housekeeping(useragent): rename

ARCHITECTURE.md

@@ -3,7 +3,6 @@
 Arbiter is a permissioned signing service for cryptocurrency wallets. It runs as a background service on the user's machine with an optional client application for vault management.
 
 **Core principle:** The vault NEVER exposes key material. It only produces signatures when a request satisfies the configured policies.
-
 ---
 
 ## 1. Peer Types

LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 MarketTakers
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

README.md

@@ -0,0 +1,13 @@
+# Arbiter
+> Policy-first multi-client wallet daemon, allowing permissioned transactions across blockchains
+
+## Security warning
+Arbiter can't meaningfully protect against host compromise. Potential attack flow:
+- Attacker steals TLS keys from database
+- Pretends to be server; just accepts user agent challenge solutions
+- Pretend to be in sealed state and performing DH with client
+- Steals user password and derives seal key
+
+While this attack is highly targetive, it's still possible. 
+
+> This software is experimental. Do not use with funds you cannot afford to lose.

app/pubspec.yaml

@@ -1,89 +0,0 @@
-name: app
-description: "A new Flutter project."
-# The following line prevents the package from being accidentally published to
-# pub.dev using `flutter pub publish`. This is preferred for private packages.
-publish_to: 'none' # Remove this line if you wish to publish to pub.dev
-
-# The following defines the version and build number for your application.
-# A version number is three numbers separated by dots, like 1.2.43
-# followed by an optional build number separated by a +.
-# Both the version and the builder number may be overridden in flutter
-# build by specifying --build-name and --build-number, respectively.
-# In Android, build-name is used as versionName while build-number used as versionCode.
-# Read more about Android versioning at https://developer.android.com/studio/publish/versioning
-# In iOS, build-name is used as CFBundleShortVersionString while build-number is used as CFBundleVersion.
-# Read more about iOS versioning at
-# https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
-# In Windows, build-name is used as the major, minor, and patch parts
-# of the product and file versions while build-number is used as the build suffix.
-version: 1.0.0+1
-
-environment:
-  sdk: ^3.10.8
-
-# Dependencies specify other packages that your package needs in order to work.
-# To automatically upgrade your package dependencies to the latest versions
-# consider running `flutter pub upgrade --major-versions`. Alternatively,
-# dependencies can be manually updated by changing the version numbers below to
-# the latest version available on pub.dev. To see which dependencies have newer
-# versions available, run `flutter pub outdated`.
-dependencies:
-  flutter:
-    sdk: flutter
-
-  # The following adds the Cupertino Icons font to your application.
-  # Use with the CupertinoIcons class for iOS style icons.
-  cupertino_icons: ^1.0.8
-
-dev_dependencies:
-  flutter_test:
-    sdk: flutter
-
-  # The "flutter_lints" package below contains a set of recommended lints to
-  # encourage good coding practices. The lint set provided by the package is
-  # activated in the `analysis_options.yaml` file located at the root of your
-  # package. See that file for information about deactivating specific lint
-  # rules and activating additional ones.
-  flutter_lints: ^6.0.0
-
-# For information on the generic Dart part of this file, see the
-# following page: https://dart.dev/tools/pub/pubspec
-
-# The following section is specific to Flutter packages.
-flutter:
-
-  # The following line ensures that the Material Icons font is
-  # included with your application, so that you can use the icons in
-  # the material Icons class.
-  uses-material-design: true
-
-  # To add assets to your application, add an assets section, like this:
-  # assets:
-  #   - images/a_dot_burr.jpeg
-  #   - images/a_dot_ham.jpeg
-
-  # An image asset can refer to one or more resolution-specific "variants", see
-  # https://flutter.dev/to/resolution-aware-images
-
-  # For details regarding adding assets from package dependencies, see
-  # https://flutter.dev/to/asset-from-package
-
-  # To add custom fonts to your application, add a fonts section here,
-  # in this "flutter" section. Each entry in this list should have a
-  # "family" key with the font family name, and a "fonts" key with a
-  # list giving the asset and other descriptors for the font. For
-  # example:
-  # fonts:
-  #   - family: Schyler
-  #     fonts:
-  #       - asset: fonts/Schyler-Regular.ttf
-  #       - asset: fonts/Schyler-Italic.ttf
-  #         style: italic
-  #   - family: Trajan Pro
-  #     fonts:
-  #       - asset: fonts/TrajanPro.ttf
-  #       - asset: fonts/TrajanPro_Bold.ttf
-  #         weight: 700
-  #
-  # For details regarding fonts from package dependencies,
-  # see https://flutter.dev/to/font-from-package

server/Cargo.lock

@@ -59,14 +59,21 @@ version = "0.1.0"
 name = "arbiter-proto"
 version = "0.1.0"
 dependencies = [
+ "base64",
  "futures",
- "hex",
  "kameo",
+ "miette",
  "prost",
+ "rand",
+ "rcgen",
+ "rstest",
+ "rustls-pki-types",
+ "thiserror",
  "tokio",
  "tonic",
  "tonic-prost",
  "tonic-prost-build",
+ "url",
 ]
 
 [[package]]
@@ -88,6 +95,7 @@ dependencies = [
  "kameo",
  "memsafe",
  "miette",
+ "pem",
  "rand",
  "rcgen",
  "restructed",
@@ -109,6 +117,16 @@ dependencies = [
 [[package]]
 name = "arbiter-useragent"
 version = "0.1.0"
+dependencies = [
+ "arbiter-proto",
+ "ed25519-dalek",
+ "kameo",
+ "smlang",
+ "tokio",
+ "tonic",
+ "tracing",
+ "x25519-dalek",
+]
 
 [[package]]
 name = "argon2"
@@ -859,6 +877,15 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
 
+[[package]]
+name = "form_urlencoded"
+version = "1.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf"
+dependencies = [
+ "percent-encoding",
+]
+
 [[package]]
 name = "fs_extra"
 version = "1.3.0"
@@ -936,6 +963,12 @@ version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
 
+[[package]]
+name = "futures-timer"
+version = "3.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e2f72365f57b63326e29b24"
+
 [[package]]
 name = "futures-util"
 version = "0.3.32"
@@ -1006,6 +1039,12 @@ version = "0.32.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e629b9b98ef3dd8afe6ca2bd0f89306cec16d43d907889945bc5d6687f2f13c7"
 
+[[package]]
+name = "glob"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
+
 [[package]]
 name = "h2"
 version = "0.4.13"
@@ -1055,12 +1094,6 @@ version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
 
-[[package]]
-name = "hex"
-version = "0.4.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
-
 [[package]]
 name = "http"
 version = "1.4.0"
@@ -1195,6 +1228,87 @@ dependencies = [
  "cc",
 ]
 
+[[package]]
+name = "icu_collections"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
+dependencies = [
+ "displaydoc",
+ "potential_utf",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locale_core"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
+dependencies = [
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
+dependencies = [
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer_data"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"
+
+[[package]]
+name = "icu_properties"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec"
+dependencies = [
+ "icu_collections",
+ "icu_locale_core",
+ "icu_properties_data",
+ "icu_provider",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_properties_data"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"
+
+[[package]]
+name = "icu_provider"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
+dependencies = [
+ "displaydoc",
+ "icu_locale_core",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerotrie",
+ "zerovec",
+]
+
 [[package]]
 name = "id-arena"
 version = "2.3.0"
@@ -1207,6 +1321,27 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
 
+[[package]]
+name = "idna"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
+]
+
 [[package]]
 name = "indexmap"
 version = "2.13.0"
@@ -1342,6 +1477,12 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "df1d3c3b53da64cf5760482273a98e575c651a67eec7f77df96b5b642de8f039"
 
+[[package]]
+name = "litemap"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
+
 [[package]]
 name = "lock_api"
 version = "0.4.14"
@@ -1684,6 +1825,15 @@ version = "1.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
 
+[[package]]
+name = "potential_utf"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
+dependencies = [
+ "zerovec",
+]
+
 [[package]]
 name = "powerfmt"
 version = "0.2.0"
@@ -1700,6 +1850,15 @@ dependencies = [
  "syn 2.0.115",
 ]
 
+[[package]]
+name = "proc-macro-crate"
+version = "3.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "219cb19e96be00ab2e37d6e299658a0cfa83e52429179969b0f0121b4ac46983"
+dependencies = [
+ "toml_edit",
+]
+
 [[package]]
 name = "proc-macro-error"
 version = "1.0.4"
@@ -1900,6 +2059,12 @@ version = "0.8.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c"
 
+[[package]]
+name = "relative-path"
+version = "1.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba39f3699c378cd8970968dcbff9c43159ea4cfbd88d43c00b22f2ef10a435d2"
+
 [[package]]
 name = "restructed"
 version = "0.2.2"
@@ -1936,6 +2101,35 @@ dependencies = [
  "thiserror",
 ]
 
+[[package]]
+name = "rstest"
+version = "0.26.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f5a3193c063baaa2a95a33f03035c8a72b83d97a54916055ba22d35ed3839d49"
+dependencies = [
+ "futures-timer",
+ "futures-util",
+ "rstest_macros",
+]
+
+[[package]]
+name = "rstest_macros"
+version = "0.26.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c845311f0ff7951c5506121a9ad75aec44d083c31583b2ea5a30bcb0b0abba0"
+dependencies = [
+ "cfg-if",
+ "glob",
+ "proc-macro-crate",
+ "proc-macro2",
+ "quote",
+ "regex",
+ "relative-path",
+ "rustc_version",
+ "syn 2.0.115",
+ "unicode-ident",
+]
+
 [[package]]
 name = "rustc-demangle"
 version = "0.1.27"
@@ -2206,6 +2400,12 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
+
 [[package]]
 name = "string_morph"
 version = "0.1.0"
@@ -2419,6 +2619,16 @@ dependencies = [
  "time-core",
 ]
 
+[[package]]
+name = "tinystr"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
+dependencies = [
+ "displaydoc",
+ "zerovec",
+]
+
 [[package]]
 name = "tokio"
 version = "1.49.0"
@@ -2505,6 +2715,18 @@ dependencies = [
  "serde_core",
 ]
 
+[[package]]
+name = "toml_edit"
+version = "0.23.10+spec-1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "84c8b9f757e028cee9fa244aea147aab2a9ec09d5325a9b01e0a49730c2b5269"
+dependencies = [
+ "indexmap",
+ "toml_datetime",
+ "toml_parser",
+ "winnow",
+]
+
 [[package]]
 name = "toml_parser"
 version = "1.0.8+spec-1.1.0"
@@ -2747,6 +2969,24 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
+[[package]]
+name = "url"
+version = "2.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+ "serde",
+]
+
+[[package]]
+name = "utf8_iter"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
+
 [[package]]
 name = "uuid"
 version = "1.21.0"
@@ -3138,6 +3378,9 @@ name = "winnow"
 version = "0.7.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829"
+dependencies = [
+ "memchr",
+]
 
 [[package]]
 name = "wit-bindgen"
@@ -3227,6 +3470,12 @@ dependencies = [
  "wasmparser",
 ]
 
+[[package]]
+name = "writeable"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
+
 [[package]]
 name = "x25519-dalek"
 version = "2.0.1"
@@ -3266,6 +3515,50 @@ dependencies = [
  "time",
 ]
 
+[[package]]
+name = "yoke"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954"
+dependencies = [
+ "stable_deref_trait",
+ "yoke-derive",
+ "zerofrom",
+]
+
+[[package]]
+name = "yoke-derive"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.115",
+ "synstructure",
+]
+
+[[package]]
+name = "zerofrom"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
+dependencies = [
+ "zerofrom-derive",
+]
+
+[[package]]
+name = "zerofrom-derive"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.115",
+ "synstructure",
+]
+
 [[package]]
 name = "zeroize"
 version = "1.8.2"
@@ -3286,6 +3579,39 @@ dependencies = [
  "syn 2.0.115",
 ]
 
+[[package]]
+name = "zerotrie"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851"
+dependencies = [
+ "displaydoc",
+ "yoke",
+ "zerofrom",
+]
+
+[[package]]
+name = "zerovec"
+version = "0.11.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.115",
+]
+
 [[package]]
 name = "zmij"
 version = "1.0.21"

server/Cargo.toml

@@ -23,3 +23,12 @@ async-trait = "0.1.89"
 futures = "0.3.31"
 tokio-stream = { version = "0.1.18", features = ["full"] }
 kameo = "0.19.2"
+x25519-dalek = { version = "2.0.1", features = ["getrandom"] }
+rstest = "0.26.1"
+rustls-pki-types = "1.14.0"
+rcgen = { version = "0.14.7", features = [
+    "aws_lc_rs",
+    "pem",
+    "x509-parser",
+    "zeroize",
+], default-features = false }

server/crates/arbiter-client/Cargo.toml

@@ -3,5 +3,6 @@ name = "arbiter-client"
 version = "0.1.0"
 edition = "2024"
 repository = "https://git.markettakers.org/MarketTakers/arbiter"
+license = "Apache-2.0"
 
 [dependencies]

server/crates/arbiter-proto/Cargo.toml

@@ -3,17 +3,31 @@ name = "arbiter-proto"
 version = "0.1.0"
 edition = "2024"
 repository = "https://git.markettakers.org/MarketTakers/arbiter"
+license = "Apache-2.0"
 
 [dependencies]
 tonic.workspace = true
 tokio.workspace = true
 futures.workspace = true
-hex = "0.4.3"
 tonic-prost = "0.14.3"
 prost = "0.14.3"
 kameo.workspace = true
+url = "2.5.8"
+miette.workspace = true
+thiserror.workspace = true
+rustls-pki-types.workspace = true
+base64 = "0.22.1"
+
 
 [build-dependencies]
 tonic-prost-build = "0.14.3"
 
+[dev-dependencies]
+rstest.workspace = true
+rand.workspace = true
+rcgen.workspace = true
+
+[package.metadata.cargo-shear]
+ignored = ["tonic-prost", "prost", "kameo"]
+
 

server/crates/arbiter-proto/src/lib.rs

@@ -1,3 +1,8 @@
+pub mod transport;
+pub mod url;
+
+use base64::{Engine, prelude::BASE64_STANDARD};
+
 use crate::proto::auth::AuthChallenge;
 
 pub mod proto {
@@ -8,9 +13,7 @@ pub mod proto {
     }
 }
 
-pub mod transport;
+pub static BOOTSTRAP_PATH: &str = "bootstrap_token";
-
-pub static BOOTSTRAP_TOKEN_PATH: &str = "bootstrap_token";
 
 pub fn home_path() -> Result<std::path::PathBuf, std::io::Error> {
     static ARBITER_HOME: &str = ".arbiter";
@@ -26,6 +29,6 @@ pub fn home_path() -> Result<std::path::PathBuf, std::io::Error> {
 }
 
 pub fn format_challenge(challenge: &AuthChallenge) -> Vec<u8> {
-    let concat_form = format!("{}:{}", challenge.nonce, hex::encode(&challenge.pubkey));
+    let concat_form = format!("{}:{}", challenge.nonce, BASE64_STANDARD.encode(&challenge.pubkey));
     concat_form.into_bytes().to_vec()
 }

server/crates/arbiter-proto/src/url.rs

@@ -0,0 +1,128 @@
+use std::fmt::Display;
+
+use base64::{Engine as _, prelude::BASE64_URL_SAFE};
+use rustls_pki_types::CertificateDer;
+
+const ARBITER_URL_SCHEME: &str = "arbiter";
+const CERT_QUERY_KEY: &str = "cert";
+const BOOTSTRAP_TOKEN_QUERY_KEY: &str = "bootstrap_token";
+
+pub struct ArbiterUrl {
+    pub host: String,
+    pub port: u16,
+    pub ca_cert: CertificateDer<'static>,
+    pub bootstrap_token: Option<String>,
+}
+
+impl Display for ArbiterUrl {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut base = format!(
+            "{ARBITER_URL_SCHEME}://{}:{}?{CERT_QUERY_KEY}={}",
+            self.host,
+            self.port,
+            BASE64_URL_SAFE.encode(self.ca_cert.to_vec())
+        );
+        if let Some(token) = &self.bootstrap_token {
+            base.push_str(&format!("&{BOOTSTRAP_TOKEN_QUERY_KEY}={}", token));
+        }
+        f.write_str(&base)
+    }
+}
+
+#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+pub enum Error {
+    #[error("Invalid URL scheme, expected '{ARBITER_URL_SCHEME}://'")]
+    #[diagnostic(
+        code(arbiter::url::invalid_scheme),
+        help("The URL must start with '{ARBITER_URL_SCHEME}://'")
+    )]
+    InvalidScheme,
+    #[error("Missing host in URL")]
+    #[diagnostic(
+        code(arbiter::url::missing_host),
+        help("The URL must include a host, e.g., '{ARBITER_URL_SCHEME}://127.0.0.1:<port>'")
+    )]
+    MissingHost,
+    #[error("Missing port in URL")]
+    #[diagnostic(
+        code(arbiter::url::missing_port),
+        help("The URL must include a port, e.g., '{ARBITER_URL_SCHEME}://127.0.0.1:1234'")
+    )]
+    MissingPort,
+    #[error("Missing 'cert' query parameter in URL")]
+    #[diagnostic(
+        code(arbiter::url::missing_cert),
+        help("The URL must include a 'cert' query parameter")
+    )]
+    MissingCert,
+    #[error("Invalid base64 in 'cert' query parameter: {0}")]
+    #[diagnostic(code(arbiter::url::invalid_cert_base64))]
+    InvalidCertBase64(#[from] base64::DecodeError),
+}
+
+impl<'a> TryFrom<&'a str> for ArbiterUrl {
+    type Error = Error;
+
+    fn try_from(value: &'a str) -> Result<Self, Self::Error> {
+        let url = url::Url::parse(value).map_err(|_| Error::InvalidScheme)?;
+
+        if url.scheme() != ARBITER_URL_SCHEME {
+            return Err(Error::InvalidScheme);
+        }
+
+        let host = url.host_str().ok_or(Error::MissingHost)?.to_string();
+        let port = url.port().ok_or(Error::MissingPort)?;
+        let cert_str = url
+            .query_pairs()
+            .find(|(k, _)| k == CERT_QUERY_KEY)
+            .ok_or(Error::MissingCert)?
+            .1;
+
+        let cert = BASE64_URL_SAFE.decode(cert_str.as_ref())?;
+        let cert = CertificateDer::from_slice(&cert).into_owned();
+
+        let bootstrap_token = url
+            .query_pairs()
+            .find(|(k, _)| k == BOOTSTRAP_TOKEN_QUERY_KEY)
+            .map(|(_, v)| v.to_string());
+
+        Ok(ArbiterUrl {
+            host,
+            port,
+            ca_cert: cert,
+            bootstrap_token,
+        })
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use rcgen::generate_simple_self_signed;
+    use rstest::rstest;
+
+    use super::*;
+
+    #[rstest]
+
+    fn test_parsing_correctness(
+        #[values("127.0.0.1", "localhost", "192.168.1.1", "some.domain.com")] host: &str,
+
+        #[values(None, Some("token123".to_string()))] bootstrap_token: Option<String>,
+    ) {
+        let cert = generate_simple_self_signed(&["Arbiter CA".into()]).unwrap();
+        let cert = cert.cert.der();
+
+        let url = ArbiterUrl {
+            host: host.to_string(),
+            port: 1234,
+            ca_cert: cert.clone().into_owned(),
+            bootstrap_token,
+        };
+        let url_str = url.to_string();
+        let parsed_url = ArbiterUrl::try_from(url_str.as_str()).unwrap();
+        assert_eq!(url.host, parsed_url.host);
+        assert_eq!(url.port, parsed_url.port);
+        assert_eq!(url.ca_cert.to_vec(), parsed_url.ca_cert.to_vec());
+        assert_eq!(url.bootstrap_token, parsed_url.bootstrap_token);
+    }
+}

server/crates/arbiter-server/Cargo.toml

@@ -3,6 +3,7 @@ name = "arbiter-server"
 version = "0.1.0"
 edition = "2024"
 repository = "https://git.markettakers.org/MarketTakers/arbiter"
+license = "Apache-2.0"
 
 [dependencies]
 diesel = { version = "2.3.6", features = ["chrono", "returning_clauses_for_sqlite_3_35", "serde_json", "time", "uuid"] }
@@ -17,6 +18,7 @@ arbiter-proto.path = "../arbiter-proto"
 tracing.workspace = true
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 tonic.workspace = true
+tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 rustls.workspace = true
 smlang.workspace = true
@@ -29,21 +31,17 @@ futures.workspace = true
 tokio-stream.workspace = true
 dashmap = "6.1.0"
 rand.workspace = true
-rcgen = { version = "0.14.7", features = [
+rcgen.workspace = true
-    "aws_lc_rs",
-    "pem",
-    "x509-parser",
-    "zeroize",
-], default-features = false }
 chrono.workspace = true
 memsafe = "0.4.0"
 zeroize = { version = "1.8.2", features = ["std", "simd"] }
 kameo.workspace = true
-x25519-dalek = { version = "2.0.1", features = ["getrandom"] }
+x25519-dalek.workspace = true
 chacha20poly1305 = { version = "0.10.1", features = ["std"] }
 argon2 = { version = "0.5.3", features = ["zeroize"] }
 restructed = "0.2.2"
 strum = { version = "0.27.2", features = ["derive"] }
+pem = "3.0.6"
 
 [dev-dependencies]
 insta = "1.46.3"

server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql

@@ -24,14 +24,24 @@ create unique index if not exists uniq_nonce_per_root_key on aead_encrypted (
     associated_root_key_id
 );
 
+create table if not exists tls_history (
+    id INTEGER not null PRIMARY KEY,
+    cert text not null,
+    cert_key text not null, -- PEM Encoded private key
+    ca_cert text not null, 
+    ca_key text not null, -- PEM Encoded private key
+    created_at integer not null default(unixepoch ('now'))
+) STRICT;
+
 -- This is a singleton
 create table if not exists arbiter_settings (
     id INTEGER not null PRIMARY KEY CHECK (id = 1), -- singleton row, id must be 1
     root_key_id integer references root_key_history (id) on delete RESTRICT, -- if null, means wasn't bootstrapped yet
-    cert_key blob not null,
+    tls_id integer references tls_history (id) on delete RESTRICT
-    cert blob not null
 ) STRICT;
 
+insert into arbiter_settings (id) values (1) on conflict do nothing; -- ensure singleton row exists
+
 create table if not exists useragent_client (
     id integer not null primary key,
     nonce integer not null default(1), -- used for auth challenge

server/crates/arbiter-server/src/actors/bootstrap.rs

@@ -1,28 +1,31 @@
-use arbiter_proto::{BOOTSTRAP_TOKEN_PATH, home_path};
+use arbiter_proto::{BOOTSTRAP_PATH, home_path};
 use diesel::QueryDsl;
 use diesel_async::RunQueryDsl;
 use kameo::{Actor, messages};
 use miette::Diagnostic;
-use rand::{RngExt, distr::StandardUniform, make_rng, rngs::StdRng};
+use rand::{
+    RngExt,
+    distr::{Alphanumeric},
+    make_rng,
+    rngs::StdRng,
+};
 use thiserror::Error;
-use tracing::info;
 
 use crate::db::{self, DatabasePool, schema};
-
 const TOKEN_LENGTH: usize = 64;
 
 pub async fn generate_token() -> Result<String, std::io::Error> {
     let rng: StdRng = make_rng();
 
-    let token: String = rng
+    let token: String = rng.sample_iter(Alphanumeric).take(TOKEN_LENGTH).fold(
-        .sample_iter::<char, _>(StandardUniform)
+        Default::default(),
-        .take(TOKEN_LENGTH)
+        |mut accum, char| {
-        .fold(Default::default(), |mut accum, char| {
             accum += char.to_string().as_str();
             accum
-        });
+        },
+    );
 
-    tokio::fs::write(home_path()?.join(BOOTSTRAP_TOKEN_PATH), token.as_str()).await?;
+    tokio::fs::write(home_path()?.join(BOOTSTRAP_PATH), token.as_str()).await?;
 
     Ok(token)
 }
@@ -58,10 +61,9 @@ impl Bootstrapper {
 
         drop(conn);
 
+
         let token = if row_count == 0 {
             let token = generate_token().await?;
-            info!(%token, "Generated bootstrap token");
-            tokio::fs::write(home_path()?.join(BOOTSTRAP_TOKEN_PATH), token.as_str()).await?;
             Some(token)
         } else {
             None

server/crates/arbiter-server/src/actors/keyholder/mod.rs

@@ -345,30 +345,15 @@ impl KeyHolder {
 #[cfg(test)]
 mod tests {
     use diesel::SelectableHelper;
-    use diesel::dsl::insert_into;
+    
     use diesel_async::RunQueryDsl;
     use memsafe::MemSafe;
 
-    use crate::db::{self, models::ArbiterSetting};
+    use crate::db::{self};
 
     use super::*;
 
-    async fn seed_settings(pool: &db::DatabasePool) {
-        let mut conn = pool.get().await.unwrap();
-        insert_into(schema::arbiter_settings::table)
-            .values(&ArbiterSetting {
-                id: 1,
-                root_key_id: None,
-                cert_key: vec![],
-                cert: vec![],
-            })
-            .execute(&mut conn)
-            .await
-            .unwrap();
-    }
-
     async fn bootstrapped_actor(db: &db::DatabasePool) -> KeyHolder {
-        seed_settings(db).await;
         let mut actor = KeyHolder::new(db.clone()).await.unwrap();
         let seal_key = MemSafe::new(b"test-seal-key".to_vec()).unwrap();
         actor.bootstrap(seal_key).await.unwrap();

server/crates/arbiter-server/src/context/mod.rs

@@ -1,14 +1,12 @@
 use std::sync::Arc;
 
-use diesel::OptionalExtension as _;
-use diesel_async::RunQueryDsl as _;
 use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
     actors::GlobalActors,
-    context::tls::{TlsDataRaw, TlsManager},
+    context::tls::TlsManager,
-    db::{self, models::ArbiterSetting, schema::arbiter_settings},
+    db::{self},
 };
 
 pub mod tls;
@@ -29,7 +27,7 @@ pub enum InitError {
 
     #[error("TLS initialization failed: {0}")]
     #[diagnostic(code(arbiter_server::init::tls_init))]
-    Tls(#[from] tls::TlsInitError),
+    Tls(#[from] tls::InitError),
 
     #[error("Actor spawn failed: {0}")]
     #[diagnostic(code(arbiter_server::init::actor_spawn))]
@@ -57,54 +55,11 @@ impl std::ops::Deref for ServerContext {
 }
 
 impl ServerContext {
-    async fn load_tls(
-        db: &mut db::DatabaseConnection,
-        settings: Option<&ArbiterSetting>,
-    ) -> Result<TlsManager, InitError> {
-        match &settings {
-            Some(settings) => {
-                let tls_data_raw = TlsDataRaw {
-                    cert: settings.cert.clone(),
-                    key: settings.cert_key.clone(),
-                };
-
-                Ok(TlsManager::new(Some(tls_data_raw)).await?)
-            }
-            None => {
-                let tls = TlsManager::new(None).await?;
-                let tls_data_raw = tls.bytes();
-
-                diesel::insert_into(arbiter_settings::table)
-                    .values(&ArbiterSetting {
-                        id: 1,
-                        root_key_id: None,
-                        cert_key: tls_data_raw.key,
-                        cert: tls_data_raw.cert,
-                    })
-                    .execute(db)
-                    .await?;
-
-                Ok(tls)
-            }
-        }
-    }
-
     pub async fn new(db: db::DatabasePool) -> Result<Self, InitError> {
-        let mut conn = db.get().await?;
-
-        let settings = arbiter_settings::table
-            .first::<ArbiterSetting>(&mut conn)
-            .await
-            .optional()?;
-
-        let tls = Self::load_tls(&mut conn, settings.as_ref()).await?;
-
-        drop(conn);
-
         Ok(Self(Arc::new(_ServerContextInner {
             actors: GlobalActors::spawn(db.clone()).await?,
+            tls: TlsManager::new(db.clone()).await?,
             db,
-            tls,
         })))
     }
 }

server/crates/arbiter-server/src/context/tls.rs

@@ -1,12 +1,36 @@
 use std::string::FromUtf8Error;
 
+use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper as _};
+use diesel_async::{AsyncConnection, RunQueryDsl};
 use miette::Diagnostic;
-use rcgen::{Certificate, KeyPair};
+use pem::Pem;
-use rustls::pki_types::CertificateDer;
+use rcgen::{
+    BasicConstraints, Certificate, CertificateParams, CertifiedIssuer, DistinguishedName, DnType,
+    IsCa, Issuer, KeyPair, KeyUsagePurpose,
+};
+use rustls::pki_types::{pem::PemObject};
 use thiserror::Error;
+use tonic::transport::CertificateDer;
+
+use crate::db::{
+    self,
+    models::{NewTlsHistory, TlsHistory},
+    schema::{
+        arbiter_settings,
+        tls_history::{self},
+    },
+};
+
+const ENCODE_CONFIG: pem::EncodeConfig = {
+    let line_ending = match cfg!(target_family = "windows") {
+        true => pem::LineEnding::CRLF,
+        false => pem::LineEnding::LF,
+    };
+    pem::EncodeConfig::new().set_line_ending(line_ending)
+};
 
 #[derive(Error, Debug, Diagnostic)]
-pub enum TlsInitError {
+pub enum InitError {
     #[error("Key generation error during TLS initialization: {0}")]
     #[diagnostic(code(arbiter_server::tls_init::key_generation))]
     KeyGeneration(#[from] rcgen::Error),
@@ -18,68 +42,211 @@ pub enum TlsInitError {
     #[error("Key deserialization error: {0}")]
     #[diagnostic(code(arbiter_server::tls_init::key_deserialization))]
     KeyDeserializationError(rcgen::Error),
+
+    #[error("Database error during TLS initialization: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::database_error))]
+    DatabaseError(#[from] diesel::result::Error),
+
+    #[error("Pem deserialization error during TLS initialization: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::pem_deserialization))]
+    PemDeserializationError(#[from] rustls::pki_types::pem::Error),
+
+    #[error("Database pool acquire error during TLS initialization: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::database_pool_acquire))]
+    DatabasePoolAcquire(#[from] db::PoolError),
 }
 
-pub struct TlsData {
+pub type PemCert = String;
-    pub cert: CertificateDer<'static>,
+
-    pub keypair: KeyPair,
+pub fn encode_cert_to_pem(cert: &CertificateDer) -> PemCert {
+    pem::encode_config(
+        &Pem::new("CERTIFICATE", cert.to_vec()),
+        ENCODE_CONFIG,
+    )
 }
 
-pub struct TlsDataRaw {
+#[allow(unused)]
-    pub cert: Vec<u8>,
+struct SerializedTls {
-    pub key: Vec<u8>,
+    cert_pem: PemCert,
+    cert_key_pem: String,
 }
-impl TlsDataRaw {
+
-    pub fn serialize(cert: &TlsData) -> Self {
+struct TlsCa {
-        Self {
+    issuer: Issuer<'static, KeyPair>,
-            cert: cert.cert.as_ref().to_vec(),
+    cert: CertificateDer<'static>,
-            key: cert.keypair.serialize_pem().as_bytes().to_vec(),
+}
+
+impl TlsCa {
+    fn generate() -> Result<Self, InitError> {
+        let keypair = KeyPair::generate()?;
+        let mut params = CertificateParams::new(["Arbiter Instance CA".into()])?;
+        params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+        params.key_usages = vec![
+            KeyUsagePurpose::KeyCertSign,
+            KeyUsagePurpose::CrlSign,
+            KeyUsagePurpose::DigitalSignature,
+        ];
+
+        let mut dn = DistinguishedName::new();
+        dn.push(DnType::CommonName, "Arbiter Instance CA");
+        params.distinguished_name = dn;
+        let certified_issuer = CertifiedIssuer::self_signed(params, keypair)?;
+
+        let cert_key_pem = certified_issuer.key().serialize_pem();
+
+        let issuer = Issuer::from_ca_cert_pem(
+            &certified_issuer.pem(),
+            KeyPair::from_pem(cert_key_pem.as_ref()).unwrap(),
+        )
+        .unwrap();
+
+        Ok(Self {
+            issuer,
+            cert: certified_issuer.der().clone(),
+        })
+    }
+    fn generate_leaf(&self) -> Result<TlsCert, InitError> {
+        let cert_key = KeyPair::generate()?;
+        let mut params = CertificateParams::new(["Arbiter Instance Leaf".into()])?;
+        params.is_ca = IsCa::NoCa;
+        params.key_usages = vec![
+            KeyUsagePurpose::DigitalSignature,
+            KeyUsagePurpose::KeyEncipherment,
+        ];
+
+        let mut dn = DistinguishedName::new();
+        dn.push(DnType::CommonName, "Arbiter Instance Leaf");
+        params.distinguished_name = dn;
+
+        let new_cert = params.signed_by(&cert_key, &self.issuer)?;
+
+        Ok(TlsCert {
+            cert: new_cert,
+            cert_key,
+        })
+    }
+
+    #[allow(unused)]
+    fn serialize(&self) -> Result<SerializedTls, InitError> {
+        let cert_key_pem = self.issuer.key().serialize_pem();
+        Ok(SerializedTls {
+            cert_pem: encode_cert_to_pem(&self.cert),
+            cert_key_pem,
+        })
+    }
+
+    #[allow(unused)]
+    fn try_deserialize(cert_pem: &str, cert_key_pem: &str) -> Result<Self, InitError> {
+        let keypair =
+            KeyPair::from_pem(cert_key_pem).map_err(InitError::KeyDeserializationError)?;
+        let issuer = Issuer::from_ca_cert_pem(cert_pem, keypair)?;
+        Ok(Self {
+            issuer,
+            cert: CertificateDer::from_pem_slice(cert_pem.as_bytes())?,
+        })
     }
 }
 
-    pub fn deserialize(&self) -> Result<TlsData, TlsInitError> {
+struct TlsCert {
-        let cert = CertificateDer::from_slice(&self.cert).into_owned();
+    cert: Certificate,
-
+    cert_key: KeyPair,
-        let key = String::from_utf8(self.key.clone()).map_err(TlsInitError::KeyInvalidFormat)?;
-
-        let keypair = KeyPair::from_pem(&key).map_err(TlsInitError::KeyDeserializationError)?;
-
-        Ok(TlsData { cert, keypair })
-    }
-}
-
-fn generate_cert(key: &KeyPair) -> Result<Certificate, rcgen::Error> {
-    let params =
-        rcgen::CertificateParams::new(vec!["arbiter.local".to_string(), "localhost".to_string()])?;
-
-    params.self_signed(key)
 }
 
 // TODO: Implement cert rotation
 pub struct TlsManager {
-    data: TlsData,
+    cert: CertificateDer<'static>,
+    keypair: KeyPair,
+    ca_cert: CertificateDer<'static>,
+    _db: db::DatabasePool,
 }
 
 impl TlsManager {
-    pub async fn new(data: Option<TlsDataRaw>) -> Result<Self, TlsInitError> {
+    pub async fn generate_new(db: &db::DatabasePool) -> Result<Self, InitError> {
-        match data {
+        let ca = TlsCa::generate()?;
-            Some(raw) => {
+        let new_cert = ca.generate_leaf()?;
-                let tls_data = raw.deserialize()?;
+
-                Ok(Self { data: tls_data })
+        {
-            }
+            let mut conn = db.get().await?;
-            None => {
+            conn.transaction(|conn| {
-                let keypair = KeyPair::generate()?;
+                Box::pin(async {
-                let cert = generate_cert(&keypair)?;
+                    let new_tls_history = NewTlsHistory {
-                let tls_data = TlsData {
+                        cert: new_cert.cert.pem(),
-                    cert: cert.der().clone(),
+                        cert_key: new_cert.cert_key.serialize_pem(),
-                    keypair,
+                        ca_cert: encode_cert_to_pem(&ca.cert),
+                        ca_key: ca.issuer.key().serialize_pem(),
                     };
-                Ok(Self { data: tls_data })
+
+                    let inserted_tls_history: i32 = diesel::insert_into(tls_history::table)
+                        .values(&new_tls_history)
+                        .returning(tls_history::id)
+                        .get_result(conn)
+                        .await?;
+
+                    diesel::update(arbiter_settings::table)
+                        .set(arbiter_settings::tls_id.eq(inserted_tls_history))
+                        .execute(conn)
+                        .await?;
+
+                    Result::<_, diesel::result::Error>::Ok(())
+                })
+            })
+            .await?;
         }
+
+        Ok(Self {
+            cert: new_cert.cert.der().clone(),
+            keypair: new_cert.cert_key,
+            ca_cert: ca.cert,
+            _db: db.clone(),
+        })
+    }
+
+    pub async fn new(db: db::DatabasePool) -> Result<Self, InitError> {
+        let cert_data: Option<TlsHistory> = {
+            let mut conn = db.get().await?;
+            arbiter_settings::table
+                .left_join(tls_history::table)
+                .select(Option::<TlsHistory>::as_select())
+                .first(&mut conn)
+                .await?
+        };
+
+        match cert_data {
+            Some(data) => {
+                let try_load = || -> Result<_, Box<dyn std::error::Error>> {
+                    let keypair = KeyPair::from_pem(&data.cert_key)?;
+                    let cert = CertificateDer::from_pem_slice(data.cert.as_bytes())?;
+                    let ca_cert = CertificateDer::from_pem_slice(data.ca_cert.as_bytes())?;
+                    Ok(Self {
+                        cert,
+                        keypair,
+                        ca_cert,
+                        _db: db.clone(),
+                    })
+                };
+                match try_load() {
+                    Ok(manager) => Ok(manager),
+                    Err(e) => {
+                        eprintln!("Failed to load existing TLS certs: {e}. Generating new ones.");
+                        Self::generate_new(&db).await
+                    }
+                }
+            }
+            None => Self::generate_new(&db).await,
         }
     }
 
-    pub fn bytes(&self) -> TlsDataRaw {
+    pub fn cert(&self) -> &CertificateDer<'static> {
-        TlsDataRaw::serialize(&self.data)
+        &self.cert
+    }
+    pub fn ca_cert(&self) -> &CertificateDer<'static> {
+        &self.ca_cert
+    }
+
+    pub fn cert_pem(&self) -> PemCert {
+        encode_cert_to_pem(&self.cert)
+    }
+    pub fn key_pem(&self) -> String {
+        self.keypair.serialize_pem()
     }
 }

server/crates/arbiter-server/src/db/mod.rs

@@ -24,23 +24,23 @@ const MIGRATIONS: EmbeddedMigrations = embed_migrations!("migrations");
 #[derive(Error, Diagnostic, Debug)]
 pub enum DatabaseSetupError {
     #[error("Failed to determine home directory")]
-    #[diagnostic(code(arbiter::db::home_dir_error))]
+    #[diagnostic(code(arbiter::db::home_dir))]
     HomeDir(std::io::Error),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::connection_error))]
+    #[diagnostic(code(arbiter::db::connection))]
     Connection(diesel::ConnectionError),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::concurrency_error))]
+    #[diagnostic(code(arbiter::db::concurrency))]
     ConcurrencySetup(diesel::result::Error),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::migration_error))]
+    #[diagnostic(code(arbiter::db::migration))]
     Migration(Box<dyn std::error::Error + Send + Sync>),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::pool_error))]
+    #[diagnostic(code(arbiter::db::pool))]
     Pool(#[from] PoolInitError),
 }
 
@@ -91,12 +91,12 @@ fn initialize_database(url: &str) -> Result<(), DatabaseSetupError> {
 
 #[tracing::instrument(level = "info")]
 pub async fn create_pool(url: Option<&str>) -> Result<DatabasePool, DatabaseSetupError> {
-    let database_url = url.map(String::from).unwrap_or(format!(
+    let database_url = url.map(String::from).unwrap_or(
-        "{}?mode=rwc",
+        database_path()?
-        (database_path()?
             .to_str()
-            .expect("database path is not valid UTF-8"))
+            .expect("database path is not valid UTF-8")
-    ));
+            .to_string(),
+    );
 
     initialize_database(&database_url)?;
 

server/crates/arbiter-server/src/db/models.rs

@@ -1,7 +1,7 @@
 #![allow(unused)]
 #![allow(clippy::all)]
 
-use crate::db::schema::{self, aead_encrypted, arbiter_settings, root_key_history};
+use crate::db::schema::{self, aead_encrypted, arbiter_settings, root_key_history, tls_history};
 use diesel::{prelude::*, sqlite::Sqlite};
 use restructed::Models;
 
@@ -46,13 +46,29 @@ pub struct RootKeyHistory {
     pub salt: Vec<u8>,
 }
 
-#[derive(Queryable, Debug, Insertable)]
+#[derive(Models, Queryable, Debug, Insertable, Selectable)]
+#[diesel(table_name = tls_history, check_for_backend(Sqlite))]
+#[view(
+    NewTlsHistory,
+    derive(Insertable),
+    omit(id, created_at),
+    attributes_with = "deriveless"
+)]
+pub struct TlsHistory {
+    pub id: i32,
+    pub cert: String,
+    pub cert_key: String, // PEM Encoded private key
+    pub ca_cert: String, // PEM Encoded certificate for cert signing
+    pub ca_key: String, // PEM Encoded public key for cert signing
+    pub created_at: i32,
+}
+
+#[derive(Queryable, Debug, Insertable, Selectable)]
 #[diesel(table_name = arbiter_settings, check_for_backend(Sqlite))]
-pub struct ArbiterSetting {
+pub struct ArbiterSettings {
     pub id: i32,
     pub root_key_id: Option<i32>, // references root_key_history.id
-    pub cert_key: Vec<u8>,
+    pub tls_id: Option<i32>, // references tls_history.id
-    pub cert: Vec<u8>,
 }
 
 #[derive(Queryable, Debug)]

server/crates/arbiter-server/src/db/schema.rs

@@ -16,8 +16,7 @@ diesel::table! {
     arbiter_settings (id) {
         id -> Integer,
         root_key_id -> Nullable<Integer>,
-        cert_key -> Binary,
+        tls_id -> Nullable<Integer>,
-        cert -> Binary,
     }
 }
 
@@ -43,6 +42,17 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    tls_history (id) {
+        id -> Integer,
+        cert -> Text,
+        cert_key -> Text,
+        ca_cert -> Text,
+        ca_key -> Text,
+        created_at -> Integer,
+    }
+}
+
 diesel::table! {
     useragent_client (id) {
         id -> Integer,
@@ -55,11 +65,13 @@ diesel::table! {
 
 diesel::joinable!(aead_encrypted -> root_key_history (associated_root_key_id));
 diesel::joinable!(arbiter_settings -> root_key_history (root_key_id));
+diesel::joinable!(arbiter_settings -> tls_history (tls_id));
 
 diesel::allow_tables_to_appear_in_same_query!(
     aead_encrypted,
     arbiter_settings,
     program_client,
     root_key_history,
+    tls_history,
     useragent_client,
 );

server/crates/arbiter-server/src/main.rs

@@ -1,7 +1,13 @@
-use arbiter_proto::proto::arbiter_service_server::ArbiterServiceServer;
+use std::net::SocketAddr;
-use arbiter_server::{Server, context::ServerContext, db};
+
+use arbiter_proto::{proto::arbiter_service_server::ArbiterServiceServer, url::ArbiterUrl};
+use arbiter_server::{Server, actors::bootstrap::GetToken, context::ServerContext, db};
+use miette::miette;
+use tonic::transport::{Identity, ServerTlsConfig};
 use tracing::info;
 
+const PORT: u16 = 50051;
+
 #[tokio::main]
 async fn main() -> miette::Result<()> {
     tracing_subscriber::fmt()
@@ -13,18 +19,31 @@ async fn main() -> miette::Result<()> {
 
     info!("Starting arbiter server");
 
-    info!("Initializing database");
     let db = db::create_pool(None).await?;
     info!("Database ready");
 
-    info!("Initializing server context");
     let context = ServerContext::new(db).await?;
-    info!("Server context ready");
 
-    let addr = "[::1]:50051".parse().expect("valid address");
+    let addr: SocketAddr = format!("127.0.0.1:{PORT}").parse().expect("valid address");
     info!(%addr, "Starting gRPC server");
 
+    let url = ArbiterUrl {
+        host: addr.ip().to_string(),
+        port: addr.port(),
+        ca_cert: context.tls.ca_cert().clone().into_owned(),
+        bootstrap_token: context.actors.bootstrapper.ask(GetToken).await.unwrap(),
+    };
+
+    info!(%url, "Server URL");
+
+    let tls = ServerTlsConfig::new().identity(Identity::from_pem(
+        context.tls.cert_pem(),
+        context.tls.key_pem(),
+    ));
+
     tonic::transport::Server::builder()
+        .tls_config(tls)
+        .map_err(|err| miette!("Faild to setup TLS: {err}"))?
         .add_service(ArbiterServiceServer::new(Server::new(context)))
         .serve(addr)
         .await

server/crates/arbiter-server/tests/common/mod.rs

@@ -1,28 +1,13 @@
 use arbiter_server::{
     actors::keyholder::KeyHolder,
-    db::{self, models::ArbiterSetting, schema},
+    db::{self, schema},
 };
-use diesel::{QueryDsl, insert_into};
+use diesel::QueryDsl;
 use diesel_async::RunQueryDsl;
 use memsafe::MemSafe;
 
-pub async fn seed_settings(pool: &db::DatabasePool) {
-    let mut conn = pool.get().await.unwrap();
-    insert_into(schema::arbiter_settings::table)
-        .values(&ArbiterSetting {
-            id: 1,
-            root_key_id: None,
-            cert_key: vec![],
-            cert: vec![],
-        })
-        .execute(&mut conn)
-        .await
-        .unwrap();
-}
-
 #[allow(dead_code)]
 pub async fn bootstrapped_keyholder(db: &db::DatabasePool) -> KeyHolder {
-    seed_settings(db).await;
     let mut actor = KeyHolder::new(db.clone()).await.unwrap();
     actor
         .bootstrap(MemSafe::new(b"test-seal-key".to_vec()).unwrap())

server/crates/arbiter-server/tests/keyholder/lifecycle.rs

@@ -12,7 +12,6 @@ use crate::common;
 #[test_log::test]
 async fn test_bootstrap() {
     let db = db::create_test_pool().await;
-    common::seed_settings(&db).await;
     let mut actor = KeyHolder::new(db.clone()).await.unwrap();
 
     let seal_key = MemSafe::new(b"test-seal-key".to_vec()).unwrap();
@@ -53,7 +52,6 @@ async fn test_bootstrap_rejects_double() {
 #[test_log::test]
 async fn test_create_new_before_bootstrap_fails() {
     let db = db::create_test_pool().await;
-    common::seed_settings(&db).await;
     let mut actor = KeyHolder::new(db).await.unwrap();
 
     let err = actor
@@ -67,7 +65,6 @@ async fn test_create_new_before_bootstrap_fails() {
 #[test_log::test]
 async fn test_decrypt_before_bootstrap_fails() {
     let db = db::create_test_pool().await;
-    common::seed_settings(&db).await;
     let mut actor = KeyHolder::new(db).await.unwrap();
 
     let err = actor.decrypt(1).await.unwrap_err();

server/crates/arbiter-server/tests/user_agent/auth.rs

@@ -20,7 +20,6 @@ use kameo::actor::Spawn;
 #[test_log::test]
 pub async fn test_bootstrap_token_auth() {
     let db =db::create_test_pool().await;
-    crate::common::seed_settings(&db).await;
 
     let actors = GlobalActors::spawn(db.clone()).await.unwrap();
     let token = actors.bootstrapper.ask(GetToken).await.unwrap().unwrap();
@@ -67,7 +66,6 @@ pub async fn test_bootstrap_token_auth() {
 #[test_log::test]
 pub async fn test_bootstrap_invalid_token_auth() {
     let db = db::create_test_pool().await;
-    crate::common::seed_settings(&db).await;
 
     let actors = GlobalActors::spawn(db.clone()).await.unwrap();
     let user_agent =
@@ -110,7 +108,6 @@ pub async fn test_bootstrap_invalid_token_auth() {
 #[test_log::test]
 pub async fn test_challenge_auth() {
     let db = db::create_test_pool().await;
-    crate::common::seed_settings(&db).await;
 
     let actors = GlobalActors::spawn(db.clone()).await.unwrap();
     let user_agent =

server/crates/arbiter-server/tests/user_agent/unseal.rs

@@ -23,7 +23,6 @@ async fn setup_authenticated_user_agent(
     seal_key: &[u8],
 ) -> (arbiter_server::db::DatabasePool, ActorRef<UserAgentActor>) {
     let db = db::create_test_pool().await;
-    crate::common::seed_settings(&db).await;
 
     let actors = GlobalActors::spawn(db.clone()).await.unwrap();
     actors
@@ -167,7 +166,6 @@ pub async fn test_unseal_corrupted_ciphertext() {
 #[test_log::test]
 pub async fn test_unseal_start_without_auth_fails() {
     let db = db::create_test_pool().await;
-    crate::common::seed_settings(&db).await;
 
     let actors = GlobalActors::spawn(db.clone()).await.unwrap();
     let user_agent =

server/crates/arbiter-useragent/Cargo.toml

@@ -2,5 +2,14 @@
 name = "arbiter-useragent"
 version = "0.1.0"
 edition = "2024"
+license = "Apache-2.0"
 
 [dependencies]
+arbiter-proto.path = "../arbiter-proto"
+kameo.workspace = true
+tokio = {workspace = true, features = ["net"]}
+tonic.workspace = true
+tracing.workspace = true
+ed25519-dalek.workspace = true
+smlang.workspace = true
+x25519-dalek.workspace = true

server/crates/arbiter-useragent/src/lib.rs

@@ -1,14 +1,13 @@
-pub fn add(left: u64, right: u64) -> u64 {
+use ed25519_dalek::SigningKey;
-    left + right
+use kameo::Actor;
+use tonic::transport::CertificateDer;
+
+struct Storage {
+    pub identity: SigningKey,
+    pub server_ca_cert: CertificateDer<'static>,
 }
 
-#[cfg(test)]
+#[derive(Actor)]
-mod tests {
+pub struct UserAgent {
-    use super::*;
 
-    #[test]
-    fn it_works() {
-        let result = add(2, 2);
-        assert_eq!(result, 4);
-    }
 }

useragent/pubspec.lock

@@ -41,14 +41,6 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "1.19.1"
-  cupertino_icons:
-    dependency: "direct main"
-    description:
-      name: cupertino_icons
-      sha256: ba631d1c7f7bef6b729a622b7b752645a2d076dba9976925b8f25725a30e1ee6
-      url: "https://pub.dev"
-    source: hosted
-    version: "1.0.8"
   fake_async:
     dependency: transitive
     description:

useragent/pubspec.yaml

@@ -0,0 +1,21 @@
+name: arbiter
+description: "User agent for Arbiter"
+publish_to: 'none'
+
+version: 0.1.0
+
+environment:
+  sdk: ^3.10.8
+
+dependencies:
+  flutter:
+    sdk: flutter
+
+dev_dependencies:
+  flutter_test:
+    sdk: flutter
+
+  flutter_lints: ^6.0.0
+
+flutter:
+  uses-material-design: true