feat(transport): add domain error type to GrpcTransportActor

ARCHITECTURE.md

@@ -3,7 +3,6 @@
 Arbiter is a permissioned signing service for cryptocurrency wallets. It runs as a background service on the user's machine with an optional client application for vault management.
 
 **Core principle:** The vault NEVER exposes key material. It only produces signatures when a request satisfies the configured policies.
-
 ---
 
 ## 1. Peer Types

LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 MarketTakers
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

README.md

@@ -0,0 +1,13 @@
+# Arbiter
+> Policy-first multi-client wallet daemon, allowing permissioned transactions across blockchains
+
+## Security warning
+Arbiter can't meaningfully protect against host compromise. Potential attack flow:
+- Attacker steals TLS keys from database
+- Pretends to be server; just accepts user agent challenge solutions
+- Pretend to be in sealed state and performing DH with client
+- Steals user password and derives seal key
+
+While this attack is highly targetive, it's still possible. 
+
+> This software is experimental. Do not use with funds you cannot afford to lose.

app/.dart_tool/package_config.json

@@ -0,0 +1,178 @@
+{
+  "configVersion": 2,
+  "packages": [
+    {
+      "name": "async",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/async-2.13.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "boolean_selector",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/boolean_selector-2.1.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "characters",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/characters-1.4.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "clock",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/clock-1.1.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "collection",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/collection-1.19.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "cupertino_icons",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/cupertino_icons-1.0.8",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "fake_async",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/fake_async-1.3.3",
+      "packageUri": "lib/",
+      "languageVersion": "3.3"
+    },
+    {
+      "name": "flutter",
+      "rootUri": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable/packages/flutter",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "flutter_lints",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/flutter_lints-6.0.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "flutter_test",
+      "rootUri": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable/packages/flutter_test",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "leak_tracker",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/leak_tracker-11.0.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.2"
+    },
+    {
+      "name": "leak_tracker_flutter_testing",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/leak_tracker_flutter_testing-3.0.10",
+      "packageUri": "lib/",
+      "languageVersion": "3.2"
+    },
+    {
+      "name": "leak_tracker_testing",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/leak_tracker_testing-3.0.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.2"
+    },
+    {
+      "name": "lints",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/lints-6.1.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "matcher",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/matcher-0.12.17",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "material_color_utilities",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/material_color_utilities-0.11.1",
+      "packageUri": "lib/",
+      "languageVersion": "2.17"
+    },
+    {
+      "name": "meta",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/meta-1.17.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.5"
+    },
+    {
+      "name": "path",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/path-1.9.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "sky_engine",
+      "rootUri": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable/bin/cache/pkg/sky_engine",
+      "packageUri": "lib/",
+      "languageVersion": "3.8"
+    },
+    {
+      "name": "source_span",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/source_span-1.10.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "stack_trace",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/stack_trace-1.12.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.4"
+    },
+    {
+      "name": "stream_channel",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/stream_channel-2.1.4",
+      "packageUri": "lib/",
+      "languageVersion": "3.3"
+    },
+    {
+      "name": "string_scanner",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/string_scanner-1.4.1",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "term_glyph",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/term_glyph-1.2.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "test_api",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/test_api-0.7.7",
+      "packageUri": "lib/",
+      "languageVersion": "3.5"
+    },
+    {
+      "name": "vector_math",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/vector_math-2.2.0",
+      "packageUri": "lib/",
+      "languageVersion": "3.1"
+    },
+    {
+      "name": "vm_service",
+      "rootUri": "file:///Users/kaska/.pub-cache/hosted/pub.dev/vm_service-15.0.2",
+      "packageUri": "lib/",
+      "languageVersion": "3.5"
+    },
+    {
+      "name": "app",
+      "rootUri": "../",
+      "packageUri": "lib/",
+      "languageVersion": "3.10"
+    }
+  ],
+  "generator": "pub",
+  "generatorVersion": "3.10.8",
+  "flutterRoot": "file:///Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable",
+  "flutterVersion": "3.38.9",
+  "pubCache": "file:///Users/kaska/.pub-cache"
+}

app/.dart_tool/package_graph.json

@@ -0,0 +1,230 @@
+{
+  "roots": [
+    "app"
+  ],
+  "packages": [
+    {
+      "name": "app",
+      "version": "1.0.0+1",
+      "dependencies": [
+        "cupertino_icons",
+        "flutter"
+      ],
+      "devDependencies": [
+        "flutter_lints",
+        "flutter_test"
+      ]
+    },
+    {
+      "name": "flutter_lints",
+      "version": "6.0.0",
+      "dependencies": [
+        "lints"
+      ]
+    },
+    {
+      "name": "flutter_test",
+      "version": "0.0.0",
+      "dependencies": [
+        "clock",
+        "collection",
+        "fake_async",
+        "flutter",
+        "leak_tracker_flutter_testing",
+        "matcher",
+        "meta",
+        "path",
+        "stack_trace",
+        "stream_channel",
+        "test_api",
+        "vector_math"
+      ]
+    },
+    {
+      "name": "cupertino_icons",
+      "version": "1.0.8",
+      "dependencies": []
+    },
+    {
+      "name": "flutter",
+      "version": "0.0.0",
+      "dependencies": [
+        "characters",
+        "collection",
+        "material_color_utilities",
+        "meta",
+        "sky_engine",
+        "vector_math"
+      ]
+    },
+    {
+      "name": "lints",
+      "version": "6.1.0",
+      "dependencies": []
+    },
+    {
+      "name": "stream_channel",
+      "version": "2.1.4",
+      "dependencies": [
+        "async"
+      ]
+    },
+    {
+      "name": "meta",
+      "version": "1.17.0",
+      "dependencies": []
+    },
+    {
+      "name": "collection",
+      "version": "1.19.1",
+      "dependencies": []
+    },
+    {
+      "name": "leak_tracker_flutter_testing",
+      "version": "3.0.10",
+      "dependencies": [
+        "flutter",
+        "leak_tracker",
+        "leak_tracker_testing",
+        "matcher",
+        "meta"
+      ]
+    },
+    {
+      "name": "vector_math",
+      "version": "2.2.0",
+      "dependencies": []
+    },
+    {
+      "name": "stack_trace",
+      "version": "1.12.1",
+      "dependencies": [
+        "path"
+      ]
+    },
+    {
+      "name": "clock",
+      "version": "1.1.2",
+      "dependencies": []
+    },
+    {
+      "name": "fake_async",
+      "version": "1.3.3",
+      "dependencies": [
+        "clock",
+        "collection"
+      ]
+    },
+    {
+      "name": "path",
+      "version": "1.9.1",
+      "dependencies": []
+    },
+    {
+      "name": "matcher",
+      "version": "0.12.17",
+      "dependencies": [
+        "async",
+        "meta",
+        "stack_trace",
+        "term_glyph",
+        "test_api"
+      ]
+    },
+    {
+      "name": "test_api",
+      "version": "0.7.7",
+      "dependencies": [
+        "async",
+        "boolean_selector",
+        "collection",
+        "meta",
+        "source_span",
+        "stack_trace",
+        "stream_channel",
+        "string_scanner",
+        "term_glyph"
+      ]
+    },
+    {
+      "name": "sky_engine",
+      "version": "0.0.0",
+      "dependencies": []
+    },
+    {
+      "name": "material_color_utilities",
+      "version": "0.11.1",
+      "dependencies": [
+        "collection"
+      ]
+    },
+    {
+      "name": "characters",
+      "version": "1.4.0",
+      "dependencies": []
+    },
+    {
+      "name": "async",
+      "version": "2.13.0",
+      "dependencies": [
+        "collection",
+        "meta"
+      ]
+    },
+    {
+      "name": "leak_tracker_testing",
+      "version": "3.0.2",
+      "dependencies": [
+        "leak_tracker",
+        "matcher",
+        "meta"
+      ]
+    },
+    {
+      "name": "leak_tracker",
+      "version": "11.0.2",
+      "dependencies": [
+        "clock",
+        "collection",
+        "meta",
+        "path",
+        "vm_service"
+      ]
+    },
+    {
+      "name": "term_glyph",
+      "version": "1.2.2",
+      "dependencies": []
+    },
+    {
+      "name": "string_scanner",
+      "version": "1.4.1",
+      "dependencies": [
+        "source_span"
+      ]
+    },
+    {
+      "name": "source_span",
+      "version": "1.10.2",
+      "dependencies": [
+        "collection",
+        "path",
+        "term_glyph"
+      ]
+    },
+    {
+      "name": "boolean_selector",
+      "version": "2.1.2",
+      "dependencies": [
+        "source_span",
+        "string_scanner"
+      ]
+    },
+    {
+      "name": "vm_service",
+      "version": "15.0.2",
+      "dependencies": []
+    }
+  ],
+  "configVersion": 1
+}

app/.dart_tool/version

@@ -0,0 +1 @@
+3.38.9

app/macos/Flutter/ephemeral/Flutter-Generated.xcconfig

@@ -0,0 +1,11 @@
+// This is a generated file; do not edit or check into version control.
+FLUTTER_ROOT=/Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable
+FLUTTER_APPLICATION_PATH=/Users/kaska/Documents/Projects/Major/arbiter/app
+COCOAPODS_PARALLEL_CODE_SIGN=true
+FLUTTER_BUILD_DIR=build
+FLUTTER_BUILD_NAME=1.0.0
+FLUTTER_BUILD_NUMBER=1
+DART_OBFUSCATION=false
+TRACK_WIDGET_CREATION=true
+TREE_SHAKE_ICONS=false
+PACKAGE_CONFIG=.dart_tool/package_config.json

app/macos/Flutter/ephemeral/flutter_export_environment.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+# This is a generated file; do not edit or check into version control.
+export "FLUTTER_ROOT=/Users/kaska/.local/share/mise/installs/flutter/3.38.9-stable"
+export "FLUTTER_APPLICATION_PATH=/Users/kaska/Documents/Projects/Major/arbiter/app"
+export "COCOAPODS_PARALLEL_CODE_SIGN=true"
+export "FLUTTER_BUILD_DIR=build"
+export "FLUTTER_BUILD_NAME=1.0.0"
+export "FLUTTER_BUILD_NUMBER=1"
+export "DART_OBFUSCATION=false"
+export "TRACK_WIDGET_CREATION=true"
+export "TREE_SHAKE_ICONS=false"
+export "PACKAGE_CONFIG=.dart_tool/package_config.json"

app/pubspec.yaml

@@ -1,89 +0,0 @@
-name: app
-description: "A new Flutter project."
-# The following line prevents the package from being accidentally published to
-# pub.dev using `flutter pub publish`. This is preferred for private packages.
-publish_to: 'none' # Remove this line if you wish to publish to pub.dev
-
-# The following defines the version and build number for your application.
-# A version number is three numbers separated by dots, like 1.2.43
-# followed by an optional build number separated by a +.
-# Both the version and the builder number may be overridden in flutter
-# build by specifying --build-name and --build-number, respectively.
-# In Android, build-name is used as versionName while build-number used as versionCode.
-# Read more about Android versioning at https://developer.android.com/studio/publish/versioning
-# In iOS, build-name is used as CFBundleShortVersionString while build-number is used as CFBundleVersion.
-# Read more about iOS versioning at
-# https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
-# In Windows, build-name is used as the major, minor, and patch parts
-# of the product and file versions while build-number is used as the build suffix.
-version: 1.0.0+1
-
-environment:
-  sdk: ^3.10.8
-
-# Dependencies specify other packages that your package needs in order to work.
-# To automatically upgrade your package dependencies to the latest versions
-# consider running `flutter pub upgrade --major-versions`. Alternatively,
-# dependencies can be manually updated by changing the version numbers below to
-# the latest version available on pub.dev. To see which dependencies have newer
-# versions available, run `flutter pub outdated`.
-dependencies:
-  flutter:
-    sdk: flutter
-
-  # The following adds the Cupertino Icons font to your application.
-  # Use with the CupertinoIcons class for iOS style icons.
-  cupertino_icons: ^1.0.8
-
-dev_dependencies:
-  flutter_test:
-    sdk: flutter
-
-  # The "flutter_lints" package below contains a set of recommended lints to
-  # encourage good coding practices. The lint set provided by the package is
-  # activated in the `analysis_options.yaml` file located at the root of your
-  # package. See that file for information about deactivating specific lint
-  # rules and activating additional ones.
-  flutter_lints: ^6.0.0
-
-# For information on the generic Dart part of this file, see the
-# following page: https://dart.dev/tools/pub/pubspec
-
-# The following section is specific to Flutter packages.
-flutter:
-
-  # The following line ensures that the Material Icons font is
-  # included with your application, so that you can use the icons in
-  # the material Icons class.
-  uses-material-design: true
-
-  # To add assets to your application, add an assets section, like this:
-  # assets:
-  #   - images/a_dot_burr.jpeg
-  #   - images/a_dot_ham.jpeg
-
-  # An image asset can refer to one or more resolution-specific "variants", see
-  # https://flutter.dev/to/resolution-aware-images
-
-  # For details regarding adding assets from package dependencies, see
-  # https://flutter.dev/to/asset-from-package
-
-  # To add custom fonts to your application, add a fonts section here,
-  # in this "flutter" section. Each entry in this list should have a
-  # "family" key with the font family name, and a "fonts" key with a
-  # list giving the asset and other descriptors for the font. For
-  # example:
-  # fonts:
-  #   - family: Schyler
-  #     fonts:
-  #       - asset: fonts/Schyler-Regular.ttf
-  #       - asset: fonts/Schyler-Italic.ttf
-  #         style: italic
-  #   - family: Trajan Pro
-  #     fonts:
-  #       - asset: fonts/TrajanPro.ttf
-  #       - asset: fonts/TrajanPro_Bold.ttf
-  #         weight: 700
-  #
-  # For details regarding fonts from package dependencies,
-  # see https://flutter.dev/to/font-from-package

server/Cargo.lock

@@ -59,14 +59,22 @@ version = "0.1.0"
 name = "arbiter-proto"
 version = "0.1.0"
 dependencies = [
+ "base64",
  "futures",
- "hex",
  "kameo",
+ "miette",
  "prost",
+ "rand",
+ "rcgen",
+ "rstest",
+ "rustls-pki-types",
+ "thiserror",
  "tokio",
  "tonic",
  "tonic-prost",
  "tonic-prost-build",
+ "tracing",
+ "url",
 ]
 
 [[package]]
@@ -88,6 +96,7 @@ dependencies = [
  "kameo",
  "memsafe",
  "miette",
+ "pem",
  "rand",
  "rcgen",
  "restructed",
@@ -109,6 +118,16 @@ dependencies = [
 [[package]]
 name = "arbiter-useragent"
 version = "0.1.0"
+dependencies = [
+ "arbiter-proto",
+ "ed25519-dalek",
+ "kameo",
+ "smlang",
+ "tokio",
+ "tonic",
+ "tracing",
+ "x25519-dalek",
+]
 
 [[package]]
 name = "argon2"
@@ -859,6 +878,15 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
 
+[[package]]
+name = "form_urlencoded"
+version = "1.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf"
+dependencies = [
+ "percent-encoding",
+]
+
 [[package]]
 name = "fs_extra"
 version = "1.3.0"
@@ -936,6 +964,12 @@ version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
 
+[[package]]
+name = "futures-timer"
+version = "3.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e2f72365f57b63326e29b24"
+
 [[package]]
 name = "futures-util"
 version = "0.3.32"
@@ -1006,6 +1040,12 @@ version = "0.32.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e629b9b98ef3dd8afe6ca2bd0f89306cec16d43d907889945bc5d6687f2f13c7"
 
+[[package]]
+name = "glob"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
+
 [[package]]
 name = "h2"
 version = "0.4.13"
@@ -1055,12 +1095,6 @@ version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
 
-[[package]]
-name = "hex"
-version = "0.4.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
-
 [[package]]
 name = "http"
 version = "1.4.0"
@@ -1195,6 +1229,87 @@ dependencies = [
  "cc",
 ]
 
+[[package]]
+name = "icu_collections"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
+dependencies = [
+ "displaydoc",
+ "potential_utf",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locale_core"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
+dependencies = [
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
+dependencies = [
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer_data"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"
+
+[[package]]
+name = "icu_properties"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec"
+dependencies = [
+ "icu_collections",
+ "icu_locale_core",
+ "icu_properties_data",
+ "icu_provider",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_properties_data"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"
+
+[[package]]
+name = "icu_provider"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
+dependencies = [
+ "displaydoc",
+ "icu_locale_core",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerotrie",
+ "zerovec",
+]
+
 [[package]]
 name = "id-arena"
 version = "2.3.0"
@@ -1207,6 +1322,27 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
 
+[[package]]
+name = "idna"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
+]
+
 [[package]]
 name = "indexmap"
 version = "2.13.0"
@@ -1342,6 +1478,12 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "df1d3c3b53da64cf5760482273a98e575c651a67eec7f77df96b5b642de8f039"
 
+[[package]]
+name = "litemap"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
+
 [[package]]
 name = "lock_api"
 version = "0.4.14"
@@ -1684,6 +1826,15 @@ version = "1.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
 
+[[package]]
+name = "potential_utf"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
+dependencies = [
+ "zerovec",
+]
+
 [[package]]
 name = "powerfmt"
 version = "0.2.0"
@@ -1700,6 +1851,15 @@ dependencies = [
  "syn 2.0.115",
 ]
 
+[[package]]
+name = "proc-macro-crate"
+version = "3.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "219cb19e96be00ab2e37d6e299658a0cfa83e52429179969b0f0121b4ac46983"
+dependencies = [
+ "toml_edit",
+]
+
 [[package]]
 name = "proc-macro-error"
 version = "1.0.4"
@@ -1900,6 +2060,12 @@ version = "0.8.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c"
 
+[[package]]
+name = "relative-path"
+version = "1.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba39f3699c378cd8970968dcbff9c43159ea4cfbd88d43c00b22f2ef10a435d2"
+
 [[package]]
 name = "restructed"
 version = "0.2.2"
@@ -1936,6 +2102,35 @@ dependencies = [
  "thiserror",
 ]
 
+[[package]]
+name = "rstest"
+version = "0.26.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f5a3193c063baaa2a95a33f03035c8a72b83d97a54916055ba22d35ed3839d49"
+dependencies = [
+ "futures-timer",
+ "futures-util",
+ "rstest_macros",
+]
+
+[[package]]
+name = "rstest_macros"
+version = "0.26.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c845311f0ff7951c5506121a9ad75aec44d083c31583b2ea5a30bcb0b0abba0"
+dependencies = [
+ "cfg-if",
+ "glob",
+ "proc-macro-crate",
+ "proc-macro2",
+ "quote",
+ "regex",
+ "relative-path",
+ "rustc_version",
+ "syn 2.0.115",
+ "unicode-ident",
+]
+
 [[package]]
 name = "rustc-demangle"
 version = "0.1.27"
@@ -2206,6 +2401,12 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
+
 [[package]]
 name = "string_morph"
 version = "0.1.0"
@@ -2419,6 +2620,16 @@ dependencies = [
  "time-core",
 ]
 
+[[package]]
+name = "tinystr"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
+dependencies = [
+ "displaydoc",
+ "zerovec",
+]
+
 [[package]]
 name = "tokio"
 version = "1.49.0"
@@ -2505,6 +2716,18 @@ dependencies = [
  "serde_core",
 ]
 
+[[package]]
+name = "toml_edit"
+version = "0.23.10+spec-1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "84c8b9f757e028cee9fa244aea147aab2a9ec09d5325a9b01e0a49730c2b5269"
+dependencies = [
+ "indexmap",
+ "toml_datetime",
+ "toml_parser",
+ "winnow",
+]
+
 [[package]]
 name = "toml_parser"
 version = "1.0.8+spec-1.1.0"
@@ -2747,6 +2970,24 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
+[[package]]
+name = "url"
+version = "2.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+ "serde",
+]
+
+[[package]]
+name = "utf8_iter"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
+
 [[package]]
 name = "uuid"
 version = "1.21.0"
@@ -3138,6 +3379,9 @@ name = "winnow"
 version = "0.7.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829"
+dependencies = [
+ "memchr",
+]
 
 [[package]]
 name = "wit-bindgen"
@@ -3227,6 +3471,12 @@ dependencies = [
  "wasmparser",
 ]
 
+[[package]]
+name = "writeable"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
+
 [[package]]
 name = "x25519-dalek"
 version = "2.0.1"
@@ -3266,6 +3516,50 @@ dependencies = [
  "time",
 ]
 
+[[package]]
+name = "yoke"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954"
+dependencies = [
+ "stable_deref_trait",
+ "yoke-derive",
+ "zerofrom",
+]
+
+[[package]]
+name = "yoke-derive"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.115",
+ "synstructure",
+]
+
+[[package]]
+name = "zerofrom"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
+dependencies = [
+ "zerofrom-derive",
+]
+
+[[package]]
+name = "zerofrom-derive"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.115",
+ "synstructure",
+]
+
 [[package]]
 name = "zeroize"
 version = "1.8.2"
@@ -3286,6 +3580,39 @@ dependencies = [
  "syn 2.0.115",
 ]
 
+[[package]]
+name = "zerotrie"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851"
+dependencies = [
+ "displaydoc",
+ "yoke",
+ "zerofrom",
+]
+
+[[package]]
+name = "zerovec"
+version = "0.11.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.115",
+]
+
 [[package]]
 name = "zmij"
 version = "1.0.21"

server/Cargo.toml

@@ -23,3 +23,12 @@ async-trait = "0.1.89"
 futures = "0.3.31"
 tokio-stream = { version = "0.1.18", features = ["full"] }
 kameo = "0.19.2"
+x25519-dalek = { version = "2.0.1", features = ["getrandom"] }
+rstest = "0.26.1"
+rustls-pki-types = "1.14.0"
+rcgen = { version = "0.14.7", features = [
+    "aws_lc_rs",
+    "pem",
+    "x509-parser",
+    "zeroize",
+], default-features = false }

server/crates/arbiter-client/Cargo.toml

@@ -3,5 +3,6 @@ name = "arbiter-client"
 version = "0.1.0"
 edition = "2024"
 repository = "https://git.markettakers.org/MarketTakers/arbiter"
+license = "Apache-2.0"
 
 [dependencies]

server/crates/arbiter-proto/Cargo.toml

@@ -3,17 +3,32 @@ name = "arbiter-proto"
 version = "0.1.0"
 edition = "2024"
 repository = "https://git.markettakers.org/MarketTakers/arbiter"
+license = "Apache-2.0"
 
 [dependencies]
 tonic.workspace = true
 tokio.workspace = true
 futures.workspace = true
-hex = "0.4.3"
 tonic-prost = "0.14.3"
 prost = "0.14.3"
 kameo.workspace = true
+url = "2.5.8"
+miette.workspace = true
+thiserror.workspace = true
+rustls-pki-types.workspace = true
+base64 = "0.22.1"
+tracing.workspace = true
+
 
 [build-dependencies]
 tonic-prost-build = "0.14.3"
 
+[dev-dependencies]
+rstest.workspace = true
+rand.workspace = true
+rcgen.workspace = true
+
+[package.metadata.cargo-shear]
+ignored = ["tonic-prost", "prost", "kameo"]
+
 

server/crates/arbiter-proto/src/lib.rs

@@ -1,3 +1,8 @@
+pub mod transport;
+pub mod url;
+
+use base64::{Engine, prelude::BASE64_STANDARD};
+
 use crate::proto::auth::AuthChallenge;
 
 pub mod proto {
@@ -8,9 +13,7 @@ pub mod proto {
     }
 }
 
-pub mod transport;
+pub static BOOTSTRAP_PATH: &str = "bootstrap_token";
-
-pub static BOOTSTRAP_TOKEN_PATH: &str = "bootstrap_token";
 
 pub fn home_path() -> Result<std::path::PathBuf, std::io::Error> {
     static ARBITER_HOME: &str = ".arbiter";
@@ -26,6 +29,6 @@ pub fn home_path() -> Result<std::path::PathBuf, std::io::Error> {
 }
 
 pub fn format_challenge(challenge: &AuthChallenge) -> Vec<u8> {
-    let concat_form = format!("{}:{}", challenge.nonce, hex::encode(&challenge.pubkey));
+    let concat_form = format!("{}:{}", challenge.nonce, BASE64_STANDARD.encode(&challenge.pubkey));
     concat_form.into_bytes().to_vec()
 }

server/crates/arbiter-proto/src/transport.rs

@@ -1,9 +1,75 @@
+//! Transport abstraction layer for bridging gRPC bidirectional streaming with kameo actors.
+//!
+//! This module provides a clean separation between the gRPC transport layer and business logic
+//! by modeling the connection as two linked kameo actors:
+//!
+//! - A **transport actor** ([`GrpcTransportActor`]) that owns the gRPC stream and channel,
+//!   forwarding inbound messages to the business actor and outbound messages to the client.
+//! - A **business logic actor** that receives inbound messages from the transport actor and
+//!   sends outbound messages back through the transport actor.
+//!
+//! The [`wire()`] function sets up bidirectional linking between the two actors, ensuring
+//! that if either actor dies, the other is notified and can shut down gracefully.
+//!
+//! # Terminology
+//!
+//! - **InboundMessage**: a message received by the transport actor from the channel/socket
+//!   and forwarded to the business actor.
+//! - **OutboundMessage**: a message produced by the business actor and sent to the transport
+//!   actor to be forwarded to the channel/socket.
+//!
+//! # Architecture
+//!
+//! ```text
+//! gRPC Stream ──InboundMessage──▶ GrpcTransportActor ──tell(InboundMessage)──▶ BusinessActor
+//!                                 ▲                                    │
+//!                                 └─tell(Result<OutboundMessage, _>)────┘
+//!                                 │
+//!                          mpsc::Sender ──▶ Client
+//! ```
+//!
+//! # Example
+//!
+//! ```rust,ignore
+//! let (tx, rx) = mpsc::channel(1000);
+//! let context = server_context.clone();
+//!
+//! wire(
+//!     |transport_ref| MyBusinessActor::new(context, transport_ref),
+//!     |business_recipient, business_id| GrpcTransportActor {
+//!         sender: tx,
+//!         receiver: grpc_stream,
+//!         business_logic_actor: business_recipient,
+//!         business_logic_actor_id: business_id,
+//!     },
+//! ).await;
+//!
+//! Ok(Response::new(ReceiverStream::new(rx)))
+//! ```
+
 use futures::{Stream, StreamExt};
-use tokio::sync::mpsc::{self, error::SendError};
+use kameo::{
+    Actor,
+    actor::{ActorRef, PreparedActor, Recipient, Spawn, WeakActorRef},
+    mailbox::Signal,
+    prelude::Message,
+};
+use tokio::{
+    select,
+    sync::mpsc::{self, error::SendError},
+};
 use tonic::{Status, Streaming};
+use tracing::{debug, error};
 
-
+/// A bidirectional stream abstraction for sans-io testing.
-// Abstraction for stream for sans-io capabilities
+///
+/// Combines a [`Stream`] of incoming messages with the ability to [`send`](Bi::send)
+/// outgoing responses. This trait allows business logic to be tested without a real
+/// gRPC connection by swapping in an in-memory implementation.
+///
+/// # Type Parameters
+/// - `T`: `InboundMessage` received from the channel/socket (e.g., `UserAgentRequest`)
+/// - `U`: `OutboundMessage` sent to the channel/socket (e.g., `UserAgentResponse`)
 pub trait Bi<T, U>: Stream<Item = Result<T, Status>> + Send + Sync + 'static {
     type Error;
     fn send(
@@ -12,7 +78,10 @@ pub trait Bi<T, U>: Stream<Item = Result<T, Status>> + Send + Sync + 'static {
     ) -> impl std::future::Future<Output = Result<(), Self::Error>> + Send;
 }
 
-// Bi-directional stream abstraction for handling gRPC streaming requests and responses
+/// Concrete [`Bi`] implementation backed by a tonic gRPC [`Streaming`] and an [`mpsc::Sender`].
+///
+/// This is the production implementation used in gRPC service handlers. The `request_stream`
+/// receives messages from the client, and `response_sender` sends responses back.
 pub struct BiStream<T, U> {
     pub request_stream: Streaming<T>,
     pub response_sender: mpsc::Sender<Result<U, Status>>,
@@ -44,3 +113,259 @@ where
         self.response_sender.send(item).await
     }
 }
+
+/// Marker trait for transport actors that can receive outbound messages of type `T`.
+///
+/// Implement this on your transport actor to indicate it can handle outbound messages
+/// produced by the business actor. Requires the actor to implement [`Message<Result<T, E>>`]
+/// so business logic can forward responses via [`tell()`](ActorRef::tell).
+///
+/// # Example
+///
+/// ```rust,ignore
+/// #[derive(Actor)]
+/// struct MyTransportActor { /* ... */ }
+///
+/// impl Message<Result<MyResponse, MyError>> for MyTransportActor {
+///     type Reply = ();
+///     async fn handle(&mut self, msg: Result<MyResponse, MyError>, _ctx: &mut Context<Self, Self::Reply>) -> Self::Reply {
+///         // forward outbound message to channel/socket
+///     }
+/// }
+///
+/// impl TransportActor<MyResponse, MyError> for MyTransportActor {}
+/// ```
+pub trait TransportActor<Outbound: Send + 'static, DomainError: Send + 'static>:
+    Actor + Send + Message<Result<Outbound, DomainError>>
+{
+}
+
+/// A kameo actor that bridges a gRPC bidirectional stream with a business logic actor.
+///
+/// This actor owns the gRPC [`Streaming`] receiver and an [`mpsc::Sender`] for responses.
+/// It multiplexes between its own mailbox (for outbound messages from the business actor)
+/// and the gRPC stream (for inbound client messages) using [`tokio::select!`].
+///
+/// # Message Flow
+///
+/// - **Inbound**: Messages from the gRPC stream are forwarded to `business_logic_actor`
+///   via [`tell()`](Recipient::tell).
+/// - **Outbound**: The business actor sends `Result<Outbound, DomainError>` messages to this
+///   actor, which forwards them through the `sender` channel to the gRPC response stream.
+///
+/// # Lifecycle
+///
+/// - If the business logic actor dies (detected via actor linking), this actor stops,
+///   which closes the gRPC stream.
+/// - If the gRPC stream closes or errors, this actor stops, which (via linking) notifies
+///   the business actor.
+/// - Error responses (`Err(DomainError)`) are forwarded to the client and then the actor stops,
+///   closing the connection.
+///
+/// # Type Parameters
+/// - `Outbound`: `OutboundMessage` sent to the client (e.g., `UserAgentResponse`)
+/// - `Inbound`: `InboundMessage` received from the client (e.g., `UserAgentRequest`)
+/// - `E`: The domain error type, must implement `Into<tonic::Status>` for gRPC conversion
+pub struct GrpcTransportActor<Outbound, Inbound, DomainError>
+where
+    Outbound: Send + 'static,
+    Inbound: Send + 'static,
+    DomainError: Into<tonic::Status> + Send + 'static,
+{
+    sender: mpsc::Sender<Result<Outbound, tonic::Status>>,
+    receiver: tonic::Streaming<Inbound>,
+    business_logic_actor: Recipient<Inbound>,
+    _error: std::marker::PhantomData<DomainError>,
+}
+
+impl<Outbound, Inbound, DomainError> GrpcTransportActor<Outbound, Inbound, DomainError>
+where
+    Outbound: Send + 'static,
+    Inbound: Send + 'static,
+    DomainError: Into<tonic::Status> + Send + 'static,
+{
+    pub fn new(
+        sender: mpsc::Sender<Result<Outbound, tonic::Status>>,
+        receiver: tonic::Streaming<Inbound>,
+        business_logic_actor: Recipient<Inbound>,
+    ) -> Self {
+        Self {
+            sender,
+            receiver,
+            business_logic_actor,
+            _error: std::marker::PhantomData,
+        }
+    }
+}
+
+impl<Outbound, Inbound, E> Actor for GrpcTransportActor<Outbound, Inbound, E>
+where
+    Outbound: Send + 'static,
+    Inbound: Send + 'static,
+    E: Into<tonic::Status> + Send + 'static,
+{
+    type Args = Self;
+
+    type Error = ();
+
+    async fn on_start(args: Self::Args, _: ActorRef<Self>) -> Result<Self, Self::Error> {
+        Ok(args)
+    }
+
+    fn on_link_died(
+        &mut self,
+        _: WeakActorRef<Self>,
+        id: kameo::prelude::ActorId,
+        _: kameo::prelude::ActorStopReason,
+    ) -> impl Future<
+        Output = Result<std::ops::ControlFlow<kameo::prelude::ActorStopReason>, Self::Error>,
+    > + Send {
+        async move {
+            if id == self.business_logic_actor.id() {
+                error!("Business logic actor died, stopping GrpcTransportActor");
+                Ok(std::ops::ControlFlow::Break(
+                    kameo::prelude::ActorStopReason::Normal,
+                ))
+            } else {
+                debug!(
+                    "Linked actor {} died, but it's not the business logic actor, ignoring",
+                    id
+                );
+                Ok(std::ops::ControlFlow::Continue(()))
+            }
+        }
+    }
+
+    async fn next(
+        &mut self,
+        _: WeakActorRef<Self>,
+        mailbox_rx: &mut kameo::prelude::MailboxReceiver<Self>,
+    ) -> Option<kameo::mailbox::Signal<Self>> {
+        select! {
+            msg = mailbox_rx.recv() => {
+                msg
+            }
+            recv_msg = self.receiver.next() => {
+                match recv_msg {
+                    Some(Ok(msg)) => {
+                        match self.business_logic_actor.tell(msg).await {
+                            Ok(_) => None,
+                            Err(e) => {
+                                // TODO: this would probably require better error handling - or resending if backpressure is the issue
+                                error!("Failed to send message to business logic actor: {}", e);
+                                Some(Signal::Stop)
+                            }
+                        }
+                    }
+                    Some(Err(e)) => {
+                        error!("Received error from stream: {}, stopping GrpcTransportActor", e);
+                        Some(Signal::Stop)
+                    }
+                    None => {
+                        error!("Receiver channel closed, stopping GrpcTransportActor");
+                        Some(Signal::Stop)
+                    }
+                }
+            }
+        }
+    }
+}
+
+impl<Outbound, Inbound, E> Message<Result<Outbound, E>> for GrpcTransportActor<Outbound, Inbound, E>
+where
+    Outbound: Send + 'static,
+    Inbound: Send + 'static,
+    E: Into<tonic::Status> + Send + 'static,
+{
+    type Reply = ();
+
+    async fn handle(
+        &mut self,
+        msg: Result<Outbound, E>,
+        ctx: &mut kameo::prelude::Context<Self, Self::Reply>,
+    ) -> Self::Reply {
+        let is_err = msg.is_err();
+        let grpc_msg = msg.map_err(Into::into);
+        match self.sender.send(grpc_msg).await {
+            Ok(_) => {
+                if is_err {
+                    ctx.stop();
+                }
+            }
+            Err(e) => {
+                error!("Failed to send message: {}", e);
+                ctx.stop();
+            }
+        }
+    }
+}
+
+impl<Outbound, Inbound, E> TransportActor<Outbound, E> for GrpcTransportActor<Outbound, Inbound, E>
+where
+    Outbound: Send + 'static,
+    Inbound: Send + 'static,
+    E: Into<tonic::Status> + Send + 'static,
+{
+}
+
+/// Wires together a transport actor and a business logic actor with bidirectional linking.
+///
+/// This function handles the chicken-and-egg problem of two actors that need references
+/// to each other at construction time. It uses kameo's [`PreparedActor`] to obtain
+/// [`ActorRef`]s before spawning, then links both actors so that if either dies,
+/// the other is notified via [`on_link_died`](Actor::on_link_died).
+///
+/// The business actor receives a type-erased [`Recipient<Result<Outbound, DomainError>>`] instead of an
+/// `ActorRef<Transport>`, keeping it decoupled from the concrete transport implementation.
+///
+/// # Type Parameters
+/// - `Transport`: The transport actor type (e.g., [`GrpcTransportActor`])
+/// - `Inbound`: `InboundMessage` received by the business actor from the transport
+/// - `Outbound`: `OutboundMessage` sent by the business actor back to the transport
+/// - `Business`: The business logic actor
+/// - `BusinessCtor`: Closure that receives a prepared business actor and transport recipient,
+///   spawns the business actor, and returns its [`ActorRef`]
+/// - `TransportCtor`: Closure that receives a prepared transport actor, a recipient for
+///   inbound messages, and the business actor id, then spawns the transport actor
+///
+/// # Returns
+/// A tuple of `(transport_ref, business_ref)` — actor references for both spawned actors.
+pub async fn wire<
+    Transport,
+    Inbound,
+    Outbound,
+    DomainError,
+    Business,
+    BusinessCtor,
+    TransportCtor,
+>(
+    business_ctor: BusinessCtor,
+    transport_ctor: TransportCtor,
+) -> (ActorRef<Transport>, ActorRef<Business>)
+where
+    Transport: TransportActor<Outbound, DomainError>,
+    Inbound: Send + 'static,
+    Outbound: Send + 'static,
+    DomainError: Send + 'static,
+    Business: Actor + Message<Inbound> + Send + 'static,
+    BusinessCtor: FnOnce(PreparedActor<Business>, Recipient<Result<Outbound, DomainError>>),
+    TransportCtor:
+        FnOnce(PreparedActor<Transport>, Recipient<Inbound>),
+{
+    let prepared_business: PreparedActor<Business> = Spawn::prepare();
+    let prepared_transport: PreparedActor<Transport> = Spawn::prepare();
+
+    let business_ref = prepared_business.actor_ref().clone();
+    let transport_ref = prepared_transport.actor_ref().clone();
+
+    transport_ref.link(&business_ref).await;
+    business_ref.link(&transport_ref).await;
+
+    let recipient = transport_ref.clone().recipient();
+    business_ctor(prepared_business, recipient);
+    let business_recipient = business_ref.clone().recipient();
+    transport_ctor(prepared_transport, business_recipient);
+
+
+    (transport_ref, business_ref)
+}

server/crates/arbiter-proto/src/url.rs

@@ -0,0 +1,128 @@
+use std::fmt::Display;
+
+use base64::{Engine as _, prelude::BASE64_URL_SAFE};
+use rustls_pki_types::CertificateDer;
+
+const ARBITER_URL_SCHEME: &str = "arbiter";
+const CERT_QUERY_KEY: &str = "cert";
+const BOOTSTRAP_TOKEN_QUERY_KEY: &str = "bootstrap_token";
+
+pub struct ArbiterUrl {
+    pub host: String,
+    pub port: u16,
+    pub ca_cert: CertificateDer<'static>,
+    pub bootstrap_token: Option<String>,
+}
+
+impl Display for ArbiterUrl {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut base = format!(
+            "{ARBITER_URL_SCHEME}://{}:{}?{CERT_QUERY_KEY}={}",
+            self.host,
+            self.port,
+            BASE64_URL_SAFE.encode(self.ca_cert.to_vec())
+        );
+        if let Some(token) = &self.bootstrap_token {
+            base.push_str(&format!("&{BOOTSTRAP_TOKEN_QUERY_KEY}={}", token));
+        }
+        f.write_str(&base)
+    }
+}
+
+#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+pub enum Error {
+    #[error("Invalid URL scheme, expected '{ARBITER_URL_SCHEME}://'")]
+    #[diagnostic(
+        code(arbiter::url::invalid_scheme),
+        help("The URL must start with '{ARBITER_URL_SCHEME}://'")
+    )]
+    InvalidScheme,
+    #[error("Missing host in URL")]
+    #[diagnostic(
+        code(arbiter::url::missing_host),
+        help("The URL must include a host, e.g., '{ARBITER_URL_SCHEME}://127.0.0.1:<port>'")
+    )]
+    MissingHost,
+    #[error("Missing port in URL")]
+    #[diagnostic(
+        code(arbiter::url::missing_port),
+        help("The URL must include a port, e.g., '{ARBITER_URL_SCHEME}://127.0.0.1:1234'")
+    )]
+    MissingPort,
+    #[error("Missing 'cert' query parameter in URL")]
+    #[diagnostic(
+        code(arbiter::url::missing_cert),
+        help("The URL must include a 'cert' query parameter")
+    )]
+    MissingCert,
+    #[error("Invalid base64 in 'cert' query parameter: {0}")]
+    #[diagnostic(code(arbiter::url::invalid_cert_base64))]
+    InvalidCertBase64(#[from] base64::DecodeError),
+}
+
+impl<'a> TryFrom<&'a str> for ArbiterUrl {
+    type Error = Error;
+
+    fn try_from(value: &'a str) -> Result<Self, Self::Error> {
+        let url = url::Url::parse(value).map_err(|_| Error::InvalidScheme)?;
+
+        if url.scheme() != ARBITER_URL_SCHEME {
+            return Err(Error::InvalidScheme);
+        }
+
+        let host = url.host_str().ok_or(Error::MissingHost)?.to_string();
+        let port = url.port().ok_or(Error::MissingPort)?;
+        let cert_str = url
+            .query_pairs()
+            .find(|(k, _)| k == CERT_QUERY_KEY)
+            .ok_or(Error::MissingCert)?
+            .1;
+
+        let cert = BASE64_URL_SAFE.decode(cert_str.as_ref())?;
+        let cert = CertificateDer::from_slice(&cert).into_owned();
+
+        let bootstrap_token = url
+            .query_pairs()
+            .find(|(k, _)| k == BOOTSTRAP_TOKEN_QUERY_KEY)
+            .map(|(_, v)| v.to_string());
+
+        Ok(ArbiterUrl {
+            host,
+            port,
+            ca_cert: cert,
+            bootstrap_token,
+        })
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use rcgen::generate_simple_self_signed;
+    use rstest::rstest;
+
+    use super::*;
+
+    #[rstest]
+
+    fn test_parsing_correctness(
+        #[values("127.0.0.1", "localhost", "192.168.1.1", "some.domain.com")] host: &str,
+
+        #[values(None, Some("token123".to_string()))] bootstrap_token: Option<String>,
+    ) {
+        let cert = generate_simple_self_signed(&["Arbiter CA".into()]).unwrap();
+        let cert = cert.cert.der();
+
+        let url = ArbiterUrl {
+            host: host.to_string(),
+            port: 1234,
+            ca_cert: cert.clone().into_owned(),
+            bootstrap_token,
+        };
+        let url_str = url.to_string();
+        let parsed_url = ArbiterUrl::try_from(url_str.as_str()).unwrap();
+        assert_eq!(url.host, parsed_url.host);
+        assert_eq!(url.port, parsed_url.port);
+        assert_eq!(url.ca_cert.to_vec(), parsed_url.ca_cert.to_vec());
+        assert_eq!(url.bootstrap_token, parsed_url.bootstrap_token);
+    }
+}

server/crates/arbiter-server/Cargo.toml

@@ -3,6 +3,7 @@ name = "arbiter-server"
 version = "0.1.0"
 edition = "2024"
 repository = "https://git.markettakers.org/MarketTakers/arbiter"
+license = "Apache-2.0"
 
 [dependencies]
 diesel = { version = "2.3.6", features = ["chrono", "returning_clauses_for_sqlite_3_35", "serde_json", "time", "uuid"] }
@@ -17,6 +18,7 @@ arbiter-proto.path = "../arbiter-proto"
 tracing.workspace = true
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 tonic.workspace = true
+tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 rustls.workspace = true
 smlang.workspace = true
@@ -29,21 +31,17 @@ futures.workspace = true
 tokio-stream.workspace = true
 dashmap = "6.1.0"
 rand.workspace = true
-rcgen = { version = "0.14.7", features = [
+rcgen.workspace = true
-    "aws_lc_rs",
-    "pem",
-    "x509-parser",
-    "zeroize",
-], default-features = false }
 chrono.workspace = true
 memsafe = "0.4.0"
 zeroize = { version = "1.8.2", features = ["std", "simd"] }
 kameo.workspace = true
-x25519-dalek = { version = "2.0.1", features = ["getrandom"] }
+x25519-dalek.workspace = true
 chacha20poly1305 = { version = "0.10.1", features = ["std"] }
 argon2 = { version = "0.5.3", features = ["zeroize"] }
 restructed = "0.2.2"
 strum = { version = "0.27.2", features = ["derive"] }
+pem = "3.0.6"
 
 [dev-dependencies]
 insta = "1.46.3"

server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql

@@ -24,14 +24,24 @@ create unique index if not exists uniq_nonce_per_root_key on aead_encrypted (
     associated_root_key_id
 );
 
+create table if not exists tls_history (
+    id INTEGER not null PRIMARY KEY,
+    cert text not null,
+    cert_key text not null, -- PEM Encoded private key
+    ca_cert text not null, 
+    ca_key text not null, -- PEM Encoded private key
+    created_at integer not null default(unixepoch ('now'))
+) STRICT;
+
 -- This is a singleton
 create table if not exists arbiter_settings (
     id INTEGER not null PRIMARY KEY CHECK (id = 1), -- singleton row, id must be 1
     root_key_id integer references root_key_history (id) on delete RESTRICT, -- if null, means wasn't bootstrapped yet
-    cert_key blob not null,
+    tls_id integer references tls_history (id) on delete RESTRICT
-    cert blob not null
 ) STRICT;
 
+insert into arbiter_settings (id) values (1) on conflict do nothing; -- ensure singleton row exists
+
 create table if not exists useragent_client (
     id integer not null primary key,
     nonce integer not null default(1), -- used for auth challenge

server/crates/arbiter-server/src/actors/bootstrap.rs

@@ -1,28 +1,31 @@
-use arbiter_proto::{BOOTSTRAP_TOKEN_PATH, home_path};
+use arbiter_proto::{BOOTSTRAP_PATH, home_path};
 use diesel::QueryDsl;
 use diesel_async::RunQueryDsl;
 use kameo::{Actor, messages};
 use miette::Diagnostic;
-use rand::{RngExt, distr::StandardUniform, make_rng, rngs::StdRng};
+use rand::{
+    RngExt,
+    distr::{Alphanumeric},
+    make_rng,
+    rngs::StdRng,
+};
 use thiserror::Error;
-use tracing::info;
 
 use crate::db::{self, DatabasePool, schema};
-
 const TOKEN_LENGTH: usize = 64;
 
 pub async fn generate_token() -> Result<String, std::io::Error> {
     let rng: StdRng = make_rng();
 
-    let token: String = rng
+    let token: String = rng.sample_iter(Alphanumeric).take(TOKEN_LENGTH).fold(
-        .sample_iter::<char, _>(StandardUniform)
+        Default::default(),
-        .take(TOKEN_LENGTH)
+        |mut accum, char| {
-        .fold(Default::default(), |mut accum, char| {
             accum += char.to_string().as_str();
             accum
-        });
+        },
+    );
 
-    tokio::fs::write(home_path()?.join(BOOTSTRAP_TOKEN_PATH), token.as_str()).await?;
+    tokio::fs::write(home_path()?.join(BOOTSTRAP_PATH), token.as_str()).await?;
 
     Ok(token)
 }
@@ -58,10 +61,9 @@ impl Bootstrapper {
 
         drop(conn);
 
+
         let token = if row_count == 0 {
             let token = generate_token().await?;
-            info!(%token, "Generated bootstrap token");
-            tokio::fs::write(home_path()?.join(BOOTSTRAP_TOKEN_PATH), token.as_str()).await?;
             Some(token)
         } else {
             None

server/crates/arbiter-server/src/actors/keyholder/mod.rs

@@ -345,30 +345,15 @@ impl KeyHolder {
 #[cfg(test)]
 mod tests {
     use diesel::SelectableHelper;
-    use diesel::dsl::insert_into;
+    
     use diesel_async::RunQueryDsl;
     use memsafe::MemSafe;
 
-    use crate::db::{self, models::ArbiterSetting};
+    use crate::db::{self};
 
     use super::*;
 
-    async fn seed_settings(pool: &db::DatabasePool) {
-        let mut conn = pool.get().await.unwrap();
-        insert_into(schema::arbiter_settings::table)
-            .values(&ArbiterSetting {
-                id: 1,
-                root_key_id: None,
-                cert_key: vec![],
-                cert: vec![],
-            })
-            .execute(&mut conn)
-            .await
-            .unwrap();
-    }
-
     async fn bootstrapped_actor(db: &db::DatabasePool) -> KeyHolder {
-        seed_settings(db).await;
         let mut actor = KeyHolder::new(db.clone()).await.unwrap();
         let seal_key = MemSafe::new(b"test-seal-key".to_vec()).unwrap();
         actor.bootstrap(seal_key).await.unwrap();

server/crates/arbiter-server/src/actors/user_agent/error.rs

@@ -0,0 +1,57 @@
+use tonic::Status;
+
+use crate::db;
+
+#[derive(Debug, thiserror::Error)]
+pub enum UserAgentError {
+    #[error("Missing payload in request")]
+    MissingPayload,
+
+    #[error("Invalid bootstrap token")]
+    InvalidBootstrapToken,
+
+    #[error("Public key not registered")]
+    PubkeyNotRegistered,
+
+    #[error("Invalid public key format")]
+    InvalidPubkey,
+
+    #[error("Invalid signature length")]
+    InvalidSignatureLength,
+
+    #[error("Invalid challenge solution")]
+    InvalidChallengeSolution,
+
+    #[error("Invalid state for operation")]
+    InvalidState,
+
+    #[error("Actor unavailable")]
+    ActorUnavailable,
+
+    #[error("Database error")]
+    Database(#[from] diesel::result::Error),
+
+    #[error("Database pool error")]
+    DatabasePool(#[from] db::PoolError),
+}
+
+impl From<UserAgentError> for Status {
+    fn from(err: UserAgentError) -> Self {
+        match err {
+            UserAgentError::MissingPayload
+            | UserAgentError::InvalidBootstrapToken
+            | UserAgentError::InvalidPubkey
+            | UserAgentError::InvalidSignatureLength => Status::invalid_argument(err.to_string()),
+
+            UserAgentError::PubkeyNotRegistered | UserAgentError::InvalidChallengeSolution => {
+                Status::unauthenticated(err.to_string())
+            }
+
+            UserAgentError::InvalidState => Status::failed_precondition(err.to_string()),
+
+            UserAgentError::ActorUnavailable
+            | UserAgentError::Database(_)
+            | UserAgentError::DatabasePool(_) => Status::internal(err.to_string()),
+        }
+    }
+}

server/crates/arbiter-server/src/actors/user_agent/mod.rs

@@ -1,21 +1,23 @@
 use std::{ops::DerefMut, sync::Mutex};
 
 use arbiter_proto::proto::{
-    UnsealEncryptedKey, UnsealResult, UnsealStart, UnsealStartResponse, UserAgentResponse,
+    UnsealEncryptedKey, UnsealResult, UnsealStart, UnsealStartResponse, UserAgentRequest,
+    UserAgentResponse,
     auth::{
-        self, AuthChallengeRequest, AuthOk, ServerMessage as AuthServerMessage,
+        self, AuthChallengeRequest, AuthOk, ClientMessage as ClientAuthMessage,
+        ServerMessage as AuthServerMessage,
+        client_message::Payload as ClientAuthPayload,
         server_message::Payload as ServerAuthPayload,
     },
+    user_agent_request::Payload as UserAgentRequestPayload,
     user_agent_response::Payload as UserAgentResponsePayload,
 };
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use diesel::{ExpressionMethods as _, OptionalExtension as _, QueryDsl, dsl::update};
 use diesel_async::RunQueryDsl;
 use ed25519_dalek::VerifyingKey;
-use kameo::{Actor, error::SendError, messages};
+use kameo::{Actor, actor::Recipient, error::SendError, messages, prelude::Message};
 use memsafe::MemSafe;
-use tokio::sync::mpsc::Sender;
-use tonic::Status;
 use tracing::{error, info};
 use x25519_dalek::{EphemeralSecret, PublicKey};
 
@@ -31,53 +33,74 @@ use crate::{
         },
     },
     db::{self, schema},
-    errors::GrpcStatusExt,
 };
 
+mod error;
 mod state;
 
-mod transport;
+pub use error::UserAgentError;
-pub(crate) use transport::handle_user_agent;
 
 #[derive(Actor)]
 pub struct UserAgentActor {
     db: db::DatabasePool,
     actors: GlobalActors,
     state: UserAgentStateMachine<DummyContext>,
-    // will be used in future
+    transport: Recipient<Result<UserAgentResponse, UserAgentError>>,
-    _tx: Sender<Result<UserAgentResponse, Status>>,
 }
 
 impl UserAgentActor {
     pub(crate) fn new(
         context: ServerContext,
-        tx: Sender<Result<UserAgentResponse, Status>>,
+        transport: Recipient<Result<UserAgentResponse, UserAgentError>>,
     ) -> Self {
         Self {
             db: context.db.clone(),
             actors: context.actors.clone(),
             state: UserAgentStateMachine::new(DummyContext),
-            _tx: tx,
+            transport,
         }
     }
 
     pub fn new_manual(
         db: db::DatabasePool,
         actors: GlobalActors,
-        tx: Sender<Result<UserAgentResponse, Status>>,
+        transport: Recipient<Result<UserAgentResponse, UserAgentError>>,
     ) -> Self {
         Self {
             db,
             actors,
             state: UserAgentStateMachine::new(DummyContext),
-            _tx: tx,
+            transport,
         }
     }
 
-    fn transition(&mut self, event: UserAgentEvents) -> Result<(), Status> {
+    async fn process_request(&mut self, req: UserAgentRequest) -> Output {
+        let msg = req.payload.ok_or_else(|| {
+            error!(actor = "useragent", "Received message with no payload");
+            UserAgentError::MissingPayload
+        })?;
+
+        match msg {
+            UserAgentRequestPayload::AuthMessage(ClientAuthMessage {
+                payload: Some(ClientAuthPayload::AuthChallengeRequest(req)),
+            }) => self.handle_auth_challenge_request(req).await,
+            UserAgentRequestPayload::AuthMessage(ClientAuthMessage {
+                payload: Some(ClientAuthPayload::AuthChallengeSolution(solution)),
+            }) => self.handle_auth_challenge_solution(solution).await,
+            UserAgentRequestPayload::UnsealStart(unseal_start) => {
+                self.handle_unseal_request(unseal_start).await
+            }
+            UserAgentRequestPayload::UnsealEncryptedKey(unseal_encrypted_key) => {
+                self.handle_unseal_encrypted_key(unseal_encrypted_key).await
+            }
+            _ => Err(UserAgentError::MissingPayload),
+        }
+    }
+
+    fn transition(&mut self, event: UserAgentEvents) -> Result<(), UserAgentError> {
         self.state.process_event(event).map_err(|e| {
             error!(?e, "State transition failed");
-            Status::internal("State machine error")
+            UserAgentError::InvalidState
         })?;
         Ok(())
     }
@@ -86,7 +109,7 @@ impl UserAgentActor {
         &mut self,
         pubkey: ed25519_dalek::VerifyingKey,
         token: String,
-    ) -> Result<UserAgentResponse, Status> {
+    ) -> Output {
         let token_ok: bool = self
             .actors
             .bootstrapper
@@ -94,16 +117,16 @@ impl UserAgentActor {
             .await
             .map_err(|e| {
                 error!(?pubkey, "Failed to consume bootstrap token: {e}");
-                Status::internal("Bootstrap token consumption failed")
+                UserAgentError::ActorUnavailable
             })?;
 
         if !token_ok {
             error!(?pubkey, "Invalid bootstrap token provided");
-            return Err(Status::invalid_argument("Invalid bootstrap token"));
+            return Err(UserAgentError::InvalidBootstrapToken);
         }
 
         {
-            let mut conn = self.db.get().await.to_status()?;
+            let mut conn = self.db.get().await?;
 
             diesel::insert_into(schema::useragent_client::table)
                 .values((
@@ -111,8 +134,7 @@ impl UserAgentActor {
                     schema::useragent_client::nonce.eq(1),
                 ))
                 .execute(&mut conn)
-                .await
+                .await?;
-                .to_status()?;
         }
 
         self.transition(UserAgentEvents::ReceivedBootstrapToken)?;
@@ -122,7 +144,7 @@ impl UserAgentActor {
 
     async fn auth_with_challenge(&mut self, pubkey: VerifyingKey, pubkey_bytes: Vec<u8>) -> Output {
         let nonce: Option<i32> = {
-            let mut db_conn = self.db.get().await.to_status()?;
+            let mut db_conn = self.db.get().await?;
             db_conn
                 .exclusive_transaction(|conn| {
                     Box::pin(async move {
@@ -146,13 +168,12 @@ impl UserAgentActor {
                     })
                 })
                 .await
-                .optional()
+                .optional()?
-                .to_status()?
         };
 
         let Some(nonce) = nonce else {
             error!(?pubkey, "Public key not found in database");
-            return Err(Status::unauthenticated("Public key not registered"));
+            return Err(UserAgentError::PubkeyNotRegistered);
         };
 
         let challenge = auth::AuthChallenge {
@@ -177,19 +198,17 @@ impl UserAgentActor {
     fn verify_challenge_solution(
         &self,
         solution: &auth::AuthChallengeSolution,
-    ) -> Result<(bool, &ChallengeContext), Status> {
+    ) -> Result<(bool, &ChallengeContext), UserAgentError> {
         let UserAgentStates::WaitingForChallengeSolution(challenge_context) = self.state.state()
         else {
             error!("Received challenge solution in invalid state");
-            return Err(Status::invalid_argument(
+            return Err(UserAgentError::InvalidState);
-                "Invalid state for challenge solution",
-            ));
         };
         let formatted_challenge = arbiter_proto::format_challenge(&challenge_context.challenge);
 
         let signature = solution.signature.as_slice().try_into().map_err(|_| {
             error!(?solution, "Invalid signature length");
-            Status::invalid_argument("Invalid signature length")
+            UserAgentError::InvalidSignatureLength
         })?;
 
         let valid = challenge_context
@@ -201,7 +220,7 @@ impl UserAgentActor {
     }
 }
 
-type Output = Result<UserAgentResponse, Status>;
+type Output = Result<UserAgentResponse, UserAgentError>;
 
 fn auth_response(payload: ServerAuthPayload) -> UserAgentResponse {
     UserAgentResponse {
@@ -227,7 +246,7 @@ impl UserAgentActor {
         let client_pubkey_bytes: [u8; 32] = req
             .client_pubkey
             .try_into()
-            .map_err(|_| Status::invalid_argument("client_pubkey must be 32 bytes"))?;
+            .map_err(|_| UserAgentError::InvalidPubkey)?;
 
         let client_public_key = PublicKey::from(client_pubkey_bytes);
 
@@ -247,9 +266,7 @@ impl UserAgentActor {
     pub async fn handle_unseal_encrypted_key(&mut self, req: UnsealEncryptedKey) -> Output {
         let UserAgentStates::WaitingForUnsealKey(unseal_context) = self.state.state() else {
             error!("Received unseal encrypted key in invalid state");
-            return Err(Status::failed_precondition(
+            return Err(UserAgentError::InvalidState);
-                "Invalid state for unseal encrypted key",
-            ));
         };
         let ephemeral_secret = {
             let mut secret_lock = unseal_context.secret.lock().unwrap();
@@ -313,7 +330,7 @@ impl UserAgentActor {
                     Err(err) => {
                         error!(?err, "Failed to send unseal request to keyholder");
                         self.transition(UserAgentEvents::ReceivedInvalidKey)?;
-                        Err(Status::internal("Vault is not available"))
+                        Err(UserAgentError::ActorUnavailable)
                     }
                 }
             }
@@ -329,12 +346,13 @@ impl UserAgentActor {
 
     #[message]
     pub async fn handle_auth_challenge_request(&mut self, req: AuthChallengeRequest) -> Output {
-        let pubkey = req.pubkey.as_array().ok_or(Status::invalid_argument(
+        let pubkey = req
-            "Expected pubkey to have specific length",
+            .pubkey
-        ))?;
+            .as_array()
+            .ok_or(UserAgentError::InvalidPubkey)?;
         let pubkey = VerifyingKey::from_bytes(pubkey).map_err(|_err| {
             error!(?pubkey, "Failed to convert to VerifyingKey");
-            Status::invalid_argument("Failed to convert pubkey to VerifyingKey")
+            UserAgentError::InvalidPubkey
         })?;
 
         self.transition(UserAgentEvents::AuthRequest)?;
@@ -362,7 +380,22 @@ impl UserAgentActor {
         } else {
             error!("Client provided invalid solution to authentication challenge");
             self.transition(UserAgentEvents::ReceivedBadSolution)?;
-            Err(Status::unauthenticated("Invalid challenge solution"))
+            Err(UserAgentError::InvalidChallengeSolution)
+        }
+    }
+}
+
+impl Message<UserAgentRequest> for UserAgentActor {
+    type Reply = ();
+
+    async fn handle(
+        &mut self,
+        msg: UserAgentRequest,
+        _ctx: &mut kameo::prelude::Context<Self, Self::Reply>,
+    ) -> Self::Reply {
+        let result = self.process_request(msg).await;
+        if let Err(e) = self.transport.tell(result).await {
+            error!(actor = "useragent", "Failed to send response to transport: {}", e);
         }
     }
 }

server/crates/arbiter-server/src/actors/user_agent/transport.rs

@@ -1,95 +0,0 @@
-use super::UserAgentActor;
-use arbiter_proto::proto::{
-    UserAgentRequest, UserAgentResponse,
-    auth::{ClientMessage as ClientAuthMessage, client_message::Payload as ClientAuthPayload},
-    user_agent_request::Payload as UserAgentRequestPayload,
-};
-use futures::StreamExt;
-use kameo::{
-    actor::{ActorRef, Spawn as _},
-    error::SendError,
-};
-use tokio::sync::mpsc;
-use tonic::Status;
-use tracing::error;
-
-use crate::{
-    actors::user_agent::{
-        HandleAuthChallengeRequest, HandleAuthChallengeSolution, HandleUnsealEncryptedKey,
-        HandleUnsealRequest,
-    },
-    context::ServerContext,
-};
-
-pub(crate) async fn handle_user_agent(
-    context: ServerContext,
-    mut req_stream: tonic::Streaming<UserAgentRequest>,
-    tx: mpsc::Sender<Result<UserAgentResponse, Status>>,
-) {
-    let actor = UserAgentActor::spawn(UserAgentActor::new(context, tx.clone()));
-
-    while let Some(Ok(req)) = req_stream.next().await
-        && actor.is_alive()
-    {
-        match process_message(&actor, req).await {
-            Ok(resp) => {
-                if tx.send(Ok(resp)).await.is_err() {
-                    error!(actor = "useragent", "Failed to send response to client");
-                    break;
-                }
-            }
-            Err(status) => {
-                let _ = tx.send(Err(status)).await;
-                break;
-            }
-        }
-    }
-
-    actor.kill();
-}
-
-async fn process_message(
-    actor: &ActorRef<UserAgentActor>,
-    req: UserAgentRequest,
-) -> Result<UserAgentResponse, Status> {
-    let msg = req.payload.ok_or_else(|| {
-        error!(actor = "useragent", "Received message with no payload");
-        Status::invalid_argument("Expected message with payload")
-    })?;
-
-    match msg {
-        UserAgentRequestPayload::AuthMessage(ClientAuthMessage {
-            payload: Some(ClientAuthPayload::AuthChallengeRequest(req)),
-        }) => actor
-            .ask(HandleAuthChallengeRequest { req })
-            .await
-            .map_err(into_status),
-        UserAgentRequestPayload::AuthMessage(ClientAuthMessage {
-            payload: Some(ClientAuthPayload::AuthChallengeSolution(solution)),
-        }) => actor
-            .ask(HandleAuthChallengeSolution { solution })
-            .await
-            .map_err(into_status),
-        UserAgentRequestPayload::UnsealStart(unseal_start) => actor
-            .ask(HandleUnsealRequest { req: unseal_start })
-            .await
-            .map_err(into_status),
-        UserAgentRequestPayload::UnsealEncryptedKey(unseal_encrypted_key) => actor
-            .ask(HandleUnsealEncryptedKey {
-                req: unseal_encrypted_key,
-            })
-            .await
-            .map_err(into_status),
-        _ => Err(Status::invalid_argument("Expected message with payload")),
-    }
-}
-
-fn into_status<M>(e: SendError<M, Status>) -> Status {
-    match e {
-        SendError::HandlerError(status) => status,
-        _ => {
-            error!(actor = "useragent", "Failed to send message to actor");
-            Status::internal("session failure")
-        }
-    }
-}

server/crates/arbiter-server/src/context/mod.rs

@@ -1,14 +1,12 @@
 use std::sync::Arc;
 
-use diesel::OptionalExtension as _;
-use diesel_async::RunQueryDsl as _;
 use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
     actors::GlobalActors,
-    context::tls::{TlsDataRaw, TlsManager},
+    context::tls::TlsManager,
-    db::{self, models::ArbiterSetting, schema::arbiter_settings},
+    db::{self},
 };
 
 pub mod tls;
@@ -29,7 +27,7 @@ pub enum InitError {
 
     #[error("TLS initialization failed: {0}")]
     #[diagnostic(code(arbiter_server::init::tls_init))]
-    Tls(#[from] tls::TlsInitError),
+    Tls(#[from] tls::InitError),
 
     #[error("Actor spawn failed: {0}")]
     #[diagnostic(code(arbiter_server::init::actor_spawn))]
@@ -57,54 +55,11 @@ impl std::ops::Deref for ServerContext {
 }
 
 impl ServerContext {
-    async fn load_tls(
-        db: &mut db::DatabaseConnection,
-        settings: Option<&ArbiterSetting>,
-    ) -> Result<TlsManager, InitError> {
-        match &settings {
-            Some(settings) => {
-                let tls_data_raw = TlsDataRaw {
-                    cert: settings.cert.clone(),
-                    key: settings.cert_key.clone(),
-                };
-
-                Ok(TlsManager::new(Some(tls_data_raw)).await?)
-            }
-            None => {
-                let tls = TlsManager::new(None).await?;
-                let tls_data_raw = tls.bytes();
-
-                diesel::insert_into(arbiter_settings::table)
-                    .values(&ArbiterSetting {
-                        id: 1,
-                        root_key_id: None,
-                        cert_key: tls_data_raw.key,
-                        cert: tls_data_raw.cert,
-                    })
-                    .execute(db)
-                    .await?;
-
-                Ok(tls)
-            }
-        }
-    }
-
     pub async fn new(db: db::DatabasePool) -> Result<Self, InitError> {
-        let mut conn = db.get().await?;
-
-        let settings = arbiter_settings::table
-            .first::<ArbiterSetting>(&mut conn)
-            .await
-            .optional()?;
-
-        let tls = Self::load_tls(&mut conn, settings.as_ref()).await?;
-
-        drop(conn);
-
         Ok(Self(Arc::new(_ServerContextInner {
             actors: GlobalActors::spawn(db.clone()).await?,
+            tls: TlsManager::new(db.clone()).await?,
             db,
-            tls,
         })))
     }
 }

server/crates/arbiter-server/src/context/tls.rs

@@ -1,12 +1,36 @@
 use std::string::FromUtf8Error;
 
+use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper as _};
+use diesel_async::{AsyncConnection, RunQueryDsl};
 use miette::Diagnostic;
-use rcgen::{Certificate, KeyPair};
+use pem::Pem;
-use rustls::pki_types::CertificateDer;
+use rcgen::{
+    BasicConstraints, Certificate, CertificateParams, CertifiedIssuer, DistinguishedName, DnType,
+    IsCa, Issuer, KeyPair, KeyUsagePurpose,
+};
+use rustls::pki_types::{pem::PemObject};
 use thiserror::Error;
+use tonic::transport::CertificateDer;
+
+use crate::db::{
+    self,
+    models::{NewTlsHistory, TlsHistory},
+    schema::{
+        arbiter_settings,
+        tls_history::{self},
+    },
+};
+
+const ENCODE_CONFIG: pem::EncodeConfig = {
+    let line_ending = match cfg!(target_family = "windows") {
+        true => pem::LineEnding::CRLF,
+        false => pem::LineEnding::LF,
+    };
+    pem::EncodeConfig::new().set_line_ending(line_ending)
+};
 
 #[derive(Error, Debug, Diagnostic)]
-pub enum TlsInitError {
+pub enum InitError {
     #[error("Key generation error during TLS initialization: {0}")]
     #[diagnostic(code(arbiter_server::tls_init::key_generation))]
     KeyGeneration(#[from] rcgen::Error),
@@ -18,68 +42,211 @@ pub enum TlsInitError {
     #[error("Key deserialization error: {0}")]
     #[diagnostic(code(arbiter_server::tls_init::key_deserialization))]
     KeyDeserializationError(rcgen::Error),
+
+    #[error("Database error during TLS initialization: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::database_error))]
+    DatabaseError(#[from] diesel::result::Error),
+
+    #[error("Pem deserialization error during TLS initialization: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::pem_deserialization))]
+    PemDeserializationError(#[from] rustls::pki_types::pem::Error),
+
+    #[error("Database pool acquire error during TLS initialization: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::database_pool_acquire))]
+    DatabasePoolAcquire(#[from] db::PoolError),
 }
 
-pub struct TlsData {
+pub type PemCert = String;
-    pub cert: CertificateDer<'static>,
+
-    pub keypair: KeyPair,
+pub fn encode_cert_to_pem(cert: &CertificateDer) -> PemCert {
+    pem::encode_config(
+        &Pem::new("CERTIFICATE", cert.to_vec()),
+        ENCODE_CONFIG,
+    )
 }
 
-pub struct TlsDataRaw {
+#[allow(unused)]
-    pub cert: Vec<u8>,
+struct SerializedTls {
-    pub key: Vec<u8>,
+    cert_pem: PemCert,
+    cert_key_pem: String,
 }
-impl TlsDataRaw {
+
-    pub fn serialize(cert: &TlsData) -> Self {
+struct TlsCa {
-        Self {
+    issuer: Issuer<'static, KeyPair>,
-            cert: cert.cert.as_ref().to_vec(),
+    cert: CertificateDer<'static>,
-            key: cert.keypair.serialize_pem().as_bytes().to_vec(),
+}
-        }
+
+impl TlsCa {
+    fn generate() -> Result<Self, InitError> {
+        let keypair = KeyPair::generate()?;
+        let mut params = CertificateParams::new(["Arbiter Instance CA".into()])?;
+        params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+        params.key_usages = vec![
+            KeyUsagePurpose::KeyCertSign,
+            KeyUsagePurpose::CrlSign,
+            KeyUsagePurpose::DigitalSignature,
+        ];
+
+        let mut dn = DistinguishedName::new();
+        dn.push(DnType::CommonName, "Arbiter Instance CA");
+        params.distinguished_name = dn;
+        let certified_issuer = CertifiedIssuer::self_signed(params, keypair)?;
+
+        let cert_key_pem = certified_issuer.key().serialize_pem();
+
+        let issuer = Issuer::from_ca_cert_pem(
+            &certified_issuer.pem(),
+            KeyPair::from_pem(cert_key_pem.as_ref()).unwrap(),
+        )
+        .unwrap();
+
+        Ok(Self {
+            issuer,
+            cert: certified_issuer.der().clone(),
+        })
+    }
+    fn generate_leaf(&self) -> Result<TlsCert, InitError> {
+        let cert_key = KeyPair::generate()?;
+        let mut params = CertificateParams::new(["Arbiter Instance Leaf".into()])?;
+        params.is_ca = IsCa::NoCa;
+        params.key_usages = vec![
+            KeyUsagePurpose::DigitalSignature,
+            KeyUsagePurpose::KeyEncipherment,
+        ];
+
+        let mut dn = DistinguishedName::new();
+        dn.push(DnType::CommonName, "Arbiter Instance Leaf");
+        params.distinguished_name = dn;
+
+        let new_cert = params.signed_by(&cert_key, &self.issuer)?;
+
+        Ok(TlsCert {
+            cert: new_cert,
+            cert_key,
+        })
     }
 
-    pub fn deserialize(&self) -> Result<TlsData, TlsInitError> {
+    #[allow(unused)]
-        let cert = CertificateDer::from_slice(&self.cert).into_owned();
+    fn serialize(&self) -> Result<SerializedTls, InitError> {
+        let cert_key_pem = self.issuer.key().serialize_pem();
+        Ok(SerializedTls {
+            cert_pem: encode_cert_to_pem(&self.cert),
+            cert_key_pem,
+        })
+    }
 
-        let key = String::from_utf8(self.key.clone()).map_err(TlsInitError::KeyInvalidFormat)?;
+    #[allow(unused)]
-
+    fn try_deserialize(cert_pem: &str, cert_key_pem: &str) -> Result<Self, InitError> {
-        let keypair = KeyPair::from_pem(&key).map_err(TlsInitError::KeyDeserializationError)?;
+        let keypair =
-
+            KeyPair::from_pem(cert_key_pem).map_err(InitError::KeyDeserializationError)?;
-        Ok(TlsData { cert, keypair })
+        let issuer = Issuer::from_ca_cert_pem(cert_pem, keypair)?;
+        Ok(Self {
+            issuer,
+            cert: CertificateDer::from_pem_slice(cert_pem.as_bytes())?,
+        })
     }
 }
 
-fn generate_cert(key: &KeyPair) -> Result<Certificate, rcgen::Error> {
+struct TlsCert {
-    let params =
+    cert: Certificate,
-        rcgen::CertificateParams::new(vec!["arbiter.local".to_string(), "localhost".to_string()])?;
+    cert_key: KeyPair,
-
-    params.self_signed(key)
 }
 
 // TODO: Implement cert rotation
 pub struct TlsManager {
-    data: TlsData,
+    cert: CertificateDer<'static>,
+    keypair: KeyPair,
+    ca_cert: CertificateDer<'static>,
+    _db: db::DatabasePool,
 }
 
 impl TlsManager {
-    pub async fn new(data: Option<TlsDataRaw>) -> Result<Self, TlsInitError> {
+    pub async fn generate_new(db: &db::DatabasePool) -> Result<Self, InitError> {
-        match data {
+        let ca = TlsCa::generate()?;
-            Some(raw) => {
+        let new_cert = ca.generate_leaf()?;
-                let tls_data = raw.deserialize()?;
+
-                Ok(Self { data: tls_data })
+        {
-            }
+            let mut conn = db.get().await?;
-            None => {
+            conn.transaction(|conn| {
-                let keypair = KeyPair::generate()?;
+                Box::pin(async {
-                let cert = generate_cert(&keypair)?;
+                    let new_tls_history = NewTlsHistory {
-                let tls_data = TlsData {
+                        cert: new_cert.cert.pem(),
-                    cert: cert.der().clone(),
+                        cert_key: new_cert.cert_key.serialize_pem(),
-                    keypair,
+                        ca_cert: encode_cert_to_pem(&ca.cert),
+                        ca_key: ca.issuer.key().serialize_pem(),
+                    };
+
+                    let inserted_tls_history: i32 = diesel::insert_into(tls_history::table)
+                        .values(&new_tls_history)
+                        .returning(tls_history::id)
+                        .get_result(conn)
+                        .await?;
+
+                    diesel::update(arbiter_settings::table)
+                        .set(arbiter_settings::tls_id.eq(inserted_tls_history))
+                        .execute(conn)
+                        .await?;
+
+                    Result::<_, diesel::result::Error>::Ok(())
+                })
+            })
+            .await?;
+        }
+
+        Ok(Self {
+            cert: new_cert.cert.der().clone(),
+            keypair: new_cert.cert_key,
+            ca_cert: ca.cert,
+            _db: db.clone(),
+        })
+    }
+
+    pub async fn new(db: db::DatabasePool) -> Result<Self, InitError> {
+        let cert_data: Option<TlsHistory> = {
+            let mut conn = db.get().await?;
+            arbiter_settings::table
+                .left_join(tls_history::table)
+                .select(Option::<TlsHistory>::as_select())
+                .first(&mut conn)
+                .await?
+        };
+
+        match cert_data {
+            Some(data) => {
+                let try_load = || -> Result<_, Box<dyn std::error::Error>> {
+                    let keypair = KeyPair::from_pem(&data.cert_key)?;
+                    let cert = CertificateDer::from_pem_slice(data.cert.as_bytes())?;
+                    let ca_cert = CertificateDer::from_pem_slice(data.ca_cert.as_bytes())?;
+                    Ok(Self {
+                        cert,
+                        keypair,
+                        ca_cert,
+                        _db: db.clone(),
+                    })
                 };
-                Ok(Self { data: tls_data })
+                match try_load() {
+                    Ok(manager) => Ok(manager),
+                    Err(e) => {
+                        eprintln!("Failed to load existing TLS certs: {e}. Generating new ones.");
+                        Self::generate_new(&db).await
+                    }
+                }
             }
+            None => Self::generate_new(&db).await,
         }
     }
 
-    pub fn bytes(&self) -> TlsDataRaw {
+    pub fn cert(&self) -> &CertificateDer<'static> {
-        TlsDataRaw::serialize(&self.data)
+        &self.cert
+    }
+    pub fn ca_cert(&self) -> &CertificateDer<'static> {
+        &self.ca_cert
+    }
+
+    pub fn cert_pem(&self) -> PemCert {
+        encode_cert_to_pem(&self.cert)
+    }
+    pub fn key_pem(&self) -> String {
+        self.keypair.serialize_pem()
     }
 }

server/crates/arbiter-server/src/db/mod.rs

@@ -24,23 +24,23 @@ const MIGRATIONS: EmbeddedMigrations = embed_migrations!("migrations");
 #[derive(Error, Diagnostic, Debug)]
 pub enum DatabaseSetupError {
     #[error("Failed to determine home directory")]
-    #[diagnostic(code(arbiter::db::home_dir_error))]
+    #[diagnostic(code(arbiter::db::home_dir))]
     HomeDir(std::io::Error),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::connection_error))]
+    #[diagnostic(code(arbiter::db::connection))]
     Connection(diesel::ConnectionError),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::concurrency_error))]
+    #[diagnostic(code(arbiter::db::concurrency))]
     ConcurrencySetup(diesel::result::Error),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::migration_error))]
+    #[diagnostic(code(arbiter::db::migration))]
     Migration(Box<dyn std::error::Error + Send + Sync>),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::pool_error))]
+    #[diagnostic(code(arbiter::db::pool))]
     Pool(#[from] PoolInitError),
 }
 
@@ -91,12 +91,12 @@ fn initialize_database(url: &str) -> Result<(), DatabaseSetupError> {
 
 #[tracing::instrument(level = "info")]
 pub async fn create_pool(url: Option<&str>) -> Result<DatabasePool, DatabaseSetupError> {
-    let database_url = url.map(String::from).unwrap_or(format!(
+    let database_url = url.map(String::from).unwrap_or(
-        "{}?mode=rwc",
+        database_path()?
-        (database_path()?
             .to_str()
-            .expect("database path is not valid UTF-8"))
+            .expect("database path is not valid UTF-8")
-    ));
+            .to_string(),
+    );
 
     initialize_database(&database_url)?;
 

server/crates/arbiter-server/src/db/models.rs

@@ -1,7 +1,7 @@
 #![allow(unused)]
 #![allow(clippy::all)]
 
-use crate::db::schema::{self, aead_encrypted, arbiter_settings, root_key_history};
+use crate::db::schema::{self, aead_encrypted, arbiter_settings, root_key_history, tls_history};
 use diesel::{prelude::*, sqlite::Sqlite};
 use restructed::Models;
 
@@ -46,13 +46,29 @@ pub struct RootKeyHistory {
     pub salt: Vec<u8>,
 }
 
-#[derive(Queryable, Debug, Insertable)]
+#[derive(Models, Queryable, Debug, Insertable, Selectable)]
+#[diesel(table_name = tls_history, check_for_backend(Sqlite))]
+#[view(
+    NewTlsHistory,
+    derive(Insertable),
+    omit(id, created_at),
+    attributes_with = "deriveless"
+)]
+pub struct TlsHistory {
+    pub id: i32,
+    pub cert: String,
+    pub cert_key: String, // PEM Encoded private key
+    pub ca_cert: String, // PEM Encoded certificate for cert signing
+    pub ca_key: String, // PEM Encoded public key for cert signing
+    pub created_at: i32,
+}
+
+#[derive(Queryable, Debug, Insertable, Selectable)]
 #[diesel(table_name = arbiter_settings, check_for_backend(Sqlite))]
-pub struct ArbiterSetting {
+pub struct ArbiterSettings {
     pub id: i32,
     pub root_key_id: Option<i32>, // references root_key_history.id
-    pub cert_key: Vec<u8>,
+    pub tls_id: Option<i32>, // references tls_history.id
-    pub cert: Vec<u8>,
 }
 
 #[derive(Queryable, Debug)]

server/crates/arbiter-server/src/db/schema.rs

@@ -16,8 +16,7 @@ diesel::table! {
     arbiter_settings (id) {
         id -> Integer,
         root_key_id -> Nullable<Integer>,
-        cert_key -> Binary,
+        tls_id -> Nullable<Integer>,
-        cert -> Binary,
     }
 }
 
@@ -43,6 +42,17 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    tls_history (id) {
+        id -> Integer,
+        cert -> Text,
+        cert_key -> Text,
+        ca_cert -> Text,
+        ca_key -> Text,
+        created_at -> Integer,
+    }
+}
+
 diesel::table! {
     useragent_client (id) {
         id -> Integer,
@@ -55,11 +65,13 @@ diesel::table! {
 
 diesel::joinable!(aead_encrypted -> root_key_history (associated_root_key_id));
 diesel::joinable!(arbiter_settings -> root_key_history (root_key_id));
+diesel::joinable!(arbiter_settings -> tls_history (tls_id));
 
 diesel::allow_tables_to_appear_in_same_query!(
     aead_encrypted,
     arbiter_settings,
     program_client,
     root_key_history,
+    tls_history,
     useragent_client,
 );

server/crates/arbiter-server/src/errors.rs

@@ -1,24 +0,0 @@
-use tonic::Status;
-use tracing::error;
-
-pub trait GrpcStatusExt<T> {
-    fn to_status(self) -> Result<T, Status>;
-}
-
-impl<T> GrpcStatusExt<T> for Result<T, diesel::result::Error> {
-    fn to_status(self) -> Result<T, Status> {
-        self.map_err(|e| {
-            error!(error = ?e, "Database error");
-            Status::internal("Database error")
-        })
-    }
-}
-
-impl<T> GrpcStatusExt<T> for Result<T, crate::db::PoolError> {
-    fn to_status(self) -> Result<T, Status> {
-        self.map_err(|e| {
-            error!(error = ?e, "Database pool error");
-            Status::internal("Database pool error")
-        })
-    }
-}

server/crates/arbiter-server/src/lib.rs

@@ -1,23 +1,26 @@
 #![forbid(unsafe_code)]
 use arbiter_proto::{
     proto::{ClientRequest, ClientResponse, UserAgentRequest, UserAgentResponse},
-    transport::BiStream,
+    transport::{BiStream, GrpcTransportActor, wire},
 };
 use async_trait::async_trait;
+use kameo::actor::PreparedActor;
 use tokio_stream::wrappers::ReceiverStream;
 
 use tokio::sync::mpsc;
 use tonic::{Request, Response, Status};
 
 use crate::{
-    actors::{client::handle_client, user_agent::handle_user_agent},
+    actors::{
+        client::handle_client,
+        user_agent::UserAgentActor,
+    },
     context::ServerContext,
 };
 
 pub mod actors;
 pub mod context;
 pub mod db;
-mod errors;
 
 const DEFAULT_CHANNEL_SIZE: usize = 1000;
 
@@ -59,7 +62,22 @@ impl arbiter_proto::proto::arbiter_service_server::ArbiterService for Server {
     ) -> Result<Response<Self::UserAgentStream>, Status> {
         let req_stream = request.into_inner();
         let (tx, rx) = mpsc::channel(DEFAULT_CHANNEL_SIZE);
-        tokio::spawn(handle_user_agent(self.context.clone(), req_stream, tx));
+        let context = self.context.clone();
+
+        wire(
+            |prepared: PreparedActor<UserAgentActor>, recipient| {
+                prepared.spawn(UserAgentActor::new(context, recipient));
+            },
+            |prepared: PreparedActor<GrpcTransportActor<_, _, _>>, business_recipient| {
+                prepared.spawn(GrpcTransportActor::new(
+                    tx,
+                    req_stream,
+                    business_recipient,
+                ));
+            },
+        )
+        .await;
+
         Ok(Response::new(ReceiverStream::new(rx)))
     }
 }

server/crates/arbiter-server/src/main.rs

@@ -1,7 +1,13 @@
-use arbiter_proto::proto::arbiter_service_server::ArbiterServiceServer;
+use std::net::SocketAddr;
-use arbiter_server::{Server, context::ServerContext, db};
+
+use arbiter_proto::{proto::arbiter_service_server::ArbiterServiceServer, url::ArbiterUrl};
+use arbiter_server::{Server, actors::bootstrap::GetToken, context::ServerContext, db};
+use miette::miette;
+use tonic::transport::{Identity, ServerTlsConfig};
 use tracing::info;
 
+const PORT: u16 = 50051;
+
 #[tokio::main]
 async fn main() -> miette::Result<()> {
     tracing_subscriber::fmt()
@@ -13,18 +19,31 @@ async fn main() -> miette::Result<()> {
 
     info!("Starting arbiter server");
 
-    info!("Initializing database");
     let db = db::create_pool(None).await?;
     info!("Database ready");
 
-    info!("Initializing server context");
     let context = ServerContext::new(db).await?;
-    info!("Server context ready");
 
-    let addr = "[::1]:50051".parse().expect("valid address");
+    let addr: SocketAddr = format!("127.0.0.1:{PORT}").parse().expect("valid address");
     info!(%addr, "Starting gRPC server");
 
+    let url = ArbiterUrl {
+        host: addr.ip().to_string(),
+        port: addr.port(),
+        ca_cert: context.tls.ca_cert().clone().into_owned(),
+        bootstrap_token: context.actors.bootstrapper.ask(GetToken).await.unwrap(),
+    };
+
+    info!(%url, "Server URL");
+
+    let tls = ServerTlsConfig::new().identity(Identity::from_pem(
+        context.tls.cert_pem(),
+        context.tls.key_pem(),
+    ));
+
     tonic::transport::Server::builder()
+        .tls_config(tls)
+        .map_err(|err| miette!("Faild to setup TLS: {err}"))?
         .add_service(ArbiterServiceServer::new(Server::new(context)))
         .serve(addr)
         .await

server/crates/arbiter-server/tests/common/mod.rs

@@ -1,28 +1,13 @@
 use arbiter_server::{
     actors::keyholder::KeyHolder,
-    db::{self, models::ArbiterSetting, schema},
+    db::{self, schema},
 };
-use diesel::{QueryDsl, insert_into};
+use diesel::QueryDsl;
 use diesel_async::RunQueryDsl;
 use memsafe::MemSafe;
 
-pub async fn seed_settings(pool: &db::DatabasePool) {
-    let mut conn = pool.get().await.unwrap();
-    insert_into(schema::arbiter_settings::table)
-        .values(&ArbiterSetting {
-            id: 1,
-            root_key_id: None,
-            cert_key: vec![],
-            cert: vec![],
-        })
-        .execute(&mut conn)
-        .await
-        .unwrap();
-}
-
 #[allow(dead_code)]
 pub async fn bootstrapped_keyholder(db: &db::DatabasePool) -> KeyHolder {
-    seed_settings(db).await;
     let mut actor = KeyHolder::new(db.clone()).await.unwrap();
     actor
         .bootstrap(MemSafe::new(b"test-seal-key".to_vec()).unwrap())

server/crates/arbiter-server/tests/keyholder/lifecycle.rs

@@ -12,7 +12,6 @@ use crate::common;
 #[test_log::test]
 async fn test_bootstrap() {
     let db = db::create_test_pool().await;
-    common::seed_settings(&db).await;
     let mut actor = KeyHolder::new(db.clone()).await.unwrap();
 
     let seal_key = MemSafe::new(b"test-seal-key".to_vec()).unwrap();
@@ -53,7 +52,6 @@ async fn test_bootstrap_rejects_double() {
 #[test_log::test]
 async fn test_create_new_before_bootstrap_fails() {
     let db = db::create_test_pool().await;
-    common::seed_settings(&db).await;
     let mut actor = KeyHolder::new(db).await.unwrap();
 
     let err = actor
@@ -67,7 +65,6 @@ async fn test_create_new_before_bootstrap_fails() {
 #[test_log::test]
 async fn test_decrypt_before_bootstrap_fails() {
     let db = db::create_test_pool().await;
-    common::seed_settings(&db).await;
     let mut actor = KeyHolder::new(db).await.unwrap();
 
     let err = actor.decrypt(1).await.unwrap_err();

server/crates/arbiter-server/tests/user_agent.rs

@@ -1,5 +1,30 @@
 mod common;
 
+use arbiter_proto::proto::UserAgentResponse;
+use arbiter_server::actors::user_agent::UserAgentError;
+use kameo::{Actor, actor::Recipient, actor::Spawn, prelude::Message};
+
+/// A no-op actor that discards any messages it receives.
+#[derive(Actor)]
+struct NullSink;
+
+impl Message<Result<UserAgentResponse, UserAgentError>> for NullSink {
+    type Reply = ();
+
+    async fn handle(
+        &mut self,
+        _msg: Result<UserAgentResponse, UserAgentError>,
+        _ctx: &mut kameo::prelude::Context<Self, Self::Reply>,
+    ) -> Self::Reply {
+    }
+}
+
+/// Creates a `Recipient` that silently discards all messages.
+fn null_recipient() -> Recipient<Result<UserAgentResponse, UserAgentError>> {
+    let actor_ref = NullSink::spawn(NullSink);
+    actor_ref.recipient()
+}
+
 #[path = "user_agent/auth.rs"]
 mod auth;
 #[path = "user_agent/unseal.rs"]

server/crates/arbiter-server/tests/user_agent/auth.rs

@@ -20,12 +20,11 @@ use kameo::actor::Spawn;
 #[test_log::test]
 pub async fn test_bootstrap_token_auth() {
     let db =db::create_test_pool().await;
-    crate::common::seed_settings(&db).await;
 
     let actors = GlobalActors::spawn(db.clone()).await.unwrap();
     let token = actors.bootstrapper.ask(GetToken).await.unwrap().unwrap();
     let user_agent =
-        UserAgentActor::new_manual(db.clone(), actors, tokio::sync::mpsc::channel(1).0);
+        UserAgentActor::new_manual(db.clone(), actors, super::null_recipient());
     let user_agent_ref = UserAgentActor::spawn(user_agent);
 
     let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
@@ -67,11 +66,10 @@ pub async fn test_bootstrap_token_auth() {
 #[test_log::test]
 pub async fn test_bootstrap_invalid_token_auth() {
     let db = db::create_test_pool().await;
-    crate::common::seed_settings(&db).await;
 
     let actors = GlobalActors::spawn(db.clone()).await.unwrap();
     let user_agent =
-        UserAgentActor::new_manual(db.clone(), actors, tokio::sync::mpsc::channel(1).0);
+        UserAgentActor::new_manual(db.clone(), actors, super::null_recipient());
     let user_agent_ref = UserAgentActor::spawn(user_agent);
 
     let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
@@ -87,15 +85,11 @@ pub async fn test_bootstrap_invalid_token_auth() {
         .await;
 
     match result {
-        Err(kameo::error::SendError::HandlerError(status)) => {
+        Err(kameo::error::SendError::HandlerError(err)) => {
-            assert_eq!(status.code(), tonic::Code::InvalidArgument);
+            assert!(
-            insta::assert_debug_snapshot!(status, @r#"
+                matches!(err, arbiter_server::actors::user_agent::UserAgentError::InvalidBootstrapToken),
-                Status {
+                "Expected InvalidBootstrapToken, got {err:?}"
-                    code: InvalidArgument,
+            );
-                    message: "Invalid bootstrap token",
-                    source: None,
-                }
-                "#);
         }
         Err(other) => {
             panic!("Expected SendError::HandlerError, got {other:?}");
@@ -110,11 +104,10 @@ pub async fn test_bootstrap_invalid_token_auth() {
 #[test_log::test]
 pub async fn test_challenge_auth() {
     let db = db::create_test_pool().await;
-    crate::common::seed_settings(&db).await;
 
     let actors = GlobalActors::spawn(db.clone()).await.unwrap();
     let user_agent =
-        UserAgentActor::new_manual(db.clone(), actors, tokio::sync::mpsc::channel(1).0);
+        UserAgentActor::new_manual(db.clone(), actors, super::null_recipient());
     let user_agent_ref = UserAgentActor::spawn(user_agent);
 
     let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());

server/crates/arbiter-server/tests/user_agent/unseal.rs

@@ -23,7 +23,6 @@ async fn setup_authenticated_user_agent(
     seal_key: &[u8],
 ) -> (arbiter_server::db::DatabasePool, ActorRef<UserAgentActor>) {
     let db = db::create_test_pool().await;
-    crate::common::seed_settings(&db).await;
 
     let actors = GlobalActors::spawn(db.clone()).await.unwrap();
     actors
@@ -36,7 +35,7 @@ async fn setup_authenticated_user_agent(
     actors.key_holder.ask(Seal).await.unwrap();
 
     let user_agent =
-        UserAgentActor::new_manual(db.clone(), actors.clone(), tokio::sync::mpsc::channel(1).0);
+        UserAgentActor::new_manual(db.clone(), actors.clone(), super::null_recipient());
     let user_agent_ref = UserAgentActor::spawn(user_agent);
 
     let token = actors.bootstrapper.ask(GetToken).await.unwrap().unwrap();
@@ -167,11 +166,10 @@ pub async fn test_unseal_corrupted_ciphertext() {
 #[test_log::test]
 pub async fn test_unseal_start_without_auth_fails() {
     let db = db::create_test_pool().await;
-    crate::common::seed_settings(&db).await;
 
     let actors = GlobalActors::spawn(db.clone()).await.unwrap();
     let user_agent =
-        UserAgentActor::new_manual(db.clone(), actors, tokio::sync::mpsc::channel(1).0);
+        UserAgentActor::new_manual(db.clone(), actors, super::null_recipient());
     let user_agent_ref = UserAgentActor::spawn(user_agent);
 
     let client_secret = EphemeralSecret::random();
@@ -186,8 +184,11 @@ pub async fn test_unseal_start_without_auth_fails() {
         .await;
 
     match result {
-        Err(kameo::error::SendError::HandlerError(status)) => {
+        Err(kameo::error::SendError::HandlerError(err)) => {
-            assert_eq!(status.code(), tonic::Code::Internal);
+            assert!(
+                matches!(err, arbiter_server::actors::user_agent::UserAgentError::InvalidState),
+                "Expected InvalidState, got {err:?}"
+            );
         }
         other => panic!("Expected state machine error, got {other:?}"),
     }

server/crates/arbiter-useragent/Cargo.toml

@@ -2,5 +2,14 @@
 name = "arbiter-useragent"
 version = "0.1.0"
 edition = "2024"
+license = "Apache-2.0"
 
 [dependencies]
+arbiter-proto.path = "../arbiter-proto"
+kameo.workspace = true
+tokio = {workspace = true, features = ["net"]}
+tonic.workspace = true
+tracing.workspace = true
+ed25519-dalek.workspace = true
+smlang.workspace = true
+x25519-dalek.workspace = true

server/crates/arbiter-useragent/src/lib.rs

@@ -1,14 +1,66 @@
-pub fn add(left: u64, right: u64) -> u64 {
+use arbiter_proto::{proto::UserAgentRequest, transport::TransportActor};
-    left + right
+use ed25519_dalek::SigningKey;
+use kameo::{
+    Actor, Reply,
+    actor::{ActorRef, WeakActorRef},
+    prelude::Message,
+};
+use smlang::statemachine;
+use tonic::transport::CertificateDer;
+use tracing::{debug, error};
+
+struct Storage {
+    pub identity: SigningKey,
+    pub server_ca_cert: CertificateDer<'static>,
 }
 
-#[cfg(test)]
+#[derive(Debug)]
-mod tests {
+pub enum InitError {
-    use super::*;
+    StorageError,
+    Other(String),
+}
 
-    #[test]
+statemachine! {
-    fn it_works() {
+    name: UserAgentStateMachine,
-        let result = add(2, 2);
+    custom_error: false,
-        assert_eq!(result, 4);
+    transitions: {
+        *Init + SendAuthChallenge = WaitingForAuthSolution
+    }
+}
+
+
+
+pub struct UserAgentActor<A: TransportActor<UserAgentRequest>> {
+    key: SigningKey,
+    server_ca_cert: CertificateDer<'static>,
+    sender: ActorRef<A>,
+}
+impl<A: TransportActor<UserAgentRequest>> Actor for UserAgentActor<A> {
+    type Args = Self;
+
+    type Error = InitError;
+
+    async fn on_start(args: Self::Args, actor_ref: ActorRef<Self>) -> Result<Self, Self::Error> {
+        todo!()
+    }
+
+    async fn on_link_died(
+        &mut self,
+        _: WeakActorRef<Self>,
+        id: kameo::prelude::ActorId,
+        _: kameo::prelude::ActorStopReason,
+    ) -> Result<std::ops::ControlFlow<kameo::prelude::ActorStopReason>, Self::Error> {
+        if id == self.sender.id() {
+            error!("Transport actor died, stopping UserAgentActor");
+            Ok(std::ops::ControlFlow::Break(
+                kameo::prelude::ActorStopReason::Normal,
+            ))
+        } else {
+            debug!(
+                "Linked actor {} died, but it's not the transport actor, ignoring",
+                id
+            );
+            Ok(std::ops::ControlFlow::Continue(()))
+        }
     }
 }

useragent/pubspec.lock

@@ -41,14 +41,6 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "1.19.1"
-  cupertino_icons:
-    dependency: "direct main"
-    description:
-      name: cupertino_icons
-      sha256: ba631d1c7f7bef6b729a622b7b752645a2d076dba9976925b8f25725a30e1ee6
-      url: "https://pub.dev"
-    source: hosted
-    version: "1.0.8"
   fake_async:
     dependency: transitive
     description:

useragent/pubspec.yaml

@@ -0,0 +1,21 @@
+name: arbiter
+description: "User agent for Arbiter"
+publish_to: 'none'
+
+version: 0.1.0
+
+environment:
+  sdk: ^3.10.8
+
+dependencies:
+  flutter:
+    sdk: flutter
+
+dev_dependencies:
+  flutter_test:
+    sdk: flutter
+
+  flutter_lints: ^6.0.0
+
+flutter:
+  uses-material-design: true