merge: @main into client-integrity-verification

Reviewed-on: #45

.woodpecker/server-test.yaml

@@ -24,4 +24,4 @@ steps:
       - mise install rust 
       - mise install protoc
       - mise install cargo:cargo-nextest
-      - mise exec cargo:cargo-nextest -- cargo nextest run --no-fail-fast
+      - mise exec cargo:cargo-nextest -- cargo nextest run --no-fail-fast --all-features

IMPLEMENTATION.md

@@ -67,7 +67,18 @@ The `program_client.nonce` column stores the **next usable nonce** — i.e. it i
 ## Cryptography
 
 ### Authentication
-- **Signature scheme:** ed25519
+- **Client protocol:** ed25519
+
+### User-Agent Authentication
+
+User-agent authentication supports multiple signature schemes because platform-provided "hardware-bound" keys do not expose a uniform algorithm across operating systems and hardware.
+
+- **Supported schemes:** RSA, Ed25519, ECDSA (secp256k1)
+- **Why:** the user agent authenticates with keys backed by platform facilities, and those facilities differ by platform
+- **Apple Silicon Secure Enclave / Secure Element:** ECDSA-only in practice
+- **Windows Hello / TPM 2.0:** currently RSA-backed in our integration
+
+This is why the user-agent auth protocol carries an explicit `KeyType`, while the SDK client protocol remains fixed to ed25519.
 
 ### Encryption at Rest
 - **Scheme:** Symmetric AEAD — currently **XChaCha20-Poly1305**
@@ -148,7 +159,7 @@ The central abstraction is the `Policy` trait. Each implementation handles one s
 Every grant has two layers:
 
 - **Shared (`evm_basic_grant`)** — wallet, chain, validity period, gas fee caps, transaction count rate limit. One row per grant regardless of type.
-- **Specific** — policy-owned tables (`evm_ether_transfer_grant`, `evm_token_transfer_grant`, etc.) holding type-specific configuration.
+- **Specific** — policy-owned tables (`evm_ether_transfer_grant`, `evm_token_transfer_grant`) holding type-specific configuration.
 
 `find_all_grants` uses a `#[diesel::auto_type]` base join between the specific and shared tables, then batch-loads related rows (targets, volume limits) in two additional queries to avoid N+1.
 
@@ -171,7 +182,6 @@ These are checked centrally in `check_shared_constraints` before policy evaluati
 - **Only EIP-1559 transactions are supported.** Legacy and EIP-2930 types are rejected outright.
 - **No opaque-calldata (unknown contract) grant type.** The architecture describes a category for unrecognised contracts, but no policy implements it yet. Any transaction that is not a plain ETH transfer or a known ERC-20 transfer is unconditionally rejected.
 - **Token registry is static.** Tokens are recognised only if they appear in the hard-coded `arbiter_tokens_registry` crate. There is no mechanism to register additional contracts at runtime.
-- **Nonce management is not implemented.** The architecture lists nonce deduplication as a core responsibility, but no nonce tracking or enforcement exists yet.
 
 ---
 
@@ -179,5 +189,5 @@ These are checked centrally in `check_shared_constraints` before policy evaluati
 
 The unsealed root key must be held in a hardened memory cell resistant to dumps, page swaps, and hibernation.
 
-- **Current:** Using the `memsafe` crate as an interim solution
+- **Current:** A dedicated memory-protection abstraction is in place, with `memsafe` used behind that abstraction today
-- **Planned:** Custom implementation based on `mlock` (Unix) and `VirtualProtect` (Windows)
+- **Planned:** Additional backends can be introduced behind the same abstraction, including a custom implementation based on `mlock` (Unix) and `VirtualProtect` (Windows)

mise.lock

@@ -8,10 +8,18 @@ backend = "aqua:ast-grep/ast-grep"
 checksum = "sha256:5c830eae8456569e2f7212434ed9c238f58dca412d76045418ed6d394a755836"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-unknown-linux-gnu.zip"
 
+[tools.ast-grep."platforms.linux-arm64-musl"]
+checksum = "sha256:5c830eae8456569e2f7212434ed9c238f58dca412d76045418ed6d394a755836"
+url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-unknown-linux-gnu.zip"
+
 [tools.ast-grep."platforms.linux-x64"]
 checksum = "sha256:e825a05603f0bcc4cd9076c4cc8c9abd6d008b7cd07d9aa3cc323ba4b8606651"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-unknown-linux-gnu.zip"
 
+[tools.ast-grep."platforms.linux-x64-musl"]
+checksum = "sha256:e825a05603f0bcc4cd9076c4cc8c9abd6d008b7cd07d9aa3cc323ba4b8606651"
+url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-unknown-linux-gnu.zip"
+
 [tools.ast-grep."platforms.macos-arm64"]
 checksum = "sha256:fc300d5293b1c770a5aece03a8a193b92e71e87cec726c28096990691a582620"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-apple-darwin.zip"
@@ -32,10 +40,6 @@ backend = "cargo:cargo-audit"
 version = "0.13.9"
 backend = "cargo:cargo-edit"
 
-[[tools."cargo:cargo-features"]]
-version = "1.0.0"
-backend = "cargo:cargo-features"
-
 [[tools."cargo:cargo-features-manager"]]
 version = "0.11.1"
 backend = "cargo:cargo-features-manager"
@@ -49,21 +53,13 @@ version = "0.9.126"
 backend = "cargo:cargo-nextest"
 
 [[tools."cargo:cargo-shear"]]
-version = "1.9.1"
+version = "1.11.2"
 backend = "cargo:cargo-shear"
 
 [[tools."cargo:cargo-vet"]]
 version = "0.10.2"
 backend = "cargo:cargo-vet"
 
-[[tools."cargo:diesel-cli"]]
-version = "2.3.6"
-backend = "cargo:diesel-cli"
-
-[tools."cargo:diesel-cli".options]
-default-features = "false"
-features = "sqlite,sqlite-bundled"
-
 [[tools."cargo:diesel_cli"]]
 version = "2.3.6"
 backend = "cargo:diesel_cli"
@@ -72,10 +68,6 @@ backend = "cargo:diesel_cli"
 default-features = "false"
 features = "sqlite,sqlite-bundled"
 
-[[tools."cargo:rinf_cli"]]
-version = "8.9.1"
-backend = "cargo:rinf_cli"
-
 [[tools.flutter]]
 version = "3.38.9-stable"
 backend = "asdf:flutter"
@@ -88,10 +80,18 @@ backend = "aqua:protocolbuffers/protobuf/protoc"
 checksum = "sha256:2594ff4fcae8cb57310d394d0961b236190ad9c5efbfdf1f597ea471d424fe79"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-aarch_64.zip"
 
+[tools.protoc."platforms.linux-arm64-musl"]
+checksum = "sha256:2594ff4fcae8cb57310d394d0961b236190ad9c5efbfdf1f597ea471d424fe79"
+url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-aarch_64.zip"
+
 [tools.protoc."platforms.linux-x64"]
 checksum = "sha256:48785a926e73ffa3f68e2f22b14e7b849620c7a1d36809ac9249a5495e280323"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-x86_64.zip"
 
+[tools.protoc."platforms.linux-x64-musl"]
+checksum = "sha256:48785a926e73ffa3f68e2f22b14e7b849620c7a1d36809ac9249a5495e280323"
+url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-x86_64.zip"
+
 [tools.protoc."platforms.macos-arm64"]
 checksum = "sha256:b9576b5fa1a1ef3fe13a8c91d9d8204b46545759bea5ae155cd6ba2ea4cdaeed"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-osx-aarch_64.zip"
@@ -109,24 +109,32 @@ version = "3.14.3"
 backend = "core:python"
 
 [tools.python."platforms.linux-arm64"]
-checksum = "sha256:be0f4dc2932f762292b27d46ea7d3e8e66ddf3969a5eb0254a229015ed402625"
+checksum = "sha256:53700338695e402a1a1fe22be4a41fbdacc70e22bb308a48eca8ed67cb7992be"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
+
+[tools.python."platforms.linux-arm64-musl"]
+checksum = "sha256:53700338695e402a1a1fe22be4a41fbdacc70e22bb308a48eca8ed67cb7992be"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
 
 [tools.python."platforms.linux-x64"]
-checksum = "sha256:0a73413f89efd417871876c9accaab28a9d1e3cd6358fbfff171a38ec99302f0"
+checksum = "sha256:d7a9f970914bb4c88756fe3bdcc186d4feb90e9500e54f1db47dae4dc9687e39"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
+
+[tools.python."platforms.linux-x64-musl"]
+checksum = "sha256:d7a9f970914bb4c88756fe3bdcc186d4feb90e9500e54f1db47dae4dc9687e39"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
 
 [tools.python."platforms.macos-arm64"]
-checksum = "sha256:4703cdf18b26798fde7b49b6b66149674c25f97127be6a10dbcf29309bdcdcdb"
+checksum = "sha256:c43aecde4a663aebff99b9b83da0efec506479f1c3f98331442f33d2c43501f9"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-apple-darwin-install_only_stripped.tar.gz"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-apple-darwin-install_only_stripped.tar.gz"
 
 [tools.python."platforms.macos-x64"]
-checksum = "sha256:76f1cc26e3d262eae8ca546a93e8bded10cf0323613f7e246fea2e10a8115eb7"
+checksum = "sha256:9ab41dbc2f100a2a45d1833b9c11165f51051c558b5213eda9a9731d5948a0c0"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-apple-darwin-install_only_stripped.tar.gz"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-apple-darwin-install_only_stripped.tar.gz"
 
 [tools.python."platforms.windows-x64"]
-checksum = "sha256:950c5f21a015c1bdd1337f233456df2470fab71e4d794407d27a84cb8b9909a0"
+checksum = "sha256:bbe19034b35b0267176a7442575ae7dc6343480fd4d35598cb7700173d431e09"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"
 
 [[tools.rust]]
 version = "1.93.0"

mise.toml

@@ -14,9 +14,9 @@ ast-grep = "0.42.0"
 "cargo:cargo-edit" = "0.13.9"
 
 [tasks.codegen]
-sources = ['protobufs/*.proto']
+sources = ['protobufs/*.proto', 'protobufs/**/*.proto']
-outputs = ['useragent/lib/proto/*']
+outputs = ['useragent/lib/proto/**']
 run = '''
 dart pub global activate protoc_plugin && \
-protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ protobufs/*.proto
+protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ $(find protobufs -name '*.proto' | sort)
 '''

protobufs/user_agent/evm.proto

@@ -5,6 +5,11 @@ package arbiter.user_agent.evm;
 import "evm.proto";
 import "google/protobuf/empty.proto";
 
+message SignTransactionRequest {
+  int32 client_id = 1;
+  arbiter.evm.EvmSignTransactionRequest request = 2;
+}
+
 message Request {
   oneof payload {
     google.protobuf.Empty wallet_create = 1;
@@ -12,6 +17,7 @@ message Request {
     arbiter.evm.EvmGrantCreateRequest grant_create = 3;
     arbiter.evm.EvmGrantDeleteRequest grant_delete = 4;
     arbiter.evm.EvmGrantListRequest grant_list = 5;
+    SignTransactionRequest sign_transaction = 6;
   }
 }
 
@@ -22,5 +28,6 @@ message Response {
     arbiter.evm.EvmGrantCreateResponse grant_create = 3;
     arbiter.evm.EvmGrantDeleteResponse grant_delete = 4;
     arbiter.evm.EvmGrantListResponse grant_list = 5;
+    arbiter.evm.EvmSignTransactionResponse sign_transaction = 6;
   }
 }

server/Cargo.lock

@@ -724,6 +724,7 @@ name = "arbiter-server"
 version = "0.1.0"
 dependencies = [
  "alloy",
+ "anyhow",
  "arbiter-proto",
  "arbiter-tokens-registry",
  "argon2",
@@ -737,11 +738,11 @@ dependencies = [
  "ed25519-dalek",
  "fatality",
  "futures",
+ "hmac",
  "insta",
  "k256",
  "kameo",
  "memsafe",
- "miette",
  "pem",
  "prost-types",
  "rand 0.10.0",

server/Cargo.toml

@@ -22,7 +22,6 @@ chrono = { version = "0.4.44", features = ["serde"] }
 rand = "0.10.0"
 rustls = { version = "0.23.37", features = ["aws-lc-rs"] }
 smlang = "0.8.0"
-miette = { version = "7.6.0", features = ["fancy", "serde"] }
 thiserror = "2.0.18"
 async-trait = "0.1.89"
 futures = "0.3.32"
@@ -43,3 +42,4 @@ k256 = { version = "0.13.4", features = ["ecdsa", "pkcs8"] }
 rsa = { version = "0.9", features = ["sha2"] }
 sha2 = "0.10"
 spki = "0.7"
+miette = { version = "7.6.0", features = ["fancy", "serde"] }

server/crates/arbiter-client/src/auth.rs

@@ -122,9 +122,7 @@ async fn receive_auth_confirmation(
         .await
         .map_err(|_| AuthError::UnexpectedAuthResponse)?;
 
-    let payload = response
+    let payload = response.payload.ok_or(AuthError::UnexpectedAuthResponse)?;
-        .payload
-        .ok_or(AuthError::UnexpectedAuthResponse)?;
     match payload {
         ClientResponsePayload::Auth(response) => match response.payload {
             Some(AuthResponsePayload::Result(result))

server/crates/arbiter-client/src/bin/test_connect.rs

@@ -1,9 +1,7 @@
-
 use std::io::{self, Write};
 
 use arbiter_client::ArbiterClient;
 use arbiter_proto::{ClientMetadata, url::ArbiterUrl};
-use tonic::ConnectError;
 
 #[tokio::main]
 async fn main() {
@@ -23,8 +21,6 @@ async fn main() {
         return;
     }
 
-   
-
     let url = match ArbiterUrl::try_from(input) {
         Ok(url) => url,
         Err(err) => {
@@ -33,7 +29,7 @@ async fn main() {
         }
     };
 
-     println!("{:#?}", url);
+    println!("{:#?}", url);
 
     let metadata = ClientMetadata {
         name: "arbiter-client test_connect".to_string(),

server/crates/arbiter-client/src/client.rs

@@ -1,11 +1,16 @@
-use arbiter_proto::{ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl};
+use arbiter_proto::{
+    ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl,
+};
 use std::sync::Arc;
 use tokio::sync::{Mutex, mpsc};
 use tokio_stream::wrappers::ReceiverStream;
 use tonic::transport::ClientTlsConfig;
 
 use crate::{
-    StorageError, auth::{AuthError, authenticate}, storage::{FileSigningKeyStorage, SigningKeyStorage}, transport::{BUFFER_LENGTH, ClientTransport}
+    StorageError,
+    auth::{AuthError, authenticate},
+    storage::{FileSigningKeyStorage, SigningKeyStorage},
+    transport::{BUFFER_LENGTH, ClientTransport},
 };
 
 #[cfg(feature = "evm")]
@@ -30,7 +35,6 @@ pub enum Error {
 
     #[error("Storage error")]
     Storage(#[from] StorageError),
-    
 }
 
 pub struct ArbiterClient {
@@ -61,10 +65,11 @@ impl ArbiterClient {
         let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)?.to_owned();
         let tls = ClientTlsConfig::new().trust_anchor(anchor);
 
-        let channel = tonic::transport::Channel::from_shared(format!("https://{}:{}", url.host, url.port))?
+        let channel =
-            .tls_config(tls)?
+            tonic::transport::Channel::from_shared(format!("https://{}:{}", url.host, url.port))?
-            .connect()
+                .tls_config(tls)?
-            .await?;
+                .connect()
+                .await?;
 
         let mut client = ArbiterServiceClient::new(channel);
         let (tx, rx) = mpsc::channel(BUFFER_LENGTH);

server/crates/arbiter-client/src/lib.rs

@@ -9,4 +9,4 @@ pub use client::{ArbiterClient, Error};
 pub use storage::{FileSigningKeyStorage, SigningKeyStorage, StorageError};
 
 #[cfg(feature = "evm")]
-pub use wallets::evm::ArbiterEvmWallet;
+pub use wallets::evm::{ArbiterEvmSignTransactionError, ArbiterEvmWallet};

server/crates/arbiter-client/src/transport.rs

@@ -1,6 +1,4 @@
-use arbiter_proto::proto::{
+use arbiter_proto::proto::client::{ClientRequest, ClientResponse};
-    client::{ClientRequest, ClientResponse},
-};
 use std::sync::atomic::{AtomicI32, Ordering};
 use tokio::sync::mpsc;
 
@@ -36,9 +34,7 @@ impl ClientTransport {
             .map_err(|_| ClientSignError::ChannelClosed)
     }
 
-    pub(crate) async fn recv(
+    pub(crate) async fn recv(&mut self) -> std::result::Result<ClientResponse, ClientSignError> {
-        &mut self,
-    ) -> std::result::Result<ClientResponse, ClientSignError> {
         match self.receiver.message().await {
             Ok(Some(resp)) => Ok(resp),
             Ok(None) => Err(ClientSignError::ConnectionClosed),

server/crates/arbiter-client/src/wallets/evm.rs

@@ -8,7 +8,49 @@ use async_trait::async_trait;
 use std::sync::Arc;
 use tokio::sync::Mutex;
 
-use crate::transport::ClientTransport;
+use arbiter_proto::proto::{
+    client::{
+        ClientRequest,
+        client_request::Payload as ClientRequestPayload,
+        client_response::Payload as ClientResponsePayload,
+        evm::{
+            self as proto_evm, request::Payload as EvmRequestPayload,
+            response::Payload as EvmResponsePayload,
+        },
+    },
+    evm::{
+        EvmSignTransactionRequest,
+        evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    },
+    shared::evm::TransactionEvalError,
+};
+
+use crate::transport::{ClientTransport, next_request_id};
+
+/// A typed error payload returned by [`ArbiterEvmWallet`] transaction signing.
+///
+/// This is wrapped into `alloy::signers::Error::Other`, so consumers can downcast by [`TryFrom`] and
+/// interpret the concrete policy evaluation failure instead of parsing strings.
+#[derive(Debug, thiserror::Error)]
+#[non_exhaustive]
+pub enum ArbiterEvmSignTransactionError {
+    #[error("transaction rejected by policy: {0:?}")]
+    PolicyEval(TransactionEvalError),
+}
+
+impl<'a> TryFrom<&'a Error> for &'a ArbiterEvmSignTransactionError {
+    type Error = ();
+
+    fn try_from(value: &'a Error) -> Result<Self, Self::Error> {
+        if let Error::Other(inner) = value
+            && let Some(eval_error) = inner.downcast_ref()
+        {
+            Ok(eval_error)
+        } else {
+            Err(())
+        }
+    }
+}
 
 pub struct ArbiterEvmWallet {
     transport: Arc<Mutex<ClientTransport>>,
@@ -79,11 +121,72 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
         &self,
         tx: &mut dyn SignableTransaction<Signature>,
     ) -> Result<Signature> {
-        let _transport = self.transport.lock().await;
         self.validate_chain_id(tx)?;
 
-        Err(Error::other(
+        let mut transport = self.transport.lock().await;
-            "transaction signing is not supported by current arbiter.client protocol",
+        let request_id = next_request_id();
-        ))
+        let rlp_transaction = tx.encoded_for_signing();
+
+        transport
+            .send(ClientRequest {
+                request_id,
+                payload: Some(ClientRequestPayload::Evm(proto_evm::Request {
+                    payload: Some(EvmRequestPayload::SignTransaction(
+                        EvmSignTransactionRequest {
+                            wallet_address: self.address.to_vec(),
+                            rlp_transaction,
+                        },
+                    )),
+                })),
+            })
+            .await
+            .map_err(|_| Error::other("failed to send evm sign transaction request"))?;
+
+        let response = transport
+            .recv()
+            .await
+            .map_err(|_| Error::other("failed to receive evm sign transaction response"))?;
+
+        if response.request_id != Some(request_id) {
+            return Err(Error::other(
+                "received mismatched response id for evm sign transaction",
+            ));
+        }
+
+        let payload = response
+            .payload
+            .ok_or_else(|| Error::other("missing evm sign transaction response payload"))?;
+
+        let ClientResponsePayload::Evm(proto_evm::Response {
+            payload: Some(payload),
+        }) = payload
+        else {
+            return Err(Error::other(
+                "unexpected response payload for evm sign transaction request",
+            ));
+        };
+
+        let EvmResponsePayload::SignTransaction(response) = payload else {
+            return Err(Error::other(
+                "unexpected evm response payload for sign transaction request",
+            ));
+        };
+
+        let result = response
+            .result
+            .ok_or_else(|| Error::other("missing evm sign transaction result"))?;
+
+        match result {
+            EvmSignTransactionResult::Signature(signature) => {
+                Signature::try_from(signature.as_slice())
+                    .map_err(|_| Error::other("invalid signature returned by server"))
+            }
+            EvmSignTransactionResult::EvalError(eval_error) => Err(Error::other(
+                ArbiterEvmSignTransactionError::PolicyEval(eval_error),
+            )),
+            EvmSignTransactionResult::Error(code) => Err(Error::other(format!(
+                "server failed to sign transaction with error code {code}"
+            ))),
+        }
     }
 }

server/crates/arbiter-proto/src/url.rs

@@ -7,7 +7,6 @@ const ARBITER_URL_SCHEME: &str = "arbiter";
 const CERT_QUERY_KEY: &str = "cert";
 const BOOTSTRAP_TOKEN_QUERY_KEY: &str = "bootstrap_token";
 
-
 #[derive(Debug, Clone)]
 pub struct ArbiterUrl {
     pub host: String,

server/crates/arbiter-server/Cargo.toml

@@ -25,7 +25,6 @@ tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 rustls.workspace = true
 smlang.workspace = true
-miette.workspace = true
 thiserror.workspace = true
 fatality = "0.1.1"
 diesel_migrations = { version = "2.3.1", features = ["sqlite"] }
@@ -49,10 +48,12 @@ pem = "3.0.6"
 k256.workspace = true
 rsa.workspace = true
 sha2.workspace = true
+hmac = "0.12"
 spki.workspace = true
 alloy.workspace = true
 prost-types.workspace = true
 arbiter-tokens-registry.path = "../arbiter-tokens-registry"
+anyhow = "1.0.102"
 
 [dev-dependencies]
 insta = "1.46.3"

server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql

@@ -47,6 +47,7 @@ create table if not exists useragent_client (
     id integer not null primary key,
     nonce integer not null default(1), -- used for auth challenge
     public_key blob not null,
+    pubkey_integrity_tag blob,
     key_type integer not null default(1), -- 1=Ed25519, 2=ECDSA(secp256k1)
     created_at integer not null default(unixepoch ('now')),
     updated_at integer not null default(unixepoch ('now'))

server/crates/arbiter-server/src/actors/bootstrap.rs

@@ -2,7 +2,7 @@ use arbiter_proto::{BOOTSTRAP_PATH, home_path};
 use diesel::QueryDsl;
 use diesel_async::RunQueryDsl;
 use kameo::{Actor, messages};
-use miette::Diagnostic;
+
 use rand::{RngExt, distr::Alphanumeric, make_rng, rngs::StdRng};
 use thiserror::Error;
 
@@ -25,18 +25,15 @@ pub async fn generate_token() -> Result<String, std::io::Error> {
     Ok(token)
 }
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum Error {
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter_server::bootstrap::database))]
     Database(#[from] db::PoolError),
 
     #[error("Database query error: {0}")]
-    #[diagnostic(code(arbiter_server::bootstrap::database_query))]
     Query(#[from] diesel::result::Error),
 
     #[error("I/O error: {0}")]
-    #[diagnostic(code(arbiter_server::bootstrap::io))]
     Io(#[from] std::io::Error),
 }
 

server/crates/arbiter-server/src/actors/client/auth.rs

@@ -1,5 +1,6 @@
 use arbiter_proto::{
-    ClientMetadata, format_challenge, transport::{Bi, expect_message}
+    ClientMetadata, format_challenge,
+    transport::{Bi, expect_message},
 };
 use chrono::Utc;
 use diesel::{
@@ -83,7 +84,6 @@ async fn get_client_and_nonce(
     })?;
 
     conn.exclusive_transaction(|conn| {
-        let pubkey_bytes = pubkey_bytes.clone();
         Box::pin(async move {
             let Some((client_id, current_nonce)) = program_client::table
                 .filter(program_client::public_key.eq(&pubkey_bytes))
@@ -287,10 +287,7 @@ where
     Ok(())
 }
 
-pub async fn authenticate<T>(
+pub async fn authenticate<T>(props: &mut ClientConnection, transport: &mut T) -> Result<i32, Error>
-    props: &mut ClientConnection,
-    transport: &mut T,
-) -> Result<VerifyingKey, Error>
 where
     T: Bi<Inbound, Result<Outbound, Error>> + Send + ?Sized,
 {
@@ -318,7 +315,6 @@ where
     };
 
     sync_client_metadata(&props.db, info.id, &metadata).await?;
-
     challenge_client(transport, pubkey, info.current_nonce).await?;
 
     transport
@@ -329,5 +325,5 @@ where
             Error::Transport
         })?;
 
-    Ok(pubkey)
+    Ok(info.id)
 }

server/crates/arbiter-server/src/actors/client/mod.rs

@@ -3,7 +3,7 @@ use kameo::actor::Spawn;
 use tracing::{error, info};
 
 use crate::{
-    actors::{GlobalActors, client::{ session::ClientSession}},
+    actors::{GlobalActors, client::session::ClientSession},
     db,
 };
 
@@ -32,8 +32,8 @@ where
     T: Bi<auth::Inbound, Result<auth::Outbound, auth::Error>> + Send + ?Sized,
 {
     match auth::authenticate(&mut props, transport).await {
-        Ok(_pubkey) => {
+        Ok(client_id) => {
-            ClientSession::spawn(ClientSession::new(props));
+            ClientSession::spawn(ClientSession::new(props, client_id));
             info!("Client authenticated, session started");
         }
         Err(err) => {

server/crates/arbiter-server/src/actors/client/session.rs

@@ -1,21 +1,28 @@
 use kameo::{Actor, messages};
 use tracing::error;
 
+use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
+
 use crate::{
     actors::{
-        GlobalActors, client::ClientConnection, flow_coordinator::RegisterClient,
+        GlobalActors,
+        client::ClientConnection,
+        evm::{ClientSignTransaction, SignTransactionError},
+        flow_coordinator::RegisterClient,
         keyholder::KeyHolderState,
     },
     db,
+    evm::VetError,
 };
 
 pub struct ClientSession {
     props: ClientConnection,
+    client_id: i32,
 }
 
 impl ClientSession {
-    pub(crate) fn new(props: ClientConnection) -> Self {
+    pub(crate) fn new(props: ClientConnection, client_id: i32) -> Self {
-        Self { props }
+        Self { props, client_id }
     }
 }
 
@@ -35,6 +42,34 @@ impl ClientSession {
 
         Ok(vault_state)
     }
+
+    #[message]
+    pub(crate) async fn handle_sign_transaction(
+        &mut self,
+        wallet_address: Address,
+        transaction: TxEip1559,
+    ) -> Result<Signature, SignTransactionRpcError> {
+        match self
+            .props
+            .actors
+            .evm
+            .ask(ClientSignTransaction {
+                client_id: self.client_id,
+                wallet_address,
+                transaction,
+            })
+            .await
+        {
+            Ok(signature) => Ok(signature),
+            Err(kameo::error::SendError::HandlerError(SignTransactionError::Vet(vet_error))) => {
+                Err(SignTransactionRpcError::Vet(vet_error))
+            }
+            Err(err) => {
+                error!(?err, "Failed to sign EVM transaction in client session");
+                Err(SignTransactionRpcError::Internal)
+            }
+        }
+    }
 }
 
 impl Actor for ClientSession {
@@ -59,7 +94,10 @@ impl Actor for ClientSession {
 impl ClientSession {
     pub fn new_test(db: db::DatabasePool, actors: GlobalActors) -> Self {
         let props = ClientConnection::new(db, actors);
-        Self { props }
+        Self {
+            props,
+            client_id: 0,
+        }
     }
 }
 
@@ -70,3 +108,12 @@ pub enum Error {
     #[error("Internal error")]
     Internal,
 }
+
+#[derive(Debug, thiserror::Error)]
+pub enum SignTransactionRpcError {
+    #[error("Policy evaluation failed")]
+    Vet(#[from] VetError),
+
+    #[error("Internal error")]
+    Internal,
+}

server/crates/arbiter-server/src/actors/evm/mod.rs

@@ -9,7 +9,7 @@ use rand::{SeedableRng, rng, rngs::StdRng};
 use crate::{
     actors::keyholder::{CreateNew, Decrypt, KeyHolder},
     db::{
-        self, DatabaseError, DatabasePool,
+        DatabaseError, DatabasePool,
         models::{self, SqliteTimestamp},
         schema,
     },
@@ -25,45 +25,36 @@ use crate::{
 
 pub use crate::evm::safe_signer;
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum SignTransactionError {
     #[error("Wallet not found")]
-    #[diagnostic(code(arbiter::evm::sign::wallet_not_found))]
     WalletNotFound,
 
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::database))]
     Database(#[from] DatabaseError),
 
     #[error("Keyholder error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::keyholder))]
     Keyholder(#[from] crate::actors::keyholder::Error),
 
     #[error("Keyholder mailbox error")]
-    #[diagnostic(code(arbiter::evm::sign::keyholder_send))]
     KeyholderSend,
 
     #[error("Signing error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::signing))]
     Signing(#[from] alloy::signers::Error),
 
     #[error("Policy error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::vet))]
     Vet(#[from] evm::VetError),
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum Error {
     #[error("Keyholder error: {0}")]
-    #[diagnostic(code(arbiter::evm::keyholder))]
     Keyholder(#[from] crate::actors::keyholder::Error),
 
     #[error("Keyholder mailbox error")]
-    #[diagnostic(code(arbiter::evm::keyholder_send))]
     KeyholderSend,
 
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter::evm::database))]
     Database(#[from] DatabaseError),
 }
 

server/crates/arbiter-server/src/actors/flow_coordinator/client_connect_approval.rs

@@ -15,7 +15,7 @@ use crate::actors::{
 pub struct Args {
     pub client: ClientProfile,
     pub user_agents: Vec<ActorRef<UserAgentSession>>,
-    pub reply: ReplySender<Result<bool, ApprovalError>>
+    pub reply: ReplySender<Result<bool, ApprovalError>>,
 }
 
 pub struct ClientApprovalController {
@@ -39,7 +39,11 @@ impl Actor for ClientApprovalController {
     type Error = ();
 
     async fn on_start(
-        Args { client, mut user_agents, reply }: Self::Args,
+        Args {
+            client,
+            mut user_agents,
+            reply,
+        }: Self::Args,
         actor_ref: ActorRef<Self>,
     ) -> Result<Self, Self::Error> {
         let this = Self {

server/crates/arbiter-server/src/actors/keyholder/mod.rs

@@ -8,7 +8,14 @@ use kameo::{Actor, Reply, messages};
 use strum::{EnumDiscriminants, IntoDiscriminant};
 use tracing::{error, info};
 
-use crate::safe_cell::SafeCell;
+use crate::{
+    crypto::{
+        KeyCell, derive_key,
+        encryption::v1::{self, Nonce},
+        integrity::v1::compute_integrity_tag,
+    },
+    safe_cell::SafeCell,
+};
 use crate::{
     db::{
         self,
@@ -17,9 +24,6 @@ use crate::{
     },
     safe_cell::SafeCellHandle as _,
 };
-use encryption::v1::{self, KeyCell, Nonce};
-
-pub mod encryption;
 
 #[derive(Default, EnumDiscriminants)]
 #[strum_discriminants(derive(Reply), vis(pub), name(KeyHolderState))]
@@ -35,36 +39,28 @@ enum State {
     },
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum Error {
     #[error("Keyholder is already bootstrapped")]
-    #[diagnostic(code(arbiter::keyholder::already_bootstrapped))]
     AlreadyBootstrapped,
     #[error("Keyholder is not bootstrapped")]
-    #[diagnostic(code(arbiter::keyholder::not_bootstrapped))]
     NotBootstrapped,
     #[error("Invalid key provided")]
-    #[diagnostic(code(arbiter::keyholder::invalid_key))]
     InvalidKey,
 
     #[error("Requested aead entry not found")]
-    #[diagnostic(code(arbiter::keyholder::aead_not_found))]
     NotFound,
 
     #[error("Encryption error: {0}")]
-    #[diagnostic(code(arbiter::keyholder::encryption_error))]
     Encryption(#[from] chacha20poly1305::aead::Error),
 
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter::keyholder::database_error))]
     DatabaseConnection(#[from] db::PoolError),
 
     #[error("Database transaction error: {0}")]
-    #[diagnostic(code(arbiter::keyholder::database_transaction_error))]
     DatabaseTransaction(#[from] diesel::result::Error),
 
     #[error("Broken database")]
-    #[diagnostic(code(arbiter::keyholder::broken_database))]
     BrokenDatabase,
 }
 
@@ -114,14 +110,13 @@ impl KeyHolder {
                         .first(conn)
                         .await?;
 
-                    let mut nonce =
+                    let mut nonce = Nonce::try_from(current_nonce.as_slice()).map_err(|_| {
-                        v1::Nonce::try_from(current_nonce.as_slice()).map_err(|_| {
+                        error!(
-                            error!(
+                            "Broken database: invalid nonce for root key history id={}",
-                                "Broken database: invalid nonce for root key history id={}",
+                            root_key_id
-                                root_key_id
+                        );
-                            );
+                        Error::BrokenDatabase
-                            Error::BrokenDatabase
+                    })?;
-                        })?;
                     nonce.increment();
 
                     update(schema::root_key_history::table)
@@ -144,12 +139,12 @@ impl KeyHolder {
             return Err(Error::AlreadyBootstrapped);
         }
         let salt = v1::generate_salt();
-        let mut seal_key = v1::derive_seal_key(seal_key_raw, &salt);
+        let mut seal_key = derive_key(seal_key_raw, &salt);
         let mut root_key = KeyCell::new_secure_random();
 
         // Zero nonces are fine because they are one-time
-        let root_key_nonce = v1::Nonce::default();
+        let root_key_nonce = Nonce::default();
-        let data_encryption_nonce = v1::Nonce::default();
+        let data_encryption_nonce = Nonce::default();
 
         let root_key_ciphertext: Vec<u8> = root_key.0.read_inline(|reader| {
             let root_key_reader = reader.as_slice();
@@ -214,7 +209,6 @@ impl KeyHolder {
             let mut conn = self.db.get().await?;
             schema::root_key_history::table
                 .filter(schema::root_key_history::id.eq(*root_key_history_id))
-                .select(schema::root_key_history::data_encryption_nonce)
                 .select(RootKeyHistory::as_select())
                 .first(&mut conn)
                 .await?
@@ -225,7 +219,7 @@ impl KeyHolder {
             error!("Broken database: invalid salt for root key");
             Error::BrokenDatabase
         })?;
-        let mut seal_key = v1::derive_seal_key(seal_key_raw, &salt);
+        let mut seal_key = derive_key(seal_key_raw, &salt);
 
         let mut root_key = SafeCell::new(current_key.ciphertext.clone());
 
@@ -245,7 +239,7 @@ impl KeyHolder {
 
         self.state = State::Unsealed {
             root_key_history_id: current_key.id,
-            root_key: v1::KeyCell::try_from(root_key).map_err(|err| {
+            root_key: KeyCell::try_from(root_key).map_err(|err| {
                 error!(?err, "Broken database: invalid encryption key size");
                 Error::BrokenDatabase
             })?,
@@ -256,7 +250,22 @@ impl KeyHolder {
         Ok(())
     }
 
-    // Decrypts the `aead_encrypted` entry with the given ID and returns the plaintext
+    // Signs a generic integrity payload using the vault-derived integrity key
+    #[message]
+    pub fn sign_integrity_tag(
+        &mut self,
+        purpose_tag: Vec<u8>,
+        data_parts: Vec<Vec<u8>>,
+    ) -> Result<Vec<u8>, Error> {
+        let State::Unsealed { root_key, .. } = &mut self.state else {
+            return Err(Error::NotBootstrapped);
+        };
+
+        let tag =
+            compute_integrity_tag(root_key, &purpose_tag, data_parts.iter().map(Vec::as_slice));
+        Ok(tag.to_vec())
+    }
+
     #[message]
     pub async fn decrypt(&mut self, aead_id: i32) -> Result<SafeCell<Vec<u8>>, Error> {
         let State::Unsealed { root_key, .. } = &mut self.state else {
@@ -292,6 +301,7 @@ impl KeyHolder {
         let State::Unsealed {
             root_key,
             root_key_history_id,
+            ..
         } = &mut self.state
         else {
             return Err(Error::NotBootstrapped);

server/crates/arbiter-server/src/actors/mod.rs

@@ -1,5 +1,4 @@
 use kameo::actor::{ActorRef, Spawn};
-use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
@@ -17,14 +16,12 @@ pub mod flow_coordinator;
 pub mod keyholder;
 pub mod user_agent;
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum SpawnError {
     #[error("Failed to spawn Bootstrapper actor")]
-    #[diagnostic(code(SpawnError::Bootstrapper))]
     Bootstrapper(#[from] bootstrap::Error),
 
     #[error("Failed to spawn KeyHolder actor")]
-    #[diagnostic(code(SpawnError::KeyHolder))]
     KeyHolder(#[from] keyholder::Error),
 }
 

server/crates/arbiter-server/src/actors/user_agent/auth/state.rs

@@ -1,17 +1,27 @@
 use arbiter_proto::transport::Bi;
 use diesel::{ExpressionMethods as _, OptionalExtension as _, QueryDsl, update};
 use diesel_async::RunQueryDsl;
+use kameo::error::SendError;
 use tracing::error;
 
 use super::Error;
 use crate::{
     actors::{
         bootstrap::ConsumeToken,
+        keyholder::{self, SignIntegrityTag},
         user_agent::{AuthPublicKey, UserAgentConnection, auth::Outbound},
     },
+    crypto::integrity::v1::USERAGENT_INTEGRITY_TAG,
     db::schema,
 };
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum AttestationStatus {
+    Attested,
+    NotAttested,
+    Unavailable,
+}
+
 pub struct ChallengeRequest {
     pub pubkey: AuthPublicKey,
 }
@@ -40,7 +50,11 @@ smlang::statemachine!(
     }
 );
 
-async fn create_nonce(db: &crate::db::DatabasePool, pubkey_bytes: &[u8]) -> Result<i32, Error> {
+async fn create_nonce(
+    db: &crate::db::DatabasePool,
+    pubkey_bytes: &[u8],
+    key_type: crate::db::models::KeyType,
+) -> Result<i32, Error> {
     let mut db_conn = db.get().await.map_err(|e| {
         error!(error = ?e, "Database pool error");
         Error::internal("Database unavailable")
@@ -50,12 +64,14 @@ async fn create_nonce(db: &crate::db::DatabasePool, pubkey_bytes: &[u8]) -> Resu
             Box::pin(async move {
                 let current_nonce = schema::useragent_client::table
                     .filter(schema::useragent_client::public_key.eq(pubkey_bytes.to_vec()))
+                    .filter(schema::useragent_client::key_type.eq(key_type))
                     .select(schema::useragent_client::nonce)
                     .first::<i32>(conn)
                     .await?;
 
                 update(schema::useragent_client::table)
                     .filter(schema::useragent_client::public_key.eq(pubkey_bytes.to_vec()))
+                    .filter(schema::useragent_client::key_type.eq(key_type))
                     .set(schema::useragent_client::nonce.eq(current_nonce + 1))
                     .execute(conn)
                     .await?;
@@ -75,7 +91,11 @@ async fn create_nonce(db: &crate::db::DatabasePool, pubkey_bytes: &[u8]) -> Resu
         })
 }
 
-async fn register_key(db: &crate::db::DatabasePool, pubkey: &AuthPublicKey) -> Result<(), Error> {
+async fn register_key(
+    db: &crate::db::DatabasePool,
+    pubkey: &AuthPublicKey,
+    integrity_tag: Option<Vec<u8>>,
+) -> Result<(), Error> {
     let pubkey_bytes = pubkey.to_stored_bytes();
     let key_type = pubkey.key_type();
     let mut conn = db.get().await.map_err(|e| {
@@ -88,6 +108,7 @@ async fn register_key(db: &crate::db::DatabasePool, pubkey: &AuthPublicKey) -> R
             schema::useragent_client::public_key.eq(pubkey_bytes),
             schema::useragent_client::nonce.eq(1),
             schema::useragent_client::key_type.eq(key_type),
+            schema::useragent_client::pubkey_integrity_tag.eq(integrity_tag),
         ))
         .execute(&mut conn)
         .await
@@ -120,8 +141,15 @@ where
         &mut self,
         ChallengeRequest { pubkey }: ChallengeRequest,
     ) -> Result<ChallengeContext, Self::Error> {
+        match self.verify_pubkey_attestation_status(&pubkey).await? {
+            AttestationStatus::Attested | AttestationStatus::Unavailable => {}
+            AttestationStatus::NotAttested => {
+                return Err(Error::InvalidChallengeSolution);
+            }
+        }
+
         let stored_bytes = pubkey.to_stored_bytes();
-        let nonce = create_nonce(&self.conn.db, &stored_bytes).await?;
+        let nonce = create_nonce(&self.conn.db, &stored_bytes, pubkey.key_type()).await?;
 
         self.transport
             .send(Ok(Outbound::AuthChallenge { nonce }))
@@ -161,7 +189,15 @@ where
             return Err(Error::InvalidBootstrapToken);
         }
 
-        register_key(&self.conn.db, &pubkey).await?;
+        let integrity_tag = self
+            .try_sign_pubkey_integrity_tag(&pubkey)
+            .await
+            .map_err(|err| {
+                error!(?err, "Failed to sign user-agent pubkey integrity tag");
+                Error::internal("Failed to sign user-agent pubkey integrity tag")
+            })?;
+
+        register_key(&self.conn.db, &pubkey, integrity_tag).await?;
 
         self.transport
             .send(Ok(Outbound::AuthSuccess))
@@ -210,13 +246,111 @@ where
             }
         };
 
-        if valid {
+        match valid {
-            self.transport
+            true => {
-                .send(Ok(Outbound::AuthSuccess))
+                self.transport
-                .await
+                    .send(Ok(Outbound::AuthSuccess))
-                .map_err(|_| Error::Transport)?;
+                    .await
+                    .map_err(|_| Error::Transport)?;
+                Ok(key.clone())
+            }
+            false => {
+                self.transport
+                    .send(Err(Error::InvalidChallengeSolution))
+                    .await
+                    .map_err(|_| Error::Transport)?;
+                Err(Error::InvalidChallengeSolution)
+            }
+        }
+    }
+}
+
+impl<T> AuthContext<'_, T>
+where
+    T: Bi<super::Inbound, Result<super::Outbound, Error>> + Send,
+{
+    async fn try_sign_pubkey_integrity_tag(
+        &self,
+        pubkey: &AuthPublicKey,
+    ) -> Result<Option<Vec<u8>>, Error> {
+        let signed = self
+            .conn
+            .actors
+            .key_holder
+            .ask(SignIntegrityTag {
+                purpose_tag: USERAGENT_INTEGRITY_TAG.to_vec(),
+                data_parts: vec![
+                    (pubkey.key_type() as i32).to_be_bytes().to_vec(),
+                    pubkey.to_stored_bytes(),
+                ],
+            })
+            .await;
+
+        match signed {
+            Ok(tag) => Ok(Some(tag)),
+            Err(SendError::HandlerError(keyholder::Error::NotBootstrapped)) => Ok(None),
+            Err(SendError::HandlerError(err)) => {
+                error!(
+                    ?err,
+                    "Keyholder failed to sign user-agent pubkey integrity tag"
+                );
+                Err(Error::internal(
+                    "Keyholder failed to sign user-agent pubkey integrity tag",
+                ))
+            }
+            Err(err) => {
+                error!(
+                    ?err,
+                    "Failed to contact keyholder for user-agent pubkey integrity tag"
+                );
+                Err(Error::internal(
+                    "Failed to contact keyholder for user-agent pubkey integrity tag",
+                ))
+            }
+        }
+    }
+
+    async fn verify_pubkey_attestation_status(
+        &self,
+        pubkey: &AuthPublicKey,
+    ) -> Result<AttestationStatus, Error> {
+        let stored_tag: Option<Option<Vec<u8>>> = {
+            let mut conn = self.conn.db.get().await.map_err(|e| {
+                error!(error = ?e, "Database pool error");
+                Error::internal("Database unavailable")
+            })?;
+
+            schema::useragent_client::table
+                .filter(schema::useragent_client::public_key.eq(pubkey.to_stored_bytes()))
+                .filter(schema::useragent_client::key_type.eq(pubkey.key_type()))
+                .select(schema::useragent_client::pubkey_integrity_tag)
+                .first::<Option<Vec<u8>>>(&mut conn)
+                .await
+                .optional()
+                .map_err(|e| {
+                    error!(error = ?e, "Database error");
+                    Error::internal("Database operation failed")
+                })?
+        };
+
+        let Some(stored_tag) = stored_tag else {
+            return Err(Error::UnregisteredPublicKey);
+        };
+
+        let Some(expected_tag) = self.try_sign_pubkey_integrity_tag(pubkey).await? else {
+            return Ok(AttestationStatus::Unavailable);
+        };
+
+        match stored_tag {
+            Some(stored_tag) if stored_tag == expected_tag => Ok(AttestationStatus::Attested),
+            Some(_) => {
+                error!("User-agent pubkey integrity tag mismatch");
+                Ok(AttestationStatus::NotAttested)
+            }
+            None => {
+                error!("Missing pubkey integrity tag for registered key while vault is unsealed");
+                Ok(AttestationStatus::NotAttested)
+            }
         }
-
-        Ok(key.clone())
     }
 }

server/crates/arbiter-server/src/actors/user_agent/session/connection.rs

@@ -1,13 +1,12 @@
 use std::sync::Mutex;
 
-use alloy::primitives::Address;
+use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
-use diesel::sql_types::ops::Add;
+use diesel::{ExpressionMethods as _, QueryDsl as _, SelectableHelper};
-use diesel::{BoolExpressionMethods as _, ExpressionMethods as _, QueryDsl as _, SelectableHelper};
 use diesel_async::{AsyncConnection, RunQueryDsl};
 use kameo::error::SendError;
+use kameo::messages;
 use kameo::prelude::Context;
-use kameo::{message, messages};
 use tracing::{error, info};
 use x25519_dalek::{EphemeralSecret, PublicKey};
 
@@ -15,15 +14,15 @@ use crate::actors::flow_coordinator::client_connect_approval::ClientApprovalAnsw
 use crate::actors::keyholder::KeyHolderState;
 use crate::actors::user_agent::session::Error;
 use crate::db::models::{
-    CoreEvmWalletAccess, EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
+    EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
 };
-use crate::db::schema::evm_wallet_access;
 use crate::evm::policies::{Grant, SpecificGrant};
 use crate::safe_cell::SafeCell;
 use crate::{
     actors::{
         evm::{
-            Generate, ListWallets, UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
+            ClientSignTransaction, Generate, ListWallets, SignTransactionError as EvmSignError,
+            UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
         },
         keyholder::{self, Bootstrap, TryUnseal},
         user_agent::session::{
@@ -112,6 +111,15 @@ pub enum BootstrapError {
     General(#[from] super::Error),
 }
 
+#[derive(Debug, Error)]
+pub enum SignTransactionError {
+    #[error("Policy evaluation failed")]
+    Vet(#[from] crate::evm::VetError),
+
+    #[error("Internal signing error")]
+    Internal,
+}
+
 #[messages]
 impl UserAgentSession {
     #[message]
@@ -356,6 +364,35 @@ impl UserAgentSession {
         }
     }
 
+    #[message]
+    pub(crate) async fn handle_sign_transaction(
+        &mut self,
+        client_id: i32,
+        wallet_address: Address,
+        transaction: TxEip1559,
+    ) -> Result<Signature, SignTransactionError> {
+        match self
+            .props
+            .actors
+            .evm
+            .ask(ClientSignTransaction {
+                client_id,
+                wallet_address,
+                transaction,
+            })
+            .await
+        {
+            Ok(signature) => Ok(signature),
+            Err(SendError::HandlerError(EvmSignError::Vet(vet_error))) => {
+                Err(SignTransactionError::Vet(vet_error))
+            }
+            Err(err) => {
+                error!(?err, "EVM sign transaction failed in user-agent session");
+                Err(SignTransactionError::Internal)
+            }
+        }
+    }
+
     #[message]
     pub(crate) async fn handle_grant_evm_wallet_access(
         &mut self,

server/crates/arbiter-server/src/context/mod.rs

@@ -1,6 +1,5 @@
 use std::sync::Arc;
 
-use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
@@ -11,30 +10,24 @@ use crate::{
 
 pub mod tls;
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum InitError {
     #[error("Database setup failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::database_setup))]
     DatabaseSetup(#[from] db::DatabaseSetupError),
 
     #[error("Connection acquire failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::database_pool))]
     DatabasePool(#[from] db::PoolError),
 
     #[error("Database query error: {0}")]
-    #[diagnostic(code(arbiter_server::init::database_query))]
     DatabaseQuery(#[from] diesel::result::Error),
 
     #[error("TLS initialization failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::tls_init))]
     Tls(#[from] tls::InitError),
 
     #[error("Actor spawn failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::actor_spawn))]
     ActorSpawn(#[from] crate::actors::SpawnError),
 
     #[error("I/O Error: {0}")]
-    #[diagnostic(code(arbiter_server::init::io))]
     Io(#[from] std::io::Error),
 }
 

server/crates/arbiter-server/src/context/tls.rs

@@ -1,8 +1,8 @@
-use std::{net::IpAddr, string::FromUtf8Error};
+use std::{net::Ipv4Addr, string::FromUtf8Error};
 
 use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper as _};
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use miette::Diagnostic;
+
 use pem::Pem;
 use rcgen::{
     BasicConstraints, Certificate, CertificateParams, CertifiedIssuer, DistinguishedName, DnType,
@@ -29,30 +29,24 @@ const ENCODE_CONFIG: pem::EncodeConfig = {
     pem::EncodeConfig::new().set_line_ending(line_ending)
 };
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum InitError {
     #[error("Key generation error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::key_generation))]
     KeyGeneration(#[from] rcgen::Error),
 
     #[error("Key invalid format: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::key_invalid_format))]
     KeyInvalidFormat(#[from] FromUtf8Error),
 
     #[error("Key deserialization error: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::key_deserialization))]
     KeyDeserializationError(rcgen::Error),
 
     #[error("Database error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::database_error))]
     DatabaseError(#[from] diesel::result::Error),
 
     #[error("Pem deserialization error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::pem_deserialization))]
     PemDeserializationError(#[from] rustls::pki_types::pem::Error),
 
     #[error("Database pool acquire error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::database_pool_acquire))]
     DatabasePoolAcquire(#[from] db::PoolError),
 }
 
@@ -116,9 +110,7 @@ impl TlsCa {
         ];
         params
             .subject_alt_names
-            .push(SanType::IpAddress(IpAddr::from([
+            .push(SanType::IpAddress(Ipv4Addr::LOCALHOST.into()));
-                127, 0, 0, 1,
-            ])));
 
         let mut dn = DistinguishedName::new();
         dn.push(DnType::CommonName, "Arbiter Instance Leaf");

server/crates/arbiter-server/src/crypto/encryption/v1.rs

@@ -0,0 +1,109 @@
+use argon2::password_hash::Salt as ArgonSalt;
+
+use rand::{
+    Rng as _, SeedableRng,
+    rngs::{StdRng, SysRng},
+};
+
+pub const ROOT_KEY_TAG: &[u8] = "arbiter/seal/v1".as_bytes();
+pub const TAG: &[u8] = "arbiter/private-key/v1".as_bytes();
+
+pub const NONCE_LENGTH: usize = 24;
+
+#[derive(Default)]
+pub struct Nonce(pub [u8; NONCE_LENGTH]);
+impl Nonce {
+    pub fn increment(&mut self) {
+        for i in (0..self.0.len()).rev() {
+            if self.0[i] == 0xFF {
+                self.0[i] = 0;
+            } else {
+                self.0[i] += 1;
+                break;
+            }
+        }
+    }
+
+    pub fn to_vec(&self) -> Vec<u8> {
+        self.0.to_vec()
+    }
+}
+impl<'a> TryFrom<&'a [u8]> for Nonce {
+    type Error = ();
+
+    fn try_from(value: &'a [u8]) -> Result<Self, Self::Error> {
+        if value.len() != NONCE_LENGTH {
+            return Err(());
+        }
+        let mut nonce = [0u8; NONCE_LENGTH];
+        nonce.copy_from_slice(value);
+        Ok(Self(nonce))
+    }
+}
+
+pub type Salt = [u8; ArgonSalt::RECOMMENDED_LENGTH];
+
+pub fn generate_salt() -> Salt {
+    let mut salt = Salt::default();
+    #[allow(
+        clippy::unwrap_used,
+        reason = "Rng failure is unrecoverable and should panic"
+    )]
+    let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
+    rng.fill_bytes(&mut salt);
+    salt
+}
+
+#[cfg(test)]
+mod tests {
+    use std::ops::Deref as _;
+
+    use super::*;
+    use crate::{
+        crypto::derive_key,
+        safe_cell::{SafeCell, SafeCellHandle as _},
+    };
+
+    #[test]
+    pub fn derive_seal_key_deterministic() {
+        static PASSWORD: &[u8] = b"password";
+        let password = SafeCell::new(PASSWORD.to_vec());
+        let password2 = SafeCell::new(PASSWORD.to_vec());
+        let salt = generate_salt();
+
+        let mut key1 = derive_key(password, &salt);
+        let mut key2 = derive_key(password2, &salt);
+
+        let key1_reader = key1.0.read();
+        let key2_reader = key2.0.read();
+
+        assert_eq!(key1_reader.deref(), key2_reader.deref());
+    }
+
+    #[test]
+    pub fn successful_derive() {
+        static PASSWORD: &[u8] = b"password";
+        let password = SafeCell::new(PASSWORD.to_vec());
+        let salt = generate_salt();
+
+        let mut key = derive_key(password, &salt);
+        let key_reader = key.0.read();
+        let key_ref = key_reader.deref();
+
+        assert_ne!(key_ref.as_slice(), &[0u8; 32][..]);
+    }
+
+    #[test]
+    // We should fuzz this
+    pub fn test_nonce_increment() {
+        let mut nonce = Nonce([0u8; NONCE_LENGTH]);
+        nonce.increment();
+
+        assert_eq!(
+            nonce.0,
+            [
+                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
+            ]
+        );
+    }
+}

server/crates/arbiter-server/src/crypto/integrity/mod.rs

@@ -0,0 +1 @@
+pub mod v1;

server/crates/arbiter-server/src/crypto/integrity/v1.rs

@@ -0,0 +1,78 @@
+use crate::{crypto::KeyCell, safe_cell::SafeCellHandle as _};
+use chacha20poly1305::Key;
+use hmac::Mac as _;
+
+pub const USERAGENT_INTEGRITY_DERIVE_TAG: &[u8] = "arbiter/useragent/integrity-key/v1".as_bytes();
+pub const USERAGENT_INTEGRITY_TAG: &[u8] = "arbiter/useragent/pubkey-entry/v1".as_bytes();
+
+/// Computes an integrity tag for a specific domain and payload shape.
+pub fn compute_integrity_tag<'a, I>(
+    integrity_key: &mut KeyCell,
+    purpose_tag: &[u8],
+    data_parts: I,
+) -> [u8; 32]
+where
+    I: IntoIterator<Item = &'a [u8]>,
+{
+    type HmacSha256 = hmac::Hmac<sha2::Sha256>;
+
+    let mut output_tag = [0u8; 32];
+    integrity_key.0.read_inline(|integrity_key_bytes: &Key| {
+        let mut mac = <HmacSha256 as hmac::Mac>::new_from_slice(integrity_key_bytes.as_ref())
+            .expect("HMAC key initialization must not fail for 32-byte key");
+        mac.update(purpose_tag);
+        for data_part in data_parts {
+            mac.update(data_part);
+        }
+        output_tag.copy_from_slice(&mac.finalize().into_bytes());
+    });
+
+    output_tag
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::{
+        crypto::{derive_key, encryption::v1::generate_salt},
+        safe_cell::{SafeCell, SafeCellHandle as _},
+    };
+
+    use super::{USERAGENT_INTEGRITY_TAG, compute_integrity_tag};
+
+    #[test]
+    pub fn integrity_tag_deterministic() {
+        let salt = generate_salt();
+        let mut integrity_key = derive_key(SafeCell::new(b"password".to_vec()), &salt);
+        let key_type = 1i32.to_be_bytes();
+        let t1 = compute_integrity_tag(
+            &mut integrity_key,
+            USERAGENT_INTEGRITY_TAG,
+            [key_type.as_slice(), b"pubkey".as_ref()],
+        );
+        let t2 = compute_integrity_tag(
+            &mut integrity_key,
+            USERAGENT_INTEGRITY_TAG,
+            [key_type.as_slice(), b"pubkey".as_ref()],
+        );
+        assert_eq!(t1, t2);
+    }
+
+    #[test]
+    pub fn integrity_tag_changes_with_payload() {
+        let salt = generate_salt();
+        let mut integrity_key = derive_key(SafeCell::new(b"password".to_vec()), &salt);
+        let key_type_1 = 1i32.to_be_bytes();
+        let key_type_2 = 2i32.to_be_bytes();
+        let t1 = compute_integrity_tag(
+            &mut integrity_key,
+            USERAGENT_INTEGRITY_TAG,
+            [key_type_1.as_slice(), b"pubkey".as_ref()],
+        );
+        let t2 = compute_integrity_tag(
+            &mut integrity_key,
+            USERAGENT_INTEGRITY_TAG,
+            [key_type_2.as_slice(), b"pubkey".as_ref()],
+        );
+        assert_ne!(t1, t2);
+    }
+}

server/crates/arbiter-server/src/crypto/mod.rs

@@ -1,52 +1,21 @@
 use std::ops::Deref as _;
 
-use argon2::{Algorithm, Argon2, password_hash::Salt as ArgonSalt};
+use argon2::{Algorithm, Argon2};
 use chacha20poly1305::{
     AeadInPlace, Key, KeyInit as _, XChaCha20Poly1305, XNonce,
     aead::{AeadMut, Error, Payload},
 };
 use rand::{
-    Rng as _, SeedableRng,
+    Rng as _, SeedableRng as _,
     rngs::{StdRng, SysRng},
 };
 
 use crate::safe_cell::{SafeCell, SafeCellHandle as _};
 
-pub const ROOT_KEY_TAG: &[u8] = "arbiter/seal/v1".as_bytes();
+pub mod encryption;
-pub const TAG: &[u8] = "arbiter/private-key/v1".as_bytes();
+pub mod integrity;
 
-pub const NONCE_LENGTH: usize = 24;
+use encryption::v1::{Nonce, Salt};
-
-#[derive(Default)]
-pub struct Nonce([u8; NONCE_LENGTH]);
-impl Nonce {
-    pub fn increment(&mut self) {
-        for i in (0..self.0.len()).rev() {
-            if self.0[i] == 0xFF {
-                self.0[i] = 0;
-            } else {
-                self.0[i] += 1;
-                break;
-            }
-        }
-    }
-
-    pub fn to_vec(&self) -> Vec<u8> {
-        self.0.to_vec()
-    }
-}
-impl<'a> TryFrom<&'a [u8]> for Nonce {
-    type Error = ();
-
-    fn try_from(value: &'a [u8]) -> Result<Self, Self::Error> {
-        if value.len() != NONCE_LENGTH {
-            return Err(());
-        }
-        let mut nonce = [0u8; NONCE_LENGTH];
-        nonce.copy_from_slice(value);
-        Ok(Self(nonce))
-    }
-}
 
 pub struct KeyCell(pub SafeCell<Key>);
 impl From<SafeCell<Key>> for KeyCell {
@@ -133,22 +102,9 @@ impl KeyCell {
     }
 }
 
-pub type Salt = [u8; ArgonSalt::RECOMMENDED_LENGTH];
-
-pub fn generate_salt() -> Salt {
-    let mut salt = Salt::default();
-    #[allow(
-        clippy::unwrap_used,
-        reason = "Rng failure is unrecoverable and should panic"
-    )]
-    let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
-    rng.fill_bytes(&mut salt);
-    salt
-}
-
 /// User password might be of different length, have not enough entropy, etc...
 /// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation.
-pub fn derive_seal_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
+pub fn derive_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
     #[allow(clippy::unwrap_used)]
     let params = argon2::Params::new(262_144, 3, 4, None).unwrap();
     let hasher = Argon2::new(Algorithm::Argon2id, argon2::Version::V0x13, params);
@@ -171,37 +127,11 @@ pub fn derive_seal_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell
 
 #[cfg(test)]
 mod tests {
-    use super::*;
+    use super::{
-    use crate::safe_cell::SafeCell;
+        derive_key,
-
+        encryption::v1::{Nonce, generate_salt},
-    #[test]
+    };
-    pub fn derive_seal_key_deterministic() {
+    use crate::safe_cell::{SafeCell, SafeCellHandle as _};
-        static PASSWORD: &[u8] = b"password";
-        let password = SafeCell::new(PASSWORD.to_vec());
-        let password2 = SafeCell::new(PASSWORD.to_vec());
-        let salt = generate_salt();
-
-        let mut key1 = derive_seal_key(password, &salt);
-        let mut key2 = derive_seal_key(password2, &salt);
-
-        let key1_reader = key1.0.read();
-        let key2_reader = key2.0.read();
-
-        assert_eq!(key1_reader.deref(), key2_reader.deref());
-    }
-
-    #[test]
-    pub fn successful_derive() {
-        static PASSWORD: &[u8] = b"password";
-        let password = SafeCell::new(PASSWORD.to_vec());
-        let salt = generate_salt();
-
-        let mut key = derive_seal_key(password, &salt);
-        let key_reader = key.0.read();
-        let key_ref = key_reader.deref();
-
-        assert_ne!(key_ref.as_slice(), &[0u8; 32][..]);
-    }
 
     #[test]
     pub fn encrypt_decrypt() {
@@ -209,7 +139,7 @@ mod tests {
         let password = SafeCell::new(PASSWORD.to_vec());
         let salt = generate_salt();
 
-        let mut key = derive_seal_key(password, &salt);
+        let mut key = derive_key(password, &salt);
         let nonce = Nonce(*b"unique nonce 123 1231233"); // 24 bytes for XChaCha20Poly1305
         let associated_data = b"associated data";
         let mut buffer = b"secret data".to_vec();
@@ -226,18 +156,4 @@ mod tests {
         let buffer = buffer.read();
         assert_eq!(*buffer, b"secret data");
     }
-
-    #[test]
-    // We should fuzz this
-    pub fn test_nonce_increment() {
-        let mut nonce = Nonce([0u8; NONCE_LENGTH]);
-        nonce.increment();
-
-        assert_eq!(
-            nonce.0,
-            [
-                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
-            ]
-        );
-    }
 }

server/crates/arbiter-server/src/db/mod.rs

@@ -5,7 +5,7 @@ use diesel_async::{
     sync_connection_wrapper::SyncConnectionWrapper,
 };
 use diesel_migrations::{EmbeddedMigrations, MigrationHarness, embed_migrations};
-use miette::Diagnostic;
+
 use thiserror::Error;
 use tracing::info;
 
@@ -21,26 +21,21 @@ static DB_FILE: &str = "arbiter.sqlite";
 
 const MIGRATIONS: EmbeddedMigrations = embed_migrations!("migrations");
 
-#[derive(Error, Diagnostic, Debug)]
+#[derive(Error, Debug)]
 pub enum DatabaseSetupError {
     #[error("Failed to determine home directory")]
-    #[diagnostic(code(arbiter::db::home_dir))]
     HomeDir(std::io::Error),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::connection))]
     Connection(diesel::ConnectionError),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::concurrency))]
     ConcurrencySetup(diesel::result::Error),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::migration))]
     Migration(Box<dyn std::error::Error + Send + Sync>),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::pool))]
     Pool(#[from] PoolInitError),
 }
 

server/crates/arbiter-server/src/db/models.rs

@@ -242,6 +242,7 @@ pub struct UseragentClient {
     pub id: i32,
     pub nonce: i32,
     pub public_key: Vec<u8>,
+    pub pubkey_integrity_tag: Option<Vec<u8>>,
     pub created_at: SqliteTimestamp,
     pub updated_at: SqliteTimestamp,
     pub key_type: KeyType,

server/crates/arbiter-server/src/db/schema.rs

@@ -178,6 +178,7 @@ diesel::table! {
         id -> Integer,
         nonce -> Integer,
         public_key -> Binary,
+        pubkey_integrity_tag -> Nullable<Binary>,
         key_type -> Integer,
         created_at -> Integer,
         updated_at -> Integer,

server/crates/arbiter-server/src/evm/mod.rs

@@ -8,7 +8,6 @@ use alloy::{
 use chrono::Utc;
 use diesel::{ExpressionMethods as _, QueryDsl as _, QueryResult, insert_into, sqlite::Sqlite};
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use tracing_subscriber::registry::Data;
 
 use crate::{
     db::{
@@ -29,39 +28,32 @@ pub mod policies;
 mod utils;
 
 /// Errors that can only occur once the transaction meaning is known (during policy evaluation)
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum PolicyError {
     #[error("Database error")]
-    Error(#[from] crate::db::DatabaseError),
+    Database(#[from] crate::db::DatabaseError),
     #[error("Transaction violates policy: {0:?}")]
-    #[diagnostic(code(arbiter_server::evm::policy_error::violation))]
     Violations(Vec<EvalViolation>),
     #[error("No matching grant found")]
-    #[diagnostic(code(arbiter_server::evm::policy_error::no_matching_grant))]
     NoMatchingGrant,
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum VetError {
     #[error("Contract creation transactions are not supported")]
-    #[diagnostic(code(arbiter_server::evm::vet_error::contract_creation_unsupported))]
     ContractCreationNotSupported,
     #[error("Engine can't classify this transaction")]
-    #[diagnostic(code(arbiter_server::evm::vet_error::unsupported))]
     UnsupportedTransactionType,
     #[error("Policy evaluation failed: {1}")]
-    #[diagnostic(code(arbiter_server::evm::vet_error::evaluated))]
     Evaluated(SpecificMeaning, #[source] PolicyError),
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum AnalyzeError {
     #[error("Engine doesn't support granting permissions for contract creation")]
-    #[diagnostic(code(arbiter_server::evm::analyze_error::contract_creation_not_supported))]
     ContractCreationNotSupported,
 
     #[error("Unsupported transaction type")]
-    #[diagnostic(code(arbiter_server::evm::analyze_error::unsupported_transaction_type))]
     UnsupportedTransactionType,
 }
 

server/crates/arbiter-server/src/evm/policies.rs

@@ -6,7 +6,7 @@ use diesel::{
     ExpressionMethods as _, QueryDsl, SelectableHelper, result::QueryResult, sqlite::Sqlite,
 };
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use miette::Diagnostic;
+
 use thiserror::Error;
 
 use crate::{
@@ -33,33 +33,27 @@ pub struct EvalContext {
     pub max_priority_fee_per_gas: u128,
 }
 
-#[derive(Debug, Error, Diagnostic)]
+#[derive(Debug, Error)]
 pub enum EvalViolation {
     #[error("This grant doesn't allow transactions to the target address {target}")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_target))]
     InvalidTarget { target: Address },
 
     #[error("Gas limit exceeded for this grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::gas_limit_exceeded))]
     GasLimitExceeded {
         max_gas_fee_per_gas: Option<U256>,
         max_priority_fee_per_gas: Option<U256>,
     },
 
     #[error("Rate limit exceeded for this grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::rate_limit_exceeded))]
     RateLimitExceeded,
 
     #[error("Transaction exceeds volumetric limits of the grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::volumetric_limit_exceeded))]
     VolumetricLimitExceeded,
 
     #[error("Transaction is outside of the grant's validity period")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_time))]
     InvalidTime,
 
     #[error("Transaction type is not allowed by this grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_transaction_type))]
     InvalidTransactionType,
 }
 

server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs

@@ -36,8 +36,8 @@ use super::{DatabaseID, EvalContext, EvalViolation};
 // Plain ether transfer
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct Meaning {
-    to: Address,
+    pub(crate) to: Address,
-    value: U256,
+    pub(crate) value: U256,
 }
 impl Display for Meaning {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
@@ -91,6 +91,7 @@ async fn query_relevant_past_transaction(
 
 async fn check_rate_limits(
     grant: &Grant<Settings>,
+    current_transfer_value: U256,
     db: &mut impl AsyncConnection<Backend = Sqlite>,
 ) -> QueryResult<Vec<EvalViolation>> {
     let mut violations = Vec::new();
@@ -99,12 +100,12 @@ async fn check_rate_limits(
     let past_transaction = query_relevant_past_transaction(grant.id, window, db).await?;
 
     let window_start = chrono::Utc::now() - grant.settings.limit.window;
-    let cumulative_volume: U256 = past_transaction
+    let prospective_cumulative_volume: U256 = past_transaction
         .iter()
         .filter(|(_, timestamp)| timestamp >= &window_start)
-        .fold(U256::default(), |acc, (value, _)| acc + *value);
+        .fold(current_transfer_value, |acc, (value, _)| acc + *value);
 
-    if cumulative_volume > grant.settings.limit.max_volume {
+    if prospective_cumulative_volume > grant.settings.limit.max_volume {
         violations.push(EvalViolation::VolumetricLimitExceeded);
     }
 
@@ -141,7 +142,7 @@ impl Policy for EtherTransfer {
             violations.push(EvalViolation::InvalidTarget { target: meaning.to });
         }
 
-        let rate_violations = check_rate_limits(grant, db).await?;
+        let rate_violations = check_rate_limits(grant, meaning.value, db).await?;
         violations.extend(rate_violations);
 
         Ok(violations)

server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs

@@ -198,7 +198,7 @@ async fn evaluate_rejects_volume_over_limit() {
             grant_id,
             wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
-            eth_value: utils::u256_to_bytes(U256::from(1_001u64)).to_vec(),
+            eth_value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
             signed_at: SqliteTimestamp(Utc::now()),
         })
         .execute(&mut *conn)
@@ -211,7 +211,7 @@ async fn evaluate_rejects_volume_over_limit() {
         shared: shared(),
         settings,
     };
-    let context = ctx(ALLOWED, U256::from(100u64));
+    let context = ctx(ALLOWED, U256::from(1u64));
     let m = EtherTransfer::analyze(&context).unwrap();
     let v = EtherTransfer::evaluate(&context, &m, &grant, &mut *conn)
         .await
@@ -233,13 +233,13 @@ async fn evaluate_passes_at_exactly_volume_limit() {
         .await
         .unwrap();
 
-    // Exactly at the limit — the check is `>`, so this should not violate
+    // Exactly at the limit including current transfer — check is `>`, so this should not violate
     insert_into(evm_transaction_log::table)
         .values(NewEvmTransactionLog {
             grant_id,
             wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
-            eth_value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
+            eth_value: utils::u256_to_bytes(U256::from(900u64)).to_vec(),
             signed_at: SqliteTimestamp(Utc::now()),
         })
         .execute(&mut *conn)

server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs

@@ -38,9 +38,9 @@ fn grant_join() -> _ {
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct Meaning {
-    token: &'static TokenInfo,
+    pub(crate) token: &'static TokenInfo,
-    to: Address,
+    pub(crate) to: Address,
-    value: U256,
+    pub(crate) value: U256,
 }
 impl std::fmt::Display for Meaning {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
@@ -101,6 +101,7 @@ async fn query_relevant_past_transfers(
 
 async fn check_volume_rate_limits(
     grant: &Grant<Settings>,
+    current_transfer_value: U256,
     db: &mut impl AsyncConnection<Backend = Sqlite>,
 ) -> QueryResult<Vec<EvalViolation>> {
     let mut violations = Vec::new();
@@ -113,12 +114,12 @@ async fn check_volume_rate_limits(
 
     for limit in &grant.settings.volume_limits {
         let window_start = chrono::Utc::now() - limit.window;
-        let cumulative_volume: U256 = past_transfers
+        let prospective_cumulative_volume: U256 = past_transfers
             .iter()
             .filter(|(_, timestamp)| timestamp >= &window_start)
-            .fold(U256::default(), |acc, (value, _)| acc + *value);
+            .fold(current_transfer_value, |acc, (value, _)| acc + *value);
 
-        if cumulative_volume > limit.max_volume {
+        if prospective_cumulative_volume > limit.max_volume {
             violations.push(EvalViolation::VolumetricLimitExceeded);
             break;
         }
@@ -163,7 +164,7 @@ impl Policy for TokenTransfer {
             violations.push(EvalViolation::InvalidTarget { target: meaning.to });
         }
 
-        let rate_violations = check_volume_rate_limits(grant, db).await?;
+        let rate_violations = check_volume_rate_limits(grant, meaning.value, db).await?;
         violations.extend(rate_violations);
 
         Ok(violations)

server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs

@@ -220,7 +220,7 @@ async fn evaluate_rejects_wrong_restricted_recipient() {
 }
 
 #[tokio::test]
-async fn evaluate_passes_volume_within_limit() {
+async fn evaluate_passes_volume_at_exact_limit() {
     let db = db::create_test_pool().await;
     let mut conn = db.get().await.unwrap();
 
@@ -230,7 +230,7 @@ async fn evaluate_passes_volume_within_limit() {
         .await
         .unwrap();
 
-    // Record a past transfer of 500 (within 1000 limit)
+    // Record a past transfer of 900, with current transfer 100 => exactly 1000 limit
     use crate::db::{models::NewEvmTokenTransferLog, schema::evm_token_transfer_log};
     insert_into(evm_token_transfer_log::table)
         .values(NewEvmTokenTransferLog {
@@ -239,7 +239,7 @@ async fn evaluate_passes_volume_within_limit() {
             chain_id: CHAIN_ID as i32,
             token_contract: DAI.to_vec(),
             recipient_address: RECIPIENT.to_vec(),
-            value: utils::u256_to_bytes(U256::from(500u64)).to_vec(),
+            value: utils::u256_to_bytes(U256::from(900u64)).to_vec(),
         })
         .execute(&mut *conn)
         .await
@@ -282,7 +282,7 @@ async fn evaluate_rejects_volume_over_limit() {
             chain_id: CHAIN_ID as i32,
             token_contract: DAI.to_vec(),
             recipient_address: RECIPIENT.to_vec(),
-            value: utils::u256_to_bytes(U256::from(1_001u64)).to_vec(),
+            value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
         })
         .execute(&mut *conn)
         .await
@@ -294,7 +294,7 @@ async fn evaluate_rejects_volume_over_limit() {
         shared: shared(),
         settings,
     };
-    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    let calldata = transfer_calldata(RECIPIENT, U256::from(1u64));
     let context = ctx(DAI, calldata);
     let m = TokenTransfer::analyze(&context).unwrap();
     let v = TokenTransfer::evaluate(&context, &m, &grant, &mut *conn)

server/crates/arbiter-server/src/grpc/client.rs

@@ -1,36 +1,24 @@
 use arbiter_proto::{
-    proto::{
+    proto::client::{
-        client::{
+        ClientRequest, ClientResponse, client_request::Payload as ClientRequestPayload,
-            ClientRequest, ClientResponse,
+        client_response::Payload as ClientResponsePayload,
-            client_request::Payload as ClientRequestPayload,
-            client_response::Payload as ClientResponsePayload,
-            vault::{self as proto_vault, request::Payload as VaultRequestPayload, response::Payload as VaultResponsePayload},
-        },
-        shared::VaultState as ProtoVaultState,
     },
     transport::{Receiver, Sender, grpc::GrpcBi},
 };
-use kameo::{
+use kameo::actor::{ActorRef, Spawn as _};
-    actor::{ActorRef, Spawn as _},
-    error::SendError,
-};
 use tonic::Status;
 use tracing::{info, warn};
 
 use crate::{
-    actors::{
+    actors::client::{ClientConnection, session::ClientSession},
-        client::{
-            self, ClientConnection,
-            session::{ClientSession, Error, HandleQueryVaultState},
-        },
-        keyholder::KeyHolderState,
-    },
     grpc::request_tracker::RequestTracker,
 };
 
 mod auth;
+mod evm;
 mod inbound;
 mod outbound;
+mod vault;
 
 async fn dispatch_loop(
     mut bi: GrpcBi<ClientRequest, ClientResponse>,
@@ -38,7 +26,9 @@ async fn dispatch_loop(
     mut request_tracker: RequestTracker,
 ) {
     loop {
-        let Some(message) = bi.recv().await else { return };
+        let Some(message) = bi.recv().await else {
+            return;
+        };
 
         let conn = match message {
             Ok(conn) => conn,
@@ -57,16 +47,24 @@ async fn dispatch_loop(
         };
 
         let Some(payload) = conn.payload else {
-            let _ = bi.send(Err(Status::invalid_argument("Missing client request payload"))).await;
+            let _ = bi
+                .send(Err(Status::invalid_argument(
+                    "Missing client request payload",
+                )))
+                .await;
             return;
         };
 
         match dispatch_inner(&actor, payload).await {
             Ok(response) => {
-                if bi.send(Ok(ClientResponse {
+                if bi
-                    request_id: Some(request_id),
+                    .send(Ok(ClientResponse {
-                    payload: Some(response),
+                        request_id: Some(request_id),
-                })).await.is_err() {
+                        payload: Some(response),
+                    }))
+                    .await
+                    .is_err()
+                {
                     return;
                 }
             }
@@ -83,52 +81,33 @@ async fn dispatch_inner(
     payload: ClientRequestPayload,
 ) -> Result<ClientResponsePayload, Status> {
     match payload {
-        ClientRequestPayload::Vault(req) => dispatch_vault_request(actor, req).await,
+        ClientRequestPayload::Vault(req) => vault::dispatch(actor, req).await,
-        payload => {
+        ClientRequestPayload::Evm(req) => evm::dispatch(actor, req).await,
-            warn!(?payload, "Unsupported post-auth client request");
+        ClientRequestPayload::Auth(..) => {
+            warn!("Unsupported post-auth client auth request");
             Err(Status::invalid_argument("Unsupported client request"))
         }
     }
 }
 
-async fn dispatch_vault_request(
-    actor: &ActorRef<ClientSession>,
-    req: proto_vault::Request,
-) -> Result<ClientResponsePayload, Status> {
-    let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument("Missing client vault request payload"));
-    };
-
-    match payload {
-        VaultRequestPayload::QueryState(_) => {
-            let state = match actor.ask(HandleQueryVaultState {}).await {
-                Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
-                Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
-                Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
-                Err(SendError::HandlerError(Error::Internal)) => ProtoVaultState::Error,
-                Err(err) => {
-                    warn!(error = ?err, "Failed to query vault state");
-                    ProtoVaultState::Error
-                }
-            };
-            Ok(ClientResponsePayload::Vault(proto_vault::Response {
-                payload: Some(VaultResponsePayload::State(state.into())),
-            }))
-        }
-    }
-}
-
 pub async fn start(mut conn: ClientConnection, mut bi: GrpcBi<ClientRequest, ClientResponse>) {
     let mut request_tracker = RequestTracker::default();
 
-    if let Err(e) = auth::start(&mut conn, &mut bi, &mut request_tracker).await {
+    let client_id = match auth::start(&mut conn, &mut bi, &mut request_tracker).await {
-        let mut transport = auth::AuthTransportAdapter::new(&mut bi, &mut request_tracker);
+        Ok(id) => id,
-        let _ = transport.send(Err(e.clone())).await;
+        Err(err) => {
-        warn!(error = ?e, "Client authentication failed");
+            let _ = bi
-        return;
+                .send(Err(Status::unauthenticated(format!(
+                    "Authentication failed: {}",
+                    err
+                ))))
+                .await;
+            warn!(error = ?err, "Client authentication failed");
+            return;
+        }
     };
 
-    let actor = client::session::ClientSession::spawn(client::session::ClientSession::new(conn));
+    let actor = ClientSession::spawn(ClientSession::new(conn, client_id));
     let actor_for_cleanup = actor.clone();
 
     info!("Client authenticated successfully");

server/crates/arbiter-server/src/grpc/client/auth.rs

@@ -14,7 +14,7 @@ use arbiter_proto::{
         },
         shared::ClientInfo as ProtoClientInfo,
     },
-    transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi}
+    transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
 use async_trait::async_trait;
 use tonic::Status;
@@ -49,7 +49,9 @@ impl<'a> AuthTransportAdapter<'a> {
                     nonce,
                 })
             }
-            auth::Outbound::AuthSuccess => AuthResponsePayload::Result(ProtoAuthResult::Success.into()),
+            auth::Outbound::AuthSuccess => {
+                AuthResponsePayload::Result(ProtoAuthResult::Success.into())
+            }
         }
     }
 
@@ -138,7 +140,9 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
         let Some(payload) = auth_request.payload else {
             let _ = self
                 .bi
-                .send(Err(Status::invalid_argument("Missing client auth request payload")))
+                .send(Err(Status::invalid_argument(
+                    "Missing client auth request payload",
+                )))
                 .await;
             return None;
         };
@@ -168,9 +172,7 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                     metadata: client_metadata_from_proto(client_info),
                 })
             }
-            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution { signature }) => {
-                signature,
-            }) => {
                 let Ok(signature) = ed25519_dalek::Signature::try_from(signature.as_slice()) else {
                     let _ = self
                         .send_auth_result(ProtoAuthResult::InvalidSignature)
@@ -197,8 +199,7 @@ pub async fn start(
     conn: &mut ClientConnection,
     bi: &mut GrpcBi<ClientRequest, ClientResponse>,
     request_tracker: &mut RequestTracker,
-) -> Result<(), auth::Error> {
+) -> Result<i32, auth::Error> {
     let mut transport = AuthTransportAdapter::new(bi, request_tracker);
-    client::auth::authenticate(conn, &mut transport).await?;
+    client::auth::authenticate(conn, &mut transport).await
-    Ok(())
 }

server/crates/arbiter-server/src/grpc/client/evm.rs

@@ -0,0 +1,87 @@
+use arbiter_proto::proto::{
+    client::{
+        client_response::Payload as ClientResponsePayload,
+        evm::{
+            self as proto_evm, request::Payload as EvmRequestPayload,
+            response::Payload as EvmResponsePayload,
+        },
+    },
+    evm::{
+        EvmError as ProtoEvmError, EvmSignTransactionResponse,
+        evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    },
+};
+use kameo::actor::ActorRef;
+use tonic::Status;
+use tracing::warn;
+
+use crate::{
+    actors::client::session::{ClientSession, HandleSignTransaction, SignTransactionRpcError},
+    grpc::{
+        Convert, TryConvert,
+        common::inbound::{RawEvmAddress, RawEvmTransaction},
+    },
+};
+
+fn wrap_response(payload: EvmResponsePayload) -> ClientResponsePayload {
+    ClientResponsePayload::Evm(proto_evm::Response {
+        payload: Some(payload),
+    })
+}
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<ClientSession>,
+    req: proto_evm::Request,
+) -> Result<ClientResponsePayload, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument(
+            "Missing client EVM request payload",
+        ));
+    };
+
+    match payload {
+        EvmRequestPayload::SignTransaction(request) => {
+            let address = RawEvmAddress(request.wallet_address).try_convert()?;
+            let transaction = RawEvmTransaction(request.rlp_transaction).try_convert()?;
+
+            let response = match actor
+                .ask(HandleSignTransaction {
+                    wallet_address: address,
+                    transaction,
+                })
+                .await
+            {
+                Ok(signature) => EvmSignTransactionResponse {
+                    result: Some(EvmSignTransactionResult::Signature(
+                        signature.as_bytes().to_vec(),
+                    )),
+                },
+                Err(kameo::error::SendError::HandlerError(SignTransactionRpcError::Vet(
+                    vet_error,
+                ))) => EvmSignTransactionResponse {
+                    result: Some(vet_error.convert()),
+                },
+                Err(kameo::error::SendError::HandlerError(SignTransactionRpcError::Internal)) => {
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
+                        )),
+                    }
+                }
+                Err(err) => {
+                    warn!(error = ?err, "Failed to sign EVM transaction");
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
+                        )),
+                    }
+                }
+            };
+
+            Ok(wrap_response(EvmResponsePayload::SignTransaction(response)))
+        }
+        EvmRequestPayload::AnalyzeTransaction(_) => Err(Status::unimplemented(
+            "EVM transaction analysis is not yet implemented",
+        )),
+    }
+}

server/crates/arbiter-server/src/grpc/client/inbound.rs

@@ -0,0 +1 @@
+

server/crates/arbiter-server/src/grpc/client/outbound.rs

@@ -0,0 +1 @@
+

server/crates/arbiter-server/src/grpc/client/vault.rs

@@ -0,0 +1,47 @@
+use arbiter_proto::proto::{
+    client::{
+        client_response::Payload as ClientResponsePayload,
+        vault::{
+            self as proto_vault, request::Payload as VaultRequestPayload,
+            response::Payload as VaultResponsePayload,
+        },
+    },
+    shared::VaultState as ProtoVaultState,
+};
+use kameo::{actor::ActorRef, error::SendError};
+use tonic::Status;
+use tracing::warn;
+
+use crate::actors::{
+    client::session::{ClientSession, Error, HandleQueryVaultState},
+    keyholder::KeyHolderState,
+};
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<ClientSession>,
+    req: proto_vault::Request,
+) -> Result<ClientResponsePayload, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument(
+            "Missing client vault request payload",
+        ));
+    };
+
+    match payload {
+        VaultRequestPayload::QueryState(_) => {
+            let state = match actor.ask(HandleQueryVaultState {}).await {
+                Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
+                Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
+                Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
+                Err(SendError::HandlerError(Error::Internal)) => ProtoVaultState::Error,
+                Err(err) => {
+                    warn!(error = ?err, "Failed to query vault state");
+                    ProtoVaultState::Error
+                }
+            };
+            Ok(ClientResponsePayload::Vault(proto_vault::Response {
+                payload: Some(VaultResponsePayload::State(state.into())),
+            }))
+        }
+    }
+}

server/crates/arbiter-server/src/grpc/common.rs

@@ -0,0 +1,2 @@
+pub mod inbound;
+pub mod outbound;

server/crates/arbiter-server/src/grpc/common/inbound.rs

@@ -0,0 +1,35 @@
+use alloy::{consensus::TxEip1559, primitives::Address, rlp::Decodable as _};
+
+use crate::grpc::TryConvert;
+
+pub struct RawEvmAddress(pub Vec<u8>);
+impl TryConvert for RawEvmAddress {
+    type Output = Address;
+
+    type Error = tonic::Status;
+
+    fn try_convert(self) -> Result<Self::Output, Self::Error> {
+        let wallet_address = match <[u8; 20]>::try_from(self.0.as_slice()) {
+            Ok(address) => Address::from(address),
+            Err(_) => {
+                return Err(tonic::Status::invalid_argument(
+                    "Invalid EVM wallet address",
+                ));
+            }
+        };
+        Ok(wallet_address)
+    }
+}
+
+pub struct RawEvmTransaction(pub Vec<u8>);
+impl TryConvert for RawEvmTransaction {
+    type Output = TxEip1559;
+
+    type Error = tonic::Status;
+
+    fn try_convert(self) -> Result<Self::Output, Self::Error> {
+        let tx = TxEip1559::decode(&mut self.0.as_slice())
+            .map_err(|_| tonic::Status::invalid_argument("Invalid EVM transaction format"))?;
+        Ok(tx)
+    }
+}

server/crates/arbiter-server/src/grpc/common/outbound.rs

@@ -0,0 +1,119 @@
+use alloy::primitives::U256;
+use arbiter_proto::proto::{
+    evm::{
+        EvmError as ProtoEvmError,
+        evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    },
+    shared::evm::{
+        EvalViolation as ProtoEvalViolation, GasLimitExceededViolation, NoMatchingGrantError,
+        PolicyViolationsError, SpecificMeaning as ProtoSpecificMeaning,
+        TokenInfo as ProtoTokenInfo, TransactionEvalError as ProtoTransactionEvalError,
+        eval_violation::Kind as ProtoEvalViolationKind,
+        specific_meaning::Meaning as ProtoSpecificMeaningKind,
+        transaction_eval_error::Kind as ProtoTransactionEvalErrorKind,
+    },
+};
+
+use crate::{
+    evm::{
+        PolicyError, VetError,
+        policies::{EvalViolation, SpecificMeaning},
+    },
+    grpc::Convert,
+};
+
+fn u256_to_proto_bytes(value: U256) -> Vec<u8> {
+    value.to_be_bytes::<32>().to_vec()
+}
+
+impl Convert for SpecificMeaning {
+    type Output = ProtoSpecificMeaning;
+
+    fn convert(self) -> Self::Output {
+        let kind = match self {
+            SpecificMeaning::EtherTransfer(meaning) => ProtoSpecificMeaningKind::EtherTransfer(
+                arbiter_proto::proto::shared::evm::EtherTransferMeaning {
+                    to: meaning.to.to_vec(),
+                    value: u256_to_proto_bytes(meaning.value),
+                },
+            ),
+            SpecificMeaning::TokenTransfer(meaning) => ProtoSpecificMeaningKind::TokenTransfer(
+                arbiter_proto::proto::shared::evm::TokenTransferMeaning {
+                    token: Some(ProtoTokenInfo {
+                        symbol: meaning.token.symbol.to_string(),
+                        address: meaning.token.contract.to_vec(),
+                        chain_id: meaning.token.chain,
+                    }),
+                    to: meaning.to.to_vec(),
+                    value: u256_to_proto_bytes(meaning.value),
+                },
+            ),
+        };
+
+        ProtoSpecificMeaning {
+            meaning: Some(kind),
+        }
+    }
+}
+
+impl Convert for EvalViolation {
+    type Output = ProtoEvalViolation;
+
+    fn convert(self) -> Self::Output {
+        let kind = match self {
+            EvalViolation::InvalidTarget { target } => {
+                ProtoEvalViolationKind::InvalidTarget(target.to_vec())
+            }
+            EvalViolation::GasLimitExceeded {
+                max_gas_fee_per_gas,
+                max_priority_fee_per_gas,
+            } => ProtoEvalViolationKind::GasLimitExceeded(GasLimitExceededViolation {
+                max_gas_fee_per_gas: max_gas_fee_per_gas.map(u256_to_proto_bytes),
+                max_priority_fee_per_gas: max_priority_fee_per_gas.map(u256_to_proto_bytes),
+            }),
+            EvalViolation::RateLimitExceeded => ProtoEvalViolationKind::RateLimitExceeded(()),
+            EvalViolation::VolumetricLimitExceeded => {
+                ProtoEvalViolationKind::VolumetricLimitExceeded(())
+            }
+            EvalViolation::InvalidTime => ProtoEvalViolationKind::InvalidTime(()),
+            EvalViolation::InvalidTransactionType => {
+                ProtoEvalViolationKind::InvalidTransactionType(())
+            }
+        };
+
+        ProtoEvalViolation { kind: Some(kind) }
+    }
+}
+
+impl Convert for VetError {
+    type Output = EvmSignTransactionResult;
+
+    fn convert(self) -> Self::Output {
+        let kind = match self {
+            VetError::ContractCreationNotSupported => {
+                ProtoTransactionEvalErrorKind::ContractCreationNotSupported(())
+            }
+            VetError::UnsupportedTransactionType => {
+                ProtoTransactionEvalErrorKind::UnsupportedTransactionType(())
+            }
+            VetError::Evaluated(meaning, policy_error) => match policy_error {
+                PolicyError::NoMatchingGrant => {
+                    ProtoTransactionEvalErrorKind::NoMatchingGrant(NoMatchingGrantError {
+                        meaning: Some(meaning.convert()),
+                    })
+                }
+                PolicyError::Violations(violations) => {
+                    ProtoTransactionEvalErrorKind::PolicyViolations(PolicyViolationsError {
+                        meaning: Some(meaning.convert()),
+                        violations: violations.into_iter().map(Convert::convert).collect(),
+                    })
+                }
+                PolicyError::Database(_) => {
+                    return EvmSignTransactionResult::Error(ProtoEvmError::Internal.into());
+                }
+            },
+        };
+
+        EvmSignTransactionResult::EvalError(ProtoTransactionEvalError { kind: Some(kind) }.into())
+    }
+}

server/crates/arbiter-server/src/grpc/mod.rs

@@ -14,10 +14,13 @@ use crate::{
     grpc::user_agent::start,
 };
 
-pub mod client;
 mod request_tracker;
+
+pub mod client;
 pub mod user_agent;
 
+mod common;
+
 pub trait Convert {
     type Output;
 

server/crates/arbiter-server/src/grpc/user_agent.rs

@@ -1,12 +1,10 @@
 use tokio::sync::mpsc;
 
 use arbiter_proto::{
-    proto::{
+    proto::user_agent::{
-        user_agent::{
+        UserAgentRequest, UserAgentResponse,
-            UserAgentRequest, UserAgentResponse,
+        user_agent_request::Payload as UserAgentRequestPayload,
-            user_agent_request::Payload as UserAgentRequestPayload,
+        user_agent_response::Payload as UserAgentResponsePayload,
-            user_agent_response::Payload as UserAgentResponsePayload,
-        },
     },
     transport::{Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
@@ -19,6 +17,7 @@ use crate::{
     actors::user_agent::{OutOfBand, UserAgentConnection, UserAgentSession},
     grpc::request_tracker::RequestTracker,
 };
+
 mod auth;
 mod evm;
 mod inbound;

server/crates/arbiter-server/src/grpc/user_agent/auth.rs

@@ -1,12 +1,14 @@
 use arbiter_proto::{
     proto::user_agent::{
-        UserAgentRequest, UserAgentResponse, auth::{
+        UserAgentRequest, UserAgentResponse,
+        auth::{
             self as proto_auth, AuthChallenge as ProtoAuthChallenge,
             AuthChallengeRequest as ProtoAuthChallengeRequest,
             AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
             KeyType as ProtoKeyType, request::Payload as AuthRequestPayload,
             response::Payload as AuthResponsePayload,
-        }, user_agent_request::Payload as UserAgentRequestPayload,
+        },
+        user_agent_request::Payload as UserAgentRequestPayload,
         user_agent_response::Payload as UserAgentResponsePayload,
     },
     transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
@@ -63,7 +65,9 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
             Ok(Outbound::AuthChallenge { nonce }) => {
                 AuthResponsePayload::Challenge(ProtoAuthChallenge { nonce })
             }
-            Ok(Outbound::AuthSuccess) => AuthResponsePayload::Result(ProtoAuthResult::Success.into()),
+            Ok(Outbound::AuthSuccess) => {
+                AuthResponsePayload::Result(ProtoAuthResult::Success.into())
+            }
             Err(Error::UnregisteredPublicKey) => {
                 AuthResponsePayload::Result(ProtoAuthResult::InvalidKey.into())
             }
@@ -171,9 +175,9 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                     bootstrap_token,
                 })
             }
-            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution { signature }) => {
-                signature,
+                Some(auth::Inbound::AuthChallengeSolution { signature })
-            }) => Some(auth::Inbound::AuthChallengeSolution { signature }),
+            }
         }
     }
 }

server/crates/arbiter-server/src/grpc/user_agent/evm.rs

@@ -2,15 +2,19 @@ use arbiter_proto::proto::{
     evm::{
         EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
         EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse,
-        GrantEntry, WalletCreateResponse, WalletEntry, WalletList, WalletListResponse,
+        EvmSignTransactionResponse, GrantEntry, WalletCreateResponse, WalletEntry, WalletList,
-        evm_grant_create_response::Result as EvmGrantCreateResult,
+        WalletListResponse, evm_grant_create_response::Result as EvmGrantCreateResult,
         evm_grant_delete_response::Result as EvmGrantDeleteResult,
         evm_grant_list_response::Result as EvmGrantListResult,
+        evm_sign_transaction_response::Result as EvmSignTransactionResult,
         wallet_create_response::Result as WalletCreateResult,
         wallet_list_response::Result as WalletListResult,
     },
     user_agent::{
-        evm::{self as proto_evm, request::Payload as EvmRequestPayload, response::Payload as EvmResponsePayload},
+        evm::{
+            self as proto_evm, SignTransactionRequest as ProtoSignTransactionRequest,
+            request::Payload as EvmRequestPayload, response::Payload as EvmResponsePayload,
+        },
         user_agent_response::Payload as UserAgentResponsePayload,
     },
 };
@@ -23,10 +27,14 @@ use crate::{
         UserAgentSession,
         session::connection::{
             HandleEvmWalletCreate, HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete,
-            HandleGrantList,
+            HandleGrantList, HandleSignTransaction,
+            SignTransactionError as SessionSignTransactionError,
         },
     },
-    grpc::{Convert, TryConvert},
+    grpc::{
+        Convert, TryConvert,
+        common::inbound::{RawEvmAddress, RawEvmTransaction},
+    },
 };
 
 fn wrap_evm_response(payload: EvmResponsePayload) -> UserAgentResponsePayload {
@@ -49,6 +57,7 @@ pub(super) async fn dispatch(
         EvmRequestPayload::GrantCreate(req) => handle_grant_create(actor, req).await,
         EvmRequestPayload::GrantDelete(req) => handle_grant_delete(actor, req).await,
         EvmRequestPayload::GrantList(_) => handle_grant_list(actor).await,
+        EvmRequestPayload::SignTransaction(req) => handle_sign_transaction(actor, req).await,
     }
 }
 
@@ -155,7 +164,12 @@ async fn handle_grant_delete(
     actor: &ActorRef<UserAgentSession>,
     req: EvmGrantDeleteRequest,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor.ask(HandleGrantDelete { grant_id: req.grant_id }).await {
+    let result = match actor
+        .ask(HandleGrantDelete {
+            grant_id: req.grant_id,
+        })
+        .await
+    {
         Ok(()) => EvmGrantDeleteResult::Ok(()),
         Err(err) => {
             warn!(error = ?err, "Failed to delete EVM grant");
@@ -168,3 +182,53 @@ async fn handle_grant_delete(
         },
     ))))
 }
+
+async fn handle_sign_transaction(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoSignTransactionRequest,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let request = req
+        .request
+        .ok_or_else(|| Status::invalid_argument("Missing sign transaction request"))?;
+    let wallet_address = RawEvmAddress(request.wallet_address).try_convert()?;
+    let transaction = RawEvmTransaction(request.rlp_transaction).try_convert()?;
+
+    let response = match actor
+        .ask(HandleSignTransaction {
+            client_id: req.client_id,
+            wallet_address,
+            transaction,
+        })
+        .await
+    {
+        Ok(signature) => EvmSignTransactionResponse {
+            result: Some(EvmSignTransactionResult::Signature(
+                signature.as_bytes().to_vec(),
+            )),
+        },
+        Err(kameo::error::SendError::HandlerError(SessionSignTransactionError::Vet(vet_error))) => {
+            EvmSignTransactionResponse {
+                result: Some(vet_error.convert()),
+            }
+        }
+        Err(kameo::error::SendError::HandlerError(SessionSignTransactionError::Internal)) => {
+            EvmSignTransactionResponse {
+                result: Some(EvmSignTransactionResult::Error(
+                    ProtoEvmError::Internal.into(),
+                )),
+            }
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to sign EVM transaction");
+            EvmSignTransactionResponse {
+                result: Some(EvmSignTransactionResult::Error(
+                    ProtoEvmError::Internal.into(),
+                )),
+            }
+        }
+    };
+
+    Ok(Some(wrap_evm_response(
+        EvmResponsePayload::SignTransaction(response),
+    )))
+}

server/crates/arbiter-server/src/grpc/user_agent/outbound.rs

@@ -5,9 +5,7 @@ use arbiter_proto::proto::{
         TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
         specific_grant::Grant as ProtoSpecificGrantType,
     },
-    user_agent::sdk_client::{
+    user_agent::sdk_client::{WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess},
-        WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess,
-    },
 };
 use chrono::{DateTime, Utc};
 use prost_types::Timestamp as ProtoTimestamp;

server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs

@@ -1,4 +1,5 @@
 use arbiter_proto::proto::{
+    shared::ClientInfo as ProtoClientMetadata,
     user_agent::{
         sdk_client::{
             self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
@@ -13,7 +14,6 @@ use arbiter_proto::proto::{
         },
         user_agent_response::Payload as UserAgentResponsePayload,
     },
-    shared::ClientInfo as ProtoClientMetadata,
 };
 use kameo::actor::ActorRef;
 use tonic::Status;
@@ -62,18 +62,22 @@ pub(super) async fn dispatch(
     req: proto_sdk_client::Request,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
     let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument("Missing SDK client request payload"));
+        return Err(Status::invalid_argument(
+            "Missing SDK client request payload",
+        ));
     };
 
     match payload {
         SdkClientRequestPayload::ConnectionResponse(resp) => {
             handle_connection_response(actor, resp).await
         }
-        SdkClientRequestPayload::Revoke(_) => {
+        SdkClientRequestPayload::Revoke(_) => Err(Status::unimplemented(
-            Err(Status::unimplemented("SdkClientRevoke is not yet implemented"))
+            "SdkClientRevoke is not yet implemented",
-        }
+        )),
         SdkClientRequestPayload::List(_) => handle_list(actor).await,
-        SdkClientRequestPayload::GrantWalletAccess(req) => handle_grant_wallet_access(actor, req).await,
+        SdkClientRequestPayload::GrantWalletAccess(req) => {
+            handle_grant_wallet_access(actor, req).await
+        }
         SdkClientRequestPayload::RevokeWalletAccess(req) => {
             handle_revoke_wallet_access(actor, req).await
         }
@@ -128,11 +132,11 @@ async fn handle_list(
             ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
         }
     };
-    Ok(Some(wrap_sdk_client_response(SdkClientResponsePayload::List(
+    Ok(Some(wrap_sdk_client_response(
-        ProtoSdkClientListResponse {
+        SdkClientResponsePayload::List(ProtoSdkClientListResponse {
             result: Some(result),
-        },
+        }),
-    ))))
+    )))
 }
 
 async fn handle_grant_wallet_access(

server/crates/arbiter-server/src/grpc/user_agent/vault.rs

@@ -1,3 +1,4 @@
+use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
 use arbiter_proto::proto::user_agent::{
     user_agent_response::Payload as UserAgentResponsePayload,
     vault::{
@@ -11,25 +12,21 @@ use arbiter_proto::proto::user_agent::{
         unseal::{
             self as proto_unseal, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
             UnsealResult as ProtoUnsealResult, UnsealStart,
-            request::Payload as UnsealRequestPayload,
+            request::Payload as UnsealRequestPayload, response::Payload as UnsealResponsePayload,
-            response::Payload as UnsealResponsePayload,
         },
     },
 };
-use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
 use kameo::{actor::ActorRef, error::SendError};
 use tonic::Status;
 use tracing::warn;
 
-use crate::{
+use crate::actors::{
-    actors::{
+    keyholder::KeyHolderState,
-        keyholder::KeyHolderState,
+    user_agent::{
-        user_agent::{
+        UserAgentSession,
-            UserAgentSession,
+        session::connection::{
-            session::connection::{
+            BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
-                BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
+            HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
-                HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
-            },
         },
     },
 };
@@ -151,7 +148,9 @@ async fn handle_bootstrap_encrypted_key(
         .await
     {
         Ok(()) => ProtoBootstrapResult::Success,
-        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => ProtoBootstrapResult::InvalidKey,
+        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => {
+            ProtoBootstrapResult::InvalidKey
+        }
         Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
             ProtoBootstrapResult::AlreadyBootstrapped
         }

server/crates/arbiter-server/src/lib.rs

@@ -3,6 +3,7 @@ use crate::context::ServerContext;
 
 pub mod actors;
 pub mod context;
+pub mod crypto;
 pub mod db;
 pub mod evm;
 pub mod grpc;

server/crates/arbiter-server/src/main.rs

@@ -1,8 +1,8 @@
 use std::net::SocketAddr;
 
+use anyhow::anyhow;
 use arbiter_proto::{proto::arbiter_service_server::ArbiterServiceServer, url::ArbiterUrl};
 use arbiter_server::{Server, actors::bootstrap::GetToken, context::ServerContext, db};
-use miette::miette;
 use rustls::crypto::aws_lc_rs;
 use tonic::transport::{Identity, ServerTlsConfig};
 use tracing::info;
@@ -10,7 +10,7 @@ use tracing::info;
 const PORT: u16 = 50051;
 
 #[tokio::main]
-async fn main() -> miette::Result<()> {
+async fn main() -> anyhow::Result<()> {
     aws_lc_rs::default_provider().install_default().unwrap();
 
     tracing_subscriber::fmt()
@@ -46,11 +46,11 @@ async fn main() -> miette::Result<()> {
 
     tonic::transport::Server::builder()
         .tls_config(tls)
-        .map_err(|err| miette!("Faild to setup TLS: {err}"))?
+        .map_err(|err| anyhow!("Failed to setup TLS: {err}"))?
         .add_service(ArbiterServiceServer::new(Server::new(context)))
         .serve(addr)
         .await
-        .map_err(|e| miette::miette!("gRPC server error: {e}"))?;
+        .map_err(|e| anyhow!("gRPC server error: {e}"))?;
 
     unreachable!("gRPC server should run indefinitely");
 }

server/crates/arbiter-server/tests/keyholder/lifecycle.rs

@@ -1,5 +1,6 @@
 use arbiter_server::{
     actors::keyholder::{Error, KeyHolder},
+    crypto::encryption::v1::{Nonce, ROOT_KEY_TAG},
     db::{self, models, schema},
     safe_cell::{SafeCell, SafeCellHandle as _},
 };
@@ -25,16 +26,10 @@ async fn test_bootstrap() {
         .unwrap();
 
     assert_eq!(row.schema_version, 1);
-    assert_eq!(
+    assert_eq!(row.tag, ROOT_KEY_TAG);
-        row.tag,
-        arbiter_server::actors::keyholder::encryption::v1::ROOT_KEY_TAG
-    );
     assert!(!row.ciphertext.is_empty());
     assert!(!row.salt.is_empty());
-    assert_eq!(
+    assert_eq!(row.data_encryption_nonce, Nonce::default().to_vec());
-        row.data_encryption_nonce,
-        arbiter_server::actors::keyholder::encryption::v1::Nonce::default().to_vec()
-    );
 }
 
 #[tokio::test]

server/crates/arbiter-server/tests/keyholder/storage.rs

@@ -1,7 +1,8 @@
 use std::collections::HashSet;
 
 use arbiter_server::{
-    actors::keyholder::{Error, encryption::v1},
+    actors::keyholder::Error,
+    crypto::encryption::v1::Nonce,
     db::{self, models, schema},
     safe_cell::{SafeCell, SafeCellHandle as _},
 };
@@ -102,7 +103,7 @@ async fn test_nonce_never_reused() {
     assert_eq!(nonces.len(), unique.len(), "all nonces must be unique");
 
     for (i, row) in rows.iter().enumerate() {
-        let mut expected = v1::Nonce::default();
+        let mut expected = Nonce::default();
         for _ in 0..=i {
             expected.increment();
         }

server/crates/arbiter-server/tests/user_agent/auth.rs

@@ -3,9 +3,11 @@ use arbiter_server::{
     actors::{
         GlobalActors,
         bootstrap::GetToken,
+        keyholder::Bootstrap,
         user_agent::{AuthPublicKey, UserAgentConnection, auth},
     },
     db::{self, schema},
+    safe_cell::{SafeCell, SafeCellHandle as _},
 };
 use diesel::{ExpressionMethods as _, QueryDsl, insert_into};
 use diesel_async::RunQueryDsl;
@@ -83,7 +85,6 @@ pub async fn test_bootstrap_invalid_token_auth() {
         Err(auth::Error::InvalidBootstrapToken)
     ));
 
-    // Verify no key was registered
     let mut conn = db.get().await.unwrap();
     let count: i64 = schema::useragent_client::table
         .count()
@@ -102,7 +103,6 @@ pub async fn test_challenge_auth() {
     let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
     let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
 
-    // Pre-register key with key_type
     {
         let mut conn = db.get().await.unwrap();
         insert_into(schema::useragent_client::table)
@@ -122,7 +122,6 @@ pub async fn test_challenge_auth() {
         auth::authenticate(&mut props, server_transport).await
     });
 
-    // Send challenge request
     test_transport
         .send(auth::Inbound::AuthChallengeRequest {
             pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
@@ -131,7 +130,6 @@ pub async fn test_challenge_auth() {
         .await
         .unwrap();
 
-    // Read the challenge response
     let response = test_transport
         .recv()
         .await
@@ -165,3 +163,120 @@ pub async fn test_challenge_auth() {
 
     task.await.unwrap().unwrap();
 }
+
+#[tokio::test]
+#[test_log::test]
+pub async fn test_challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
+    let db = db::create_test_pool().await;
+    let actors = GlobalActors::spawn(db.clone()).await.unwrap();
+
+    actors
+        .key_holder
+        .ask(Bootstrap {
+            seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
+        })
+        .await
+        .unwrap();
+
+    let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
+    let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
+
+    {
+        let mut conn = db.get().await.unwrap();
+        insert_into(schema::useragent_client::table)
+            .values((
+                schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
+                schema::useragent_client::key_type.eq(1i32),
+                schema::useragent_client::pubkey_integrity_tag.eq(Some(vec![0u8; 32])),
+            ))
+            .execute(&mut conn)
+            .await
+            .unwrap();
+    }
+
+    let (server_transport, mut test_transport) = ChannelTransport::new();
+    let db_for_task = db.clone();
+    let task = tokio::spawn(async move {
+        let mut props = UserAgentConnection::new(db_for_task, actors);
+        auth::authenticate(&mut props, server_transport).await
+    });
+
+    test_transport
+        .send(auth::Inbound::AuthChallengeRequest {
+            pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
+            bootstrap_token: None,
+        })
+        .await
+        .unwrap();
+
+    assert!(matches!(
+        task.await.unwrap(),
+        Err(auth::Error::InvalidChallengeSolution)
+    ));
+}
+
+#[tokio::test]
+#[test_log::test]
+pub async fn test_challenge_auth_rejects_invalid_signature() {
+    let db = db::create_test_pool().await;
+    let actors = GlobalActors::spawn(db.clone()).await.unwrap();
+
+    let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
+    let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
+
+    {
+        let mut conn = db.get().await.unwrap();
+        insert_into(schema::useragent_client::table)
+            .values((
+                schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
+                schema::useragent_client::key_type.eq(1i32),
+            ))
+            .execute(&mut conn)
+            .await
+            .unwrap();
+    }
+
+    let (server_transport, mut test_transport) = ChannelTransport::new();
+    let db_for_task = db.clone();
+    let task = tokio::spawn(async move {
+        let mut props = UserAgentConnection::new(db_for_task, actors);
+        auth::authenticate(&mut props, server_transport).await
+    });
+
+    test_transport
+        .send(auth::Inbound::AuthChallengeRequest {
+            pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
+            bootstrap_token: None,
+        })
+        .await
+        .unwrap();
+
+    let response = test_transport
+        .recv()
+        .await
+        .expect("should receive challenge");
+    let challenge = match response {
+        Ok(resp) => match resp {
+            auth::Outbound::AuthChallenge { nonce } => nonce,
+            other => panic!("Expected AuthChallenge, got {other:?}"),
+        },
+        Err(err) => panic!("Expected Ok response, got Err({err:?})"),
+    };
+
+    let wrong_challenge = arbiter_proto::format_challenge(challenge + 1, &pubkey_bytes);
+    let signature = new_key.sign(&wrong_challenge);
+
+    test_transport
+        .send(auth::Inbound::AuthChallengeSolution {
+            signature: signature.to_bytes().to_vec(),
+        })
+        .await
+        .unwrap();
+
+    let expected_err = task.await.unwrap();
+    println!("Received expected error: {expected_err:#?}");
+    assert!(matches!(
+        expected_err,
+        Err(auth::Error::InvalidChallengeSolution)
+    ));
+}

server/crates/arbiter-server/tests/user_agent/unseal.rs

@@ -2,14 +2,17 @@ use arbiter_server::{
     actors::{
         GlobalActors,
         keyholder::{Bootstrap, Seal},
-        user_agent::{UserAgentSession, session::connection::{
+        user_agent::{
-            HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
+            UserAgentSession,
-        }},
+            session::connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError},
+        },
     },
     db,
     safe_cell::{SafeCell, SafeCellHandle as _},
 };
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
+use diesel::{ExpressionMethods as _, QueryDsl as _, insert_into};
+use diesel_async::RunQueryDsl;
 use kameo::actor::Spawn as _;
 use x25519_dalek::{EphemeralSecret, PublicKey};
 
@@ -149,3 +152,42 @@ pub async fn test_unseal_retry_after_invalid_key() {
         assert!(matches!(response, Ok(())));
     }
 }
+
+#[tokio::test]
+#[test_log::test]
+pub async fn test_unseal_backfills_missing_pubkey_integrity_tags() {
+    let seal_key = b"test-seal-key";
+    let (db, user_agent) = setup_sealed_user_agent(seal_key).await;
+
+    {
+        let mut conn = db.get().await.unwrap();
+        insert_into(arbiter_server::db::schema::useragent_client::table)
+            .values((
+                arbiter_server::db::schema::useragent_client::public_key
+                    .eq(vec![1u8, 2u8, 3u8, 4u8]),
+                arbiter_server::db::schema::useragent_client::key_type.eq(1i32),
+                arbiter_server::db::schema::useragent_client::pubkey_integrity_tag
+                    .eq(Option::<Vec<u8>>::None),
+            ))
+            .execute(&mut conn)
+            .await
+            .unwrap();
+    }
+
+    let encrypted_key = client_dh_encrypt(&user_agent, seal_key).await;
+    let response = user_agent.ask(encrypted_key).await;
+    assert!(matches!(response, Ok(())));
+
+    {
+        let mut conn = db.get().await.unwrap();
+        let tags: Vec<Option<Vec<u8>>> = arbiter_server::db::schema::useragent_client::table
+            .select(arbiter_server::db::schema::useragent_client::pubkey_integrity_tag)
+            .load(&mut conn)
+            .await
+            .unwrap();
+        assert!(
+            tags.iter()
+                .all(|tag| matches!(tag, Some(v) if v.len() == 32))
+        );
+    }
+}

useragent/lib/features/callouts/callout_event.dart

@@ -1,6 +1,5 @@
-import 'package:arbiter/proto/client.pb.dart';
+import 'package:arbiter/proto/shared/client.pb.dart';
 import 'package:freezed_annotation/freezed_annotation.dart';
-import 'package:hooks_riverpod/experimental/mutation.dart';
 
 part 'callout_event.freezed.dart';
 

useragent/lib/features/callouts/callout_manager.dart

@@ -2,7 +2,7 @@ import 'package:arbiter/features/callouts/active_callout.dart';
 import 'package:arbiter/features/callouts/callout_event.dart';
 import 'package:arbiter/features/callouts/types/sdk_connect_approve.dart'
     as connect_approve;
-import 'package:arbiter/proto/client.pb.dart';
+import 'package:arbiter/proto/shared/client.pb.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 
 part 'callout_manager.g.dart';

useragent/lib/features/callouts/types/sdk_connect_approve.dart

@@ -1,6 +1,7 @@
 import 'dart:convert';
 
 import 'package:arbiter/features/callouts/callout_event.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
@@ -14,20 +15,27 @@ Stream<CalloutEvent> connectApproveEvents(Ref ref) async* {
 
   await for (final message in connection.outOfBandMessages) {
     switch (message.whichPayload()) {
-      case UserAgentResponse_Payload.sdkClientConnectionRequest:
+      case UserAgentResponse_Payload.sdkClient:
-        final body = message.sdkClientConnectionRequest;
+        final sdkClientMessage = message.sdkClient;
-        final id = base64Encode(body.pubkey);
+        switch (sdkClientMessage.whichPayload()) {
-        yield CalloutEvent.added(
+          case ua_sdk.Response_Payload.connectionRequest:
-          id: 'connect_approve:$id',
+            final body = sdkClientMessage.connectionRequest;
-          data: CalloutData.connectApproval(
+            final id = base64Encode(body.pubkey);
-            pubkey: id,
+            yield CalloutEvent.added(
-            clientInfo: body.info,
+              id: 'connect_approve:$id',
-          ),
+              data: CalloutData.connectApproval(
-        );
+                pubkey: id,
+                clientInfo: body.info,
+              ),
+            );
 
-      case UserAgentResponse_Payload.sdkClientConnectionCancel:
+          case ua_sdk.Response_Payload.connectionCancel:
-        final id = base64Encode(message.sdkClientConnectionCancel.pubkey);
+            final id = base64Encode(sdkClientMessage.connectionCancel.pubkey);
-        yield CalloutEvent.cancelled(id: 'connect_approve:$id');
+            yield CalloutEvent.cancelled(id: 'connect_approve:$id');
+
+          default:
+            break;
+        }
 
       default:
         break;
@@ -41,11 +49,14 @@ Future<void> sendDecision(Ref ref, String pubkey, bool approved) async {
 
   final bytes = base64Decode(pubkey);
 
-  final req = UserAgentRequest(sdkClientConnectionResponse: SdkClientConnectionResponse(
+  final req = UserAgentRequest(
-    approved: approved,
+    sdkClient: ua_sdk.Request(
-    pubkey: bytes
+      connectionResponse: ua_sdk.ConnectionResponse(
-  ));
+        approved: approved,
+        pubkey: bytes,
+      ),
+    ),
+  );
 
   await connection.tell(req);
-
 }

useragent/lib/features/callouts/types/sdk_connect_approve.g.dart

@@ -47,4 +47,4 @@ final class ConnectApproveEventsProvider
 }
 
 String _$connectApproveEventsHash() =>
-    r'6a0998288afc0836a7c1701a983f64c33d318fd6';
+    r'abab87cc875a9a4834f836c2c0eba4aa7671d82e';

useragent/lib/features/connection/auth.dart

@@ -5,6 +5,7 @@ import 'package:arbiter/features/connection/connection.dart';
 import 'package:arbiter/features/connection/server_info_storage.dart';
 import 'package:arbiter/features/identity/pk_manager.dart';
 import 'package:arbiter/proto/arbiter.pbgrpc.dart';
+import 'package:arbiter/proto/user_agent/auth.pb.dart' as ua_auth;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:grpc/grpc.dart';
 import 'package:mtcore/markettakers.dart';
@@ -12,22 +13,22 @@ import 'package:mtcore/markettakers.dart';
 class AuthorizationException implements Exception {
   const AuthorizationException(this.result);
 
-  final AuthResult result;
+  final ua_auth.AuthResult result;
 
   String get message => switch (result) {
-    AuthResult.AUTH_RESULT_INVALID_KEY =>
+    ua_auth.AuthResult.AUTH_RESULT_INVALID_KEY =>
       'Authentication failed: this device key is not registered on the server.',
-    AuthResult.AUTH_RESULT_INVALID_SIGNATURE =>
+    ua_auth.AuthResult.AUTH_RESULT_INVALID_SIGNATURE =>
       'Authentication failed: the server rejected the signature for this device key.',
-    AuthResult.AUTH_RESULT_BOOTSTRAP_REQUIRED =>
+    ua_auth.AuthResult.AUTH_RESULT_BOOTSTRAP_REQUIRED =>
       'Authentication failed: the server requires bootstrap before this device can connect.',
-    AuthResult.AUTH_RESULT_TOKEN_INVALID =>
+    ua_auth.AuthResult.AUTH_RESULT_TOKEN_INVALID =>
       'Authentication failed: the bootstrap token is invalid.',
-    AuthResult.AUTH_RESULT_INTERNAL =>
+    ua_auth.AuthResult.AUTH_RESULT_INTERNAL =>
       'Authentication failed: the server hit an internal error.',
-    AuthResult.AUTH_RESULT_UNSPECIFIED =>
+    ua_auth.AuthResult.AUTH_RESULT_UNSPECIFIED =>
       'Authentication failed: the server returned an unspecified auth error.',
-    AuthResult.AUTH_RESULT_SUCCESS => 'Authentication succeeded.',
+    ua_auth.AuthResult.AUTH_RESULT_SUCCESS => 'Authentication succeeded.',
     _ => 'Authentication failed: ${result.name}.',
   };
 
@@ -57,56 +58,76 @@ Future<Connection> connectAndAuthorize(
     );
     final pubkey = await key.getPublicKey();
 
-    final req = AuthChallengeRequest(
+    final req = ua_auth.AuthChallengeRequest(
       pubkey: pubkey,
       bootstrapToken: bootstrapToken,
       keyType: switch (key.alg) {
-        KeyAlgorithm.rsa => KeyType.KEY_TYPE_RSA,
+        KeyAlgorithm.rsa => ua_auth.KeyType.KEY_TYPE_RSA,
-        KeyAlgorithm.ecdsa => KeyType.KEY_TYPE_ECDSA_SECP256K1,
+        KeyAlgorithm.ecdsa => ua_auth.KeyType.KEY_TYPE_ECDSA_SECP256K1,
-        KeyAlgorithm.ed25519 => KeyType.KEY_TYPE_ED25519,
+        KeyAlgorithm.ed25519 => ua_auth.KeyType.KEY_TYPE_ED25519,
       },
     );
     final response = await connection.ask(
-      UserAgentRequest(authChallengeRequest: req),
+      UserAgentRequest(auth: ua_auth.Request(challengeRequest: req)),
     );
     talker.info(
       "Sent auth challenge request with pubkey ${base64Encode(pubkey)}",
     );
     talker.info('Received response from server, checking auth flow...');
 
-    if (response.hasAuthResult()) {
+    if (!response.hasAuth()) {
-      if (response.authResult != AuthResult.AUTH_RESULT_SUCCESS) {
+      throw ConnectionException(
-        throw AuthorizationException(response.authResult);
+        'Expected auth response, got ${response.whichPayload()}',
+      );
+    }
+
+    final authResponse = response.auth;
+
+    if (authResponse.hasResult()) {
+      if (authResponse.result != ua_auth.AuthResult.AUTH_RESULT_SUCCESS) {
+        throw AuthorizationException(authResponse.result);
       }
       talker.info('Authentication successful, connection established');
       return connection;
     }
 
-    if (!response.hasAuthChallenge()) {
+    if (!authResponse.hasChallenge()) {
       throw ConnectionException(
-        'Expected AuthChallengeResponse, got ${response.whichPayload()}',
+        'Expected auth challenge response, got ${authResponse.whichPayload()}',
       );
     }
 
-    final challenge = _formatChallenge(response.authChallenge, pubkey);
+    final challenge = _formatChallenge(authResponse.challenge, pubkey);
     talker.info(
       'Received auth challenge, signing with key ${base64Encode(pubkey)}',
     );
 
     final signature = await key.sign(challenge);
     final solutionResponse = await connection.ask(
-      UserAgentRequest(authChallengeSolution: AuthChallengeSolution(signature: signature)),
+      UserAgentRequest(
+        auth: ua_auth.Request(
+          challengeSolution: ua_auth.AuthChallengeSolution(signature: signature),
+        ),
+      ),
     );
 
     talker.info('Sent auth challenge solution, waiting for server response...');
 
-    if (!solutionResponse.hasAuthResult()) {
+    if (!solutionResponse.hasAuth()) {
       throw ConnectionException(
-        'Expected AuthChallengeSolutionResponse, got ${solutionResponse.whichPayload()}',
+        'Expected auth solution response, got ${solutionResponse.whichPayload()}',
       );
     }
-    if (solutionResponse.authResult != AuthResult.AUTH_RESULT_SUCCESS) {
+
-      throw AuthorizationException(solutionResponse.authResult);
+    final authSolutionResponse = solutionResponse.auth;
+
+    if (!authSolutionResponse.hasResult()) {
+      throw ConnectionException(
+        'Expected auth solution result, got ${authSolutionResponse.whichPayload()}',
+      );
+    }
+    if (authSolutionResponse.result != ua_auth.AuthResult.AUTH_RESULT_SUCCESS) {
+      throw AuthorizationException(authSolutionResponse.result);
     }
 
     talker.info('Authentication successful, connection established');
@@ -147,7 +168,7 @@ Future<Connection> _connect(StoredServerInfo serverInfo) async {
   return Connection(channel: channel, tx: tx, rx: rx);
 }
 
-List<int> _formatChallenge(AuthChallenge challenge, List<int> pubkey) {
+List<int> _formatChallenge(ua_auth.AuthChallenge challenge, List<int> pubkey) {
   final encodedPubkey = base64Encode(pubkey);
   final payload = "${challenge.nonce}:$encodedPubkey";
   return utf8.encode(payload);

useragent/lib/features/connection/evm.dart

@@ -1,19 +1,27 @@
 import 'package:arbiter/features/connection/connection.dart';
 import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/proto/user_agent/evm.pb.dart' as ua_evm;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart';
 
 Future<List<WalletEntry>> listEvmWallets(Connection connection) async {
   final response = await connection.ask(
-    UserAgentRequest(evmWalletList: Empty()),
+    UserAgentRequest(evm: ua_evm.Request(walletList: Empty())),
   );
-  if (!response.hasEvmWalletList()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM wallet list response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmWalletList;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasWalletList()) {
+    throw Exception(
+      'Expected EVM wallet list response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.walletList;
   switch (result.whichResult()) {
     case WalletListResponse_Result.wallets:
       return result.wallets.wallets.toList(growable: false);
@@ -26,15 +34,22 @@ Future<List<WalletEntry>> listEvmWallets(Connection connection) async {
 
 Future<void> createEvmWallet(Connection connection) async {
   final response = await connection.ask(
-    UserAgentRequest(evmWalletCreate: Empty()),
+    UserAgentRequest(evm: ua_evm.Request(walletCreate: Empty())),
   );
-  if (!response.hasEvmWalletCreate()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM wallet create response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmWalletCreate;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasWalletCreate()) {
+    throw Exception(
+      'Expected EVM wallet create response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.walletCreate;
   switch (result.whichResult()) {
     case WalletCreateResponse_Result.wallet:
       return;

useragent/lib/features/connection/evm/grants.dart

@@ -1,22 +1,28 @@
 import 'package:arbiter/features/connection/connection.dart';
 import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/proto/user_agent/evm.pb.dart' as ua_evm;
 import 'package:arbiter/proto/user_agent.pb.dart';
-import 'package:fixnum/fixnum.dart';
-import 'package:protobuf/well_known_types/google/protobuf/timestamp.pb.dart';
 
 Future<List<GrantEntry>> listEvmGrants(Connection connection) async {
   final request = EvmGrantListRequest();
 
   final response = await connection.ask(
-    UserAgentRequest(evmGrantList: request),
+    UserAgentRequest(evm: ua_evm.Request(grantList: request)),
   );
-  if (!response.hasEvmGrantList()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM grant list response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmGrantList;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasGrantList()) {
+    throw Exception(
+      'Expected EVM grant list response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.grantList;
   switch (result.whichResult()) {
     case EvmGrantListResponse_Result.grants:
       return result.grants.grants.toList(growable: false);
@@ -33,36 +39,56 @@ Future<int> createEvmGrant(
   required SpecificGrant specific,
 }) async {
   final request = UserAgentRequest(
-    evmGrantCreate: EvmGrantCreateRequest(
+    evm: ua_evm.Request(
-      shared: sharedSettings,
+      grantCreate: EvmGrantCreateRequest(
-      specific: specific,
+        shared: sharedSettings,
+        specific: specific,
+      ),
     ),
   );
 
   final resp = await connection.ask(request);
 
-  if (!resp.hasEvmGrantCreate()) {
+  if (!resp.hasEvm()) {
     throw Exception(
-      'Expected EVM grant create response, got ${resp.whichPayload()}',
+      'Expected EVM response, got ${resp.whichPayload()}',
     );
   }
 
-  final result = resp.evmGrantCreate;
+  final evmResponse = resp.evm;
+  if (!evmResponse.hasGrantCreate()) {
+    throw Exception(
+      'Expected EVM grant create response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.grantCreate;
 
   return result.grantId;
 }
 
 Future<void> deleteEvmGrant(Connection connection, int grantId) async {
   final response = await connection.ask(
-    UserAgentRequest(evmGrantDelete: EvmGrantDeleteRequest(grantId: grantId)),
+    UserAgentRequest(
+      evm: ua_evm.Request(
+        grantDelete: EvmGrantDeleteRequest(grantId: grantId),
+      ),
+    ),
   );
-  if (!response.hasEvmGrantDelete()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM grant delete response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmGrantDelete;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasGrantDelete()) {
+    throw Exception(
+      'Expected EVM grant delete response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.grantDelete;
   switch (result.whichResult()) {
     case EvmGrantDeleteResponse_Result.ok:
       return;
@@ -73,13 +99,6 @@ Future<void> deleteEvmGrant(Connection connection, int grantId) async {
   }
 }
 
-Timestamp _toTimestamp(DateTime value) {
-  final utc = value.toUtc();
-  return Timestamp()
-    ..seconds = Int64(utc.millisecondsSinceEpoch ~/ 1000)
-    ..nanos = (utc.microsecondsSinceEpoch % 1000000) * 1000;
-}
-
 String _describeGrantError(EvmError error) {
   return switch (error) {
     EvmError.EVM_ERROR_VAULT_SEALED =>

useragent/lib/features/connection/evm/wallet_access.dart

@@ -1,4 +1,5 @@
 import 'package:arbiter/features/connection/connection.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart';
 
@@ -7,31 +8,47 @@ Future<Set<int>> readClientWalletAccess(
   required int clientId,
 }) async {
   final response = await connection.ask(
-    UserAgentRequest(listWalletAccess: Empty()),
+    UserAgentRequest(
+      sdkClient: ua_sdk.Request(listWalletAccess: Empty()),
+    ),
   );
-  if (!response.hasListWalletAccessResponse()) {
+  if (!response.hasSdkClient()) {
     throw Exception(
-      'Expected list wallet access response, got ${response.whichPayload()}',
+      'Expected SDK client response, got ${response.whichPayload()}',
+    );
+  }
+  final sdkClientResponse = response.sdkClient;
+  if (!sdkClientResponse.hasListWalletAccess()) {
+    throw Exception(
+      'Expected list wallet access response, got ${sdkClientResponse.whichPayload()}',
     );
   }
   return {
-    for (final entry in response.listWalletAccessResponse.accesses)
+    for (final entry in sdkClientResponse.listWalletAccess.accesses)
       if (entry.access.sdkClientId == clientId) entry.access.walletId,
   };
 }
 
-Future<List<SdkClientWalletAccess>> listAllWalletAccesses(
+Future<List<ua_sdk.WalletAccessEntry>> listAllWalletAccesses(
   Connection connection,
 ) async {
   final response = await connection.ask(
-    UserAgentRequest(listWalletAccess: Empty()),
+    UserAgentRequest(
+      sdkClient: ua_sdk.Request(listWalletAccess: Empty()),
+    ),
   );
-  if (!response.hasListWalletAccessResponse()) {
+  if (!response.hasSdkClient()) {
     throw Exception(
-      'Expected list wallet access response, got ${response.whichPayload()}',
+      'Expected SDK client response, got ${response.whichPayload()}',
     );
   }
-  return response.listWalletAccessResponse.accesses.toList(growable: false);
+  final sdkClientResponse = response.sdkClient;
+  if (!sdkClientResponse.hasListWalletAccess()) {
+    throw Exception(
+      'Expected list wallet access response, got ${sdkClientResponse.whichPayload()}',
+    );
+  }
+  return sdkClientResponse.listWalletAccess.accesses.toList(growable: false);
 }
 
 Future<void> writeClientWalletAccess(
@@ -47,11 +64,13 @@ Future<void> writeClientWalletAccess(
   if (toGrant.isNotEmpty) {
     await connection.tell(
       UserAgentRequest(
-        grantWalletAccess: SdkClientGrantWalletAccess(
+        sdkClient: ua_sdk.Request(
-          accesses: [
+          grantWalletAccess: ua_sdk.GrantWalletAccess(
-            for (final walletId in toGrant)
+            accesses: [
-              WalletAccess(sdkClientId: clientId, walletId: walletId),
+              for (final walletId in toGrant)
-          ],
+                ua_sdk.WalletAccess(sdkClientId: clientId, walletId: walletId),
+            ],
+          ),
         ),
       ),
     );
@@ -60,11 +79,12 @@ Future<void> writeClientWalletAccess(
   if (toRevoke.isNotEmpty) {
     await connection.tell(
       UserAgentRequest(
-        revokeWalletAccess: SdkClientRevokeWalletAccess(
+        sdkClient: ua_sdk.Request(
-          accesses: [
+          revokeWalletAccess: ua_sdk.RevokeWalletAccess(
-            for (final walletId in toRevoke)
+            accesses: [
-              walletId
+              for (final walletId in toRevoke) walletId,
-          ],
+            ],
+          ),
         ),
       ),
     );

useragent/lib/features/connection/vault.dart

@@ -1,10 +1,13 @@
 import 'package:arbiter/features/connection/connection.dart';
+import 'package:arbiter/proto/user_agent/vault/bootstrap.pb.dart' as ua_bootstrap;
+import 'package:arbiter/proto/user_agent/vault/unseal.pb.dart' as ua_unseal;
+import 'package:arbiter/proto/user_agent/vault/vault.pb.dart' as ua_vault;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:cryptography/cryptography.dart';
 
 const _vaultKeyAssociatedData = 'arbiter.vault.password';
 
-Future<BootstrapResult> bootstrapVault(
+Future<ua_bootstrap.BootstrapResult> bootstrapVault(
   Connection connection,
   String password,
 ) async {
@@ -12,39 +15,76 @@ Future<BootstrapResult> bootstrapVault(
 
   final response = await connection.ask(
     UserAgentRequest(
-      bootstrapEncryptedKey: BootstrapEncryptedKey(
+      vault: ua_vault.Request(
-        nonce: encryptedKey.nonce,
+        bootstrap: ua_bootstrap.Request(
-        ciphertext: encryptedKey.ciphertext,
+          encryptedKey: ua_bootstrap.BootstrapEncryptedKey(
-        associatedData: encryptedKey.associatedData,
+            nonce: encryptedKey.nonce,
+            ciphertext: encryptedKey.ciphertext,
+            associatedData: encryptedKey.associatedData,
+          ),
+        ),
       ),
     ),
   );
-  if (!response.hasBootstrapResult()) {
+  if (!response.hasVault()) {
     throw Exception(
-      'Expected bootstrap result, got ${response.whichPayload()}',
+      'Expected vault response, got ${response.whichPayload()}',
     );
   }
 
-  return response.bootstrapResult;
+  final vaultResponse = response.vault;
+  if (!vaultResponse.hasBootstrap()) {
+    throw Exception(
+      'Expected bootstrap result, got ${vaultResponse.whichPayload()}',
+    );
+  }
+
+  final bootstrapResponse = vaultResponse.bootstrap;
+  if (!bootstrapResponse.hasResult()) {
+    throw Exception('Expected bootstrap result payload.');
+  }
+
+  return bootstrapResponse.result;
 }
 
-Future<UnsealResult> unsealVault(Connection connection, String password) async {
+Future<ua_unseal.UnsealResult> unsealVault(
+  Connection connection,
+  String password,
+) async {
   final encryptedKey = await _encryptVaultKeyMaterial(connection, password);
 
   final response = await connection.ask(
     UserAgentRequest(
-      unsealEncryptedKey: UnsealEncryptedKey(
+      vault: ua_vault.Request(
-        nonce: encryptedKey.nonce,
+        unseal: ua_unseal.Request(
-        ciphertext: encryptedKey.ciphertext,
+          encryptedKey: ua_unseal.UnsealEncryptedKey(
-        associatedData: encryptedKey.associatedData,
+            nonce: encryptedKey.nonce,
+            ciphertext: encryptedKey.ciphertext,
+            associatedData: encryptedKey.associatedData,
+          ),
+        ),
       ),
     ),
   );
-  if (!response.hasUnsealResult()) {
+  if (!response.hasVault()) {
-    throw Exception('Expected unseal result, got ${response.whichPayload()}');
+    throw Exception('Expected vault response, got ${response.whichPayload()}');
   }
 
-  return response.unsealResult;
+  final vaultResponse = response.vault;
+  if (!vaultResponse.hasUnseal()) {
+    throw Exception(
+      'Expected unseal result, got ${vaultResponse.whichPayload()}',
+    );
+  }
+
+  final unsealResponse = vaultResponse.unseal;
+  if (!unsealResponse.hasResult()) {
+    throw Exception(
+      'Expected unseal result payload, got ${unsealResponse.whichPayload()}',
+    );
+  }
+
+  return unsealResponse.result;
 }
 
 Future<_EncryptedVaultKey> _encryptVaultKeyMaterial(
@@ -57,16 +97,36 @@ Future<_EncryptedVaultKey> _encryptVaultKeyMaterial(
   final clientPublicKey = await clientKeyPair.extractPublicKey();
 
   final handshakeResponse = await connection.ask(
-    UserAgentRequest(unsealStart: UnsealStart(clientPubkey: clientPublicKey.bytes)),
+    UserAgentRequest(
+      vault: ua_vault.Request(
+        unseal: ua_unseal.Request(
+          start: ua_unseal.UnsealStart(clientPubkey: clientPublicKey.bytes),
+        ),
+      ),
+    ),
   );
-  if (!handshakeResponse.hasUnsealStartResponse()) {
+  if (!handshakeResponse.hasVault()) {
     throw Exception(
-      'Expected unseal handshake response, got ${handshakeResponse.whichPayload()}',
+      'Expected vault response, got ${handshakeResponse.whichPayload()}',
+    );
+  }
+
+  final vaultResponse = handshakeResponse.vault;
+  if (!vaultResponse.hasUnseal()) {
+    throw Exception(
+      'Expected unseal handshake response, got ${vaultResponse.whichPayload()}',
+    );
+  }
+
+  final unsealResponse = vaultResponse.unseal;
+  if (!unsealResponse.hasStart()) {
+    throw Exception(
+      'Expected unseal handshake payload, got ${unsealResponse.whichPayload()}',
     );
   }
 
   final serverPublicKey = SimplePublicKey(
-    handshakeResponse.unsealStartResponse.serverPubkey,
+    unsealResponse.start.serverPubkey,
     type: KeyPairType.x25519,
   );
   final sharedSecret = await keyExchange.sharedSecretKey(

useragent/lib/proto/client.pb.dart

@@ -13,305 +13,26 @@
 import 'dart:core' as $core;
 
 import 'package:protobuf/protobuf.dart' as $pb;
-import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $0;
 
-import 'client.pbenum.dart';
+import 'client/auth.pb.dart' as $0;
-import 'evm.pb.dart' as $1;
+import 'client/evm.pb.dart' as $2;
+import 'client/vault.pb.dart' as $1;
 
 export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
 
-export 'client.pbenum.dart';
+enum ClientRequest_Payload { auth, vault, evm, notSet }
-
-class ClientInfo extends $pb.GeneratedMessage {
-  factory ClientInfo({
-    $core.String? name,
-    $core.String? description,
-    $core.String? version,
-  }) {
-    final result = create();
-    if (name != null) result.name = name;
-    if (description != null) result.description = description;
-    if (version != null) result.version = version;
-    return result;
-  }
-
-  ClientInfo._();
-
-  factory ClientInfo.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory ClientInfo.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'ClientInfo',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..aOS(1, _omitFieldNames ? '' : 'name')
-    ..aOS(2, _omitFieldNames ? '' : 'description')
-    ..aOS(3, _omitFieldNames ? '' : 'version')
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  ClientInfo clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  ClientInfo copyWith(void Function(ClientInfo) updates) =>
-      super.copyWith((message) => updates(message as ClientInfo)) as ClientInfo;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static ClientInfo create() => ClientInfo._();
-  @$core.override
-  ClientInfo createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static ClientInfo getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<ClientInfo>(create);
-  static ClientInfo? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.String get name => $_getSZ(0);
-  @$pb.TagNumber(1)
-  set name($core.String value) => $_setString(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasName() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearName() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.String get description => $_getSZ(1);
-  @$pb.TagNumber(2)
-  set description($core.String value) => $_setString(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasDescription() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearDescription() => $_clearField(2);
-
-  @$pb.TagNumber(3)
-  $core.String get version => $_getSZ(2);
-  @$pb.TagNumber(3)
-  set version($core.String value) => $_setString(2, value);
-  @$pb.TagNumber(3)
-  $core.bool hasVersion() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearVersion() => $_clearField(3);
-}
-
-class AuthChallengeRequest extends $pb.GeneratedMessage {
-  factory AuthChallengeRequest({
-    $core.List<$core.int>? pubkey,
-    ClientInfo? clientInfo,
-  }) {
-    final result = create();
-    if (pubkey != null) result.pubkey = pubkey;
-    if (clientInfo != null) result.clientInfo = clientInfo;
-    return result;
-  }
-
-  AuthChallengeRequest._();
-
-  factory AuthChallengeRequest.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallengeRequest.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallengeRequest',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
-    ..aOM<ClientInfo>(2, _omitFieldNames ? '' : 'clientInfo',
-        subBuilder: ClientInfo.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeRequest clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeRequest copyWith(void Function(AuthChallengeRequest) updates) =>
-      super.copyWith((message) => updates(message as AuthChallengeRequest))
-          as AuthChallengeRequest;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeRequest create() => AuthChallengeRequest._();
-  @$core.override
-  AuthChallengeRequest createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeRequest getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallengeRequest>(create);
-  static AuthChallengeRequest? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get pubkey => $_getN(0);
-  @$pb.TagNumber(1)
-  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasPubkey() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearPubkey() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  ClientInfo get clientInfo => $_getN(1);
-  @$pb.TagNumber(2)
-  set clientInfo(ClientInfo value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasClientInfo() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearClientInfo() => $_clearField(2);
-  @$pb.TagNumber(2)
-  ClientInfo ensureClientInfo() => $_ensure(1);
-}
-
-class AuthChallenge extends $pb.GeneratedMessage {
-  factory AuthChallenge({
-    $core.List<$core.int>? pubkey,
-    $core.int? nonce,
-  }) {
-    final result = create();
-    if (pubkey != null) result.pubkey = pubkey;
-    if (nonce != null) result.nonce = nonce;
-    return result;
-  }
-
-  AuthChallenge._();
-
-  factory AuthChallenge.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallenge.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallenge',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
-    ..aI(2, _omitFieldNames ? '' : 'nonce')
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallenge clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallenge copyWith(void Function(AuthChallenge) updates) =>
-      super.copyWith((message) => updates(message as AuthChallenge))
-          as AuthChallenge;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallenge create() => AuthChallenge._();
-  @$core.override
-  AuthChallenge createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallenge getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallenge>(create);
-  static AuthChallenge? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get pubkey => $_getN(0);
-  @$pb.TagNumber(1)
-  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasPubkey() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearPubkey() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.int get nonce => $_getIZ(1);
-  @$pb.TagNumber(2)
-  set nonce($core.int value) => $_setSignedInt32(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasNonce() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearNonce() => $_clearField(2);
-}
-
-class AuthChallengeSolution extends $pb.GeneratedMessage {
-  factory AuthChallengeSolution({
-    $core.List<$core.int>? signature,
-  }) {
-    final result = create();
-    if (signature != null) result.signature = signature;
-    return result;
-  }
-
-  AuthChallengeSolution._();
-
-  factory AuthChallengeSolution.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallengeSolution.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallengeSolution',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeSolution clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeSolution copyWith(
-          void Function(AuthChallengeSolution) updates) =>
-      super.copyWith((message) => updates(message as AuthChallengeSolution))
-          as AuthChallengeSolution;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeSolution create() => AuthChallengeSolution._();
-  @$core.override
-  AuthChallengeSolution createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeSolution getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallengeSolution>(create);
-  static AuthChallengeSolution? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get signature => $_getN(0);
-  @$pb.TagNumber(1)
-  set signature($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasSignature() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearSignature() => $_clearField(1);
-}
-
-enum ClientRequest_Payload {
-  authChallengeRequest,
-  authChallengeSolution,
-  queryVaultState,
-  notSet
-}
 
 class ClientRequest extends $pb.GeneratedMessage {
   factory ClientRequest({
-    AuthChallengeRequest? authChallengeRequest,
+    $0.Request? auth,
-    AuthChallengeSolution? authChallengeSolution,
+    $1.Request? vault,
-    $0.Empty? queryVaultState,
+    $2.Request? evm,
     $core.int? requestId,
   }) {
     final result = create();
-    if (authChallengeRequest != null)
+    if (auth != null) result.auth = auth;
-      result.authChallengeRequest = authChallengeRequest;
+    if (vault != null) result.vault = vault;
-    if (authChallengeSolution != null)
+    if (evm != null) result.evm = evm;
-      result.authChallengeSolution = authChallengeSolution;
-    if (queryVaultState != null) result.queryVaultState = queryVaultState;
     if (requestId != null) result.requestId = requestId;
     return result;
   }
@@ -327,9 +48,9 @@ class ClientRequest extends $pb.GeneratedMessage {
 
   static const $core.Map<$core.int, ClientRequest_Payload>
       _ClientRequest_PayloadByTag = {
-    1: ClientRequest_Payload.authChallengeRequest,
+    1: ClientRequest_Payload.auth,
-    2: ClientRequest_Payload.authChallengeSolution,
+    2: ClientRequest_Payload.vault,
-    3: ClientRequest_Payload.queryVaultState,
+    3: ClientRequest_Payload.evm,
     0: ClientRequest_Payload.notSet
   };
   static final $pb.BuilderInfo _i = $pb.BuilderInfo(
@@ -337,14 +58,12 @@ class ClientRequest extends $pb.GeneratedMessage {
       package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
       createEmptyInstance: create)
     ..oo(0, [1, 2, 3])
-    ..aOM<AuthChallengeRequest>(
+    ..aOM<$0.Request>(1, _omitFieldNames ? '' : 'auth',
-        1, _omitFieldNames ? '' : 'authChallengeRequest',
+        subBuilder: $0.Request.create)
-        subBuilder: AuthChallengeRequest.create)
+    ..aOM<$1.Request>(2, _omitFieldNames ? '' : 'vault',
-    ..aOM<AuthChallengeSolution>(
+        subBuilder: $1.Request.create)
-        2, _omitFieldNames ? '' : 'authChallengeSolution',
+    ..aOM<$2.Request>(3, _omitFieldNames ? '' : 'evm',
-        subBuilder: AuthChallengeSolution.create)
+        subBuilder: $2.Request.create)
-    ..aOM<$0.Empty>(3, _omitFieldNames ? '' : 'queryVaultState',
-        subBuilder: $0.Empty.create)
     ..aI(4, _omitFieldNames ? '' : 'requestId')
     ..hasRequiredFields = false;
 
@@ -378,38 +97,37 @@ class ClientRequest extends $pb.GeneratedMessage {
   void clearPayload() => $_clearField($_whichOneof(0));
 
   @$pb.TagNumber(1)
-  AuthChallengeRequest get authChallengeRequest => $_getN(0);
+  $0.Request get auth => $_getN(0);
   @$pb.TagNumber(1)
-  set authChallengeRequest(AuthChallengeRequest value) => $_setField(1, value);
+  set auth($0.Request value) => $_setField(1, value);
   @$pb.TagNumber(1)
-  $core.bool hasAuthChallengeRequest() => $_has(0);
+  $core.bool hasAuth() => $_has(0);
   @$pb.TagNumber(1)
-  void clearAuthChallengeRequest() => $_clearField(1);
+  void clearAuth() => $_clearField(1);
   @$pb.TagNumber(1)
-  AuthChallengeRequest ensureAuthChallengeRequest() => $_ensure(0);
+  $0.Request ensureAuth() => $_ensure(0);
 
   @$pb.TagNumber(2)
-  AuthChallengeSolution get authChallengeSolution => $_getN(1);
+  $1.Request get vault => $_getN(1);
   @$pb.TagNumber(2)
-  set authChallengeSolution(AuthChallengeSolution value) =>
+  set vault($1.Request value) => $_setField(2, value);
-      $_setField(2, value);
   @$pb.TagNumber(2)
-  $core.bool hasAuthChallengeSolution() => $_has(1);
+  $core.bool hasVault() => $_has(1);
   @$pb.TagNumber(2)
-  void clearAuthChallengeSolution() => $_clearField(2);
+  void clearVault() => $_clearField(2);
   @$pb.TagNumber(2)
-  AuthChallengeSolution ensureAuthChallengeSolution() => $_ensure(1);
+  $1.Request ensureVault() => $_ensure(1);
 
   @$pb.TagNumber(3)
-  $0.Empty get queryVaultState => $_getN(2);
+  $2.Request get evm => $_getN(2);
   @$pb.TagNumber(3)
-  set queryVaultState($0.Empty value) => $_setField(3, value);
+  set evm($2.Request value) => $_setField(3, value);
   @$pb.TagNumber(3)
-  $core.bool hasQueryVaultState() => $_has(2);
+  $core.bool hasEvm() => $_has(2);
   @$pb.TagNumber(3)
-  void clearQueryVaultState() => $_clearField(3);
+  void clearEvm() => $_clearField(3);
   @$pb.TagNumber(3)
-  $0.Empty ensureQueryVaultState() => $_ensure(2);
+  $2.Request ensureEvm() => $_ensure(2);
 
   @$pb.TagNumber(4)
   $core.int get requestId => $_getIZ(3);
@@ -421,32 +139,19 @@ class ClientRequest extends $pb.GeneratedMessage {
   void clearRequestId() => $_clearField(4);
 }
 
-enum ClientResponse_Payload {
+enum ClientResponse_Payload { auth, vault, evm, notSet }
-  authChallenge,
-  authResult,
-  evmSignTransaction,
-  evmAnalyzeTransaction,
-  vaultState,
-  notSet
-}
 
 class ClientResponse extends $pb.GeneratedMessage {
   factory ClientResponse({
-    AuthChallenge? authChallenge,
+    $0.Response? auth,
-    AuthResult? authResult,
+    $1.Response? vault,
-    $1.EvmSignTransactionResponse? evmSignTransaction,
+    $2.Response? evm,
-    $1.EvmAnalyzeTransactionResponse? evmAnalyzeTransaction,
-    VaultState? vaultState,
     $core.int? requestId,
   }) {
     final result = create();
-    if (authChallenge != null) result.authChallenge = authChallenge;
+    if (auth != null) result.auth = auth;
-    if (authResult != null) result.authResult = authResult;
+    if (vault != null) result.vault = vault;
-    if (evmSignTransaction != null)
+    if (evm != null) result.evm = evm;
-      result.evmSignTransaction = evmSignTransaction;
-    if (evmAnalyzeTransaction != null)
-      result.evmAnalyzeTransaction = evmAnalyzeTransaction;
-    if (vaultState != null) result.vaultState = vaultState;
     if (requestId != null) result.requestId = requestId;
     return result;
   }
@@ -462,30 +167,22 @@ class ClientResponse extends $pb.GeneratedMessage {
 
   static const $core.Map<$core.int, ClientResponse_Payload>
       _ClientResponse_PayloadByTag = {
-    1: ClientResponse_Payload.authChallenge,
+    1: ClientResponse_Payload.auth,
-    2: ClientResponse_Payload.authResult,
+    2: ClientResponse_Payload.vault,
-    3: ClientResponse_Payload.evmSignTransaction,
+    3: ClientResponse_Payload.evm,
-    4: ClientResponse_Payload.evmAnalyzeTransaction,
-    6: ClientResponse_Payload.vaultState,
     0: ClientResponse_Payload.notSet
   };
   static final $pb.BuilderInfo _i = $pb.BuilderInfo(
       _omitMessageNames ? '' : 'ClientResponse',
       package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
       createEmptyInstance: create)
-    ..oo(0, [1, 2, 3, 4, 6])
+    ..oo(0, [1, 2, 3])
-    ..aOM<AuthChallenge>(1, _omitFieldNames ? '' : 'authChallenge',
+    ..aOM<$0.Response>(1, _omitFieldNames ? '' : 'auth',
-        subBuilder: AuthChallenge.create)
+        subBuilder: $0.Response.create)
-    ..aE<AuthResult>(2, _omitFieldNames ? '' : 'authResult',
+    ..aOM<$1.Response>(2, _omitFieldNames ? '' : 'vault',
-        enumValues: AuthResult.values)
+        subBuilder: $1.Response.create)
-    ..aOM<$1.EvmSignTransactionResponse>(
+    ..aOM<$2.Response>(3, _omitFieldNames ? '' : 'evm',
-        3, _omitFieldNames ? '' : 'evmSignTransaction',
+        subBuilder: $2.Response.create)
-        subBuilder: $1.EvmSignTransactionResponse.create)
-    ..aOM<$1.EvmAnalyzeTransactionResponse>(
-        4, _omitFieldNames ? '' : 'evmAnalyzeTransaction',
-        subBuilder: $1.EvmAnalyzeTransactionResponse.create)
-    ..aE<VaultState>(6, _omitFieldNames ? '' : 'vaultState',
-        enumValues: VaultState.values)
     ..aI(7, _omitFieldNames ? '' : 'requestId')
     ..hasRequiredFields = false;
 
@@ -511,76 +208,52 @@ class ClientResponse extends $pb.GeneratedMessage {
   @$pb.TagNumber(1)
   @$pb.TagNumber(2)
   @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  @$pb.TagNumber(6)
   ClientResponse_Payload whichPayload() =>
       _ClientResponse_PayloadByTag[$_whichOneof(0)]!;
   @$pb.TagNumber(1)
   @$pb.TagNumber(2)
   @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  @$pb.TagNumber(6)
   void clearPayload() => $_clearField($_whichOneof(0));
 
   @$pb.TagNumber(1)
-  AuthChallenge get authChallenge => $_getN(0);
+  $0.Response get auth => $_getN(0);
   @$pb.TagNumber(1)
-  set authChallenge(AuthChallenge value) => $_setField(1, value);
+  set auth($0.Response value) => $_setField(1, value);
   @$pb.TagNumber(1)
-  $core.bool hasAuthChallenge() => $_has(0);
+  $core.bool hasAuth() => $_has(0);
   @$pb.TagNumber(1)
-  void clearAuthChallenge() => $_clearField(1);
+  void clearAuth() => $_clearField(1);
   @$pb.TagNumber(1)
-  AuthChallenge ensureAuthChallenge() => $_ensure(0);
+  $0.Response ensureAuth() => $_ensure(0);
 
   @$pb.TagNumber(2)
-  AuthResult get authResult => $_getN(1);
+  $1.Response get vault => $_getN(1);
   @$pb.TagNumber(2)
-  set authResult(AuthResult value) => $_setField(2, value);
+  set vault($1.Response value) => $_setField(2, value);
   @$pb.TagNumber(2)
-  $core.bool hasAuthResult() => $_has(1);
+  $core.bool hasVault() => $_has(1);
   @$pb.TagNumber(2)
-  void clearAuthResult() => $_clearField(2);
+  void clearVault() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $1.Response ensureVault() => $_ensure(1);
 
   @$pb.TagNumber(3)
-  $1.EvmSignTransactionResponse get evmSignTransaction => $_getN(2);
+  $2.Response get evm => $_getN(2);
   @$pb.TagNumber(3)
-  set evmSignTransaction($1.EvmSignTransactionResponse value) =>
+  set evm($2.Response value) => $_setField(3, value);
-      $_setField(3, value);
   @$pb.TagNumber(3)
-  $core.bool hasEvmSignTransaction() => $_has(2);
+  $core.bool hasEvm() => $_has(2);
   @$pb.TagNumber(3)
-  void clearEvmSignTransaction() => $_clearField(3);
+  void clearEvm() => $_clearField(3);
   @$pb.TagNumber(3)
-  $1.EvmSignTransactionResponse ensureEvmSignTransaction() => $_ensure(2);
+  $2.Response ensureEvm() => $_ensure(2);
-
-  @$pb.TagNumber(4)
-  $1.EvmAnalyzeTransactionResponse get evmAnalyzeTransaction => $_getN(3);
-  @$pb.TagNumber(4)
-  set evmAnalyzeTransaction($1.EvmAnalyzeTransactionResponse value) =>
-      $_setField(4, value);
-  @$pb.TagNumber(4)
-  $core.bool hasEvmAnalyzeTransaction() => $_has(3);
-  @$pb.TagNumber(4)
-  void clearEvmAnalyzeTransaction() => $_clearField(4);
-  @$pb.TagNumber(4)
-  $1.EvmAnalyzeTransactionResponse ensureEvmAnalyzeTransaction() => $_ensure(3);
-
-  @$pb.TagNumber(6)
-  VaultState get vaultState => $_getN(4);
-  @$pb.TagNumber(6)
-  set vaultState(VaultState value) => $_setField(6, value);
-  @$pb.TagNumber(6)
-  $core.bool hasVaultState() => $_has(4);
-  @$pb.TagNumber(6)
-  void clearVaultState() => $_clearField(6);
 
   @$pb.TagNumber(7)
-  $core.int get requestId => $_getIZ(5);
+  $core.int get requestId => $_getIZ(3);
   @$pb.TagNumber(7)
-  set requestId($core.int value) => $_setSignedInt32(5, value);
+  set requestId($core.int value) => $_setSignedInt32(3, value);
   @$pb.TagNumber(7)
-  $core.bool hasRequestId() => $_has(5);
+  $core.bool hasRequestId() => $_has(3);
   @$pb.TagNumber(7)
   void clearRequestId() => $_clearField(7);
 }

useragent/lib/proto/client.pbenum.dart

@@ -9,72 +9,3 @@
 // ignore_for_file: curly_braces_in_flow_control_structures
 // ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
 // ignore_for_file: non_constant_identifier_names, prefer_relative_imports
-
-import 'dart:core' as $core;
-
-import 'package:protobuf/protobuf.dart' as $pb;
-
-class AuthResult extends $pb.ProtobufEnum {
-  static const AuthResult AUTH_RESULT_UNSPECIFIED =
-      AuthResult._(0, _omitEnumNames ? '' : 'AUTH_RESULT_UNSPECIFIED');
-  static const AuthResult AUTH_RESULT_SUCCESS =
-      AuthResult._(1, _omitEnumNames ? '' : 'AUTH_RESULT_SUCCESS');
-  static const AuthResult AUTH_RESULT_INVALID_KEY =
-      AuthResult._(2, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_KEY');
-  static const AuthResult AUTH_RESULT_INVALID_SIGNATURE =
-      AuthResult._(3, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_SIGNATURE');
-  static const AuthResult AUTH_RESULT_APPROVAL_DENIED =
-      AuthResult._(4, _omitEnumNames ? '' : 'AUTH_RESULT_APPROVAL_DENIED');
-  static const AuthResult AUTH_RESULT_NO_USER_AGENTS_ONLINE = AuthResult._(
-      5, _omitEnumNames ? '' : 'AUTH_RESULT_NO_USER_AGENTS_ONLINE');
-  static const AuthResult AUTH_RESULT_INTERNAL =
-      AuthResult._(6, _omitEnumNames ? '' : 'AUTH_RESULT_INTERNAL');
-
-  static const $core.List<AuthResult> values = <AuthResult>[
-    AUTH_RESULT_UNSPECIFIED,
-    AUTH_RESULT_SUCCESS,
-    AUTH_RESULT_INVALID_KEY,
-    AUTH_RESULT_INVALID_SIGNATURE,
-    AUTH_RESULT_APPROVAL_DENIED,
-    AUTH_RESULT_NO_USER_AGENTS_ONLINE,
-    AUTH_RESULT_INTERNAL,
-  ];
-
-  static final $core.List<AuthResult?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 6);
-  static AuthResult? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const AuthResult._(super.value, super.name);
-}
-
-class VaultState extends $pb.ProtobufEnum {
-  static const VaultState VAULT_STATE_UNSPECIFIED =
-      VaultState._(0, _omitEnumNames ? '' : 'VAULT_STATE_UNSPECIFIED');
-  static const VaultState VAULT_STATE_UNBOOTSTRAPPED =
-      VaultState._(1, _omitEnumNames ? '' : 'VAULT_STATE_UNBOOTSTRAPPED');
-  static const VaultState VAULT_STATE_SEALED =
-      VaultState._(2, _omitEnumNames ? '' : 'VAULT_STATE_SEALED');
-  static const VaultState VAULT_STATE_UNSEALED =
-      VaultState._(3, _omitEnumNames ? '' : 'VAULT_STATE_UNSEALED');
-  static const VaultState VAULT_STATE_ERROR =
-      VaultState._(4, _omitEnumNames ? '' : 'VAULT_STATE_ERROR');
-
-  static const $core.List<VaultState> values = <VaultState>[
-    VAULT_STATE_UNSPECIFIED,
-    VAULT_STATE_UNBOOTSTRAPPED,
-    VAULT_STATE_SEALED,
-    VAULT_STATE_UNSEALED,
-    VAULT_STATE_ERROR,
-  ];
-
-  static final $core.List<VaultState?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 4);
-  static VaultState? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const VaultState._(super.value, super.name);
-}
-
-const $core.bool _omitEnumNames =
-    $core.bool.fromEnvironment('protobuf.omit_enum_names');

useragent/lib/proto/client.pbjson.dart

@@ -15,160 +15,37 @@ import 'dart:convert' as $convert;
 import 'dart:core' as $core;
 import 'dart:typed_data' as $typed_data;
 
-@$core.Deprecated('Use authResultDescriptor instead')
-const AuthResult$json = {
-  '1': 'AuthResult',
-  '2': [
-    {'1': 'AUTH_RESULT_UNSPECIFIED', '2': 0},
-    {'1': 'AUTH_RESULT_SUCCESS', '2': 1},
-    {'1': 'AUTH_RESULT_INVALID_KEY', '2': 2},
-    {'1': 'AUTH_RESULT_INVALID_SIGNATURE', '2': 3},
-    {'1': 'AUTH_RESULT_APPROVAL_DENIED', '2': 4},
-    {'1': 'AUTH_RESULT_NO_USER_AGENTS_ONLINE', '2': 5},
-    {'1': 'AUTH_RESULT_INTERNAL', '2': 6},
-  ],
-};
-
-/// Descriptor for `AuthResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List authResultDescriptor = $convert.base64Decode(
-    'CgpBdXRoUmVzdWx0EhsKF0FVVEhfUkVTVUxUX1VOU1BFQ0lGSUVEEAASFwoTQVVUSF9SRVNVTF'
-    'RfU1VDQ0VTUxABEhsKF0FVVEhfUkVTVUxUX0lOVkFMSURfS0VZEAISIQodQVVUSF9SRVNVTFRf'
-    'SU5WQUxJRF9TSUdOQVRVUkUQAxIfChtBVVRIX1JFU1VMVF9BUFBST1ZBTF9ERU5JRUQQBBIlCi'
-    'FBVVRIX1JFU1VMVF9OT19VU0VSX0FHRU5UU19PTkxJTkUQBRIYChRBVVRIX1JFU1VMVF9JTlRF'
-    'Uk5BTBAG');
-
-@$core.Deprecated('Use vaultStateDescriptor instead')
-const VaultState$json = {
-  '1': 'VaultState',
-  '2': [
-    {'1': 'VAULT_STATE_UNSPECIFIED', '2': 0},
-    {'1': 'VAULT_STATE_UNBOOTSTRAPPED', '2': 1},
-    {'1': 'VAULT_STATE_SEALED', '2': 2},
-    {'1': 'VAULT_STATE_UNSEALED', '2': 3},
-    {'1': 'VAULT_STATE_ERROR', '2': 4},
-  ],
-};
-
-/// Descriptor for `VaultState`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List vaultStateDescriptor = $convert.base64Decode(
-    'CgpWYXVsdFN0YXRlEhsKF1ZBVUxUX1NUQVRFX1VOU1BFQ0lGSUVEEAASHgoaVkFVTFRfU1RBVE'
-    'VfVU5CT09UU1RSQVBQRUQQARIWChJWQVVMVF9TVEFURV9TRUFMRUQQAhIYChRWQVVMVF9TVEFU'
-    'RV9VTlNFQUxFRBADEhUKEVZBVUxUX1NUQVRFX0VSUk9SEAQ=');
-
-@$core.Deprecated('Use clientInfoDescriptor instead')
-const ClientInfo$json = {
-  '1': 'ClientInfo',
-  '2': [
-    {'1': 'name', '3': 1, '4': 1, '5': 9, '10': 'name'},
-    {
-      '1': 'description',
-      '3': 2,
-      '4': 1,
-      '5': 9,
-      '9': 0,
-      '10': 'description',
-      '17': true
-    },
-    {
-      '1': 'version',
-      '3': 3,
-      '4': 1,
-      '5': 9,
-      '9': 1,
-      '10': 'version',
-      '17': true
-    },
-  ],
-  '8': [
-    {'1': '_description'},
-    {'1': '_version'},
-  ],
-};
-
-/// Descriptor for `ClientInfo`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List clientInfoDescriptor = $convert.base64Decode(
-    'CgpDbGllbnRJbmZvEhIKBG5hbWUYASABKAlSBG5hbWUSJQoLZGVzY3JpcHRpb24YAiABKAlIAF'
-    'ILZGVzY3JpcHRpb26IAQESHQoHdmVyc2lvbhgDIAEoCUgBUgd2ZXJzaW9uiAEBQg4KDF9kZXNj'
-    'cmlwdGlvbkIKCghfdmVyc2lvbg==');
-
-@$core.Deprecated('Use authChallengeRequestDescriptor instead')
-const AuthChallengeRequest$json = {
-  '1': 'AuthChallengeRequest',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-    {
-      '1': 'client_info',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.client.ClientInfo',
-      '10': 'clientInfo'
-    },
-  ],
-};
-
-/// Descriptor for `AuthChallengeRequest`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeRequestDescriptor = $convert.base64Decode(
-    'ChRBdXRoQ2hhbGxlbmdlUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRI7CgtjbGllbn'
-    'RfaW5mbxgCIAEoCzIaLmFyYml0ZXIuY2xpZW50LkNsaWVudEluZm9SCmNsaWVudEluZm8=');
-
-@$core.Deprecated('Use authChallengeDescriptor instead')
-const AuthChallenge$json = {
-  '1': 'AuthChallenge',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-    {'1': 'nonce', '3': 2, '4': 1, '5': 5, '10': 'nonce'},
-  ],
-};
-
-/// Descriptor for `AuthChallenge`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeDescriptor = $convert.base64Decode(
-    'Cg1BdXRoQ2hhbGxlbmdlEhYKBnB1YmtleRgBIAEoDFIGcHVia2V5EhQKBW5vbmNlGAIgASgFUg'
-    'Vub25jZQ==');
-
-@$core.Deprecated('Use authChallengeSolutionDescriptor instead')
-const AuthChallengeSolution$json = {
-  '1': 'AuthChallengeSolution',
-  '2': [
-    {'1': 'signature', '3': 1, '4': 1, '5': 12, '10': 'signature'},
-  ],
-};
-
-/// Descriptor for `AuthChallengeSolution`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeSolutionDescriptor = $convert.base64Decode(
-    'ChVBdXRoQ2hhbGxlbmdlU29sdXRpb24SHAoJc2lnbmF0dXJlGAEgASgMUglzaWduYXR1cmU=');
-
 @$core.Deprecated('Use clientRequestDescriptor instead')
 const ClientRequest$json = {
   '1': 'ClientRequest',
   '2': [
     {'1': 'request_id', '3': 4, '4': 1, '5': 5, '10': 'requestId'},
     {
-      '1': 'auth_challenge_request',
+      '1': 'auth',
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.client.AuthChallengeRequest',
+      '6': '.arbiter.client.auth.Request',
       '9': 0,
-      '10': 'authChallengeRequest'
+      '10': 'auth'
     },
     {
-      '1': 'auth_challenge_solution',
+      '1': 'vault',
       '3': 2,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.client.AuthChallengeSolution',
+      '6': '.arbiter.client.vault.Request',
       '9': 0,
-      '10': 'authChallengeSolution'
+      '10': 'vault'
     },
     {
-      '1': 'query_vault_state',
+      '1': 'evm',
       '3': 3,
       '4': 1,
       '5': 11,
-      '6': '.google.protobuf.Empty',
+      '6': '.arbiter.client.evm.Request',
       '9': 0,
-      '10': 'queryVaultState'
+      '10': 'evm'
     },
   ],
   '8': [
@@ -178,12 +55,10 @@ const ClientRequest$json = {
 
 /// Descriptor for `ClientRequest`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List clientRequestDescriptor = $convert.base64Decode(
-    'Cg1DbGllbnRSZXF1ZXN0Eh0KCnJlcXVlc3RfaWQYBCABKAVSCXJlcXVlc3RJZBJcChZhdXRoX2'
+    'Cg1DbGllbnRSZXF1ZXN0Eh0KCnJlcXVlc3RfaWQYBCABKAVSCXJlcXVlc3RJZBIyCgRhdXRoGA'
-    'NoYWxsZW5nZV9yZXF1ZXN0GAEgASgLMiQuYXJiaXRlci5jbGllbnQuQXV0aENoYWxsZW5nZVJl'
+    'EgASgLMhwuYXJiaXRlci5jbGllbnQuYXV0aC5SZXF1ZXN0SABSBGF1dGgSNQoFdmF1bHQYAiAB'
-    'cXVlc3RIAFIUYXV0aENoYWxsZW5nZVJlcXVlc3QSXwoXYXV0aF9jaGFsbGVuZ2Vfc29sdXRpb2'
+    'KAsyHS5hcmJpdGVyLmNsaWVudC52YXVsdC5SZXF1ZXN0SABSBXZhdWx0Ei8KA2V2bRgDIAEoCz'
-    '4YAiABKAsyJS5hcmJpdGVyLmNsaWVudC5BdXRoQ2hhbGxlbmdlU29sdXRpb25IAFIVYXV0aENo'
+    'IbLmFyYml0ZXIuY2xpZW50LmV2bS5SZXF1ZXN0SABSA2V2bUIJCgdwYXlsb2Fk');
-    'YWxsZW5nZVNvbHV0aW9uEkQKEXF1ZXJ5X3ZhdWx0X3N0YXRlGAMgASgLMhYuZ29vZ2xlLnByb3'
-    'RvYnVmLkVtcHR5SABSD3F1ZXJ5VmF1bHRTdGF0ZUIJCgdwYXlsb2Fk');
 
 @$core.Deprecated('Use clientResponseDescriptor instead')
 const ClientResponse$json = {
@@ -199,49 +74,31 @@ const ClientResponse$json = {
       '17': true
     },
     {
-      '1': 'auth_challenge',
+      '1': 'auth',
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.client.AuthChallenge',
+      '6': '.arbiter.client.auth.Response',
       '9': 0,
-      '10': 'authChallenge'
+      '10': 'auth'
     },
     {
-      '1': 'auth_result',
+      '1': 'vault',
       '3': 2,
       '4': 1,
-      '5': 14,
+      '5': 11,
-      '6': '.arbiter.client.AuthResult',
+      '6': '.arbiter.client.vault.Response',
       '9': 0,
-      '10': 'authResult'
+      '10': 'vault'
     },
     {
-      '1': 'evm_sign_transaction',
+      '1': 'evm',
       '3': 3,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.evm.EvmSignTransactionResponse',
+      '6': '.arbiter.client.evm.Response',
       '9': 0,
-      '10': 'evmSignTransaction'
+      '10': 'evm'
-    },
-    {
-      '1': 'evm_analyze_transaction',
-      '3': 4,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmAnalyzeTransactionResponse',
-      '9': 0,
-      '10': 'evmAnalyzeTransaction'
-    },
-    {
-      '1': 'vault_state',
-      '3': 6,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.client.VaultState',
-      '9': 0,
-      '10': 'vaultState'
     },
   ],
   '8': [
@@ -252,12 +109,8 @@ const ClientResponse$json = {
 
 /// Descriptor for `ClientResponse`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List clientResponseDescriptor = $convert.base64Decode(
-    'Cg5DbGllbnRSZXNwb25zZRIiCgpyZXF1ZXN0X2lkGAcgASgFSAFSCXJlcXVlc3RJZIgBARJGCg'
+    'Cg5DbGllbnRSZXNwb25zZRIiCgpyZXF1ZXN0X2lkGAcgASgFSAFSCXJlcXVlc3RJZIgBARIzCg'
-    '5hdXRoX2NoYWxsZW5nZRgBIAEoCzIdLmFyYml0ZXIuY2xpZW50LkF1dGhDaGFsbGVuZ2VIAFIN'
+    'RhdXRoGAEgASgLMh0uYXJiaXRlci5jbGllbnQuYXV0aC5SZXNwb25zZUgAUgRhdXRoEjYKBXZh'
-    'YXV0aENoYWxsZW5nZRI9CgthdXRoX3Jlc3VsdBgCIAEoDjIaLmFyYml0ZXIuY2xpZW50LkF1dG'
+    'dWx0GAIgASgLMh4uYXJiaXRlci5jbGllbnQudmF1bHQuUmVzcG9uc2VIAFIFdmF1bHQSMAoDZX'
-    'hSZXN1bHRIAFIKYXV0aFJlc3VsdBJbChRldm1fc2lnbl90cmFuc2FjdGlvbhgDIAEoCzInLmFy'
+    'ZtGAMgASgLMhwuYXJiaXRlci5jbGllbnQuZXZtLlJlc3BvbnNlSABSA2V2bUIJCgdwYXlsb2Fk'
-    'Yml0ZXIuZXZtLkV2bVNpZ25UcmFuc2FjdGlvblJlc3BvbnNlSABSEmV2bVNpZ25UcmFuc2FjdG'
+    'Qg0KC19yZXF1ZXN0X2lk');
-    'lvbhJkChdldm1fYW5hbHl6ZV90cmFuc2FjdGlvbhgEIAEoCzIqLmFyYml0ZXIuZXZtLkV2bUFu'
-    'YWx5emVUcmFuc2FjdGlvblJlc3BvbnNlSABSFWV2bUFuYWx5emVUcmFuc2FjdGlvbhI9Cgt2YX'
-    'VsdF9zdGF0ZRgGIAEoDjIaLmFyYml0ZXIuY2xpZW50LlZhdWx0U3RhdGVIAFIKdmF1bHRTdGF0'
-    'ZUIJCgdwYXlsb2FkQg0KC19yZXF1ZXN0X2lk');

useragent/lib/proto/client/auth.pb.dart

@@ -0,0 +1,395 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+import '../shared/client.pb.dart' as $0;
+import 'auth.pbenum.dart';
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+export 'auth.pbenum.dart';
+
+class AuthChallengeRequest extends $pb.GeneratedMessage {
+  factory AuthChallengeRequest({
+    $core.List<$core.int>? pubkey,
+    $0.ClientInfo? clientInfo,
+  }) {
+    final result = create();
+    if (pubkey != null) result.pubkey = pubkey;
+    if (clientInfo != null) result.clientInfo = clientInfo;
+    return result;
+  }
+
+  AuthChallengeRequest._();
+
+  factory AuthChallengeRequest.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallengeRequest.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallengeRequest',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..aOM<$0.ClientInfo>(2, _omitFieldNames ? '' : 'clientInfo',
+        subBuilder: $0.ClientInfo.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeRequest clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeRequest copyWith(void Function(AuthChallengeRequest) updates) =>
+      super.copyWith((message) => updates(message as AuthChallengeRequest))
+          as AuthChallengeRequest;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeRequest create() => AuthChallengeRequest._();
+  @$core.override
+  AuthChallengeRequest createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeRequest getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallengeRequest>(create);
+  static AuthChallengeRequest? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get pubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearPubkey() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $0.ClientInfo get clientInfo => $_getN(1);
+  @$pb.TagNumber(2)
+  set clientInfo($0.ClientInfo value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasClientInfo() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearClientInfo() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.ClientInfo ensureClientInfo() => $_ensure(1);
+}
+
+class AuthChallenge extends $pb.GeneratedMessage {
+  factory AuthChallenge({
+    $core.List<$core.int>? pubkey,
+    $core.int? nonce,
+  }) {
+    final result = create();
+    if (pubkey != null) result.pubkey = pubkey;
+    if (nonce != null) result.nonce = nonce;
+    return result;
+  }
+
+  AuthChallenge._();
+
+  factory AuthChallenge.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallenge.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallenge',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..aI(2, _omitFieldNames ? '' : 'nonce')
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallenge clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallenge copyWith(void Function(AuthChallenge) updates) =>
+      super.copyWith((message) => updates(message as AuthChallenge))
+          as AuthChallenge;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallenge create() => AuthChallenge._();
+  @$core.override
+  AuthChallenge createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallenge getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallenge>(create);
+  static AuthChallenge? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get pubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearPubkey() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.int get nonce => $_getIZ(1);
+  @$pb.TagNumber(2)
+  set nonce($core.int value) => $_setSignedInt32(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasNonce() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearNonce() => $_clearField(2);
+}
+
+class AuthChallengeSolution extends $pb.GeneratedMessage {
+  factory AuthChallengeSolution({
+    $core.List<$core.int>? signature,
+  }) {
+    final result = create();
+    if (signature != null) result.signature = signature;
+    return result;
+  }
+
+  AuthChallengeSolution._();
+
+  factory AuthChallengeSolution.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallengeSolution.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallengeSolution',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeSolution clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeSolution copyWith(
+          void Function(AuthChallengeSolution) updates) =>
+      super.copyWith((message) => updates(message as AuthChallengeSolution))
+          as AuthChallengeSolution;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeSolution create() => AuthChallengeSolution._();
+  @$core.override
+  AuthChallengeSolution createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeSolution getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallengeSolution>(create);
+  static AuthChallengeSolution? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get signature => $_getN(0);
+  @$pb.TagNumber(1)
+  set signature($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSignature() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSignature() => $_clearField(1);
+}
+
+enum Request_Payload { challengeRequest, challengeSolution, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    AuthChallengeRequest? challengeRequest,
+    AuthChallengeSolution? challengeSolution,
+  }) {
+    final result = create();
+    if (challengeRequest != null) result.challengeRequest = challengeRequest;
+    if (challengeSolution != null) result.challengeSolution = challengeSolution;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.challengeRequest,
+    2: Request_Payload.challengeSolution,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<AuthChallengeRequest>(1, _omitFieldNames ? '' : 'challengeRequest',
+        subBuilder: AuthChallengeRequest.create)
+    ..aOM<AuthChallengeSolution>(2, _omitFieldNames ? '' : 'challengeSolution',
+        subBuilder: AuthChallengeSolution.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  AuthChallengeRequest get challengeRequest => $_getN(0);
+  @$pb.TagNumber(1)
+  set challengeRequest(AuthChallengeRequest value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasChallengeRequest() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearChallengeRequest() => $_clearField(1);
+  @$pb.TagNumber(1)
+  AuthChallengeRequest ensureChallengeRequest() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  AuthChallengeSolution get challengeSolution => $_getN(1);
+  @$pb.TagNumber(2)
+  set challengeSolution(AuthChallengeSolution value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasChallengeSolution() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearChallengeSolution() => $_clearField(2);
+  @$pb.TagNumber(2)
+  AuthChallengeSolution ensureChallengeSolution() => $_ensure(1);
+}
+
+enum Response_Payload { challenge, result, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    AuthChallenge? challenge,
+    AuthResult? result,
+  }) {
+    final result$ = create();
+    if (challenge != null) result$.challenge = challenge;
+    if (result != null) result$.result = result;
+    return result$;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.challenge,
+    2: Response_Payload.result,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<AuthChallenge>(1, _omitFieldNames ? '' : 'challenge',
+        subBuilder: AuthChallenge.create)
+    ..aE<AuthResult>(2, _omitFieldNames ? '' : 'result',
+        enumValues: AuthResult.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  AuthChallenge get challenge => $_getN(0);
+  @$pb.TagNumber(1)
+  set challenge(AuthChallenge value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasChallenge() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearChallenge() => $_clearField(1);
+  @$pb.TagNumber(1)
+  AuthChallenge ensureChallenge() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  AuthResult get result => $_getN(1);
+  @$pb.TagNumber(2)
+  set result(AuthResult value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasResult() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearResult() => $_clearField(2);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');

useragent/lib/proto/client/auth.pbenum.dart

@@ -0,0 +1,52 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+class AuthResult extends $pb.ProtobufEnum {
+  static const AuthResult AUTH_RESULT_UNSPECIFIED =
+      AuthResult._(0, _omitEnumNames ? '' : 'AUTH_RESULT_UNSPECIFIED');
+  static const AuthResult AUTH_RESULT_SUCCESS =
+      AuthResult._(1, _omitEnumNames ? '' : 'AUTH_RESULT_SUCCESS');
+  static const AuthResult AUTH_RESULT_INVALID_KEY =
+      AuthResult._(2, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_KEY');
+  static const AuthResult AUTH_RESULT_INVALID_SIGNATURE =
+      AuthResult._(3, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_SIGNATURE');
+  static const AuthResult AUTH_RESULT_APPROVAL_DENIED =
+      AuthResult._(4, _omitEnumNames ? '' : 'AUTH_RESULT_APPROVAL_DENIED');
+  static const AuthResult AUTH_RESULT_NO_USER_AGENTS_ONLINE = AuthResult._(
+      5, _omitEnumNames ? '' : 'AUTH_RESULT_NO_USER_AGENTS_ONLINE');
+  static const AuthResult AUTH_RESULT_INTERNAL =
+      AuthResult._(6, _omitEnumNames ? '' : 'AUTH_RESULT_INTERNAL');
+
+  static const $core.List<AuthResult> values = <AuthResult>[
+    AUTH_RESULT_UNSPECIFIED,
+    AUTH_RESULT_SUCCESS,
+    AUTH_RESULT_INVALID_KEY,
+    AUTH_RESULT_INVALID_SIGNATURE,
+    AUTH_RESULT_APPROVAL_DENIED,
+    AUTH_RESULT_NO_USER_AGENTS_ONLINE,
+    AUTH_RESULT_INTERNAL,
+  ];
+
+  static final $core.List<AuthResult?> _byValue =
+      $pb.ProtobufEnum.$_initByValueList(values, 6);
+  static AuthResult? valueOf($core.int value) =>
+      value < 0 || value >= _byValue.length ? null : _byValue[value];
+
+  const AuthResult._(super.value, super.name);
+}
+
+const $core.bool _omitEnumNames =
+    $core.bool.fromEnvironment('protobuf.omit_enum_names');

useragent/lib/proto/client/auth.pbjson.dart

@@ -0,0 +1,154 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use authResultDescriptor instead')
+const AuthResult$json = {
+  '1': 'AuthResult',
+  '2': [
+    {'1': 'AUTH_RESULT_UNSPECIFIED', '2': 0},
+    {'1': 'AUTH_RESULT_SUCCESS', '2': 1},
+    {'1': 'AUTH_RESULT_INVALID_KEY', '2': 2},
+    {'1': 'AUTH_RESULT_INVALID_SIGNATURE', '2': 3},
+    {'1': 'AUTH_RESULT_APPROVAL_DENIED', '2': 4},
+    {'1': 'AUTH_RESULT_NO_USER_AGENTS_ONLINE', '2': 5},
+    {'1': 'AUTH_RESULT_INTERNAL', '2': 6},
+  ],
+};
+
+/// Descriptor for `AuthResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
+final $typed_data.Uint8List authResultDescriptor = $convert.base64Decode(
+    'CgpBdXRoUmVzdWx0EhsKF0FVVEhfUkVTVUxUX1VOU1BFQ0lGSUVEEAASFwoTQVVUSF9SRVNVTF'
+    'RfU1VDQ0VTUxABEhsKF0FVVEhfUkVTVUxUX0lOVkFMSURfS0VZEAISIQodQVVUSF9SRVNVTFRf'
+    'SU5WQUxJRF9TSUdOQVRVUkUQAxIfChtBVVRIX1JFU1VMVF9BUFBST1ZBTF9ERU5JRUQQBBIlCi'
+    'FBVVRIX1JFU1VMVF9OT19VU0VSX0FHRU5UU19PTkxJTkUQBRIYChRBVVRIX1JFU1VMVF9JTlRF'
+    'Uk5BTBAG');
+
+@$core.Deprecated('Use authChallengeRequestDescriptor instead')
+const AuthChallengeRequest$json = {
+  '1': 'AuthChallengeRequest',
+  '2': [
+    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
+    {
+      '1': 'client_info',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.ClientInfo',
+      '10': 'clientInfo'
+    },
+  ],
+};
+
+/// Descriptor for `AuthChallengeRequest`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeRequestDescriptor = $convert.base64Decode(
+    'ChRBdXRoQ2hhbGxlbmdlUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRI7CgtjbGllbn'
+    'RfaW5mbxgCIAEoCzIaLmFyYml0ZXIuc2hhcmVkLkNsaWVudEluZm9SCmNsaWVudEluZm8=');
+
+@$core.Deprecated('Use authChallengeDescriptor instead')
+const AuthChallenge$json = {
+  '1': 'AuthChallenge',
+  '2': [
+    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
+    {'1': 'nonce', '3': 2, '4': 1, '5': 5, '10': 'nonce'},
+  ],
+};
+
+/// Descriptor for `AuthChallenge`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeDescriptor = $convert.base64Decode(
+    'Cg1BdXRoQ2hhbGxlbmdlEhYKBnB1YmtleRgBIAEoDFIGcHVia2V5EhQKBW5vbmNlGAIgASgFUg'
+    'Vub25jZQ==');
+
+@$core.Deprecated('Use authChallengeSolutionDescriptor instead')
+const AuthChallengeSolution$json = {
+  '1': 'AuthChallengeSolution',
+  '2': [
+    {'1': 'signature', '3': 1, '4': 1, '5': 12, '10': 'signature'},
+  ],
+};
+
+/// Descriptor for `AuthChallengeSolution`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeSolutionDescriptor = $convert.base64Decode(
+    'ChVBdXRoQ2hhbGxlbmdlU29sdXRpb24SHAoJc2lnbmF0dXJlGAEgASgMUglzaWduYXR1cmU=');
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'challenge_request',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.client.auth.AuthChallengeRequest',
+      '9': 0,
+      '10': 'challengeRequest'
+    },
+    {
+      '1': 'challenge_solution',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.client.auth.AuthChallengeSolution',
+      '9': 0,
+      '10': 'challengeSolution'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0ElgKEWNoYWxsZW5nZV9yZXF1ZXN0GAEgASgLMikuYXJiaXRlci5jbGllbnQuYX'
+    'V0aC5BdXRoQ2hhbGxlbmdlUmVxdWVzdEgAUhBjaGFsbGVuZ2VSZXF1ZXN0ElsKEmNoYWxsZW5n'
+    'ZV9zb2x1dGlvbhgCIAEoCzIqLmFyYml0ZXIuY2xpZW50LmF1dGguQXV0aENoYWxsZW5nZVNvbH'
+    'V0aW9uSABSEWNoYWxsZW5nZVNvbHV0aW9uQgkKB3BheWxvYWQ=');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'challenge',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.client.auth.AuthChallenge',
+      '9': 0,
+      '10': 'challenge'
+    },
+    {
+      '1': 'result',
+      '3': 2,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.client.auth.AuthResult',
+      '9': 0,
+      '10': 'result'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRJCCgljaGFsbGVuZ2UYASABKAsyIi5hcmJpdGVyLmNsaWVudC5hdXRoLkF1dG'
+    'hDaGFsbGVuZ2VIAFIJY2hhbGxlbmdlEjkKBnJlc3VsdBgCIAEoDjIfLmFyYml0ZXIuY2xpZW50'
+    'LmF1dGguQXV0aFJlc3VsdEgAUgZyZXN1bHRCCQoHcGF5bG9hZA==');

useragent/lib/proto/client/evm.pb.dart

@@ -0,0 +1,208 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+import '../evm.pb.dart' as $0;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+enum Request_Payload { signTransaction, analyzeTransaction, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    $0.EvmSignTransactionRequest? signTransaction,
+    $0.EvmAnalyzeTransactionRequest? analyzeTransaction,
+  }) {
+    final result = create();
+    if (signTransaction != null) result.signTransaction = signTransaction;
+    if (analyzeTransaction != null)
+      result.analyzeTransaction = analyzeTransaction;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.signTransaction,
+    2: Request_Payload.analyzeTransaction,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<$0.EvmSignTransactionRequest>(
+        1, _omitFieldNames ? '' : 'signTransaction',
+        subBuilder: $0.EvmSignTransactionRequest.create)
+    ..aOM<$0.EvmAnalyzeTransactionRequest>(
+        2, _omitFieldNames ? '' : 'analyzeTransaction',
+        subBuilder: $0.EvmAnalyzeTransactionRequest.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionRequest get signTransaction => $_getN(0);
+  @$pb.TagNumber(1)
+  set signTransaction($0.EvmSignTransactionRequest value) =>
+      $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSignTransaction() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSignTransaction() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionRequest ensureSignTransaction() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionRequest get analyzeTransaction => $_getN(1);
+  @$pb.TagNumber(2)
+  set analyzeTransaction($0.EvmAnalyzeTransactionRequest value) =>
+      $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasAnalyzeTransaction() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearAnalyzeTransaction() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionRequest ensureAnalyzeTransaction() => $_ensure(1);
+}
+
+enum Response_Payload { signTransaction, analyzeTransaction, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    $0.EvmSignTransactionResponse? signTransaction,
+    $0.EvmAnalyzeTransactionResponse? analyzeTransaction,
+  }) {
+    final result = create();
+    if (signTransaction != null) result.signTransaction = signTransaction;
+    if (analyzeTransaction != null)
+      result.analyzeTransaction = analyzeTransaction;
+    return result;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.signTransaction,
+    2: Response_Payload.analyzeTransaction,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<$0.EvmSignTransactionResponse>(
+        1, _omitFieldNames ? '' : 'signTransaction',
+        subBuilder: $0.EvmSignTransactionResponse.create)
+    ..aOM<$0.EvmAnalyzeTransactionResponse>(
+        2, _omitFieldNames ? '' : 'analyzeTransaction',
+        subBuilder: $0.EvmAnalyzeTransactionResponse.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionResponse get signTransaction => $_getN(0);
+  @$pb.TagNumber(1)
+  set signTransaction($0.EvmSignTransactionResponse value) =>
+      $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSignTransaction() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSignTransaction() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionResponse ensureSignTransaction() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionResponse get analyzeTransaction => $_getN(1);
+  @$pb.TagNumber(2)
+  set analyzeTransaction($0.EvmAnalyzeTransactionResponse value) =>
+      $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasAnalyzeTransaction() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearAnalyzeTransaction() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionResponse ensureAnalyzeTransaction() => $_ensure(1);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');

useragent/lib/proto/client/evm.pbenum.dart

@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports

useragent/lib/proto/client/evm.pbjson.dart

@@ -0,0 +1,86 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'sign_transaction',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmSignTransactionRequest',
+      '9': 0,
+      '10': 'signTransaction'
+    },
+    {
+      '1': 'analyze_transaction',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmAnalyzeTransactionRequest',
+      '9': 0,
+      '10': 'analyzeTransaction'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0ElMKEHNpZ25fdHJhbnNhY3Rpb24YASABKAsyJi5hcmJpdGVyLmV2bS5Fdm1TaW'
+    'duVHJhbnNhY3Rpb25SZXF1ZXN0SABSD3NpZ25UcmFuc2FjdGlvbhJcChNhbmFseXplX3RyYW5z'
+    'YWN0aW9uGAIgASgLMikuYXJiaXRlci5ldm0uRXZtQW5hbHl6ZVRyYW5zYWN0aW9uUmVxdWVzdE'
+    'gAUhJhbmFseXplVHJhbnNhY3Rpb25CCQoHcGF5bG9hZA==');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'sign_transaction',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmSignTransactionResponse',
+      '9': 0,
+      '10': 'signTransaction'
+    },
+    {
+      '1': 'analyze_transaction',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmAnalyzeTransactionResponse',
+      '9': 0,
+      '10': 'analyzeTransaction'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRJUChBzaWduX3RyYW5zYWN0aW9uGAEgASgLMicuYXJiaXRlci5ldm0uRXZtU2'
+    'lnblRyYW5zYWN0aW9uUmVzcG9uc2VIAFIPc2lnblRyYW5zYWN0aW9uEl0KE2FuYWx5emVfdHJh'
+    'bnNhY3Rpb24YAiABKAsyKi5hcmJpdGVyLmV2bS5Fdm1BbmFseXplVHJhbnNhY3Rpb25SZXNwb2'
+    '5zZUgAUhJhbmFseXplVHJhbnNhY3Rpb25CCQoHcGF5bG9hZA==');

useragent/lib/proto/client/vault.pb.dart

@@ -0,0 +1,161 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $0;
+
+import '../shared/vault.pbenum.dart' as $1;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+enum Request_Payload { queryState, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    $0.Empty? queryState,
+  }) {
+    final result = create();
+    if (queryState != null) result.queryState = queryState;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.queryState,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.client.vault'),
+      createEmptyInstance: create)
+    ..oo(0, [1])
+    ..aOM<$0.Empty>(1, _omitFieldNames ? '' : 'queryState',
+        subBuilder: $0.Empty.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.Empty get queryState => $_getN(0);
+  @$pb.TagNumber(1)
+  set queryState($0.Empty value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasQueryState() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearQueryState() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.Empty ensureQueryState() => $_ensure(0);
+}
+
+enum Response_Payload { state, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    $1.VaultState? state,
+  }) {
+    final result = create();
+    if (state != null) result.state = state;
+    return result;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.state,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.client.vault'),
+      createEmptyInstance: create)
+    ..oo(0, [1])
+    ..aE<$1.VaultState>(1, _omitFieldNames ? '' : 'state',
+        enumValues: $1.VaultState.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $1.VaultState get state => $_getN(0);
+  @$pb.TagNumber(1)
+  set state($1.VaultState value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasState() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearState() => $_clearField(1);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');

useragent/lib/proto/client/vault.pbenum.dart

@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports

useragent/lib/proto/client/vault.pbjson.dart

@@ -0,0 +1,64 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'query_state',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'queryState'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0EjkKC3F1ZXJ5X3N0YXRlGAEgASgLMhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SA'
+    'BSCnF1ZXJ5U3RhdGVCCQoHcGF5bG9hZA==');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'state',
+      '3': 1,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.shared.VaultState',
+      '9': 0,
+      '10': 'state'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRIyCgVzdGF0ZRgBIAEoDjIaLmFyYml0ZXIuc2hhcmVkLlZhdWx0U3RhdGVIAF'
+    'IFc3RhdGVCCQoHcGF5bG9hZA==');

useragent/lib/proto/evm.pb.dart

@@ -19,6 +19,7 @@ import 'package:protobuf/well_known_types/google/protobuf/timestamp.pb.dart'
     as $0;
 
 import 'evm.pbenum.dart';
+import 'shared/evm.pb.dart' as $2;
 
 export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
 
@@ -815,825 +816,6 @@ class SpecificGrant extends $pb.GeneratedMessage {
   TokenTransferSettings ensureTokenTransfer() => $_ensure(1);
 }
 
-class EtherTransferMeaning extends $pb.GeneratedMessage {
-  factory EtherTransferMeaning({
-    $core.List<$core.int>? to,
-    $core.List<$core.int>? value,
-  }) {
-    final result = create();
-    if (to != null) result.to = to;
-    if (value != null) result.value = value;
-    return result;
-  }
-
-  EtherTransferMeaning._();
-
-  factory EtherTransferMeaning.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory EtherTransferMeaning.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'EtherTransferMeaning',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'to', $pb.PbFieldType.OY)
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'value', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  EtherTransferMeaning clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  EtherTransferMeaning copyWith(void Function(EtherTransferMeaning) updates) =>
-      super.copyWith((message) => updates(message as EtherTransferMeaning))
-          as EtherTransferMeaning;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static EtherTransferMeaning create() => EtherTransferMeaning._();
-  @$core.override
-  EtherTransferMeaning createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static EtherTransferMeaning getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<EtherTransferMeaning>(create);
-  static EtherTransferMeaning? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get to => $_getN(0);
-  @$pb.TagNumber(1)
-  set to($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasTo() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearTo() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get value => $_getN(1);
-  @$pb.TagNumber(2)
-  set value($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasValue() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearValue() => $_clearField(2);
-}
-
-class TokenInfo extends $pb.GeneratedMessage {
-  factory TokenInfo({
-    $core.String? symbol,
-    $core.List<$core.int>? address,
-    $fixnum.Int64? chainId,
-  }) {
-    final result = create();
-    if (symbol != null) result.symbol = symbol;
-    if (address != null) result.address = address;
-    if (chainId != null) result.chainId = chainId;
-    return result;
-  }
-
-  TokenInfo._();
-
-  factory TokenInfo.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory TokenInfo.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'TokenInfo',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..aOS(1, _omitFieldNames ? '' : 'symbol')
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'address', $pb.PbFieldType.OY)
-    ..a<$fixnum.Int64>(3, _omitFieldNames ? '' : 'chainId', $pb.PbFieldType.OU6,
-        defaultOrMaker: $fixnum.Int64.ZERO)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TokenInfo clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TokenInfo copyWith(void Function(TokenInfo) updates) =>
-      super.copyWith((message) => updates(message as TokenInfo)) as TokenInfo;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static TokenInfo create() => TokenInfo._();
-  @$core.override
-  TokenInfo createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static TokenInfo getDefault() =>
-      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<TokenInfo>(create);
-  static TokenInfo? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.String get symbol => $_getSZ(0);
-  @$pb.TagNumber(1)
-  set symbol($core.String value) => $_setString(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasSymbol() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearSymbol() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get address => $_getN(1);
-  @$pb.TagNumber(2)
-  set address($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasAddress() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearAddress() => $_clearField(2);
-
-  @$pb.TagNumber(3)
-  $fixnum.Int64 get chainId => $_getI64(2);
-  @$pb.TagNumber(3)
-  set chainId($fixnum.Int64 value) => $_setInt64(2, value);
-  @$pb.TagNumber(3)
-  $core.bool hasChainId() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearChainId() => $_clearField(3);
-}
-
-/// Mirror of token_transfers::Meaning
-class TokenTransferMeaning extends $pb.GeneratedMessage {
-  factory TokenTransferMeaning({
-    TokenInfo? token,
-    $core.List<$core.int>? to,
-    $core.List<$core.int>? value,
-  }) {
-    final result = create();
-    if (token != null) result.token = token;
-    if (to != null) result.to = to;
-    if (value != null) result.value = value;
-    return result;
-  }
-
-  TokenTransferMeaning._();
-
-  factory TokenTransferMeaning.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory TokenTransferMeaning.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'TokenTransferMeaning',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..aOM<TokenInfo>(1, _omitFieldNames ? '' : 'token',
-        subBuilder: TokenInfo.create)
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'to', $pb.PbFieldType.OY)
-    ..a<$core.List<$core.int>>(
-        3, _omitFieldNames ? '' : 'value', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TokenTransferMeaning clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TokenTransferMeaning copyWith(void Function(TokenTransferMeaning) updates) =>
-      super.copyWith((message) => updates(message as TokenTransferMeaning))
-          as TokenTransferMeaning;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static TokenTransferMeaning create() => TokenTransferMeaning._();
-  @$core.override
-  TokenTransferMeaning createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static TokenTransferMeaning getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<TokenTransferMeaning>(create);
-  static TokenTransferMeaning? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  TokenInfo get token => $_getN(0);
-  @$pb.TagNumber(1)
-  set token(TokenInfo value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasToken() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearToken() => $_clearField(1);
-  @$pb.TagNumber(1)
-  TokenInfo ensureToken() => $_ensure(0);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get to => $_getN(1);
-  @$pb.TagNumber(2)
-  set to($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasTo() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearTo() => $_clearField(2);
-
-  @$pb.TagNumber(3)
-  $core.List<$core.int> get value => $_getN(2);
-  @$pb.TagNumber(3)
-  set value($core.List<$core.int> value) => $_setBytes(2, value);
-  @$pb.TagNumber(3)
-  $core.bool hasValue() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearValue() => $_clearField(3);
-}
-
-enum SpecificMeaning_Meaning { etherTransfer, tokenTransfer, notSet }
-
-/// Mirror of policies::SpecificMeaning
-class SpecificMeaning extends $pb.GeneratedMessage {
-  factory SpecificMeaning({
-    EtherTransferMeaning? etherTransfer,
-    TokenTransferMeaning? tokenTransfer,
-  }) {
-    final result = create();
-    if (etherTransfer != null) result.etherTransfer = etherTransfer;
-    if (tokenTransfer != null) result.tokenTransfer = tokenTransfer;
-    return result;
-  }
-
-  SpecificMeaning._();
-
-  factory SpecificMeaning.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory SpecificMeaning.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static const $core.Map<$core.int, SpecificMeaning_Meaning>
-      _SpecificMeaning_MeaningByTag = {
-    1: SpecificMeaning_Meaning.etherTransfer,
-    2: SpecificMeaning_Meaning.tokenTransfer,
-    0: SpecificMeaning_Meaning.notSet
-  };
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'SpecificMeaning',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..oo(0, [1, 2])
-    ..aOM<EtherTransferMeaning>(1, _omitFieldNames ? '' : 'etherTransfer',
-        subBuilder: EtherTransferMeaning.create)
-    ..aOM<TokenTransferMeaning>(2, _omitFieldNames ? '' : 'tokenTransfer',
-        subBuilder: TokenTransferMeaning.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SpecificMeaning clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  SpecificMeaning copyWith(void Function(SpecificMeaning) updates) =>
-      super.copyWith((message) => updates(message as SpecificMeaning))
-          as SpecificMeaning;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static SpecificMeaning create() => SpecificMeaning._();
-  @$core.override
-  SpecificMeaning createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static SpecificMeaning getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<SpecificMeaning>(create);
-  static SpecificMeaning? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  SpecificMeaning_Meaning whichMeaning() =>
-      _SpecificMeaning_MeaningByTag[$_whichOneof(0)]!;
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  void clearMeaning() => $_clearField($_whichOneof(0));
-
-  @$pb.TagNumber(1)
-  EtherTransferMeaning get etherTransfer => $_getN(0);
-  @$pb.TagNumber(1)
-  set etherTransfer(EtherTransferMeaning value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasEtherTransfer() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearEtherTransfer() => $_clearField(1);
-  @$pb.TagNumber(1)
-  EtherTransferMeaning ensureEtherTransfer() => $_ensure(0);
-
-  @$pb.TagNumber(2)
-  TokenTransferMeaning get tokenTransfer => $_getN(1);
-  @$pb.TagNumber(2)
-  set tokenTransfer(TokenTransferMeaning value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasTokenTransfer() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearTokenTransfer() => $_clearField(2);
-  @$pb.TagNumber(2)
-  TokenTransferMeaning ensureTokenTransfer() => $_ensure(1);
-}
-
-/// --- Eval error types ---
-class GasLimitExceededViolation extends $pb.GeneratedMessage {
-  factory GasLimitExceededViolation({
-    $core.List<$core.int>? maxGasFeePerGas,
-    $core.List<$core.int>? maxPriorityFeePerGas,
-  }) {
-    final result = create();
-    if (maxGasFeePerGas != null) result.maxGasFeePerGas = maxGasFeePerGas;
-    if (maxPriorityFeePerGas != null)
-      result.maxPriorityFeePerGas = maxPriorityFeePerGas;
-    return result;
-  }
-
-  GasLimitExceededViolation._();
-
-  factory GasLimitExceededViolation.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory GasLimitExceededViolation.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'GasLimitExceededViolation',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'maxGasFeePerGas', $pb.PbFieldType.OY)
-    ..a<$core.List<$core.int>>(
-        2, _omitFieldNames ? '' : 'maxPriorityFeePerGas', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  GasLimitExceededViolation clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  GasLimitExceededViolation copyWith(
-          void Function(GasLimitExceededViolation) updates) =>
-      super.copyWith((message) => updates(message as GasLimitExceededViolation))
-          as GasLimitExceededViolation;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static GasLimitExceededViolation create() => GasLimitExceededViolation._();
-  @$core.override
-  GasLimitExceededViolation createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static GasLimitExceededViolation getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<GasLimitExceededViolation>(create);
-  static GasLimitExceededViolation? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get maxGasFeePerGas => $_getN(0);
-  @$pb.TagNumber(1)
-  set maxGasFeePerGas($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasMaxGasFeePerGas() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearMaxGasFeePerGas() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.List<$core.int> get maxPriorityFeePerGas => $_getN(1);
-  @$pb.TagNumber(2)
-  set maxPriorityFeePerGas($core.List<$core.int> value) => $_setBytes(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasMaxPriorityFeePerGas() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearMaxPriorityFeePerGas() => $_clearField(2);
-}
-
-enum EvalViolation_Kind {
-  invalidTarget,
-  gasLimitExceeded,
-  rateLimitExceeded,
-  volumetricLimitExceeded,
-  invalidTime,
-  invalidTransactionType,
-  notSet
-}
-
-class EvalViolation extends $pb.GeneratedMessage {
-  factory EvalViolation({
-    $core.List<$core.int>? invalidTarget,
-    GasLimitExceededViolation? gasLimitExceeded,
-    $1.Empty? rateLimitExceeded,
-    $1.Empty? volumetricLimitExceeded,
-    $1.Empty? invalidTime,
-    $1.Empty? invalidTransactionType,
-  }) {
-    final result = create();
-    if (invalidTarget != null) result.invalidTarget = invalidTarget;
-    if (gasLimitExceeded != null) result.gasLimitExceeded = gasLimitExceeded;
-    if (rateLimitExceeded != null) result.rateLimitExceeded = rateLimitExceeded;
-    if (volumetricLimitExceeded != null)
-      result.volumetricLimitExceeded = volumetricLimitExceeded;
-    if (invalidTime != null) result.invalidTime = invalidTime;
-    if (invalidTransactionType != null)
-      result.invalidTransactionType = invalidTransactionType;
-    return result;
-  }
-
-  EvalViolation._();
-
-  factory EvalViolation.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory EvalViolation.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static const $core.Map<$core.int, EvalViolation_Kind>
-      _EvalViolation_KindByTag = {
-    1: EvalViolation_Kind.invalidTarget,
-    2: EvalViolation_Kind.gasLimitExceeded,
-    3: EvalViolation_Kind.rateLimitExceeded,
-    4: EvalViolation_Kind.volumetricLimitExceeded,
-    5: EvalViolation_Kind.invalidTime,
-    6: EvalViolation_Kind.invalidTransactionType,
-    0: EvalViolation_Kind.notSet
-  };
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'EvalViolation',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..oo(0, [1, 2, 3, 4, 5, 6])
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'invalidTarget', $pb.PbFieldType.OY)
-    ..aOM<GasLimitExceededViolation>(
-        2, _omitFieldNames ? '' : 'gasLimitExceeded',
-        subBuilder: GasLimitExceededViolation.create)
-    ..aOM<$1.Empty>(3, _omitFieldNames ? '' : 'rateLimitExceeded',
-        subBuilder: $1.Empty.create)
-    ..aOM<$1.Empty>(4, _omitFieldNames ? '' : 'volumetricLimitExceeded',
-        subBuilder: $1.Empty.create)
-    ..aOM<$1.Empty>(5, _omitFieldNames ? '' : 'invalidTime',
-        subBuilder: $1.Empty.create)
-    ..aOM<$1.Empty>(6, _omitFieldNames ? '' : 'invalidTransactionType',
-        subBuilder: $1.Empty.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  EvalViolation clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  EvalViolation copyWith(void Function(EvalViolation) updates) =>
-      super.copyWith((message) => updates(message as EvalViolation))
-          as EvalViolation;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static EvalViolation create() => EvalViolation._();
-  @$core.override
-  EvalViolation createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static EvalViolation getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<EvalViolation>(create);
-  static EvalViolation? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  @$pb.TagNumber(5)
-  @$pb.TagNumber(6)
-  EvalViolation_Kind whichKind() => _EvalViolation_KindByTag[$_whichOneof(0)]!;
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  @$pb.TagNumber(5)
-  @$pb.TagNumber(6)
-  void clearKind() => $_clearField($_whichOneof(0));
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get invalidTarget => $_getN(0);
-  @$pb.TagNumber(1)
-  set invalidTarget($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasInvalidTarget() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearInvalidTarget() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  GasLimitExceededViolation get gasLimitExceeded => $_getN(1);
-  @$pb.TagNumber(2)
-  set gasLimitExceeded(GasLimitExceededViolation value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasGasLimitExceeded() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearGasLimitExceeded() => $_clearField(2);
-  @$pb.TagNumber(2)
-  GasLimitExceededViolation ensureGasLimitExceeded() => $_ensure(1);
-
-  @$pb.TagNumber(3)
-  $1.Empty get rateLimitExceeded => $_getN(2);
-  @$pb.TagNumber(3)
-  set rateLimitExceeded($1.Empty value) => $_setField(3, value);
-  @$pb.TagNumber(3)
-  $core.bool hasRateLimitExceeded() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearRateLimitExceeded() => $_clearField(3);
-  @$pb.TagNumber(3)
-  $1.Empty ensureRateLimitExceeded() => $_ensure(2);
-
-  @$pb.TagNumber(4)
-  $1.Empty get volumetricLimitExceeded => $_getN(3);
-  @$pb.TagNumber(4)
-  set volumetricLimitExceeded($1.Empty value) => $_setField(4, value);
-  @$pb.TagNumber(4)
-  $core.bool hasVolumetricLimitExceeded() => $_has(3);
-  @$pb.TagNumber(4)
-  void clearVolumetricLimitExceeded() => $_clearField(4);
-  @$pb.TagNumber(4)
-  $1.Empty ensureVolumetricLimitExceeded() => $_ensure(3);
-
-  @$pb.TagNumber(5)
-  $1.Empty get invalidTime => $_getN(4);
-  @$pb.TagNumber(5)
-  set invalidTime($1.Empty value) => $_setField(5, value);
-  @$pb.TagNumber(5)
-  $core.bool hasInvalidTime() => $_has(4);
-  @$pb.TagNumber(5)
-  void clearInvalidTime() => $_clearField(5);
-  @$pb.TagNumber(5)
-  $1.Empty ensureInvalidTime() => $_ensure(4);
-
-  @$pb.TagNumber(6)
-  $1.Empty get invalidTransactionType => $_getN(5);
-  @$pb.TagNumber(6)
-  set invalidTransactionType($1.Empty value) => $_setField(6, value);
-  @$pb.TagNumber(6)
-  $core.bool hasInvalidTransactionType() => $_has(5);
-  @$pb.TagNumber(6)
-  void clearInvalidTransactionType() => $_clearField(6);
-  @$pb.TagNumber(6)
-  $1.Empty ensureInvalidTransactionType() => $_ensure(5);
-}
-
-/// Transaction was classified but no grant covers it
-class NoMatchingGrantError extends $pb.GeneratedMessage {
-  factory NoMatchingGrantError({
-    SpecificMeaning? meaning,
-  }) {
-    final result = create();
-    if (meaning != null) result.meaning = meaning;
-    return result;
-  }
-
-  NoMatchingGrantError._();
-
-  factory NoMatchingGrantError.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory NoMatchingGrantError.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'NoMatchingGrantError',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..aOM<SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
-        subBuilder: SpecificMeaning.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  NoMatchingGrantError clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  NoMatchingGrantError copyWith(void Function(NoMatchingGrantError) updates) =>
-      super.copyWith((message) => updates(message as NoMatchingGrantError))
-          as NoMatchingGrantError;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static NoMatchingGrantError create() => NoMatchingGrantError._();
-  @$core.override
-  NoMatchingGrantError createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static NoMatchingGrantError getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<NoMatchingGrantError>(create);
-  static NoMatchingGrantError? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  SpecificMeaning get meaning => $_getN(0);
-  @$pb.TagNumber(1)
-  set meaning(SpecificMeaning value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasMeaning() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearMeaning() => $_clearField(1);
-  @$pb.TagNumber(1)
-  SpecificMeaning ensureMeaning() => $_ensure(0);
-}
-
-/// Transaction was classified and a grant was found, but constraints were violated
-class PolicyViolationsError extends $pb.GeneratedMessage {
-  factory PolicyViolationsError({
-    SpecificMeaning? meaning,
-    $core.Iterable<EvalViolation>? violations,
-  }) {
-    final result = create();
-    if (meaning != null) result.meaning = meaning;
-    if (violations != null) result.violations.addAll(violations);
-    return result;
-  }
-
-  PolicyViolationsError._();
-
-  factory PolicyViolationsError.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory PolicyViolationsError.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'PolicyViolationsError',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..aOM<SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
-        subBuilder: SpecificMeaning.create)
-    ..pPM<EvalViolation>(2, _omitFieldNames ? '' : 'violations',
-        subBuilder: EvalViolation.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  PolicyViolationsError clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  PolicyViolationsError copyWith(
-          void Function(PolicyViolationsError) updates) =>
-      super.copyWith((message) => updates(message as PolicyViolationsError))
-          as PolicyViolationsError;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static PolicyViolationsError create() => PolicyViolationsError._();
-  @$core.override
-  PolicyViolationsError createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static PolicyViolationsError getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<PolicyViolationsError>(create);
-  static PolicyViolationsError? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  SpecificMeaning get meaning => $_getN(0);
-  @$pb.TagNumber(1)
-  set meaning(SpecificMeaning value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasMeaning() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearMeaning() => $_clearField(1);
-  @$pb.TagNumber(1)
-  SpecificMeaning ensureMeaning() => $_ensure(0);
-
-  @$pb.TagNumber(2)
-  $pb.PbList<EvalViolation> get violations => $_getList(1);
-}
-
-enum TransactionEvalError_Kind {
-  contractCreationNotSupported,
-  unsupportedTransactionType,
-  noMatchingGrant,
-  policyViolations,
-  notSet
-}
-
-/// top-level error returned when transaction evaluation fails
-class TransactionEvalError extends $pb.GeneratedMessage {
-  factory TransactionEvalError({
-    $1.Empty? contractCreationNotSupported,
-    $1.Empty? unsupportedTransactionType,
-    NoMatchingGrantError? noMatchingGrant,
-    PolicyViolationsError? policyViolations,
-  }) {
-    final result = create();
-    if (contractCreationNotSupported != null)
-      result.contractCreationNotSupported = contractCreationNotSupported;
-    if (unsupportedTransactionType != null)
-      result.unsupportedTransactionType = unsupportedTransactionType;
-    if (noMatchingGrant != null) result.noMatchingGrant = noMatchingGrant;
-    if (policyViolations != null) result.policyViolations = policyViolations;
-    return result;
-  }
-
-  TransactionEvalError._();
-
-  factory TransactionEvalError.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory TransactionEvalError.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static const $core.Map<$core.int, TransactionEvalError_Kind>
-      _TransactionEvalError_KindByTag = {
-    1: TransactionEvalError_Kind.contractCreationNotSupported,
-    2: TransactionEvalError_Kind.unsupportedTransactionType,
-    3: TransactionEvalError_Kind.noMatchingGrant,
-    4: TransactionEvalError_Kind.policyViolations,
-    0: TransactionEvalError_Kind.notSet
-  };
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'TransactionEvalError',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
-      createEmptyInstance: create)
-    ..oo(0, [1, 2, 3, 4])
-    ..aOM<$1.Empty>(1, _omitFieldNames ? '' : 'contractCreationNotSupported',
-        subBuilder: $1.Empty.create)
-    ..aOM<$1.Empty>(2, _omitFieldNames ? '' : 'unsupportedTransactionType',
-        subBuilder: $1.Empty.create)
-    ..aOM<NoMatchingGrantError>(3, _omitFieldNames ? '' : 'noMatchingGrant',
-        subBuilder: NoMatchingGrantError.create)
-    ..aOM<PolicyViolationsError>(4, _omitFieldNames ? '' : 'policyViolations',
-        subBuilder: PolicyViolationsError.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TransactionEvalError clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  TransactionEvalError copyWith(void Function(TransactionEvalError) updates) =>
-      super.copyWith((message) => updates(message as TransactionEvalError))
-          as TransactionEvalError;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static TransactionEvalError create() => TransactionEvalError._();
-  @$core.override
-  TransactionEvalError createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static TransactionEvalError getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<TransactionEvalError>(create);
-  static TransactionEvalError? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  TransactionEvalError_Kind whichKind() =>
-      _TransactionEvalError_KindByTag[$_whichOneof(0)]!;
-  @$pb.TagNumber(1)
-  @$pb.TagNumber(2)
-  @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  void clearKind() => $_clearField($_whichOneof(0));
-
-  @$pb.TagNumber(1)
-  $1.Empty get contractCreationNotSupported => $_getN(0);
-  @$pb.TagNumber(1)
-  set contractCreationNotSupported($1.Empty value) => $_setField(1, value);
-  @$pb.TagNumber(1)
-  $core.bool hasContractCreationNotSupported() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearContractCreationNotSupported() => $_clearField(1);
-  @$pb.TagNumber(1)
-  $1.Empty ensureContractCreationNotSupported() => $_ensure(0);
-
-  @$pb.TagNumber(2)
-  $1.Empty get unsupportedTransactionType => $_getN(1);
-  @$pb.TagNumber(2)
-  set unsupportedTransactionType($1.Empty value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasUnsupportedTransactionType() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearUnsupportedTransactionType() => $_clearField(2);
-  @$pb.TagNumber(2)
-  $1.Empty ensureUnsupportedTransactionType() => $_ensure(1);
-
-  @$pb.TagNumber(3)
-  NoMatchingGrantError get noMatchingGrant => $_getN(2);
-  @$pb.TagNumber(3)
-  set noMatchingGrant(NoMatchingGrantError value) => $_setField(3, value);
-  @$pb.TagNumber(3)
-  $core.bool hasNoMatchingGrant() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearNoMatchingGrant() => $_clearField(3);
-  @$pb.TagNumber(3)
-  NoMatchingGrantError ensureNoMatchingGrant() => $_ensure(2);
-
-  @$pb.TagNumber(4)
-  PolicyViolationsError get policyViolations => $_getN(3);
-  @$pb.TagNumber(4)
-  set policyViolations(PolicyViolationsError value) => $_setField(4, value);
-  @$pb.TagNumber(4)
-  $core.bool hasPolicyViolations() => $_has(3);
-  @$pb.TagNumber(4)
-  void clearPolicyViolations() => $_clearField(4);
-  @$pb.TagNumber(4)
-  PolicyViolationsError ensurePolicyViolations() => $_ensure(3);
-}
-
 /// --- UserAgent grant management ---
 class EvmGrantCreateRequest extends $pb.GeneratedMessage {
   factory EvmGrantCreateRequest({
@@ -2297,7 +1479,7 @@ enum EvmSignTransactionResponse_Result { signature, evalError, error, notSet }
 class EvmSignTransactionResponse extends $pb.GeneratedMessage {
   factory EvmSignTransactionResponse({
     $core.List<$core.int>? signature,
-    TransactionEvalError? evalError,
+    $2.TransactionEvalError? evalError,
     EvmError? error,
   }) {
     final result = create();
@@ -2330,8 +1512,8 @@ class EvmSignTransactionResponse extends $pb.GeneratedMessage {
     ..oo(0, [1, 2, 3])
     ..a<$core.List<$core.int>>(
         1, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY)
-    ..aOM<TransactionEvalError>(2, _omitFieldNames ? '' : 'evalError',
+    ..aOM<$2.TransactionEvalError>(2, _omitFieldNames ? '' : 'evalError',
-        subBuilder: TransactionEvalError.create)
+        subBuilder: $2.TransactionEvalError.create)
     ..aE<EvmError>(3, _omitFieldNames ? '' : 'error',
         enumValues: EvmError.values)
     ..hasRequiredFields = false;
@@ -2377,15 +1559,15 @@ class EvmSignTransactionResponse extends $pb.GeneratedMessage {
   void clearSignature() => $_clearField(1);
 
   @$pb.TagNumber(2)
-  TransactionEvalError get evalError => $_getN(1);
+  $2.TransactionEvalError get evalError => $_getN(1);
   @$pb.TagNumber(2)
-  set evalError(TransactionEvalError value) => $_setField(2, value);
+  set evalError($2.TransactionEvalError value) => $_setField(2, value);
   @$pb.TagNumber(2)
   $core.bool hasEvalError() => $_has(1);
   @$pb.TagNumber(2)
   void clearEvalError() => $_clearField(2);
   @$pb.TagNumber(2)
-  TransactionEvalError ensureEvalError() => $_ensure(1);
+  $2.TransactionEvalError ensureEvalError() => $_ensure(1);
 
   @$pb.TagNumber(3)
   EvmError get error => $_getN(2);
@@ -2472,8 +1654,8 @@ enum EvmAnalyzeTransactionResponse_Result { meaning, evalError, error, notSet }
 
 class EvmAnalyzeTransactionResponse extends $pb.GeneratedMessage {
   factory EvmAnalyzeTransactionResponse({
-    SpecificMeaning? meaning,
+    $2.SpecificMeaning? meaning,
-    TransactionEvalError? evalError,
+    $2.TransactionEvalError? evalError,
     EvmError? error,
   }) {
     final result = create();
@@ -2504,10 +1686,10 @@ class EvmAnalyzeTransactionResponse extends $pb.GeneratedMessage {
       package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.evm'),
       createEmptyInstance: create)
     ..oo(0, [1, 2, 3])
-    ..aOM<SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
+    ..aOM<$2.SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
-        subBuilder: SpecificMeaning.create)
+        subBuilder: $2.SpecificMeaning.create)
-    ..aOM<TransactionEvalError>(2, _omitFieldNames ? '' : 'evalError',
+    ..aOM<$2.TransactionEvalError>(2, _omitFieldNames ? '' : 'evalError',
-        subBuilder: TransactionEvalError.create)
+        subBuilder: $2.TransactionEvalError.create)
     ..aE<EvmError>(3, _omitFieldNames ? '' : 'error',
         enumValues: EvmError.values)
     ..hasRequiredFields = false;
@@ -2545,26 +1727,26 @@ class EvmAnalyzeTransactionResponse extends $pb.GeneratedMessage {
   void clearResult() => $_clearField($_whichOneof(0));
 
   @$pb.TagNumber(1)
-  SpecificMeaning get meaning => $_getN(0);
+  $2.SpecificMeaning get meaning => $_getN(0);
   @$pb.TagNumber(1)
-  set meaning(SpecificMeaning value) => $_setField(1, value);
+  set meaning($2.SpecificMeaning value) => $_setField(1, value);
   @$pb.TagNumber(1)
   $core.bool hasMeaning() => $_has(0);
   @$pb.TagNumber(1)
   void clearMeaning() => $_clearField(1);
   @$pb.TagNumber(1)
-  SpecificMeaning ensureMeaning() => $_ensure(0);
+  $2.SpecificMeaning ensureMeaning() => $_ensure(0);
 
   @$pb.TagNumber(2)
-  TransactionEvalError get evalError => $_getN(1);
+  $2.TransactionEvalError get evalError => $_getN(1);
   @$pb.TagNumber(2)
-  set evalError(TransactionEvalError value) => $_setField(2, value);
+  set evalError($2.TransactionEvalError value) => $_setField(2, value);
   @$pb.TagNumber(2)
   $core.bool hasEvalError() => $_has(1);
   @$pb.TagNumber(2)
   void clearEvalError() => $_clearField(2);
   @$pb.TagNumber(2)
-  TransactionEvalError ensureEvalError() => $_ensure(1);
+  $2.TransactionEvalError ensureEvalError() => $_ensure(1);
 
   @$pb.TagNumber(3)
   EvmError get error => $_getN(2);

useragent/lib/proto/evm.pbjson.dart

@@ -327,308 +327,6 @@ final $typed_data.Uint8List specificGrantDescriptor = $convert.base64Decode(
     'AiABKAsyIi5hcmJpdGVyLmV2bS5Ub2tlblRyYW5zZmVyU2V0dGluZ3NIAFINdG9rZW5UcmFuc2'
     'ZlckIHCgVncmFudA==');
 
-@$core.Deprecated('Use etherTransferMeaningDescriptor instead')
-const EtherTransferMeaning$json = {
-  '1': 'EtherTransferMeaning',
-  '2': [
-    {'1': 'to', '3': 1, '4': 1, '5': 12, '10': 'to'},
-    {'1': 'value', '3': 2, '4': 1, '5': 12, '10': 'value'},
-  ],
-};
-
-/// Descriptor for `EtherTransferMeaning`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List etherTransferMeaningDescriptor = $convert.base64Decode(
-    'ChRFdGhlclRyYW5zZmVyTWVhbmluZxIOCgJ0bxgBIAEoDFICdG8SFAoFdmFsdWUYAiABKAxSBX'
-    'ZhbHVl');
-
-@$core.Deprecated('Use tokenInfoDescriptor instead')
-const TokenInfo$json = {
-  '1': 'TokenInfo',
-  '2': [
-    {'1': 'symbol', '3': 1, '4': 1, '5': 9, '10': 'symbol'},
-    {'1': 'address', '3': 2, '4': 1, '5': 12, '10': 'address'},
-    {'1': 'chain_id', '3': 3, '4': 1, '5': 4, '10': 'chainId'},
-  ],
-};
-
-/// Descriptor for `TokenInfo`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List tokenInfoDescriptor = $convert.base64Decode(
-    'CglUb2tlbkluZm8SFgoGc3ltYm9sGAEgASgJUgZzeW1ib2wSGAoHYWRkcmVzcxgCIAEoDFIHYW'
-    'RkcmVzcxIZCghjaGFpbl9pZBgDIAEoBFIHY2hhaW5JZA==');
-
-@$core.Deprecated('Use tokenTransferMeaningDescriptor instead')
-const TokenTransferMeaning$json = {
-  '1': 'TokenTransferMeaning',
-  '2': [
-    {
-      '1': 'token',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.TokenInfo',
-      '10': 'token'
-    },
-    {'1': 'to', '3': 2, '4': 1, '5': 12, '10': 'to'},
-    {'1': 'value', '3': 3, '4': 1, '5': 12, '10': 'value'},
-  ],
-};
-
-/// Descriptor for `TokenTransferMeaning`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List tokenTransferMeaningDescriptor = $convert.base64Decode(
-    'ChRUb2tlblRyYW5zZmVyTWVhbmluZxIsCgV0b2tlbhgBIAEoCzIWLmFyYml0ZXIuZXZtLlRva2'
-    'VuSW5mb1IFdG9rZW4SDgoCdG8YAiABKAxSAnRvEhQKBXZhbHVlGAMgASgMUgV2YWx1ZQ==');
-
-@$core.Deprecated('Use specificMeaningDescriptor instead')
-const SpecificMeaning$json = {
-  '1': 'SpecificMeaning',
-  '2': [
-    {
-      '1': 'ether_transfer',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EtherTransferMeaning',
-      '9': 0,
-      '10': 'etherTransfer'
-    },
-    {
-      '1': 'token_transfer',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.TokenTransferMeaning',
-      '9': 0,
-      '10': 'tokenTransfer'
-    },
-  ],
-  '8': [
-    {'1': 'meaning'},
-  ],
-};
-
-/// Descriptor for `SpecificMeaning`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List specificMeaningDescriptor = $convert.base64Decode(
-    'Cg9TcGVjaWZpY01lYW5pbmcSSgoOZXRoZXJfdHJhbnNmZXIYASABKAsyIS5hcmJpdGVyLmV2bS'
-    '5FdGhlclRyYW5zZmVyTWVhbmluZ0gAUg1ldGhlclRyYW5zZmVyEkoKDnRva2VuX3RyYW5zZmVy'
-    'GAIgASgLMiEuYXJiaXRlci5ldm0uVG9rZW5UcmFuc2Zlck1lYW5pbmdIAFINdG9rZW5UcmFuc2'
-    'ZlckIJCgdtZWFuaW5n');
-
-@$core.Deprecated('Use gasLimitExceededViolationDescriptor instead')
-const GasLimitExceededViolation$json = {
-  '1': 'GasLimitExceededViolation',
-  '2': [
-    {
-      '1': 'max_gas_fee_per_gas',
-      '3': 1,
-      '4': 1,
-      '5': 12,
-      '9': 0,
-      '10': 'maxGasFeePerGas',
-      '17': true
-    },
-    {
-      '1': 'max_priority_fee_per_gas',
-      '3': 2,
-      '4': 1,
-      '5': 12,
-      '9': 1,
-      '10': 'maxPriorityFeePerGas',
-      '17': true
-    },
-  ],
-  '8': [
-    {'1': '_max_gas_fee_per_gas'},
-    {'1': '_max_priority_fee_per_gas'},
-  ],
-};
-
-/// Descriptor for `GasLimitExceededViolation`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List gasLimitExceededViolationDescriptor = $convert.base64Decode(
-    'ChlHYXNMaW1pdEV4Y2VlZGVkVmlvbGF0aW9uEjEKE21heF9nYXNfZmVlX3Blcl9nYXMYASABKA'
-    'xIAFIPbWF4R2FzRmVlUGVyR2FziAEBEjsKGG1heF9wcmlvcml0eV9mZWVfcGVyX2dhcxgCIAEo'
-    'DEgBUhRtYXhQcmlvcml0eUZlZVBlckdhc4gBAUIWChRfbWF4X2dhc19mZWVfcGVyX2dhc0IbCh'
-    'lfbWF4X3ByaW9yaXR5X2ZlZV9wZXJfZ2Fz');
-
-@$core.Deprecated('Use evalViolationDescriptor instead')
-const EvalViolation$json = {
-  '1': 'EvalViolation',
-  '2': [
-    {
-      '1': 'invalid_target',
-      '3': 1,
-      '4': 1,
-      '5': 12,
-      '9': 0,
-      '10': 'invalidTarget'
-    },
-    {
-      '1': 'gas_limit_exceeded',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.GasLimitExceededViolation',
-      '9': 0,
-      '10': 'gasLimitExceeded'
-    },
-    {
-      '1': 'rate_limit_exceeded',
-      '3': 3,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'rateLimitExceeded'
-    },
-    {
-      '1': 'volumetric_limit_exceeded',
-      '3': 4,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'volumetricLimitExceeded'
-    },
-    {
-      '1': 'invalid_time',
-      '3': 5,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'invalidTime'
-    },
-    {
-      '1': 'invalid_transaction_type',
-      '3': 6,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'invalidTransactionType'
-    },
-  ],
-  '8': [
-    {'1': 'kind'},
-  ],
-};
-
-/// Descriptor for `EvalViolation`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List evalViolationDescriptor = $convert.base64Decode(
-    'Cg1FdmFsVmlvbGF0aW9uEicKDmludmFsaWRfdGFyZ2V0GAEgASgMSABSDWludmFsaWRUYXJnZX'
-    'QSVgoSZ2FzX2xpbWl0X2V4Y2VlZGVkGAIgASgLMiYuYXJiaXRlci5ldm0uR2FzTGltaXRFeGNl'
-    'ZWRlZFZpb2xhdGlvbkgAUhBnYXNMaW1pdEV4Y2VlZGVkEkgKE3JhdGVfbGltaXRfZXhjZWVkZW'
-    'QYAyABKAsyFi5nb29nbGUucHJvdG9idWYuRW1wdHlIAFIRcmF0ZUxpbWl0RXhjZWVkZWQSVAoZ'
-    'dm9sdW1ldHJpY19saW1pdF9leGNlZWRlZBgEIAEoCzIWLmdvb2dsZS5wcm90b2J1Zi5FbXB0eU'
-    'gAUhd2b2x1bWV0cmljTGltaXRFeGNlZWRlZBI7CgxpbnZhbGlkX3RpbWUYBSABKAsyFi5nb29n'
-    'bGUucHJvdG9idWYuRW1wdHlIAFILaW52YWxpZFRpbWUSUgoYaW52YWxpZF90cmFuc2FjdGlvbl'
-    '90eXBlGAYgASgLMhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SABSFmludmFsaWRUcmFuc2FjdGlv'
-    'blR5cGVCBgoEa2luZA==');
-
-@$core.Deprecated('Use noMatchingGrantErrorDescriptor instead')
-const NoMatchingGrantError$json = {
-  '1': 'NoMatchingGrantError',
-  '2': [
-    {
-      '1': 'meaning',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.SpecificMeaning',
-      '10': 'meaning'
-    },
-  ],
-};
-
-/// Descriptor for `NoMatchingGrantError`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List noMatchingGrantErrorDescriptor = $convert.base64Decode(
-    'ChROb01hdGNoaW5nR3JhbnRFcnJvchI2CgdtZWFuaW5nGAEgASgLMhwuYXJiaXRlci5ldm0uU3'
-    'BlY2lmaWNNZWFuaW5nUgdtZWFuaW5n');
-
-@$core.Deprecated('Use policyViolationsErrorDescriptor instead')
-const PolicyViolationsError$json = {
-  '1': 'PolicyViolationsError',
-  '2': [
-    {
-      '1': 'meaning',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.SpecificMeaning',
-      '10': 'meaning'
-    },
-    {
-      '1': 'violations',
-      '3': 2,
-      '4': 3,
-      '5': 11,
-      '6': '.arbiter.evm.EvalViolation',
-      '10': 'violations'
-    },
-  ],
-};
-
-/// Descriptor for `PolicyViolationsError`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List policyViolationsErrorDescriptor = $convert.base64Decode(
-    'ChVQb2xpY3lWaW9sYXRpb25zRXJyb3ISNgoHbWVhbmluZxgBIAEoCzIcLmFyYml0ZXIuZXZtLl'
-    'NwZWNpZmljTWVhbmluZ1IHbWVhbmluZxI6Cgp2aW9sYXRpb25zGAIgAygLMhouYXJiaXRlci5l'
-    'dm0uRXZhbFZpb2xhdGlvblIKdmlvbGF0aW9ucw==');
-
-@$core.Deprecated('Use transactionEvalErrorDescriptor instead')
-const TransactionEvalError$json = {
-  '1': 'TransactionEvalError',
-  '2': [
-    {
-      '1': 'contract_creation_not_supported',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'contractCreationNotSupported'
-    },
-    {
-      '1': 'unsupported_transaction_type',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'unsupportedTransactionType'
-    },
-    {
-      '1': 'no_matching_grant',
-      '3': 3,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.NoMatchingGrantError',
-      '9': 0,
-      '10': 'noMatchingGrant'
-    },
-    {
-      '1': 'policy_violations',
-      '3': 4,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.PolicyViolationsError',
-      '9': 0,
-      '10': 'policyViolations'
-    },
-  ],
-  '8': [
-    {'1': 'kind'},
-  ],
-};
-
-/// Descriptor for `TransactionEvalError`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List transactionEvalErrorDescriptor = $convert.base64Decode(
-    'ChRUcmFuc2FjdGlvbkV2YWxFcnJvchJfCh9jb250cmFjdF9jcmVhdGlvbl9ub3Rfc3VwcG9ydG'
-    'VkGAEgASgLMhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SABSHGNvbnRyYWN0Q3JlYXRpb25Ob3RT'
-    'dXBwb3J0ZWQSWgocdW5zdXBwb3J0ZWRfdHJhbnNhY3Rpb25fdHlwZRgCIAEoCzIWLmdvb2dsZS'
-    '5wcm90b2J1Zi5FbXB0eUgAUhp1bnN1cHBvcnRlZFRyYW5zYWN0aW9uVHlwZRJPChFub19tYXRj'
-    'aGluZ19ncmFudBgDIAEoCzIhLmFyYml0ZXIuZXZtLk5vTWF0Y2hpbmdHcmFudEVycm9ySABSD2'
-    '5vTWF0Y2hpbmdHcmFudBJRChFwb2xpY3lfdmlvbGF0aW9ucxgEIAEoCzIiLmFyYml0ZXIuZXZt'
-    'LlBvbGljeVZpb2xhdGlvbnNFcnJvckgAUhBwb2xpY3lWaW9sYXRpb25zQgYKBGtpbmQ=');
-
 @$core.Deprecated('Use evmGrantCreateRequestDescriptor instead')
 const EvmGrantCreateRequest$json = {
   '1': 'EvmGrantCreateRequest',
@@ -865,7 +563,7 @@ const EvmSignTransactionResponse$json = {
       '3': 2,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.evm.TransactionEvalError',
+      '6': '.arbiter.shared.evm.TransactionEvalError',
       '9': 0,
       '10': 'evalError'
     },
@@ -887,9 +585,9 @@ const EvmSignTransactionResponse$json = {
 /// Descriptor for `EvmSignTransactionResponse`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List evmSignTransactionResponseDescriptor = $convert.base64Decode(
     'ChpFdm1TaWduVHJhbnNhY3Rpb25SZXNwb25zZRIeCglzaWduYXR1cmUYASABKAxIAFIJc2lnbm'
-    'F0dXJlEkIKCmV2YWxfZXJyb3IYAiABKAsyIS5hcmJpdGVyLmV2bS5UcmFuc2FjdGlvbkV2YWxF'
+    'F0dXJlEkkKCmV2YWxfZXJyb3IYAiABKAsyKC5hcmJpdGVyLnNoYXJlZC5ldm0uVHJhbnNhY3Rp'
-    'cnJvckgAUglldmFsRXJyb3ISLQoFZXJyb3IYAyABKA4yFS5hcmJpdGVyLmV2bS5Fdm1FcnJvck'
+    'b25FdmFsRXJyb3JIAFIJZXZhbEVycm9yEi0KBWVycm9yGAMgASgOMhUuYXJiaXRlci5ldm0uRX'
-    'gAUgVlcnJvckIICgZyZXN1bHQ=');
+    'ZtRXJyb3JIAFIFZXJyb3JCCAoGcmVzdWx0');
 
 @$core.Deprecated('Use evmAnalyzeTransactionRequestDescriptor instead')
 const EvmAnalyzeTransactionRequest$json = {
@@ -915,7 +613,7 @@ const EvmAnalyzeTransactionResponse$json = {
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.evm.SpecificMeaning',
+      '6': '.arbiter.shared.evm.SpecificMeaning',
       '9': 0,
       '10': 'meaning'
     },
@@ -924,7 +622,7 @@ const EvmAnalyzeTransactionResponse$json = {
       '3': 2,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.evm.TransactionEvalError',
+      '6': '.arbiter.shared.evm.TransactionEvalError',
       '9': 0,
       '10': 'evalError'
     },
@@ -945,7 +643,8 @@ const EvmAnalyzeTransactionResponse$json = {
 
 /// Descriptor for `EvmAnalyzeTransactionResponse`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List evmAnalyzeTransactionResponseDescriptor = $convert.base64Decode(
-    'Ch1Fdm1BbmFseXplVHJhbnNhY3Rpb25SZXNwb25zZRI4CgdtZWFuaW5nGAEgASgLMhwuYXJiaX'
+    'Ch1Fdm1BbmFseXplVHJhbnNhY3Rpb25SZXNwb25zZRI/CgdtZWFuaW5nGAEgASgLMiMuYXJiaX'
-    'Rlci5ldm0uU3BlY2lmaWNNZWFuaW5nSABSB21lYW5pbmcSQgoKZXZhbF9lcnJvchgCIAEoCzIh'
+    'Rlci5zaGFyZWQuZXZtLlNwZWNpZmljTWVhbmluZ0gAUgdtZWFuaW5nEkkKCmV2YWxfZXJyb3IY'
-    'LmFyYml0ZXIuZXZtLlRyYW5zYWN0aW9uRXZhbEVycm9ySABSCWV2YWxFcnJvchItCgVlcnJvch'
+    'AiABKAsyKC5hcmJpdGVyLnNoYXJlZC5ldm0uVHJhbnNhY3Rpb25FdmFsRXJyb3JIAFIJZXZhbE'
-    'gDIAEoDjIVLmFyYml0ZXIuZXZtLkV2bUVycm9ySABSBWVycm9yQggKBnJlc3VsdA==');
+    'Vycm9yEi0KBWVycm9yGAMgASgOMhUuYXJiaXRlci5ldm0uRXZtRXJyb3JIAFIFZXJyb3JCCAoG'
+    'cmVzdWx0');

useragent/lib/proto/shared/client.pb.dart

@@ -0,0 +1,99 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/client.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+class ClientInfo extends $pb.GeneratedMessage {
+  factory ClientInfo({
+    $core.String? name,
+    $core.String? description,
+    $core.String? version,
+  }) {
+    final result = create();
+    if (name != null) result.name = name;
+    if (description != null) result.description = description;
+    if (version != null) result.version = version;
+    return result;
+  }
+
+  ClientInfo._();
+
+  factory ClientInfo.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory ClientInfo.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'ClientInfo',
+      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared'),
+      createEmptyInstance: create)
+    ..aOS(1, _omitFieldNames ? '' : 'name')
+    ..aOS(2, _omitFieldNames ? '' : 'description')
+    ..aOS(3, _omitFieldNames ? '' : 'version')
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ClientInfo clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  ClientInfo copyWith(void Function(ClientInfo) updates) =>
+      super.copyWith((message) => updates(message as ClientInfo)) as ClientInfo;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static ClientInfo create() => ClientInfo._();
+  @$core.override
+  ClientInfo createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static ClientInfo getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<ClientInfo>(create);
+  static ClientInfo? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.String get name => $_getSZ(0);
+  @$pb.TagNumber(1)
+  set name($core.String value) => $_setString(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasName() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearName() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.String get description => $_getSZ(1);
+  @$pb.TagNumber(2)
+  set description($core.String value) => $_setString(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasDescription() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearDescription() => $_clearField(2);
+
+  @$pb.TagNumber(3)
+  $core.String get version => $_getSZ(2);
+  @$pb.TagNumber(3)
+  set version($core.String value) => $_setString(2, value);
+  @$pb.TagNumber(3)
+  $core.bool hasVersion() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearVersion() => $_clearField(3);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');

useragent/lib/proto/shared/client.pbenum.dart

@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/client.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports

useragent/lib/proto/shared/client.pbjson.dart

@@ -0,0 +1,52 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/client.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use clientInfoDescriptor instead')
+const ClientInfo$json = {
+  '1': 'ClientInfo',
+  '2': [
+    {'1': 'name', '3': 1, '4': 1, '5': 9, '10': 'name'},
+    {
+      '1': 'description',
+      '3': 2,
+      '4': 1,
+      '5': 9,
+      '9': 0,
+      '10': 'description',
+      '17': true
+    },
+    {
+      '1': 'version',
+      '3': 3,
+      '4': 1,
+      '5': 9,
+      '9': 1,
+      '10': 'version',
+      '17': true
+    },
+  ],
+  '8': [
+    {'1': '_description'},
+    {'1': '_version'},
+  ],
+};
+
+/// Descriptor for `ClientInfo`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List clientInfoDescriptor = $convert.base64Decode(
+    'CgpDbGllbnRJbmZvEhIKBG5hbWUYASABKAlSBG5hbWUSJQoLZGVzY3JpcHRpb24YAiABKAlIAF'
+    'ILZGVzY3JpcHRpb26IAQESHQoHdmVyc2lvbhgDIAEoCUgBUgd2ZXJzaW9uiAEBQg4KDF9kZXNj'
+    'cmlwdGlvbkIKCghfdmVyc2lvbg==');

useragent/lib/proto/shared/evm.pb.dart

@@ -0,0 +1,851 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:fixnum/fixnum.dart' as $fixnum;
+import 'package:protobuf/protobuf.dart' as $pb;
+import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $0;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+class EtherTransferMeaning extends $pb.GeneratedMessage {
+  factory EtherTransferMeaning({
+    $core.List<$core.int>? to,
+    $core.List<$core.int>? value,
+  }) {
+    final result = create();
+    if (to != null) result.to = to;
+    if (value != null) result.value = value;
+    return result;
+  }
+
+  EtherTransferMeaning._();
+
+  factory EtherTransferMeaning.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory EtherTransferMeaning.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'EtherTransferMeaning',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'to', $pb.PbFieldType.OY)
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'value', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  EtherTransferMeaning clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  EtherTransferMeaning copyWith(void Function(EtherTransferMeaning) updates) =>
+      super.copyWith((message) => updates(message as EtherTransferMeaning))
+          as EtherTransferMeaning;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static EtherTransferMeaning create() => EtherTransferMeaning._();
+  @$core.override
+  EtherTransferMeaning createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static EtherTransferMeaning getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<EtherTransferMeaning>(create);
+  static EtherTransferMeaning? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get to => $_getN(0);
+  @$pb.TagNumber(1)
+  set to($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasTo() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearTo() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get value => $_getN(1);
+  @$pb.TagNumber(2)
+  set value($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasValue() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearValue() => $_clearField(2);
+}
+
+class TokenInfo extends $pb.GeneratedMessage {
+  factory TokenInfo({
+    $core.String? symbol,
+    $core.List<$core.int>? address,
+    $fixnum.Int64? chainId,
+  }) {
+    final result = create();
+    if (symbol != null) result.symbol = symbol;
+    if (address != null) result.address = address;
+    if (chainId != null) result.chainId = chainId;
+    return result;
+  }
+
+  TokenInfo._();
+
+  factory TokenInfo.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory TokenInfo.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'TokenInfo',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..aOS(1, _omitFieldNames ? '' : 'symbol')
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'address', $pb.PbFieldType.OY)
+    ..a<$fixnum.Int64>(3, _omitFieldNames ? '' : 'chainId', $pb.PbFieldType.OU6,
+        defaultOrMaker: $fixnum.Int64.ZERO)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TokenInfo clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TokenInfo copyWith(void Function(TokenInfo) updates) =>
+      super.copyWith((message) => updates(message as TokenInfo)) as TokenInfo;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static TokenInfo create() => TokenInfo._();
+  @$core.override
+  TokenInfo createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static TokenInfo getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<TokenInfo>(create);
+  static TokenInfo? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.String get symbol => $_getSZ(0);
+  @$pb.TagNumber(1)
+  set symbol($core.String value) => $_setString(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSymbol() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSymbol() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get address => $_getN(1);
+  @$pb.TagNumber(2)
+  set address($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasAddress() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearAddress() => $_clearField(2);
+
+  @$pb.TagNumber(3)
+  $fixnum.Int64 get chainId => $_getI64(2);
+  @$pb.TagNumber(3)
+  set chainId($fixnum.Int64 value) => $_setInt64(2, value);
+  @$pb.TagNumber(3)
+  $core.bool hasChainId() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearChainId() => $_clearField(3);
+}
+
+/// Mirror of token_transfers::Meaning
+class TokenTransferMeaning extends $pb.GeneratedMessage {
+  factory TokenTransferMeaning({
+    TokenInfo? token,
+    $core.List<$core.int>? to,
+    $core.List<$core.int>? value,
+  }) {
+    final result = create();
+    if (token != null) result.token = token;
+    if (to != null) result.to = to;
+    if (value != null) result.value = value;
+    return result;
+  }
+
+  TokenTransferMeaning._();
+
+  factory TokenTransferMeaning.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory TokenTransferMeaning.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'TokenTransferMeaning',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..aOM<TokenInfo>(1, _omitFieldNames ? '' : 'token',
+        subBuilder: TokenInfo.create)
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'to', $pb.PbFieldType.OY)
+    ..a<$core.List<$core.int>>(
+        3, _omitFieldNames ? '' : 'value', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TokenTransferMeaning clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TokenTransferMeaning copyWith(void Function(TokenTransferMeaning) updates) =>
+      super.copyWith((message) => updates(message as TokenTransferMeaning))
+          as TokenTransferMeaning;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static TokenTransferMeaning create() => TokenTransferMeaning._();
+  @$core.override
+  TokenTransferMeaning createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static TokenTransferMeaning getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<TokenTransferMeaning>(create);
+  static TokenTransferMeaning? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  TokenInfo get token => $_getN(0);
+  @$pb.TagNumber(1)
+  set token(TokenInfo value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasToken() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearToken() => $_clearField(1);
+  @$pb.TagNumber(1)
+  TokenInfo ensureToken() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get to => $_getN(1);
+  @$pb.TagNumber(2)
+  set to($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasTo() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearTo() => $_clearField(2);
+
+  @$pb.TagNumber(3)
+  $core.List<$core.int> get value => $_getN(2);
+  @$pb.TagNumber(3)
+  set value($core.List<$core.int> value) => $_setBytes(2, value);
+  @$pb.TagNumber(3)
+  $core.bool hasValue() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearValue() => $_clearField(3);
+}
+
+enum SpecificMeaning_Meaning { etherTransfer, tokenTransfer, notSet }
+
+/// Mirror of policies::SpecificMeaning
+class SpecificMeaning extends $pb.GeneratedMessage {
+  factory SpecificMeaning({
+    EtherTransferMeaning? etherTransfer,
+    TokenTransferMeaning? tokenTransfer,
+  }) {
+    final result = create();
+    if (etherTransfer != null) result.etherTransfer = etherTransfer;
+    if (tokenTransfer != null) result.tokenTransfer = tokenTransfer;
+    return result;
+  }
+
+  SpecificMeaning._();
+
+  factory SpecificMeaning.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory SpecificMeaning.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, SpecificMeaning_Meaning>
+      _SpecificMeaning_MeaningByTag = {
+    1: SpecificMeaning_Meaning.etherTransfer,
+    2: SpecificMeaning_Meaning.tokenTransfer,
+    0: SpecificMeaning_Meaning.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'SpecificMeaning',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<EtherTransferMeaning>(1, _omitFieldNames ? '' : 'etherTransfer',
+        subBuilder: EtherTransferMeaning.create)
+    ..aOM<TokenTransferMeaning>(2, _omitFieldNames ? '' : 'tokenTransfer',
+        subBuilder: TokenTransferMeaning.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  SpecificMeaning clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  SpecificMeaning copyWith(void Function(SpecificMeaning) updates) =>
+      super.copyWith((message) => updates(message as SpecificMeaning))
+          as SpecificMeaning;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static SpecificMeaning create() => SpecificMeaning._();
+  @$core.override
+  SpecificMeaning createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static SpecificMeaning getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<SpecificMeaning>(create);
+  static SpecificMeaning? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  SpecificMeaning_Meaning whichMeaning() =>
+      _SpecificMeaning_MeaningByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearMeaning() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  EtherTransferMeaning get etherTransfer => $_getN(0);
+  @$pb.TagNumber(1)
+  set etherTransfer(EtherTransferMeaning value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasEtherTransfer() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearEtherTransfer() => $_clearField(1);
+  @$pb.TagNumber(1)
+  EtherTransferMeaning ensureEtherTransfer() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  TokenTransferMeaning get tokenTransfer => $_getN(1);
+  @$pb.TagNumber(2)
+  set tokenTransfer(TokenTransferMeaning value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasTokenTransfer() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearTokenTransfer() => $_clearField(2);
+  @$pb.TagNumber(2)
+  TokenTransferMeaning ensureTokenTransfer() => $_ensure(1);
+}
+
+class GasLimitExceededViolation extends $pb.GeneratedMessage {
+  factory GasLimitExceededViolation({
+    $core.List<$core.int>? maxGasFeePerGas,
+    $core.List<$core.int>? maxPriorityFeePerGas,
+  }) {
+    final result = create();
+    if (maxGasFeePerGas != null) result.maxGasFeePerGas = maxGasFeePerGas;
+    if (maxPriorityFeePerGas != null)
+      result.maxPriorityFeePerGas = maxPriorityFeePerGas;
+    return result;
+  }
+
+  GasLimitExceededViolation._();
+
+  factory GasLimitExceededViolation.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory GasLimitExceededViolation.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'GasLimitExceededViolation',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'maxGasFeePerGas', $pb.PbFieldType.OY)
+    ..a<$core.List<$core.int>>(
+        2, _omitFieldNames ? '' : 'maxPriorityFeePerGas', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  GasLimitExceededViolation clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  GasLimitExceededViolation copyWith(
+          void Function(GasLimitExceededViolation) updates) =>
+      super.copyWith((message) => updates(message as GasLimitExceededViolation))
+          as GasLimitExceededViolation;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static GasLimitExceededViolation create() => GasLimitExceededViolation._();
+  @$core.override
+  GasLimitExceededViolation createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static GasLimitExceededViolation getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<GasLimitExceededViolation>(create);
+  static GasLimitExceededViolation? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get maxGasFeePerGas => $_getN(0);
+  @$pb.TagNumber(1)
+  set maxGasFeePerGas($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasMaxGasFeePerGas() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearMaxGasFeePerGas() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.List<$core.int> get maxPriorityFeePerGas => $_getN(1);
+  @$pb.TagNumber(2)
+  set maxPriorityFeePerGas($core.List<$core.int> value) => $_setBytes(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasMaxPriorityFeePerGas() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearMaxPriorityFeePerGas() => $_clearField(2);
+}
+
+enum EvalViolation_Kind {
+  invalidTarget,
+  gasLimitExceeded,
+  rateLimitExceeded,
+  volumetricLimitExceeded,
+  invalidTime,
+  invalidTransactionType,
+  notSet
+}
+
+class EvalViolation extends $pb.GeneratedMessage {
+  factory EvalViolation({
+    $core.List<$core.int>? invalidTarget,
+    GasLimitExceededViolation? gasLimitExceeded,
+    $0.Empty? rateLimitExceeded,
+    $0.Empty? volumetricLimitExceeded,
+    $0.Empty? invalidTime,
+    $0.Empty? invalidTransactionType,
+  }) {
+    final result = create();
+    if (invalidTarget != null) result.invalidTarget = invalidTarget;
+    if (gasLimitExceeded != null) result.gasLimitExceeded = gasLimitExceeded;
+    if (rateLimitExceeded != null) result.rateLimitExceeded = rateLimitExceeded;
+    if (volumetricLimitExceeded != null)
+      result.volumetricLimitExceeded = volumetricLimitExceeded;
+    if (invalidTime != null) result.invalidTime = invalidTime;
+    if (invalidTransactionType != null)
+      result.invalidTransactionType = invalidTransactionType;
+    return result;
+  }
+
+  EvalViolation._();
+
+  factory EvalViolation.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory EvalViolation.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, EvalViolation_Kind>
+      _EvalViolation_KindByTag = {
+    1: EvalViolation_Kind.invalidTarget,
+    2: EvalViolation_Kind.gasLimitExceeded,
+    3: EvalViolation_Kind.rateLimitExceeded,
+    4: EvalViolation_Kind.volumetricLimitExceeded,
+    5: EvalViolation_Kind.invalidTime,
+    6: EvalViolation_Kind.invalidTransactionType,
+    0: EvalViolation_Kind.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'EvalViolation',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2, 3, 4, 5, 6])
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'invalidTarget', $pb.PbFieldType.OY)
+    ..aOM<GasLimitExceededViolation>(
+        2, _omitFieldNames ? '' : 'gasLimitExceeded',
+        subBuilder: GasLimitExceededViolation.create)
+    ..aOM<$0.Empty>(3, _omitFieldNames ? '' : 'rateLimitExceeded',
+        subBuilder: $0.Empty.create)
+    ..aOM<$0.Empty>(4, _omitFieldNames ? '' : 'volumetricLimitExceeded',
+        subBuilder: $0.Empty.create)
+    ..aOM<$0.Empty>(5, _omitFieldNames ? '' : 'invalidTime',
+        subBuilder: $0.Empty.create)
+    ..aOM<$0.Empty>(6, _omitFieldNames ? '' : 'invalidTransactionType',
+        subBuilder: $0.Empty.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  EvalViolation clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  EvalViolation copyWith(void Function(EvalViolation) updates) =>
+      super.copyWith((message) => updates(message as EvalViolation))
+          as EvalViolation;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static EvalViolation create() => EvalViolation._();
+  @$core.override
+  EvalViolation createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static EvalViolation getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<EvalViolation>(create);
+  static EvalViolation? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  @$pb.TagNumber(6)
+  EvalViolation_Kind whichKind() => _EvalViolation_KindByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  @$pb.TagNumber(5)
+  @$pb.TagNumber(6)
+  void clearKind() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get invalidTarget => $_getN(0);
+  @$pb.TagNumber(1)
+  set invalidTarget($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasInvalidTarget() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearInvalidTarget() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  GasLimitExceededViolation get gasLimitExceeded => $_getN(1);
+  @$pb.TagNumber(2)
+  set gasLimitExceeded(GasLimitExceededViolation value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasGasLimitExceeded() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearGasLimitExceeded() => $_clearField(2);
+  @$pb.TagNumber(2)
+  GasLimitExceededViolation ensureGasLimitExceeded() => $_ensure(1);
+
+  @$pb.TagNumber(3)
+  $0.Empty get rateLimitExceeded => $_getN(2);
+  @$pb.TagNumber(3)
+  set rateLimitExceeded($0.Empty value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasRateLimitExceeded() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearRateLimitExceeded() => $_clearField(3);
+  @$pb.TagNumber(3)
+  $0.Empty ensureRateLimitExceeded() => $_ensure(2);
+
+  @$pb.TagNumber(4)
+  $0.Empty get volumetricLimitExceeded => $_getN(3);
+  @$pb.TagNumber(4)
+  set volumetricLimitExceeded($0.Empty value) => $_setField(4, value);
+  @$pb.TagNumber(4)
+  $core.bool hasVolumetricLimitExceeded() => $_has(3);
+  @$pb.TagNumber(4)
+  void clearVolumetricLimitExceeded() => $_clearField(4);
+  @$pb.TagNumber(4)
+  $0.Empty ensureVolumetricLimitExceeded() => $_ensure(3);
+
+  @$pb.TagNumber(5)
+  $0.Empty get invalidTime => $_getN(4);
+  @$pb.TagNumber(5)
+  set invalidTime($0.Empty value) => $_setField(5, value);
+  @$pb.TagNumber(5)
+  $core.bool hasInvalidTime() => $_has(4);
+  @$pb.TagNumber(5)
+  void clearInvalidTime() => $_clearField(5);
+  @$pb.TagNumber(5)
+  $0.Empty ensureInvalidTime() => $_ensure(4);
+
+  @$pb.TagNumber(6)
+  $0.Empty get invalidTransactionType => $_getN(5);
+  @$pb.TagNumber(6)
+  set invalidTransactionType($0.Empty value) => $_setField(6, value);
+  @$pb.TagNumber(6)
+  $core.bool hasInvalidTransactionType() => $_has(5);
+  @$pb.TagNumber(6)
+  void clearInvalidTransactionType() => $_clearField(6);
+  @$pb.TagNumber(6)
+  $0.Empty ensureInvalidTransactionType() => $_ensure(5);
+}
+
+/// Transaction was classified but no grant covers it
+class NoMatchingGrantError extends $pb.GeneratedMessage {
+  factory NoMatchingGrantError({
+    SpecificMeaning? meaning,
+  }) {
+    final result = create();
+    if (meaning != null) result.meaning = meaning;
+    return result;
+  }
+
+  NoMatchingGrantError._();
+
+  factory NoMatchingGrantError.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory NoMatchingGrantError.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'NoMatchingGrantError',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..aOM<SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
+        subBuilder: SpecificMeaning.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  NoMatchingGrantError clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  NoMatchingGrantError copyWith(void Function(NoMatchingGrantError) updates) =>
+      super.copyWith((message) => updates(message as NoMatchingGrantError))
+          as NoMatchingGrantError;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static NoMatchingGrantError create() => NoMatchingGrantError._();
+  @$core.override
+  NoMatchingGrantError createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static NoMatchingGrantError getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<NoMatchingGrantError>(create);
+  static NoMatchingGrantError? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  SpecificMeaning get meaning => $_getN(0);
+  @$pb.TagNumber(1)
+  set meaning(SpecificMeaning value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasMeaning() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearMeaning() => $_clearField(1);
+  @$pb.TagNumber(1)
+  SpecificMeaning ensureMeaning() => $_ensure(0);
+}
+
+/// Transaction was classified and a grant was found, but constraints were violated
+class PolicyViolationsError extends $pb.GeneratedMessage {
+  factory PolicyViolationsError({
+    SpecificMeaning? meaning,
+    $core.Iterable<EvalViolation>? violations,
+  }) {
+    final result = create();
+    if (meaning != null) result.meaning = meaning;
+    if (violations != null) result.violations.addAll(violations);
+    return result;
+  }
+
+  PolicyViolationsError._();
+
+  factory PolicyViolationsError.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory PolicyViolationsError.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'PolicyViolationsError',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..aOM<SpecificMeaning>(1, _omitFieldNames ? '' : 'meaning',
+        subBuilder: SpecificMeaning.create)
+    ..pPM<EvalViolation>(2, _omitFieldNames ? '' : 'violations',
+        subBuilder: EvalViolation.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  PolicyViolationsError clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  PolicyViolationsError copyWith(
+          void Function(PolicyViolationsError) updates) =>
+      super.copyWith((message) => updates(message as PolicyViolationsError))
+          as PolicyViolationsError;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static PolicyViolationsError create() => PolicyViolationsError._();
+  @$core.override
+  PolicyViolationsError createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static PolicyViolationsError getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<PolicyViolationsError>(create);
+  static PolicyViolationsError? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  SpecificMeaning get meaning => $_getN(0);
+  @$pb.TagNumber(1)
+  set meaning(SpecificMeaning value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasMeaning() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearMeaning() => $_clearField(1);
+  @$pb.TagNumber(1)
+  SpecificMeaning ensureMeaning() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $pb.PbList<EvalViolation> get violations => $_getList(1);
+}
+
+enum TransactionEvalError_Kind {
+  contractCreationNotSupported,
+  unsupportedTransactionType,
+  noMatchingGrant,
+  policyViolations,
+  notSet
+}
+
+/// top-level error returned when transaction evaluation fails
+class TransactionEvalError extends $pb.GeneratedMessage {
+  factory TransactionEvalError({
+    $0.Empty? contractCreationNotSupported,
+    $0.Empty? unsupportedTransactionType,
+    NoMatchingGrantError? noMatchingGrant,
+    PolicyViolationsError? policyViolations,
+  }) {
+    final result = create();
+    if (contractCreationNotSupported != null)
+      result.contractCreationNotSupported = contractCreationNotSupported;
+    if (unsupportedTransactionType != null)
+      result.unsupportedTransactionType = unsupportedTransactionType;
+    if (noMatchingGrant != null) result.noMatchingGrant = noMatchingGrant;
+    if (policyViolations != null) result.policyViolations = policyViolations;
+    return result;
+  }
+
+  TransactionEvalError._();
+
+  factory TransactionEvalError.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory TransactionEvalError.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, TransactionEvalError_Kind>
+      _TransactionEvalError_KindByTag = {
+    1: TransactionEvalError_Kind.contractCreationNotSupported,
+    2: TransactionEvalError_Kind.unsupportedTransactionType,
+    3: TransactionEvalError_Kind.noMatchingGrant,
+    4: TransactionEvalError_Kind.policyViolations,
+    0: TransactionEvalError_Kind.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'TransactionEvalError',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.shared.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2, 3, 4])
+    ..aOM<$0.Empty>(1, _omitFieldNames ? '' : 'contractCreationNotSupported',
+        subBuilder: $0.Empty.create)
+    ..aOM<$0.Empty>(2, _omitFieldNames ? '' : 'unsupportedTransactionType',
+        subBuilder: $0.Empty.create)
+    ..aOM<NoMatchingGrantError>(3, _omitFieldNames ? '' : 'noMatchingGrant',
+        subBuilder: NoMatchingGrantError.create)
+    ..aOM<PolicyViolationsError>(4, _omitFieldNames ? '' : 'policyViolations',
+        subBuilder: PolicyViolationsError.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TransactionEvalError clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  TransactionEvalError copyWith(void Function(TransactionEvalError) updates) =>
+      super.copyWith((message) => updates(message as TransactionEvalError))
+          as TransactionEvalError;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static TransactionEvalError create() => TransactionEvalError._();
+  @$core.override
+  TransactionEvalError createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static TransactionEvalError getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<TransactionEvalError>(create);
+  static TransactionEvalError? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  TransactionEvalError_Kind whichKind() =>
+      _TransactionEvalError_KindByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  @$pb.TagNumber(3)
+  @$pb.TagNumber(4)
+  void clearKind() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.Empty get contractCreationNotSupported => $_getN(0);
+  @$pb.TagNumber(1)
+  set contractCreationNotSupported($0.Empty value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasContractCreationNotSupported() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearContractCreationNotSupported() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.Empty ensureContractCreationNotSupported() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $0.Empty get unsupportedTransactionType => $_getN(1);
+  @$pb.TagNumber(2)
+  set unsupportedTransactionType($0.Empty value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasUnsupportedTransactionType() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearUnsupportedTransactionType() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.Empty ensureUnsupportedTransactionType() => $_ensure(1);
+
+  @$pb.TagNumber(3)
+  NoMatchingGrantError get noMatchingGrant => $_getN(2);
+  @$pb.TagNumber(3)
+  set noMatchingGrant(NoMatchingGrantError value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasNoMatchingGrant() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearNoMatchingGrant() => $_clearField(3);
+  @$pb.TagNumber(3)
+  NoMatchingGrantError ensureNoMatchingGrant() => $_ensure(2);
+
+  @$pb.TagNumber(4)
+  PolicyViolationsError get policyViolations => $_getN(3);
+  @$pb.TagNumber(4)
+  set policyViolations(PolicyViolationsError value) => $_setField(4, value);
+  @$pb.TagNumber(4)
+  $core.bool hasPolicyViolations() => $_has(3);
+  @$pb.TagNumber(4)
+  void clearPolicyViolations() => $_clearField(4);
+  @$pb.TagNumber(4)
+  PolicyViolationsError ensurePolicyViolations() => $_ensure(3);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');

useragent/lib/proto/shared/evm.pbenum.dart

@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports

useragent/lib/proto/shared/evm.pbjson.dart

@@ -0,0 +1,320 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use etherTransferMeaningDescriptor instead')
+const EtherTransferMeaning$json = {
+  '1': 'EtherTransferMeaning',
+  '2': [
+    {'1': 'to', '3': 1, '4': 1, '5': 12, '10': 'to'},
+    {'1': 'value', '3': 2, '4': 1, '5': 12, '10': 'value'},
+  ],
+};
+
+/// Descriptor for `EtherTransferMeaning`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List etherTransferMeaningDescriptor = $convert.base64Decode(
+    'ChRFdGhlclRyYW5zZmVyTWVhbmluZxIOCgJ0bxgBIAEoDFICdG8SFAoFdmFsdWUYAiABKAxSBX'
+    'ZhbHVl');
+
+@$core.Deprecated('Use tokenInfoDescriptor instead')
+const TokenInfo$json = {
+  '1': 'TokenInfo',
+  '2': [
+    {'1': 'symbol', '3': 1, '4': 1, '5': 9, '10': 'symbol'},
+    {'1': 'address', '3': 2, '4': 1, '5': 12, '10': 'address'},
+    {'1': 'chain_id', '3': 3, '4': 1, '5': 4, '10': 'chainId'},
+  ],
+};
+
+/// Descriptor for `TokenInfo`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List tokenInfoDescriptor = $convert.base64Decode(
+    'CglUb2tlbkluZm8SFgoGc3ltYm9sGAEgASgJUgZzeW1ib2wSGAoHYWRkcmVzcxgCIAEoDFIHYW'
+    'RkcmVzcxIZCghjaGFpbl9pZBgDIAEoBFIHY2hhaW5JZA==');
+
+@$core.Deprecated('Use tokenTransferMeaningDescriptor instead')
+const TokenTransferMeaning$json = {
+  '1': 'TokenTransferMeaning',
+  '2': [
+    {
+      '1': 'token',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.TokenInfo',
+      '10': 'token'
+    },
+    {'1': 'to', '3': 2, '4': 1, '5': 12, '10': 'to'},
+    {'1': 'value', '3': 3, '4': 1, '5': 12, '10': 'value'},
+  ],
+};
+
+/// Descriptor for `TokenTransferMeaning`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List tokenTransferMeaningDescriptor = $convert.base64Decode(
+    'ChRUb2tlblRyYW5zZmVyTWVhbmluZxIzCgV0b2tlbhgBIAEoCzIdLmFyYml0ZXIuc2hhcmVkLm'
+    'V2bS5Ub2tlbkluZm9SBXRva2VuEg4KAnRvGAIgASgMUgJ0bxIUCgV2YWx1ZRgDIAEoDFIFdmFs'
+    'dWU=');
+
+@$core.Deprecated('Use specificMeaningDescriptor instead')
+const SpecificMeaning$json = {
+  '1': 'SpecificMeaning',
+  '2': [
+    {
+      '1': 'ether_transfer',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.EtherTransferMeaning',
+      '9': 0,
+      '10': 'etherTransfer'
+    },
+    {
+      '1': 'token_transfer',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.TokenTransferMeaning',
+      '9': 0,
+      '10': 'tokenTransfer'
+    },
+  ],
+  '8': [
+    {'1': 'meaning'},
+  ],
+};
+
+/// Descriptor for `SpecificMeaning`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List specificMeaningDescriptor = $convert.base64Decode(
+    'Cg9TcGVjaWZpY01lYW5pbmcSUQoOZXRoZXJfdHJhbnNmZXIYASABKAsyKC5hcmJpdGVyLnNoYX'
+    'JlZC5ldm0uRXRoZXJUcmFuc2Zlck1lYW5pbmdIAFINZXRoZXJUcmFuc2ZlchJRCg50b2tlbl90'
+    'cmFuc2ZlchgCIAEoCzIoLmFyYml0ZXIuc2hhcmVkLmV2bS5Ub2tlblRyYW5zZmVyTWVhbmluZ0'
+    'gAUg10b2tlblRyYW5zZmVyQgkKB21lYW5pbmc=');
+
+@$core.Deprecated('Use gasLimitExceededViolationDescriptor instead')
+const GasLimitExceededViolation$json = {
+  '1': 'GasLimitExceededViolation',
+  '2': [
+    {
+      '1': 'max_gas_fee_per_gas',
+      '3': 1,
+      '4': 1,
+      '5': 12,
+      '9': 0,
+      '10': 'maxGasFeePerGas',
+      '17': true
+    },
+    {
+      '1': 'max_priority_fee_per_gas',
+      '3': 2,
+      '4': 1,
+      '5': 12,
+      '9': 1,
+      '10': 'maxPriorityFeePerGas',
+      '17': true
+    },
+  ],
+  '8': [
+    {'1': '_max_gas_fee_per_gas'},
+    {'1': '_max_priority_fee_per_gas'},
+  ],
+};
+
+/// Descriptor for `GasLimitExceededViolation`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List gasLimitExceededViolationDescriptor = $convert.base64Decode(
+    'ChlHYXNMaW1pdEV4Y2VlZGVkVmlvbGF0aW9uEjEKE21heF9nYXNfZmVlX3Blcl9nYXMYASABKA'
+    'xIAFIPbWF4R2FzRmVlUGVyR2FziAEBEjsKGG1heF9wcmlvcml0eV9mZWVfcGVyX2dhcxgCIAEo'
+    'DEgBUhRtYXhQcmlvcml0eUZlZVBlckdhc4gBAUIWChRfbWF4X2dhc19mZWVfcGVyX2dhc0IbCh'
+    'lfbWF4X3ByaW9yaXR5X2ZlZV9wZXJfZ2Fz');
+
+@$core.Deprecated('Use evalViolationDescriptor instead')
+const EvalViolation$json = {
+  '1': 'EvalViolation',
+  '2': [
+    {
+      '1': 'invalid_target',
+      '3': 1,
+      '4': 1,
+      '5': 12,
+      '9': 0,
+      '10': 'invalidTarget'
+    },
+    {
+      '1': 'gas_limit_exceeded',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.GasLimitExceededViolation',
+      '9': 0,
+      '10': 'gasLimitExceeded'
+    },
+    {
+      '1': 'rate_limit_exceeded',
+      '3': 3,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'rateLimitExceeded'
+    },
+    {
+      '1': 'volumetric_limit_exceeded',
+      '3': 4,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'volumetricLimitExceeded'
+    },
+    {
+      '1': 'invalid_time',
+      '3': 5,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'invalidTime'
+    },
+    {
+      '1': 'invalid_transaction_type',
+      '3': 6,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'invalidTransactionType'
+    },
+  ],
+  '8': [
+    {'1': 'kind'},
+  ],
+};
+
+/// Descriptor for `EvalViolation`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List evalViolationDescriptor = $convert.base64Decode(
+    'Cg1FdmFsVmlvbGF0aW9uEicKDmludmFsaWRfdGFyZ2V0GAEgASgMSABSDWludmFsaWRUYXJnZX'
+    'QSXQoSZ2FzX2xpbWl0X2V4Y2VlZGVkGAIgASgLMi0uYXJiaXRlci5zaGFyZWQuZXZtLkdhc0xp'
+    'bWl0RXhjZWVkZWRWaW9sYXRpb25IAFIQZ2FzTGltaXRFeGNlZWRlZBJIChNyYXRlX2xpbWl0X2'
+    'V4Y2VlZGVkGAMgASgLMhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SABSEXJhdGVMaW1pdEV4Y2Vl'
+    'ZGVkElQKGXZvbHVtZXRyaWNfbGltaXRfZXhjZWVkZWQYBCABKAsyFi5nb29nbGUucHJvdG9idW'
+    'YuRW1wdHlIAFIXdm9sdW1ldHJpY0xpbWl0RXhjZWVkZWQSOwoMaW52YWxpZF90aW1lGAUgASgL'
+    'MhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SABSC2ludmFsaWRUaW1lElIKGGludmFsaWRfdHJhbn'
+    'NhY3Rpb25fdHlwZRgGIAEoCzIWLmdvb2dsZS5wcm90b2J1Zi5FbXB0eUgAUhZpbnZhbGlkVHJh'
+    'bnNhY3Rpb25UeXBlQgYKBGtpbmQ=');
+
+@$core.Deprecated('Use noMatchingGrantErrorDescriptor instead')
+const NoMatchingGrantError$json = {
+  '1': 'NoMatchingGrantError',
+  '2': [
+    {
+      '1': 'meaning',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.SpecificMeaning',
+      '10': 'meaning'
+    },
+  ],
+};
+
+/// Descriptor for `NoMatchingGrantError`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List noMatchingGrantErrorDescriptor = $convert.base64Decode(
+    'ChROb01hdGNoaW5nR3JhbnRFcnJvchI9CgdtZWFuaW5nGAEgASgLMiMuYXJiaXRlci5zaGFyZW'
+    'QuZXZtLlNwZWNpZmljTWVhbmluZ1IHbWVhbmluZw==');
+
+@$core.Deprecated('Use policyViolationsErrorDescriptor instead')
+const PolicyViolationsError$json = {
+  '1': 'PolicyViolationsError',
+  '2': [
+    {
+      '1': 'meaning',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.SpecificMeaning',
+      '10': 'meaning'
+    },
+    {
+      '1': 'violations',
+      '3': 2,
+      '4': 3,
+      '5': 11,
+      '6': '.arbiter.shared.evm.EvalViolation',
+      '10': 'violations'
+    },
+  ],
+};
+
+/// Descriptor for `PolicyViolationsError`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List policyViolationsErrorDescriptor = $convert.base64Decode(
+    'ChVQb2xpY3lWaW9sYXRpb25zRXJyb3ISPQoHbWVhbmluZxgBIAEoCzIjLmFyYml0ZXIuc2hhcm'
+    'VkLmV2bS5TcGVjaWZpY01lYW5pbmdSB21lYW5pbmcSQQoKdmlvbGF0aW9ucxgCIAMoCzIhLmFy'
+    'Yml0ZXIuc2hhcmVkLmV2bS5FdmFsVmlvbGF0aW9uUgp2aW9sYXRpb25z');
+
+@$core.Deprecated('Use transactionEvalErrorDescriptor instead')
+const TransactionEvalError$json = {
+  '1': 'TransactionEvalError',
+  '2': [
+    {
+      '1': 'contract_creation_not_supported',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'contractCreationNotSupported'
+    },
+    {
+      '1': 'unsupported_transaction_type',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.google.protobuf.Empty',
+      '9': 0,
+      '10': 'unsupportedTransactionType'
+    },
+    {
+      '1': 'no_matching_grant',
+      '3': 3,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.NoMatchingGrantError',
+      '9': 0,
+      '10': 'noMatchingGrant'
+    },
+    {
+      '1': 'policy_violations',
+      '3': 4,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.evm.PolicyViolationsError',
+      '9': 0,
+      '10': 'policyViolations'
+    },
+  ],
+  '8': [
+    {'1': 'kind'},
+  ],
+};
+
+/// Descriptor for `TransactionEvalError`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List transactionEvalErrorDescriptor = $convert.base64Decode(
+    'ChRUcmFuc2FjdGlvbkV2YWxFcnJvchJfCh9jb250cmFjdF9jcmVhdGlvbl9ub3Rfc3VwcG9ydG'
+    'VkGAEgASgLMhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5SABSHGNvbnRyYWN0Q3JlYXRpb25Ob3RT'
+    'dXBwb3J0ZWQSWgocdW5zdXBwb3J0ZWRfdHJhbnNhY3Rpb25fdHlwZRgCIAEoCzIWLmdvb2dsZS'
+    '5wcm90b2J1Zi5FbXB0eUgAUhp1bnN1cHBvcnRlZFRyYW5zYWN0aW9uVHlwZRJWChFub19tYXRj'
+    'aGluZ19ncmFudBgDIAEoCzIoLmFyYml0ZXIuc2hhcmVkLmV2bS5Ob01hdGNoaW5nR3JhbnRFcn'
+    'JvckgAUg9ub01hdGNoaW5nR3JhbnQSWAoRcG9saWN5X3Zpb2xhdGlvbnMYBCABKAsyKS5hcmJp'
+    'dGVyLnNoYXJlZC5ldm0uUG9saWN5VmlvbGF0aW9uc0Vycm9ySABSEHBvbGljeVZpb2xhdGlvbn'
+    'NCBgoEa2luZA==');

useragent/lib/proto/shared/vault.pb.dart

@@ -0,0 +1,17 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+export 'vault.pbenum.dart';

useragent/lib/proto/shared/vault.pbenum.dart

@@ -0,0 +1,46 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+class VaultState extends $pb.ProtobufEnum {
+  static const VaultState VAULT_STATE_UNSPECIFIED =
+      VaultState._(0, _omitEnumNames ? '' : 'VAULT_STATE_UNSPECIFIED');
+  static const VaultState VAULT_STATE_UNBOOTSTRAPPED =
+      VaultState._(1, _omitEnumNames ? '' : 'VAULT_STATE_UNBOOTSTRAPPED');
+  static const VaultState VAULT_STATE_SEALED =
+      VaultState._(2, _omitEnumNames ? '' : 'VAULT_STATE_SEALED');
+  static const VaultState VAULT_STATE_UNSEALED =
+      VaultState._(3, _omitEnumNames ? '' : 'VAULT_STATE_UNSEALED');
+  static const VaultState VAULT_STATE_ERROR =
+      VaultState._(4, _omitEnumNames ? '' : 'VAULT_STATE_ERROR');
+
+  static const $core.List<VaultState> values = <VaultState>[
+    VAULT_STATE_UNSPECIFIED,
+    VAULT_STATE_UNBOOTSTRAPPED,
+    VAULT_STATE_SEALED,
+    VAULT_STATE_UNSEALED,
+    VAULT_STATE_ERROR,
+  ];
+
+  static final $core.List<VaultState?> _byValue =
+      $pb.ProtobufEnum.$_initByValueList(values, 4);
+  static VaultState? valueOf($core.int value) =>
+      value < 0 || value >= _byValue.length ? null : _byValue[value];
+
+  const VaultState._(super.value, super.name);
+}
+
+const $core.bool _omitEnumNames =
+    $core.bool.fromEnvironment('protobuf.omit_enum_names');

useragent/lib/proto/shared/vault.pbjson.dart

@@ -0,0 +1,34 @@
+// This is a generated file - do not edit.
+//
+// Generated from shared/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use vaultStateDescriptor instead')
+const VaultState$json = {
+  '1': 'VaultState',
+  '2': [
+    {'1': 'VAULT_STATE_UNSPECIFIED', '2': 0},
+    {'1': 'VAULT_STATE_UNBOOTSTRAPPED', '2': 1},
+    {'1': 'VAULT_STATE_SEALED', '2': 2},
+    {'1': 'VAULT_STATE_UNSEALED', '2': 3},
+    {'1': 'VAULT_STATE_ERROR', '2': 4},
+  ],
+};
+
+/// Descriptor for `VaultState`. Decode as a `google.protobuf.EnumDescriptorProto`.
+final $typed_data.Uint8List vaultStateDescriptor = $convert.base64Decode(
+    'CgpWYXVsdFN0YXRlEhsKF1ZBVUxUX1NUQVRFX1VOU1BFQ0lGSUVEEAASHgoaVkFVTFRfU1RBVE'
+    'VfVU5CT09UU1RSQVBQRUQQARIWChJWQVVMVF9TVEFURV9TRUFMRUQQAhIYChRWQVVMVF9TVEFU'
+    'RV9VTlNFQUxFRBADEhUKEVZBVUxUX1NUQVRFX0VSUk9SEAQ=');

useragent/lib/proto/user_agent.pbenum.dart

@@ -9,178 +9,3 @@
 // ignore_for_file: curly_braces_in_flow_control_structures
 // ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
 // ignore_for_file: non_constant_identifier_names, prefer_relative_imports
-
-import 'dart:core' as $core;
-
-import 'package:protobuf/protobuf.dart' as $pb;
-
-class KeyType extends $pb.ProtobufEnum {
-  static const KeyType KEY_TYPE_UNSPECIFIED =
-      KeyType._(0, _omitEnumNames ? '' : 'KEY_TYPE_UNSPECIFIED');
-  static const KeyType KEY_TYPE_ED25519 =
-      KeyType._(1, _omitEnumNames ? '' : 'KEY_TYPE_ED25519');
-  static const KeyType KEY_TYPE_ECDSA_SECP256K1 =
-      KeyType._(2, _omitEnumNames ? '' : 'KEY_TYPE_ECDSA_SECP256K1');
-  static const KeyType KEY_TYPE_RSA =
-      KeyType._(3, _omitEnumNames ? '' : 'KEY_TYPE_RSA');
-
-  static const $core.List<KeyType> values = <KeyType>[
-    KEY_TYPE_UNSPECIFIED,
-    KEY_TYPE_ED25519,
-    KEY_TYPE_ECDSA_SECP256K1,
-    KEY_TYPE_RSA,
-  ];
-
-  static final $core.List<KeyType?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 3);
-  static KeyType? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const KeyType._(super.value, super.name);
-}
-
-class SdkClientError extends $pb.ProtobufEnum {
-  static const SdkClientError SDK_CLIENT_ERROR_UNSPECIFIED =
-      SdkClientError._(0, _omitEnumNames ? '' : 'SDK_CLIENT_ERROR_UNSPECIFIED');
-  static const SdkClientError SDK_CLIENT_ERROR_ALREADY_EXISTS =
-      SdkClientError._(
-          1, _omitEnumNames ? '' : 'SDK_CLIENT_ERROR_ALREADY_EXISTS');
-  static const SdkClientError SDK_CLIENT_ERROR_NOT_FOUND =
-      SdkClientError._(2, _omitEnumNames ? '' : 'SDK_CLIENT_ERROR_NOT_FOUND');
-  static const SdkClientError SDK_CLIENT_ERROR_HAS_RELATED_DATA =
-      SdkClientError._(
-          3, _omitEnumNames ? '' : 'SDK_CLIENT_ERROR_HAS_RELATED_DATA');
-  static const SdkClientError SDK_CLIENT_ERROR_INTERNAL =
-      SdkClientError._(4, _omitEnumNames ? '' : 'SDK_CLIENT_ERROR_INTERNAL');
-
-  static const $core.List<SdkClientError> values = <SdkClientError>[
-    SDK_CLIENT_ERROR_UNSPECIFIED,
-    SDK_CLIENT_ERROR_ALREADY_EXISTS,
-    SDK_CLIENT_ERROR_NOT_FOUND,
-    SDK_CLIENT_ERROR_HAS_RELATED_DATA,
-    SDK_CLIENT_ERROR_INTERNAL,
-  ];
-
-  static final $core.List<SdkClientError?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 4);
-  static SdkClientError? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const SdkClientError._(super.value, super.name);
-}
-
-class AuthResult extends $pb.ProtobufEnum {
-  static const AuthResult AUTH_RESULT_UNSPECIFIED =
-      AuthResult._(0, _omitEnumNames ? '' : 'AUTH_RESULT_UNSPECIFIED');
-  static const AuthResult AUTH_RESULT_SUCCESS =
-      AuthResult._(1, _omitEnumNames ? '' : 'AUTH_RESULT_SUCCESS');
-  static const AuthResult AUTH_RESULT_INVALID_KEY =
-      AuthResult._(2, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_KEY');
-  static const AuthResult AUTH_RESULT_INVALID_SIGNATURE =
-      AuthResult._(3, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_SIGNATURE');
-  static const AuthResult AUTH_RESULT_BOOTSTRAP_REQUIRED =
-      AuthResult._(4, _omitEnumNames ? '' : 'AUTH_RESULT_BOOTSTRAP_REQUIRED');
-  static const AuthResult AUTH_RESULT_TOKEN_INVALID =
-      AuthResult._(5, _omitEnumNames ? '' : 'AUTH_RESULT_TOKEN_INVALID');
-  static const AuthResult AUTH_RESULT_INTERNAL =
-      AuthResult._(6, _omitEnumNames ? '' : 'AUTH_RESULT_INTERNAL');
-
-  static const $core.List<AuthResult> values = <AuthResult>[
-    AUTH_RESULT_UNSPECIFIED,
-    AUTH_RESULT_SUCCESS,
-    AUTH_RESULT_INVALID_KEY,
-    AUTH_RESULT_INVALID_SIGNATURE,
-    AUTH_RESULT_BOOTSTRAP_REQUIRED,
-    AUTH_RESULT_TOKEN_INVALID,
-    AUTH_RESULT_INTERNAL,
-  ];
-
-  static final $core.List<AuthResult?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 6);
-  static AuthResult? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const AuthResult._(super.value, super.name);
-}
-
-class UnsealResult extends $pb.ProtobufEnum {
-  static const UnsealResult UNSEAL_RESULT_UNSPECIFIED =
-      UnsealResult._(0, _omitEnumNames ? '' : 'UNSEAL_RESULT_UNSPECIFIED');
-  static const UnsealResult UNSEAL_RESULT_SUCCESS =
-      UnsealResult._(1, _omitEnumNames ? '' : 'UNSEAL_RESULT_SUCCESS');
-  static const UnsealResult UNSEAL_RESULT_INVALID_KEY =
-      UnsealResult._(2, _omitEnumNames ? '' : 'UNSEAL_RESULT_INVALID_KEY');
-  static const UnsealResult UNSEAL_RESULT_UNBOOTSTRAPPED =
-      UnsealResult._(3, _omitEnumNames ? '' : 'UNSEAL_RESULT_UNBOOTSTRAPPED');
-
-  static const $core.List<UnsealResult> values = <UnsealResult>[
-    UNSEAL_RESULT_UNSPECIFIED,
-    UNSEAL_RESULT_SUCCESS,
-    UNSEAL_RESULT_INVALID_KEY,
-    UNSEAL_RESULT_UNBOOTSTRAPPED,
-  ];
-
-  static final $core.List<UnsealResult?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 3);
-  static UnsealResult? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const UnsealResult._(super.value, super.name);
-}
-
-class BootstrapResult extends $pb.ProtobufEnum {
-  static const BootstrapResult BOOTSTRAP_RESULT_UNSPECIFIED = BootstrapResult._(
-      0, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_UNSPECIFIED');
-  static const BootstrapResult BOOTSTRAP_RESULT_SUCCESS =
-      BootstrapResult._(1, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_SUCCESS');
-  static const BootstrapResult BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED =
-      BootstrapResult._(
-          2, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED');
-  static const BootstrapResult BOOTSTRAP_RESULT_INVALID_KEY = BootstrapResult._(
-      3, _omitEnumNames ? '' : 'BOOTSTRAP_RESULT_INVALID_KEY');
-
-  static const $core.List<BootstrapResult> values = <BootstrapResult>[
-    BOOTSTRAP_RESULT_UNSPECIFIED,
-    BOOTSTRAP_RESULT_SUCCESS,
-    BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED,
-    BOOTSTRAP_RESULT_INVALID_KEY,
-  ];
-
-  static final $core.List<BootstrapResult?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 3);
-  static BootstrapResult? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const BootstrapResult._(super.value, super.name);
-}
-
-class VaultState extends $pb.ProtobufEnum {
-  static const VaultState VAULT_STATE_UNSPECIFIED =
-      VaultState._(0, _omitEnumNames ? '' : 'VAULT_STATE_UNSPECIFIED');
-  static const VaultState VAULT_STATE_UNBOOTSTRAPPED =
-      VaultState._(1, _omitEnumNames ? '' : 'VAULT_STATE_UNBOOTSTRAPPED');
-  static const VaultState VAULT_STATE_SEALED =
-      VaultState._(2, _omitEnumNames ? '' : 'VAULT_STATE_SEALED');
-  static const VaultState VAULT_STATE_UNSEALED =
-      VaultState._(3, _omitEnumNames ? '' : 'VAULT_STATE_UNSEALED');
-  static const VaultState VAULT_STATE_ERROR =
-      VaultState._(4, _omitEnumNames ? '' : 'VAULT_STATE_ERROR');
-
-  static const $core.List<VaultState> values = <VaultState>[
-    VAULT_STATE_UNSPECIFIED,
-    VAULT_STATE_UNBOOTSTRAPPED,
-    VAULT_STATE_SEALED,
-    VAULT_STATE_UNSEALED,
-    VAULT_STATE_ERROR,
-  ];
-
-  static final $core.List<VaultState?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 4);
-  static VaultState? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const VaultState._(super.value, super.name);
-}
-
-const $core.bool _omitEnumNames =
-    $core.bool.fromEnvironment('protobuf.omit_enum_names');

useragent/lib/proto/user_agent.pbjson.dart

@@ -15,657 +15,46 @@ import 'dart:convert' as $convert;
 import 'dart:core' as $core;
 import 'dart:typed_data' as $typed_data;
 
-@$core.Deprecated('Use keyTypeDescriptor instead')
-const KeyType$json = {
-  '1': 'KeyType',
-  '2': [
-    {'1': 'KEY_TYPE_UNSPECIFIED', '2': 0},
-    {'1': 'KEY_TYPE_ED25519', '2': 1},
-    {'1': 'KEY_TYPE_ECDSA_SECP256K1', '2': 2},
-    {'1': 'KEY_TYPE_RSA', '2': 3},
-  ],
-};
-
-/// Descriptor for `KeyType`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List keyTypeDescriptor = $convert.base64Decode(
-    'CgdLZXlUeXBlEhgKFEtFWV9UWVBFX1VOU1BFQ0lGSUVEEAASFAoQS0VZX1RZUEVfRUQyNTUxOR'
-    'ABEhwKGEtFWV9UWVBFX0VDRFNBX1NFQ1AyNTZLMRACEhAKDEtFWV9UWVBFX1JTQRAD');
-
-@$core.Deprecated('Use sdkClientErrorDescriptor instead')
-const SdkClientError$json = {
-  '1': 'SdkClientError',
-  '2': [
-    {'1': 'SDK_CLIENT_ERROR_UNSPECIFIED', '2': 0},
-    {'1': 'SDK_CLIENT_ERROR_ALREADY_EXISTS', '2': 1},
-    {'1': 'SDK_CLIENT_ERROR_NOT_FOUND', '2': 2},
-    {'1': 'SDK_CLIENT_ERROR_HAS_RELATED_DATA', '2': 3},
-    {'1': 'SDK_CLIENT_ERROR_INTERNAL', '2': 4},
-  ],
-};
-
-/// Descriptor for `SdkClientError`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List sdkClientErrorDescriptor = $convert.base64Decode(
-    'Cg5TZGtDbGllbnRFcnJvchIgChxTREtfQ0xJRU5UX0VSUk9SX1VOU1BFQ0lGSUVEEAASIwofU0'
-    'RLX0NMSUVOVF9FUlJPUl9BTFJFQURZX0VYSVNUUxABEh4KGlNES19DTElFTlRfRVJST1JfTk9U'
-    'X0ZPVU5EEAISJQohU0RLX0NMSUVOVF9FUlJPUl9IQVNfUkVMQVRFRF9EQVRBEAMSHQoZU0RLX0'
-    'NMSUVOVF9FUlJPUl9JTlRFUk5BTBAE');
-
-@$core.Deprecated('Use authResultDescriptor instead')
-const AuthResult$json = {
-  '1': 'AuthResult',
-  '2': [
-    {'1': 'AUTH_RESULT_UNSPECIFIED', '2': 0},
-    {'1': 'AUTH_RESULT_SUCCESS', '2': 1},
-    {'1': 'AUTH_RESULT_INVALID_KEY', '2': 2},
-    {'1': 'AUTH_RESULT_INVALID_SIGNATURE', '2': 3},
-    {'1': 'AUTH_RESULT_BOOTSTRAP_REQUIRED', '2': 4},
-    {'1': 'AUTH_RESULT_TOKEN_INVALID', '2': 5},
-    {'1': 'AUTH_RESULT_INTERNAL', '2': 6},
-  ],
-};
-
-/// Descriptor for `AuthResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List authResultDescriptor = $convert.base64Decode(
-    'CgpBdXRoUmVzdWx0EhsKF0FVVEhfUkVTVUxUX1VOU1BFQ0lGSUVEEAASFwoTQVVUSF9SRVNVTF'
-    'RfU1VDQ0VTUxABEhsKF0FVVEhfUkVTVUxUX0lOVkFMSURfS0VZEAISIQodQVVUSF9SRVNVTFRf'
-    'SU5WQUxJRF9TSUdOQVRVUkUQAxIiCh5BVVRIX1JFU1VMVF9CT09UU1RSQVBfUkVRVUlSRUQQBB'
-    'IdChlBVVRIX1JFU1VMVF9UT0tFTl9JTlZBTElEEAUSGAoUQVVUSF9SRVNVTFRfSU5URVJOQUwQ'
-    'Bg==');
-
-@$core.Deprecated('Use unsealResultDescriptor instead')
-const UnsealResult$json = {
-  '1': 'UnsealResult',
-  '2': [
-    {'1': 'UNSEAL_RESULT_UNSPECIFIED', '2': 0},
-    {'1': 'UNSEAL_RESULT_SUCCESS', '2': 1},
-    {'1': 'UNSEAL_RESULT_INVALID_KEY', '2': 2},
-    {'1': 'UNSEAL_RESULT_UNBOOTSTRAPPED', '2': 3},
-  ],
-};
-
-/// Descriptor for `UnsealResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List unsealResultDescriptor = $convert.base64Decode(
-    'CgxVbnNlYWxSZXN1bHQSHQoZVU5TRUFMX1JFU1VMVF9VTlNQRUNJRklFRBAAEhkKFVVOU0VBTF'
-    '9SRVNVTFRfU1VDQ0VTUxABEh0KGVVOU0VBTF9SRVNVTFRfSU5WQUxJRF9LRVkQAhIgChxVTlNF'
-    'QUxfUkVTVUxUX1VOQk9PVFNUUkFQUEVEEAM=');
-
-@$core.Deprecated('Use bootstrapResultDescriptor instead')
-const BootstrapResult$json = {
-  '1': 'BootstrapResult',
-  '2': [
-    {'1': 'BOOTSTRAP_RESULT_UNSPECIFIED', '2': 0},
-    {'1': 'BOOTSTRAP_RESULT_SUCCESS', '2': 1},
-    {'1': 'BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED', '2': 2},
-    {'1': 'BOOTSTRAP_RESULT_INVALID_KEY', '2': 3},
-  ],
-};
-
-/// Descriptor for `BootstrapResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List bootstrapResultDescriptor = $convert.base64Decode(
-    'Cg9Cb290c3RyYXBSZXN1bHQSIAocQk9PVFNUUkFQX1JFU1VMVF9VTlNQRUNJRklFRBAAEhwKGE'
-    'JPT1RTVFJBUF9SRVNVTFRfU1VDQ0VTUxABEikKJUJPT1RTVFJBUF9SRVNVTFRfQUxSRUFEWV9C'
-    'T09UU1RSQVBQRUQQAhIgChxCT09UU1RSQVBfUkVTVUxUX0lOVkFMSURfS0VZEAM=');
-
-@$core.Deprecated('Use vaultStateDescriptor instead')
-const VaultState$json = {
-  '1': 'VaultState',
-  '2': [
-    {'1': 'VAULT_STATE_UNSPECIFIED', '2': 0},
-    {'1': 'VAULT_STATE_UNBOOTSTRAPPED', '2': 1},
-    {'1': 'VAULT_STATE_SEALED', '2': 2},
-    {'1': 'VAULT_STATE_UNSEALED', '2': 3},
-    {'1': 'VAULT_STATE_ERROR', '2': 4},
-  ],
-};
-
-/// Descriptor for `VaultState`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List vaultStateDescriptor = $convert.base64Decode(
-    'CgpWYXVsdFN0YXRlEhsKF1ZBVUxUX1NUQVRFX1VOU1BFQ0lGSUVEEAASHgoaVkFVTFRfU1RBVE'
-    'VfVU5CT09UU1RSQVBQRUQQARIWChJWQVVMVF9TVEFURV9TRUFMRUQQAhIYChRWQVVMVF9TVEFU'
-    'RV9VTlNFQUxFRBADEhUKEVZBVUxUX1NUQVRFX0VSUk9SEAQ=');
-
-@$core.Deprecated('Use sdkClientRevokeRequestDescriptor instead')
-const SdkClientRevokeRequest$json = {
-  '1': 'SdkClientRevokeRequest',
-  '2': [
-    {'1': 'client_id', '3': 1, '4': 1, '5': 5, '10': 'clientId'},
-  ],
-};
-
-/// Descriptor for `SdkClientRevokeRequest`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientRevokeRequestDescriptor =
-    $convert.base64Decode(
-        'ChZTZGtDbGllbnRSZXZva2VSZXF1ZXN0EhsKCWNsaWVudF9pZBgBIAEoBVIIY2xpZW50SWQ=');
-
-@$core.Deprecated('Use sdkClientEntryDescriptor instead')
-const SdkClientEntry$json = {
-  '1': 'SdkClientEntry',
-  '2': [
-    {'1': 'id', '3': 1, '4': 1, '5': 5, '10': 'id'},
-    {'1': 'pubkey', '3': 2, '4': 1, '5': 12, '10': 'pubkey'},
-    {
-      '1': 'info',
-      '3': 3,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.client.ClientInfo',
-      '10': 'info'
-    },
-    {'1': 'created_at', '3': 4, '4': 1, '5': 5, '10': 'createdAt'},
-  ],
-};
-
-/// Descriptor for `SdkClientEntry`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientEntryDescriptor = $convert.base64Decode(
-    'Cg5TZGtDbGllbnRFbnRyeRIOCgJpZBgBIAEoBVICaWQSFgoGcHVia2V5GAIgASgMUgZwdWJrZX'
-    'kSLgoEaW5mbxgDIAEoCzIaLmFyYml0ZXIuY2xpZW50LkNsaWVudEluZm9SBGluZm8SHQoKY3Jl'
-    'YXRlZF9hdBgEIAEoBVIJY3JlYXRlZEF0');
-
-@$core.Deprecated('Use sdkClientListDescriptor instead')
-const SdkClientList$json = {
-  '1': 'SdkClientList',
-  '2': [
-    {
-      '1': 'clients',
-      '3': 1,
-      '4': 3,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientEntry',
-      '10': 'clients'
-    },
-  ],
-};
-
-/// Descriptor for `SdkClientList`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientListDescriptor = $convert.base64Decode(
-    'Cg1TZGtDbGllbnRMaXN0EjwKB2NsaWVudHMYASADKAsyIi5hcmJpdGVyLnVzZXJfYWdlbnQuU2'
-    'RrQ2xpZW50RW50cnlSB2NsaWVudHM=');
-
-@$core.Deprecated('Use sdkClientRevokeResponseDescriptor instead')
-const SdkClientRevokeResponse$json = {
-  '1': 'SdkClientRevokeResponse',
-  '2': [
-    {
-      '1': 'ok',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'ok'
-    },
-    {
-      '1': 'error',
-      '3': 2,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.SdkClientError',
-      '9': 0,
-      '10': 'error'
-    },
-  ],
-  '8': [
-    {'1': 'result'},
-  ],
-};
-
-/// Descriptor for `SdkClientRevokeResponse`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientRevokeResponseDescriptor = $convert.base64Decode(
-    'ChdTZGtDbGllbnRSZXZva2VSZXNwb25zZRIoCgJvaxgBIAEoCzIWLmdvb2dsZS5wcm90b2J1Zi'
-    '5FbXB0eUgAUgJvaxI6CgVlcnJvchgCIAEoDjIiLmFyYml0ZXIudXNlcl9hZ2VudC5TZGtDbGll'
-    'bnRFcnJvckgAUgVlcnJvckIICgZyZXN1bHQ=');
-
-@$core.Deprecated('Use sdkClientListResponseDescriptor instead')
-const SdkClientListResponse$json = {
-  '1': 'SdkClientListResponse',
-  '2': [
-    {
-      '1': 'clients',
-      '3': 1,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientList',
-      '9': 0,
-      '10': 'clients'
-    },
-    {
-      '1': 'error',
-      '3': 2,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.SdkClientError',
-      '9': 0,
-      '10': 'error'
-    },
-  ],
-  '8': [
-    {'1': 'result'},
-  ],
-};
-
-/// Descriptor for `SdkClientListResponse`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientListResponseDescriptor = $convert.base64Decode(
-    'ChVTZGtDbGllbnRMaXN0UmVzcG9uc2USPQoHY2xpZW50cxgBIAEoCzIhLmFyYml0ZXIudXNlcl'
-    '9hZ2VudC5TZGtDbGllbnRMaXN0SABSB2NsaWVudHMSOgoFZXJyb3IYAiABKA4yIi5hcmJpdGVy'
-    'LnVzZXJfYWdlbnQuU2RrQ2xpZW50RXJyb3JIAFIFZXJyb3JCCAoGcmVzdWx0');
-
-@$core.Deprecated('Use authChallengeRequestDescriptor instead')
-const AuthChallengeRequest$json = {
-  '1': 'AuthChallengeRequest',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-    {
-      '1': 'bootstrap_token',
-      '3': 2,
-      '4': 1,
-      '5': 9,
-      '9': 0,
-      '10': 'bootstrapToken',
-      '17': true
-    },
-    {
-      '1': 'key_type',
-      '3': 3,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.KeyType',
-      '10': 'keyType'
-    },
-  ],
-  '8': [
-    {'1': '_bootstrap_token'},
-  ],
-};
-
-/// Descriptor for `AuthChallengeRequest`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeRequestDescriptor = $convert.base64Decode(
-    'ChRBdXRoQ2hhbGxlbmdlUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRIsCg9ib290c3'
-    'RyYXBfdG9rZW4YAiABKAlIAFIOYm9vdHN0cmFwVG9rZW6IAQESNgoIa2V5X3R5cGUYAyABKA4y'
-    'Gy5hcmJpdGVyLnVzZXJfYWdlbnQuS2V5VHlwZVIHa2V5VHlwZUISChBfYm9vdHN0cmFwX3Rva2'
-    'Vu');
-
-@$core.Deprecated('Use authChallengeDescriptor instead')
-const AuthChallenge$json = {
-  '1': 'AuthChallenge',
-  '2': [
-    {'1': 'nonce', '3': 2, '4': 1, '5': 5, '10': 'nonce'},
-  ],
-  '9': [
-    {'1': 1, '2': 2},
-  ],
-};
-
-/// Descriptor for `AuthChallenge`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeDescriptor = $convert.base64Decode(
-    'Cg1BdXRoQ2hhbGxlbmdlEhQKBW5vbmNlGAIgASgFUgVub25jZUoECAEQAg==');
-
-@$core.Deprecated('Use authChallengeSolutionDescriptor instead')
-const AuthChallengeSolution$json = {
-  '1': 'AuthChallengeSolution',
-  '2': [
-    {'1': 'signature', '3': 1, '4': 1, '5': 12, '10': 'signature'},
-  ],
-};
-
-/// Descriptor for `AuthChallengeSolution`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeSolutionDescriptor = $convert.base64Decode(
-    'ChVBdXRoQ2hhbGxlbmdlU29sdXRpb24SHAoJc2lnbmF0dXJlGAEgASgMUglzaWduYXR1cmU=');
-
-@$core.Deprecated('Use unsealStartDescriptor instead')
-const UnsealStart$json = {
-  '1': 'UnsealStart',
-  '2': [
-    {'1': 'client_pubkey', '3': 1, '4': 1, '5': 12, '10': 'clientPubkey'},
-  ],
-};
-
-/// Descriptor for `UnsealStart`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List unsealStartDescriptor = $convert.base64Decode(
-    'CgtVbnNlYWxTdGFydBIjCg1jbGllbnRfcHVia2V5GAEgASgMUgxjbGllbnRQdWJrZXk=');
-
-@$core.Deprecated('Use unsealStartResponseDescriptor instead')
-const UnsealStartResponse$json = {
-  '1': 'UnsealStartResponse',
-  '2': [
-    {'1': 'server_pubkey', '3': 1, '4': 1, '5': 12, '10': 'serverPubkey'},
-  ],
-};
-
-/// Descriptor for `UnsealStartResponse`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List unsealStartResponseDescriptor = $convert.base64Decode(
-    'ChNVbnNlYWxTdGFydFJlc3BvbnNlEiMKDXNlcnZlcl9wdWJrZXkYASABKAxSDHNlcnZlclB1Ym'
-    'tleQ==');
-
-@$core.Deprecated('Use unsealEncryptedKeyDescriptor instead')
-const UnsealEncryptedKey$json = {
-  '1': 'UnsealEncryptedKey',
-  '2': [
-    {'1': 'nonce', '3': 1, '4': 1, '5': 12, '10': 'nonce'},
-    {'1': 'ciphertext', '3': 2, '4': 1, '5': 12, '10': 'ciphertext'},
-    {'1': 'associated_data', '3': 3, '4': 1, '5': 12, '10': 'associatedData'},
-  ],
-};
-
-/// Descriptor for `UnsealEncryptedKey`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List unsealEncryptedKeyDescriptor = $convert.base64Decode(
-    'ChJVbnNlYWxFbmNyeXB0ZWRLZXkSFAoFbm9uY2UYASABKAxSBW5vbmNlEh4KCmNpcGhlcnRleH'
-    'QYAiABKAxSCmNpcGhlcnRleHQSJwoPYXNzb2NpYXRlZF9kYXRhGAMgASgMUg5hc3NvY2lhdGVk'
-    'RGF0YQ==');
-
-@$core.Deprecated('Use bootstrapEncryptedKeyDescriptor instead')
-const BootstrapEncryptedKey$json = {
-  '1': 'BootstrapEncryptedKey',
-  '2': [
-    {'1': 'nonce', '3': 1, '4': 1, '5': 12, '10': 'nonce'},
-    {'1': 'ciphertext', '3': 2, '4': 1, '5': 12, '10': 'ciphertext'},
-    {'1': 'associated_data', '3': 3, '4': 1, '5': 12, '10': 'associatedData'},
-  ],
-};
-
-/// Descriptor for `BootstrapEncryptedKey`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List bootstrapEncryptedKeyDescriptor = $convert.base64Decode(
-    'ChVCb290c3RyYXBFbmNyeXB0ZWRLZXkSFAoFbm9uY2UYASABKAxSBW5vbmNlEh4KCmNpcGhlcn'
-    'RleHQYAiABKAxSCmNpcGhlcnRleHQSJwoPYXNzb2NpYXRlZF9kYXRhGAMgASgMUg5hc3NvY2lh'
-    'dGVkRGF0YQ==');
-
-@$core.Deprecated('Use sdkClientConnectionRequestDescriptor instead')
-const SdkClientConnectionRequest$json = {
-  '1': 'SdkClientConnectionRequest',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-    {
-      '1': 'info',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.client.ClientInfo',
-      '10': 'info'
-    },
-  ],
-};
-
-/// Descriptor for `SdkClientConnectionRequest`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientConnectionRequestDescriptor =
-    $convert.base64Decode(
-        'ChpTZGtDbGllbnRDb25uZWN0aW9uUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRIuCg'
-        'RpbmZvGAIgASgLMhouYXJiaXRlci5jbGllbnQuQ2xpZW50SW5mb1IEaW5mbw==');
-
-@$core.Deprecated('Use sdkClientConnectionResponseDescriptor instead')
-const SdkClientConnectionResponse$json = {
-  '1': 'SdkClientConnectionResponse',
-  '2': [
-    {'1': 'approved', '3': 1, '4': 1, '5': 8, '10': 'approved'},
-    {'1': 'pubkey', '3': 2, '4': 1, '5': 12, '10': 'pubkey'},
-  ],
-};
-
-/// Descriptor for `SdkClientConnectionResponse`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientConnectionResponseDescriptor =
-    $convert.base64Decode(
-        'ChtTZGtDbGllbnRDb25uZWN0aW9uUmVzcG9uc2USGgoIYXBwcm92ZWQYASABKAhSCGFwcHJvdm'
-        'VkEhYKBnB1YmtleRgCIAEoDFIGcHVia2V5');
-
-@$core.Deprecated('Use sdkClientConnectionCancelDescriptor instead')
-const SdkClientConnectionCancel$json = {
-  '1': 'SdkClientConnectionCancel',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-  ],
-};
-
-/// Descriptor for `SdkClientConnectionCancel`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientConnectionCancelDescriptor =
-    $convert.base64Decode(
-        'ChlTZGtDbGllbnRDb25uZWN0aW9uQ2FuY2VsEhYKBnB1YmtleRgBIAEoDFIGcHVia2V5');
-
-@$core.Deprecated('Use walletAccessDescriptor instead')
-const WalletAccess$json = {
-  '1': 'WalletAccess',
-  '2': [
-    {'1': 'wallet_id', '3': 1, '4': 1, '5': 5, '10': 'walletId'},
-    {'1': 'sdk_client_id', '3': 2, '4': 1, '5': 5, '10': 'sdkClientId'},
-  ],
-};
-
-/// Descriptor for `WalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List walletAccessDescriptor = $convert.base64Decode(
-    'CgxXYWxsZXRBY2Nlc3MSGwoJd2FsbGV0X2lkGAEgASgFUgh3YWxsZXRJZBIiCg1zZGtfY2xpZW'
-    '50X2lkGAIgASgFUgtzZGtDbGllbnRJZA==');
-
-@$core.Deprecated('Use sdkClientWalletAccessDescriptor instead')
-const SdkClientWalletAccess$json = {
-  '1': 'SdkClientWalletAccess',
-  '2': [
-    {'1': 'id', '3': 1, '4': 1, '5': 5, '10': 'id'},
-    {
-      '1': 'access',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.WalletAccess',
-      '10': 'access'
-    },
-  ],
-};
-
-/// Descriptor for `SdkClientWalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientWalletAccessDescriptor = $convert.base64Decode(
-    'ChVTZGtDbGllbnRXYWxsZXRBY2Nlc3MSDgoCaWQYASABKAVSAmlkEjgKBmFjY2VzcxgCIAEoCz'
-    'IgLmFyYml0ZXIudXNlcl9hZ2VudC5XYWxsZXRBY2Nlc3NSBmFjY2Vzcw==');
-
-@$core.Deprecated('Use sdkClientGrantWalletAccessDescriptor instead')
-const SdkClientGrantWalletAccess$json = {
-  '1': 'SdkClientGrantWalletAccess',
-  '2': [
-    {
-      '1': 'accesses',
-      '3': 1,
-      '4': 3,
-      '5': 11,
-      '6': '.arbiter.user_agent.WalletAccess',
-      '10': 'accesses'
-    },
-  ],
-};
-
-/// Descriptor for `SdkClientGrantWalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientGrantWalletAccessDescriptor =
-    $convert.base64Decode(
-        'ChpTZGtDbGllbnRHcmFudFdhbGxldEFjY2VzcxI8CghhY2Nlc3NlcxgBIAMoCzIgLmFyYml0ZX'
-        'IudXNlcl9hZ2VudC5XYWxsZXRBY2Nlc3NSCGFjY2Vzc2Vz');
-
-@$core.Deprecated('Use sdkClientRevokeWalletAccessDescriptor instead')
-const SdkClientRevokeWalletAccess$json = {
-  '1': 'SdkClientRevokeWalletAccess',
-  '2': [
-    {'1': 'accesses', '3': 1, '4': 3, '5': 5, '10': 'accesses'},
-  ],
-};
-
-/// Descriptor for `SdkClientRevokeWalletAccess`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List sdkClientRevokeWalletAccessDescriptor =
-    $convert.base64Decode(
-        'ChtTZGtDbGllbnRSZXZva2VXYWxsZXRBY2Nlc3MSGgoIYWNjZXNzZXMYASADKAVSCGFjY2Vzc2'
-        'Vz');
-
-@$core.Deprecated('Use listWalletAccessResponseDescriptor instead')
-const ListWalletAccessResponse$json = {
-  '1': 'ListWalletAccessResponse',
-  '2': [
-    {
-      '1': 'accesses',
-      '3': 1,
-      '4': 3,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientWalletAccess',
-      '10': 'accesses'
-    },
-  ],
-};
-
-/// Descriptor for `ListWalletAccessResponse`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List listWalletAccessResponseDescriptor =
-    $convert.base64Decode(
-        'ChhMaXN0V2FsbGV0QWNjZXNzUmVzcG9uc2USRQoIYWNjZXNzZXMYASADKAsyKS5hcmJpdGVyLn'
-        'VzZXJfYWdlbnQuU2RrQ2xpZW50V2FsbGV0QWNjZXNzUghhY2Nlc3Nlcw==');
-
 @$core.Deprecated('Use userAgentRequestDescriptor instead')
 const UserAgentRequest$json = {
   '1': 'UserAgentRequest',
   '2': [
     {'1': 'id', '3': 16, '4': 1, '5': 5, '10': 'id'},
     {
-      '1': 'auth_challenge_request',
+      '1': 'auth',
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.AuthChallengeRequest',
+      '6': '.arbiter.user_agent.auth.Request',
       '9': 0,
-      '10': 'authChallengeRequest'
+      '10': 'auth'
     },
     {
-      '1': 'auth_challenge_solution',
+      '1': 'vault',
       '3': 2,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.AuthChallengeSolution',
+      '6': '.arbiter.user_agent.vault.Request',
       '9': 0,
-      '10': 'authChallengeSolution'
+      '10': 'vault'
     },
     {
-      '1': 'unseal_start',
+      '1': 'evm',
       '3': 3,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.UnsealStart',
+      '6': '.arbiter.user_agent.evm.Request',
       '9': 0,
-      '10': 'unsealStart'
+      '10': 'evm'
     },
     {
-      '1': 'unseal_encrypted_key',
+      '1': 'sdk_client',
       '3': 4,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.UnsealEncryptedKey',
+      '6': '.arbiter.user_agent.sdk_client.Request',
       '9': 0,
-      '10': 'unsealEncryptedKey'
+      '10': 'sdkClient'
-    },
-    {
-      '1': 'query_vault_state',
-      '3': 5,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'queryVaultState'
-    },
-    {
-      '1': 'evm_wallet_create',
-      '3': 6,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'evmWalletCreate'
-    },
-    {
-      '1': 'evm_wallet_list',
-      '3': 7,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'evmWalletList'
-    },
-    {
-      '1': 'evm_grant_create',
-      '3': 8,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantCreateRequest',
-      '9': 0,
-      '10': 'evmGrantCreate'
-    },
-    {
-      '1': 'evm_grant_delete',
-      '3': 9,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantDeleteRequest',
-      '9': 0,
-      '10': 'evmGrantDelete'
-    },
-    {
-      '1': 'evm_grant_list',
-      '3': 10,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantListRequest',
-      '9': 0,
-      '10': 'evmGrantList'
-    },
-    {
-      '1': 'sdk_client_connection_response',
-      '3': 11,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientConnectionResponse',
-      '9': 0,
-      '10': 'sdkClientConnectionResponse'
-    },
-    {
-      '1': 'sdk_client_revoke',
-      '3': 12,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientRevokeRequest',
-      '9': 0,
-      '10': 'sdkClientRevoke'
-    },
-    {
-      '1': 'sdk_client_list',
-      '3': 13,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'sdkClientList'
-    },
-    {
-      '1': 'bootstrap_encrypted_key',
-      '3': 14,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.BootstrapEncryptedKey',
-      '9': 0,
-      '10': 'bootstrapEncryptedKey'
-    },
-    {
-      '1': 'grant_wallet_access',
-      '3': 15,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientGrantWalletAccess',
-      '9': 0,
-      '10': 'grantWalletAccess'
-    },
-    {
-      '1': 'revoke_wallet_access',
-      '3': 17,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientRevokeWalletAccess',
-      '9': 0,
-      '10': 'revokeWalletAccess'
-    },
-    {
-      '1': 'list_wallet_access',
-      '3': 18,
-      '4': 1,
-      '5': 11,
-      '6': '.google.protobuf.Empty',
-      '9': 0,
-      '10': 'listWalletAccess'
     },
   ],
   '8': [
@@ -675,33 +64,12 @@ const UserAgentRequest$json = {
 
 /// Descriptor for `UserAgentRequest`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List userAgentRequestDescriptor = $convert.base64Decode(
-    'ChBVc2VyQWdlbnRSZXF1ZXN0Eg4KAmlkGBAgASgFUgJpZBJgChZhdXRoX2NoYWxsZW5nZV9yZX'
+    'ChBVc2VyQWdlbnRSZXF1ZXN0Eg4KAmlkGBAgASgFUgJpZBI2CgRhdXRoGAEgASgLMiAuYXJiaX'
-    'F1ZXN0GAEgASgLMiguYXJiaXRlci51c2VyX2FnZW50LkF1dGhDaGFsbGVuZ2VSZXF1ZXN0SABS'
+    'Rlci51c2VyX2FnZW50LmF1dGguUmVxdWVzdEgAUgRhdXRoEjkKBXZhdWx0GAIgASgLMiEuYXJi'
-    'FGF1dGhDaGFsbGVuZ2VSZXF1ZXN0EmMKF2F1dGhfY2hhbGxlbmdlX3NvbHV0aW9uGAIgASgLMi'
+    'aXRlci51c2VyX2FnZW50LnZhdWx0LlJlcXVlc3RIAFIFdmF1bHQSMwoDZXZtGAMgASgLMh8uYX'
-    'kuYXJiaXRlci51c2VyX2FnZW50LkF1dGhDaGFsbGVuZ2VTb2x1dGlvbkgAUhVhdXRoQ2hhbGxl'
+    'JiaXRlci51c2VyX2FnZW50LmV2bS5SZXF1ZXN0SABSA2V2bRJHCgpzZGtfY2xpZW50GAQgASgL'
-    'bmdlU29sdXRpb24SRAoMdW5zZWFsX3N0YXJ0GAMgASgLMh8uYXJiaXRlci51c2VyX2FnZW50Ll'
+    'MiYuYXJiaXRlci51c2VyX2FnZW50LnNka19jbGllbnQuUmVxdWVzdEgAUglzZGtDbGllbnRCCQ'
-    'Vuc2VhbFN0YXJ0SABSC3Vuc2VhbFN0YXJ0EloKFHVuc2VhbF9lbmNyeXB0ZWRfa2V5GAQgASgL'
+    'oHcGF5bG9hZA==');
-    'MiYuYXJiaXRlci51c2VyX2FnZW50LlVuc2VhbEVuY3J5cHRlZEtleUgAUhJ1bnNlYWxFbmNyeX'
-    'B0ZWRLZXkSRAoRcXVlcnlfdmF1bHRfc3RhdGUYBSABKAsyFi5nb29nbGUucHJvdG9idWYuRW1w'
-    'dHlIAFIPcXVlcnlWYXVsdFN0YXRlEkQKEWV2bV93YWxsZXRfY3JlYXRlGAYgASgLMhYuZ29vZ2'
-    'xlLnByb3RvYnVmLkVtcHR5SABSD2V2bVdhbGxldENyZWF0ZRJACg9ldm1fd2FsbGV0X2xpc3QY'
-    'ByABKAsyFi5nb29nbGUucHJvdG9idWYuRW1wdHlIAFINZXZtV2FsbGV0TGlzdBJOChBldm1fZ3'
-    'JhbnRfY3JlYXRlGAggASgLMiIuYXJiaXRlci5ldm0uRXZtR3JhbnRDcmVhdGVSZXF1ZXN0SABS'
-    'DmV2bUdyYW50Q3JlYXRlEk4KEGV2bV9ncmFudF9kZWxldGUYCSABKAsyIi5hcmJpdGVyLmV2bS'
-    '5Fdm1HcmFudERlbGV0ZVJlcXVlc3RIAFIOZXZtR3JhbnREZWxldGUSSAoOZXZtX2dyYW50X2xp'
-    'c3QYCiABKAsyIC5hcmJpdGVyLmV2bS5Fdm1HcmFudExpc3RSZXF1ZXN0SABSDGV2bUdyYW50TG'
-    'lzdBJ2Ch5zZGtfY2xpZW50X2Nvbm5lY3Rpb25fcmVzcG9uc2UYCyABKAsyLy5hcmJpdGVyLnVz'
-    'ZXJfYWdlbnQuU2RrQ2xpZW50Q29ubmVjdGlvblJlc3BvbnNlSABSG3Nka0NsaWVudENvbm5lY3'
-    'Rpb25SZXNwb25zZRJYChFzZGtfY2xpZW50X3Jldm9rZRgMIAEoCzIqLmFyYml0ZXIudXNlcl9h'
-    'Z2VudC5TZGtDbGllbnRSZXZva2VSZXF1ZXN0SABSD3Nka0NsaWVudFJldm9rZRJACg9zZGtfY2'
-    'xpZW50X2xpc3QYDSABKAsyFi5nb29nbGUucHJvdG9idWYuRW1wdHlIAFINc2RrQ2xpZW50TGlz'
-    'dBJjChdib290c3RyYXBfZW5jcnlwdGVkX2tleRgOIAEoCzIpLmFyYml0ZXIudXNlcl9hZ2VudC'
-    '5Cb290c3RyYXBFbmNyeXB0ZWRLZXlIAFIVYm9vdHN0cmFwRW5jcnlwdGVkS2V5EmAKE2dyYW50'
-    'X3dhbGxldF9hY2Nlc3MYDyABKAsyLi5hcmJpdGVyLnVzZXJfYWdlbnQuU2RrQ2xpZW50R3Jhbn'
-    'RXYWxsZXRBY2Nlc3NIAFIRZ3JhbnRXYWxsZXRBY2Nlc3MSYwoUcmV2b2tlX3dhbGxldF9hY2Nl'
-    'c3MYESABKAsyLy5hcmJpdGVyLnVzZXJfYWdlbnQuU2RrQ2xpZW50UmV2b2tlV2FsbGV0QWNjZX'
-    'NzSABSEnJldm9rZVdhbGxldEFjY2VzcxJGChJsaXN0X3dhbGxldF9hY2Nlc3MYEiABKAsyFi5n'
-    'b29nbGUucHJvdG9idWYuRW1wdHlIAFIQbGlzdFdhbGxldEFjY2Vzc0IJCgdwYXlsb2Fk');
 
 @$core.Deprecated('Use userAgentResponseDescriptor instead')
 const UserAgentResponse$json = {
@@ -709,148 +77,40 @@ const UserAgentResponse$json = {
   '2': [
     {'1': 'id', '3': 16, '4': 1, '5': 5, '9': 1, '10': 'id', '17': true},
     {
-      '1': 'auth_challenge',
+      '1': 'auth',
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.AuthChallenge',
+      '6': '.arbiter.user_agent.auth.Response',
       '9': 0,
-      '10': 'authChallenge'
+      '10': 'auth'
     },
     {
-      '1': 'auth_result',
+      '1': 'vault',
       '3': 2,
       '4': 1,
-      '5': 14,
+      '5': 11,
-      '6': '.arbiter.user_agent.AuthResult',
+      '6': '.arbiter.user_agent.vault.Response',
       '9': 0,
-      '10': 'authResult'
+      '10': 'vault'
     },
     {
-      '1': 'unseal_start_response',
+      '1': 'evm',
       '3': 3,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.user_agent.UnsealStartResponse',
+      '6': '.arbiter.user_agent.evm.Response',
       '9': 0,
-      '10': 'unsealStartResponse'
+      '10': 'evm'
     },
     {
-      '1': 'unseal_result',
+      '1': 'sdk_client',
       '3': 4,
       '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.UnsealResult',
-      '9': 0,
-      '10': 'unsealResult'
-    },
-    {
-      '1': 'vault_state',
-      '3': 5,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.VaultState',
-      '9': 0,
-      '10': 'vaultState'
-    },
-    {
-      '1': 'evm_wallet_create',
-      '3': 6,
-      '4': 1,
       '5': 11,
-      '6': '.arbiter.evm.WalletCreateResponse',
+      '6': '.arbiter.user_agent.sdk_client.Response',
       '9': 0,
-      '10': 'evmWalletCreate'
+      '10': 'sdkClient'
-    },
-    {
-      '1': 'evm_wallet_list',
-      '3': 7,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.WalletListResponse',
-      '9': 0,
-      '10': 'evmWalletList'
-    },
-    {
-      '1': 'evm_grant_create',
-      '3': 8,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantCreateResponse',
-      '9': 0,
-      '10': 'evmGrantCreate'
-    },
-    {
-      '1': 'evm_grant_delete',
-      '3': 9,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantDeleteResponse',
-      '9': 0,
-      '10': 'evmGrantDelete'
-    },
-    {
-      '1': 'evm_grant_list',
-      '3': 10,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmGrantListResponse',
-      '9': 0,
-      '10': 'evmGrantList'
-    },
-    {
-      '1': 'sdk_client_connection_request',
-      '3': 11,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientConnectionRequest',
-      '9': 0,
-      '10': 'sdkClientConnectionRequest'
-    },
-    {
-      '1': 'sdk_client_connection_cancel',
-      '3': 12,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientConnectionCancel',
-      '9': 0,
-      '10': 'sdkClientConnectionCancel'
-    },
-    {
-      '1': 'sdk_client_revoke_response',
-      '3': 13,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientRevokeResponse',
-      '9': 0,
-      '10': 'sdkClientRevokeResponse'
-    },
-    {
-      '1': 'sdk_client_list_response',
-      '3': 14,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.SdkClientListResponse',
-      '9': 0,
-      '10': 'sdkClientListResponse'
-    },
-    {
-      '1': 'bootstrap_result',
-      '3': 15,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.user_agent.BootstrapResult',
-      '9': 0,
-      '10': 'bootstrapResult'
-    },
-    {
-      '1': 'list_wallet_access_response',
-      '3': 17,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.user_agent.ListWalletAccessResponse',
-      '9': 0,
-      '10': 'listWalletAccessResponse'
     },
   ],
   '8': [
@@ -861,30 +121,9 @@ const UserAgentResponse$json = {
 
 /// Descriptor for `UserAgentResponse`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List userAgentResponseDescriptor = $convert.base64Decode(
-    'ChFVc2VyQWdlbnRSZXNwb25zZRITCgJpZBgQIAEoBUgBUgJpZIgBARJKCg5hdXRoX2NoYWxsZW'
+    'ChFVc2VyQWdlbnRSZXNwb25zZRITCgJpZBgQIAEoBUgBUgJpZIgBARI3CgRhdXRoGAEgASgLMi'
-    '5nZRgBIAEoCzIhLmFyYml0ZXIudXNlcl9hZ2VudC5BdXRoQ2hhbGxlbmdlSABSDWF1dGhDaGFs'
+    'EuYXJiaXRlci51c2VyX2FnZW50LmF1dGguUmVzcG9uc2VIAFIEYXV0aBI6CgV2YXVsdBgCIAEo'
-    'bGVuZ2USQQoLYXV0aF9yZXN1bHQYAiABKA4yHi5hcmJpdGVyLnVzZXJfYWdlbnQuQXV0aFJlc3'
+    'CzIiLmFyYml0ZXIudXNlcl9hZ2VudC52YXVsdC5SZXNwb25zZUgAUgV2YXVsdBI0CgNldm0YAy'
-    'VsdEgAUgphdXRoUmVzdWx0El0KFXVuc2VhbF9zdGFydF9yZXNwb25zZRgDIAEoCzInLmFyYml0'
+    'ABKAsyIC5hcmJpdGVyLnVzZXJfYWdlbnQuZXZtLlJlc3BvbnNlSABSA2V2bRJICgpzZGtfY2xp'
-    'ZXIudXNlcl9hZ2VudC5VbnNlYWxTdGFydFJlc3BvbnNlSABSE3Vuc2VhbFN0YXJ0UmVzcG9uc2'
+    'ZW50GAQgASgLMicuYXJiaXRlci51c2VyX2FnZW50LnNka19jbGllbnQuUmVzcG9uc2VIAFIJc2'
-    'USRwoNdW5zZWFsX3Jlc3VsdBgEIAEoDjIgLmFyYml0ZXIudXNlcl9hZ2VudC5VbnNlYWxSZXN1'
+    'RrQ2xpZW50QgkKB3BheWxvYWRCBQoDX2lk');
-    'bHRIAFIMdW5zZWFsUmVzdWx0EkEKC3ZhdWx0X3N0YXRlGAUgASgOMh4uYXJiaXRlci51c2VyX2'
-    'FnZW50LlZhdWx0U3RhdGVIAFIKdmF1bHRTdGF0ZRJPChFldm1fd2FsbGV0X2NyZWF0ZRgGIAEo'
-    'CzIhLmFyYml0ZXIuZXZtLldhbGxldENyZWF0ZVJlc3BvbnNlSABSD2V2bVdhbGxldENyZWF0ZR'
-    'JJCg9ldm1fd2FsbGV0X2xpc3QYByABKAsyHy5hcmJpdGVyLmV2bS5XYWxsZXRMaXN0UmVzcG9u'
-    'c2VIAFINZXZtV2FsbGV0TGlzdBJPChBldm1fZ3JhbnRfY3JlYXRlGAggASgLMiMuYXJiaXRlci'
-    '5ldm0uRXZtR3JhbnRDcmVhdGVSZXNwb25zZUgAUg5ldm1HcmFudENyZWF0ZRJPChBldm1fZ3Jh'
-    'bnRfZGVsZXRlGAkgASgLMiMuYXJiaXRlci5ldm0uRXZtR3JhbnREZWxldGVSZXNwb25zZUgAUg'
-    '5ldm1HcmFudERlbGV0ZRJJCg5ldm1fZ3JhbnRfbGlzdBgKIAEoCzIhLmFyYml0ZXIuZXZtLkV2'
-    'bUdyYW50TGlzdFJlc3BvbnNlSABSDGV2bUdyYW50TGlzdBJzCh1zZGtfY2xpZW50X2Nvbm5lY3'
-    'Rpb25fcmVxdWVzdBgLIAEoCzIuLmFyYml0ZXIudXNlcl9hZ2VudC5TZGtDbGllbnRDb25uZWN0'
-    'aW9uUmVxdWVzdEgAUhpzZGtDbGllbnRDb25uZWN0aW9uUmVxdWVzdBJwChxzZGtfY2xpZW50X2'
-    'Nvbm5lY3Rpb25fY2FuY2VsGAwgASgLMi0uYXJiaXRlci51c2VyX2FnZW50LlNka0NsaWVudENv'
-    'bm5lY3Rpb25DYW5jZWxIAFIZc2RrQ2xpZW50Q29ubmVjdGlvbkNhbmNlbBJqChpzZGtfY2xpZW'
-    '50X3Jldm9rZV9yZXNwb25zZRgNIAEoCzIrLmFyYml0ZXIudXNlcl9hZ2VudC5TZGtDbGllbnRS'
-    'ZXZva2VSZXNwb25zZUgAUhdzZGtDbGllbnRSZXZva2VSZXNwb25zZRJkChhzZGtfY2xpZW50X2'
-    'xpc3RfcmVzcG9uc2UYDiABKAsyKS5hcmJpdGVyLnVzZXJfYWdlbnQuU2RrQ2xpZW50TGlzdFJl'
-    'c3BvbnNlSABSFXNka0NsaWVudExpc3RSZXNwb25zZRJQChBib290c3RyYXBfcmVzdWx0GA8gAS'
-    'gOMiMuYXJiaXRlci51c2VyX2FnZW50LkJvb3RzdHJhcFJlc3VsdEgAUg9ib290c3RyYXBSZXN1'
-    'bHQSbQobbGlzdF93YWxsZXRfYWNjZXNzX3Jlc3BvbnNlGBEgASgLMiwuYXJiaXRlci51c2VyX2'
-    'FnZW50Lkxpc3RXYWxsZXRBY2Nlc3NSZXNwb25zZUgAUhhsaXN0V2FsbGV0QWNjZXNzUmVzcG9u'
-    'c2VCCQoHcGF5bG9hZEIFCgNfaWQ=');

useragent/lib/proto/user_agent/auth.pb.dart

@@ -0,0 +1,391 @@
+// This is a generated file - do not edit.
+//
+// Generated from user_agent/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+import 'auth.pbenum.dart';
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+export 'auth.pbenum.dart';
+
+class AuthChallengeRequest extends $pb.GeneratedMessage {
+  factory AuthChallengeRequest({
+    $core.List<$core.int>? pubkey,
+    $core.String? bootstrapToken,
+    KeyType? keyType,
+  }) {
+    final result = create();
+    if (pubkey != null) result.pubkey = pubkey;
+    if (bootstrapToken != null) result.bootstrapToken = bootstrapToken;
+    if (keyType != null) result.keyType = keyType;
+    return result;
+  }
+
+  AuthChallengeRequest._();
+
+  factory AuthChallengeRequest.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallengeRequest.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallengeRequest',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..aOS(2, _omitFieldNames ? '' : 'bootstrapToken')
+    ..aE<KeyType>(3, _omitFieldNames ? '' : 'keyType',
+        enumValues: KeyType.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeRequest clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeRequest copyWith(void Function(AuthChallengeRequest) updates) =>
+      super.copyWith((message) => updates(message as AuthChallengeRequest))
+          as AuthChallengeRequest;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeRequest create() => AuthChallengeRequest._();
+  @$core.override
+  AuthChallengeRequest createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeRequest getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallengeRequest>(create);
+  static AuthChallengeRequest? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get pubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearPubkey() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.String get bootstrapToken => $_getSZ(1);
+  @$pb.TagNumber(2)
+  set bootstrapToken($core.String value) => $_setString(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasBootstrapToken() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearBootstrapToken() => $_clearField(2);
+
+  @$pb.TagNumber(3)
+  KeyType get keyType => $_getN(2);
+  @$pb.TagNumber(3)
+  set keyType(KeyType value) => $_setField(3, value);
+  @$pb.TagNumber(3)
+  $core.bool hasKeyType() => $_has(2);
+  @$pb.TagNumber(3)
+  void clearKeyType() => $_clearField(3);
+}
+
+class AuthChallenge extends $pb.GeneratedMessage {
+  factory AuthChallenge({
+    $core.int? nonce,
+  }) {
+    final result = create();
+    if (nonce != null) result.nonce = nonce;
+    return result;
+  }
+
+  AuthChallenge._();
+
+  factory AuthChallenge.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallenge.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallenge',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.auth'),
+      createEmptyInstance: create)
+    ..aI(1, _omitFieldNames ? '' : 'nonce')
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallenge clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallenge copyWith(void Function(AuthChallenge) updates) =>
+      super.copyWith((message) => updates(message as AuthChallenge))
+          as AuthChallenge;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallenge create() => AuthChallenge._();
+  @$core.override
+  AuthChallenge createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallenge getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallenge>(create);
+  static AuthChallenge? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.int get nonce => $_getIZ(0);
+  @$pb.TagNumber(1)
+  set nonce($core.int value) => $_setSignedInt32(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasNonce() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearNonce() => $_clearField(1);
+}
+
+class AuthChallengeSolution extends $pb.GeneratedMessage {
+  factory AuthChallengeSolution({
+    $core.List<$core.int>? signature,
+  }) {
+    final result = create();
+    if (signature != null) result.signature = signature;
+    return result;
+  }
+
+  AuthChallengeSolution._();
+
+  factory AuthChallengeSolution.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallengeSolution.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallengeSolution',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeSolution clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeSolution copyWith(
+          void Function(AuthChallengeSolution) updates) =>
+      super.copyWith((message) => updates(message as AuthChallengeSolution))
+          as AuthChallengeSolution;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeSolution create() => AuthChallengeSolution._();
+  @$core.override
+  AuthChallengeSolution createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeSolution getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallengeSolution>(create);
+  static AuthChallengeSolution? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get signature => $_getN(0);
+  @$pb.TagNumber(1)
+  set signature($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSignature() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSignature() => $_clearField(1);
+}
+
+enum Request_Payload { challengeRequest, challengeSolution, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    AuthChallengeRequest? challengeRequest,
+    AuthChallengeSolution? challengeSolution,
+  }) {
+    final result = create();
+    if (challengeRequest != null) result.challengeRequest = challengeRequest;
+    if (challengeSolution != null) result.challengeSolution = challengeSolution;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.challengeRequest,
+    2: Request_Payload.challengeSolution,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.auth'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<AuthChallengeRequest>(1, _omitFieldNames ? '' : 'challengeRequest',
+        subBuilder: AuthChallengeRequest.create)
+    ..aOM<AuthChallengeSolution>(2, _omitFieldNames ? '' : 'challengeSolution',
+        subBuilder: AuthChallengeSolution.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  AuthChallengeRequest get challengeRequest => $_getN(0);
+  @$pb.TagNumber(1)
+  set challengeRequest(AuthChallengeRequest value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasChallengeRequest() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearChallengeRequest() => $_clearField(1);
+  @$pb.TagNumber(1)
+  AuthChallengeRequest ensureChallengeRequest() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  AuthChallengeSolution get challengeSolution => $_getN(1);
+  @$pb.TagNumber(2)
+  set challengeSolution(AuthChallengeSolution value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasChallengeSolution() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearChallengeSolution() => $_clearField(2);
+  @$pb.TagNumber(2)
+  AuthChallengeSolution ensureChallengeSolution() => $_ensure(1);
+}
+
+enum Response_Payload { challenge, result, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    AuthChallenge? challenge,
+    AuthResult? result,
+  }) {
+    final result$ = create();
+    if (challenge != null) result$.challenge = challenge;
+    if (result != null) result$.result = result;
+    return result$;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.challenge,
+    2: Response_Payload.result,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.user_agent.auth'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<AuthChallenge>(1, _omitFieldNames ? '' : 'challenge',
+        subBuilder: AuthChallenge.create)
+    ..aE<AuthResult>(2, _omitFieldNames ? '' : 'result',
+        enumValues: AuthResult.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  AuthChallenge get challenge => $_getN(0);
+  @$pb.TagNumber(1)
+  set challenge(AuthChallenge value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasChallenge() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearChallenge() => $_clearField(1);
+  @$pb.TagNumber(1)
+  AuthChallenge ensureChallenge() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  AuthResult get result => $_getN(1);
+  @$pb.TagNumber(2)
+  set result(AuthResult value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasResult() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearResult() => $_clearField(2);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');