merge: feat-lints into main

2026-04-18 13:55:45 +02:00
parent 41b3fc5d39 18b8a3bbf5
commit 9ab074170b
204 changed files with 14668 additions and 3007 deletions
--- a/server/crates/arbiter-server/src/grpc/client.rs
+++ b/server/crates/arbiter-server/src/grpc/client.rs
@@ -1,3 +1,7 @@
+use crate::{
+    grpc::request_tracker::RequestTracker,
+    peers::client::{ClientConnection, session::ClientSession},
+};
 use arbiter_proto::{
    proto::client::{
        ClientRequest, ClientResponse, client_request::Payload as ClientRequestPayload,
@@ -5,15 +9,11 @@ use arbiter_proto::{
    },
    transport::{Receiver, Sender, grpc::GrpcBi},
 };
+
 use kameo::actor::{ActorRef, Spawn as _};
 use tonic::Status;
 use tracing::{info, warn};

-use crate::{
-    actors::client::{ClientConnection, session::ClientSession},
-    grpc::request_tracker::RequestTracker,
-};
-
 mod auth;
 mod evm;
 mod inbound;
--- a/server/crates/arbiter-server/src/grpc/client/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/client/auth.rs
@@ -1,3 +1,7 @@
+use crate::{
+    grpc::{Convert, request_tracker::RequestTracker},
+    peers::client::{ClientConnection, auth},
+};
 use arbiter_crypto::authn;
 use arbiter_proto::{
    ClientMetadata,
@@ -5,7 +9,8 @@ use arbiter_proto::{
        client::{
            ClientRequest, ClientResponse,
            auth::{
-                self as proto_auth, AuthChallengeRequest as ProtoAuthChallengeRequest,
+                self as proto_auth, AuthChallenge as ProtoAuthChallenge,
+                AuthChallengeRequest as ProtoAuthChallengeRequest,
                AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
                request::Payload as AuthRequestPayload, response::Payload as AuthResponsePayload,
            },
@@ -16,22 +21,18 @@ use arbiter_proto::{
    },
    transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
+
 use async_trait::async_trait;
 use tonic::Status;
 use tracing::warn;

-use crate::{
-    actors::client::{ClientConnection, auth},
-    grpc::request_tracker::RequestTracker,
-};
-
-pub struct AuthTransportAdapter<'a> {
+pub(super) struct AuthTransportAdapter<'a> {
    bi: &'a mut GrpcBi<ClientRequest, ClientResponse>,
    request_tracker: &'a mut RequestTracker,
 }

 impl<'a> AuthTransportAdapter<'a> {
-    pub const fn new(
+    pub(super) const fn new(
        bi: &'a mut GrpcBi<ClientRequest, ClientResponse>,
        request_tracker: &'a mut RequestTracker,
    ) -> Self {
@@ -62,14 +63,14 @@ impl<'a> AuthTransportAdapter<'a> {
 }

 #[async_trait]
-impl Sender<Result<auth::Outbound, auth::ClientAuthError>> for AuthTransportAdapter<'_> {
+impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
    async fn send(
        &mut self,
-        item: Result<auth::Outbound, auth::ClientAuthError>,
+        item: Result<auth::Outbound, auth::Error>,
    ) -> Result<(), TransportError> {
        let payload = match item {
-            Ok(message) => message.into(),
-            Err(err) => AuthResponsePayload::Result(ProtoAuthResult::from(err).into()),
+            Ok(message) => message.convert(),
+            Err(err) => err.convert(),
        };

        self.send_client_response(payload).await
@@ -132,7 +133,7 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                };
                Some(auth::Inbound::AuthChallengeRequest {
                    pubkey,
-                    metadata: client_metadata_from_proto(client_info),
+                    metadata: client_info.convert(),
                })
            }
            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution { signature }) => {
@@ -148,21 +149,71 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
    }
 }

-impl Bi<auth::Inbound, Result<auth::Outbound, auth::ClientAuthError>> for AuthTransportAdapter<'_> {}
+impl Bi<auth::Inbound, Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {}

-fn client_metadata_from_proto(metadata: ProtoClientInfo) -> ClientMetadata {
-    ClientMetadata {
-        name: metadata.name,
-        description: metadata.description,
-        version: metadata.version,
+impl Convert for ProtoClientInfo {
+    type Output = ClientMetadata;
+
+    fn convert(self) -> Self::Output {
+        ClientMetadata {
+            name: self.name,
+            description: self.description,
+            version: self.version,
+        }
    }
 }

-pub async fn start(
+impl Convert for auth::Error {
+    type Output = AuthResponsePayload;
+
+    fn convert(self) -> Self::Output {
+        use auth::Error::{
+            ApproveError, DatabaseOperationFailed, DatabasePoolUnavailable, IntegrityCheckFailed,
+            InvalidChallengeSolution, Transport,
+        };
+        AuthResponsePayload::Result(
+            match self {
+                InvalidChallengeSolution => ProtoAuthResult::InvalidSignature,
+                ApproveError(auth::ApproveError::Denied) => ProtoAuthResult::ApprovalDenied,
+                ApproveError(auth::ApproveError::Upstream(
+                    crate::actors::flow_coordinator::ApprovalError::NoUserAgentsConnected,
+                )) => ProtoAuthResult::NoUserAgentsOnline,
+                ApproveError(auth::ApproveError::Internal)
+                | DatabasePoolUnavailable
+                | DatabaseOperationFailed
+                | IntegrityCheckFailed
+                | Transport => ProtoAuthResult::Internal,
+            }
+            .into(),
+        )
+    }
+}
+
+impl Convert for auth::Outbound {
+    type Output = AuthResponsePayload;
+
+    fn convert(self) -> Self::Output {
+        match self {
+            Self::AuthChallenge { challenge } => {
+                AuthResponsePayload::Challenge(ProtoAuthChallenge {
+                    timestamp_nanos: challenge
+                        .timestamp
+                        .timestamp_nanos_opt()
+                        .expect("timestamp within range")
+                        as u64,
+                    random: challenge.nonce.to_vec(),
+                })
+            }
+            Self::AuthSuccess => AuthResponsePayload::Result(ProtoAuthResult::Success.into()),
+        }
+    }
+}
+
+pub(super) async fn start(
    conn: &mut ClientConnection,
    bi: &mut GrpcBi<ClientRequest, ClientResponse>,
    request_tracker: &mut RequestTracker,
-) -> Result<i32, auth::ClientAuthError> {
+) -> Result<i32, auth::Error> {
    let mut transport = AuthTransportAdapter::new(bi, request_tracker);
    auth::authenticate(conn, &mut transport).await
 }
--- a/server/crates/arbiter-server/src/grpc/client/evm.rs
+++ b/server/crates/arbiter-server/src/grpc/client/evm.rs
@@ -1,3 +1,10 @@
+use crate::{
+    grpc::{
+        Convert, TryConvert,
+        common::inbound::{RawEvmAddress, RawEvmTransaction},
+    },
+    peers::client::session::{ClientSession, HandleSignTransaction, SignTransactionRpcError},
+};
 use arbiter_proto::proto::{
    client::{
        client_response::Payload as ClientResponsePayload,
@@ -11,18 +18,11 @@ use arbiter_proto::proto::{
        evm_sign_transaction_response::Result as EvmSignTransactionResult,
    },
 };
+
 use kameo::actor::ActorRef;
 use tonic::Status;
 use tracing::warn;

-use crate::{
-    actors::client::session::{ClientSession, HandleSignTransaction, SignTransactionRpcError},
-    grpc::{
-        Convert, TryConvert,
-        common::inbound::{RawEvmAddress, RawEvmTransaction},
-    },
-};
-
 const fn wrap_response(payload: EvmResponsePayload) -> ClientResponsePayload {
    ClientResponsePayload::Evm(proto_evm::Response {
        payload: Some(payload),
--- a/server/crates/arbiter-server/src/grpc/client/vault.rs
+++ b/server/crates/arbiter-server/src/grpc/client/vault.rs
@@ -1,3 +1,7 @@
+use crate::{
+    actors::vault::VaultState,
+    peers::client::session::{ClientSession, Error, HandleQueryVaultState},
+};
 use arbiter_proto::proto::{
    client::{
        client_response::Payload as ClientResponsePayload,
@@ -8,15 +12,11 @@ use arbiter_proto::proto::{
    },
    shared::VaultState as ProtoVaultState,
 };
+
 use kameo::{actor::ActorRef, error::SendError};
 use tonic::Status;
 use tracing::warn;

-use crate::actors::{
-    client::session::{ClientSession, ClientSessionError, HandleQueryVaultState},
-    keyholder::KeyHolderState,
-};
-
 pub(super) async fn dispatch(
    actor: &ActorRef<ClientSession>,
    req: proto_vault::Request,
@@ -30,12 +30,10 @@ pub(super) async fn dispatch(
    match payload {
        VaultRequestPayload::QueryState(()) => {
            let state = match actor.ask(HandleQueryVaultState {}).await {
-                Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
-                Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
-                Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
-                Err(SendError::HandlerError(ClientSessionError::Internal)) => {
-                    ProtoVaultState::Error
-                }
+                Ok(VaultState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
+                Ok(VaultState::Sealed) => ProtoVaultState::Sealed,
+                Ok(VaultState::Unsealed) => ProtoVaultState::Unsealed,
+                Err(SendError::HandlerError(Error::Internal)) => ProtoVaultState::Error,
                Err(err) => {
                    warn!(error = ?err, "Failed to query vault state");
                    ProtoVaultState::Error
--- a/server/crates/arbiter-server/src/grpc/common.rs
+++ b/server/crates/arbiter-server/src/grpc/common.rs
@@ -1,2 +1,2 @@
-pub mod inbound;
-pub mod outbound;
+pub(super) mod inbound;
+pub(super) mod outbound;
--- a/server/crates/arbiter-server/src/grpc/common/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/common/inbound.rs
@@ -1,8 +1,8 @@
-use alloy::{consensus::TxEip1559, primitives::Address, rlp::Decodable as _};
-
 use crate::grpc::TryConvert;

-pub struct RawEvmAddress(pub Vec<u8>);
+use alloy::{consensus::TxEip1559, primitives::Address, rlp::Decodable as _};
+
+pub(in crate::grpc) struct RawEvmAddress(pub(in crate::grpc) Vec<u8>);
 impl TryConvert for RawEvmAddress {
    type Output = Address;

@@ -21,7 +21,7 @@ impl TryConvert for RawEvmAddress {
    }
 }

-pub struct RawEvmTransaction(pub Vec<u8>);
+pub(in crate::grpc) struct RawEvmTransaction(pub(in crate::grpc) Vec<u8>);
 impl TryConvert for RawEvmTransaction {
    type Output = TxEip1559;

--- a/server/crates/arbiter-server/src/grpc/common/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/common/outbound.rs
@@ -1,4 +1,10 @@
-use alloy::primitives::U256;
+use crate::{
+    evm::{
+        PolicyError, VetError,
+        policies::{EvalViolation, SpecificMeaning},
+    },
+    grpc::Convert,
+};
 use arbiter_proto::proto::{
    evm::{
        EvmError as ProtoEvmError,
@@ -14,13 +20,7 @@ use arbiter_proto::proto::{
    },
 };

-use crate::{
-    evm::{
-        PolicyError, VetError,
-        policies::{EvalViolation, SpecificMeaning},
-    },
-    grpc::Convert,
-};
+use alloy::primitives::U256;

 fn u256_to_proto_bytes(value: U256) -> Vec<u8> {
    value.to_be_bytes::<32>().to_vec()
--- a/server/crates/arbiter-server/src/grpc/mod.rs
+++ b/server/crates/arbiter-server/src/grpc/mod.rs
@@ -1,3 +1,4 @@
+use crate::peers::{client::ClientConnection, user_agent::UserAgentConnection};
 use arbiter_proto::{
    proto::{
        client::{ClientRequest, ClientResponse},
@@ -5,15 +6,11 @@ use arbiter_proto::{
    },
    transport::grpc::GrpcBi,
 };
+
 use tokio_stream::wrappers::ReceiverStream;
 use tonic::{Request, Response, Status, async_trait};
 use tracing::info;

-use crate::{
-    actors::{client::ClientConnection, user_agent::UserAgentConnection},
-    grpc::user_agent::start,
-};
-
 mod request_tracker;

 pub mod client;
@@ -63,7 +60,7 @@ impl arbiter_proto::proto::arbiter_service_server::ArbiterService for super::Ser

        let (bi, rx) = GrpcBi::from_bi_stream(req_stream);

-        tokio::spawn(start(
+        tokio::spawn(user_agent::start(
            UserAgentConnection {
                db: self.context.db.clone(),
                actors: self.context.actors.clone(),
--- a/server/crates/arbiter-server/src/grpc/request_tracker.rs
+++ b/server/crates/arbiter-server/src/grpc/request_tracker.rs
@@ -1,12 +1,12 @@
 use tonic::Status;

 #[derive(Default)]
-pub struct RequestTracker {
+pub(super) struct RequestTracker {
    next_request_id: i32,
 }

 impl RequestTracker {
-    pub fn request(&mut self, id: i32) -> Result<i32, Status> {
+    pub(super) fn request(&mut self, id: i32) -> Result<i32, Status> {
        if id < self.next_request_id {
            return Err(Status::invalid_argument("Duplicate request id"));
        }
@@ -20,7 +20,7 @@ impl RequestTracker {

    // This is used to set the response id for auth responses, which need to match the request id of the auth challenge request.
    // -1 offset is needed because request() increments the next_request_id after returning the current request id.
-    pub const fn current_request_id(&self) -> i32 {
+    pub(super) const fn current_request_id(&self) -> i32 {
        self.next_request_id - 1
    }
 }
--- a/server/crates/arbiter-server/src/grpc/user_agent.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent.rs
@@ -1,5 +1,7 @@
-use tokio::sync::mpsc;
-
+use crate::{
+    grpc::request_tracker::RequestTracker,
+    peers::user_agent::{OutOfBand, UserAgentConnection, UserAgentSession},
+};
 use arbiter_proto::{
    proto::user_agent::{
        UserAgentRequest, UserAgentResponse,
@@ -8,22 +10,20 @@ use arbiter_proto::{
    },
    transport::{Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
+
 use async_trait::async_trait;
-use kameo::actor::{ActorRef, Spawn as _};
+use kameo::actor::ActorRef;
+use tokio::sync::mpsc;
 use tonic::Status;
 use tracing::{error, info, warn};

-use crate::{
-    actors::user_agent::{OutOfBand, UserAgentConnection, UserAgentSession},
-    grpc::request_tracker::RequestTracker,
-};
-
 mod auth;
 mod evm;
 mod inbound;
 mod outbound;
 mod sdk_client;
 mod vault;
+mod vault_gate;

 pub struct OutOfBandAdapter(mpsc::Sender<OutOfBand>);

@@ -124,21 +124,22 @@ pub async fn start(
 ) {
    let mut request_tracker = RequestTracker::default();

-    let pubkey = match auth::start(&mut conn, &mut bi, &mut request_tracker).await {
-        Ok(pubkey) => pubkey,
-        Err(e) => {
-            warn!(error = ?e, "Authentication failed");
-            return;
-        }
-    };
-
    let (oob_sender, oob_receiver) = mpsc::channel(16);
    let oob_adapter = OutOfBandAdapter(oob_sender);

-    let actor = UserAgentSession::spawn(UserAgentSession::new(conn, Box::new(oob_adapter)));
-    let actor_for_cleanup = actor.clone();
+    let actor = {
+        let transport = auth::AuthTransportAdapter::new(&mut bi, &mut request_tracker);
+        match crate::peers::user_agent::start(&mut conn, transport, Box::new(oob_adapter)).await {
+            Ok(actor) => actor,
+            Err(e) => {
+                warn!(error = ?e, "User agent connection failed");
+                return;
+            }
+        }
+    };

-    info!(?pubkey, "User authenticated successfully");
-    dispatch_loop(bi, actor, oob_receiver, request_tracker).await;
-    actor_for_cleanup.kill();
+    info!("User agent session established");
+
+    dispatch_loop(bi, actor.clone(), oob_receiver, request_tracker).await;
+    actor.kill();
 }
--- a/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
@@ -1,3 +1,4 @@
+use crate::{grpc::request_tracker::RequestTracker, peers::user_agent::auth};
 use arbiter_crypto::authn;
 use arbiter_proto::{
    proto::user_agent::{
@@ -13,22 +14,18 @@ use arbiter_proto::{
    },
    transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
+
 use async_trait::async_trait;
 use tonic::Status;
 use tracing::warn;

-use crate::{
-    actors::user_agent::{UserAgentConnection, auth},
-    grpc::request_tracker::RequestTracker,
-};
-
-pub struct AuthTransportAdapter<'a> {
-    bi: &'a mut GrpcBi<UserAgentRequest, UserAgentResponse>,
-    request_tracker: &'a mut RequestTracker,
+pub(super) struct AuthTransportAdapter<'a> {
+    pub(super) bi: &'a mut GrpcBi<UserAgentRequest, UserAgentResponse>,
+    pub(super) request_tracker: &'a mut RequestTracker,
 }

 impl<'a> AuthTransportAdapter<'a> {
-    pub const fn new(
+    pub(super) const fn new(
        bi: &'a mut GrpcBi<UserAgentRequest, UserAgentResponse>,
        request_tracker: &'a mut RequestTracker,
    ) -> Self {
@@ -38,19 +35,35 @@ impl<'a> AuthTransportAdapter<'a> {
        }
    }

-    async fn send_user_agent_response(
+    pub(super) const fn bi_mut(&mut self) -> &mut GrpcBi<UserAgentRequest, UserAgentResponse> {
+        self.bi
+    }
+
+    pub(super) const fn tracker_mut(&mut self) -> &mut RequestTracker {
+        self.request_tracker
+    }
+
+    pub(super) async fn send_response_payload(
        &mut self,
-        payload: AuthResponsePayload,
+        payload: UserAgentResponsePayload,
    ) -> Result<(), TransportError> {
        self.bi
            .send(Ok(UserAgentResponse {
                id: Some(self.request_tracker.current_request_id()),
-                payload: Some(UserAgentResponsePayload::Auth(proto_auth::Response {
-                    payload: Some(payload),
-                })),
+                payload: Some(payload),
            }))
            .await
    }
+
+    async fn send_user_agent_response(
+        &mut self,
+        payload: AuthResponsePayload,
+    ) -> Result<(), TransportError> {
+        self.send_response_payload(UserAgentResponsePayload::Auth(proto_auth::Response {
+            payload: Some(payload),
+        }))
+        .await
+    }
 }

 #[async_trait]
@@ -61,8 +74,15 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
    ) -> Result<(), TransportError> {
        use auth::{Error, Outbound};
        let payload = match item {
-            Ok(Outbound::AuthChallenge { nonce }) => {
-                AuthResponsePayload::Challenge(ProtoAuthChallenge { nonce })
+            Ok(Outbound::AuthChallenge { challenge }) => {
+                AuthResponsePayload::Challenge(ProtoAuthChallenge {
+                    timestamp_nanos: challenge
+                        .timestamp
+                        .timestamp_nanos_opt()
+                        .expect("timestamp within range")
+                        as u64,
+                    random: challenge.nonce.to_vec(),
+                })
            }
            Ok(Outbound::AuthSuccess) => {
                AuthResponsePayload::Result(ProtoAuthResult::Success.into())
@@ -140,7 +160,6 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
            AuthRequestPayload::ChallengeRequest(ProtoAuthChallengeRequest {
                pubkey,
                bootstrap_token,
-                ..
            }) => {
                let Ok(pubkey) = authn::PublicKey::try_from(pubkey.as_slice()) else {
                    warn!(
@@ -163,12 +182,3 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
 }

 impl Bi<auth::Inbound, Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {}
-
-pub async fn start(
-    conn: &mut UserAgentConnection,
-    bi: &mut GrpcBi<UserAgentRequest, UserAgentResponse>,
-    request_tracker: &mut RequestTracker,
-) -> Result<authn::PublicKey, auth::Error> {
-    let transport = AuthTransportAdapter::new(bi, request_tracker);
-    auth::authenticate(conn, transport).await
-}
--- a/server/crates/arbiter-server/src/grpc/user_agent/evm.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/evm.rs
@@ -1,3 +1,17 @@
+use crate::{
+    grpc::{
+        Convert, TryConvert,
+        common::inbound::{RawEvmAddress, RawEvmTransaction},
+    },
+    peers::user_agent::{
+        UserAgentSession,
+        session::handlers::{
+            GrantMutationError, HandleEvmWalletCreate, HandleEvmWalletList, HandleGrantCreate,
+            HandleGrantDelete, HandleGrantList, HandleSignTransaction,
+            SignTransactionError as SessionSignTransactionError,
+        },
+    },
+};
 use arbiter_proto::proto::{
    evm::{
        EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
@@ -18,25 +32,11 @@ use arbiter_proto::proto::{
        user_agent_response::Payload as UserAgentResponsePayload,
    },
 };
+
 use kameo::actor::ActorRef;
 use tonic::Status;
 use tracing::warn;

-use crate::{
-    actors::user_agent::{
-        UserAgentSession,
-        session::connection::{
-            GrantMutationError, HandleEvmWalletCreate, HandleEvmWalletList, HandleGrantCreate,
-            HandleGrantDelete, HandleGrantList, HandleSignTransaction,
-            SignTransactionError as SessionSignTransactionError,
-        },
-    },
-    grpc::{
-        Convert, TryConvert,
-        common::inbound::{RawEvmAddress, RawEvmTransaction},
-    },
-};
-
 const fn wrap_evm_response(payload: EvmResponsePayload) -> UserAgentResponsePayload {
    UserAgentResponsePayload::Evm(proto_evm::Response {
        payload: Some(payload),
--- a/server/crates/arbiter-server/src/grpc/user_agent/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/inbound.rs
@@ -1,26 +1,26 @@
-use alloy::primitives::{Address, U256};
-use arbiter_proto::proto::evm::{
-    EtherTransferSettings as ProtoEtherTransferSettings, SharedSettings as ProtoSharedSettings,
-    SpecificGrant as ProtoSpecificGrant, TokenTransferSettings as ProtoTokenTransferSettings,
-    TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
-    specific_grant::Grant as ProtoSpecificGrantType,
-};
-use arbiter_proto::proto::user_agent::sdk_client::{
-    WalletAccess, WalletAccessEntry as SdkClientWalletAccess,
-};
-use chrono::{DateTime, TimeZone, Utc};
-use prost_types::Timestamp as ProtoTimestamp;
-use tonic::Status;
-
-use crate::db::models::{CoreEvmWalletAccess, NewEvmWalletAccess};
-use crate::grpc::Convert;
 use crate::{
+    db::models::{CoreEvmWalletAccess, NewEvmWalletAccess},
    evm::policies::{
        SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit, ether_transfer,
        token_transfers,
    },
+    grpc::Convert,
    grpc::TryConvert,
 };
+use arbiter_proto::{
+    proto::evm::{
+        EtherTransferSettings as ProtoEtherTransferSettings, SharedSettings as ProtoSharedSettings,
+        SpecificGrant as ProtoSpecificGrant, TokenTransferSettings as ProtoTokenTransferSettings,
+        TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
+        specific_grant::Grant as ProtoSpecificGrantType,
+    },
+    proto::user_agent::sdk_client::{WalletAccess, WalletAccessEntry as SdkClientWalletAccess},
+};
+
+use alloy::primitives::{Address, U256};
+use chrono::{DateTime, TimeZone, Utc};
+use prost_types::Timestamp as ProtoTimestamp;
+use tonic::Status;

 fn address_from_bytes(bytes: &[u8]) -> Result<Address, Status> {
    if bytes.len() != 20 {
--- a/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
@@ -1,3 +1,8 @@
+use crate::{
+    db::models::EvmWalletAccess,
+    evm::policies::{SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit},
+    grpc::Convert,
+};
 use arbiter_proto::proto::{
    evm::{
        EtherTransferSettings as ProtoEtherTransferSettings, SharedSettings as ProtoSharedSettings,
@@ -7,15 +12,10 @@ use arbiter_proto::proto::{
    },
    user_agent::sdk_client::{WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess},
 };
+
 use chrono::{DateTime, Utc};
 use prost_types::Timestamp as ProtoTimestamp;

-use crate::{
-    db::models::EvmWalletAccess,
-    evm::policies::{SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit},
-    grpc::Convert,
-};
-
 impl Convert for DateTime<Utc> {
    type Output = ProtoTimestamp;

--- a/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
@@ -1,3 +1,14 @@
+use crate::{
+    db::models::NewEvmWalletAccess,
+    grpc::Convert,
+    peers::user_agent::{
+        OutOfBand, UserAgentSession,
+        session::handlers::{
+            HandleGrantEvmWalletAccess, HandleListWalletAccess, HandleNewClientApprove,
+            HandleRevokeEvmWalletAccess, HandleSdkClientList,
+        },
+    },
+};
 use arbiter_crypto::authn;
 use arbiter_proto::proto::{
    shared::ClientInfo as ProtoClientMetadata,
@@ -16,22 +27,11 @@ use arbiter_proto::proto::{
        user_agent_response::Payload as UserAgentResponsePayload,
    },
 };
+
 use kameo::actor::ActorRef;
 use tonic::Status;
 use tracing::{info, warn};

-use crate::{
-    actors::user_agent::{
-        OutOfBand, UserAgentSession,
-        session::connection::{
-            HandleGrantEvmWalletAccess, HandleListWalletAccess, HandleNewClientApprove,
-            HandleRevokeEvmWalletAccess, HandleSdkClientList,
-        },
-    },
-    db::models::NewEvmWalletAccess,
-    grpc::Convert,
-};
-
 const fn wrap_sdk_client_response(payload: SdkClientResponsePayload) -> UserAgentResponsePayload {
    UserAgentResponsePayload::SdkClient(proto_sdk_client::Response {
        payload: Some(payload),
--- a/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
@@ -1,54 +1,28 @@
-use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
-use arbiter_proto::proto::user_agent::{
-    user_agent_response::Payload as UserAgentResponsePayload,
-    vault::{
-        self as proto_vault,
-        bootstrap::{
-            self as proto_bootstrap, BootstrapEncryptedKey as ProtoBootstrapEncryptedKey,
-            BootstrapResult as ProtoBootstrapResult,
-        },
-        request::Payload as VaultRequestPayload,
-        response::Payload as VaultResponsePayload,
-        unseal::{
-            self as proto_unseal, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
-            UnsealResult as ProtoUnsealResult, UnsealStart,
-            request::Payload as UnsealRequestPayload, response::Payload as UnsealResponsePayload,
+use crate::{
+    actors::vault::VaultState,
+    peers::user_agent::{UserAgentSession, session::handlers::HandleQueryVaultState},
+};
+use arbiter_proto::{
+    proto::shared::VaultState as ProtoVaultState,
+    proto::user_agent::{
+        user_agent_response::Payload as UserAgentResponsePayload,
+        vault::{
+            self as proto_vault, request::Payload as VaultRequestPayload,
+            response::Payload as VaultResponsePayload,
        },
    },
 };
-use kameo::{actor::ActorRef, error::SendError};
+
+use kameo::actor::ActorRef;
 use tonic::Status;
 use tracing::warn;

-use crate::actors::{
-    keyholder::KeyHolderState,
-    user_agent::{
-        UserAgentSession,
-        session::connection::{
-            BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
-            HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
-        },
-    },
-};
-
 const fn wrap_vault_response(payload: VaultResponsePayload) -> UserAgentResponsePayload {
    UserAgentResponsePayload::Vault(proto_vault::Response {
        payload: Some(payload),
    })
 }

-const fn wrap_unseal_response(payload: UnsealResponsePayload) -> UserAgentResponsePayload {
-    wrap_vault_response(VaultResponsePayload::Unseal(proto_unseal::Response {
-        payload: Some(payload),
-    }))
-}
-
-fn wrap_bootstrap_response(result: ProtoBootstrapResult) -> UserAgentResponsePayload {
-    wrap_vault_response(VaultResponsePayload::Bootstrap(proto_bootstrap::Response {
-        result: result.into(),
-    }))
-}
-
 pub(super) async fn dispatch(
    actor: &ActorRef<UserAgentSession>,
    req: proto_vault::Request,
@@ -59,116 +33,21 @@ pub(super) async fn dispatch(

    match payload {
        VaultRequestPayload::QueryState(()) => handle_query_vault_state(actor).await,
-        VaultRequestPayload::Unseal(req) => dispatch_unseal_request(actor, req).await,
-        VaultRequestPayload::Bootstrap(req) => handle_bootstrap_request(actor, req).await,
+        VaultRequestPayload::Unseal(_) | VaultRequestPayload::Bootstrap(_) => {
+            Err(Status::permission_denied(
+                "Vault is already unsealed; unseal/bootstrap not permitted in session",
+            ))
+        }
    }
 }

-async fn dispatch_unseal_request(
-    actor: &ActorRef<UserAgentSession>,
-    req: proto_unseal::Request,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument("Missing unseal request payload"));
-    };
-
-    match payload {
-        UnsealRequestPayload::Start(req) => handle_unseal_start(actor, req).await,
-        UnsealRequestPayload::EncryptedKey(req) => handle_unseal_encrypted_key(actor, req).await,
-    }
-}
-
-async fn handle_unseal_start(
-    actor: &ActorRef<UserAgentSession>,
-    req: UnsealStart,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let client_pubkey = <[u8; 32]>::try_from(req.client_pubkey)
-        .map(x25519_dalek::PublicKey::from)
-        .map_err(|_| Status::invalid_argument("Invalid X25519 public key"))?;
-
-    let response = actor
-        .ask(HandleUnsealRequest { client_pubkey })
-        .await
-        .map_err(|err| {
-            warn!(error = ?err, "Failed to handle unseal start request");
-            Status::internal("Failed to start unseal flow")
-        })?;
-
-    Ok(Some(wrap_unseal_response(UnsealResponsePayload::Start(
-        proto_unseal::UnsealStartResponse {
-            server_pubkey: response.server_pubkey.as_bytes().to_vec(),
-        },
-    ))))
-}
-
-async fn handle_unseal_encrypted_key(
-    actor: &ActorRef<UserAgentSession>,
-    req: ProtoUnsealEncryptedKey,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor
-        .ask(HandleUnsealEncryptedKey {
-            nonce: req.nonce,
-            ciphertext: req.ciphertext,
-            associated_data: req.associated_data,
-        })
-        .await
-    {
-        Ok(()) => ProtoUnsealResult::Success,
-        Err(SendError::HandlerError(UnsealError::InvalidKey)) => ProtoUnsealResult::InvalidKey,
-        Err(err) => {
-            warn!(error = ?err, "Failed to handle unseal request");
-            return Err(Status::internal("Failed to unseal vault"));
-        }
-    };
-    Ok(Some(wrap_unseal_response(UnsealResponsePayload::Result(
-        result.into(),
-    ))))
-}
-
-async fn handle_bootstrap_request(
-    actor: &ActorRef<UserAgentSession>,
-    req: proto_bootstrap::Request,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let encrypted_key = req
-        .encrypted_key
-        .ok_or_else(|| Status::invalid_argument("Missing bootstrap encrypted key"))?;
-    handle_bootstrap_encrypted_key(actor, encrypted_key).await
-}
-
-async fn handle_bootstrap_encrypted_key(
-    actor: &ActorRef<UserAgentSession>,
-    req: ProtoBootstrapEncryptedKey,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor
-        .ask(HandleBootstrapEncryptedKey {
-            nonce: req.nonce,
-            ciphertext: req.ciphertext,
-            associated_data: req.associated_data,
-        })
-        .await
-    {
-        Ok(()) => ProtoBootstrapResult::Success,
-        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => {
-            ProtoBootstrapResult::InvalidKey
-        }
-        Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
-            ProtoBootstrapResult::AlreadyBootstrapped
-        }
-        Err(err) => {
-            warn!(error = ?err, "Failed to handle bootstrap request");
-            return Err(Status::internal("Failed to bootstrap vault"));
-        }
-    };
-    Ok(Some(wrap_bootstrap_response(result)))
-}
-
 async fn handle_query_vault_state(
    actor: &ActorRef<UserAgentSession>,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
    let state = match actor.ask(HandleQueryVaultState {}).await {
-        Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
-        Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
-        Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
+        Ok(VaultState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
+        Ok(VaultState::Sealed) => ProtoVaultState::Sealed,
+        Ok(VaultState::Unsealed) => ProtoVaultState::Unsealed,
        Err(err) => {
            warn!(error = ?err, "Failed to query vault state");
            ProtoVaultState::Error
--- a/server/crates/arbiter-server/src/grpc/user_agent/vault_gate.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/vault_gate.rs
@@ -0,0 +1,79 @@
+use super::auth::AuthTransportAdapter;
+use crate::{
+    grpc::TryConvert,
+    peers::user_agent::vault_gate::{self as vault_gate},
+};
+use arbiter_proto::transport::{Bi, Error as TransportError, Receiver, Sender};
+
+use async_trait::async_trait;
+use tonic::Status;
+use tracing::warn;
+
+mod inbound;
+mod outbound;
+
+#[async_trait]
+impl Receiver<vault_gate::Inbound> for AuthTransportAdapter<'_> {
+    async fn recv(&mut self) -> Option<vault_gate::Inbound> {
+        let request = match self.bi_mut().recv().await? {
+            Ok(request) => request,
+            Err(error) => {
+                warn!(
+                    ?error,
+                    "Failed to receive user agent request during vault gate"
+                );
+                return None;
+            }
+        };
+
+        if let Err(err) = self.tracker_mut().request(request.id) {
+            let _ = self.bi_mut().send(Err(err)).await;
+            return None;
+        }
+
+        let Some(payload) = request.payload else {
+            let _ = self
+                .bi_mut()
+                .send(Err(Status::invalid_argument("Missing request payload")))
+                .await;
+            return None;
+        };
+
+        match payload.try_convert() {
+            Ok(inbound) => Some(inbound),
+            Err(status) => {
+                let _ = self.bi_mut().send(Err(status)).await;
+                None
+            }
+        }
+    }
+}
+
+#[async_trait]
+impl Sender<Result<vault_gate::Outbound, vault_gate::Error>> for AuthTransportAdapter<'_> {
+    async fn send(
+        &mut self,
+        item: Result<vault_gate::Outbound, vault_gate::Error>,
+    ) -> Result<(), TransportError> {
+        let outbound = match item {
+            Ok(outbound) => outbound,
+            Err(err) => {
+                warn!(?err, "vault gate produced transport-level error");
+                return self
+                    .bi_mut()
+                    .send(Err(Status::internal(err.to_string())))
+                    .await;
+            }
+        };
+
+        match outbound.try_convert() {
+            Ok(payload) => self.send_response_payload(payload).await,
+            Err(status) => self.bi_mut().send(Err(status)).await,
+        }
+    }
+}
+
+impl Bi<vault_gate::Inbound, Result<vault_gate::Outbound, vault_gate::Error>>
+    for AuthTransportAdapter<'_>
+{
+}
--- a/server/crates/arbiter-server/src/grpc/user_agent/vault_gate/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/vault_gate/inbound.rs
@@ -0,0 +1,129 @@
+use crate::{
+    grpc::{Convert, TryConvert},
+    peers::user_agent::vault_gate::{
+        self as vault_gate, HandleBootstrapEncryptedKey, HandleHandshake, HandleUnsealEncryptedKey,
+    },
+};
+use arbiter_proto::proto::user_agent::{
+    user_agent_request::Payload as UserAgentRequestPayload,
+    vault::{
+        self as proto_vault,
+        bootstrap::{self as proto_bootstrap},
+        request::Payload as VaultRequestPayload,
+        unseal::{self as proto_unseal, request::Payload as UnsealRequestPayload},
+    },
+};
+
+use tonic::Status;
+
+impl TryConvert for UserAgentRequestPayload {
+    type Output = vault_gate::Inbound;
+    type Error = Status;
+
+    fn try_convert(self) -> Result<vault_gate::Inbound, Status> {
+        match self {
+            Self::Vault(req) => req.try_convert(),
+            _ => Err(Status::permission_denied(
+                "Only vault operations are permitted before unsealing",
+            )),
+        }
+    }
+}
+
+impl TryConvert for proto_vault::Request {
+    type Output = vault_gate::Inbound;
+    type Error = Status;
+
+    fn try_convert(self) -> Result<vault_gate::Inbound, Status> {
+        self.payload
+            .ok_or_else(|| Status::invalid_argument("Missing vault request payload"))?
+            .try_convert()
+    }
+}
+
+impl TryConvert for VaultRequestPayload {
+    type Output = vault_gate::Inbound;
+    type Error = Status;
+
+    fn try_convert(self) -> Result<vault_gate::Inbound, Status> {
+        match self {
+            Self::QueryState(()) => Ok(vault_gate::Inbound::HandleVaultState),
+            Self::Unseal(req) => req.try_convert(),
+            Self::Bootstrap(req) => req.try_convert(),
+        }
+    }
+}
+
+impl TryConvert for proto_unseal::Request {
+    type Output = vault_gate::Inbound;
+    type Error = Status;
+
+    fn try_convert(self) -> Result<vault_gate::Inbound, Status> {
+        self.payload
+            .ok_or_else(|| Status::invalid_argument("Missing unseal request payload"))?
+            .try_convert()
+    }
+}
+
+impl TryConvert for UnsealRequestPayload {
+    type Output = vault_gate::Inbound;
+    type Error = Status;
+
+    fn try_convert(self) -> Result<vault_gate::Inbound, Status> {
+        match self {
+            Self::Start(start) => start.try_convert(),
+            Self::EncryptedKey(key) => Ok(key.convert()),
+        }
+    }
+}
+
+impl TryConvert for proto_unseal::UnsealStart {
+    type Output = vault_gate::Inbound;
+    type Error = Status;
+
+    fn try_convert(self) -> Result<vault_gate::Inbound, Status> {
+        let bytes = <[u8; 32]>::try_from(self.client_pubkey)
+            .map_err(|_| Status::invalid_argument("Invalid X25519 public key"))?;
+        Ok(vault_gate::Inbound::HandleHandshake(HandleHandshake {
+            client_pubkey: x25519_dalek::PublicKey::from(bytes),
+        }))
+    }
+}
+
+impl Convert for proto_unseal::UnsealEncryptedKey {
+    type Output = vault_gate::Inbound;
+
+    fn convert(self) -> vault_gate::Inbound {
+        vault_gate::Inbound::HandleUnsealEncryptedKey(HandleUnsealEncryptedKey {
+            nonce: self.nonce,
+            ciphertext: self.ciphertext,
+            associated_data: self.associated_data,
+        })
+    }
+}
+
+impl TryConvert for proto_bootstrap::Request {
+    type Output = vault_gate::Inbound;
+    type Error = Status;
+
+    fn try_convert(self) -> Result<vault_gate::Inbound, Status> {
+        self.encrypted_key
+            .ok_or_else(|| Status::invalid_argument("Missing bootstrap encrypted key"))?
+            .try_convert()
+    }
+}
+
+impl TryConvert for proto_bootstrap::BootstrapEncryptedKey {
+    type Output = vault_gate::Inbound;
+    type Error = Status;
+
+    fn try_convert(self) -> Result<vault_gate::Inbound, Status> {
+        Ok(vault_gate::Inbound::HandleBootstrapEncryptedKey(
+            HandleBootstrapEncryptedKey {
+                nonce: self.nonce,
+                ciphertext: self.ciphertext,
+                associated_data: self.associated_data,
+            },
+        ))
+    }
+}
--- a/server/crates/arbiter-server/src/grpc/user_agent/vault_gate/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/vault_gate/outbound.rs
@@ -0,0 +1,115 @@
+use crate::{
+    actors::vault::VaultState,
+    grpc::{Convert, TryConvert},
+    peers::user_agent::vault_gate::{self as vault_gate},
+};
+use arbiter_proto::proto::{
+    shared::VaultState as ProtoVaultState,
+    user_agent::{
+        user_agent_response::Payload as UserAgentResponsePayload,
+        vault::{
+            self as proto_vault,
+            bootstrap::{self as proto_bootstrap, BootstrapResult as ProtoBootstrapResult},
+            response::Payload as VaultResponsePayload,
+            unseal::{
+                self as proto_unseal, UnsealResult as ProtoUnsealResult,
+                response::Payload as UnsealResponsePayload,
+            },
+        },
+    },
+};
+
+use tonic::Status;
+use tracing::warn;
+
+const fn wrap_vault_response(payload: VaultResponsePayload) -> UserAgentResponsePayload {
+    UserAgentResponsePayload::Vault(proto_vault::Response {
+        payload: Some(payload),
+    })
+}
+
+const fn wrap_unseal_response(payload: UnsealResponsePayload) -> UserAgentResponsePayload {
+    wrap_vault_response(VaultResponsePayload::Unseal(proto_unseal::Response {
+        payload: Some(payload),
+    }))
+}
+
+fn wrap_bootstrap_response(result: ProtoBootstrapResult) -> UserAgentResponsePayload {
+    wrap_vault_response(VaultResponsePayload::Bootstrap(proto_bootstrap::Response {
+        result: result.into(),
+    }))
+}
+
+impl Convert for VaultState {
+    type Output = UserAgentResponsePayload;
+
+    fn convert(self) -> UserAgentResponsePayload {
+        let proto_state = match self {
+            Self::Unbootstrapped => ProtoVaultState::Unbootstrapped,
+            Self::Sealed => ProtoVaultState::Sealed,
+            Self::Unsealed => ProtoVaultState::Unsealed,
+        };
+        wrap_vault_response(VaultResponsePayload::State(proto_state.into()))
+    }
+}
+
+impl Convert for vault_gate::HandshakeResponse {
+    type Output = UserAgentResponsePayload;
+
+    fn convert(self) -> UserAgentResponsePayload {
+        wrap_unseal_response(UnsealResponsePayload::Start(
+            proto_unseal::UnsealStartResponse {
+                server_pubkey: self.server_pubkey.as_bytes().to_vec(),
+            },
+        ))
+    }
+}
+
+impl TryConvert for vault_gate::Outbound {
+    type Output = UserAgentResponsePayload;
+    type Error = Status;
+
+    fn try_convert(self) -> Result<UserAgentResponsePayload, Status> {
+        match self {
+            Self::HandleVaultState(result) => result
+                .map_err(|err| {
+                    warn!(?err, "vault state query failed");
+                    Status::internal("Failed to query vault state")
+                })
+                .map(VaultState::convert),
+            Self::HandleHandshake(result) => result
+                .map_err(|err| {
+                    warn!(?err, "handshake failed");
+                    Status::internal("Failed to start unseal flow")
+                })
+                .map(vault_gate::HandshakeResponse::convert),
+            Self::HandleUnsealEncryptedKey(result) => {
+                let proto_result = match result {
+                    Ok(()) => ProtoUnsealResult::Success,
+                    Err(vault_gate::Error::InvalidKey) => ProtoUnsealResult::InvalidKey,
+                    Err(err) => {
+                        warn!(?err, "unseal failed");
+                        return Err(Status::internal("Failed to unseal vault"));
+                    }
+                };
+                Ok(wrap_unseal_response(UnsealResponsePayload::Result(
+                    proto_result.into(),
+                )))
+            }
+            Self::HandleBootstrapEncryptedKey(result) => {
+                let proto_result = match result {
+                    Ok(()) => ProtoBootstrapResult::Success,
+                    Err(vault_gate::Error::InvalidKey) => ProtoBootstrapResult::InvalidKey,
+                    Err(vault_gate::Error::AlreadyBootstrapped) => {
+                        ProtoBootstrapResult::AlreadyBootstrapped
+                    }
+                    Err(err) => {
+                        warn!(?err, "bootstrap failed");
+                        return Err(Status::internal("Failed to bootstrap vault"));
+                    }
+                };
+                Ok(wrap_bootstrap_response(proto_result))
+            }
+        }
+    }
+}