refactor(server, protocol): split big message files into smaller and domain-based

server/crates/arbiter-proto/src/lib.rs

@@ -8,6 +8,30 @@ pub mod proto {
 
     pub mod user_agent {
         tonic::include_proto!("arbiter.user_agent");
+
+        pub mod auth {
+            tonic::include_proto!("arbiter.user_agent.auth");
+        }
+
+        pub mod evm {
+            tonic::include_proto!("arbiter.user_agent.evm");
+        }
+
+        pub mod sdk_client {
+            tonic::include_proto!("arbiter.user_agent.sdk_client");
+        }
+
+        pub mod vault {
+            tonic::include_proto!("arbiter.user_agent.vault");
+
+            pub mod bootstrap {
+                tonic::include_proto!("arbiter.user_agent.vault.bootstrap");
+            }
+
+            pub mod unseal {
+                tonic::include_proto!("arbiter.user_agent.vault.unseal");
+            }
+        }
     }
 
     pub mod client {

server/crates/arbiter-server/src/grpc/user_agent.rs

@@ -2,29 +2,8 @@ use tokio::sync::mpsc;
 
 use arbiter_proto::{
     proto::{
-        client::ClientInfo as ProtoClientMetadata,
-        evm::{
-            EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
-            EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse,
-            GrantEntry, WalletCreateResponse, WalletEntry, WalletList, WalletListResponse,
-            evm_grant_create_response::Result as EvmGrantCreateResult,
-            evm_grant_delete_response::Result as EvmGrantDeleteResult,
-            evm_grant_list_response::Result as EvmGrantListResult,
-            wallet_create_response::Result as WalletCreateResult,
-            wallet_list_response::Result as WalletListResult,
-        },
         user_agent::{
-            BootstrapEncryptedKey as ProtoBootstrapEncryptedKey,
-            BootstrapResult as ProtoBootstrapResult, ListWalletAccessResponse,
-            SdkClientConnectionCancel as ProtoSdkClientConnectionCancel,
-            SdkClientConnectionRequest as ProtoSdkClientConnectionRequest,
-            SdkClientEntry as ProtoSdkClientEntry, SdkClientError as ProtoSdkClientError,
-            SdkClientGrantWalletAccess, SdkClientList as ProtoSdkClientList,
-            SdkClientListResponse as ProtoSdkClientListResponse, SdkClientRevokeWalletAccess,
-            UnsealEncryptedKey as ProtoUnsealEncryptedKey,
-            UnsealResult as ProtoUnsealResult, UnsealStart, UserAgentRequest, UserAgentResponse,
-            VaultState as ProtoVaultState,
-            sdk_client_list_response::Result as ProtoSdkClientListResult,
+            UserAgentRequest, UserAgentResponse,
             user_agent_request::Payload as UserAgentRequestPayload,
             user_agent_response::Payload as UserAgentResponsePayload,
         },
@@ -32,33 +11,20 @@ use arbiter_proto::{
     transport::{Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
 use async_trait::async_trait;
-use kameo::{
-    actor::{ActorRef, Spawn as _},
-    error::SendError,
-};
+use kameo::actor::{ActorRef, Spawn as _};
 use tonic::Status;
 use tracing::{error, info, warn};
 
 use crate::{
-    actors::{
-        keyholder::KeyHolderState,
-        user_agent::{
-            OutOfBand, UserAgentConnection, UserAgentSession,
-            session::connection::{
-                BootstrapError, HandleBootstrapEncryptedKey, HandleEvmWalletCreate,
-                HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete,
-                HandleGrantEvmWalletAccess, HandleGrantList, HandleListWalletAccess,
-                HandleNewClientApprove, HandleQueryVaultState, HandleRevokeEvmWalletAccess,
-                HandleSdkClientList, HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
-            },
-        },
-    },
-    db::models::NewEvmWalletAccess,
-    grpc::{Convert, TryConvert, request_tracker::RequestTracker},
+    actors::user_agent::{OutOfBand, UserAgentConnection, UserAgentSession},
+    grpc::request_tracker::RequestTracker,
 };
 mod auth;
+mod evm;
 mod inbound;
 mod outbound;
+mod sdk_client;
+mod vault;
 
 pub struct OutOfBandAdapter(mpsc::Sender<OutOfBand>);
 
@@ -86,23 +52,7 @@ async fn dispatch_loop(
                     return;
                 };
 
-                let payload = match oob {
-                    OutOfBand::ClientConnectionRequest { profile } => {
-                        UserAgentResponsePayload::SdkClientConnectionRequest(ProtoSdkClientConnectionRequest {
-                            pubkey: profile.pubkey.to_bytes().to_vec(),
-                            info: Some(ProtoClientMetadata {
-                                name: profile.metadata.name,
-                                description: profile.metadata.description,
-                                version: profile.metadata.version,
-                            }),
-                        })
-                    }
-                    OutOfBand::ClientConnectionCancel { pubkey } => {
-                        UserAgentResponsePayload::SdkClientConnectionCancel(ProtoSdkClientConnectionCancel {
-                            pubkey: pubkey.to_bytes().to_vec(),
-                        })
-                    }
-                };
+                let payload = sdk_client::out_of_band_payload(oob);
 
                 if bi.send(Ok(UserAgentResponse { id: None, payload: Some(payload) })).await.is_err() {
                     return;
@@ -144,7 +94,7 @@ async fn dispatch_loop(
                     }
                     Ok(None) => {}
                     Err(status) => {
-                         error!(?status, "Failed to process user agent request");
+                        error!(?status, "Failed to process user agent request");
                         let _ = bi.send(Err(status)).await;
                         return;
                     }
@@ -159,337 +109,16 @@ async fn dispatch_inner(
     payload: UserAgentRequestPayload,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
     match payload {
-        UserAgentRequestPayload::UnsealStart(req) => handle_unseal_start(actor, req).await,
-        UserAgentRequestPayload::UnsealEncryptedKey(req) => {
-            handle_unseal_encrypted_key(actor, req).await
-        }
-        UserAgentRequestPayload::BootstrapEncryptedKey(req) => {
-            handle_bootstrap_encrypted_key(actor, req).await
-        }
-        UserAgentRequestPayload::QueryVaultState(_) => handle_query_vault_state(actor).await,
-        UserAgentRequestPayload::EvmWalletCreate(_) => handle_evm_wallet_create(actor).await,
-        UserAgentRequestPayload::EvmWalletList(_) => handle_evm_wallet_list(actor).await,
-        UserAgentRequestPayload::EvmGrantList(_) => handle_evm_grant_list(actor).await,
-        UserAgentRequestPayload::EvmGrantCreate(req) => handle_evm_grant_create(actor, req).await,
-        UserAgentRequestPayload::EvmGrantDelete(req) => handle_evm_grant_delete(actor, req).await,
-        UserAgentRequestPayload::SdkClientConnectionResponse(resp) => {
-            handle_sdk_client_connection_response(actor, resp).await
-        }
-        UserAgentRequestPayload::SdkClientRevoke(_) => {
-            Err(Status::unimplemented("SdkClientRevoke is not yet implemented"))
-        }
-        UserAgentRequestPayload::SdkClientList(_) => handle_sdk_client_list(actor).await,
-        UserAgentRequestPayload::GrantWalletAccess(req) => {
-            handle_grant_wallet_access(actor, req).await
-        }
-        UserAgentRequestPayload::RevokeWalletAccess(req) => {
-            handle_revoke_wallet_access(actor, req).await
-        }
-        UserAgentRequestPayload::ListWalletAccess(_) => handle_list_wallet_access(actor).await,
-        UserAgentRequestPayload::AuthChallengeRequest(..)
-        | UserAgentRequestPayload::AuthChallengeSolution(..) => {
-            warn!(?payload, "Unsupported post-auth user agent request");
+        UserAgentRequestPayload::Vault(req) => vault::dispatch(actor, req).await,
+        UserAgentRequestPayload::Evm(req) => evm::dispatch(actor, req).await,
+        UserAgentRequestPayload::SdkClient(req) => sdk_client::dispatch(actor, req).await,
+        UserAgentRequestPayload::Auth(..) => {
+            warn!("Unsupported post-auth user agent auth request");
             Err(Status::invalid_argument("Unsupported user-agent request"))
         }
     }
 }
 
-async fn handle_unseal_start(
-    actor: &ActorRef<UserAgentSession>,
-    req: UnsealStart,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let client_pubkey = <[u8; 32]>::try_from(req.client_pubkey)
-        .map(x25519_dalek::PublicKey::from)
-        .map_err(|_| Status::invalid_argument("Invalid X25519 public key"))?;
-
-    let response = actor
-        .ask(HandleUnsealRequest { client_pubkey })
-        .await
-        .map_err(|err| {
-            warn!(error = ?err, "Failed to handle unseal start request");
-            Status::internal("Failed to start unseal flow")
-        })?;
-
-    Ok(Some(UserAgentResponsePayload::UnsealStartResponse(
-        arbiter_proto::proto::user_agent::UnsealStartResponse {
-            server_pubkey: response.server_pubkey.as_bytes().to_vec(),
-        },
-    )))
-}
-
-async fn handle_unseal_encrypted_key(
-    actor: &ActorRef<UserAgentSession>,
-    req: ProtoUnsealEncryptedKey,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor
-        .ask(HandleUnsealEncryptedKey {
-            nonce: req.nonce,
-            ciphertext: req.ciphertext,
-            associated_data: req.associated_data,
-        })
-        .await
-    {
-        Ok(()) => ProtoUnsealResult::Success,
-        Err(SendError::HandlerError(UnsealError::InvalidKey)) => ProtoUnsealResult::InvalidKey,
-        Err(err) => {
-            warn!(error = ?err, "Failed to handle unseal request");
-            return Err(Status::internal("Failed to unseal vault"));
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::UnsealResult(result.into())))
-}
-
-async fn handle_bootstrap_encrypted_key(
-    actor: &ActorRef<UserAgentSession>,
-    req: ProtoBootstrapEncryptedKey,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor
-        .ask(HandleBootstrapEncryptedKey {
-            nonce: req.nonce,
-            ciphertext: req.ciphertext,
-            associated_data: req.associated_data,
-        })
-        .await
-    {
-        Ok(()) => ProtoBootstrapResult::Success,
-        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => ProtoBootstrapResult::InvalidKey,
-        Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
-            ProtoBootstrapResult::AlreadyBootstrapped
-        }
-        Err(err) => {
-            warn!(error = ?err, "Failed to handle bootstrap request");
-            return Err(Status::internal("Failed to bootstrap vault"));
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::BootstrapResult(result.into())))
-}
-
-async fn handle_query_vault_state(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let state = match actor.ask(HandleQueryVaultState {}).await {
-        Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
-        Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
-        Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
-        Err(err) => {
-            warn!(error = ?err, "Failed to query vault state");
-            ProtoVaultState::Error
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::VaultState(state.into())))
-}
-
-async fn handle_evm_wallet_create(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleEvmWalletCreate {}).await {
-        Ok((wallet_id, address)) => WalletCreateResult::Wallet(WalletEntry {
-            id: wallet_id,
-            address: address.to_vec(),
-        }),
-        Err(err) => {
-            warn!(error = ?err, "Failed to create EVM wallet");
-            WalletCreateResult::Error(ProtoEvmError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::EvmWalletCreate(
-        WalletCreateResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_evm_wallet_list(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleEvmWalletList {}).await {
-        Ok(wallets) => WalletListResult::Wallets(WalletList {
-            wallets: wallets
-                .into_iter()
-                .map(|(id, address)| WalletEntry {
-                    address: address.to_vec(),
-                    id,
-                })
-                .collect(),
-        }),
-        Err(err) => {
-            warn!(error = ?err, "Failed to list EVM wallets");
-            WalletListResult::Error(ProtoEvmError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::EvmWalletList(
-        WalletListResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_evm_grant_list(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleGrantList {}).await {
-        Ok(grants) => EvmGrantListResult::Grants(EvmGrantList {
-            grants: grants
-                .into_iter()
-                .map(|grant| GrantEntry {
-                    id: grant.id,
-                    wallet_access_id: grant.shared.wallet_access_id,
-                    shared: Some(grant.shared.convert()),
-                    specific: Some(grant.settings.convert()),
-                })
-                .collect(),
-        }),
-        Err(err) => {
-            warn!(error = ?err, "Failed to list EVM grants");
-            EvmGrantListResult::Error(ProtoEvmError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::EvmGrantList(
-        EvmGrantListResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_evm_grant_create(
-    actor: &ActorRef<UserAgentSession>,
-    req: EvmGrantCreateRequest,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let basic = req
-        .shared
-        .ok_or_else(|| Status::invalid_argument("Missing shared grant settings"))?
-        .try_convert()?;
-    let grant = req
-        .specific
-        .ok_or_else(|| Status::invalid_argument("Missing specific grant settings"))?
-        .try_convert()?;
-
-    let result = match actor.ask(HandleGrantCreate { basic, grant }).await {
-        Ok(grant_id) => EvmGrantCreateResult::GrantId(grant_id),
-        Err(err) => {
-            warn!(error = ?err, "Failed to create EVM grant");
-            EvmGrantCreateResult::Error(ProtoEvmError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::EvmGrantCreate(
-        EvmGrantCreateResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_evm_grant_delete(
-    actor: &ActorRef<UserAgentSession>,
-    req: EvmGrantDeleteRequest,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleGrantDelete { grant_id: req.grant_id }).await {
-        Ok(()) => EvmGrantDeleteResult::Ok(()),
-        Err(err) => {
-            warn!(error = ?err, "Failed to delete EVM grant");
-            EvmGrantDeleteResult::Error(ProtoEvmError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::EvmGrantDelete(
-        EvmGrantDeleteResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_sdk_client_connection_response(
-    actor: &ActorRef<UserAgentSession>,
-    resp: arbiter_proto::proto::user_agent::SdkClientConnectionResponse,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let pubkey_bytes = <[u8; 32]>::try_from(resp.pubkey)
-        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key length"))?;
-    let pubkey = ed25519_dalek::VerifyingKey::from_bytes(&pubkey_bytes)
-        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key"))?;
-
-    actor
-        .ask(HandleNewClientApprove {
-            approved: resp.approved,
-            pubkey,
-        })
-        .await
-        .map_err(|err| {
-            warn!(?err, "Failed to process client connection response");
-            Status::internal("Failed to process response")
-        })?;
-
-    Ok(None)
-}
-
-async fn handle_sdk_client_list(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleSdkClientList {}).await {
-        Ok(clients) => ProtoSdkClientListResult::Clients(ProtoSdkClientList {
-            clients: clients
-                .into_iter()
-                .map(|(client, metadata)| ProtoSdkClientEntry {
-                    id: client.id,
-                    pubkey: client.public_key,
-                    info: Some(ProtoClientMetadata {
-                        name: metadata.name,
-                        description: metadata.description,
-                        version: metadata.version,
-                    }),
-                    created_at: client.created_at.0.timestamp() as i32,
-                })
-                .collect(),
-        }),
-        Err(err) => {
-            warn!(error = ?err, "Failed to list SDK clients");
-            ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
-        }
-    };
-    Ok(Some(UserAgentResponsePayload::SdkClientListResponse(
-        ProtoSdkClientListResponse { result: Some(result) },
-    )))
-}
-
-async fn handle_grant_wallet_access(
-    actor: &ActorRef<UserAgentSession>,
-    req: SdkClientGrantWalletAccess,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let entries: Vec<NewEvmWalletAccess> = req.accesses.into_iter().map(|a| a.convert()).collect();
-    match actor.ask(HandleGrantEvmWalletAccess { entries }).await {
-        Ok(()) => {
-            info!("Successfully granted wallet access");
-            Ok(None)
-        }
-        Err(err) => {
-            warn!(error = ?err, "Failed to grant wallet access");
-            Err(Status::internal("Failed to grant wallet access"))
-        }
-    }
-}
-
-async fn handle_revoke_wallet_access(
-    actor: &ActorRef<UserAgentSession>,
-    req: SdkClientRevokeWalletAccess,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    match actor
-        .ask(HandleRevokeEvmWalletAccess { entries: req.accesses })
-        .await
-    {
-        Ok(()) => {
-            info!("Successfully revoked wallet access");
-            Ok(None)
-        }
-        Err(err) => {
-            warn!(error = ?err, "Failed to revoke wallet access");
-            Err(Status::internal("Failed to revoke wallet access"))
-        }
-    }
-}
-
-async fn handle_list_wallet_access(
-    actor: &ActorRef<UserAgentSession>,
-) -> Result<Option<UserAgentResponsePayload>, Status> {
-    match actor.ask(HandleListWalletAccess {}).await {
-        Ok(accesses) => Ok(Some(UserAgentResponsePayload::ListWalletAccessResponse(
-            ListWalletAccessResponse {
-                accesses: accesses.into_iter().map(|a| a.convert()).collect(),
-            },
-        ))),
-        Err(err) => {
-            warn!(error = ?err, "Failed to list wallet access");
-            Err(Status::internal("Failed to list wallet access"))
-        }
-    }
-}
-
 pub async fn start(
     mut conn: UserAgentConnection,
     mut bi: GrpcBi<UserAgentRequest, UserAgentResponse>,

server/crates/arbiter-server/src/grpc/user_agent/auth.rs

@@ -1,9 +1,12 @@
 use arbiter_proto::{
     proto::user_agent::{
-        AuthChallenge as ProtoAuthChallenge, AuthChallengeRequest as ProtoAuthChallengeRequest,
-        AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
-        KeyType as ProtoKeyType, UserAgentRequest, UserAgentResponse,
-        user_agent_request::Payload as UserAgentRequestPayload,
+        UserAgentRequest, UserAgentResponse, auth::{
+            self as proto_auth, AuthChallenge as ProtoAuthChallenge,
+            AuthChallengeRequest as ProtoAuthChallengeRequest,
+            AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
+            KeyType as ProtoKeyType, request::Payload as AuthRequestPayload,
+            response::Payload as AuthResponsePayload,
+        }, user_agent_request::Payload as UserAgentRequestPayload,
         user_agent_response::Payload as UserAgentResponsePayload,
     },
     transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
@@ -36,12 +39,14 @@ impl<'a> AuthTransportAdapter<'a> {
 
     async fn send_user_agent_response(
         &mut self,
-        payload: UserAgentResponsePayload,
+        payload: AuthResponsePayload,
     ) -> Result<(), TransportError> {
         self.bi
             .send(Ok(UserAgentResponse {
                 id: Some(self.request_tracker.current_request_id()),
-                payload: Some(payload),
+                payload: Some(UserAgentResponsePayload::Auth(proto_auth::Response {
+                    payload: Some(payload),
+                })),
             }))
             .await
     }
@@ -56,19 +61,17 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
         use auth::{Error, Outbound};
         let payload = match item {
             Ok(Outbound::AuthChallenge { nonce }) => {
-                UserAgentResponsePayload::AuthChallenge(ProtoAuthChallenge { nonce })
-            }
-            Ok(Outbound::AuthSuccess) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::Success.into())
+                AuthResponsePayload::Challenge(ProtoAuthChallenge { nonce })
             }
+            Ok(Outbound::AuthSuccess) => AuthResponsePayload::Result(ProtoAuthResult::Success.into()),
             Err(Error::UnregisteredPublicKey) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::InvalidKey.into())
+                AuthResponsePayload::Result(ProtoAuthResult::InvalidKey.into())
             }
             Err(Error::InvalidChallengeSolution) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::InvalidSignature.into())
+                AuthResponsePayload::Result(ProtoAuthResult::InvalidSignature.into())
             }
             Err(Error::InvalidBootstrapToken) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::TokenInvalid.into())
+                AuthResponsePayload::Result(ProtoAuthResult::TokenInvalid.into())
             }
             Err(Error::Internal { details }) => {
                 return self.bi.send(Err(Status::internal(details))).await;
@@ -112,8 +115,26 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
             return None;
         };
 
+        let UserAgentRequestPayload::Auth(auth_request) = payload else {
+            let _ = self
+                .bi
+                .send(Err(Status::invalid_argument(
+                    "Unsupported user-agent auth request",
+                )))
+                .await;
+            return None;
+        };
+
+        let Some(payload) = auth_request.payload else {
+            warn!(
+                event = "received auth request with empty payload",
+                "grpc.useragent.auth_adapter"
+            );
+            return None;
+        };
+
         match payload {
-            UserAgentRequestPayload::AuthChallengeRequest(ProtoAuthChallengeRequest {
+            AuthRequestPayload::ChallengeRequest(ProtoAuthChallengeRequest {
                 pubkey,
                 bootstrap_token,
                 key_type,
@@ -150,18 +171,9 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                     bootstrap_token,
                 })
             }
-            UserAgentRequestPayload::AuthChallengeSolution(ProtoAuthChallengeSolution {
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
                 signature,
             }) => Some(auth::Inbound::AuthChallengeSolution { signature }),
-            _ => {
-                let _ = self
-                    .bi
-                    .send(Err(Status::invalid_argument(
-                        "Unsupported user-agent auth request",
-                    )))
-                    .await;
-                None
-            }
         }
     }
 }

server/crates/arbiter-server/src/grpc/user_agent/evm.rs

@@ -0,0 +1,170 @@
+use arbiter_proto::proto::{
+    evm::{
+        EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
+        EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse,
+        GrantEntry, WalletCreateResponse, WalletEntry, WalletList, WalletListResponse,
+        evm_grant_create_response::Result as EvmGrantCreateResult,
+        evm_grant_delete_response::Result as EvmGrantDeleteResult,
+        evm_grant_list_response::Result as EvmGrantListResult,
+        wallet_create_response::Result as WalletCreateResult,
+        wallet_list_response::Result as WalletListResult,
+    },
+    user_agent::{
+        evm::{self as proto_evm, request::Payload as EvmRequestPayload, response::Payload as EvmResponsePayload},
+        user_agent_response::Payload as UserAgentResponsePayload,
+    },
+};
+use kameo::actor::ActorRef;
+use tonic::Status;
+use tracing::warn;
+
+use crate::{
+    actors::user_agent::{
+        UserAgentSession,
+        session::connection::{
+            HandleEvmWalletCreate, HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete,
+            HandleGrantList,
+        },
+    },
+    grpc::{Convert, TryConvert},
+};
+
+fn wrap_evm_response(payload: EvmResponsePayload) -> UserAgentResponsePayload {
+    UserAgentResponsePayload::Evm(proto_evm::Response {
+        payload: Some(payload),
+    })
+}
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_evm::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing EVM request payload"));
+    };
+
+    match payload {
+        EvmRequestPayload::WalletCreate(_) => handle_wallet_create(actor).await,
+        EvmRequestPayload::WalletList(_) => handle_wallet_list(actor).await,
+        EvmRequestPayload::GrantCreate(req) => handle_grant_create(actor, req).await,
+        EvmRequestPayload::GrantDelete(req) => handle_grant_delete(actor, req).await,
+        EvmRequestPayload::GrantList(_) => handle_grant_list(actor).await,
+    }
+}
+
+async fn handle_wallet_create(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleEvmWalletCreate {}).await {
+        Ok((wallet_id, address)) => WalletCreateResult::Wallet(WalletEntry {
+            id: wallet_id,
+            address: address.to_vec(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to create EVM wallet");
+            WalletCreateResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::WalletCreate(
+        WalletCreateResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_wallet_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleEvmWalletList {}).await {
+        Ok(wallets) => WalletListResult::Wallets(WalletList {
+            wallets: wallets
+                .into_iter()
+                .map(|(id, address)| WalletEntry {
+                    address: address.to_vec(),
+                    id,
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list EVM wallets");
+            WalletListResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::WalletList(
+        WalletListResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_grant_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleGrantList {}).await {
+        Ok(grants) => EvmGrantListResult::Grants(EvmGrantList {
+            grants: grants
+                .into_iter()
+                .map(|grant| GrantEntry {
+                    id: grant.id,
+                    wallet_access_id: grant.shared.wallet_access_id,
+                    shared: Some(grant.shared.convert()),
+                    specific: Some(grant.settings.convert()),
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list EVM grants");
+            EvmGrantListResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::GrantList(
+        EvmGrantListResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_grant_create(
+    actor: &ActorRef<UserAgentSession>,
+    req: EvmGrantCreateRequest,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let basic = req
+        .shared
+        .ok_or_else(|| Status::invalid_argument("Missing shared grant settings"))?
+        .try_convert()?;
+    let grant = req
+        .specific
+        .ok_or_else(|| Status::invalid_argument("Missing specific grant settings"))?
+        .try_convert()?;
+
+    let result = match actor.ask(HandleGrantCreate { basic, grant }).await {
+        Ok(grant_id) => EvmGrantCreateResult::GrantId(grant_id),
+        Err(err) => {
+            warn!(error = ?err, "Failed to create EVM grant");
+            EvmGrantCreateResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::GrantCreate(
+        EvmGrantCreateResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_grant_delete(
+    actor: &ActorRef<UserAgentSession>,
+    req: EvmGrantDeleteRequest,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleGrantDelete { grant_id: req.grant_id }).await {
+        Ok(()) => EvmGrantDeleteResult::Ok(()),
+        Err(err) => {
+            warn!(error = ?err, "Failed to delete EVM grant");
+            EvmGrantDeleteResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::GrantDelete(
+        EvmGrantDeleteResponse {
+            result: Some(result),
+        },
+    ))))
+}

server/crates/arbiter-server/src/grpc/user_agent/inbound.rs

@@ -5,12 +5,14 @@ use arbiter_proto::proto::evm::{
     TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
     specific_grant::Grant as ProtoSpecificGrantType,
 };
-use arbiter_proto::proto::user_agent::{SdkClientWalletAccess, WalletAccess};
+use arbiter_proto::proto::user_agent::sdk_client::{
+    WalletAccess, WalletAccessEntry as SdkClientWalletAccess,
+};
 use chrono::{DateTime, TimeZone, Utc};
 use prost_types::Timestamp as ProtoTimestamp;
 use tonic::Status;
 
-use crate::db::models::{CoreEvmWalletAccess, NewEvmWallet, NewEvmWalletAccess};
+use crate::db::models::{CoreEvmWalletAccess, NewEvmWalletAccess};
 use crate::grpc::Convert;
 use crate::{
     evm::policies::{

server/crates/arbiter-server/src/grpc/user_agent/outbound.rs

@@ -5,7 +5,9 @@ use arbiter_proto::proto::{
         TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
         specific_grant::Grant as ProtoSpecificGrantType,
     },
-    user_agent::{SdkClientWalletAccess as ProtoSdkClientWalletAccess, WalletAccess},
+    user_agent::sdk_client::{
+        WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess,
+    },
 };
 use chrono::{DateTime, Utc};
 use prost_types::Timestamp as ProtoTimestamp;

server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs

@@ -0,0 +1,190 @@
+use arbiter_proto::proto::{
+    client::ClientInfo as ProtoClientMetadata,
+    user_agent::{
+        sdk_client::{
+            self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
+            ConnectionRequest as ProtoSdkClientConnectionRequest,
+            ConnectionResponse as ProtoSdkClientConnectionResponse, Entry as ProtoSdkClientEntry,
+            Error as ProtoSdkClientError, GrantWalletAccess as ProtoSdkClientGrantWalletAccess,
+            List as ProtoSdkClientList, ListResponse as ProtoSdkClientListResponse,
+            ListWalletAccessResponse, RevokeWalletAccess as ProtoSdkClientRevokeWalletAccess,
+            list_response::Result as ProtoSdkClientListResult,
+            request::Payload as SdkClientRequestPayload,
+            response::Payload as SdkClientResponsePayload,
+        },
+        user_agent_response::Payload as UserAgentResponsePayload,
+    },
+};
+use kameo::actor::ActorRef;
+use tonic::Status;
+use tracing::{info, warn};
+
+use crate::{
+    actors::user_agent::{
+        OutOfBand, UserAgentSession,
+        session::connection::{
+            HandleGrantEvmWalletAccess, HandleListWalletAccess, HandleNewClientApprove,
+            HandleRevokeEvmWalletAccess, HandleSdkClientList,
+        },
+    },
+    db::models::NewEvmWalletAccess,
+    grpc::Convert,
+};
+
+fn wrap_sdk_client_response(payload: SdkClientResponsePayload) -> UserAgentResponsePayload {
+    UserAgentResponsePayload::SdkClient(proto_sdk_client::Response {
+        payload: Some(payload),
+    })
+}
+
+pub(super) fn out_of_band_payload(oob: OutOfBand) -> UserAgentResponsePayload {
+    match oob {
+        OutOfBand::ClientConnectionRequest { profile } => wrap_sdk_client_response(
+            SdkClientResponsePayload::ConnectionRequest(ProtoSdkClientConnectionRequest {
+                pubkey: profile.pubkey.to_bytes().to_vec(),
+                info: Some(ProtoClientMetadata {
+                    name: profile.metadata.name,
+                    description: profile.metadata.description,
+                    version: profile.metadata.version,
+                }),
+            }),
+        ),
+        OutOfBand::ClientConnectionCancel { pubkey } => wrap_sdk_client_response(
+            SdkClientResponsePayload::ConnectionCancel(ProtoSdkClientConnectionCancel {
+                pubkey: pubkey.to_bytes().to_vec(),
+            }),
+        ),
+    }
+}
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_sdk_client::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing SDK client request payload"));
+    };
+
+    match payload {
+        SdkClientRequestPayload::ConnectionResponse(resp) => {
+            handle_connection_response(actor, resp).await
+        }
+        SdkClientRequestPayload::Revoke(_) => {
+            Err(Status::unimplemented("SdkClientRevoke is not yet implemented"))
+        }
+        SdkClientRequestPayload::List(_) => handle_list(actor).await,
+        SdkClientRequestPayload::GrantWalletAccess(req) => handle_grant_wallet_access(actor, req).await,
+        SdkClientRequestPayload::RevokeWalletAccess(req) => {
+            handle_revoke_wallet_access(actor, req).await
+        }
+        SdkClientRequestPayload::ListWalletAccess(_) => handle_list_wallet_access(actor).await,
+    }
+}
+
+async fn handle_connection_response(
+    actor: &ActorRef<UserAgentSession>,
+    resp: ProtoSdkClientConnectionResponse,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let pubkey_bytes = <[u8; 32]>::try_from(resp.pubkey)
+        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key length"))?;
+    let pubkey = ed25519_dalek::VerifyingKey::from_bytes(&pubkey_bytes)
+        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key"))?;
+
+    actor
+        .ask(HandleNewClientApprove {
+            approved: resp.approved,
+            pubkey,
+        })
+        .await
+        .map_err(|err| {
+            warn!(?err, "Failed to process client connection response");
+            Status::internal("Failed to process response")
+        })?;
+
+    Ok(None)
+}
+
+async fn handle_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleSdkClientList {}).await {
+        Ok(clients) => ProtoSdkClientListResult::Clients(ProtoSdkClientList {
+            clients: clients
+                .into_iter()
+                .map(|(client, metadata)| ProtoSdkClientEntry {
+                    id: client.id,
+                    pubkey: client.public_key,
+                    info: Some(ProtoClientMetadata {
+                        name: metadata.name,
+                        description: metadata.description,
+                        version: metadata.version,
+                    }),
+                    created_at: client.created_at.0.timestamp() as i32,
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list SDK clients");
+            ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_sdk_client_response(SdkClientResponsePayload::List(
+        ProtoSdkClientListResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_grant_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoSdkClientGrantWalletAccess,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let entries: Vec<NewEvmWalletAccess> = req.accesses.into_iter().map(|a| a.convert()).collect();
+    match actor.ask(HandleGrantEvmWalletAccess { entries }).await {
+        Ok(()) => {
+            info!("Successfully granted wallet access");
+            Ok(None)
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to grant wallet access");
+            Err(Status::internal("Failed to grant wallet access"))
+        }
+    }
+}
+
+async fn handle_revoke_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoSdkClientRevokeWalletAccess,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    match actor
+        .ask(HandleRevokeEvmWalletAccess {
+            entries: req.accesses,
+        })
+        .await
+    {
+        Ok(()) => {
+            info!("Successfully revoked wallet access");
+            Ok(None)
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to revoke wallet access");
+            Err(Status::internal("Failed to revoke wallet access"))
+        }
+    }
+}
+
+async fn handle_list_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    match actor.ask(HandleListWalletAccess {}).await {
+        Ok(accesses) => Ok(Some(wrap_sdk_client_response(
+            SdkClientResponsePayload::ListWalletAccess(ListWalletAccessResponse {
+                accesses: accesses.into_iter().map(|a| a.convert()).collect(),
+            }),
+        ))),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list wallet access");
+            Err(Status::internal("Failed to list wallet access"))
+        }
+    }
+}

server/crates/arbiter-server/src/grpc/user_agent/vault.rs

@@ -0,0 +1,180 @@
+use arbiter_proto::proto::user_agent::{
+    user_agent_response::Payload as UserAgentResponsePayload,
+    vault::{
+        self as proto_vault, VaultState as ProtoVaultState,
+        bootstrap::{
+            self as proto_bootstrap, BootstrapEncryptedKey as ProtoBootstrapEncryptedKey,
+            BootstrapResult as ProtoBootstrapResult,
+        },
+        request::Payload as VaultRequestPayload,
+        response::Payload as VaultResponsePayload,
+        unseal::{
+            self as proto_unseal, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
+            UnsealResult as ProtoUnsealResult, UnsealStart,
+            request::Payload as UnsealRequestPayload,
+            response::Payload as UnsealResponsePayload,
+        },
+    },
+};
+use kameo::{actor::ActorRef, error::SendError};
+use tonic::Status;
+use tracing::warn;
+
+use crate::{
+    actors::{
+        keyholder::KeyHolderState,
+        user_agent::{
+            UserAgentSession,
+            session::connection::{
+                BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
+                HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
+            },
+        },
+    },
+};
+
+fn wrap_vault_response(payload: VaultResponsePayload) -> UserAgentResponsePayload {
+    UserAgentResponsePayload::Vault(proto_vault::Response {
+        payload: Some(payload),
+    })
+}
+
+fn wrap_unseal_response(payload: UnsealResponsePayload) -> UserAgentResponsePayload {
+    wrap_vault_response(VaultResponsePayload::Unseal(proto_unseal::Response {
+        payload: Some(payload),
+    }))
+}
+
+fn wrap_bootstrap_response(result: ProtoBootstrapResult) -> UserAgentResponsePayload {
+    wrap_vault_response(VaultResponsePayload::Bootstrap(proto_bootstrap::Response {
+        result: result.into(),
+    }))
+}
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_vault::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing vault request payload"));
+    };
+
+    match payload {
+        VaultRequestPayload::QueryState(_) => handle_query_vault_state(actor).await,
+        VaultRequestPayload::Unseal(req) => dispatch_unseal_request(actor, req).await,
+        VaultRequestPayload::Bootstrap(req) => handle_bootstrap_request(actor, req).await,
+    }
+}
+
+async fn dispatch_unseal_request(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_unseal::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing unseal request payload"));
+    };
+
+    match payload {
+        UnsealRequestPayload::Start(req) => handle_unseal_start(actor, req).await,
+        UnsealRequestPayload::EncryptedKey(req) => handle_unseal_encrypted_key(actor, req).await,
+    }
+}
+
+async fn handle_unseal_start(
+    actor: &ActorRef<UserAgentSession>,
+    req: UnsealStart,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let client_pubkey = <[u8; 32]>::try_from(req.client_pubkey)
+        .map(x25519_dalek::PublicKey::from)
+        .map_err(|_| Status::invalid_argument("Invalid X25519 public key"))?;
+
+    let response = actor
+        .ask(HandleUnsealRequest { client_pubkey })
+        .await
+        .map_err(|err| {
+            warn!(error = ?err, "Failed to handle unseal start request");
+            Status::internal("Failed to start unseal flow")
+        })?;
+
+    Ok(Some(wrap_unseal_response(UnsealResponsePayload::Start(
+        proto_unseal::UnsealStartResponse {
+            server_pubkey: response.server_pubkey.as_bytes().to_vec(),
+        },
+    ))))
+}
+
+async fn handle_unseal_encrypted_key(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoUnsealEncryptedKey,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor
+        .ask(HandleUnsealEncryptedKey {
+            nonce: req.nonce,
+            ciphertext: req.ciphertext,
+            associated_data: req.associated_data,
+        })
+        .await
+    {
+        Ok(()) => ProtoUnsealResult::Success,
+        Err(SendError::HandlerError(UnsealError::InvalidKey)) => ProtoUnsealResult::InvalidKey,
+        Err(err) => {
+            warn!(error = ?err, "Failed to handle unseal request");
+            return Err(Status::internal("Failed to unseal vault"));
+        }
+    };
+    Ok(Some(wrap_unseal_response(UnsealResponsePayload::Result(
+        result.into(),
+    ))))
+}
+
+async fn handle_bootstrap_request(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_bootstrap::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let encrypted_key = req
+        .encrypted_key
+        .ok_or_else(|| Status::invalid_argument("Missing bootstrap encrypted key"))?;
+    handle_bootstrap_encrypted_key(actor, encrypted_key).await
+}
+
+async fn handle_bootstrap_encrypted_key(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoBootstrapEncryptedKey,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor
+        .ask(HandleBootstrapEncryptedKey {
+            nonce: req.nonce,
+            ciphertext: req.ciphertext,
+            associated_data: req.associated_data,
+        })
+        .await
+    {
+        Ok(()) => ProtoBootstrapResult::Success,
+        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => ProtoBootstrapResult::InvalidKey,
+        Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
+            ProtoBootstrapResult::AlreadyBootstrapped
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to handle bootstrap request");
+            return Err(Status::internal("Failed to bootstrap vault"));
+        }
+    };
+    Ok(Some(wrap_bootstrap_response(result)))
+}
+
+async fn handle_query_vault_state(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let state = match actor.ask(HandleQueryVaultState {}).await {
+        Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
+        Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
+        Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
+        Err(err) => {
+            warn!(error = ?err, "Failed to query vault state");
+            ProtoVaultState::Error
+        }
+    };
+    Ok(Some(wrap_vault_response(VaultResponsePayload::State(
+        state.into(),
+    ))))
+}