(
+        labelText: 'Wallet access',
+        helperText: state.selectedClientId == null
+            ? 'Select a client first'
+            : accesses.isEmpty
+                ? 'No wallet accesses for this client'
+                : null,
+        border: const OutlineInputBorder(),
+      ),
+      items: [
+        for (final a in accesses)
+          DropdownMenuItem(
+            value: a.id,
+            child: Text(() {
+              final wallet = walletById[a.access.walletId];
+              return wallet != null
+                  ? shortAddress(wallet.address)
+                  : 'Wallet #${a.access.walletId}';
+            }()),
+          ),
+      ],
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/grants/ether_transfer_grant.dart b/useragent/lib/screens/dashboard/evm/grants/create/grants/ether_transfer_grant.dart
new file mode 100644
index 0000000..547e247
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/grants/ether_transfer_grant.dart
@@ -0,0 +1,225 @@
+// lib/screens/dashboard/evm/grants/create/grants/ether_transfer_grant.dart
+import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/grants/grant_form_handler.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/utils.dart';
+import 'package:flutter/material.dart';
+import 'package:flutter_form_builder/flutter_form_builder.dart';
+import 'package:flutter_hooks/flutter_hooks.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+import 'package:riverpod_annotation/riverpod_annotation.dart';
+import 'package:sizer/sizer.dart';
+
+part 'ether_transfer_grant.g.dart';
+
+class EtherTargetEntry {
+  EtherTargetEntry({required this.id, this.address = ''});
+
+  final int id;
+  final String address;
+
+  EtherTargetEntry copyWith({String? address}) =>
+      EtherTargetEntry(id: id, address: address ?? this.address);
+}
+
+@riverpod
+class EtherGrantTargets extends _$EtherGrantTargets {
+  int _nextId = 0;
+  int _newId() => _nextId++;
+
+  @override
+  List<EtherTargetEntry> build() => [EtherTargetEntry(id: _newId())];
+
+  void add() => state = [...state, EtherTargetEntry(id: _newId())];
+
+  void update(int index, EtherTargetEntry entry) {
+    final updated = [...state];
+    updated[index] = entry;
+    state = updated;
+  }
+
+  void remove(int index) => state = [...state]..removeAt(index);
+}
+
+class EtherTransferGrantHandler implements GrantFormHandler {
+  const EtherTransferGrantHandler();
+
+  @override
+  Widget buildForm(BuildContext context, WidgetRef ref) =>
+      const _EtherTransferForm();
+
+  @override
+  SpecificGrant buildSpecificGrant(
+    Map<String, dynamic> formValues,
+    WidgetRef ref,
+  ) {
+    final targets = ref.read(etherGrantTargetsProvider);
+
+    return SpecificGrant(
+      etherTransfer: EtherTransferSettings(
+        targets: targets
+            .where((e) => e.address.trim().isNotEmpty)
+            .map((e) => parseHexAddress(e.address))
+            .toList(),
+        limit: buildVolumeLimit(
+          formValues['etherVolume'] as String? ?? '',
+          formValues['etherVolumeWindow'] as String? ?? '',
+        ),
+      ),
+    );
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Form widget
+// ---------------------------------------------------------------------------
+
+class _EtherTransferForm extends ConsumerWidget {
+  const _EtherTransferForm();
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final targets = ref.watch(etherGrantTargetsProvider);
+    final notifier = ref.read(etherGrantTargetsProvider.notifier);
+
+    return Column(
+      crossAxisAlignment: CrossAxisAlignment.stretch,
+      children: [
+        _EtherTargetsField(
+          values: targets,
+          onAdd: notifier.add,
+          onUpdate: notifier.update,
+          onRemove: notifier.remove,
+        ),
+        SizedBox(height: 1.6.h),
+        Text(
+          'Ether volume limit',
+          style: Theme.of(context).textTheme.labelLarge?.copyWith(
+                fontWeight: FontWeight.w800,
+              ),
+        ),
+        SizedBox(height: 0.8.h),
+        Row(
+          children: [
+            Expanded(
+              child: FormBuilderTextField(
+                name: 'etherVolume',
+                keyboardType: TextInputType.number,
+                decoration: const InputDecoration(
+                  labelText: 'Max volume',
+                  hintText: '1000000000000000000',
+                  border: OutlineInputBorder(),
+                ),
+              ),
+            ),
+            SizedBox(width: 1.w),
+            Expanded(
+              child: FormBuilderTextField(
+                name: 'etherVolumeWindow',
+                keyboardType: TextInputType.number,
+                decoration: const InputDecoration(
+                  labelText: 'Window (seconds)',
+                  hintText: '86400',
+                  border: OutlineInputBorder(),
+                ),
+              ),
+            ),
+          ],
+        ),
+      ],
+    );
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Targets list widget
+// ---------------------------------------------------------------------------
+
+class _EtherTargetsField extends StatelessWidget {
+  const _EtherTargetsField({
+    required this.values,
+    required this.onAdd,
+    required this.onUpdate,
+    required this.onRemove,
+  });
+
+  final List<EtherTargetEntry> values;
+  final VoidCallback onAdd;
+  final void Function(int index, EtherTargetEntry entry) onUpdate;
+  final void Function(int index) onRemove;
+
+  @override
+  Widget build(BuildContext context) {
+    return Column(
+      crossAxisAlignment: CrossAxisAlignment.start,
+      children: [
+        Row(
+          children: [
+            Expanded(
+              child: Text(
+                'Ether targets',
+                style: Theme.of(context).textTheme.labelLarge?.copyWith(
+                      fontWeight: FontWeight.w800,
+                    ),
+              ),
+            ),
+            TextButton.icon(
+              onPressed: onAdd,
+              icon: const Icon(Icons.add_rounded),
+              label: const Text('Add'),
+            ),
+          ],
+        ),
+        SizedBox(height: 0.8.h),
+        for (var i = 0; i < values.length; i++)
+          Padding(
+            padding: EdgeInsets.only(bottom: 1.h),
+            child: _EtherTargetRow(
+              key: ValueKey(values[i].id),
+              value: values[i],
+              onChanged: (entry) => onUpdate(i, entry),
+              onRemove: values.length == 1 ? null : () => onRemove(i),
+            ),
+          ),
+      ],
+    );
+  }
+}
+
+class _EtherTargetRow extends HookWidget {
+  const _EtherTargetRow({
+    super.key,
+    required this.value,
+    required this.onChanged,
+    required this.onRemove,
+  });
+
+  final EtherTargetEntry value;
+  final ValueChanged<EtherTargetEntry> onChanged;
+  final VoidCallback? onRemove;
+
+  @override
+  Widget build(BuildContext context) {
+    final addressController = useTextEditingController(text: value.address);
+
+    return Row(
+      children: [
+        Expanded(
+          child: TextField(
+            controller: addressController,
+            onChanged: (next) => onChanged(value.copyWith(address: next)),
+            decoration: const InputDecoration(
+              labelText: 'Address',
+              hintText: '0x...',
+              border: OutlineInputBorder(),
+            ),
+          ),
+        ),
+        SizedBox(width: 0.4.w),
+        IconButton(
+          onPressed: onRemove,
+          icon: const Icon(Icons.remove_circle_outline_rounded),
+        ),
+      ],
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/grants/ether_transfer_grant.g.dart b/useragent/lib/screens/dashboard/evm/grants/create/grants/ether_transfer_grant.g.dart
new file mode 100644
index 0000000..420340a
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/grants/ether_transfer_grant.g.dart
@@ -0,0 +1,63 @@
+// GENERATED CODE - DO NOT MODIFY BY HAND
+
+part of 'ether_transfer_grant.dart';
+
+// **************************************************************************
+// RiverpodGenerator
+// **************************************************************************
+
+// GENERATED CODE - DO NOT MODIFY BY HAND
+// ignore_for_file: type=lint, type=warning
+
+@ProviderFor(EtherGrantTargets)
+final etherGrantTargetsProvider = EtherGrantTargetsProvider._();
+
+final class EtherGrantTargetsProvider
+    extends $NotifierProvider<EtherGrantTargets, List<EtherTargetEntry>> {
+  EtherGrantTargetsProvider._()
+    : super(
+        from: null,
+        argument: null,
+        retry: null,
+        name: r'etherGrantTargetsProvider',
+        isAutoDispose: true,
+        dependencies: null,
+        $allTransitiveDependencies: null,
+      );
+
+  @override
+  String debugGetCreateSourceHash() => _$etherGrantTargetsHash();
+
+  @$internal
+  @override
+  EtherGrantTargets create() => EtherGrantTargets();
+
+  /// {@macro riverpod.override_with_value}
+  Override overrideWithValue(List<EtherTargetEntry> value) {
+    return $ProviderOverride(
+      origin: this,
+      providerOverride: $SyncValueProvider<List<EtherTargetEntry>>(value),
+    );
+  }
+}
+
+String _$etherGrantTargetsHash() => r'063aa3180d5e5bbc1525702272686f1fd8ca751d';
+
+abstract class _$EtherGrantTargets extends $Notifier<List<EtherTargetEntry>> {
+  List<EtherTargetEntry> build();
+  @$mustCallSuper
+  @override
+  void runBuild() {
+    final ref =
+        this.ref as $Ref<List<EtherTargetEntry>, List<EtherTargetEntry>>;
+    final element =
+        ref.element
+            as $ClassProviderElement<
+              AnyNotifier<List<EtherTargetEntry>, List<EtherTargetEntry>>,
+              List<EtherTargetEntry>,
+              Object?,
+              Object?
+            >;
+    element.handleCreate(ref, build);
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/grants/grant_form_handler.dart b/useragent/lib/screens/dashboard/evm/grants/create/grants/grant_form_handler.dart
new file mode 100644
index 0000000..542f2b3
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/grants/grant_form_handler.dart
@@ -0,0 +1,26 @@
+// lib/screens/dashboard/evm/grants/create/grants/grant_form_handler.dart
+import 'package:arbiter/proto/evm.pb.dart';
+import 'package:flutter/widgets.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+
+abstract class GrantFormHandler {
+  /// Renders the grant-specific form section.
+  ///
+  /// The returned widget must be a descendant of the [FormBuilder] in the
+  /// screen so its [FormBuilderField] children register automatically.
+  ///
+  /// **Field name contract:** All `name:` values used by this handler must be
+  /// unique across ALL [GrantFormHandler] implementations. [FormBuilder]
+  /// retains field state across handler switches, so name collisions cause
+  /// silent data corruption.
+  Widget buildForm(BuildContext context, WidgetRef ref);
+
+  /// Assembles a [SpecificGrant] proto.
+  ///
+  /// [formValues] — `formKey.currentState!.value` after `saveAndValidate()`.
+  /// [ref] — read any provider the handler owns (e.g. token volume limits).
+  SpecificGrant buildSpecificGrant(
+    Map<String, dynamic> formValues,
+    WidgetRef ref,
+  );
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/grants/token_transfer_grant.dart b/useragent/lib/screens/dashboard/evm/grants/create/grants/token_transfer_grant.dart
new file mode 100644
index 0000000..9352b94
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/grants/token_transfer_grant.dart
@@ -0,0 +1,233 @@
+// lib/screens/dashboard/evm/grants/create/grants/token_transfer_grant.dart
+import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/grants/grant_form_handler.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/utils.dart';
+import 'package:fixnum/fixnum.dart';
+import 'package:flutter/material.dart';
+import 'package:flutter_form_builder/flutter_form_builder.dart';
+import 'package:flutter_hooks/flutter_hooks.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+import 'package:riverpod_annotation/riverpod_annotation.dart';
+import 'package:sizer/sizer.dart';
+
+part 'token_transfer_grant.g.dart';
+
+class VolumeLimitEntry {
+  VolumeLimitEntry({required this.id, this.amount = '', this.windowSeconds = ''});
+
+  final int id;
+  final String amount;
+  final String windowSeconds;
+
+  VolumeLimitEntry copyWith({String? amount, String? windowSeconds}) =>
+      VolumeLimitEntry(
+        id: id,
+        amount: amount ?? this.amount,
+        windowSeconds: windowSeconds ?? this.windowSeconds,
+      );
+}
+
+
+@riverpod
+class TokenGrantLimits extends _$TokenGrantLimits {
+  int _nextId = 0;
+  int _newId() => _nextId++;
+
+  @override
+  List<VolumeLimitEntry> build() => [VolumeLimitEntry(id: _newId())];
+
+  void add() => state = [...state, VolumeLimitEntry(id: _newId())];
+
+  void update(int index, VolumeLimitEntry entry) {
+    final updated = [...state];
+    updated[index] = entry;
+    state = updated;
+  }
+
+  void remove(int index) => state = [...state]..removeAt(index);
+}
+
+
+class TokenTransferGrantHandler implements GrantFormHandler {
+  const TokenTransferGrantHandler();
+
+  @override
+  Widget buildForm(BuildContext context, WidgetRef ref) =>
+      const _TokenTransferForm();
+
+  @override
+  SpecificGrant buildSpecificGrant(
+    Map<String, dynamic> formValues,
+    WidgetRef ref,
+  ) {
+    final limits = ref.read(tokenGrantLimitsProvider);
+    final targetText = formValues['tokenTarget'] as String? ?? '';
+
+    return SpecificGrant(
+      tokenTransfer: TokenTransferSettings(
+        tokenContract:
+            parseHexAddress(formValues['tokenContract'] as String? ?? ''),
+        target: targetText.trim().isEmpty ? null : parseHexAddress(targetText),
+        volumeLimits: limits
+            .where((e) => e.amount.trim().isNotEmpty && e.windowSeconds.trim().isNotEmpty)
+            .map(
+              (e) => VolumeRateLimit(
+                maxVolume: parseBigIntBytes(e.amount),
+                windowSecs: Int64.parseInt(e.windowSeconds),
+              ),
+            )
+            .toList(),
+      ),
+    );
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Form widget
+// ---------------------------------------------------------------------------
+
+class _TokenTransferForm extends ConsumerWidget {
+  const _TokenTransferForm();
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final limits = ref.watch(tokenGrantLimitsProvider);
+    final notifier = ref.read(tokenGrantLimitsProvider.notifier);
+
+    return Column(
+      crossAxisAlignment: CrossAxisAlignment.stretch,
+      children: [
+        FormBuilderTextField(
+          name: 'tokenContract',
+          decoration: const InputDecoration(
+            labelText: 'Token contract',
+            hintText: '0x...',
+            border: OutlineInputBorder(),
+          ),
+        ),
+        SizedBox(height: 1.6.h),
+        FormBuilderTextField(
+          name: 'tokenTarget',
+          decoration: const InputDecoration(
+            labelText: 'Token recipient',
+            hintText: '0x... or leave empty for any recipient',
+            border: OutlineInputBorder(),
+          ),
+        ),
+        SizedBox(height: 1.6.h),
+        _TokenVolumeLimitsField(
+          values: limits,
+          onAdd: notifier.add,
+          onUpdate: notifier.update,
+          onRemove: notifier.remove,
+        ),
+      ],
+    );
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Volume limits list widget
+// ---------------------------------------------------------------------------
+
+class _TokenVolumeLimitsField extends StatelessWidget {
+  const _TokenVolumeLimitsField({
+    required this.values,
+    required this.onAdd,
+    required this.onUpdate,
+    required this.onRemove,
+  });
+
+  final List<VolumeLimitEntry> values;
+  final VoidCallback onAdd;
+  final void Function(int index, VolumeLimitEntry entry) onUpdate;
+  final void Function(int index) onRemove;
+
+  @override
+  Widget build(BuildContext context) {
+    return Column(
+      crossAxisAlignment: CrossAxisAlignment.start,
+      children: [
+        Row(
+          children: [
+            Expanded(
+              child: Text(
+                'Token volume limits',
+                style: Theme.of(context).textTheme.labelLarge?.copyWith(
+                      fontWeight: FontWeight.w800,
+                    ),
+              ),
+            ),
+            TextButton.icon(
+              onPressed: onAdd,
+              icon: const Icon(Icons.add_rounded),
+              label: const Text('Add'),
+            ),
+          ],
+        ),
+        SizedBox(height: 0.8.h),
+        for (var i = 0; i < values.length; i++)
+          Padding(
+            padding: EdgeInsets.only(bottom: 1.h),
+            child: _TokenVolumeLimitRow(
+              key: ValueKey(values[i].id),
+              value: values[i],
+              onChanged: (entry) => onUpdate(i, entry),
+              onRemove: values.length == 1 ? null : () => onRemove(i),
+            ),
+          ),
+      ],
+    );
+  }
+}
+
+class _TokenVolumeLimitRow extends HookWidget {
+  const _TokenVolumeLimitRow({
+    super.key,
+    required this.value,
+    required this.onChanged,
+    required this.onRemove,
+  });
+
+  final VolumeLimitEntry value;
+  final ValueChanged<VolumeLimitEntry> onChanged;
+  final VoidCallback? onRemove;
+
+  @override
+  Widget build(BuildContext context) {
+    final amountController = useTextEditingController(text: value.amount);
+    final windowController = useTextEditingController(text: value.windowSeconds);
+
+    return Row(
+      children: [
+        Expanded(
+          child: TextField(
+            controller: amountController,
+            onChanged: (next) => onChanged(value.copyWith(amount: next)),
+            decoration: const InputDecoration(
+              labelText: 'Max volume',
+              border: OutlineInputBorder(),
+            ),
+          ),
+        ),
+        SizedBox(width: 1.w),
+        Expanded(
+          child: TextField(
+            controller: windowController,
+            onChanged: (next) =>
+                onChanged(value.copyWith(windowSeconds: next)),
+            decoration: const InputDecoration(
+              labelText: 'Window (seconds)',
+              border: OutlineInputBorder(),
+            ),
+          ),
+        ),
+        SizedBox(width: 0.4.w),
+        IconButton(
+          onPressed: onRemove,
+          icon: const Icon(Icons.remove_circle_outline_rounded),
+        ),
+      ],
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/grants/token_transfer_grant.g.dart b/useragent/lib/screens/dashboard/evm/grants/create/grants/token_transfer_grant.g.dart
new file mode 100644
index 0000000..e3e7bd9
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/grants/token_transfer_grant.g.dart
@@ -0,0 +1,63 @@
+// GENERATED CODE - DO NOT MODIFY BY HAND
+
+part of 'token_transfer_grant.dart';
+
+// **************************************************************************
+// RiverpodGenerator
+// **************************************************************************
+
+// GENERATED CODE - DO NOT MODIFY BY HAND
+// ignore_for_file: type=lint, type=warning
+
+@ProviderFor(TokenGrantLimits)
+final tokenGrantLimitsProvider = TokenGrantLimitsProvider._();
+
+final class TokenGrantLimitsProvider
+    extends $NotifierProvider<TokenGrantLimits, List<VolumeLimitEntry>> {
+  TokenGrantLimitsProvider._()
+    : super(
+        from: null,
+        argument: null,
+        retry: null,
+        name: r'tokenGrantLimitsProvider',
+        isAutoDispose: true,
+        dependencies: null,
+        $allTransitiveDependencies: null,
+      );
+
+  @override
+  String debugGetCreateSourceHash() => _$tokenGrantLimitsHash();
+
+  @$internal
+  @override
+  TokenGrantLimits create() => TokenGrantLimits();
+
+  /// {@macro riverpod.override_with_value}
+  Override overrideWithValue(List<VolumeLimitEntry> value) {
+    return $ProviderOverride(
+      origin: this,
+      providerOverride: $SyncValueProvider<List<VolumeLimitEntry>>(value),
+    );
+  }
+}
+
+String _$tokenGrantLimitsHash() => r'84db377f24940d215af82052e27863ab40c02b24';
+
+abstract class _$TokenGrantLimits extends $Notifier<List<VolumeLimitEntry>> {
+  List<VolumeLimitEntry> build();
+  @$mustCallSuper
+  @override
+  void runBuild() {
+    final ref =
+        this.ref as $Ref<List<VolumeLimitEntry>, List<VolumeLimitEntry>>;
+    final element =
+        ref.element
+            as $ClassProviderElement<
+              AnyNotifier<List<VolumeLimitEntry>, List<VolumeLimitEntry>>,
+              List<VolumeLimitEntry>,
+              Object?,
+              Object?
+            >;
+    element.handleCreate(ref, build);
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/provider.dart b/useragent/lib/screens/dashboard/evm/grants/create/provider.dart
new file mode 100644
index 0000000..89aefeb
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/provider.dart
@@ -0,0 +1,24 @@
+import 'package:arbiter/proto/evm.pb.dart';
+import 'package:freezed_annotation/freezed_annotation.dart';
+import 'package:riverpod_annotation/riverpod_annotation.dart';
+
+part 'provider.freezed.dart';
+part 'provider.g.dart';
+
+@freezed
+abstract class GrantCreationState with _$GrantCreationState {
+  const factory GrantCreationState({
+    int? selectedClientId,
+    @Default(SpecificGrant_Grant.etherTransfer) SpecificGrant_Grant grantType,
+  }) = _GrantCreationState;
+}
+
+@riverpod
+class GrantCreation extends _$GrantCreation {
+  @override
+  GrantCreationState build() => const GrantCreationState();
+
+  void setClientId(int? id) => state = state.copyWith(selectedClientId: id);
+  void setGrantType(SpecificGrant_Grant type) =>
+      state = state.copyWith(grantType: type);
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/provider.freezed.dart b/useragent/lib/screens/dashboard/evm/grants/create/provider.freezed.dart
new file mode 100644
index 0000000..e16d346
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/provider.freezed.dart
@@ -0,0 +1,274 @@
+// GENERATED CODE - DO NOT MODIFY BY HAND
+// coverage:ignore-file
+// ignore_for_file: type=lint
+// ignore_for_file: unused_element, deprecated_member_use, deprecated_member_use_from_same_package, use_function_type_syntax_for_parameters, unnecessary_const, avoid_init_to_null, invalid_override_different_default_values_named, prefer_expression_function_bodies, annotate_overrides, invalid_annotation_target, unnecessary_question_mark
+
+part of 'provider.dart';
+
+// **************************************************************************
+// FreezedGenerator
+// **************************************************************************
+
+// dart format off
+T _$identity<T>(T value) => value;
+/// @nodoc
+mixin _$GrantCreationState {
+
+ int? get selectedClientId; SpecificGrant_Grant get grantType;
+/// Create a copy of GrantCreationState
+/// with the given fields replaced by the non-null parameter values.
+@JsonKey(includeFromJson: false, includeToJson: false)
+@pragma('vm:prefer-inline')
+$GrantCreationStateCopyWith<GrantCreationState> get copyWith => _$GrantCreationStateCopyWithImpl<GrantCreationState>(this as GrantCreationState, _$identity);
+
+
+
+@override
+bool operator ==(Object other) {
+  return identical(this, other) || (other.runtimeType == runtimeType&&other is GrantCreationState&&(identical(other.selectedClientId, selectedClientId) || other.selectedClientId == selectedClientId)&&(identical(other.grantType, grantType) || other.grantType == grantType));
+}
+
+
+@override
+int get hashCode => Object.hash(runtimeType,selectedClientId,grantType);
+
+@override
+String toString() {
+  return 'GrantCreationState(selectedClientId: $selectedClientId, grantType: $grantType)';
+}
+
+
+}
+
+/// @nodoc
+abstract mixin class $GrantCreationStateCopyWith<$Res>  {
+  factory $GrantCreationStateCopyWith(GrantCreationState value, $Res Function(GrantCreationState) _then) = _$GrantCreationStateCopyWithImpl;
+@useResult
+$Res call({
+ int? selectedClientId, SpecificGrant_Grant grantType
+});
+
+
+
+
+}
+/// @nodoc
+class _$GrantCreationStateCopyWithImpl<$Res>
+    implements $GrantCreationStateCopyWith<$Res> {
+  _$GrantCreationStateCopyWithImpl(this._self, this._then);
+
+  final GrantCreationState _self;
+  final $Res Function(GrantCreationState) _then;
+
+/// Create a copy of GrantCreationState
+/// with the given fields replaced by the non-null parameter values.
+@pragma('vm:prefer-inline') @override $Res call({Object? selectedClientId = freezed,Object? grantType = null,}) {
+  return _then(_self.copyWith(
+selectedClientId: freezed == selectedClientId ? _self.selectedClientId : selectedClientId // ignore: cast_nullable_to_non_nullable
+as int?,grantType: null == grantType ? _self.grantType : grantType // ignore: cast_nullable_to_non_nullable
+as SpecificGrant_Grant,
+  ));
+}
+
+}
+
+
+/// Adds pattern-matching-related methods to [GrantCreationState].
+extension GrantCreationStatePatterns on GrantCreationState {
+/// A variant of `map` that fallback to returning `orElse`.
+///
+/// It is equivalent to doing:
+/// ```dart
+/// switch (sealedClass) {
+///   case final Subclass value:
+///     return ...;
+///   case _:
+///     return orElse();
+/// }
+/// ```
+
+@optionalTypeArgs TResult maybeMap<TResult extends Object?>(TResult Function( _GrantCreationState value)?  $default,{required TResult orElse(),}){
+final _that = this;
+switch (_that) {
+case _GrantCreationState() when $default != null:
+return $default(_that);case _:
+  return orElse();
+
+}
+}
+/// A `switch`-like method, using callbacks.
+///
+/// Callbacks receives the raw object, upcasted.
+/// It is equivalent to doing:
+/// ```dart
+/// switch (sealedClass) {
+///   case final Subclass value:
+///     return ...;
+///   case final Subclass2 value:
+///     return ...;
+/// }
+/// ```
+
+@optionalTypeArgs TResult map<TResult extends Object?>(TResult Function( _GrantCreationState value)  $default,){
+final _that = this;
+switch (_that) {
+case _GrantCreationState():
+return $default(_that);case _:
+  throw StateError('Unexpected subclass');
+
+}
+}
+/// A variant of `map` that fallback to returning `null`.
+///
+/// It is equivalent to doing:
+/// ```dart
+/// switch (sealedClass) {
+///   case final Subclass value:
+///     return ...;
+///   case _:
+///     return null;
+/// }
+/// ```
+
+@optionalTypeArgs TResult? mapOrNull<TResult extends Object?>(TResult? Function( _GrantCreationState value)?  $default,){
+final _that = this;
+switch (_that) {
+case _GrantCreationState() when $default != null:
+return $default(_that);case _:
+  return null;
+
+}
+}
+/// A variant of `when` that fallback to an `orElse` callback.
+///
+/// It is equivalent to doing:
+/// ```dart
+/// switch (sealedClass) {
+///   case Subclass(:final field):
+///     return ...;
+///   case _:
+///     return orElse();
+/// }
+/// ```
+
+@optionalTypeArgs TResult maybeWhen<TResult extends Object?>(TResult Function( int? selectedClientId,  SpecificGrant_Grant grantType)?  $default,{required TResult orElse(),}) {final _that = this;
+switch (_that) {
+case _GrantCreationState() when $default != null:
+return $default(_that.selectedClientId,_that.grantType);case _:
+  return orElse();
+
+}
+}
+/// A `switch`-like method, using callbacks.
+///
+/// As opposed to `map`, this offers destructuring.
+/// It is equivalent to doing:
+/// ```dart
+/// switch (sealedClass) {
+///   case Subclass(:final field):
+///     return ...;
+///   case Subclass2(:final field2):
+///     return ...;
+/// }
+/// ```
+
+@optionalTypeArgs TResult when<TResult extends Object?>(TResult Function( int? selectedClientId,  SpecificGrant_Grant grantType)  $default,) {final _that = this;
+switch (_that) {
+case _GrantCreationState():
+return $default(_that.selectedClientId,_that.grantType);case _:
+  throw StateError('Unexpected subclass');
+
+}
+}
+/// A variant of `when` that fallback to returning `null`
+///
+/// It is equivalent to doing:
+/// ```dart
+/// switch (sealedClass) {
+///   case Subclass(:final field):
+///     return ...;
+///   case _:
+///     return null;
+/// }
+/// ```
+
+@optionalTypeArgs TResult? whenOrNull<TResult extends Object?>(TResult? Function( int? selectedClientId,  SpecificGrant_Grant grantType)?  $default,) {final _that = this;
+switch (_that) {
+case _GrantCreationState() when $default != null:
+return $default(_that.selectedClientId,_that.grantType);case _:
+  return null;
+
+}
+}
+
+}
+
+/// @nodoc
+
+
+class _GrantCreationState implements GrantCreationState {
+  const _GrantCreationState({this.selectedClientId, this.grantType = SpecificGrant_Grant.etherTransfer});
+  
+
+@override final  int? selectedClientId;
+@override@JsonKey() final  SpecificGrant_Grant grantType;
+
+/// Create a copy of GrantCreationState
+/// with the given fields replaced by the non-null parameter values.
+@override @JsonKey(includeFromJson: false, includeToJson: false)
+@pragma('vm:prefer-inline')
+_$GrantCreationStateCopyWith<_GrantCreationState> get copyWith => __$GrantCreationStateCopyWithImpl<_GrantCreationState>(this, _$identity);
+
+
+
+@override
+bool operator ==(Object other) {
+  return identical(this, other) || (other.runtimeType == runtimeType&&other is _GrantCreationState&&(identical(other.selectedClientId, selectedClientId) || other.selectedClientId == selectedClientId)&&(identical(other.grantType, grantType) || other.grantType == grantType));
+}
+
+
+@override
+int get hashCode => Object.hash(runtimeType,selectedClientId,grantType);
+
+@override
+String toString() {
+  return 'GrantCreationState(selectedClientId: $selectedClientId, grantType: $grantType)';
+}
+
+
+}
+
+/// @nodoc
+abstract mixin class _$GrantCreationStateCopyWith<$Res> implements $GrantCreationStateCopyWith<$Res> {
+  factory _$GrantCreationStateCopyWith(_GrantCreationState value, $Res Function(_GrantCreationState) _then) = __$GrantCreationStateCopyWithImpl;
+@override @useResult
+$Res call({
+ int? selectedClientId, SpecificGrant_Grant grantType
+});
+
+
+
+
+}
+/// @nodoc
+class __$GrantCreationStateCopyWithImpl<$Res>
+    implements _$GrantCreationStateCopyWith<$Res> {
+  __$GrantCreationStateCopyWithImpl(this._self, this._then);
+
+  final _GrantCreationState _self;
+  final $Res Function(_GrantCreationState) _then;
+
+/// Create a copy of GrantCreationState
+/// with the given fields replaced by the non-null parameter values.
+@override @pragma('vm:prefer-inline') $Res call({Object? selectedClientId = freezed,Object? grantType = null,}) {
+  return _then(_GrantCreationState(
+selectedClientId: freezed == selectedClientId ? _self.selectedClientId : selectedClientId // ignore: cast_nullable_to_non_nullable
+as int?,grantType: null == grantType ? _self.grantType : grantType // ignore: cast_nullable_to_non_nullable
+as SpecificGrant_Grant,
+  ));
+}
+
+
+}
+
+// dart format on
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/provider.g.dart b/useragent/lib/screens/dashboard/evm/grants/create/provider.g.dart
new file mode 100644
index 0000000..9ec5c71
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/provider.g.dart
@@ -0,0 +1,62 @@
+// GENERATED CODE - DO NOT MODIFY BY HAND
+
+part of 'provider.dart';
+
+// **************************************************************************
+// RiverpodGenerator
+// **************************************************************************
+
+// GENERATED CODE - DO NOT MODIFY BY HAND
+// ignore_for_file: type=lint, type=warning
+
+@ProviderFor(GrantCreation)
+final grantCreationProvider = GrantCreationProvider._();
+
+final class GrantCreationProvider
+    extends $NotifierProvider<GrantCreation, GrantCreationState> {
+  GrantCreationProvider._()
+    : super(
+        from: null,
+        argument: null,
+        retry: null,
+        name: r'grantCreationProvider',
+        isAutoDispose: true,
+        dependencies: null,
+        $allTransitiveDependencies: null,
+      );
+
+  @override
+  String debugGetCreateSourceHash() => _$grantCreationHash();
+
+  @$internal
+  @override
+  GrantCreation create() => GrantCreation();
+
+  /// {@macro riverpod.override_with_value}
+  Override overrideWithValue(GrantCreationState value) {
+    return $ProviderOverride(
+      origin: this,
+      providerOverride: $SyncValueProvider<GrantCreationState>(value),
+    );
+  }
+}
+
+String _$grantCreationHash() => r'3733d45da30990ef8ecbee946d2eae81bc7f5fc9';
+
+abstract class _$GrantCreation extends $Notifier<GrantCreationState> {
+  GrantCreationState build();
+  @$mustCallSuper
+  @override
+  void runBuild() {
+    final ref = this.ref as $Ref<GrantCreationState, GrantCreationState>;
+    final element =
+        ref.element
+            as $ClassProviderElement<
+              AnyNotifier<GrantCreationState, GrantCreationState>,
+              GrantCreationState,
+              Object?,
+              Object?
+            >;
+    element.handleCreate(ref, build);
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/screen.dart b/useragent/lib/screens/dashboard/evm/grants/create/screen.dart
new file mode 100644
index 0000000..351a2f0
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/screen.dart
@@ -0,0 +1,252 @@
+// lib/screens/dashboard/evm/grants/create/screen.dart
+import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/providers/evm/evm_grants.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/grants/ether_transfer_grant.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/grants/grant_form_handler.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/grants/token_transfer_grant.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/provider.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/shared_grant_fields.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/utils.dart';
+import 'package:arbiter/theme/palette.dart';
+import 'package:auto_route/auto_route.dart';
+import 'package:fixnum/fixnum.dart';
+import 'package:flutter/material.dart';
+import 'package:flutter_form_builder/flutter_form_builder.dart';
+import 'package:flutter_hooks/flutter_hooks.dart';
+import 'package:hooks_riverpod/hooks_riverpod.dart';
+import 'package:hooks_riverpod/experimental/mutation.dart';
+import 'package:sizer/sizer.dart';
+
+const _etherHandler = EtherTransferGrantHandler();
+const _tokenHandler = TokenTransferGrantHandler();
+
+GrantFormHandler _handlerFor(SpecificGrant_Grant type) => switch (type) {
+      SpecificGrant_Grant.etherTransfer => _etherHandler,
+      SpecificGrant_Grant.tokenTransfer => _tokenHandler,
+      _ => throw ArgumentError('Unsupported grant type: $type'),
+    };
+
+@RoutePage()
+class CreateEvmGrantScreen extends HookConsumerWidget {
+  const CreateEvmGrantScreen({super.key});
+
+  @override
+  Widget build(BuildContext context, WidgetRef ref) {
+    final formKey = useMemoized(() => GlobalKey<FormBuilderState>());
+    final createMutation = ref.watch(createEvmGrantMutation);
+    final state = ref.watch(grantCreationProvider);
+    final notifier = ref.read(grantCreationProvider.notifier);
+    final handler = _handlerFor(state.grantType);
+
+    Future<void> submit() async {
+      if (!(formKey.currentState?.saveAndValidate() ?? false)) return;
+      final formValues = formKey.currentState!.value;
+
+      final accessId = formValues['walletAccessId'] as int?;
+      if (accessId == null) {
+        _showSnackBar(context, 'Select a client and wallet access.');
+        return;
+      }
+
+      try {
+        final specific = handler.buildSpecificGrant(formValues, ref);
+        final sharedSettings = SharedSettings(
+          walletAccessId: accessId,
+          chainId: Int64.parseInt(
+            (formValues['chainId'] as String? ?? '').trim(),
+          ),
+        );
+        final validFrom = formValues['validFrom'] as DateTime?;
+        final validUntil = formValues['validUntil'] as DateTime?;
+        if (validFrom != null) sharedSettings.validFrom = toTimestamp(validFrom);
+        if (validUntil != null) {
+          sharedSettings.validUntil = toTimestamp(validUntil);
+        }
+        final gasBytes =
+            optionalBigIntBytes(formValues['maxGasFeePerGas'] as String? ?? '');
+        if (gasBytes != null) sharedSettings.maxGasFeePerGas = gasBytes;
+        final priorityBytes = optionalBigIntBytes(
+          formValues['maxPriorityFeePerGas'] as String? ?? '',
+        );
+        if (priorityBytes != null) {
+          sharedSettings.maxPriorityFeePerGas = priorityBytes;
+        }
+        final rateLimit = buildRateLimit(
+          formValues['txCount'] as String? ?? '',
+          formValues['txWindow'] as String? ?? '',
+        );
+        if (rateLimit != null) sharedSettings.rateLimit = rateLimit;
+
+        await executeCreateEvmGrant(
+          ref,
+          sharedSettings: sharedSettings,
+          specific: specific,
+        );
+        if (!context.mounted) return;
+        context.router.pop();
+      } catch (error) {
+        if (!context.mounted) return;
+        _showSnackBar(context, _formatError(error));
+      }
+    }
+
+    return Scaffold(
+      appBar: AppBar(title: const Text('Create EVM Grant')),
+      body: SafeArea(
+        child: FormBuilder(
+          key: formKey,
+          child: ListView(
+            padding: EdgeInsets.fromLTRB(2.4.w, 2.h, 2.4.w, 3.2.h),
+            children: [
+              const _IntroCard(),
+              SizedBox(height: 1.8.h),
+              const _Section(
+                title: 'Shared grant options',
+                child: SharedGrantFields(),
+              ),
+              SizedBox(height: 1.8.h),
+              _GrantTypeSelector(
+                value: state.grantType,
+                onChanged: notifier.setGrantType,
+              ),
+              SizedBox(height: 1.8.h),
+              _Section(
+                title: 'Grant-specific options',
+                child: handler.buildForm(context, ref),
+              ),
+              SizedBox(height: 2.2.h),
+              Align(
+                alignment: Alignment.centerRight,
+                child: FilledButton.icon(
+                  onPressed:
+                      createMutation is MutationPending ? null : submit,
+                  icon: createMutation is MutationPending
+                      ? SizedBox(
+                          width: 1.8.h,
+                          height: 1.8.h,
+                          child: const CircularProgressIndicator(
+                            strokeWidth: 2.2,
+                          ),
+                        )
+                      : const Icon(Icons.check_rounded),
+                  label: Text(
+                    createMutation is MutationPending
+                        ? 'Creating...'
+                        : 'Create grant',
+                  ),
+                ),
+              ),
+            ],
+          ),
+        ),
+      ),
+    );
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Layout helpers
+// ---------------------------------------------------------------------------
+
+class _IntroCard extends StatelessWidget {
+  const _IntroCard();
+
+  @override
+  Widget build(BuildContext context) {
+    return Container(
+      padding: EdgeInsets.all(2.h),
+      decoration: BoxDecoration(
+        borderRadius: BorderRadius.circular(24),
+        gradient: const LinearGradient(
+          colors: [Palette.introGradientStart, Palette.introGradientEnd],
+          begin: Alignment.topLeft,
+          end: Alignment.bottomRight,
+        ),
+        border: Border.all(color: Palette.cardBorder),
+      ),
+      child: Text(
+        'Pick a client, then select one of the wallet accesses already granted '
+        'to it. Compose shared constraints once, then switch between Ether and '
+        'token transfer rules.',
+        style: Theme.of(context).textTheme.bodyLarge?.copyWith(height: 1.5),
+      ),
+    );
+  }
+}
+
+class _Section extends StatelessWidget {
+  const _Section({required this.title, required this.child});
+
+  final String title;
+  final Widget child;
+
+  @override
+  Widget build(BuildContext context) {
+    return Container(
+      padding: EdgeInsets.all(2.h),
+      decoration: BoxDecoration(
+        borderRadius: BorderRadius.circular(24),
+        color: Colors.white,
+        border: Border.all(color: Palette.cardBorder),
+      ),
+      child: Column(
+        crossAxisAlignment: CrossAxisAlignment.start,
+        children: [
+          Text(
+            title,
+            style: Theme.of(context).textTheme.titleMedium?.copyWith(
+                  fontWeight: FontWeight.w800,
+                ),
+          ),
+          SizedBox(height: 1.4.h),
+          child,
+        ],
+      ),
+    );
+  }
+}
+
+class _GrantTypeSelector extends StatelessWidget {
+  const _GrantTypeSelector({required this.value, required this.onChanged});
+
+  final SpecificGrant_Grant value;
+  final ValueChanged<SpecificGrant_Grant> onChanged;
+
+  @override
+  Widget build(BuildContext context) {
+    return SegmentedButton<SpecificGrant_Grant>(
+      segments: const [
+        ButtonSegment(
+          value: SpecificGrant_Grant.etherTransfer,
+          label: Text('Ether'),
+          icon: Icon(Icons.bolt_rounded),
+        ),
+        ButtonSegment(
+          value: SpecificGrant_Grant.tokenTransfer,
+          label: Text('Token'),
+          icon: Icon(Icons.token_rounded),
+        ),
+      ],
+      selected: {value},
+      onSelectionChanged: (selection) => onChanged(selection.first),
+    );
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Utilities
+// ---------------------------------------------------------------------------
+
+void _showSnackBar(BuildContext context, String message) {
+  if (!context.mounted) return;
+  ScaffoldMessenger.of(context).showSnackBar(
+    SnackBar(content: Text(message), behavior: SnackBarBehavior.floating),
+  );
+}
+
+String _formatError(Object error) {
+  final text = error.toString();
+  return text.startsWith('Exception: ')
+      ? text.substring('Exception: '.length)
+      : text;
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/shared_grant_fields.dart b/useragent/lib/screens/dashboard/evm/grants/create/shared_grant_fields.dart
new file mode 100644
index 0000000..e2b88a5
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/shared_grant_fields.dart
@@ -0,0 +1,37 @@
+// lib/screens/dashboard/evm/grants/create/shared_grant_fields.dart
+import 'package:arbiter/screens/dashboard/evm/grants/create/fields/chain_id_field.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/fields/client_picker_field.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/fields/gas_fee_options_field.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/fields/transaction_rate_limit_field.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/fields/validity_window_field.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart';
+import 'package:flutter/material.dart';
+import 'package:sizer/sizer.dart';
+
+/// All shared grant fields in a single vertical layout.
+///
+/// Every [FormBuilderField] descendant auto-registers with the nearest
+/// [FormBuilder] ancestor via [BuildContext] — no controllers passed.
+class SharedGrantFields extends StatelessWidget {
+  const SharedGrantFields({super.key});
+
+  @override
+  Widget build(BuildContext context) {
+    return Column(
+      crossAxisAlignment: CrossAxisAlignment.stretch,
+      children: [
+        const ClientPickerField(),
+        SizedBox(height: 1.6.h),
+        const WalletAccessPickerField(),
+        SizedBox(height: 1.6.h),
+        const ChainIdField(),
+        SizedBox(height: 1.6.h),
+        const ValidityWindowField(),
+        SizedBox(height: 1.6.h),
+        const GasFeeOptionsField(),
+        SizedBox(height: 1.6.h),
+        const TransactionRateLimitField(),
+      ],
+    );
+  }
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/utils.dart b/useragent/lib/screens/dashboard/evm/grants/create/utils.dart
new file mode 100644
index 0000000..08dad7c
--- /dev/null
+++ b/useragent/lib/screens/dashboard/evm/grants/create/utils.dart
@@ -0,0 +1,73 @@
+import 'package:arbiter/proto/evm.pb.dart';
+import 'package:fixnum/fixnum.dart';
+import 'package:protobuf/well_known_types/google/protobuf/timestamp.pb.dart';
+
+Timestamp toTimestamp(DateTime value) {
+  final utc = value.toUtc();
+  return Timestamp()
+    ..seconds = Int64(utc.millisecondsSinceEpoch ~/ 1000)
+    ..nanos = (utc.microsecondsSinceEpoch % 1000000) * 1000;
+}
+
+TransactionRateLimit? buildRateLimit(String countText, String windowText) {
+  if (countText.trim().isEmpty || windowText.trim().isEmpty) {
+    return null;
+  }
+  return TransactionRateLimit(
+    count: int.parse(countText.trim()),
+    windowSecs: Int64.parseInt(windowText.trim()),
+  );
+}
+
+VolumeRateLimit? buildVolumeLimit(String amountText, String windowText) {
+  if (amountText.trim().isEmpty || windowText.trim().isEmpty) {
+    return null;
+  }
+  return VolumeRateLimit(
+    maxVolume: parseBigIntBytes(amountText),
+    windowSecs: Int64.parseInt(windowText.trim()),
+  );
+}
+
+List<int>? optionalBigIntBytes(String value) {
+  if (value.trim().isEmpty) {
+    return null;
+  }
+  return parseBigIntBytes(value);
+}
+
+List<int> parseBigIntBytes(String value) {
+  final number = BigInt.parse(value.trim());
+  if (number < BigInt.zero) {
+    throw Exception('Numeric values must be positive.');
+  }
+  if (number == BigInt.zero) {
+    return [0];
+  }
+
+  var remaining = number;
+  final bytes = <int>[];
+  while (remaining > BigInt.zero) {
+    bytes.insert(0, (remaining & BigInt.from(0xff)).toInt());
+    remaining >>= 8;
+  }
+  return bytes;
+}
+
+List<int> parseHexAddress(String value) {
+  final normalized = value.trim().replaceFirst(RegExp(r'^0x'), '');
+  if (normalized.length != 40) {
+    throw Exception('Expected a 20-byte hex address.');
+  }
+  return [
+    for (var i = 0; i < normalized.length; i += 2)
+      int.parse(normalized.substring(i, i + 2), radix: 16),
+  ];
+}
+
+String shortAddress(List<int> bytes) {
+  final hex = bytes
+      .map((byte) => byte.toRadixString(16).padLeft(2, '0'))
+      .join();
+  return '0x${hex.substring(0, 6)}...${hex.substring(hex.length - 4)}';
+}
diff --git a/useragent/lib/screens/dashboard/evm/grants/grant_create.dart b/useragent/lib/screens/dashboard/evm/grants/grant_create.dart
deleted file mode 100644
index 7a11d5c..0000000
--- a/useragent/lib/screens/dashboard/evm/grants/grant_create.dart
+++ /dev/null
@@ -1,902 +0,0 @@
-import 'package:arbiter/proto/evm.pb.dart';
-import 'package:arbiter/proto/user_agent.pb.dart';
-import 'package:arbiter/providers/evm/evm.dart';
-import 'package:arbiter/providers/evm/evm_grants.dart';
-import 'package:arbiter/providers/sdk_clients/list.dart';
-import 'package:arbiter/providers/sdk_clients/wallet_access_list.dart';
-import 'package:auto_route/auto_route.dart';
-import 'package:fixnum/fixnum.dart';
-import 'package:flutter/material.dart';
-import 'package:flutter_hooks/flutter_hooks.dart';
-import 'package:hooks_riverpod/hooks_riverpod.dart';
-import 'package:hooks_riverpod/experimental/mutation.dart';
-import 'package:protobuf/well_known_types/google/protobuf/timestamp.pb.dart';
-import 'package:sizer/sizer.dart';
-
-@RoutePage()
-class CreateEvmGrantScreen extends HookConsumerWidget {
-  const CreateEvmGrantScreen({super.key});
-
-  @override
-  Widget build(BuildContext context, WidgetRef ref) {
-    final createMutation = ref.watch(createEvmGrantMutation);
-
-    final selectedClientId = useState<int?>(null);
-    final selectedWalletAccessId = useState<int?>(null);
-    final chainIdController = useTextEditingController(text: '1');
-    final gasFeeController = useTextEditingController();
-    final priorityFeeController = useTextEditingController();
-    final txCountController = useTextEditingController();
-    final txWindowController = useTextEditingController();
-    final recipientsController = useTextEditingController();
-    final etherVolumeController = useTextEditingController();
-    final etherVolumeWindowController = useTextEditingController();
-    final tokenContractController = useTextEditingController();
-    final tokenTargetController = useTextEditingController();
-    final validFrom = useState<DateTime?>(null);
-    final validUntil = useState<DateTime?>(null);
-    final grantType = useState<SpecificGrant_Grant>(
-      SpecificGrant_Grant.etherTransfer,
-    );
-    final tokenVolumeLimits = useState<List<_VolumeLimitValue>>([
-      const _VolumeLimitValue(),
-    ]);
-
-    Future<void> submit() async {
-      final accessId = selectedWalletAccessId.value;
-      if (accessId == null) {
-        _showCreateMessage(context, 'Select a client and wallet access.');
-        return;
-      }
-
-      try {
-        final chainId = Int64.parseInt(chainIdController.text.trim());
-        final rateLimit = _buildRateLimit(
-          txCountController.text,
-          txWindowController.text,
-        );
-        final specific = switch (grantType.value) {
-          SpecificGrant_Grant.etherTransfer => SpecificGrant(
-            etherTransfer: EtherTransferSettings(
-              targets: _parseAddresses(recipientsController.text),
-              limit: _buildVolumeLimit(
-                etherVolumeController.text,
-                etherVolumeWindowController.text,
-              ),
-            ),
-          ),
-          SpecificGrant_Grant.tokenTransfer => SpecificGrant(
-            tokenTransfer: TokenTransferSettings(
-              tokenContract: _parseHexAddress(tokenContractController.text),
-              target: tokenTargetController.text.trim().isEmpty
-                  ? null
-                  : _parseHexAddress(tokenTargetController.text),
-              volumeLimits: tokenVolumeLimits.value
-                  .where((item) => item.amount.trim().isNotEmpty)
-                  .map(
-                    (item) => VolumeRateLimit(
-                      maxVolume: _parseBigIntBytes(item.amount),
-                      windowSecs: Int64.parseInt(item.windowSeconds),
-                    ),
-                  )
-                  .toList(),
-            ),
-          ),
-          _ => throw Exception('Unsupported grant type.'),
-        };
-
-        final sharedSettings = SharedSettings(
-          walletAccessId: accessId,
-          chainId: chainId,
-        );
-        if (validFrom.value != null) {
-          sharedSettings.validFrom = _toTimestamp(validFrom.value!);
-        }
-        if (validUntil.value != null) {
-          sharedSettings.validUntil = _toTimestamp(validUntil.value!);
-        }
-        final gasBytes = _optionalBigIntBytes(gasFeeController.text);
-        if (gasBytes != null) sharedSettings.maxGasFeePerGas = gasBytes;
-        final priorityBytes = _optionalBigIntBytes(priorityFeeController.text);
-        if (priorityBytes != null) sharedSettings.maxPriorityFeePerGas = priorityBytes;
-        if (rateLimit != null) sharedSettings.rateLimit = rateLimit;
-
-        await executeCreateEvmGrant(
-          ref,
-          sharedSettings: sharedSettings,
-          specific: specific,
-        );
-        if (!context.mounted) {
-          return;
-        }
-        context.router.pop();
-      } catch (error) {
-        if (!context.mounted) {
-          return;
-        }
-        _showCreateMessage(context, _formatCreateError(error));
-      }
-    }
-
-    return Scaffold(
-      appBar: AppBar(title: const Text('Create EVM Grant')),
-      body: SafeArea(
-        child: ListView(
-          padding: EdgeInsets.fromLTRB(2.4.w, 2.h, 2.4.w, 3.2.h),
-          children: [
-            const _CreateIntroCard(),
-            SizedBox(height: 1.8.h),
-            _CreateSection(
-              title: 'Shared grant options',
-              children: [
-                _ClientPickerField(
-                  selectedClientId: selectedClientId.value,
-                  onChanged: (clientId) {
-                    selectedClientId.value = clientId;
-                    selectedWalletAccessId.value = null;
-                  },
-                ),
-                _WalletAccessPickerField(
-                  selectedClientId: selectedClientId.value,
-                  selectedAccessId: selectedWalletAccessId.value,
-                  onChanged: (accessId) =>
-                      selectedWalletAccessId.value = accessId,
-                ),
-                _NumberInputField(
-                  controller: chainIdController,
-                  label: 'Chain ID',
-                  hint: '1',
-                ),
-                _ValidityWindowField(
-                  validFrom: validFrom.value,
-                  validUntil: validUntil.value,
-                  onValidFromChanged: (value) => validFrom.value = value,
-                  onValidUntilChanged: (value) => validUntil.value = value,
-                ),
-                _GasFeeOptionsField(
-                  gasFeeController: gasFeeController,
-                  priorityFeeController: priorityFeeController,
-                ),
-                _TransactionRateLimitField(
-                  txCountController: txCountController,
-                  txWindowController: txWindowController,
-                ),
-              ],
-            ),
-            SizedBox(height: 1.8.h),
-            _GrantTypeSelector(
-              value: grantType.value,
-              onChanged: (value) => grantType.value = value,
-            ),
-            SizedBox(height: 1.8.h),
-            _CreateSection(
-              title: 'Grant-specific options',
-              children: [
-                if (grantType.value == SpecificGrant_Grant.etherTransfer) ...[
-                  _EtherTargetsField(controller: recipientsController),
-                  _VolumeLimitField(
-                    amountController: etherVolumeController,
-                    windowController: etherVolumeWindowController,
-                    title: 'Ether volume limit',
-                  ),
-                ] else ...[
-                  _TokenContractField(controller: tokenContractController),
-                  _TokenRecipientField(controller: tokenTargetController),
-                  _TokenVolumeLimitsField(
-                    values: tokenVolumeLimits.value,
-                    onChanged: (values) => tokenVolumeLimits.value = values,
-                  ),
-                ],
-              ],
-            ),
-            SizedBox(height: 2.2.h),
-            Align(
-              alignment: Alignment.centerRight,
-              child: FilledButton.icon(
-                onPressed: createMutation is MutationPending ? null : submit,
-                icon: createMutation is MutationPending
-                    ? SizedBox(
-                        width: 1.8.h,
-                        height: 1.8.h,
-                        child: const CircularProgressIndicator(strokeWidth: 2.2),
-                      )
-                    : const Icon(Icons.check_rounded),
-                label: Text(
-                  createMutation is MutationPending
-                      ? 'Creating...'
-                      : 'Create grant',
-                ),
-              ),
-            ),
-          ],
-        ),
-      ),
-    );
-  }
-}
-
-class _CreateIntroCard extends StatelessWidget {
-  const _CreateIntroCard();
-
-  @override
-  Widget build(BuildContext context) {
-    return Container(
-      padding: EdgeInsets.all(2.h),
-      decoration: BoxDecoration(
-        borderRadius: BorderRadius.circular(24),
-        gradient: const LinearGradient(
-          colors: [Color(0xFFF7F9FC), Color(0xFFFDF5EA)],
-          begin: Alignment.topLeft,
-          end: Alignment.bottomRight,
-        ),
-        border: Border.all(color: const Color(0x1A17324A)),
-      ),
-      child: Text(
-        'Pick a client, then select one of the wallet accesses already granted to it. Compose shared constraints once, then switch between Ether and token transfer rules.',
-        style: Theme.of(context).textTheme.bodyLarge?.copyWith(height: 1.5),
-      ),
-    );
-  }
-}
-
-class _CreateSection extends StatelessWidget {
-  const _CreateSection({required this.title, required this.children});
-
-  final String title;
-  final List<Widget> children;
-
-  @override
-  Widget build(BuildContext context) {
-    return Container(
-      padding: EdgeInsets.all(2.h),
-      decoration: BoxDecoration(
-        borderRadius: BorderRadius.circular(24),
-        color: Colors.white,
-        border: Border.all(color: const Color(0x1A17324A)),
-      ),
-      child: Column(
-        crossAxisAlignment: CrossAxisAlignment.start,
-        children: [
-          Text(
-            title,
-            style: Theme.of(context).textTheme.titleMedium?.copyWith(
-              fontWeight: FontWeight.w800,
-            ),
-          ),
-          SizedBox(height: 1.4.h),
-          ...children.map(
-            (child) => Padding(
-              padding: EdgeInsets.only(bottom: 1.6.h),
-              child: child,
-            ),
-          ),
-        ],
-      ),
-    );
-  }
-}
-
-class _ClientPickerField extends ConsumerWidget {
-  const _ClientPickerField({
-    required this.selectedClientId,
-    required this.onChanged,
-  });
-
-  final int? selectedClientId;
-  final ValueChanged<int?> onChanged;
-
-  @override
-  Widget build(BuildContext context, WidgetRef ref) {
-    final clients =
-        ref.watch(sdkClientsProvider).asData?.value ?? const <SdkClientEntry>[];
-
-    return DropdownButtonFormField<int>(
-      value: clients.any((c) => c.id == selectedClientId)
-          ? selectedClientId
-          : null,
-      decoration: const InputDecoration(
-        labelText: 'Client',
-        border: OutlineInputBorder(),
-      ),
-      items: [
-        for (final c in clients)
-          DropdownMenuItem(
-            value: c.id,
-            child: Text(
-              c.info.name.isEmpty ? 'Client #${c.id}' : c.info.name,
-            ),
-          ),
-      ],
-      onChanged: clients.isEmpty ? null : onChanged,
-    );
-  }
-}
-
-class _WalletAccessPickerField extends ConsumerWidget {
-  const _WalletAccessPickerField({
-    required this.selectedClientId,
-    required this.selectedAccessId,
-    required this.onChanged,
-  });
-
-  final int? selectedClientId;
-  final int? selectedAccessId;
-  final ValueChanged<int?> onChanged;
-
-  @override
-  Widget build(BuildContext context, WidgetRef ref) {
-    final allAccesses =
-        ref.watch(walletAccessListProvider).asData?.value ??
-        const <SdkClientWalletAccess>[];
-    final wallets =
-        ref.watch(evmProvider).asData?.value ?? const <WalletEntry>[];
-
-    final walletById = <int, WalletEntry>{
-      for (final w in wallets) w.id: w,
-    };
-
-    final accesses = selectedClientId == null
-        ? const <SdkClientWalletAccess>[]
-        : allAccesses
-              .where((a) => a.access.sdkClientId == selectedClientId)
-              .toList();
-
-    final effectiveValue =
-        accesses.any((a) => a.id == selectedAccessId) ? selectedAccessId : null;
-
-    return DropdownButtonFormField<int>(
-      value: effectiveValue,
-      decoration: InputDecoration(
-        labelText: 'Wallet access',
-        helperText: selectedClientId == null
-            ? 'Select a client first'
-            : accesses.isEmpty
-            ? 'No wallet accesses for this client'
-            : null,
-        border: const OutlineInputBorder(),
-      ),
-      items: [
-        for (final a in accesses)
-          DropdownMenuItem(
-            value: a.id,
-            child: Text(() {
-              final wallet = walletById[a.access.walletId];
-              return wallet != null
-                  ? _shortAddress(wallet.address)
-                  : 'Wallet #${a.access.walletId}';
-            }()),
-          ),
-      ],
-      onChanged: accesses.isEmpty ? null : onChanged,
-    );
-  }
-}
-
-class _NumberInputField extends StatelessWidget {
-  const _NumberInputField({
-    required this.controller,
-    required this.label,
-    required this.hint,
-    this.helper,
-  });
-
-  final TextEditingController controller;
-  final String label;
-  final String hint;
-  final String? helper;
-
-  @override
-  Widget build(BuildContext context) {
-    return TextField(
-      controller: controller,
-      keyboardType: TextInputType.number,
-      decoration: InputDecoration(
-        labelText: label,
-        hintText: hint,
-        helperText: helper,
-        border: const OutlineInputBorder(),
-      ),
-    );
-  }
-}
-
-class _ValidityWindowField extends StatelessWidget {
-  const _ValidityWindowField({
-    required this.validFrom,
-    required this.validUntil,
-    required this.onValidFromChanged,
-    required this.onValidUntilChanged,
-  });
-
-  final DateTime? validFrom;
-  final DateTime? validUntil;
-  final ValueChanged<DateTime?> onValidFromChanged;
-  final ValueChanged<DateTime?> onValidUntilChanged;
-
-  @override
-  Widget build(BuildContext context) {
-    return Row(
-      children: [
-        Expanded(
-          child: _DateButtonField(
-            label: 'Valid from',
-            value: validFrom,
-            onChanged: onValidFromChanged,
-          ),
-        ),
-        SizedBox(width: 1.w),
-        Expanded(
-          child: _DateButtonField(
-            label: 'Valid until',
-            value: validUntil,
-            onChanged: onValidUntilChanged,
-          ),
-        ),
-      ],
-    );
-  }
-}
-
-class _DateButtonField extends StatelessWidget {
-  const _DateButtonField({
-    required this.label,
-    required this.value,
-    required this.onChanged,
-  });
-
-  final String label;
-  final DateTime? value;
-  final ValueChanged<DateTime?> onChanged;
-
-  @override
-  Widget build(BuildContext context) {
-    return OutlinedButton(
-      onPressed: () async {
-        final now = DateTime.now();
-        final date = await showDatePicker(
-          context: context,
-          firstDate: DateTime(now.year - 5),
-          lastDate: DateTime(now.year + 10),
-          initialDate: value ?? now,
-        );
-        if (date == null || !context.mounted) {
-          return;
-        }
-        final time = await showTimePicker(
-          context: context,
-          initialTime: TimeOfDay.fromDateTime(value ?? now),
-        );
-        if (time == null) {
-          return;
-        }
-        onChanged(
-          DateTime(date.year, date.month, date.day, time.hour, time.minute),
-        );
-      },
-      onLongPress: value == null ? null : () => onChanged(null),
-      child: Padding(
-        padding: EdgeInsets.symmetric(vertical: 1.8.h),
-        child: Column(
-          crossAxisAlignment: CrossAxisAlignment.start,
-          children: [
-            Text(label),
-            SizedBox(height: 0.6.h),
-            Text(value?.toLocal().toString() ?? 'Not set'),
-          ],
-        ),
-      ),
-    );
-  }
-}
-
-class _GasFeeOptionsField extends StatelessWidget {
-  const _GasFeeOptionsField({
-    required this.gasFeeController,
-    required this.priorityFeeController,
-  });
-
-  final TextEditingController gasFeeController;
-  final TextEditingController priorityFeeController;
-
-  @override
-  Widget build(BuildContext context) {
-    return Row(
-      children: [
-        Expanded(
-          child: _NumberInputField(
-            controller: gasFeeController,
-            label: 'Max gas fee / gas',
-            hint: '1000000000',
-          ),
-        ),
-        SizedBox(width: 1.w),
-        Expanded(
-          child: _NumberInputField(
-            controller: priorityFeeController,
-            label: 'Max priority fee / gas',
-            hint: '100000000',
-          ),
-        ),
-      ],
-    );
-  }
-}
-
-class _TransactionRateLimitField extends StatelessWidget {
-  const _TransactionRateLimitField({
-    required this.txCountController,
-    required this.txWindowController,
-  });
-
-  final TextEditingController txCountController;
-  final TextEditingController txWindowController;
-
-  @override
-  Widget build(BuildContext context) {
-    return Row(
-      children: [
-        Expanded(
-          child: _NumberInputField(
-            controller: txCountController,
-            label: 'Tx count limit',
-            hint: '10',
-          ),
-        ),
-        SizedBox(width: 1.w),
-        Expanded(
-          child: _NumberInputField(
-            controller: txWindowController,
-            label: 'Window (seconds)',
-            hint: '3600',
-          ),
-        ),
-      ],
-    );
-  }
-}
-
-class _GrantTypeSelector extends StatelessWidget {
-  const _GrantTypeSelector({required this.value, required this.onChanged});
-
-  final SpecificGrant_Grant value;
-  final ValueChanged<SpecificGrant_Grant> onChanged;
-
-  @override
-  Widget build(BuildContext context) {
-    return SegmentedButton<SpecificGrant_Grant>(
-      segments: const [
-        ButtonSegment(
-          value: SpecificGrant_Grant.etherTransfer,
-          label: Text('Ether'),
-          icon: Icon(Icons.bolt_rounded),
-        ),
-        ButtonSegment(
-          value: SpecificGrant_Grant.tokenTransfer,
-          label: Text('Token'),
-          icon: Icon(Icons.token_rounded),
-        ),
-      ],
-      selected: {value},
-      onSelectionChanged: (selection) => onChanged(selection.first),
-    );
-  }
-}
-
-class _EtherTargetsField extends StatelessWidget {
-  const _EtherTargetsField({required this.controller});
-
-  final TextEditingController controller;
-
-  @override
-  Widget build(BuildContext context) {
-    return TextField(
-      controller: controller,
-      minLines: 3,
-      maxLines: 6,
-      decoration: const InputDecoration(
-        labelText: 'Ether recipients',
-        hintText: 'One 0x address per line. Leave empty for unrestricted targets.',
-        border: OutlineInputBorder(),
-      ),
-    );
-  }
-}
-
-class _VolumeLimitField extends StatelessWidget {
-  const _VolumeLimitField({
-    required this.amountController,
-    required this.windowController,
-    required this.title,
-  });
-
-  final TextEditingController amountController;
-  final TextEditingController windowController;
-  final String title;
-
-  @override
-  Widget build(BuildContext context) {
-    return Column(
-      crossAxisAlignment: CrossAxisAlignment.start,
-      children: [
-        Text(
-          title,
-          style: Theme.of(context).textTheme.labelLarge?.copyWith(
-            fontWeight: FontWeight.w800,
-          ),
-        ),
-        SizedBox(height: 0.8.h),
-        Row(
-          children: [
-            Expanded(
-              child: _NumberInputField(
-                controller: amountController,
-                label: 'Max volume',
-                hint: '1000000000000000000',
-              ),
-            ),
-            SizedBox(width: 1.w),
-            Expanded(
-              child: _NumberInputField(
-                controller: windowController,
-                label: 'Window (seconds)',
-                hint: '86400',
-              ),
-            ),
-          ],
-        ),
-      ],
-    );
-  }
-}
-
-class _TokenContractField extends StatelessWidget {
-  const _TokenContractField({required this.controller});
-
-  final TextEditingController controller;
-
-  @override
-  Widget build(BuildContext context) {
-    return TextField(
-      controller: controller,
-      decoration: const InputDecoration(
-        labelText: 'Token contract',
-        hintText: '0x...',
-        border: OutlineInputBorder(),
-      ),
-    );
-  }
-}
-
-class _TokenRecipientField extends StatelessWidget {
-  const _TokenRecipientField({required this.controller});
-
-  final TextEditingController controller;
-
-  @override
-  Widget build(BuildContext context) {
-    return TextField(
-      controller: controller,
-      decoration: const InputDecoration(
-        labelText: 'Token recipient',
-        hintText: '0x... or leave empty for any recipient',
-        border: OutlineInputBorder(),
-      ),
-    );
-  }
-}
-
-class _TokenVolumeLimitsField extends StatelessWidget {
-  const _TokenVolumeLimitsField({
-    required this.values,
-    required this.onChanged,
-  });
-
-  final List<_VolumeLimitValue> values;
-  final ValueChanged<List<_VolumeLimitValue>> onChanged;
-
-  @override
-  Widget build(BuildContext context) {
-    return Column(
-      crossAxisAlignment: CrossAxisAlignment.start,
-      children: [
-        Row(
-          children: [
-            Expanded(
-              child: Text(
-                'Token volume limits',
-                style: Theme.of(context).textTheme.labelLarge?.copyWith(
-                  fontWeight: FontWeight.w800,
-                ),
-              ),
-            ),
-            TextButton.icon(
-              onPressed: () =>
-                  onChanged([...values, const _VolumeLimitValue()]),
-              icon: const Icon(Icons.add_rounded),
-              label: const Text('Add'),
-            ),
-          ],
-        ),
-        SizedBox(height: 0.8.h),
-        for (var i = 0; i < values.length; i++)
-          Padding(
-            padding: EdgeInsets.only(bottom: 1.h),
-            child: _TokenVolumeLimitRow(
-              value: values[i],
-              onChanged: (next) {
-                final updated = [...values];
-                updated[i] = next;
-                onChanged(updated);
-              },
-              onRemove: values.length == 1
-                  ? null
-                  : () {
-                      final updated = [...values]..removeAt(i);
-                      onChanged(updated);
-                    },
-            ),
-          ),
-      ],
-    );
-  }
-}
-
-class _TokenVolumeLimitRow extends StatelessWidget {
-  const _TokenVolumeLimitRow({
-    required this.value,
-    required this.onChanged,
-    required this.onRemove,
-  });
-
-  final _VolumeLimitValue value;
-  final ValueChanged<_VolumeLimitValue> onChanged;
-  final VoidCallback? onRemove;
-
-  @override
-  Widget build(BuildContext context) {
-    final amountController = TextEditingController(text: value.amount);
-    final windowController = TextEditingController(text: value.windowSeconds);
-
-    return Row(
-      children: [
-        Expanded(
-          child: TextField(
-            controller: amountController,
-            onChanged: (next) =>
-                onChanged(value.copyWith(amount: next)),
-            decoration: const InputDecoration(
-              labelText: 'Max volume',
-              border: OutlineInputBorder(),
-            ),
-          ),
-        ),
-        SizedBox(width: 1.w),
-        Expanded(
-          child: TextField(
-            controller: windowController,
-            onChanged: (next) =>
-                onChanged(value.copyWith(windowSeconds: next)),
-            decoration: const InputDecoration(
-              labelText: 'Window (seconds)',
-              border: OutlineInputBorder(),
-            ),
-          ),
-        ),
-        SizedBox(width: 0.4.w),
-        IconButton(
-          onPressed: onRemove,
-          icon: const Icon(Icons.remove_circle_outline_rounded),
-        ),
-      ],
-    );
-  }
-}
-
-class _VolumeLimitValue {
-  const _VolumeLimitValue({this.amount = '', this.windowSeconds = ''});
-
-  final String amount;
-  final String windowSeconds;
-
-  _VolumeLimitValue copyWith({String? amount, String? windowSeconds}) {
-    return _VolumeLimitValue(
-      amount: amount ?? this.amount,
-      windowSeconds: windowSeconds ?? this.windowSeconds,
-    );
-  }
-}
-
-Timestamp _toTimestamp(DateTime value) {
-  final utc = value.toUtc();
-  return Timestamp()
-    ..seconds = Int64(utc.millisecondsSinceEpoch ~/ 1000)
-    ..nanos = (utc.microsecondsSinceEpoch % 1000000) * 1000;
-}
-
-TransactionRateLimit? _buildRateLimit(String countText, String windowText) {
-  if (countText.trim().isEmpty || windowText.trim().isEmpty) {
-    return null;
-  }
-  return TransactionRateLimit(
-    count: int.parse(countText.trim()),
-    windowSecs: Int64.parseInt(windowText.trim()),
-  );
-}
-
-VolumeRateLimit? _buildVolumeLimit(String amountText, String windowText) {
-  if (amountText.trim().isEmpty || windowText.trim().isEmpty) {
-    return null;
-  }
-  return VolumeRateLimit(
-    maxVolume: _parseBigIntBytes(amountText),
-    windowSecs: Int64.parseInt(windowText.trim()),
-  );
-}
-
-List<int>? _optionalBigIntBytes(String value) {
-  if (value.trim().isEmpty) {
-    return null;
-  }
-  return _parseBigIntBytes(value);
-}
-
-List<int> _parseBigIntBytes(String value) {
-  final number = BigInt.parse(value.trim());
-  if (number < BigInt.zero) {
-    throw Exception('Numeric values must be positive.');
-  }
-  if (number == BigInt.zero) {
-    return [0];
-  }
-
-  var remaining = number;
-  final bytes = <int>[];
-  while (remaining > BigInt.zero) {
-    bytes.insert(0, (remaining & BigInt.from(0xff)).toInt());
-    remaining >>= 8;
-  }
-  return bytes;
-}
-
-List<List<int>> _parseAddresses(String input) {
-  final parts = input
-      .split(RegExp(r'[\n,]'))
-      .map((part) => part.trim())
-      .where((part) => part.isNotEmpty);
-  return parts.map(_parseHexAddress).toList();
-}
-
-List<int> _parseHexAddress(String value) {
-  final normalized = value.trim().replaceFirst(RegExp(r'^0x'), '');
-  if (normalized.length != 40) {
-    throw Exception('Expected a 20-byte hex address.');
-  }
-  return [
-    for (var i = 0; i < normalized.length; i += 2)
-      int.parse(normalized.substring(i, i + 2), radix: 16),
-  ];
-}
-
-String _shortAddress(List<int> bytes) {
-  final hex = bytes
-      .map((byte) => byte.toRadixString(16).padLeft(2, '0'))
-      .join();
-  return '0x${hex.substring(0, 6)}...${hex.substring(hex.length - 4)}';
-}
-
-void _showCreateMessage(BuildContext context, String message) {
-  if (!context.mounted) {
-    return;
-  }
-  ScaffoldMessenger.of(context).showSnackBar(
-    SnackBar(content: Text(message), behavior: SnackBarBehavior.floating),
-  );
-}
-
-String _formatCreateError(Object error) {
-  final text = error.toString();
-  if (text.startsWith('Exception: ')) {
-    return text.substring('Exception: '.length);
-  }
-  return text;
-}
diff --git a/useragent/lib/theme/palette.dart b/useragent/lib/theme/palette.dart
index a2a5194..be95981 100644
--- a/useragent/lib/theme/palette.dart
+++ b/useragent/lib/theme/palette.dart
@@ -6,4 +6,7 @@ class Palette {
   static const cream = Color(0xFFFFFAF4);
   static const line = Color(0x1A15263C);
   static const token = Color(0xFF5C6BC0);
+  static const cardBorder = Color(0x1A17324A);
+  static const introGradientStart = Color(0xFFF7F9FC);
+  static const introGradientEnd = Color(0xFFFDF5EA);
 }
diff --git a/useragent/pubspec.lock b/useragent/pubspec.lock
index 1bbf08a..a051ec2 100644
--- a/useragent/pubspec.lock
+++ b/useragent/pubspec.lock
@@ -45,10 +45,10 @@ packages:
     dependency: transitive
     description:
       name: async
-      sha256: "758e6d74e971c3e5aceb4110bfd6698efc7f501675bcfe0c775459a8140750eb"
+      sha256: e2eb0491ba5ddb6177742d2da23904574082139b07c1e33b8503b9f46f3e1a37
       url: "https://pub.dev"
     source: hosted
-    version: "2.13.0"
+    version: "2.13.1"
   auto_route:
     dependency: "direct main"
     description:
@@ -69,10 +69,10 @@ packages:
     dependency: "direct main"
     description:
       name: biometric_signature
-      sha256: "0d22580388e5cc037f6f829b29ecda74e343fd61d26c55e33cbcf48a48e5c1dc"
+      sha256: "86a37a8b514eb3b56980ab6cc9df48ffc3c551147bdf8e3bf2afb2265a7f89e8"
       url: "https://pub.dev"
     source: hosted
-    version: "10.2.0"
+    version: "11.0.1"
   bloc:
     dependency: transitive
     description:
@@ -93,10 +93,10 @@ packages:
     dependency: transitive
     description:
       name: build
-      sha256: "275bf6bb2a00a9852c28d4e0b410da1d833a734d57d39d44f94bfc895a484ec3"
+      sha256: aadd943f4f8cc946882c954c187e6115a84c98c81ad1d9c6cbf0895a8c85da9c
       url: "https://pub.dev"
     source: hosted
-    version: "4.0.4"
+    version: "4.0.5"
   build_config:
     dependency: transitive
     description:
@@ -117,10 +117,10 @@ packages:
     dependency: "direct dev"
     description:
       name: build_runner
-      sha256: "7981eb922842c77033026eb4341d5af651562008cdb116bdfa31fc46516b6462"
+      sha256: "521daf8d189deb79ba474e43a696b41c49fb3987818dbacf3308f1e03673a75e"
       url: "https://pub.dev"
     source: hosted
-    version: "2.12.2"
+    version: "2.13.1"
   built_collection:
     dependency: transitive
     description:
@@ -133,10 +133,10 @@ packages:
     dependency: transitive
     description:
       name: built_value
-      sha256: "6ae8a6435a8c6520c7077b107e77f1fb4ba7009633259a4d49a8afd8e7efc5e9"
+      sha256: "0730c18c770d05636a8f945c32a4d7d81cb6e0f0148c8db4ad12e7748f7e49af"
       url: "https://pub.dev"
     source: hosted
-    version: "8.12.4"
+    version: "8.12.5"
   characters:
     dependency: transitive
     description:
@@ -245,10 +245,10 @@ packages:
     dependency: "direct main"
     description:
       name: cupertino_icons
-      sha256: ba631d1c7f7bef6b729a622b7b752645a2d076dba9976925b8f25725a30e1ee6
+      sha256: "41e005c33bd814be4d3096aff55b1908d419fde52ca656c8c47719ec745873cd"
       url: "https://pub.dev"
     source: hosted
-    version: "1.0.8"
+    version: "1.0.9"
   dart_style:
     dependency: transitive
     description:
@@ -311,6 +311,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "9.1.1"
+  flutter_form_builder:
+    dependency: "direct main"
+    description:
+      name: flutter_form_builder
+      sha256: "1233251b4bc1d5deb245745d2a89dcebf4cdd382e1ec3f21f1c6703b700e574f"
+      url: "https://pub.dev"
+    source: hosted
+    version: "10.3.0+2"
   flutter_hooks:
     dependency: "direct main"
     description:
@@ -653,10 +661,10 @@ packages:
     dependency: transitive
     description:
       name: mockito
-      sha256: a45d1aa065b796922db7b9e7e7e45f921aed17adf3a8318a1f47097e7e695566
+      sha256: eff30d002f0c8bf073b6f929df4483b543133fcafce056870163587b03f1d422
       url: "https://pub.dev"
     source: hosted
-    version: "5.6.3"
+    version: "5.6.4"
   mtcore:
     dependency: "direct main"
     description:
@@ -669,10 +677,10 @@ packages:
     dependency: transitive
     description:
       name: native_toolchain_c
-      sha256: "92b2ca62c8bd2b8d2f267cdfccf9bfbdb7322f778f8f91b3ce5b5cda23a3899f"
+      sha256: "6ba77bb18063eebe9de401f5e6437e95e1438af0a87a3a39084fbd37c90df572"
       url: "https://pub.dev"
     source: hosted
-    version: "0.17.5"
+    version: "0.17.6"
   nested:
     dependency: transitive
     description:
@@ -725,10 +733,10 @@ packages:
     dependency: transitive
     description:
       name: path_provider_android
-      sha256: f2c65e21139ce2c3dad46922be8272bb5963516045659e71bb16e151c93b580e
+      sha256: "149441ca6e4f38193b2e004c0ca6376a3d11f51fa5a77552d8bd4d2b0c0912ba"
       url: "https://pub.dev"
     source: hosted
-    version: "2.2.22"
+    version: "2.2.23"
   path_provider_foundation:
     dependency: transitive
     description:
@@ -938,10 +946,10 @@ packages:
     dependency: transitive
     description:
       name: source_gen
-      sha256: adc962c96fffb2de1728ef396a995aaedcafbe635abdca13d2a987ce17e57751
+      sha256: "732792cfd197d2161a65bb029606a46e0a18ff30ef9e141a7a82172b05ea8ecd"
       url: "https://pub.dev"
     source: hosted
-    version: "4.2.1"
+    version: "4.2.2"
   source_helper:
     dependency: transitive
     description:
@@ -1018,26 +1026,26 @@ packages:
     dependency: "direct main"
     description:
       name: talker
-      sha256: "46a60c6014a870a71ab8e3fa22f9580a8d36faf9b39431dcf124940601c0c266"
+      sha256: c364edc0fbd6c648e1a78e6edd89cccd64df2150ca96d899ecd486b76c185042
       url: "https://pub.dev"
     source: hosted
-    version: "5.1.15"
+    version: "5.1.16"
   talker_flutter:
     dependency: transitive
     description:
       name: talker_flutter
-      sha256: "7e1819c505cdcbf2cf6497410b8fa3b33d170e6f137716bd278940c0e509f414"
+      sha256: "54cbbf852101721664faf4a05639fd2fdefdc37178327990abea00390690d4bc"
       url: "https://pub.dev"
     source: hosted
-    version: "5.1.15"
+    version: "5.1.16"
   talker_logger:
     dependency: transitive
     description:
       name: talker_logger
-      sha256: "70112d016d7b978ccb7ef0b0f4941e0f0b0de88d80589db43143cea1d744eae0"
+      sha256: cea1b8283a28c2118a0b197057fc5beb5b0672c75e40a48725e5e452c0278ff3
       url: "https://pub.dev"
     source: hosted
-    version: "5.1.15"
+    version: "5.1.16"
   term_glyph:
     dependency: transitive
     description:
diff --git a/useragent/pubspec.yaml b/useragent/pubspec.yaml
index 85201b6..9a77966 100644
--- a/useragent/pubspec.yaml
+++ b/useragent/pubspec.yaml
@@ -17,7 +17,7 @@ dependencies:
   riverpod: ^3.1.0
   hooks_riverpod: ^3.1.0
   sizer: ^3.1.3
-  biometric_signature: ^10.2.0
+  biometric_signature: ^11.0.1
   mtcore:
     hosted: https://git.markettakers.org/api/packages/MarketTakers/pub/
     version: ^1.0.6
@@ -34,6 +34,7 @@ dependencies:
   freezed_annotation: ^3.1.0
   json_annotation: ^4.9.0
   timeago: ^3.7.1
+  flutter_form_builder: ^10.3.0+2
 
 dev_dependencies:
   flutter_test:

From cfe01ba1ad5250f1e71a80a88ac44c894671a8f5 Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sun, 29 Mar 2026 12:47:27 +0200
Subject: [PATCH 14/29] refactor(server, protocol): split big message files
 into smaller and domain-based

---
 protobufs/user_agent.proto                    | 197 +--------
 protobufs/user_agent/auth.proto               |  48 +++
 protobufs/user_agent/evm.proto                |  26 ++
 protobufs/user_agent/sdk_client.proto         | 100 +++++
 protobufs/user_agent/vault/bootstrap.proto    |  24 ++
 protobufs/user_agent/vault/unseal.proto       |  37 ++
 protobufs/user_agent/vault/vault.proto        |  31 ++
 server/crates/arbiter-proto/src/lib.rs        |  24 ++
 .../arbiter-server/src/grpc/user_agent.rs     | 399 +-----------------
 .../src/grpc/user_agent/auth.rs               |  60 +--
 .../arbiter-server/src/grpc/user_agent/evm.rs | 170 ++++++++
 .../src/grpc/user_agent/inbound.rs            |   6 +-
 .../src/grpc/user_agent/outbound.rs           |   4 +-
 .../src/grpc/user_agent/sdk_client.rs         | 190 +++++++++
 .../src/grpc/user_agent/vault.rs              | 180 ++++++++
 useragent/macos/Podfile.lock                  |   4 +-
 16 files changed, 902 insertions(+), 598 deletions(-)
 create mode 100644 protobufs/user_agent/auth.proto
 create mode 100644 protobufs/user_agent/evm.proto
 create mode 100644 protobufs/user_agent/sdk_client.proto
 create mode 100644 protobufs/user_agent/vault/bootstrap.proto
 create mode 100644 protobufs/user_agent/vault/unseal.proto
 create mode 100644 protobufs/user_agent/vault/vault.proto
 create mode 100644 server/crates/arbiter-server/src/grpc/user_agent/evm.rs
 create mode 100644 server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
 create mode 100644 server/crates/arbiter-server/src/grpc/user_agent/vault.rs

diff --git a/protobufs/user_agent.proto b/protobufs/user_agent.proto
index 79e0f2c..20fe81c 100644
--- a/protobufs/user_agent.proto
+++ b/protobufs/user_agent.proto
@@ -2,198 +2,27 @@ syntax = "proto3";
 
 package arbiter.user_agent;
 
-import "client.proto";
-import "evm.proto";
-import "google/protobuf/empty.proto";
-
-enum KeyType {
-  KEY_TYPE_UNSPECIFIED = 0;
-  KEY_TYPE_ED25519 = 1;
-  KEY_TYPE_ECDSA_SECP256K1 = 2;
-  KEY_TYPE_RSA = 3;
-}
-
-// --- SDK client management ---
-
-enum SdkClientError {
-  SDK_CLIENT_ERROR_UNSPECIFIED = 0;
-  SDK_CLIENT_ERROR_ALREADY_EXISTS = 1;
-  SDK_CLIENT_ERROR_NOT_FOUND = 2;
-  SDK_CLIENT_ERROR_HAS_RELATED_DATA = 3; // hard-delete blocked by FK (client has grants or transaction logs)
-  SDK_CLIENT_ERROR_INTERNAL = 4;
-}
-
-message SdkClientRevokeRequest {
-  int32 client_id = 1;
-}
-
-message SdkClientEntry {
-  int32 id = 1;
-  bytes pubkey = 2;
-  arbiter.client.ClientInfo info = 3;
-  int32 created_at = 4;
-}
-
-message SdkClientList {
-  repeated SdkClientEntry clients = 1;
-}
-
-message SdkClientRevokeResponse {
-  oneof result {
-    google.protobuf.Empty ok = 1;
-    SdkClientError error = 2;
-  }
-}
-
-message SdkClientListResponse {
-  oneof result {
-    SdkClientList clients = 1;
-    SdkClientError error = 2;
-  }
-}
-
-message AuthChallengeRequest {
-  bytes pubkey = 1;
-  optional string bootstrap_token = 2;
-  KeyType key_type = 3;
-}
-
-message AuthChallenge {
-  int32 nonce = 2;
-  reserved 1;
-}
-
-message AuthChallengeSolution {
-  bytes signature = 1;
-}
-
-enum AuthResult {
-  AUTH_RESULT_UNSPECIFIED = 0;
-  AUTH_RESULT_SUCCESS = 1;
-  AUTH_RESULT_INVALID_KEY = 2;
-  AUTH_RESULT_INVALID_SIGNATURE = 3;
-  AUTH_RESULT_BOOTSTRAP_REQUIRED = 4;
-  AUTH_RESULT_TOKEN_INVALID = 5;
-  AUTH_RESULT_INTERNAL = 6;
-}
-
-message UnsealStart {
-  bytes client_pubkey = 1;
-}
-
-message UnsealStartResponse {
-  bytes server_pubkey = 1;
-}
-message UnsealEncryptedKey {
-  bytes nonce = 1;
-  bytes ciphertext = 2;
-  bytes associated_data = 3;
-}
-
-message BootstrapEncryptedKey {
-  bytes nonce = 1;
-  bytes ciphertext = 2;
-  bytes associated_data = 3;
-}
-
-enum UnsealResult {
-  UNSEAL_RESULT_UNSPECIFIED = 0;
-  UNSEAL_RESULT_SUCCESS = 1;
-  UNSEAL_RESULT_INVALID_KEY = 2;
-  UNSEAL_RESULT_UNBOOTSTRAPPED = 3;
-}
-
-enum BootstrapResult {
-  BOOTSTRAP_RESULT_UNSPECIFIED = 0;
-  BOOTSTRAP_RESULT_SUCCESS = 1;
-  BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED = 2;
-  BOOTSTRAP_RESULT_INVALID_KEY = 3;
-}
-
-enum VaultState {
-  VAULT_STATE_UNSPECIFIED = 0;
-  VAULT_STATE_UNBOOTSTRAPPED = 1;
-  VAULT_STATE_SEALED = 2;
-  VAULT_STATE_UNSEALED = 3;
-  VAULT_STATE_ERROR = 4;
-}
-
-message SdkClientConnectionRequest {
-  bytes pubkey = 1;
-  arbiter.client.ClientInfo info = 2;
-}
-
-message SdkClientConnectionResponse {
-  bool approved = 1;
-  bytes pubkey = 2;
-}
-
-message SdkClientConnectionCancel {
-  bytes pubkey = 1;
-}
-
-message WalletAccess {
-  int32 wallet_id = 1;
-  int32 sdk_client_id = 2;
-}
-
-message SdkClientWalletAccess {
-  int32 id = 1;
-  WalletAccess access = 2;
-}
-
-message SdkClientGrantWalletAccess {
-  repeated WalletAccess accesses = 1;
-}
-
-message SdkClientRevokeWalletAccess {
-  repeated int32 accesses = 1;
-}
-
-message ListWalletAccessResponse {
-  repeated SdkClientWalletAccess accesses = 1;
-}
+import "user_agent/auth.proto";
+import "user_agent/evm.proto";
+import "user_agent/sdk_client.proto";
+import "user_agent/vault/vault.proto";
 
 message UserAgentRequest {
   int32 id = 16;
   oneof payload {
-    AuthChallengeRequest auth_challenge_request = 1;
-    AuthChallengeSolution auth_challenge_solution = 2;
-    UnsealStart unseal_start = 3;
-    UnsealEncryptedKey unseal_encrypted_key = 4;
-    google.protobuf.Empty query_vault_state = 5;
-    google.protobuf.Empty evm_wallet_create = 6;
-    google.protobuf.Empty evm_wallet_list = 7;
-    arbiter.evm.EvmGrantCreateRequest evm_grant_create = 8;
-    arbiter.evm.EvmGrantDeleteRequest evm_grant_delete = 9;
-    arbiter.evm.EvmGrantListRequest evm_grant_list = 10;
-    SdkClientConnectionResponse sdk_client_connection_response = 11;
-    SdkClientRevokeRequest sdk_client_revoke = 12;
-    google.protobuf.Empty sdk_client_list = 13;
-    BootstrapEncryptedKey bootstrap_encrypted_key = 14;
-    SdkClientGrantWalletAccess grant_wallet_access = 15;
-    SdkClientRevokeWalletAccess revoke_wallet_access = 17;
-    google.protobuf.Empty list_wallet_access = 18;
+    auth.Request auth = 1;
+    vault.Request vault = 2;
+    evm.Request evm = 3;
+    sdk_client.Request sdk_client = 4;
   }
 }
+
 message UserAgentResponse {
   optional int32 id = 16;
   oneof payload {
-    AuthChallenge auth_challenge = 1;
-    AuthResult auth_result = 2;
-    UnsealStartResponse unseal_start_response = 3;
-    UnsealResult unseal_result = 4;
-    VaultState vault_state = 5;
-    arbiter.evm.WalletCreateResponse evm_wallet_create = 6;
-    arbiter.evm.WalletListResponse evm_wallet_list = 7;
-    arbiter.evm.EvmGrantCreateResponse evm_grant_create = 8;
-    arbiter.evm.EvmGrantDeleteResponse evm_grant_delete = 9;
-    arbiter.evm.EvmGrantListResponse evm_grant_list = 10;
-    SdkClientConnectionRequest sdk_client_connection_request = 11;
-    SdkClientConnectionCancel sdk_client_connection_cancel = 12;
-    SdkClientRevokeResponse sdk_client_revoke_response = 13;
-    SdkClientListResponse sdk_client_list_response = 14;
-    BootstrapResult bootstrap_result = 15;
-    ListWalletAccessResponse list_wallet_access_response = 17;
+    auth.Response auth = 1;
+    vault.Response vault = 2;
+    evm.Response evm = 3;
+    sdk_client.Response sdk_client = 4;
   }
 }
diff --git a/protobufs/user_agent/auth.proto b/protobufs/user_agent/auth.proto
new file mode 100644
index 0000000..d2c5528
--- /dev/null
+++ b/protobufs/user_agent/auth.proto
@@ -0,0 +1,48 @@
+syntax = "proto3";
+
+package arbiter.user_agent.auth;
+
+enum KeyType {
+  KEY_TYPE_UNSPECIFIED = 0;
+  KEY_TYPE_ED25519 = 1;
+  KEY_TYPE_ECDSA_SECP256K1 = 2;
+  KEY_TYPE_RSA = 3;
+}
+
+message AuthChallengeRequest {
+  bytes pubkey = 1;
+  optional string bootstrap_token = 2;
+  KeyType key_type = 3;
+}
+
+message AuthChallenge {
+  int32 nonce = 1;
+}
+
+message AuthChallengeSolution {
+  bytes signature = 1;
+}
+
+enum AuthResult {
+  AUTH_RESULT_UNSPECIFIED = 0;
+  AUTH_RESULT_SUCCESS = 1;
+  AUTH_RESULT_INVALID_KEY = 2;
+  AUTH_RESULT_INVALID_SIGNATURE = 3;
+  AUTH_RESULT_BOOTSTRAP_REQUIRED = 4;
+  AUTH_RESULT_TOKEN_INVALID = 5;
+  AUTH_RESULT_INTERNAL = 6;
+}
+
+message Request {
+  oneof payload {
+    AuthChallengeRequest challenge_request = 1;
+    AuthChallengeSolution challenge_solution = 2;
+  }
+}
+
+message Response {
+  oneof payload {
+    AuthChallenge challenge = 1;
+    AuthResult result = 2;
+  }
+}
diff --git a/protobufs/user_agent/evm.proto b/protobufs/user_agent/evm.proto
new file mode 100644
index 0000000..5668d4d
--- /dev/null
+++ b/protobufs/user_agent/evm.proto
@@ -0,0 +1,26 @@
+syntax = "proto3";
+
+package arbiter.user_agent.evm;
+
+import "evm.proto";
+import "google/protobuf/empty.proto";
+
+message Request {
+  oneof payload {
+    google.protobuf.Empty wallet_create = 1;
+    google.protobuf.Empty wallet_list = 2;
+    arbiter.evm.EvmGrantCreateRequest grant_create = 3;
+    arbiter.evm.EvmGrantDeleteRequest grant_delete = 4;
+    arbiter.evm.EvmGrantListRequest grant_list = 5;
+  }
+}
+
+message Response {
+  oneof payload {
+    arbiter.evm.WalletCreateResponse wallet_create = 1;
+    arbiter.evm.WalletListResponse wallet_list = 2;
+    arbiter.evm.EvmGrantCreateResponse grant_create = 3;
+    arbiter.evm.EvmGrantDeleteResponse grant_delete = 4;
+    arbiter.evm.EvmGrantListResponse grant_list = 5;
+  }
+}
diff --git a/protobufs/user_agent/sdk_client.proto b/protobufs/user_agent/sdk_client.proto
new file mode 100644
index 0000000..62f2a70
--- /dev/null
+++ b/protobufs/user_agent/sdk_client.proto
@@ -0,0 +1,100 @@
+syntax = "proto3";
+
+package arbiter.user_agent.sdk_client;
+
+import "client.proto";
+import "google/protobuf/empty.proto";
+
+enum Error {
+  ERROR_UNSPECIFIED = 0;
+  ERROR_ALREADY_EXISTS = 1;
+  ERROR_NOT_FOUND = 2;
+  ERROR_HAS_RELATED_DATA = 3; // hard-delete blocked by FK (client has grants or transaction logs)
+  ERROR_INTERNAL = 4;
+}
+
+message RevokeRequest {
+  int32 client_id = 1;
+}
+
+message Entry {
+  int32 id = 1;
+  bytes pubkey = 2;
+  arbiter.client.ClientInfo info = 3;
+  int32 created_at = 4;
+}
+
+message List {
+  repeated Entry clients = 1;
+}
+
+message RevokeResponse {
+  oneof result {
+    google.protobuf.Empty ok = 1;
+    Error error = 2;
+  }
+}
+
+message ListResponse {
+  oneof result {
+    List clients = 1;
+    Error error = 2;
+  }
+}
+
+message ConnectionRequest {
+  bytes pubkey = 1;
+  arbiter.client.ClientInfo info = 2;
+}
+
+message ConnectionResponse {
+  bool approved = 1;
+  bytes pubkey = 2;
+}
+
+message ConnectionCancel {
+  bytes pubkey = 1;
+}
+
+message WalletAccess {
+  int32 wallet_id = 1;
+  int32 sdk_client_id = 2;
+}
+
+message WalletAccessEntry {
+  int32 id = 1;
+  WalletAccess access = 2;
+}
+
+message GrantWalletAccess {
+  repeated WalletAccess accesses = 1;
+}
+
+message RevokeWalletAccess {
+  repeated int32 accesses = 1;
+}
+
+message ListWalletAccessResponse {
+  repeated WalletAccessEntry accesses = 1;
+}
+
+message Request {
+  oneof payload {
+    ConnectionResponse connection_response = 1;
+    RevokeRequest revoke = 2;
+    google.protobuf.Empty list = 3;
+    GrantWalletAccess grant_wallet_access = 4;
+    RevokeWalletAccess revoke_wallet_access = 5;
+    google.protobuf.Empty list_wallet_access = 6;
+  }
+}
+
+message Response {
+  oneof payload {
+    ConnectionRequest connection_request = 1;
+    ConnectionCancel connection_cancel = 2;
+    RevokeResponse revoke = 3;
+    ListResponse list = 4;
+    ListWalletAccessResponse list_wallet_access = 5;
+  }
+}
diff --git a/protobufs/user_agent/vault/bootstrap.proto b/protobufs/user_agent/vault/bootstrap.proto
new file mode 100644
index 0000000..8a009cf
--- /dev/null
+++ b/protobufs/user_agent/vault/bootstrap.proto
@@ -0,0 +1,24 @@
+syntax = "proto3";
+
+package arbiter.user_agent.vault.bootstrap;
+
+message BootstrapEncryptedKey {
+  bytes nonce = 1;
+  bytes ciphertext = 2;
+  bytes associated_data = 3;
+}
+
+enum BootstrapResult {
+  BOOTSTRAP_RESULT_UNSPECIFIED = 0;
+  BOOTSTRAP_RESULT_SUCCESS = 1;
+  BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED = 2;
+  BOOTSTRAP_RESULT_INVALID_KEY = 3;
+}
+
+message Request {
+  BootstrapEncryptedKey encrypted_key = 2;
+}
+
+message Response {
+  BootstrapResult result = 1;
+}
diff --git a/protobufs/user_agent/vault/unseal.proto b/protobufs/user_agent/vault/unseal.proto
new file mode 100644
index 0000000..8d0c378
--- /dev/null
+++ b/protobufs/user_agent/vault/unseal.proto
@@ -0,0 +1,37 @@
+syntax = "proto3";
+
+package arbiter.user_agent.vault.unseal;
+
+message UnsealStart {
+  bytes client_pubkey = 1;
+}
+
+message UnsealStartResponse {
+  bytes server_pubkey = 1;
+}
+message UnsealEncryptedKey {
+  bytes nonce = 1;
+  bytes ciphertext = 2;
+  bytes associated_data = 3;
+}
+
+enum UnsealResult {
+  UNSEAL_RESULT_UNSPECIFIED = 0;
+  UNSEAL_RESULT_SUCCESS = 1;
+  UNSEAL_RESULT_INVALID_KEY = 2;
+  UNSEAL_RESULT_UNBOOTSTRAPPED = 3;
+}
+
+message Request {
+  oneof payload {
+    UnsealStart start = 1;
+    UnsealEncryptedKey encrypted_key = 2;
+  }
+}
+
+message Response {
+  oneof payload {
+    UnsealStartResponse start = 1;
+    UnsealResult result = 2;
+  }
+}
diff --git a/protobufs/user_agent/vault/vault.proto b/protobufs/user_agent/vault/vault.proto
new file mode 100644
index 0000000..640b0d3
--- /dev/null
+++ b/protobufs/user_agent/vault/vault.proto
@@ -0,0 +1,31 @@
+syntax = "proto3";
+
+package arbiter.user_agent.vault;
+
+import "google/protobuf/empty.proto";
+import "user_agent/vault/bootstrap.proto";
+import "user_agent/vault/unseal.proto";
+
+enum VaultState {
+  VAULT_STATE_UNSPECIFIED = 0;
+  VAULT_STATE_UNBOOTSTRAPPED = 1;
+  VAULT_STATE_SEALED = 2;
+  VAULT_STATE_UNSEALED = 3;
+  VAULT_STATE_ERROR = 4;
+}
+
+message Request {
+  oneof payload {
+    google.protobuf.Empty query_state = 1;
+    unseal.Request unseal = 2;
+    bootstrap.Request bootstrap = 3;
+  }
+}
+
+message Response {
+  oneof payload {
+    VaultState state = 1;
+    unseal.Response unseal = 2;
+    bootstrap.Response bootstrap = 3;
+  }
+}
diff --git a/server/crates/arbiter-proto/src/lib.rs b/server/crates/arbiter-proto/src/lib.rs
index 732ee65..323254a 100644
--- a/server/crates/arbiter-proto/src/lib.rs
+++ b/server/crates/arbiter-proto/src/lib.rs
@@ -8,6 +8,30 @@ pub mod proto {
 
     pub mod user_agent {
         tonic::include_proto!("arbiter.user_agent");
+
+        pub mod auth {
+            tonic::include_proto!("arbiter.user_agent.auth");
+        }
+
+        pub mod evm {
+            tonic::include_proto!("arbiter.user_agent.evm");
+        }
+
+        pub mod sdk_client {
+            tonic::include_proto!("arbiter.user_agent.sdk_client");
+        }
+
+        pub mod vault {
+            tonic::include_proto!("arbiter.user_agent.vault");
+
+            pub mod bootstrap {
+                tonic::include_proto!("arbiter.user_agent.vault.bootstrap");
+            }
+
+            pub mod unseal {
+                tonic::include_proto!("arbiter.user_agent.vault.unseal");
+            }
+        }
     }
 
     pub mod client {
diff --git a/server/crates/arbiter-server/src/grpc/user_agent.rs b/server/crates/arbiter-server/src/grpc/user_agent.rs
index 3a8de53..4a32ab7 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent.rs
@@ -2,29 +2,8 @@ use tokio::sync::mpsc;
 
 use arbiter_proto::{
     proto::{
-        client::ClientInfo as ProtoClientMetadata,
-        evm::{
-            EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
-            EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse,
-            GrantEntry, WalletCreateResponse, WalletEntry, WalletList, WalletListResponse,
-            evm_grant_create_response::Result as EvmGrantCreateResult,
-            evm_grant_delete_response::Result as EvmGrantDeleteResult,
-            evm_grant_list_response::Result as EvmGrantListResult,
-            wallet_create_response::Result as WalletCreateResult,
-            wallet_list_response::Result as WalletListResult,
-        },
         user_agent::{
-            BootstrapEncryptedKey as ProtoBootstrapEncryptedKey,
-            BootstrapResult as ProtoBootstrapResult, ListWalletAccessResponse,
-            SdkClientConnectionCancel as ProtoSdkClientConnectionCancel,
-            SdkClientConnectionRequest as ProtoSdkClientConnectionRequest,
-            SdkClientEntry as ProtoSdkClientEntry, SdkClientError as ProtoSdkClientError,
-            SdkClientGrantWalletAccess, SdkClientList as ProtoSdkClientList,
-            SdkClientListResponse as ProtoSdkClientListResponse, SdkClientRevokeWalletAccess,
-            UnsealEncryptedKey as ProtoUnsealEncryptedKey,
-            UnsealResult as ProtoUnsealResult, UnsealStart, UserAgentRequest, UserAgentResponse,
-            VaultState as ProtoVaultState,
-            sdk_client_list_response::Result as ProtoSdkClientListResult,
+            UserAgentRequest, UserAgentResponse,
             user_agent_request::Payload as UserAgentRequestPayload,
             user_agent_response::Payload as UserAgentResponsePayload,
         },
@@ -32,33 +11,20 @@ use arbiter_proto::{
     transport::{Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
 use async_trait::async_trait;
-use kameo::{
-    actor::{ActorRef, Spawn as _},
-    error::SendError,
-};
+use kameo::actor::{ActorRef, Spawn as _};
 use tonic::Status;
 use tracing::{error, info, warn};
 
 use crate::{
-    actors::{
-        keyholder::KeyHolderState,
-        user_agent::{
-            OutOfBand, UserAgentConnection, UserAgentSession,
-            session::connection::{
-                BootstrapError, HandleBootstrapEncryptedKey, HandleEvmWalletCreate,
-                HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete,
-                HandleGrantEvmWalletAccess, HandleGrantList, HandleListWalletAccess,
-                HandleNewClientApprove, HandleQueryVaultState, HandleRevokeEvmWalletAccess,
-                HandleSdkClientList, HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
-            },
-        },
-    },
-    db::models::NewEvmWalletAccess,
-    grpc::{Convert, TryConvert, request_tracker::RequestTracker},
+    actors::user_agent::{OutOfBand, UserAgentConnection, UserAgentSession},
+    grpc::request_tracker::RequestTracker,
 };
 mod auth;
+mod evm;
 mod inbound;
 mod outbound;
+mod sdk_client;
+mod vault;
 
 pub struct OutOfBandAdapter(mpsc::Sender<OutOfBand>);
 
@@ -86,23 +52,7 @@ async fn dispatch_loop(
                     return;
                 };
 
-                let payload = match oob {
-                    OutOfBand::ClientConnectionRequest { profile } => {
-                        UserAgentResponsePayload::SdkClientConnectionRequest(ProtoSdkClientConnectionRequest {
-                            pubkey: profile.pubkey.to_bytes().to_vec(),
-                            info: Some(ProtoClientMetadata {
-                                name: profile.metadata.name,
-                                description: profile.metadata.description,
-                                version: profile.metadata.version,
-                            }),
-                        })
-                    }
-                    OutOfBand::ClientConnectionCancel { pubkey } => {
-                        UserAgentResponsePayload::SdkClientConnectionCancel(ProtoSdkClientConnectionCancel {
-                            pubkey: pubkey.to_bytes().to_vec(),
-                        })
-                    }
-                };
+                let payload = sdk_client::out_of_band_payload(oob);
 
                 if bi.send(Ok(UserAgentResponse { id: None, payload: Some(payload) })).await.is_err() {
                     return;
@@ -144,7 +94,7 @@ async fn dispatch_loop(
                     }
                     Ok(None) => {}
                     Err(status) => {
-                         error!(?status, "Failed to process user agent request");
+                        error!(?status, "Failed to process user agent request");
                         let _ = bi.send(Err(status)).await;
                         return;
                     }
@@ -159,337 +109,16 @@ async fn dispatch_inner(
     payload: UserAgentRequestPayload,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
     match payload {
-        UserAgentRequestPayload::UnsealStart(req) => handle_unseal_start(actor, req).await,
-        UserAgentRequestPayload::UnsealEncryptedKey(req) => {
-            handle_unseal_encrypted_key(actor, req).await
-        }
-        UserAgentRequestPayload::BootstrapEncryptedKey(req) => {
-            handle_bootstrap_encrypted_key(actor, req).await
-        }
-        UserAgentRequestPayload::QueryVaultState(_) => handle_query_vault_state(actor).await,
-        UserAgentRequestPayload::EvmWalletCreate(_) => handle_evm_wallet_create(actor).await,
-        UserAgentRequestPayload::EvmWalletList(_) => handle_evm_wallet_list(actor).await,
-        UserAgentRequestPayload::EvmGrantList(_) => handle_evm_grant_list(actor).await,
-        UserAgentRequestPayload::EvmGrantCreate(req) => handle_evm_grant_create(actor, req).await,
-        UserAgentRequestPayload::EvmGrantDelete(req) => handle_evm_grant_delete(actor, req).await,
-        UserAgentRequestPayload::SdkClientConnectionResponse(resp) => {
-            handle_sdk_client_connection_response(actor, resp).await
-        }
-        UserAgentRequestPayload::SdkClientRevoke(_) => {
-            Err(Status::unimplemented("SdkClientRevoke is not yet implemented"))
-        }
-        UserAgentRequestPayload::SdkClientList(_) => handle_sdk_client_list(actor).await,
-        UserAgentRequestPayload::GrantWalletAccess(req) => {
-            handle_grant_wallet_access(actor, req).await
-        }
-        UserAgentRequestPayload::RevokeWalletAccess(req) => {
-            handle_revoke_wallet_access(actor, req).await
-        }
-        UserAgentRequestPayload::ListWalletAccess(_) => handle_list_wallet_access(actor).await,
-        UserAgentRequestPayload::AuthChallengeRequest(..)
-        | UserAgentRequestPayload::AuthChallengeSolution(..) => {
-            warn!(?payload, "Unsupported post-auth user agent request");
+        UserAgentRequestPayload::Vault(req) => vault::dispatch(actor, req).await,
+        UserAgentRequestPayload::Evm(req) => evm::dispatch(actor, req).await,
+        UserAgentRequestPayload::SdkClient(req) => sdk_client::dispatch(actor, req).await,
+        UserAgentRequestPayload::Auth(..) => {
+            warn!("Unsupported post-auth user agent auth request");
             Err(Status::invalid_argument("Unsupported user-agent request"))
         }
     }
 }
 
-async fn handle_unseal_start(
-    actor: &ActorRef<UserAgentSession>,
-    req: UnsealStart,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let client_pubkey = <[u8; 32]>::try_from(req.client_pubkey)
-        .map(x25519_dalek::PublicKey::from)
-        .map_err(|_| Status::invalid_argument("Invalid X25519 public key"))?;
-
-    let response = actor
-        .ask(HandleUnsealRequest { client_pubkey })
-        .await
-        .map_err(|err| {
-            warn!(error = ?err, "Failed to handle unseal start request");
-            Status::internal("Failed to start unseal flow")
-        })?;
-
-    Ok(Some(UserAgentResponsePayload::UnsealStartResponse(
-        arbiter_proto::proto::user_agent::UnsealStartResponse {
-            server_pubkey: response.server_pubkey.as_bytes().to_vec(),
-        },
-    )))
-}
-
-async fn handle_unseal_encrypted_key(
-    actor: &ActorRef<UserAgentSession>,
-    req: ProtoUnsealEncryptedKey,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor
-        .ask(HandleUnsealEncryptedKey {
-            nonce: req.nonce,
-            ciphertext: req.ciphertext,
-            associated_data: req.associated_data,
-        })
-        .await
-    {
-        Ok(()) => ProtoUnsealResult::Success,
-        Err(SendError::HandlerError(UnsealError::InvalidKey)) => ProtoUnsealResult::InvalidKey,
-        Err(err) => {
-            warn!(error = ?err, "Failed to handle unseal request");
-            return Err(Status::internal("Failed to unseal vault"));
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::UnsealResult(result.into())))
-}
-
-async fn handle_bootstrap_encrypted_key(
-    actor: &ActorRef<UserAgentSession>,
-    req: ProtoBootstrapEncryptedKey,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor
-        .ask(HandleBootstrapEncryptedKey {
-            nonce: req.nonce,
-            ciphertext: req.ciphertext,
-            associated_data: req.associated_data,
-        })
-        .await
-    {
-        Ok(()) => ProtoBootstrapResult::Success,
-        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => ProtoBootstrapResult::InvalidKey,
-        Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
-            ProtoBootstrapResult::AlreadyBootstrapped
-        }
-        Err(err) => {
-            warn!(error = ?err, "Failed to handle bootstrap request");
-            return Err(Status::internal("Failed to bootstrap vault"));
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::BootstrapResult(result.into())))
-}
-
-async fn handle_query_vault_state(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let state = match actor.ask(HandleQueryVaultState {}).await {
-        Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
-        Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
-        Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
-        Err(err) => {
-            warn!(error = ?err, "Failed to query vault state");
-            ProtoVaultState::Error
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::VaultState(state.into())))
-}
-
-async fn handle_evm_wallet_create(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleEvmWalletCreate {}).await {
-        Ok((wallet_id, address)) => WalletCreateResult::Wallet(WalletEntry {
-            id: wallet_id,
-            address: address.to_vec(),
-        }),
-        Err(err) => {
-            warn!(error = ?err, "Failed to create EVM wallet");
-            WalletCreateResult::Error(ProtoEvmError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::EvmWalletCreate(
-        WalletCreateResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_evm_wallet_list(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleEvmWalletList {}).await {
-        Ok(wallets) => WalletListResult::Wallets(WalletList {
-            wallets: wallets
-                .into_iter()
-                .map(|(id, address)| WalletEntry {
-                    address: address.to_vec(),
-                    id,
-                })
-                .collect(),
-        }),
-        Err(err) => {
-            warn!(error = ?err, "Failed to list EVM wallets");
-            WalletListResult::Error(ProtoEvmError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::EvmWalletList(
-        WalletListResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_evm_grant_list(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleGrantList {}).await {
-        Ok(grants) => EvmGrantListResult::Grants(EvmGrantList {
-            grants: grants
-                .into_iter()
-                .map(|grant| GrantEntry {
-                    id: grant.id,
-                    wallet_access_id: grant.shared.wallet_access_id,
-                    shared: Some(grant.shared.convert()),
-                    specific: Some(grant.settings.convert()),
-                })
-                .collect(),
-        }),
-        Err(err) => {
-            warn!(error = ?err, "Failed to list EVM grants");
-            EvmGrantListResult::Error(ProtoEvmError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::EvmGrantList(
-        EvmGrantListResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_evm_grant_create(
-    actor: &ActorRef<UserAgentSession>,
-    req: EvmGrantCreateRequest,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let basic = req
-        .shared
-        .ok_or_else(|| Status::invalid_argument("Missing shared grant settings"))?
-        .try_convert()?;
-    let grant = req
-        .specific
-        .ok_or_else(|| Status::invalid_argument("Missing specific grant settings"))?
-        .try_convert()?;
-
-    let result = match actor.ask(HandleGrantCreate { basic, grant }).await {
-        Ok(grant_id) => EvmGrantCreateResult::GrantId(grant_id),
-        Err(err) => {
-            warn!(error = ?err, "Failed to create EVM grant");
-            EvmGrantCreateResult::Error(ProtoEvmError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::EvmGrantCreate(
-        EvmGrantCreateResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_evm_grant_delete(
-    actor: &ActorRef<UserAgentSession>,
-    req: EvmGrantDeleteRequest,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleGrantDelete { grant_id: req.grant_id }).await {
-        Ok(()) => EvmGrantDeleteResult::Ok(()),
-        Err(err) => {
-            warn!(error = ?err, "Failed to delete EVM grant");
-            EvmGrantDeleteResult::Error(ProtoEvmError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::EvmGrantDelete(
-        EvmGrantDeleteResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_sdk_client_connection_response(
-    actor: &ActorRef<UserAgentSession>,
-    resp: arbiter_proto::proto::user_agent::SdkClientConnectionResponse,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let pubkey_bytes = <[u8; 32]>::try_from(resp.pubkey)
-        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key length"))?;
-    let pubkey = ed25519_dalek::VerifyingKey::from_bytes(&pubkey_bytes)
-        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key"))?;
-
-    actor
-        .ask(HandleNewClientApprove {
-            approved: resp.approved,
-            pubkey,
-        })
-        .await
-        .map_err(|err| {
-            warn!(?err, "Failed to process client connection response");
-            Status::internal("Failed to process response")
-        })?;
-
-    Ok(None)
-}
-
-async fn handle_sdk_client_list(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleSdkClientList {}).await {
-        Ok(clients) => ProtoSdkClientListResult::Clients(ProtoSdkClientList {
-            clients: clients
-                .into_iter()
-                .map(|(client, metadata)| ProtoSdkClientEntry {
-                    id: client.id,
-                    pubkey: client.public_key,
-                    info: Some(ProtoClientMetadata {
-                        name: metadata.name,
-                        description: metadata.description,
-                        version: metadata.version,
-                    }),
-                    created_at: client.created_at.0.timestamp() as i32,
-                })
-                .collect(),
-        }),
-        Err(err) => {
-            warn!(error = ?err, "Failed to list SDK clients");
-            ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::SdkClientListResponse(
-        ProtoSdkClientListResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_grant_wallet_access(
-    actor: &ActorRef<UserAgentSession>,
-    req: SdkClientGrantWalletAccess,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let entries: Vec<NewEvmWalletAccess> = req.accesses.into_iter().map(|a| a.convert()).collect();
-    match actor.ask(HandleGrantEvmWalletAccess { entries }).await {
-        Ok(()) => {
-            info!("Successfully granted wallet access");
-            Ok(None)
-        }
-        Err(err) => {
-            warn!(error = ?err, "Failed to grant wallet access");
-            Err(Status::internal("Failed to grant wallet access"))
-        }
-    }
-}
-
-async fn handle_revoke_wallet_access(
-    actor: &ActorRef<UserAgentSession>,
-    req: SdkClientRevokeWalletAccess,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    match actor
-        .ask(HandleRevokeEvmWalletAccess { entries: req.accesses })
-        .await
-    {
-        Ok(()) => {
-            info!("Successfully revoked wallet access");
-            Ok(None)
-        }
-        Err(err) => {
-            warn!(error = ?err, "Failed to revoke wallet access");
-            Err(Status::internal("Failed to revoke wallet access"))
-        }
-    }
-}
-
-async fn handle_list_wallet_access(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    match actor.ask(HandleListWalletAccess {}).await {
-        Ok(accesses) => Ok(Some(UserAgentResponsePayload::ListWalletAccessResponse(
-            ListWalletAccessResponse {
-                accesses: accesses.into_iter().map(|a| a.convert()).collect(),
-            },
-        ))),
-        Err(err) => {
-            warn!(error = ?err, "Failed to list wallet access");
-            Err(Status::internal("Failed to list wallet access"))
-        }
-    }
-}
-
 pub async fn start(
     mut conn: UserAgentConnection,
     mut bi: GrpcBi<UserAgentRequest, UserAgentResponse>,
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/auth.rs b/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
index 578b849..15eeba6 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
@@ -1,9 +1,12 @@
 use arbiter_proto::{
     proto::user_agent::{
-        AuthChallenge as ProtoAuthChallenge, AuthChallengeRequest as ProtoAuthChallengeRequest,
-        AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
-        KeyType as ProtoKeyType, UserAgentRequest, UserAgentResponse,
-        user_agent_request::Payload as UserAgentRequestPayload,
+        UserAgentRequest, UserAgentResponse, auth::{
+            self as proto_auth, AuthChallenge as ProtoAuthChallenge,
+            AuthChallengeRequest as ProtoAuthChallengeRequest,
+            AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
+            KeyType as ProtoKeyType, request::Payload as AuthRequestPayload,
+            response::Payload as AuthResponsePayload,
+        }, user_agent_request::Payload as UserAgentRequestPayload,
         user_agent_response::Payload as UserAgentResponsePayload,
     },
     transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
@@ -36,12 +39,14 @@ impl<'a> AuthTransportAdapter<'a> {
 
     async fn send_user_agent_response(
         &mut self,
-        payload: UserAgentResponsePayload,
+        payload: AuthResponsePayload,
     ) -> Result<(), TransportError> {
         self.bi
             .send(Ok(UserAgentResponse {
                 id: Some(self.request_tracker.current_request_id()),
-                payload: Some(payload),
+                payload: Some(UserAgentResponsePayload::Auth(proto_auth::Response {
+                    payload: Some(payload),
+                })),
             }))
             .await
     }
@@ -56,19 +61,17 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
         use auth::{Error, Outbound};
         let payload = match item {
             Ok(Outbound::AuthChallenge { nonce }) => {
-                UserAgentResponsePayload::AuthChallenge(ProtoAuthChallenge { nonce })
-            }
-            Ok(Outbound::AuthSuccess) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::Success.into())
+                AuthResponsePayload::Challenge(ProtoAuthChallenge { nonce })
             }
+            Ok(Outbound::AuthSuccess) => AuthResponsePayload::Result(ProtoAuthResult::Success.into()),
             Err(Error::UnregisteredPublicKey) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::InvalidKey.into())
+                AuthResponsePayload::Result(ProtoAuthResult::InvalidKey.into())
             }
             Err(Error::InvalidChallengeSolution) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::InvalidSignature.into())
+                AuthResponsePayload::Result(ProtoAuthResult::InvalidSignature.into())
             }
             Err(Error::InvalidBootstrapToken) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::TokenInvalid.into())
+                AuthResponsePayload::Result(ProtoAuthResult::TokenInvalid.into())
             }
             Err(Error::Internal { details }) => {
                 return self.bi.send(Err(Status::internal(details))).await;
@@ -112,8 +115,26 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
             return None;
         };
 
+        let UserAgentRequestPayload::Auth(auth_request) = payload else {
+            let _ = self
+                .bi
+                .send(Err(Status::invalid_argument(
+                    "Unsupported user-agent auth request",
+                )))
+                .await;
+            return None;
+        };
+
+        let Some(payload) = auth_request.payload else {
+            warn!(
+                event = "received auth request with empty payload",
+                "grpc.useragent.auth_adapter"
+            );
+            return None;
+        };
+
         match payload {
-            UserAgentRequestPayload::AuthChallengeRequest(ProtoAuthChallengeRequest {
+            AuthRequestPayload::ChallengeRequest(ProtoAuthChallengeRequest {
                 pubkey,
                 bootstrap_token,
                 key_type,
@@ -150,18 +171,9 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                     bootstrap_token,
                 })
             }
-            UserAgentRequestPayload::AuthChallengeSolution(ProtoAuthChallengeSolution {
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
                 signature,
             }) => Some(auth::Inbound::AuthChallengeSolution { signature }),
-            _ => {
-                let _ = self
-                    .bi
-                    .send(Err(Status::invalid_argument(
-                        "Unsupported user-agent auth request",
-                    )))
-                    .await;
-                None
-            }
         }
     }
 }
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/evm.rs b/server/crates/arbiter-server/src/grpc/user_agent/evm.rs
new file mode 100644
index 0000000..e64a9ec
--- /dev/null
+++ b/server/crates/arbiter-server/src/grpc/user_agent/evm.rs
@@ -0,0 +1,170 @@
+use arbiter_proto::proto::{
+    evm::{
+        EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
+        EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse,
+        GrantEntry, WalletCreateResponse, WalletEntry, WalletList, WalletListResponse,
+        evm_grant_create_response::Result as EvmGrantCreateResult,
+        evm_grant_delete_response::Result as EvmGrantDeleteResult,
+        evm_grant_list_response::Result as EvmGrantListResult,
+        wallet_create_response::Result as WalletCreateResult,
+        wallet_list_response::Result as WalletListResult,
+    },
+    user_agent::{
+        evm::{self as proto_evm, request::Payload as EvmRequestPayload, response::Payload as EvmResponsePayload},
+        user_agent_response::Payload as UserAgentResponsePayload,
+    },
+};
+use kameo::actor::ActorRef;
+use tonic::Status;
+use tracing::warn;
+
+use crate::{
+    actors::user_agent::{
+        UserAgentSession,
+        session::connection::{
+            HandleEvmWalletCreate, HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete,
+            HandleGrantList,
+        },
+    },
+    grpc::{Convert, TryConvert},
+};
+
+fn wrap_evm_response(payload: EvmResponsePayload) -> UserAgentResponsePayload {
+    UserAgentResponsePayload::Evm(proto_evm::Response {
+        payload: Some(payload),
+    })
+}
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_evm::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing EVM request payload"));
+    };
+
+    match payload {
+        EvmRequestPayload::WalletCreate(_) => handle_wallet_create(actor).await,
+        EvmRequestPayload::WalletList(_) => handle_wallet_list(actor).await,
+        EvmRequestPayload::GrantCreate(req) => handle_grant_create(actor, req).await,
+        EvmRequestPayload::GrantDelete(req) => handle_grant_delete(actor, req).await,
+        EvmRequestPayload::GrantList(_) => handle_grant_list(actor).await,
+    }
+}
+
+async fn handle_wallet_create(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleEvmWalletCreate {}).await {
+        Ok((wallet_id, address)) => WalletCreateResult::Wallet(WalletEntry {
+            id: wallet_id,
+            address: address.to_vec(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to create EVM wallet");
+            WalletCreateResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::WalletCreate(
+        WalletCreateResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_wallet_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleEvmWalletList {}).await {
+        Ok(wallets) => WalletListResult::Wallets(WalletList {
+            wallets: wallets
+                .into_iter()
+                .map(|(id, address)| WalletEntry {
+                    address: address.to_vec(),
+                    id,
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list EVM wallets");
+            WalletListResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::WalletList(
+        WalletListResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_grant_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleGrantList {}).await {
+        Ok(grants) => EvmGrantListResult::Grants(EvmGrantList {
+            grants: grants
+                .into_iter()
+                .map(|grant| GrantEntry {
+                    id: grant.id,
+                    wallet_access_id: grant.shared.wallet_access_id,
+                    shared: Some(grant.shared.convert()),
+                    specific: Some(grant.settings.convert()),
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list EVM grants");
+            EvmGrantListResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::GrantList(
+        EvmGrantListResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_grant_create(
+    actor: &ActorRef<UserAgentSession>,
+    req: EvmGrantCreateRequest,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let basic = req
+        .shared
+        .ok_or_else(|| Status::invalid_argument("Missing shared grant settings"))?
+        .try_convert()?;
+    let grant = req
+        .specific
+        .ok_or_else(|| Status::invalid_argument("Missing specific grant settings"))?
+        .try_convert()?;
+
+    let result = match actor.ask(HandleGrantCreate { basic, grant }).await {
+        Ok(grant_id) => EvmGrantCreateResult::GrantId(grant_id),
+        Err(err) => {
+            warn!(error = ?err, "Failed to create EVM grant");
+            EvmGrantCreateResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::GrantCreate(
+        EvmGrantCreateResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_grant_delete(
+    actor: &ActorRef<UserAgentSession>,
+    req: EvmGrantDeleteRequest,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleGrantDelete { grant_id: req.grant_id }).await {
+        Ok(()) => EvmGrantDeleteResult::Ok(()),
+        Err(err) => {
+            warn!(error = ?err, "Failed to delete EVM grant");
+            EvmGrantDeleteResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::GrantDelete(
+        EvmGrantDeleteResponse {
+            result: Some(result),
+        },
+    ))))
+}
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/inbound.rs b/server/crates/arbiter-server/src/grpc/user_agent/inbound.rs
index 769b7d8..6cfb2e5 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/inbound.rs
@@ -5,12 +5,14 @@ use arbiter_proto::proto::evm::{
     TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
     specific_grant::Grant as ProtoSpecificGrantType,
 };
-use arbiter_proto::proto::user_agent::{SdkClientWalletAccess, WalletAccess};
+use arbiter_proto::proto::user_agent::sdk_client::{
+    WalletAccess, WalletAccessEntry as SdkClientWalletAccess,
+};
 use chrono::{DateTime, TimeZone, Utc};
 use prost_types::Timestamp as ProtoTimestamp;
 use tonic::Status;
 
-use crate::db::models::{CoreEvmWalletAccess, NewEvmWallet, NewEvmWalletAccess};
+use crate::db::models::{CoreEvmWalletAccess, NewEvmWalletAccess};
 use crate::grpc::Convert;
 use crate::{
     evm::policies::{
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs b/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
index 7d490b7..53ea729 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
@@ -5,7 +5,9 @@ use arbiter_proto::proto::{
         TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
         specific_grant::Grant as ProtoSpecificGrantType,
     },
-    user_agent::{SdkClientWalletAccess as ProtoSdkClientWalletAccess, WalletAccess},
+    user_agent::sdk_client::{
+        WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess,
+    },
 };
 use chrono::{DateTime, Utc};
 use prost_types::Timestamp as ProtoTimestamp;
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs b/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
new file mode 100644
index 0000000..6e40514
--- /dev/null
+++ b/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
@@ -0,0 +1,190 @@
+use arbiter_proto::proto::{
+    client::ClientInfo as ProtoClientMetadata,
+    user_agent::{
+        sdk_client::{
+            self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
+            ConnectionRequest as ProtoSdkClientConnectionRequest,
+            ConnectionResponse as ProtoSdkClientConnectionResponse, Entry as ProtoSdkClientEntry,
+            Error as ProtoSdkClientError, GrantWalletAccess as ProtoSdkClientGrantWalletAccess,
+            List as ProtoSdkClientList, ListResponse as ProtoSdkClientListResponse,
+            ListWalletAccessResponse, RevokeWalletAccess as ProtoSdkClientRevokeWalletAccess,
+            list_response::Result as ProtoSdkClientListResult,
+            request::Payload as SdkClientRequestPayload,
+            response::Payload as SdkClientResponsePayload,
+        },
+        user_agent_response::Payload as UserAgentResponsePayload,
+    },
+};
+use kameo::actor::ActorRef;
+use tonic::Status;
+use tracing::{info, warn};
+
+use crate::{
+    actors::user_agent::{
+        OutOfBand, UserAgentSession,
+        session::connection::{
+            HandleGrantEvmWalletAccess, HandleListWalletAccess, HandleNewClientApprove,
+            HandleRevokeEvmWalletAccess, HandleSdkClientList,
+        },
+    },
+    db::models::NewEvmWalletAccess,
+    grpc::Convert,
+};
+
+fn wrap_sdk_client_response(payload: SdkClientResponsePayload) -> UserAgentResponsePayload {
+    UserAgentResponsePayload::SdkClient(proto_sdk_client::Response {
+        payload: Some(payload),
+    })
+}
+
+pub(super) fn out_of_band_payload(oob: OutOfBand) -> UserAgentResponsePayload {
+    match oob {
+        OutOfBand::ClientConnectionRequest { profile } => wrap_sdk_client_response(
+            SdkClientResponsePayload::ConnectionRequest(ProtoSdkClientConnectionRequest {
+                pubkey: profile.pubkey.to_bytes().to_vec(),
+                info: Some(ProtoClientMetadata {
+                    name: profile.metadata.name,
+                    description: profile.metadata.description,
+                    version: profile.metadata.version,
+                }),
+            }),
+        ),
+        OutOfBand::ClientConnectionCancel { pubkey } => wrap_sdk_client_response(
+            SdkClientResponsePayload::ConnectionCancel(ProtoSdkClientConnectionCancel {
+                pubkey: pubkey.to_bytes().to_vec(),
+            }),
+        ),
+    }
+}
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_sdk_client::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing SDK client request payload"));
+    };
+
+    match payload {
+        SdkClientRequestPayload::ConnectionResponse(resp) => {
+            handle_connection_response(actor, resp).await
+        }
+        SdkClientRequestPayload::Revoke(_) => {
+            Err(Status::unimplemented("SdkClientRevoke is not yet implemented"))
+        }
+        SdkClientRequestPayload::List(_) => handle_list(actor).await,
+        SdkClientRequestPayload::GrantWalletAccess(req) => handle_grant_wallet_access(actor, req).await,
+        SdkClientRequestPayload::RevokeWalletAccess(req) => {
+            handle_revoke_wallet_access(actor, req).await
+        }
+        SdkClientRequestPayload::ListWalletAccess(_) => handle_list_wallet_access(actor).await,
+    }
+}
+
+async fn handle_connection_response(
+    actor: &ActorRef<UserAgentSession>,
+    resp: ProtoSdkClientConnectionResponse,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let pubkey_bytes = <[u8; 32]>::try_from(resp.pubkey)
+        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key length"))?;
+    let pubkey = ed25519_dalek::VerifyingKey::from_bytes(&pubkey_bytes)
+        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key"))?;
+
+    actor
+        .ask(HandleNewClientApprove {
+            approved: resp.approved,
+            pubkey,
+        })
+        .await
+        .map_err(|err| {
+            warn!(?err, "Failed to process client connection response");
+            Status::internal("Failed to process response")
+        })?;
+
+    Ok(None)
+}
+
+async fn handle_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleSdkClientList {}).await {
+        Ok(clients) => ProtoSdkClientListResult::Clients(ProtoSdkClientList {
+            clients: clients
+                .into_iter()
+                .map(|(client, metadata)| ProtoSdkClientEntry {
+                    id: client.id,
+                    pubkey: client.public_key,
+                    info: Some(ProtoClientMetadata {
+                        name: metadata.name,
+                        description: metadata.description,
+                        version: metadata.version,
+                    }),
+                    created_at: client.created_at.0.timestamp() as i32,
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list SDK clients");
+            ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_sdk_client_response(SdkClientResponsePayload::List(
+        ProtoSdkClientListResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_grant_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoSdkClientGrantWalletAccess,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let entries: Vec<NewEvmWalletAccess> = req.accesses.into_iter().map(|a| a.convert()).collect();
+    match actor.ask(HandleGrantEvmWalletAccess { entries }).await {
+        Ok(()) => {
+            info!("Successfully granted wallet access");
+            Ok(None)
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to grant wallet access");
+            Err(Status::internal("Failed to grant wallet access"))
+        }
+    }
+}
+
+async fn handle_revoke_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoSdkClientRevokeWalletAccess,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    match actor
+        .ask(HandleRevokeEvmWalletAccess {
+            entries: req.accesses,
+        })
+        .await
+    {
+        Ok(()) => {
+            info!("Successfully revoked wallet access");
+            Ok(None)
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to revoke wallet access");
+            Err(Status::internal("Failed to revoke wallet access"))
+        }
+    }
+}
+
+async fn handle_list_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    match actor.ask(HandleListWalletAccess {}).await {
+        Ok(accesses) => Ok(Some(wrap_sdk_client_response(
+            SdkClientResponsePayload::ListWalletAccess(ListWalletAccessResponse {
+                accesses: accesses.into_iter().map(|a| a.convert()).collect(),
+            }),
+        ))),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list wallet access");
+            Err(Status::internal("Failed to list wallet access"))
+        }
+    }
+}
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/vault.rs b/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
new file mode 100644
index 0000000..5aad751
--- /dev/null
+++ b/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
@@ -0,0 +1,180 @@
+use arbiter_proto::proto::user_agent::{
+    user_agent_response::Payload as UserAgentResponsePayload,
+    vault::{
+        self as proto_vault, VaultState as ProtoVaultState,
+        bootstrap::{
+            self as proto_bootstrap, BootstrapEncryptedKey as ProtoBootstrapEncryptedKey,
+            BootstrapResult as ProtoBootstrapResult,
+        },
+        request::Payload as VaultRequestPayload,
+        response::Payload as VaultResponsePayload,
+        unseal::{
+            self as proto_unseal, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
+            UnsealResult as ProtoUnsealResult, UnsealStart,
+            request::Payload as UnsealRequestPayload,
+            response::Payload as UnsealResponsePayload,
+        },
+    },
+};
+use kameo::{actor::ActorRef, error::SendError};
+use tonic::Status;
+use tracing::warn;
+
+use crate::{
+    actors::{
+        keyholder::KeyHolderState,
+        user_agent::{
+            UserAgentSession,
+            session::connection::{
+                BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
+                HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
+            },
+        },
+    },
+};
+
+fn wrap_vault_response(payload: VaultResponsePayload) -> UserAgentResponsePayload {
+    UserAgentResponsePayload::Vault(proto_vault::Response {
+        payload: Some(payload),
+    })
+}
+
+fn wrap_unseal_response(payload: UnsealResponsePayload) -> UserAgentResponsePayload {
+    wrap_vault_response(VaultResponsePayload::Unseal(proto_unseal::Response {
+        payload: Some(payload),
+    }))
+}
+
+fn wrap_bootstrap_response(result: ProtoBootstrapResult) -> UserAgentResponsePayload {
+    wrap_vault_response(VaultResponsePayload::Bootstrap(proto_bootstrap::Response {
+        result: result.into(),
+    }))
+}
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_vault::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing vault request payload"));
+    };
+
+    match payload {
+        VaultRequestPayload::QueryState(_) => handle_query_vault_state(actor).await,
+        VaultRequestPayload::Unseal(req) => dispatch_unseal_request(actor, req).await,
+        VaultRequestPayload::Bootstrap(req) => handle_bootstrap_request(actor, req).await,
+    }
+}
+
+async fn dispatch_unseal_request(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_unseal::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing unseal request payload"));
+    };
+
+    match payload {
+        UnsealRequestPayload::Start(req) => handle_unseal_start(actor, req).await,
+        UnsealRequestPayload::EncryptedKey(req) => handle_unseal_encrypted_key(actor, req).await,
+    }
+}
+
+async fn handle_unseal_start(
+    actor: &ActorRef<UserAgentSession>,
+    req: UnsealStart,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let client_pubkey = <[u8; 32]>::try_from(req.client_pubkey)
+        .map(x25519_dalek::PublicKey::from)
+        .map_err(|_| Status::invalid_argument("Invalid X25519 public key"))?;
+
+    let response = actor
+        .ask(HandleUnsealRequest { client_pubkey })
+        .await
+        .map_err(|err| {
+            warn!(error = ?err, "Failed to handle unseal start request");
+            Status::internal("Failed to start unseal flow")
+        })?;
+
+    Ok(Some(wrap_unseal_response(UnsealResponsePayload::Start(
+        proto_unseal::UnsealStartResponse {
+            server_pubkey: response.server_pubkey.as_bytes().to_vec(),
+        },
+    ))))
+}
+
+async fn handle_unseal_encrypted_key(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoUnsealEncryptedKey,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor
+        .ask(HandleUnsealEncryptedKey {
+            nonce: req.nonce,
+            ciphertext: req.ciphertext,
+            associated_data: req.associated_data,
+        })
+        .await
+    {
+        Ok(()) => ProtoUnsealResult::Success,
+        Err(SendError::HandlerError(UnsealError::InvalidKey)) => ProtoUnsealResult::InvalidKey,
+        Err(err) => {
+            warn!(error = ?err, "Failed to handle unseal request");
+            return Err(Status::internal("Failed to unseal vault"));
+        }
+    };
+    Ok(Some(wrap_unseal_response(UnsealResponsePayload::Result(
+        result.into(),
+    ))))
+}
+
+async fn handle_bootstrap_request(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_bootstrap::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let encrypted_key = req
+        .encrypted_key
+        .ok_or_else(|| Status::invalid_argument("Missing bootstrap encrypted key"))?;
+    handle_bootstrap_encrypted_key(actor, encrypted_key).await
+}
+
+async fn handle_bootstrap_encrypted_key(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoBootstrapEncryptedKey,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor
+        .ask(HandleBootstrapEncryptedKey {
+            nonce: req.nonce,
+            ciphertext: req.ciphertext,
+            associated_data: req.associated_data,
+        })
+        .await
+    {
+        Ok(()) => ProtoBootstrapResult::Success,
+        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => ProtoBootstrapResult::InvalidKey,
+        Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
+            ProtoBootstrapResult::AlreadyBootstrapped
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to handle bootstrap request");
+            return Err(Status::internal("Failed to bootstrap vault"));
+        }
+    };
+    Ok(Some(wrap_bootstrap_response(result)))
+}
+
+async fn handle_query_vault_state(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let state = match actor.ask(HandleQueryVaultState {}).await {
+        Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
+        Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
+        Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
+        Err(err) => {
+            warn!(error = ?err, "Failed to query vault state");
+            ProtoVaultState::Error
+        }
+    };
+    Ok(Some(wrap_vault_response(VaultResponsePayload::State(
+        state.into(),
+    ))))
+}
diff --git a/useragent/macos/Podfile.lock b/useragent/macos/Podfile.lock
index c054fb2..2dad058 100644
--- a/useragent/macos/Podfile.lock
+++ b/useragent/macos/Podfile.lock
@@ -1,5 +1,5 @@
 PODS:
-  - biometric_signature (10.2.0):
+  - biometric_signature (11.0.1):
     - FlutterMacOS
   - cryptography_flutter (0.0.1):
     - FlutterMacOS
@@ -35,7 +35,7 @@ EXTERNAL SOURCES:
     :path: Flutter/ephemeral/.symlinks/plugins/share_plus/macos
 
 SPEC CHECKSUMS:
-  biometric_signature: 7ef6a703fcc2c3b0e3d937a8560507b1ba9d3414
+  biometric_signature: bae0597fffbc51252959e78b56a2f5afb8d4e1f5
   cryptography_flutter: be2b3e0e31603521b6a1c2bea232a88a2488a91c
   flutter_secure_storage_darwin: acdb3f316ed05a3e68f856e0353b133eec373a23
   FlutterMacOS: d0db08ddef1a9af05a5ec4b724367152bb0500b1

From 0388fa2c8b0a98fba654517c11b0ecd0107c40c6 Mon Sep 17 00:00:00 2001
From: CleverWild <cleverwilddev@gmail.com>
Date: Sun, 29 Mar 2026 22:54:12 +0200
Subject: [PATCH 15/29] fix(server): enforce volumetric cap using past +
 current transfer value

---
 .../src/evm/policies/ether_transfer/mod.rs             |  9 +++++----
 .../src/evm/policies/ether_transfer/tests.rs           |  8 ++++----
 .../src/evm/policies/token_transfers/mod.rs            |  9 +++++----
 .../src/evm/policies/token_transfers/tests.rs          | 10 +++++-----
 4 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs b/server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs
index b6c68c6..e823f07 100644
--- a/server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs
+++ b/server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs
@@ -91,6 +91,7 @@ async fn query_relevant_past_transaction(
 
 async fn check_rate_limits(
     grant: &Grant<Settings>,
+    current_transfer_value: U256,
     db: &mut impl AsyncConnection<Backend = Sqlite>,
 ) -> QueryResult<Vec<EvalViolation>> {
     let mut violations = Vec::new();
@@ -99,12 +100,12 @@ async fn check_rate_limits(
     let past_transaction = query_relevant_past_transaction(grant.id, window, db).await?;
 
     let window_start = chrono::Utc::now() - grant.settings.limit.window;
-    let cumulative_volume: U256 = past_transaction
+    let prospective_cumulative_volume: U256 = past_transaction
         .iter()
         .filter(|(_, timestamp)| timestamp >= &window_start)
-        .fold(U256::default(), |acc, (value, _)| acc + *value);
+        .fold(current_transfer_value, |acc, (value, _)| acc + *value);
 
-    if cumulative_volume > grant.settings.limit.max_volume {
+    if prospective_cumulative_volume > grant.settings.limit.max_volume {
         violations.push(EvalViolation::VolumetricLimitExceeded);
     }
 
@@ -141,7 +142,7 @@ impl Policy for EtherTransfer {
             violations.push(EvalViolation::InvalidTarget { target: meaning.to });
         }
 
-        let rate_violations = check_rate_limits(grant, db).await?;
+        let rate_violations = check_rate_limits(grant, meaning.value, db).await?;
         violations.extend(rate_violations);
 
         Ok(violations)
diff --git a/server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs b/server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs
index cba78b0..9ba48be 100644
--- a/server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs
+++ b/server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs
@@ -198,7 +198,7 @@ async fn evaluate_rejects_volume_over_limit() {
             grant_id,
             wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
-            eth_value: utils::u256_to_bytes(U256::from(1_001u64)).to_vec(),
+            eth_value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
             signed_at: SqliteTimestamp(Utc::now()),
         })
         .execute(&mut *conn)
@@ -211,7 +211,7 @@ async fn evaluate_rejects_volume_over_limit() {
         shared: shared(),
         settings,
     };
-    let context = ctx(ALLOWED, U256::from(100u64));
+    let context = ctx(ALLOWED, U256::from(1u64));
     let m = EtherTransfer::analyze(&context).unwrap();
     let v = EtherTransfer::evaluate(&context, &m, &grant, &mut *conn)
         .await
@@ -233,13 +233,13 @@ async fn evaluate_passes_at_exactly_volume_limit() {
         .await
         .unwrap();
 
-    // Exactly at the limit — the check is `>`, so this should not violate
+    // Exactly at the limit including current transfer — check is `>`, so this should not violate
     insert_into(evm_transaction_log::table)
         .values(NewEvmTransactionLog {
             grant_id,
             wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
-            eth_value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
+            eth_value: utils::u256_to_bytes(U256::from(900u64)).to_vec(),
             signed_at: SqliteTimestamp(Utc::now()),
         })
         .execute(&mut *conn)
diff --git a/server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs b/server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs
index bfd8ba2..7dfec70 100644
--- a/server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs
+++ b/server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs
@@ -101,6 +101,7 @@ async fn query_relevant_past_transfers(
 
 async fn check_volume_rate_limits(
     grant: &Grant<Settings>,
+    current_transfer_value: U256,
     db: &mut impl AsyncConnection<Backend = Sqlite>,
 ) -> QueryResult<Vec<EvalViolation>> {
     let mut violations = Vec::new();
@@ -113,12 +114,12 @@ async fn check_volume_rate_limits(
 
     for limit in &grant.settings.volume_limits {
         let window_start = chrono::Utc::now() - limit.window;
-        let cumulative_volume: U256 = past_transfers
+        let prospective_cumulative_volume: U256 = past_transfers
             .iter()
             .filter(|(_, timestamp)| timestamp >= &window_start)
-            .fold(U256::default(), |acc, (value, _)| acc + *value);
+            .fold(current_transfer_value, |acc, (value, _)| acc + *value);
 
-        if cumulative_volume > limit.max_volume {
+        if prospective_cumulative_volume > limit.max_volume {
             violations.push(EvalViolation::VolumetricLimitExceeded);
             break;
         }
@@ -163,7 +164,7 @@ impl Policy for TokenTransfer {
             violations.push(EvalViolation::InvalidTarget { target: meaning.to });
         }
 
-        let rate_violations = check_volume_rate_limits(grant, db).await?;
+        let rate_violations = check_volume_rate_limits(grant, meaning.value, db).await?;
         violations.extend(rate_violations);
 
         Ok(violations)
diff --git a/server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs b/server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs
index d8a5947..2f1b72f 100644
--- a/server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs
+++ b/server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs
@@ -220,7 +220,7 @@ async fn evaluate_rejects_wrong_restricted_recipient() {
 }
 
 #[tokio::test]
-async fn evaluate_passes_volume_within_limit() {
+async fn evaluate_passes_volume_at_exact_limit() {
     let db = db::create_test_pool().await;
     let mut conn = db.get().await.unwrap();
 
@@ -230,7 +230,7 @@ async fn evaluate_passes_volume_within_limit() {
         .await
         .unwrap();
 
-    // Record a past transfer of 500 (within 1000 limit)
+    // Record a past transfer of 900, with current transfer 100 => exactly 1000 limit
     use crate::db::{models::NewEvmTokenTransferLog, schema::evm_token_transfer_log};
     insert_into(evm_token_transfer_log::table)
         .values(NewEvmTokenTransferLog {
@@ -239,7 +239,7 @@ async fn evaluate_passes_volume_within_limit() {
             chain_id: CHAIN_ID as i32,
             token_contract: DAI.to_vec(),
             recipient_address: RECIPIENT.to_vec(),
-            value: utils::u256_to_bytes(U256::from(500u64)).to_vec(),
+            value: utils::u256_to_bytes(U256::from(900u64)).to_vec(),
         })
         .execute(&mut *conn)
         .await
@@ -282,7 +282,7 @@ async fn evaluate_rejects_volume_over_limit() {
             chain_id: CHAIN_ID as i32,
             token_contract: DAI.to_vec(),
             recipient_address: RECIPIENT.to_vec(),
-            value: utils::u256_to_bytes(U256::from(1_001u64)).to_vec(),
+            value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
         })
         .execute(&mut *conn)
         .await
@@ -294,7 +294,7 @@ async fn evaluate_rejects_volume_over_limit() {
         shared: shared(),
         settings,
     };
-    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    let calldata = transfer_calldata(RECIPIENT, U256::from(1u64));
     let context = ctx(DAI, calldata);
     let m = TokenTransfer::analyze(&context).unwrap();
     let v = TokenTransfer::evaluate(&context, &m, &grant, &mut *conn)

From b5507e7d0f76260197dd028f557815bdb8a2f73e Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sun, 29 Mar 2026 00:13:45 +0100
Subject: [PATCH 16/29] feat(grants-create): add configurable grant
 authorization fields

---
 .../dashboard/evm/grants/create/screen.dart   | 106 ++++++++++++++++--
 .../grants/create/shared_grant_fields.dart    |  21 +---
 2 files changed, 102 insertions(+), 25 deletions(-)

diff --git a/useragent/lib/screens/dashboard/evm/grants/create/screen.dart b/useragent/lib/screens/dashboard/evm/grants/create/screen.dart
index 351a2f0..b813c14 100644
--- a/useragent/lib/screens/dashboard/evm/grants/create/screen.dart
+++ b/useragent/lib/screens/dashboard/evm/grants/create/screen.dart
@@ -5,6 +5,10 @@ import 'package:arbiter/screens/dashboard/evm/grants/create/grants/ether_transfe
 import 'package:arbiter/screens/dashboard/evm/grants/create/grants/grant_form_handler.dart';
 import 'package:arbiter/screens/dashboard/evm/grants/create/grants/token_transfer_grant.dart';
 import 'package:arbiter/screens/dashboard/evm/grants/create/provider.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/fields/chain_id_field.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/fields/gas_fee_options_field.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/fields/transaction_rate_limit_field.dart';
+import 'package:arbiter/screens/dashboard/evm/grants/create/fields/validity_window_field.dart';
 import 'package:arbiter/screens/dashboard/evm/grants/create/shared_grant_fields.dart';
 import 'package:arbiter/screens/dashboard/evm/grants/create/utils.dart';
 import 'package:arbiter/theme/palette.dart';
@@ -101,8 +105,64 @@ class CreateEvmGrantScreen extends HookConsumerWidget {
               const _IntroCard(),
               SizedBox(height: 1.8.h),
               const _Section(
-                title: 'Shared grant options',
-                child: SharedGrantFields(),
+                title: 'Authorization',
+                tooltip: 'Select which SDK client receives this grant and '
+                    'which of its wallet accesses it applies to.',
+                child: AuthorizationFields(),
+              ),
+              SizedBox(height: 1.8.h),
+              IntrinsicHeight(
+                child: Row(
+                  crossAxisAlignment: CrossAxisAlignment.stretch,
+                  children: [
+                    const Expanded(
+                      child: _Section(
+                        title: 'Chain',
+                        tooltip: 'Restrict this grant to a specific EVM chain ID. '
+                            'Leave empty to allow any chain.',
+                        optional: true,
+                        child: ChainIdField(),
+                      ),
+                    ),
+                    SizedBox(width: 1.8.w),
+                    const Expanded(
+                      child: _Section(
+                        title: 'Timing',
+                        tooltip: 'Set an optional validity window. '
+                            'Signing requests outside this period will be rejected.',
+                        optional: true,
+                        child: ValidityWindowField(),
+                      ),
+                    ),
+                  ],
+                ),
+              ),
+              SizedBox(height: 1.8.h),
+              IntrinsicHeight(
+                child: Row(
+                  crossAxisAlignment: CrossAxisAlignment.stretch,
+                  children: [
+                    const Expanded(
+                      child: _Section(
+                        title: 'Gas limits',
+                        tooltip: 'Cap the gas fees this grant may authorize. '
+                            'Transactions exceeding these values will be rejected.',
+                        optional: true,
+                        child: GasFeeOptionsField(),
+                      ),
+                    ),
+                    SizedBox(width: 1.8.w),
+                    const Expanded(
+                      child: _Section(
+                        title: 'Transaction limits',
+                        tooltip: 'Limit how many transactions can be signed '
+                            'within a rolling time window.',
+                        optional: true,
+                        child: TransactionRateLimitField(),
+                      ),
+                    ),
+                  ],
+                ),
               ),
               SizedBox(height: 1.8.h),
               _GrantTypeSelector(
@@ -112,6 +172,8 @@ class CreateEvmGrantScreen extends HookConsumerWidget {
               SizedBox(height: 1.8.h),
               _Section(
                 title: 'Grant-specific options',
+                tooltip: 'Rules specific to the selected transfer type. '
+                    'Switch between Ether and token above to change these fields.',
                 child: handler.buildForm(context, ref),
               ),
               SizedBox(height: 2.2.h),
@@ -175,13 +237,21 @@ class _IntroCard extends StatelessWidget {
 }
 
 class _Section extends StatelessWidget {
-  const _Section({required this.title, required this.child});
+  const _Section({
+    required this.title,
+    required this.tooltip,
+    required this.child,
+    this.optional = false,
+  });
 
   final String title;
+  final String tooltip;
   final Widget child;
+  final bool optional;
 
   @override
   Widget build(BuildContext context) {
+    final subtleColor = Theme.of(context).colorScheme.outline;
     return Container(
       padding: EdgeInsets.all(2.h),
       decoration: BoxDecoration(
@@ -192,11 +262,33 @@ class _Section extends StatelessWidget {
       child: Column(
         crossAxisAlignment: CrossAxisAlignment.start,
         children: [
-          Text(
-            title,
-            style: Theme.of(context).textTheme.titleMedium?.copyWith(
-                  fontWeight: FontWeight.w800,
+          Row(
+            children: [
+              Text(
+                title,
+                style: Theme.of(context).textTheme.titleMedium?.copyWith(
+                      fontWeight: FontWeight.w800,
+                    ),
+              ),
+              SizedBox(width: 0.4.w),
+              Tooltip(
+                message: tooltip,
+                child: Icon(
+                  Icons.info_outline_rounded,
+                  size: 16,
+                  color: subtleColor,
                 ),
+              ),
+              if (optional) ...[
+                SizedBox(width: 0.6.w),
+                Text(
+                  '(optional)',
+                  style: Theme.of(context).textTheme.bodySmall?.copyWith(
+                        color: subtleColor,
+                      ),
+                ),
+              ],
+            ],
           ),
           SizedBox(height: 1.4.h),
           child,
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/shared_grant_fields.dart b/useragent/lib/screens/dashboard/evm/grants/create/shared_grant_fields.dart
index e2b88a5..9722d05 100644
--- a/useragent/lib/screens/dashboard/evm/grants/create/shared_grant_fields.dart
+++ b/useragent/lib/screens/dashboard/evm/grants/create/shared_grant_fields.dart
@@ -1,19 +1,11 @@
 // lib/screens/dashboard/evm/grants/create/shared_grant_fields.dart
-import 'package:arbiter/screens/dashboard/evm/grants/create/fields/chain_id_field.dart';
 import 'package:arbiter/screens/dashboard/evm/grants/create/fields/client_picker_field.dart';
-import 'package:arbiter/screens/dashboard/evm/grants/create/fields/gas_fee_options_field.dart';
-import 'package:arbiter/screens/dashboard/evm/grants/create/fields/transaction_rate_limit_field.dart';
-import 'package:arbiter/screens/dashboard/evm/grants/create/fields/validity_window_field.dart';
 import 'package:arbiter/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart';
 import 'package:flutter/material.dart';
 import 'package:sizer/sizer.dart';
 
-/// All shared grant fields in a single vertical layout.
-///
-/// Every [FormBuilderField] descendant auto-registers with the nearest
-/// [FormBuilder] ancestor via [BuildContext] — no controllers passed.
-class SharedGrantFields extends StatelessWidget {
-  const SharedGrantFields({super.key});
+class AuthorizationFields extends StatelessWidget {
+  const AuthorizationFields({super.key});
 
   @override
   Widget build(BuildContext context) {
@@ -23,15 +15,8 @@ class SharedGrantFields extends StatelessWidget {
         const ClientPickerField(),
         SizedBox(height: 1.6.h),
         const WalletAccessPickerField(),
-        SizedBox(height: 1.6.h),
-        const ChainIdField(),
-        SizedBox(height: 1.6.h),
-        const ValidityWindowField(),
-        SizedBox(height: 1.6.h),
-        const GasFeeOptionsField(),
-        SizedBox(height: 1.6.h),
-        const TransactionRateLimitField(),
       ],
     );
   }
 }
+

From 16f0e67d02652ecd4f8daa953aa06ca19a63b2c1 Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Fri, 3 Apr 2026 19:08:19 +0200
Subject: [PATCH 17/29] refactor(proto): scope client and user-agent schemas
 and extract shared types

---
 protobufs/client.proto                 | 57 ++++-----------------
 protobufs/client/auth.proto            | 43 ++++++++++++++++
 protobufs/client/evm.proto             | 19 +++++++
 protobufs/client/vault.proto           | 18 +++++++
 protobufs/evm.proto                    | 71 ++------------------------
 protobufs/shared/client.proto          |  9 ++++
 protobufs/shared/evm.proto             | 68 ++++++++++++++++++++++++
 protobufs/shared/vault.proto           | 11 ++++
 protobufs/user_agent/sdk_client.proto  |  6 +--
 protobufs/user_agent/vault/vault.proto | 11 +---
 10 files changed, 186 insertions(+), 127 deletions(-)
 create mode 100644 protobufs/client/auth.proto
 create mode 100644 protobufs/client/evm.proto
 create mode 100644 protobufs/client/vault.proto
 create mode 100644 protobufs/shared/client.proto
 create mode 100644 protobufs/shared/evm.proto
 create mode 100644 protobufs/shared/vault.proto

diff --git a/protobufs/client.proto b/protobufs/client.proto
index 83d25cf..e1b346c 100644
--- a/protobufs/client.proto
+++ b/protobufs/client.proto
@@ -2,63 +2,24 @@ syntax = "proto3";
 
 package arbiter.client;
 
-import "evm.proto";
-import "google/protobuf/empty.proto";
-
-message ClientInfo {
-  string name = 1;
-  optional string description = 2;
-  optional string version = 3;
-}
-
-message AuthChallengeRequest {
-  bytes pubkey = 1;
-  ClientInfo client_info = 2;
-}
-
-message AuthChallenge {
-  bytes pubkey = 1;
-  int32 nonce = 2;
-}
-
-message AuthChallengeSolution {
-  bytes signature = 1;
-}
-
-enum AuthResult {
-  AUTH_RESULT_UNSPECIFIED = 0;
-  AUTH_RESULT_SUCCESS = 1;
-  AUTH_RESULT_INVALID_KEY = 2;
-  AUTH_RESULT_INVALID_SIGNATURE = 3;
-  AUTH_RESULT_APPROVAL_DENIED = 4;
-  AUTH_RESULT_NO_USER_AGENTS_ONLINE = 5;
-  AUTH_RESULT_INTERNAL = 6;
-}
-
-enum VaultState {
-  VAULT_STATE_UNSPECIFIED = 0;
-  VAULT_STATE_UNBOOTSTRAPPED = 1;
-  VAULT_STATE_SEALED = 2;
-  VAULT_STATE_UNSEALED = 3;
-  VAULT_STATE_ERROR = 4;
-}
+import "client/auth.proto";
+import "client/evm.proto";
+import "client/vault.proto";
 
 message ClientRequest {
   int32 request_id = 4;
   oneof payload {
-    AuthChallengeRequest auth_challenge_request = 1;
-    AuthChallengeSolution auth_challenge_solution = 2;
-    google.protobuf.Empty query_vault_state = 3;
+    auth.Request auth = 1;
+    vault.Request vault = 2;
+    evm.Request evm = 3;
   }
 }
 
 message ClientResponse {
   optional int32 request_id = 7;
   oneof payload {
-    AuthChallenge auth_challenge = 1;
-    AuthResult auth_result = 2;
-    arbiter.evm.EvmSignTransactionResponse evm_sign_transaction = 3;
-    arbiter.evm.EvmAnalyzeTransactionResponse evm_analyze_transaction = 4;
-    VaultState vault_state = 6;
+    auth.Response auth = 1;
+    vault.Response vault = 2;
+    evm.Response evm = 3;
   }
 }
diff --git a/protobufs/client/auth.proto b/protobufs/client/auth.proto
new file mode 100644
index 0000000..f3d7d2d
--- /dev/null
+++ b/protobufs/client/auth.proto
@@ -0,0 +1,43 @@
+syntax = "proto3";
+
+package arbiter.client.auth;
+
+import "shared/client.proto";
+
+message AuthChallengeRequest {
+  bytes pubkey = 1;
+  arbiter.shared.ClientInfo client_info = 2;
+}
+
+message AuthChallenge {
+  bytes pubkey = 1;
+  int32 nonce = 2;
+}
+
+message AuthChallengeSolution {
+  bytes signature = 1;
+}
+
+enum AuthResult {
+  AUTH_RESULT_UNSPECIFIED = 0;
+  AUTH_RESULT_SUCCESS = 1;
+  AUTH_RESULT_INVALID_KEY = 2;
+  AUTH_RESULT_INVALID_SIGNATURE = 3;
+  AUTH_RESULT_APPROVAL_DENIED = 4;
+  AUTH_RESULT_NO_USER_AGENTS_ONLINE = 5;
+  AUTH_RESULT_INTERNAL = 6;
+}
+
+message Request {
+  oneof payload {
+    AuthChallengeRequest challenge_request = 1;
+    AuthChallengeSolution challenge_solution = 2;
+  }
+}
+
+message Response {
+  oneof payload {
+    AuthChallenge challenge = 1;
+    AuthResult result = 2;
+  }
+}
diff --git a/protobufs/client/evm.proto b/protobufs/client/evm.proto
new file mode 100644
index 0000000..ded097a
--- /dev/null
+++ b/protobufs/client/evm.proto
@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package arbiter.client.evm;
+
+import "evm.proto";
+
+message Request {
+  oneof payload {
+    arbiter.evm.EvmSignTransactionRequest sign_transaction = 1;
+    arbiter.evm.EvmAnalyzeTransactionRequest analyze_transaction = 2;
+  }
+}
+
+message Response {
+  oneof payload {
+    arbiter.evm.EvmSignTransactionResponse sign_transaction = 1;
+    arbiter.evm.EvmAnalyzeTransactionResponse analyze_transaction = 2;
+  }
+}
diff --git a/protobufs/client/vault.proto b/protobufs/client/vault.proto
new file mode 100644
index 0000000..d9165b1
--- /dev/null
+++ b/protobufs/client/vault.proto
@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+package arbiter.client.vault;
+
+import "google/protobuf/empty.proto";
+import "shared/vault.proto";
+
+message Request {
+  oneof payload {
+    google.protobuf.Empty query_state = 1;
+  }
+}
+
+message Response {
+  oneof payload {
+    arbiter.shared.VaultState state = 1;
+  }
+}
diff --git a/protobufs/evm.proto b/protobufs/evm.proto
index f20df52..4f7f910 100644
--- a/protobufs/evm.proto
+++ b/protobufs/evm.proto
@@ -4,6 +4,7 @@ package arbiter.evm;
 
 import "google/protobuf/empty.proto";
 import "google/protobuf/timestamp.proto";
+import "shared/evm.proto";
 
 enum EvmError {
   EVM_ERROR_UNSPECIFIED = 0;
@@ -74,70 +75,6 @@ message SpecificGrant {
   }
 }
 
-message EtherTransferMeaning {
-  bytes to = 1; // 20-byte Ethereum address
-  bytes value = 2; // U256 as big-endian bytes
-}
-
-message TokenInfo {
-  string symbol = 1;
-  bytes address = 2; // 20-byte Ethereum address
-  uint64 chain_id = 3;
-}
-
-// Mirror of token_transfers::Meaning
-message TokenTransferMeaning {
-  TokenInfo token = 1;
-  bytes to = 2; // 20-byte Ethereum address
-  bytes value = 3; // U256 as big-endian bytes
-}
-
-// Mirror of policies::SpecificMeaning
-message SpecificMeaning {
-  oneof meaning {
-    EtherTransferMeaning ether_transfer = 1;
-    TokenTransferMeaning token_transfer = 2;
-  }
-}
-
-// --- Eval error types ---
-message GasLimitExceededViolation {
-  optional bytes max_gas_fee_per_gas = 1; // U256 as big-endian bytes
-  optional bytes max_priority_fee_per_gas = 2; // U256 as big-endian bytes
-}
-
-message EvalViolation {
-  oneof kind {
-    bytes invalid_target = 1; // 20-byte Ethereum address
-    GasLimitExceededViolation gas_limit_exceeded = 2;
-    google.protobuf.Empty rate_limit_exceeded = 3;
-    google.protobuf.Empty volumetric_limit_exceeded = 4;
-    google.protobuf.Empty invalid_time = 5;
-    google.protobuf.Empty invalid_transaction_type = 6;
-  }
-}
-
-// Transaction was classified but no grant covers it
-message NoMatchingGrantError {
-  SpecificMeaning meaning = 1;
-}
-
-// Transaction was classified and a grant was found, but constraints were violated
-message PolicyViolationsError {
-  SpecificMeaning meaning = 1;
-  repeated EvalViolation violations = 2;
-}
-
-// top-level error returned when transaction evaluation fails
-message TransactionEvalError {
-  oneof kind {
-    google.protobuf.Empty contract_creation_not_supported = 1;
-    google.protobuf.Empty unsupported_transaction_type = 2;
-    NoMatchingGrantError no_matching_grant = 3;
-    PolicyViolationsError policy_violations = 4;
-  }
-}
-
 // --- UserAgent grant management ---
 message EvmGrantCreateRequest {
   SharedSettings shared = 1;
@@ -197,7 +134,7 @@ message EvmSignTransactionRequest {
 message EvmSignTransactionResponse {
   oneof result {
     bytes signature = 1; // 65-byte signature: r[32] || s[32] || v[1]
-    TransactionEvalError eval_error = 2;
+    arbiter.shared.evm.TransactionEvalError eval_error = 2;
     EvmError error = 3;
   }
 }
@@ -209,8 +146,8 @@ message EvmAnalyzeTransactionRequest {
 
 message EvmAnalyzeTransactionResponse {
   oneof result {
-    SpecificMeaning meaning = 1;
-    TransactionEvalError eval_error = 2;
+    arbiter.shared.evm.SpecificMeaning meaning = 1;
+    arbiter.shared.evm.TransactionEvalError eval_error = 2;
     EvmError error = 3;
   }
 }
diff --git a/protobufs/shared/client.proto b/protobufs/shared/client.proto
new file mode 100644
index 0000000..b36c840
--- /dev/null
+++ b/protobufs/shared/client.proto
@@ -0,0 +1,9 @@
+syntax = "proto3";
+
+package arbiter.shared;
+
+message ClientInfo {
+  string name = 1;
+  optional string description = 2;
+  optional string version = 3;
+}
diff --git a/protobufs/shared/evm.proto b/protobufs/shared/evm.proto
new file mode 100644
index 0000000..afac94d
--- /dev/null
+++ b/protobufs/shared/evm.proto
@@ -0,0 +1,68 @@
+syntax = "proto3";
+
+package arbiter.shared.evm;
+
+import "google/protobuf/empty.proto";
+
+message EtherTransferMeaning {
+  bytes to = 1; // 20-byte Ethereum address
+  bytes value = 2; // U256 as big-endian bytes
+}
+
+message TokenInfo {
+  string symbol = 1;
+  bytes address = 2; // 20-byte Ethereum address
+  uint64 chain_id = 3;
+}
+
+// Mirror of token_transfers::Meaning
+message TokenTransferMeaning {
+  TokenInfo token = 1;
+  bytes to = 2; // 20-byte Ethereum address
+  bytes value = 3; // U256 as big-endian bytes
+}
+
+// Mirror of policies::SpecificMeaning
+message SpecificMeaning {
+  oneof meaning {
+    EtherTransferMeaning ether_transfer = 1;
+    TokenTransferMeaning token_transfer = 2;
+  }
+}
+
+message GasLimitExceededViolation {
+  optional bytes max_gas_fee_per_gas = 1; // U256 as big-endian bytes
+  optional bytes max_priority_fee_per_gas = 2; // U256 as big-endian bytes
+}
+
+message EvalViolation {
+  oneof kind {
+    bytes invalid_target = 1; // 20-byte Ethereum address
+    GasLimitExceededViolation gas_limit_exceeded = 2;
+    google.protobuf.Empty rate_limit_exceeded = 3;
+    google.protobuf.Empty volumetric_limit_exceeded = 4;
+    google.protobuf.Empty invalid_time = 5;
+    google.protobuf.Empty invalid_transaction_type = 6;
+  }
+}
+
+// Transaction was classified but no grant covers it
+message NoMatchingGrantError {
+  SpecificMeaning meaning = 1;
+}
+
+// Transaction was classified and a grant was found, but constraints were violated
+message PolicyViolationsError {
+  SpecificMeaning meaning = 1;
+  repeated EvalViolation violations = 2;
+}
+
+// top-level error returned when transaction evaluation fails
+message TransactionEvalError {
+  oneof kind {
+    google.protobuf.Empty contract_creation_not_supported = 1;
+    google.protobuf.Empty unsupported_transaction_type = 2;
+    NoMatchingGrantError no_matching_grant = 3;
+    PolicyViolationsError policy_violations = 4;
+  }
+}
diff --git a/protobufs/shared/vault.proto b/protobufs/shared/vault.proto
new file mode 100644
index 0000000..795539f
--- /dev/null
+++ b/protobufs/shared/vault.proto
@@ -0,0 +1,11 @@
+syntax = "proto3";
+
+package arbiter.shared;
+
+enum VaultState {
+  VAULT_STATE_UNSPECIFIED = 0;
+  VAULT_STATE_UNBOOTSTRAPPED = 1;
+  VAULT_STATE_SEALED = 2;
+  VAULT_STATE_UNSEALED = 3;
+  VAULT_STATE_ERROR = 4;
+}
diff --git a/protobufs/user_agent/sdk_client.proto b/protobufs/user_agent/sdk_client.proto
index 62f2a70..30cfe5b 100644
--- a/protobufs/user_agent/sdk_client.proto
+++ b/protobufs/user_agent/sdk_client.proto
@@ -2,7 +2,7 @@ syntax = "proto3";
 
 package arbiter.user_agent.sdk_client;
 
-import "client.proto";
+import "shared/client.proto";
 import "google/protobuf/empty.proto";
 
 enum Error {
@@ -20,7 +20,7 @@ message RevokeRequest {
 message Entry {
   int32 id = 1;
   bytes pubkey = 2;
-  arbiter.client.ClientInfo info = 3;
+  arbiter.shared.ClientInfo info = 3;
   int32 created_at = 4;
 }
 
@@ -44,7 +44,7 @@ message ListResponse {
 
 message ConnectionRequest {
   bytes pubkey = 1;
-  arbiter.client.ClientInfo info = 2;
+  arbiter.shared.ClientInfo info = 2;
 }
 
 message ConnectionResponse {
diff --git a/protobufs/user_agent/vault/vault.proto b/protobufs/user_agent/vault/vault.proto
index 640b0d3..832f13c 100644
--- a/protobufs/user_agent/vault/vault.proto
+++ b/protobufs/user_agent/vault/vault.proto
@@ -3,17 +3,10 @@ syntax = "proto3";
 package arbiter.user_agent.vault;
 
 import "google/protobuf/empty.proto";
+import "shared/vault.proto";
 import "user_agent/vault/bootstrap.proto";
 import "user_agent/vault/unseal.proto";
 
-enum VaultState {
-  VAULT_STATE_UNSPECIFIED = 0;
-  VAULT_STATE_UNBOOTSTRAPPED = 1;
-  VAULT_STATE_SEALED = 2;
-  VAULT_STATE_UNSEALED = 3;
-  VAULT_STATE_ERROR = 4;
-}
-
 message Request {
   oneof payload {
     google.protobuf.Empty query_state = 1;
@@ -24,7 +17,7 @@ message Request {
 
 message Response {
   oneof payload {
-    VaultState state = 1;
+    arbiter.shared.VaultState state = 1;
     unseal.Response unseal = 2;
     bootstrap.Response bootstrap = 3;
   }

From 8feda7990c90c501cefa7044c0a040189ba4c2f6 Mon Sep 17 00:00:00 2001
From: CleverWild <cleverwilddev@gmail.com>
Date: Sun, 29 Mar 2026 23:05:38 +0200
Subject: [PATCH 18/29] fix(auth): reject invalid challenge signatures instead
 of transitioning to AuthOk

---
 .../src/actors/user_agent/auth/state.rs       | 13 ++--
 .../arbiter-server/tests/user_agent/auth.rs   | 66 +++++++++++++++++++
 2 files changed, 74 insertions(+), 5 deletions(-)

diff --git a/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs b/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
index c422589..eea0661 100644
--- a/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
@@ -210,13 +210,16 @@ where
             }
         };
 
-        if valid {
-            self.transport
-                .send(Ok(Outbound::AuthSuccess))
-                .await
-                .map_err(|_| Error::Transport)?;
+        if !valid {
+            error!("Invalid challenge solution signature");
+            return Err(Error::InvalidChallengeSolution);
         }
 
+        self.transport
+            .send(Ok(Outbound::AuthSuccess))
+            .await
+            .map_err(|_| Error::Transport)?;
+
         Ok(key.clone())
     }
 }
diff --git a/server/crates/arbiter-server/tests/user_agent/auth.rs b/server/crates/arbiter-server/tests/user_agent/auth.rs
index 285ddcf..3fd8c92 100644
--- a/server/crates/arbiter-server/tests/user_agent/auth.rs
+++ b/server/crates/arbiter-server/tests/user_agent/auth.rs
@@ -165,3 +165,69 @@ pub async fn test_challenge_auth() {
 
     task.await.unwrap().unwrap();
 }
+
+#[tokio::test]
+#[test_log::test]
+pub async fn test_challenge_auth_rejects_invalid_signature() {
+    let db = db::create_test_pool().await;
+    let actors = GlobalActors::spawn(db.clone()).await.unwrap();
+
+    let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
+    let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
+
+    // Pre-register key with key_type
+    {
+        let mut conn = db.get().await.unwrap();
+        insert_into(schema::useragent_client::table)
+            .values((
+                schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
+                schema::useragent_client::key_type.eq(1i32),
+            ))
+            .execute(&mut conn)
+            .await
+            .unwrap();
+    }
+
+    let (server_transport, mut test_transport) = ChannelTransport::new();
+    let db_for_task = db.clone();
+    let task = tokio::spawn(async move {
+        let mut props = UserAgentConnection::new(db_for_task, actors);
+        auth::authenticate(&mut props, server_transport).await
+    });
+
+    test_transport
+        .send(auth::Inbound::AuthChallengeRequest {
+            pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
+            bootstrap_token: None,
+        })
+        .await
+        .unwrap();
+
+    let response = test_transport
+        .recv()
+        .await
+        .expect("should receive challenge");
+    let challenge = match response {
+        Ok(resp) => match resp {
+            auth::Outbound::AuthChallenge { nonce } => nonce,
+            other => panic!("Expected AuthChallenge, got {other:?}"),
+        },
+        Err(err) => panic!("Expected Ok response, got Err({err:?})"),
+    };
+
+    // Sign a different challenge value so signature format is valid but verification must fail.
+    let wrong_challenge = arbiter_proto::format_challenge(challenge + 1, &pubkey_bytes);
+    let signature = new_key.sign(&wrong_challenge);
+
+    test_transport
+        .send(auth::Inbound::AuthChallengeSolution {
+            signature: signature.to_bytes().to_vec(),
+        })
+        .await
+        .unwrap();
+
+    assert!(matches!(
+        task.await.unwrap(),
+        Err(auth::Error::InvalidChallengeSolution)
+    ));
+}

From e2d8b7841b1e16916bd84b5ac09874610e3f2c0e Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sun, 29 Mar 2026 00:31:28 +0100
Subject: [PATCH 19/29] style(dashboard): format code and add title margin

---
 useragent/lib/screens/dashboard.dart | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/useragent/lib/screens/dashboard.dart b/useragent/lib/screens/dashboard.dart
index ea6813e..4ad5390 100644
--- a/useragent/lib/screens/dashboard.dart
+++ b/useragent/lib/screens/dashboard.dart
@@ -22,15 +22,18 @@ class DashboardRouter extends StatelessWidget {
 
   @override
   Widget build(BuildContext context) {
-    final title = const Text("Arbiter", style: TextStyle(fontWeight: FontWeight.w800));
-
+    final title = Container(
+      margin: const EdgeInsets.all(16),
+      child: const Text(
+        "Arbiter",
+        style: TextStyle(fontWeight: FontWeight.w800),
+      ),
+    );
 
     return AutoTabsRouter(
       routes: routes,
-      transitionBuilder: (context, child, animation) => FadeTransition(
-        opacity: animation,
-        child: child,
-      ),
+      transitionBuilder: (context, child, animation) =>
+          FadeTransition(opacity: animation, child: child),
       builder: (context, child) {
         final tabsRouter = AutoTabsRouter.of(context);
         final currentActive = tabsRouter.activeIndex;
@@ -66,7 +69,7 @@ class DashboardRouter extends StatelessWidget {
           selectedIndex: currentActive,
           transitionDuration: const Duration(milliseconds: 800),
           internalAnimations: true,
-          
+
           trailingNavRail: const _CalloutBell(),
         );
       },
@@ -79,9 +82,7 @@ class _CalloutBell extends ConsumerWidget {
 
   @override
   Widget build(BuildContext context, WidgetRef ref) {
-    final count = ref.watch(
-      calloutManagerProvider.select((map) => map.length),
-    );
+    final count = ref.watch(calloutManagerProvider.select((map) => map.length));
 
     return IconButton(
       onPressed: () => showCalloutList(context, ref),

From 82b5b85f5279ea1fe7406d01952842d2417c2787 Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Fri, 3 Apr 2026 19:15:53 +0200
Subject: [PATCH 20/29] refactor(proto): nest client protocol and extract
 shared schemas

---
 server/crates/arbiter-client/src/auth.rs      | 58 +++++++++------
 server/crates/arbiter-proto/src/lib.rs        | 20 ++++++
 .../crates/arbiter-server/src/grpc/client.rs  | 39 +++++++---
 .../arbiter-server/src/grpc/client/auth.rs    | 72 +++++++++++--------
 .../src/grpc/user_agent/sdk_client.rs         |  2 +-
 .../src/grpc/user_agent/vault.rs              |  3 +-
 6 files changed, 133 insertions(+), 61 deletions(-)

diff --git a/server/crates/arbiter-client/src/auth.rs b/server/crates/arbiter-client/src/auth.rs
index a0e2b5c..b42f82a 100644
--- a/server/crates/arbiter-client/src/auth.rs
+++ b/server/crates/arbiter-client/src/auth.rs
@@ -1,9 +1,17 @@
 use arbiter_proto::{
     ClientMetadata, format_challenge,
-    proto::client::{
-        AuthChallengeRequest, AuthChallengeSolution, AuthResult, ClientInfo as ProtoClientInfo,
-        ClientRequest, client_request::Payload as ClientRequestPayload,
-        client_response::Payload as ClientResponsePayload,
+    proto::{
+        client::{
+            ClientRequest,
+            auth::{
+                self as proto_auth, AuthChallenge, AuthChallengeRequest, AuthChallengeSolution,
+                AuthResult, request::Payload as AuthRequestPayload,
+                response::Payload as AuthResponsePayload,
+            },
+            client_request::Payload as ClientRequestPayload,
+            client_response::Payload as ClientResponsePayload,
+        },
+        shared::ClientInfo as ProtoClientInfo,
     },
 };
 use ed25519_dalek::Signer as _;
@@ -51,16 +59,16 @@ async fn send_auth_challenge_request(
     transport
         .send(ClientRequest {
             request_id: next_request_id(),
-            payload: Some(ClientRequestPayload::AuthChallengeRequest(
-                AuthChallengeRequest {
+            payload: Some(ClientRequestPayload::Auth(proto_auth::Request {
+                payload: Some(AuthRequestPayload::ChallengeRequest(AuthChallengeRequest {
                     pubkey: key.verifying_key().to_bytes().to_vec(),
                     client_info: Some(ProtoClientInfo {
                         name: metadata.name,
                         description: metadata.description,
                         version: metadata.version,
                     }),
-                },
-            )),
+                })),
+            })),
         })
         .await
         .map_err(|_| AuthError::UnexpectedAuthResponse)
@@ -68,7 +76,7 @@ async fn send_auth_challenge_request(
 
 async fn receive_auth_challenge(
     transport: &mut ClientTransport,
-) -> std::result::Result<arbiter_proto::proto::client::AuthChallenge, AuthError> {
+) -> std::result::Result<AuthChallenge, AuthError> {
     let response = transport
         .recv()
         .await
@@ -76,8 +84,11 @@ async fn receive_auth_challenge(
 
     let payload = response.payload.ok_or(AuthError::MissingAuthChallenge)?;
     match payload {
-        ClientResponsePayload::AuthChallenge(challenge) => Ok(challenge),
-        ClientResponsePayload::AuthResult(result) => Err(map_auth_result(result)),
+        ClientResponsePayload::Auth(response) => match response.payload {
+            Some(AuthResponsePayload::Challenge(challenge)) => Ok(challenge),
+            Some(AuthResponsePayload::Result(result)) => Err(map_auth_result(result)),
+            None => Err(AuthError::MissingAuthChallenge),
+        },
         _ => Err(AuthError::UnexpectedAuthResponse),
     }
 }
@@ -85,7 +96,7 @@ async fn receive_auth_challenge(
 async fn send_auth_challenge_solution(
     transport: &mut ClientTransport,
     key: &ed25519_dalek::SigningKey,
-    challenge: arbiter_proto::proto::client::AuthChallenge,
+    challenge: AuthChallenge,
 ) -> std::result::Result<(), AuthError> {
     let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey);
     let signature = key.sign(&challenge_payload).to_bytes().to_vec();
@@ -93,9 +104,11 @@ async fn send_auth_challenge_solution(
     transport
         .send(ClientRequest {
             request_id: next_request_id(),
-            payload: Some(ClientRequestPayload::AuthChallengeSolution(
-                AuthChallengeSolution { signature },
-            )),
+            payload: Some(ClientRequestPayload::Auth(proto_auth::Request {
+                payload: Some(AuthRequestPayload::ChallengeSolution(
+                    AuthChallengeSolution { signature },
+                )),
+            })),
         })
         .await
         .map_err(|_| AuthError::UnexpectedAuthResponse)
@@ -113,12 +126,15 @@ async fn receive_auth_confirmation(
         .payload
         .ok_or(AuthError::UnexpectedAuthResponse)?;
     match payload {
-        ClientResponsePayload::AuthResult(result)
-            if AuthResult::try_from(result).ok() == Some(AuthResult::Success) =>
-        {
-            Ok(())
-        }
-        ClientResponsePayload::AuthResult(result) => Err(map_auth_result(result)),
+        ClientResponsePayload::Auth(response) => match response.payload {
+            Some(AuthResponsePayload::Result(result))
+                if AuthResult::try_from(result).ok() == Some(AuthResult::Success) =>
+            {
+                Ok(())
+            }
+            Some(AuthResponsePayload::Result(result)) => Err(map_auth_result(result)),
+            _ => Err(AuthError::UnexpectedAuthResponse),
+        },
         _ => Err(AuthError::UnexpectedAuthResponse),
     }
 }
diff --git a/server/crates/arbiter-proto/src/lib.rs b/server/crates/arbiter-proto/src/lib.rs
index 323254a..141b231 100644
--- a/server/crates/arbiter-proto/src/lib.rs
+++ b/server/crates/arbiter-proto/src/lib.rs
@@ -6,6 +6,14 @@ use base64::{Engine, prelude::BASE64_STANDARD};
 pub mod proto {
     tonic::include_proto!("arbiter");
 
+    pub mod shared {
+        tonic::include_proto!("arbiter.shared");
+
+        pub mod evm {
+            tonic::include_proto!("arbiter.shared.evm");
+        }
+    }
+
     pub mod user_agent {
         tonic::include_proto!("arbiter.user_agent");
 
@@ -36,6 +44,18 @@ pub mod proto {
 
     pub mod client {
         tonic::include_proto!("arbiter.client");
+
+        pub mod auth {
+            tonic::include_proto!("arbiter.client.auth");
+        }
+
+        pub mod evm {
+            tonic::include_proto!("arbiter.client.evm");
+        }
+
+        pub mod vault {
+            tonic::include_proto!("arbiter.client.vault");
+        }
     }
 
     pub mod evm {
diff --git a/server/crates/arbiter-server/src/grpc/client.rs b/server/crates/arbiter-server/src/grpc/client.rs
index cd032f4..7fff51c 100644
--- a/server/crates/arbiter-server/src/grpc/client.rs
+++ b/server/crates/arbiter-server/src/grpc/client.rs
@@ -1,8 +1,12 @@
 use arbiter_proto::{
-    proto::client::{
-        ClientRequest, ClientResponse, VaultState as ProtoVaultState,
-        client_request::Payload as ClientRequestPayload,
-        client_response::Payload as ClientResponsePayload,
+    proto::{
+        client::{
+            ClientRequest, ClientResponse,
+            client_request::Payload as ClientRequestPayload,
+            client_response::Payload as ClientResponsePayload,
+            vault::{self as proto_vault, request::Payload as VaultRequestPayload, response::Payload as VaultResponsePayload},
+        },
+        shared::VaultState as ProtoVaultState,
     },
     transport::{Receiver, Sender, grpc::GrpcBi},
 };
@@ -79,7 +83,24 @@ async fn dispatch_inner(
     payload: ClientRequestPayload,
 ) -> Result<ClientResponsePayload, Status> {
     match payload {
-        ClientRequestPayload::QueryVaultState(_) => {
+        ClientRequestPayload::Vault(req) => dispatch_vault_request(actor, req).await,
+        payload => {
+            warn!(?payload, "Unsupported post-auth client request");
+            Err(Status::invalid_argument("Unsupported client request"))
+        }
+    }
+}
+
+async fn dispatch_vault_request(
+    actor: &ActorRef<ClientSession>,
+    req: proto_vault::Request,
+) -> Result<ClientResponsePayload, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing client vault request payload"));
+    };
+
+    match payload {
+        VaultRequestPayload::QueryState(_) => {
             let state = match actor.ask(HandleQueryVaultState {}).await {
                 Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
                 Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
@@ -90,11 +111,9 @@ async fn dispatch_inner(
                     ProtoVaultState::Error
                 }
             };
-            Ok(ClientResponsePayload::VaultState(state.into()))
-        }
-        payload => {
-            warn!(?payload, "Unsupported post-auth client request");
-            Err(Status::invalid_argument("Unsupported client request"))
+            Ok(ClientResponsePayload::Vault(proto_vault::Response {
+                payload: Some(VaultResponsePayload::State(state.into())),
+            }))
         }
     }
 }
diff --git a/server/crates/arbiter-server/src/grpc/client/auth.rs b/server/crates/arbiter-server/src/grpc/client/auth.rs
index c711520..e5e141d 100644
--- a/server/crates/arbiter-server/src/grpc/client/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/client/auth.rs
@@ -1,11 +1,20 @@
 use arbiter_proto::{
-    ClientMetadata, proto::client::{
-        AuthChallenge as ProtoAuthChallenge, AuthChallengeRequest as ProtoAuthChallengeRequest,
-        AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
-        ClientInfo as ProtoClientInfo, ClientRequest, ClientResponse,
-        client_request::Payload as ClientRequestPayload,
-        client_response::Payload as ClientResponsePayload,
-    }, transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi}
+    ClientMetadata,
+    proto::{
+        client::{
+            ClientRequest, ClientResponse,
+            auth::{
+                self as proto_auth, AuthChallenge as ProtoAuthChallenge,
+                AuthChallengeRequest as ProtoAuthChallengeRequest,
+                AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
+                request::Payload as AuthRequestPayload, response::Payload as AuthResponsePayload,
+            },
+            client_request::Payload as ClientRequestPayload,
+            client_response::Payload as ClientResponsePayload,
+        },
+        shared::ClientInfo as ProtoClientInfo,
+    },
+    transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi}
 };
 use async_trait::async_trait;
 use tonic::Status;
@@ -32,22 +41,20 @@ impl<'a> AuthTransportAdapter<'a> {
         }
     }
 
-    fn response_to_proto(response: auth::Outbound) -> ClientResponsePayload {
+    fn response_to_proto(response: auth::Outbound) -> AuthResponsePayload {
         match response {
             auth::Outbound::AuthChallenge { pubkey, nonce } => {
-                ClientResponsePayload::AuthChallenge(ProtoAuthChallenge {
+                AuthResponsePayload::Challenge(ProtoAuthChallenge {
                     pubkey: pubkey.to_bytes().to_vec(),
                     nonce,
                 })
             }
-            auth::Outbound::AuthSuccess => {
-                ClientResponsePayload::AuthResult(ProtoAuthResult::Success.into())
-            }
+            auth::Outbound::AuthSuccess => AuthResponsePayload::Result(ProtoAuthResult::Success.into()),
         }
     }
 
-    fn error_to_proto(error: auth::Error) -> ClientResponsePayload {
-        ClientResponsePayload::AuthResult(
+    fn error_to_proto(error: auth::Error) -> AuthResponsePayload {
+        AuthResponsePayload::Result(
             match error {
                 auth::Error::InvalidChallengeSolution => ProtoAuthResult::InvalidSignature,
                 auth::Error::ApproveError(auth::ApproveError::Denied) => {
@@ -67,18 +74,20 @@ impl<'a> AuthTransportAdapter<'a> {
 
     async fn send_client_response(
         &mut self,
-        payload: ClientResponsePayload,
+        payload: AuthResponsePayload,
     ) -> Result<(), TransportError> {
         self.bi
             .send(Ok(ClientResponse {
                 request_id: Some(self.request_tracker.current_request_id()),
-                payload: Some(payload),
+                payload: Some(ClientResponsePayload::Auth(proto_auth::Response {
+                    payload: Some(payload),
+                })),
             }))
             .await
     }
 
     async fn send_auth_result(&mut self, result: ProtoAuthResult) -> Result<(), TransportError> {
-        self.send_client_response(ClientResponsePayload::AuthResult(result.into()))
+        self.send_client_response(AuthResponsePayload::Result(result.into()))
             .await
     }
 }
@@ -117,9 +126,25 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
             }
         };
         let payload = request.payload?;
+        let ClientRequestPayload::Auth(auth_request) = payload else {
+            let _ = self
+                .bi
+                .send(Err(Status::invalid_argument(
+                    "Unsupported client auth request",
+                )))
+                .await;
+            return None;
+        };
+        let Some(payload) = auth_request.payload else {
+            let _ = self
+                .bi
+                .send(Err(Status::invalid_argument("Missing client auth request payload")))
+                .await;
+            return None;
+        };
 
         match payload {
-            ClientRequestPayload::AuthChallengeRequest(ProtoAuthChallengeRequest {
+            AuthRequestPayload::ChallengeRequest(ProtoAuthChallengeRequest {
                 pubkey,
                 client_info,
             }) => {
@@ -143,7 +168,7 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                     metadata: client_metadata_from_proto(client_info),
                 })
             }
-            ClientRequestPayload::AuthChallengeSolution(ProtoAuthChallengeSolution {
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
                 signature,
             }) => {
                 let Ok(signature) = ed25519_dalek::Signature::try_from(signature.as_slice()) else {
@@ -154,15 +179,6 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                 };
                 Some(auth::Inbound::AuthChallengeSolution { signature })
             }
-            _ => {
-                let _ = self
-                    .bi
-                    .send(Err(Status::invalid_argument(
-                        "Unsupported client auth request",
-                    )))
-                    .await;
-                None
-            }
         }
     }
 }
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs b/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
index 6e40514..f1827af 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
@@ -1,5 +1,4 @@
 use arbiter_proto::proto::{
-    client::ClientInfo as ProtoClientMetadata,
     user_agent::{
         sdk_client::{
             self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
@@ -14,6 +13,7 @@ use arbiter_proto::proto::{
         },
         user_agent_response::Payload as UserAgentResponsePayload,
     },
+    shared::ClientInfo as ProtoClientMetadata,
 };
 use kameo::actor::ActorRef;
 use tonic::Status;
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/vault.rs b/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
index 5aad751..669d35c 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
@@ -1,7 +1,7 @@
 use arbiter_proto::proto::user_agent::{
     user_agent_response::Payload as UserAgentResponsePayload,
     vault::{
-        self as proto_vault, VaultState as ProtoVaultState,
+        self as proto_vault,
         bootstrap::{
             self as proto_bootstrap, BootstrapEncryptedKey as ProtoBootstrapEncryptedKey,
             BootstrapResult as ProtoBootstrapResult,
@@ -16,6 +16,7 @@ use arbiter_proto::proto::user_agent::{
         },
     },
 };
+use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
 use kameo::{actor::ActorRef, error::SendError};
 use tonic::Status;
 use tracing::warn;

From 63a4875fdb54b2ee8e4aceffcfbd323118dd70de Mon Sep 17 00:00:00 2001
From: CleverWild <cleverwilddev@gmail.com>
Date: Sun, 29 Mar 2026 23:16:37 +0200
Subject: [PATCH 21/29] fix(keyholder): remove dead overwritten select in
 try_unseal query

---
 server/crates/arbiter-server/src/actors/keyholder/mod.rs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/server/crates/arbiter-server/src/actors/keyholder/mod.rs b/server/crates/arbiter-server/src/actors/keyholder/mod.rs
index 3a245af..fbf3d50 100644
--- a/server/crates/arbiter-server/src/actors/keyholder/mod.rs
+++ b/server/crates/arbiter-server/src/actors/keyholder/mod.rs
@@ -214,7 +214,6 @@ impl KeyHolder {
             let mut conn = self.db.get().await?;
             schema::root_key_history::table
                 .filter(schema::root_key_history::id.eq(*root_key_history_id))
-                .select(schema::root_key_history::data_encryption_nonce)
                 .select(RootKeyHistory::as_select())
                 .first(&mut conn)
                 .await?

From 5bce9fd68ec70e4bc0957bebb4594643efe962ec Mon Sep 17 00:00:00 2001
From: CleverWild <cleverwilddev@gmail.com>
Date: Sun, 29 Mar 2026 19:07:12 +0200
Subject: [PATCH 22/29] chore: bump mise deps

---
 mise.lock | 62 +++++++++++++++++++++++++++++++------------------------
 1 file changed, 35 insertions(+), 27 deletions(-)

diff --git a/mise.lock b/mise.lock
index 3cd025e..9cf1bee 100644
--- a/mise.lock
+++ b/mise.lock
@@ -8,10 +8,18 @@ backend = "aqua:ast-grep/ast-grep"
 checksum = "sha256:5c830eae8456569e2f7212434ed9c238f58dca412d76045418ed6d394a755836"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-unknown-linux-gnu.zip"
 
+[tools.ast-grep."platforms.linux-arm64-musl"]
+checksum = "sha256:5c830eae8456569e2f7212434ed9c238f58dca412d76045418ed6d394a755836"
+url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-unknown-linux-gnu.zip"
+
 [tools.ast-grep."platforms.linux-x64"]
 checksum = "sha256:e825a05603f0bcc4cd9076c4cc8c9abd6d008b7cd07d9aa3cc323ba4b8606651"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-unknown-linux-gnu.zip"
 
+[tools.ast-grep."platforms.linux-x64-musl"]
+checksum = "sha256:e825a05603f0bcc4cd9076c4cc8c9abd6d008b7cd07d9aa3cc323ba4b8606651"
+url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-unknown-linux-gnu.zip"
+
 [tools.ast-grep."platforms.macos-arm64"]
 checksum = "sha256:fc300d5293b1c770a5aece03a8a193b92e71e87cec726c28096990691a582620"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-apple-darwin.zip"
@@ -32,10 +40,6 @@ backend = "cargo:cargo-audit"
 version = "0.13.9"
 backend = "cargo:cargo-edit"
 
-[[tools."cargo:cargo-features"]]
-version = "1.0.0"
-backend = "cargo:cargo-features"
-
 [[tools."cargo:cargo-features-manager"]]
 version = "0.11.1"
 backend = "cargo:cargo-features-manager"
@@ -49,21 +53,13 @@ version = "0.9.126"
 backend = "cargo:cargo-nextest"
 
 [[tools."cargo:cargo-shear"]]
-version = "1.9.1"
+version = "1.11.2"
 backend = "cargo:cargo-shear"
 
 [[tools."cargo:cargo-vet"]]
 version = "0.10.2"
 backend = "cargo:cargo-vet"
 
-[[tools."cargo:diesel-cli"]]
-version = "2.3.6"
-backend = "cargo:diesel-cli"
-
-[tools."cargo:diesel-cli".options]
-default-features = "false"
-features = "sqlite,sqlite-bundled"
-
 [[tools."cargo:diesel_cli"]]
 version = "2.3.6"
 backend = "cargo:diesel_cli"
@@ -72,10 +68,6 @@ backend = "cargo:diesel_cli"
 default-features = "false"
 features = "sqlite,sqlite-bundled"
 
-[[tools."cargo:rinf_cli"]]
-version = "8.9.1"
-backend = "cargo:rinf_cli"
-
 [[tools.flutter]]
 version = "3.38.9-stable"
 backend = "asdf:flutter"
@@ -88,10 +80,18 @@ backend = "aqua:protocolbuffers/protobuf/protoc"
 checksum = "sha256:2594ff4fcae8cb57310d394d0961b236190ad9c5efbfdf1f597ea471d424fe79"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-aarch_64.zip"
 
+[tools.protoc."platforms.linux-arm64-musl"]
+checksum = "sha256:2594ff4fcae8cb57310d394d0961b236190ad9c5efbfdf1f597ea471d424fe79"
+url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-aarch_64.zip"
+
 [tools.protoc."platforms.linux-x64"]
 checksum = "sha256:48785a926e73ffa3f68e2f22b14e7b849620c7a1d36809ac9249a5495e280323"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-x86_64.zip"
 
+[tools.protoc."platforms.linux-x64-musl"]
+checksum = "sha256:48785a926e73ffa3f68e2f22b14e7b849620c7a1d36809ac9249a5495e280323"
+url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-x86_64.zip"
+
 [tools.protoc."platforms.macos-arm64"]
 checksum = "sha256:b9576b5fa1a1ef3fe13a8c91d9d8204b46545759bea5ae155cd6ba2ea4cdaeed"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-osx-aarch_64.zip"
@@ -109,24 +109,32 @@ version = "3.14.3"
 backend = "core:python"
 
 [tools.python."platforms.linux-arm64"]
-checksum = "sha256:be0f4dc2932f762292b27d46ea7d3e8e66ddf3969a5eb0254a229015ed402625"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
+checksum = "sha256:53700338695e402a1a1fe22be4a41fbdacc70e22bb308a48eca8ed67cb7992be"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
+
+[tools.python."platforms.linux-arm64-musl"]
+checksum = "sha256:53700338695e402a1a1fe22be4a41fbdacc70e22bb308a48eca8ed67cb7992be"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
 
 [tools.python."platforms.linux-x64"]
-checksum = "sha256:0a73413f89efd417871876c9accaab28a9d1e3cd6358fbfff171a38ec99302f0"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
+checksum = "sha256:d7a9f970914bb4c88756fe3bdcc186d4feb90e9500e54f1db47dae4dc9687e39"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
+
+[tools.python."platforms.linux-x64-musl"]
+checksum = "sha256:d7a9f970914bb4c88756fe3bdcc186d4feb90e9500e54f1db47dae4dc9687e39"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
 
 [tools.python."platforms.macos-arm64"]
-checksum = "sha256:4703cdf18b26798fde7b49b6b66149674c25f97127be6a10dbcf29309bdcdcdb"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-apple-darwin-install_only_stripped.tar.gz"
+checksum = "sha256:c43aecde4a663aebff99b9b83da0efec506479f1c3f98331442f33d2c43501f9"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-apple-darwin-install_only_stripped.tar.gz"
 
 [tools.python."platforms.macos-x64"]
-checksum = "sha256:76f1cc26e3d262eae8ca546a93e8bded10cf0323613f7e246fea2e10a8115eb7"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-apple-darwin-install_only_stripped.tar.gz"
+checksum = "sha256:9ab41dbc2f100a2a45d1833b9c11165f51051c558b5213eda9a9731d5948a0c0"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-apple-darwin-install_only_stripped.tar.gz"
 
 [tools.python."platforms.windows-x64"]
-checksum = "sha256:950c5f21a015c1bdd1337f233456df2470fab71e4d794407d27a84cb8b9909a0"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"
+checksum = "sha256:bbe19034b35b0267176a7442575ae7dc6343480fd4d35598cb7700173d431e09"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"
 
 [[tools.rust]]
 version = "1.93.0"

From e47ccc31084f7ead86e4768a1a2e00b7703d04ec Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Fri, 3 Apr 2026 22:03:02 +0200
Subject: [PATCH 23/29] fix(useragent): upgraded to new protocol changes

---
 mise.toml                                     |    6 +-
 .../lib/features/callouts/callout_event.dart  |    3 +-
 .../features/callouts/callout_manager.dart    |    2 +-
 .../callouts/types/sdk_connect_approve.dart   |   49 +-
 .../callouts/types/sdk_connect_approve.g.dart |    2 +-
 useragent/lib/features/connection/auth.dart   |   71 +-
 useragent/lib/features/connection/evm.dart    |   31 +-
 .../lib/features/connection/evm/grants.dart   |   65 +-
 .../connection/evm/wallet_access.dart         |   58 +-
 useragent/lib/features/connection/vault.dart  |  100 +-
 useragent/lib/proto/client.pb.dart            |  467 +---
 useragent/lib/proto/client.pbenum.dart        |   69 -
 useragent/lib/proto/client.pbjson.dart        |  203 +-
 useragent/lib/proto/client/auth.pb.dart       |  395 ++++
 useragent/lib/proto/client/auth.pbenum.dart   |   52 +
 useragent/lib/proto/client/auth.pbjson.dart   |  154 ++
 useragent/lib/proto/client/evm.pb.dart        |  208 ++
 useragent/lib/proto/client/evm.pbenum.dart    |   11 +
 useragent/lib/proto/client/evm.pbjson.dart    |   86 +
 useragent/lib/proto/client/vault.pb.dart      |  161 ++
 useragent/lib/proto/client/vault.pbenum.dart  |   11 +
 useragent/lib/proto/client/vault.pbjson.dart  |   64 +
 useragent/lib/proto/evm.pb.dart               |  856 +------
 useragent/lib/proto/evm.pbjson.dart           |  323 +--
 useragent/lib/proto/shared/client.pb.dart     |   99 +
 useragent/lib/proto/shared/client.pbenum.dart |   11 +
 useragent/lib/proto/shared/client.pbjson.dart |   52 +
 useragent/lib/proto/shared/evm.pb.dart        |  851 +++++++
 useragent/lib/proto/shared/evm.pbenum.dart    |   11 +
 useragent/lib/proto/shared/evm.pbjson.dart    |  320 +++
 useragent/lib/proto/shared/vault.pb.dart      |   17 +
 useragent/lib/proto/shared/vault.pbenum.dart  |   46 +
 useragent/lib/proto/shared/vault.pbjson.dart  |   34 +
 useragent/lib/proto/user_agent.pb.dart        | 2049 +----------------
 useragent/lib/proto/user_agent.pbenum.dart    |  175 --
 useragent/lib/proto/user_agent.pbjson.dart    |  835 +------
 useragent/lib/proto/user_agent/auth.pb.dart   |  391 ++++
 .../lib/proto/user_agent/auth.pbenum.dart     |   77 +
 .../lib/proto/user_agent/auth.pbjson.dart     |  182 ++
 useragent/lib/proto/user_agent/evm.pb.dart    |  432 ++++
 .../lib/proto/user_agent/evm.pbenum.dart      |   11 +
 .../lib/proto/user_agent/evm.pbjson.dart      |  190 ++
 .../lib/proto/user_agent/sdk_client.pb.dart   | 1197 ++++++++++
 .../proto/user_agent/sdk_client.pbenum.dart   |   46 +
 .../proto/user_agent/sdk_client.pbjson.dart   |  438 ++++
 .../proto/user_agent/vault/bootstrap.pb.dart  |  221 ++
 .../user_agent/vault/bootstrap.pbenum.dart    |   44 +
 .../user_agent/vault/bootstrap.pbjson.dart    |   89 +
 .../lib/proto/user_agent/vault/unseal.pb.dart |  392 ++++
 .../proto/user_agent/vault/unseal.pbenum.dart |   43 +
 .../proto/user_agent/vault/unseal.pbjson.dart |  144 ++
 .../lib/proto/user_agent/vault/vault.pb.dart  |  235 ++
 .../proto/user_agent/vault/vault.pbenum.dart  |   11 +
 .../proto/user_agent/vault/vault.pbjson.dart  |  105 +
 .../lib/providers/sdk_clients/details.dart    |    4 +-
 .../lib/providers/sdk_clients/details.g.dart  |   16 +-
 useragent/lib/providers/sdk_clients/list.dart |   23 +-
 .../lib/providers/sdk_clients/list.g.dart     |   16 +-
 .../sdk_clients/wallet_access_list.dart       |    4 +-
 .../sdk_clients/wallet_access_list.g.dart     |   16 +-
 useragent/lib/providers/vault_state.dart      |   18 +-
 useragent/lib/providers/vault_state.g.dart    |    2 +-
 useragent/lib/router.gr.dart                  |    6 +-
 .../lib/screens/callouts/sdk_connect.dart     |    2 +-
 .../screens/dashboard/clients/details.dart    |    6 +-
 .../clients/details/client_details.dart       |    4 +-
 .../widgets/client_details_content.dart       |    4 +-
 .../details/widgets/client_summary_card.dart  |    4 +-
 .../lib/screens/dashboard/clients/table.dart  |    6 +-
 .../create/fields/client_picker_field.dart    |    4 +-
 .../fields/wallet_access_picker_field.dart    |    6 +-
 .../evm/grants/widgets/grant_card.dart        |    4 +-
 useragent/lib/screens/vault_setup.dart        |    4 +-
 .../details/client_details_screen_test.dart   |    6 +-
 74 files changed, 7446 insertions(+), 4904 deletions(-)
 create mode 100644 useragent/lib/proto/client/auth.pb.dart
 create mode 100644 useragent/lib/proto/client/auth.pbenum.dart
 create mode 100644 useragent/lib/proto/client/auth.pbjson.dart
 create mode 100644 useragent/lib/proto/client/evm.pb.dart
 create mode 100644 useragent/lib/proto/client/evm.pbenum.dart
 create mode 100644 useragent/lib/proto/client/evm.pbjson.dart
 create mode 100644 useragent/lib/proto/client/vault.pb.dart
 create mode 100644 useragent/lib/proto/client/vault.pbenum.dart
 create mode 100644 useragent/lib/proto/client/vault.pbjson.dart
 create mode 100644 useragent/lib/proto/shared/client.pb.dart
 create mode 100644 useragent/lib/proto/shared/client.pbenum.dart
 create mode 100644 useragent/lib/proto/shared/client.pbjson.dart
 create mode 100644 useragent/lib/proto/shared/evm.pb.dart
 create mode 100644 useragent/lib/proto/shared/evm.pbenum.dart
 create mode 100644 useragent/lib/proto/shared/evm.pbjson.dart
 create mode 100644 useragent/lib/proto/shared/vault.pb.dart
 create mode 100644 useragent/lib/proto/shared/vault.pbenum.dart
 create mode 100644 useragent/lib/proto/shared/vault.pbjson.dart
 create mode 100644 useragent/lib/proto/user_agent/auth.pb.dart
 create mode 100644 useragent/lib/proto/user_agent/auth.pbenum.dart
 create mode 100644 useragent/lib/proto/user_agent/auth.pbjson.dart
 create mode 100644 useragent/lib/proto/user_agent/evm.pb.dart
 create mode 100644 useragent/lib/proto/user_agent/evm.pbenum.dart
 create mode 100644 useragent/lib/proto/user_agent/evm.pbjson.dart
 create mode 100644 useragent/lib/proto/user_agent/sdk_client.pb.dart
 create mode 100644 useragent/lib/proto/user_agent/sdk_client.pbenum.dart
 create mode 100644 useragent/lib/proto/user_agent/sdk_client.pbjson.dart
 create mode 100644 useragent/lib/proto/user_agent/vault/bootstrap.pb.dart
 create mode 100644 useragent/lib/proto/user_agent/vault/bootstrap.pbenum.dart
 create mode 100644 useragent/lib/proto/user_agent/vault/bootstrap.pbjson.dart
 create mode 100644 useragent/lib/proto/user_agent/vault/unseal.pb.dart
 create mode 100644 useragent/lib/proto/user_agent/vault/unseal.pbenum.dart
 create mode 100644 useragent/lib/proto/user_agent/vault/unseal.pbjson.dart
 create mode 100644 useragent/lib/proto/user_agent/vault/vault.pb.dart
 create mode 100644 useragent/lib/proto/user_agent/vault/vault.pbenum.dart
 create mode 100644 useragent/lib/proto/user_agent/vault/vault.pbjson.dart

diff --git a/mise.toml b/mise.toml
index 3a04a6f..e428ba6 100644
--- a/mise.toml
+++ b/mise.toml
@@ -14,9 +14,9 @@ ast-grep = "0.42.0"
 "cargo:cargo-edit" = "0.13.9"
 
 [tasks.codegen]
-sources = ['protobufs/*.proto']
-outputs = ['useragent/lib/proto/*']
+sources = ['protobufs/*.proto', 'protobufs/**/*.proto']
+outputs = ['useragent/lib/proto/**']
 run = '''
 dart pub global activate protoc_plugin && \
-protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ protobufs/*.proto
+protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ $(find protobufs -name '*.proto' | sort)
 '''
diff --git a/useragent/lib/features/callouts/callout_event.dart b/useragent/lib/features/callouts/callout_event.dart
index 8dbb0c2..32b90dc 100644
--- a/useragent/lib/features/callouts/callout_event.dart
+++ b/useragent/lib/features/callouts/callout_event.dart
@@ -1,6 +1,5 @@
-import 'package:arbiter/proto/client.pb.dart';
+import 'package:arbiter/proto/shared/client.pb.dart';
 import 'package:freezed_annotation/freezed_annotation.dart';
-import 'package:hooks_riverpod/experimental/mutation.dart';
 
 part 'callout_event.freezed.dart';
 
diff --git a/useragent/lib/features/callouts/callout_manager.dart b/useragent/lib/features/callouts/callout_manager.dart
index a411304..ad85023 100644
--- a/useragent/lib/features/callouts/callout_manager.dart
+++ b/useragent/lib/features/callouts/callout_manager.dart
@@ -2,7 +2,7 @@ import 'package:arbiter/features/callouts/active_callout.dart';
 import 'package:arbiter/features/callouts/callout_event.dart';
 import 'package:arbiter/features/callouts/types/sdk_connect_approve.dart'
     as connect_approve;
-import 'package:arbiter/proto/client.pb.dart';
+import 'package:arbiter/proto/shared/client.pb.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 
 part 'callout_manager.g.dart';
diff --git a/useragent/lib/features/callouts/types/sdk_connect_approve.dart b/useragent/lib/features/callouts/types/sdk_connect_approve.dart
index 17481e7..c8e9db6 100644
--- a/useragent/lib/features/callouts/types/sdk_connect_approve.dart
+++ b/useragent/lib/features/callouts/types/sdk_connect_approve.dart
@@ -1,6 +1,7 @@
 import 'dart:convert';
 
 import 'package:arbiter/features/callouts/callout_event.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
@@ -14,20 +15,27 @@ Stream<CalloutEvent> connectApproveEvents(Ref ref) async* {
 
   await for (final message in connection.outOfBandMessages) {
     switch (message.whichPayload()) {
-      case UserAgentResponse_Payload.sdkClientConnectionRequest:
-        final body = message.sdkClientConnectionRequest;
-        final id = base64Encode(body.pubkey);
-        yield CalloutEvent.added(
-          id: 'connect_approve:$id',
-          data: CalloutData.connectApproval(
-            pubkey: id,
-            clientInfo: body.info,
-          ),
-        );
+      case UserAgentResponse_Payload.sdkClient:
+        final sdkClientMessage = message.sdkClient;
+        switch (sdkClientMessage.whichPayload()) {
+          case ua_sdk.Response_Payload.connectionRequest:
+            final body = sdkClientMessage.connectionRequest;
+            final id = base64Encode(body.pubkey);
+            yield CalloutEvent.added(
+              id: 'connect_approve:$id',
+              data: CalloutData.connectApproval(
+                pubkey: id,
+                clientInfo: body.info,
+              ),
+            );
 
-      case UserAgentResponse_Payload.sdkClientConnectionCancel:
-        final id = base64Encode(message.sdkClientConnectionCancel.pubkey);
-        yield CalloutEvent.cancelled(id: 'connect_approve:$id');
+          case ua_sdk.Response_Payload.connectionCancel:
+            final id = base64Encode(sdkClientMessage.connectionCancel.pubkey);
+            yield CalloutEvent.cancelled(id: 'connect_approve:$id');
+
+          default:
+            break;
+        }
 
       default:
         break;
@@ -41,11 +49,14 @@ Future<void> sendDecision(Ref ref, String pubkey, bool approved) async {
 
   final bytes = base64Decode(pubkey);
 
-  final req = UserAgentRequest(sdkClientConnectionResponse: SdkClientConnectionResponse(
-    approved: approved,
-    pubkey: bytes
-  ));
+  final req = UserAgentRequest(
+    sdkClient: ua_sdk.Request(
+      connectionResponse: ua_sdk.ConnectionResponse(
+        approved: approved,
+        pubkey: bytes,
+      ),
+    ),
+  );
 
   await connection.tell(req);
-
-}
\ No newline at end of file
+}
diff --git a/useragent/lib/features/callouts/types/sdk_connect_approve.g.dart b/useragent/lib/features/callouts/types/sdk_connect_approve.g.dart
index 94444f6..226eb6a 100644
--- a/useragent/lib/features/callouts/types/sdk_connect_approve.g.dart
+++ b/useragent/lib/features/callouts/types/sdk_connect_approve.g.dart
@@ -47,4 +47,4 @@ final class ConnectApproveEventsProvider
 }
 
 String _$connectApproveEventsHash() =>
-    r'6a0998288afc0836a7c1701a983f64c33d318fd6';
+    r'abab87cc875a9a4834f836c2c0eba4aa7671d82e';
diff --git a/useragent/lib/features/connection/auth.dart b/useragent/lib/features/connection/auth.dart
index 5d88178..cd512d7 100644
--- a/useragent/lib/features/connection/auth.dart
+++ b/useragent/lib/features/connection/auth.dart
@@ -5,6 +5,7 @@ import 'package:arbiter/features/connection/connection.dart';
 import 'package:arbiter/features/connection/server_info_storage.dart';
 import 'package:arbiter/features/identity/pk_manager.dart';
 import 'package:arbiter/proto/arbiter.pbgrpc.dart';
+import 'package:arbiter/proto/user_agent/auth.pb.dart' as ua_auth;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:grpc/grpc.dart';
 import 'package:mtcore/markettakers.dart';
@@ -12,22 +13,22 @@ import 'package:mtcore/markettakers.dart';
 class AuthorizationException implements Exception {
   const AuthorizationException(this.result);
 
-  final AuthResult result;
+  final ua_auth.AuthResult result;
 
   String get message => switch (result) {
-    AuthResult.AUTH_RESULT_INVALID_KEY =>
+    ua_auth.AuthResult.AUTH_RESULT_INVALID_KEY =>
       'Authentication failed: this device key is not registered on the server.',
-    AuthResult.AUTH_RESULT_INVALID_SIGNATURE =>
+    ua_auth.AuthResult.AUTH_RESULT_INVALID_SIGNATURE =>
       'Authentication failed: the server rejected the signature for this device key.',
-    AuthResult.AUTH_RESULT_BOOTSTRAP_REQUIRED =>
+    ua_auth.AuthResult.AUTH_RESULT_BOOTSTRAP_REQUIRED =>
       'Authentication failed: the server requires bootstrap before this device can connect.',
-    AuthResult.AUTH_RESULT_TOKEN_INVALID =>
+    ua_auth.AuthResult.AUTH_RESULT_TOKEN_INVALID =>
       'Authentication failed: the bootstrap token is invalid.',
-    AuthResult.AUTH_RESULT_INTERNAL =>
+    ua_auth.AuthResult.AUTH_RESULT_INTERNAL =>
       'Authentication failed: the server hit an internal error.',
-    AuthResult.AUTH_RESULT_UNSPECIFIED =>
+    ua_auth.AuthResult.AUTH_RESULT_UNSPECIFIED =>
       'Authentication failed: the server returned an unspecified auth error.',
-    AuthResult.AUTH_RESULT_SUCCESS => 'Authentication succeeded.',
+    ua_auth.AuthResult.AUTH_RESULT_SUCCESS => 'Authentication succeeded.',
     _ => 'Authentication failed: ${result.name}.',
   };
 
@@ -57,56 +58,76 @@ Future<Connection> connectAndAuthorize(
     );
     final pubkey = await key.getPublicKey();
 
-    final req = AuthChallengeRequest(
+    final req = ua_auth.AuthChallengeRequest(
       pubkey: pubkey,
       bootstrapToken: bootstrapToken,
       keyType: switch (key.alg) {
-        KeyAlgorithm.rsa => KeyType.KEY_TYPE_RSA,
-        KeyAlgorithm.ecdsa => KeyType.KEY_TYPE_ECDSA_SECP256K1,
-        KeyAlgorithm.ed25519 => KeyType.KEY_TYPE_ED25519,
+        KeyAlgorithm.rsa => ua_auth.KeyType.KEY_TYPE_RSA,
+        KeyAlgorithm.ecdsa => ua_auth.KeyType.KEY_TYPE_ECDSA_SECP256K1,
+        KeyAlgorithm.ed25519 => ua_auth.KeyType.KEY_TYPE_ED25519,
       },
     );
     final response = await connection.ask(
-      UserAgentRequest(authChallengeRequest: req),
+      UserAgentRequest(auth: ua_auth.Request(challengeRequest: req)),
     );
     talker.info(
       "Sent auth challenge request with pubkey ${base64Encode(pubkey)}",
     );
     talker.info('Received response from server, checking auth flow...');
 
-    if (response.hasAuthResult()) {
-      if (response.authResult != AuthResult.AUTH_RESULT_SUCCESS) {
-        throw AuthorizationException(response.authResult);
+    if (!response.hasAuth()) {
+      throw ConnectionException(
+        'Expected auth response, got ${response.whichPayload()}',
+      );
+    }
+
+    final authResponse = response.auth;
+
+    if (authResponse.hasResult()) {
+      if (authResponse.result != ua_auth.AuthResult.AUTH_RESULT_SUCCESS) {
+        throw AuthorizationException(authResponse.result);
       }
       talker.info('Authentication successful, connection established');
       return connection;
     }
 
-    if (!response.hasAuthChallenge()) {
+    if (!authResponse.hasChallenge()) {
       throw ConnectionException(
-        'Expected AuthChallengeResponse, got ${response.whichPayload()}',
+        'Expected auth challenge response, got ${authResponse.whichPayload()}',
       );
     }
 
-    final challenge = _formatChallenge(response.authChallenge, pubkey);
+    final challenge = _formatChallenge(authResponse.challenge, pubkey);
     talker.info(
       'Received auth challenge, signing with key ${base64Encode(pubkey)}',
     );
 
     final signature = await key.sign(challenge);
     final solutionResponse = await connection.ask(
-      UserAgentRequest(authChallengeSolution: AuthChallengeSolution(signature: signature)),
+      UserAgentRequest(
+        auth: ua_auth.Request(
+          challengeSolution: ua_auth.AuthChallengeSolution(signature: signature),
+        ),
+      ),
     );
 
     talker.info('Sent auth challenge solution, waiting for server response...');
 
-    if (!solutionResponse.hasAuthResult()) {
+    if (!solutionResponse.hasAuth()) {
       throw ConnectionException(
-        'Expected AuthChallengeSolutionResponse, got ${solutionResponse.whichPayload()}',
+        'Expected auth solution response, got ${solutionResponse.whichPayload()}',
       );
     }
-    if (solutionResponse.authResult != AuthResult.AUTH_RESULT_SUCCESS) {
-      throw AuthorizationException(solutionResponse.authResult);
+
+    final authSolutionResponse = solutionResponse.auth;
+
+    if (!authSolutionResponse.hasResult()) {
+      throw ConnectionException(
+        'Expected auth solution result, got ${authSolutionResponse.whichPayload()}',
+      );
+    }
+    if (authSolutionResponse.result != ua_auth.AuthResult.AUTH_RESULT_SUCCESS) {
+      throw AuthorizationException(authSolutionResponse.result);
     }
 
     talker.info('Authentication successful, connection established');
@@ -147,7 +168,7 @@ Future<Connection> _connect(StoredServerInfo serverInfo) async {
   return Connection(channel: channel, tx: tx, rx: rx);
 }
 
-List<int> _formatChallenge(AuthChallenge challenge, List<int> pubkey) {
+List<int> _formatChallenge(ua_auth.AuthChallenge challenge, List<int> pubkey) {
   final encodedPubkey = base64Encode(pubkey);
   final payload = "${challenge.nonce}:$encodedPubkey";
   return utf8.encode(payload);
diff --git a/useragent/lib/features/connection/evm.dart b/useragent/lib/features/connection/evm.dart
index efd6328..f08fc90 100644
--- a/useragent/lib/features/connection/evm.dart
+++ b/useragent/lib/features/connection/evm.dart
@@ -1,19 +1,27 @@
 import 'package:arbiter/features/connection/connection.dart';
 import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/proto/user_agent/evm.pb.dart' as ua_evm;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart';
 
 Future<List<WalletEntry>> listEvmWallets(Connection connection) async {
   final response = await connection.ask(
-    UserAgentRequest(evmWalletList: Empty()),
+    UserAgentRequest(evm: ua_evm.Request(walletList: Empty())),
   );
-  if (!response.hasEvmWalletList()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM wallet list response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmWalletList;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasWalletList()) {
+    throw Exception(
+      'Expected EVM wallet list response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.walletList;
   switch (result.whichResult()) {
     case WalletListResponse_Result.wallets:
       return result.wallets.wallets.toList(growable: false);
@@ -26,15 +34,22 @@ Future<List<WalletEntry>> listEvmWallets(Connection connection) async {
 
 Future<void> createEvmWallet(Connection connection) async {
   final response = await connection.ask(
-    UserAgentRequest(evmWalletCreate: Empty()),
+    UserAgentRequest(evm: ua_evm.Request(walletCreate: Empty())),
   );
-  if (!response.hasEvmWalletCreate()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM wallet create response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmWalletCreate;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasWalletCreate()) {
+    throw Exception(
+      'Expected EVM wallet create response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.walletCreate;
   switch (result.whichResult()) {
     case WalletCreateResponse_Result.wallet:
       return;
diff --git a/useragent/lib/features/connection/evm/grants.dart b/useragent/lib/features/connection/evm/grants.dart
index 050a1d2..4e51a58 100644
--- a/useragent/lib/features/connection/evm/grants.dart
+++ b/useragent/lib/features/connection/evm/grants.dart
@@ -1,22 +1,28 @@
 import 'package:arbiter/features/connection/connection.dart';
 import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/proto/user_agent/evm.pb.dart' as ua_evm;
 import 'package:arbiter/proto/user_agent.pb.dart';
-import 'package:fixnum/fixnum.dart';
-import 'package:protobuf/well_known_types/google/protobuf/timestamp.pb.dart';
 
 Future<List<GrantEntry>> listEvmGrants(Connection connection) async {
   final request = EvmGrantListRequest();
 
   final response = await connection.ask(
-    UserAgentRequest(evmGrantList: request),
+    UserAgentRequest(evm: ua_evm.Request(grantList: request)),
   );
-  if (!response.hasEvmGrantList()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM grant list response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmGrantList;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasGrantList()) {
+    throw Exception(
+      'Expected EVM grant list response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.grantList;
   switch (result.whichResult()) {
     case EvmGrantListResponse_Result.grants:
       return result.grants.grants.toList(growable: false);
@@ -33,36 +39,56 @@ Future<int> createEvmGrant(
   required SpecificGrant specific,
 }) async {
   final request = UserAgentRequest(
-    evmGrantCreate: EvmGrantCreateRequest(
-      shared: sharedSettings,
-      specific: specific,
+    evm: ua_evm.Request(
+      grantCreate: EvmGrantCreateRequest(
+        shared: sharedSettings,
+        specific: specific,
+      ),
     ),
   );
 
   final resp = await connection.ask(request);
 
-  if (!resp.hasEvmGrantCreate()) {
+  if (!resp.hasEvm()) {
     throw Exception(
-      'Expected EVM grant create response, got ${resp.whichPayload()}',
+      'Expected EVM response, got ${resp.whichPayload()}',
     );
   }
 
-  final result = resp.evmGrantCreate;
+  final evmResponse = resp.evm;
+  if (!evmResponse.hasGrantCreate()) {
+    throw Exception(
+      'Expected EVM grant create response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.grantCreate;
 
   return result.grantId;
 }
 
 Future<void> deleteEvmGrant(Connection connection, int grantId) async {
   final response = await connection.ask(
-    UserAgentRequest(evmGrantDelete: EvmGrantDeleteRequest(grantId: grantId)),
+    UserAgentRequest(
+      evm: ua_evm.Request(
+        grantDelete: EvmGrantDeleteRequest(grantId: grantId),
+      ),
+    ),
   );
-  if (!response.hasEvmGrantDelete()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM grant delete response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmGrantDelete;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasGrantDelete()) {
+    throw Exception(
+      'Expected EVM grant delete response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.grantDelete;
   switch (result.whichResult()) {
     case EvmGrantDeleteResponse_Result.ok:
       return;
@@ -73,13 +99,6 @@ Future<void> deleteEvmGrant(Connection connection, int grantId) async {
   }
 }
 
-Timestamp _toTimestamp(DateTime value) {
-  final utc = value.toUtc();
-  return Timestamp()
-    ..seconds = Int64(utc.millisecondsSinceEpoch ~/ 1000)
-    ..nanos = (utc.microsecondsSinceEpoch % 1000000) * 1000;
-}
-
 String _describeGrantError(EvmError error) {
   return switch (error) {
     EvmError.EVM_ERROR_VAULT_SEALED =>
diff --git a/useragent/lib/features/connection/evm/wallet_access.dart b/useragent/lib/features/connection/evm/wallet_access.dart
index 8f38344..2dcdea0 100644
--- a/useragent/lib/features/connection/evm/wallet_access.dart
+++ b/useragent/lib/features/connection/evm/wallet_access.dart
@@ -1,4 +1,5 @@
 import 'package:arbiter/features/connection/connection.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart';
 
@@ -7,31 +8,47 @@ Future<Set<int>> readClientWalletAccess(
   required int clientId,
 }) async {
   final response = await connection.ask(
-    UserAgentRequest(listWalletAccess: Empty()),
+    UserAgentRequest(
+      sdkClient: ua_sdk.Request(listWalletAccess: Empty()),
+    ),
   );
-  if (!response.hasListWalletAccessResponse()) {
+  if (!response.hasSdkClient()) {
     throw Exception(
-      'Expected list wallet access response, got ${response.whichPayload()}',
+      'Expected SDK client response, got ${response.whichPayload()}',
+    );
+  }
+  final sdkClientResponse = response.sdkClient;
+  if (!sdkClientResponse.hasListWalletAccess()) {
+    throw Exception(
+      'Expected list wallet access response, got ${sdkClientResponse.whichPayload()}',
     );
   }
   return {
-    for (final entry in response.listWalletAccessResponse.accesses)
+    for (final entry in sdkClientResponse.listWalletAccess.accesses)
       if (entry.access.sdkClientId == clientId) entry.access.walletId,
   };
 }
 
-Future<List<SdkClientWalletAccess>> listAllWalletAccesses(
+Future<List<ua_sdk.WalletAccessEntry>> listAllWalletAccesses(
   Connection connection,
 ) async {
   final response = await connection.ask(
-    UserAgentRequest(listWalletAccess: Empty()),
+    UserAgentRequest(
+      sdkClient: ua_sdk.Request(listWalletAccess: Empty()),
+    ),
   );
-  if (!response.hasListWalletAccessResponse()) {
+  if (!response.hasSdkClient()) {
     throw Exception(
-      'Expected list wallet access response, got ${response.whichPayload()}',
+      'Expected SDK client response, got ${response.whichPayload()}',
     );
   }
-  return response.listWalletAccessResponse.accesses.toList(growable: false);
+  final sdkClientResponse = response.sdkClient;
+  if (!sdkClientResponse.hasListWalletAccess()) {
+    throw Exception(
+      'Expected list wallet access response, got ${sdkClientResponse.whichPayload()}',
+    );
+  }
+  return sdkClientResponse.listWalletAccess.accesses.toList(growable: false);
 }
 
 Future<void> writeClientWalletAccess(
@@ -47,11 +64,13 @@ Future<void> writeClientWalletAccess(
   if (toGrant.isNotEmpty) {
     await connection.tell(
       UserAgentRequest(
-        grantWalletAccess: SdkClientGrantWalletAccess(
-          accesses: [
-            for (final walletId in toGrant)
-              WalletAccess(sdkClientId: clientId, walletId: walletId),
-          ],
+        sdkClient: ua_sdk.Request(
+          grantWalletAccess: ua_sdk.GrantWalletAccess(
+            accesses: [
+              for (final walletId in toGrant)
+                ua_sdk.WalletAccess(sdkClientId: clientId, walletId: walletId),
+            ],
+          ),
         ),
       ),
     );
@@ -60,11 +79,12 @@ Future<void> writeClientWalletAccess(
   if (toRevoke.isNotEmpty) {
     await connection.tell(
       UserAgentRequest(
-        revokeWalletAccess: SdkClientRevokeWalletAccess(
-          accesses: [
-            for (final walletId in toRevoke)
-              walletId
-          ],
+        sdkClient: ua_sdk.Request(
+          revokeWalletAccess: ua_sdk.RevokeWalletAccess(
+            accesses: [
+              for (final walletId in toRevoke) walletId,
+            ],
+          ),
         ),
       ),
     );
diff --git a/useragent/lib/features/connection/vault.dart b/useragent/lib/features/connection/vault.dart
index d2f3f83..4f02f9f 100644
--- a/useragent/lib/features/connection/vault.dart
+++ b/useragent/lib/features/connection/vault.dart
@@ -1,10 +1,13 @@
 import 'package:arbiter/features/connection/connection.dart';
+import 'package:arbiter/proto/user_agent/vault/bootstrap.pb.dart' as ua_bootstrap;
+import 'package:arbiter/proto/user_agent/vault/unseal.pb.dart' as ua_unseal;
+import 'package:arbiter/proto/user_agent/vault/vault.pb.dart' as ua_vault;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:cryptography/cryptography.dart';
 
 const _vaultKeyAssociatedData = 'arbiter.vault.password';
 
-Future<BootstrapResult> bootstrapVault(
+Future<ua_bootstrap.BootstrapResult> bootstrapVault(
   Connection connection,
   String password,
 ) async {
@@ -12,39 +15,76 @@ Future<BootstrapResult> bootstrapVault(
 
   final response = await connection.ask(
     UserAgentRequest(
-      bootstrapEncryptedKey: BootstrapEncryptedKey(
-        nonce: encryptedKey.nonce,
-        ciphertext: encryptedKey.ciphertext,
-        associatedData: encryptedKey.associatedData,
+      vault: ua_vault.Request(
+        bootstrap: ua_bootstrap.Request(
+          encryptedKey: ua_bootstrap.BootstrapEncryptedKey(
+            nonce: encryptedKey.nonce,
+            ciphertext: encryptedKey.ciphertext,
+            associatedData: encryptedKey.associatedData,
+          ),
+        ),
       ),
     ),
   );
-  if (!response.hasBootstrapResult()) {
+  if (!response.hasVault()) {
     throw Exception(
-      'Expected bootstrap result, got ${response.whichPayload()}',
+      'Expected vault response, got ${response.whichPayload()}',
     );
   }
 
-  return response.bootstrapResult;
+  final vaultResponse = response.vault;
+  if (!vaultResponse.hasBootstrap()) {
+    throw Exception(
+      'Expected bootstrap result, got ${vaultResponse.whichPayload()}',
+    );
+  }
+
+  final bootstrapResponse = vaultResponse.bootstrap;
+  if (!bootstrapResponse.hasResult()) {
+    throw Exception('Expected bootstrap result payload.');
+  }
+
+  return bootstrapResponse.result;
 }
 
-Future<UnsealResult> unsealVault(Connection connection, String password) async {
+Future<ua_unseal.UnsealResult> unsealVault(
+  Connection connection,
+  String password,
+) async {
   final encryptedKey = await _encryptVaultKeyMaterial(connection, password);
 
   final response = await connection.ask(
     UserAgentRequest(
-      unsealEncryptedKey: UnsealEncryptedKey(
-        nonce: encryptedKey.nonce,
-        ciphertext: encryptedKey.ciphertext,
-        associatedData: encryptedKey.associatedData,
+      vault: ua_vault.Request(
+        unseal: ua_unseal.Request(
+          encryptedKey: ua_unseal.UnsealEncryptedKey(
+            nonce: encryptedKey.nonce,
+            ciphertext: encryptedKey.ciphertext,
+            associatedData: encryptedKey.associatedData,
+          ),
+        ),
       ),
     ),
   );
-  if (!response.hasUnsealResult()) {
-    throw Exception('Expected unseal result, got ${response.whichPayload()}');
+  if (!response.hasVault()) {
+    throw Exception('Expected vault response, got ${response.whichPayload()}');
   }
 
-  return response.unsealResult;
+  final vaultResponse = response.vault;
+  if (!vaultResponse.hasUnseal()) {
+    throw Exception(
+      'Expected unseal result, got ${vaultResponse.whichPayload()}',
+    );
+  }
+
+  final unsealResponse = vaultResponse.unseal;
+  if (!unsealResponse.hasResult()) {
+    throw Exception(
+      'Expected unseal result payload, got ${unsealResponse.whichPayload()}',
+    );
+  }
+
+  return unsealResponse.result;
 }
 
 Future<_EncryptedVaultKey> _encryptVaultKeyMaterial(
@@ -57,16 +97,36 @@ Future<_EncryptedVaultKey> _encryptVaultKeyMaterial(
   final clientPublicKey = await clientKeyPair.extractPublicKey();
 
   final handshakeResponse = await connection.ask(
-    UserAgentRequest(unsealStart: UnsealStart(clientPubkey: clientPublicKey.bytes)),
+    UserAgentRequest(
+      vault: ua_vault.Request(
+        unseal: ua_unseal.Request(
+          start: ua_unseal.UnsealStart(clientPubkey: clientPublicKey.bytes),
+        ),
+      ),
+    ),
   );
-  if (!handshakeResponse.hasUnsealStartResponse()) {
+  if (!handshakeResponse.hasVault()) {
     throw Exception(
-      'Expected unseal handshake response, got ${handshakeResponse.whichPayload()}',
+      'Expected vault response, got ${handshakeResponse.whichPayload()}',
+    );
+  }
+
+  final vaultResponse = handshakeResponse.vault;
+  if (!vaultResponse.hasUnseal()) {
+    throw Exception(
+      'Expected unseal handshake response, got ${vaultResponse.whichPayload()}',
+    );
+  }
+
+  final unsealResponse = vaultResponse.unseal;
+  if (!unsealResponse.hasStart()) {
+    throw Exception(
+      'Expected unseal handshake payload, got ${unsealResponse.whichPayload()}',
     );
   }
 
   final serverPublicKey = SimplePublicKey(
-    handshakeResponse.unsealStartResponse.serverPubkey,
+    unsealResponse.start.serverPubkey,
     type: KeyPairType.x25519,
   );
   final sharedSecret = await keyExchange.sharedSecretKey(
diff --git a/useragent/lib/proto/client.pb.dart b/useragent/lib/proto/client.pb.dart
index 3f5cab1..69cc082 100644
--- a/useragent/lib/proto/client.pb.dart
+++ b/useragent/lib/proto/client.pb.dart
@@ -13,305 +13,26 @@
 import 'dart:core' as $core;
 
 import 'package:protobuf/protobuf.dart' as $pb;
-import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $0;
 
-import 'client.pbenum.dart';
-import 'evm.pb.dart' as $1;
+import 'client/auth.pb.dart' as $0;
+import 'client/evm.pb.dart' as $2;
+import 'client/vault.pb.dart' as $1;
 
 export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
 
-export 'client.pbenum.dart';
-
-class ClientInfo extends $pb.GeneratedMessage {
-  factory ClientInfo({
-    $core.String? name,
-    $core.String? description,
-    $core.String? version,
-  }) {
-    final result = create();
-    if (name != null) result.name = name;
-    if (description != null) result.description = description;
-    if (version != null) result.version = version;
-    return result;
-  }
-
-  ClientInfo._();
-
-  factory ClientInfo.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory ClientInfo.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'ClientInfo',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..aOS(1, _omitFieldNames ? '' : 'name')
-    ..aOS(2, _omitFieldNames ? '' : 'description')
-    ..aOS(3, _omitFieldNames ? '' : 'version')
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  ClientInfo clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  ClientInfo copyWith(void Function(ClientInfo) updates) =>
-      super.copyWith((message) => updates(message as ClientInfo)) as ClientInfo;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static ClientInfo create() => ClientInfo._();
-  @$core.override
-  ClientInfo createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static ClientInfo getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<ClientInfo>(create);
-  static ClientInfo? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.String get name => $_getSZ(0);
-  @$pb.TagNumber(1)
-  set name($core.String value) => $_setString(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasName() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearName() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.String get description => $_getSZ(1);
-  @$pb.TagNumber(2)
-  set description($core.String value) => $_setString(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasDescription() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearDescription() => $_clearField(2);
-
-  @$pb.TagNumber(3)
-  $core.String get version => $_getSZ(2);
-  @$pb.TagNumber(3)
-  set version($core.String value) => $_setString(2, value);
-  @$pb.TagNumber(3)
-  $core.bool hasVersion() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearVersion() => $_clearField(3);
-}
-
-class AuthChallengeRequest extends $pb.GeneratedMessage {
-  factory AuthChallengeRequest({
-    $core.List<$core.int>? pubkey,
-    ClientInfo? clientInfo,
-  }) {
-    final result = create();
-    if (pubkey != null) result.pubkey = pubkey;
-    if (clientInfo != null) result.clientInfo = clientInfo;
-    return result;
-  }
-
-  AuthChallengeRequest._();
-
-  factory AuthChallengeRequest.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallengeRequest.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallengeRequest',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
-    ..aOM<ClientInfo>(2, _omitFieldNames ? '' : 'clientInfo',
-        subBuilder: ClientInfo.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeRequest clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeRequest copyWith(void Function(AuthChallengeRequest) updates) =>
-      super.copyWith((message) => updates(message as AuthChallengeRequest))
-          as AuthChallengeRequest;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeRequest create() => AuthChallengeRequest._();
-  @$core.override
-  AuthChallengeRequest createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeRequest getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallengeRequest>(create);
-  static AuthChallengeRequest? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get pubkey => $_getN(0);
-  @$pb.TagNumber(1)
-  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasPubkey() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearPubkey() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  ClientInfo get clientInfo => $_getN(1);
-  @$pb.TagNumber(2)
-  set clientInfo(ClientInfo value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasClientInfo() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearClientInfo() => $_clearField(2);
-  @$pb.TagNumber(2)
-  ClientInfo ensureClientInfo() => $_ensure(1);
-}
-
-class AuthChallenge extends $pb.GeneratedMessage {
-  factory AuthChallenge({
-    $core.List<$core.int>? pubkey,
-    $core.int? nonce,
-  }) {
-    final result = create();
-    if (pubkey != null) result.pubkey = pubkey;
-    if (nonce != null) result.nonce = nonce;
-    return result;
-  }
-
-  AuthChallenge._();
-
-  factory AuthChallenge.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallenge.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallenge',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
-    ..aI(2, _omitFieldNames ? '' : 'nonce')
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallenge clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallenge copyWith(void Function(AuthChallenge) updates) =>
-      super.copyWith((message) => updates(message as AuthChallenge))
-          as AuthChallenge;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallenge create() => AuthChallenge._();
-  @$core.override
-  AuthChallenge createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallenge getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallenge>(create);
-  static AuthChallenge? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get pubkey => $_getN(0);
-  @$pb.TagNumber(1)
-  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasPubkey() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearPubkey() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.int get nonce => $_getIZ(1);
-  @$pb.TagNumber(2)
-  set nonce($core.int value) => $_setSignedInt32(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasNonce() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearNonce() => $_clearField(2);
-}
-
-class AuthChallengeSolution extends $pb.GeneratedMessage {
-  factory AuthChallengeSolution({
-    $core.List<$core.int>? signature,
-  }) {
-    final result = create();
-    if (signature != null) result.signature = signature;
-    return result;
-  }
-
-  AuthChallengeSolution._();
-
-  factory AuthChallengeSolution.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallengeSolution.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallengeSolution',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeSolution clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeSolution copyWith(
-          void Function(AuthChallengeSolution) updates) =>
-      super.copyWith((message) => updates(message as AuthChallengeSolution))
-          as AuthChallengeSolution;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeSolution create() => AuthChallengeSolution._();
-  @$core.override
-  AuthChallengeSolution createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeSolution getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallengeSolution>(create);
-  static AuthChallengeSolution? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get signature => $_getN(0);
-  @$pb.TagNumber(1)
-  set signature($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasSignature() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearSignature() => $_clearField(1);
-}
-
-enum ClientRequest_Payload {
-  authChallengeRequest,
-  authChallengeSolution,
-  queryVaultState,
-  notSet
-}
+enum ClientRequest_Payload { auth, vault, evm, notSet }
 
 class ClientRequest extends $pb.GeneratedMessage {
   factory ClientRequest({
-    AuthChallengeRequest? authChallengeRequest,
-    AuthChallengeSolution? authChallengeSolution,
-    $0.Empty? queryVaultState,
+    $0.Request? auth,
+    $1.Request? vault,
+    $2.Request? evm,
     $core.int? requestId,
   }) {
     final result = create();
-    if (authChallengeRequest != null)
-      result.authChallengeRequest = authChallengeRequest;
-    if (authChallengeSolution != null)
-      result.authChallengeSolution = authChallengeSolution;
-    if (queryVaultState != null) result.queryVaultState = queryVaultState;
+    if (auth != null) result.auth = auth;
+    if (vault != null) result.vault = vault;
+    if (evm != null) result.evm = evm;
     if (requestId != null) result.requestId = requestId;
     return result;
   }
@@ -327,9 +48,9 @@ class ClientRequest extends $pb.GeneratedMessage {
 
   static const $core.Map<$core.int, ClientRequest_Payload>
       _ClientRequest_PayloadByTag = {
-    1: ClientRequest_Payload.authChallengeRequest,
-    2: ClientRequest_Payload.authChallengeSolution,
-    3: ClientRequest_Payload.queryVaultState,
+    1: ClientRequest_Payload.auth,
+    2: ClientRequest_Payload.vault,
+    3: ClientRequest_Payload.evm,
     0: ClientRequest_Payload.notSet
   };
   static final $pb.BuilderInfo _i = $pb.BuilderInfo(
@@ -337,14 +58,12 @@ class ClientRequest extends $pb.GeneratedMessage {
       package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
       createEmptyInstance: create)
     ..oo(0, [1, 2, 3])
-    ..aOM<AuthChallengeRequest>(
-        1, _omitFieldNames ? '' : 'authChallengeRequest',
-        subBuilder: AuthChallengeRequest.create)
-    ..aOM<AuthChallengeSolution>(
-        2, _omitFieldNames ? '' : 'authChallengeSolution',
-        subBuilder: AuthChallengeSolution.create)
-    ..aOM<$0.Empty>(3, _omitFieldNames ? '' : 'queryVaultState',
-        subBuilder: $0.Empty.create)
+    ..aOM<$0.Request>(1, _omitFieldNames ? '' : 'auth',
+        subBuilder: $0.Request.create)
+    ..aOM<$1.Request>(2, _omitFieldNames ? '' : 'vault',
+        subBuilder: $1.Request.create)
+    ..aOM<$2.Request>(3, _omitFieldNames ? '' : 'evm',
+        subBuilder: $2.Request.create)
     ..aI(4, _omitFieldNames ? '' : 'requestId')
     ..hasRequiredFields = false;
 
@@ -378,38 +97,37 @@ class ClientRequest extends $pb.GeneratedMessage {
   void clearPayload() => $_clearField($_whichOneof(0));
 
   @$pb.TagNumber(1)
-  AuthChallengeRequest get authChallengeRequest => $_getN(0);
+  $0.Request get auth => $_getN(0);
   @$pb.TagNumber(1)
-  set authChallengeRequest(AuthChallengeRequest value) => $_setField(1, value);
+  set auth($0.Request value) => $_setField(1, value);
   @$pb.TagNumber(1)
-  $core.bool hasAuthChallengeRequest() => $_has(0);
+  $core.bool hasAuth() => $_has(0);
   @$pb.TagNumber(1)
-  void clearAuthChallengeRequest() => $_clearField(1);
+  void clearAuth() => $_clearField(1);
   @$pb.TagNumber(1)
-  AuthChallengeRequest ensureAuthChallengeRequest() => $_ensure(0);
+  $0.Request ensureAuth() => $_ensure(0);
 
   @$pb.TagNumber(2)
-  AuthChallengeSolution get authChallengeSolution => $_getN(1);
+  $1.Request get vault => $_getN(1);
   @$pb.TagNumber(2)
-  set authChallengeSolution(AuthChallengeSolution value) =>
-      $_setField(2, value);
+  set vault($1.Request value) => $_setField(2, value);
   @$pb.TagNumber(2)
-  $core.bool hasAuthChallengeSolution() => $_has(1);
+  $core.bool hasVault() => $_has(1);
   @$pb.TagNumber(2)
-  void clearAuthChallengeSolution() => $_clearField(2);
+  void clearVault() => $_clearField(2);
   @$pb.TagNumber(2)
-  AuthChallengeSolution ensureAuthChallengeSolution() => $_ensure(1);
+  $1.Request ensureVault() => $_ensure(1);
 
   @$pb.TagNumber(3)
-  $0.Empty get queryVaultState => $_getN(2);
+  $2.Request get evm => $_getN(2);
   @$pb.TagNumber(3)
-  set queryVaultState($0.Empty value) => $_setField(3, value);
+  set evm($2.Request value) => $_setField(3, value);
   @$pb.TagNumber(3)
-  $core.bool hasQueryVaultState() => $_has(2);
+  $core.bool hasEvm() => $_has(2);
   @$pb.TagNumber(3)
-  void clearQueryVaultState() => $_clearField(3);
+  void clearEvm() => $_clearField(3);
   @$pb.TagNumber(3)
-  $0.Empty ensureQueryVaultState() => $_ensure(2);
+  $2.Request ensureEvm() => $_ensure(2);
 
   @$pb.TagNumber(4)
   $core.int get requestId => $_getIZ(3);
@@ -421,32 +139,19 @@ class ClientRequest extends $pb.GeneratedMessage {
   void clearRequestId() => $_clearField(4);
 }
 
-enum ClientResponse_Payload {
-  authChallenge,
-  authResult,
-  evmSignTransaction,
-  evmAnalyzeTransaction,
-  vaultState,
-  notSet
-}
+enum ClientResponse_Payload { auth, vault, evm, notSet }
 
 class ClientResponse extends $pb.GeneratedMessage {
   factory ClientResponse({
-    AuthChallenge? authChallenge,
-    AuthResult? authResult,
-    $1.EvmSignTransactionResponse? evmSignTransaction,
-    $1.EvmAnalyzeTransactionResponse? evmAnalyzeTransaction,
-    VaultState? vaultState,
+    $0.Response? auth,
+    $1.Response? vault,
+    $2.Response? evm,
     $core.int? requestId,
   }) {
     final result = create();
-    if (authChallenge != null) result.authChallenge = authChallenge;
-    if (authResult != null) result.authResult = authResult;
-    if (evmSignTransaction != null)
-      result.evmSignTransaction = evmSignTransaction;
-    if (evmAnalyzeTransaction != null)
-      result.evmAnalyzeTransaction = evmAnalyzeTransaction;
-    if (vaultState != null) result.vaultState = vaultState;
+    if (auth != null) result.auth = auth;
+    if (vault != null) result.vault = vault;
+    if (evm != null) result.evm = evm;
     if (requestId != null) result.requestId = requestId;
     return result;
   }
@@ -462,30 +167,22 @@ class ClientResponse extends $pb.GeneratedMessage {
 
   static const $core.Map<$core.int, ClientResponse_Payload>
       _ClientResponse_PayloadByTag = {
-    1: ClientResponse_Payload.authChallenge,
-    2: ClientResponse_Payload.authResult,
-    3: ClientResponse_Payload.evmSignTransaction,
-    4: ClientResponse_Payload.evmAnalyzeTransaction,
-    6: ClientResponse_Payload.vaultState,
+    1: ClientResponse_Payload.auth,
+    2: ClientResponse_Payload.vault,
+    3: ClientResponse_Payload.evm,
     0: ClientResponse_Payload.notSet
   };
   static final $pb.BuilderInfo _i = $pb.BuilderInfo(
       _omitMessageNames ? '' : 'ClientResponse',
       package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
       createEmptyInstance: create)
-    ..oo(0, [1, 2, 3, 4, 6])
-    ..aOM<AuthChallenge>(1, _omitFieldNames ? '' : 'authChallenge',
-        subBuilder: AuthChallenge.create)
-    ..aE<AuthResult>(2, _omitFieldNames ? '' : 'authResult',
-        enumValues: AuthResult.values)
-    ..aOM<$1.EvmSignTransactionResponse>(
-        3, _omitFieldNames ? '' : 'evmSignTransaction',
-        subBuilder: $1.EvmSignTransactionResponse.create)
-    ..aOM<$1.EvmAnalyzeTransactionResponse>(
-        4, _omitFieldNames ? '' : 'evmAnalyzeTransaction',
-        subBuilder: $1.EvmAnalyzeTransactionResponse.create)
-    ..aE<VaultState>(6, _omitFieldNames ? '' : 'vaultState',
-        enumValues: VaultState.values)
+    ..oo(0, [1, 2, 3])
+    ..aOM<$0.Response>(1, _omitFieldNames ? '' : 'auth',
+        subBuilder: $0.Response.create)
+    ..aOM<$1.Response>(2, _omitFieldNames ? '' : 'vault',
+        subBuilder: $1.Response.create)
+    ..aOM<$2.Response>(3, _omitFieldNames ? '' : 'evm',
+        subBuilder: $2.Response.create)
     ..aI(7, _omitFieldNames ? '' : 'requestId')
     ..hasRequiredFields = false;
 
@@ -511,76 +208,52 @@ class ClientResponse extends $pb.GeneratedMessage {
   @$pb.TagNumber(1)
   @$pb.TagNumber(2)
   @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  @$pb.TagNumber(6)
   ClientResponse_Payload whichPayload() =>
       _ClientResponse_PayloadByTag[$_whichOneof(0)]!;
   @$pb.TagNumber(1)
   @$pb.TagNumber(2)
   @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  @$pb.TagNumber(6)
   void clearPayload() => $_clearField($_whichOneof(0));
 
   @$pb.TagNumber(1)
-  AuthChallenge get authChallenge => $_getN(0);
+  $0.Response get auth => $_getN(0);
   @$pb.TagNumber(1)
-  set authChallenge(AuthChallenge value) => $_setField(1, value);
+  set auth($0.Response value) => $_setField(1, value);
   @$pb.TagNumber(1)
-  $core.bool hasAuthChallenge() => $_has(0);
+  $core.bool hasAuth() => $_has(0);
   @$pb.TagNumber(1)
-  void clearAuthChallenge() => $_clearField(1);
+  void clearAuth() => $_clearField(1);
   @$pb.TagNumber(1)
-  AuthChallenge ensureAuthChallenge() => $_ensure(0);
+  $0.Response ensureAuth() => $_ensure(0);
 
   @$pb.TagNumber(2)
-  AuthResult get authResult => $_getN(1);
+  $1.Response get vault => $_getN(1);
   @$pb.TagNumber(2)
-  set authResult(AuthResult value) => $_setField(2, value);
+  set vault($1.Response value) => $_setField(2, value);
   @$pb.TagNumber(2)
-  $core.bool hasAuthResult() => $_has(1);
+  $core.bool hasVault() => $_has(1);
   @$pb.TagNumber(2)
-  void clearAuthResult() => $_clearField(2);
+  void clearVault() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $1.Response ensureVault() => $_ensure(1);
 
   @$pb.TagNumber(3)
-  $1.EvmSignTransactionResponse get evmSignTransaction => $_getN(2);
+  $2.Response get evm => $_getN(2);
   @$pb.TagNumber(3)
-  set evmSignTransaction($1.EvmSignTransactionResponse value) =>
-      $_setField(3, value);
+  set evm($2.Response value) => $_setField(3, value);
   @$pb.TagNumber(3)
-  $core.bool hasEvmSignTransaction() => $_has(2);
+  $core.bool hasEvm() => $_has(2);
   @$pb.TagNumber(3)
-  void clearEvmSignTransaction() => $_clearField(3);
+  void clearEvm() => $_clearField(3);
   @$pb.TagNumber(3)
-  $1.EvmSignTransactionResponse ensureEvmSignTransaction() => $_ensure(2);
-
-  @$pb.TagNumber(4)
-  $1.EvmAnalyzeTransactionResponse get evmAnalyzeTransaction => $_getN(3);
-  @$pb.TagNumber(4)
-  set evmAnalyzeTransaction($1.EvmAnalyzeTransactionResponse value) =>
-      $_setField(4, value);
-  @$pb.TagNumber(4)
-  $core.bool hasEvmAnalyzeTransaction() => $_has(3);
-  @$pb.TagNumber(4)
-  void clearEvmAnalyzeTransaction() => $_clearField(4);
-  @$pb.TagNumber(4)
-  $1.EvmAnalyzeTransactionResponse ensureEvmAnalyzeTransaction() => $_ensure(3);
-
-  @$pb.TagNumber(6)
-  VaultState get vaultState => $_getN(4);
-  @$pb.TagNumber(6)
-  set vaultState(VaultState value) => $_setField(6, value);
-  @$pb.TagNumber(6)
-  $core.bool hasVaultState() => $_has(4);
-  @$pb.TagNumber(6)
-  void clearVaultState() => $_clearField(6);
+  $2.Response ensureEvm() => $_ensure(2);
 
   @$pb.TagNumber(7)
-  $core.int get requestId => $_getIZ(5);
+  $core.int get requestId => $_getIZ(3);
   @$pb.TagNumber(7)
-  set requestId($core.int value) => $_setSignedInt32(5, value);
+  set requestId($core.int value) => $_setSignedInt32(3, value);
   @$pb.TagNumber(7)
-  $core.bool hasRequestId() => $_has(5);
+  $core.bool hasRequestId() => $_has(3);
   @$pb.TagNumber(7)
   void clearRequestId() => $_clearField(7);
 }
diff --git a/useragent/lib/proto/client.pbenum.dart b/useragent/lib/proto/client.pbenum.dart
index ab30126..685a348 100644
--- a/useragent/lib/proto/client.pbenum.dart
+++ b/useragent/lib/proto/client.pbenum.dart
@@ -9,72 +9,3 @@
 // ignore_for_file: curly_braces_in_flow_control_structures
 // ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
 // ignore_for_file: non_constant_identifier_names, prefer_relative_imports
-
-import 'dart:core' as $core;
-
-import 'package:protobuf/protobuf.dart' as $pb;
-
-class AuthResult extends $pb.ProtobufEnum {
-  static const AuthResult AUTH_RESULT_UNSPECIFIED =
-      AuthResult._(0, _omitEnumNames ? '' : 'AUTH_RESULT_UNSPECIFIED');
-  static const AuthResult AUTH_RESULT_SUCCESS =
-      AuthResult._(1, _omitEnumNames ? '' : 'AUTH_RESULT_SUCCESS');
-  static const AuthResult AUTH_RESULT_INVALID_KEY =
-      AuthResult._(2, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_KEY');
-  static const AuthResult AUTH_RESULT_INVALID_SIGNATURE =
-      AuthResult._(3, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_SIGNATURE');
-  static const AuthResult AUTH_RESULT_APPROVAL_DENIED =
-      AuthResult._(4, _omitEnumNames ? '' : 'AUTH_RESULT_APPROVAL_DENIED');
-  static const AuthResult AUTH_RESULT_NO_USER_AGENTS_ONLINE = AuthResult._(
-      5, _omitEnumNames ? '' : 'AUTH_RESULT_NO_USER_AGENTS_ONLINE');
-  static const AuthResult AUTH_RESULT_INTERNAL =
-      AuthResult._(6, _omitEnumNames ? '' : 'AUTH_RESULT_INTERNAL');
-
-  static const $core.List<AuthResult> values = <AuthResult>[
-    AUTH_RESULT_UNSPECIFIED,
-    AUTH_RESULT_SUCCESS,
-    AUTH_RESULT_INVALID_KEY,
-    AUTH_RESULT_INVALID_SIGNATURE,
-    AUTH_RESULT_APPROVAL_DENIED,
-    AUTH_RESULT_NO_USER_AGENTS_ONLINE,
-    AUTH_RESULT_INTERNAL,
-  ];
-
-  static final $core.List<AuthResult?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 6);
-  static AuthResult? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const AuthResult._(super.value, super.name);
-}
-
-class VaultState extends $pb.ProtobufEnum {
-  static const VaultState VAULT_STATE_UNSPECIFIED =
-      VaultState._(0, _omitEnumNames ? '' : 'VAULT_STATE_UNSPECIFIED');
-  static const VaultState VAULT_STATE_UNBOOTSTRAPPED =
-      VaultState._(1, _omitEnumNames ? '' : 'VAULT_STATE_UNBOOTSTRAPPED');
-  static const VaultState VAULT_STATE_SEALED =
-      VaultState._(2, _omitEnumNames ? '' : 'VAULT_STATE_SEALED');
-  static const VaultState VAULT_STATE_UNSEALED =
-      VaultState._(3, _omitEnumNames ? '' : 'VAULT_STATE_UNSEALED');
-  static const VaultState VAULT_STATE_ERROR =
-      VaultState._(4, _omitEnumNames ? '' : 'VAULT_STATE_ERROR');
-
-  static const $core.List<VaultState> values = <VaultState>[
-    VAULT_STATE_UNSPECIFIED,
-    VAULT_STATE_UNBOOTSTRAPPED,
-    VAULT_STATE_SEALED,
-    VAULT_STATE_UNSEALED,
-    VAULT_STATE_ERROR,
-  ];
-
-  static final $core.List<VaultState?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 4);
-  static VaultState? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const VaultState._(super.value, super.name);
-}
-
-const $core.bool _omitEnumNames =
-    $core.bool.fromEnvironment('protobuf.omit_enum_names');
diff --git a/useragent/lib/proto/client.pbjson.dart b/useragent/lib/proto/client.pbjson.dart
index bc90b04..4f861cc 100644
--- a/useragent/lib/proto/client.pbjson.dart
+++ b/useragent/lib/proto/client.pbjson.dart
@@ -15,160 +15,37 @@ import 'dart:convert' as $convert;
 import 'dart:core' as $core;
 import 'dart:typed_data' as $typed_data;
 
-@$core.Deprecated('Use authResultDescriptor instead')
-const AuthResult$json = {
-  '1': 'AuthResult',
-  '2': [
-    {'1': 'AUTH_RESULT_UNSPECIFIED', '2': 0},
-    {'1': 'AUTH_RESULT_SUCCESS', '2': 1},
-    {'1': 'AUTH_RESULT_INVALID_KEY', '2': 2},
-    {'1': 'AUTH_RESULT_INVALID_SIGNATURE', '2': 3},
-    {'1': 'AUTH_RESULT_APPROVAL_DENIED', '2': 4},
-    {'1': 'AUTH_RESULT_NO_USER_AGENTS_ONLINE', '2': 5},
-    {'1': 'AUTH_RESULT_INTERNAL', '2': 6},
-  ],
-};
-
-/// Descriptor for `AuthResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List authResultDescriptor = $convert.base64Decode(
-    'CgpBdXRoUmVzdWx0EhsKF0FVVEhfUkVTVUxUX1VOU1BFQ0lGSUVEEAASFwoTQVVUSF9SRVNVTF'
-    'RfU1VDQ0VTUxABEhsKF0FVVEhfUkVTVUxUX0lOVkFMSURfS0VZEAISIQodQVVUSF9SRVNVTFRf'
-    'SU5WQUxJRF9TSUdOQVRVUkUQAxIfChtBVVRIX1JFU1VMVF9BUFBST1ZBTF9ERU5JRUQQBBIlCi'
-    'FBVVRIX1JFU1VMVF9OT19VU0VSX0FHRU5UU19PTkxJTkUQBRIYChRBVVRIX1JFU1VMVF9JTlRF'
-    'Uk5BTBAG');
-
-@$core.Deprecated('Use vaultStateDescriptor instead')
-const VaultState$json = {
-  '1': 'VaultState',
-  '2': [
-    {'1': 'VAULT_STATE_UNSPECIFIED', '2': 0},
-    {'1': 'VAULT_STATE_UNBOOTSTRAPPED', '2': 1},
-    {'1': 'VAULT_STATE_SEALED', '2': 2},
-    {'1': 'VAULT_STATE_UNSEALED', '2': 3},
-    {'1': 'VAULT_STATE_ERROR', '2': 4},
-  ],
-};
-
-/// Descriptor for `VaultState`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List vaultStateDescriptor = $convert.base64Decode(
-    'CgpWYXVsdFN0YXRlEhsKF1ZBVUxUX1NUQVRFX1VOU1BFQ0lGSUVEEAASHgoaVkFVTFRfU1RBVE'
-    'VfVU5CT09UU1RSQVBQRUQQARIWChJWQVVMVF9TVEFURV9TRUFMRUQQAhIYChRWQVVMVF9TVEFU'
-    'RV9VTlNFQUxFRBADEhUKEVZBVUxUX1NUQVRFX0VSUk9SEAQ=');
-
-@$core.Deprecated('Use clientInfoDescriptor instead')
-const ClientInfo$json = {
-  '1': 'ClientInfo',
-  '2': [
-    {'1': 'name', '3': 1, '4': 1, '5': 9, '10': 'name'},
-    {
-      '1': 'description',
-      '3': 2,
-      '4': 1,
-      '5': 9,
-      '9': 0,
-      '10': 'description',
-      '17': true
-    },
-    {
-      '1': 'version',
-      '3': 3,
-      '4': 1,
-      '5': 9,
-      '9': 1,
-      '10': 'version',
-      '17': true
-    },
-  ],
-  '8': [
-    {'1': '_description'},
-    {'1': '_version'},
-  ],
-};
-
-/// Descriptor for `ClientInfo`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List clientInfoDescriptor = $convert.base64Decode(
-    'CgpDbGllbnRJbmZvEhIKBG5hbWUYASABKAlSBG5hbWUSJQoLZGVzY3JpcHRpb24YAiABKAlIAF'
-    'ILZGVzY3JpcHRpb26IAQESHQoHdmVyc2lvbhgDIAEoCUgBUgd2ZXJzaW9uiAEBQg4KDF9kZXNj'
-    'cmlwdGlvbkIKCghfdmVyc2lvbg==');
-
-@$core.Deprecated('Use authChallengeRequestDescriptor instead')
-const AuthChallengeRequest$json = {
-  '1': 'AuthChallengeRequest',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-    {
-      '1': 'client_info',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.client.ClientInfo',
-      '10': 'clientInfo'
-    },
-  ],
-};
-
-/// Descriptor for `AuthChallengeRequest`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeRequestDescriptor = $convert.base64Decode(
-    'ChRBdXRoQ2hhbGxlbmdlUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRI7CgtjbGllbn'
-    'RfaW5mbxgCIAEoCzIaLmFyYml0ZXIuY2xpZW50LkNsaWVudEluZm9SCmNsaWVudEluZm8=');
-
-@$core.Deprecated('Use authChallengeDescriptor instead')
-const AuthChallenge$json = {
-  '1': 'AuthChallenge',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-    {'1': 'nonce', '3': 2, '4': 1, '5': 5, '10': 'nonce'},
-  ],
-};
-
-/// Descriptor for `AuthChallenge`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeDescriptor = $convert.base64Decode(
-    'Cg1BdXRoQ2hhbGxlbmdlEhYKBnB1YmtleRgBIAEoDFIGcHVia2V5EhQKBW5vbmNlGAIgASgFUg'
-    'Vub25jZQ==');
-
-@$core.Deprecated('Use authChallengeSolutionDescriptor instead')
-const AuthChallengeSolution$json = {
-  '1': 'AuthChallengeSolution',
-  '2': [
-    {'1': 'signature', '3': 1, '4': 1, '5': 12, '10': 'signature'},
-  ],
-};
-
-/// Descriptor for `AuthChallengeSolution`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeSolutionDescriptor = $convert.base64Decode(
-    'ChVBdXRoQ2hhbGxlbmdlU29sdXRpb24SHAoJc2lnbmF0dXJlGAEgASgMUglzaWduYXR1cmU=');
-
 @$core.Deprecated('Use clientRequestDescriptor instead')
 const ClientRequest$json = {
   '1': 'ClientRequest',
   '2': [
     {'1': 'request_id', '3': 4, '4': 1, '5': 5, '10': 'requestId'},
     {
-      '1': 'auth_challenge_request',
+      '1': 'auth',
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.client.AuthChallengeRequest',
+      '6': '.arbiter.client.auth.Request',
       '9': 0,
-      '10': 'authChallengeRequest'
+      '10': 'auth'
     },
     {
-      '1': 'auth_challenge_solution',
+      '1': 'vault',
       '3': 2,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.client.AuthChallengeSolution',
+      '6': '.arbiter.client.vault.Request',
       '9': 0,
-      '10': 'authChallengeSolution'
+      '10': 'vault'
     },
     {
-      '1': 'query_vault_state',
+      '1': 'evm',
       '3': 3,
       '4': 1,
       '5': 11,
-      '6': '.google.protobuf.Empty',
+      '6': '.arbiter.client.evm.Request',
       '9': 0,
-      '10': 'queryVaultState'
+      '10': 'evm'
     },
   ],
   '8': [
@@ -178,12 +55,10 @@ const ClientRequest$json = {
 
 /// Descriptor for `ClientRequest`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List clientRequestDescriptor = $convert.base64Decode(
-    'Cg1DbGllbnRSZXF1ZXN0Eh0KCnJlcXVlc3RfaWQYBCABKAVSCXJlcXVlc3RJZBJcChZhdXRoX2'
-    'NoYWxsZW5nZV9yZXF1ZXN0GAEgASgLMiQuYXJiaXRlci5jbGllbnQuQXV0aENoYWxsZW5nZVJl'
-    'cXVlc3RIAFIUYXV0aENoYWxsZW5nZVJlcXVlc3QSXwoXYXV0aF9jaGFsbGVuZ2Vfc29sdXRpb2'
-    '4YAiABKAsyJS5hcmJpdGVyLmNsaWVudC5BdXRoQ2hhbGxlbmdlU29sdXRpb25IAFIVYXV0aENo'
-    'YWxsZW5nZVNvbHV0aW9uEkQKEXF1ZXJ5X3ZhdWx0X3N0YXRlGAMgASgLMhYuZ29vZ2xlLnByb3'
-    'RvYnVmLkVtcHR5SABSD3F1ZXJ5VmF1bHRTdGF0ZUIJCgdwYXlsb2Fk');
+    'Cg1DbGllbnRSZXF1ZXN0Eh0KCnJlcXVlc3RfaWQYBCABKAVSCXJlcXVlc3RJZBIyCgRhdXRoGA'
+    'EgASgLMhwuYXJiaXRlci5jbGllbnQuYXV0aC5SZXF1ZXN0SABSBGF1dGgSNQoFdmF1bHQYAiAB'
+    'KAsyHS5hcmJpdGVyLmNsaWVudC52YXVsdC5SZXF1ZXN0SABSBXZhdWx0Ei8KA2V2bRgDIAEoCz'
+    'IbLmFyYml0ZXIuY2xpZW50LmV2bS5SZXF1ZXN0SABSA2V2bUIJCgdwYXlsb2Fk');
 
 @$core.Deprecated('Use clientResponseDescriptor instead')
 const ClientResponse$json = {
@@ -199,49 +74,31 @@ const ClientResponse$json = {
       '17': true
     },
     {
-      '1': 'auth_challenge',
+      '1': 'auth',
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.client.AuthChallenge',
+      '6': '.arbiter.client.auth.Response',
       '9': 0,
-      '10': 'authChallenge'
+      '10': 'auth'
     },
     {
-      '1': 'auth_result',
+      '1': 'vault',
       '3': 2,
       '4': 1,
-      '5': 14,
-      '6': '.arbiter.client.AuthResult',
+      '5': 11,
+      '6': '.arbiter.client.vault.Response',
       '9': 0,
-      '10': 'authResult'
+      '10': 'vault'
     },
     {
-      '1': 'evm_sign_transaction',
+      '1': 'evm',
       '3': 3,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.evm.EvmSignTransactionResponse',
+      '6': '.arbiter.client.evm.Response',
       '9': 0,
-      '10': 'evmSignTransaction'
-    },
-    {
-      '1': 'evm_analyze_transaction',
-      '3': 4,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmAnalyzeTransactionResponse',
-      '9': 0,
-      '10': 'evmAnalyzeTransaction'
-    },
-    {
-      '1': 'vault_state',
-      '3': 6,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.client.VaultState',
-      '9': 0,
-      '10': 'vaultState'
+      '10': 'evm'
     },
   ],
   '8': [
@@ -252,12 +109,8 @@ const ClientResponse$json = {
 
 /// Descriptor for `ClientResponse`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List clientResponseDescriptor = $convert.base64Decode(
-    'Cg5DbGllbnRSZXNwb25zZRIiCgpyZXF1ZXN0X2lkGAcgASgFSAFSCXJlcXVlc3RJZIgBARJGCg'
-    '5hdXRoX2NoYWxsZW5nZRgBIAEoCzIdLmFyYml0ZXIuY2xpZW50LkF1dGhDaGFsbGVuZ2VIAFIN'
-    'YXV0aENoYWxsZW5nZRI9CgthdXRoX3Jlc3VsdBgCIAEoDjIaLmFyYml0ZXIuY2xpZW50LkF1dG'
-    'hSZXN1bHRIAFIKYXV0aFJlc3VsdBJbChRldm1fc2lnbl90cmFuc2FjdGlvbhgDIAEoCzInLmFy'
-    'Yml0ZXIuZXZtLkV2bVNpZ25UcmFuc2FjdGlvblJlc3BvbnNlSABSEmV2bVNpZ25UcmFuc2FjdG'
-    'lvbhJkChdldm1fYW5hbHl6ZV90cmFuc2FjdGlvbhgEIAEoCzIqLmFyYml0ZXIuZXZtLkV2bUFu'
-    'YWx5emVUcmFuc2FjdGlvblJlc3BvbnNlSABSFWV2bUFuYWx5emVUcmFuc2FjdGlvbhI9Cgt2YX'
-    'VsdF9zdGF0ZRgGIAEoDjIaLmFyYml0ZXIuY2xpZW50LlZhdWx0U3RhdGVIAFIKdmF1bHRTdGF0'
-    'ZUIJCgdwYXlsb2FkQg0KC19yZXF1ZXN0X2lk');
+    'Cg5DbGllbnRSZXNwb25zZRIiCgpyZXF1ZXN0X2lkGAcgASgFSAFSCXJlcXVlc3RJZIgBARIzCg'
+    'RhdXRoGAEgASgLMh0uYXJiaXRlci5jbGllbnQuYXV0aC5SZXNwb25zZUgAUgRhdXRoEjYKBXZh'
+    'dWx0GAIgASgLMh4uYXJiaXRlci5jbGllbnQudmF1bHQuUmVzcG9uc2VIAFIFdmF1bHQSMAoDZX'
+    'ZtGAMgASgLMhwuYXJiaXRlci5jbGllbnQuZXZtLlJlc3BvbnNlSABSA2V2bUIJCgdwYXlsb2Fk'
+    'Qg0KC19yZXF1ZXN0X2lk');
diff --git a/useragent/lib/proto/client/auth.pb.dart b/useragent/lib/proto/client/auth.pb.dart
new file mode 100644
index 0000000..98eaab1
--- /dev/null
+++ b/useragent/lib/proto/client/auth.pb.dart
@@ -0,0 +1,395 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+import '../shared/client.pb.dart' as $0;
+import 'auth.pbenum.dart';
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+export 'auth.pbenum.dart';
+
+class AuthChallengeRequest extends $pb.GeneratedMessage {
+  factory AuthChallengeRequest({
+    $core.List<$core.int>? pubkey,
+    $0.ClientInfo? clientInfo,
+  }) {
+    final result = create();
+    if (pubkey != null) result.pubkey = pubkey;
+    if (clientInfo != null) result.clientInfo = clientInfo;
+    return result;
+  }
+
+  AuthChallengeRequest._();
+
+  factory AuthChallengeRequest.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallengeRequest.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallengeRequest',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..aOM<$0.ClientInfo>(2, _omitFieldNames ? '' : 'clientInfo',
+        subBuilder: $0.ClientInfo.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeRequest clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeRequest copyWith(void Function(AuthChallengeRequest) updates) =>
+      super.copyWith((message) => updates(message as AuthChallengeRequest))
+          as AuthChallengeRequest;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeRequest create() => AuthChallengeRequest._();
+  @$core.override
+  AuthChallengeRequest createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeRequest getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallengeRequest>(create);
+  static AuthChallengeRequest? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get pubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearPubkey() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $0.ClientInfo get clientInfo => $_getN(1);
+  @$pb.TagNumber(2)
+  set clientInfo($0.ClientInfo value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasClientInfo() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearClientInfo() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.ClientInfo ensureClientInfo() => $_ensure(1);
+}
+
+class AuthChallenge extends $pb.GeneratedMessage {
+  factory AuthChallenge({
+    $core.List<$core.int>? pubkey,
+    $core.int? nonce,
+  }) {
+    final result = create();
+    if (pubkey != null) result.pubkey = pubkey;
+    if (nonce != null) result.nonce = nonce;
+    return result;
+  }
+
+  AuthChallenge._();
+
+  factory AuthChallenge.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallenge.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallenge',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..aI(2, _omitFieldNames ? '' : 'nonce')
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallenge clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallenge copyWith(void Function(AuthChallenge) updates) =>
+      super.copyWith((message) => updates(message as AuthChallenge))
+          as AuthChallenge;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallenge create() => AuthChallenge._();
+  @$core.override
+  AuthChallenge createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallenge getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallenge>(create);
+  static AuthChallenge? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get pubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearPubkey() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.int get nonce => $_getIZ(1);
+  @$pb.TagNumber(2)
+  set nonce($core.int value) => $_setSignedInt32(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasNonce() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearNonce() => $_clearField(2);
+}
+
+class AuthChallengeSolution extends $pb.GeneratedMessage {
+  factory AuthChallengeSolution({
+    $core.List<$core.int>? signature,
+  }) {
+    final result = create();
+    if (signature != null) result.signature = signature;
+    return result;
+  }
+
+  AuthChallengeSolution._();
+
+  factory AuthChallengeSolution.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallengeSolution.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallengeSolution',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeSolution clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeSolution copyWith(
+          void Function(AuthChallengeSolution) updates) =>
+      super.copyWith((message) => updates(message as AuthChallengeSolution))
+          as AuthChallengeSolution;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeSolution create() => AuthChallengeSolution._();
+  @$core.override
+  AuthChallengeSolution createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeSolution getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallengeSolution>(create);
+  static AuthChallengeSolution? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get signature => $_getN(0);
+  @$pb.TagNumber(1)
+  set signature($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSignature() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSignature() => $_clearField(1);
+}
+
+enum Request_Payload { challengeRequest, challengeSolution, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    AuthChallengeRequest? challengeRequest,
+    AuthChallengeSolution? challengeSolution,
+  }) {
+    final result = create();
+    if (challengeRequest != null) result.challengeRequest = challengeRequest;
+    if (challengeSolution != null) result.challengeSolution = challengeSolution;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.challengeRequest,
+    2: Request_Payload.challengeSolution,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<AuthChallengeRequest>(1, _omitFieldNames ? '' : 'challengeRequest',
+        subBuilder: AuthChallengeRequest.create)
+    ..aOM<AuthChallengeSolution>(2, _omitFieldNames ? '' : 'challengeSolution',
+        subBuilder: AuthChallengeSolution.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  AuthChallengeRequest get challengeRequest => $_getN(0);
+  @$pb.TagNumber(1)
+  set challengeRequest(AuthChallengeRequest value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasChallengeRequest() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearChallengeRequest() => $_clearField(1);
+  @$pb.TagNumber(1)
+  AuthChallengeRequest ensureChallengeRequest() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  AuthChallengeSolution get challengeSolution => $_getN(1);
+  @$pb.TagNumber(2)
+  set challengeSolution(AuthChallengeSolution value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasChallengeSolution() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearChallengeSolution() => $_clearField(2);
+  @$pb.TagNumber(2)
+  AuthChallengeSolution ensureChallengeSolution() => $_ensure(1);
+}
+
+enum Response_Payload { challenge, result, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    AuthChallenge? challenge,
+    AuthResult? result,
+  }) {
+    final result$ = create();
+    if (challenge != null) result$.challenge = challenge;
+    if (result != null) result$.result = result;
+    return result$;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.challenge,
+    2: Response_Payload.result,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<AuthChallenge>(1, _omitFieldNames ? '' : 'challenge',
+        subBuilder: AuthChallenge.create)
+    ..aE<AuthResult>(2, _omitFieldNames ? '' : 'result',
+        enumValues: AuthResult.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  AuthChallenge get challenge => $_getN(0);
+  @$pb.TagNumber(1)
+  set challenge(AuthChallenge value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasChallenge() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearChallenge() => $_clearField(1);
+  @$pb.TagNumber(1)
+  AuthChallenge ensureChallenge() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  AuthResult get result => $_getN(1);
+  @$pb.TagNumber(2)
+  set result(AuthResult value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasResult() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearResult() => $_clearField(2);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');
diff --git a/useragent/lib/proto/client/auth.pbenum.dart b/useragent/lib/proto/client/auth.pbenum.dart
new file mode 100644
index 0000000..8e1baba
--- /dev/null
+++ b/useragent/lib/proto/client/auth.pbenum.dart
@@ -0,0 +1,52 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+class AuthResult extends $pb.ProtobufEnum {
+  static const AuthResult AUTH_RESULT_UNSPECIFIED =
+      AuthResult._(0, _omitEnumNames ? '' : 'AUTH_RESULT_UNSPECIFIED');
+  static const AuthResult AUTH_RESULT_SUCCESS =
+      AuthResult._(1, _omitEnumNames ? '' : 'AUTH_RESULT_SUCCESS');
+  static const AuthResult AUTH_RESULT_INVALID_KEY =
+      AuthResult._(2, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_KEY');
+  static const AuthResult AUTH_RESULT_INVALID_SIGNATURE =
+      AuthResult._(3, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_SIGNATURE');
+  static const AuthResult AUTH_RESULT_APPROVAL_DENIED =
+      AuthResult._(4, _omitEnumNames ? '' : 'AUTH_RESULT_APPROVAL_DENIED');
+  static const AuthResult AUTH_RESULT_NO_USER_AGENTS_ONLINE = AuthResult._(
+      5, _omitEnumNames ? '' : 'AUTH_RESULT_NO_USER_AGENTS_ONLINE');
+  static const AuthResult AUTH_RESULT_INTERNAL =
+      AuthResult._(6, _omitEnumNames ? '' : 'AUTH_RESULT_INTERNAL');
+
+  static const $core.List<AuthResult> values = <AuthResult>[
+    AUTH_RESULT_UNSPECIFIED,
+    AUTH_RESULT_SUCCESS,
+    AUTH_RESULT_INVALID_KEY,
+    AUTH_RESULT_INVALID_SIGNATURE,
+    AUTH_RESULT_APPROVAL_DENIED,
+    AUTH_RESULT_NO_USER_AGENTS_ONLINE,
+    AUTH_RESULT_INTERNAL,
+  ];
+
+  static final $core.List<AuthResult?> _byValue =
+      $pb.ProtobufEnum.$_initByValueList(values, 6);
+  static AuthResult? valueOf($core.int value) =>
+      value < 0 || value >= _byValue.length ? null : _byValue[value];
+
+  const AuthResult._(super.value, super.name);
+}
+
+const $core.bool _omitEnumNames =
+    $core.bool.fromEnvironment('protobuf.omit_enum_names');
diff --git a/useragent/lib/proto/client/auth.pbjson.dart b/useragent/lib/proto/client/auth.pbjson.dart
new file mode 100644
index 0000000..c9cf99e
--- /dev/null
+++ b/useragent/lib/proto/client/auth.pbjson.dart
@@ -0,0 +1,154 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use authResultDescriptor instead')
+const AuthResult$json = {
+  '1': 'AuthResult',
+  '2': [
+    {'1': 'AUTH_RESULT_UNSPECIFIED', '2': 0},
+    {'1': 'AUTH_RESULT_SUCCESS', '2': 1},
+    {'1': 'AUTH_RESULT_INVALID_KEY', '2': 2},
+    {'1': 'AUTH_RESULT_INVALID_SIGNATURE', '2': 3},
+    {'1': 'AUTH_RESULT_APPROVAL_DENIED', '2': 4},
+    {'1': 'AUTH_RESULT_NO_USER_AGENTS_ONLINE', '2': 5},
+    {'1': 'AUTH_RESULT_INTERNAL', '2': 6},
+  ],
+};
+
+/// Descriptor for `AuthResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
+final $typed_data.Uint8List authResultDescriptor = $convert.base64Decode(
+    'CgpBdXRoUmVzdWx0EhsKF0FVVEhfUkVTVUxUX1VOU1BFQ0lGSUVEEAASFwoTQVVUSF9SRVNVTF'
+    'RfU1VDQ0VTUxABEhsKF0FVVEhfUkVTVUxUX0lOVkFMSURfS0VZEAISIQodQVVUSF9SRVNVTFRf'
+    'SU5WQUxJRF9TSUdOQVRVUkUQAxIfChtBVVRIX1JFU1VMVF9BUFBST1ZBTF9ERU5JRUQQBBIlCi'
+    'FBVVRIX1JFU1VMVF9OT19VU0VSX0FHRU5UU19PTkxJTkUQBRIYChRBVVRIX1JFU1VMVF9JTlRF'
+    'Uk5BTBAG');
+
+@$core.Deprecated('Use authChallengeRequestDescriptor instead')
+const AuthChallengeRequest$json = {
+  '1': 'AuthChallengeRequest',
+  '2': [
+    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
+    {
+      '1': 'client_info',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.ClientInfo',
+      '10': 'clientInfo'
+    },
+  ],
+};
+
+/// Descriptor for `AuthChallengeRequest`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeRequestDescriptor = $convert.base64Decode(
+    'ChRBdXRoQ2hhbGxlbmdlUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRI7CgtjbGllbn'
+    'RfaW5mbxgCIAEoCzIaLmFyYml0ZXIuc2hhcmVkLkNsaWVudEluZm9SCmNsaWVudEluZm8=');
+
+@$core.Deprecated('Use authChallengeDescriptor instead')
+const AuthChallenge$json = {
+  '1': 'AuthChallenge',
+  '2': [
+    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
+    {'1': 'nonce', '3': 2, '4': 1, '5': 5, '10': 'nonce'},
+  ],
+};
+
+/// Descriptor for `AuthChallenge`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeDescriptor = $convert.base64Decode(
+    'Cg1BdXRoQ2hhbGxlbmdlEhYKBnB1YmtleRgBIAEoDFIGcHVia2V5EhQKBW5vbmNlGAIgASgFUg'
+    'Vub25jZQ==');
+
+@$core.Deprecated('Use authChallengeSolutionDescriptor instead')
+const AuthChallengeSolution$json = {
+  '1': 'AuthChallengeSolution',
+  '2': [
+    {'1': 'signature', '3': 1, '4': 1, '5': 12, '10': 'signature'},
+  ],
+};
+
+/// Descriptor for `AuthChallengeSolution`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeSolutionDescriptor = $convert.base64Decode(
+    'ChVBdXRoQ2hhbGxlbmdlU29sdXRpb24SHAoJc2lnbmF0dXJlGAEgASgMUglzaWduYXR1cmU=');
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'challenge_request',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.client.auth.AuthChallengeRequest',
+      '9': 0,
+      '10': 'challengeRequest'
+    },
+    {
+      '1': 'challenge_solution',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.client.auth.AuthChallengeSolution',
+      '9': 0,
+      '10': 'challengeSolution'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0ElgKEWNoYWxsZW5nZV9yZXF1ZXN0GAEgASgLMikuYXJiaXRlci5jbGllbnQuYX'
+    'V0aC5BdXRoQ2hhbGxlbmdlUmVxdWVzdEgAUhBjaGFsbGVuZ2VSZXF1ZXN0ElsKEmNoYWxsZW5n'
+    'ZV9zb2x1dGlvbhgCIAEoCzIqLmFyYml0ZXIuY2xpZW50LmF1dGguQXV0aENoYWxsZW5nZVNvbH'
+    'V0aW9uSABSEWNoYWxsZW5nZVNvbHV0aW9uQgkKB3BheWxvYWQ=');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'challenge',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.client.auth.AuthChallenge',
+      '9': 0,
+      '10': 'challenge'
+    },
+    {
+      '1': 'result',
+      '3': 2,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.client.auth.AuthResult',
+      '9': 0,
+      '10': 'result'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRJCCgljaGFsbGVuZ2UYASABKAsyIi5hcmJpdGVyLmNsaWVudC5hdXRoLkF1dG'
+    'hDaGFsbGVuZ2VIAFIJY2hhbGxlbmdlEjkKBnJlc3VsdBgCIAEoDjIfLmFyYml0ZXIuY2xpZW50'
+    'LmF1dGguQXV0aFJlc3VsdEgAUgZyZXN1bHRCCQoHcGF5bG9hZA==');
diff --git a/useragent/lib/proto/client/evm.pb.dart b/useragent/lib/proto/client/evm.pb.dart
new file mode 100644
index 0000000..ca9dd65
--- /dev/null
+++ b/useragent/lib/proto/client/evm.pb.dart
@@ -0,0 +1,208 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+import '../evm.pb.dart' as $0;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+enum Request_Payload { signTransaction, analyzeTransaction, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    $0.EvmSignTransactionRequest? signTransaction,
+    $0.EvmAnalyzeTransactionRequest? analyzeTransaction,
+  }) {
+    final result = create();
+    if (signTransaction != null) result.signTransaction = signTransaction;
+    if (analyzeTransaction != null)
+      result.analyzeTransaction = analyzeTransaction;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.signTransaction,
+    2: Request_Payload.analyzeTransaction,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<$0.EvmSignTransactionRequest>(
+        1, _omitFieldNames ? '' : 'signTransaction',
+        subBuilder: $0.EvmSignTransactionRequest.create)
+    ..aOM<$0.EvmAnalyzeTransactionRequest>(
+        2, _omitFieldNames ? '' : 'analyzeTransaction',
+        subBuilder: $0.EvmAnalyzeTransactionRequest.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionRequest get signTransaction => $_getN(0);
+  @$pb.TagNumber(1)
+  set signTransaction($0.EvmSignTransactionRequest value) =>
+      $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSignTransaction() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSignTransaction() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionRequest ensureSignTransaction() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionRequest get analyzeTransaction => $_getN(1);
+  @$pb.TagNumber(2)
+  set analyzeTransaction($0.EvmAnalyzeTransactionRequest value) =>
+      $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasAnalyzeTransaction() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearAnalyzeTransaction() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionRequest ensureAnalyzeTransaction() => $_ensure(1);
+}
+
+enum Response_Payload { signTransaction, analyzeTransaction, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    $0.EvmSignTransactionResponse? signTransaction,
+    $0.EvmAnalyzeTransactionResponse? analyzeTransaction,
+  }) {
+    final result = create();
+    if (signTransaction != null) result.signTransaction = signTransaction;
+    if (analyzeTransaction != null)
+      result.analyzeTransaction = analyzeTransaction;
+    return result;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.signTransaction,
+    2: Response_Payload.analyzeTransaction,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<$0.EvmSignTransactionResponse>(
+        1, _omitFieldNames ? '' : 'signTransaction',
+        subBuilder: $0.EvmSignTransactionResponse.create)
+    ..aOM<$0.EvmAnalyzeTransactionResponse>(
+        2, _omitFieldNames ? '' : 'analyzeTransaction',
+        subBuilder: $0.EvmAnalyzeTransactionResponse.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionResponse get signTransaction => $_getN(0);
+  @$pb.TagNumber(1)
+  set signTransaction($0.EvmSignTransactionResponse value) =>
+      $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSignTransaction() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSignTransaction() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionResponse ensureSignTransaction() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionResponse get analyzeTransaction => $_getN(1);
+  @$pb.TagNumber(2)
+  set analyzeTransaction($0.EvmAnalyzeTransactionResponse value) =>
+      $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasAnalyzeTransaction() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearAnalyzeTransaction() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionResponse ensureAnalyzeTransaction() => $_ensure(1);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');
diff --git a/useragent/lib/proto/client/evm.pbenum.dart b/useragent/lib/proto/client/evm.pbenum.dart
new file mode 100644
index 0000000..cc33348
--- /dev/null
+++ b/useragent/lib/proto/client/evm.pbenum.dart
@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
diff --git a/useragent/lib/proto/client/evm.pbjson.dart b/useragent/lib/proto/client/evm.pbjson.dart
new file mode 100644
index 0000000..af9f349
--- /dev/null
+++ b/useragent/lib/proto/client/evm.pbjson.dart
@@ -0,0 +1,86 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'sign_transaction',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmSignTransactionRequest',
+      '9': 0,
+      '10': 'signTransaction'
+    },
+    {
+      '1': 'analyze_transaction',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmAnalyzeTransactionRequest',
+      '9': 0,
+      '10': 'analyzeTransaction'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0ElMKEHNpZ25fdHJhbnNhY3Rpb24YASABKAsyJi5hcmJpdGVyLmV2bS5Fdm1TaW'
+    'duVHJhbnNhY3Rpb25SZXF1ZXN0SABSD3NpZ25UcmFuc2FjdGlvbhJcChNhbmFseXplX3RyYW5z'
+    'YWN0aW9uGAIgASgLMikuYXJiaXRlci5ldm0uRXZtQW5hbHl6ZVRyYW5zYWN0aW9uUmVxdWVzdE'
+    'gAUhJhbmFseXplVHJhbnNhY3Rpb25CCQoHcGF5bG9hZA==');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'sign_transaction',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmSignTransactionResponse',
+      '9': 0,
+      '10': 'signTransaction'
+    },
+    {
+      '1': 'analyze_transaction',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmAnalyzeTransactionResponse',
+      '9': 0,
+      '10': 'analyzeTransaction'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRJUChBzaWduX3RyYW5zYWN0aW9uGAEgASgLMicuYXJiaXRlci5ldm0uRXZtU2'
+    'lnblRyYW5zYWN0aW9uUmVzcG9uc2VIAFIPc2lnblRyYW5zYWN0aW9uEl0KE2FuYWx5emVfdHJh'
+    'bnNhY3Rpb24YAiABKAsyKi5hcmJpdGVyLmV2bS5Fdm1BbmFseXplVHJhbnNhY3Rpb25SZXNwb2'
+    '5zZUgAUhJhbmFseXplVHJhbnNhY3Rpb25CCQoHcGF5bG9hZA==');
diff --git a/useragent/lib/proto/client/vault.pb.dart b/useragent/lib/proto/client/vault.pb.dart
new file mode 100644
index 0000000..c2eb972
--- /dev/null
+++ b/useragent/lib/proto/client/vault.pb.dart
@@ -0,0 +1,161 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $0;
+
+import '../shared/vault.pbenum.dart' as $1;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+enum Request_Payload { queryState, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    $0.Empty? queryState,
+  }) {
+    final result = create();
+    if (queryState != null) result.queryState = queryState;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.queryState,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.client.vault'),
+      createEmptyInstance: create)
+    ..oo(0, [1])
+    ..aOM<$0.Empty>(1, _omitFieldNames ? '' : 'queryState',
+        subBuilder: $0.Empty.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.Empty get queryState => $_getN(0);
+  @$pb.TagNumber(1)
+  set queryState($0.Empty value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasQueryState() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearQueryState() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.Empty ensureQueryState() => $_ensure(0);
+}
+
+enum Response_Payload { state, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    $1.VaultState? state,
+  }) {
+    final result = create();
+    if (state != null) result.state = state;
+    return result;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.state,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.client.vault'),
+      createEmptyInstance: create)
+    ..oo(0, [1])
+    ..aE<$1.VaultState>(1, _omitFieldNames ? '' : 'state',
+        enumValues: $1.VaultState.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $1.VaultState get state => $_getN(0);
+  @$pb.TagNumber(1)
+  set state($1.VaultState value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasState() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearState() => $_clearField(1);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');
diff --git a/useragent/lib/proto/client/vault.pbenum.dart b/useragent/lib/proto/client/vault.pbenum.dart
new file mode 100644
index 0000000..ab70d5c
--- /dev/null
+++ b/useragent/lib/proto/client/vault.pbenum.dart
@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
diff --git a/useragent/lib/proto/client/vault.pbjson.dart b/useragent/lib/proto/client/vault.pbjson.dart
new file mode 100644
index 0000000..64aad64
--- /dev/null
+++ b/useragent/lib/proto/client/vault.pbjson.dart
@@ -0,0 +1,64 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'query_state',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'queryState'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0EjkKC3F1ZXJ5X3N0YXRlGAEgASgLMhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SA'
+    'BSCnF1ZXJ5U3RhdGVCCQoHcGF5bG9hZA==');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'state',
+      '3': 1,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.shared.VaultState',
+      '9': 0,
+      '10': 'state'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRIyCgVzdGF0ZRgBIAEoDjIaLmFyYml0ZXIuc2hhcmVkLlZhdWx0U3RhdGVIAF'
+    'IFc3RhdGVCCQoHcGF5bG9hZA==');
diff --git a/useragent/lib/proto/evm.pb.dart b/useragent/lib/proto/evm.pb.dart
index 705d79f..61fc3ae 100644
--- a/useragent/lib/proto/evm.pb.dart
+++ b/useragent/lib/proto/evm.pb.dart
@@ -19,6 +19,7 @@ import 'package:protobuf/well_known_types/google/protobuf/timestamp.pb.dart'
     as $0;
 
 import 'evm.pbenum.dart';
+import 'shared/evm.pb.dart' as $2;
 
 export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
 
@@ -815,825 +816,6 @@ class SpecificGrant extends $pb.GeneratedMessage {
   TokenTransferSettings ensureTokenTransfer() => $_ensure(1);
 }
 
-class EtherTransferMeaning extends $pb.GeneratedMessage {
-  factory EtherTransferMeaning({
-    $core.List<$core.int>? to,
-    $core.List<$core.int>? value,
-  }) {
-    final result = create();
-    if (to != null) result.to = to;
-    if (value != null) result.value = value;
-    return result;
-  }
-
-  EtherTransferMeaning._();
-
-  factory EtherTransferMeaning.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory EtherTransferMeaning.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'EtherTransferMeaning',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'to', $pb.PbFieldType.OY)
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'value', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  EtherTransferMeaning clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  EtherTransferMeaning copyWith(void Function(EtherTransferMeaning) updates) =>
-      super.copyWith((message) => updates(message as EtherTransferMeaning))
-          as EtherTransferMeaning;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static EtherTransferMeaning create() => EtherTransferMeaning._();
-  @$core.override
-  EtherTransferMeaning createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static EtherTransferMeaning getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<EtherTransferMeaning>(create);
-  static EtherTransferMeaning? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get to => $_getN(0);
-  @$pb.TagNumber(1)
-  set to($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasTo() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearTo() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get value => $_getN(1);
-  @$pb.TagNumber(2)
-  set value($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasValue() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearValue() => $_clearField(2);
-}
-
-class TokenInfo extends $pb.GeneratedMessage {
-  factory TokenInfo({
-    $core.String? symbol,
-    $core.List<$core.int>? address,
-    $fixnum.Int64? chainId,
-  }) {
-    final result = create();
-    if (symbol != null) result.symbol = symbol;
-    if (address != null) result.address = address;
-    if (chainId != null) result.chainId = chainId;
-    return result;
-  }
-
-  TokenInfo._();
-
-  factory TokenInfo.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory TokenInfo.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'TokenInfo',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..aOS(1, _omitFieldNames ? '' : 'symbol')
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'address', $pb.PbFieldType.OY)
-    ..a<$fixnum.Int64>(3, _omitFieldNames ? '' : 'chainId', $pb.PbFieldType.OU6,
-        defaultOrMaker: $fixnum.Int64.ZERO)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TokenInfo clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TokenInfo copyWith(void Function(TokenInfo) updates) =>
-      super.copyWith((message) => updates(message as TokenInfo)) as TokenInfo;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static TokenInfo create() => TokenInfo._();
-  @$core.override
-  TokenInfo createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static TokenInfo getDefault() =>
-      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<TokenInfo>(create);
-  static TokenInfo? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.String get symbol => $_getSZ(0);
-  @$pb.TagNumber(1)
-  set symbol($core.String value) => $_setString(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasSymbol() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearSymbol() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get address => $_getN(1);
-  @$pb.TagNumber(2)
-  set address($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasAddress() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearAddress() => $_clearField(2);
-
-  @$pb.TagNumber(3)
-  $fixnum.Int64 get chainId => $_getI64(2);
-  @$pb.TagNumber(3)
-  set chainId($fixnum.Int64 value) => $_setInt64(2, value);
-  @$pb.TagNumber(3)
-  $core.bool hasChainId() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearChainId() => $_clearField(3);
-}
-
-/// Mirror of token_transfers::Meaning
-class TokenTransferMeaning extends $pb.GeneratedMessage {
-  factory TokenTransferMeaning({
-    TokenInfo? token,
-    $core.List<$core.int>? to,
-    $core.List<$core.int>? value,
-  }) {
-    final result = create();
-    if (token != null) result.token = token;
-    if (to != null) result.to = to;
-    if (value != null) result.value = value;
-    return result;
-  }
-
-  TokenTransferMeaning._();
-
-  factory TokenTransferMeaning.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory TokenTransferMeaning.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'TokenTransferMeaning',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..aOM<TokenInfo>(1, _omitFieldNames ? '' : 'token',
-        subBuilder: TokenInfo.create)
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'to', $pb.PbFieldType.OY)
-    ..a<$core.List<$core.int>>(
-        3, _omitFieldNames ? '' : 'value', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TokenTransferMeaning clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TokenTransferMeaning copyWith(void Function(TokenTransferMeaning) updates) =>
-      super.copyWith((message) => updates(message as TokenTransferMeaning))
-          as TokenTransferMeaning;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static TokenTransferMeaning create() => TokenTransferMeaning._();
-  @$core.override
-  TokenTransferMeaning createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static TokenTransferMeaning getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<TokenTransferMeaning>(create);
-  static TokenTransferMeaning? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  TokenInfo get token => $_getN(0);
-  @$pb.TagNumber(1)
-  set token(TokenInfo value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasToken() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearToken() => $_clearField(1);
-  @$pb.TagNumber(1)
-  TokenInfo ensureToken() => $_ensure(0);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get to => $_getN(1);
-  @$pb.TagNumber(2)
-  set to($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasTo() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearTo() => $_clearField(2);
-
-  @$pb.TagNumber(3)
-  $core.List<$core.int> get value => $_getN(2);
-  @$pb.TagNumber(3)
-  set value($core.List<$core.int> value) => $_setBytes(2, value);
-  @$pb.TagNumber(3)
-  $core.bool hasValue() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearValue() => $_clearField(3);
-}
-
-enum SpecificMeaning_Meaning { etherTransfer, tokenTransfer, notSet }
-
-/// Mirror of policies::SpecificMeaning
-class SpecificMeaning extends $pb.GeneratedMessage {
-  factory SpecificMeaning({
-    EtherTransferMeaning? etherTransfer,
-    TokenTransferMeaning? tokenTransfer,
-  }) {
-    final result = create();
-    if (etherTransfer != null) result.etherTransfer = etherTransfer;
-    if (tokenTransfer != null) result.tokenTransfer = tokenTransfer;
-    return result;
-  }
-
-  SpecificMeaning._();
-
-  factory SpecificMeaning.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SpecificMeaning.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static const $core.Map<$core.int, SpecificMeaning_Meaning>
-      _SpecificMeaning_MeaningByTag = {
-    1: SpecificMeaning_Meaning.etherTransfer,
-    2: SpecificMeaning_Meaning.tokenTransfer,
-    0: SpecificMeaning_Meaning.notSet
-  };
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SpecificMeaning',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..oo(0, [1, 2])
-    ..aOM<EtherTransferMeaning>(1, _omitFieldNames ? '' : 'etherTransfer',
-        subBuilder: EtherTransferMeaning.create)
-    ..aOM<TokenTransferMeaning>(2, _omitFieldNames ? '' : 'tokenTransfer',
-        subBuilder: TokenTransferMeaning.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SpecificMeaning clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SpecificMeaning copyWith(void Function(SpecificMeaning) updates) =>
-      super.copyWith((message) => updates(message as SpecificMeaning))
-          as SpecificMeaning;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SpecificMeaning create() => SpecificMeaning._();
-  @$core.override
-  SpecificMeaning createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SpecificMeaning getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SpecificMeaning>(create);
-  static SpecificMeaning? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  SpecificMeaning_Meaning whichMeaning() =>
-      _SpecificMeaning_MeaningByTag[$_whichOneof(0)]!;
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  void clearMeaning() => $_clearField($_whichOneof(0));
-
-  @$pb.TagNumber(1)
-  EtherTransferMeaning get etherTransfer => $_getN(0);
-  @$pb.TagNumber(1)
-  set etherTransfer(EtherTransferMeaning value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasEtherTransfer() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearEtherTransfer() => $_clearField(1);
-  @$pb.TagNumber(1)
-  EtherTransferMeaning ensureEtherTransfer() => $_ensure(0);
-
-  @$pb.TagNumber(2)
-  TokenTransferMeaning get tokenTransfer => $_getN(1);
-  @$pb.TagNumber(2)
-  set tokenTransfer(TokenTransferMeaning value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasTokenTransfer() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearTokenTransfer() => $_clearField(2);
-  @$pb.TagNumber(2)
-  TokenTransferMeaning ensureTokenTransfer() => $_ensure(1);
-}
-
-/// --- Eval error types ---
-class GasLimitExceededViolation extends $pb.GeneratedMessage {
-  factory GasLimitExceededViolation({
-    $core.List<$core.int>? maxGasFeePerGas,
-    $core.List<$core.int>? maxPriorityFeePerGas,
-  }) {
-    final result = create();
-    if (maxGasFeePerGas != null) result.maxGasFeePerGas = maxGasFeePerGas;
-    if (maxPriorityFeePerGas != null)
-      result.maxPriorityFeePerGas = maxPriorityFeePerGas;
-    return result;
-  }
-
-  GasLimitExceededViolation._();
-
-  factory GasLimitExceededViolation.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory GasLimitExceededViolation.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'GasLimitExceededViolation',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'maxGasFeePerGas', $pb.PbFieldType.OY)
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'maxPriorityFeePerGas', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  GasLimitExceededViolation clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  GasLimitExceededViolation copyWith(
-          void Function(GasLimitExceededViolation) updates) =>
-      super.copyWith((message) => updates(message as GasLimitExceededViolation))
-          as GasLimitExceededViolation;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static GasLimitExceededViolation create() => GasLimitExceededViolation._();
-  @$core.override
-  GasLimitExceededViolation createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static GasLimitExceededViolation getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<GasLimitExceededViolation>(create);
-  static GasLimitExceededViolation? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get maxGasFeePerGas => $_getN(0);
-  @$pb.TagNumber(1)
-  set maxGasFeePerGas($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasMaxGasFeePerGas() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearMaxGasFeePerGas() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get maxPriorityFeePerGas => $_getN(1);
-  @$pb.TagNumber(2)
-  set maxPriorityFeePerGas($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasMaxPriorityFeePerGas() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearMaxPriorityFeePerGas() => $_clearField(2);
-}
-
-enum EvalViolation_Kind {
-  invalidTarget,
-  gasLimitExceeded,
-  rateLimitExceeded,
-  volumetricLimitExceeded,
-  invalidTime,
-  invalidTransactionType,
-  notSet
-}
-
-class EvalViolation extends $pb.GeneratedMessage {
-  factory EvalViolation({
-    $core.List<$core.int>? invalidTarget,
-    GasLimitExceededViolation? gasLimitExceeded,
-    $1.Empty? rateLimitExceeded,
-    $1.Empty? volumetricLimitExceeded,
-    $1.Empty? invalidTime,
-    $1.Empty? invalidTransactionType,
-  }) {
-    final result = create();
-    if (invalidTarget != null) result.invalidTarget = invalidTarget;
-    if (gasLimitExceeded != null) result.gasLimitExceeded = gasLimitExceeded;
-    if (rateLimitExceeded != null) result.rateLimitExceeded = rateLimitExceeded;
-    if (volumetricLimitExceeded != null)
-      result.volumetricLimitExceeded = volumetricLimitExceeded;
-    if (invalidTime != null) result.invalidTime = invalidTime;
-    if (invalidTransactionType != null)
-      result.invalidTransactionType = invalidTransactionType;
-    return result;
-  }
-
-  EvalViolation._();
-
-  factory EvalViolation.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory EvalViolation.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static const $core.Map<$core.int, EvalViolation_Kind>
-      _EvalViolation_KindByTag = {
-    1: EvalViolation_Kind.invalidTarget,
-    2: EvalViolation_Kind.gasLimitExceeded,
-    3: EvalViolation_Kind.rateLimitExceeded,
-    4: EvalViolation_Kind.volumetricLimitExceeded,
-    5: EvalViolation_Kind.invalidTime,
-    6: EvalViolation_Kind.invalidTransactionType,
-    0: EvalViolation_Kind.notSet
-  };
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'EvalViolation',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..oo(0, [1, 2, 3, 4, 5, 6])
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'invalidTarget', $pb.PbFieldType.OY)
-    ..aOM<GasLimitExceededViolation>(
-        2, _omitFieldNames ? '' : 'gasLimitExceeded',
-        subBuilder: GasLimitExceededViolation.create)
-    ..aOM<$1.Empty>(3, _omitFieldNames ? '' : 'rateLimitExceeded',
-        subBuilder: $1.Empty.create)
-    ..aOM<$1.Empty>(4, _omitFieldNames ? '' : 'volumetricLimitExceeded',
-        subBuilder: $1.Empty.create)
-    ..aOM<$1.Empty>(5, _omitFieldNames ? '' : 'invalidTime',
-        subBuilder: $1.Empty.create)
-    ..aOM<$1.Empty>(6, _omitFieldNames ? '' : 'invalidTransactionType',
-        subBuilder: $1.Empty.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  EvalViolation clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  EvalViolation copyWith(void Function(EvalViolation) updates) =>
-      super.copyWith((message) => updates(message as EvalViolation))
-          as EvalViolation;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static EvalViolation create() => EvalViolation._();
-  @$core.override
-  EvalViolation createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static EvalViolation getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<EvalViolation>(create);
-  static EvalViolation? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  @$pb.TagNumber(5)
-  @$pb.TagNumber(6)
-  EvalViolation_Kind whichKind() => _EvalViolation_KindByTag[$_whichOneof(0)]!;
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  @$pb.TagNumber(5)
-  @$pb.TagNumber(6)
-  void clearKind() => $_clearField($_whichOneof(0));
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get invalidTarget => $_getN(0);
-  @$pb.TagNumber(1)
-  set invalidTarget($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasInvalidTarget() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearInvalidTarget() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  GasLimitExceededViolation get gasLimitExceeded => $_getN(1);
-  @$pb.TagNumber(2)
-  set gasLimitExceeded(GasLimitExceededViolation value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasGasLimitExceeded() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearGasLimitExceeded() => $_clearField(2);
-  @$pb.TagNumber(2)
-  GasLimitExceededViolation ensureGasLimitExceeded() => $_ensure(1);
-
-  @$pb.TagNumber(3)
-  $1.Empty get rateLimitExceeded => $_getN(2);
-  @$pb.TagNumber(3)
-  set rateLimitExceeded($1.Empty value) => $_setField(3, value);
-  @$pb.TagNumber(3)
-  $core.bool hasRateLimitExceeded() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearRateLimitExceeded() => $_clearField(3);
-  @$pb.TagNumber(3)
-  $1.Empty ensureRateLimitExceeded() => $_ensure(2);
-
-  @$pb.TagNumber(4)
-  $1.Empty get volumetricLimitExceeded => $_getN(3);
-  @$pb.TagNumber(4)
-  set volumetricLimitExceeded($1.Empty value) => $_setField(4, value);
-  @$pb.TagNumber(4)
-  $core.bool hasVolumetricLimitExceeded() => $_has(3);
-  @$pb.TagNumber(4)
-  void clearVolumetricLimitExceeded() => $_clearField(4);
-  @$pb.TagNumber(4)
-  $1.Empty ensureVolumetricLimitExceeded() => $_ensure(3);
-
-  @$pb.TagNumber(5)
-  $1.Empty get invalidTime => $_getN(4);
-  @$pb.TagNumber(5)
-  set invalidTime($1.Empty value) => $_setField(5, value);
-  @$pb.TagNumber(5)
-  $core.bool hasInvalidTime() => $_has(4);
-  @$pb.TagNumber(5)
-  void clearInvalidTime() => $_clearField(5);
-  @$pb.TagNumber(5)
-  $1.Empty ensureInvalidTime() => $_ensure(4);
-
-  @$pb.TagNumber(6)
-  $1.Empty get invalidTransactionType => $_getN(5);
-  @$pb.TagNumber(6)
-  set invalidTransactionType($1.Empty value) => $_setField(6, value);
-  @$pb.TagNumber(6)
-  $core.bool hasInvalidTransactionType() => $_has(5);
-  @$pb.TagNumber(6)
-  void clearInvalidTransactionType() => $_clearField(6);
-  @$pb.TagNumber(6)
-  $1.Empty ensureInvalidTransactionType() => $_ensure(5);
-}
-
-/// Transaction was classified but no grant covers it
-class NoMatchingGrantError extends $pb.GeneratedMessage {
-  factory NoMatchingGrantError({
-    SpecificMeaning? meaning,
-  }) {
-    final result = create();
-    if (meaning != null) result.meaning = meaning;
-    return result;
-  }
-
-  NoMatchingGrantError._();
-
-  factory NoMatchingGrantError.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory NoMatchingGrantError.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'NoMatchingGrantError',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..aOM<SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
-        subBuilder: SpecificMeaning.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  NoMatchingGrantError clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  NoMatchingGrantError copyWith(void Function(NoMatchingGrantError) updates) =>
-      super.copyWith((message) => updates(message as NoMatchingGrantError))
-          as NoMatchingGrantError;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static NoMatchingGrantError create() => NoMatchingGrantError._();
-  @$core.override
-  NoMatchingGrantError createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static NoMatchingGrantError getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<NoMatchingGrantError>(create);
-  static NoMatchingGrantError? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  SpecificMeaning get meaning => $_getN(0);
-  @$pb.TagNumber(1)
-  set meaning(SpecificMeaning value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasMeaning() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearMeaning() => $_clearField(1);
-  @$pb.TagNumber(1)
-  SpecificMeaning ensureMeaning() => $_ensure(0);
-}
-
-/// Transaction was classified and a grant was found, but constraints were violated
-class PolicyViolationsError extends $pb.GeneratedMessage {
-  factory PolicyViolationsError({
-    SpecificMeaning? meaning,
-    $core.Iterable<EvalViolation>? violations,
-  }) {
-    final result = create();
-    if (meaning != null) result.meaning = meaning;
-    if (violations != null) result.violations.addAll(violations);
-    return result;
-  }
-
-  PolicyViolationsError._();
-
-  factory PolicyViolationsError.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory PolicyViolationsError.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'PolicyViolationsError',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..aOM<SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
-        subBuilder: SpecificMeaning.create)
-    ..pPM<EvalViolation>(2, _omitFieldNames ? '' : 'violations',
-        subBuilder: EvalViolation.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  PolicyViolationsError clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  PolicyViolationsError copyWith(
-          void Function(PolicyViolationsError) updates) =>
-      super.copyWith((message) => updates(message as PolicyViolationsError))
-          as PolicyViolationsError;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static PolicyViolationsError create() => PolicyViolationsError._();
-  @$core.override
-  PolicyViolationsError createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static PolicyViolationsError getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<PolicyViolationsError>(create);
-  static PolicyViolationsError? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  SpecificMeaning get meaning => $_getN(0);
-  @$pb.TagNumber(1)
-  set meaning(SpecificMeaning value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasMeaning() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearMeaning() => $_clearField(1);
-  @$pb.TagNumber(1)
-  SpecificMeaning ensureMeaning() => $_ensure(0);
-
-  @$pb.TagNumber(2)
-  $pb.PbList<EvalViolation> get violations => $_getList(1);
-}
-
-enum TransactionEvalError_Kind {
-  contractCreationNotSupported,
-  unsupportedTransactionType,
-  noMatchingGrant,
-  policyViolations,
-  notSet
-}
-
-/// top-level error returned when transaction evaluation fails
-class TransactionEvalError extends $pb.GeneratedMessage {
-  factory TransactionEvalError({
-    $1.Empty? contractCreationNotSupported,
-    $1.Empty? unsupportedTransactionType,
-    NoMatchingGrantError? noMatchingGrant,
-    PolicyViolationsError? policyViolations,
-  }) {
-    final result = create();
-    if (contractCreationNotSupported != null)
-      result.contractCreationNotSupported = contractCreationNotSupported;
-    if (unsupportedTransactionType != null)
-      result.unsupportedTransactionType = unsupportedTransactionType;
-    if (noMatchingGrant != null) result.noMatchingGrant = noMatchingGrant;
-    if (policyViolations != null) result.policyViolations = policyViolations;
-    return result;
-  }
-
-  TransactionEvalError._();
-
-  factory TransactionEvalError.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory TransactionEvalError.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static const $core.Map<$core.int, TransactionEvalError_Kind>
-      _TransactionEvalError_KindByTag = {
-    1: TransactionEvalError_Kind.contractCreationNotSupported,
-    2: TransactionEvalError_Kind.unsupportedTransactionType,
-    3: TransactionEvalError_Kind.noMatchingGrant,
-    4: TransactionEvalError_Kind.policyViolations,
-    0: TransactionEvalError_Kind.notSet
-  };
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'TransactionEvalError',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..oo(0, [1, 2, 3, 4])
-    ..aOM<$1.Empty>(1, _omitFieldNames ? '' : 'contractCreationNotSupported',
-        subBuilder: $1.Empty.create)
-    ..aOM<$1.Empty>(2, _omitFieldNames ? '' : 'unsupportedTransactionType',
-        subBuilder: $1.Empty.create)
-    ..aOM<NoMatchingGrantError>(3, _omitFieldNames ? '' : 'noMatchingGrant',
-        subBuilder: NoMatchingGrantError.create)
-    ..aOM<PolicyViolationsError>(4, _omitFieldNames ? '' : 'policyViolations',
-        subBuilder: PolicyViolationsError.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TransactionEvalError clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TransactionEvalError copyWith(void Function(TransactionEvalError) updates) =>
-      super.copyWith((message) => updates(message as TransactionEvalError))
-          as TransactionEvalError;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static TransactionEvalError create() => TransactionEvalError._();
-  @$core.override
-  TransactionEvalError createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static TransactionEvalError getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<TransactionEvalError>(create);
-  static TransactionEvalError? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  TransactionEvalError_Kind whichKind() =>
-      _TransactionEvalError_KindByTag[$_whichOneof(0)]!;
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  void clearKind() => $_clearField($_whichOneof(0));
-
-  @$pb.TagNumber(1)
-  $1.Empty get contractCreationNotSupported => $_getN(0);
-  @$pb.TagNumber(1)
-  set contractCreationNotSupported($1.Empty value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasContractCreationNotSupported() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearContractCreationNotSupported() => $_clearField(1);
-  @$pb.TagNumber(1)
-  $1.Empty ensureContractCreationNotSupported() => $_ensure(0);
-
-  @$pb.TagNumber(2)
-  $1.Empty get unsupportedTransactionType => $_getN(1);
-  @$pb.TagNumber(2)
-  set unsupportedTransactionType($1.Empty value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasUnsupportedTransactionType() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearUnsupportedTransactionType() => $_clearField(2);
-  @$pb.TagNumber(2)
-  $1.Empty ensureUnsupportedTransactionType() => $_ensure(1);
-
-  @$pb.TagNumber(3)
-  NoMatchingGrantError get noMatchingGrant => $_getN(2);
-  @$pb.TagNumber(3)
-  set noMatchingGrant(NoMatchingGrantError value) => $_setField(3, value);
-  @$pb.TagNumber(3)
-  $core.bool hasNoMatchingGrant() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearNoMatchingGrant() => $_clearField(3);
-  @$pb.TagNumber(3)
-  NoMatchingGrantError ensureNoMatchingGrant() => $_ensure(2);
-
-  @$pb.TagNumber(4)
-  PolicyViolationsError get policyViolations => $_getN(3);
-  @$pb.TagNumber(4)
-  set policyViolations(PolicyViolationsError value) => $_setField(4, value);
-  @$pb.TagNumber(4)
-  $core.bool hasPolicyViolations() => $_has(3);
-  @$pb.TagNumber(4)
-  void clearPolicyViolations() => $_clearField(4);
-  @$pb.TagNumber(4)
-  PolicyViolationsError ensurePolicyViolations() => $_ensure(3);
-}
-
 /// --- UserAgent grant management ---
 class EvmGrantCreateRequest extends $pb.GeneratedMessage {
   factory EvmGrantCreateRequest({
@@ -2297,7 +1479,7 @@ enum EvmSignTransactionResponse_Result { signature, evalError, error, notSet }
 class EvmSignTransactionResponse extends $pb.GeneratedMessage {
   factory EvmSignTransactionResponse({
     $core.List<$core.int>? signature,
-    TransactionEvalError? evalError,
+    $2.TransactionEvalError? evalError,
     EvmError? error,
   }) {
     final result = create();
@@ -2330,8 +1512,8 @@ class EvmSignTransactionResponse extends $pb.GeneratedMessage {
     ..oo(0, [1, 2, 3])
     ..a<$core.List<$core.int>>(
         1, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY)
-    ..aOM<TransactionEvalError>(2, _omitFieldNames ? '' : 'evalError',
-        subBuilder: TransactionEvalError.create)
+    ..aOM<$2.TransactionEvalError>(2, _omitFieldNames ? '' : 'evalError',
+        subBuilder: $2.TransactionEvalError.create)
     ..aE<EvmError>(3, _omitFieldNames ? '' : 'error',
         enumValues: EvmError.values)
     ..hasRequiredFields = false;
@@ -2377,15 +1559,15 @@ class EvmSignTransactionResponse extends $pb.GeneratedMessage {
   void clearSignature() => $_clearField(1);
 
   @$pb.TagNumber(2)
-  TransactionEvalError get evalError => $_getN(1);
+  $2.TransactionEvalError get evalError => $_getN(1);
   @$pb.TagNumber(2)
-  set evalError(TransactionEvalError value) => $_setField(2, value);
+  set evalError($2.TransactionEvalError value) => $_setField(2, value);
   @$pb.TagNumber(2)
   $core.bool hasEvalError() => $_has(1);
   @$pb.TagNumber(2)
   void clearEvalError() => $_clearField(2);
   @$pb.TagNumber(2)
-  TransactionEvalError ensureEvalError() => $_ensure(1);
+  $2.TransactionEvalError ensureEvalError() => $_ensure(1);
 
   @$pb.TagNumber(3)
   EvmError get error => $_getN(2);
@@ -2472,8 +1654,8 @@ enum EvmAnalyzeTransactionResponse_Result { meaning, evalError, error, notSet }
 
 class EvmAnalyzeTransactionResponse extends $pb.GeneratedMessage {
   factory EvmAnalyzeTransactionResponse({
-    SpecificMeaning? meaning,
-    TransactionEvalError? evalError,
+    $2.SpecificMeaning? meaning,
+    $2.TransactionEvalError? evalError,
     EvmError? error,
   }) {
     final result = create();
@@ -2504,10 +1686,10 @@ class EvmAnalyzeTransactionResponse extends $pb.GeneratedMessage {
       package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
       createEmptyInstance: create)
     ..oo(0, [1, 2, 3])
-    ..aOM<SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
-        subBuilder: SpecificMeaning.create)
-    ..aOM<TransactionEvalError>(2, _omitFieldNames ? '' : 'evalError',
-        subBuilder: TransactionEvalError.create)
+    ..aOM<$2.SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
+        subBuilder: $2.SpecificMeaning.create)
+    ..aOM<$2.TransactionEvalError>(2, _omitFieldNames ? '' : 'evalError',
+        subBuilder: $2.TransactionEvalError.create)
     ..aE<EvmError>(3, _omitFieldNames ? '' : 'error',
         enumValues: EvmError.values)
     ..hasRequiredFields = false;
@@ -2545,26 +1727,26 @@ class EvmAnalyzeTransactionResponse extends $pb.GeneratedMessage {
   void clearResult() => $_clearField($_whichOneof(0));
 
   @$pb.TagNumber(1)
-  SpecificMeaning get meaning => $_getN(0);
+  $2.SpecificMeaning get meaning => $_getN(0);
   @$pb.TagNumber(1)
-  set meaning(SpecificMeaning value) => $_setField(1, value);
+  set meaning($2.SpecificMeaning value) => $_setField(1, value);
   @$pb.TagNumber(1)
   $core.bool hasMeaning() => $_has(0);
   @$pb.TagNumber(1)
   void clearMeaning() => $_clearField(1);
   @$pb.TagNumber(1)
-  SpecificMeaning ensureMeaning() => $_ensure(0);
+  $2.SpecificMeaning ensureMeaning() => $_ensure(0);
 
   @$pb.TagNumber(2)
-  TransactionEvalError get evalError => $_getN(1);
+  $2.TransactionEvalError get evalError => $_getN(1);
   @$pb.TagNumber(2)
-  set evalError(TransactionEvalError value) => $_setField(2, value);
+  set evalError($2.TransactionEvalError value) => $_setField(2, value);
   @$pb.TagNumber(2)
   $core.bool hasEvalError() => $_has(1);
   @$pb.TagNumber(2)
   void clearEvalError() => $_clearField(2);
   @$pb.TagNumber(2)
-  TransactionEvalError ensureEvalError() => $_ensure(1);
+  $2.TransactionEvalError ensureEvalError() => $_ensure(1);
 
   @$pb.TagNumber(3)
   EvmError get error => $_getN(2);
diff --git a/useragent/lib/proto/evm.pbjson.dart b/useragent/lib/proto/evm.pbjson.dart
index ad6fa07..9fa347c 100644
--- a/useragent/lib/proto/evm.pbjson.dart
+++ b/useragent/lib/proto/evm.pbjson.dart
@@ -327,308 +327,6 @@ final $typed_data.Uint8List specificGrantDescriptor = $convert.base64Decode(
     'AiABKAsyIi5hcmJpdGVyLmV2bS5Ub2tlblRyYW5zZmVyU2V0dGluZ3NIAFINdG9rZW5UcmFuc2'
     'ZlckIHCgVncmFudA==');
 
-@$core.Deprecated('Use etherTransferMeaningDescriptor instead')
-const EtherTransferMeaning$json = {
-  '1': 'EtherTransferMeaning',
-  '2': [
-    {'1': 'to', '3': 1, '4': 1, '5': 12, '10': 'to'},
-    {'1': 'value', '3': 2, '4': 1, '5': 12, '10': 'value'},
-  ],
-};
-
-/// Descriptor for `EtherTransferMeaning`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List etherTransferMeaningDescriptor = $convert.base64Decode(
-    'ChRFdGhlclRyYW5zZmVyTWVhbmluZxIOCgJ0bxgBIAEoDFICdG8SFAoFdmFsdWUYAiABKAxSBX'
-    'ZhbHVl');
-
-@$core.Deprecated('Use tokenInfoDescriptor instead')
-const TokenInfo$json = {
-  '1': 'TokenInfo',
-  '2': [
-    {'1': 'symbol', '3': 1, '4': 1, '5': 9, '10': 'symbol'},
-    {'1': 'address', '3': 2, '4': 1, '5': 12, '10': 'address'},
-    {'1': 'chain_id', '3': 3, '4': 1, '5': 4, '10': 'chainId'},
-  ],
-};
-
-/// Descriptor for `TokenInfo`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List tokenInfoDescriptor = $convert.base64Decode(
-    'CglUb2tlbkluZm8SFgoGc3ltYm9sGAEgASgJUgZzeW1ib2wSGAoHYWRkcmVzcxgCIAEoDFIHYW'
-    'RkcmVzcxIZCghjaGFpbl9pZBgDIAEoBFIHY2hhaW5JZA==');
-
-@$core.Deprecated('Use tokenTransferMeaningDescriptor instead')
-const TokenTransferMeaning$json = {
-  '1': 'TokenTransferMeaning',
-  '2': [
-    {
-      '1': 'token',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.TokenInfo',
-      '10': 'token'
-    },
-    {'1': 'to', '3': 2, '4': 1, '5': 12, '10': 'to'},
-    {'1': 'value', '3': 3, '4': 1, '5': 12, '10': 'value'},
-  ],
-};
-
-/// Descriptor for `TokenTransferMeaning`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List tokenTransferMeaningDescriptor = $convert.base64Decode(
-    'ChRUb2tlblRyYW5zZmVyTWVhbmluZxIsCgV0b2tlbhgBIAEoCzIWLmFyYml0ZXIuZXZtLlRva2'
-    'VuSW5mb1IFdG9rZW4SDgoCdG8YAiABKAxSAnRvEhQKBXZhbHVlGAMgASgMUgV2YWx1ZQ==');
-
-@$core.Deprecated('Use specificMeaningDescriptor instead')
-const SpecificMeaning$json = {
-  '1': 'SpecificMeaning',
-  '2': [
-    {
-      '1': 'ether_transfer',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EtherTransferMeaning',
-      '9': 0,
-      '10': 'etherTransfer'
-    },
-    {
-      '1': 'token_transfer',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.TokenTransferMeaning',
-      '9': 0,
-      '10': 'tokenTransfer'
-    },
-  ],
-  '8': [
-    {'1': 'meaning'},
-  ],
-};
-
-/// Descriptor for `SpecificMeaning`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List specificMeaningDescriptor = $convert.base64Decode(
-    'Cg9TcGVjaWZpY01lYW5pbmcSSgoOZXRoZXJfdHJhbnNmZXIYASABKAsyIS5hcmJpdGVyLmV2bS'
-    '5FdGhlclRyYW5zZmVyTWVhbmluZ0gAUg1ldGhlclRyYW5zZmVyEkoKDnRva2VuX3RyYW5zZmVy'
-    'GAIgASgLMiEuYXJiaXRlci5ldm0uVG9rZW5UcmFuc2Zlck1lYW5pbmdIAFINdG9rZW5UcmFuc2'
-    'ZlckIJCgdtZWFuaW5n');
-
-@$core.Deprecated('Use gasLimitExceededViolationDescriptor instead')
-const GasLimitExceededViolation$json = {
-  '1': 'GasLimitExceededViolation',
-  '2': [
-    {
-      '1': 'max_gas_fee_per_gas',
-      '3': 1,
-      '4': 1,
-      '5': 12,
-      '9': 0,
-      '10': 'maxGasFeePerGas',
-      '17': true
-    },
-    {
-      '1': 'max_priority_fee_per_gas',
-      '3': 2,
-      '4': 1,
-      '5': 12,
-      '9': 1,
-      '10': 'maxPriorityFeePerGas',
-      '17': true
-    },
-  ],
-  '8': [
-    {'1': '_max_gas_fee_per_gas'},
-    {'1': '_max_priority_fee_per_gas'},
-  ],
-};
-
-/// Descriptor for `GasLimitExceededViolation`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List gasLimitExceededViolationDescriptor = $convert.base64Decode(
-    'ChlHYXNMaW1pdEV4Y2VlZGVkVmlvbGF0aW9uEjEKE21heF9nYXNfZmVlX3Blcl9nYXMYASABKA'
-    'xIAFIPbWF4R2FzRmVlUGVyR2FziAEBEjsKGG1heF9wcmlvcml0eV9mZWVfcGVyX2dhcxgCIAEo'
-    'DEgBUhRtYXhQcmlvcml0eUZlZVBlckdhc4gBAUIWChRfbWF4X2dhc19mZWVfcGVyX2dhc0IbCh'
-    'lfbWF4X3ByaW9yaXR5X2ZlZV9wZXJfZ2Fz');
-
-@$core.Deprecated('Use evalViolationDescriptor instead')
-const EvalViolation$json = {
-  '1': 'EvalViolation',
-  '2': [
-    {
-      '1': 'invalid_target',
-      '3': 1,
-      '4': 1,
-      '5': 12,
-      '9': 0,
-      '10': 'invalidTarget'
-    },
-    {
-      '1': 'gas_limit_exceeded',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.GasLimitExceededViolation',
-      '9': 0,
-      '10': 'gasLimitExceeded'
-    },
-    {
-      '1': 'rate_limit_exceeded',
-      '3': 3,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'rateLimitExceeded'
-    },
-    {
-      '1': 'volumetric_limit_exceeded',
-      '3': 4,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'volumetricLimitExceeded'
-    },
-    {
-      '1': 'invalid_time',
-      '3': 5,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'invalidTime'
-    },
-    {
-      '1': 'invalid_transaction_type',
-      '3': 6,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'invalidTransactionType'
-    },
-  ],
-  '8': [
-    {'1': 'kind'},
-  ],
-};
-
-/// Descriptor for `EvalViolation`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List evalViolationDescriptor = $convert.base64Decode(
-    'Cg1FdmFsVmlvbGF0aW9uEicKDmludmFsaWRfdGFyZ2V0GAEgASgMSABSDWludmFsaWRUYXJnZX'
-    'QSVgoSZ2FzX2xpbWl0X2V4Y2VlZGVkGAIgASgLMiYuYXJiaXRlci5ldm0uR2FzTGltaXRFeGNl'
-    'ZWRlZFZpb2xhdGlvbkgAUhBnYXNMaW1pdEV4Y2VlZGVkEkgKE3JhdGVfbGltaXRfZXhjZWVkZW'
-    'QYAyABKAsyFi5nb29nbGUucHJvdG9idWYuRW1wdHlIAFIRcmF0ZUxpbWl0RXhjZWVkZWQSVAoZ'
-    'dm9sdW1ldHJpY19saW1pdF9leGNlZWRlZBgEIAEoCzIWLmdvb2dsZS5wcm90b2J1Zi5FbXB0eU'
-    'gAUhd2b2x1bWV0cmljTGltaXRFeGNlZWRlZBI7CgxpbnZhbGlkX3RpbWUYBSABKAsyFi5nb29n'
-    'bGUucHJvdG9idWYuRW1wdHlIAFILaW52YWxpZFRpbWUSUgoYaW52YWxpZF90cmFuc2FjdGlvbl'
-    '90eXBlGAYgASgLMhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SABSFmludmFsaWRUcmFuc2FjdGlv'
-    'blR5cGVCBgoEa2luZA==');
-
-@$core.Deprecated('Use noMatchingGrantErrorDescriptor instead')
-const NoMatchingGrantError$json = {
-  '1': 'NoMatchingGrantError',
-  '2': [
-    {
-      '1': 'meaning',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.SpecificMeaning',
-      '10': 'meaning'
-    },
-  ],
-};
-
-/// Descriptor for `NoMatchingGrantError`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List noMatchingGrantErrorDescriptor = $convert.base64Decode(
-    'ChROb01hdGNoaW5nR3JhbnRFcnJvchI2CgdtZWFuaW5nGAEgASgLMhwuYXJiaXRlci5ldm0uU3'
-    'BlY2lmaWNNZWFuaW5nUgdtZWFuaW5n');
-
-@$core.Deprecated('Use policyViolationsErrorDescriptor instead')
-const PolicyViolationsError$json = {
-  '1': 'PolicyViolationsError',
-  '2': [
-    {
-      '1': 'meaning',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.SpecificMeaning',
-      '10': 'meaning'
-    },
-    {
-      '1': 'violations',
-      '3': 2,
-      '4': 3,
-      '5': 11,
-      '6': '.arbiter.evm.EvalViolation',
-      '10': 'violations'
-    },
-  ],
-};
-
-/// Descriptor for `PolicyViolationsError`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List policyViolationsErrorDescriptor = $convert.base64Decode(
-    'ChVQb2xpY3lWaW9sYXRpb25zRXJyb3ISNgoHbWVhbmluZxgBIAEoCzIcLmFyYml0ZXIuZXZtLl'
-    'NwZWNpZmljTWVhbmluZ1IHbWVhbmluZxI6Cgp2aW9sYXRpb25zGAIgAygLMhouYXJiaXRlci5l'
-    'dm0uRXZhbFZpb2xhdGlvblIKdmlvbGF0aW9ucw==');
-
-@$core.Deprecated('Use transactionEvalErrorDescriptor instead')
-const TransactionEvalError$json = {
-  '1': 'TransactionEvalError',
-  '2': [
-    {
-      '1': 'contract_creation_not_supported',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'contractCreationNotSupported'
-    },
-    {
-      '1': 'unsupported_transaction_type',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'unsupportedTransactionType'
-    },
-    {
-      '1': 'no_matching_grant',
-      '3': 3,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.NoMatchingGrantError',
-      '9': 0,
-      '10': 'noMatchingGrant'
-    },
-    {
-      '1': 'policy_violations',
-      '3': 4,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.PolicyViolationsError',
-      '9': 0,
-      '10': 'policyViolations'
-    },
-  ],
-  '8': [
-    {'1': 'kind'},
-  ],
-};
-
-/// Descriptor for `TransactionEvalError`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List transactionEvalErrorDescriptor = $convert.base64Decode(
-    'ChRUcmFuc2FjdGlvbkV2YWxFcnJvchJfCh9jb250cmFjdF9jcmVhdGlvbl9ub3Rfc3VwcG9ydG'
-    'VkGAEgASgLMhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SABSHGNvbnRyYWN0Q3JlYXRpb25Ob3RT'
-    'dXBwb3J0ZWQSWgocdW5zdXBwb3J0ZWRfdHJhbnNhY3Rpb25fdHlwZRgCIAEoCzIWLmdvb2dsZS'
-    '5wcm90b2J1Zi5FbXB0eUgAUhp1bnN1cHBvcnRlZFRyYW5zYWN0aW9uVHlwZRJPChFub19tYXRj'
-    'aGluZ19ncmFudBgDIAEoCzIhLmFyYml0ZXIuZXZtLk5vTWF0Y2hpbmdHcmFudEVycm9ySABSD2'
-    '5vTWF0Y2hpbmdHcmFudBJRChFwb2xpY3lfdmlvbGF0aW9ucxgEIAEoCzIiLmFyYml0ZXIuZXZt'
-    'LlBvbGljeVZpb2xhdGlvbnNFcnJvckgAUhBwb2xpY3lWaW9sYXRpb25zQgYKBGtpbmQ=');
-
 @$core.Deprecated('Use evmGrantCreateRequestDescriptor instead')
 const EvmGrantCreateRequest$json = {
   '1': 'EvmGrantCreateRequest',
@@ -865,7 +563,7 @@ const EvmSignTransactionResponse$json = {
       '3': 2,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.evm.TransactionEvalError',
+      '6': '.arbiter.shared.evm.TransactionEvalError',
       '9': 0,
       '10': 'evalError'
     },
@@ -887,9 +585,9 @@ const EvmSignTransactionResponse$json = {
 /// Descriptor for `EvmSignTransactionResponse`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List evmSignTransactionResponseDescriptor = $convert.base64Decode(
     'ChpFdm1TaWduVHJhbnNhY3Rpb25SZXNwb25zZRIeCglzaWduYXR1cmUYASABKAxIAFIJc2lnbm'
-    'F0dXJlEkIKCmV2YWxfZXJyb3IYAiABKAsyIS5hcmJpdGVyLmV2bS5UcmFuc2FjdGlvbkV2YWxF'
-    'cnJvckgAUglldmFsRXJyb3ISLQoFZXJyb3IYAyABKA4yFS5hcmJpdGVyLmV2bS5Fdm1FcnJvck'
-    'gAUgVlcnJvckIICgZyZXN1bHQ=');
+    'F0dXJlEkkKCmV2YWxfZXJyb3IYAiABKAsyKC5hcmJpdGVyLnNoYXJlZC5ldm0uVHJhbnNhY3Rp'
+    'b25FdmFsRXJyb3JIAFIJZXZhbEVycm9yEi0KBWVycm9yGAMgASgOMhUuYXJiaXRlci5ldm0uRX'
+    'ZtRXJyb3JIAFIFZXJyb3JCCAoGcmVzdWx0');
 
 @$core.Deprecated('Use evmAnalyzeTransactionRequestDescriptor instead')
 const EvmAnalyzeTransactionRequest$json = {
@@ -915,7 +613,7 @@ const EvmAnalyzeTransactionResponse$json = {
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.evm.SpecificMeaning',
+      '6': '.arbiter.shared.evm.SpecificMeaning',
       '9': 0,
       '10': 'meaning'
     },
@@ -924,7 +622,7 @@ const EvmAnalyzeTransactionResponse$json = {
       '3': 2,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.evm.TransactionEvalError',
+      '6': '.arbiter.shared.evm.TransactionEvalError',
       '9': 0,
       '10': 'evalError'
     },
@@ -945,7 +643,8 @@ const EvmAnalyzeTransactionResponse$json = {
 
 /// Descriptor for `EvmAnalyzeTransactionResponse`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List evmAnalyzeTransactionResponseDescriptor = $convert.base64Decode(
-    'Ch1Fdm1BbmFseXplVHJhbnNhY3Rpb25SZXNwb25zZRI4CgdtZWFuaW5nGAEgASgLMhwuYXJiaX'
-    'Rlci5ldm0uU3BlY2lmaWNNZWFuaW5nSABSB21lYW5pbmcSQgoKZXZhbF9lcnJvchgCIAEoCzIh'
-    'LmFyYml0ZXIuZXZtLlRyYW5zYWN0aW9uRXZhbEVycm9ySABSCWV2YWxFcnJvchItCgVlcnJvch'
-    'gDIAEoDjIVLmFyYml0ZXIuZXZtLkV2bUVycm9ySABSBWVycm9yQggKBnJlc3VsdA==');
+    'Ch1Fdm1BbmFseXplVHJhbnNhY3Rpb25SZXNwb25zZRI/CgdtZWFuaW5nGAEgASgLMiMuYXJiaX'
+    'Rlci5zaGFyZWQuZXZtLlNwZWNpZmljTWVhbmluZ0gAUgdtZWFuaW5nEkkKCmV2YWxfZXJyb3IY'
+    'AiABKAsyKC5hcmJpdGVyLnNoYXJlZC5ldm0uVHJhbnNhY3Rpb25FdmFsRXJyb3JIAFIJZXZhbE'
+    'Vycm9yEi0KBWVycm9yGAMgASgOMhUuYXJiaXRlci5ldm0uRXZtRXJyb3JIAFIFZXJyb3JCCAoG'
+    'cmVzdWx0');
diff --git a/useragent/lib/proto/shared/client.pb.dart b/useragent/lib/proto/shared/client.pb.dart
new file mode 100644
index 0000000..cb4bdfb
--- /dev/null
+++ b/useragent/lib/proto/shared/client.pb.dart
@@ -0,0 +1,99 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/client.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+class ClientInfo extends $pb.GeneratedMessage {
+  factory ClientInfo({
+    $core.String? name,
+    $core.String? description,
+    $core.String? version,
+  }) {
+    final result = create();
+    if (name != null) result.name = name;
+    if (description != null) result.description = description;
+    if (version != null) result.version = version;
+    return result;
+  }
+
+  ClientInfo._();
+
+  factory ClientInfo.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory ClientInfo.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'ClientInfo',
+      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared'),
+      createEmptyInstance: create)
+    ..aOS(1, _omitFieldNames ? '' : 'name')
+    ..aOS(2, _omitFieldNames ? '' : 'description')
+    ..aOS(3, _omitFieldNames ? '' : 'version')
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ClientInfo clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ClientInfo copyWith(void Function(ClientInfo) updates) =>
+      super.copyWith((message) => updates(message as ClientInfo)) as ClientInfo;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static ClientInfo create() => ClientInfo._();
+  @$core.override
+  ClientInfo createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static ClientInfo getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<ClientInfo>(create);
+  static ClientInfo? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.String get name => $_getSZ(0);
+  @$pb.TagNumber(1)
+  set name($core.String value) => $_setString(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasName() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearName() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.String get description => $_getSZ(1);
+  @$pb.TagNumber(2)
+  set description($core.String value) => $_setString(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasDescription() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearDescription() => $_clearField(2);
+
+  @$pb.TagNumber(3)
+  $core.String get version => $_getSZ(2);
+  @$pb.TagNumber(3)
+  set version($core.String value) => $_setString(2, value);
+  @$pb.TagNumber(3)
+  $core.bool hasVersion() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearVersion() => $_clearField(3);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');
diff --git a/useragent/lib/proto/shared/client.pbenum.dart b/useragent/lib/proto/shared/client.pbenum.dart
new file mode 100644
index 0000000..9b4f582
--- /dev/null
+++ b/useragent/lib/proto/shared/client.pbenum.dart
@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/client.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
diff --git a/useragent/lib/proto/shared/client.pbjson.dart b/useragent/lib/proto/shared/client.pbjson.dart
new file mode 100644
index 0000000..b868f5d
--- /dev/null
+++ b/useragent/lib/proto/shared/client.pbjson.dart
@@ -0,0 +1,52 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/client.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use clientInfoDescriptor instead')
+const ClientInfo$json = {
+  '1': 'ClientInfo',
+  '2': [
+    {'1': 'name', '3': 1, '4': 1, '5': 9, '10': 'name'},
+    {
+      '1': 'description',
+      '3': 2,
+      '4': 1,
+      '5': 9,
+      '9': 0,
+      '10': 'description',
+      '17': true
+    },
+    {
+      '1': 'version',
+      '3': 3,
+      '4': 1,
+      '5': 9,
+      '9': 1,
+      '10': 'version',
+      '17': true
+    },
+  ],
+  '8': [
+    {'1': '_description'},
+    {'1': '_version'},
+  ],
+};
+
+/// Descriptor for `ClientInfo`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List clientInfoDescriptor = $convert.base64Decode(
+    'CgpDbGllbnRJbmZvEhIKBG5hbWUYASABKAlSBG5hbWUSJQoLZGVzY3JpcHRpb24YAiABKAlIAF'
+    'ILZGVzY3JpcHRpb26IAQESHQoHdmVyc2lvbhgDIAEoCUgBUgd2ZXJzaW9uiAEBQg4KDF9kZXNj'
+    'cmlwdGlvbkIKCghfdmVyc2lvbg==');
diff --git a/useragent/lib/proto/shared/evm.pb.dart b/useragent/lib/proto/shared/evm.pb.dart
new file mode 100644
index 0000000..4857f1b
--- /dev/null
+++ b/useragent/lib/proto/shared/evm.pb.dart
@@ -0,0 +1,851 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:fixnum/fixnum.dart' as $fixnum;
+import 'package:protobuf/protobuf.dart' as $pb;
+import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $0;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+class EtherTransferMeaning extends $pb.GeneratedMessage {
+  factory EtherTransferMeaning({
+    $core.List<$core.int>? to,
+    $core.List<$core.int>? value,
+  }) {
+    final result = create();
+    if (to != null) result.to = to;
+    if (value != null) result.value = value;
+    return result;
+  }
+
+  EtherTransferMeaning._();
+
+  factory EtherTransferMeaning.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory EtherTransferMeaning.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'EtherTransferMeaning',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'to', $pb.PbFieldType.OY)
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'value', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  EtherTransferMeaning clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  EtherTransferMeaning copyWith(void Function(EtherTransferMeaning) updates) =>
+      super.copyWith((message) => updates(message as EtherTransferMeaning))
+          as EtherTransferMeaning;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static EtherTransferMeaning create() => EtherTransferMeaning._();
+  @$core.override
+  EtherTransferMeaning createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static EtherTransferMeaning getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<EtherTransferMeaning>(create);
+  static EtherTransferMeaning? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get to => $_getN(0);
+  @$pb.TagNumber(1)
+  set to($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasTo() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearTo() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get value => $_getN(1);
+  @$pb.TagNumber(2)
+  set value($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasValue() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearValue() => $_clearField(2);
+}
+
+class TokenInfo extends $pb.GeneratedMessage {
+  factory TokenInfo({
+    $core.String? symbol,
+    $core.List<$core.int>? address,
+    $fixnum.Int64? chainId,
+  }) {
+    final result = create();
+    if (symbol != null) result.symbol = symbol;
+    if (address != null) result.address = address;
+    if (chainId != null) result.chainId = chainId;
+    return result;
+  }
+
+  TokenInfo._();
+
+  factory TokenInfo.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory TokenInfo.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'TokenInfo',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..aOS(1, _omitFieldNames ? '' : 'symbol')
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'address', $pb.PbFieldType.OY)
+    ..a<$fixnum.Int64>(3, _omitFieldNames ? '' : 'chainId', $pb.PbFieldType.OU6,
+        defaultOrMaker: $fixnum.Int64.ZERO)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TokenInfo clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TokenInfo copyWith(void Function(TokenInfo) updates) =>
+      super.copyWith((message) => updates(message as TokenInfo)) as TokenInfo;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static TokenInfo create() => TokenInfo._();
+  @$core.override
+  TokenInfo createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static TokenInfo getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<TokenInfo>(create);
+  static TokenInfo? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.String get symbol => $_getSZ(0);
+  @$pb.TagNumber(1)
+  set symbol($core.String value) => $_setString(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSymbol() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSymbol() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get address => $_getN(1);
+  @$pb.TagNumber(2)
+  set address($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasAddress() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearAddress() => $_clearField(2);
+
+  @$pb.TagNumber(3)
+  $fixnum.Int64 get chainId => $_getI64(2);
+  @$pb.TagNumber(3)
+  set chainId($fixnum.Int64 value) => $_setInt64(2, value);
+  @$pb.TagNumber(3)
+  $core.bool hasChainId() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearChainId() => $_clearField(3);
+}
+
+/// Mirror of token_transfers::Meaning
+class TokenTransferMeaning extends $pb.GeneratedMessage {
+  factory TokenTransferMeaning({
+    TokenInfo? token,
+    $core.List<$core.int>? to,
+    $core.List<$core.int>? value,
+  }) {
+    final result = create();
+    if (token != null) result.token = token;
+    if (to != null) result.to = to;
+    if (value != null) result.value = value;
+    return result;
+  }
+
+  TokenTransferMeaning._();
+
+  factory TokenTransferMeaning.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory TokenTransferMeaning.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'TokenTransferMeaning',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..aOM<TokenInfo>(1, _omitFieldNames ? '' : 'token',
+        subBuilder: TokenInfo.create)
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'to', $pb.PbFieldType.OY)
+    ..a<$core.List<$core.int>>(
+        3, _omitFieldNames ? '' : 'value', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TokenTransferMeaning clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TokenTransferMeaning copyWith(void Function(TokenTransferMeaning) updates) =>
+      super.copyWith((message) => updates(message as TokenTransferMeaning))
+          as TokenTransferMeaning;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static TokenTransferMeaning create() => TokenTransferMeaning._();
+  @$core.override
+  TokenTransferMeaning createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static TokenTransferMeaning getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<TokenTransferMeaning>(create);
+  static TokenTransferMeaning? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  TokenInfo get token => $_getN(0);
+  @$pb.TagNumber(1)
+  set token(TokenInfo value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasToken() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearToken() => $_clearField(1);
+  @$pb.TagNumber(1)
+  TokenInfo ensureToken() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get to => $_getN(1);
+  @$pb.TagNumber(2)
+  set to($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasTo() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearTo() => $_clearField(2);
+
+  @$pb.TagNumber(3)
+  $core.List<$core.int> get value => $_getN(2);
+  @$pb.TagNumber(3)
+  set value($core.List<$core.int> value) => $_setBytes(2, value);
+  @$pb.TagNumber(3)
+  $core.bool hasValue() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearValue() => $_clearField(3);
+}
+
+enum SpecificMeaning_Meaning { etherTransfer, tokenTransfer, notSet }
+
+/// Mirror of policies::SpecificMeaning
+class SpecificMeaning extends $pb.GeneratedMessage {
+  factory SpecificMeaning({
+    EtherTransferMeaning? etherTransfer,
+    TokenTransferMeaning? tokenTransfer,
+  }) {
+    final result = create();
+    if (etherTransfer != null) result.etherTransfer = etherTransfer;
+    if (tokenTransfer != null) result.tokenTransfer = tokenTransfer;
+    return result;
+  }
+
+  SpecificMeaning._();
+
+  factory SpecificMeaning.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory SpecificMeaning.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, SpecificMeaning_Meaning>
+      _SpecificMeaning_MeaningByTag = {
+    1: SpecificMeaning_Meaning.etherTransfer,
+    2: SpecificMeaning_Meaning.tokenTransfer,
+    0: SpecificMeaning_Meaning.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'SpecificMeaning',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<EtherTransferMeaning>(1, _omitFieldNames ? '' : 'etherTransfer',
+        subBuilder: EtherTransferMeaning.create)
+    ..aOM<TokenTransferMeaning>(2, _omitFieldNames ? '' : 'tokenTransfer',
+        subBuilder: TokenTransferMeaning.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  SpecificMeaning clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  SpecificMeaning copyWith(void Function(SpecificMeaning) updates) =>
+      super.copyWith((message) => updates(message as SpecificMeaning))
+          as SpecificMeaning;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static SpecificMeaning create() => SpecificMeaning._();
+  @$core.override
+  SpecificMeaning createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static SpecificMeaning getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<SpecificMeaning>(create);
+  static SpecificMeaning? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  SpecificMeaning_Meaning whichMeaning() =>
+      _SpecificMeaning_MeaningByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearMeaning() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  EtherTransferMeaning get etherTransfer => $_getN(0);
+  @$pb.TagNumber(1)
+  set etherTransfer(EtherTransferMeaning value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasEtherTransfer() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearEtherTransfer() => $_clearField(1);
+  @$pb.TagNumber(1)
+  EtherTransferMeaning ensureEtherTransfer() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  TokenTransferMeaning get tokenTransfer => $_getN(1);
+  @$pb.TagNumber(2)
+  set tokenTransfer(TokenTransferMeaning value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasTokenTransfer() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearTokenTransfer() => $_clearField(2);
+  @$pb.TagNumber(2)
+  TokenTransferMeaning ensureTokenTransfer() => $_ensure(1);
+}
+
+class GasLimitExceededViolation extends $pb.GeneratedMessage {
+  factory GasLimitExceededViolation({
+    $core.List<$core.int>? maxGasFeePerGas,
+    $core.List<$core.int>? maxPriorityFeePerGas,
+  }) {
+    final result = create();
+    if (maxGasFeePerGas != null) result.maxGasFeePerGas = maxGasFeePerGas;
+    if (maxPriorityFeePerGas != null)
+      result.maxPriorityFeePerGas = maxPriorityFeePerGas;
+    return result;
+  }
+
+  GasLimitExceededViolation._();
+
+  factory GasLimitExceededViolation.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory GasLimitExceededViolation.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'GasLimitExceededViolation',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'maxGasFeePerGas', $pb.PbFieldType.OY)
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'maxPriorityFeePerGas', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  GasLimitExceededViolation clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  GasLimitExceededViolation copyWith(
+          void Function(GasLimitExceededViolation) updates) =>
+      super.copyWith((message) => updates(message as GasLimitExceededViolation))
+          as GasLimitExceededViolation;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static GasLimitExceededViolation create() => GasLimitExceededViolation._();
+  @$core.override
+  GasLimitExceededViolation createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static GasLimitExceededViolation getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<GasLimitExceededViolation>(create);
+  static GasLimitExceededViolation? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get maxGasFeePerGas => $_getN(0);
+  @$pb.TagNumber(1)
+  set maxGasFeePerGas($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasMaxGasFeePerGas() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearMaxGasFeePerGas() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get maxPriorityFeePerGas => $_getN(1);
+  @$pb.TagNumber(2)
+  set maxPriorityFeePerGas($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasMaxPriorityFeePerGas() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearMaxPriorityFeePerGas() => $_clearField(2);
+}
+
+enum EvalViolation_Kind {
+  invalidTarget,
+  gasLimitExceeded,
+  rateLimitExceeded,
+  volumetricLimitExceeded,
+  invalidTime,
+  invalidTransactionType,
+  notSet
+}
+
+class EvalViolation extends $pb.GeneratedMessage {
+  factory EvalViolation({
+    $core.List<$core.int>? invalidTarget,
+    GasLimitExceededViolation? gasLimitExceeded,
+    $0.Empty? rateLimitExceeded,
+    $0.Empty? volumetricLimitExceeded,
+    $0.Empty? invalidTime,
+    $0.Empty? invalidTransactionType,
+  }) {
+    final result = create();
+    if (invalidTarget != null) result.invalidTarget = invalidTarget;
+    if (gasLimitExceeded != null) result.gasLimitExceeded = gasLimitExceeded;
+    if (rateLimitExceeded != null) result.rateLimitExceeded = rateLimitExceeded;
+    if (volumetricLimitExceeded != null)
+      result.volumetricLimitExceeded = volumetricLimitExceeded;
+    if (invalidTime != null) result.invalidTime = invalidTime;
+    if (invalidTransactionType != null)
+      result.invalidTransactionType = invalidTransactionType;
+    return result;
+  }
+
+  EvalViolation._();
+
+  factory EvalViolation.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory EvalViolation.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, EvalViolation_Kind>
+      _EvalViolation_KindByTag = {
+    1: EvalViolation_Kind.invalidTarget,
+    2: EvalViolation_Kind.gasLimitExceeded,
+    3: EvalViolation_Kind.rateLimitExceeded,
+    4: EvalViolation_Kind.volumetricLimitExceeded,
+    5: EvalViolation_Kind.invalidTime,
+    6: EvalViolation_Kind.invalidTransactionType,
+    0: EvalViolation_Kind.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'EvalViolation',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2, 3, 4, 5, 6])
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'invalidTarget', $pb.PbFieldType.OY)
+    ..aOM<GasLimitExceededViolation>(
+        2, _omitFieldNames ? '' : 'gasLimitExceeded',
+        subBuilder: GasLimitExceededViolation.create)
+    ..aOM<$0.Empty>(3, _omitFieldNames ? '' : 'rateLimitExceeded',
+        subBuilder: $0.Empty.create)
+    ..aOM<$0.Empty>(4, _omitFieldNames ? '' : 'volumetricLimitExceeded',
+        subBuilder: $0.Empty.create)
+    ..aOM<$0.Empty>(5, _omitFieldNames ? '' : 'invalidTime',
+        subBuilder: $0.Empty.create)
+    ..aOM<$0.Empty>(6, _omitFieldNames ? '' : 'invalidTransactionType',
+        subBuilder: $0.Empty.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  EvalViolation clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  EvalViolation copyWith(void Function(EvalViolation) updates) =>
+      super.copyWith((message) => updates(message as EvalViolation))
+          as EvalViolation;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static EvalViolation create() => EvalViolation._();
+  @$core.override
+  EvalViolation createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static EvalViolation getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<EvalViolation>(create);
+  static EvalViolation? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  @$pb.TagNumber(6)
+  EvalViolation_Kind whichKind() => _EvalViolation_KindByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  @$pb.TagNumber(6)
+  void clearKind() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get invalidTarget => $_getN(0);
+  @$pb.TagNumber(1)
+  set invalidTarget($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasInvalidTarget() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearInvalidTarget() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  GasLimitExceededViolation get gasLimitExceeded => $_getN(1);
+  @$pb.TagNumber(2)
+  set gasLimitExceeded(GasLimitExceededViolation value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasGasLimitExceeded() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearGasLimitExceeded() => $_clearField(2);
+  @$pb.TagNumber(2)
+  GasLimitExceededViolation ensureGasLimitExceeded() => $_ensure(1);
+
+  @$pb.TagNumber(3)
+  $0.Empty get rateLimitExceeded => $_getN(2);
+  @$pb.TagNumber(3)
+  set rateLimitExceeded($0.Empty value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasRateLimitExceeded() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearRateLimitExceeded() => $_clearField(3);
+  @$pb.TagNumber(3)
+  $0.Empty ensureRateLimitExceeded() => $_ensure(2);
+
+  @$pb.TagNumber(4)
+  $0.Empty get volumetricLimitExceeded => $_getN(3);
+  @$pb.TagNumber(4)
+  set volumetricLimitExceeded($0.Empty value) => $_setField(4, value);
+  @$pb.TagNumber(4)
+  $core.bool hasVolumetricLimitExceeded() => $_has(3);
+  @$pb.TagNumber(4)
+  void clearVolumetricLimitExceeded() => $_clearField(4);
+  @$pb.TagNumber(4)
+  $0.Empty ensureVolumetricLimitExceeded() => $_ensure(3);
+
+  @$pb.TagNumber(5)
+  $0.Empty get invalidTime => $_getN(4);
+  @$pb.TagNumber(5)
+  set invalidTime($0.Empty value) => $_setField(5, value);
+  @$pb.TagNumber(5)
+  $core.bool hasInvalidTime() => $_has(4);
+  @$pb.TagNumber(5)
+  void clearInvalidTime() => $_clearField(5);
+  @$pb.TagNumber(5)
+  $0.Empty ensureInvalidTime() => $_ensure(4);
+
+  @$pb.TagNumber(6)
+  $0.Empty get invalidTransactionType => $_getN(5);
+  @$pb.TagNumber(6)
+  set invalidTransactionType($0.Empty value) => $_setField(6, value);
+  @$pb.TagNumber(6)
+  $core.bool hasInvalidTransactionType() => $_has(5);
+  @$pb.TagNumber(6)
+  void clearInvalidTransactionType() => $_clearField(6);
+  @$pb.TagNumber(6)
+  $0.Empty ensureInvalidTransactionType() => $_ensure(5);
+}
+
+/// Transaction was classified but no grant covers it
+class NoMatchingGrantError extends $pb.GeneratedMessage {
+  factory NoMatchingGrantError({
+    SpecificMeaning? meaning,
+  }) {
+    final result = create();
+    if (meaning != null) result.meaning = meaning;
+    return result;
+  }
+
+  NoMatchingGrantError._();
+
+  factory NoMatchingGrantError.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory NoMatchingGrantError.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'NoMatchingGrantError',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..aOM<SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
+        subBuilder: SpecificMeaning.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  NoMatchingGrantError clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  NoMatchingGrantError copyWith(void Function(NoMatchingGrantError) updates) =>
+      super.copyWith((message) => updates(message as NoMatchingGrantError))
+          as NoMatchingGrantError;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static NoMatchingGrantError create() => NoMatchingGrantError._();
+  @$core.override
+  NoMatchingGrantError createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static NoMatchingGrantError getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<NoMatchingGrantError>(create);
+  static NoMatchingGrantError? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  SpecificMeaning get meaning => $_getN(0);
+  @$pb.TagNumber(1)
+  set meaning(SpecificMeaning value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasMeaning() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearMeaning() => $_clearField(1);
+  @$pb.TagNumber(1)
+  SpecificMeaning ensureMeaning() => $_ensure(0);
+}
+
+/// Transaction was classified and a grant was found, but constraints were violated
+class PolicyViolationsError extends $pb.GeneratedMessage {
+  factory PolicyViolationsError({
+    SpecificMeaning? meaning,
+    $core.Iterable<EvalViolation>? violations,
+  }) {
+    final result = create();
+    if (meaning != null) result.meaning = meaning;
+    if (violations != null) result.violations.addAll(violations);
+    return result;
+  }
+
+  PolicyViolationsError._();
+
+  factory PolicyViolationsError.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory PolicyViolationsError.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'PolicyViolationsError',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..aOM<SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
+        subBuilder: SpecificMeaning.create)
+    ..pPM<EvalViolation>(2, _omitFieldNames ? '' : 'violations',
+        subBuilder: EvalViolation.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  PolicyViolationsError clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  PolicyViolationsError copyWith(
+          void Function(PolicyViolationsError) updates) =>
+      super.copyWith((message) => updates(message as PolicyViolationsError))
+          as PolicyViolationsError;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static PolicyViolationsError create() => PolicyViolationsError._();
+  @$core.override
+  PolicyViolationsError createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static PolicyViolationsError getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<PolicyViolationsError>(create);
+  static PolicyViolationsError? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  SpecificMeaning get meaning => $_getN(0);
+  @$pb.TagNumber(1)
+  set meaning(SpecificMeaning value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasMeaning() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearMeaning() => $_clearField(1);
+  @$pb.TagNumber(1)
+  SpecificMeaning ensureMeaning() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $pb.PbList<EvalViolation> get violations => $_getList(1);
+}
+
+enum TransactionEvalError_Kind {
+  contractCreationNotSupported,
+  unsupportedTransactionType,
+  noMatchingGrant,
+  policyViolations,
+  notSet
+}
+
+/// top-level error returned when transaction evaluation fails
+class TransactionEvalError extends $pb.GeneratedMessage {
+  factory TransactionEvalError({
+    $0.Empty? contractCreationNotSupported,
+    $0.Empty? unsupportedTransactionType,
+    NoMatchingGrantError? noMatchingGrant,
+    PolicyViolationsError? policyViolations,
+  }) {
+    final result = create();
+    if (contractCreationNotSupported != null)
+      result.contractCreationNotSupported = contractCreationNotSupported;
+    if (unsupportedTransactionType != null)
+      result.unsupportedTransactionType = unsupportedTransactionType;
+    if (noMatchingGrant != null) result.noMatchingGrant = noMatchingGrant;
+    if (policyViolations != null) result.policyViolations = policyViolations;
+    return result;
+  }
+
+  TransactionEvalError._();
+
+  factory TransactionEvalError.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory TransactionEvalError.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, TransactionEvalError_Kind>
+      _TransactionEvalError_KindByTag = {
+    1: TransactionEvalError_Kind.contractCreationNotSupported,
+    2: TransactionEvalError_Kind.unsupportedTransactionType,
+    3: TransactionEvalError_Kind.noMatchingGrant,
+    4: TransactionEvalError_Kind.policyViolations,
+    0: TransactionEvalError_Kind.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'TransactionEvalError',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2, 3, 4])
+    ..aOM<$0.Empty>(1, _omitFieldNames ? '' : 'contractCreationNotSupported',
+        subBuilder: $0.Empty.create)
+    ..aOM<$0.Empty>(2, _omitFieldNames ? '' : 'unsupportedTransactionType',
+        subBuilder: $0.Empty.create)
+    ..aOM<NoMatchingGrantError>(3, _omitFieldNames ? '' : 'noMatchingGrant',
+        subBuilder: NoMatchingGrantError.create)
+    ..aOM<PolicyViolationsError>(4, _omitFieldNames ? '' : 'policyViolations',
+        subBuilder: PolicyViolationsError.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TransactionEvalError clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TransactionEvalError copyWith(void Function(TransactionEvalError) updates) =>
+      super.copyWith((message) => updates(message as TransactionEvalError))
+          as TransactionEvalError;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static TransactionEvalError create() => TransactionEvalError._();
+  @$core.override
+  TransactionEvalError createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static TransactionEvalError getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<TransactionEvalError>(create);
+  static TransactionEvalError? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  TransactionEvalError_Kind whichKind() =>
+      _TransactionEvalError_KindByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  void clearKind() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.Empty get contractCreationNotSupported => $_getN(0);
+  @$pb.TagNumber(1)
+  set contractCreationNotSupported($0.Empty value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasContractCreationNotSupported() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearContractCreationNotSupported() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.Empty ensureContractCreationNotSupported() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $0.Empty get unsupportedTransactionType => $_getN(1);
+  @$pb.TagNumber(2)
+  set unsupportedTransactionType($0.Empty value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasUnsupportedTransactionType() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearUnsupportedTransactionType() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.Empty ensureUnsupportedTransactionType() => $_ensure(1);
+
+  @$pb.TagNumber(3)
+  NoMatchingGrantError get noMatchingGrant => $_getN(2);
+  @$pb.TagNumber(3)
+  set noMatchingGrant(NoMatchingGrantError value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasNoMatchingGrant() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearNoMatchingGrant() => $_clearField(3);
+  @$pb.TagNumber(3)
+  NoMatchingGrantError ensureNoMatchingGrant() => $_ensure(2);
+
+  @$pb.TagNumber(4)
+  PolicyViolationsError get policyViolations => $_getN(3);
+  @$pb.TagNumber(4)
+  set policyViolations(PolicyViolationsError value) => $_setField(4, value);
+  @$pb.TagNumber(4)
+  $core.bool hasPolicyViolations() => $_has(3);
+  @$pb.TagNumber(4)
+  void clearPolicyViolations() => $_clearField(4);
+  @$pb.TagNumber(4)
+  PolicyViolationsError ensurePolicyViolations() => $_ensure(3);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');
diff --git a/useragent/lib/proto/shared/evm.pbenum.dart b/useragent/lib/proto/shared/evm.pbenum.dart
new file mode 100644
index 0000000..2175f8a
--- /dev/null
+++ b/useragent/lib/proto/shared/evm.pbenum.dart
@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
diff --git a/useragent/lib/proto/shared/evm.pbjson.dart b/useragent/lib/proto/shared/evm.pbjson.dart
new file mode 100644
index 0000000..3ae3545
--- /dev/null
+++ b/useragent/lib/proto/shared/evm.pbjson.dart
@@ -0,0 +1,320 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use etherTransferMeaningDescriptor instead')
+const EtherTransferMeaning$json = {
+  '1': 'EtherTransferMeaning',
+  '2': [
+    {'1': 'to', '3': 1, '4': 1, '5': 12, '10': 'to'},
+    {'1': 'value', '3': 2, '4': 1, '5': 12, '10': 'value'},
+  ],
+};
+
+/// Descriptor for `EtherTransferMeaning`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List etherTransferMeaningDescriptor = $convert.base64Decode(
+    'ChRFdGhlclRyYW5zZmVyTWVhbmluZxIOCgJ0bxgBIAEoDFICdG8SFAoFdmFsdWUYAiABKAxSBX'
+    'ZhbHVl');
+
+@$core.Deprecated('Use tokenInfoDescriptor instead')
+const TokenInfo$json = {
+  '1': 'TokenInfo',
+  '2': [
+    {'1': 'symbol', '3': 1, '4': 1, '5': 9, '10': 'symbol'},
+    {'1': 'address', '3': 2, '4': 1, '5': 12, '10': 'address'},
+    {'1': 'chain_id', '3': 3, '4': 1, '5': 4, '10': 'chainId'},
+  ],
+};
+
+/// Descriptor for `TokenInfo`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List tokenInfoDescriptor = $convert.base64Decode(
+    'CglUb2tlbkluZm8SFgoGc3ltYm9sGAEgASgJUgZzeW1ib2wSGAoHYWRkcmVzcxgCIAEoDFIHYW'
+    'RkcmVzcxIZCghjaGFpbl9pZBgDIAEoBFIHY2hhaW5JZA==');
+
+@$core.Deprecated('Use tokenTransferMeaningDescriptor instead')
+const TokenTransferMeaning$json = {
+  '1': 'TokenTransferMeaning',
+  '2': [
+    {
+      '1': 'token',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.TokenInfo',
+      '10': 'token'
+    },
+    {'1': 'to', '3': 2, '4': 1, '5': 12, '10': 'to'},
+    {'1': 'value', '3': 3, '4': 1, '5': 12, '10': 'value'},
+  ],
+};
+
+/// Descriptor for `TokenTransferMeaning`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List tokenTransferMeaningDescriptor = $convert.base64Decode(
+    'ChRUb2tlblRyYW5zZmVyTWVhbmluZxIzCgV0b2tlbhgBIAEoCzIdLmFyYml0ZXIuc2hhcmVkLm'
+    'V2bS5Ub2tlbkluZm9SBXRva2VuEg4KAnRvGAIgASgMUgJ0bxIUCgV2YWx1ZRgDIAEoDFIFdmFs'
+    'dWU=');
+
+@$core.Deprecated('Use specificMeaningDescriptor instead')
+const SpecificMeaning$json = {
+  '1': 'SpecificMeaning',
+  '2': [
+    {
+      '1': 'ether_transfer',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.EtherTransferMeaning',
+      '9': 0,
+      '10': 'etherTransfer'
+    },
+    {
+      '1': 'token_transfer',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.TokenTransferMeaning',
+      '9': 0,
+      '10': 'tokenTransfer'
+    },
+  ],
+  '8': [
+    {'1': 'meaning'},
+  ],
+};
+
+/// Descriptor for `SpecificMeaning`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List specificMeaningDescriptor = $convert.base64Decode(
+    'Cg9TcGVjaWZpY01lYW5pbmcSUQoOZXRoZXJfdHJhbnNmZXIYASABKAsyKC5hcmJpdGVyLnNoYX'
+    'JlZC5ldm0uRXRoZXJUcmFuc2Zlck1lYW5pbmdIAFINZXRoZXJUcmFuc2ZlchJRCg50b2tlbl90'
+    'cmFuc2ZlchgCIAEoCzIoLmFyYml0ZXIuc2hhcmVkLmV2bS5Ub2tlblRyYW5zZmVyTWVhbmluZ0'
+    'gAUg10b2tlblRyYW5zZmVyQgkKB21lYW5pbmc=');
+
+@$core.Deprecated('Use gasLimitExceededViolationDescriptor instead')
+const GasLimitExceededViolation$json = {
+  '1': 'GasLimitExceededViolation',
+  '2': [
+    {
+      '1': 'max_gas_fee_per_gas',
+      '3': 1,
+      '4': 1,
+      '5': 12,
+      '9': 0,
+      '10': 'maxGasFeePerGas',
+      '17': true
+    },
+    {
+      '1': 'max_priority_fee_per_gas',
+      '3': 2,
+      '4': 1,
+      '5': 12,
+      '9': 1,
+      '10': 'maxPriorityFeePerGas',
+      '17': true
+    },
+  ],
+  '8': [
+    {'1': '_max_gas_fee_per_gas'},
+    {'1': '_max_priority_fee_per_gas'},
+  ],
+};
+
+/// Descriptor for `GasLimitExceededViolation`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List gasLimitExceededViolationDescriptor = $convert.base64Decode(
+    'ChlHYXNMaW1pdEV4Y2VlZGVkVmlvbGF0aW9uEjEKE21heF9nYXNfZmVlX3Blcl9nYXMYASABKA'
+    'xIAFIPbWF4R2FzRmVlUGVyR2FziAEBEjsKGG1heF9wcmlvcml0eV9mZWVfcGVyX2dhcxgCIAEo'
+    'DEgBUhRtYXhQcmlvcml0eUZlZVBlckdhc4gBAUIWChRfbWF4X2dhc19mZWVfcGVyX2dhc0IbCh'
+    'lfbWF4X3ByaW9yaXR5X2ZlZV9wZXJfZ2Fz');
+
+@$core.Deprecated('Use evalViolationDescriptor instead')
+const EvalViolation$json = {
+  '1': 'EvalViolation',
+  '2': [
+    {
+      '1': 'invalid_target',
+      '3': 1,
+      '4': 1,
+      '5': 12,
+      '9': 0,
+      '10': 'invalidTarget'
+    },
+    {
+      '1': 'gas_limit_exceeded',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.GasLimitExceededViolation',
+      '9': 0,
+      '10': 'gasLimitExceeded'
+    },
+    {
+      '1': 'rate_limit_exceeded',
+      '3': 3,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'rateLimitExceeded'
+    },
+    {
+      '1': 'volumetric_limit_exceeded',
+      '3': 4,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'volumetricLimitExceeded'
+    },
+    {
+      '1': 'invalid_time',
+      '3': 5,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'invalidTime'
+    },
+    {
+      '1': 'invalid_transaction_type',
+      '3': 6,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'invalidTransactionType'
+    },
+  ],
+  '8': [
+    {'1': 'kind'},
+  ],
+};
+
+/// Descriptor for `EvalViolation`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List evalViolationDescriptor = $convert.base64Decode(
+    'Cg1FdmFsVmlvbGF0aW9uEicKDmludmFsaWRfdGFyZ2V0GAEgASgMSABSDWludmFsaWRUYXJnZX'
+    'QSXQoSZ2FzX2xpbWl0X2V4Y2VlZGVkGAIgASgLMi0uYXJiaXRlci5zaGFyZWQuZXZtLkdhc0xp'
+    'bWl0RXhjZWVkZWRWaW9sYXRpb25IAFIQZ2FzTGltaXRFeGNlZWRlZBJIChNyYXRlX2xpbWl0X2'
+    'V4Y2VlZGVkGAMgASgLMhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SABSEXJhdGVMaW1pdEV4Y2Vl'
+    'ZGVkElQKGXZvbHVtZXRyaWNfbGltaXRfZXhjZWVkZWQYBCABKAsyFi5nb29nbGUucHJvdG9idW'
+    'YuRW1wdHlIAFIXdm9sdW1ldHJpY0xpbWl0RXhjZWVkZWQSOwoMaW52YWxpZF90aW1lGAUgASgL'
+    'MhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SABSC2ludmFsaWRUaW1lElIKGGludmFsaWRfdHJhbn'
+    'NhY3Rpb25fdHlwZRgGIAEoCzIWLmdvb2dsZS5wcm90b2J1Zi5FbXB0eUgAUhZpbnZhbGlkVHJh'
+    'bnNhY3Rpb25UeXBlQgYKBGtpbmQ=');
+
+@$core.Deprecated('Use noMatchingGrantErrorDescriptor instead')
+const NoMatchingGrantError$json = {
+  '1': 'NoMatchingGrantError',
+  '2': [
+    {
+      '1': 'meaning',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.SpecificMeaning',
+      '10': 'meaning'
+    },
+  ],
+};
+
+/// Descriptor for `NoMatchingGrantError`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List noMatchingGrantErrorDescriptor = $convert.base64Decode(
+    'ChROb01hdGNoaW5nR3JhbnRFcnJvchI9CgdtZWFuaW5nGAEgASgLMiMuYXJiaXRlci5zaGFyZW'
+    'QuZXZtLlNwZWNpZmljTWVhbmluZ1IHbWVhbmluZw==');
+
+@$core.Deprecated('Use policyViolationsErrorDescriptor instead')
+const PolicyViolationsError$json = {
+  '1': 'PolicyViolationsError',
+  '2': [
+    {
+      '1': 'meaning',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.SpecificMeaning',
+      '10': 'meaning'
+    },
+    {
+      '1': 'violations',
+      '3': 2,
+      '4': 3,
+      '5': 11,
+      '6': '.arbiter.shared.evm.EvalViolation',
+      '10': 'violations'
+    },
+  ],
+};
+
+/// Descriptor for `PolicyViolationsError`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List policyViolationsErrorDescriptor = $convert.base64Decode(
+    'ChVQb2xpY3lWaW9sYXRpb25zRXJyb3ISPQoHbWVhbmluZxgBIAEoCzIjLmFyYml0ZXIuc2hhcm'
+    'VkLmV2bS5TcGVjaWZpY01lYW5pbmdSB21lYW5pbmcSQQoKdmlvbGF0aW9ucxgCIAMoCzIhLmFy'
+    'Yml0ZXIuc2hhcmVkLmV2bS5FdmFsVmlvbGF0aW9uUgp2aW9sYXRpb25z');
+
+@$core.Deprecated('Use transactionEvalErrorDescriptor instead')
+const TransactionEvalError$json = {
+  '1': 'TransactionEvalError',
+  '2': [
+    {
+      '1': 'contract_creation_not_supported',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'contractCreationNotSupported'
+    },
+    {
+      '1': 'unsupported_transaction_type',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'unsupportedTransactionType'
+    },
+    {
+      '1': 'no_matching_grant',
+      '3': 3,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.NoMatchingGrantError',
+      '9': 0,
+      '10': 'noMatchingGrant'
+    },
+    {
+      '1': 'policy_violations',
+      '3': 4,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.PolicyViolationsError',
+      '9': 0,
+      '10': 'policyViolations'
+    },
+  ],
+  '8': [
+    {'1': 'kind'},
+  ],
+};
+
+/// Descriptor for `TransactionEvalError`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List transactionEvalErrorDescriptor = $convert.base64Decode(
+    'ChRUcmFuc2FjdGlvbkV2YWxFcnJvchJfCh9jb250cmFjdF9jcmVhdGlvbl9ub3Rfc3VwcG9ydG'
+    'VkGAEgASgLMhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SABSHGNvbnRyYWN0Q3JlYXRpb25Ob3RT'
+    'dXBwb3J0ZWQSWgocdW5zdXBwb3J0ZWRfdHJhbnNhY3Rpb25fdHlwZRgCIAEoCzIWLmdvb2dsZS'
+    '5wcm90b2J1Zi5FbXB0eUgAUhp1bnN1cHBvcnRlZFRyYW5zYWN0aW9uVHlwZRJWChFub19tYXRj'
+    'aGluZ19ncmFudBgDIAEoCzIoLmFyYml0ZXIuc2hhcmVkLmV2bS5Ob01hdGNoaW5nR3JhbnRFcn'
+    'JvckgAUg9ub01hdGNoaW5nR3JhbnQSWAoRcG9saWN5X3Zpb2xhdGlvbnMYBCABKAsyKS5hcmJp'
+    'dGVyLnNoYXJlZC5ldm0uUG9saWN5VmlvbGF0aW9uc0Vycm9ySABSEHBvbGljeVZpb2xhdGlvbn'
+    'NCBgoEa2luZA==');
diff --git a/useragent/lib/proto/shared/vault.pb.dart b/useragent/lib/proto/shared/vault.pb.dart
new file mode 100644
index 0000000..10e9074
--- /dev/null
+++ b/useragent/lib/proto/shared/vault.pb.dart
@@ -0,0 +1,17 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+export 'vault.pbenum.dart';
diff --git a/useragent/lib/proto/shared/vault.pbenum.dart b/useragent/lib/proto/shared/vault.pbenum.dart
new file mode 100644
index 0000000..640138e
--- /dev/null
+++ b/useragent/lib/proto/shared/vault.pbenum.dart
@@ -0,0 +1,46 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+class VaultState extends $pb.ProtobufEnum {
+  static const VaultState VAULT_STATE_UNSPECIFIED =
+      VaultState._(0, _omitEnumNames ? '' : 'VAULT_STATE_UNSPECIFIED');
+  static const VaultState VAULT_STATE_UNBOOTSTRAPPED =
+      VaultState._(1, _omitEnumNames ? '' : 'VAULT_STATE_UNBOOTSTRAPPED');
+  static const VaultState VAULT_STATE_SEALED =
+      VaultState._(2, _omitEnumNames ? '' : 'VAULT_STATE_SEALED');
+  static const VaultState VAULT_STATE_UNSEALED =
+      VaultState._(3, _omitEnumNames ? '' : 'VAULT_STATE_UNSEALED');
+  static const VaultState VAULT_STATE_ERROR =
+      VaultState._(4, _omitEnumNames ? '' : 'VAULT_STATE_ERROR');
+
+  static const $core.List<VaultState> values = <VaultState>[
+    VAULT_STATE_UNSPECIFIED,
+    VAULT_STATE_UNBOOTSTRAPPED,
+    VAULT_STATE_SEALED,
+    VAULT_STATE_UNSEALED,
+    VAULT_STATE_ERROR,
+  ];
+
+  static final $core.List<VaultState?> _byValue =
+      $pb.ProtobufEnum.$_initByValueList(values, 4);
+  static VaultState? valueOf($core.int value) =>
+      value < 0 || value >= _byValue.length ? null : _byValue[value];
+
+  const VaultState._(super.value, super.name);
+}
+
+const $core.bool _omitEnumNames =
+    $core.bool.fromEnvironment('protobuf.omit_enum_names');
diff --git a/useragent/lib/proto/shared/vault.pbjson.dart b/useragent/lib/proto/shared/vault.pbjson.dart
new file mode 100644
index 0000000..db77ab0
--- /dev/null
+++ b/useragent/lib/proto/shared/vault.pbjson.dart
@@ -0,0 +1,34 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use vaultStateDescriptor instead')
+const VaultState$json = {
+  '1': 'VaultState',
+  '2': [
+    {'1': 'VAULT_STATE_UNSPECIFIED', '2': 0},
+    {'1': 'VAULT_STATE_UNBOOTSTRAPPED', '2': 1},
+    {'1': 'VAULT_STATE_SEALED', '2': 2},
+    {'1': 'VAULT_STATE_UNSEALED', '2': 3},
+    {'1': 'VAULT_STATE_ERROR', '2': 4},
+  ],
+};
+
+/// Descriptor for `VaultState`. Decode as a `google.protobuf.EnumDescriptorProto`.
+final $typed_data.Uint8List vaultStateDescriptor = $convert.base64Decode(
+    'CgpWYXVsdFN0YXRlEhsKF1ZBVUxUX1NUQVRFX1VOU1BFQ0lGSUVEEAASHgoaVkFVTFRfU1RBVE'
+    'VfVU5CT09UU1RSQVBQRUQQARIWChJWQVVMVF9TVEFURV9TRUFMRUQQAhIYChRWQVVMVF9TVEFU'
+    'RV9VTlNFQUxFRBADEhUKEVZBVUxUX1NUQVRFX0VSUk9SEAQ=');
diff --git a/useragent/lib/proto/user_agent.pb.dart b/useragent/lib/proto/user_agent.pb.dart
index f327b40..fae11ca 100644
--- a/useragent/lib/proto/user_agent.pb.dart
+++ b/useragent/lib/proto/user_agent.pb.dart
@@ -13,1425 +13,30 @@
 import 'dart:core' as $core;
 
 import 'package:protobuf/protobuf.dart' as $pb;
-import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $1;
 
-import 'client.pb.dart' as $0;
-import 'evm.pb.dart' as $2;
-import 'user_agent.pbenum.dart';
+import 'user_agent/auth.pb.dart' as $0;
+import 'user_agent/evm.pb.dart' as $2;
+import 'user_agent/sdk_client.pb.dart' as $3;
+import 'user_agent/vault/vault.pb.dart' as $1;
 
 export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
 
-export 'user_agent.pbenum.dart';
-
-class SdkClientRevokeRequest extends $pb.GeneratedMessage {
-  factory SdkClientRevokeRequest({
-    $core.int? clientId,
-  }) {
-    final result = create();
-    if (clientId != null) result.clientId = clientId;
-    return result;
-  }
-
-  SdkClientRevokeRequest._();
-
-  factory SdkClientRevokeRequest.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SdkClientRevokeRequest.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SdkClientRevokeRequest',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..aI(1, _omitFieldNames ? '' : 'clientId')
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientRevokeRequest clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientRevokeRequest copyWith(
-          void Function(SdkClientRevokeRequest) updates) =>
-      super.copyWith((message) => updates(message as SdkClientRevokeRequest))
-          as SdkClientRevokeRequest;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SdkClientRevokeRequest create() => SdkClientRevokeRequest._();
-  @$core.override
-  SdkClientRevokeRequest createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SdkClientRevokeRequest getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SdkClientRevokeRequest>(create);
-  static SdkClientRevokeRequest? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.int get clientId => $_getIZ(0);
-  @$pb.TagNumber(1)
-  set clientId($core.int value) => $_setSignedInt32(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasClientId() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearClientId() => $_clearField(1);
-}
-
-class SdkClientEntry extends $pb.GeneratedMessage {
-  factory SdkClientEntry({
-    $core.int? id,
-    $core.List<$core.int>? pubkey,
-    $0.ClientInfo? info,
-    $core.int? createdAt,
-  }) {
-    final result = create();
-    if (id != null) result.id = id;
-    if (pubkey != null) result.pubkey = pubkey;
-    if (info != null) result.info = info;
-    if (createdAt != null) result.createdAt = createdAt;
-    return result;
-  }
-
-  SdkClientEntry._();
-
-  factory SdkClientEntry.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SdkClientEntry.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SdkClientEntry',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..aI(1, _omitFieldNames ? '' : 'id')
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
-    ..aOM<$0.ClientInfo>(3, _omitFieldNames ? '' : 'info',
-        subBuilder: $0.ClientInfo.create)
-    ..aI(4, _omitFieldNames ? '' : 'createdAt')
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientEntry clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientEntry copyWith(void Function(SdkClientEntry) updates) =>
-      super.copyWith((message) => updates(message as SdkClientEntry))
-          as SdkClientEntry;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SdkClientEntry create() => SdkClientEntry._();
-  @$core.override
-  SdkClientEntry createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SdkClientEntry getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SdkClientEntry>(create);
-  static SdkClientEntry? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.int get id => $_getIZ(0);
-  @$pb.TagNumber(1)
-  set id($core.int value) => $_setSignedInt32(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasId() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearId() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get pubkey => $_getN(1);
-  @$pb.TagNumber(2)
-  set pubkey($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasPubkey() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearPubkey() => $_clearField(2);
-
-  @$pb.TagNumber(3)
-  $0.ClientInfo get info => $_getN(2);
-  @$pb.TagNumber(3)
-  set info($0.ClientInfo value) => $_setField(3, value);
-  @$pb.TagNumber(3)
-  $core.bool hasInfo() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearInfo() => $_clearField(3);
-  @$pb.TagNumber(3)
-  $0.ClientInfo ensureInfo() => $_ensure(2);
-
-  @$pb.TagNumber(4)
-  $core.int get createdAt => $_getIZ(3);
-  @$pb.TagNumber(4)
-  set createdAt($core.int value) => $_setSignedInt32(3, value);
-  @$pb.TagNumber(4)
-  $core.bool hasCreatedAt() => $_has(3);
-  @$pb.TagNumber(4)
-  void clearCreatedAt() => $_clearField(4);
-}
-
-class SdkClientList extends $pb.GeneratedMessage {
-  factory SdkClientList({
-    $core.Iterable<SdkClientEntry>? clients,
-  }) {
-    final result = create();
-    if (clients != null) result.clients.addAll(clients);
-    return result;
-  }
-
-  SdkClientList._();
-
-  factory SdkClientList.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SdkClientList.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SdkClientList',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..pPM<SdkClientEntry>(1, _omitFieldNames ? '' : 'clients',
-        subBuilder: SdkClientEntry.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientList clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientList copyWith(void Function(SdkClientList) updates) =>
-      super.copyWith((message) => updates(message as SdkClientList))
-          as SdkClientList;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SdkClientList create() => SdkClientList._();
-  @$core.override
-  SdkClientList createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SdkClientList getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SdkClientList>(create);
-  static SdkClientList? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $pb.PbList<SdkClientEntry> get clients => $_getList(0);
-}
-
-enum SdkClientRevokeResponse_Result { ok, error, notSet }
-
-class SdkClientRevokeResponse extends $pb.GeneratedMessage {
-  factory SdkClientRevokeResponse({
-    $1.Empty? ok,
-    SdkClientError? error,
-  }) {
-    final result = create();
-    if (ok != null) result.ok = ok;
-    if (error != null) result.error = error;
-    return result;
-  }
-
-  SdkClientRevokeResponse._();
-
-  factory SdkClientRevokeResponse.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SdkClientRevokeResponse.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static const $core.Map<$core.int, SdkClientRevokeResponse_Result>
-      _SdkClientRevokeResponse_ResultByTag = {
-    1: SdkClientRevokeResponse_Result.ok,
-    2: SdkClientRevokeResponse_Result.error,
-    0: SdkClientRevokeResponse_Result.notSet
-  };
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SdkClientRevokeResponse',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..oo(0, [1, 2])
-    ..aOM<$1.Empty>(1, _omitFieldNames ? '' : 'ok', subBuilder: $1.Empty.create)
-    ..aE<SdkClientError>(2, _omitFieldNames ? '' : 'error',
-        enumValues: SdkClientError.values)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientRevokeResponse clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientRevokeResponse copyWith(
-          void Function(SdkClientRevokeResponse) updates) =>
-      super.copyWith((message) => updates(message as SdkClientRevokeResponse))
-          as SdkClientRevokeResponse;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SdkClientRevokeResponse create() => SdkClientRevokeResponse._();
-  @$core.override
-  SdkClientRevokeResponse createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SdkClientRevokeResponse getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SdkClientRevokeResponse>(create);
-  static SdkClientRevokeResponse? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  SdkClientRevokeResponse_Result whichResult() =>
-      _SdkClientRevokeResponse_ResultByTag[$_whichOneof(0)]!;
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  void clearResult() => $_clearField($_whichOneof(0));
-
-  @$pb.TagNumber(1)
-  $1.Empty get ok => $_getN(0);
-  @$pb.TagNumber(1)
-  set ok($1.Empty value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasOk() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearOk() => $_clearField(1);
-  @$pb.TagNumber(1)
-  $1.Empty ensureOk() => $_ensure(0);
-
-  @$pb.TagNumber(2)
-  SdkClientError get error => $_getN(1);
-  @$pb.TagNumber(2)
-  set error(SdkClientError value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasError() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearError() => $_clearField(2);
-}
-
-enum SdkClientListResponse_Result { clients, error, notSet }
-
-class SdkClientListResponse extends $pb.GeneratedMessage {
-  factory SdkClientListResponse({
-    SdkClientList? clients,
-    SdkClientError? error,
-  }) {
-    final result = create();
-    if (clients != null) result.clients = clients;
-    if (error != null) result.error = error;
-    return result;
-  }
-
-  SdkClientListResponse._();
-
-  factory SdkClientListResponse.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SdkClientListResponse.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static const $core.Map<$core.int, SdkClientListResponse_Result>
-      _SdkClientListResponse_ResultByTag = {
-    1: SdkClientListResponse_Result.clients,
-    2: SdkClientListResponse_Result.error,
-    0: SdkClientListResponse_Result.notSet
-  };
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SdkClientListResponse',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..oo(0, [1, 2])
-    ..aOM<SdkClientList>(1, _omitFieldNames ? '' : 'clients',
-        subBuilder: SdkClientList.create)
-    ..aE<SdkClientError>(2, _omitFieldNames ? '' : 'error',
-        enumValues: SdkClientError.values)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientListResponse clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientListResponse copyWith(
-          void Function(SdkClientListResponse) updates) =>
-      super.copyWith((message) => updates(message as SdkClientListResponse))
-          as SdkClientListResponse;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SdkClientListResponse create() => SdkClientListResponse._();
-  @$core.override
-  SdkClientListResponse createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SdkClientListResponse getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SdkClientListResponse>(create);
-  static SdkClientListResponse? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  SdkClientListResponse_Result whichResult() =>
-      _SdkClientListResponse_ResultByTag[$_whichOneof(0)]!;
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  void clearResult() => $_clearField($_whichOneof(0));
-
-  @$pb.TagNumber(1)
-  SdkClientList get clients => $_getN(0);
-  @$pb.TagNumber(1)
-  set clients(SdkClientList value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasClients() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearClients() => $_clearField(1);
-  @$pb.TagNumber(1)
-  SdkClientList ensureClients() => $_ensure(0);
-
-  @$pb.TagNumber(2)
-  SdkClientError get error => $_getN(1);
-  @$pb.TagNumber(2)
-  set error(SdkClientError value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasError() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearError() => $_clearField(2);
-}
-
-class AuthChallengeRequest extends $pb.GeneratedMessage {
-  factory AuthChallengeRequest({
-    $core.List<$core.int>? pubkey,
-    $core.String? bootstrapToken,
-    KeyType? keyType,
-  }) {
-    final result = create();
-    if (pubkey != null) result.pubkey = pubkey;
-    if (bootstrapToken != null) result.bootstrapToken = bootstrapToken;
-    if (keyType != null) result.keyType = keyType;
-    return result;
-  }
-
-  AuthChallengeRequest._();
-
-  factory AuthChallengeRequest.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallengeRequest.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallengeRequest',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
-    ..aOS(2, _omitFieldNames ? '' : 'bootstrapToken')
-    ..aE<KeyType>(3, _omitFieldNames ? '' : 'keyType',
-        enumValues: KeyType.values)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeRequest clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeRequest copyWith(void Function(AuthChallengeRequest) updates) =>
-      super.copyWith((message) => updates(message as AuthChallengeRequest))
-          as AuthChallengeRequest;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeRequest create() => AuthChallengeRequest._();
-  @$core.override
-  AuthChallengeRequest createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeRequest getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallengeRequest>(create);
-  static AuthChallengeRequest? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get pubkey => $_getN(0);
-  @$pb.TagNumber(1)
-  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasPubkey() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearPubkey() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.String get bootstrapToken => $_getSZ(1);
-  @$pb.TagNumber(2)
-  set bootstrapToken($core.String value) => $_setString(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasBootstrapToken() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearBootstrapToken() => $_clearField(2);
-
-  @$pb.TagNumber(3)
-  KeyType get keyType => $_getN(2);
-  @$pb.TagNumber(3)
-  set keyType(KeyType value) => $_setField(3, value);
-  @$pb.TagNumber(3)
-  $core.bool hasKeyType() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearKeyType() => $_clearField(3);
-}
-
-class AuthChallenge extends $pb.GeneratedMessage {
-  factory AuthChallenge({
-    $core.int? nonce,
-  }) {
-    final result = create();
-    if (nonce != null) result.nonce = nonce;
-    return result;
-  }
-
-  AuthChallenge._();
-
-  factory AuthChallenge.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallenge.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallenge',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..aI(2, _omitFieldNames ? '' : 'nonce')
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallenge clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallenge copyWith(void Function(AuthChallenge) updates) =>
-      super.copyWith((message) => updates(message as AuthChallenge))
-          as AuthChallenge;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallenge create() => AuthChallenge._();
-  @$core.override
-  AuthChallenge createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallenge getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallenge>(create);
-  static AuthChallenge? _defaultInstance;
-
-  @$pb.TagNumber(2)
-  $core.int get nonce => $_getIZ(0);
-  @$pb.TagNumber(2)
-  set nonce($core.int value) => $_setSignedInt32(0, value);
-  @$pb.TagNumber(2)
-  $core.bool hasNonce() => $_has(0);
-  @$pb.TagNumber(2)
-  void clearNonce() => $_clearField(2);
-}
-
-class AuthChallengeSolution extends $pb.GeneratedMessage {
-  factory AuthChallengeSolution({
-    $core.List<$core.int>? signature,
-  }) {
-    final result = create();
-    if (signature != null) result.signature = signature;
-    return result;
-  }
-
-  AuthChallengeSolution._();
-
-  factory AuthChallengeSolution.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallengeSolution.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallengeSolution',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeSolution clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeSolution copyWith(
-          void Function(AuthChallengeSolution) updates) =>
-      super.copyWith((message) => updates(message as AuthChallengeSolution))
-          as AuthChallengeSolution;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeSolution create() => AuthChallengeSolution._();
-  @$core.override
-  AuthChallengeSolution createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeSolution getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallengeSolution>(create);
-  static AuthChallengeSolution? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get signature => $_getN(0);
-  @$pb.TagNumber(1)
-  set signature($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasSignature() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearSignature() => $_clearField(1);
-}
-
-class UnsealStart extends $pb.GeneratedMessage {
-  factory UnsealStart({
-    $core.List<$core.int>? clientPubkey,
-  }) {
-    final result = create();
-    if (clientPubkey != null) result.clientPubkey = clientPubkey;
-    return result;
-  }
-
-  UnsealStart._();
-
-  factory UnsealStart.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory UnsealStart.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'UnsealStart',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'clientPubkey', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  UnsealStart clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  UnsealStart copyWith(void Function(UnsealStart) updates) =>
-      super.copyWith((message) => updates(message as UnsealStart))
-          as UnsealStart;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static UnsealStart create() => UnsealStart._();
-  @$core.override
-  UnsealStart createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static UnsealStart getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<UnsealStart>(create);
-  static UnsealStart? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get clientPubkey => $_getN(0);
-  @$pb.TagNumber(1)
-  set clientPubkey($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasClientPubkey() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearClientPubkey() => $_clearField(1);
-}
-
-class UnsealStartResponse extends $pb.GeneratedMessage {
-  factory UnsealStartResponse({
-    $core.List<$core.int>? serverPubkey,
-  }) {
-    final result = create();
-    if (serverPubkey != null) result.serverPubkey = serverPubkey;
-    return result;
-  }
-
-  UnsealStartResponse._();
-
-  factory UnsealStartResponse.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory UnsealStartResponse.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'UnsealStartResponse',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'serverPubkey', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  UnsealStartResponse clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  UnsealStartResponse copyWith(void Function(UnsealStartResponse) updates) =>
-      super.copyWith((message) => updates(message as UnsealStartResponse))
-          as UnsealStartResponse;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static UnsealStartResponse create() => UnsealStartResponse._();
-  @$core.override
-  UnsealStartResponse createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static UnsealStartResponse getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<UnsealStartResponse>(create);
-  static UnsealStartResponse? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get serverPubkey => $_getN(0);
-  @$pb.TagNumber(1)
-  set serverPubkey($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasServerPubkey() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearServerPubkey() => $_clearField(1);
-}
-
-class UnsealEncryptedKey extends $pb.GeneratedMessage {
-  factory UnsealEncryptedKey({
-    $core.List<$core.int>? nonce,
-    $core.List<$core.int>? ciphertext,
-    $core.List<$core.int>? associatedData,
-  }) {
-    final result = create();
-    if (nonce != null) result.nonce = nonce;
-    if (ciphertext != null) result.ciphertext = ciphertext;
-    if (associatedData != null) result.associatedData = associatedData;
-    return result;
-  }
-
-  UnsealEncryptedKey._();
-
-  factory UnsealEncryptedKey.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory UnsealEncryptedKey.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'UnsealEncryptedKey',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'nonce', $pb.PbFieldType.OY)
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'ciphertext', $pb.PbFieldType.OY)
-    ..a<$core.List<$core.int>>(
-        3, _omitFieldNames ? '' : 'associatedData', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  UnsealEncryptedKey clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  UnsealEncryptedKey copyWith(void Function(UnsealEncryptedKey) updates) =>
-      super.copyWith((message) => updates(message as UnsealEncryptedKey))
-          as UnsealEncryptedKey;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static UnsealEncryptedKey create() => UnsealEncryptedKey._();
-  @$core.override
-  UnsealEncryptedKey createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static UnsealEncryptedKey getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<UnsealEncryptedKey>(create);
-  static UnsealEncryptedKey? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get nonce => $_getN(0);
-  @$pb.TagNumber(1)
-  set nonce($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasNonce() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearNonce() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get ciphertext => $_getN(1);
-  @$pb.TagNumber(2)
-  set ciphertext($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasCiphertext() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearCiphertext() => $_clearField(2);
-
-  @$pb.TagNumber(3)
-  $core.List<$core.int> get associatedData => $_getN(2);
-  @$pb.TagNumber(3)
-  set associatedData($core.List<$core.int> value) => $_setBytes(2, value);
-  @$pb.TagNumber(3)
-  $core.bool hasAssociatedData() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearAssociatedData() => $_clearField(3);
-}
-
-class BootstrapEncryptedKey extends $pb.GeneratedMessage {
-  factory BootstrapEncryptedKey({
-    $core.List<$core.int>? nonce,
-    $core.List<$core.int>? ciphertext,
-    $core.List<$core.int>? associatedData,
-  }) {
-    final result = create();
-    if (nonce != null) result.nonce = nonce;
-    if (ciphertext != null) result.ciphertext = ciphertext;
-    if (associatedData != null) result.associatedData = associatedData;
-    return result;
-  }
-
-  BootstrapEncryptedKey._();
-
-  factory BootstrapEncryptedKey.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory BootstrapEncryptedKey.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'BootstrapEncryptedKey',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'nonce', $pb.PbFieldType.OY)
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'ciphertext', $pb.PbFieldType.OY)
-    ..a<$core.List<$core.int>>(
-        3, _omitFieldNames ? '' : 'associatedData', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  BootstrapEncryptedKey clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  BootstrapEncryptedKey copyWith(
-          void Function(BootstrapEncryptedKey) updates) =>
-      super.copyWith((message) => updates(message as BootstrapEncryptedKey))
-          as BootstrapEncryptedKey;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static BootstrapEncryptedKey create() => BootstrapEncryptedKey._();
-  @$core.override
-  BootstrapEncryptedKey createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static BootstrapEncryptedKey getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<BootstrapEncryptedKey>(create);
-  static BootstrapEncryptedKey? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get nonce => $_getN(0);
-  @$pb.TagNumber(1)
-  set nonce($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasNonce() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearNonce() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get ciphertext => $_getN(1);
-  @$pb.TagNumber(2)
-  set ciphertext($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasCiphertext() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearCiphertext() => $_clearField(2);
-
-  @$pb.TagNumber(3)
-  $core.List<$core.int> get associatedData => $_getN(2);
-  @$pb.TagNumber(3)
-  set associatedData($core.List<$core.int> value) => $_setBytes(2, value);
-  @$pb.TagNumber(3)
-  $core.bool hasAssociatedData() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearAssociatedData() => $_clearField(3);
-}
-
-class SdkClientConnectionRequest extends $pb.GeneratedMessage {
-  factory SdkClientConnectionRequest({
-    $core.List<$core.int>? pubkey,
-    $0.ClientInfo? info,
-  }) {
-    final result = create();
-    if (pubkey != null) result.pubkey = pubkey;
-    if (info != null) result.info = info;
-    return result;
-  }
-
-  SdkClientConnectionRequest._();
-
-  factory SdkClientConnectionRequest.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SdkClientConnectionRequest.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SdkClientConnectionRequest',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
-    ..aOM<$0.ClientInfo>(2, _omitFieldNames ? '' : 'info',
-        subBuilder: $0.ClientInfo.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientConnectionRequest clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientConnectionRequest copyWith(
-          void Function(SdkClientConnectionRequest) updates) =>
-      super.copyWith(
-              (message) => updates(message as SdkClientConnectionRequest))
-          as SdkClientConnectionRequest;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SdkClientConnectionRequest create() => SdkClientConnectionRequest._();
-  @$core.override
-  SdkClientConnectionRequest createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SdkClientConnectionRequest getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SdkClientConnectionRequest>(create);
-  static SdkClientConnectionRequest? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get pubkey => $_getN(0);
-  @$pb.TagNumber(1)
-  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasPubkey() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearPubkey() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $0.ClientInfo get info => $_getN(1);
-  @$pb.TagNumber(2)
-  set info($0.ClientInfo value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasInfo() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearInfo() => $_clearField(2);
-  @$pb.TagNumber(2)
-  $0.ClientInfo ensureInfo() => $_ensure(1);
-}
-
-class SdkClientConnectionResponse extends $pb.GeneratedMessage {
-  factory SdkClientConnectionResponse({
-    $core.bool? approved,
-    $core.List<$core.int>? pubkey,
-  }) {
-    final result = create();
-    if (approved != null) result.approved = approved;
-    if (pubkey != null) result.pubkey = pubkey;
-    return result;
-  }
-
-  SdkClientConnectionResponse._();
-
-  factory SdkClientConnectionResponse.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SdkClientConnectionResponse.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SdkClientConnectionResponse',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..aOB(1, _omitFieldNames ? '' : 'approved')
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientConnectionResponse clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientConnectionResponse copyWith(
-          void Function(SdkClientConnectionResponse) updates) =>
-      super.copyWith(
-              (message) => updates(message as SdkClientConnectionResponse))
-          as SdkClientConnectionResponse;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SdkClientConnectionResponse create() =>
-      SdkClientConnectionResponse._();
-  @$core.override
-  SdkClientConnectionResponse createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SdkClientConnectionResponse getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SdkClientConnectionResponse>(create);
-  static SdkClientConnectionResponse? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.bool get approved => $_getBF(0);
-  @$pb.TagNumber(1)
-  set approved($core.bool value) => $_setBool(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasApproved() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearApproved() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get pubkey => $_getN(1);
-  @$pb.TagNumber(2)
-  set pubkey($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasPubkey() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearPubkey() => $_clearField(2);
-}
-
-class SdkClientConnectionCancel extends $pb.GeneratedMessage {
-  factory SdkClientConnectionCancel({
-    $core.List<$core.int>? pubkey,
-  }) {
-    final result = create();
-    if (pubkey != null) result.pubkey = pubkey;
-    return result;
-  }
-
-  SdkClientConnectionCancel._();
-
-  factory SdkClientConnectionCancel.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SdkClientConnectionCancel.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SdkClientConnectionCancel',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientConnectionCancel clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientConnectionCancel copyWith(
-          void Function(SdkClientConnectionCancel) updates) =>
-      super.copyWith((message) => updates(message as SdkClientConnectionCancel))
-          as SdkClientConnectionCancel;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SdkClientConnectionCancel create() => SdkClientConnectionCancel._();
-  @$core.override
-  SdkClientConnectionCancel createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SdkClientConnectionCancel getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SdkClientConnectionCancel>(create);
-  static SdkClientConnectionCancel? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get pubkey => $_getN(0);
-  @$pb.TagNumber(1)
-  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasPubkey() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearPubkey() => $_clearField(1);
-}
-
-class WalletAccess extends $pb.GeneratedMessage {
-  factory WalletAccess({
-    $core.int? walletId,
-    $core.int? sdkClientId,
-  }) {
-    final result = create();
-    if (walletId != null) result.walletId = walletId;
-    if (sdkClientId != null) result.sdkClientId = sdkClientId;
-    return result;
-  }
-
-  WalletAccess._();
-
-  factory WalletAccess.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory WalletAccess.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'WalletAccess',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..aI(1, _omitFieldNames ? '' : 'walletId')
-    ..aI(2, _omitFieldNames ? '' : 'sdkClientId')
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  WalletAccess clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  WalletAccess copyWith(void Function(WalletAccess) updates) =>
-      super.copyWith((message) => updates(message as WalletAccess))
-          as WalletAccess;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static WalletAccess create() => WalletAccess._();
-  @$core.override
-  WalletAccess createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static WalletAccess getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<WalletAccess>(create);
-  static WalletAccess? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.int get walletId => $_getIZ(0);
-  @$pb.TagNumber(1)
-  set walletId($core.int value) => $_setSignedInt32(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasWalletId() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearWalletId() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.int get sdkClientId => $_getIZ(1);
-  @$pb.TagNumber(2)
-  set sdkClientId($core.int value) => $_setSignedInt32(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasSdkClientId() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearSdkClientId() => $_clearField(2);
-}
-
-class SdkClientWalletAccess extends $pb.GeneratedMessage {
-  factory SdkClientWalletAccess({
-    $core.int? id,
-    WalletAccess? access,
-  }) {
-    final result = create();
-    if (id != null) result.id = id;
-    if (access != null) result.access = access;
-    return result;
-  }
-
-  SdkClientWalletAccess._();
-
-  factory SdkClientWalletAccess.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SdkClientWalletAccess.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SdkClientWalletAccess',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..aI(1, _omitFieldNames ? '' : 'id')
-    ..aOM<WalletAccess>(2, _omitFieldNames ? '' : 'access',
-        subBuilder: WalletAccess.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientWalletAccess clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientWalletAccess copyWith(
-          void Function(SdkClientWalletAccess) updates) =>
-      super.copyWith((message) => updates(message as SdkClientWalletAccess))
-          as SdkClientWalletAccess;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SdkClientWalletAccess create() => SdkClientWalletAccess._();
-  @$core.override
-  SdkClientWalletAccess createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SdkClientWalletAccess getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SdkClientWalletAccess>(create);
-  static SdkClientWalletAccess? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.int get id => $_getIZ(0);
-  @$pb.TagNumber(1)
-  set id($core.int value) => $_setSignedInt32(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasId() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearId() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  WalletAccess get access => $_getN(1);
-  @$pb.TagNumber(2)
-  set access(WalletAccess value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasAccess() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearAccess() => $_clearField(2);
-  @$pb.TagNumber(2)
-  WalletAccess ensureAccess() => $_ensure(1);
-}
-
-class SdkClientGrantWalletAccess extends $pb.GeneratedMessage {
-  factory SdkClientGrantWalletAccess({
-    $core.Iterable<WalletAccess>? accesses,
-  }) {
-    final result = create();
-    if (accesses != null) result.accesses.addAll(accesses);
-    return result;
-  }
-
-  SdkClientGrantWalletAccess._();
-
-  factory SdkClientGrantWalletAccess.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SdkClientGrantWalletAccess.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SdkClientGrantWalletAccess',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..pPM<WalletAccess>(1, _omitFieldNames ? '' : 'accesses',
-        subBuilder: WalletAccess.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientGrantWalletAccess clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientGrantWalletAccess copyWith(
-          void Function(SdkClientGrantWalletAccess) updates) =>
-      super.copyWith(
-              (message) => updates(message as SdkClientGrantWalletAccess))
-          as SdkClientGrantWalletAccess;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SdkClientGrantWalletAccess create() => SdkClientGrantWalletAccess._();
-  @$core.override
-  SdkClientGrantWalletAccess createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SdkClientGrantWalletAccess getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SdkClientGrantWalletAccess>(create);
-  static SdkClientGrantWalletAccess? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $pb.PbList<WalletAccess> get accesses => $_getList(0);
-}
-
-class SdkClientRevokeWalletAccess extends $pb.GeneratedMessage {
-  factory SdkClientRevokeWalletAccess({
-    $core.Iterable<$core.int>? accesses,
-  }) {
-    final result = create();
-    if (accesses != null) result.accesses.addAll(accesses);
-    return result;
-  }
-
-  SdkClientRevokeWalletAccess._();
-
-  factory SdkClientRevokeWalletAccess.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SdkClientRevokeWalletAccess.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SdkClientRevokeWalletAccess',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..p<$core.int>(1, _omitFieldNames ? '' : 'accesses', $pb.PbFieldType.K3)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientRevokeWalletAccess clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SdkClientRevokeWalletAccess copyWith(
-          void Function(SdkClientRevokeWalletAccess) updates) =>
-      super.copyWith(
-              (message) => updates(message as SdkClientRevokeWalletAccess))
-          as SdkClientRevokeWalletAccess;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SdkClientRevokeWalletAccess create() =>
-      SdkClientRevokeWalletAccess._();
-  @$core.override
-  SdkClientRevokeWalletAccess createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SdkClientRevokeWalletAccess getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SdkClientRevokeWalletAccess>(create);
-  static SdkClientRevokeWalletAccess? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $pb.PbList<$core.int> get accesses => $_getList(0);
-}
-
-class ListWalletAccessResponse extends $pb.GeneratedMessage {
-  factory ListWalletAccessResponse({
-    $core.Iterable<SdkClientWalletAccess>? accesses,
-  }) {
-    final result = create();
-    if (accesses != null) result.accesses.addAll(accesses);
-    return result;
-  }
-
-  ListWalletAccessResponse._();
-
-  factory ListWalletAccessResponse.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory ListWalletAccessResponse.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'ListWalletAccessResponse',
-      package:
-          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
-      createEmptyInstance: create)
-    ..pPM<SdkClientWalletAccess>(1, _omitFieldNames ? '' : 'accesses',
-        subBuilder: SdkClientWalletAccess.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  ListWalletAccessResponse clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  ListWalletAccessResponse copyWith(
-          void Function(ListWalletAccessResponse) updates) =>
-      super.copyWith((message) => updates(message as ListWalletAccessResponse))
-          as ListWalletAccessResponse;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static ListWalletAccessResponse create() => ListWalletAccessResponse._();
-  @$core.override
-  ListWalletAccessResponse createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static ListWalletAccessResponse getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<ListWalletAccessResponse>(create);
-  static ListWalletAccessResponse? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $pb.PbList<SdkClientWalletAccess> get accesses => $_getList(0);
-}
-
-enum UserAgentRequest_Payload {
-  authChallengeRequest,
-  authChallengeSolution,
-  unsealStart,
-  unsealEncryptedKey,
-  queryVaultState,
-  evmWalletCreate,
-  evmWalletList,
-  evmGrantCreate,
-  evmGrantDelete,
-  evmGrantList,
-  sdkClientConnectionResponse,
-  sdkClientRevoke,
-  sdkClientList,
-  bootstrapEncryptedKey,
-  grantWalletAccess,
-  revokeWalletAccess,
-  listWalletAccess,
-  notSet
-}
+enum UserAgentRequest_Payload { auth, vault, evm, sdkClient, notSet }
 
 class UserAgentRequest extends $pb.GeneratedMessage {
   factory UserAgentRequest({
-    AuthChallengeRequest? authChallengeRequest,
-    AuthChallengeSolution? authChallengeSolution,
-    UnsealStart? unsealStart,
-    UnsealEncryptedKey? unsealEncryptedKey,
-    $1.Empty? queryVaultState,
-    $1.Empty? evmWalletCreate,
-    $1.Empty? evmWalletList,
-    $2.EvmGrantCreateRequest? evmGrantCreate,
-    $2.EvmGrantDeleteRequest? evmGrantDelete,
-    $2.EvmGrantListRequest? evmGrantList,
-    SdkClientConnectionResponse? sdkClientConnectionResponse,
-    SdkClientRevokeRequest? sdkClientRevoke,
-    $1.Empty? sdkClientList,
-    BootstrapEncryptedKey? bootstrapEncryptedKey,
-    SdkClientGrantWalletAccess? grantWalletAccess,
+    $0.Request? auth,
+    $1.Request? vault,
+    $2.Request? evm,
+    $3.Request? sdkClient,
     $core.int? id,
-    SdkClientRevokeWalletAccess? revokeWalletAccess,
-    $1.Empty? listWalletAccess,
   }) {
     final result = create();
-    if (authChallengeRequest != null)
-      result.authChallengeRequest = authChallengeRequest;
-    if (authChallengeSolution != null)
-      result.authChallengeSolution = authChallengeSolution;
-    if (unsealStart != null) result.unsealStart = unsealStart;
-    if (unsealEncryptedKey != null)
-      result.unsealEncryptedKey = unsealEncryptedKey;
-    if (queryVaultState != null) result.queryVaultState = queryVaultState;
-    if (evmWalletCreate != null) result.evmWalletCreate = evmWalletCreate;
-    if (evmWalletList != null) result.evmWalletList = evmWalletList;
-    if (evmGrantCreate != null) result.evmGrantCreate = evmGrantCreate;
-    if (evmGrantDelete != null) result.evmGrantDelete = evmGrantDelete;
-    if (evmGrantList != null) result.evmGrantList = evmGrantList;
-    if (sdkClientConnectionResponse != null)
-      result.sdkClientConnectionResponse = sdkClientConnectionResponse;
-    if (sdkClientRevoke != null) result.sdkClientRevoke = sdkClientRevoke;
-    if (sdkClientList != null) result.sdkClientList = sdkClientList;
-    if (bootstrapEncryptedKey != null)
-      result.bootstrapEncryptedKey = bootstrapEncryptedKey;
-    if (grantWalletAccess != null) result.grantWalletAccess = grantWalletAccess;
+    if (auth != null) result.auth = auth;
+    if (vault != null) result.vault = vault;
+    if (evm != null) result.evm = evm;
+    if (sdkClient != null) result.sdkClient = sdkClient;
     if (id != null) result.id = id;
-    if (revokeWalletAccess != null)
-      result.revokeWalletAccess = revokeWalletAccess;
-    if (listWalletAccess != null) result.listWalletAccess = listWalletAccess;
     return result;
   }
 
@@ -1446,23 +51,10 @@ class UserAgentRequest extends $pb.GeneratedMessage {
 
   static const $core.Map<$core.int, UserAgentRequest_Payload>
       _UserAgentRequest_PayloadByTag = {
-    1: UserAgentRequest_Payload.authChallengeRequest,
-    2: UserAgentRequest_Payload.authChallengeSolution,
-    3: UserAgentRequest_Payload.unsealStart,
-    4: UserAgentRequest_Payload.unsealEncryptedKey,
-    5: UserAgentRequest_Payload.queryVaultState,
-    6: UserAgentRequest_Payload.evmWalletCreate,
-    7: UserAgentRequest_Payload.evmWalletList,
-    8: UserAgentRequest_Payload.evmGrantCreate,
-    9: UserAgentRequest_Payload.evmGrantDelete,
-    10: UserAgentRequest_Payload.evmGrantList,
-    11: UserAgentRequest_Payload.sdkClientConnectionResponse,
-    12: UserAgentRequest_Payload.sdkClientRevoke,
-    13: UserAgentRequest_Payload.sdkClientList,
-    14: UserAgentRequest_Payload.bootstrapEncryptedKey,
-    15: UserAgentRequest_Payload.grantWalletAccess,
-    17: UserAgentRequest_Payload.revokeWalletAccess,
-    18: UserAgentRequest_Payload.listWalletAccess,
+    1: UserAgentRequest_Payload.auth,
+    2: UserAgentRequest_Payload.vault,
+    3: UserAgentRequest_Payload.evm,
+    4: UserAgentRequest_Payload.sdkClient,
     0: UserAgentRequest_Payload.notSet
   };
   static final $pb.BuilderInfo _i = $pb.BuilderInfo(
@@ -1470,48 +62,16 @@ class UserAgentRequest extends $pb.GeneratedMessage {
       package:
           const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
       createEmptyInstance: create)
-    ..oo(0, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18])
-    ..aOM<AuthChallengeRequest>(
-        1, _omitFieldNames ? '' : 'authChallengeRequest',
-        subBuilder: AuthChallengeRequest.create)
-    ..aOM<AuthChallengeSolution>(
-        2, _omitFieldNames ? '' : 'authChallengeSolution',
-        subBuilder: AuthChallengeSolution.create)
-    ..aOM<UnsealStart>(3, _omitFieldNames ? '' : 'unsealStart',
-        subBuilder: UnsealStart.create)
-    ..aOM<UnsealEncryptedKey>(4, _omitFieldNames ? '' : 'unsealEncryptedKey',
-        subBuilder: UnsealEncryptedKey.create)
-    ..aOM<$1.Empty>(5, _omitFieldNames ? '' : 'queryVaultState',
-        subBuilder: $1.Empty.create)
-    ..aOM<$1.Empty>(6, _omitFieldNames ? '' : 'evmWalletCreate',
-        subBuilder: $1.Empty.create)
-    ..aOM<$1.Empty>(7, _omitFieldNames ? '' : 'evmWalletList',
-        subBuilder: $1.Empty.create)
-    ..aOM<$2.EvmGrantCreateRequest>(8, _omitFieldNames ? '' : 'evmGrantCreate',
-        subBuilder: $2.EvmGrantCreateRequest.create)
-    ..aOM<$2.EvmGrantDeleteRequest>(9, _omitFieldNames ? '' : 'evmGrantDelete',
-        subBuilder: $2.EvmGrantDeleteRequest.create)
-    ..aOM<$2.EvmGrantListRequest>(10, _omitFieldNames ? '' : 'evmGrantList',
-        subBuilder: $2.EvmGrantListRequest.create)
-    ..aOM<SdkClientConnectionResponse>(
-        11, _omitFieldNames ? '' : 'sdkClientConnectionResponse',
-        subBuilder: SdkClientConnectionResponse.create)
-    ..aOM<SdkClientRevokeRequest>(12, _omitFieldNames ? '' : 'sdkClientRevoke',
-        subBuilder: SdkClientRevokeRequest.create)
-    ..aOM<$1.Empty>(13, _omitFieldNames ? '' : 'sdkClientList',
-        subBuilder: $1.Empty.create)
-    ..aOM<BootstrapEncryptedKey>(
-        14, _omitFieldNames ? '' : 'bootstrapEncryptedKey',
-        subBuilder: BootstrapEncryptedKey.create)
-    ..aOM<SdkClientGrantWalletAccess>(
-        15, _omitFieldNames ? '' : 'grantWalletAccess',
-        subBuilder: SdkClientGrantWalletAccess.create)
+    ..oo(0, [1, 2, 3, 4])
+    ..aOM<$0.Request>(1, _omitFieldNames ? '' : 'auth',
+        subBuilder: $0.Request.create)
+    ..aOM<$1.Request>(2, _omitFieldNames ? '' : 'vault',
+        subBuilder: $1.Request.create)
+    ..aOM<$2.Request>(3, _omitFieldNames ? '' : 'evm',
+        subBuilder: $2.Request.create)
+    ..aOM<$3.Request>(4, _omitFieldNames ? '' : 'sdkClient',
+        subBuilder: $3.Request.create)
     ..aI(16, _omitFieldNames ? '' : 'id')
-    ..aOM<SdkClientRevokeWalletAccess>(
-        17, _omitFieldNames ? '' : 'revokeWalletAccess',
-        subBuilder: SdkClientRevokeWalletAccess.create)
-    ..aOM<$1.Empty>(18, _omitFieldNames ? '' : 'listWalletAccess',
-        subBuilder: $1.Empty.create)
     ..hasRequiredFields = false;
 
   @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
@@ -1537,307 +97,84 @@ class UserAgentRequest extends $pb.GeneratedMessage {
   @$pb.TagNumber(2)
   @$pb.TagNumber(3)
   @$pb.TagNumber(4)
-  @$pb.TagNumber(5)
-  @$pb.TagNumber(6)
-  @$pb.TagNumber(7)
-  @$pb.TagNumber(8)
-  @$pb.TagNumber(9)
-  @$pb.TagNumber(10)
-  @$pb.TagNumber(11)
-  @$pb.TagNumber(12)
-  @$pb.TagNumber(13)
-  @$pb.TagNumber(14)
-  @$pb.TagNumber(15)
-  @$pb.TagNumber(17)
-  @$pb.TagNumber(18)
   UserAgentRequest_Payload whichPayload() =>
       _UserAgentRequest_PayloadByTag[$_whichOneof(0)]!;
   @$pb.TagNumber(1)
   @$pb.TagNumber(2)
   @$pb.TagNumber(3)
   @$pb.TagNumber(4)
-  @$pb.TagNumber(5)
-  @$pb.TagNumber(6)
-  @$pb.TagNumber(7)
-  @$pb.TagNumber(8)
-  @$pb.TagNumber(9)
-  @$pb.TagNumber(10)
-  @$pb.TagNumber(11)
-  @$pb.TagNumber(12)
-  @$pb.TagNumber(13)
-  @$pb.TagNumber(14)
-  @$pb.TagNumber(15)
-  @$pb.TagNumber(17)
-  @$pb.TagNumber(18)
   void clearPayload() => $_clearField($_whichOneof(0));
 
   @$pb.TagNumber(1)
-  AuthChallengeRequest get authChallengeRequest => $_getN(0);
+  $0.Request get auth => $_getN(0);
   @$pb.TagNumber(1)
-  set authChallengeRequest(AuthChallengeRequest value) => $_setField(1, value);
+  set auth($0.Request value) => $_setField(1, value);
   @$pb.TagNumber(1)
-  $core.bool hasAuthChallengeRequest() => $_has(0);
+  $core.bool hasAuth() => $_has(0);
   @$pb.TagNumber(1)
-  void clearAuthChallengeRequest() => $_clearField(1);
+  void clearAuth() => $_clearField(1);
   @$pb.TagNumber(1)
-  AuthChallengeRequest ensureAuthChallengeRequest() => $_ensure(0);
+  $0.Request ensureAuth() => $_ensure(0);
 
   @$pb.TagNumber(2)
-  AuthChallengeSolution get authChallengeSolution => $_getN(1);
+  $1.Request get vault => $_getN(1);
   @$pb.TagNumber(2)
-  set authChallengeSolution(AuthChallengeSolution value) =>
-      $_setField(2, value);
+  set vault($1.Request value) => $_setField(2, value);
   @$pb.TagNumber(2)
-  $core.bool hasAuthChallengeSolution() => $_has(1);
+  $core.bool hasVault() => $_has(1);
   @$pb.TagNumber(2)
-  void clearAuthChallengeSolution() => $_clearField(2);
+  void clearVault() => $_clearField(2);
   @$pb.TagNumber(2)
-  AuthChallengeSolution ensureAuthChallengeSolution() => $_ensure(1);
+  $1.Request ensureVault() => $_ensure(1);
 
   @$pb.TagNumber(3)
-  UnsealStart get unsealStart => $_getN(2);
+  $2.Request get evm => $_getN(2);
   @$pb.TagNumber(3)
-  set unsealStart(UnsealStart value) => $_setField(3, value);
+  set evm($2.Request value) => $_setField(3, value);
   @$pb.TagNumber(3)
-  $core.bool hasUnsealStart() => $_has(2);
+  $core.bool hasEvm() => $_has(2);
   @$pb.TagNumber(3)
-  void clearUnsealStart() => $_clearField(3);
+  void clearEvm() => $_clearField(3);
   @$pb.TagNumber(3)
-  UnsealStart ensureUnsealStart() => $_ensure(2);
+  $2.Request ensureEvm() => $_ensure(2);
 
   @$pb.TagNumber(4)
-  UnsealEncryptedKey get unsealEncryptedKey => $_getN(3);
+  $3.Request get sdkClient => $_getN(3);
   @$pb.TagNumber(4)
-  set unsealEncryptedKey(UnsealEncryptedKey value) => $_setField(4, value);
+  set sdkClient($3.Request value) => $_setField(4, value);
   @$pb.TagNumber(4)
-  $core.bool hasUnsealEncryptedKey() => $_has(3);
+  $core.bool hasSdkClient() => $_has(3);
   @$pb.TagNumber(4)
-  void clearUnsealEncryptedKey() => $_clearField(4);
+  void clearSdkClient() => $_clearField(4);
   @$pb.TagNumber(4)
-  UnsealEncryptedKey ensureUnsealEncryptedKey() => $_ensure(3);
-
-  @$pb.TagNumber(5)
-  $1.Empty get queryVaultState => $_getN(4);
-  @$pb.TagNumber(5)
-  set queryVaultState($1.Empty value) => $_setField(5, value);
-  @$pb.TagNumber(5)
-  $core.bool hasQueryVaultState() => $_has(4);
-  @$pb.TagNumber(5)
-  void clearQueryVaultState() => $_clearField(5);
-  @$pb.TagNumber(5)
-  $1.Empty ensureQueryVaultState() => $_ensure(4);
-
-  @$pb.TagNumber(6)
-  $1.Empty get evmWalletCreate => $_getN(5);
-  @$pb.TagNumber(6)
-  set evmWalletCreate($1.Empty value) => $_setField(6, value);
-  @$pb.TagNumber(6)
-  $core.bool hasEvmWalletCreate() => $_has(5);
-  @$pb.TagNumber(6)
-  void clearEvmWalletCreate() => $_clearField(6);
-  @$pb.TagNumber(6)
-  $1.Empty ensureEvmWalletCreate() => $_ensure(5);
-
-  @$pb.TagNumber(7)
-  $1.Empty get evmWalletList => $_getN(6);
-  @$pb.TagNumber(7)
-  set evmWalletList($1.Empty value) => $_setField(7, value);
-  @$pb.TagNumber(7)
-  $core.bool hasEvmWalletList() => $_has(6);
-  @$pb.TagNumber(7)
-  void clearEvmWalletList() => $_clearField(7);
-  @$pb.TagNumber(7)
-  $1.Empty ensureEvmWalletList() => $_ensure(6);
-
-  @$pb.TagNumber(8)
-  $2.EvmGrantCreateRequest get evmGrantCreate => $_getN(7);
-  @$pb.TagNumber(8)
-  set evmGrantCreate($2.EvmGrantCreateRequest value) => $_setField(8, value);
-  @$pb.TagNumber(8)
-  $core.bool hasEvmGrantCreate() => $_has(7);
-  @$pb.TagNumber(8)
-  void clearEvmGrantCreate() => $_clearField(8);
-  @$pb.TagNumber(8)
-  $2.EvmGrantCreateRequest ensureEvmGrantCreate() => $_ensure(7);
-
-  @$pb.TagNumber(9)
-  $2.EvmGrantDeleteRequest get evmGrantDelete => $_getN(8);
-  @$pb.TagNumber(9)
-  set evmGrantDelete($2.EvmGrantDeleteRequest value) => $_setField(9, value);
-  @$pb.TagNumber(9)
-  $core.bool hasEvmGrantDelete() => $_has(8);
-  @$pb.TagNumber(9)
-  void clearEvmGrantDelete() => $_clearField(9);
-  @$pb.TagNumber(9)
-  $2.EvmGrantDeleteRequest ensureEvmGrantDelete() => $_ensure(8);
-
-  @$pb.TagNumber(10)
-  $2.EvmGrantListRequest get evmGrantList => $_getN(9);
-  @$pb.TagNumber(10)
-  set evmGrantList($2.EvmGrantListRequest value) => $_setField(10, value);
-  @$pb.TagNumber(10)
-  $core.bool hasEvmGrantList() => $_has(9);
-  @$pb.TagNumber(10)
-  void clearEvmGrantList() => $_clearField(10);
-  @$pb.TagNumber(10)
-  $2.EvmGrantListRequest ensureEvmGrantList() => $_ensure(9);
-
-  @$pb.TagNumber(11)
-  SdkClientConnectionResponse get sdkClientConnectionResponse => $_getN(10);
-  @$pb.TagNumber(11)
-  set sdkClientConnectionResponse(SdkClientConnectionResponse value) =>
-      $_setField(11, value);
-  @$pb.TagNumber(11)
-  $core.bool hasSdkClientConnectionResponse() => $_has(10);
-  @$pb.TagNumber(11)
-  void clearSdkClientConnectionResponse() => $_clearField(11);
-  @$pb.TagNumber(11)
-  SdkClientConnectionResponse ensureSdkClientConnectionResponse() =>
-      $_ensure(10);
-
-  @$pb.TagNumber(12)
-  SdkClientRevokeRequest get sdkClientRevoke => $_getN(11);
-  @$pb.TagNumber(12)
-  set sdkClientRevoke(SdkClientRevokeRequest value) => $_setField(12, value);
-  @$pb.TagNumber(12)
-  $core.bool hasSdkClientRevoke() => $_has(11);
-  @$pb.TagNumber(12)
-  void clearSdkClientRevoke() => $_clearField(12);
-  @$pb.TagNumber(12)
-  SdkClientRevokeRequest ensureSdkClientRevoke() => $_ensure(11);
-
-  @$pb.TagNumber(13)
-  $1.Empty get sdkClientList => $_getN(12);
-  @$pb.TagNumber(13)
-  set sdkClientList($1.Empty value) => $_setField(13, value);
-  @$pb.TagNumber(13)
-  $core.bool hasSdkClientList() => $_has(12);
-  @$pb.TagNumber(13)
-  void clearSdkClientList() => $_clearField(13);
-  @$pb.TagNumber(13)
-  $1.Empty ensureSdkClientList() => $_ensure(12);
-
-  @$pb.TagNumber(14)
-  BootstrapEncryptedKey get bootstrapEncryptedKey => $_getN(13);
-  @$pb.TagNumber(14)
-  set bootstrapEncryptedKey(BootstrapEncryptedKey value) =>
-      $_setField(14, value);
-  @$pb.TagNumber(14)
-  $core.bool hasBootstrapEncryptedKey() => $_has(13);
-  @$pb.TagNumber(14)
-  void clearBootstrapEncryptedKey() => $_clearField(14);
-  @$pb.TagNumber(14)
-  BootstrapEncryptedKey ensureBootstrapEncryptedKey() => $_ensure(13);
-
-  @$pb.TagNumber(15)
-  SdkClientGrantWalletAccess get grantWalletAccess => $_getN(14);
-  @$pb.TagNumber(15)
-  set grantWalletAccess(SdkClientGrantWalletAccess value) =>
-      $_setField(15, value);
-  @$pb.TagNumber(15)
-  $core.bool hasGrantWalletAccess() => $_has(14);
-  @$pb.TagNumber(15)
-  void clearGrantWalletAccess() => $_clearField(15);
-  @$pb.TagNumber(15)
-  SdkClientGrantWalletAccess ensureGrantWalletAccess() => $_ensure(14);
+  $3.Request ensureSdkClient() => $_ensure(3);
 
   @$pb.TagNumber(16)
-  $core.int get id => $_getIZ(15);
+  $core.int get id => $_getIZ(4);
   @$pb.TagNumber(16)
-  set id($core.int value) => $_setSignedInt32(15, value);
+  set id($core.int value) => $_setSignedInt32(4, value);
   @$pb.TagNumber(16)
-  $core.bool hasId() => $_has(15);
+  $core.bool hasId() => $_has(4);
   @$pb.TagNumber(16)
   void clearId() => $_clearField(16);
-
-  @$pb.TagNumber(17)
-  SdkClientRevokeWalletAccess get revokeWalletAccess => $_getN(16);
-  @$pb.TagNumber(17)
-  set revokeWalletAccess(SdkClientRevokeWalletAccess value) =>
-      $_setField(17, value);
-  @$pb.TagNumber(17)
-  $core.bool hasRevokeWalletAccess() => $_has(16);
-  @$pb.TagNumber(17)
-  void clearRevokeWalletAccess() => $_clearField(17);
-  @$pb.TagNumber(17)
-  SdkClientRevokeWalletAccess ensureRevokeWalletAccess() => $_ensure(16);
-
-  @$pb.TagNumber(18)
-  $1.Empty get listWalletAccess => $_getN(17);
-  @$pb.TagNumber(18)
-  set listWalletAccess($1.Empty value) => $_setField(18, value);
-  @$pb.TagNumber(18)
-  $core.bool hasListWalletAccess() => $_has(17);
-  @$pb.TagNumber(18)
-  void clearListWalletAccess() => $_clearField(18);
-  @$pb.TagNumber(18)
-  $1.Empty ensureListWalletAccess() => $_ensure(17);
 }
 
-enum UserAgentResponse_Payload {
-  authChallenge,
-  authResult,
-  unsealStartResponse,
-  unsealResult,
-  vaultState,
-  evmWalletCreate,
-  evmWalletList,
-  evmGrantCreate,
-  evmGrantDelete,
-  evmGrantList,
-  sdkClientConnectionRequest,
-  sdkClientConnectionCancel,
-  sdkClientRevokeResponse,
-  sdkClientListResponse,
-  bootstrapResult,
-  listWalletAccessResponse,
-  notSet
-}
+enum UserAgentResponse_Payload { auth, vault, evm, sdkClient, notSet }
 
 class UserAgentResponse extends $pb.GeneratedMessage {
   factory UserAgentResponse({
-    AuthChallenge? authChallenge,
-    AuthResult? authResult,
-    UnsealStartResponse? unsealStartResponse,
-    UnsealResult? unsealResult,
-    VaultState? vaultState,
-    $2.WalletCreateResponse? evmWalletCreate,
-    $2.WalletListResponse? evmWalletList,
-    $2.EvmGrantCreateResponse? evmGrantCreate,
-    $2.EvmGrantDeleteResponse? evmGrantDelete,
-    $2.EvmGrantListResponse? evmGrantList,
-    SdkClientConnectionRequest? sdkClientConnectionRequest,
-    SdkClientConnectionCancel? sdkClientConnectionCancel,
-    SdkClientRevokeResponse? sdkClientRevokeResponse,
-    SdkClientListResponse? sdkClientListResponse,
-    BootstrapResult? bootstrapResult,
+    $0.Response? auth,
+    $1.Response? vault,
+    $2.Response? evm,
+    $3.Response? sdkClient,
     $core.int? id,
-    ListWalletAccessResponse? listWalletAccessResponse,
   }) {
     final result = create();
-    if (authChallenge != null) result.authChallenge = authChallenge;
-    if (authResult != null) result.authResult = authResult;
-    if (unsealStartResponse != null)
-      result.unsealStartResponse = unsealStartResponse;
-    if (unsealResult != null) result.unsealResult = unsealResult;
-    if (vaultState != null) result.vaultState = vaultState;
-    if (evmWalletCreate != null) result.evmWalletCreate = evmWalletCreate;
-    if (evmWalletList != null) result.evmWalletList = evmWalletList;
-    if (evmGrantCreate != null) result.evmGrantCreate = evmGrantCreate;
-    if (evmGrantDelete != null) result.evmGrantDelete = evmGrantDelete;
-    if (evmGrantList != null) result.evmGrantList = evmGrantList;
-    if (sdkClientConnectionRequest != null)
-      result.sdkClientConnectionRequest = sdkClientConnectionRequest;
-    if (sdkClientConnectionCancel != null)
-      result.sdkClientConnectionCancel = sdkClientConnectionCancel;
-    if (sdkClientRevokeResponse != null)
-      result.sdkClientRevokeResponse = sdkClientRevokeResponse;
-    if (sdkClientListResponse != null)
-      result.sdkClientListResponse = sdkClientListResponse;
-    if (bootstrapResult != null) result.bootstrapResult = bootstrapResult;
+    if (auth != null) result.auth = auth;
+    if (vault != null) result.vault = vault;
+    if (evm != null) result.evm = evm;
+    if (sdkClient != null) result.sdkClient = sdkClient;
     if (id != null) result.id = id;
-    if (listWalletAccessResponse != null)
-      result.listWalletAccessResponse = listWalletAccessResponse;
     return result;
   }
 
@@ -1852,22 +189,10 @@ class UserAgentResponse extends $pb.GeneratedMessage {
 
   static const $core.Map<$core.int, UserAgentResponse_Payload>
       _UserAgentResponse_PayloadByTag = {
-    1: UserAgentResponse_Payload.authChallenge,
-    2: UserAgentResponse_Payload.authResult,
-    3: UserAgentResponse_Payload.unsealStartResponse,
-    4: UserAgentResponse_Payload.unsealResult,
-    5: UserAgentResponse_Payload.vaultState,
-    6: UserAgentResponse_Payload.evmWalletCreate,
-    7: UserAgentResponse_Payload.evmWalletList,
-    8: UserAgentResponse_Payload.evmGrantCreate,
-    9: UserAgentResponse_Payload.evmGrantDelete,
-    10: UserAgentResponse_Payload.evmGrantList,
-    11: UserAgentResponse_Payload.sdkClientConnectionRequest,
-    12: UserAgentResponse_Payload.sdkClientConnectionCancel,
-    13: UserAgentResponse_Payload.sdkClientRevokeResponse,
-    14: UserAgentResponse_Payload.sdkClientListResponse,
-    15: UserAgentResponse_Payload.bootstrapResult,
-    17: UserAgentResponse_Payload.listWalletAccessResponse,
+    1: UserAgentResponse_Payload.auth,
+    2: UserAgentResponse_Payload.vault,
+    3: UserAgentResponse_Payload.evm,
+    4: UserAgentResponse_Payload.sdkClient,
     0: UserAgentResponse_Payload.notSet
   };
   static final $pb.BuilderInfo _i = $pb.BuilderInfo(
@@ -1875,45 +200,16 @@ class UserAgentResponse extends $pb.GeneratedMessage {
       package:
           const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.user_agent'),
       createEmptyInstance: create)
-    ..oo(0, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17])
-    ..aOM<AuthChallenge>(1, _omitFieldNames ? '' : 'authChallenge',
-        subBuilder: AuthChallenge.create)
-    ..aE<AuthResult>(2, _omitFieldNames ? '' : 'authResult',
-        enumValues: AuthResult.values)
-    ..aOM<UnsealStartResponse>(3, _omitFieldNames ? '' : 'unsealStartResponse',
-        subBuilder: UnsealStartResponse.create)
-    ..aE<UnsealResult>(4, _omitFieldNames ? '' : 'unsealResult',
-        enumValues: UnsealResult.values)
-    ..aE<VaultState>(5, _omitFieldNames ? '' : 'vaultState',
-        enumValues: VaultState.values)
-    ..aOM<$2.WalletCreateResponse>(6, _omitFieldNames ? '' : 'evmWalletCreate',
-        subBuilder: $2.WalletCreateResponse.create)
-    ..aOM<$2.WalletListResponse>(7, _omitFieldNames ? '' : 'evmWalletList',
-        subBuilder: $2.WalletListResponse.create)
-    ..aOM<$2.EvmGrantCreateResponse>(8, _omitFieldNames ? '' : 'evmGrantCreate',
-        subBuilder: $2.EvmGrantCreateResponse.create)
-    ..aOM<$2.EvmGrantDeleteResponse>(9, _omitFieldNames ? '' : 'evmGrantDelete',
-        subBuilder: $2.EvmGrantDeleteResponse.create)
-    ..aOM<$2.EvmGrantListResponse>(10, _omitFieldNames ? '' : 'evmGrantList',
-        subBuilder: $2.EvmGrantListResponse.create)
-    ..aOM<SdkClientConnectionRequest>(
-        11, _omitFieldNames ? '' : 'sdkClientConnectionRequest',
-        subBuilder: SdkClientConnectionRequest.create)
-    ..aOM<SdkClientConnectionCancel>(
-        12, _omitFieldNames ? '' : 'sdkClientConnectionCancel',
-        subBuilder: SdkClientConnectionCancel.create)
-    ..aOM<SdkClientRevokeResponse>(
-        13, _omitFieldNames ? '' : 'sdkClientRevokeResponse',
-        subBuilder: SdkClientRevokeResponse.create)
-    ..aOM<SdkClientListResponse>(
-        14, _omitFieldNames ? '' : 'sdkClientListResponse',
-        subBuilder: SdkClientListResponse.create)
-    ..aE<BootstrapResult>(15, _omitFieldNames ? '' : 'bootstrapResult',
-        enumValues: BootstrapResult.values)
+    ..oo(0, [1, 2, 3, 4])
+    ..aOM<$0.Response>(1, _omitFieldNames ? '' : 'auth',
+        subBuilder: $0.Response.create)
+    ..aOM<$1.Response>(2, _omitFieldNames ? '' : 'vault',
+        subBuilder: $1.Response.create)
+    ..aOM<$2.Response>(3, _omitFieldNames ? '' : 'evm',
+        subBuilder: $2.Response.create)
+    ..aOM<$3.Response>(4, _omitFieldNames ? '' : 'sdkClient',
+        subBuilder: $3.Response.create)
     ..aI(16, _omitFieldNames ? '' : 'id')
-    ..aOM<ListWalletAccessResponse>(
-        17, _omitFieldNames ? '' : 'listWalletAccessResponse',
-        subBuilder: ListWalletAccessResponse.create)
     ..hasRequiredFields = false;
 
   @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
@@ -1939,219 +235,66 @@ class UserAgentResponse extends $pb.GeneratedMessage {
   @$pb.TagNumber(2)
   @$pb.TagNumber(3)
   @$pb.TagNumber(4)
-  @$pb.TagNumber(5)
-  @$pb.TagNumber(6)
-  @$pb.TagNumber(7)
-  @$pb.TagNumber(8)
-  @$pb.TagNumber(9)
-  @$pb.TagNumber(10)
-  @$pb.TagNumber(11)
-  @$pb.TagNumber(12)
-  @$pb.TagNumber(13)
-  @$pb.TagNumber(14)
-  @$pb.TagNumber(15)
-  @$pb.TagNumber(17)
   UserAgentResponse_Payload whichPayload() =>
       _UserAgentResponse_PayloadByTag[$_whichOneof(0)]!;
   @$pb.TagNumber(1)
   @$pb.TagNumber(2)
   @$pb.TagNumber(3)
   @$pb.TagNumber(4)
-  @$pb.TagNumber(5)
-  @$pb.TagNumber(6)
-  @$pb.TagNumber(7)
-  @$pb.TagNumber(8)
-  @$pb.TagNumber(9)
-  @$pb.TagNumber(10)
-  @$pb.TagNumber(11)
-  @$pb.TagNumber(12)
-  @$pb.TagNumber(13)
-  @$pb.TagNumber(14)
-  @$pb.TagNumber(15)
-  @$pb.TagNumber(17)
   void clearPayload() => $_clearField($_whichOneof(0));
 
   @$pb.TagNumber(1)
-  AuthChallenge get authChallenge => $_getN(0);
+  $0.Response get auth => $_getN(0);
   @$pb.TagNumber(1)
-  set authChallenge(AuthChallenge value) => $_setField(1, value);
+  set auth($0.Response value) => $_setField(1, value);
   @$pb.TagNumber(1)
-  $core.bool hasAuthChallenge() => $_has(0);
+  $core.bool hasAuth() => $_has(0);
   @$pb.TagNumber(1)
-  void clearAuthChallenge() => $_clearField(1);
+  void clearAuth() => $_clearField(1);
   @$pb.TagNumber(1)
-  AuthChallenge ensureAuthChallenge() => $_ensure(0);
+  $0.Response ensureAuth() => $_ensure(0);
 
   @$pb.TagNumber(2)
-  AuthResult get authResult => $_getN(1);
+  $1.Response get vault => $_getN(1);
   @$pb.TagNumber(2)
-  set authResult(AuthResult value) => $_setField(2, value);
+  set vault($1.Response value) => $_setField(2, value);
   @$pb.TagNumber(2)
-  $core.bool hasAuthResult() => $_has(1);
+  $core.bool hasVault() => $_has(1);
   @$pb.TagNumber(2)
-  void clearAuthResult() => $_clearField(2);
+  void clearVault() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $1.Response ensureVault() => $_ensure(1);
 
   @$pb.TagNumber(3)
-  UnsealStartResponse get unsealStartResponse => $_getN(2);
+  $2.Response get evm => $_getN(2);
   @$pb.TagNumber(3)
-  set unsealStartResponse(UnsealStartResponse value) => $_setField(3, value);
+  set evm($2.Response value) => $_setField(3, value);
   @$pb.TagNumber(3)
-  $core.bool hasUnsealStartResponse() => $_has(2);
+  $core.bool hasEvm() => $_has(2);
   @$pb.TagNumber(3)
-  void clearUnsealStartResponse() => $_clearField(3);
+  void clearEvm() => $_clearField(3);
   @$pb.TagNumber(3)
-  UnsealStartResponse ensureUnsealStartResponse() => $_ensure(2);
+  $2.Response ensureEvm() => $_ensure(2);
 
   @$pb.TagNumber(4)
-  UnsealResult get unsealResult => $_getN(3);
+  $3.Response get sdkClient => $_getN(3);
   @$pb.TagNumber(4)
-  set unsealResult(UnsealResult value) => $_setField(4, value);
+  set sdkClient($3.Response value) => $_setField(4, value);
   @$pb.TagNumber(4)
-  $core.bool hasUnsealResult() => $_has(3);
+  $core.bool hasSdkClient() => $_has(3);
   @$pb.TagNumber(4)
-  void clearUnsealResult() => $_clearField(4);
-
-  @$pb.TagNumber(5)
-  VaultState get vaultState => $_getN(4);
-  @$pb.TagNumber(5)
-  set vaultState(VaultState value) => $_setField(5, value);
-  @$pb.TagNumber(5)
-  $core.bool hasVaultState() => $_has(4);
-  @$pb.TagNumber(5)
-  void clearVaultState() => $_clearField(5);
-
-  @$pb.TagNumber(6)
-  $2.WalletCreateResponse get evmWalletCreate => $_getN(5);
-  @$pb.TagNumber(6)
-  set evmWalletCreate($2.WalletCreateResponse value) => $_setField(6, value);
-  @$pb.TagNumber(6)
-  $core.bool hasEvmWalletCreate() => $_has(5);
-  @$pb.TagNumber(6)
-  void clearEvmWalletCreate() => $_clearField(6);
-  @$pb.TagNumber(6)
-  $2.WalletCreateResponse ensureEvmWalletCreate() => $_ensure(5);
-
-  @$pb.TagNumber(7)
-  $2.WalletListResponse get evmWalletList => $_getN(6);
-  @$pb.TagNumber(7)
-  set evmWalletList($2.WalletListResponse value) => $_setField(7, value);
-  @$pb.TagNumber(7)
-  $core.bool hasEvmWalletList() => $_has(6);
-  @$pb.TagNumber(7)
-  void clearEvmWalletList() => $_clearField(7);
-  @$pb.TagNumber(7)
-  $2.WalletListResponse ensureEvmWalletList() => $_ensure(6);
-
-  @$pb.TagNumber(8)
-  $2.EvmGrantCreateResponse get evmGrantCreate => $_getN(7);
-  @$pb.TagNumber(8)
-  set evmGrantCreate($2.EvmGrantCreateResponse value) => $_setField(8, value);
-  @$pb.TagNumber(8)
-  $core.bool hasEvmGrantCreate() => $_has(7);
-  @$pb.TagNumber(8)
-  void clearEvmGrantCreate() => $_clearField(8);
-  @$pb.TagNumber(8)
-  $2.EvmGrantCreateResponse ensureEvmGrantCreate() => $_ensure(7);
-
-  @$pb.TagNumber(9)
-  $2.EvmGrantDeleteResponse get evmGrantDelete => $_getN(8);
-  @$pb.TagNumber(9)
-  set evmGrantDelete($2.EvmGrantDeleteResponse value) => $_setField(9, value);
-  @$pb.TagNumber(9)
-  $core.bool hasEvmGrantDelete() => $_has(8);
-  @$pb.TagNumber(9)
-  void clearEvmGrantDelete() => $_clearField(9);
-  @$pb.TagNumber(9)
-  $2.EvmGrantDeleteResponse ensureEvmGrantDelete() => $_ensure(8);
-
-  @$pb.TagNumber(10)
-  $2.EvmGrantListResponse get evmGrantList => $_getN(9);
-  @$pb.TagNumber(10)
-  set evmGrantList($2.EvmGrantListResponse value) => $_setField(10, value);
-  @$pb.TagNumber(10)
-  $core.bool hasEvmGrantList() => $_has(9);
-  @$pb.TagNumber(10)
-  void clearEvmGrantList() => $_clearField(10);
-  @$pb.TagNumber(10)
-  $2.EvmGrantListResponse ensureEvmGrantList() => $_ensure(9);
-
-  @$pb.TagNumber(11)
-  SdkClientConnectionRequest get sdkClientConnectionRequest => $_getN(10);
-  @$pb.TagNumber(11)
-  set sdkClientConnectionRequest(SdkClientConnectionRequest value) =>
-      $_setField(11, value);
-  @$pb.TagNumber(11)
-  $core.bool hasSdkClientConnectionRequest() => $_has(10);
-  @$pb.TagNumber(11)
-  void clearSdkClientConnectionRequest() => $_clearField(11);
-  @$pb.TagNumber(11)
-  SdkClientConnectionRequest ensureSdkClientConnectionRequest() => $_ensure(10);
-
-  @$pb.TagNumber(12)
-  SdkClientConnectionCancel get sdkClientConnectionCancel => $_getN(11);
-  @$pb.TagNumber(12)
-  set sdkClientConnectionCancel(SdkClientConnectionCancel value) =>
-      $_setField(12, value);
-  @$pb.TagNumber(12)
-  $core.bool hasSdkClientConnectionCancel() => $_has(11);
-  @$pb.TagNumber(12)
-  void clearSdkClientConnectionCancel() => $_clearField(12);
-  @$pb.TagNumber(12)
-  SdkClientConnectionCancel ensureSdkClientConnectionCancel() => $_ensure(11);
-
-  @$pb.TagNumber(13)
-  SdkClientRevokeResponse get sdkClientRevokeResponse => $_getN(12);
-  @$pb.TagNumber(13)
-  set sdkClientRevokeResponse(SdkClientRevokeResponse value) =>
-      $_setField(13, value);
-  @$pb.TagNumber(13)
-  $core.bool hasSdkClientRevokeResponse() => $_has(12);
-  @$pb.TagNumber(13)
-  void clearSdkClientRevokeResponse() => $_clearField(13);
-  @$pb.TagNumber(13)
-  SdkClientRevokeResponse ensureSdkClientRevokeResponse() => $_ensure(12);
-
-  @$pb.TagNumber(14)
-  SdkClientListResponse get sdkClientListResponse => $_getN(13);
-  @$pb.TagNumber(14)
-  set sdkClientListResponse(SdkClientListResponse value) =>
-      $_setField(14, value);
-  @$pb.TagNumber(14)
-  $core.bool hasSdkClientListResponse() => $_has(13);
-  @$pb.TagNumber(14)
-  void clearSdkClientListResponse() => $_clearField(14);
-  @$pb.TagNumber(14)
-  SdkClientListResponse ensureSdkClientListResponse() => $_ensure(13);
-
-  @$pb.TagNumber(15)
-  BootstrapResult get bootstrapResult => $_getN(14);
-  @$pb.TagNumber(15)
-  set bootstrapResult(BootstrapResult value) => $_setField(15, value);
-  @$pb.TagNumber(15)
-  $core.bool hasBootstrapResult() => $_has(14);
-  @$pb.TagNumber(15)
-  void clearBootstrapResult() => $_clearField(15);
+  void clearSdkClient() => $_clearField(4);
+  @$pb.TagNumber(4)
+  $3.Response ensureSdkClient() => $_ensure(3);
 
   @$pb.TagNumber(16)
-  $core.int get id => $_getIZ(15);
+  $core.int get id => $_getIZ(4);
   @$pb.TagNumber(16)
-  set id($core.int value) => $_setSignedInt32(15, value);
+  set id($core.int value) => $_setSignedInt32(4, value);
   @$pb.TagNumber(16)
-  $core.bool hasId() => $_has(15);
+  $core.bool hasId() => $_has(4);
   @$pb.TagNumber(16)
   void clearId() => $_clearField(16);
-
-  @$pb.TagNumber(17)
-  ListWalletAccessResponse get listWalletAccessResponse => $_getN(16);
-  @$pb.TagNumber(17)
-  set listWalletAccessResponse(ListWalletAccessResponse value) =>
-      $_setField(17, value);
-  @$pb.TagNumber(17)
-  $core.bool hasListWalletAccessResponse() => $_has(16);
-  @$pb.TagNumber(17)
-  void clearListWalletAccessResponse() => $_clearField(17);
-  @$pb.TagNumber(17)
-  ListWalletAccessResponse ensureListWalletAccessResponse() => $_ensure(16);
 }
 
 const $core.bool _omitFieldNames =
diff --git a/useragent/lib/proto/user_agent.pbenum.dart b/useragent/lib/proto/user_agent.pbenum.dart
index dfc4a2d..ef6073b 100644
--- a/useragent/lib/proto/user_agent.pbenum.dart
+++ b/useragent/lib/proto/user_agent.pbenum.dart
@@ -9,178 +9,3 @@
 // ignore_for_file: curly_braces_in_flow_control_structures
 // ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
 // ignore_for_file: non_constant_identifier_names, prefer_relative_imports
-
-import 'dart:core' as $core;
-
-import 'package:protobuf/protobuf.dart' as $pb;
-
-class KeyType extends $pb.ProtobufEnum {
-  static const KeyType KEY_TYPE_UNSPECIFIED =
-      KeyType._(0, _omitEnumNames ? '' : 'KEY_TYPE_UNSPECIFIED');
-  static const KeyType KEY_TYPE_ED25519 =
-      KeyType._(1, _omitEnumNames ? '' : 'KEY_TYPE_ED25519');
-  static const KeyType KEY_TYPE_ECDSA_SECP256K1 =
-      KeyType._(2, _omitEnumNames ? '' : 'KEY_TYPE_ECDSA_SECP256K1');
-  static const KeyType KEY_TYPE_RSA =
-      KeyType._(3, _omitEnumNames ? '' : 'KEY_TYPE_RSA');
-
-  static const $core.List<KeyType> values = <KeyType>[
-    KEY_TYPE_UNSPECIFIED,
-    KEY_TYPE_ED25519,
-    KEY_TYPE_ECDSA_SECP256K1,
-    KEY_TYPE_RSA,
-  ];
-
-  static final $core.List<KeyType?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 3);
-  static KeyType? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const KeyType._(super.value, super.name);
-}
-
-class SdkClientError extends $pb.ProtobufEnum {
-  static const SdkClientError SDK_CLIENT_ERROR_UNSPECIFIED =
-      SdkClientError._(0, _omitEnumNames ? '' : 'SDK_CLIENT_ERROR_UNSPECIFIED');
-  static const SdkClientError SDK_CLIENT_ERROR_ALREADY_EXISTS =
-      SdkClientError._(
-          1, _omitEnumNames ? '' : 'SDK_CLIENT_ERROR_ALREADY_EXISTS');
-  static const SdkClientError SDK_CLIENT_ERROR_NOT_FOUND =
-      SdkClientError._(2, _omitEnumNames ? '' : 'SDK_CLIENT_ERROR_NOT_FOUND');
-  static const SdkClientError SDK_CLIENT_ERROR_HAS_RELATED_DATA =
-      SdkClientError._(
-          3, _omitEnumNames ? '' : 'SDK_CLIENT_ERROR_HAS_RELATED_DATA');
-  static const SdkClientError SDK_CLIENT_ERROR_INTERNAL =
-      SdkClientError._(4, _omitEnumNames ? '' : 'SDK_CLIENT_ERROR_INTERNAL');
-
-  static const $core.List<SdkClientError> values = <SdkClientError>[
-    SDK_CLIENT_ERROR_UNSPECIFIED,
-    SDK_CLIENT_ERROR_ALREADY_EXISTS,
-    SDK_CLIENT_ERROR_NOT_FOUND,
-    SDK_CLIENT_ERROR_HAS_RELATED_DATA,
-    SDK_CLIENT_ERROR_INTERNAL,
-  ];
-
-  static final $core.List<SdkClientError?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 4);
-  static SdkClientError? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const SdkClientError._(super.value, super.name);
-}
-
-class AuthResult extends $pb.ProtobufEnum {
-  static const AuthResult AUTH_RESULT_UNSPECIFIED =
-      AuthResult._(0, _omitEnumNames ? '' : 'AUTH_RESULT_UNSPECIFIED');
-  static const AuthResult AUTH_RESULT_SUCCESS =
-      AuthResult._(1, _omitEnumNames ? '' : 'AUTH_RESULT_SUCCESS');
-  static const AuthResult AUTH_RESULT_INVALID_KEY =
-      AuthResult._(2, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_KEY');
-  static const AuthResult AUTH_RESULT_INVALID_SIGNATURE =
-      AuthResult._(3, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_SIGNATURE');
-  static const AuthResult AUTH_RESULT_BOOTSTRAP_REQUIRED =
-      AuthResult._(4, _omitEnumNames ? '' : 'AUTH_RESULT_BOOTSTRAP_REQUIRED');
-  static const AuthResult AUTH_RESULT_TOKEN_INVALID =
-      AuthResult._(5, _omitEnumNames ? '' : 'AUTH_RESULT_TOKEN_INVALID');
-  static const AuthResult AUTH_RESULT_INTERNAL =
-      AuthResult._(6, _omitEnumNames ? '' : 'AUTH_RESULT_INTERNAL');
-
-  static const $core.List<AuthResult> values = <AuthResult>[
-    AUTH_RESULT_UNSPECIFIED,
-    AUTH_RESULT_SUCCESS,
-    AUTH_RESULT_INVALID_KEY,
-    AUTH_RESULT_INVALID_SIGNATURE,
-    AUTH_RESULT_BOOTSTRAP_REQUIRED,
-    AUTH_RESULT_TOKEN_INVALID,
-    AUTH_RESULT_INTERNAL,
-  ];
-
-  static final $core.List<AuthResult?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 6);
-  static AuthResult? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const AuthResult._(super.value, super.name);
-}
-
-class UnsealResult extends $pb.ProtobufEnum {
-  static const UnsealResult UNSEAL_RESULT_UNSPECIFIED =
-      UnsealResult._(0, _omitEnumNames ? '' : 'UNSEAL_RESULT_UNSPECIFIED');
-  static const UnsealResult UNSEAL_RESULT_SUCCESS =
-      UnsealResult._(1, _omitEnumNames ? '' : 'UNSEAL_RESULT_SUCCESS');
-  static const UnsealResult UNSEAL_RESULT_INVALID_KEY =
-      UnsealResult._(2, _omitEnumNames ? '' : 'UNSEAL_RESULT_INVALID_KEY');
-  static const UnsealResult UNSEAL_RESULT_UNBOOTSTRAPPED =
-      UnsealResult._(3, _omitEnumNames ? '' : 'UNSEAL_RESULT_UNBOOTSTRAPPED');
-
-  static const $core.List<UnsealResult> values = <UnsealResult>[
-    UNSEAL_RESULT_UNSPECIFIED,
-    UNSEAL_RESULT_SUCCESS,
-    UNSEAL_RESULT_INVALID_KEY,
-    UNSEAL_RESULT_UNBOOTSTRAPPED,
-  ];
-
-  static final $core.List<UnsealResult?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 3);
-  static UnsealResult? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const UnsealResult._(super.value, super.name);
-}
-
-class BootstrapResult extends $pb.ProtobufEnum {
-  static const BootstrapResult BOOTSTRAP_RESULT_UNSPECIFIED = BootstrapResult._(
-      0, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_UNSPECIFIED');
-  static const BootstrapResult BOOTSTRAP_RESULT_SUCCESS =
-      BootstrapResult._(1, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_SUCCESS');
-  static const BootstrapResult BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED =
-      BootstrapResult._(
-          2, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED');
-  static const BootstrapResult BOOTSTRAP_RESULT_INVALID_KEY = BootstrapResult._(
-      3, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_INVALID_KEY');
-
-  static const $core.List<BootstrapResult> values = <BootstrapResult>[
-    BOOTSTRAP_RESULT_UNSPECIFIED,
-    BOOTSTRAP_RESULT_SUCCESS,
-    BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED,
-    BOOTSTRAP_RESULT_INVALID_KEY,
-  ];
-
-  static final $core.List<BootstrapResult?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 3);
-  static BootstrapResult? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const BootstrapResult._(super.value, super.name);
-}
-
-class VaultState extends $pb.ProtobufEnum {
-  static const VaultState VAULT_STATE_UNSPECIFIED =
-      VaultState._(0, _omitEnumNames ? '' : 'VAULT_STATE_UNSPECIFIED');
-  static const VaultState VAULT_STATE_UNBOOTSTRAPPED =
-      VaultState._(1, _omitEnumNames ? '' : 'VAULT_STATE_UNBOOTSTRAPPED');
-  static const VaultState VAULT_STATE_SEALED =
-      VaultState._(2, _omitEnumNames ? '' : 'VAULT_STATE_SEALED');
-  static const VaultState VAULT_STATE_UNSEALED =
-      VaultState._(3, _omitEnumNames ? '' : 'VAULT_STATE_UNSEALED');
-  static const VaultState VAULT_STATE_ERROR =
-      VaultState._(4, _omitEnumNames ? '' : 'VAULT_STATE_ERROR');
-
-  static const $core.List<VaultState> values = <VaultState>[
-    VAULT_STATE_UNSPECIFIED,
-    VAULT_STATE_UNBOOTSTRAPPED,
-    VAULT_STATE_SEALED,
-    VAULT_STATE_UNSEALED,
-    VAULT_STATE_ERROR,
-  ];
-
-  static final $core.List<VaultState?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 4);
-  static VaultState? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const VaultState._(super.value, super.name);
-}
-
-const $core.bool _omitEnumNames =
-    $core.bool.fromEnvironment('protobuf.omit_enum_names');
diff --git a/useragent/lib/proto/user_agent.pbjson.dart b/useragent/lib/proto/user_agent.pbjson.dart
index c5bd9bb..347a28a 100644
--- a/useragent/lib/proto/user_agent.pbjson.dart
+++ b/useragent/lib/proto/user_agent.pbjson.dart
@@ -15,657 +15,46 @@ import 'dart:convert' as $convert;
 import 'dart:core' as $core;
 import 'dart:typed_data' as $typed_data;
 
-@$core.Deprecated('Use keyTypeDescriptor instead')
-const KeyType$json = {
-  '1': 'KeyType',
-  '2': [
-    {'1': 'KEY_TYPE_UNSPECIFIED', '2': 0},
-    {'1': 'KEY_TYPE_ED25519', '2': 1},
-    {'1': 'KEY_TYPE_ECDSA_SECP256K1', '2': 2},
-    {'1': 'KEY_TYPE_RSA', '2': 3},
-  ],
-};
-
-/// Descriptor for `KeyType`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List keyTypeDescriptor = $convert.base64Decode(
-    'CgdLZXlUeXBlEhgKFEtFWV9UWVBFX1VOU1BFQ0lGSUVEEAASFAoQS0VZX1RZUEVfRUQyNTUxOR'
-    'ABEhwKGEtFWV9UWVBFX0VDRFNBX1NFQ1AyNTZLMRACEhAKDEtFWV9UWVBFX1JTQRAD');
-
-@$core.Deprecated('Use sdkClientErrorDescriptor instead')
-const SdkClientError$json = {
-  '1': 'SdkClientError',
-  '2': [
-    {'1': 'SDK_CLIENT_ERROR_UNSPECIFIED', '2': 0},
-    {'1': 'SDK_CLIENT_ERROR_ALREADY_EXISTS', '2': 1},
-    {'1': 'SDK_CLIENT_ERROR_NOT_FOUND', '2': 2},
-    {'1': 'SDK_CLIENT_ERROR_HAS_RELATED_DATA', '2': 3},
-    {'1': 'SDK_CLIENT_ERROR_INTERNAL', '2': 4},
-  ],
-};
-
-/// Descriptor for `SdkClientError`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List sdkClientErrorDescriptor = $convert.base64Decode(
-    'Cg5TZGtDbGllbnRFcnJvchIgChxTREtfQ0xJRU5UX0VSUk9SX1VOU1BFQ0lGSUVEEAASIwofU0'
-    'RLX0NMSUVOVF9FUlJPUl9BTFJFQURZX0VYSVNUUxABEh4KGlNES19DTElFTlRfRVJST1JfTk9U'
-    'X0ZPVU5EEAISJQohU0RLX0NMSUVOVF9FUlJPUl9IQVNfUkVMQVRFRF9EQVRBEAMSHQoZU0RLX0'
-    'NMSUVOVF9FUlJPUl9JTlRFUk5BTBAE');
-
-@$core.Deprecated('Use authResultDescriptor instead')
-const AuthResult$json = {
-  '1': 'AuthResult',
-  '2': [
-    {'1': 'AUTH_RESULT_UNSPECIFIED', '2': 0},
-    {'1': 'AUTH_RESULT_SUCCESS', '2': 1},
-    {'1': 'AUTH_RESULT_INVALID_KEY', '2': 2},
-    {'1': 'AUTH_RESULT_INVALID_SIGNATURE', '2': 3},
-    {'1': 'AUTH_RESULT_BOOTSTRAP_REQUIRED', '2': 4},
-    {'1': 'AUTH_RESULT_TOKEN_INVALID', '2': 5},
-    {'1': 'AUTH_RESULT_INTERNAL', '2': 6},
-  ],
-};
-
-/// Descriptor for `AuthResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List authResultDescriptor = $convert.base64Decode(
-    'CgpBdXRoUmVzdWx0EhsKF0FVVEhfUkVTVUxUX1VOU1BFQ0lGSUVEEAASFwoTQVVUSF9SRVNVTF'
-    'RfU1VDQ0VTUxABEhsKF0FVVEhfUkVTVUxUX0lOVkFMSURfS0VZEAISIQodQVVUSF9SRVNVTFRf'
-    'SU5WQUxJRF9TSUdOQVRVUkUQAxIiCh5BVVRIX1JFU1VMVF9CT09UU1RSQVBfUkVRVUlSRUQQBB'
-    'IdChlBVVRIX1JFU1VMVF9UT0tFTl9JTlZBTElEEAUSGAoUQVVUSF9SRVNVTFRfSU5URVJOQUwQ'
-    'Bg==');
-
-@$core.Deprecated('Use unsealResultDescriptor instead')
-const UnsealResult$json = {
-  '1': 'UnsealResult',
-  '2': [
-    {'1': 'UNSEAL_RESULT_UNSPECIFIED', '2': 0},
-    {'1': 'UNSEAL_RESULT_SUCCESS', '2': 1},
-    {'1': 'UNSEAL_RESULT_INVALID_KEY', '2': 2},
-    {'1': 'UNSEAL_RESULT_UNBOOTSTRAPPED', '2': 3},
-  ],
-};
-
-/// Descriptor for `UnsealResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List unsealResultDescriptor = $convert.base64Decode(
-    'CgxVbnNlYWxSZXN1bHQSHQoZVU5TRUFMX1JFU1VMVF9VTlNQRUNJRklFRBAAEhkKFVVOU0VBTF'
-    '9SRVNVTFRfU1VDQ0VTUxABEh0KGVVOU0VBTF9SRVNVTFRfSU5WQUxJRF9LRVkQAhIgChxVTlNF'
-    'QUxfUkVTVUxUX1VOQk9PVFNUUkFQUEVEEAM=');
-
-@$core.Deprecated('Use bootstrapResultDescriptor instead')
-const BootstrapResult$json = {
-  '1': 'BootstrapResult',
-  '2': [
-    {'1': 'BOOTSTRAP_RESULT_UNSPECIFIED', '2': 0},
-    {'1': 'BOOTSTRAP_RESULT_SUCCESS', '2': 1},
-    {'1': 'BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED', '2': 2},
-    {'1': 'BOOTSTRAP_RESULT_INVALID_KEY', '2': 3},
-  ],
-};
-
-/// Descriptor for `BootstrapResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List bootstrapResultDescriptor = $convert.base64Decode(
-    'Cg9Cb290c3RyYXBSZXN1bHQSIAocQk9PVFNUUkFQX1JFU1VMVF9VTlNQRUNJRklFRBAAEhwKGE'
-    'JPT1RTVFJBUF9SRVNVTFRfU1VDQ0VTUxABEikKJUJPT1RTVFJBUF9SRVNVTFRfQUxSRUFEWV9C'
-    'T09UU1RSQVBQRUQQAhIgChxCT09UU1RSQVBfUkVTVUxUX0lOVkFMSURfS0VZEAM=');
-
-@$core.Deprecated('Use vaultStateDescriptor instead')
-const VaultState$json = {
-  '1': 'VaultState',
-  '2': [
-    {'1': 'VAULT_STATE_UNSPECIFIED', '2': 0},
-    {'1': 'VAULT_STATE_UNBOOTSTRAPPED', '2': 1},
-    {'1': 'VAULT_STATE_SEALED', '2': 2},
-    {'1': 'VAULT_STATE_UNSEALED', '2': 3},
-    {'1': 'VAULT_STATE_ERROR', '2': 4},
-  ],
-};
-
-/// Descriptor for `VaultState`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List vaultStateDescriptor = $convert.base64Decode(
-    'CgpWYXVsdFN0YXRlEhsKF1ZBVUxUX1NUQVRFX1VOU1BFQ0lGSUVEEAASHgoaVkFVTFRfU1RBVE'
-    'VfVU5CT09UU1RSQVBQRUQQARIWChJWQVVMVF9TVEFURV9TRUFMRUQQAhIYChRWQVVMVF9TVEFU'
-    'RV9VTlNFQUxFRBADEhUKEVZBVUxUX1NUQVRFX0VSUk9SEAQ=');
-
-@$core.Deprecated('Use sdkClientRevokeRequestDescriptor instead')
-const SdkClientRevokeRequest$json = {
-  '1': 'SdkClientRevokeRequest',
-  '2': [
-    {'1': 'client_id', '3': 1, '4': 1, '5': 5, '10': 'clientId'},
-  ],
-};
-
-/// Descriptor for `SdkClientRevokeRequest`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientRevokeRequestDescriptor =
-    $convert.base64Decode(
-        'ChZTZGtDbGllbnRSZXZva2VSZXF1ZXN0EhsKCWNsaWVudF9pZBgBIAEoBVIIY2xpZW50SWQ=');
-
-@$core.Deprecated('Use sdkClientEntryDescriptor instead')
-const SdkClientEntry$json = {
-  '1': 'SdkClientEntry',
-  '2': [
-    {'1': 'id', '3': 1, '4': 1, '5': 5, '10': 'id'},
-    {'1': 'pubkey', '3': 2, '4': 1, '5': 12, '10': 'pubkey'},
-    {
-      '1': 'info',
-      '3': 3,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.client.ClientInfo',
-      '10': 'info'
-    },
-    {'1': 'created_at', '3': 4, '4': 1, '5': 5, '10': 'createdAt'},
-  ],
-};
-
-/// Descriptor for `SdkClientEntry`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientEntryDescriptor = $convert.base64Decode(
-    'Cg5TZGtDbGllbnRFbnRyeRIOCgJpZBgBIAEoBVICaWQSFgoGcHVia2V5GAIgASgMUgZwdWJrZX'
-    'kSLgoEaW5mbxgDIAEoCzIaLmFyYml0ZXIuY2xpZW50LkNsaWVudEluZm9SBGluZm8SHQoKY3Jl'
-    'YXRlZF9hdBgEIAEoBVIJY3JlYXRlZEF0');
-
-@$core.Deprecated('Use sdkClientListDescriptor instead')
-const SdkClientList$json = {
-  '1': 'SdkClientList',
-  '2': [
-    {
-      '1': 'clients',
-      '3': 1,
-      '4': 3,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientEntry',
-      '10': 'clients'
-    },
-  ],
-};
-
-/// Descriptor for `SdkClientList`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientListDescriptor = $convert.base64Decode(
-    'Cg1TZGtDbGllbnRMaXN0EjwKB2NsaWVudHMYASADKAsyIi5hcmJpdGVyLnVzZXJfYWdlbnQuU2'
-    'RrQ2xpZW50RW50cnlSB2NsaWVudHM=');
-
-@$core.Deprecated('Use sdkClientRevokeResponseDescriptor instead')
-const SdkClientRevokeResponse$json = {
-  '1': 'SdkClientRevokeResponse',
-  '2': [
-    {
-      '1': 'ok',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'ok'
-    },
-    {
-      '1': 'error',
-      '3': 2,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.SdkClientError',
-      '9': 0,
-      '10': 'error'
-    },
-  ],
-  '8': [
-    {'1': 'result'},
-  ],
-};
-
-/// Descriptor for `SdkClientRevokeResponse`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientRevokeResponseDescriptor = $convert.base64Decode(
-    'ChdTZGtDbGllbnRSZXZva2VSZXNwb25zZRIoCgJvaxgBIAEoCzIWLmdvb2dsZS5wcm90b2J1Zi'
-    '5FbXB0eUgAUgJvaxI6CgVlcnJvchgCIAEoDjIiLmFyYml0ZXIudXNlcl9hZ2VudC5TZGtDbGll'
-    'bnRFcnJvckgAUgVlcnJvckIICgZyZXN1bHQ=');
-
-@$core.Deprecated('Use sdkClientListResponseDescriptor instead')
-const SdkClientListResponse$json = {
-  '1': 'SdkClientListResponse',
-  '2': [
-    {
-      '1': 'clients',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientList',
-      '9': 0,
-      '10': 'clients'
-    },
-    {
-      '1': 'error',
-      '3': 2,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.SdkClientError',
-      '9': 0,
-      '10': 'error'
-    },
-  ],
-  '8': [
-    {'1': 'result'},
-  ],
-};
-
-/// Descriptor for `SdkClientListResponse`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientListResponseDescriptor = $convert.base64Decode(
-    'ChVTZGtDbGllbnRMaXN0UmVzcG9uc2USPQoHY2xpZW50cxgBIAEoCzIhLmFyYml0ZXIudXNlcl'
-    '9hZ2VudC5TZGtDbGllbnRMaXN0SABSB2NsaWVudHMSOgoFZXJyb3IYAiABKA4yIi5hcmJpdGVy'
-    'LnVzZXJfYWdlbnQuU2RrQ2xpZW50RXJyb3JIAFIFZXJyb3JCCAoGcmVzdWx0');
-
-@$core.Deprecated('Use authChallengeRequestDescriptor instead')
-const AuthChallengeRequest$json = {
-  '1': 'AuthChallengeRequest',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-    {
-      '1': 'bootstrap_token',
-      '3': 2,
-      '4': 1,
-      '5': 9,
-      '9': 0,
-      '10': 'bootstrapToken',
-      '17': true
-    },
-    {
-      '1': 'key_type',
-      '3': 3,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.KeyType',
-      '10': 'keyType'
-    },
-  ],
-  '8': [
-    {'1': '_bootstrap_token'},
-  ],
-};
-
-/// Descriptor for `AuthChallengeRequest`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeRequestDescriptor = $convert.base64Decode(
-    'ChRBdXRoQ2hhbGxlbmdlUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRIsCg9ib290c3'
-    'RyYXBfdG9rZW4YAiABKAlIAFIOYm9vdHN0cmFwVG9rZW6IAQESNgoIa2V5X3R5cGUYAyABKA4y'
-    'Gy5hcmJpdGVyLnVzZXJfYWdlbnQuS2V5VHlwZVIHa2V5VHlwZUISChBfYm9vdHN0cmFwX3Rva2'
-    'Vu');
-
-@$core.Deprecated('Use authChallengeDescriptor instead')
-const AuthChallenge$json = {
-  '1': 'AuthChallenge',
-  '2': [
-    {'1': 'nonce', '3': 2, '4': 1, '5': 5, '10': 'nonce'},
-  ],
-  '9': [
-    {'1': 1, '2': 2},
-  ],
-};
-
-/// Descriptor for `AuthChallenge`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeDescriptor = $convert.base64Decode(
-    'Cg1BdXRoQ2hhbGxlbmdlEhQKBW5vbmNlGAIgASgFUgVub25jZUoECAEQAg==');
-
-@$core.Deprecated('Use authChallengeSolutionDescriptor instead')
-const AuthChallengeSolution$json = {
-  '1': 'AuthChallengeSolution',
-  '2': [
-    {'1': 'signature', '3': 1, '4': 1, '5': 12, '10': 'signature'},
-  ],
-};
-
-/// Descriptor for `AuthChallengeSolution`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeSolutionDescriptor = $convert.base64Decode(
-    'ChVBdXRoQ2hhbGxlbmdlU29sdXRpb24SHAoJc2lnbmF0dXJlGAEgASgMUglzaWduYXR1cmU=');
-
-@$core.Deprecated('Use unsealStartDescriptor instead')
-const UnsealStart$json = {
-  '1': 'UnsealStart',
-  '2': [
-    {'1': 'client_pubkey', '3': 1, '4': 1, '5': 12, '10': 'clientPubkey'},
-  ],
-};
-
-/// Descriptor for `UnsealStart`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List unsealStartDescriptor = $convert.base64Decode(
-    'CgtVbnNlYWxTdGFydBIjCg1jbGllbnRfcHVia2V5GAEgASgMUgxjbGllbnRQdWJrZXk=');
-
-@$core.Deprecated('Use unsealStartResponseDescriptor instead')
-const UnsealStartResponse$json = {
-  '1': 'UnsealStartResponse',
-  '2': [
-    {'1': 'server_pubkey', '3': 1, '4': 1, '5': 12, '10': 'serverPubkey'},
-  ],
-};
-
-/// Descriptor for `UnsealStartResponse`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List unsealStartResponseDescriptor = $convert.base64Decode(
-    'ChNVbnNlYWxTdGFydFJlc3BvbnNlEiMKDXNlcnZlcl9wdWJrZXkYASABKAxSDHNlcnZlclB1Ym'
-    'tleQ==');
-
-@$core.Deprecated('Use unsealEncryptedKeyDescriptor instead')
-const UnsealEncryptedKey$json = {
-  '1': 'UnsealEncryptedKey',
-  '2': [
-    {'1': 'nonce', '3': 1, '4': 1, '5': 12, '10': 'nonce'},
-    {'1': 'ciphertext', '3': 2, '4': 1, '5': 12, '10': 'ciphertext'},
-    {'1': 'associated_data', '3': 3, '4': 1, '5': 12, '10': 'associatedData'},
-  ],
-};
-
-/// Descriptor for `UnsealEncryptedKey`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List unsealEncryptedKeyDescriptor = $convert.base64Decode(
-    'ChJVbnNlYWxFbmNyeXB0ZWRLZXkSFAoFbm9uY2UYASABKAxSBW5vbmNlEh4KCmNpcGhlcnRleH'
-    'QYAiABKAxSCmNpcGhlcnRleHQSJwoPYXNzb2NpYXRlZF9kYXRhGAMgASgMUg5hc3NvY2lhdGVk'
-    'RGF0YQ==');
-
-@$core.Deprecated('Use bootstrapEncryptedKeyDescriptor instead')
-const BootstrapEncryptedKey$json = {
-  '1': 'BootstrapEncryptedKey',
-  '2': [
-    {'1': 'nonce', '3': 1, '4': 1, '5': 12, '10': 'nonce'},
-    {'1': 'ciphertext', '3': 2, '4': 1, '5': 12, '10': 'ciphertext'},
-    {'1': 'associated_data', '3': 3, '4': 1, '5': 12, '10': 'associatedData'},
-  ],
-};
-
-/// Descriptor for `BootstrapEncryptedKey`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List bootstrapEncryptedKeyDescriptor = $convert.base64Decode(
-    'ChVCb290c3RyYXBFbmNyeXB0ZWRLZXkSFAoFbm9uY2UYASABKAxSBW5vbmNlEh4KCmNpcGhlcn'
-    'RleHQYAiABKAxSCmNpcGhlcnRleHQSJwoPYXNzb2NpYXRlZF9kYXRhGAMgASgMUg5hc3NvY2lh'
-    'dGVkRGF0YQ==');
-
-@$core.Deprecated('Use sdkClientConnectionRequestDescriptor instead')
-const SdkClientConnectionRequest$json = {
-  '1': 'SdkClientConnectionRequest',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-    {
-      '1': 'info',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.client.ClientInfo',
-      '10': 'info'
-    },
-  ],
-};
-
-/// Descriptor for `SdkClientConnectionRequest`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientConnectionRequestDescriptor =
-    $convert.base64Decode(
-        'ChpTZGtDbGllbnRDb25uZWN0aW9uUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRIuCg'
-        'RpbmZvGAIgASgLMhouYXJiaXRlci5jbGllbnQuQ2xpZW50SW5mb1IEaW5mbw==');
-
-@$core.Deprecated('Use sdkClientConnectionResponseDescriptor instead')
-const SdkClientConnectionResponse$json = {
-  '1': 'SdkClientConnectionResponse',
-  '2': [
-    {'1': 'approved', '3': 1, '4': 1, '5': 8, '10': 'approved'},
-    {'1': 'pubkey', '3': 2, '4': 1, '5': 12, '10': 'pubkey'},
-  ],
-};
-
-/// Descriptor for `SdkClientConnectionResponse`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientConnectionResponseDescriptor =
-    $convert.base64Decode(
-        'ChtTZGtDbGllbnRDb25uZWN0aW9uUmVzcG9uc2USGgoIYXBwcm92ZWQYASABKAhSCGFwcHJvdm'
-        'VkEhYKBnB1YmtleRgCIAEoDFIGcHVia2V5');
-
-@$core.Deprecated('Use sdkClientConnectionCancelDescriptor instead')
-const SdkClientConnectionCancel$json = {
-  '1': 'SdkClientConnectionCancel',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-  ],
-};
-
-/// Descriptor for `SdkClientConnectionCancel`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientConnectionCancelDescriptor =
-    $convert.base64Decode(
-        'ChlTZGtDbGllbnRDb25uZWN0aW9uQ2FuY2VsEhYKBnB1YmtleRgBIAEoDFIGcHVia2V5');
-
-@$core.Deprecated('Use walletAccessDescriptor instead')
-const WalletAccess$json = {
-  '1': 'WalletAccess',
-  '2': [
-    {'1': 'wallet_id', '3': 1, '4': 1, '5': 5, '10': 'walletId'},
-    {'1': 'sdk_client_id', '3': 2, '4': 1, '5': 5, '10': 'sdkClientId'},
-  ],
-};
-
-/// Descriptor for `WalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List walletAccessDescriptor = $convert.base64Decode(
-    'CgxXYWxsZXRBY2Nlc3MSGwoJd2FsbGV0X2lkGAEgASgFUgh3YWxsZXRJZBIiCg1zZGtfY2xpZW'
-    '50X2lkGAIgASgFUgtzZGtDbGllbnRJZA==');
-
-@$core.Deprecated('Use sdkClientWalletAccessDescriptor instead')
-const SdkClientWalletAccess$json = {
-  '1': 'SdkClientWalletAccess',
-  '2': [
-    {'1': 'id', '3': 1, '4': 1, '5': 5, '10': 'id'},
-    {
-      '1': 'access',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.WalletAccess',
-      '10': 'access'
-    },
-  ],
-};
-
-/// Descriptor for `SdkClientWalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientWalletAccessDescriptor = $convert.base64Decode(
-    'ChVTZGtDbGllbnRXYWxsZXRBY2Nlc3MSDgoCaWQYASABKAVSAmlkEjgKBmFjY2VzcxgCIAEoCz'
-    'IgLmFyYml0ZXIudXNlcl9hZ2VudC5XYWxsZXRBY2Nlc3NSBmFjY2Vzcw==');
-
-@$core.Deprecated('Use sdkClientGrantWalletAccessDescriptor instead')
-const SdkClientGrantWalletAccess$json = {
-  '1': 'SdkClientGrantWalletAccess',
-  '2': [
-    {
-      '1': 'accesses',
-      '3': 1,
-      '4': 3,
-      '5': 11,
-      '6': '.arbiter.user_agent.WalletAccess',
-      '10': 'accesses'
-    },
-  ],
-};
-
-/// Descriptor for `SdkClientGrantWalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientGrantWalletAccessDescriptor =
-    $convert.base64Decode(
-        'ChpTZGtDbGllbnRHcmFudFdhbGxldEFjY2VzcxI8CghhY2Nlc3NlcxgBIAMoCzIgLmFyYml0ZX'
-        'IudXNlcl9hZ2VudC5XYWxsZXRBY2Nlc3NSCGFjY2Vzc2Vz');
-
-@$core.Deprecated('Use sdkClientRevokeWalletAccessDescriptor instead')
-const SdkClientRevokeWalletAccess$json = {
-  '1': 'SdkClientRevokeWalletAccess',
-  '2': [
-    {'1': 'accesses', '3': 1, '4': 3, '5': 5, '10': 'accesses'},
-  ],
-};
-
-/// Descriptor for `SdkClientRevokeWalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientRevokeWalletAccessDescriptor =
-    $convert.base64Decode(
-        'ChtTZGtDbGllbnRSZXZva2VXYWxsZXRBY2Nlc3MSGgoIYWNjZXNzZXMYASADKAVSCGFjY2Vzc2'
-        'Vz');
-
-@$core.Deprecated('Use listWalletAccessResponseDescriptor instead')
-const ListWalletAccessResponse$json = {
-  '1': 'ListWalletAccessResponse',
-  '2': [
-    {
-      '1': 'accesses',
-      '3': 1,
-      '4': 3,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientWalletAccess',
-      '10': 'accesses'
-    },
-  ],
-};
-
-/// Descriptor for `ListWalletAccessResponse`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List listWalletAccessResponseDescriptor =
-    $convert.base64Decode(
-        'ChhMaXN0V2FsbGV0QWNjZXNzUmVzcG9uc2USRQoIYWNjZXNzZXMYASADKAsyKS5hcmJpdGVyLn'
-        'VzZXJfYWdlbnQuU2RrQ2xpZW50V2FsbGV0QWNjZXNzUghhY2Nlc3Nlcw==');
-
 @$core.Deprecated('Use userAgentRequestDescriptor instead')
 const UserAgentRequest$json = {
   '1': 'UserAgentRequest',
   '2': [
     {'1': 'id', '3': 16, '4': 1, '5': 5, '10': 'id'},
     {
-      '1': 'auth_challenge_request',
+      '1': 'auth',
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.AuthChallengeRequest',
+      '6': '.arbiter.user_agent.auth.Request',
       '9': 0,
-      '10': 'authChallengeRequest'
+      '10': 'auth'
     },
     {
-      '1': 'auth_challenge_solution',
+      '1': 'vault',
       '3': 2,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.AuthChallengeSolution',
+      '6': '.arbiter.user_agent.vault.Request',
       '9': 0,
-      '10': 'authChallengeSolution'
+      '10': 'vault'
     },
     {
-      '1': 'unseal_start',
+      '1': 'evm',
       '3': 3,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.UnsealStart',
+      '6': '.arbiter.user_agent.evm.Request',
       '9': 0,
-      '10': 'unsealStart'
+      '10': 'evm'
     },
     {
-      '1': 'unseal_encrypted_key',
+      '1': 'sdk_client',
       '3': 4,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.UnsealEncryptedKey',
+      '6': '.arbiter.user_agent.sdk_client.Request',
       '9': 0,
-      '10': 'unsealEncryptedKey'
-    },
-    {
-      '1': 'query_vault_state',
-      '3': 5,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'queryVaultState'
-    },
-    {
-      '1': 'evm_wallet_create',
-      '3': 6,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'evmWalletCreate'
-    },
-    {
-      '1': 'evm_wallet_list',
-      '3': 7,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'evmWalletList'
-    },
-    {
-      '1': 'evm_grant_create',
-      '3': 8,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantCreateRequest',
-      '9': 0,
-      '10': 'evmGrantCreate'
-    },
-    {
-      '1': 'evm_grant_delete',
-      '3': 9,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantDeleteRequest',
-      '9': 0,
-      '10': 'evmGrantDelete'
-    },
-    {
-      '1': 'evm_grant_list',
-      '3': 10,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantListRequest',
-      '9': 0,
-      '10': 'evmGrantList'
-    },
-    {
-      '1': 'sdk_client_connection_response',
-      '3': 11,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientConnectionResponse',
-      '9': 0,
-      '10': 'sdkClientConnectionResponse'
-    },
-    {
-      '1': 'sdk_client_revoke',
-      '3': 12,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientRevokeRequest',
-      '9': 0,
-      '10': 'sdkClientRevoke'
-    },
-    {
-      '1': 'sdk_client_list',
-      '3': 13,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'sdkClientList'
-    },
-    {
-      '1': 'bootstrap_encrypted_key',
-      '3': 14,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.BootstrapEncryptedKey',
-      '9': 0,
-      '10': 'bootstrapEncryptedKey'
-    },
-    {
-      '1': 'grant_wallet_access',
-      '3': 15,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientGrantWalletAccess',
-      '9': 0,
-      '10': 'grantWalletAccess'
-    },
-    {
-      '1': 'revoke_wallet_access',
-      '3': 17,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientRevokeWalletAccess',
-      '9': 0,
-      '10': 'revokeWalletAccess'
-    },
-    {
-      '1': 'list_wallet_access',
-      '3': 18,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'listWalletAccess'
+      '10': 'sdkClient'
     },
   ],
   '8': [
@@ -675,33 +64,12 @@ const UserAgentRequest$json = {
 
 /// Descriptor for `UserAgentRequest`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List userAgentRequestDescriptor = $convert.base64Decode(
-    'ChBVc2VyQWdlbnRSZXF1ZXN0Eg4KAmlkGBAgASgFUgJpZBJgChZhdXRoX2NoYWxsZW5nZV9yZX'
-    'F1ZXN0GAEgASgLMiguYXJiaXRlci51c2VyX2FnZW50LkF1dGhDaGFsbGVuZ2VSZXF1ZXN0SABS'
-    'FGF1dGhDaGFsbGVuZ2VSZXF1ZXN0EmMKF2F1dGhfY2hhbGxlbmdlX3NvbHV0aW9uGAIgASgLMi'
-    'kuYXJiaXRlci51c2VyX2FnZW50LkF1dGhDaGFsbGVuZ2VTb2x1dGlvbkgAUhVhdXRoQ2hhbGxl'
-    'bmdlU29sdXRpb24SRAoMdW5zZWFsX3N0YXJ0GAMgASgLMh8uYXJiaXRlci51c2VyX2FnZW50Ll'
-    'Vuc2VhbFN0YXJ0SABSC3Vuc2VhbFN0YXJ0EloKFHVuc2VhbF9lbmNyeXB0ZWRfa2V5GAQgASgL'
-    'MiYuYXJiaXRlci51c2VyX2FnZW50LlVuc2VhbEVuY3J5cHRlZEtleUgAUhJ1bnNlYWxFbmNyeX'
-    'B0ZWRLZXkSRAoRcXVlcnlfdmF1bHRfc3RhdGUYBSABKAsyFi5nb29nbGUucHJvdG9idWYuRW1w'
-    'dHlIAFIPcXVlcnlWYXVsdFN0YXRlEkQKEWV2bV93YWxsZXRfY3JlYXRlGAYgASgLMhYuZ29vZ2'
-    'xlLnByb3RvYnVmLkVtcHR5SABSD2V2bVdhbGxldENyZWF0ZRJACg9ldm1fd2FsbGV0X2xpc3QY'
-    'ByABKAsyFi5nb29nbGUucHJvdG9idWYuRW1wdHlIAFINZXZtV2FsbGV0TGlzdBJOChBldm1fZ3'
-    'JhbnRfY3JlYXRlGAggASgLMiIuYXJiaXRlci5ldm0uRXZtR3JhbnRDcmVhdGVSZXF1ZXN0SABS'
-    'DmV2bUdyYW50Q3JlYXRlEk4KEGV2bV9ncmFudF9kZWxldGUYCSABKAsyIi5hcmJpdGVyLmV2bS'
-    '5Fdm1HcmFudERlbGV0ZVJlcXVlc3RIAFIOZXZtR3JhbnREZWxldGUSSAoOZXZtX2dyYW50X2xp'
-    'c3QYCiABKAsyIC5hcmJpdGVyLmV2bS5Fdm1HcmFudExpc3RSZXF1ZXN0SABSDGV2bUdyYW50TG'
-    'lzdBJ2Ch5zZGtfY2xpZW50X2Nvbm5lY3Rpb25fcmVzcG9uc2UYCyABKAsyLy5hcmJpdGVyLnVz'
-    'ZXJfYWdlbnQuU2RrQ2xpZW50Q29ubmVjdGlvblJlc3BvbnNlSABSG3Nka0NsaWVudENvbm5lY3'
-    'Rpb25SZXNwb25zZRJYChFzZGtfY2xpZW50X3Jldm9rZRgMIAEoCzIqLmFyYml0ZXIudXNlcl9h'
-    'Z2VudC5TZGtDbGllbnRSZXZva2VSZXF1ZXN0SABSD3Nka0NsaWVudFJldm9rZRJACg9zZGtfY2'
-    'xpZW50X2xpc3QYDSABKAsyFi5nb29nbGUucHJvdG9idWYuRW1wdHlIAFINc2RrQ2xpZW50TGlz'
-    'dBJjChdib290c3RyYXBfZW5jcnlwdGVkX2tleRgOIAEoCzIpLmFyYml0ZXIudXNlcl9hZ2VudC'
-    '5Cb290c3RyYXBFbmNyeXB0ZWRLZXlIAFIVYm9vdHN0cmFwRW5jcnlwdGVkS2V5EmAKE2dyYW50'
-    'X3dhbGxldF9hY2Nlc3MYDyABKAsyLi5hcmJpdGVyLnVzZXJfYWdlbnQuU2RrQ2xpZW50R3Jhbn'
-    'RXYWxsZXRBY2Nlc3NIAFIRZ3JhbnRXYWxsZXRBY2Nlc3MSYwoUcmV2b2tlX3dhbGxldF9hY2Nl'
-    'c3MYESABKAsyLy5hcmJpdGVyLnVzZXJfYWdlbnQuU2RrQ2xpZW50UmV2b2tlV2FsbGV0QWNjZX'
-    'NzSABSEnJldm9rZVdhbGxldEFjY2VzcxJGChJsaXN0X3dhbGxldF9hY2Nlc3MYEiABKAsyFi5n'
-    'b29nbGUucHJvdG9idWYuRW1wdHlIAFIQbGlzdFdhbGxldEFjY2Vzc0IJCgdwYXlsb2Fk');
+    'ChBVc2VyQWdlbnRSZXF1ZXN0Eg4KAmlkGBAgASgFUgJpZBI2CgRhdXRoGAEgASgLMiAuYXJiaX'
+    'Rlci51c2VyX2FnZW50LmF1dGguUmVxdWVzdEgAUgRhdXRoEjkKBXZhdWx0GAIgASgLMiEuYXJi'
+    'aXRlci51c2VyX2FnZW50LnZhdWx0LlJlcXVlc3RIAFIFdmF1bHQSMwoDZXZtGAMgASgLMh8uYX'
+    'JiaXRlci51c2VyX2FnZW50LmV2bS5SZXF1ZXN0SABSA2V2bRJHCgpzZGtfY2xpZW50GAQgASgL'
+    'MiYuYXJiaXRlci51c2VyX2FnZW50LnNka19jbGllbnQuUmVxdWVzdEgAUglzZGtDbGllbnRCCQ'
+    'oHcGF5bG9hZA==');
 
 @$core.Deprecated('Use userAgentResponseDescriptor instead')
 const UserAgentResponse$json = {
@@ -709,148 +77,40 @@ const UserAgentResponse$json = {
   '2': [
     {'1': 'id', '3': 16, '4': 1, '5': 5, '9': 1, '10': 'id', '17': true},
     {
-      '1': 'auth_challenge',
+      '1': 'auth',
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.AuthChallenge',
+      '6': '.arbiter.user_agent.auth.Response',
       '9': 0,
-      '10': 'authChallenge'
+      '10': 'auth'
     },
     {
-      '1': 'auth_result',
+      '1': 'vault',
       '3': 2,
       '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.AuthResult',
+      '5': 11,
+      '6': '.arbiter.user_agent.vault.Response',
       '9': 0,
-      '10': 'authResult'
+      '10': 'vault'
     },
     {
-      '1': 'unseal_start_response',
+      '1': 'evm',
       '3': 3,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.UnsealStartResponse',
+      '6': '.arbiter.user_agent.evm.Response',
       '9': 0,
-      '10': 'unsealStartResponse'
+      '10': 'evm'
     },
     {
-      '1': 'unseal_result',
+      '1': 'sdk_client',
       '3': 4,
       '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.UnsealResult',
-      '9': 0,
-      '10': 'unsealResult'
-    },
-    {
-      '1': 'vault_state',
-      '3': 5,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.VaultState',
-      '9': 0,
-      '10': 'vaultState'
-    },
-    {
-      '1': 'evm_wallet_create',
-      '3': 6,
-      '4': 1,
       '5': 11,
-      '6': '.arbiter.evm.WalletCreateResponse',
+      '6': '.arbiter.user_agent.sdk_client.Response',
       '9': 0,
-      '10': 'evmWalletCreate'
-    },
-    {
-      '1': 'evm_wallet_list',
-      '3': 7,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.WalletListResponse',
-      '9': 0,
-      '10': 'evmWalletList'
-    },
-    {
-      '1': 'evm_grant_create',
-      '3': 8,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantCreateResponse',
-      '9': 0,
-      '10': 'evmGrantCreate'
-    },
-    {
-      '1': 'evm_grant_delete',
-      '3': 9,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantDeleteResponse',
-      '9': 0,
-      '10': 'evmGrantDelete'
-    },
-    {
-      '1': 'evm_grant_list',
-      '3': 10,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantListResponse',
-      '9': 0,
-      '10': 'evmGrantList'
-    },
-    {
-      '1': 'sdk_client_connection_request',
-      '3': 11,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientConnectionRequest',
-      '9': 0,
-      '10': 'sdkClientConnectionRequest'
-    },
-    {
-      '1': 'sdk_client_connection_cancel',
-      '3': 12,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientConnectionCancel',
-      '9': 0,
-      '10': 'sdkClientConnectionCancel'
-    },
-    {
-      '1': 'sdk_client_revoke_response',
-      '3': 13,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientRevokeResponse',
-      '9': 0,
-      '10': 'sdkClientRevokeResponse'
-    },
-    {
-      '1': 'sdk_client_list_response',
-      '3': 14,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientListResponse',
-      '9': 0,
-      '10': 'sdkClientListResponse'
-    },
-    {
-      '1': 'bootstrap_result',
-      '3': 15,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.BootstrapResult',
-      '9': 0,
-      '10': 'bootstrapResult'
-    },
-    {
-      '1': 'list_wallet_access_response',
-      '3': 17,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.ListWalletAccessResponse',
-      '9': 0,
-      '10': 'listWalletAccessResponse'
+      '10': 'sdkClient'
     },
   ],
   '8': [
@@ -861,30 +121,9 @@ const UserAgentResponse$json = {
 
 /// Descriptor for `UserAgentResponse`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List userAgentResponseDescriptor = $convert.base64Decode(
-    'ChFVc2VyQWdlbnRSZXNwb25zZRITCgJpZBgQIAEoBUgBUgJpZIgBARJKCg5hdXRoX2NoYWxsZW'
-    '5nZRgBIAEoCzIhLmFyYml0ZXIudXNlcl9hZ2VudC5BdXRoQ2hhbGxlbmdlSABSDWF1dGhDaGFs'
-    'bGVuZ2USQQoLYXV0aF9yZXN1bHQYAiABKA4yHi5hcmJpdGVyLnVzZXJfYWdlbnQuQXV0aFJlc3'
-    'VsdEgAUgphdXRoUmVzdWx0El0KFXVuc2VhbF9zdGFydF9yZXNwb25zZRgDIAEoCzInLmFyYml0'
-    'ZXIudXNlcl9hZ2VudC5VbnNlYWxTdGFydFJlc3BvbnNlSABSE3Vuc2VhbFN0YXJ0UmVzcG9uc2'
-    'USRwoNdW5zZWFsX3Jlc3VsdBgEIAEoDjIgLmFyYml0ZXIudXNlcl9hZ2VudC5VbnNlYWxSZXN1'
-    'bHRIAFIMdW5zZWFsUmVzdWx0EkEKC3ZhdWx0X3N0YXRlGAUgASgOMh4uYXJiaXRlci51c2VyX2'
-    'FnZW50LlZhdWx0U3RhdGVIAFIKdmF1bHRTdGF0ZRJPChFldm1fd2FsbGV0X2NyZWF0ZRgGIAEo'
-    'CzIhLmFyYml0ZXIuZXZtLldhbGxldENyZWF0ZVJlc3BvbnNlSABSD2V2bVdhbGxldENyZWF0ZR'
-    'JJCg9ldm1fd2FsbGV0X2xpc3QYByABKAsyHy5hcmJpdGVyLmV2bS5XYWxsZXRMaXN0UmVzcG9u'
-    'c2VIAFINZXZtV2FsbGV0TGlzdBJPChBldm1fZ3JhbnRfY3JlYXRlGAggASgLMiMuYXJiaXRlci'
-    '5ldm0uRXZtR3JhbnRDcmVhdGVSZXNwb25zZUgAUg5ldm1HcmFudENyZWF0ZRJPChBldm1fZ3Jh'
-    'bnRfZGVsZXRlGAkgASgLMiMuYXJiaXRlci5ldm0uRXZtR3JhbnREZWxldGVSZXNwb25zZUgAUg'
-    '5ldm1HcmFudERlbGV0ZRJJCg5ldm1fZ3JhbnRfbGlzdBgKIAEoCzIhLmFyYml0ZXIuZXZtLkV2'
-    'bUdyYW50TGlzdFJlc3BvbnNlSABSDGV2bUdyYW50TGlzdBJzCh1zZGtfY2xpZW50X2Nvbm5lY3'
-    'Rpb25fcmVxdWVzdBgLIAEoCzIuLmFyYml0ZXIudXNlcl9hZ2VudC5TZGtDbGllbnRDb25uZWN0'
-    'aW9uUmVxdWVzdEgAUhpzZGtDbGllbnRDb25uZWN0aW9uUmVxdWVzdBJwChxzZGtfY2xpZW50X2'
-    'Nvbm5lY3Rpb25fY2FuY2VsGAwgASgLMi0uYXJiaXRlci51c2VyX2FnZW50LlNka0NsaWVudENv'
-    'bm5lY3Rpb25DYW5jZWxIAFIZc2RrQ2xpZW50Q29ubmVjdGlvbkNhbmNlbBJqChpzZGtfY2xpZW'
-    '50X3Jldm9rZV9yZXNwb25zZRgNIAEoCzIrLmFyYml0ZXIudXNlcl9hZ2VudC5TZGtDbGllbnRS'
-    'ZXZva2VSZXNwb25zZUgAUhdzZGtDbGllbnRSZXZva2VSZXNwb25zZRJkChhzZGtfY2xpZW50X2'
-    'xpc3RfcmVzcG9uc2UYDiABKAsyKS5hcmJpdGVyLnVzZXJfYWdlbnQuU2RrQ2xpZW50TGlzdFJl'
-    'c3BvbnNlSABSFXNka0NsaWVudExpc3RSZXNwb25zZRJQChBib290c3RyYXBfcmVzdWx0GA8gAS'
-    'gOMiMuYXJiaXRlci51c2VyX2FnZW50LkJvb3RzdHJhcFJlc3VsdEgAUg9ib290c3RyYXBSZXN1'
-    'bHQSbQobbGlzdF93YWxsZXRfYWNjZXNzX3Jlc3BvbnNlGBEgASgLMiwuYXJiaXRlci51c2VyX2'
-    'FnZW50Lkxpc3RXYWxsZXRBY2Nlc3NSZXNwb25zZUgAUhhsaXN0V2FsbGV0QWNjZXNzUmVzcG9u'
-    'c2VCCQoHcGF5bG9hZEIFCgNfaWQ=');
+    'ChFVc2VyQWdlbnRSZXNwb25zZRITCgJpZBgQIAEoBUgBUgJpZIgBARI3CgRhdXRoGAEgASgLMi'
+    'EuYXJiaXRlci51c2VyX2FnZW50LmF1dGguUmVzcG9uc2VIAFIEYXV0aBI6CgV2YXVsdBgCIAEo'
+    'CzIiLmFyYml0ZXIudXNlcl9hZ2VudC52YXVsdC5SZXNwb25zZUgAUgV2YXVsdBI0CgNldm0YAy'
+    'ABKAsyIC5hcmJpdGVyLnVzZXJfYWdlbnQuZXZtLlJlc3BvbnNlSABSA2V2bRJICgpzZGtfY2xp'
+    'ZW50GAQgASgLMicuYXJiaXRlci51c2VyX2FnZW50LnNka19jbGllbnQuUmVzcG9uc2VIAFIJc2'
+    'RrQ2xpZW50QgkKB3BheWxvYWRCBQoDX2lk');
diff --git a/useragent/lib/proto/user_agent/auth.pb.dart b/useragent/lib/proto/user_agent/auth.pb.dart
new file mode 100644
index 0000000..8bfea1e
--- /dev/null
+++ b/useragent/lib/proto/user_agent/auth.pb.dart
@@ -0,0 +1,391 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+import 'auth.pbenum.dart';
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+export 'auth.pbenum.dart';
+
+class AuthChallengeRequest extends $pb.GeneratedMessage {
+  factory AuthChallengeRequest({
+    $core.List<$core.int>? pubkey,
+    $core.String? bootstrapToken,
+    KeyType? keyType,
+  }) {
+    final result = create();
+    if (pubkey != null) result.pubkey = pubkey;
+    if (bootstrapToken != null) result.bootstrapToken = bootstrapToken;
+    if (keyType != null) result.keyType = keyType;
+    return result;
+  }
+
+  AuthChallengeRequest._();
+
+  factory AuthChallengeRequest.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallengeRequest.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallengeRequest',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..aOS(2, _omitFieldNames ? '' : 'bootstrapToken')
+    ..aE<KeyType>(3, _omitFieldNames ? '' : 'keyType',
+        enumValues: KeyType.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeRequest clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeRequest copyWith(void Function(AuthChallengeRequest) updates) =>
+      super.copyWith((message) => updates(message as AuthChallengeRequest))
+          as AuthChallengeRequest;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeRequest create() => AuthChallengeRequest._();
+  @$core.override
+  AuthChallengeRequest createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeRequest getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallengeRequest>(create);
+  static AuthChallengeRequest? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get pubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearPubkey() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.String get bootstrapToken => $_getSZ(1);
+  @$pb.TagNumber(2)
+  set bootstrapToken($core.String value) => $_setString(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasBootstrapToken() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearBootstrapToken() => $_clearField(2);
+
+  @$pb.TagNumber(3)
+  KeyType get keyType => $_getN(2);
+  @$pb.TagNumber(3)
+  set keyType(KeyType value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasKeyType() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearKeyType() => $_clearField(3);
+}
+
+class AuthChallenge extends $pb.GeneratedMessage {
+  factory AuthChallenge({
+    $core.int? nonce,
+  }) {
+    final result = create();
+    if (nonce != null) result.nonce = nonce;
+    return result;
+  }
+
+  AuthChallenge._();
+
+  factory AuthChallenge.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallenge.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallenge',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.auth'),
+      createEmptyInstance: create)
+    ..aI(1, _omitFieldNames ? '' : 'nonce')
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallenge clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallenge copyWith(void Function(AuthChallenge) updates) =>
+      super.copyWith((message) => updates(message as AuthChallenge))
+          as AuthChallenge;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallenge create() => AuthChallenge._();
+  @$core.override
+  AuthChallenge createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallenge getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallenge>(create);
+  static AuthChallenge? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.int get nonce => $_getIZ(0);
+  @$pb.TagNumber(1)
+  set nonce($core.int value) => $_setSignedInt32(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasNonce() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearNonce() => $_clearField(1);
+}
+
+class AuthChallengeSolution extends $pb.GeneratedMessage {
+  factory AuthChallengeSolution({
+    $core.List<$core.int>? signature,
+  }) {
+    final result = create();
+    if (signature != null) result.signature = signature;
+    return result;
+  }
+
+  AuthChallengeSolution._();
+
+  factory AuthChallengeSolution.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallengeSolution.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallengeSolution',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeSolution clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeSolution copyWith(
+          void Function(AuthChallengeSolution) updates) =>
+      super.copyWith((message) => updates(message as AuthChallengeSolution))
+          as AuthChallengeSolution;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeSolution create() => AuthChallengeSolution._();
+  @$core.override
+  AuthChallengeSolution createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeSolution getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallengeSolution>(create);
+  static AuthChallengeSolution? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get signature => $_getN(0);
+  @$pb.TagNumber(1)
+  set signature($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSignature() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSignature() => $_clearField(1);
+}
+
+enum Request_Payload { challengeRequest, challengeSolution, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    AuthChallengeRequest? challengeRequest,
+    AuthChallengeSolution? challengeSolution,
+  }) {
+    final result = create();
+    if (challengeRequest != null) result.challengeRequest = challengeRequest;
+    if (challengeSolution != null) result.challengeSolution = challengeSolution;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.challengeRequest,
+    2: Request_Payload.challengeSolution,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.auth'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<AuthChallengeRequest>(1, _omitFieldNames ? '' : 'challengeRequest',
+        subBuilder: AuthChallengeRequest.create)
+    ..aOM<AuthChallengeSolution>(2, _omitFieldNames ? '' : 'challengeSolution',
+        subBuilder: AuthChallengeSolution.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  AuthChallengeRequest get challengeRequest => $_getN(0);
+  @$pb.TagNumber(1)
+  set challengeRequest(AuthChallengeRequest value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasChallengeRequest() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearChallengeRequest() => $_clearField(1);
+  @$pb.TagNumber(1)
+  AuthChallengeRequest ensureChallengeRequest() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  AuthChallengeSolution get challengeSolution => $_getN(1);
+  @$pb.TagNumber(2)
+  set challengeSolution(AuthChallengeSolution value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasChallengeSolution() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearChallengeSolution() => $_clearField(2);
+  @$pb.TagNumber(2)
+  AuthChallengeSolution ensureChallengeSolution() => $_ensure(1);
+}
+
+enum Response_Payload { challenge, result, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    AuthChallenge? challenge,
+    AuthResult? result,
+  }) {
+    final result$ = create();
+    if (challenge != null) result$.challenge = challenge;
+    if (result != null) result$.result = result;
+    return result$;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.challenge,
+    2: Response_Payload.result,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.auth'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<AuthChallenge>(1, _omitFieldNames ? '' : 'challenge',
+        subBuilder: AuthChallenge.create)
+    ..aE<AuthResult>(2, _omitFieldNames ? '' : 'result',
+        enumValues: AuthResult.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  AuthChallenge get challenge => $_getN(0);
+  @$pb.TagNumber(1)
+  set challenge(AuthChallenge value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasChallenge() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearChallenge() => $_clearField(1);
+  @$pb.TagNumber(1)
+  AuthChallenge ensureChallenge() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  AuthResult get result => $_getN(1);
+  @$pb.TagNumber(2)
+  set result(AuthResult value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasResult() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearResult() => $_clearField(2);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');
diff --git a/useragent/lib/proto/user_agent/auth.pbenum.dart b/useragent/lib/proto/user_agent/auth.pbenum.dart
new file mode 100644
index 0000000..853cbed
--- /dev/null
+++ b/useragent/lib/proto/user_agent/auth.pbenum.dart
@@ -0,0 +1,77 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+class KeyType extends $pb.ProtobufEnum {
+  static const KeyType KEY_TYPE_UNSPECIFIED =
+      KeyType._(0, _omitEnumNames ? '' : 'KEY_TYPE_UNSPECIFIED');
+  static const KeyType KEY_TYPE_ED25519 =
+      KeyType._(1, _omitEnumNames ? '' : 'KEY_TYPE_ED25519');
+  static const KeyType KEY_TYPE_ECDSA_SECP256K1 =
+      KeyType._(2, _omitEnumNames ? '' : 'KEY_TYPE_ECDSA_SECP256K1');
+  static const KeyType KEY_TYPE_RSA =
+      KeyType._(3, _omitEnumNames ? '' : 'KEY_TYPE_RSA');
+
+  static const $core.List<KeyType> values = <KeyType>[
+    KEY_TYPE_UNSPECIFIED,
+    KEY_TYPE_ED25519,
+    KEY_TYPE_ECDSA_SECP256K1,
+    KEY_TYPE_RSA,
+  ];
+
+  static final $core.List<KeyType?> _byValue =
+      $pb.ProtobufEnum.$_initByValueList(values, 3);
+  static KeyType? valueOf($core.int value) =>
+      value < 0 || value >= _byValue.length ? null : _byValue[value];
+
+  const KeyType._(super.value, super.name);
+}
+
+class AuthResult extends $pb.ProtobufEnum {
+  static const AuthResult AUTH_RESULT_UNSPECIFIED =
+      AuthResult._(0, _omitEnumNames ? '' : 'AUTH_RESULT_UNSPECIFIED');
+  static const AuthResult AUTH_RESULT_SUCCESS =
+      AuthResult._(1, _omitEnumNames ? '' : 'AUTH_RESULT_SUCCESS');
+  static const AuthResult AUTH_RESULT_INVALID_KEY =
+      AuthResult._(2, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_KEY');
+  static const AuthResult AUTH_RESULT_INVALID_SIGNATURE =
+      AuthResult._(3, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_SIGNATURE');
+  static const AuthResult AUTH_RESULT_BOOTSTRAP_REQUIRED =
+      AuthResult._(4, _omitEnumNames ? '' : 'AUTH_RESULT_BOOTSTRAP_REQUIRED');
+  static const AuthResult AUTH_RESULT_TOKEN_INVALID =
+      AuthResult._(5, _omitEnumNames ? '' : 'AUTH_RESULT_TOKEN_INVALID');
+  static const AuthResult AUTH_RESULT_INTERNAL =
+      AuthResult._(6, _omitEnumNames ? '' : 'AUTH_RESULT_INTERNAL');
+
+  static const $core.List<AuthResult> values = <AuthResult>[
+    AUTH_RESULT_UNSPECIFIED,
+    AUTH_RESULT_SUCCESS,
+    AUTH_RESULT_INVALID_KEY,
+    AUTH_RESULT_INVALID_SIGNATURE,
+    AUTH_RESULT_BOOTSTRAP_REQUIRED,
+    AUTH_RESULT_TOKEN_INVALID,
+    AUTH_RESULT_INTERNAL,
+  ];
+
+  static final $core.List<AuthResult?> _byValue =
+      $pb.ProtobufEnum.$_initByValueList(values, 6);
+  static AuthResult? valueOf($core.int value) =>
+      value < 0 || value >= _byValue.length ? null : _byValue[value];
+
+  const AuthResult._(super.value, super.name);
+}
+
+const $core.bool _omitEnumNames =
+    $core.bool.fromEnvironment('protobuf.omit_enum_names');
diff --git a/useragent/lib/proto/user_agent/auth.pbjson.dart b/useragent/lib/proto/user_agent/auth.pbjson.dart
new file mode 100644
index 0000000..87fc1c6
--- /dev/null
+++ b/useragent/lib/proto/user_agent/auth.pbjson.dart
@@ -0,0 +1,182 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use keyTypeDescriptor instead')
+const KeyType$json = {
+  '1': 'KeyType',
+  '2': [
+    {'1': 'KEY_TYPE_UNSPECIFIED', '2': 0},
+    {'1': 'KEY_TYPE_ED25519', '2': 1},
+    {'1': 'KEY_TYPE_ECDSA_SECP256K1', '2': 2},
+    {'1': 'KEY_TYPE_RSA', '2': 3},
+  ],
+};
+
+/// Descriptor for `KeyType`. Decode as a `google.protobuf.EnumDescriptorProto`.
+final $typed_data.Uint8List keyTypeDescriptor = $convert.base64Decode(
+    'CgdLZXlUeXBlEhgKFEtFWV9UWVBFX1VOU1BFQ0lGSUVEEAASFAoQS0VZX1RZUEVfRUQyNTUxOR'
+    'ABEhwKGEtFWV9UWVBFX0VDRFNBX1NFQ1AyNTZLMRACEhAKDEtFWV9UWVBFX1JTQRAD');
+
+@$core.Deprecated('Use authResultDescriptor instead')
+const AuthResult$json = {
+  '1': 'AuthResult',
+  '2': [
+    {'1': 'AUTH_RESULT_UNSPECIFIED', '2': 0},
+    {'1': 'AUTH_RESULT_SUCCESS', '2': 1},
+    {'1': 'AUTH_RESULT_INVALID_KEY', '2': 2},
+    {'1': 'AUTH_RESULT_INVALID_SIGNATURE', '2': 3},
+    {'1': 'AUTH_RESULT_BOOTSTRAP_REQUIRED', '2': 4},
+    {'1': 'AUTH_RESULT_TOKEN_INVALID', '2': 5},
+    {'1': 'AUTH_RESULT_INTERNAL', '2': 6},
+  ],
+};
+
+/// Descriptor for `AuthResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
+final $typed_data.Uint8List authResultDescriptor = $convert.base64Decode(
+    'CgpBdXRoUmVzdWx0EhsKF0FVVEhfUkVTVUxUX1VOU1BFQ0lGSUVEEAASFwoTQVVUSF9SRVNVTF'
+    'RfU1VDQ0VTUxABEhsKF0FVVEhfUkVTVUxUX0lOVkFMSURfS0VZEAISIQodQVVUSF9SRVNVTFRf'
+    'SU5WQUxJRF9TSUdOQVRVUkUQAxIiCh5BVVRIX1JFU1VMVF9CT09UU1RSQVBfUkVRVUlSRUQQBB'
+    'IdChlBVVRIX1JFU1VMVF9UT0tFTl9JTlZBTElEEAUSGAoUQVVUSF9SRVNVTFRfSU5URVJOQUwQ'
+    'Bg==');
+
+@$core.Deprecated('Use authChallengeRequestDescriptor instead')
+const AuthChallengeRequest$json = {
+  '1': 'AuthChallengeRequest',
+  '2': [
+    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
+    {
+      '1': 'bootstrap_token',
+      '3': 2,
+      '4': 1,
+      '5': 9,
+      '9': 0,
+      '10': 'bootstrapToken',
+      '17': true
+    },
+    {
+      '1': 'key_type',
+      '3': 3,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.user_agent.auth.KeyType',
+      '10': 'keyType'
+    },
+  ],
+  '8': [
+    {'1': '_bootstrap_token'},
+  ],
+};
+
+/// Descriptor for `AuthChallengeRequest`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeRequestDescriptor = $convert.base64Decode(
+    'ChRBdXRoQ2hhbGxlbmdlUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRIsCg9ib290c3'
+    'RyYXBfdG9rZW4YAiABKAlIAFIOYm9vdHN0cmFwVG9rZW6IAQESOwoIa2V5X3R5cGUYAyABKA4y'
+    'IC5hcmJpdGVyLnVzZXJfYWdlbnQuYXV0aC5LZXlUeXBlUgdrZXlUeXBlQhIKEF9ib290c3RyYX'
+    'BfdG9rZW4=');
+
+@$core.Deprecated('Use authChallengeDescriptor instead')
+const AuthChallenge$json = {
+  '1': 'AuthChallenge',
+  '2': [
+    {'1': 'nonce', '3': 1, '4': 1, '5': 5, '10': 'nonce'},
+  ],
+};
+
+/// Descriptor for `AuthChallenge`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeDescriptor = $convert
+    .base64Decode('Cg1BdXRoQ2hhbGxlbmdlEhQKBW5vbmNlGAEgASgFUgVub25jZQ==');
+
+@$core.Deprecated('Use authChallengeSolutionDescriptor instead')
+const AuthChallengeSolution$json = {
+  '1': 'AuthChallengeSolution',
+  '2': [
+    {'1': 'signature', '3': 1, '4': 1, '5': 12, '10': 'signature'},
+  ],
+};
+
+/// Descriptor for `AuthChallengeSolution`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeSolutionDescriptor = $convert.base64Decode(
+    'ChVBdXRoQ2hhbGxlbmdlU29sdXRpb24SHAoJc2lnbmF0dXJlGAEgASgMUglzaWduYXR1cmU=');
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'challenge_request',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.auth.AuthChallengeRequest',
+      '9': 0,
+      '10': 'challengeRequest'
+    },
+    {
+      '1': 'challenge_solution',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.auth.AuthChallengeSolution',
+      '9': 0,
+      '10': 'challengeSolution'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0ElwKEWNoYWxsZW5nZV9yZXF1ZXN0GAEgASgLMi0uYXJiaXRlci51c2VyX2FnZW'
+    '50LmF1dGguQXV0aENoYWxsZW5nZVJlcXVlc3RIAFIQY2hhbGxlbmdlUmVxdWVzdBJfChJjaGFs'
+    'bGVuZ2Vfc29sdXRpb24YAiABKAsyLi5hcmJpdGVyLnVzZXJfYWdlbnQuYXV0aC5BdXRoQ2hhbG'
+    'xlbmdlU29sdXRpb25IAFIRY2hhbGxlbmdlU29sdXRpb25CCQoHcGF5bG9hZA==');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'challenge',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.auth.AuthChallenge',
+      '9': 0,
+      '10': 'challenge'
+    },
+    {
+      '1': 'result',
+      '3': 2,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.user_agent.auth.AuthResult',
+      '9': 0,
+      '10': 'result'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRJGCgljaGFsbGVuZ2UYASABKAsyJi5hcmJpdGVyLnVzZXJfYWdlbnQuYXV0aC'
+    '5BdXRoQ2hhbGxlbmdlSABSCWNoYWxsZW5nZRI9CgZyZXN1bHQYAiABKA4yIy5hcmJpdGVyLnVz'
+    'ZXJfYWdlbnQuYXV0aC5BdXRoUmVzdWx0SABSBnJlc3VsdEIJCgdwYXlsb2Fk');
diff --git a/useragent/lib/proto/user_agent/evm.pb.dart b/useragent/lib/proto/user_agent/evm.pb.dart
new file mode 100644
index 0000000..1819ca7
--- /dev/null
+++ b/useragent/lib/proto/user_agent/evm.pb.dart
@@ -0,0 +1,432 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $1;
+
+import '../evm.pb.dart' as $0;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+class SignTransactionRequest extends $pb.GeneratedMessage {
+  factory SignTransactionRequest({
+    $core.int? clientId,
+    $0.EvmSignTransactionRequest? request,
+  }) {
+    final result = create();
+    if (clientId != null) result.clientId = clientId;
+    if (request != null) result.request = request;
+    return result;
+  }
+
+  SignTransactionRequest._();
+
+  factory SignTransactionRequest.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory SignTransactionRequest.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'SignTransactionRequest',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.evm'),
+      createEmptyInstance: create)
+    ..aI(1, _omitFieldNames ? '' : 'clientId')
+    ..aOM<$0.EvmSignTransactionRequest>(2, _omitFieldNames ? '' : 'request',
+        subBuilder: $0.EvmSignTransactionRequest.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  SignTransactionRequest clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  SignTransactionRequest copyWith(
+          void Function(SignTransactionRequest) updates) =>
+      super.copyWith((message) => updates(message as SignTransactionRequest))
+          as SignTransactionRequest;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static SignTransactionRequest create() => SignTransactionRequest._();
+  @$core.override
+  SignTransactionRequest createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static SignTransactionRequest getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<SignTransactionRequest>(create);
+  static SignTransactionRequest? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.int get clientId => $_getIZ(0);
+  @$pb.TagNumber(1)
+  set clientId($core.int value) => $_setSignedInt32(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasClientId() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearClientId() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $0.EvmSignTransactionRequest get request => $_getN(1);
+  @$pb.TagNumber(2)
+  set request($0.EvmSignTransactionRequest value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasRequest() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearRequest() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.EvmSignTransactionRequest ensureRequest() => $_ensure(1);
+}
+
+enum Request_Payload {
+  walletCreate,
+  walletList,
+  grantCreate,
+  grantDelete,
+  grantList,
+  signTransaction,
+  notSet
+}
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    $1.Empty? walletCreate,
+    $1.Empty? walletList,
+    $0.EvmGrantCreateRequest? grantCreate,
+    $0.EvmGrantDeleteRequest? grantDelete,
+    $0.EvmGrantListRequest? grantList,
+    SignTransactionRequest? signTransaction,
+  }) {
+    final result = create();
+    if (walletCreate != null) result.walletCreate = walletCreate;
+    if (walletList != null) result.walletList = walletList;
+    if (grantCreate != null) result.grantCreate = grantCreate;
+    if (grantDelete != null) result.grantDelete = grantDelete;
+    if (grantList != null) result.grantList = grantList;
+    if (signTransaction != null) result.signTransaction = signTransaction;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.walletCreate,
+    2: Request_Payload.walletList,
+    3: Request_Payload.grantCreate,
+    4: Request_Payload.grantDelete,
+    5: Request_Payload.grantList,
+    6: Request_Payload.signTransaction,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2, 3, 4, 5, 6])
+    ..aOM<$1.Empty>(1, _omitFieldNames ? '' : 'walletCreate',
+        subBuilder: $1.Empty.create)
+    ..aOM<$1.Empty>(2, _omitFieldNames ? '' : 'walletList',
+        subBuilder: $1.Empty.create)
+    ..aOM<$0.EvmGrantCreateRequest>(3, _omitFieldNames ? '' : 'grantCreate',
+        subBuilder: $0.EvmGrantCreateRequest.create)
+    ..aOM<$0.EvmGrantDeleteRequest>(4, _omitFieldNames ? '' : 'grantDelete',
+        subBuilder: $0.EvmGrantDeleteRequest.create)
+    ..aOM<$0.EvmGrantListRequest>(5, _omitFieldNames ? '' : 'grantList',
+        subBuilder: $0.EvmGrantListRequest.create)
+    ..aOM<SignTransactionRequest>(6, _omitFieldNames ? '' : 'signTransaction',
+        subBuilder: SignTransactionRequest.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  @$pb.TagNumber(6)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  @$pb.TagNumber(6)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $1.Empty get walletCreate => $_getN(0);
+  @$pb.TagNumber(1)
+  set walletCreate($1.Empty value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasWalletCreate() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearWalletCreate() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $1.Empty ensureWalletCreate() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $1.Empty get walletList => $_getN(1);
+  @$pb.TagNumber(2)
+  set walletList($1.Empty value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasWalletList() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearWalletList() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $1.Empty ensureWalletList() => $_ensure(1);
+
+  @$pb.TagNumber(3)
+  $0.EvmGrantCreateRequest get grantCreate => $_getN(2);
+  @$pb.TagNumber(3)
+  set grantCreate($0.EvmGrantCreateRequest value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasGrantCreate() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearGrantCreate() => $_clearField(3);
+  @$pb.TagNumber(3)
+  $0.EvmGrantCreateRequest ensureGrantCreate() => $_ensure(2);
+
+  @$pb.TagNumber(4)
+  $0.EvmGrantDeleteRequest get grantDelete => $_getN(3);
+  @$pb.TagNumber(4)
+  set grantDelete($0.EvmGrantDeleteRequest value) => $_setField(4, value);
+  @$pb.TagNumber(4)
+  $core.bool hasGrantDelete() => $_has(3);
+  @$pb.TagNumber(4)
+  void clearGrantDelete() => $_clearField(4);
+  @$pb.TagNumber(4)
+  $0.EvmGrantDeleteRequest ensureGrantDelete() => $_ensure(3);
+
+  @$pb.TagNumber(5)
+  $0.EvmGrantListRequest get grantList => $_getN(4);
+  @$pb.TagNumber(5)
+  set grantList($0.EvmGrantListRequest value) => $_setField(5, value);
+  @$pb.TagNumber(5)
+  $core.bool hasGrantList() => $_has(4);
+  @$pb.TagNumber(5)
+  void clearGrantList() => $_clearField(5);
+  @$pb.TagNumber(5)
+  $0.EvmGrantListRequest ensureGrantList() => $_ensure(4);
+
+  @$pb.TagNumber(6)
+  SignTransactionRequest get signTransaction => $_getN(5);
+  @$pb.TagNumber(6)
+  set signTransaction(SignTransactionRequest value) => $_setField(6, value);
+  @$pb.TagNumber(6)
+  $core.bool hasSignTransaction() => $_has(5);
+  @$pb.TagNumber(6)
+  void clearSignTransaction() => $_clearField(6);
+  @$pb.TagNumber(6)
+  SignTransactionRequest ensureSignTransaction() => $_ensure(5);
+}
+
+enum Response_Payload {
+  walletCreate,
+  walletList,
+  grantCreate,
+  grantDelete,
+  grantList,
+  signTransaction,
+  notSet
+}
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    $0.WalletCreateResponse? walletCreate,
+    $0.WalletListResponse? walletList,
+    $0.EvmGrantCreateResponse? grantCreate,
+    $0.EvmGrantDeleteResponse? grantDelete,
+    $0.EvmGrantListResponse? grantList,
+    $0.EvmSignTransactionResponse? signTransaction,
+  }) {
+    final result = create();
+    if (walletCreate != null) result.walletCreate = walletCreate;
+    if (walletList != null) result.walletList = walletList;
+    if (grantCreate != null) result.grantCreate = grantCreate;
+    if (grantDelete != null) result.grantDelete = grantDelete;
+    if (grantList != null) result.grantList = grantList;
+    if (signTransaction != null) result.signTransaction = signTransaction;
+    return result;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.walletCreate,
+    2: Response_Payload.walletList,
+    3: Response_Payload.grantCreate,
+    4: Response_Payload.grantDelete,
+    5: Response_Payload.grantList,
+    6: Response_Payload.signTransaction,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2, 3, 4, 5, 6])
+    ..aOM<$0.WalletCreateResponse>(1, _omitFieldNames ? '' : 'walletCreate',
+        subBuilder: $0.WalletCreateResponse.create)
+    ..aOM<$0.WalletListResponse>(2, _omitFieldNames ? '' : 'walletList',
+        subBuilder: $0.WalletListResponse.create)
+    ..aOM<$0.EvmGrantCreateResponse>(3, _omitFieldNames ? '' : 'grantCreate',
+        subBuilder: $0.EvmGrantCreateResponse.create)
+    ..aOM<$0.EvmGrantDeleteResponse>(4, _omitFieldNames ? '' : 'grantDelete',
+        subBuilder: $0.EvmGrantDeleteResponse.create)
+    ..aOM<$0.EvmGrantListResponse>(5, _omitFieldNames ? '' : 'grantList',
+        subBuilder: $0.EvmGrantListResponse.create)
+    ..aOM<$0.EvmSignTransactionResponse>(
+        6, _omitFieldNames ? '' : 'signTransaction',
+        subBuilder: $0.EvmSignTransactionResponse.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  @$pb.TagNumber(6)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  @$pb.TagNumber(6)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.WalletCreateResponse get walletCreate => $_getN(0);
+  @$pb.TagNumber(1)
+  set walletCreate($0.WalletCreateResponse value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasWalletCreate() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearWalletCreate() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.WalletCreateResponse ensureWalletCreate() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $0.WalletListResponse get walletList => $_getN(1);
+  @$pb.TagNumber(2)
+  set walletList($0.WalletListResponse value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasWalletList() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearWalletList() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.WalletListResponse ensureWalletList() => $_ensure(1);
+
+  @$pb.TagNumber(3)
+  $0.EvmGrantCreateResponse get grantCreate => $_getN(2);
+  @$pb.TagNumber(3)
+  set grantCreate($0.EvmGrantCreateResponse value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasGrantCreate() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearGrantCreate() => $_clearField(3);
+  @$pb.TagNumber(3)
+  $0.EvmGrantCreateResponse ensureGrantCreate() => $_ensure(2);
+
+  @$pb.TagNumber(4)
+  $0.EvmGrantDeleteResponse get grantDelete => $_getN(3);
+  @$pb.TagNumber(4)
+  set grantDelete($0.EvmGrantDeleteResponse value) => $_setField(4, value);
+  @$pb.TagNumber(4)
+  $core.bool hasGrantDelete() => $_has(3);
+  @$pb.TagNumber(4)
+  void clearGrantDelete() => $_clearField(4);
+  @$pb.TagNumber(4)
+  $0.EvmGrantDeleteResponse ensureGrantDelete() => $_ensure(3);
+
+  @$pb.TagNumber(5)
+  $0.EvmGrantListResponse get grantList => $_getN(4);
+  @$pb.TagNumber(5)
+  set grantList($0.EvmGrantListResponse value) => $_setField(5, value);
+  @$pb.TagNumber(5)
+  $core.bool hasGrantList() => $_has(4);
+  @$pb.TagNumber(5)
+  void clearGrantList() => $_clearField(5);
+  @$pb.TagNumber(5)
+  $0.EvmGrantListResponse ensureGrantList() => $_ensure(4);
+
+  @$pb.TagNumber(6)
+  $0.EvmSignTransactionResponse get signTransaction => $_getN(5);
+  @$pb.TagNumber(6)
+  set signTransaction($0.EvmSignTransactionResponse value) =>
+      $_setField(6, value);
+  @$pb.TagNumber(6)
+  $core.bool hasSignTransaction() => $_has(5);
+  @$pb.TagNumber(6)
+  void clearSignTransaction() => $_clearField(6);
+  @$pb.TagNumber(6)
+  $0.EvmSignTransactionResponse ensureSignTransaction() => $_ensure(5);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');
diff --git a/useragent/lib/proto/user_agent/evm.pbenum.dart b/useragent/lib/proto/user_agent/evm.pbenum.dart
new file mode 100644
index 0000000..9b0fded
--- /dev/null
+++ b/useragent/lib/proto/user_agent/evm.pbenum.dart
@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
diff --git a/useragent/lib/proto/user_agent/evm.pbjson.dart b/useragent/lib/proto/user_agent/evm.pbjson.dart
new file mode 100644
index 0000000..96739b0
--- /dev/null
+++ b/useragent/lib/proto/user_agent/evm.pbjson.dart
@@ -0,0 +1,190 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use signTransactionRequestDescriptor instead')
+const SignTransactionRequest$json = {
+  '1': 'SignTransactionRequest',
+  '2': [
+    {'1': 'client_id', '3': 1, '4': 1, '5': 5, '10': 'clientId'},
+    {
+      '1': 'request',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmSignTransactionRequest',
+      '10': 'request'
+    },
+  ],
+};
+
+/// Descriptor for `SignTransactionRequest`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List signTransactionRequestDescriptor = $convert.base64Decode(
+    'ChZTaWduVHJhbnNhY3Rpb25SZXF1ZXN0EhsKCWNsaWVudF9pZBgBIAEoBVIIY2xpZW50SWQSQA'
+    'oHcmVxdWVzdBgCIAEoCzImLmFyYml0ZXIuZXZtLkV2bVNpZ25UcmFuc2FjdGlvblJlcXVlc3RS'
+    'B3JlcXVlc3Q=');
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'wallet_create',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'walletCreate'
+    },
+    {
+      '1': 'wallet_list',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'walletList'
+    },
+    {
+      '1': 'grant_create',
+      '3': 3,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmGrantCreateRequest',
+      '9': 0,
+      '10': 'grantCreate'
+    },
+    {
+      '1': 'grant_delete',
+      '3': 4,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmGrantDeleteRequest',
+      '9': 0,
+      '10': 'grantDelete'
+    },
+    {
+      '1': 'grant_list',
+      '3': 5,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmGrantListRequest',
+      '9': 0,
+      '10': 'grantList'
+    },
+    {
+      '1': 'sign_transaction',
+      '3': 6,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.evm.SignTransactionRequest',
+      '9': 0,
+      '10': 'signTransaction'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0Ej0KDXdhbGxldF9jcmVhdGUYASABKAsyFi5nb29nbGUucHJvdG9idWYuRW1wdH'
+    'lIAFIMd2FsbGV0Q3JlYXRlEjkKC3dhbGxldF9saXN0GAIgASgLMhYuZ29vZ2xlLnByb3RvYnVm'
+    'LkVtcHR5SABSCndhbGxldExpc3QSRwoMZ3JhbnRfY3JlYXRlGAMgASgLMiIuYXJiaXRlci5ldm'
+    '0uRXZtR3JhbnRDcmVhdGVSZXF1ZXN0SABSC2dyYW50Q3JlYXRlEkcKDGdyYW50X2RlbGV0ZRgE'
+    'IAEoCzIiLmFyYml0ZXIuZXZtLkV2bUdyYW50RGVsZXRlUmVxdWVzdEgAUgtncmFudERlbGV0ZR'
+    'JBCgpncmFudF9saXN0GAUgASgLMiAuYXJiaXRlci5ldm0uRXZtR3JhbnRMaXN0UmVxdWVzdEgA'
+    'UglncmFudExpc3QSWwoQc2lnbl90cmFuc2FjdGlvbhgGIAEoCzIuLmFyYml0ZXIudXNlcl9hZ2'
+    'VudC5ldm0uU2lnblRyYW5zYWN0aW9uUmVxdWVzdEgAUg9zaWduVHJhbnNhY3Rpb25CCQoHcGF5'
+    'bG9hZA==');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'wallet_create',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.WalletCreateResponse',
+      '9': 0,
+      '10': 'walletCreate'
+    },
+    {
+      '1': 'wallet_list',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.WalletListResponse',
+      '9': 0,
+      '10': 'walletList'
+    },
+    {
+      '1': 'grant_create',
+      '3': 3,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmGrantCreateResponse',
+      '9': 0,
+      '10': 'grantCreate'
+    },
+    {
+      '1': 'grant_delete',
+      '3': 4,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmGrantDeleteResponse',
+      '9': 0,
+      '10': 'grantDelete'
+    },
+    {
+      '1': 'grant_list',
+      '3': 5,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmGrantListResponse',
+      '9': 0,
+      '10': 'grantList'
+    },
+    {
+      '1': 'sign_transaction',
+      '3': 6,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmSignTransactionResponse',
+      '9': 0,
+      '10': 'signTransaction'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRJICg13YWxsZXRfY3JlYXRlGAEgASgLMiEuYXJiaXRlci5ldm0uV2FsbGV0Q3'
+    'JlYXRlUmVzcG9uc2VIAFIMd2FsbGV0Q3JlYXRlEkIKC3dhbGxldF9saXN0GAIgASgLMh8uYXJi'
+    'aXRlci5ldm0uV2FsbGV0TGlzdFJlc3BvbnNlSABSCndhbGxldExpc3QSSAoMZ3JhbnRfY3JlYX'
+    'RlGAMgASgLMiMuYXJiaXRlci5ldm0uRXZtR3JhbnRDcmVhdGVSZXNwb25zZUgAUgtncmFudENy'
+    'ZWF0ZRJICgxncmFudF9kZWxldGUYBCABKAsyIy5hcmJpdGVyLmV2bS5Fdm1HcmFudERlbGV0ZV'
+    'Jlc3BvbnNlSABSC2dyYW50RGVsZXRlEkIKCmdyYW50X2xpc3QYBSABKAsyIS5hcmJpdGVyLmV2'
+    'bS5Fdm1HcmFudExpc3RSZXNwb25zZUgAUglncmFudExpc3QSVAoQc2lnbl90cmFuc2FjdGlvbh'
+    'gGIAEoCzInLmFyYml0ZXIuZXZtLkV2bVNpZ25UcmFuc2FjdGlvblJlc3BvbnNlSABSD3NpZ25U'
+    'cmFuc2FjdGlvbkIJCgdwYXlsb2Fk');
diff --git a/useragent/lib/proto/user_agent/sdk_client.pb.dart b/useragent/lib/proto/user_agent/sdk_client.pb.dart
new file mode 100644
index 0000000..1266dbb
--- /dev/null
+++ b/useragent/lib/proto/user_agent/sdk_client.pb.dart
@@ -0,0 +1,1197 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/sdk_client.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $1;
+
+import '../shared/client.pb.dart' as $0;
+import 'sdk_client.pbenum.dart';
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+export 'sdk_client.pbenum.dart';
+
+class RevokeRequest extends $pb.GeneratedMessage {
+  factory RevokeRequest({
+    $core.int? clientId,
+  }) {
+    final result = create();
+    if (clientId != null) result.clientId = clientId;
+    return result;
+  }
+
+  RevokeRequest._();
+
+  factory RevokeRequest.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory RevokeRequest.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'RevokeRequest',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..aI(1, _omitFieldNames ? '' : 'clientId')
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  RevokeRequest clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  RevokeRequest copyWith(void Function(RevokeRequest) updates) =>
+      super.copyWith((message) => updates(message as RevokeRequest))
+          as RevokeRequest;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static RevokeRequest create() => RevokeRequest._();
+  @$core.override
+  RevokeRequest createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static RevokeRequest getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<RevokeRequest>(create);
+  static RevokeRequest? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.int get clientId => $_getIZ(0);
+  @$pb.TagNumber(1)
+  set clientId($core.int value) => $_setSignedInt32(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasClientId() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearClientId() => $_clearField(1);
+}
+
+class Entry extends $pb.GeneratedMessage {
+  factory Entry({
+    $core.int? id,
+    $core.List<$core.int>? pubkey,
+    $0.ClientInfo? info,
+    $core.int? createdAt,
+  }) {
+    final result = create();
+    if (id != null) result.id = id;
+    if (pubkey != null) result.pubkey = pubkey;
+    if (info != null) result.info = info;
+    if (createdAt != null) result.createdAt = createdAt;
+    return result;
+  }
+
+  Entry._();
+
+  factory Entry.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Entry.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Entry',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..aI(1, _omitFieldNames ? '' : 'id')
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..aOM<$0.ClientInfo>(3, _omitFieldNames ? '' : 'info',
+        subBuilder: $0.ClientInfo.create)
+    ..aI(4, _omitFieldNames ? '' : 'createdAt')
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Entry clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Entry copyWith(void Function(Entry) updates) =>
+      super.copyWith((message) => updates(message as Entry)) as Entry;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Entry create() => Entry._();
+  @$core.override
+  Entry createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Entry getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Entry>(create);
+  static Entry? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.int get id => $_getIZ(0);
+  @$pb.TagNumber(1)
+  set id($core.int value) => $_setSignedInt32(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasId() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearId() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get pubkey => $_getN(1);
+  @$pb.TagNumber(2)
+  set pubkey($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasPubkey() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearPubkey() => $_clearField(2);
+
+  @$pb.TagNumber(3)
+  $0.ClientInfo get info => $_getN(2);
+  @$pb.TagNumber(3)
+  set info($0.ClientInfo value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasInfo() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearInfo() => $_clearField(3);
+  @$pb.TagNumber(3)
+  $0.ClientInfo ensureInfo() => $_ensure(2);
+
+  @$pb.TagNumber(4)
+  $core.int get createdAt => $_getIZ(3);
+  @$pb.TagNumber(4)
+  set createdAt($core.int value) => $_setSignedInt32(3, value);
+  @$pb.TagNumber(4)
+  $core.bool hasCreatedAt() => $_has(3);
+  @$pb.TagNumber(4)
+  void clearCreatedAt() => $_clearField(4);
+}
+
+class List_ extends $pb.GeneratedMessage {
+  factory List_({
+    $core.Iterable<Entry>? clients,
+  }) {
+    final result = create();
+    if (clients != null) result.clients.addAll(clients);
+    return result;
+  }
+
+  List_._();
+
+  factory List_.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory List_.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'List',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..pPM<Entry>(1, _omitFieldNames ? '' : 'clients', subBuilder: Entry.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  List_ clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  List_ copyWith(void Function(List_) updates) =>
+      super.copyWith((message) => updates(message as List_)) as List_;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static List_ create() => List_._();
+  @$core.override
+  List_ createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static List_ getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<List_>(create);
+  static List_? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $pb.PbList<Entry> get clients => $_getList(0);
+}
+
+enum RevokeResponse_Result { ok, error, notSet }
+
+class RevokeResponse extends $pb.GeneratedMessage {
+  factory RevokeResponse({
+    $1.Empty? ok,
+    Error? error,
+  }) {
+    final result = create();
+    if (ok != null) result.ok = ok;
+    if (error != null) result.error = error;
+    return result;
+  }
+
+  RevokeResponse._();
+
+  factory RevokeResponse.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory RevokeResponse.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, RevokeResponse_Result>
+      _RevokeResponse_ResultByTag = {
+    1: RevokeResponse_Result.ok,
+    2: RevokeResponse_Result.error,
+    0: RevokeResponse_Result.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'RevokeResponse',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<$1.Empty>(1, _omitFieldNames ? '' : 'ok', subBuilder: $1.Empty.create)
+    ..aE<Error>(2, _omitFieldNames ? '' : 'error', enumValues: Error.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  RevokeResponse clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  RevokeResponse copyWith(void Function(RevokeResponse) updates) =>
+      super.copyWith((message) => updates(message as RevokeResponse))
+          as RevokeResponse;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static RevokeResponse create() => RevokeResponse._();
+  @$core.override
+  RevokeResponse createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static RevokeResponse getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<RevokeResponse>(create);
+  static RevokeResponse? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  RevokeResponse_Result whichResult() =>
+      _RevokeResponse_ResultByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearResult() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $1.Empty get ok => $_getN(0);
+  @$pb.TagNumber(1)
+  set ok($1.Empty value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasOk() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearOk() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $1.Empty ensureOk() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  Error get error => $_getN(1);
+  @$pb.TagNumber(2)
+  set error(Error value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasError() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearError() => $_clearField(2);
+}
+
+enum ListResponse_Result { clients, error, notSet }
+
+class ListResponse extends $pb.GeneratedMessage {
+  factory ListResponse({
+    List_? clients,
+    Error? error,
+  }) {
+    final result = create();
+    if (clients != null) result.clients = clients;
+    if (error != null) result.error = error;
+    return result;
+  }
+
+  ListResponse._();
+
+  factory ListResponse.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory ListResponse.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, ListResponse_Result>
+      _ListResponse_ResultByTag = {
+    1: ListResponse_Result.clients,
+    2: ListResponse_Result.error,
+    0: ListResponse_Result.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'ListResponse',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<List_>(1, _omitFieldNames ? '' : 'clients', subBuilder: List_.create)
+    ..aE<Error>(2, _omitFieldNames ? '' : 'error', enumValues: Error.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ListResponse clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ListResponse copyWith(void Function(ListResponse) updates) =>
+      super.copyWith((message) => updates(message as ListResponse))
+          as ListResponse;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static ListResponse create() => ListResponse._();
+  @$core.override
+  ListResponse createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static ListResponse getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<ListResponse>(create);
+  static ListResponse? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  ListResponse_Result whichResult() =>
+      _ListResponse_ResultByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearResult() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  List_ get clients => $_getN(0);
+  @$pb.TagNumber(1)
+  set clients(List_ value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasClients() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearClients() => $_clearField(1);
+  @$pb.TagNumber(1)
+  List_ ensureClients() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  Error get error => $_getN(1);
+  @$pb.TagNumber(2)
+  set error(Error value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasError() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearError() => $_clearField(2);
+}
+
+class ConnectionRequest extends $pb.GeneratedMessage {
+  factory ConnectionRequest({
+    $core.List<$core.int>? pubkey,
+    $0.ClientInfo? info,
+  }) {
+    final result = create();
+    if (pubkey != null) result.pubkey = pubkey;
+    if (info != null) result.info = info;
+    return result;
+  }
+
+  ConnectionRequest._();
+
+  factory ConnectionRequest.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory ConnectionRequest.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'ConnectionRequest',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..aOM<$0.ClientInfo>(2, _omitFieldNames ? '' : 'info',
+        subBuilder: $0.ClientInfo.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ConnectionRequest clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ConnectionRequest copyWith(void Function(ConnectionRequest) updates) =>
+      super.copyWith((message) => updates(message as ConnectionRequest))
+          as ConnectionRequest;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static ConnectionRequest create() => ConnectionRequest._();
+  @$core.override
+  ConnectionRequest createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static ConnectionRequest getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<ConnectionRequest>(create);
+  static ConnectionRequest? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get pubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearPubkey() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $0.ClientInfo get info => $_getN(1);
+  @$pb.TagNumber(2)
+  set info($0.ClientInfo value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasInfo() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearInfo() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.ClientInfo ensureInfo() => $_ensure(1);
+}
+
+class ConnectionResponse extends $pb.GeneratedMessage {
+  factory ConnectionResponse({
+    $core.bool? approved,
+    $core.List<$core.int>? pubkey,
+  }) {
+    final result = create();
+    if (approved != null) result.approved = approved;
+    if (pubkey != null) result.pubkey = pubkey;
+    return result;
+  }
+
+  ConnectionResponse._();
+
+  factory ConnectionResponse.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory ConnectionResponse.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'ConnectionResponse',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..aOB(1, _omitFieldNames ? '' : 'approved')
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ConnectionResponse clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ConnectionResponse copyWith(void Function(ConnectionResponse) updates) =>
+      super.copyWith((message) => updates(message as ConnectionResponse))
+          as ConnectionResponse;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static ConnectionResponse create() => ConnectionResponse._();
+  @$core.override
+  ConnectionResponse createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static ConnectionResponse getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<ConnectionResponse>(create);
+  static ConnectionResponse? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.bool get approved => $_getBF(0);
+  @$pb.TagNumber(1)
+  set approved($core.bool value) => $_setBool(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasApproved() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearApproved() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get pubkey => $_getN(1);
+  @$pb.TagNumber(2)
+  set pubkey($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasPubkey() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearPubkey() => $_clearField(2);
+}
+
+class ConnectionCancel extends $pb.GeneratedMessage {
+  factory ConnectionCancel({
+    $core.List<$core.int>? pubkey,
+  }) {
+    final result = create();
+    if (pubkey != null) result.pubkey = pubkey;
+    return result;
+  }
+
+  ConnectionCancel._();
+
+  factory ConnectionCancel.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory ConnectionCancel.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'ConnectionCancel',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ConnectionCancel clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ConnectionCancel copyWith(void Function(ConnectionCancel) updates) =>
+      super.copyWith((message) => updates(message as ConnectionCancel))
+          as ConnectionCancel;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static ConnectionCancel create() => ConnectionCancel._();
+  @$core.override
+  ConnectionCancel createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static ConnectionCancel getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<ConnectionCancel>(create);
+  static ConnectionCancel? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get pubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearPubkey() => $_clearField(1);
+}
+
+class WalletAccess extends $pb.GeneratedMessage {
+  factory WalletAccess({
+    $core.int? walletId,
+    $core.int? sdkClientId,
+  }) {
+    final result = create();
+    if (walletId != null) result.walletId = walletId;
+    if (sdkClientId != null) result.sdkClientId = sdkClientId;
+    return result;
+  }
+
+  WalletAccess._();
+
+  factory WalletAccess.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory WalletAccess.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'WalletAccess',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..aI(1, _omitFieldNames ? '' : 'walletId')
+    ..aI(2, _omitFieldNames ? '' : 'sdkClientId')
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  WalletAccess clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  WalletAccess copyWith(void Function(WalletAccess) updates) =>
+      super.copyWith((message) => updates(message as WalletAccess))
+          as WalletAccess;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static WalletAccess create() => WalletAccess._();
+  @$core.override
+  WalletAccess createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static WalletAccess getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<WalletAccess>(create);
+  static WalletAccess? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.int get walletId => $_getIZ(0);
+  @$pb.TagNumber(1)
+  set walletId($core.int value) => $_setSignedInt32(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasWalletId() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearWalletId() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.int get sdkClientId => $_getIZ(1);
+  @$pb.TagNumber(2)
+  set sdkClientId($core.int value) => $_setSignedInt32(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasSdkClientId() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearSdkClientId() => $_clearField(2);
+}
+
+class WalletAccessEntry extends $pb.GeneratedMessage {
+  factory WalletAccessEntry({
+    $core.int? id,
+    WalletAccess? access,
+  }) {
+    final result = create();
+    if (id != null) result.id = id;
+    if (access != null) result.access = access;
+    return result;
+  }
+
+  WalletAccessEntry._();
+
+  factory WalletAccessEntry.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory WalletAccessEntry.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'WalletAccessEntry',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..aI(1, _omitFieldNames ? '' : 'id')
+    ..aOM<WalletAccess>(2, _omitFieldNames ? '' : 'access',
+        subBuilder: WalletAccess.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  WalletAccessEntry clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  WalletAccessEntry copyWith(void Function(WalletAccessEntry) updates) =>
+      super.copyWith((message) => updates(message as WalletAccessEntry))
+          as WalletAccessEntry;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static WalletAccessEntry create() => WalletAccessEntry._();
+  @$core.override
+  WalletAccessEntry createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static WalletAccessEntry getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<WalletAccessEntry>(create);
+  static WalletAccessEntry? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.int get id => $_getIZ(0);
+  @$pb.TagNumber(1)
+  set id($core.int value) => $_setSignedInt32(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasId() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearId() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  WalletAccess get access => $_getN(1);
+  @$pb.TagNumber(2)
+  set access(WalletAccess value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasAccess() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearAccess() => $_clearField(2);
+  @$pb.TagNumber(2)
+  WalletAccess ensureAccess() => $_ensure(1);
+}
+
+class GrantWalletAccess extends $pb.GeneratedMessage {
+  factory GrantWalletAccess({
+    $core.Iterable<WalletAccess>? accesses,
+  }) {
+    final result = create();
+    if (accesses != null) result.accesses.addAll(accesses);
+    return result;
+  }
+
+  GrantWalletAccess._();
+
+  factory GrantWalletAccess.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory GrantWalletAccess.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'GrantWalletAccess',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..pPM<WalletAccess>(1, _omitFieldNames ? '' : 'accesses',
+        subBuilder: WalletAccess.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  GrantWalletAccess clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  GrantWalletAccess copyWith(void Function(GrantWalletAccess) updates) =>
+      super.copyWith((message) => updates(message as GrantWalletAccess))
+          as GrantWalletAccess;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static GrantWalletAccess create() => GrantWalletAccess._();
+  @$core.override
+  GrantWalletAccess createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static GrantWalletAccess getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<GrantWalletAccess>(create);
+  static GrantWalletAccess? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $pb.PbList<WalletAccess> get accesses => $_getList(0);
+}
+
+class RevokeWalletAccess extends $pb.GeneratedMessage {
+  factory RevokeWalletAccess({
+    $core.Iterable<$core.int>? accesses,
+  }) {
+    final result = create();
+    if (accesses != null) result.accesses.addAll(accesses);
+    return result;
+  }
+
+  RevokeWalletAccess._();
+
+  factory RevokeWalletAccess.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory RevokeWalletAccess.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'RevokeWalletAccess',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..p<$core.int>(1, _omitFieldNames ? '' : 'accesses', $pb.PbFieldType.K3)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  RevokeWalletAccess clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  RevokeWalletAccess copyWith(void Function(RevokeWalletAccess) updates) =>
+      super.copyWith((message) => updates(message as RevokeWalletAccess))
+          as RevokeWalletAccess;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static RevokeWalletAccess create() => RevokeWalletAccess._();
+  @$core.override
+  RevokeWalletAccess createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static RevokeWalletAccess getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<RevokeWalletAccess>(create);
+  static RevokeWalletAccess? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $pb.PbList<$core.int> get accesses => $_getList(0);
+}
+
+class ListWalletAccessResponse extends $pb.GeneratedMessage {
+  factory ListWalletAccessResponse({
+    $core.Iterable<WalletAccessEntry>? accesses,
+  }) {
+    final result = create();
+    if (accesses != null) result.accesses.addAll(accesses);
+    return result;
+  }
+
+  ListWalletAccessResponse._();
+
+  factory ListWalletAccessResponse.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory ListWalletAccessResponse.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'ListWalletAccessResponse',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..pPM<WalletAccessEntry>(1, _omitFieldNames ? '' : 'accesses',
+        subBuilder: WalletAccessEntry.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ListWalletAccessResponse clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ListWalletAccessResponse copyWith(
+          void Function(ListWalletAccessResponse) updates) =>
+      super.copyWith((message) => updates(message as ListWalletAccessResponse))
+          as ListWalletAccessResponse;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static ListWalletAccessResponse create() => ListWalletAccessResponse._();
+  @$core.override
+  ListWalletAccessResponse createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static ListWalletAccessResponse getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<ListWalletAccessResponse>(create);
+  static ListWalletAccessResponse? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $pb.PbList<WalletAccessEntry> get accesses => $_getList(0);
+}
+
+enum Request_Payload {
+  connectionResponse,
+  revoke,
+  list,
+  grantWalletAccess,
+  revokeWalletAccess,
+  listWalletAccess,
+  notSet
+}
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    ConnectionResponse? connectionResponse,
+    RevokeRequest? revoke,
+    $1.Empty? list,
+    GrantWalletAccess? grantWalletAccess,
+    RevokeWalletAccess? revokeWalletAccess,
+    $1.Empty? listWalletAccess,
+  }) {
+    final result = create();
+    if (connectionResponse != null)
+      result.connectionResponse = connectionResponse;
+    if (revoke != null) result.revoke = revoke;
+    if (list != null) result.list = list;
+    if (grantWalletAccess != null) result.grantWalletAccess = grantWalletAccess;
+    if (revokeWalletAccess != null)
+      result.revokeWalletAccess = revokeWalletAccess;
+    if (listWalletAccess != null) result.listWalletAccess = listWalletAccess;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.connectionResponse,
+    2: Request_Payload.revoke,
+    3: Request_Payload.list,
+    4: Request_Payload.grantWalletAccess,
+    5: Request_Payload.revokeWalletAccess,
+    6: Request_Payload.listWalletAccess,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2, 3, 4, 5, 6])
+    ..aOM<ConnectionResponse>(1, _omitFieldNames ? '' : 'connectionResponse',
+        subBuilder: ConnectionResponse.create)
+    ..aOM<RevokeRequest>(2, _omitFieldNames ? '' : 'revoke',
+        subBuilder: RevokeRequest.create)
+    ..aOM<$1.Empty>(3, _omitFieldNames ? '' : 'list',
+        subBuilder: $1.Empty.create)
+    ..aOM<GrantWalletAccess>(4, _omitFieldNames ? '' : 'grantWalletAccess',
+        subBuilder: GrantWalletAccess.create)
+    ..aOM<RevokeWalletAccess>(5, _omitFieldNames ? '' : 'revokeWalletAccess',
+        subBuilder: RevokeWalletAccess.create)
+    ..aOM<$1.Empty>(6, _omitFieldNames ? '' : 'listWalletAccess',
+        subBuilder: $1.Empty.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  @$pb.TagNumber(6)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  @$pb.TagNumber(6)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  ConnectionResponse get connectionResponse => $_getN(0);
+  @$pb.TagNumber(1)
+  set connectionResponse(ConnectionResponse value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasConnectionResponse() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearConnectionResponse() => $_clearField(1);
+  @$pb.TagNumber(1)
+  ConnectionResponse ensureConnectionResponse() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  RevokeRequest get revoke => $_getN(1);
+  @$pb.TagNumber(2)
+  set revoke(RevokeRequest value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasRevoke() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearRevoke() => $_clearField(2);
+  @$pb.TagNumber(2)
+  RevokeRequest ensureRevoke() => $_ensure(1);
+
+  @$pb.TagNumber(3)
+  $1.Empty get list => $_getN(2);
+  @$pb.TagNumber(3)
+  set list($1.Empty value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasList() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearList() => $_clearField(3);
+  @$pb.TagNumber(3)
+  $1.Empty ensureList() => $_ensure(2);
+
+  @$pb.TagNumber(4)
+  GrantWalletAccess get grantWalletAccess => $_getN(3);
+  @$pb.TagNumber(4)
+  set grantWalletAccess(GrantWalletAccess value) => $_setField(4, value);
+  @$pb.TagNumber(4)
+  $core.bool hasGrantWalletAccess() => $_has(3);
+  @$pb.TagNumber(4)
+  void clearGrantWalletAccess() => $_clearField(4);
+  @$pb.TagNumber(4)
+  GrantWalletAccess ensureGrantWalletAccess() => $_ensure(3);
+
+  @$pb.TagNumber(5)
+  RevokeWalletAccess get revokeWalletAccess => $_getN(4);
+  @$pb.TagNumber(5)
+  set revokeWalletAccess(RevokeWalletAccess value) => $_setField(5, value);
+  @$pb.TagNumber(5)
+  $core.bool hasRevokeWalletAccess() => $_has(4);
+  @$pb.TagNumber(5)
+  void clearRevokeWalletAccess() => $_clearField(5);
+  @$pb.TagNumber(5)
+  RevokeWalletAccess ensureRevokeWalletAccess() => $_ensure(4);
+
+  @$pb.TagNumber(6)
+  $1.Empty get listWalletAccess => $_getN(5);
+  @$pb.TagNumber(6)
+  set listWalletAccess($1.Empty value) => $_setField(6, value);
+  @$pb.TagNumber(6)
+  $core.bool hasListWalletAccess() => $_has(5);
+  @$pb.TagNumber(6)
+  void clearListWalletAccess() => $_clearField(6);
+  @$pb.TagNumber(6)
+  $1.Empty ensureListWalletAccess() => $_ensure(5);
+}
+
+enum Response_Payload {
+  connectionRequest,
+  connectionCancel,
+  revoke,
+  list,
+  listWalletAccess,
+  notSet
+}
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    ConnectionRequest? connectionRequest,
+    ConnectionCancel? connectionCancel,
+    RevokeResponse? revoke,
+    ListResponse? list,
+    ListWalletAccessResponse? listWalletAccess,
+  }) {
+    final result = create();
+    if (connectionRequest != null) result.connectionRequest = connectionRequest;
+    if (connectionCancel != null) result.connectionCancel = connectionCancel;
+    if (revoke != null) result.revoke = revoke;
+    if (list != null) result.list = list;
+    if (listWalletAccess != null) result.listWalletAccess = listWalletAccess;
+    return result;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.connectionRequest,
+    2: Response_Payload.connectionCancel,
+    3: Response_Payload.revoke,
+    4: Response_Payload.list,
+    5: Response_Payload.listWalletAccess,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.sdk_client'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2, 3, 4, 5])
+    ..aOM<ConnectionRequest>(1, _omitFieldNames ? '' : 'connectionRequest',
+        subBuilder: ConnectionRequest.create)
+    ..aOM<ConnectionCancel>(2, _omitFieldNames ? '' : 'connectionCancel',
+        subBuilder: ConnectionCancel.create)
+    ..aOM<RevokeResponse>(3, _omitFieldNames ? '' : 'revoke',
+        subBuilder: RevokeResponse.create)
+    ..aOM<ListResponse>(4, _omitFieldNames ? '' : 'list',
+        subBuilder: ListResponse.create)
+    ..aOM<ListWalletAccessResponse>(
+        5, _omitFieldNames ? '' : 'listWalletAccess',
+        subBuilder: ListWalletAccessResponse.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  ConnectionRequest get connectionRequest => $_getN(0);
+  @$pb.TagNumber(1)
+  set connectionRequest(ConnectionRequest value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasConnectionRequest() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearConnectionRequest() => $_clearField(1);
+  @$pb.TagNumber(1)
+  ConnectionRequest ensureConnectionRequest() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  ConnectionCancel get connectionCancel => $_getN(1);
+  @$pb.TagNumber(2)
+  set connectionCancel(ConnectionCancel value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasConnectionCancel() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearConnectionCancel() => $_clearField(2);
+  @$pb.TagNumber(2)
+  ConnectionCancel ensureConnectionCancel() => $_ensure(1);
+
+  @$pb.TagNumber(3)
+  RevokeResponse get revoke => $_getN(2);
+  @$pb.TagNumber(3)
+  set revoke(RevokeResponse value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasRevoke() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearRevoke() => $_clearField(3);
+  @$pb.TagNumber(3)
+  RevokeResponse ensureRevoke() => $_ensure(2);
+
+  @$pb.TagNumber(4)
+  ListResponse get list => $_getN(3);
+  @$pb.TagNumber(4)
+  set list(ListResponse value) => $_setField(4, value);
+  @$pb.TagNumber(4)
+  $core.bool hasList() => $_has(3);
+  @$pb.TagNumber(4)
+  void clearList() => $_clearField(4);
+  @$pb.TagNumber(4)
+  ListResponse ensureList() => $_ensure(3);
+
+  @$pb.TagNumber(5)
+  ListWalletAccessResponse get listWalletAccess => $_getN(4);
+  @$pb.TagNumber(5)
+  set listWalletAccess(ListWalletAccessResponse value) => $_setField(5, value);
+  @$pb.TagNumber(5)
+  $core.bool hasListWalletAccess() => $_has(4);
+  @$pb.TagNumber(5)
+  void clearListWalletAccess() => $_clearField(5);
+  @$pb.TagNumber(5)
+  ListWalletAccessResponse ensureListWalletAccess() => $_ensure(4);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');
diff --git a/useragent/lib/proto/user_agent/sdk_client.pbenum.dart b/useragent/lib/proto/user_agent/sdk_client.pbenum.dart
new file mode 100644
index 0000000..d8bf9bd
--- /dev/null
+++ b/useragent/lib/proto/user_agent/sdk_client.pbenum.dart
@@ -0,0 +1,46 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/sdk_client.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+class Error extends $pb.ProtobufEnum {
+  static const Error ERROR_UNSPECIFIED =
+      Error._(0, _omitEnumNames ? '' : 'ERROR_UNSPECIFIED');
+  static const Error ERROR_ALREADY_EXISTS =
+      Error._(1, _omitEnumNames ? '' : 'ERROR_ALREADY_EXISTS');
+  static const Error ERROR_NOT_FOUND =
+      Error._(2, _omitEnumNames ? '' : 'ERROR_NOT_FOUND');
+  static const Error ERROR_HAS_RELATED_DATA =
+      Error._(3, _omitEnumNames ? '' : 'ERROR_HAS_RELATED_DATA');
+  static const Error ERROR_INTERNAL =
+      Error._(4, _omitEnumNames ? '' : 'ERROR_INTERNAL');
+
+  static const $core.List<Error> values = <Error>[
+    ERROR_UNSPECIFIED,
+    ERROR_ALREADY_EXISTS,
+    ERROR_NOT_FOUND,
+    ERROR_HAS_RELATED_DATA,
+    ERROR_INTERNAL,
+  ];
+
+  static final $core.List<Error?> _byValue =
+      $pb.ProtobufEnum.$_initByValueList(values, 4);
+  static Error? valueOf($core.int value) =>
+      value < 0 || value >= _byValue.length ? null : _byValue[value];
+
+  const Error._(super.value, super.name);
+}
+
+const $core.bool _omitEnumNames =
+    $core.bool.fromEnvironment('protobuf.omit_enum_names');
diff --git a/useragent/lib/proto/user_agent/sdk_client.pbjson.dart b/useragent/lib/proto/user_agent/sdk_client.pbjson.dart
new file mode 100644
index 0000000..6a33194
--- /dev/null
+++ b/useragent/lib/proto/user_agent/sdk_client.pbjson.dart
@@ -0,0 +1,438 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/sdk_client.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use errorDescriptor instead')
+const Error$json = {
+  '1': 'Error',
+  '2': [
+    {'1': 'ERROR_UNSPECIFIED', '2': 0},
+    {'1': 'ERROR_ALREADY_EXISTS', '2': 1},
+    {'1': 'ERROR_NOT_FOUND', '2': 2},
+    {'1': 'ERROR_HAS_RELATED_DATA', '2': 3},
+    {'1': 'ERROR_INTERNAL', '2': 4},
+  ],
+};
+
+/// Descriptor for `Error`. Decode as a `google.protobuf.EnumDescriptorProto`.
+final $typed_data.Uint8List errorDescriptor = $convert.base64Decode(
+    'CgVFcnJvchIVChFFUlJPUl9VTlNQRUNJRklFRBAAEhgKFEVSUk9SX0FMUkVBRFlfRVhJU1RTEA'
+    'ESEwoPRVJST1JfTk9UX0ZPVU5EEAISGgoWRVJST1JfSEFTX1JFTEFURURfREFUQRADEhIKDkVS'
+    'Uk9SX0lOVEVSTkFMEAQ=');
+
+@$core.Deprecated('Use revokeRequestDescriptor instead')
+const RevokeRequest$json = {
+  '1': 'RevokeRequest',
+  '2': [
+    {'1': 'client_id', '3': 1, '4': 1, '5': 5, '10': 'clientId'},
+  ],
+};
+
+/// Descriptor for `RevokeRequest`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List revokeRequestDescriptor = $convert.base64Decode(
+    'Cg1SZXZva2VSZXF1ZXN0EhsKCWNsaWVudF9pZBgBIAEoBVIIY2xpZW50SWQ=');
+
+@$core.Deprecated('Use entryDescriptor instead')
+const Entry$json = {
+  '1': 'Entry',
+  '2': [
+    {'1': 'id', '3': 1, '4': 1, '5': 5, '10': 'id'},
+    {'1': 'pubkey', '3': 2, '4': 1, '5': 12, '10': 'pubkey'},
+    {
+      '1': 'info',
+      '3': 3,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.ClientInfo',
+      '10': 'info'
+    },
+    {'1': 'created_at', '3': 4, '4': 1, '5': 5, '10': 'createdAt'},
+  ],
+};
+
+/// Descriptor for `Entry`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List entryDescriptor = $convert.base64Decode(
+    'CgVFbnRyeRIOCgJpZBgBIAEoBVICaWQSFgoGcHVia2V5GAIgASgMUgZwdWJrZXkSLgoEaW5mbx'
+    'gDIAEoCzIaLmFyYml0ZXIuc2hhcmVkLkNsaWVudEluZm9SBGluZm8SHQoKY3JlYXRlZF9hdBgE'
+    'IAEoBVIJY3JlYXRlZEF0');
+
+@$core.Deprecated('Use list_Descriptor instead')
+const List_$json = {
+  '1': 'List',
+  '2': [
+    {
+      '1': 'clients',
+      '3': 1,
+      '4': 3,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.Entry',
+      '10': 'clients'
+    },
+  ],
+};
+
+/// Descriptor for `List`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List list_Descriptor = $convert.base64Decode(
+    'CgRMaXN0Ej4KB2NsaWVudHMYASADKAsyJC5hcmJpdGVyLnVzZXJfYWdlbnQuc2RrX2NsaWVudC'
+    '5FbnRyeVIHY2xpZW50cw==');
+
+@$core.Deprecated('Use revokeResponseDescriptor instead')
+const RevokeResponse$json = {
+  '1': 'RevokeResponse',
+  '2': [
+    {
+      '1': 'ok',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'ok'
+    },
+    {
+      '1': 'error',
+      '3': 2,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.user_agent.sdk_client.Error',
+      '9': 0,
+      '10': 'error'
+    },
+  ],
+  '8': [
+    {'1': 'result'},
+  ],
+};
+
+/// Descriptor for `RevokeResponse`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List revokeResponseDescriptor = $convert.base64Decode(
+    'Cg5SZXZva2VSZXNwb25zZRIoCgJvaxgBIAEoCzIWLmdvb2dsZS5wcm90b2J1Zi5FbXB0eUgAUg'
+    'JvaxI8CgVlcnJvchgCIAEoDjIkLmFyYml0ZXIudXNlcl9hZ2VudC5zZGtfY2xpZW50LkVycm9y'
+    'SABSBWVycm9yQggKBnJlc3VsdA==');
+
+@$core.Deprecated('Use listResponseDescriptor instead')
+const ListResponse$json = {
+  '1': 'ListResponse',
+  '2': [
+    {
+      '1': 'clients',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.List',
+      '9': 0,
+      '10': 'clients'
+    },
+    {
+      '1': 'error',
+      '3': 2,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.user_agent.sdk_client.Error',
+      '9': 0,
+      '10': 'error'
+    },
+  ],
+  '8': [
+    {'1': 'result'},
+  ],
+};
+
+/// Descriptor for `ListResponse`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List listResponseDescriptor = $convert.base64Decode(
+    'CgxMaXN0UmVzcG9uc2USPwoHY2xpZW50cxgBIAEoCzIjLmFyYml0ZXIudXNlcl9hZ2VudC5zZG'
+    'tfY2xpZW50Lkxpc3RIAFIHY2xpZW50cxI8CgVlcnJvchgCIAEoDjIkLmFyYml0ZXIudXNlcl9h'
+    'Z2VudC5zZGtfY2xpZW50LkVycm9ySABSBWVycm9yQggKBnJlc3VsdA==');
+
+@$core.Deprecated('Use connectionRequestDescriptor instead')
+const ConnectionRequest$json = {
+  '1': 'ConnectionRequest',
+  '2': [
+    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
+    {
+      '1': 'info',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.ClientInfo',
+      '10': 'info'
+    },
+  ],
+};
+
+/// Descriptor for `ConnectionRequest`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List connectionRequestDescriptor = $convert.base64Decode(
+    'ChFDb25uZWN0aW9uUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRIuCgRpbmZvGAIgAS'
+    'gLMhouYXJiaXRlci5zaGFyZWQuQ2xpZW50SW5mb1IEaW5mbw==');
+
+@$core.Deprecated('Use connectionResponseDescriptor instead')
+const ConnectionResponse$json = {
+  '1': 'ConnectionResponse',
+  '2': [
+    {'1': 'approved', '3': 1, '4': 1, '5': 8, '10': 'approved'},
+    {'1': 'pubkey', '3': 2, '4': 1, '5': 12, '10': 'pubkey'},
+  ],
+};
+
+/// Descriptor for `ConnectionResponse`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List connectionResponseDescriptor = $convert.base64Decode(
+    'ChJDb25uZWN0aW9uUmVzcG9uc2USGgoIYXBwcm92ZWQYASABKAhSCGFwcHJvdmVkEhYKBnB1Ym'
+    'tleRgCIAEoDFIGcHVia2V5');
+
+@$core.Deprecated('Use connectionCancelDescriptor instead')
+const ConnectionCancel$json = {
+  '1': 'ConnectionCancel',
+  '2': [
+    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
+  ],
+};
+
+/// Descriptor for `ConnectionCancel`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List connectionCancelDescriptor = $convert
+    .base64Decode('ChBDb25uZWN0aW9uQ2FuY2VsEhYKBnB1YmtleRgBIAEoDFIGcHVia2V5');
+
+@$core.Deprecated('Use walletAccessDescriptor instead')
+const WalletAccess$json = {
+  '1': 'WalletAccess',
+  '2': [
+    {'1': 'wallet_id', '3': 1, '4': 1, '5': 5, '10': 'walletId'},
+    {'1': 'sdk_client_id', '3': 2, '4': 1, '5': 5, '10': 'sdkClientId'},
+  ],
+};
+
+/// Descriptor for `WalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List walletAccessDescriptor = $convert.base64Decode(
+    'CgxXYWxsZXRBY2Nlc3MSGwoJd2FsbGV0X2lkGAEgASgFUgh3YWxsZXRJZBIiCg1zZGtfY2xpZW'
+    '50X2lkGAIgASgFUgtzZGtDbGllbnRJZA==');
+
+@$core.Deprecated('Use walletAccessEntryDescriptor instead')
+const WalletAccessEntry$json = {
+  '1': 'WalletAccessEntry',
+  '2': [
+    {'1': 'id', '3': 1, '4': 1, '5': 5, '10': 'id'},
+    {
+      '1': 'access',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.WalletAccess',
+      '10': 'access'
+    },
+  ],
+};
+
+/// Descriptor for `WalletAccessEntry`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List walletAccessEntryDescriptor = $convert.base64Decode(
+    'ChFXYWxsZXRBY2Nlc3NFbnRyeRIOCgJpZBgBIAEoBVICaWQSQwoGYWNjZXNzGAIgASgLMisuYX'
+    'JiaXRlci51c2VyX2FnZW50LnNka19jbGllbnQuV2FsbGV0QWNjZXNzUgZhY2Nlc3M=');
+
+@$core.Deprecated('Use grantWalletAccessDescriptor instead')
+const GrantWalletAccess$json = {
+  '1': 'GrantWalletAccess',
+  '2': [
+    {
+      '1': 'accesses',
+      '3': 1,
+      '4': 3,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.WalletAccess',
+      '10': 'accesses'
+    },
+  ],
+};
+
+/// Descriptor for `GrantWalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List grantWalletAccessDescriptor = $convert.base64Decode(
+    'ChFHcmFudFdhbGxldEFjY2VzcxJHCghhY2Nlc3NlcxgBIAMoCzIrLmFyYml0ZXIudXNlcl9hZ2'
+    'VudC5zZGtfY2xpZW50LldhbGxldEFjY2Vzc1IIYWNjZXNzZXM=');
+
+@$core.Deprecated('Use revokeWalletAccessDescriptor instead')
+const RevokeWalletAccess$json = {
+  '1': 'RevokeWalletAccess',
+  '2': [
+    {'1': 'accesses', '3': 1, '4': 3, '5': 5, '10': 'accesses'},
+  ],
+};
+
+/// Descriptor for `RevokeWalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List revokeWalletAccessDescriptor =
+    $convert.base64Decode(
+        'ChJSZXZva2VXYWxsZXRBY2Nlc3MSGgoIYWNjZXNzZXMYASADKAVSCGFjY2Vzc2Vz');
+
+@$core.Deprecated('Use listWalletAccessResponseDescriptor instead')
+const ListWalletAccessResponse$json = {
+  '1': 'ListWalletAccessResponse',
+  '2': [
+    {
+      '1': 'accesses',
+      '3': 1,
+      '4': 3,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.WalletAccessEntry',
+      '10': 'accesses'
+    },
+  ],
+};
+
+/// Descriptor for `ListWalletAccessResponse`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List listWalletAccessResponseDescriptor =
+    $convert.base64Decode(
+        'ChhMaXN0V2FsbGV0QWNjZXNzUmVzcG9uc2USTAoIYWNjZXNzZXMYASADKAsyMC5hcmJpdGVyLn'
+        'VzZXJfYWdlbnQuc2RrX2NsaWVudC5XYWxsZXRBY2Nlc3NFbnRyeVIIYWNjZXNzZXM=');
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'connection_response',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.ConnectionResponse',
+      '9': 0,
+      '10': 'connectionResponse'
+    },
+    {
+      '1': 'revoke',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.RevokeRequest',
+      '9': 0,
+      '10': 'revoke'
+    },
+    {
+      '1': 'list',
+      '3': 3,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'list'
+    },
+    {
+      '1': 'grant_wallet_access',
+      '3': 4,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.GrantWalletAccess',
+      '9': 0,
+      '10': 'grantWalletAccess'
+    },
+    {
+      '1': 'revoke_wallet_access',
+      '3': 5,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.RevokeWalletAccess',
+      '9': 0,
+      '10': 'revokeWalletAccess'
+    },
+    {
+      '1': 'list_wallet_access',
+      '3': 6,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'listWalletAccess'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0EmQKE2Nvbm5lY3Rpb25fcmVzcG9uc2UYASABKAsyMS5hcmJpdGVyLnVzZXJfYW'
+    'dlbnQuc2RrX2NsaWVudC5Db25uZWN0aW9uUmVzcG9uc2VIAFISY29ubmVjdGlvblJlc3BvbnNl'
+    'EkYKBnJldm9rZRgCIAEoCzIsLmFyYml0ZXIudXNlcl9hZ2VudC5zZGtfY2xpZW50LlJldm9rZV'
+    'JlcXVlc3RIAFIGcmV2b2tlEiwKBGxpc3QYAyABKAsyFi5nb29nbGUucHJvdG9idWYuRW1wdHlI'
+    'AFIEbGlzdBJiChNncmFudF93YWxsZXRfYWNjZXNzGAQgASgLMjAuYXJiaXRlci51c2VyX2FnZW'
+    '50LnNka19jbGllbnQuR3JhbnRXYWxsZXRBY2Nlc3NIAFIRZ3JhbnRXYWxsZXRBY2Nlc3MSZQoU'
+    'cmV2b2tlX3dhbGxldF9hY2Nlc3MYBSABKAsyMS5hcmJpdGVyLnVzZXJfYWdlbnQuc2RrX2NsaW'
+    'VudC5SZXZva2VXYWxsZXRBY2Nlc3NIAFIScmV2b2tlV2FsbGV0QWNjZXNzEkYKEmxpc3Rfd2Fs'
+    'bGV0X2FjY2VzcxgGIAEoCzIWLmdvb2dsZS5wcm90b2J1Zi5FbXB0eUgAUhBsaXN0V2FsbGV0QW'
+    'NjZXNzQgkKB3BheWxvYWQ=');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'connection_request',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.ConnectionRequest',
+      '9': 0,
+      '10': 'connectionRequest'
+    },
+    {
+      '1': 'connection_cancel',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.ConnectionCancel',
+      '9': 0,
+      '10': 'connectionCancel'
+    },
+    {
+      '1': 'revoke',
+      '3': 3,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.RevokeResponse',
+      '9': 0,
+      '10': 'revoke'
+    },
+    {
+      '1': 'list',
+      '3': 4,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.ListResponse',
+      '9': 0,
+      '10': 'list'
+    },
+    {
+      '1': 'list_wallet_access',
+      '3': 5,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.sdk_client.ListWalletAccessResponse',
+      '9': 0,
+      '10': 'listWalletAccess'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRJhChJjb25uZWN0aW9uX3JlcXVlc3QYASABKAsyMC5hcmJpdGVyLnVzZXJfYW'
+    'dlbnQuc2RrX2NsaWVudC5Db25uZWN0aW9uUmVxdWVzdEgAUhFjb25uZWN0aW9uUmVxdWVzdBJe'
+    'ChFjb25uZWN0aW9uX2NhbmNlbBgCIAEoCzIvLmFyYml0ZXIudXNlcl9hZ2VudC5zZGtfY2xpZW'
+    '50LkNvbm5lY3Rpb25DYW5jZWxIAFIQY29ubmVjdGlvbkNhbmNlbBJHCgZyZXZva2UYAyABKAsy'
+    'LS5hcmJpdGVyLnVzZXJfYWdlbnQuc2RrX2NsaWVudC5SZXZva2VSZXNwb25zZUgAUgZyZXZva2'
+    'USQQoEbGlzdBgEIAEoCzIrLmFyYml0ZXIudXNlcl9hZ2VudC5zZGtfY2xpZW50Lkxpc3RSZXNw'
+    'b25zZUgAUgRsaXN0EmcKEmxpc3Rfd2FsbGV0X2FjY2VzcxgFIAEoCzI3LmFyYml0ZXIudXNlcl'
+    '9hZ2VudC5zZGtfY2xpZW50Lkxpc3RXYWxsZXRBY2Nlc3NSZXNwb25zZUgAUhBsaXN0V2FsbGV0'
+    'QWNjZXNzQgkKB3BheWxvYWQ=');
diff --git a/useragent/lib/proto/user_agent/vault/bootstrap.pb.dart b/useragent/lib/proto/user_agent/vault/bootstrap.pb.dart
new file mode 100644
index 0000000..bc7f2f9
--- /dev/null
+++ b/useragent/lib/proto/user_agent/vault/bootstrap.pb.dart
@@ -0,0 +1,221 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/vault/bootstrap.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+import 'bootstrap.pbenum.dart';
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+export 'bootstrap.pbenum.dart';
+
+class BootstrapEncryptedKey extends $pb.GeneratedMessage {
+  factory BootstrapEncryptedKey({
+    $core.List<$core.int>? nonce,
+    $core.List<$core.int>? ciphertext,
+    $core.List<$core.int>? associatedData,
+  }) {
+    final result = create();
+    if (nonce != null) result.nonce = nonce;
+    if (ciphertext != null) result.ciphertext = ciphertext;
+    if (associatedData != null) result.associatedData = associatedData;
+    return result;
+  }
+
+  BootstrapEncryptedKey._();
+
+  factory BootstrapEncryptedKey.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory BootstrapEncryptedKey.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'BootstrapEncryptedKey',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.vault.bootstrap'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'nonce', $pb.PbFieldType.OY)
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'ciphertext', $pb.PbFieldType.OY)
+    ..a<$core.List<$core.int>>(
+        3, _omitFieldNames ? '' : 'associatedData', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  BootstrapEncryptedKey clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  BootstrapEncryptedKey copyWith(
+          void Function(BootstrapEncryptedKey) updates) =>
+      super.copyWith((message) => updates(message as BootstrapEncryptedKey))
+          as BootstrapEncryptedKey;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static BootstrapEncryptedKey create() => BootstrapEncryptedKey._();
+  @$core.override
+  BootstrapEncryptedKey createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static BootstrapEncryptedKey getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<BootstrapEncryptedKey>(create);
+  static BootstrapEncryptedKey? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get nonce => $_getN(0);
+  @$pb.TagNumber(1)
+  set nonce($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasNonce() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearNonce() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get ciphertext => $_getN(1);
+  @$pb.TagNumber(2)
+  set ciphertext($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasCiphertext() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearCiphertext() => $_clearField(2);
+
+  @$pb.TagNumber(3)
+  $core.List<$core.int> get associatedData => $_getN(2);
+  @$pb.TagNumber(3)
+  set associatedData($core.List<$core.int> value) => $_setBytes(2, value);
+  @$pb.TagNumber(3)
+  $core.bool hasAssociatedData() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearAssociatedData() => $_clearField(3);
+}
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    BootstrapEncryptedKey? encryptedKey,
+  }) {
+    final result = create();
+    if (encryptedKey != null) result.encryptedKey = encryptedKey;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.vault.bootstrap'),
+      createEmptyInstance: create)
+    ..aOM<BootstrapEncryptedKey>(2, _omitFieldNames ? '' : 'encryptedKey',
+        subBuilder: BootstrapEncryptedKey.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(2)
+  BootstrapEncryptedKey get encryptedKey => $_getN(0);
+  @$pb.TagNumber(2)
+  set encryptedKey(BootstrapEncryptedKey value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasEncryptedKey() => $_has(0);
+  @$pb.TagNumber(2)
+  void clearEncryptedKey() => $_clearField(2);
+  @$pb.TagNumber(2)
+  BootstrapEncryptedKey ensureEncryptedKey() => $_ensure(0);
+}
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    BootstrapResult? result,
+  }) {
+    final result$ = create();
+    if (result != null) result$.result = result;
+    return result$;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.vault.bootstrap'),
+      createEmptyInstance: create)
+    ..aE<BootstrapResult>(1, _omitFieldNames ? '' : 'result',
+        enumValues: BootstrapResult.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  BootstrapResult get result => $_getN(0);
+  @$pb.TagNumber(1)
+  set result(BootstrapResult value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasResult() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearResult() => $_clearField(1);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');
diff --git a/useragent/lib/proto/user_agent/vault/bootstrap.pbenum.dart b/useragent/lib/proto/user_agent/vault/bootstrap.pbenum.dart
new file mode 100644
index 0000000..aeb96d6
--- /dev/null
+++ b/useragent/lib/proto/user_agent/vault/bootstrap.pbenum.dart
@@ -0,0 +1,44 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/vault/bootstrap.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+class BootstrapResult extends $pb.ProtobufEnum {
+  static const BootstrapResult BOOTSTRAP_RESULT_UNSPECIFIED = BootstrapResult._(
+      0, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_UNSPECIFIED');
+  static const BootstrapResult BOOTSTRAP_RESULT_SUCCESS =
+      BootstrapResult._(1, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_SUCCESS');
+  static const BootstrapResult BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED =
+      BootstrapResult._(
+          2, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED');
+  static const BootstrapResult BOOTSTRAP_RESULT_INVALID_KEY = BootstrapResult._(
+      3, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_INVALID_KEY');
+
+  static const $core.List<BootstrapResult> values = <BootstrapResult>[
+    BOOTSTRAP_RESULT_UNSPECIFIED,
+    BOOTSTRAP_RESULT_SUCCESS,
+    BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED,
+    BOOTSTRAP_RESULT_INVALID_KEY,
+  ];
+
+  static final $core.List<BootstrapResult?> _byValue =
+      $pb.ProtobufEnum.$_initByValueList(values, 3);
+  static BootstrapResult? valueOf($core.int value) =>
+      value < 0 || value >= _byValue.length ? null : _byValue[value];
+
+  const BootstrapResult._(super.value, super.name);
+}
+
+const $core.bool _omitEnumNames =
+    $core.bool.fromEnvironment('protobuf.omit_enum_names');
diff --git a/useragent/lib/proto/user_agent/vault/bootstrap.pbjson.dart b/useragent/lib/proto/user_agent/vault/bootstrap.pbjson.dart
new file mode 100644
index 0000000..69d5c4a
--- /dev/null
+++ b/useragent/lib/proto/user_agent/vault/bootstrap.pbjson.dart
@@ -0,0 +1,89 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/vault/bootstrap.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use bootstrapResultDescriptor instead')
+const BootstrapResult$json = {
+  '1': 'BootstrapResult',
+  '2': [
+    {'1': 'BOOTSTRAP_RESULT_UNSPECIFIED', '2': 0},
+    {'1': 'BOOTSTRAP_RESULT_SUCCESS', '2': 1},
+    {'1': 'BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED', '2': 2},
+    {'1': 'BOOTSTRAP_RESULT_INVALID_KEY', '2': 3},
+  ],
+};
+
+/// Descriptor for `BootstrapResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
+final $typed_data.Uint8List bootstrapResultDescriptor = $convert.base64Decode(
+    'Cg9Cb290c3RyYXBSZXN1bHQSIAocQk9PVFNUUkFQX1JFU1VMVF9VTlNQRUNJRklFRBAAEhwKGE'
+    'JPT1RTVFJBUF9SRVNVTFRfU1VDQ0VTUxABEikKJUJPT1RTVFJBUF9SRVNVTFRfQUxSRUFEWV9C'
+    'T09UU1RSQVBQRUQQAhIgChxCT09UU1RSQVBfUkVTVUxUX0lOVkFMSURfS0VZEAM=');
+
+@$core.Deprecated('Use bootstrapEncryptedKeyDescriptor instead')
+const BootstrapEncryptedKey$json = {
+  '1': 'BootstrapEncryptedKey',
+  '2': [
+    {'1': 'nonce', '3': 1, '4': 1, '5': 12, '10': 'nonce'},
+    {'1': 'ciphertext', '3': 2, '4': 1, '5': 12, '10': 'ciphertext'},
+    {'1': 'associated_data', '3': 3, '4': 1, '5': 12, '10': 'associatedData'},
+  ],
+};
+
+/// Descriptor for `BootstrapEncryptedKey`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List bootstrapEncryptedKeyDescriptor = $convert.base64Decode(
+    'ChVCb290c3RyYXBFbmNyeXB0ZWRLZXkSFAoFbm9uY2UYASABKAxSBW5vbmNlEh4KCmNpcGhlcn'
+    'RleHQYAiABKAxSCmNpcGhlcnRleHQSJwoPYXNzb2NpYXRlZF9kYXRhGAMgASgMUg5hc3NvY2lh'
+    'dGVkRGF0YQ==');
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'encrypted_key',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.vault.bootstrap.BootstrapEncryptedKey',
+      '10': 'encryptedKey'
+    },
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0El4KDWVuY3J5cHRlZF9rZXkYAiABKAsyOS5hcmJpdGVyLnVzZXJfYWdlbnQudm'
+    'F1bHQuYm9vdHN0cmFwLkJvb3RzdHJhcEVuY3J5cHRlZEtleVIMZW5jcnlwdGVkS2V5');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'result',
+      '3': 1,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.user_agent.vault.bootstrap.BootstrapResult',
+      '10': 'result'
+    },
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRJLCgZyZXN1bHQYASABKA4yMy5hcmJpdGVyLnVzZXJfYWdlbnQudmF1bHQuYm'
+    '9vdHN0cmFwLkJvb3RzdHJhcFJlc3VsdFIGcmVzdWx0');
diff --git a/useragent/lib/proto/user_agent/vault/unseal.pb.dart b/useragent/lib/proto/user_agent/vault/unseal.pb.dart
new file mode 100644
index 0000000..cb25b7f
--- /dev/null
+++ b/useragent/lib/proto/user_agent/vault/unseal.pb.dart
@@ -0,0 +1,392 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/vault/unseal.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+import 'unseal.pbenum.dart';
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+export 'unseal.pbenum.dart';
+
+class UnsealStart extends $pb.GeneratedMessage {
+  factory UnsealStart({
+    $core.List<$core.int>? clientPubkey,
+  }) {
+    final result = create();
+    if (clientPubkey != null) result.clientPubkey = clientPubkey;
+    return result;
+  }
+
+  UnsealStart._();
+
+  factory UnsealStart.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory UnsealStart.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'UnsealStart',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.vault.unseal'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'clientPubkey', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  UnsealStart clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  UnsealStart copyWith(void Function(UnsealStart) updates) =>
+      super.copyWith((message) => updates(message as UnsealStart))
+          as UnsealStart;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static UnsealStart create() => UnsealStart._();
+  @$core.override
+  UnsealStart createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static UnsealStart getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<UnsealStart>(create);
+  static UnsealStart? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get clientPubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set clientPubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasClientPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearClientPubkey() => $_clearField(1);
+}
+
+class UnsealStartResponse extends $pb.GeneratedMessage {
+  factory UnsealStartResponse({
+    $core.List<$core.int>? serverPubkey,
+  }) {
+    final result = create();
+    if (serverPubkey != null) result.serverPubkey = serverPubkey;
+    return result;
+  }
+
+  UnsealStartResponse._();
+
+  factory UnsealStartResponse.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory UnsealStartResponse.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'UnsealStartResponse',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.vault.unseal'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'serverPubkey', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  UnsealStartResponse clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  UnsealStartResponse copyWith(void Function(UnsealStartResponse) updates) =>
+      super.copyWith((message) => updates(message as UnsealStartResponse))
+          as UnsealStartResponse;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static UnsealStartResponse create() => UnsealStartResponse._();
+  @$core.override
+  UnsealStartResponse createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static UnsealStartResponse getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<UnsealStartResponse>(create);
+  static UnsealStartResponse? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get serverPubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set serverPubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasServerPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearServerPubkey() => $_clearField(1);
+}
+
+class UnsealEncryptedKey extends $pb.GeneratedMessage {
+  factory UnsealEncryptedKey({
+    $core.List<$core.int>? nonce,
+    $core.List<$core.int>? ciphertext,
+    $core.List<$core.int>? associatedData,
+  }) {
+    final result = create();
+    if (nonce != null) result.nonce = nonce;
+    if (ciphertext != null) result.ciphertext = ciphertext;
+    if (associatedData != null) result.associatedData = associatedData;
+    return result;
+  }
+
+  UnsealEncryptedKey._();
+
+  factory UnsealEncryptedKey.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory UnsealEncryptedKey.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'UnsealEncryptedKey',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.vault.unseal'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'nonce', $pb.PbFieldType.OY)
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'ciphertext', $pb.PbFieldType.OY)
+    ..a<$core.List<$core.int>>(
+        3, _omitFieldNames ? '' : 'associatedData', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  UnsealEncryptedKey clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  UnsealEncryptedKey copyWith(void Function(UnsealEncryptedKey) updates) =>
+      super.copyWith((message) => updates(message as UnsealEncryptedKey))
+          as UnsealEncryptedKey;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static UnsealEncryptedKey create() => UnsealEncryptedKey._();
+  @$core.override
+  UnsealEncryptedKey createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static UnsealEncryptedKey getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<UnsealEncryptedKey>(create);
+  static UnsealEncryptedKey? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get nonce => $_getN(0);
+  @$pb.TagNumber(1)
+  set nonce($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasNonce() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearNonce() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get ciphertext => $_getN(1);
+  @$pb.TagNumber(2)
+  set ciphertext($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasCiphertext() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearCiphertext() => $_clearField(2);
+
+  @$pb.TagNumber(3)
+  $core.List<$core.int> get associatedData => $_getN(2);
+  @$pb.TagNumber(3)
+  set associatedData($core.List<$core.int> value) => $_setBytes(2, value);
+  @$pb.TagNumber(3)
+  $core.bool hasAssociatedData() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearAssociatedData() => $_clearField(3);
+}
+
+enum Request_Payload { start, encryptedKey, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    UnsealStart? start,
+    UnsealEncryptedKey? encryptedKey,
+  }) {
+    final result = create();
+    if (start != null) result.start = start;
+    if (encryptedKey != null) result.encryptedKey = encryptedKey;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.start,
+    2: Request_Payload.encryptedKey,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.vault.unseal'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<UnsealStart>(1, _omitFieldNames ? '' : 'start',
+        subBuilder: UnsealStart.create)
+    ..aOM<UnsealEncryptedKey>(2, _omitFieldNames ? '' : 'encryptedKey',
+        subBuilder: UnsealEncryptedKey.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  UnsealStart get start => $_getN(0);
+  @$pb.TagNumber(1)
+  set start(UnsealStart value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasStart() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearStart() => $_clearField(1);
+  @$pb.TagNumber(1)
+  UnsealStart ensureStart() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  UnsealEncryptedKey get encryptedKey => $_getN(1);
+  @$pb.TagNumber(2)
+  set encryptedKey(UnsealEncryptedKey value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasEncryptedKey() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearEncryptedKey() => $_clearField(2);
+  @$pb.TagNumber(2)
+  UnsealEncryptedKey ensureEncryptedKey() => $_ensure(1);
+}
+
+enum Response_Payload { start, result, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    UnsealStartResponse? start,
+    UnsealResult? result,
+  }) {
+    final result$ = create();
+    if (start != null) result$.start = start;
+    if (result != null) result$.result = result;
+    return result$;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.start,
+    2: Response_Payload.result,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.vault.unseal'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<UnsealStartResponse>(1, _omitFieldNames ? '' : 'start',
+        subBuilder: UnsealStartResponse.create)
+    ..aE<UnsealResult>(2, _omitFieldNames ? '' : 'result',
+        enumValues: UnsealResult.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  UnsealStartResponse get start => $_getN(0);
+  @$pb.TagNumber(1)
+  set start(UnsealStartResponse value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasStart() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearStart() => $_clearField(1);
+  @$pb.TagNumber(1)
+  UnsealStartResponse ensureStart() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  UnsealResult get result => $_getN(1);
+  @$pb.TagNumber(2)
+  set result(UnsealResult value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasResult() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearResult() => $_clearField(2);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');
diff --git a/useragent/lib/proto/user_agent/vault/unseal.pbenum.dart b/useragent/lib/proto/user_agent/vault/unseal.pbenum.dart
new file mode 100644
index 0000000..41ddd94
--- /dev/null
+++ b/useragent/lib/proto/user_agent/vault/unseal.pbenum.dart
@@ -0,0 +1,43 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/vault/unseal.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+class UnsealResult extends $pb.ProtobufEnum {
+  static const UnsealResult UNSEAL_RESULT_UNSPECIFIED =
+      UnsealResult._(0, _omitEnumNames ? '' : 'UNSEAL_RESULT_UNSPECIFIED');
+  static const UnsealResult UNSEAL_RESULT_SUCCESS =
+      UnsealResult._(1, _omitEnumNames ? '' : 'UNSEAL_RESULT_SUCCESS');
+  static const UnsealResult UNSEAL_RESULT_INVALID_KEY =
+      UnsealResult._(2, _omitEnumNames ? '' : 'UNSEAL_RESULT_INVALID_KEY');
+  static const UnsealResult UNSEAL_RESULT_UNBOOTSTRAPPED =
+      UnsealResult._(3, _omitEnumNames ? '' : 'UNSEAL_RESULT_UNBOOTSTRAPPED');
+
+  static const $core.List<UnsealResult> values = <UnsealResult>[
+    UNSEAL_RESULT_UNSPECIFIED,
+    UNSEAL_RESULT_SUCCESS,
+    UNSEAL_RESULT_INVALID_KEY,
+    UNSEAL_RESULT_UNBOOTSTRAPPED,
+  ];
+
+  static final $core.List<UnsealResult?> _byValue =
+      $pb.ProtobufEnum.$_initByValueList(values, 3);
+  static UnsealResult? valueOf($core.int value) =>
+      value < 0 || value >= _byValue.length ? null : _byValue[value];
+
+  const UnsealResult._(super.value, super.name);
+}
+
+const $core.bool _omitEnumNames =
+    $core.bool.fromEnvironment('protobuf.omit_enum_names');
diff --git a/useragent/lib/proto/user_agent/vault/unseal.pbjson.dart b/useragent/lib/proto/user_agent/vault/unseal.pbjson.dart
new file mode 100644
index 0000000..da92281
--- /dev/null
+++ b/useragent/lib/proto/user_agent/vault/unseal.pbjson.dart
@@ -0,0 +1,144 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/vault/unseal.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use unsealResultDescriptor instead')
+const UnsealResult$json = {
+  '1': 'UnsealResult',
+  '2': [
+    {'1': 'UNSEAL_RESULT_UNSPECIFIED', '2': 0},
+    {'1': 'UNSEAL_RESULT_SUCCESS', '2': 1},
+    {'1': 'UNSEAL_RESULT_INVALID_KEY', '2': 2},
+    {'1': 'UNSEAL_RESULT_UNBOOTSTRAPPED', '2': 3},
+  ],
+};
+
+/// Descriptor for `UnsealResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
+final $typed_data.Uint8List unsealResultDescriptor = $convert.base64Decode(
+    'CgxVbnNlYWxSZXN1bHQSHQoZVU5TRUFMX1JFU1VMVF9VTlNQRUNJRklFRBAAEhkKFVVOU0VBTF'
+    '9SRVNVTFRfU1VDQ0VTUxABEh0KGVVOU0VBTF9SRVNVTFRfSU5WQUxJRF9LRVkQAhIgChxVTlNF'
+    'QUxfUkVTVUxUX1VOQk9PVFNUUkFQUEVEEAM=');
+
+@$core.Deprecated('Use unsealStartDescriptor instead')
+const UnsealStart$json = {
+  '1': 'UnsealStart',
+  '2': [
+    {'1': 'client_pubkey', '3': 1, '4': 1, '5': 12, '10': 'clientPubkey'},
+  ],
+};
+
+/// Descriptor for `UnsealStart`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List unsealStartDescriptor = $convert.base64Decode(
+    'CgtVbnNlYWxTdGFydBIjCg1jbGllbnRfcHVia2V5GAEgASgMUgxjbGllbnRQdWJrZXk=');
+
+@$core.Deprecated('Use unsealStartResponseDescriptor instead')
+const UnsealStartResponse$json = {
+  '1': 'UnsealStartResponse',
+  '2': [
+    {'1': 'server_pubkey', '3': 1, '4': 1, '5': 12, '10': 'serverPubkey'},
+  ],
+};
+
+/// Descriptor for `UnsealStartResponse`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List unsealStartResponseDescriptor = $convert.base64Decode(
+    'ChNVbnNlYWxTdGFydFJlc3BvbnNlEiMKDXNlcnZlcl9wdWJrZXkYASABKAxSDHNlcnZlclB1Ym'
+    'tleQ==');
+
+@$core.Deprecated('Use unsealEncryptedKeyDescriptor instead')
+const UnsealEncryptedKey$json = {
+  '1': 'UnsealEncryptedKey',
+  '2': [
+    {'1': 'nonce', '3': 1, '4': 1, '5': 12, '10': 'nonce'},
+    {'1': 'ciphertext', '3': 2, '4': 1, '5': 12, '10': 'ciphertext'},
+    {'1': 'associated_data', '3': 3, '4': 1, '5': 12, '10': 'associatedData'},
+  ],
+};
+
+/// Descriptor for `UnsealEncryptedKey`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List unsealEncryptedKeyDescriptor = $convert.base64Decode(
+    'ChJVbnNlYWxFbmNyeXB0ZWRLZXkSFAoFbm9uY2UYASABKAxSBW5vbmNlEh4KCmNpcGhlcnRleH'
+    'QYAiABKAxSCmNpcGhlcnRleHQSJwoPYXNzb2NpYXRlZF9kYXRhGAMgASgMUg5hc3NvY2lhdGVk'
+    'RGF0YQ==');
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'start',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.vault.unseal.UnsealStart',
+      '9': 0,
+      '10': 'start'
+    },
+    {
+      '1': 'encrypted_key',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.vault.unseal.UnsealEncryptedKey',
+      '9': 0,
+      '10': 'encryptedKey'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0EkQKBXN0YXJ0GAEgASgLMiwuYXJiaXRlci51c2VyX2FnZW50LnZhdWx0LnVuc2'
+    'VhbC5VbnNlYWxTdGFydEgAUgVzdGFydBJaCg1lbmNyeXB0ZWRfa2V5GAIgASgLMjMuYXJiaXRl'
+    'ci51c2VyX2FnZW50LnZhdWx0LnVuc2VhbC5VbnNlYWxFbmNyeXB0ZWRLZXlIAFIMZW5jcnlwdG'
+    'VkS2V5QgkKB3BheWxvYWQ=');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'start',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.vault.unseal.UnsealStartResponse',
+      '9': 0,
+      '10': 'start'
+    },
+    {
+      '1': 'result',
+      '3': 2,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.user_agent.vault.unseal.UnsealResult',
+      '9': 0,
+      '10': 'result'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRJMCgVzdGFydBgBIAEoCzI0LmFyYml0ZXIudXNlcl9hZ2VudC52YXVsdC51bn'
+    'NlYWwuVW5zZWFsU3RhcnRSZXNwb25zZUgAUgVzdGFydBJHCgZyZXN1bHQYAiABKA4yLS5hcmJp'
+    'dGVyLnVzZXJfYWdlbnQudmF1bHQudW5zZWFsLlVuc2VhbFJlc3VsdEgAUgZyZXN1bHRCCQoHcG'
+    'F5bG9hZA==');
diff --git a/useragent/lib/proto/user_agent/vault/vault.pb.dart b/useragent/lib/proto/user_agent/vault/vault.pb.dart
new file mode 100644
index 0000000..6a772dd
--- /dev/null
+++ b/useragent/lib/proto/user_agent/vault/vault.pb.dart
@@ -0,0 +1,235 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/vault/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $0;
+
+import '../../shared/vault.pbenum.dart' as $3;
+import 'bootstrap.pb.dart' as $2;
+import 'unseal.pb.dart' as $1;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+enum Request_Payload { queryState, unseal, bootstrap, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    $0.Empty? queryState,
+    $1.Request? unseal,
+    $2.Request? bootstrap,
+  }) {
+    final result = create();
+    if (queryState != null) result.queryState = queryState;
+    if (unseal != null) result.unseal = unseal;
+    if (bootstrap != null) result.bootstrap = bootstrap;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.queryState,
+    2: Request_Payload.unseal,
+    3: Request_Payload.bootstrap,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.vault'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2, 3])
+    ..aOM<$0.Empty>(1, _omitFieldNames ? '' : 'queryState',
+        subBuilder: $0.Empty.create)
+    ..aOM<$1.Request>(2, _omitFieldNames ? '' : 'unseal',
+        subBuilder: $1.Request.create)
+    ..aOM<$2.Request>(3, _omitFieldNames ? '' : 'bootstrap',
+        subBuilder: $2.Request.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.Empty get queryState => $_getN(0);
+  @$pb.TagNumber(1)
+  set queryState($0.Empty value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasQueryState() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearQueryState() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.Empty ensureQueryState() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $1.Request get unseal => $_getN(1);
+  @$pb.TagNumber(2)
+  set unseal($1.Request value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasUnseal() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearUnseal() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $1.Request ensureUnseal() => $_ensure(1);
+
+  @$pb.TagNumber(3)
+  $2.Request get bootstrap => $_getN(2);
+  @$pb.TagNumber(3)
+  set bootstrap($2.Request value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasBootstrap() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearBootstrap() => $_clearField(3);
+  @$pb.TagNumber(3)
+  $2.Request ensureBootstrap() => $_ensure(2);
+}
+
+enum Response_Payload { state, unseal, bootstrap, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    $3.VaultState? state,
+    $1.Response? unseal,
+    $2.Response? bootstrap,
+  }) {
+    final result = create();
+    if (state != null) result.state = state;
+    if (unseal != null) result.unseal = unseal;
+    if (bootstrap != null) result.bootstrap = bootstrap;
+    return result;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.state,
+    2: Response_Payload.unseal,
+    3: Response_Payload.bootstrap,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.vault'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2, 3])
+    ..aE<$3.VaultState>(1, _omitFieldNames ? '' : 'state',
+        enumValues: $3.VaultState.values)
+    ..aOM<$1.Response>(2, _omitFieldNames ? '' : 'unseal',
+        subBuilder: $1.Response.create)
+    ..aOM<$2.Response>(3, _omitFieldNames ? '' : 'bootstrap',
+        subBuilder: $2.Response.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $3.VaultState get state => $_getN(0);
+  @$pb.TagNumber(1)
+  set state($3.VaultState value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasState() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearState() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $1.Response get unseal => $_getN(1);
+  @$pb.TagNumber(2)
+  set unseal($1.Response value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasUnseal() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearUnseal() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $1.Response ensureUnseal() => $_ensure(1);
+
+  @$pb.TagNumber(3)
+  $2.Response get bootstrap => $_getN(2);
+  @$pb.TagNumber(3)
+  set bootstrap($2.Response value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasBootstrap() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearBootstrap() => $_clearField(3);
+  @$pb.TagNumber(3)
+  $2.Response ensureBootstrap() => $_ensure(2);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');
diff --git a/useragent/lib/proto/user_agent/vault/vault.pbenum.dart b/useragent/lib/proto/user_agent/vault/vault.pbenum.dart
new file mode 100644
index 0000000..43f87e3
--- /dev/null
+++ b/useragent/lib/proto/user_agent/vault/vault.pbenum.dart
@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/vault/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
diff --git a/useragent/lib/proto/user_agent/vault/vault.pbjson.dart b/useragent/lib/proto/user_agent/vault/vault.pbjson.dart
new file mode 100644
index 0000000..88e010f
--- /dev/null
+++ b/useragent/lib/proto/user_agent/vault/vault.pbjson.dart
@@ -0,0 +1,105 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/vault/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'query_state',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'queryState'
+    },
+    {
+      '1': 'unseal',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.vault.unseal.Request',
+      '9': 0,
+      '10': 'unseal'
+    },
+    {
+      '1': 'bootstrap',
+      '3': 3,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.vault.bootstrap.Request',
+      '9': 0,
+      '10': 'bootstrap'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0EjkKC3F1ZXJ5X3N0YXRlGAEgASgLMhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SA'
+    'BSCnF1ZXJ5U3RhdGUSQgoGdW5zZWFsGAIgASgLMiguYXJiaXRlci51c2VyX2FnZW50LnZhdWx0'
+    'LnVuc2VhbC5SZXF1ZXN0SABSBnVuc2VhbBJLCglib290c3RyYXAYAyABKAsyKy5hcmJpdGVyLn'
+    'VzZXJfYWdlbnQudmF1bHQuYm9vdHN0cmFwLlJlcXVlc3RIAFIJYm9vdHN0cmFwQgkKB3BheWxv'
+    'YWQ=');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'state',
+      '3': 1,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.shared.VaultState',
+      '9': 0,
+      '10': 'state'
+    },
+    {
+      '1': 'unseal',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.vault.unseal.Response',
+      '9': 0,
+      '10': 'unseal'
+    },
+    {
+      '1': 'bootstrap',
+      '3': 3,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.user_agent.vault.bootstrap.Response',
+      '9': 0,
+      '10': 'bootstrap'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRIyCgVzdGF0ZRgBIAEoDjIaLmFyYml0ZXIuc2hhcmVkLlZhdWx0U3RhdGVIAF'
+    'IFc3RhdGUSQwoGdW5zZWFsGAIgASgLMikuYXJiaXRlci51c2VyX2FnZW50LnZhdWx0LnVuc2Vh'
+    'bC5SZXNwb25zZUgAUgZ1bnNlYWwSTAoJYm9vdHN0cmFwGAMgASgLMiwuYXJiaXRlci51c2VyX2'
+    'FnZW50LnZhdWx0LmJvb3RzdHJhcC5SZXNwb25zZUgAUglib290c3RyYXBCCQoHcGF5bG9hZA==');
diff --git a/useragent/lib/providers/sdk_clients/details.dart b/useragent/lib/providers/sdk_clients/details.dart
index 1e1fb2b..b6939f2 100644
--- a/useragent/lib/providers/sdk_clients/details.dart
+++ b/useragent/lib/providers/sdk_clients/details.dart
@@ -1,11 +1,11 @@
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/providers/sdk_clients/list.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 
 part 'details.g.dart';
 
 @riverpod
-Future<SdkClientEntry?> clientDetails(Ref ref, int clientId) async {
+Future<ua_sdk.Entry?> clientDetails(Ref ref, int clientId) async {
   final clients = await ref.watch(sdkClientsProvider.future);
   if (clients == null) {
     return null;
diff --git a/useragent/lib/providers/sdk_clients/details.g.dart b/useragent/lib/providers/sdk_clients/details.g.dart
index 4f59df2..5c77abf 100644
--- a/useragent/lib/providers/sdk_clients/details.g.dart
+++ b/useragent/lib/providers/sdk_clients/details.g.dart
@@ -15,11 +15,11 @@ final clientDetailsProvider = ClientDetailsFamily._();
 final class ClientDetailsProvider
     extends
         $FunctionalProvider<
-          AsyncValue<SdkClientEntry?>,
-          SdkClientEntry?,
-          FutureOr<SdkClientEntry?>
+          AsyncValue<ua_sdk.Entry?>,
+          ua_sdk.Entry?,
+          FutureOr<ua_sdk.Entry?>
         >
-    with $FutureModifier<SdkClientEntry?>, $FutureProvider<SdkClientEntry?> {
+    with $FutureModifier<ua_sdk.Entry?>, $FutureProvider<ua_sdk.Entry?> {
   ClientDetailsProvider._({
     required ClientDetailsFamily super.from,
     required int super.argument,
@@ -43,12 +43,12 @@ final class ClientDetailsProvider
 
   @$internal
   @override
-  $FutureProviderElement<SdkClientEntry?> $createElement(
+  $FutureProviderElement<ua_sdk.Entry?> $createElement(
     $ProviderPointer pointer,
   ) => $FutureProviderElement(pointer);
 
   @override
-  FutureOr<SdkClientEntry?> create(Ref ref) {
+  FutureOr<ua_sdk.Entry?> create(Ref ref) {
     final argument = this.argument as int;
     return clientDetails(ref, argument);
   }
@@ -64,10 +64,10 @@ final class ClientDetailsProvider
   }
 }
 
-String _$clientDetailsHash() => r'21449a1a2cc4fa4e65ce761e6342e97c1d957a7a';
+String _$clientDetailsHash() => r'907fd39230cc630dcaad3bbe924f343a84a2375e';
 
 final class ClientDetailsFamily extends $Family
-    with $FunctionalFamilyOverride<FutureOr<SdkClientEntry?>, int> {
+    with $FunctionalFamilyOverride<FutureOr<ua_sdk.Entry?>, int> {
   ClientDetailsFamily._()
     : super(
         retry: null,
diff --git a/useragent/lib/providers/sdk_clients/list.dart b/useragent/lib/providers/sdk_clients/list.dart
index a06fd7d..a6ade66 100644
--- a/useragent/lib/providers/sdk_clients/list.dart
+++ b/useragent/lib/providers/sdk_clients/list.dart
@@ -1,3 +1,4 @@
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
 import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart';
@@ -6,29 +7,35 @@ import 'package:riverpod_annotation/riverpod_annotation.dart';
 part 'list.g.dart';
 
 @riverpod
-Future<List<SdkClientEntry>?> sdkClients(Ref ref) async {
+Future<List<ua_sdk.Entry>?> sdkClients(Ref ref) async {
   final connection = await ref.watch(connectionManagerProvider.future);
   if (connection == null) {
     return null;
   }
 
   final resp = await connection.ask(
-    UserAgentRequest(sdkClientList: Empty()),
+    UserAgentRequest(sdkClient: ua_sdk.Request(list: Empty())),
   );
 
-  if (!resp.hasSdkClientListResponse()) {
+  if (!resp.hasSdkClient()) {
     throw Exception(
-      'Expected SDK client list response, got ${resp.whichPayload()}',
+      'Expected SDK client response, got ${resp.whichPayload()}',
     );
   }
-  final result = resp.sdkClientListResponse;
+  final sdkClientResponse = resp.sdkClient;
+  if (!sdkClientResponse.hasList()) {
+    throw Exception(
+      'Expected SDK client list response, got ${sdkClientResponse.whichPayload()}',
+    );
+  }
+  final result = sdkClientResponse.list;
 
   switch (result.whichResult()) {
-    case SdkClientListResponse_Result.clients:
+    case ua_sdk.ListResponse_Result.clients:
       return result.clients.clients.toList(growable: false);
-    case SdkClientListResponse_Result.error:
+    case ua_sdk.ListResponse_Result.error:
       throw Exception('Error listing SDK clients: ${result.error}');
-    case SdkClientListResponse_Result.notSet:
+    case ua_sdk.ListResponse_Result.notSet:
       throw Exception('SDK client list response was empty.');
   }
 }
diff --git a/useragent/lib/providers/sdk_clients/list.g.dart b/useragent/lib/providers/sdk_clients/list.g.dart
index e65feb2..e506d5a 100644
--- a/useragent/lib/providers/sdk_clients/list.g.dart
+++ b/useragent/lib/providers/sdk_clients/list.g.dart
@@ -15,13 +15,13 @@ final sdkClientsProvider = SdkClientsProvider._();
 final class SdkClientsProvider
     extends
         $FunctionalProvider<
-          AsyncValue<List<SdkClientEntry>?>,
-          List<SdkClientEntry>?,
-          FutureOr<List<SdkClientEntry>?>
+          AsyncValue<List<ua_sdk.Entry>?>,
+          List<ua_sdk.Entry>?,
+          FutureOr<List<ua_sdk.Entry>?>
         >
     with
-        $FutureModifier<List<SdkClientEntry>?>,
-        $FutureProvider<List<SdkClientEntry>?> {
+        $FutureModifier<List<ua_sdk.Entry>?>,
+        $FutureProvider<List<ua_sdk.Entry>?> {
   SdkClientsProvider._()
     : super(
         from: null,
@@ -38,14 +38,14 @@ final class SdkClientsProvider
 
   @$internal
   @override
-  $FutureProviderElement<List<SdkClientEntry>?> $createElement(
+  $FutureProviderElement<List<ua_sdk.Entry>?> $createElement(
     $ProviderPointer pointer,
   ) => $FutureProviderElement(pointer);
 
   @override
-  FutureOr<List<SdkClientEntry>?> create(Ref ref) {
+  FutureOr<List<ua_sdk.Entry>?> create(Ref ref) {
     return sdkClients(ref);
   }
 }
 
-String _$sdkClientsHash() => r'9b50ef901a7b68e4e604d6d0b4777dbd3e6499e1';
+String _$sdkClientsHash() => r'9b966083effea11035d6edde379e71cc2a0f85c0';
diff --git a/useragent/lib/providers/sdk_clients/wallet_access_list.dart b/useragent/lib/providers/sdk_clients/wallet_access_list.dart
index f126c97..cb33ef4 100644
--- a/useragent/lib/providers/sdk_clients/wallet_access_list.dart
+++ b/useragent/lib/providers/sdk_clients/wallet_access_list.dart
@@ -1,5 +1,5 @@
 import 'package:arbiter/features/connection/evm/wallet_access.dart';
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/providers/connection/connection_manager.dart';
 import 'package:mtcore/markettakers.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
@@ -7,7 +7,7 @@ import 'package:riverpod_annotation/riverpod_annotation.dart';
 part 'wallet_access_list.g.dart';
 
 @riverpod
-Future<List<SdkClientWalletAccess>?> walletAccessList(Ref ref) async {
+Future<List<ua_sdk.WalletAccessEntry>?> walletAccessList(Ref ref) async {
   final connection = await ref.watch(connectionManagerProvider.future);
   if (connection == null) {
     return null;
diff --git a/useragent/lib/providers/sdk_clients/wallet_access_list.g.dart b/useragent/lib/providers/sdk_clients/wallet_access_list.g.dart
index 314ce1d..0034b47 100644
--- a/useragent/lib/providers/sdk_clients/wallet_access_list.g.dart
+++ b/useragent/lib/providers/sdk_clients/wallet_access_list.g.dart
@@ -15,13 +15,13 @@ final walletAccessListProvider = WalletAccessListProvider._();
 final class WalletAccessListProvider
     extends
         $FunctionalProvider<
-          AsyncValue<List<SdkClientWalletAccess>?>,
-          List<SdkClientWalletAccess>?,
-          FutureOr<List<SdkClientWalletAccess>?>
+          AsyncValue<List<ua_sdk.WalletAccessEntry>?>,
+          List<ua_sdk.WalletAccessEntry>?,
+          FutureOr<List<ua_sdk.WalletAccessEntry>?>
         >
     with
-        $FutureModifier<List<SdkClientWalletAccess>?>,
-        $FutureProvider<List<SdkClientWalletAccess>?> {
+        $FutureModifier<List<ua_sdk.WalletAccessEntry>?>,
+        $FutureProvider<List<ua_sdk.WalletAccessEntry>?> {
   WalletAccessListProvider._()
     : super(
         from: null,
@@ -38,14 +38,14 @@ final class WalletAccessListProvider
 
   @$internal
   @override
-  $FutureProviderElement<List<SdkClientWalletAccess>?> $createElement(
+  $FutureProviderElement<List<ua_sdk.WalletAccessEntry>?> $createElement(
     $ProviderPointer pointer,
   ) => $FutureProviderElement(pointer);
 
   @override
-  FutureOr<List<SdkClientWalletAccess>?> create(Ref ref) {
+  FutureOr<List<ua_sdk.WalletAccessEntry>?> create(Ref ref) {
     return walletAccessList(ref);
   }
 }
 
-String _$walletAccessListHash() => r'c06006d6792ae463105a539723e9bb396192f96b';
+String _$walletAccessListHash() => r'143387471489ebc36de76b2a8ddcb6d857cbad17';
diff --git a/useragent/lib/providers/vault_state.dart b/useragent/lib/providers/vault_state.dart
index eefc536..874da0f 100644
--- a/useragent/lib/providers/vault_state.dart
+++ b/useragent/lib/providers/vault_state.dart
@@ -1,3 +1,5 @@
+import 'package:arbiter/proto/shared/vault.pbenum.dart';
+import 'package:arbiter/proto/user_agent/vault/vault.pb.dart' as ua_vault;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
 import 'package:mtcore/markettakers.dart';
@@ -13,13 +15,23 @@ Future<VaultState?> vaultState(Ref ref) async {
     return null;
   }
 
-  final resp = await conn.ask(UserAgentRequest(queryVaultState: Empty()));
-  if (resp.whichPayload() != UserAgentResponse_Payload.vaultState) {
+  final resp = await conn.ask(
+    UserAgentRequest(vault: ua_vault.Request(queryState: Empty())),
+  );
+  if (!resp.hasVault()) {
     talker.warning('Expected vault state response, got ${resp.whichPayload()}');
     return null;
   }
 
-  final vaultState = resp.vaultState;
+  final vaultResponse = resp.vault;
+  if (!vaultResponse.hasState()) {
+    talker.warning(
+      'Expected vault state payload, got ${vaultResponse.whichPayload()}',
+    );
+    return null;
+  }
+
+  final vaultState = vaultResponse.state;
 
   return vaultState;
 }
diff --git a/useragent/lib/providers/vault_state.g.dart b/useragent/lib/providers/vault_state.g.dart
index 6bc2cc9..779ecbb 100644
--- a/useragent/lib/providers/vault_state.g.dart
+++ b/useragent/lib/providers/vault_state.g.dart
@@ -46,4 +46,4 @@ final class VaultStateProvider
   }
 }
 
-String _$vaultStateHash() => r'81887aa99a3e928efd73dbe85caf81284c9f5803';
+String _$vaultStateHash() => r'f7247826d92ed583c475dd7f956b1ffea1f9a7da';
diff --git a/useragent/lib/router.gr.dart b/useragent/lib/router.gr.dart
index f20b537..bc417b9 100644
--- a/useragent/lib/router.gr.dart
+++ b/useragent/lib/router.gr.dart
@@ -9,7 +9,7 @@
 // coverage:ignore-file
 
 // ignore_for_file: no_leading_underscores_for_library_prefixes
-import 'package:arbiter/proto/user_agent.pb.dart' as _i15;
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as _i15;
 import 'package:arbiter/screens/bootstrap.dart' as _i2;
 import 'package:arbiter/screens/dashboard.dart' as _i7;
 import 'package:arbiter/screens/dashboard/about.dart' as _i1;
@@ -63,7 +63,7 @@ class Bootstrap extends _i13.PageRouteInfo<void> {
 class ClientDetails extends _i13.PageRouteInfo<ClientDetailsArgs> {
   ClientDetails({
     _i14.Key? key,
-    required _i15.SdkClientEntry client,
+    required _i15.Entry client,
     List<_i13.PageRouteInfo>? children,
   }) : super(
          ClientDetails.name,
@@ -87,7 +87,7 @@ class ClientDetailsArgs {
 
   final _i14.Key? key;
 
-  final _i15.SdkClientEntry client;
+  final _i15.Entry client;
 
   @override
   String toString() {
diff --git a/useragent/lib/screens/callouts/sdk_connect.dart b/useragent/lib/screens/callouts/sdk_connect.dart
index 3e005eb..372261f 100644
--- a/useragent/lib/screens/callouts/sdk_connect.dart
+++ b/useragent/lib/screens/callouts/sdk_connect.dart
@@ -1,4 +1,4 @@
-import 'package:arbiter/proto/client.pb.dart';
+import 'package:arbiter/proto/shared/client.pb.dart';
 import 'package:arbiter/theme/palette.dart';
 import 'package:arbiter/widgets/cream_frame.dart';
 import 'package:flutter/material.dart';
diff --git a/useragent/lib/screens/dashboard/clients/details.dart b/useragent/lib/screens/dashboard/clients/details.dart
index 4825380..3613401 100644
--- a/useragent/lib/screens/dashboard/clients/details.dart
+++ b/useragent/lib/screens/dashboard/clients/details.dart
@@ -1,12 +1,12 @@
 
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:auto_route/auto_route.dart';
 import 'package:flutter/material.dart';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
 
 @RoutePage()
 class ClientDetails extends ConsumerWidget {
-  final SdkClientEntry client;
+  final ua_sdk.Entry client;
   const ClientDetails({super.key, required this.client});
 
   @override
@@ -14,4 +14,4 @@ class ClientDetails extends ConsumerWidget {
     throw UnimplementedError();
   }
 
-}
\ No newline at end of file
+}
diff --git a/useragent/lib/screens/dashboard/clients/details/client_details.dart b/useragent/lib/screens/dashboard/clients/details/client_details.dart
index 854c5d9..49af73a 100644
--- a/useragent/lib/screens/dashboard/clients/details/client_details.dart
+++ b/useragent/lib/screens/dashboard/clients/details/client_details.dart
@@ -1,5 +1,5 @@
 import 'package:arbiter/providers/sdk_clients/details.dart';
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/screens/dashboard/clients/details/widgets/client_details_content.dart';
 import 'package:arbiter/screens/dashboard/clients/details/widgets/client_details_state_panel.dart';
 import 'package:auto_route/auto_route.dart';
@@ -40,7 +40,7 @@ class _ClientDetailsState extends StatelessWidget {
   const _ClientDetailsState({required this.clientId, required this.client});
 
   final int clientId;
-  final SdkClientEntry? client;
+  final ua_sdk.Entry? client;
 
   @override
   Widget build(BuildContext context) {
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/client_details_content.dart b/useragent/lib/screens/dashboard/clients/details/widgets/client_details_content.dart
index cf2693f..b7fb7cf 100644
--- a/useragent/lib/screens/dashboard/clients/details/widgets/client_details_content.dart
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/client_details_content.dart
@@ -1,4 +1,4 @@
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/providers/sdk_clients/wallet_access.dart';
 import 'package:arbiter/screens/dashboard/clients/details/widgets/client_details_header.dart';
 import 'package:arbiter/screens/dashboard/clients/details/widgets/client_summary_card.dart';
@@ -16,7 +16,7 @@ class ClientDetailsContent extends ConsumerWidget {
   });
 
   final int clientId;
-  final SdkClientEntry client;
+  final ua_sdk.Entry client;
 
   @override
   Widget build(BuildContext context, WidgetRef ref) {
diff --git a/useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart b/useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart
index f04576d..81cc528 100644
--- a/useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart
+++ b/useragent/lib/screens/dashboard/clients/details/widgets/client_summary_card.dart
@@ -1,11 +1,11 @@
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/widgets/cream_frame.dart';
 import 'package:flutter/material.dart';
 
 class ClientSummaryCard extends StatelessWidget {
   const ClientSummaryCard({super.key, required this.client});
 
-  final SdkClientEntry client;
+  final ua_sdk.Entry client;
 
   @override
   Widget build(BuildContext context) {
diff --git a/useragent/lib/screens/dashboard/clients/table.dart b/useragent/lib/screens/dashboard/clients/table.dart
index 7bfd43c..9ccbcda 100644
--- a/useragent/lib/screens/dashboard/clients/table.dart
+++ b/useragent/lib/screens/dashboard/clients/table.dart
@@ -1,6 +1,6 @@
 import 'dart:math' as math;
 
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/providers/connection/connection_manager.dart';
 import 'package:arbiter/router.gr.dart';
 import 'package:arbiter/providers/sdk_clients/list.dart';
@@ -175,7 +175,7 @@ class _ClientTableHeader extends StatelessWidget {
 class _ClientTableRow extends HookWidget {
   const _ClientTableRow({required this.client});
 
-  final SdkClientEntry client;
+  final ua_sdk.Entry client;
 
   @override
   Widget build(BuildContext context) {
@@ -366,7 +366,7 @@ class _ClientTableRow extends HookWidget {
 class _ClientTable extends StatelessWidget {
   const _ClientTable({required this.clients});
 
-  final List<SdkClientEntry> clients;
+  final List<ua_sdk.Entry> clients;
 
   @override
   Widget build(BuildContext context) {
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/fields/client_picker_field.dart b/useragent/lib/screens/dashboard/evm/grants/create/fields/client_picker_field.dart
index 8369083..cfee2fe 100644
--- a/useragent/lib/screens/dashboard/evm/grants/create/fields/client_picker_field.dart
+++ b/useragent/lib/screens/dashboard/evm/grants/create/fields/client_picker_field.dart
@@ -1,5 +1,5 @@
 // lib/screens/dashboard/evm/grants/create/fields/client_picker_field.dart
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/providers/sdk_clients/list.dart';
 import 'package:arbiter/screens/dashboard/evm/grants/create/provider.dart';
 import 'package:flutter/material.dart';
@@ -12,7 +12,7 @@ class ClientPickerField extends ConsumerWidget {
   @override
   Widget build(BuildContext context, WidgetRef ref) {
     final clients =
-        ref.watch(sdkClientsProvider).asData?.value ?? const <SdkClientEntry>[];
+        ref.watch(sdkClientsProvider).asData?.value ?? const <ua_sdk.Entry>[];
 
     return FormBuilderDropdown<int>(
       name: 'clientId',
diff --git a/useragent/lib/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart b/useragent/lib/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart
index b220e6f..72a760a 100644
--- a/useragent/lib/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart
+++ b/useragent/lib/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart
@@ -1,6 +1,6 @@
 // lib/screens/dashboard/evm/grants/create/fields/wallet_access_picker_field.dart
 import 'package:arbiter/proto/evm.pb.dart';
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/providers/evm/evm.dart';
 import 'package:arbiter/providers/sdk_clients/wallet_access_list.dart';
 import 'package:arbiter/screens/dashboard/evm/grants/create/provider.dart';
@@ -17,13 +17,13 @@ class WalletAccessPickerField extends ConsumerWidget {
     final state = ref.watch(grantCreationProvider);
     final allAccesses =
         ref.watch(walletAccessListProvider).asData?.value ??
-        const <SdkClientWalletAccess>[];
+        const <ua_sdk.WalletAccessEntry>[];
     final wallets =
         ref.watch(evmProvider).asData?.value ?? const <WalletEntry>[];
 
     final walletById = <int, WalletEntry>{for (final w in wallets) w.id: w};
     final accesses = state.selectedClientId == null
-        ? const <SdkClientWalletAccess>[]
+        ? const <ua_sdk.WalletAccessEntry>[]
         : allAccesses
               .where((a) => a.access.sdkClientId == state.selectedClientId)
               .toList();
diff --git a/useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart b/useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart
index 5e01b1c..8a28da9 100644
--- a/useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart
+++ b/useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart
@@ -1,5 +1,5 @@
 import 'package:arbiter/proto/evm.pb.dart';
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/providers/evm/evm.dart';
 import 'package:arbiter/providers/evm/evm_grants.dart';
 import 'package:arbiter/providers/sdk_clients/list.dart';
@@ -45,7 +45,7 @@ class GrantCard extends ConsumerWidget {
     final muted = Palette.ink.withValues(alpha: 0.62);
 
     // Resolve wallet_access_id → wallet address + client name
-    final accessById = <int, SdkClientWalletAccess>{
+    final accessById = <int, ua_sdk.WalletAccessEntry>{
       for (final a in walletAccesses) a.id: a,
     };
     final walletById = <int, WalletEntry>{
diff --git a/useragent/lib/screens/vault_setup.dart b/useragent/lib/screens/vault_setup.dart
index a350c98..8f306ba 100644
--- a/useragent/lib/screens/vault_setup.dart
+++ b/useragent/lib/screens/vault_setup.dart
@@ -1,5 +1,7 @@
 import 'package:arbiter/features/connection/vault.dart';
-import 'package:arbiter/proto/user_agent.pbenum.dart';
+import 'package:arbiter/proto/shared/vault.pbenum.dart';
+import 'package:arbiter/proto/user_agent/vault/bootstrap.pbenum.dart';
+import 'package:arbiter/proto/user_agent/vault/unseal.pbenum.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
 import 'package:arbiter/providers/vault_state.dart';
 import 'package:arbiter/router.gr.dart';
diff --git a/useragent/test/screens/dashboard/clients/details/client_details_screen_test.dart b/useragent/test/screens/dashboard/clients/details/client_details_screen_test.dart
index 5e4e1b4..64c974d 100644
--- a/useragent/test/screens/dashboard/clients/details/client_details_screen_test.dart
+++ b/useragent/test/screens/dashboard/clients/details/client_details_screen_test.dart
@@ -1,6 +1,6 @@
-import 'package:arbiter/proto/client.pb.dart';
 import 'package:arbiter/proto/evm.pb.dart';
-import 'package:arbiter/proto/user_agent.pb.dart';
+import 'package:arbiter/proto/shared/client.pb.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart';
 import 'package:arbiter/providers/evm/evm.dart';
 import 'package:arbiter/providers/sdk_clients/list.dart';
 import 'package:arbiter/providers/sdk_clients/wallet_access.dart';
@@ -30,7 +30,7 @@ void main() {
   testWidgets('renders client summary and wallet access controls', (
     tester,
   ) async {
-    final client = SdkClientEntry(
+    final client = Entry(
       id: 42,
       createdAt: 1,
       info: ClientInfo(

From 0362044b83d29d0faacb7df4e306f46df64bad42 Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Fri, 3 Apr 2026 22:14:41 +0200
Subject: [PATCH 24/29] housekeeping(server): fixed clippy warns

---
 server/crates/arbiter-client/src/bin/test_connect.rs      | 1 -
 server/crates/arbiter-server/src/actors/client/session.rs | 1 -
 server/crates/arbiter-server/src/actors/evm/mod.rs        | 2 +-
 .../src/actors/user_agent/session/connection.rs           | 8 +++-----
 server/crates/arbiter-server/src/evm/mod.rs               | 1 -
 server/crates/arbiter-server/src/grpc/common/inbound.rs   | 2 +-
 6 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/server/crates/arbiter-client/src/bin/test_connect.rs b/server/crates/arbiter-client/src/bin/test_connect.rs
index e078e3d..6b127a2 100644
--- a/server/crates/arbiter-client/src/bin/test_connect.rs
+++ b/server/crates/arbiter-client/src/bin/test_connect.rs
@@ -3,7 +3,6 @@ use std::io::{self, Write};
 
 use arbiter_client::ArbiterClient;
 use arbiter_proto::{ClientMetadata, url::ArbiterUrl};
-use tonic::ConnectError;
 
 #[tokio::main]
 async fn main() {
diff --git a/server/crates/arbiter-server/src/actors/client/session.rs b/server/crates/arbiter-server/src/actors/client/session.rs
index d243f00..a68a3c2 100644
--- a/server/crates/arbiter-server/src/actors/client/session.rs
+++ b/server/crates/arbiter-server/src/actors/client/session.rs
@@ -1,4 +1,3 @@
-use ed25519_dalek::VerifyingKey;
 use kameo::{Actor, messages};
 use tracing::error;
 
diff --git a/server/crates/arbiter-server/src/actors/evm/mod.rs b/server/crates/arbiter-server/src/actors/evm/mod.rs
index e3a954b..10df1d2 100644
--- a/server/crates/arbiter-server/src/actors/evm/mod.rs
+++ b/server/crates/arbiter-server/src/actors/evm/mod.rs
@@ -9,7 +9,7 @@ use rand::{SeedableRng, rng, rngs::StdRng};
 use crate::{
     actors::keyholder::{CreateNew, Decrypt, KeyHolder},
     db::{
-        self, DatabaseError, DatabasePool,
+        DatabaseError, DatabasePool,
         models::{self, SqliteTimestamp},
         schema,
     },
diff --git a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
index f295c73..01f2193 100644
--- a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
@@ -2,12 +2,11 @@ use std::sync::Mutex;
 
 use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
-use diesel::sql_types::ops::Add;
-use diesel::{BoolExpressionMethods as _, ExpressionMethods as _, QueryDsl as _, SelectableHelper};
+use diesel::{ExpressionMethods as _, QueryDsl as _, SelectableHelper};
 use diesel_async::{AsyncConnection, RunQueryDsl};
 use kameo::error::SendError;
 use kameo::prelude::Context;
-use kameo::{message, messages};
+use kameo::messages;
 use tracing::{error, info};
 use x25519_dalek::{EphemeralSecret, PublicKey};
 
@@ -15,9 +14,8 @@ use crate::actors::flow_coordinator::client_connect_approval::ClientApprovalAnsw
 use crate::actors::keyholder::KeyHolderState;
 use crate::actors::user_agent::session::Error;
 use crate::db::models::{
-    CoreEvmWalletAccess, EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
+    EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
 };
-use crate::db::schema::evm_wallet_access;
 use crate::evm::policies::{Grant, SpecificGrant};
 use crate::safe_cell::SafeCell;
 use crate::{
diff --git a/server/crates/arbiter-server/src/evm/mod.rs b/server/crates/arbiter-server/src/evm/mod.rs
index c922202..5b4be05 100644
--- a/server/crates/arbiter-server/src/evm/mod.rs
+++ b/server/crates/arbiter-server/src/evm/mod.rs
@@ -8,7 +8,6 @@ use alloy::{
 use chrono::Utc;
 use diesel::{ExpressionMethods as _, QueryDsl as _, QueryResult, insert_into, sqlite::Sqlite};
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use tracing_subscriber::registry::Data;
 
 use crate::{
     db::{
diff --git a/server/crates/arbiter-server/src/grpc/common/inbound.rs b/server/crates/arbiter-server/src/grpc/common/inbound.rs
index bf083f0..d132b31 100644
--- a/server/crates/arbiter-server/src/grpc/common/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/common/inbound.rs
@@ -27,7 +27,7 @@ impl TryConvert for RawEvmTransaction {
 
     type Error = tonic::Status;
 
-    fn try_convert(mut self) -> Result<Self::Output, Self::Error> {
+    fn try_convert(self) -> Result<Self::Output, Self::Error> {
         let tx = TxEip1559::decode(&mut self.0.as_slice()).map_err(|_| {
             tonic::Status::invalid_argument("Invalid EVM transaction format")
         })?;

From 146f7a419ef967c2aa16facb3ce2da48617d7088 Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Fri, 3 Apr 2026 22:25:09 +0200
Subject: [PATCH 25/29] housekeeping: updated docs to match current impl state

---
 IMPLEMENTATION.md | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/IMPLEMENTATION.md b/IMPLEMENTATION.md
index 4718707..67a820b 100644
--- a/IMPLEMENTATION.md
+++ b/IMPLEMENTATION.md
@@ -67,7 +67,18 @@ The `program_client.nonce` column stores the **next usable nonce** — i.e. it i
 ## Cryptography
 
 ### Authentication
-- **Signature scheme:** ed25519
+- **Client protocol:** ed25519
+
+### User-Agent Authentication
+
+User-agent authentication supports multiple signature schemes because platform-provided "hardware-bound" keys do not expose a uniform algorithm across operating systems and hardware.
+
+- **Supported schemes:** RSA, Ed25519, ECDSA (secp256k1)
+- **Why:** the user agent authenticates with keys backed by platform facilities, and those facilities differ by platform
+- **Apple Silicon Secure Enclave / Secure Element:** ECDSA-only in practice
+- **Windows Hello / TPM 2.0:** currently RSA-backed in our integration
+
+This is why the user-agent auth protocol carries an explicit `KeyType`, while the SDK client protocol remains fixed to ed25519.
 
 ### Encryption at Rest
 - **Scheme:** Symmetric AEAD — currently **XChaCha20-Poly1305**
@@ -148,7 +159,7 @@ The central abstraction is the `Policy` trait. Each implementation handles one s
 Every grant has two layers:
 
 - **Shared (`evm_basic_grant`)** — wallet, chain, validity period, gas fee caps, transaction count rate limit. One row per grant regardless of type.
-- **Specific** — policy-owned tables (`evm_ether_transfer_grant`, `evm_token_transfer_grant`, etc.) holding type-specific configuration.
+- **Specific** — policy-owned tables (`evm_ether_transfer_grant`, `evm_token_transfer_grant`) holding type-specific configuration.
 
 `find_all_grants` uses a `#[diesel::auto_type]` base join between the specific and shared tables, then batch-loads related rows (targets, volume limits) in two additional queries to avoid N+1.
 
@@ -171,7 +182,6 @@ These are checked centrally in `check_shared_constraints` before policy evaluati
 - **Only EIP-1559 transactions are supported.** Legacy and EIP-2930 types are rejected outright.
 - **No opaque-calldata (unknown contract) grant type.** The architecture describes a category for unrecognised contracts, but no policy implements it yet. Any transaction that is not a plain ETH transfer or a known ERC-20 transfer is unconditionally rejected.
 - **Token registry is static.** Tokens are recognised only if they appear in the hard-coded `arbiter_tokens_registry` crate. There is no mechanism to register additional contracts at runtime.
-- **Nonce management is not implemented.** The architecture lists nonce deduplication as a core responsibility, but no nonce tracking or enforcement exists yet.
 
 ---
 
@@ -179,5 +189,5 @@ These are checked centrally in `check_shared_constraints` before policy evaluati
 
 The unsealed root key must be held in a hardened memory cell resistant to dumps, page swaps, and hibernation.
 
-- **Current:** Using the `memsafe` crate as an interim solution
-- **Planned:** Custom implementation based on `mlock` (Unix) and `VirtualProtect` (Windows)
+- **Current:** A dedicated memory-protection abstraction is in place, with `memsafe` used behind that abstraction today
+- **Planned:** Additional backends can be introduced behind the same abstraction, including a custom implementation based on `mlock` (Unix) and `VirtualProtect` (Windows)

From 083ff66af23deb8dec0dfef97506af2a0e74ae8f Mon Sep 17 00:00:00 2001
From: hdbg <httpdebugger@protonmail.com>
Date: Sat, 4 Apr 2026 12:04:24 +0200
Subject: [PATCH 26/29] refactor(server): removed `miette` out of server

---
 server/Cargo.lock                             |  2 +-
 server/Cargo.toml                             |  2 +-
 server/crates/arbiter-client/src/auth.rs      |  4 +-
 .../arbiter-client/src/bin/test_connect.rs    |  7 +---
 server/crates/arbiter-client/src/client.rs    | 19 +++++----
 server/crates/arbiter-proto/src/url.rs        |  1 -
 server/crates/arbiter-server/Cargo.toml       |  2 +-
 .../arbiter-server/src/actors/bootstrap.rs    |  7 +---
 .../arbiter-server/src/actors/client/auth.rs  |  7 +---
 .../arbiter-server/src/actors/client/mod.rs   |  5 +--
 .../src/actors/client/session.rs              | 10 +++--
 .../arbiter-server/src/actors/evm/mod.rs      | 13 +-----
 .../client_connect_approval.rs                |  8 +++-
 .../src/actors/keyholder/mod.rs               | 10 +----
 .../crates/arbiter-server/src/actors/mod.rs   |  5 +--
 .../actors/user_agent/session/connection.rs   |  2 +-
 .../crates/arbiter-server/src/context/mod.rs  |  9 +----
 .../crates/arbiter-server/src/context/tls.rs  | 14 ++-----
 server/crates/arbiter-server/src/db/mod.rs    |  9 +----
 server/crates/arbiter-server/src/evm/mod.rs   | 13 ++----
 .../crates/arbiter-server/src/evm/policies.rs | 10 +----
 .../arbiter-server/src/grpc/client/auth.rs    |  8 ++--
 .../arbiter-server/src/grpc/client/evm.rs     | 24 ++++++-----
 .../arbiter-server/src/grpc/client/inbound.rs |  1 +
 .../src/grpc/client/outbound.rs               |  1 +
 .../arbiter-server/src/grpc/client/vault.rs   | 12 +++---
 .../arbiter-server/src/grpc/common/inbound.rs |  7 ++--
 .../src/grpc/common/outbound.rs               |  9 +++--
 .../arbiter-server/src/grpc/user_agent.rs     | 10 ++---
 .../src/grpc/user_agent/auth.rs               | 16 +++++---
 .../arbiter-server/src/grpc/user_agent/evm.rs | 40 ++++++++++---------
 .../src/grpc/user_agent/outbound.rs           |  4 +-
 .../src/grpc/user_agent/sdk_client.rs         | 24 ++++++-----
 .../src/grpc/user_agent/vault.rs              | 25 ++++++------
 server/crates/arbiter-server/src/main.rs      |  8 ++--
 .../arbiter-server/tests/user_agent/unseal.rs |  7 ++--
 36 files changed, 156 insertions(+), 199 deletions(-)

diff --git a/server/Cargo.lock b/server/Cargo.lock
index 32a1587..ae401a6 100644
--- a/server/Cargo.lock
+++ b/server/Cargo.lock
@@ -724,6 +724,7 @@ name = "arbiter-server"
 version = "0.1.0"
 dependencies = [
  "alloy",
+ "anyhow",
  "arbiter-proto",
  "arbiter-tokens-registry",
  "argon2",
@@ -741,7 +742,6 @@ dependencies = [
  "k256",
  "kameo",
  "memsafe",
- "miette",
  "pem",
  "prost-types",
  "rand 0.10.0",
diff --git a/server/Cargo.toml b/server/Cargo.toml
index ddc9416..1e41511 100644
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -22,7 +22,6 @@ chrono = { version = "0.4.44", features = ["serde"] }
 rand = "0.10.0"
 rustls = { version = "0.23.37", features = ["aws-lc-rs"] }
 smlang = "0.8.0"
-miette = { version = "7.6.0", features = ["fancy", "serde"] }
 thiserror = "2.0.18"
 async-trait = "0.1.89"
 futures = "0.3.32"
@@ -43,3 +42,4 @@ k256 = { version = "0.13.4", features = ["ecdsa", "pkcs8"] }
 rsa = { version = "0.9", features = ["sha2"] }
 sha2 = "0.10"
 spki = "0.7"
+miette = { version = "7.6.0", features = ["fancy", "serde"] }
\ No newline at end of file
diff --git a/server/crates/arbiter-client/src/auth.rs b/server/crates/arbiter-client/src/auth.rs
index b42f82a..ff26e09 100644
--- a/server/crates/arbiter-client/src/auth.rs
+++ b/server/crates/arbiter-client/src/auth.rs
@@ -122,9 +122,7 @@ async fn receive_auth_confirmation(
         .await
         .map_err(|_| AuthError::UnexpectedAuthResponse)?;
 
-    let payload = response
-        .payload
-        .ok_or(AuthError::UnexpectedAuthResponse)?;
+    let payload = response.payload.ok_or(AuthError::UnexpectedAuthResponse)?;
     match payload {
         ClientResponsePayload::Auth(response) => match response.payload {
             Some(AuthResponsePayload::Result(result))
diff --git a/server/crates/arbiter-client/src/bin/test_connect.rs b/server/crates/arbiter-client/src/bin/test_connect.rs
index 6b127a2..311d333 100644
--- a/server/crates/arbiter-client/src/bin/test_connect.rs
+++ b/server/crates/arbiter-client/src/bin/test_connect.rs
@@ -1,4 +1,3 @@
-
 use std::io::{self, Write};
 
 use arbiter_client::ArbiterClient;
@@ -22,8 +21,6 @@ async fn main() {
         return;
     }
 
-   
-
     let url = match ArbiterUrl::try_from(input) {
         Ok(url) => url,
         Err(err) => {
@@ -32,7 +29,7 @@ async fn main() {
         }
     };
 
-     println!("{:#?}", url);
+    println!("{:#?}", url);
 
     let metadata = ClientMetadata {
         name: "arbiter-client test_connect".to_string(),
@@ -44,4 +41,4 @@ async fn main() {
         Ok(_) => println!("Connected and authenticated successfully."),
         Err(err) => eprintln!("Failed to connect: {:#?}", err),
     }
-}
\ No newline at end of file
+}
diff --git a/server/crates/arbiter-client/src/client.rs b/server/crates/arbiter-client/src/client.rs
index a9e9391..8a77441 100644
--- a/server/crates/arbiter-client/src/client.rs
+++ b/server/crates/arbiter-client/src/client.rs
@@ -1,11 +1,16 @@
-use arbiter_proto::{ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl};
+use arbiter_proto::{
+    ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl,
+};
 use std::sync::Arc;
 use tokio::sync::{Mutex, mpsc};
 use tokio_stream::wrappers::ReceiverStream;
 use tonic::transport::ClientTlsConfig;
 
 use crate::{
-    StorageError, auth::{AuthError, authenticate}, storage::{FileSigningKeyStorage, SigningKeyStorage}, transport::{BUFFER_LENGTH, ClientTransport}
+    StorageError,
+    auth::{AuthError, authenticate},
+    storage::{FileSigningKeyStorage, SigningKeyStorage},
+    transport::{BUFFER_LENGTH, ClientTransport},
 };
 
 #[cfg(feature = "evm")]
@@ -30,7 +35,6 @@ pub enum Error {
 
     #[error("Storage error")]
     Storage(#[from] StorageError),
-    
 }
 
 pub struct ArbiterClient {
@@ -61,10 +65,11 @@ impl ArbiterClient {
         let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)?.to_owned();
         let tls = ClientTlsConfig::new().trust_anchor(anchor);
 
-        let channel = tonic::transport::Channel::from_shared(format!("https://{}:{}", url.host, url.port))?
-            .tls_config(tls)?
-            .connect()
-            .await?;
+        let channel =
+            tonic::transport::Channel::from_shared(format!("https://{}:{}", url.host, url.port))?
+                .tls_config(tls)?
+                .connect()
+                .await?;
 
         let mut client = ArbiterServiceClient::new(channel);
         let (tx, rx) = mpsc::channel(BUFFER_LENGTH);
diff --git a/server/crates/arbiter-proto/src/url.rs b/server/crates/arbiter-proto/src/url.rs
index 7459a4b..321df0b 100644
--- a/server/crates/arbiter-proto/src/url.rs
+++ b/server/crates/arbiter-proto/src/url.rs
@@ -7,7 +7,6 @@ const ARBITER_URL_SCHEME: &str = "arbiter";
 const CERT_QUERY_KEY: &str = "cert";
 const BOOTSTRAP_TOKEN_QUERY_KEY: &str = "bootstrap_token";
 
-
 #[derive(Debug, Clone)]
 pub struct ArbiterUrl {
     pub host: String,
diff --git a/server/crates/arbiter-server/Cargo.toml b/server/crates/arbiter-server/Cargo.toml
index 8996fce..7a3794d 100644
--- a/server/crates/arbiter-server/Cargo.toml
+++ b/server/crates/arbiter-server/Cargo.toml
@@ -25,7 +25,6 @@ tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 rustls.workspace = true
 smlang.workspace = true
-miette.workspace = true
 thiserror.workspace = true
 fatality = "0.1.1"
 diesel_migrations = { version = "2.3.1", features = ["sqlite"] }
@@ -53,6 +52,7 @@ spki.workspace = true
 alloy.workspace = true
 prost-types.workspace = true
 arbiter-tokens-registry.path = "../arbiter-tokens-registry"
+anyhow = "1.0.102"
 
 [dev-dependencies]
 insta = "1.46.3"
diff --git a/server/crates/arbiter-server/src/actors/bootstrap.rs b/server/crates/arbiter-server/src/actors/bootstrap.rs
index 515ad54..de85d06 100644
--- a/server/crates/arbiter-server/src/actors/bootstrap.rs
+++ b/server/crates/arbiter-server/src/actors/bootstrap.rs
@@ -2,7 +2,7 @@ use arbiter_proto::{BOOTSTRAP_PATH, home_path};
 use diesel::QueryDsl;
 use diesel_async::RunQueryDsl;
 use kameo::{Actor, messages};
-use miette::Diagnostic;
+
 use rand::{RngExt, distr::Alphanumeric, make_rng, rngs::StdRng};
 use thiserror::Error;
 
@@ -25,18 +25,15 @@ pub async fn generate_token() -> Result<String, std::io::Error> {
     Ok(token)
 }
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum Error {
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter_server::bootstrap::database))]
     Database(#[from] db::PoolError),
 
     #[error("Database query error: {0}")]
-    #[diagnostic(code(arbiter_server::bootstrap::database_query))]
     Query(#[from] diesel::result::Error),
 
     #[error("I/O error: {0}")]
-    #[diagnostic(code(arbiter_server::bootstrap::io))]
     Io(#[from] std::io::Error),
 }
 
diff --git a/server/crates/arbiter-server/src/actors/client/auth.rs b/server/crates/arbiter-server/src/actors/client/auth.rs
index 181b974..ed049dc 100644
--- a/server/crates/arbiter-server/src/actors/client/auth.rs
+++ b/server/crates/arbiter-server/src/actors/client/auth.rs
@@ -287,10 +287,7 @@ where
     Ok(())
 }
 
-pub async fn authenticate<T>(
-    props: &mut ClientConnection,
-    transport: &mut T,
-) -> Result<i32, Error>
+pub async fn authenticate<T>(props: &mut ClientConnection, transport: &mut T) -> Result<i32, Error>
 where
     T: Bi<Inbound, Result<Outbound, Error>> + Send + ?Sized,
 {
@@ -319,7 +316,7 @@ where
 
     sync_client_metadata(&props.db, info.id, &metadata).await?;
     challenge_client(transport, pubkey, info.current_nonce).await?;
-    
+
     transport
         .send(Ok(Outbound::AuthSuccess))
         .await
diff --git a/server/crates/arbiter-server/src/actors/client/mod.rs b/server/crates/arbiter-server/src/actors/client/mod.rs
index f747572..4984316 100644
--- a/server/crates/arbiter-server/src/actors/client/mod.rs
+++ b/server/crates/arbiter-server/src/actors/client/mod.rs
@@ -20,10 +20,7 @@ pub struct ClientConnection {
 
 impl ClientConnection {
     pub fn new(db: db::DatabasePool, actors: GlobalActors) -> Self {
-        Self {
-            db,
-            actors,
-        }
+        Self { db, actors }
     }
 }
 
diff --git a/server/crates/arbiter-server/src/actors/client/session.rs b/server/crates/arbiter-server/src/actors/client/session.rs
index a68a3c2..184c650 100644
--- a/server/crates/arbiter-server/src/actors/client/session.rs
+++ b/server/crates/arbiter-server/src/actors/client/session.rs
@@ -6,11 +6,10 @@ use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
 use crate::{
     actors::{
         GlobalActors,
-        client::ClientConnection, flow_coordinator::RegisterClient,
-       
+        client::ClientConnection,
         evm::{ClientSignTransaction, SignTransactionError},
+        flow_coordinator::RegisterClient,
         keyholder::KeyHolderState,
-       
     },
     db,
     evm::VetError,
@@ -95,7 +94,10 @@ impl Actor for ClientSession {
 impl ClientSession {
     pub fn new_test(db: db::DatabasePool, actors: GlobalActors) -> Self {
         let props = ClientConnection::new(db, actors);
-        Self { props, client_id: 0 }
+        Self {
+            props,
+            client_id: 0,
+        }
     }
 }
 
diff --git a/server/crates/arbiter-server/src/actors/evm/mod.rs b/server/crates/arbiter-server/src/actors/evm/mod.rs
index 10df1d2..5a3a2f7 100644
--- a/server/crates/arbiter-server/src/actors/evm/mod.rs
+++ b/server/crates/arbiter-server/src/actors/evm/mod.rs
@@ -25,45 +25,36 @@ use crate::{
 
 pub use crate::evm::safe_signer;
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum SignTransactionError {
     #[error("Wallet not found")]
-    #[diagnostic(code(arbiter::evm::sign::wallet_not_found))]
     WalletNotFound,
 
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::database))]
     Database(#[from] DatabaseError),
 
     #[error("Keyholder error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::keyholder))]
     Keyholder(#[from] crate::actors::keyholder::Error),
 
     #[error("Keyholder mailbox error")]
-    #[diagnostic(code(arbiter::evm::sign::keyholder_send))]
     KeyholderSend,
 
     #[error("Signing error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::signing))]
     Signing(#[from] alloy::signers::Error),
 
     #[error("Policy error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::vet))]
     Vet(#[from] evm::VetError),
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum Error {
     #[error("Keyholder error: {0}")]
-    #[diagnostic(code(arbiter::evm::keyholder))]
     Keyholder(#[from] crate::actors::keyholder::Error),
 
     #[error("Keyholder mailbox error")]
-    #[diagnostic(code(arbiter::evm::keyholder_send))]
     KeyholderSend,
 
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter::evm::database))]
     Database(#[from] DatabaseError),
 }
 
diff --git a/server/crates/arbiter-server/src/actors/flow_coordinator/client_connect_approval.rs b/server/crates/arbiter-server/src/actors/flow_coordinator/client_connect_approval.rs
index a3868e0..c5b20c3 100644
--- a/server/crates/arbiter-server/src/actors/flow_coordinator/client_connect_approval.rs
+++ b/server/crates/arbiter-server/src/actors/flow_coordinator/client_connect_approval.rs
@@ -15,7 +15,7 @@ use crate::actors::{
 pub struct Args {
     pub client: ClientProfile,
     pub user_agents: Vec<ActorRef<UserAgentSession>>,
-    pub reply: ReplySender<Result<bool, ApprovalError>>
+    pub reply: ReplySender<Result<bool, ApprovalError>>,
 }
 
 pub struct ClientApprovalController {
@@ -39,7 +39,11 @@ impl Actor for ClientApprovalController {
     type Error = ();
 
     async fn on_start(
-        Args { client, mut user_agents, reply }: Self::Args,
+        Args {
+            client,
+            mut user_agents,
+            reply,
+        }: Self::Args,
         actor_ref: ActorRef<Self>,
     ) -> Result<Self, Self::Error> {
         let this = Self {
diff --git a/server/crates/arbiter-server/src/actors/keyholder/mod.rs b/server/crates/arbiter-server/src/actors/keyholder/mod.rs
index fbf3d50..36afe5b 100644
--- a/server/crates/arbiter-server/src/actors/keyholder/mod.rs
+++ b/server/crates/arbiter-server/src/actors/keyholder/mod.rs
@@ -35,36 +35,28 @@ enum State {
     },
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum Error {
     #[error("Keyholder is already bootstrapped")]
-    #[diagnostic(code(arbiter::keyholder::already_bootstrapped))]
     AlreadyBootstrapped,
     #[error("Keyholder is not bootstrapped")]
-    #[diagnostic(code(arbiter::keyholder::not_bootstrapped))]
     NotBootstrapped,
     #[error("Invalid key provided")]
-    #[diagnostic(code(arbiter::keyholder::invalid_key))]
     InvalidKey,
 
     #[error("Requested aead entry not found")]
-    #[diagnostic(code(arbiter::keyholder::aead_not_found))]
     NotFound,
 
     #[error("Encryption error: {0}")]
-    #[diagnostic(code(arbiter::keyholder::encryption_error))]
     Encryption(#[from] chacha20poly1305::aead::Error),
 
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter::keyholder::database_error))]
     DatabaseConnection(#[from] db::PoolError),
 
     #[error("Database transaction error: {0}")]
-    #[diagnostic(code(arbiter::keyholder::database_transaction_error))]
     DatabaseTransaction(#[from] diesel::result::Error),
 
     #[error("Broken database")]
-    #[diagnostic(code(arbiter::keyholder::broken_database))]
     BrokenDatabase,
 }
 
diff --git a/server/crates/arbiter-server/src/actors/mod.rs b/server/crates/arbiter-server/src/actors/mod.rs
index 1b70dd7..8ff1fce 100644
--- a/server/crates/arbiter-server/src/actors/mod.rs
+++ b/server/crates/arbiter-server/src/actors/mod.rs
@@ -1,5 +1,4 @@
 use kameo::actor::{ActorRef, Spawn};
-use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
@@ -17,14 +16,12 @@ pub mod flow_coordinator;
 pub mod keyholder;
 pub mod user_agent;
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum SpawnError {
     #[error("Failed to spawn Bootstrapper actor")]
-    #[diagnostic(code(SpawnError::Bootstrapper))]
     Bootstrapper(#[from] bootstrap::Error),
 
     #[error("Failed to spawn KeyHolder actor")]
-    #[diagnostic(code(SpawnError::KeyHolder))]
     KeyHolder(#[from] keyholder::Error),
 }
 
diff --git a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
index 01f2193..382dec5 100644
--- a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
@@ -5,8 +5,8 @@ use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use diesel::{ExpressionMethods as _, QueryDsl as _, SelectableHelper};
 use diesel_async::{AsyncConnection, RunQueryDsl};
 use kameo::error::SendError;
-use kameo::prelude::Context;
 use kameo::messages;
+use kameo::prelude::Context;
 use tracing::{error, info};
 use x25519_dalek::{EphemeralSecret, PublicKey};
 
diff --git a/server/crates/arbiter-server/src/context/mod.rs b/server/crates/arbiter-server/src/context/mod.rs
index 9867cf1..dd44655 100644
--- a/server/crates/arbiter-server/src/context/mod.rs
+++ b/server/crates/arbiter-server/src/context/mod.rs
@@ -1,6 +1,5 @@
 use std::sync::Arc;
 
-use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
@@ -11,30 +10,24 @@ use crate::{
 
 pub mod tls;
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum InitError {
     #[error("Database setup failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::database_setup))]
     DatabaseSetup(#[from] db::DatabaseSetupError),
 
     #[error("Connection acquire failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::database_pool))]
     DatabasePool(#[from] db::PoolError),
 
     #[error("Database query error: {0}")]
-    #[diagnostic(code(arbiter_server::init::database_query))]
     DatabaseQuery(#[from] diesel::result::Error),
 
     #[error("TLS initialization failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::tls_init))]
     Tls(#[from] tls::InitError),
 
     #[error("Actor spawn failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::actor_spawn))]
     ActorSpawn(#[from] crate::actors::SpawnError),
 
     #[error("I/O Error: {0}")]
-    #[diagnostic(code(arbiter_server::init::io))]
     Io(#[from] std::io::Error),
 }
 
diff --git a/server/crates/arbiter-server/src/context/tls.rs b/server/crates/arbiter-server/src/context/tls.rs
index eca7b3f..0a0d95a 100644
--- a/server/crates/arbiter-server/src/context/tls.rs
+++ b/server/crates/arbiter-server/src/context/tls.rs
@@ -2,7 +2,7 @@ use std::{net::IpAddr, string::FromUtf8Error};
 
 use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper as _};
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use miette::Diagnostic;
+
 use pem::Pem;
 use rcgen::{
     BasicConstraints, Certificate, CertificateParams, CertifiedIssuer, DistinguishedName, DnType,
@@ -29,30 +29,24 @@ const ENCODE_CONFIG: pem::EncodeConfig = {
     pem::EncodeConfig::new().set_line_ending(line_ending)
 };
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum InitError {
     #[error("Key generation error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::key_generation))]
     KeyGeneration(#[from] rcgen::Error),
 
     #[error("Key invalid format: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::key_invalid_format))]
     KeyInvalidFormat(#[from] FromUtf8Error),
 
     #[error("Key deserialization error: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::key_deserialization))]
     KeyDeserializationError(rcgen::Error),
 
     #[error("Database error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::database_error))]
     DatabaseError(#[from] diesel::result::Error),
 
     #[error("Pem deserialization error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::pem_deserialization))]
     PemDeserializationError(#[from] rustls::pki_types::pem::Error),
 
     #[error("Database pool acquire error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::database_pool_acquire))]
     DatabasePoolAcquire(#[from] db::PoolError),
 }
 
@@ -116,9 +110,7 @@ impl TlsCa {
         ];
         params
             .subject_alt_names
-            .push(SanType::IpAddress(IpAddr::from([
-                127, 0, 0, 1,
-            ])));
+            .push(SanType::IpAddress(IpAddr::from([127, 0, 0, 1])));
 
         let mut dn = DistinguishedName::new();
         dn.push(DnType::CommonName, "Arbiter Instance Leaf");
diff --git a/server/crates/arbiter-server/src/db/mod.rs b/server/crates/arbiter-server/src/db/mod.rs
index ba7ef0e..c1825b8 100644
--- a/server/crates/arbiter-server/src/db/mod.rs
+++ b/server/crates/arbiter-server/src/db/mod.rs
@@ -5,7 +5,7 @@ use diesel_async::{
     sync_connection_wrapper::SyncConnectionWrapper,
 };
 use diesel_migrations::{EmbeddedMigrations, MigrationHarness, embed_migrations};
-use miette::Diagnostic;
+
 use thiserror::Error;
 use tracing::info;
 
@@ -21,26 +21,21 @@ static DB_FILE: &str = "arbiter.sqlite";
 
 const MIGRATIONS: EmbeddedMigrations = embed_migrations!("migrations");
 
-#[derive(Error, Diagnostic, Debug)]
+#[derive(Error, Debug)]
 pub enum DatabaseSetupError {
     #[error("Failed to determine home directory")]
-    #[diagnostic(code(arbiter::db::home_dir))]
     HomeDir(std::io::Error),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::connection))]
     Connection(diesel::ConnectionError),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::concurrency))]
     ConcurrencySetup(diesel::result::Error),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::migration))]
     Migration(Box<dyn std::error::Error + Send + Sync>),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::pool))]
     Pool(#[from] PoolInitError),
 }
 
diff --git a/server/crates/arbiter-server/src/evm/mod.rs b/server/crates/arbiter-server/src/evm/mod.rs
index 5b4be05..d840d81 100644
--- a/server/crates/arbiter-server/src/evm/mod.rs
+++ b/server/crates/arbiter-server/src/evm/mod.rs
@@ -28,39 +28,32 @@ pub mod policies;
 mod utils;
 
 /// Errors that can only occur once the transaction meaning is known (during policy evaluation)
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum PolicyError {
     #[error("Database error")]
     Database(#[from] crate::db::DatabaseError),
     #[error("Transaction violates policy: {0:?}")]
-    #[diagnostic(code(arbiter_server::evm::policy_error::violation))]
     Violations(Vec<EvalViolation>),
     #[error("No matching grant found")]
-    #[diagnostic(code(arbiter_server::evm::policy_error::no_matching_grant))]
     NoMatchingGrant,
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum VetError {
     #[error("Contract creation transactions are not supported")]
-    #[diagnostic(code(arbiter_server::evm::vet_error::contract_creation_unsupported))]
     ContractCreationNotSupported,
     #[error("Engine can't classify this transaction")]
-    #[diagnostic(code(arbiter_server::evm::vet_error::unsupported))]
     UnsupportedTransactionType,
     #[error("Policy evaluation failed: {1}")]
-    #[diagnostic(code(arbiter_server::evm::vet_error::evaluated))]
     Evaluated(SpecificMeaning, #[source] PolicyError),
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum AnalyzeError {
     #[error("Engine doesn't support granting permissions for contract creation")]
-    #[diagnostic(code(arbiter_server::evm::analyze_error::contract_creation_not_supported))]
     ContractCreationNotSupported,
 
     #[error("Unsupported transaction type")]
-    #[diagnostic(code(arbiter_server::evm::analyze_error::unsupported_transaction_type))]
     UnsupportedTransactionType,
 }
 
diff --git a/server/crates/arbiter-server/src/evm/policies.rs b/server/crates/arbiter-server/src/evm/policies.rs
index 4d37884..f0e7796 100644
--- a/server/crates/arbiter-server/src/evm/policies.rs
+++ b/server/crates/arbiter-server/src/evm/policies.rs
@@ -6,7 +6,7 @@ use diesel::{
     ExpressionMethods as _, QueryDsl, SelectableHelper, result::QueryResult, sqlite::Sqlite,
 };
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use miette::Diagnostic;
+
 use thiserror::Error;
 
 use crate::{
@@ -33,33 +33,27 @@ pub struct EvalContext {
     pub max_priority_fee_per_gas: u128,
 }
 
-#[derive(Debug, Error, Diagnostic)]
+#[derive(Debug, Error)]
 pub enum EvalViolation {
     #[error("This grant doesn't allow transactions to the target address {target}")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_target))]
     InvalidTarget { target: Address },
 
     #[error("Gas limit exceeded for this grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::gas_limit_exceeded))]
     GasLimitExceeded {
         max_gas_fee_per_gas: Option<U256>,
         max_priority_fee_per_gas: Option<U256>,
     },
 
     #[error("Rate limit exceeded for this grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::rate_limit_exceeded))]
     RateLimitExceeded,
 
     #[error("Transaction exceeds volumetric limits of the grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::volumetric_limit_exceeded))]
     VolumetricLimitExceeded,
 
     #[error("Transaction is outside of the grant's validity period")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_time))]
     InvalidTime,
 
     #[error("Transaction type is not allowed by this grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_transaction_type))]
     InvalidTransactionType,
 }
 
diff --git a/server/crates/arbiter-server/src/grpc/client/auth.rs b/server/crates/arbiter-server/src/grpc/client/auth.rs
index 84fdffa..939c057 100644
--- a/server/crates/arbiter-server/src/grpc/client/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/client/auth.rs
@@ -140,7 +140,9 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
         let Some(payload) = auth_request.payload else {
             let _ = self
                 .bi
-                .send(Err(Status::invalid_argument("Missing client auth request payload")))
+                .send(Err(Status::invalid_argument(
+                    "Missing client auth request payload",
+                )))
                 .await;
             return None;
         };
@@ -170,9 +172,7 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                     metadata: client_metadata_from_proto(client_info),
                 })
             }
-            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
-                signature,
-            }) => {
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution { signature }) => {
                 let Ok(signature) = ed25519_dalek::Signature::try_from(signature.as_slice()) else {
                     let _ = self
                         .send_auth_result(ProtoAuthResult::InvalidSignature)
diff --git a/server/crates/arbiter-server/src/grpc/client/evm.rs b/server/crates/arbiter-server/src/grpc/client/evm.rs
index b44234f..5b5ba2e 100644
--- a/server/crates/arbiter-server/src/grpc/client/evm.rs
+++ b/server/crates/arbiter-server/src/grpc/client/evm.rs
@@ -34,7 +34,9 @@ pub(super) async fn dispatch(
     req: proto_evm::Request,
 ) -> Result<ClientResponsePayload, Status> {
     let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument("Missing client EVM request payload"));
+        return Err(Status::invalid_argument(
+            "Missing client EVM request payload",
+        ));
     };
 
     match payload {
@@ -59,13 +61,13 @@ pub(super) async fn dispatch(
                 ))) => EvmSignTransactionResponse {
                     result: Some(vet_error.convert()),
                 },
-                Err(kameo::error::SendError::HandlerError(
-                    SignTransactionRpcError::Internal,
-                )) => EvmSignTransactionResponse {
-                    result: Some(EvmSignTransactionResult::Error(
-                        ProtoEvmError::Internal.into(),
-                    )),
-                },
+                Err(kameo::error::SendError::HandlerError(SignTransactionRpcError::Internal)) => {
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
+                        )),
+                    }
+                }
                 Err(err) => {
                     warn!(error = ?err, "Failed to sign EVM transaction");
                     EvmSignTransactionResponse {
@@ -78,8 +80,8 @@ pub(super) async fn dispatch(
 
             Ok(wrap_response(EvmResponsePayload::SignTransaction(response)))
         }
-        EvmRequestPayload::AnalyzeTransaction(_) => {
-            Err(Status::unimplemented("EVM transaction analysis is not yet implemented"))
-        }
+        EvmRequestPayload::AnalyzeTransaction(_) => Err(Status::unimplemented(
+            "EVM transaction analysis is not yet implemented",
+        )),
     }
 }
diff --git a/server/crates/arbiter-server/src/grpc/client/inbound.rs b/server/crates/arbiter-server/src/grpc/client/inbound.rs
index e69de29..8b13789 100644
--- a/server/crates/arbiter-server/src/grpc/client/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/client/inbound.rs
@@ -0,0 +1 @@
+
diff --git a/server/crates/arbiter-server/src/grpc/client/outbound.rs b/server/crates/arbiter-server/src/grpc/client/outbound.rs
index e69de29..8b13789 100644
--- a/server/crates/arbiter-server/src/grpc/client/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/client/outbound.rs
@@ -0,0 +1 @@
+
diff --git a/server/crates/arbiter-server/src/grpc/client/vault.rs b/server/crates/arbiter-server/src/grpc/client/vault.rs
index 241580f..b5e98e7 100644
--- a/server/crates/arbiter-server/src/grpc/client/vault.rs
+++ b/server/crates/arbiter-server/src/grpc/client/vault.rs
@@ -12,11 +12,9 @@ use kameo::{actor::ActorRef, error::SendError};
 use tonic::Status;
 use tracing::warn;
 
-use crate::{
-    actors::{
-        client::session::{ClientSession, Error, HandleQueryVaultState},
-        keyholder::KeyHolderState,
-    },
+use crate::actors::{
+    client::session::{ClientSession, Error, HandleQueryVaultState},
+    keyholder::KeyHolderState,
 };
 
 pub(super) async fn dispatch(
@@ -24,7 +22,9 @@ pub(super) async fn dispatch(
     req: proto_vault::Request,
 ) -> Result<ClientResponsePayload, Status> {
     let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument("Missing client vault request payload"));
+        return Err(Status::invalid_argument(
+            "Missing client vault request payload",
+        ));
     };
 
     match payload {
diff --git a/server/crates/arbiter-server/src/grpc/common/inbound.rs b/server/crates/arbiter-server/src/grpc/common/inbound.rs
index d132b31..d9e4d9a 100644
--- a/server/crates/arbiter-server/src/grpc/common/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/common/inbound.rs
@@ -28,9 +28,8 @@ impl TryConvert for RawEvmTransaction {
     type Error = tonic::Status;
 
     fn try_convert(self) -> Result<Self::Output, Self::Error> {
-        let tx = TxEip1559::decode(&mut self.0.as_slice()).map_err(|_| {
-            tonic::Status::invalid_argument("Invalid EVM transaction format")
-        })?;
+        let tx = TxEip1559::decode(&mut self.0.as_slice())
+            .map_err(|_| tonic::Status::invalid_argument("Invalid EVM transaction format"))?;
         Ok(tx)
     }
-}
\ No newline at end of file
+}
diff --git a/server/crates/arbiter-server/src/grpc/common/outbound.rs b/server/crates/arbiter-server/src/grpc/common/outbound.rs
index d2c6e7d..6ca8916 100644
--- a/server/crates/arbiter-server/src/grpc/common/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/common/outbound.rs
@@ -1,9 +1,12 @@
 use alloy::primitives::U256;
 use arbiter_proto::proto::{
-    evm::{EvmError as ProtoEvmError, evm_sign_transaction_response::Result as EvmSignTransactionResult},
+    evm::{
+        EvmError as ProtoEvmError,
+        evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    },
     shared::evm::{
-        EvalViolation as ProtoEvalViolation, GasLimitExceededViolation,
-        NoMatchingGrantError, PolicyViolationsError, SpecificMeaning as ProtoSpecificMeaning,
+        EvalViolation as ProtoEvalViolation, GasLimitExceededViolation, NoMatchingGrantError,
+        PolicyViolationsError, SpecificMeaning as ProtoSpecificMeaning,
         TokenInfo as ProtoTokenInfo, TransactionEvalError as ProtoTransactionEvalError,
         eval_violation::Kind as ProtoEvalViolationKind,
         specific_meaning::Meaning as ProtoSpecificMeaningKind,
diff --git a/server/crates/arbiter-server/src/grpc/user_agent.rs b/server/crates/arbiter-server/src/grpc/user_agent.rs
index 4a32ab7..651dbe4 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent.rs
@@ -1,12 +1,10 @@
 use tokio::sync::mpsc;
 
 use arbiter_proto::{
-    proto::{
-        user_agent::{
-            UserAgentRequest, UserAgentResponse,
-            user_agent_request::Payload as UserAgentRequestPayload,
-            user_agent_response::Payload as UserAgentResponsePayload,
-        },
+    proto::user_agent::{
+        UserAgentRequest, UserAgentResponse,
+        user_agent_request::Payload as UserAgentRequestPayload,
+        user_agent_response::Payload as UserAgentResponsePayload,
     },
     transport::{Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/auth.rs b/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
index 15eeba6..d7c89e6 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
@@ -1,12 +1,14 @@
 use arbiter_proto::{
     proto::user_agent::{
-        UserAgentRequest, UserAgentResponse, auth::{
+        UserAgentRequest, UserAgentResponse,
+        auth::{
             self as proto_auth, AuthChallenge as ProtoAuthChallenge,
             AuthChallengeRequest as ProtoAuthChallengeRequest,
             AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
             KeyType as ProtoKeyType, request::Payload as AuthRequestPayload,
             response::Payload as AuthResponsePayload,
-        }, user_agent_request::Payload as UserAgentRequestPayload,
+        },
+        user_agent_request::Payload as UserAgentRequestPayload,
         user_agent_response::Payload as UserAgentResponsePayload,
     },
     transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
@@ -63,7 +65,9 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
             Ok(Outbound::AuthChallenge { nonce }) => {
                 AuthResponsePayload::Challenge(ProtoAuthChallenge { nonce })
             }
-            Ok(Outbound::AuthSuccess) => AuthResponsePayload::Result(ProtoAuthResult::Success.into()),
+            Ok(Outbound::AuthSuccess) => {
+                AuthResponsePayload::Result(ProtoAuthResult::Success.into())
+            }
             Err(Error::UnregisteredPublicKey) => {
                 AuthResponsePayload::Result(ProtoAuthResult::InvalidKey.into())
             }
@@ -171,9 +175,9 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                     bootstrap_token,
                 })
             }
-            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
-                signature,
-            }) => Some(auth::Inbound::AuthChallengeSolution { signature }),
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution { signature }) => {
+                Some(auth::Inbound::AuthChallengeSolution { signature })
+            }
         }
     }
 }
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/evm.rs b/server/crates/arbiter-server/src/grpc/user_agent/evm.rs
index c9b02eb..a65b220 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/evm.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/evm.rs
@@ -3,8 +3,7 @@ use arbiter_proto::proto::{
         EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
         EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse,
         EvmSignTransactionResponse, GrantEntry, WalletCreateResponse, WalletEntry, WalletList,
-        WalletListResponse,
-        evm_grant_create_response::Result as EvmGrantCreateResult,
+        WalletListResponse, evm_grant_create_response::Result as EvmGrantCreateResult,
         evm_grant_delete_response::Result as EvmGrantDeleteResult,
         evm_grant_list_response::Result as EvmGrantListResult,
         evm_sign_transaction_response::Result as EvmSignTransactionResult,
@@ -165,7 +164,12 @@ async fn handle_grant_delete(
     actor: &ActorRef<UserAgentSession>,
     req: EvmGrantDeleteRequest,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleGrantDelete { grant_id: req.grant_id }).await {
+    let result = match actor
+        .ask(HandleGrantDelete {
+            grant_id: req.grant_id,
+        })
+        .await
+    {
         Ok(()) => EvmGrantDeleteResult::Ok(()),
         Err(err) => {
             warn!(error = ?err, "Failed to delete EVM grant");
@@ -202,18 +206,18 @@ async fn handle_sign_transaction(
                 signature.as_bytes().to_vec(),
             )),
         },
-        Err(kameo::error::SendError::HandlerError(
-            SessionSignTransactionError::Vet(vet_error),
-        )) => EvmSignTransactionResponse {
-            result: Some(vet_error.convert()),
-        },
-        Err(kameo::error::SendError::HandlerError(
-            SessionSignTransactionError::Internal,
-        )) => EvmSignTransactionResponse {
-            result: Some(EvmSignTransactionResult::Error(
-                ProtoEvmError::Internal.into(),
-            )),
-        },
+        Err(kameo::error::SendError::HandlerError(SessionSignTransactionError::Vet(vet_error))) => {
+            EvmSignTransactionResponse {
+                result: Some(vet_error.convert()),
+            }
+        }
+        Err(kameo::error::SendError::HandlerError(SessionSignTransactionError::Internal)) => {
+            EvmSignTransactionResponse {
+                result: Some(EvmSignTransactionResult::Error(
+                    ProtoEvmError::Internal.into(),
+                )),
+            }
+        }
         Err(err) => {
             warn!(error = ?err, "Failed to sign EVM transaction");
             EvmSignTransactionResponse {
@@ -224,7 +228,7 @@ async fn handle_sign_transaction(
         }
     };
 
-    Ok(Some(wrap_evm_response(EvmResponsePayload::SignTransaction(
-        response,
-    ))))
+    Ok(Some(wrap_evm_response(
+        EvmResponsePayload::SignTransaction(response),
+    )))
 }
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs b/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
index 53ea729..805386e 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
@@ -5,9 +5,7 @@ use arbiter_proto::proto::{
         TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
         specific_grant::Grant as ProtoSpecificGrantType,
     },
-    user_agent::sdk_client::{
-        WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess,
-    },
+    user_agent::sdk_client::{WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess},
 };
 use chrono::{DateTime, Utc};
 use prost_types::Timestamp as ProtoTimestamp;
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs b/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
index f1827af..e06e4b1 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
@@ -1,4 +1,5 @@
 use arbiter_proto::proto::{
+    shared::ClientInfo as ProtoClientMetadata,
     user_agent::{
         sdk_client::{
             self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
@@ -13,7 +14,6 @@ use arbiter_proto::proto::{
         },
         user_agent_response::Payload as UserAgentResponsePayload,
     },
-    shared::ClientInfo as ProtoClientMetadata,
 };
 use kameo::actor::ActorRef;
 use tonic::Status;
@@ -62,18 +62,22 @@ pub(super) async fn dispatch(
     req: proto_sdk_client::Request,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
     let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument("Missing SDK client request payload"));
+        return Err(Status::invalid_argument(
+            "Missing SDK client request payload",
+        ));
     };
 
     match payload {
         SdkClientRequestPayload::ConnectionResponse(resp) => {
             handle_connection_response(actor, resp).await
         }
-        SdkClientRequestPayload::Revoke(_) => {
-            Err(Status::unimplemented("SdkClientRevoke is not yet implemented"))
-        }
+        SdkClientRequestPayload::Revoke(_) => Err(Status::unimplemented(
+            "SdkClientRevoke is not yet implemented",
+        )),
         SdkClientRequestPayload::List(_) => handle_list(actor).await,
-        SdkClientRequestPayload::GrantWalletAccess(req) => handle_grant_wallet_access(actor, req).await,
+        SdkClientRequestPayload::GrantWalletAccess(req) => {
+            handle_grant_wallet_access(actor, req).await
+        }
         SdkClientRequestPayload::RevokeWalletAccess(req) => {
             handle_revoke_wallet_access(actor, req).await
         }
@@ -128,11 +132,11 @@ async fn handle_list(
             ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
         }
     };
-    Ok(Some(wrap_sdk_client_response(SdkClientResponsePayload::List(
-        ProtoSdkClientListResponse {
+    Ok(Some(wrap_sdk_client_response(
+        SdkClientResponsePayload::List(ProtoSdkClientListResponse {
             result: Some(result),
-        },
-    ))))
+        }),
+    )))
 }
 
 async fn handle_grant_wallet_access(
diff --git a/server/crates/arbiter-server/src/grpc/user_agent/vault.rs b/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
index 669d35c..8a2940f 100644
--- a/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
@@ -1,3 +1,4 @@
+use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
 use arbiter_proto::proto::user_agent::{
     user_agent_response::Payload as UserAgentResponsePayload,
     vault::{
@@ -11,25 +12,21 @@ use arbiter_proto::proto::user_agent::{
         unseal::{
             self as proto_unseal, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
             UnsealResult as ProtoUnsealResult, UnsealStart,
-            request::Payload as UnsealRequestPayload,
-            response::Payload as UnsealResponsePayload,
+            request::Payload as UnsealRequestPayload, response::Payload as UnsealResponsePayload,
         },
     },
 };
-use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
 use kameo::{actor::ActorRef, error::SendError};
 use tonic::Status;
 use tracing::warn;
 
-use crate::{
-    actors::{
-        keyholder::KeyHolderState,
-        user_agent::{
-            UserAgentSession,
-            session::connection::{
-                BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
-                HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
-            },
+use crate::actors::{
+    keyholder::KeyHolderState,
+    user_agent::{
+        UserAgentSession,
+        session::connection::{
+            BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
+            HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
         },
     },
 };
@@ -151,7 +148,9 @@ async fn handle_bootstrap_encrypted_key(
         .await
     {
         Ok(()) => ProtoBootstrapResult::Success,
-        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => ProtoBootstrapResult::InvalidKey,
+        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => {
+            ProtoBootstrapResult::InvalidKey
+        }
         Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
             ProtoBootstrapResult::AlreadyBootstrapped
         }
diff --git a/server/crates/arbiter-server/src/main.rs b/server/crates/arbiter-server/src/main.rs
index 7605523..0b8a8e7 100644
--- a/server/crates/arbiter-server/src/main.rs
+++ b/server/crates/arbiter-server/src/main.rs
@@ -1,8 +1,8 @@
 use std::net::SocketAddr;
 
+use anyhow::anyhow;
 use arbiter_proto::{proto::arbiter_service_server::ArbiterServiceServer, url::ArbiterUrl};
 use arbiter_server::{Server, actors::bootstrap::GetToken, context::ServerContext, db};
-use miette::miette;
 use rustls::crypto::aws_lc_rs;
 use tonic::transport::{Identity, ServerTlsConfig};
 use tracing::info;
@@ -10,7 +10,7 @@ use tracing::info;
 const PORT: u16 = 50051;
 
 #[tokio::main]
-async fn main() -> miette::Result<()> {
+async fn main() -> anyhow::Result<()> {
     aws_lc_rs::default_provider().install_default().unwrap();
 
     tracing_subscriber::fmt()
@@ -46,11 +46,11 @@ async fn main() -> miette::Result<()> {
 
     tonic::transport::Server::builder()
         .tls_config(tls)
-        .map_err(|err| miette!("Faild to setup TLS: {err}"))?
+        .map_err(|err| anyhow!("Failed to setup TLS: {err}"))?
         .add_service(ArbiterServiceServer::new(Server::new(context)))
         .serve(addr)
         .await
-        .map_err(|e| miette::miette!("gRPC server error: {e}"))?;
+        .map_err(|e| anyhow!("gRPC server error: {e}"))?;
 
     unreachable!("gRPC server should run indefinitely");
 }
diff --git a/server/crates/arbiter-server/tests/user_agent/unseal.rs b/server/crates/arbiter-server/tests/user_agent/unseal.rs
index 76a68aa..fcc3e50 100644
--- a/server/crates/arbiter-server/tests/user_agent/unseal.rs
+++ b/server/crates/arbiter-server/tests/user_agent/unseal.rs
@@ -2,9 +2,10 @@ use arbiter_server::{
     actors::{
         GlobalActors,
         keyholder::{Bootstrap, Seal},
-        user_agent::{UserAgentSession, session::connection::{
-            HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
-        }},
+        user_agent::{
+            UserAgentSession,
+            session::connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError},
+        },
     },
     db,
     safe_cell::{SafeCell, SafeCellHandle as _},

From e17c25a60460d172dfc845becf05248d288dc7f2 Mon Sep 17 00:00:00 2001
From: Stas <business@jexter.tech>
Date: Sat, 4 Apr 2026 14:06:02 +0000
Subject: [PATCH 27/29] ci(server-test): ensure that all features are compiling

---
 .woodpecker/server-test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.woodpecker/server-test.yaml b/.woodpecker/server-test.yaml
index 1839e88..027cf87 100644
--- a/.woodpecker/server-test.yaml
+++ b/.woodpecker/server-test.yaml
@@ -24,4 +24,4 @@ steps:
       - mise install rust 
       - mise install protoc
       - mise install cargo:cargo-nextest
-      - mise exec cargo:cargo-nextest -- cargo nextest run --no-fail-fast
\ No newline at end of file
+      - mise exec cargo:cargo-nextest -- cargo nextest run --no-fail-fast --all-features
\ No newline at end of file

From c6f440fdadbd23294f0ce0f76b457fd1b0401699 Mon Sep 17 00:00:00 2001
From: CleverWild <cleverwilddev@gmail.com>
Date: Sat, 4 Apr 2026 15:28:39 +0200
Subject: [PATCH 28/29] fix(client): evm-feature's code for new proto

---
 server/crates/arbiter-client/src/lib.rs       |  2 +-
 .../crates/arbiter-client/src/wallets/evm.rs  | 69 +++++++++++++++----
 2 files changed, 58 insertions(+), 13 deletions(-)

diff --git a/server/crates/arbiter-client/src/lib.rs b/server/crates/arbiter-client/src/lib.rs
index 83fdf48..6e4516c 100644
--- a/server/crates/arbiter-client/src/lib.rs
+++ b/server/crates/arbiter-client/src/lib.rs
@@ -9,4 +9,4 @@ pub use client::{ArbiterClient, Error};
 pub use storage::{FileSigningKeyStorage, SigningKeyStorage, StorageError};
 
 #[cfg(feature = "evm")]
-pub use wallets::evm::ArbiterEvmWallet;
+pub use wallets::evm::{ArbiterEvmSignTransactionError, ArbiterEvmWallet};
diff --git a/server/crates/arbiter-client/src/wallets/evm.rs b/server/crates/arbiter-client/src/wallets/evm.rs
index 4533793..5c975c9 100644
--- a/server/crates/arbiter-client/src/wallets/evm.rs
+++ b/server/crates/arbiter-client/src/wallets/evm.rs
@@ -10,14 +10,48 @@ use tokio::sync::Mutex;
 
 use arbiter_proto::proto::{
     client::{
-        ClientRequest, client_request::Payload as ClientRequestPayload,
+        ClientRequest,
+        client_request::Payload as ClientRequestPayload,
         client_response::Payload as ClientResponsePayload,
+        evm::{
+            self as proto_evm, request::Payload as EvmRequestPayload,
+            response::Payload as EvmResponsePayload,
+        },
     },
-    evm::evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    evm::{
+        EvmSignTransactionRequest,
+        evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    },
+    shared::evm::TransactionEvalError,
 };
 
 use crate::transport::{ClientTransport, next_request_id};
 
+/// A typed error payload returned by [`ArbiterEvmWallet`] transaction signing.
+///
+/// This is wrapped into `alloy::signers::Error::Other`, so consumers can downcast by [`TryFrom`] and
+/// interpret the concrete policy evaluation failure instead of parsing strings.
+#[derive(Debug, thiserror::Error)]
+#[non_exhaustive]
+pub enum ArbiterEvmSignTransactionError {
+    #[error("transaction rejected by policy: {0:?}")]
+    PolicyEval(TransactionEvalError),
+}
+
+impl<'a> TryFrom<&'a Error> for &'a ArbiterEvmSignTransactionError {
+    type Error = ();
+
+    fn try_from(value: &'a Error) -> Result<Self, Self::Error> {
+        if let Error::Other(inner) = value
+            && let Some(eval_error) = inner.downcast_ref()
+        {
+            Ok(eval_error)
+        } else {
+            Err(())
+        }
+    }
+}
+
 pub struct ArbiterEvmWallet {
     transport: Arc<Mutex<ClientTransport>>,
     address: Address,
@@ -96,12 +130,14 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
         transport
             .send(ClientRequest {
                 request_id,
-                payload: Some(ClientRequestPayload::EvmSignTransaction(
-                    arbiter_proto::proto::evm::EvmSignTransactionRequest {
-                        wallet_address: self.address.to_vec(),
-                        rlp_transaction,
-                    },
-                )),
+                payload: Some(ClientRequestPayload::Evm(proto_evm::Request {
+                    payload: Some(EvmRequestPayload::SignTransaction(
+                        EvmSignTransactionRequest {
+                            wallet_address: self.address.to_vec(),
+                            rlp_transaction,
+                        },
+                    )),
+                })),
             })
             .await
             .map_err(|_| Error::other("failed to send evm sign transaction request"))?;
@@ -121,12 +157,21 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
             .payload
             .ok_or_else(|| Error::other("missing evm sign transaction response payload"))?;
 
-        let ClientResponsePayload::EvmSignTransaction(response) = payload else {
+        let ClientResponsePayload::Evm(proto_evm::Response {
+            payload: Some(payload),
+        }) = payload
+        else {
             return Err(Error::other(
                 "unexpected response payload for evm sign transaction request",
             ));
         };
 
+        let EvmResponsePayload::SignTransaction(response) = payload else {
+            return Err(Error::other(
+                "unexpected evm response payload for sign transaction request",
+            ));
+        };
+
         let result = response
             .result
             .ok_or_else(|| Error::other("missing evm sign transaction result"))?;
@@ -136,9 +181,9 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
                 Signature::try_from(signature.as_slice())
                     .map_err(|_| Error::other("invalid signature returned by server"))
             }
-            EvmSignTransactionResult::EvalError(eval_error) => Err(Error::other(format!(
-                "transaction rejected by policy: {eval_error:?}"
-            ))),
+            EvmSignTransactionResult::EvalError(eval_error) => Err(Error::other(
+                ArbiterEvmSignTransactionError::PolicyEval(eval_error),
+            )),
             EvmSignTransactionResult::Error(code) => Err(Error::other(format!(
                 "server failed to sign transaction with error code {code}"
             ))),

From 9ea474e1b2d8bc9c6ec6af03e5254eddb9998dda Mon Sep 17 00:00:00 2001
From: Stas <business@jexter.tech>
Date: Sat, 4 Apr 2026 14:14:15 +0000
Subject: [PATCH 29/29] fix(server): use `LOCALHOST` const instead of
 hard-coded ip value

---
 server/crates/arbiter-server/src/context/tls.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/crates/arbiter-server/src/context/tls.rs b/server/crates/arbiter-server/src/context/tls.rs
index 0a0d95a..d82043f 100644
--- a/server/crates/arbiter-server/src/context/tls.rs
+++ b/server/crates/arbiter-server/src/context/tls.rs
@@ -1,4 +1,4 @@
-use std::{net::IpAddr, string::FromUtf8Error};
+use std::{net::{IpAddr, Ipv4Addr}, string::FromUtf8Error};
 
 use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper as _};
 use diesel_async::{AsyncConnection, RunQueryDsl};
@@ -110,7 +110,7 @@ impl TlsCa {
         ];
         params
             .subject_alt_names
-            .push(SanType::IpAddress(IpAddr::from([127, 0, 0, 1])));
+            .push(SanType::IpAddress(Ipv4Addr::LOCALHOST.into()));
 
         let mut dn = DistinguishedName::new();
         dn.push(DnType::CommonName, "Arbiter Instance Leaf");