ci: fix step name

.woodpecker/server-compile.yaml

@@ -0,0 +1,26 @@
+when:
+  - event: pull_request
+    path:
+      include: [".woodpecker/server-*.yaml", "server/**"]
+  - event: push
+    branch: main
+    path:
+      include: [".woodpecker/server-*.yaml", "server/**"]
+
+steps:
+  - name: compile
+    image: jdxcode/mise:latest
+    directory: server
+    environment:
+      CARGO_TERM_COLOR: always
+      CARGO_TARGET_DIR: /usr/local/cargo/target
+      CARGO_HOME: /usr/local/cargo/registry
+    volumes:
+      - cargo-target:/usr/local/cargo/target
+      - cargo-registry:/usr/local/cargo/registry
+    commands:
+      - apt-get update && apt-get install -y pkg-config
+      # Install only the necessary Rust toolchain
+      - mise install rust
+      - mise install protoc
+      - cargo check --all-features

.woodpecker/server-test.yaml

@@ -24,4 +24,4 @@ steps:
       - mise install rust 
       - mise install protoc
       - mise install cargo:cargo-nextest
-      - mise exec cargo:cargo-nextest -- cargo nextest run --no-fail-fast --all-features
+      - mise exec cargo:cargo-nextest -- cargo nextest run --no-fail-fast

ARCHITECTURE.md

@@ -11,7 +11,6 @@ Arbiter distinguishes two kinds of peers:
 
 - **User Agent** — A client application used by the owner to manage the vault (create wallets, approve SDK clients, configure policies).
 - **SDK Client** — A consumer of signing capabilities, typically an automation tool. In the future, this could include a browser-based wallet.
-- **Recovery Operator** — A dormant recovery participant with narrowly scoped authority used only for custody recovery and operator replacement.
 
 ---
 
@@ -43,149 +42,7 @@ There is no bootstrap mechanism for SDK clients. They must be explicitly approve
 
 ---
 
-## 3. Multi-Operator Governance
-
-When more than one User Agent is registered, the vault is treated as having multiple operators. In that mode, sensitive actions are governed by voting rather than by a single operator decision.
-
-### 3.1 Voting Rules
-
-Voting is based on the total number of registered operators:
-
-- **1 operator:** no vote is needed; the single operator decides directly.
-- **2 operators:** full consensus is required; both operators must approve.
-- **3 or more operators:** quorum is `floor(N / 2) + 1`.
-
-For a decision to count, the operator's approval or rejection must be signed by that operator's associated key. Unsigned votes, or votes that fail signature verification, are ignored.
-
-Examples:
-
-- **3 operators:** 2 approvals required
-- **4 operators:** 3 approvals required
-
-### 3.2 Actions Requiring a Vote
-
-In multi-operator mode, a successful vote is required for:
-
-- approving new SDK clients
-- granting an SDK client visibility to a wallet
-- approving a one-off transaction
-- approving creation of a persistent grant
-- approving operator replacement
-- approving server updates
-- updating Shamir secret-sharing parameters
-
-### 3.3 Special Rule for Key Rotation
-
-Key rotation always requires full quorum, regardless of the normal voting threshold.
-
-This is stricter than ordinary governance actions because rotating the root key requires every operator to participate in coordinated share refresh/update steps. The root key itself is not redistributed directly, but each operator's share material must be changed consistently.
-
-### 3.4 Root Key Custody
-
-When the vault has multiple operators, the vault root key is protected using Shamir secret sharing.
-
-The vault root key is encrypted in a way that requires reconstruction from user-held shares rather than from a single shared password.
-
-For ordinary operators, the Shamir threshold matches the ordinary governance quorum. For example:
-
-- **2 operators:** `2-of-2`
-- **3 operators:** `2-of-3`
-- **4 operators:** `3-of-4`
-
-In practice, the Shamir share set also includes Recovery Operator shares. This means the effective Shamir parameters are computed over the combined share pool while keeping the same threshold. For example:
-
-- **3 ordinary operators + 2 recovery shares:** `2-of-5`
-
-This ensures that the normal custody threshold follows the ordinary operator quorum, while still allowing dormant recovery shares to exist for break-glass recovery flows.
-
-### 3.5 Recovery Operators
-
-Recovery Operators are a separate peer type from ordinary vault operators.
-
-Their role is intentionally narrow. They can only:
-
-- participate in unsealing the vault
-- vote for operator replacement
-
-Recovery Operators do not participate in routine governance such as approving SDK clients, granting wallet visibility, approving transactions, creating grants, approving server updates, or changing Shamir parameters.
-
-### 3.6 Sleeping and Waking Recovery Operators
-
-By default, Recovery Operators are **sleeping** and do not participate in any active flow.
-
-Any ordinary operator may request that Recovery Operators **wake up**.
-
-Any ordinary operator may also cancel a pending wake-up request.
-
-This creates a dispute window before recovery powers become active. The default wake-up delay is **14 days**.
-
-Recovery Operators are therefore part of the break-glass recovery path rather than the normal operating quorum.
-
-The high-level recovery flow is:
-
-```mermaid
-sequenceDiagram
-    autonumber
-    actor Op as Ordinary Operator
-    participant Server
-    actor Other as Other Operator
-    actor Rec as Recovery Operator
-
-    Op->>Server: Request recovery wake-up
-    Server-->>Op: Wake-up pending
-    Note over Server: Default dispute window: 14 days
-
-    alt Wake-up cancelled during dispute window
-        Other->>Server: Cancel wake-up
-        Server-->>Op: Recovery cancelled
-        Server-->>Rec: Stay sleeping
-    else No cancellation for 14 days
-        Server-->>Rec: Wake up
-        Rec->>Server: Join recovery flow
-        critical Recovery authority
-            Rec->>Server: Participate in unseal
-            Rec->>Server: Vote on operator replacement
-        end
-        Server-->>Op: Recovery mode active
-    end
-```
-
-### 3.7 Committee Formation
-
-There are two ways to form a multi-operator committee:
-
-- convert an existing single-operator vault by adding new operators
-- bootstrap an unbootstrapped vault directly into multi-operator mode
-
-In both cases, committee formation is a coordinated process. Arbiter does not allow multi-operator custody to emerge implicitly from unrelated registrations.
-
-### 3.8 Bootstrapping an Unbootstrapped Vault into Multi-Operator Mode
-
-When an unbootstrapped vault is initialized as a multi-operator vault, the setup proceeds as follows:
-
-1. An operator connects to the unbootstrapped vault using a User Agent and the bootstrap token.
-2. During bootstrap setup, that operator declares:
-   - the total number of ordinary operators
-   - the total number of Recovery Operators
-3. The vault enters **multi-bootstrap mode**.
-4. While in multi-bootstrap mode:
-   - every ordinary operator must connect with a User Agent using the bootstrap token
-   - every Recovery Operator must also connect using the bootstrap token
-   - each participant is registered individually
-   - each participant's share is created and protected with that participant's credentials
-5. The vault is considered fully bootstrapped only after all declared operator and recovery-share registrations have completed successfully.
-
-This means the operator and recovery set is fixed at bootstrap completion time, based on the counts declared when multi-bootstrap mode was entered.
-
-### 3.9 Special Bootstrap Constraint for Two-Operator Vaults
-
-If a vault is declared with exactly **2 ordinary operators**, Arbiter requires at least **1 Recovery Operator** to be configured during bootstrap.
-
-This prevents the worst-case custody failure in which a `2-of-2` operator set becomes permanently unrecoverable after loss of a single operator.
-
----
-
-## 4. Server Identity
+## 3. Server Identity
 
 The server proves its identity using TLS with a self-signed certificate. The TLS private key is generated on first run and is long-term; no rotation mechanism exists yet due to the complexity of multi-peer coordination.
 
@@ -198,9 +55,9 @@ Peers verify the server by its **public key fingerprint**:
 
 ---
 
-## 5. Key Management
+## 4. Key Management
 
-### 5.1 Key Hierarchy
+### 4.1 Key Hierarchy
 
 There are three layers of keys:
 
@@ -215,19 +72,19 @@ This layered design enables:
 - **Password rotation** without re-encrypting every wallet key (only the root key is re-encrypted).
 - **Root key rotation** without requiring the user to change their password.
 
-### 5.2 Encryption at Rest
+### 4.2 Encryption at Rest
 
 The database stores everything in encrypted form using symmetric AEAD. The encryption scheme is versioned to support transparent migration — when the vault unseals, Arbiter automatically re-encrypts any entries that are behind the current scheme version. See [IMPLEMENTATION.md](IMPLEMENTATION.md) for the specific scheme and versioning mechanism.
 
 ---
 
-## 6. Vault Lifecycle
+## 5. Vault Lifecycle
 
-### 6.1 Sealed State
+### 5.1 Sealed State
 
 On boot, the root key is encrypted and the server cannot perform any signing operations. This state is called **Sealed**.
 
-### 6.2 Unseal Flow
+### 5.2 Unseal Flow
 
 To transition to the **Unsealed** state, a User Agent must provide the password:
 
@@ -238,7 +95,7 @@ To transition to the **Unsealed** state, a User Agent must provide the password:
    - **Success:** The root key is decrypted and placed into a hardened memory cell. The server transitions to `Unsealed`. Any entries pending encryption scheme migration are re-encrypted.
    - **Failure:** The server returns an error indicating the password is incorrect.
 
-### 6.3 Memory Protection
+### 5.3 Memory Protection
 
 Once unsealed, the root key must be protected in memory against:
 
@@ -250,9 +107,9 @@ See [IMPLEMENTATION.md](IMPLEMENTATION.md) for the current and planned memory pr
 
 ---
 
-## 7. Permission Engine
+## 6. Permission Engine
 
-### 7.1 Fundamental Rules
+### 6.1 Fundamental Rules
 
 - SDK clients have **no access by default**.
 - Access is granted **explicitly** by a User Agent.
@@ -262,45 +119,11 @@ Each blockchain requires its own policy system due to differences in static tran
 
 Arbiter is also responsible for ensuring that **transaction nonces are never reused**.
 
-### 7.2 EVM Policies
+### 6.2 EVM Policies
 
 Every EVM grant is scoped to a specific **wallet** and **chain ID**.
 
-#### 7.2.0 Transaction Signing Sequence
-
-The high-level interaction order is:
-
-```mermaid
-sequenceDiagram
-    autonumber
-    actor SDK as SDK Client
-    participant Server
-    participant UA as User Agent
-
-    SDK->>Server: SignTransactionRequest
-    Server->>Server: Resolve wallet and wallet visibility
-    alt Visibility approval required
-        Server->>UA: Ask for wallet visibility approval
-        UA-->>Server: Vote result
-    end
-    Server->>Server: Evaluate transaction
-    Server->>Server: Load grant and limits context
-    alt Grant approval required
-        Server->>UA: Ask for execution / grant approval
-        UA-->>Server: Vote result
-        opt Create persistent grant
-            Server->>Server: Create and store grant
-        end
-        Server->>Server: Retry evaluation
-    end
-    critical Final authorization path
-        Server->>Server: Check limits and record execution
-        Server-->>Server: Signature or evaluation error
-    end
-    Server-->>SDK: Signature or error
-```
-
-#### 7.2.1 Transaction Sub-Grants
+#### 6.2.1 Transaction Sub-Grants
 
 Arbiter maintains an ever-expanding database of known contracts and their ABIs. Based on contract knowledge, transaction requests fall into three categories:
 
@@ -324,9 +147,9 @@ Available restrictions:
 
 These transactions have no `calldata` and therefore cannot interact with contracts. They can be subject to the same volume and rate restrictions as above.
 
-#### 7.2.2 Global Limits
+#### 6.2.2 Global Limits
 
 In addition to sub-grant-specific restrictions, the following limits can be applied across all grant types:
 
 - **Gas limit** — Maximum gas per transaction.
-- **Time-window restrictions** — e.g., signing allowed only 08:00–20:00 on Mondays and Thursdays.
+- **Time-window restrictions** — e.g., signing allowed only 08:00–20:00 on Mondays and Thursdays.

IMPLEMENTATION.md

@@ -128,52 +128,6 @@ The central abstraction is the `Policy` trait. Each implementation handles one s
 4. **Evaluate** — `Policy::evaluate` checks the decoded meaning against the grant's policy-specific constraints and returns any violations.
 5. **Record** — If `RunKind::Execution` and there are no violations, the engine writes to `evm_transaction_log` and calls `Policy::record_transaction` for any policy-specific logging (e.g., token transfer volume).
 
-The detailed branch structure is shown below:
-
-```mermaid
-flowchart TD
-    A[SDK Client sends sign transaction request] --> B[Server resolves wallet]
-    B --> C{Wallet exists?}
-
-    C -- No --> Z1[Return wallet not found error]
-    C -- Yes --> D[Check SDK client wallet visibility]
-
-    D --> E{Wallet visible to SDK client?}
-    E -- No --> F[Start wallet visibility voting flow]
-    F --> G{Vote approved?}
-    G -- No --> Z2[Return wallet access denied error]
-    G -- Yes --> H[Persist wallet visibility]
-    E -- Yes --> I[Classify transaction meaning]
-    H --> I
-
-    I --> J{Meaning supported?}
-    J -- No --> Z3[Return unsupported transaction error]
-    J -- Yes --> K[Find matching grant]
-
-    K --> L{Grant exists?}
-    L -- Yes --> M[Check grant limits]
-    L -- No --> N[Start execution or grant voting flow]
-
-    N --> O{User-agent decision}
-    O -- Reject --> Z4[Return no matching grant error]
-    O -- Allow once --> M
-    O -- Create grant --> P[Create grant with user-selected limits]
-    P --> Q[Persist grant]
-    Q --> M
-
-    M --> R{Limits exceeded?}
-    R -- Yes --> Z5[Return evaluation error]
-    R -- No --> S[Record transaction in logs]
-    S --> T[Produce signature]
-    T --> U[Return signature to SDK client]
-
-    note1[Limit checks include volume, count, and gas constraints.]
-    note2[Grant lookup depends on classified meaning, such as ether transfer or token transfer.]
-
-    K -. uses .-> note2
-    M -. checks .-> note1
-```
-
 ### Policy Trait
 
 | Method | Purpose |

server/Cargo.lock

@@ -724,7 +724,6 @@ name = "arbiter-server"
 version = "0.1.0"
 dependencies = [
  "alloy",
- "anyhow",
  "arbiter-proto",
  "arbiter-tokens-registry",
  "argon2",
@@ -742,6 +741,7 @@ dependencies = [
  "k256",
  "kameo",
  "memsafe",
+ "miette",
  "pem",
  "prost-types",
  "rand 0.10.0",

server/Cargo.toml

@@ -22,6 +22,7 @@ chrono = { version = "0.4.44", features = ["serde"] }
 rand = "0.10.0"
 rustls = { version = "0.23.37", features = ["aws-lc-rs"] }
 smlang = "0.8.0"
+miette = { version = "7.6.0", features = ["fancy", "serde"] }
 thiserror = "2.0.18"
 async-trait = "0.1.89"
 futures = "0.3.32"
@@ -42,4 +43,3 @@ k256 = { version = "0.13.4", features = ["ecdsa", "pkcs8"] }
 rsa = { version = "0.9", features = ["sha2"] }
 sha2 = "0.10"
 spki = "0.7"
-miette = { version = "7.6.0", features = ["fancy", "serde"] }

server/crates/arbiter-client/src/auth.rs

@@ -122,7 +122,9 @@ async fn receive_auth_confirmation(
         .await
         .map_err(|_| AuthError::UnexpectedAuthResponse)?;
 
-    let payload = response.payload.ok_or(AuthError::UnexpectedAuthResponse)?;
+    let payload = response
+        .payload
+        .ok_or(AuthError::UnexpectedAuthResponse)?;
     match payload {
         ClientResponsePayload::Auth(response) => match response.payload {
             Some(AuthResponsePayload::Result(result))

server/crates/arbiter-client/src/bin/test_connect.rs

@@ -1,3 +1,4 @@
+
 use std::io::{self, Write};
 
 use arbiter_client::ArbiterClient;
@@ -21,6 +22,8 @@ async fn main() {
         return;
     }
 
+   
+
     let url = match ArbiterUrl::try_from(input) {
         Ok(url) => url,
         Err(err) => {
@@ -29,7 +32,7 @@ async fn main() {
         }
     };
 
-    println!("{:#?}", url);
+     println!("{:#?}", url);
 
     let metadata = ClientMetadata {
         name: "arbiter-client test_connect".to_string(),
@@ -41,4 +44,4 @@ async fn main() {
         Ok(_) => println!("Connected and authenticated successfully."),
         Err(err) => eprintln!("Failed to connect: {:#?}", err),
     }
-}
+}

server/crates/arbiter-client/src/client.rs

@@ -1,16 +1,11 @@
-use arbiter_proto::{
-    ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl,
-};
+use arbiter_proto::{ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl};
 use std::sync::Arc;
 use tokio::sync::{Mutex, mpsc};
 use tokio_stream::wrappers::ReceiverStream;
 use tonic::transport::ClientTlsConfig;
 
 use crate::{
-    StorageError,
-    auth::{AuthError, authenticate},
-    storage::{FileSigningKeyStorage, SigningKeyStorage},
-    transport::{BUFFER_LENGTH, ClientTransport},
+    StorageError, auth::{AuthError, authenticate}, storage::{FileSigningKeyStorage, SigningKeyStorage}, transport::{BUFFER_LENGTH, ClientTransport}
 };
 
 #[cfg(feature = "evm")]
@@ -35,6 +30,7 @@ pub enum Error {
 
     #[error("Storage error")]
     Storage(#[from] StorageError),
+    
 }
 
 pub struct ArbiterClient {
@@ -65,11 +61,10 @@ impl ArbiterClient {
         let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)?.to_owned();
         let tls = ClientTlsConfig::new().trust_anchor(anchor);
 
-        let channel =
-            tonic::transport::Channel::from_shared(format!("https://{}:{}", url.host, url.port))?
-                .tls_config(tls)?
-                .connect()
-                .await?;
+        let channel = tonic::transport::Channel::from_shared(format!("https://{}:{}", url.host, url.port))?
+            .tls_config(tls)?
+            .connect()
+            .await?;
 
         let mut client = ArbiterServiceClient::new(channel);
         let (tx, rx) = mpsc::channel(BUFFER_LENGTH);

server/crates/arbiter-client/src/lib.rs

@@ -9,4 +9,4 @@ pub use client::{ArbiterClient, Error};
 pub use storage::{FileSigningKeyStorage, SigningKeyStorage, StorageError};
 
 #[cfg(feature = "evm")]
-pub use wallets::evm::{ArbiterEvmSignTransactionError, ArbiterEvmWallet};
+pub use wallets::evm::ArbiterEvmWallet;

server/crates/arbiter-client/src/wallets/evm.rs

@@ -10,48 +10,14 @@ use tokio::sync::Mutex;
 
 use arbiter_proto::proto::{
     client::{
-        ClientRequest,
-        client_request::Payload as ClientRequestPayload,
+        ClientRequest, client_request::Payload as ClientRequestPayload,
         client_response::Payload as ClientResponsePayload,
-        evm::{
-            self as proto_evm, request::Payload as EvmRequestPayload,
-            response::Payload as EvmResponsePayload,
-        },
     },
-    evm::{
-        EvmSignTransactionRequest,
-        evm_sign_transaction_response::Result as EvmSignTransactionResult,
-    },
-    shared::evm::TransactionEvalError,
+    evm::evm_sign_transaction_response::Result as EvmSignTransactionResult,
 };
 
 use crate::transport::{ClientTransport, next_request_id};
 
-/// A typed error payload returned by [`ArbiterEvmWallet`] transaction signing.
-///
-/// This is wrapped into `alloy::signers::Error::Other`, so consumers can downcast by [`TryFrom`] and
-/// interpret the concrete policy evaluation failure instead of parsing strings.
-#[derive(Debug, thiserror::Error)]
-#[non_exhaustive]
-pub enum ArbiterEvmSignTransactionError {
-    #[error("transaction rejected by policy: {0:?}")]
-    PolicyEval(TransactionEvalError),
-}
-
-impl<'a> TryFrom<&'a Error> for &'a ArbiterEvmSignTransactionError {
-    type Error = ();
-
-    fn try_from(value: &'a Error) -> Result<Self, Self::Error> {
-        if let Error::Other(inner) = value
-            && let Some(eval_error) = inner.downcast_ref()
-        {
-            Ok(eval_error)
-        } else {
-            Err(())
-        }
-    }
-}
-
 pub struct ArbiterEvmWallet {
     transport: Arc<Mutex<ClientTransport>>,
     address: Address,
@@ -130,14 +96,12 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
         transport
             .send(ClientRequest {
                 request_id,
-                payload: Some(ClientRequestPayload::Evm(proto_evm::Request {
-                    payload: Some(EvmRequestPayload::SignTransaction(
-                        EvmSignTransactionRequest {
-                            wallet_address: self.address.to_vec(),
-                            rlp_transaction,
-                        },
-                    )),
-                })),
+                payload: Some(ClientRequestPayload::EvmSignTransaction(
+                    arbiter_proto::proto::evm::EvmSignTransactionRequest {
+                        wallet_address: self.address.to_vec(),
+                        rlp_transaction,
+                    },
+                )),
             })
             .await
             .map_err(|_| Error::other("failed to send evm sign transaction request"))?;
@@ -157,21 +121,12 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
             .payload
             .ok_or_else(|| Error::other("missing evm sign transaction response payload"))?;
 
-        let ClientResponsePayload::Evm(proto_evm::Response {
-            payload: Some(payload),
-        }) = payload
-        else {
+        let ClientResponsePayload::EvmSignTransaction(response) = payload else {
             return Err(Error::other(
                 "unexpected response payload for evm sign transaction request",
             ));
         };
 
-        let EvmResponsePayload::SignTransaction(response) = payload else {
-            return Err(Error::other(
-                "unexpected evm response payload for sign transaction request",
-            ));
-        };
-
         let result = response
             .result
             .ok_or_else(|| Error::other("missing evm sign transaction result"))?;
@@ -181,9 +136,9 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
                 Signature::try_from(signature.as_slice())
                     .map_err(|_| Error::other("invalid signature returned by server"))
             }
-            EvmSignTransactionResult::EvalError(eval_error) => Err(Error::other(
-                ArbiterEvmSignTransactionError::PolicyEval(eval_error),
-            )),
+            EvmSignTransactionResult::EvalError(eval_error) => Err(Error::other(format!(
+                "transaction rejected by policy: {eval_error:?}"
+            ))),
             EvmSignTransactionResult::Error(code) => Err(Error::other(format!(
                 "server failed to sign transaction with error code {code}"
             ))),

server/crates/arbiter-proto/src/url.rs

@@ -7,6 +7,7 @@ const ARBITER_URL_SCHEME: &str = "arbiter";
 const CERT_QUERY_KEY: &str = "cert";
 const BOOTSTRAP_TOKEN_QUERY_KEY: &str = "bootstrap_token";
 
+
 #[derive(Debug, Clone)]
 pub struct ArbiterUrl {
     pub host: String,

server/crates/arbiter-server/Cargo.toml

@@ -25,6 +25,7 @@ tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 rustls.workspace = true
 smlang.workspace = true
+miette.workspace = true
 thiserror.workspace = true
 fatality = "0.1.1"
 diesel_migrations = { version = "2.3.1", features = ["sqlite"] }
@@ -52,7 +53,6 @@ spki.workspace = true
 alloy.workspace = true
 prost-types.workspace = true
 arbiter-tokens-registry.path = "../arbiter-tokens-registry"
-anyhow = "1.0.102"
 
 [dev-dependencies]
 insta = "1.46.3"

server/crates/arbiter-server/src/actors/bootstrap.rs

@@ -2,7 +2,7 @@ use arbiter_proto::{BOOTSTRAP_PATH, home_path};
 use diesel::QueryDsl;
 use diesel_async::RunQueryDsl;
 use kameo::{Actor, messages};
-
+use miette::Diagnostic;
 use rand::{RngExt, distr::Alphanumeric, make_rng, rngs::StdRng};
 use thiserror::Error;
 
@@ -25,15 +25,18 @@ pub async fn generate_token() -> Result<String, std::io::Error> {
     Ok(token)
 }
 
-#[derive(Error, Debug)]
+#[derive(Error, Debug, Diagnostic)]
 pub enum Error {
     #[error("Database error: {0}")]
+    #[diagnostic(code(arbiter_server::bootstrap::database))]
     Database(#[from] db::PoolError),
 
     #[error("Database query error: {0}")]
+    #[diagnostic(code(arbiter_server::bootstrap::database_query))]
     Query(#[from] diesel::result::Error),
 
     #[error("I/O error: {0}")]
+    #[diagnostic(code(arbiter_server::bootstrap::io))]
     Io(#[from] std::io::Error),
 }
 

server/crates/arbiter-server/src/actors/client/auth.rs

@@ -287,7 +287,10 @@ where
     Ok(())
 }
 
-pub async fn authenticate<T>(props: &mut ClientConnection, transport: &mut T) -> Result<i32, Error>
+pub async fn authenticate<T>(
+    props: &mut ClientConnection,
+    transport: &mut T,
+) -> Result<i32, Error>
 where
     T: Bi<Inbound, Result<Outbound, Error>> + Send + ?Sized,
 {
@@ -316,7 +319,7 @@ where
 
     sync_client_metadata(&props.db, info.id, &metadata).await?;
     challenge_client(transport, pubkey, info.current_nonce).await?;
-
+    
     transport
         .send(Ok(Outbound::AuthSuccess))
         .await

server/crates/arbiter-server/src/actors/client/mod.rs

@@ -20,7 +20,10 @@ pub struct ClientConnection {
 
 impl ClientConnection {
     pub fn new(db: db::DatabasePool, actors: GlobalActors) -> Self {
-        Self { db, actors }
+        Self {
+            db,
+            actors,
+        }
     }
 }
 

server/crates/arbiter-server/src/actors/client/session.rs

@@ -6,10 +6,11 @@ use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
 use crate::{
     actors::{
         GlobalActors,
-        client::ClientConnection,
+        client::ClientConnection, flow_coordinator::RegisterClient,
+       
         evm::{ClientSignTransaction, SignTransactionError},
-        flow_coordinator::RegisterClient,
         keyholder::KeyHolderState,
+       
     },
     db,
     evm::VetError,
@@ -94,10 +95,7 @@ impl Actor for ClientSession {
 impl ClientSession {
     pub fn new_test(db: db::DatabasePool, actors: GlobalActors) -> Self {
         let props = ClientConnection::new(db, actors);
-        Self {
-            props,
-            client_id: 0,
-        }
+        Self { props, client_id: 0 }
     }
 }
 

server/crates/arbiter-server/src/actors/evm/mod.rs

@@ -25,36 +25,45 @@ use crate::{
 
 pub use crate::evm::safe_signer;
 
-#[derive(Debug, thiserror::Error)]
+#[derive(Debug, thiserror::Error, miette::Diagnostic)]
 pub enum SignTransactionError {
     #[error("Wallet not found")]
+    #[diagnostic(code(arbiter::evm::sign::wallet_not_found))]
     WalletNotFound,
 
     #[error("Database error: {0}")]
+    #[diagnostic(code(arbiter::evm::sign::database))]
     Database(#[from] DatabaseError),
 
     #[error("Keyholder error: {0}")]
+    #[diagnostic(code(arbiter::evm::sign::keyholder))]
     Keyholder(#[from] crate::actors::keyholder::Error),
 
     #[error("Keyholder mailbox error")]
+    #[diagnostic(code(arbiter::evm::sign::keyholder_send))]
     KeyholderSend,
 
     #[error("Signing error: {0}")]
+    #[diagnostic(code(arbiter::evm::sign::signing))]
     Signing(#[from] alloy::signers::Error),
 
     #[error("Policy error: {0}")]
+    #[diagnostic(code(arbiter::evm::sign::vet))]
     Vet(#[from] evm::VetError),
 }
 
-#[derive(Debug, thiserror::Error)]
+#[derive(Debug, thiserror::Error, miette::Diagnostic)]
 pub enum Error {
     #[error("Keyholder error: {0}")]
+    #[diagnostic(code(arbiter::evm::keyholder))]
     Keyholder(#[from] crate::actors::keyholder::Error),
 
     #[error("Keyholder mailbox error")]
+    #[diagnostic(code(arbiter::evm::keyholder_send))]
     KeyholderSend,
 
     #[error("Database error: {0}")]
+    #[diagnostic(code(arbiter::evm::database))]
     Database(#[from] DatabaseError),
 }
 

server/crates/arbiter-server/src/actors/flow_coordinator/client_connect_approval.rs

@@ -15,7 +15,7 @@ use crate::actors::{
 pub struct Args {
     pub client: ClientProfile,
     pub user_agents: Vec<ActorRef<UserAgentSession>>,
-    pub reply: ReplySender<Result<bool, ApprovalError>>,
+    pub reply: ReplySender<Result<bool, ApprovalError>>
 }
 
 pub struct ClientApprovalController {
@@ -39,11 +39,7 @@ impl Actor for ClientApprovalController {
     type Error = ();
 
     async fn on_start(
-        Args {
-            client,
-            mut user_agents,
-            reply,
-        }: Self::Args,
+        Args { client, mut user_agents, reply }: Self::Args,
         actor_ref: ActorRef<Self>,
     ) -> Result<Self, Self::Error> {
         let this = Self {

server/crates/arbiter-server/src/actors/keyholder/mod.rs

@@ -35,28 +35,36 @@ enum State {
     },
 }
 
-#[derive(Debug, thiserror::Error)]
+#[derive(Debug, thiserror::Error, miette::Diagnostic)]
 pub enum Error {
     #[error("Keyholder is already bootstrapped")]
+    #[diagnostic(code(arbiter::keyholder::already_bootstrapped))]
     AlreadyBootstrapped,
     #[error("Keyholder is not bootstrapped")]
+    #[diagnostic(code(arbiter::keyholder::not_bootstrapped))]
     NotBootstrapped,
     #[error("Invalid key provided")]
+    #[diagnostic(code(arbiter::keyholder::invalid_key))]
     InvalidKey,
 
     #[error("Requested aead entry not found")]
+    #[diagnostic(code(arbiter::keyholder::aead_not_found))]
     NotFound,
 
     #[error("Encryption error: {0}")]
+    #[diagnostic(code(arbiter::keyholder::encryption_error))]
     Encryption(#[from] chacha20poly1305::aead::Error),
 
     #[error("Database error: {0}")]
+    #[diagnostic(code(arbiter::keyholder::database_error))]
     DatabaseConnection(#[from] db::PoolError),
 
     #[error("Database transaction error: {0}")]
+    #[diagnostic(code(arbiter::keyholder::database_transaction_error))]
     DatabaseTransaction(#[from] diesel::result::Error),
 
     #[error("Broken database")]
+    #[diagnostic(code(arbiter::keyholder::broken_database))]
     BrokenDatabase,
 }
 

server/crates/arbiter-server/src/actors/mod.rs

@@ -1,4 +1,5 @@
 use kameo::actor::{ActorRef, Spawn};
+use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
@@ -16,12 +17,14 @@ pub mod flow_coordinator;
 pub mod keyholder;
 pub mod user_agent;
 
-#[derive(Error, Debug)]
+#[derive(Error, Debug, Diagnostic)]
 pub enum SpawnError {
     #[error("Failed to spawn Bootstrapper actor")]
+    #[diagnostic(code(SpawnError::Bootstrapper))]
     Bootstrapper(#[from] bootstrap::Error),
 
     #[error("Failed to spawn KeyHolder actor")]
+    #[diagnostic(code(SpawnError::KeyHolder))]
     KeyHolder(#[from] keyholder::Error),
 }
 

server/crates/arbiter-server/src/actors/user_agent/session/connection.rs

@@ -5,8 +5,8 @@ use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use diesel::{ExpressionMethods as _, QueryDsl as _, SelectableHelper};
 use diesel_async::{AsyncConnection, RunQueryDsl};
 use kameo::error::SendError;
-use kameo::messages;
 use kameo::prelude::Context;
+use kameo::messages;
 use tracing::{error, info};
 use x25519_dalek::{EphemeralSecret, PublicKey};
 

server/crates/arbiter-server/src/context/mod.rs

@@ -1,5 +1,6 @@
 use std::sync::Arc;
 
+use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
@@ -10,24 +11,30 @@ use crate::{
 
 pub mod tls;
 
-#[derive(Error, Debug)]
+#[derive(Error, Debug, Diagnostic)]
 pub enum InitError {
     #[error("Database setup failed: {0}")]
+    #[diagnostic(code(arbiter_server::init::database_setup))]
     DatabaseSetup(#[from] db::DatabaseSetupError),
 
     #[error("Connection acquire failed: {0}")]
+    #[diagnostic(code(arbiter_server::init::database_pool))]
     DatabasePool(#[from] db::PoolError),
 
     #[error("Database query error: {0}")]
+    #[diagnostic(code(arbiter_server::init::database_query))]
     DatabaseQuery(#[from] diesel::result::Error),
 
     #[error("TLS initialization failed: {0}")]
+    #[diagnostic(code(arbiter_server::init::tls_init))]
     Tls(#[from] tls::InitError),
 
     #[error("Actor spawn failed: {0}")]
+    #[diagnostic(code(arbiter_server::init::actor_spawn))]
     ActorSpawn(#[from] crate::actors::SpawnError),
 
     #[error("I/O Error: {0}")]
+    #[diagnostic(code(arbiter_server::init::io))]
     Io(#[from] std::io::Error),
 }
 

server/crates/arbiter-server/src/context/tls.rs

@@ -1,8 +1,8 @@
-use std::{net::{IpAddr, Ipv4Addr}, string::FromUtf8Error};
+use std::{net::IpAddr, string::FromUtf8Error};
 
 use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper as _};
 use diesel_async::{AsyncConnection, RunQueryDsl};
-
+use miette::Diagnostic;
 use pem::Pem;
 use rcgen::{
     BasicConstraints, Certificate, CertificateParams, CertifiedIssuer, DistinguishedName, DnType,
@@ -29,24 +29,30 @@ const ENCODE_CONFIG: pem::EncodeConfig = {
     pem::EncodeConfig::new().set_line_ending(line_ending)
 };
 
-#[derive(Error, Debug)]
+#[derive(Error, Debug, Diagnostic)]
 pub enum InitError {
     #[error("Key generation error during TLS initialization: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::key_generation))]
     KeyGeneration(#[from] rcgen::Error),
 
     #[error("Key invalid format: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::key_invalid_format))]
     KeyInvalidFormat(#[from] FromUtf8Error),
 
     #[error("Key deserialization error: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::key_deserialization))]
     KeyDeserializationError(rcgen::Error),
 
     #[error("Database error during TLS initialization: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::database_error))]
     DatabaseError(#[from] diesel::result::Error),
 
     #[error("Pem deserialization error during TLS initialization: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::pem_deserialization))]
     PemDeserializationError(#[from] rustls::pki_types::pem::Error),
 
     #[error("Database pool acquire error during TLS initialization: {0}")]
+    #[diagnostic(code(arbiter_server::tls_init::database_pool_acquire))]
     DatabasePoolAcquire(#[from] db::PoolError),
 }
 
@@ -110,7 +116,9 @@ impl TlsCa {
         ];
         params
             .subject_alt_names
-            .push(SanType::IpAddress(Ipv4Addr::LOCALHOST.into()));
+            .push(SanType::IpAddress(IpAddr::from([
+                127, 0, 0, 1,
+            ])));
 
         let mut dn = DistinguishedName::new();
         dn.push(DnType::CommonName, "Arbiter Instance Leaf");

server/crates/arbiter-server/src/db/mod.rs

@@ -5,7 +5,7 @@ use diesel_async::{
     sync_connection_wrapper::SyncConnectionWrapper,
 };
 use diesel_migrations::{EmbeddedMigrations, MigrationHarness, embed_migrations};
-
+use miette::Diagnostic;
 use thiserror::Error;
 use tracing::info;
 
@@ -21,21 +21,26 @@ static DB_FILE: &str = "arbiter.sqlite";
 
 const MIGRATIONS: EmbeddedMigrations = embed_migrations!("migrations");
 
-#[derive(Error, Debug)]
+#[derive(Error, Diagnostic, Debug)]
 pub enum DatabaseSetupError {
     #[error("Failed to determine home directory")]
+    #[diagnostic(code(arbiter::db::home_dir))]
     HomeDir(std::io::Error),
 
     #[error(transparent)]
+    #[diagnostic(code(arbiter::db::connection))]
     Connection(diesel::ConnectionError),
 
     #[error(transparent)]
+    #[diagnostic(code(arbiter::db::concurrency))]
     ConcurrencySetup(diesel::result::Error),
 
     #[error(transparent)]
+    #[diagnostic(code(arbiter::db::migration))]
     Migration(Box<dyn std::error::Error + Send + Sync>),
 
     #[error(transparent)]
+    #[diagnostic(code(arbiter::db::pool))]
     Pool(#[from] PoolInitError),
 }
 

server/crates/arbiter-server/src/evm/mod.rs

@@ -28,32 +28,39 @@ pub mod policies;
 mod utils;
 
 /// Errors that can only occur once the transaction meaning is known (during policy evaluation)
-#[derive(Debug, thiserror::Error)]
+#[derive(Debug, thiserror::Error, miette::Diagnostic)]
 pub enum PolicyError {
     #[error("Database error")]
     Database(#[from] crate::db::DatabaseError),
     #[error("Transaction violates policy: {0:?}")]
+    #[diagnostic(code(arbiter_server::evm::policy_error::violation))]
     Violations(Vec<EvalViolation>),
     #[error("No matching grant found")]
+    #[diagnostic(code(arbiter_server::evm::policy_error::no_matching_grant))]
     NoMatchingGrant,
 }
 
-#[derive(Debug, thiserror::Error)]
+#[derive(Debug, thiserror::Error, miette::Diagnostic)]
 pub enum VetError {
     #[error("Contract creation transactions are not supported")]
+    #[diagnostic(code(arbiter_server::evm::vet_error::contract_creation_unsupported))]
     ContractCreationNotSupported,
     #[error("Engine can't classify this transaction")]
+    #[diagnostic(code(arbiter_server::evm::vet_error::unsupported))]
     UnsupportedTransactionType,
     #[error("Policy evaluation failed: {1}")]
+    #[diagnostic(code(arbiter_server::evm::vet_error::evaluated))]
     Evaluated(SpecificMeaning, #[source] PolicyError),
 }
 
-#[derive(Debug, thiserror::Error)]
+#[derive(Debug, thiserror::Error, miette::Diagnostic)]
 pub enum AnalyzeError {
     #[error("Engine doesn't support granting permissions for contract creation")]
+    #[diagnostic(code(arbiter_server::evm::analyze_error::contract_creation_not_supported))]
     ContractCreationNotSupported,
 
     #[error("Unsupported transaction type")]
+    #[diagnostic(code(arbiter_server::evm::analyze_error::unsupported_transaction_type))]
     UnsupportedTransactionType,
 }
 

server/crates/arbiter-server/src/evm/policies.rs

@@ -6,7 +6,7 @@ use diesel::{
     ExpressionMethods as _, QueryDsl, SelectableHelper, result::QueryResult, sqlite::Sqlite,
 };
 use diesel_async::{AsyncConnection, RunQueryDsl};
-
+use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
@@ -33,27 +33,33 @@ pub struct EvalContext {
     pub max_priority_fee_per_gas: u128,
 }
 
-#[derive(Debug, Error)]
+#[derive(Debug, Error, Diagnostic)]
 pub enum EvalViolation {
     #[error("This grant doesn't allow transactions to the target address {target}")]
+    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_target))]
     InvalidTarget { target: Address },
 
     #[error("Gas limit exceeded for this grant")]
+    #[diagnostic(code(arbiter_server::evm::eval_violation::gas_limit_exceeded))]
     GasLimitExceeded {
         max_gas_fee_per_gas: Option<U256>,
         max_priority_fee_per_gas: Option<U256>,
     },
 
     #[error("Rate limit exceeded for this grant")]
+    #[diagnostic(code(arbiter_server::evm::eval_violation::rate_limit_exceeded))]
     RateLimitExceeded,
 
     #[error("Transaction exceeds volumetric limits of the grant")]
+    #[diagnostic(code(arbiter_server::evm::eval_violation::volumetric_limit_exceeded))]
     VolumetricLimitExceeded,
 
     #[error("Transaction is outside of the grant's validity period")]
+    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_time))]
     InvalidTime,
 
     #[error("Transaction type is not allowed by this grant")]
+    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_transaction_type))]
     InvalidTransactionType,
 }
 

server/crates/arbiter-server/src/grpc/client/auth.rs

@@ -140,9 +140,7 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
         let Some(payload) = auth_request.payload else {
             let _ = self
                 .bi
-                .send(Err(Status::invalid_argument(
-                    "Missing client auth request payload",
-                )))
+                .send(Err(Status::invalid_argument("Missing client auth request payload")))
                 .await;
             return None;
         };
@@ -172,7 +170,9 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                     metadata: client_metadata_from_proto(client_info),
                 })
             }
-            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution { signature }) => {
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
+                signature,
+            }) => {
                 let Ok(signature) = ed25519_dalek::Signature::try_from(signature.as_slice()) else {
                     let _ = self
                         .send_auth_result(ProtoAuthResult::InvalidSignature)

server/crates/arbiter-server/src/grpc/client/evm.rs

@@ -34,9 +34,7 @@ pub(super) async fn dispatch(
     req: proto_evm::Request,
 ) -> Result<ClientResponsePayload, Status> {
     let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument(
-            "Missing client EVM request payload",
-        ));
+        return Err(Status::invalid_argument("Missing client EVM request payload"));
     };
 
     match payload {
@@ -61,13 +59,13 @@ pub(super) async fn dispatch(
                 ))) => EvmSignTransactionResponse {
                     result: Some(vet_error.convert()),
                 },
-                Err(kameo::error::SendError::HandlerError(SignTransactionRpcError::Internal)) => {
-                    EvmSignTransactionResponse {
-                        result: Some(EvmSignTransactionResult::Error(
-                            ProtoEvmError::Internal.into(),
-                        )),
-                    }
-                }
+                Err(kameo::error::SendError::HandlerError(
+                    SignTransactionRpcError::Internal,
+                )) => EvmSignTransactionResponse {
+                    result: Some(EvmSignTransactionResult::Error(
+                        ProtoEvmError::Internal.into(),
+                    )),
+                },
                 Err(err) => {
                     warn!(error = ?err, "Failed to sign EVM transaction");
                     EvmSignTransactionResponse {
@@ -80,8 +78,8 @@ pub(super) async fn dispatch(
 
             Ok(wrap_response(EvmResponsePayload::SignTransaction(response)))
         }
-        EvmRequestPayload::AnalyzeTransaction(_) => Err(Status::unimplemented(
-            "EVM transaction analysis is not yet implemented",
-        )),
+        EvmRequestPayload::AnalyzeTransaction(_) => {
+            Err(Status::unimplemented("EVM transaction analysis is not yet implemented"))
+        }
     }
 }

server/crates/arbiter-server/src/grpc/client/inbound.rs

@@ -1 +0,0 @@
-

server/crates/arbiter-server/src/grpc/client/outbound.rs

@@ -1 +0,0 @@
-

server/crates/arbiter-server/src/grpc/client/vault.rs

@@ -12,9 +12,11 @@ use kameo::{actor::ActorRef, error::SendError};
 use tonic::Status;
 use tracing::warn;
 
-use crate::actors::{
-    client::session::{ClientSession, Error, HandleQueryVaultState},
-    keyholder::KeyHolderState,
+use crate::{
+    actors::{
+        client::session::{ClientSession, Error, HandleQueryVaultState},
+        keyholder::KeyHolderState,
+    },
 };
 
 pub(super) async fn dispatch(
@@ -22,9 +24,7 @@ pub(super) async fn dispatch(
     req: proto_vault::Request,
 ) -> Result<ClientResponsePayload, Status> {
     let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument(
-            "Missing client vault request payload",
-        ));
+        return Err(Status::invalid_argument("Missing client vault request payload"));
     };
 
     match payload {

server/crates/arbiter-server/src/grpc/common/inbound.rs

@@ -28,8 +28,9 @@ impl TryConvert for RawEvmTransaction {
     type Error = tonic::Status;
 
     fn try_convert(self) -> Result<Self::Output, Self::Error> {
-        let tx = TxEip1559::decode(&mut self.0.as_slice())
-            .map_err(|_| tonic::Status::invalid_argument("Invalid EVM transaction format"))?;
+        let tx = TxEip1559::decode(&mut self.0.as_slice()).map_err(|_| {
+            tonic::Status::invalid_argument("Invalid EVM transaction format")
+        })?;
         Ok(tx)
     }
-}
+}

server/crates/arbiter-server/src/grpc/common/outbound.rs

@@ -1,12 +1,9 @@
 use alloy::primitives::U256;
 use arbiter_proto::proto::{
-    evm::{
-        EvmError as ProtoEvmError,
-        evm_sign_transaction_response::Result as EvmSignTransactionResult,
-    },
+    evm::{EvmError as ProtoEvmError, evm_sign_transaction_response::Result as EvmSignTransactionResult},
     shared::evm::{
-        EvalViolation as ProtoEvalViolation, GasLimitExceededViolation, NoMatchingGrantError,
-        PolicyViolationsError, SpecificMeaning as ProtoSpecificMeaning,
+        EvalViolation as ProtoEvalViolation, GasLimitExceededViolation,
+        NoMatchingGrantError, PolicyViolationsError, SpecificMeaning as ProtoSpecificMeaning,
         TokenInfo as ProtoTokenInfo, TransactionEvalError as ProtoTransactionEvalError,
         eval_violation::Kind as ProtoEvalViolationKind,
         specific_meaning::Meaning as ProtoSpecificMeaningKind,

server/crates/arbiter-server/src/grpc/user_agent.rs

@@ -1,10 +1,12 @@
 use tokio::sync::mpsc;
 
 use arbiter_proto::{
-    proto::user_agent::{
-        UserAgentRequest, UserAgentResponse,
-        user_agent_request::Payload as UserAgentRequestPayload,
-        user_agent_response::Payload as UserAgentResponsePayload,
+    proto::{
+        user_agent::{
+            UserAgentRequest, UserAgentResponse,
+            user_agent_request::Payload as UserAgentRequestPayload,
+            user_agent_response::Payload as UserAgentResponsePayload,
+        },
     },
     transport::{Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };

server/crates/arbiter-server/src/grpc/user_agent/auth.rs

@@ -1,14 +1,12 @@
 use arbiter_proto::{
     proto::user_agent::{
-        UserAgentRequest, UserAgentResponse,
-        auth::{
+        UserAgentRequest, UserAgentResponse, auth::{
             self as proto_auth, AuthChallenge as ProtoAuthChallenge,
             AuthChallengeRequest as ProtoAuthChallengeRequest,
             AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
             KeyType as ProtoKeyType, request::Payload as AuthRequestPayload,
             response::Payload as AuthResponsePayload,
-        },
-        user_agent_request::Payload as UserAgentRequestPayload,
+        }, user_agent_request::Payload as UserAgentRequestPayload,
         user_agent_response::Payload as UserAgentResponsePayload,
     },
     transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
@@ -65,9 +63,7 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
             Ok(Outbound::AuthChallenge { nonce }) => {
                 AuthResponsePayload::Challenge(ProtoAuthChallenge { nonce })
             }
-            Ok(Outbound::AuthSuccess) => {
-                AuthResponsePayload::Result(ProtoAuthResult::Success.into())
-            }
+            Ok(Outbound::AuthSuccess) => AuthResponsePayload::Result(ProtoAuthResult::Success.into()),
             Err(Error::UnregisteredPublicKey) => {
                 AuthResponsePayload::Result(ProtoAuthResult::InvalidKey.into())
             }
@@ -175,9 +171,9 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                     bootstrap_token,
                 })
             }
-            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution { signature }) => {
-                Some(auth::Inbound::AuthChallengeSolution { signature })
-            }
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution {
+                signature,
+            }) => Some(auth::Inbound::AuthChallengeSolution { signature }),
         }
     }
 }

server/crates/arbiter-server/src/grpc/user_agent/evm.rs

@@ -3,7 +3,8 @@ use arbiter_proto::proto::{
         EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
         EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse,
         EvmSignTransactionResponse, GrantEntry, WalletCreateResponse, WalletEntry, WalletList,
-        WalletListResponse, evm_grant_create_response::Result as EvmGrantCreateResult,
+        WalletListResponse,
+        evm_grant_create_response::Result as EvmGrantCreateResult,
         evm_grant_delete_response::Result as EvmGrantDeleteResult,
         evm_grant_list_response::Result as EvmGrantListResult,
         evm_sign_transaction_response::Result as EvmSignTransactionResult,
@@ -164,12 +165,7 @@ async fn handle_grant_delete(
     actor: &ActorRef<UserAgentSession>,
     req: EvmGrantDeleteRequest,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let result = match actor
-        .ask(HandleGrantDelete {
-            grant_id: req.grant_id,
-        })
-        .await
-    {
+    let result = match actor.ask(HandleGrantDelete { grant_id: req.grant_id }).await {
         Ok(()) => EvmGrantDeleteResult::Ok(()),
         Err(err) => {
             warn!(error = ?err, "Failed to delete EVM grant");
@@ -206,18 +202,18 @@ async fn handle_sign_transaction(
                 signature.as_bytes().to_vec(),
             )),
         },
-        Err(kameo::error::SendError::HandlerError(SessionSignTransactionError::Vet(vet_error))) => {
-            EvmSignTransactionResponse {
-                result: Some(vet_error.convert()),
-            }
-        }
-        Err(kameo::error::SendError::HandlerError(SessionSignTransactionError::Internal)) => {
-            EvmSignTransactionResponse {
-                result: Some(EvmSignTransactionResult::Error(
-                    ProtoEvmError::Internal.into(),
-                )),
-            }
-        }
+        Err(kameo::error::SendError::HandlerError(
+            SessionSignTransactionError::Vet(vet_error),
+        )) => EvmSignTransactionResponse {
+            result: Some(vet_error.convert()),
+        },
+        Err(kameo::error::SendError::HandlerError(
+            SessionSignTransactionError::Internal,
+        )) => EvmSignTransactionResponse {
+            result: Some(EvmSignTransactionResult::Error(
+                ProtoEvmError::Internal.into(),
+            )),
+        },
         Err(err) => {
             warn!(error = ?err, "Failed to sign EVM transaction");
             EvmSignTransactionResponse {
@@ -228,7 +224,7 @@ async fn handle_sign_transaction(
         }
     };
 
-    Ok(Some(wrap_evm_response(
-        EvmResponsePayload::SignTransaction(response),
-    )))
+    Ok(Some(wrap_evm_response(EvmResponsePayload::SignTransaction(
+        response,
+    ))))
 }

server/crates/arbiter-server/src/grpc/user_agent/outbound.rs

@@ -5,7 +5,9 @@ use arbiter_proto::proto::{
         TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
         specific_grant::Grant as ProtoSpecificGrantType,
     },
-    user_agent::sdk_client::{WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess},
+    user_agent::sdk_client::{
+        WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess,
+    },
 };
 use chrono::{DateTime, Utc};
 use prost_types::Timestamp as ProtoTimestamp;

server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs

@@ -1,5 +1,4 @@
 use arbiter_proto::proto::{
-    shared::ClientInfo as ProtoClientMetadata,
     user_agent::{
         sdk_client::{
             self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
@@ -14,6 +13,7 @@ use arbiter_proto::proto::{
         },
         user_agent_response::Payload as UserAgentResponsePayload,
     },
+    shared::ClientInfo as ProtoClientMetadata,
 };
 use kameo::actor::ActorRef;
 use tonic::Status;
@@ -62,22 +62,18 @@ pub(super) async fn dispatch(
     req: proto_sdk_client::Request,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
     let Some(payload) = req.payload else {
-        return Err(Status::invalid_argument(
-            "Missing SDK client request payload",
-        ));
+        return Err(Status::invalid_argument("Missing SDK client request payload"));
     };
 
     match payload {
         SdkClientRequestPayload::ConnectionResponse(resp) => {
             handle_connection_response(actor, resp).await
         }
-        SdkClientRequestPayload::Revoke(_) => Err(Status::unimplemented(
-            "SdkClientRevoke is not yet implemented",
-        )),
-        SdkClientRequestPayload::List(_) => handle_list(actor).await,
-        SdkClientRequestPayload::GrantWalletAccess(req) => {
-            handle_grant_wallet_access(actor, req).await
+        SdkClientRequestPayload::Revoke(_) => {
+            Err(Status::unimplemented("SdkClientRevoke is not yet implemented"))
         }
+        SdkClientRequestPayload::List(_) => handle_list(actor).await,
+        SdkClientRequestPayload::GrantWalletAccess(req) => handle_grant_wallet_access(actor, req).await,
         SdkClientRequestPayload::RevokeWalletAccess(req) => {
             handle_revoke_wallet_access(actor, req).await
         }
@@ -132,11 +128,11 @@ async fn handle_list(
             ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
         }
     };
-    Ok(Some(wrap_sdk_client_response(
-        SdkClientResponsePayload::List(ProtoSdkClientListResponse {
+    Ok(Some(wrap_sdk_client_response(SdkClientResponsePayload::List(
+        ProtoSdkClientListResponse {
             result: Some(result),
-        }),
-    )))
+        },
+    ))))
 }
 
 async fn handle_grant_wallet_access(

server/crates/arbiter-server/src/grpc/user_agent/vault.rs

@@ -1,4 +1,3 @@
-use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
 use arbiter_proto::proto::user_agent::{
     user_agent_response::Payload as UserAgentResponsePayload,
     vault::{
@@ -12,21 +11,25 @@ use arbiter_proto::proto::user_agent::{
         unseal::{
             self as proto_unseal, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
             UnsealResult as ProtoUnsealResult, UnsealStart,
-            request::Payload as UnsealRequestPayload, response::Payload as UnsealResponsePayload,
+            request::Payload as UnsealRequestPayload,
+            response::Payload as UnsealResponsePayload,
         },
     },
 };
+use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
 use kameo::{actor::ActorRef, error::SendError};
 use tonic::Status;
 use tracing::warn;
 
-use crate::actors::{
-    keyholder::KeyHolderState,
-    user_agent::{
-        UserAgentSession,
-        session::connection::{
-            BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
-            HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
+use crate::{
+    actors::{
+        keyholder::KeyHolderState,
+        user_agent::{
+            UserAgentSession,
+            session::connection::{
+                BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
+                HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
+            },
         },
     },
 };
@@ -148,9 +151,7 @@ async fn handle_bootstrap_encrypted_key(
         .await
     {
         Ok(()) => ProtoBootstrapResult::Success,
-        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => {
-            ProtoBootstrapResult::InvalidKey
-        }
+        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => ProtoBootstrapResult::InvalidKey,
         Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
             ProtoBootstrapResult::AlreadyBootstrapped
         }

server/crates/arbiter-server/src/main.rs

@@ -1,8 +1,8 @@
 use std::net::SocketAddr;
 
-use anyhow::anyhow;
 use arbiter_proto::{proto::arbiter_service_server::ArbiterServiceServer, url::ArbiterUrl};
 use arbiter_server::{Server, actors::bootstrap::GetToken, context::ServerContext, db};
+use miette::miette;
 use rustls::crypto::aws_lc_rs;
 use tonic::transport::{Identity, ServerTlsConfig};
 use tracing::info;
@@ -10,7 +10,7 @@ use tracing::info;
 const PORT: u16 = 50051;
 
 #[tokio::main]
-async fn main() -> anyhow::Result<()> {
+async fn main() -> miette::Result<()> {
     aws_lc_rs::default_provider().install_default().unwrap();
 
     tracing_subscriber::fmt()
@@ -46,11 +46,11 @@ async fn main() -> anyhow::Result<()> {
 
     tonic::transport::Server::builder()
         .tls_config(tls)
-        .map_err(|err| anyhow!("Failed to setup TLS: {err}"))?
+        .map_err(|err| miette!("Faild to setup TLS: {err}"))?
         .add_service(ArbiterServiceServer::new(Server::new(context)))
         .serve(addr)
         .await
-        .map_err(|e| anyhow!("gRPC server error: {e}"))?;
+        .map_err(|e| miette::miette!("gRPC server error: {e}"))?;
 
     unreachable!("gRPC server should run indefinitely");
 }

server/crates/arbiter-server/tests/user_agent/unseal.rs

@@ -2,10 +2,9 @@ use arbiter_server::{
     actors::{
         GlobalActors,
         keyholder::{Bootstrap, Seal},
-        user_agent::{
-            UserAgentSession,
-            session::connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError},
-        },
+        user_agent::{UserAgentSession, session::connection::{
+            HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
+        }},
     },
     db,
     safe_cell::{SafeCell, SafeCellHandle as _},