refactor(server): renamed 'wallet_visibility' to 'wallet_access'

protobufs/evm.proto

@@ -46,7 +46,7 @@ message VolumeRateLimit {
 }
 
 message SharedSettings {
-  int32 visibility_id = 1;
+  int32 wallet_access_id = 1;
   uint64 chain_id = 2;
   optional google.protobuf.Timestamp valid_from = 3;
   optional google.protobuf.Timestamp valid_until = 4;
@@ -164,13 +164,13 @@ message EvmGrantDeleteResponse {
 // Basic grant info returned in grant listings
 message GrantEntry {
   int32 id = 1;
-  int32 visibility_id = 2;
+  int32 wallet_access_id = 2;
   SharedSettings shared = 3;
   SpecificGrant specific = 4;
 }
 
 message EvmGrantListRequest {
-  optional int32 visibility_id = 1;
+  optional int32 wallet_access_id = 1;
 }
 
 message EvmGrantListResponse {

server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql

@@ -93,14 +93,14 @@ create unique index if not exists uniq_evm_wallet_address on evm_wallet (address
 
 create unique index if not exists uniq_evm_wallet_aead on evm_wallet (aead_encrypted_id);
 
-create table if not exists evm_wallet_visibility (
+create table if not exists evm_wallet_access (
     id integer not null primary key,
     wallet_id integer not null references evm_wallet (id) on delete cascade,
     client_id integer not null references program_client (id) on delete cascade,
     created_at integer not null default(unixepoch ('now'))
 ) STRICT;
 
-create unique index if not exists uniq_wallet_visibility on evm_wallet_visibility (wallet_id, client_id);
+create unique index if not exists uniq_wallet_access on evm_wallet_access (wallet_id, client_id);
 
 create table if not exists evm_ether_transfer_limit (
     id integer not null primary key,
@@ -111,7 +111,7 @@ create table if not exists evm_ether_transfer_limit (
 -- Shared grant properties: client scope, timeframe, fee caps, and rate limit
 create table if not exists evm_basic_grant (
     id integer not null primary key,
-    visibility_id integer not null references evm_wallet_visibility (id) on delete restrict,
+    wallet_access_id integer not null references evm_wallet_access (id) on delete restrict,
     chain_id integer not null, -- EIP-155 chain ID
     valid_from integer, -- unix timestamp (seconds), null = no lower bound
     valid_until integer, -- unix timestamp (seconds), null = no upper bound
@@ -126,14 +126,14 @@ create table if not exists evm_basic_grant (
 -- Shared transaction log for all EVM grants, used for rate limit tracking and auditing
 create table if not exists evm_transaction_log (
     id integer not null primary key,
-    visibility_id integer not null references evm_wallet_visibility (id) on delete restrict,
+    wallet_access_id integer not null references evm_wallet_access (id) on delete restrict,
     grant_id integer not null references evm_basic_grant (id) on delete restrict,
     chain_id integer not null,
     eth_value blob not null, -- always present on any EVM tx
     signed_at integer not null default(unixepoch ('now'))
 ) STRICT;
 
-create index if not exists idx_evm_basic_grant_wallet_chain on evm_basic_grant (visibility_id, chain_id);
+create index if not exists idx_evm_basic_grant_access_chain on evm_basic_grant (wallet_access_id, chain_id);
 
 -- ===============================
 -- ERC20 token transfer grant

server/crates/arbiter-server/src/actors/evm/mod.rs

@@ -206,10 +206,10 @@ impl EvmActor {
             .await
             .optional()?
             .ok_or(SignTransactionError::WalletNotFound)?;
-        let visibility = schema::evm_wallet_visibility::table
+        let wallet_access = schema::evm_wallet_access::table
-            .select(models::EvmWalletVisibility::as_select())
+            .select(models::EvmWalletAccess::as_select())
-            .filter(schema::evm_wallet_visibility::wallet_id.eq(wallet.id))
+            .filter(schema::evm_wallet_access::wallet_id.eq(wallet.id))
-            .filter(schema::evm_wallet_visibility::client_id.eq(client_id))
+            .filter(schema::evm_wallet_access::client_id.eq(client_id))
             .first(&mut conn)
             .await
             .optional()?
@@ -218,7 +218,7 @@ impl EvmActor {
 
         let meaning = self
             .engine
-            .evaluate_transaction(visibility, transaction.clone(), RunKind::Execution)
+            .evaluate_transaction(wallet_access, transaction.clone(), RunKind::Execution)
             .await?;
 
         Ok(meaning)
@@ -239,10 +239,10 @@ impl EvmActor {
             .await
             .optional()?
             .ok_or(SignTransactionError::WalletNotFound)?;
-        let visibility = schema::evm_wallet_visibility::table
+        let wallet_access = schema::evm_wallet_access::table
-            .select(models::EvmWalletVisibility::as_select())
+            .select(models::EvmWalletAccess::as_select())
-            .filter(schema::evm_wallet_visibility::wallet_id.eq(wallet.id))
+            .filter(schema::evm_wallet_access::wallet_id.eq(wallet.id))
-            .filter(schema::evm_wallet_visibility::client_id.eq(client_id))
+            .filter(schema::evm_wallet_access::client_id.eq(client_id))
             .first(&mut conn)
             .await
             .optional()?
@@ -260,7 +260,7 @@ impl EvmActor {
         let signer = safe_signer::SafeSigner::from_cell(raw_key)?;
 
         self.engine
-            .evaluate_transaction(visibility, transaction.clone(), RunKind::Execution)
+            .evaluate_transaction(wallet_access, transaction.clone(), RunKind::Execution)
             .await?;
 
         use alloy::network::TxSignerSync as _;

server/crates/arbiter-server/src/db/models.rs

@@ -186,8 +186,8 @@ pub struct EvmWallet {
 }
 
 #[derive(Models, Queryable, Debug, Insertable, Selectable, Clone)]
-#[diesel(table_name = schema::evm_wallet_visibility, check_for_backend(Sqlite))]
+#[diesel(table_name = schema::evm_wallet_access, check_for_backend(Sqlite))]
-pub struct EvmWalletVisibility {
+pub struct EvmWalletAccess {
     pub id: i32,
     pub wallet_id: i32,
     pub client_id: i32,
@@ -259,7 +259,7 @@ pub struct EvmEtherTransferLimit {
 )]
 pub struct EvmBasicGrant {
     pub id: i32,
-    pub visibility_id: i32, // references evm_wallet_visibility.id
+    pub wallet_access_id: i32, // references evm_wallet_access.id
     pub chain_id: i32,
     pub valid_from: Option<SqliteTimestamp>,
     pub valid_until: Option<SqliteTimestamp>,
@@ -282,7 +282,7 @@ pub struct EvmBasicGrant {
 pub struct EvmTransactionLog {
     pub id: i32,
     pub grant_id: i32,
-    pub visibility_id: i32,
+    pub wallet_access_id: i32,
     pub chain_id: i32,
     pub eth_value: Vec<u8>,
     pub signed_at: SqliteTimestamp,

server/crates/arbiter-server/src/db/schema.rs

@@ -42,7 +42,7 @@ diesel::table! {
 diesel::table! {
     evm_basic_grant (id) {
         id -> Integer,
-        visibility_id -> Integer,
+        wallet_access_id -> Integer,
         chain_id -> Integer,
         valid_from -> Nullable<Integer>,
         valid_until -> Nullable<Integer>,
@@ -113,7 +113,7 @@ diesel::table! {
 diesel::table! {
     evm_transaction_log (id) {
         id -> Integer,
-        visibility_id -> Integer,
+        wallet_access_id -> Integer,
         grant_id -> Integer,
         chain_id -> Integer,
         eth_value -> Binary,
@@ -131,7 +131,7 @@ diesel::table! {
 }
 
 diesel::table! {
-    evm_wallet_visibility (id) {
+    evm_wallet_access (id) {
         id -> Integer,
         wallet_id -> Integer,
         client_id -> Integer,
@@ -189,7 +189,7 @@ diesel::joinable!(arbiter_settings -> root_key_history (root_key_id));
 diesel::joinable!(arbiter_settings -> tls_history (tls_id));
 diesel::joinable!(client_metadata_history -> client_metadata (metadata_id));
 diesel::joinable!(client_metadata_history -> program_client (client_id));
-diesel::joinable!(evm_basic_grant -> evm_wallet_visibility (visibility_id));
+diesel::joinable!(evm_basic_grant -> evm_wallet_access (wallet_access_id));
 diesel::joinable!(evm_ether_transfer_grant -> evm_basic_grant (basic_grant_id));
 diesel::joinable!(evm_ether_transfer_grant -> evm_ether_transfer_limit (limit_id));
 diesel::joinable!(evm_ether_transfer_grant_target -> evm_ether_transfer_grant (grant_id));
@@ -198,10 +198,10 @@ diesel::joinable!(evm_token_transfer_log -> evm_token_transfer_grant (grant_id))
 diesel::joinable!(evm_token_transfer_log -> evm_transaction_log (log_id));
 diesel::joinable!(evm_token_transfer_volume_limit -> evm_token_transfer_grant (grant_id));
 diesel::joinable!(evm_transaction_log -> evm_basic_grant (grant_id));
-diesel::joinable!(evm_transaction_log -> evm_wallet_visibility (visibility_id));
+diesel::joinable!(evm_transaction_log -> evm_wallet_access (wallet_access_id));
 diesel::joinable!(evm_wallet -> aead_encrypted (aead_encrypted_id));
-diesel::joinable!(evm_wallet_visibility -> evm_wallet (wallet_id));
+diesel::joinable!(evm_wallet_access -> evm_wallet (wallet_id));
-diesel::joinable!(evm_wallet_visibility -> program_client (client_id));
+diesel::joinable!(evm_wallet_access -> program_client (client_id));
 diesel::joinable!(program_client -> client_metadata (metadata_id));
 
 diesel::allow_tables_to_appear_in_same_query!(
@@ -218,7 +218,7 @@ diesel::allow_tables_to_appear_in_same_query!(
     evm_token_transfer_volume_limit,
     evm_transaction_log,
     evm_wallet,
-    evm_wallet_visibility,
+    evm_wallet_access,
     program_client,
     root_key_history,
     tls_history,

server/crates/arbiter-server/src/evm/mod.rs

@@ -13,8 +13,7 @@ use crate::{
     db::{
         self,
         models::{
-            EvmBasicGrant, EvmWalletVisibility, NewEvmBasicGrant, NewEvmTransactionLog,
+            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
-            SqliteTimestamp,
         },
         schema::{self, evm_transaction_log},
     },
@@ -187,7 +186,7 @@ impl Engine {
                     let log_id: i32 = insert_into(evm_transaction_log::table)
                         .values(&NewEvmTransactionLog {
                             grant_id: grant.shared_grant_id,
-                            visibility_id: context.target.id,
+                            wallet_access_id: context.target.id,
                             chain_id: context.chain as i32,
                             eth_value: utils::u256_to_bytes(context.value).to_vec(),
                             signed_at: Utc::now().into(),
@@ -227,7 +226,7 @@ impl Engine {
                     let basic_grant: EvmBasicGrant = insert_into(evm_basic_grant::table)
                         .values(&NewEvmBasicGrant {
                             chain_id: full_grant.basic.chain as i32,
-                            visibility_id: full_grant.basic.visibility_id,
+                            wallet_access_id: full_grant.basic.wallet_access_id,
                             valid_from: full_grant.basic.valid_from.map(SqliteTimestamp),
                             valid_until: full_grant.basic.valid_until.map(SqliteTimestamp),
                             max_gas_fee_per_gas: full_grant
@@ -295,7 +294,7 @@ impl Engine {
 
     pub async fn evaluate_transaction(
         &self,
-        target: EvmWalletVisibility,
+        target: EvmWalletAccess,
         transaction: TxEip1559,
         run_kind: RunKind,
     ) -> Result<SpecificMeaning, VetError> {

server/crates/arbiter-server/src/evm/policies.rs

@@ -10,7 +10,7 @@ use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
-    db::models::{self, EvmBasicGrant, EvmWalletVisibility},
+    db::models::{self, EvmBasicGrant, EvmWalletAccess},
     evm::utils,
 };
 
@@ -20,7 +20,7 @@ pub mod token_transfers;
 #[derive(Debug, Clone)]
 pub struct EvalContext {
     // Which wallet is this transaction for and who requested it
-    pub target: EvmWalletVisibility,
+    pub target: EvmWalletAccess,
 
     // The transaction data
     pub chain: ChainId,
@@ -144,7 +144,7 @@ pub struct VolumeRateLimit {
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct SharedGrantSettings {
-    pub visibility_id: i32,
+    pub wallet_access_id: i32,
     pub chain: ChainId,
 
     pub valid_from: Option<DateTime<Utc>>,
@@ -159,7 +159,7 @@ pub struct SharedGrantSettings {
 impl SharedGrantSettings {
     fn try_from_model(model: EvmBasicGrant) -> QueryResult<Self> {
         Ok(Self {
-            visibility_id: model.visibility_id,
+            wallet_access_id: model.wallet_access_id,
             chain: model.chain_id as u64, // safe because chain_id is stored as i32 but is guaranteed to be a valid ChainId by the API when creating grants
             valid_from: model.valid_from.map(Into::into),
             valid_until: model.valid_until.map(Into::into),

server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs

@@ -196,7 +196,7 @@ impl Policy for EtherTransfer {
             .inner_join(evm_basic_grant::table)
             .inner_join(evm_ether_transfer_grant_target::table)
             .filter(
-                evm_basic_grant::visibility_id
+                evm_basic_grant::wallet_access_id
                     .eq(context.target.id)
                     .and(evm_basic_grant::revoked_at.is_null())
                     .and(evm_ether_transfer_grant_target::address.eq(&target_bytes)),

server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs

@@ -6,7 +6,7 @@ use diesel_async::RunQueryDsl;
 use crate::db::{
     self, DatabaseConnection,
     models::{
-        EvmBasicGrant, EvmWalletVisibility, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
+        EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
     },
     schema::{evm_basic_grant, evm_transaction_log},
 };
@@ -17,7 +17,7 @@ use crate::evm::{
 
 use super::{EtherTransfer, Settings};
 
-const VISIBILITY_ID: i32 = 1;
+const WALLET_ACCESS_ID: i32 = 1;
 const CHAIN_ID: u64 = 1;
 
 const ALLOWED: Address = address!("1111111111111111111111111111111111111111");
@@ -25,8 +25,8 @@ const OTHER: Address = address!("2222222222222222222222222222222222222222");
 
 fn ctx(to: Address, value: U256) -> EvalContext {
     EvalContext {
-        target: EvmWalletVisibility {
+        target: EvmWalletAccess {
-            id: VISIBILITY_ID,
+            id: WALLET_ACCESS_ID,
             wallet_id: 10,
             client_id: 20,
             created_at: SqliteTimestamp(Utc::now()),
@@ -43,7 +43,7 @@ fn ctx(to: Address, value: U256) -> EvalContext {
 async fn insert_basic(conn: &mut DatabaseConnection, revoked: bool) -> EvmBasicGrant {
     insert_into(evm_basic_grant::table)
         .values(NewEvmBasicGrant {
-            visibility_id: VISIBILITY_ID,
+            wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
             valid_from: None,
             valid_until: None,
@@ -71,7 +71,7 @@ fn make_settings(targets: Vec<Address>, max_volume: u64) -> Settings {
 
 fn shared() -> SharedGrantSettings {
     SharedGrantSettings {
-        visibility_id: VISIBILITY_ID,
+        wallet_access_id: WALLET_ACCESS_ID,
         chain: CHAIN_ID,
         valid_from: None,
         valid_until: None,
@@ -156,7 +156,7 @@ async fn evaluate_passes_when_volume_within_limit() {
     insert_into(evm_transaction_log::table)
         .values(NewEvmTransactionLog {
             grant_id,
-            visibility_id: VISIBILITY_ID,
+            wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
             eth_value: utils::u256_to_bytes(U256::from(500u64)).to_vec(),
             signed_at: SqliteTimestamp(Utc::now()),
@@ -196,7 +196,7 @@ async fn evaluate_rejects_volume_over_limit() {
     insert_into(evm_transaction_log::table)
         .values(NewEvmTransactionLog {
             grant_id,
-            visibility_id: VISIBILITY_ID,
+            wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
             eth_value: utils::u256_to_bytes(U256::from(1_001u64)).to_vec(),
             signed_at: SqliteTimestamp(Utc::now()),
@@ -237,7 +237,7 @@ async fn evaluate_passes_at_exactly_volume_limit() {
     insert_into(evm_transaction_log::table)
         .values(NewEvmTransactionLog {
             grant_id,
-            visibility_id: VISIBILITY_ID,
+            wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
             eth_value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
             signed_at: SqliteTimestamp(Utc::now()),

server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs

@@ -209,7 +209,7 @@ impl Policy for TokenTransfer {
 
         let grant: Option<(EvmBasicGrant, EvmTokenTransferGrant)> = grant_join()
             .filter(evm_basic_grant::revoked_at.is_null())
-            .filter(evm_basic_grant::visibility_id.eq(context.target.id))
+            .filter(evm_basic_grant::wallet_access_id.eq(context.target.id))
             .filter(evm_token_transfer_grant::token_contract.eq(&token_contract_bytes))
             .select((
                 EvmBasicGrant::as_select(),

server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs

@@ -6,7 +6,7 @@ use diesel_async::RunQueryDsl;
 
 use crate::db::{
     self, DatabaseConnection,
-    models::{EvmBasicGrant, EvmWalletVisibility, NewEvmBasicGrant, SqliteTimestamp},
+    models::{EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, SqliteTimestamp},
     schema::evm_basic_grant,
 };
 use crate::evm::{
@@ -21,7 +21,7 @@ use super::{Settings, TokenTransfer};
 const CHAIN_ID: u64 = 1;
 const DAI: Address = address!("6B175474E89094C44Da98b954EedeAC495271d0F");
 
-const VISIBILITY_ID: i32 = 1;
+const WALLET_ACCESS_ID: i32 = 1;
 
 const RECIPIENT: Address = address!("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
 const OTHER: Address = address!("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb");
@@ -37,8 +37,8 @@ fn transfer_calldata(to: Address, value: U256) -> Bytes {
 
 fn ctx(to: Address, calldata: Bytes) -> EvalContext {
     EvalContext {
-        target: EvmWalletVisibility {
+        target: EvmWalletAccess {
-            id: VISIBILITY_ID,
+            id: WALLET_ACCESS_ID,
             wallet_id: 10,
             client_id: 20,
             created_at: SqliteTimestamp(Utc::now()),
@@ -55,7 +55,7 @@ fn ctx(to: Address, calldata: Bytes) -> EvalContext {
 async fn insert_basic(conn: &mut DatabaseConnection, revoked: bool) -> EvmBasicGrant {
     insert_into(evm_basic_grant::table)
         .values(NewEvmBasicGrant {
-            visibility_id: VISIBILITY_ID,
+            wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
             valid_from: None,
             valid_until: None,
@@ -88,7 +88,7 @@ fn make_settings(target: Option<Address>, max_volume: Option<u64>) -> Settings {
 
 fn shared() -> SharedGrantSettings {
     SharedGrantSettings {
-        visibility_id: VISIBILITY_ID,
+        wallet_access_id: WALLET_ACCESS_ID,
         chain: CHAIN_ID,
         valid_from: None,
         valid_until: None,

server/crates/arbiter-server/src/grpc/user_agent.rs

@@ -318,7 +318,7 @@ fn parse_grant_request(
 
 fn shared_settings_from_proto(shared: ProtoSharedSettings) -> Result<SharedGrantSettings, Status> {
     Ok(SharedGrantSettings {
-        visibility_id: shared.visibility_id,
+        wallet_access_id: shared.wallet_access_id,
         chain: shared.chain_id,
         valid_from: shared.valid_from.map(proto_timestamp_to_utc).transpose()?,
         valid_until: shared.valid_until.map(proto_timestamp_to_utc).transpose()?,
@@ -402,7 +402,7 @@ fn proto_timestamp_to_utc(
 
 fn shared_settings_to_proto(shared: SharedGrantSettings) -> ProtoSharedSettings {
     ProtoSharedSettings {
-        visibility_id: shared.visibility_id,
+        wallet_access_id: shared.wallet_access_id,
         chain_id: shared.chain,
         valid_from: shared.valid_from.map(|time| prost_types::Timestamp {
             seconds: time.timestamp(),
@@ -542,7 +542,7 @@ impl EvmGrantOrWallet {
                     .into_iter()
                     .map(|grant| GrantEntry {
                         id: grant.id,
-                        visibility_id: grant.shared.visibility_id,
+                        wallet_access_id: grant.shared.wallet_access_id,
                         shared: Some(shared_settings_to_proto(grant.shared)),
                         specific: Some(specific_grant_to_proto(grant.settings)),
                     })
@@ -566,8 +566,7 @@ pub async fn start(
 ) {
     let mut request_tracker = RequestTracker::default();
 
-    let pubkey = match auth::start(&mut conn, &mut bi, &mut request_tracker).await
+    let pubkey = match auth::start(&mut conn, &mut bi, &mut request_tracker).await {
-    {
         Ok(pubkey) => pubkey,
         Err(e) => {
             warn!(error = ?e, "Authentication failed");

server/crates/arbiter-server/tests/client/auth.rs

@@ -153,9 +153,7 @@ pub async fn test_metadata_unchanged_does_not_append_history() {
     let requested = metadata("client", Some("desc"), Some("1.0.0"));
 
     {
-        use arbiter_server::db::schema::{
+        use arbiter_server::db::schema::{client_metadata, program_client};
-            client_metadata, program_client,
-        };
         let mut conn = db.get().await.unwrap();
         let metadata_id: i32 = insert_into(client_metadata::table)
             .values((
@@ -232,9 +230,7 @@ pub async fn test_metadata_change_appends_history_and_repoints_binding() {
     let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
 
     {
-        use arbiter_server::db::schema::{
+        use arbiter_server::db::schema::{client_metadata, program_client};
-            client_metadata, program_client,
-        };
         let mut conn = db.get().await.unwrap();
         let metadata_id: i32 = insert_into(client_metadata::table)
             .values((