merge: @main into client-integrity-verification

Merge branch 'main' into push-zmyvyloztluy
fix(server): use LOCALHOST const instead of hard-coded ip value
2026-04-05 10:25:46 +02:00 · 2026-04-05 07:57:31 +00:00 · 2026-04-04 14:14:15 +00:00 · 2026-04-04 14:10:44 +00:00 · 2026-04-04 14:06:02 +00:00 · 2026-04-04 14:33:48 +02:00
56 changed files with 3007 additions and 365 deletions
--- a/.woodpecker/server-test.yaml
+++ b/.woodpecker/server-test.yaml
@@ -24,4 +24,4 @@ steps:
      - mise install rust 
      - mise install protoc
      - mise install cargo:cargo-nextest
-      - mise exec cargo:cargo-nextest -- cargo nextest run --no-fail-fast
+      - mise exec cargo:cargo-nextest -- cargo nextest run --no-fail-fast --all-features
--- a/docs/superpowers/plans/2026-03-28-grant-creation-refactor.md
+++ b/docs/superpowers/plans/2026-03-28-grant-creation-refactor.md
--- a/docs/superpowers/plans/2026-03-28-grant-grid-view.md
+++ b/docs/superpowers/plans/2026-03-28-grant-grid-view.md
@@ -0,0 +1,821 @@
 # Grant Grid View Implementation Plan
 > **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
 **Goal:** Add an "EVM Grants" dashboard tab that displays all grants as enriched cards (type, chain, wallet address, client name) with per-card revoke support.
 **Architecture:** A new `walletAccessListProvider` fetches wallet accesses with their DB row IDs. The screen (`grants.dart`) watches only `evmGrantsProvider` for top-level state. Each `GrantCard` widget (its own file) watches enrichment providers (`walletAccessListProvider`, `evmProvider`, `sdkClientsProvider`) and the revoke mutation directly — keeping rebuilds scoped to the card. The screen is registered as a dashboard tab in `AdaptiveScaffold`.
 **Tech Stack:** Flutter, Riverpod (`riverpod_annotation` + `build_runner` codegen), `sizer` (adaptive sizing), `auto_route`, Protocol Buffers (Dart), `Palette` design tokens.
 ---
 ## File Map
 | File | Action | Responsibility |
 |---|---|---|
 | `useragent/lib/theme/palette.dart` | Modify | Add `Palette.token` (indigo accent for token-transfer cards) |
 | `useragent/lib/features/connection/evm/wallet_access.dart` | Modify | Add `listAllWalletAccesses()` function |
 | `useragent/lib/providers/sdk_clients/wallet_access_list.dart` | Create | `WalletAccessListProvider` — fetches full wallet access list with IDs |
 | `useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart` | Create | `GrantCard` widget — watches enrichment providers + revoke mutation; one card per grant |
 | `useragent/lib/screens/dashboard/evm/grants/grants.dart` | Create | `EvmGrantsScreen` — watches `evmGrantsProvider`; handles loading/error/empty/data states; renders `GrantCard` list |
 | `useragent/lib/router.dart` | Modify | Register `EvmGrantsRoute` in dashboard children |
 | `useragent/lib/screens/dashboard.dart` | Modify | Add Grants entry to `routes` list and `NavigationDestination` list |
 ---
 ## Task 1: Add `Palette.token`
 **Files:**
 - Modify: `useragent/lib/theme/palette.dart`
 - [ ] **Step 1: Add the color**
 Replace the contents of `useragent/lib/theme/palette.dart` with:
 ```dart
 import 'package:flutter/material.dart';
 class Palette {
  static const ink = Color(0xFF15263C);
  static const coral = Color(0xFFE26254);
  static const cream = Color(0xFFFFFAF4);
  static const line = Color(0x1A15263C);
  static const token = Color(0xFF5C6BC0);
 }
 ```
 - [ ] **Step 2: Verify**
 ```sh
 cd useragent && flutter analyze lib/theme/palette.dart
 ```
 Expected: no issues.
 - [ ] **Step 3: Commit**
 ```sh
 jj describe -m "feat(theme): add Palette.token for token-transfer grant cards"
 jj new
 ```
 ---
 ## Task 2: Add `listAllWalletAccesses` feature function
 **Files:**
 - Modify: `useragent/lib/features/connection/evm/wallet_access.dart`
 `readClientWalletAccess` (existing) filters the list to one client's wallet IDs and returns `Set<int>`. This new function returns the complete unfiltered list with row IDs so the grant cards can resolve wallet_access_id → wallet + client.
 - [ ] **Step 1: Append function**
 Add at the bottom of `useragent/lib/features/connection/evm/wallet_access.dart`:
 ```dart
 Future<List<SdkClientWalletAccess>> listAllWalletAccesses(
  Connection connection,
 ) async {
  final response = await connection.ask(
    UserAgentRequest(listWalletAccess: Empty()),
  );
  if (!response.hasListWalletAccessResponse()) {
    throw Exception(
      'Expected list wallet access response, got ${response.whichPayload()}',
    );
  }
  return response.listWalletAccessResponse.accesses.toList(growable: false);
 }
 ```
 Each returned `SdkClientWalletAccess` has:
 - `.id` — the `evm_wallet_access` row ID (same value as `wallet_access_id` in a `GrantEntry`)
 - `.access.walletId` — the EVM wallet DB ID
 - `.access.sdkClientId` — the SDK client DB ID
 - [ ] **Step 2: Verify**
 ```sh
 cd useragent && flutter analyze lib/features/connection/evm/wallet_access.dart
 ```
 Expected: no issues.
 - [ ] **Step 3: Commit**
 ```sh
 jj describe -m "feat(evm): add listAllWalletAccesses feature function"
 jj new
 ```
 ---
 ## Task 3: Create `WalletAccessListProvider`
 **Files:**
 - Create: `useragent/lib/providers/sdk_clients/wallet_access_list.dart`
 - Generated: `useragent/lib/providers/sdk_clients/wallet_access_list.g.dart`
 Mirrors the structure of `EvmGrants` in `providers/evm/evm_grants.dart` — class-based `@riverpod` with a `refresh()` method.
 - [ ] **Step 1: Write the provider**
 Create `useragent/lib/providers/sdk_clients/wallet_access_list.dart`:
 ```dart
 import 'package:arbiter/features/connection/evm/wallet_access.dart';
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
 import 'package:mtcore/markettakers.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 part 'wallet_access_list.g.dart';
@riverpod
 class WalletAccessList extends _$WalletAccessList {
  @override
  Future<List<SdkClientWalletAccess>?> build() async {
    final connection = await ref.watch(connectionManagerProvider.future);
    if (connection == null) {
      return null;
    }
    try {
      return await listAllWalletAccesses(connection);
    } catch (e, st) {
      talker.handle(e, st);
      rethrow;
    }
  }
  Future<void> refresh() async {
    final connection = await ref.read(connectionManagerProvider.future);
    if (connection == null) {
      state = const AsyncData(null);
      return;
    }
    state = const AsyncLoading();
    state = await AsyncValue.guard(() => listAllWalletAccesses(connection));
  }
 }
 ```
 - [ ] **Step 2: Run code generation**
 ```sh
 cd useragent && dart run build_runner build --delete-conflicting-outputs
 ```
 Expected: `useragent/lib/providers/sdk_clients/wallet_access_list.g.dart` created. No errors.
 - [ ] **Step 3: Verify**
 ```sh
 cd useragent && flutter analyze lib/providers/sdk_clients/
 ```
 Expected: no issues.
 - [ ] **Step 4: Commit**
 ```sh
 jj describe -m "feat(providers): add WalletAccessListProvider"
 jj new
 ```
 ---
 ## Task 4: Create `GrantCard` widget
 **Files:**
 - Create: `useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart`
 This widget owns all per-card logic: enrichment lookups, revoke action, and rebuild scope. The screen only passes it a `GrantEntry` — the card fetches everything else itself.
 **Key types:**
 - `GrantEntry` (from `proto/evm.pb.dart`): `.id`, `.shared.walletAccessId`, `.shared.chainId`, `.specific.whichGrant()`
 - `SpecificGrant_Grant.etherTransfer` / `.tokenTransfer` — enum values for the oneof
 - `SdkClientWalletAccess` (from `proto/user_agent.pb.dart`): `.id`, `.access.walletId`, `.access.sdkClientId`
 - `WalletEntry` (from `proto/evm.pb.dart`): `.id`, `.address` (List<int>)
 - `SdkClientEntry` (from `proto/user_agent.pb.dart`): `.id`, `.info.name`
 - `revokeEvmGrantMutation` — `Mutation<void>` (global; all revoke buttons disable together while any revoke is in flight)
 - `executeRevokeEvmGrant(ref, grantId: int)` — `Future<void>`
 - [ ] **Step 1: Write the widget**
 Create `useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart`:
 ```dart
 import 'package:arbiter/proto/evm.pb.dart';
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:arbiter/providers/evm/evm.dart';
 import 'package:arbiter/providers/evm/evm_grants.dart';
 import 'package:arbiter/providers/sdk_clients/list.dart';
 import 'package:arbiter/providers/sdk_clients/wallet_access_list.dart';
 import 'package:arbiter/theme/palette.dart';
 import 'package:flutter/material.dart';
 import 'package:hooks_riverpod/experimental/mutation.dart';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
 import 'package:sizer/sizer.dart';
 String _shortAddress(List<int> bytes) {
  final hex = bytes.map((b) => b.toRadixString(16).padLeft(2, '0')).join();
  return '0x${hex.substring(0, 6)}...${hex.substring(hex.length - 4)}';
 }
 String _formatError(Object error) {
  final message = error.toString();
  if (message.startsWith('Exception: ')) {
    return message.substring('Exception: '.length);
  }
  return message;
 }
 class GrantCard extends ConsumerWidget {
  const GrantCard({super.key, required this.grant});
  final GrantEntry grant;
  @override
  Widget build(BuildContext context, WidgetRef ref) {
    // Enrichment lookups — each watch scopes rebuilds to this card only
    final walletAccesses =
        ref.watch(walletAccessListProvider).asData?.value ?? const [];
    final wallets = ref.watch(evmProvider).asData?.value ?? const [];
    final clients = ref.watch(sdkClientsProvider).asData?.value ?? const [];
    final revoking = ref.watch(revokeEvmGrantMutation) is MutationPending;
    final isEther =
        grant.specific.whichGrant() == SpecificGrant_Grant.etherTransfer;
    final accent = isEther ? Palette.coral : Palette.token;
    final typeLabel = isEther ? 'Ether' : 'Token';
    final theme = Theme.of(context);
    final muted = Palette.ink.withValues(alpha: 0.62);
    // Resolve wallet_access_id → wallet address + client name
    final accessById = <int, SdkClientWalletAccess>{
      for (final a in walletAccesses) a.id: a,
    };
    final walletById = <int, WalletEntry>{
      for (final w in wallets) w.id: w,
    };
    final clientNameById = <int, String>{
      for (final c in clients) c.id: c.info.name,
    };
    final accessId = grant.shared.walletAccessId;
    final access = accessById[accessId];
    final wallet = access != null ? walletById[access.access.walletId] : null;
    final walletLabel = wallet != null
        ? _shortAddress(wallet.address)
        : 'Access #$accessId';
    final clientLabel = () {
      if (access == null) return '';
      final name = clientNameById[access.access.sdkClientId] ?? '';
      return name.isEmpty ? 'Client #${access.access.sdkClientId}' : name;
    }();
    void showError(String message) {
      if (!context.mounted) return;
      ScaffoldMessenger.of(context).showSnackBar(
        SnackBar(content: Text(message), behavior: SnackBarBehavior.floating),
      );
    }
    Future<void> revoke() async {
      try {
        await executeRevokeEvmGrant(ref, grantId: grant.id);
      } catch (e) {
        showError(_formatError(e));
      }
    }
    return Container(
      decoration: BoxDecoration(
        borderRadius: BorderRadius.circular(24),
        color: Palette.cream.withValues(alpha: 0.92),
        border: Border.all(color: Palette.line),
      ),
      child: IntrinsicHeight(
        child: Row(
          crossAxisAlignment: CrossAxisAlignment.stretch,
          children: [
            // Accent strip
            Container(
              width: 0.8.w,
              decoration: BoxDecoration(
                color: accent,
                borderRadius: const BorderRadius.horizontal(
                  left: Radius.circular(24),
                ),
              ),
            ),
            // Card body
            Expanded(
              child: Padding(
                padding: EdgeInsets.symmetric(
                  horizontal: 1.6.w,
                  vertical: 1.4.h,
                ),
                child: Column(
                  crossAxisAlignment: CrossAxisAlignment.start,
                  children: [
                    // Row 1: type badge · chain · spacer · revoke button
                    Row(
                      children: [
                        Container(
                          padding: EdgeInsets.symmetric(
                            horizontal: 1.w,
                            vertical: 0.4.h,
                          ),
                          decoration: BoxDecoration(
                            color: accent.withValues(alpha: 0.15),
                            borderRadius: BorderRadius.circular(8),
                          ),
                          child: Text(
                            typeLabel,
                            style: theme.textTheme.labelSmall?.copyWith(
                              color: accent,
                              fontWeight: FontWeight.w800,
                            ),
                          ),
                        ),
                        SizedBox(width: 1.w),
                        Container(
                          padding: EdgeInsets.symmetric(
                            horizontal: 1.w,
                            vertical: 0.4.h,
                          ),
                          decoration: BoxDecoration(
                            color: Palette.ink.withValues(alpha: 0.06),
                            borderRadius: BorderRadius.circular(8),
                          ),
                          child: Text(
                            'Chain ${grant.shared.chainId}',
                            style: theme.textTheme.labelSmall?.copyWith(
                              color: muted,
                              fontWeight: FontWeight.w700,
                            ),
                          ),
                        ),
                        const Spacer(),
                        if (revoking)
                          SizedBox(
                            width: 1.8.h,
                            height: 1.8.h,
                            child: CircularProgressIndicator(
                              strokeWidth: 2,
                              color: Palette.coral,
                            ),
                          )
                        else
                          OutlinedButton.icon(
                            onPressed: revoke,
                            style: OutlinedButton.styleFrom(
                              foregroundColor: Palette.coral,
                              side: BorderSide(
                                color: Palette.coral.withValues(alpha: 0.4),
                              ),
                              padding: EdgeInsets.symmetric(
                                horizontal: 1.w,
                                vertical: 0.6.h,
                              ),
                              shape: RoundedRectangleBorder(
                                borderRadius: BorderRadius.circular(10),
                              ),
                            ),
                            icon: const Icon(Icons.block_rounded, size: 16),
                            label: const Text('Revoke'),
                          ),
                      ],
                    ),
                    SizedBox(height: 0.8.h),
                    // Row 2: wallet address · client name
                    Row(
                      children: [
                        Text(
                          walletLabel,
                          style: theme.textTheme.bodySmall?.copyWith(
                            color: Palette.ink,
                            fontFamily: 'monospace',
                          ),
                        ),
                        Padding(
                          padding: EdgeInsets.symmetric(horizontal: 0.8.w),
                          child: Text(
                            '·',
                            style: theme.textTheme.bodySmall
                                ?.copyWith(color: muted),
                          ),
                        ),
                        Expanded(
                          child: Text(
                            clientLabel,
                            maxLines: 1,
                            overflow: TextOverflow.ellipsis,
                            style: theme.textTheme.bodySmall
                                ?.copyWith(color: muted),
                          ),
                        ),
                      ],
                    ),
                  ],
                ),
              ),
            ),
          ],
        ),
      ),
    );
  }
 }
 ```
 - [ ] **Step 2: Verify**
 ```sh
 cd useragent && flutter analyze lib/screens/dashboard/evm/grants/widgets/grant_card.dart
 ```
 Expected: no issues.
 - [ ] **Step 3: Commit**
 ```sh
 jj describe -m "feat(grants): add GrantCard widget with self-contained enrichment"
 jj new
 ```
 ---
 ## Task 5: Create `EvmGrantsScreen`
 **Files:**
 - Create: `useragent/lib/screens/dashboard/evm/grants/grants.dart`
 The screen watches only `evmGrantsProvider` for top-level state (loading / error / no connection / empty / data). When there is data it renders a list of `GrantCard` widgets — each card manages its own enrichment subscriptions.
 - [ ] **Step 1: Write the screen**
 Create `useragent/lib/screens/dashboard/evm/grants/grants.dart`:
 ```dart
 import 'package:arbiter/proto/evm.pb.dart';
 import 'package:arbiter/providers/evm/evm_grants.dart';
 import 'package:arbiter/providers/sdk_clients/wallet_access_list.dart';
 import 'package:arbiter/router.gr.dart';
 import 'package:arbiter/screens/dashboard/evm/grants/widgets/grant_card.dart';
 import 'package:arbiter/theme/palette.dart';
 import 'package:arbiter/widgets/page_header.dart';
 import 'package:auto_route/auto_route.dart';
 import 'package:flutter/material.dart';
 import 'package:hooks_riverpod/hooks_riverpod.dart';
 import 'package:sizer/sizer.dart';
 String _formatError(Object error) {
  final message = error.toString();
  if (message.startsWith('Exception: ')) {
    return message.substring('Exception: '.length);
  }
  return message;
 }
 // ─── State panel ──────────────────────────────────────────────────────────────
 class _StatePanel extends StatelessWidget {
  const _StatePanel({
    required this.icon,
    required this.title,
    required this.body,
    this.actionLabel,
    this.onAction,
    this.busy = false,
  });
  final IconData icon;
  final String title;
  final String body;
  final String? actionLabel;
  final Future<void> Function()? onAction;
  final bool busy;
  @override
  Widget build(BuildContext context) {
    final theme = Theme.of(context);
    return Container(
      decoration: BoxDecoration(
        borderRadius: BorderRadius.circular(24),
        color: Palette.cream.withValues(alpha: 0.92),
        border: Border.all(color: Palette.line),
      ),
      child: Padding(
        padding: EdgeInsets.all(2.8.h),
        child: Column(
          crossAxisAlignment: CrossAxisAlignment.start,
          children: [
            if (busy)
              SizedBox(
                width: 2.8.h,
                height: 2.8.h,
                child: const CircularProgressIndicator(strokeWidth: 2.5),
              )
            else
              Icon(icon, size: 34, color: Palette.coral),
            SizedBox(height: 1.8.h),
            Text(
              title,
              style: theme.textTheme.headlineSmall?.copyWith(
                color: Palette.ink,
                fontWeight: FontWeight.w800,
              ),
            ),
            SizedBox(height: 1.h),
            Text(
              body,
              style: theme.textTheme.bodyLarge?.copyWith(
                color: Palette.ink.withValues(alpha: 0.72),
                height: 1.5,
              ),
            ),
            if (actionLabel != null && onAction != null) ...[
              SizedBox(height: 2.h),
              OutlinedButton.icon(
                onPressed: () => onAction!(),
                icon: const Icon(Icons.refresh),
                label: Text(actionLabel!),
              ),
            ],
          ],
        ),
      ),
    );
  }
 }
 // ─── Grant list ───────────────────────────────────────────────────────────────
 class _GrantList extends StatelessWidget {
  const _GrantList({required this.grants});
  final List<GrantEntry> grants;
  @override
  Widget build(BuildContext context) {
    return Column(
      children: [
        for (var i = 0; i < grants.length; i++)
          Padding(
            padding: EdgeInsets.only(
              bottom: i == grants.length - 1 ? 0 : 1.8.h,
            ),
            child: GrantCard(grant: grants[i]),
          ),
      ],
    );
  }
 }
 // ─── Screen ───────────────────────────────────────────────────────────────────
@RoutePage()
 class EvmGrantsScreen extends ConsumerWidget {
  const EvmGrantsScreen({super.key});
  @override
  Widget build(BuildContext context, WidgetRef ref) {
    // Screen watches only the grant list for top-level state decisions
    final grantsAsync = ref.watch(evmGrantsProvider);
    Future<void> refresh() async {
      await Future.wait([
        ref.read(evmGrantsProvider.notifier).refresh(),
        ref.read(walletAccessListProvider.notifier).refresh(),
      ]);
    }
    void showMessage(String message) {
      if (!context.mounted) return;
      ScaffoldMessenger.of(context).showSnackBar(
        SnackBar(content: Text(message), behavior: SnackBarBehavior.floating),
      );
    }
    Future<void> safeRefresh() async {
      try {
        await refresh();
      } catch (e) {
        showMessage(_formatError(e));
      }
    }
    final grantsState = grantsAsync.asData?.value;
    final grants = grantsState?.grants;
    final content = switch (grantsAsync) {
      AsyncLoading() when grantsState == null => const _StatePanel(
        icon: Icons.hourglass_top,
        title: 'Loading grants',
        body: 'Pulling grant registry from Arbiter.',
        busy: true,
      ),
      AsyncError(:final error) => _StatePanel(
        icon: Icons.sync_problem,
        title: 'Grant registry unavailable',
        body: _formatError(error),
        actionLabel: 'Retry',
        onAction: safeRefresh,
      ),
      AsyncData(:final value) when value == null => _StatePanel(
        icon: Icons.portable_wifi_off,
        title: 'No active server connection',
        body: 'Reconnect to Arbiter to list EVM grants.',
        actionLabel: 'Refresh',
        onAction: safeRefresh,
      ),
      _ when grants != null && grants.isEmpty => _StatePanel(
        icon: Icons.policy_outlined,
        title: 'No grants yet',
        body: 'Create a grant to allow SDK clients to sign transactions.',
        actionLabel: 'Create grant',
        onAction: () => context.router.push(const CreateEvmGrantRoute()),
      ),
      _ => _GrantList(grants: grants ?? const []),
    };
    return Scaffold(
      body: SafeArea(
        child: RefreshIndicator.adaptive(
          color: Palette.ink,
          backgroundColor: Colors.white,
          onRefresh: safeRefresh,
          child: ListView(
            physics: const BouncingScrollPhysics(
              parent: AlwaysScrollableScrollPhysics(),
            ),
            padding: EdgeInsets.fromLTRB(2.4.w, 2.4.h, 2.4.w, 3.2.h),
            children: [
              PageHeader(
                title: 'EVM Grants',
                isBusy: grantsAsync.isLoading,
                actions: [
                  FilledButton.icon(
                    onPressed: () =>
                        context.router.push(const CreateEvmGrantRoute()),
                    icon: const Icon(Icons.add_rounded),
                    label: const Text('Create grant'),
                  ),
                  SizedBox(width: 1.w),
                  OutlinedButton.icon(
                    onPressed: safeRefresh,
                    style: OutlinedButton.styleFrom(
                      foregroundColor: Palette.ink,
                      side: BorderSide(color: Palette.line),
                      padding: EdgeInsets.symmetric(
                        horizontal: 1.4.w,
                        vertical: 1.2.h,
                      ),
                      shape: RoundedRectangleBorder(
                        borderRadius: BorderRadius.circular(14),
                      ),
                    ),
                    icon: const Icon(Icons.refresh, size: 18),
                    label: const Text('Refresh'),
                  ),
                ],
              ),
              SizedBox(height: 1.8.h),
              content,
            ],
          ),
        ),
      ),
    );
  }
 }
 ```
 - [ ] **Step 2: Verify**
 ```sh
 cd useragent && flutter analyze lib/screens/dashboard/evm/grants/
 ```
 Expected: no issues.
 - [ ] **Step 3: Commit**
 ```sh
 jj describe -m "feat(grants): add EvmGrantsScreen"
 jj new
 ```
 ---
 ## Task 6: Wire router and dashboard tab
 **Files:**
 - Modify: `useragent/lib/router.dart`
 - Modify: `useragent/lib/screens/dashboard.dart`
 - Regenerated: `useragent/lib/router.gr.dart`
 - [ ] **Step 1: Add route to `router.dart`**
 Replace the contents of `useragent/lib/router.dart` with:
 ```dart
 import 'package:auto_route/auto_route.dart';
 import 'router.gr.dart';
@AutoRouterConfig(generateForDir: ['lib/screens'])
 class Router extends RootStackRouter {
  @override
  List<AutoRoute> get routes => [
    AutoRoute(page: Bootstrap.page, path: '/bootstrap', initial: true),
    AutoRoute(page: ServerInfoSetupRoute.page, path: '/server-info'),
    AutoRoute(page: ServerConnectionRoute.page, path: '/server-connection'),
    AutoRoute(page: VaultSetupRoute.page, path: '/vault'),
    AutoRoute(page: ClientDetailsRoute.page, path: '/clients/:clientId'),
    AutoRoute(page: CreateEvmGrantRoute.page, path: '/evm-grants/create'),
    AutoRoute(
      page: DashboardRouter.page,
      path: '/dashboard',
      children: [
        AutoRoute(page: EvmRoute.page, path: 'evm'),
        AutoRoute(page: ClientsRoute.page, path: 'clients'),
        AutoRoute(page: EvmGrantsRoute.page, path: 'grants'),
        AutoRoute(page: AboutRoute.page, path: 'about'),
      ],
    ),
  ];
 }
 ```
 - [ ] **Step 2: Update `dashboard.dart`**
 In `useragent/lib/screens/dashboard.dart`, replace the `routes` constant:
 ```dart
 final routes = [
  const EvmRoute(),
  const ClientsRoute(),
  const EvmGrantsRoute(),
  const AboutRoute(),
 ];
 ```
 And replace the `destinations` list inside `AdaptiveScaffold`:
 ```dart
 destinations: const [
  NavigationDestination(
    icon: Icon(Icons.account_balance_wallet_outlined),
    selectedIcon: Icon(Icons.account_balance_wallet),
    label: 'Wallets',
  ),
  NavigationDestination(
    icon: Icon(Icons.devices_other_outlined),
    selectedIcon: Icon(Icons.devices_other),
    label: 'Clients',
  ),
  NavigationDestination(
    icon: Icon(Icons.policy_outlined),
    selectedIcon: Icon(Icons.policy),
    label: 'Grants',
  ),
  NavigationDestination(
    icon: Icon(Icons.info_outline),
    selectedIcon: Icon(Icons.info),
    label: 'About',
  ),
 ],
 ```
 - [ ] **Step 3: Regenerate router**
 ```sh
 cd useragent && dart run build_runner build --delete-conflicting-outputs
 ```
 Expected: `lib/router.gr.dart` updated, `EvmGrantsRoute` now available, no errors.
 - [ ] **Step 4: Full project verify**
 ```sh
 cd useragent && flutter analyze
 ```
 Expected: no issues.
 - [ ] **Step 5: Commit**
 ```sh
 jj describe -m "feat(nav): add Grants dashboard tab"
 jj new
 ```
--- a/docs/superpowers/specs/2026-03-28-grant-grid-view-design.md
+++ b/docs/superpowers/specs/2026-03-28-grant-grid-view-design.md
@@ -0,0 +1,170 @@
 # Grant Grid View — Design Spec
 **Date:** 2026-03-28
 ## Overview
 Add a "Grants" dashboard tab to the Flutter user-agent app that displays all EVM grants as a card-based grid. Each card shows a compact summary (type, chain, wallet address, client name) with a revoke action. The tab integrates into the existing `AdaptiveScaffold` navigation alongside Wallets, Clients, and About.
 ## Scope
 - New `walletAccessListProvider` for fetching wallet access entries with their DB row IDs
 - New `EvmGrantsScreen` as a dashboard tab
 - Grant card widget with enriched display (type, chain, wallet, client)
 - Revoke action wired to existing `executeRevokeEvmGrant` mutation
 - Dashboard tab bar and router updated
 - New token-transfer accent color added to `Palette`
 **Out of scope:** Fixing grant creation (separate task).
 ---
 ## Data Layer
 ### `walletAccessListProvider`
 **File:** `useragent/lib/providers/sdk_clients/wallet_access_list.dart`
 - `@riverpod` class, watches `connectionManagerProvider.future`
 - Returns `List<SdkClientWalletAccess>?` (null when not connected)
 - Each entry: `.id` (wallet_access_id), `.access.walletId`, `.access.sdkClientId`
 - Exposes a `refresh()` method following the same pattern as `EvmGrants.refresh()`
 ### Enrichment at render time (Approach A)
 The `EvmGrantsScreen` watches four providers:
 1. `evmGrantsProvider` — the grant list
 2. `walletAccessListProvider` — to resolve wallet_access_id → (wallet_id, sdk_client_id)
 3. `evmProvider` — to resolve wallet_id → wallet address
 4. `sdkClientsProvider` — to resolve sdk_client_id → client name
 All lookups are in-memory Maps built inside the build method; no extra model class needed.
 Fallbacks:
 - Wallet address not found → `"Access #N"` where N is the wallet_access_id
 - Client name not found → `"Client #N"` where N is the sdk_client_id
 ---
 ## Route Structure
 ```
 /dashboard
  /evm          ← existing (Wallets tab)
  /clients      ← existing (Clients tab)
  /grants       ← NEW (Grants tab)
  /about        ← existing
 /evm-grants/create  ← existing push route (unchanged)
 ```
 ### Changes to `router.dart`
 Add inside dashboard children:
 ```dart
 AutoRoute(page: EvmGrantsRoute.page, path: 'grants'),
 ```
 ### Changes to `dashboard.dart`
 Add to `routes` list:
 ```dart
 const EvmGrantsRoute()
 ```
 Add `NavigationDestination`:
 ```dart
 NavigationDestination(
  icon: Icon(Icons.policy_outlined),
  selectedIcon: Icon(Icons.policy),
  label: 'Grants',
 ),
 ```
 ---
 ## Screen: `EvmGrantsScreen`
 **File:** `useragent/lib/screens/dashboard/evm/grants/grants.dart`
 ```
 Scaffold
 └─ SafeArea
   └─ RefreshIndicator.adaptive (refreshes evmGrantsProvider + walletAccessListProvider)
      └─ ListView (BouncingScrollPhysics + AlwaysScrollableScrollPhysics)
         ├─ PageHeader
         │    title: 'EVM Grants'
         │    isBusy: evmGrantsProvider.isLoading
         │    actions: [CreateGrantButton, RefreshButton]
         ├─ SizedBox(height: 1.8.h)
         └─ <content>
 ```
 ### State handling
 Matches the pattern from `EvmScreen` and `ClientsScreen`:
 | State | Display |
 |---|---|
 | Loading (no data yet) | `_StatePanel` with spinner, "Loading grants" |
 | Error | `_StatePanel` with coral icon, error message, Retry button |
 | No connection | `_StatePanel`, "No active server connection" |
 | Empty list | `_StatePanel`, "No grants yet", with Create Grant shortcut |
 | Data | Column of `_GrantCard` widgets |
 ### Header actions
 **CreateGrantButton:** `FilledButton.icon` with `Icons.add_rounded`, pushes `CreateEvmGrantRoute()` via `context.router.push(...)`.
 **RefreshButton:** `OutlinedButton.icon` with `Icons.refresh`, calls `ref.read(evmGrantsProvider.notifier).refresh()`.
 ---
 ## Grant Card: `_GrantCard`
 **Layout:**
 ```
 Container (rounded 24, Palette.cream bg, Palette.line border)
 └─ IntrinsicHeight > Row
   ├─ Accent strip (0.8.w wide, full height, rounded left)
   └─ Padding > Column
        ├─ Row 1: TypeBadge + ChainChip + Spacer + RevokeButton
        └─ Row 2: WalletText + "·" + ClientText
 ```
 **Accent color by grant type:**
 - Ether transfer → `Palette.coral`
 - Token transfer → `Palette.token` (new entry in `Palette` — indigo, e.g. `Color(0xFF5C6BC0)`)
 **TypeBadge:** Small pill container with accent color background at 15% opacity, accent-colored text. Label: `'Ether'` or `'Token'`.
 **ChainChip:** Small container: `'Chain ${grant.shared.chainId}'`, muted ink color.
 **WalletText:** Short hex address (`0xabc...def`) from wallet lookup, `bodySmall`, monospace font family.
 **ClientText:** Client name from `sdkClientsProvider` lookup, or fallback string. `bodySmall`, muted ink.
 **RevokeButton:**
 - `OutlinedButton` with `Icons.block_rounded` icon, label `'Revoke'`
 - `foregroundColor: Palette.coral`, `side: BorderSide(color: Palette.coral.withValues(alpha: 0.4))`
 - Disabled (replaced with `CircularProgressIndicator`) while `revokeEvmGrantMutation` is pending — note: this is a single global mutation, so all revoke buttons disable while any revoke is in flight
 - On press: calls `executeRevokeEvmGrant(ref, grantId: grant.id)`; shows `SnackBar` on error
 ---
 ## Adaptive Sizing
 All sizing uses `sizer` units (`1.h`, `1.w`, etc.). No hardcoded pixel values.
 ---
 ## Files to Create / Modify
 | File | Action |
 |---|---|
 | `lib/theme/palette.dart` | Modify — add `Palette.token` color |
 | `lib/providers/sdk_clients/wallet_access_list.dart` | Create |
 | `lib/screens/dashboard/evm/grants/grants.dart` | Create |
 | `lib/router.dart` | Modify — add grants route to dashboard children |
 | `lib/screens/dashboard.dart` | Modify — add tab to routes list and NavigationDestinations |
--- a/server/Cargo.lock
+++ b/server/Cargo.lock
@@ -724,6 +724,7 @@ name = "arbiter-server"
 version = "0.1.0"
 dependencies = [
 "alloy",
 "anyhow",
 "arbiter-proto",
 "arbiter-tokens-registry",
 "argon2",
@@ -737,11 +738,11 @@ dependencies = [
 "ed25519-dalek",
 "fatality",
 "futures",
 "hmac",
 "insta",
 "k256",
 "kameo",
 "memsafe",
 "miette",
 "pem",
 "prost-types",
 "rand 0.10.0",
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -22,7 +22,6 @@ chrono = { version = "0.4.44", features = ["serde"] }
 rand = "0.10.0"
 rustls = { version = "0.23.37", features = ["aws-lc-rs"] }
 smlang = "0.8.0"
 miette = { version = "7.6.0", features = ["fancy", "serde"] }
 thiserror = "2.0.18"
 async-trait = "0.1.89"
 futures = "0.3.32"
@@ -43,3 +42,4 @@ k256 = { version = "0.13.4", features = ["ecdsa", "pkcs8"] }
 rsa = { version = "0.9", features = ["sha2"] }
 sha2 = "0.10"
 spki = "0.7"
 miette = { version = "7.6.0", features = ["fancy", "serde"] }
--- a/server/crates/arbiter-client/src/auth.rs
+++ b/server/crates/arbiter-client/src/auth.rs
@@ -122,9 +122,7 @@ async fn receive_auth_confirmation(
        .await
        .map_err(|_| AuthError::UnexpectedAuthResponse)?;
-    let payload = response
+    let payload = response.payload.ok_or(AuthError::UnexpectedAuthResponse)?;
        .payload
        .ok_or(AuthError::UnexpectedAuthResponse)?;
    match payload {
        ClientResponsePayload::Auth(response) => match response.payload {
            Some(AuthResponsePayload::Result(result))
--- a/server/crates/arbiter-client/src/bin/test_connect.rs
+++ b/server/crates/arbiter-client/src/bin/test_connect.rs
@@ -1,4 +1,3 @@
 use std::io::{self, Write};
 use arbiter_client::ArbiterClient;
@@ -22,8 +21,6 @@ async fn main() {
        return;
    }
    let url = match ArbiterUrl::try_from(input) {
        Ok(url) => url,
        Err(err) => {
@@ -32,7 +29,7 @@ async fn main() {
        }
    };
-     println!("{:#?}", url);
+    println!("{:#?}", url);
    let metadata = ClientMetadata {
        name: "arbiter-client test_connect".to_string(),
@@ -44,4 +41,4 @@ async fn main() {
        Ok(_) => println!("Connected and authenticated successfully."),
        Err(err) => eprintln!("Failed to connect: {:#?}", err),
    }
-}
+}
--- a/server/crates/arbiter-client/src/client.rs
+++ b/server/crates/arbiter-client/src/client.rs
@@ -1,11 +1,16 @@
-use arbiter_proto::{ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl};
+use arbiter_proto::{
    ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl,
 };
 use std::sync::Arc;
 use tokio::sync::{Mutex, mpsc};
 use tokio_stream::wrappers::ReceiverStream;
 use tonic::transport::ClientTlsConfig;
 use crate::{
-    StorageError, auth::{AuthError, authenticate}, storage::{FileSigningKeyStorage, SigningKeyStorage}, transport::{BUFFER_LENGTH, ClientTransport}
+    StorageError,
    auth::{AuthError, authenticate},
    storage::{FileSigningKeyStorage, SigningKeyStorage},
    transport::{BUFFER_LENGTH, ClientTransport},
 };
 #[cfg(feature = "evm")]
@@ -30,7 +35,6 @@ pub enum Error {
    #[error("Storage error")]
    Storage(#[from] StorageError),
 }
 pub struct ArbiterClient {
@@ -61,10 +65,11 @@ impl ArbiterClient {
        let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)?.to_owned();
        let tls = ClientTlsConfig::new().trust_anchor(anchor);
-        let channel = tonic::transport::Channel::from_shared(format!("https://{}:{}", url.host, url.port))?
+        let channel =
-            .tls_config(tls)?
+            tonic::transport::Channel::from_shared(format!("https://{}:{}", url.host, url.port))?
-            .connect()
+                .tls_config(tls)?
-            .await?;
+                .connect()
                .await?;
        let mut client = ArbiterServiceClient::new(channel);
        let (tx, rx) = mpsc::channel(BUFFER_LENGTH);
--- a/server/crates/arbiter-client/src/lib.rs
+++ b/server/crates/arbiter-client/src/lib.rs
@@ -9,4 +9,4 @@ pub use client::{ArbiterClient, Error};
 pub use storage::{FileSigningKeyStorage, SigningKeyStorage, StorageError};
 #[cfg(feature = "evm")]
-pub use wallets::evm::ArbiterEvmWallet;
+pub use wallets::evm::{ArbiterEvmSignTransactionError, ArbiterEvmWallet};
--- a/server/crates/arbiter-client/src/wallets/evm.rs
+++ b/server/crates/arbiter-client/src/wallets/evm.rs
@@ -10,14 +10,48 @@ use tokio::sync::Mutex;
 use arbiter_proto::proto::{
    client::{
-        ClientRequest, client_request::Payload as ClientRequestPayload,
+        ClientRequest,
        client_request::Payload as ClientRequestPayload,
        client_response::Payload as ClientResponsePayload,
        evm::{
            self as proto_evm, request::Payload as EvmRequestPayload,
            response::Payload as EvmResponsePayload,
        },
    },
-    evm::evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    evm::{
        EvmSignTransactionRequest,
        evm_sign_transaction_response::Result as EvmSignTransactionResult,
    },
    shared::evm::TransactionEvalError,
 };
 use crate::transport::{ClientTransport, next_request_id};
 /// A typed error payload returned by [`ArbiterEvmWallet`] transaction signing.
 ///
 /// This is wrapped into `alloy::signers::Error::Other`, so consumers can downcast by [`TryFrom`] and
 /// interpret the concrete policy evaluation failure instead of parsing strings.
 #[derive(Debug, thiserror::Error)]
 #[non_exhaustive]
 pub enum ArbiterEvmSignTransactionError {
    #[error("transaction rejected by policy: {0:?}")]
    PolicyEval(TransactionEvalError),
 }
 impl<'a> TryFrom<&'a Error> for &'a ArbiterEvmSignTransactionError {
    type Error = ();
    fn try_from(value: &'a Error) -> Result<Self, Self::Error> {
        if let Error::Other(inner) = value
            && let Some(eval_error) = inner.downcast_ref()
        {
            Ok(eval_error)
        } else {
            Err(())
        }
    }
 }
 pub struct ArbiterEvmWallet {
    transport: Arc<Mutex<ClientTransport>>,
    address: Address,
@@ -96,12 +130,14 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
        transport
            .send(ClientRequest {
                request_id,
-                payload: Some(ClientRequestPayload::EvmSignTransaction(
+                payload: Some(ClientRequestPayload::Evm(proto_evm::Request {
-                    arbiter_proto::proto::evm::EvmSignTransactionRequest {
+                    payload: Some(EvmRequestPayload::SignTransaction(
-                        wallet_address: self.address.to_vec(),
+                        EvmSignTransactionRequest {
-                        rlp_transaction,
+                            wallet_address: self.address.to_vec(),
-                    },
+                            rlp_transaction,
-                )),
+                        },
                    )),
                })),
            })
            .await
            .map_err(|_| Error::other("failed to send evm sign transaction request"))?;
@@ -121,12 +157,21 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
            .payload
            .ok_or_else(|| Error::other("missing evm sign transaction response payload"))?;
-        let ClientResponsePayload::EvmSignTransaction(response) = payload else {
+        let ClientResponsePayload::Evm(proto_evm::Response {
            payload: Some(payload),
        }) = payload
        else {
            return Err(Error::other(
                "unexpected response payload for evm sign transaction request",
            ));
        };
        let EvmResponsePayload::SignTransaction(response) = payload else {
            return Err(Error::other(
                "unexpected evm response payload for sign transaction request",
            ));
        };
        let result = response
            .result
            .ok_or_else(|| Error::other("missing evm sign transaction result"))?;
@@ -136,9 +181,9 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
                Signature::try_from(signature.as_slice())
                    .map_err(|_| Error::other("invalid signature returned by server"))
            }
-            EvmSignTransactionResult::EvalError(eval_error) => Err(Error::other(format!(
+            EvmSignTransactionResult::EvalError(eval_error) => Err(Error::other(
-                "transaction rejected by policy: {eval_error:?}"
+                ArbiterEvmSignTransactionError::PolicyEval(eval_error),
-            ))),
+            )),
            EvmSignTransactionResult::Error(code) => Err(Error::other(format!(
                "server failed to sign transaction with error code {code}"
            ))),
--- a/server/crates/arbiter-proto/src/url.rs
+++ b/server/crates/arbiter-proto/src/url.rs
@@ -7,7 +7,6 @@ const ARBITER_URL_SCHEME: &str = "arbiter";
 const CERT_QUERY_KEY: &str = "cert";
 const BOOTSTRAP_TOKEN_QUERY_KEY: &str = "bootstrap_token";
 #[derive(Debug, Clone)]
 pub struct ArbiterUrl {
    pub host: String,
--- a/server/crates/arbiter-server/Cargo.toml
+++ b/server/crates/arbiter-server/Cargo.toml
@@ -25,7 +25,6 @@ tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 rustls.workspace = true
 smlang.workspace = true
 miette.workspace = true
 thiserror.workspace = true
 fatality = "0.1.1"
 diesel_migrations = { version = "2.3.1", features = ["sqlite"] }
@@ -49,10 +48,12 @@ pem = "3.0.6"
 k256.workspace = true
 rsa.workspace = true
 sha2.workspace = true
 hmac = "0.12"
 spki.workspace = true
 alloy.workspace = true
 prost-types.workspace = true
 arbiter-tokens-registry.path = "../arbiter-tokens-registry"
 anyhow = "1.0.102"
 [dev-dependencies]
 insta = "1.46.3"
--- a/server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql
+++ b/server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql
@@ -47,6 +47,7 @@ create table if not exists useragent_client (
    id integer not null primary key,
    nonce integer not null default(1), -- used for auth challenge
    public_key blob not null,
    pubkey_integrity_tag blob,
    key_type integer not null default(1), -- 1=Ed25519, 2=ECDSA(secp256k1)
    created_at integer not null default(unixepoch ('now')),
    updated_at integer not null default(unixepoch ('now'))
--- a/server/crates/arbiter-server/src/actors/bootstrap.rs
+++ b/server/crates/arbiter-server/src/actors/bootstrap.rs
@@ -2,7 +2,7 @@ use arbiter_proto::{BOOTSTRAP_PATH, home_path};
 use diesel::QueryDsl;
 use diesel_async::RunQueryDsl;
 use kameo::{Actor, messages};
-use miette::Diagnostic;
+
 use rand::{RngExt, distr::Alphanumeric, make_rng, rngs::StdRng};
 use thiserror::Error;
@@ -25,18 +25,15 @@ pub async fn generate_token() -> Result<String, std::io::Error> {
    Ok(token)
 }
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum Error {
    #[error("Database error: {0}")]
    #[diagnostic(code(arbiter_server::bootstrap::database))]
    Database(#[from] db::PoolError),
    #[error("Database query error: {0}")]
    #[diagnostic(code(arbiter_server::bootstrap::database_query))]
    Query(#[from] diesel::result::Error),
    #[error("I/O error: {0}")]
    #[diagnostic(code(arbiter_server::bootstrap::io))]
    Io(#[from] std::io::Error),
 }
--- a/server/crates/arbiter-server/src/actors/client/auth.rs
+++ b/server/crates/arbiter-server/src/actors/client/auth.rs
@@ -287,10 +287,7 @@ where
    Ok(())
 }
-pub async fn authenticate<T>(
+pub async fn authenticate<T>(props: &mut ClientConnection, transport: &mut T) -> Result<i32, Error>
    props: &mut ClientConnection,
    transport: &mut T,
 ) -> Result<i32, Error>
 where
    T: Bi<Inbound, Result<Outbound, Error>> + Send + ?Sized,
 {
@@ -319,7 +316,7 @@ where
    sync_client_metadata(&props.db, info.id, &metadata).await?;
    challenge_client(transport, pubkey, info.current_nonce).await?;
-    
+
    transport
        .send(Ok(Outbound::AuthSuccess))
        .await
--- a/server/crates/arbiter-server/src/actors/client/mod.rs
+++ b/server/crates/arbiter-server/src/actors/client/mod.rs
@@ -20,10 +20,7 @@ pub struct ClientConnection {
 impl ClientConnection {
    pub fn new(db: db::DatabasePool, actors: GlobalActors) -> Self {
-        Self {
+        Self { db, actors }
            db,
            actors,
        }
    }
 }
--- a/server/crates/arbiter-server/src/actors/client/session.rs
+++ b/server/crates/arbiter-server/src/actors/client/session.rs
@@ -6,11 +6,10 @@ use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
 use crate::{
    actors::{
        GlobalActors,
-        client::ClientConnection, flow_coordinator::RegisterClient,
+        client::ClientConnection,
        evm::{ClientSignTransaction, SignTransactionError},
        flow_coordinator::RegisterClient,
        keyholder::KeyHolderState,
    },
    db,
    evm::VetError,
@@ -95,7 +94,10 @@ impl Actor for ClientSession {
 impl ClientSession {
    pub fn new_test(db: db::DatabasePool, actors: GlobalActors) -> Self {
        let props = ClientConnection::new(db, actors);
-        Self { props, client_id: 0 }
+        Self {
            props,
            client_id: 0,
        }
    }
 }
--- a/server/crates/arbiter-server/src/actors/evm/mod.rs
+++ b/server/crates/arbiter-server/src/actors/evm/mod.rs
@@ -25,45 +25,36 @@ use crate::{
 pub use crate::evm::safe_signer;
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum SignTransactionError {
    #[error("Wallet not found")]
    #[diagnostic(code(arbiter::evm::sign::wallet_not_found))]
    WalletNotFound,
    #[error("Database error: {0}")]
    #[diagnostic(code(arbiter::evm::sign::database))]
    Database(#[from] DatabaseError),
    #[error("Keyholder error: {0}")]
    #[diagnostic(code(arbiter::evm::sign::keyholder))]
    Keyholder(#[from] crate::actors::keyholder::Error),
    #[error("Keyholder mailbox error")]
    #[diagnostic(code(arbiter::evm::sign::keyholder_send))]
    KeyholderSend,
    #[error("Signing error: {0}")]
    #[diagnostic(code(arbiter::evm::sign::signing))]
    Signing(#[from] alloy::signers::Error),
    #[error("Policy error: {0}")]
    #[diagnostic(code(arbiter::evm::sign::vet))]
    Vet(#[from] evm::VetError),
 }
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum Error {
    #[error("Keyholder error: {0}")]
    #[diagnostic(code(arbiter::evm::keyholder))]
    Keyholder(#[from] crate::actors::keyholder::Error),
    #[error("Keyholder mailbox error")]
    #[diagnostic(code(arbiter::evm::keyholder_send))]
    KeyholderSend,
    #[error("Database error: {0}")]
    #[diagnostic(code(arbiter::evm::database))]
    Database(#[from] DatabaseError),
 }
--- a/server/crates/arbiter-server/src/actors/flow_coordinator/client_connect_approval.rs
+++ b/server/crates/arbiter-server/src/actors/flow_coordinator/client_connect_approval.rs
@@ -15,7 +15,7 @@ use crate::actors::{
 pub struct Args {
    pub client: ClientProfile,
    pub user_agents: Vec<ActorRef<UserAgentSession>>,
-    pub reply: ReplySender<Result<bool, ApprovalError>>
+    pub reply: ReplySender<Result<bool, ApprovalError>>,
 }
 pub struct ClientApprovalController {
@@ -39,7 +39,11 @@ impl Actor for ClientApprovalController {
    type Error = ();
    async fn on_start(
-        Args { client, mut user_agents, reply }: Self::Args,
+        Args {
            client,
            mut user_agents,
            reply,
        }: Self::Args,
        actor_ref: ActorRef<Self>,
    ) -> Result<Self, Self::Error> {
        let this = Self {
--- a/server/crates/arbiter-server/src/actors/keyholder/mod.rs
+++ b/server/crates/arbiter-server/src/actors/keyholder/mod.rs
@@ -8,7 +8,14 @@ use kameo::{Actor, Reply, messages};
 use strum::{EnumDiscriminants, IntoDiscriminant};
 use tracing::{error, info};
-use crate::safe_cell::SafeCell;
+use crate::{
    crypto::{
        KeyCell, derive_key,
        encryption::v1::{self, Nonce},
        integrity::v1::compute_integrity_tag,
    },
    safe_cell::SafeCell,
 };
 use crate::{
    db::{
        self,
@@ -17,9 +24,6 @@ use crate::{
    },
    safe_cell::SafeCellHandle as _,
 };
 use encryption::v1::{self, KeyCell, Nonce};
 pub mod encryption;
 #[derive(Default, EnumDiscriminants)]
 #[strum_discriminants(derive(Reply), vis(pub), name(KeyHolderState))]
@@ -35,36 +39,28 @@ enum State {
    },
 }
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum Error {
    #[error("Keyholder is already bootstrapped")]
    #[diagnostic(code(arbiter::keyholder::already_bootstrapped))]
    AlreadyBootstrapped,
    #[error("Keyholder is not bootstrapped")]
    #[diagnostic(code(arbiter::keyholder::not_bootstrapped))]
    NotBootstrapped,
    #[error("Invalid key provided")]
    #[diagnostic(code(arbiter::keyholder::invalid_key))]
    InvalidKey,
    #[error("Requested aead entry not found")]
    #[diagnostic(code(arbiter::keyholder::aead_not_found))]
    NotFound,
    #[error("Encryption error: {0}")]
    #[diagnostic(code(arbiter::keyholder::encryption_error))]
    Encryption(#[from] chacha20poly1305::aead::Error),
    #[error("Database error: {0}")]
    #[diagnostic(code(arbiter::keyholder::database_error))]
    DatabaseConnection(#[from] db::PoolError),
    #[error("Database transaction error: {0}")]
    #[diagnostic(code(arbiter::keyholder::database_transaction_error))]
    DatabaseTransaction(#[from] diesel::result::Error),
    #[error("Broken database")]
    #[diagnostic(code(arbiter::keyholder::broken_database))]
    BrokenDatabase,
 }
@@ -114,14 +110,13 @@ impl KeyHolder {
                        .first(conn)
                        .await?;
-                    let mut nonce =
+                    let mut nonce = Nonce::try_from(current_nonce.as_slice()).map_err(|_| {
-                        v1::Nonce::try_from(current_nonce.as_slice()).map_err(|_| {
+                        error!(
-                            error!(
+                            "Broken database: invalid nonce for root key history id={}",
-                                "Broken database: invalid nonce for root key history id={}",
+                            root_key_id
-                                root_key_id
+                        );
-                            );
+                        Error::BrokenDatabase
-                            Error::BrokenDatabase
+                    })?;
                        })?;
                    nonce.increment();
                    update(schema::root_key_history::table)
@@ -144,12 +139,12 @@ impl KeyHolder {
            return Err(Error::AlreadyBootstrapped);
        }
        let salt = v1::generate_salt();
-        let mut seal_key = v1::derive_seal_key(seal_key_raw, &salt);
+        let mut seal_key = derive_key(seal_key_raw, &salt);
        let mut root_key = KeyCell::new_secure_random();
        // Zero nonces are fine because they are one-time
-        let root_key_nonce = v1::Nonce::default();
+        let root_key_nonce = Nonce::default();
-        let data_encryption_nonce = v1::Nonce::default();
+        let data_encryption_nonce = Nonce::default();
        let root_key_ciphertext: Vec<u8> = root_key.0.read_inline(|reader| {
            let root_key_reader = reader.as_slice();
@@ -224,7 +219,7 @@ impl KeyHolder {
            error!("Broken database: invalid salt for root key");
            Error::BrokenDatabase
        })?;
-        let mut seal_key = v1::derive_seal_key(seal_key_raw, &salt);
+        let mut seal_key = derive_key(seal_key_raw, &salt);
        let mut root_key = SafeCell::new(current_key.ciphertext.clone());
@@ -244,7 +239,7 @@ impl KeyHolder {
        self.state = State::Unsealed {
            root_key_history_id: current_key.id,
-            root_key: v1::KeyCell::try_from(root_key).map_err(|err| {
+            root_key: KeyCell::try_from(root_key).map_err(|err| {
                error!(?err, "Broken database: invalid encryption key size");
                Error::BrokenDatabase
            })?,
@@ -255,7 +250,22 @@ impl KeyHolder {
        Ok(())
    }
-    // Decrypts the `aead_encrypted` entry with the given ID and returns the plaintext
+    // Signs a generic integrity payload using the vault-derived integrity key
    #[message]
    pub fn sign_integrity_tag(
        &mut self,
        purpose_tag: Vec<u8>,
        data_parts: Vec<Vec<u8>>,
    ) -> Result<Vec<u8>, Error> {
        let State::Unsealed { root_key, .. } = &mut self.state else {
            return Err(Error::NotBootstrapped);
        };
        let tag =
            compute_integrity_tag(root_key, &purpose_tag, data_parts.iter().map(Vec::as_slice));
        Ok(tag.to_vec())
    }
    #[message]
    pub async fn decrypt(&mut self, aead_id: i32) -> Result<SafeCell<Vec<u8>>, Error> {
        let State::Unsealed { root_key, .. } = &mut self.state else {
@@ -291,6 +301,7 @@ impl KeyHolder {
        let State::Unsealed {
            root_key,
            root_key_history_id,
            ..
        } = &mut self.state
        else {
            return Err(Error::NotBootstrapped);
--- a/server/crates/arbiter-server/src/actors/mod.rs
+++ b/server/crates/arbiter-server/src/actors/mod.rs
@@ -1,5 +1,4 @@
 use kameo::actor::{ActorRef, Spawn};
 use miette::Diagnostic;
 use thiserror::Error;
 use crate::{
@@ -17,14 +16,12 @@ pub mod flow_coordinator;
 pub mod keyholder;
 pub mod user_agent;
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum SpawnError {
    #[error("Failed to spawn Bootstrapper actor")]
    #[diagnostic(code(SpawnError::Bootstrapper))]
    Bootstrapper(#[from] bootstrap::Error),
    #[error("Failed to spawn KeyHolder actor")]
    #[diagnostic(code(SpawnError::KeyHolder))]
    KeyHolder(#[from] keyholder::Error),
 }
--- a/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
@@ -1,17 +1,27 @@
 use arbiter_proto::transport::Bi;
 use diesel::{ExpressionMethods as _, OptionalExtension as _, QueryDsl, update};
 use diesel_async::RunQueryDsl;
 use kameo::error::SendError;
 use tracing::error;
 use super::Error;
 use crate::{
    actors::{
        bootstrap::ConsumeToken,
        keyholder::{self, SignIntegrityTag},
        user_agent::{AuthPublicKey, UserAgentConnection, auth::Outbound},
    },
    crypto::integrity::v1::USERAGENT_INTEGRITY_TAG,
    db::schema,
 };
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum AttestationStatus {
    Attested,
    NotAttested,
    Unavailable,
 }
 pub struct ChallengeRequest {
    pub pubkey: AuthPublicKey,
 }
@@ -40,7 +50,11 @@ smlang::statemachine!(
    }
 );
-async fn create_nonce(db: &crate::db::DatabasePool, pubkey_bytes: &[u8]) -> Result<i32, Error> {
+async fn create_nonce(
    db: &crate::db::DatabasePool,
    pubkey_bytes: &[u8],
    key_type: crate::db::models::KeyType,
 ) -> Result<i32, Error> {
    let mut db_conn = db.get().await.map_err(|e| {
        error!(error = ?e, "Database pool error");
        Error::internal("Database unavailable")
@@ -50,12 +64,14 @@ async fn create_nonce(db: &crate::db::DatabasePool, pubkey_bytes: &[u8]) -> Resu
            Box::pin(async move {
                let current_nonce = schema::useragent_client::table
                    .filter(schema::useragent_client::public_key.eq(pubkey_bytes.to_vec()))
                    .filter(schema::useragent_client::key_type.eq(key_type))
                    .select(schema::useragent_client::nonce)
                    .first::<i32>(conn)
                    .await?;
                update(schema::useragent_client::table)
                    .filter(schema::useragent_client::public_key.eq(pubkey_bytes.to_vec()))
                    .filter(schema::useragent_client::key_type.eq(key_type))
                    .set(schema::useragent_client::nonce.eq(current_nonce + 1))
                    .execute(conn)
                    .await?;
@@ -75,7 +91,11 @@ async fn create_nonce(db: &crate::db::DatabasePool, pubkey_bytes: &[u8]) -> Resu
        })
 }
-async fn register_key(db: &crate::db::DatabasePool, pubkey: &AuthPublicKey) -> Result<(), Error> {
+async fn register_key(
    db: &crate::db::DatabasePool,
    pubkey: &AuthPublicKey,
    integrity_tag: Option<Vec<u8>>,
 ) -> Result<(), Error> {
    let pubkey_bytes = pubkey.to_stored_bytes();
    let key_type = pubkey.key_type();
    let mut conn = db.get().await.map_err(|e| {
@@ -88,6 +108,7 @@ async fn register_key(db: &crate::db::DatabasePool, pubkey: &AuthPublicKey) -> R
            schema::useragent_client::public_key.eq(pubkey_bytes),
            schema::useragent_client::nonce.eq(1),
            schema::useragent_client::key_type.eq(key_type),
            schema::useragent_client::pubkey_integrity_tag.eq(integrity_tag),
        ))
        .execute(&mut conn)
        .await
@@ -120,8 +141,15 @@ where
        &mut self,
        ChallengeRequest { pubkey }: ChallengeRequest,
    ) -> Result<ChallengeContext, Self::Error> {
        match self.verify_pubkey_attestation_status(&pubkey).await? {
            AttestationStatus::Attested | AttestationStatus::Unavailable => {}
            AttestationStatus::NotAttested => {
                return Err(Error::InvalidChallengeSolution);
            }
        }
        let stored_bytes = pubkey.to_stored_bytes();
-        let nonce = create_nonce(&self.conn.db, &stored_bytes).await?;
+        let nonce = create_nonce(&self.conn.db, &stored_bytes, pubkey.key_type()).await?;
        self.transport
            .send(Ok(Outbound::AuthChallenge { nonce }))
@@ -161,7 +189,15 @@ where
            return Err(Error::InvalidBootstrapToken);
        }
-        register_key(&self.conn.db, &pubkey).await?;
+        let integrity_tag = self
            .try_sign_pubkey_integrity_tag(&pubkey)
            .await
            .map_err(|err| {
                error!(?err, "Failed to sign user-agent pubkey integrity tag");
                Error::internal("Failed to sign user-agent pubkey integrity tag")
            })?;
        register_key(&self.conn.db, &pubkey, integrity_tag).await?;
        self.transport
            .send(Ok(Outbound::AuthSuccess))
@@ -210,16 +246,111 @@ where
            }
        };
-        if !valid {
+        match valid {
-            error!("Invalid challenge solution signature");
+            true => {
-            return Err(Error::InvalidChallengeSolution);
+                self.transport
                    .send(Ok(Outbound::AuthSuccess))
                    .await
                    .map_err(|_| Error::Transport)?;
                Ok(key.clone())
            }
            false => {
                self.transport
                    .send(Err(Error::InvalidChallengeSolution))
                    .await
                    .map_err(|_| Error::Transport)?;
                Err(Error::InvalidChallengeSolution)
            }
        }
    }
 }
 impl<T> AuthContext<'_, T>
 where
    T: Bi<super::Inbound, Result<super::Outbound, Error>> + Send,
 {
    async fn try_sign_pubkey_integrity_tag(
        &self,
        pubkey: &AuthPublicKey,
    ) -> Result<Option<Vec<u8>>, Error> {
        let signed = self
            .conn
            .actors
            .key_holder
            .ask(SignIntegrityTag {
                purpose_tag: USERAGENT_INTEGRITY_TAG.to_vec(),
                data_parts: vec![
                    (pubkey.key_type() as i32).to_be_bytes().to_vec(),
                    pubkey.to_stored_bytes(),
                ],
            })
            .await;
        match signed {
            Ok(tag) => Ok(Some(tag)),
            Err(SendError::HandlerError(keyholder::Error::NotBootstrapped)) => Ok(None),
            Err(SendError::HandlerError(err)) => {
                error!(
                    ?err,
                    "Keyholder failed to sign user-agent pubkey integrity tag"
                );
                Err(Error::internal(
                    "Keyholder failed to sign user-agent pubkey integrity tag",
                ))
            }
            Err(err) => {
                error!(
                    ?err,
                    "Failed to contact keyholder for user-agent pubkey integrity tag"
                );
                Err(Error::internal(
                    "Failed to contact keyholder for user-agent pubkey integrity tag",
                ))
            }
        }
    }
    async fn verify_pubkey_attestation_status(
        &self,
        pubkey: &AuthPublicKey,
    ) -> Result<AttestationStatus, Error> {
        let stored_tag: Option<Option<Vec<u8>>> = {
            let mut conn = self.conn.db.get().await.map_err(|e| {
                error!(error = ?e, "Database pool error");
                Error::internal("Database unavailable")
            })?;
            schema::useragent_client::table
                .filter(schema::useragent_client::public_key.eq(pubkey.to_stored_bytes()))
                .filter(schema::useragent_client::key_type.eq(pubkey.key_type()))
                .select(schema::useragent_client::pubkey_integrity_tag)
                .first::<Option<Vec<u8>>>(&mut conn)
                .await
                .optional()
                .map_err(|e| {
                    error!(error = ?e, "Database error");
                    Error::internal("Database operation failed")
                })?
        };
        let Some(stored_tag) = stored_tag else {
            return Err(Error::UnregisteredPublicKey);
        };
        let Some(expected_tag) = self.try_sign_pubkey_integrity_tag(pubkey).await? else {
            return Ok(AttestationStatus::Unavailable);
        };
        match stored_tag {
            Some(stored_tag) if stored_tag == expected_tag => Ok(AttestationStatus::Attested),
            Some(_) => {
                error!("User-agent pubkey integrity tag mismatch");
                Ok(AttestationStatus::NotAttested)
            }
            None => {
                error!("Missing pubkey integrity tag for registered key while vault is unsealed");
                Ok(AttestationStatus::NotAttested)
            }
        }
        self.transport
            .send(Ok(Outbound::AuthSuccess))
            .await
            .map_err(|_| Error::Transport)?;
        Ok(key.clone())
    }
 }
--- a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
@@ -5,8 +5,8 @@ use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use diesel::{ExpressionMethods as _, QueryDsl as _, SelectableHelper};
 use diesel_async::{AsyncConnection, RunQueryDsl};
 use kameo::error::SendError;
 use kameo::prelude::Context;
 use kameo::messages;
 use kameo::prelude::Context;
 use tracing::{error, info};
 use x25519_dalek::{EphemeralSecret, PublicKey};
--- a/server/crates/arbiter-server/src/context/mod.rs
+++ b/server/crates/arbiter-server/src/context/mod.rs
@@ -1,6 +1,5 @@
 use std::sync::Arc;
 use miette::Diagnostic;
 use thiserror::Error;
 use crate::{
@@ -11,30 +10,24 @@ use crate::{
 pub mod tls;
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum InitError {
    #[error("Database setup failed: {0}")]
    #[diagnostic(code(arbiter_server::init::database_setup))]
    DatabaseSetup(#[from] db::DatabaseSetupError),
    #[error("Connection acquire failed: {0}")]
    #[diagnostic(code(arbiter_server::init::database_pool))]
    DatabasePool(#[from] db::PoolError),
    #[error("Database query error: {0}")]
    #[diagnostic(code(arbiter_server::init::database_query))]
    DatabaseQuery(#[from] diesel::result::Error),
    #[error("TLS initialization failed: {0}")]
    #[diagnostic(code(arbiter_server::init::tls_init))]
    Tls(#[from] tls::InitError),
    #[error("Actor spawn failed: {0}")]
    #[diagnostic(code(arbiter_server::init::actor_spawn))]
    ActorSpawn(#[from] crate::actors::SpawnError),
    #[error("I/O Error: {0}")]
    #[diagnostic(code(arbiter_server::init::io))]
    Io(#[from] std::io::Error),
 }
--- a/server/crates/arbiter-server/src/context/tls.rs
+++ b/server/crates/arbiter-server/src/context/tls.rs
@@ -1,8 +1,8 @@
-use std::{net::IpAddr, string::FromUtf8Error};
+use std::{net::Ipv4Addr, string::FromUtf8Error};
 use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper as _};
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use miette::Diagnostic;
+
 use pem::Pem;
 use rcgen::{
    BasicConstraints, Certificate, CertificateParams, CertifiedIssuer, DistinguishedName, DnType,
@@ -29,30 +29,24 @@ const ENCODE_CONFIG: pem::EncodeConfig = {
    pem::EncodeConfig::new().set_line_ending(line_ending)
 };
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum InitError {
    #[error("Key generation error during TLS initialization: {0}")]
    #[diagnostic(code(arbiter_server::tls_init::key_generation))]
    KeyGeneration(#[from] rcgen::Error),
    #[error("Key invalid format: {0}")]
    #[diagnostic(code(arbiter_server::tls_init::key_invalid_format))]
    KeyInvalidFormat(#[from] FromUtf8Error),
    #[error("Key deserialization error: {0}")]
    #[diagnostic(code(arbiter_server::tls_init::key_deserialization))]
    KeyDeserializationError(rcgen::Error),
    #[error("Database error during TLS initialization: {0}")]
    #[diagnostic(code(arbiter_server::tls_init::database_error))]
    DatabaseError(#[from] diesel::result::Error),
    #[error("Pem deserialization error during TLS initialization: {0}")]
    #[diagnostic(code(arbiter_server::tls_init::pem_deserialization))]
    PemDeserializationError(#[from] rustls::pki_types::pem::Error),
    #[error("Database pool acquire error during TLS initialization: {0}")]
    #[diagnostic(code(arbiter_server::tls_init::database_pool_acquire))]
    DatabasePoolAcquire(#[from] db::PoolError),
 }
@@ -116,9 +110,7 @@ impl TlsCa {
        ];
        params
            .subject_alt_names
-            .push(SanType::IpAddress(IpAddr::from([
+            .push(SanType::IpAddress(Ipv4Addr::LOCALHOST.into()));
                127, 0, 0, 1,
            ])));
        let mut dn = DistinguishedName::new();
        dn.push(DnType::CommonName, "Arbiter Instance Leaf");
--- a/server/crates/arbiter-server/src/actors/keyholder/encryption.rs
+++ b/server/crates/arbiter-server/src/actors/keyholder/encryption.rs
--- a/server/crates/arbiter-server/src/crypto/encryption/v1.rs
+++ b/server/crates/arbiter-server/src/crypto/encryption/v1.rs
@@ -0,0 +1,109 @@
 use argon2::password_hash::Salt as ArgonSalt;
 use rand::{
    Rng as _, SeedableRng,
    rngs::{StdRng, SysRng},
 };
 pub const ROOT_KEY_TAG: &[u8] = "arbiter/seal/v1".as_bytes();
 pub const TAG: &[u8] = "arbiter/private-key/v1".as_bytes();
 pub const NONCE_LENGTH: usize = 24;
 #[derive(Default)]
 pub struct Nonce(pub [u8; NONCE_LENGTH]);
 impl Nonce {
    pub fn increment(&mut self) {
        for i in (0..self.0.len()).rev() {
            if self.0[i] == 0xFF {
                self.0[i] = 0;
            } else {
                self.0[i] += 1;
                break;
            }
        }
    }
    pub fn to_vec(&self) -> Vec<u8> {
        self.0.to_vec()
    }
 }
 impl<'a> TryFrom<&'a [u8]> for Nonce {
    type Error = ();
    fn try_from(value: &'a [u8]) -> Result<Self, Self::Error> {
        if value.len() != NONCE_LENGTH {
            return Err(());
        }
        let mut nonce = [0u8; NONCE_LENGTH];
        nonce.copy_from_slice(value);
        Ok(Self(nonce))
    }
 }
 pub type Salt = [u8; ArgonSalt::RECOMMENDED_LENGTH];
 pub fn generate_salt() -> Salt {
    let mut salt = Salt::default();
    #[allow(
        clippy::unwrap_used,
        reason = "Rng failure is unrecoverable and should panic"
    )]
    let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
    rng.fill_bytes(&mut salt);
    salt
 }
 #[cfg(test)]
 mod tests {
    use std::ops::Deref as _;
    use super::*;
    use crate::{
        crypto::derive_key,
        safe_cell::{SafeCell, SafeCellHandle as _},
    };
    #[test]
    pub fn derive_seal_key_deterministic() {
        static PASSWORD: &[u8] = b"password";
        let password = SafeCell::new(PASSWORD.to_vec());
        let password2 = SafeCell::new(PASSWORD.to_vec());
        let salt = generate_salt();
        let mut key1 = derive_key(password, &salt);
        let mut key2 = derive_key(password2, &salt);
        let key1_reader = key1.0.read();
        let key2_reader = key2.0.read();
        assert_eq!(key1_reader.deref(), key2_reader.deref());
    }
    #[test]
    pub fn successful_derive() {
        static PASSWORD: &[u8] = b"password";
        let password = SafeCell::new(PASSWORD.to_vec());
        let salt = generate_salt();
        let mut key = derive_key(password, &salt);
        let key_reader = key.0.read();
        let key_ref = key_reader.deref();
        assert_ne!(key_ref.as_slice(), &[0u8; 32][..]);
    }
    #[test]
    // We should fuzz this
    pub fn test_nonce_increment() {
        let mut nonce = Nonce([0u8; NONCE_LENGTH]);
        nonce.increment();
        assert_eq!(
            nonce.0,
            [
                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
            ]
        );
    }
 }
--- a/server/crates/arbiter-server/src/crypto/integrity/mod.rs
+++ b/server/crates/arbiter-server/src/crypto/integrity/mod.rs
@@ -0,0 +1 @@
 pub mod v1;
--- a/server/crates/arbiter-server/src/crypto/integrity/v1.rs
+++ b/server/crates/arbiter-server/src/crypto/integrity/v1.rs
@@ -0,0 +1,78 @@
 use crate::{crypto::KeyCell, safe_cell::SafeCellHandle as _};
 use chacha20poly1305::Key;
 use hmac::Mac as _;
 pub const USERAGENT_INTEGRITY_DERIVE_TAG: &[u8] = "arbiter/useragent/integrity-key/v1".as_bytes();
 pub const USERAGENT_INTEGRITY_TAG: &[u8] = "arbiter/useragent/pubkey-entry/v1".as_bytes();
 /// Computes an integrity tag for a specific domain and payload shape.
 pub fn compute_integrity_tag<'a, I>(
    integrity_key: &mut KeyCell,
    purpose_tag: &[u8],
    data_parts: I,
 ) -> [u8; 32]
 where
    I: IntoIterator<Item = &'a [u8]>,
 {
    type HmacSha256 = hmac::Hmac<sha2::Sha256>;
    let mut output_tag = [0u8; 32];
    integrity_key.0.read_inline(|integrity_key_bytes: &Key| {
        let mut mac = <HmacSha256 as hmac::Mac>::new_from_slice(integrity_key_bytes.as_ref())
            .expect("HMAC key initialization must not fail for 32-byte key");
        mac.update(purpose_tag);
        for data_part in data_parts {
            mac.update(data_part);
        }
        output_tag.copy_from_slice(&mac.finalize().into_bytes());
    });
    output_tag
 }
 #[cfg(test)]
 mod tests {
    use crate::{
        crypto::{derive_key, encryption::v1::generate_salt},
        safe_cell::{SafeCell, SafeCellHandle as _},
    };
    use super::{USERAGENT_INTEGRITY_TAG, compute_integrity_tag};
    #[test]
    pub fn integrity_tag_deterministic() {
        let salt = generate_salt();
        let mut integrity_key = derive_key(SafeCell::new(b"password".to_vec()), &salt);
        let key_type = 1i32.to_be_bytes();
        let t1 = compute_integrity_tag(
            &mut integrity_key,
            USERAGENT_INTEGRITY_TAG,
            [key_type.as_slice(), b"pubkey".as_ref()],
        );
        let t2 = compute_integrity_tag(
            &mut integrity_key,
            USERAGENT_INTEGRITY_TAG,
            [key_type.as_slice(), b"pubkey".as_ref()],
        );
        assert_eq!(t1, t2);
    }
    #[test]
    pub fn integrity_tag_changes_with_payload() {
        let salt = generate_salt();
        let mut integrity_key = derive_key(SafeCell::new(b"password".to_vec()), &salt);
        let key_type_1 = 1i32.to_be_bytes();
        let key_type_2 = 2i32.to_be_bytes();
        let t1 = compute_integrity_tag(
            &mut integrity_key,
            USERAGENT_INTEGRITY_TAG,
            [key_type_1.as_slice(), b"pubkey".as_ref()],
        );
        let t2 = compute_integrity_tag(
            &mut integrity_key,
            USERAGENT_INTEGRITY_TAG,
            [key_type_2.as_slice(), b"pubkey".as_ref()],
        );
        assert_ne!(t1, t2);
    }
 }
--- a/server/crates/arbiter-server/src/actors/keyholder/encryption/v1.rs
+++ b/server/crates/arbiter-server/src/actors/keyholder/encryption/v1.rs
@@ -1,52 +1,21 @@
 use std::ops::Deref as _;
-use argon2::{Algorithm, Argon2, password_hash::Salt as ArgonSalt};
+use argon2::{Algorithm, Argon2};
 use chacha20poly1305::{
    AeadInPlace, Key, KeyInit as _, XChaCha20Poly1305, XNonce,
    aead::{AeadMut, Error, Payload},
 };
 use rand::{
-    Rng as _, SeedableRng,
+    Rng as _, SeedableRng as _,
    rngs::{StdRng, SysRng},
 };
 use crate::safe_cell::{SafeCell, SafeCellHandle as _};
-pub const ROOT_KEY_TAG: &[u8] = "arbiter/seal/v1".as_bytes();
+pub mod encryption;
-pub const TAG: &[u8] = "arbiter/private-key/v1".as_bytes();
+pub mod integrity;
-pub const NONCE_LENGTH: usize = 24;
+use encryption::v1::{Nonce, Salt};
 #[derive(Default)]
 pub struct Nonce([u8; NONCE_LENGTH]);
 impl Nonce {
    pub fn increment(&mut self) {
        for i in (0..self.0.len()).rev() {
            if self.0[i] == 0xFF {
                self.0[i] = 0;
            } else {
                self.0[i] += 1;
                break;
            }
        }
    }
    pub fn to_vec(&self) -> Vec<u8> {
        self.0.to_vec()
    }
 }
 impl<'a> TryFrom<&'a [u8]> for Nonce {
    type Error = ();
    fn try_from(value: &'a [u8]) -> Result<Self, Self::Error> {
        if value.len() != NONCE_LENGTH {
            return Err(());
        }
        let mut nonce = [0u8; NONCE_LENGTH];
        nonce.copy_from_slice(value);
        Ok(Self(nonce))
    }
 }
 pub struct KeyCell(pub SafeCell<Key>);
 impl From<SafeCell<Key>> for KeyCell {
@@ -133,22 +102,9 @@ impl KeyCell {
    }
 }
 pub type Salt = [u8; ArgonSalt::RECOMMENDED_LENGTH];
 pub fn generate_salt() -> Salt {
    let mut salt = Salt::default();
    #[allow(
        clippy::unwrap_used,
        reason = "Rng failure is unrecoverable and should panic"
    )]
    let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
    rng.fill_bytes(&mut salt);
    salt
 }
 /// User password might be of different length, have not enough entropy, etc...
 /// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation.
-pub fn derive_seal_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
+pub fn derive_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
    #[allow(clippy::unwrap_used)]
    let params = argon2::Params::new(262_144, 3, 4, None).unwrap();
    let hasher = Argon2::new(Algorithm::Argon2id, argon2::Version::V0x13, params);
@@ -171,37 +127,11 @@ pub fn derive_seal_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell
 #[cfg(test)]
 mod tests {
-    use super::*;
+    use super::{
-    use crate::safe_cell::SafeCell;
+        derive_key,
-
+        encryption::v1::{Nonce, generate_salt},
-    #[test]
+    };
-    pub fn derive_seal_key_deterministic() {
+    use crate::safe_cell::{SafeCell, SafeCellHandle as _};
        static PASSWORD: &[u8] = b"password";
        let password = SafeCell::new(PASSWORD.to_vec());
        let password2 = SafeCell::new(PASSWORD.to_vec());
        let salt = generate_salt();
        let mut key1 = derive_seal_key(password, &salt);
        let mut key2 = derive_seal_key(password2, &salt);
        let key1_reader = key1.0.read();
        let key2_reader = key2.0.read();
        assert_eq!(key1_reader.deref(), key2_reader.deref());
    }
    #[test]
    pub fn successful_derive() {
        static PASSWORD: &[u8] = b"password";
        let password = SafeCell::new(PASSWORD.to_vec());
        let salt = generate_salt();
        let mut key = derive_seal_key(password, &salt);
        let key_reader = key.0.read();
        let key_ref = key_reader.deref();
        assert_ne!(key_ref.as_slice(), &[0u8; 32][..]);
    }
    #[test]
    pub fn encrypt_decrypt() {
@@ -209,7 +139,7 @@ mod tests {
        let password = SafeCell::new(PASSWORD.to_vec());
        let salt = generate_salt();
-        let mut key = derive_seal_key(password, &salt);
+        let mut key = derive_key(password, &salt);
        let nonce = Nonce(*b"unique nonce 123 1231233"); // 24 bytes for XChaCha20Poly1305
        let associated_data = b"associated data";
        let mut buffer = b"secret data".to_vec();
@@ -226,18 +156,4 @@ mod tests {
        let buffer = buffer.read();
        assert_eq!(*buffer, b"secret data");
    }
    #[test]
    // We should fuzz this
    pub fn test_nonce_increment() {
        let mut nonce = Nonce([0u8; NONCE_LENGTH]);
        nonce.increment();
        assert_eq!(
            nonce.0,
            [
                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
            ]
        );
    }
 }
--- a/server/crates/arbiter-server/src/db/mod.rs
+++ b/server/crates/arbiter-server/src/db/mod.rs
@@ -5,7 +5,7 @@ use diesel_async::{
    sync_connection_wrapper::SyncConnectionWrapper,
 };
 use diesel_migrations::{EmbeddedMigrations, MigrationHarness, embed_migrations};
-use miette::Diagnostic;
+
 use thiserror::Error;
 use tracing::info;
@@ -21,26 +21,21 @@ static DB_FILE: &str = "arbiter.sqlite";
 const MIGRATIONS: EmbeddedMigrations = embed_migrations!("migrations");
-#[derive(Error, Diagnostic, Debug)]
+#[derive(Error, Debug)]
 pub enum DatabaseSetupError {
    #[error("Failed to determine home directory")]
    #[diagnostic(code(arbiter::db::home_dir))]
    HomeDir(std::io::Error),
    #[error(transparent)]
    #[diagnostic(code(arbiter::db::connection))]
    Connection(diesel::ConnectionError),
    #[error(transparent)]
    #[diagnostic(code(arbiter::db::concurrency))]
    ConcurrencySetup(diesel::result::Error),
    #[error(transparent)]
    #[diagnostic(code(arbiter::db::migration))]
    Migration(Box<dyn std::error::Error + Send + Sync>),
    #[error(transparent)]
    #[diagnostic(code(arbiter::db::pool))]
    Pool(#[from] PoolInitError),
 }
--- a/server/crates/arbiter-server/src/db/models.rs
+++ b/server/crates/arbiter-server/src/db/models.rs
@@ -242,6 +242,7 @@ pub struct UseragentClient {
    pub id: i32,
    pub nonce: i32,
    pub public_key: Vec<u8>,
    pub pubkey_integrity_tag: Option<Vec<u8>>,
    pub created_at: SqliteTimestamp,
    pub updated_at: SqliteTimestamp,
    pub key_type: KeyType,
--- a/server/crates/arbiter-server/src/db/schema.rs
+++ b/server/crates/arbiter-server/src/db/schema.rs
@@ -178,6 +178,7 @@ diesel::table! {
        id -> Integer,
        nonce -> Integer,
        public_key -> Binary,
        pubkey_integrity_tag -> Nullable<Binary>,
        key_type -> Integer,
        created_at -> Integer,
        updated_at -> Integer,
--- a/server/crates/arbiter-server/src/evm/mod.rs
+++ b/server/crates/arbiter-server/src/evm/mod.rs
@@ -28,39 +28,32 @@ pub mod policies;
 mod utils;
 /// Errors that can only occur once the transaction meaning is known (during policy evaluation)
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum PolicyError {
    #[error("Database error")]
    Database(#[from] crate::db::DatabaseError),
    #[error("Transaction violates policy: {0:?}")]
    #[diagnostic(code(arbiter_server::evm::policy_error::violation))]
    Violations(Vec<EvalViolation>),
    #[error("No matching grant found")]
    #[diagnostic(code(arbiter_server::evm::policy_error::no_matching_grant))]
    NoMatchingGrant,
 }
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum VetError {
    #[error("Contract creation transactions are not supported")]
    #[diagnostic(code(arbiter_server::evm::vet_error::contract_creation_unsupported))]
    ContractCreationNotSupported,
    #[error("Engine can't classify this transaction")]
    #[diagnostic(code(arbiter_server::evm::vet_error::unsupported))]
    UnsupportedTransactionType,
    #[error("Policy evaluation failed: {1}")]
    #[diagnostic(code(arbiter_server::evm::vet_error::evaluated))]
    Evaluated(SpecificMeaning, #[source] PolicyError),
 }
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum AnalyzeError {
    #[error("Engine doesn't support granting permissions for contract creation")]
    #[diagnostic(code(arbiter_server::evm::analyze_error::contract_creation_not_supported))]
    ContractCreationNotSupported,
    #[error("Unsupported transaction type")]
    #[diagnostic(code(arbiter_server::evm::analyze_error::unsupported_transaction_type))]
    UnsupportedTransactionType,
 }
--- a/server/crates/arbiter-server/src/evm/policies.rs
+++ b/server/crates/arbiter-server/src/evm/policies.rs
@@ -6,7 +6,7 @@ use diesel::{
    ExpressionMethods as _, QueryDsl, SelectableHelper, result::QueryResult, sqlite::Sqlite,
 };
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use miette::Diagnostic;
+
 use thiserror::Error;
 use crate::{
@@ -33,33 +33,27 @@ pub struct EvalContext {
    pub max_priority_fee_per_gas: u128,
 }
-#[derive(Debug, Error, Diagnostic)]
+#[derive(Debug, Error)]
 pub enum EvalViolation {
    #[error("This grant doesn't allow transactions to the target address {target}")]
    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_target))]
    InvalidTarget { target: Address },
    #[error("Gas limit exceeded for this grant")]
    #[diagnostic(code(arbiter_server::evm::eval_violation::gas_limit_exceeded))]
    GasLimitExceeded {
        max_gas_fee_per_gas: Option<U256>,
        max_priority_fee_per_gas: Option<U256>,
    },
    #[error("Rate limit exceeded for this grant")]
    #[diagnostic(code(arbiter_server::evm::eval_violation::rate_limit_exceeded))]
    RateLimitExceeded,
    #[error("Transaction exceeds volumetric limits of the grant")]
    #[diagnostic(code(arbiter_server::evm::eval_violation::volumetric_limit_exceeded))]
    VolumetricLimitExceeded,
    #[error("Transaction is outside of the grant's validity period")]
    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_time))]
    InvalidTime,
    #[error("Transaction type is not allowed by this grant")]
    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_transaction_type))]
    InvalidTransactionType,
 }
--- a/server/crates/arbiter-server/src/grpc/client/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/client/auth.rs
@@ -140,7 +140,9 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
        let Some(payload) = auth_request.payload else {
            let _ = self
                .bi
-                .send(Err(Status::invalid_argument("Missing client auth request payload")))
+                .send(Err(Status::invalid_argument(
                    "Missing client auth request payload",
                )))
                .await;
            return None;
        };
@@ -170,9 +172,7 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                    metadata: client_metadata_from_proto(client_info),
                })
            }
-            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution { signature }) => {
                signature,
            }) => {
                let Ok(signature) = ed25519_dalek::Signature::try_from(signature.as_slice()) else {
                    let _ = self
                        .send_auth_result(ProtoAuthResult::InvalidSignature)
--- a/server/crates/arbiter-server/src/grpc/client/evm.rs
+++ b/server/crates/arbiter-server/src/grpc/client/evm.rs
@@ -34,7 +34,9 @@ pub(super) async fn dispatch(
    req: proto_evm::Request,
 ) -> Result<ClientResponsePayload, Status> {
    let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument("Missing client EVM request payload"));
+        return Err(Status::invalid_argument(
            "Missing client EVM request payload",
        ));
    };
    match payload {
@@ -59,13 +61,13 @@ pub(super) async fn dispatch(
                ))) => EvmSignTransactionResponse {
                    result: Some(vet_error.convert()),
                },
-                Err(kameo::error::SendError::HandlerError(
+                Err(kameo::error::SendError::HandlerError(SignTransactionRpcError::Internal)) => {
-                    SignTransactionRpcError::Internal,
+                    EvmSignTransactionResponse {
-                )) => EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
-                    result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
-                        ProtoEvmError::Internal.into(),
+                        )),
-                    )),
+                    }
-                },
+                }
                Err(err) => {
                    warn!(error = ?err, "Failed to sign EVM transaction");
                    EvmSignTransactionResponse {
@@ -78,8 +80,8 @@ pub(super) async fn dispatch(
            Ok(wrap_response(EvmResponsePayload::SignTransaction(response)))
        }
-        EvmRequestPayload::AnalyzeTransaction(_) => {
+        EvmRequestPayload::AnalyzeTransaction(_) => Err(Status::unimplemented(
-            Err(Status::unimplemented("EVM transaction analysis is not yet implemented"))
+            "EVM transaction analysis is not yet implemented",
-        }
+        )),
    }
 }
--- a/server/crates/arbiter-server/src/grpc/client/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/client/inbound.rs
@@ -0,0 +1 @@
--- a/server/crates/arbiter-server/src/grpc/client/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/client/outbound.rs
@@ -0,0 +1 @@
--- a/server/crates/arbiter-server/src/grpc/client/vault.rs
+++ b/server/crates/arbiter-server/src/grpc/client/vault.rs
@@ -12,11 +12,9 @@ use kameo::{actor::ActorRef, error::SendError};
 use tonic::Status;
 use tracing::warn;
-use crate::{
+use crate::actors::{
-    actors::{
+    client::session::{ClientSession, Error, HandleQueryVaultState},
-        client::session::{ClientSession, Error, HandleQueryVaultState},
+    keyholder::KeyHolderState,
        keyholder::KeyHolderState,
    },
 };
 pub(super) async fn dispatch(
@@ -24,7 +22,9 @@ pub(super) async fn dispatch(
    req: proto_vault::Request,
 ) -> Result<ClientResponsePayload, Status> {
    let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument("Missing client vault request payload"));
+        return Err(Status::invalid_argument(
            "Missing client vault request payload",
        ));
    };
    match payload {
--- a/server/crates/arbiter-server/src/grpc/common/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/common/inbound.rs
@@ -28,9 +28,8 @@ impl TryConvert for RawEvmTransaction {
    type Error = tonic::Status;
    fn try_convert(self) -> Result<Self::Output, Self::Error> {
-        let tx = TxEip1559::decode(&mut self.0.as_slice()).map_err(|_| {
+        let tx = TxEip1559::decode(&mut self.0.as_slice())
-            tonic::Status::invalid_argument("Invalid EVM transaction format")
+            .map_err(|_| tonic::Status::invalid_argument("Invalid EVM transaction format"))?;
        })?;
        Ok(tx)
    }
-}
+}
--- a/server/crates/arbiter-server/src/grpc/common/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/common/outbound.rs
@@ -1,9 +1,12 @@
 use alloy::primitives::U256;
 use arbiter_proto::proto::{
-    evm::{EvmError as ProtoEvmError, evm_sign_transaction_response::Result as EvmSignTransactionResult},
+    evm::{
        EvmError as ProtoEvmError,
        evm_sign_transaction_response::Result as EvmSignTransactionResult,
    },
    shared::evm::{
-        EvalViolation as ProtoEvalViolation, GasLimitExceededViolation,
+        EvalViolation as ProtoEvalViolation, GasLimitExceededViolation, NoMatchingGrantError,
-        NoMatchingGrantError, PolicyViolationsError, SpecificMeaning as ProtoSpecificMeaning,
+        PolicyViolationsError, SpecificMeaning as ProtoSpecificMeaning,
        TokenInfo as ProtoTokenInfo, TransactionEvalError as ProtoTransactionEvalError,
        eval_violation::Kind as ProtoEvalViolationKind,
        specific_meaning::Meaning as ProtoSpecificMeaningKind,
--- a/server/crates/arbiter-server/src/grpc/user_agent.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent.rs
@@ -1,12 +1,10 @@
 use tokio::sync::mpsc;
 use arbiter_proto::{
-    proto::{
+    proto::user_agent::{
-        user_agent::{
+        UserAgentRequest, UserAgentResponse,
-            UserAgentRequest, UserAgentResponse,
+        user_agent_request::Payload as UserAgentRequestPayload,
-            user_agent_request::Payload as UserAgentRequestPayload,
+        user_agent_response::Payload as UserAgentResponsePayload,
            user_agent_response::Payload as UserAgentResponsePayload,
        },
    },
    transport::{Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
@@ -19,6 +17,7 @@ use crate::{
    actors::user_agent::{OutOfBand, UserAgentConnection, UserAgentSession},
    grpc::request_tracker::RequestTracker,
 };
 mod auth;
 mod evm;
 mod inbound;
--- a/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/auth.rs
@@ -1,12 +1,14 @@
 use arbiter_proto::{
    proto::user_agent::{
-        UserAgentRequest, UserAgentResponse, auth::{
+        UserAgentRequest, UserAgentResponse,
        auth::{
            self as proto_auth, AuthChallenge as ProtoAuthChallenge,
            AuthChallengeRequest as ProtoAuthChallengeRequest,
            AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
            KeyType as ProtoKeyType, request::Payload as AuthRequestPayload,
            response::Payload as AuthResponsePayload,
-        }, user_agent_request::Payload as UserAgentRequestPayload,
+        },
        user_agent_request::Payload as UserAgentRequestPayload,
        user_agent_response::Payload as UserAgentResponsePayload,
    },
    transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
@@ -63,7 +65,9 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
            Ok(Outbound::AuthChallenge { nonce }) => {
                AuthResponsePayload::Challenge(ProtoAuthChallenge { nonce })
            }
-            Ok(Outbound::AuthSuccess) => AuthResponsePayload::Result(ProtoAuthResult::Success.into()),
+            Ok(Outbound::AuthSuccess) => {
                AuthResponsePayload::Result(ProtoAuthResult::Success.into())
            }
            Err(Error::UnregisteredPublicKey) => {
                AuthResponsePayload::Result(ProtoAuthResult::InvalidKey.into())
            }
@@ -171,9 +175,9 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                    bootstrap_token,
                })
            }
-            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution { signature }) => {
-                signature,
+                Some(auth::Inbound::AuthChallengeSolution { signature })
-            }) => Some(auth::Inbound::AuthChallengeSolution { signature }),
+            }
        }
    }
 }
--- a/server/crates/arbiter-server/src/grpc/user_agent/evm.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/evm.rs
@@ -3,8 +3,7 @@ use arbiter_proto::proto::{
        EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
        EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse,
        EvmSignTransactionResponse, GrantEntry, WalletCreateResponse, WalletEntry, WalletList,
-        WalletListResponse,
+        WalletListResponse, evm_grant_create_response::Result as EvmGrantCreateResult,
        evm_grant_create_response::Result as EvmGrantCreateResult,
        evm_grant_delete_response::Result as EvmGrantDeleteResult,
        evm_grant_list_response::Result as EvmGrantListResult,
        evm_sign_transaction_response::Result as EvmSignTransactionResult,
@@ -165,7 +164,12 @@ async fn handle_grant_delete(
    actor: &ActorRef<UserAgentSession>,
    req: EvmGrantDeleteRequest,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleGrantDelete { grant_id: req.grant_id }).await {
+    let result = match actor
        .ask(HandleGrantDelete {
            grant_id: req.grant_id,
        })
        .await
    {
        Ok(()) => EvmGrantDeleteResult::Ok(()),
        Err(err) => {
            warn!(error = ?err, "Failed to delete EVM grant");
@@ -202,18 +206,18 @@ async fn handle_sign_transaction(
                signature.as_bytes().to_vec(),
            )),
        },
-        Err(kameo::error::SendError::HandlerError(
+        Err(kameo::error::SendError::HandlerError(SessionSignTransactionError::Vet(vet_error))) => {
-            SessionSignTransactionError::Vet(vet_error),
+            EvmSignTransactionResponse {
-        )) => EvmSignTransactionResponse {
+                result: Some(vet_error.convert()),
-            result: Some(vet_error.convert()),
+            }
-        },
+        }
-        Err(kameo::error::SendError::HandlerError(
+        Err(kameo::error::SendError::HandlerError(SessionSignTransactionError::Internal)) => {
-            SessionSignTransactionError::Internal,
+            EvmSignTransactionResponse {
-        )) => EvmSignTransactionResponse {
+                result: Some(EvmSignTransactionResult::Error(
-            result: Some(EvmSignTransactionResult::Error(
+                    ProtoEvmError::Internal.into(),
-                ProtoEvmError::Internal.into(),
+                )),
-            )),
+            }
-        },
+        }
        Err(err) => {
            warn!(error = ?err, "Failed to sign EVM transaction");
            EvmSignTransactionResponse {
@@ -224,7 +228,7 @@ async fn handle_sign_transaction(
        }
    };
-    Ok(Some(wrap_evm_response(EvmResponsePayload::SignTransaction(
+    Ok(Some(wrap_evm_response(
-        response,
+        EvmResponsePayload::SignTransaction(response),
-    ))))
+    )))
 }
--- a/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/outbound.rs
@@ -5,9 +5,7 @@ use arbiter_proto::proto::{
        TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
        specific_grant::Grant as ProtoSpecificGrantType,
    },
-    user_agent::sdk_client::{
+    user_agent::sdk_client::{WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess},
        WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess,
    },
 };
 use chrono::{DateTime, Utc};
 use prost_types::Timestamp as ProtoTimestamp;
--- a/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
@@ -1,4 +1,5 @@
 use arbiter_proto::proto::{
    shared::ClientInfo as ProtoClientMetadata,
    user_agent::{
        sdk_client::{
            self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
@@ -13,7 +14,6 @@ use arbiter_proto::proto::{
        },
        user_agent_response::Payload as UserAgentResponsePayload,
    },
    shared::ClientInfo as ProtoClientMetadata,
 };
 use kameo::actor::ActorRef;
 use tonic::Status;
@@ -62,18 +62,22 @@ pub(super) async fn dispatch(
    req: proto_sdk_client::Request,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
    let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument("Missing SDK client request payload"));
+        return Err(Status::invalid_argument(
            "Missing SDK client request payload",
        ));
    };
    match payload {
        SdkClientRequestPayload::ConnectionResponse(resp) => {
            handle_connection_response(actor, resp).await
        }
-        SdkClientRequestPayload::Revoke(_) => {
+        SdkClientRequestPayload::Revoke(_) => Err(Status::unimplemented(
-            Err(Status::unimplemented("SdkClientRevoke is not yet implemented"))
+            "SdkClientRevoke is not yet implemented",
-        }
+        )),
        SdkClientRequestPayload::List(_) => handle_list(actor).await,
-        SdkClientRequestPayload::GrantWalletAccess(req) => handle_grant_wallet_access(actor, req).await,
+        SdkClientRequestPayload::GrantWalletAccess(req) => {
            handle_grant_wallet_access(actor, req).await
        }
        SdkClientRequestPayload::RevokeWalletAccess(req) => {
            handle_revoke_wallet_access(actor, req).await
        }
@@ -128,11 +132,11 @@ async fn handle_list(
            ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
        }
    };
-    Ok(Some(wrap_sdk_client_response(SdkClientResponsePayload::List(
+    Ok(Some(wrap_sdk_client_response(
-        ProtoSdkClientListResponse {
+        SdkClientResponsePayload::List(ProtoSdkClientListResponse {
            result: Some(result),
-        },
+        }),
-    ))))
+    )))
 }
 async fn handle_grant_wallet_access(
--- a/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent/vault.rs
@@ -1,3 +1,4 @@
 use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
 use arbiter_proto::proto::user_agent::{
    user_agent_response::Payload as UserAgentResponsePayload,
    vault::{
@@ -11,25 +12,21 @@ use arbiter_proto::proto::user_agent::{
        unseal::{
            self as proto_unseal, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
            UnsealResult as ProtoUnsealResult, UnsealStart,
-            request::Payload as UnsealRequestPayload,
+            request::Payload as UnsealRequestPayload, response::Payload as UnsealResponsePayload,
            response::Payload as UnsealResponsePayload,
        },
    },
 };
 use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
 use kameo::{actor::ActorRef, error::SendError};
 use tonic::Status;
 use tracing::warn;
-use crate::{
+use crate::actors::{
-    actors::{
+    keyholder::KeyHolderState,
-        keyholder::KeyHolderState,
+    user_agent::{
-        user_agent::{
+        UserAgentSession,
-            UserAgentSession,
+        session::connection::{
-            session::connection::{
+            BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
-                BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
+            HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
                HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
            },
        },
    },
 };
@@ -151,7 +148,9 @@ async fn handle_bootstrap_encrypted_key(
        .await
    {
        Ok(()) => ProtoBootstrapResult::Success,
-        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => ProtoBootstrapResult::InvalidKey,
+        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => {
            ProtoBootstrapResult::InvalidKey
        }
        Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
            ProtoBootstrapResult::AlreadyBootstrapped
        }
--- a/server/crates/arbiter-server/src/lib.rs
+++ b/server/crates/arbiter-server/src/lib.rs
@@ -3,6 +3,7 @@ use crate::context::ServerContext;
 pub mod actors;
 pub mod context;
 pub mod crypto;
 pub mod db;
 pub mod evm;
 pub mod grpc;
--- a/server/crates/arbiter-server/src/main.rs
+++ b/server/crates/arbiter-server/src/main.rs
@@ -1,8 +1,8 @@
 use std::net::SocketAddr;
 use anyhow::anyhow;
 use arbiter_proto::{proto::arbiter_service_server::ArbiterServiceServer, url::ArbiterUrl};
 use arbiter_server::{Server, actors::bootstrap::GetToken, context::ServerContext, db};
 use miette::miette;
 use rustls::crypto::aws_lc_rs;
 use tonic::transport::{Identity, ServerTlsConfig};
 use tracing::info;
@@ -10,7 +10,7 @@ use tracing::info;
 const PORT: u16 = 50051;
 #[tokio::main]
-async fn main() -> miette::Result<()> {
+async fn main() -> anyhow::Result<()> {
    aws_lc_rs::default_provider().install_default().unwrap();
    tracing_subscriber::fmt()
@@ -46,11 +46,11 @@ async fn main() -> miette::Result<()> {
    tonic::transport::Server::builder()
        .tls_config(tls)
-        .map_err(|err| miette!("Faild to setup TLS: {err}"))?
+        .map_err(|err| anyhow!("Failed to setup TLS: {err}"))?
        .add_service(ArbiterServiceServer::new(Server::new(context)))
        .serve(addr)
        .await
-        .map_err(|e| miette::miette!("gRPC server error: {e}"))?;
+        .map_err(|e| anyhow!("gRPC server error: {e}"))?;
    unreachable!("gRPC server should run indefinitely");
 }
--- a/server/crates/arbiter-server/tests/keyholder/lifecycle.rs
+++ b/server/crates/arbiter-server/tests/keyholder/lifecycle.rs
@@ -1,5 +1,6 @@
 use arbiter_server::{
    actors::keyholder::{Error, KeyHolder},
    crypto::encryption::v1::{Nonce, ROOT_KEY_TAG},
    db::{self, models, schema},
    safe_cell::{SafeCell, SafeCellHandle as _},
 };
@@ -25,16 +26,10 @@ async fn test_bootstrap() {
        .unwrap();
    assert_eq!(row.schema_version, 1);
-    assert_eq!(
+    assert_eq!(row.tag, ROOT_KEY_TAG);
        row.tag,
        arbiter_server::actors::keyholder::encryption::v1::ROOT_KEY_TAG
    );
    assert!(!row.ciphertext.is_empty());
    assert!(!row.salt.is_empty());
-    assert_eq!(
+    assert_eq!(row.data_encryption_nonce, Nonce::default().to_vec());
        row.data_encryption_nonce,
        arbiter_server::actors::keyholder::encryption::v1::Nonce::default().to_vec()
    );
 }
 #[tokio::test]
--- a/server/crates/arbiter-server/tests/keyholder/storage.rs
+++ b/server/crates/arbiter-server/tests/keyholder/storage.rs
@@ -1,7 +1,8 @@
 use std::collections::HashSet;
 use arbiter_server::{
-    actors::keyholder::{Error, encryption::v1},
+    actors::keyholder::Error,
    crypto::encryption::v1::Nonce,
    db::{self, models, schema},
    safe_cell::{SafeCell, SafeCellHandle as _},
 };
@@ -102,7 +103,7 @@ async fn test_nonce_never_reused() {
    assert_eq!(nonces.len(), unique.len(), "all nonces must be unique");
    for (i, row) in rows.iter().enumerate() {
-        let mut expected = v1::Nonce::default();
+        let mut expected = Nonce::default();
        for _ in 0..=i {
            expected.increment();
        }
--- a/server/crates/arbiter-server/tests/user_agent/auth.rs
+++ b/server/crates/arbiter-server/tests/user_agent/auth.rs
@@ -3,9 +3,11 @@ use arbiter_server::{
    actors::{
        GlobalActors,
        bootstrap::GetToken,
        keyholder::Bootstrap,
        user_agent::{AuthPublicKey, UserAgentConnection, auth},
    },
    db::{self, schema},
    safe_cell::{SafeCell, SafeCellHandle as _},
 };
 use diesel::{ExpressionMethods as _, QueryDsl, insert_into};
 use diesel_async::RunQueryDsl;
@@ -83,7 +85,6 @@ pub async fn test_bootstrap_invalid_token_auth() {
        Err(auth::Error::InvalidBootstrapToken)
    ));
    // Verify no key was registered
    let mut conn = db.get().await.unwrap();
    let count: i64 = schema::useragent_client::table
        .count()
@@ -102,7 +103,6 @@ pub async fn test_challenge_auth() {
    let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
    let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
    // Pre-register key with key_type
    {
        let mut conn = db.get().await.unwrap();
        insert_into(schema::useragent_client::table)
@@ -122,7 +122,6 @@ pub async fn test_challenge_auth() {
        auth::authenticate(&mut props, server_transport).await
    });
    // Send challenge request
    test_transport
        .send(auth::Inbound::AuthChallengeRequest {
            pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
@@ -131,7 +130,6 @@ pub async fn test_challenge_auth() {
        .await
        .unwrap();
    // Read the challenge response
    let response = test_transport
        .recv()
        .await
@@ -166,6 +164,57 @@ pub async fn test_challenge_auth() {
    task.await.unwrap().unwrap();
 }
 #[tokio::test]
 #[test_log::test]
 pub async fn test_challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
    let db = db::create_test_pool().await;
    let actors = GlobalActors::spawn(db.clone()).await.unwrap();
    actors
        .key_holder
        .ask(Bootstrap {
            seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
        })
        .await
        .unwrap();
    let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
    let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
    {
        let mut conn = db.get().await.unwrap();
        insert_into(schema::useragent_client::table)
            .values((
                schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
                schema::useragent_client::key_type.eq(1i32),
                schema::useragent_client::pubkey_integrity_tag.eq(Some(vec![0u8; 32])),
            ))
            .execute(&mut conn)
            .await
            .unwrap();
    }
    let (server_transport, mut test_transport) = ChannelTransport::new();
    let db_for_task = db.clone();
    let task = tokio::spawn(async move {
        let mut props = UserAgentConnection::new(db_for_task, actors);
        auth::authenticate(&mut props, server_transport).await
    });
    test_transport
        .send(auth::Inbound::AuthChallengeRequest {
            pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
            bootstrap_token: None,
        })
        .await
        .unwrap();
    assert!(matches!(
        task.await.unwrap(),
        Err(auth::Error::InvalidChallengeSolution)
    ));
 }
 #[tokio::test]
 #[test_log::test]
 pub async fn test_challenge_auth_rejects_invalid_signature() {
@@ -175,7 +224,6 @@ pub async fn test_challenge_auth_rejects_invalid_signature() {
    let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
    let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
    // Pre-register key with key_type
    {
        let mut conn = db.get().await.unwrap();
        insert_into(schema::useragent_client::table)
@@ -215,7 +263,6 @@ pub async fn test_challenge_auth_rejects_invalid_signature() {
        Err(err) => panic!("Expected Ok response, got Err({err:?})"),
    };
    // Sign a different challenge value so signature format is valid but verification must fail.
    let wrong_challenge = arbiter_proto::format_challenge(challenge + 1, &pubkey_bytes);
    let signature = new_key.sign(&wrong_challenge);
@@ -226,8 +273,10 @@ pub async fn test_challenge_auth_rejects_invalid_signature() {
        .await
        .unwrap();
    let expected_err = task.await.unwrap();
    println!("Received expected error: {expected_err:#?}");
    assert!(matches!(
-        task.await.unwrap(),
+        expected_err,
        Err(auth::Error::InvalidChallengeSolution)
    ));
 }
--- a/server/crates/arbiter-server/tests/user_agent/unseal.rs
+++ b/server/crates/arbiter-server/tests/user_agent/unseal.rs
@@ -2,14 +2,17 @@ use arbiter_server::{
    actors::{
        GlobalActors,
        keyholder::{Bootstrap, Seal},
-        user_agent::{UserAgentSession, session::connection::{
+        user_agent::{
-            HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
+            UserAgentSession,
-        }},
+            session::connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError},
        },
    },
    db,
    safe_cell::{SafeCell, SafeCellHandle as _},
 };
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use diesel::{ExpressionMethods as _, QueryDsl as _, insert_into};
 use diesel_async::RunQueryDsl;
 use kameo::actor::Spawn as _;
 use x25519_dalek::{EphemeralSecret, PublicKey};
@@ -149,3 +152,42 @@ pub async fn test_unseal_retry_after_invalid_key() {
        assert!(matches!(response, Ok(())));
    }
 }
 #[tokio::test]
 #[test_log::test]
 pub async fn test_unseal_backfills_missing_pubkey_integrity_tags() {
    let seal_key = b"test-seal-key";
    let (db, user_agent) = setup_sealed_user_agent(seal_key).await;
    {
        let mut conn = db.get().await.unwrap();
        insert_into(arbiter_server::db::schema::useragent_client::table)
            .values((
                arbiter_server::db::schema::useragent_client::public_key
                    .eq(vec![1u8, 2u8, 3u8, 4u8]),
                arbiter_server::db::schema::useragent_client::key_type.eq(1i32),
                arbiter_server::db::schema::useragent_client::pubkey_integrity_tag
                    .eq(Option::<Vec<u8>>::None),
            ))
            .execute(&mut conn)
            .await
            .unwrap();
    }
    let encrypted_key = client_dh_encrypt(&user_agent, seal_key).await;
    let response = user_agent.ask(encrypted_key).await;
    assert!(matches!(response, Ok(())));
    {
        let mut conn = db.get().await.unwrap();
        let tags: Vec<Option<Vec<u8>>> = arbiter_server::db::schema::useragent_client::table
            .select(arbiter_server::db::schema::useragent_client::pubkey_integrity_tag)
            .load(&mut conn)
            .await
            .unwrap();
        assert!(
            tags.iter()
                .all(|tag| matches!(tag, Some(v) if v.len() == 32))
        );
    }
 }
--- a/useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart
+++ b/useragent/lib/screens/dashboard/evm/grants/widgets/grant_card.dart
@@ -30,7 +30,6 @@ class GrantCard extends ConsumerWidget {
  @override
  Widget build(BuildContext context, WidgetRef ref) {
    // Enrichment lookups — each watch scopes rebuilds to this card only
    final walletAccesses =
        ref.watch(walletAccessListProvider).asData?.value ?? const [];
    final wallets = ref.watch(evmProvider).asData?.value ?? const [];
@@ -44,7 +43,6 @@ class GrantCard extends ConsumerWidget {
    final theme = Theme.of(context);
    final muted = Palette.ink.withValues(alpha: 0.62);
    // Resolve wallet_access_id → wallet address + client name
    final accessById = <int, ua_sdk.WalletAccessEntry>{
      for (final a in walletAccesses) a.id: a,
    };
@@ -94,7 +92,6 @@ class GrantCard extends ConsumerWidget {
        child: Row(
          crossAxisAlignment: CrossAxisAlignment.stretch,
          children: [
            // Accent strip
            Container(
              width: 0.8.w,
              decoration: BoxDecoration(
@@ -104,7 +101,6 @@ class GrantCard extends ConsumerWidget {
                ),
              ),
            ),
            // Card body
            Expanded(
              child: Padding(
                padding: EdgeInsets.symmetric(
@@ -114,7 +110,6 @@ class GrantCard extends ConsumerWidget {
                child: Column(
                  crossAxisAlignment: CrossAxisAlignment.start,
                  children: [
                    // Row 1: type badge · chain · spacer · revoke button
                    Row(
                      children: [
                        Container(
@@ -184,7 +179,6 @@ class GrantCard extends ConsumerWidget {
                      ],
                    ),
                    SizedBox(height: 0.8.h),
                    // Row 2: wallet address · client name
                    Row(
                      children: [
                        Text(
Author	SHA1	Message	Date
hdbg	7aca281a81	merge: @main into client-integrity-verification Some checks failed ci/woodpecker/push/server-vet Pipeline failed Details ci/woodpecker/push/server-lint Pipeline failed Details ci/woodpecker/pr/useragent-analyze Pipeline failed Details ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/push/useragent-analyze Pipeline failed Details ci/woodpecker/push/server-test Pipeline failed Details ci/woodpecker/pr/server-test Pipeline failed Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/push/server-audit Pipeline was successful Details ci/woodpecker/pr/server-audit Pipeline was successful Details	2026-04-05 10:25:46 +02:00
Stas	0daad1dd37	Merge branch 'main' into push-zmyvyloztluy Some checks failed ci/woodpecker/push/server-lint Pipeline failed Details ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/push/server-vet Pipeline failed Details ci/woodpecker/push/server-audit Pipeline was successful Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-test Pipeline was successful Details ci/woodpecker/push/server-test Pipeline was successful Details	2026-04-05 07:57:31 +00:00
Stas	9ea474e1b2	fix(server): use `LOCALHOST` const instead of hard-coded ip value Some checks failed ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-test Pipeline was successful Details	2026-04-04 14:14:15 +00:00
CleverWild	c6f440fdad	fix(client): evm-feature's code for new proto Some checks failed ci/woodpecker/push/server-audit Pipeline was successful Details ci/woodpecker/push/server-vet Pipeline failed Details ci/woodpecker/push/server-lint Pipeline failed Details ci/woodpecker/push/server-test Pipeline was successful Details	2026-04-04 14:10:44 +00:00
Stas	e17c25a604	ci(server-test): ensure that all features are compiling Some checks failed ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/pr/server-test Pipeline failed Details ci/woodpecker/push/server-audit Pipeline was successful Details ci/woodpecker/push/server-vet Pipeline failed Details ci/woodpecker/push/server-lint Pipeline failed Details ci/woodpecker/push/server-test Pipeline failed Details	2026-04-04 14:06:02 +00:00
hdbg	01b12515bd	housekeeping(server): fixed clippy warns Some checks failed ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/pr/server-test Pipeline failed Details ci/woodpecker/pr/useragent-analyze Pipeline failed Details	2026-04-04 14:33:48 +02:00
hdbg	4a50daa7ea	refactor(user-agent): remove backfill pubkey integrity tags Some checks failed ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-test Pipeline failed Details ci/woodpecker/pr/useragent-analyze Pipeline failed Details	2026-04-04 14:32:00 +02:00
hdbg	352ee3ee63	fix(server): previously, user agent auth accepted invalid signatures Some checks failed ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-test Pipeline failed Details ci/woodpecker/pr/useragent-analyze Pipeline failed Details	2026-04-04 14:28:07 +02:00
hdbg	dd51d756da	refactor(server): separate crypto by purpose and moved outside of actor into separate module	2026-04-04 14:21:52 +02:00
CleverWild	0bb6e596ac	feat(auth): implement attestation status verification for public keys Some checks failed ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-test Pipeline failed Details ci/woodpecker/pr/useragent-analyze Pipeline failed Details	2026-04-04 12:10:45 +02:00
hdbg	083ff66af2	refactor(server): removed `miette` out of server Some checks failed ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/pr/server-test Pipeline was successful Details	2026-04-04 12:10:34 +02:00
CleverWild	881f16bb1a	fix(keyholder): comment drift	2026-04-04 12:02:50 +02:00
CleverWild	78895bca5b	refactor(keyholder): generalize derive_useragent_integrity_key and compute_useragent_pubkey_integrity_tag corespondenly to derive_integrity_key and compute_integrity_tag	2026-04-04 12:00:39 +02:00
CleverWild	a02ef68a70	feat(auth): add seal-key-derived pubkey integrity tags with auth enforcement and unseal backfill Some checks failed ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-test Pipeline failed Details	2026-03-30 00:17:04 +02:00
hdbg	e5be55e141	style(dashboard): format code and add title margin Some checks failed ci/woodpecker/push/useragent-analyze Pipeline failed Details	2026-03-29 10:54:02 +02:00
hdbg	8f0eb7130b	feat(grants-create): add configurable grant authorization fields	2026-03-29 00:37:58 +01:00
hdbg	94fe04a6a4	refactor(useragent::evm::grants): split into more files & flutter_form_builder usage	2026-03-29 00:37:58 +01:00
hdbg	976c11902c	fix(useragent::dashboard): screen pushed twice due to improper listen hook	2026-03-29 00:37:58 +01:00
hdbg	c8d2662a36	refactor(grants): wrap grant list in SingleChildScrollView	2026-03-29 00:37:58 +01:00
hdbg	ac5fedddd1	style(dashboard): remove const from _CalloutBell and add title to nav rail	2026-03-29 00:37:58 +01:00
hdbg	0c2d4986a2	refactor(useragent): moved shared CreamPanel and StatePanel into generic widgets	2026-03-29 00:37:58 +01:00
hdbg	a3203936d2	feat(evm): add EVM grants screen with create UI and list	2026-03-29 00:37:58 +01:00
hdbg	fb1c0ec130	refactor(proto): restructure wallet access messages for improved data organization	2026-03-29 00:37:58 +01:00
hdbg	2a21758369	refactor(server::evm): removed repetetive errors and error variants	2026-03-29 00:37:58 +01:00
hdbg	1abb5fa006	refactor(useragent::evm::table): broke down into more widgets	2026-03-29 00:37:58 +01:00
hdbg	e1b1c857fa	refactor(useragent::evm): moved out header into general widget	2026-03-29 00:37:58 +01:00
hdbg	4216007af3	feat(useragent): vibe-coded access list	2026-03-29 00:37:58 +01:00