WIP: some things

mise.toml

@@ -22,3 +22,5 @@ run = '''
 dart pub global activate protoc_plugin && \
 protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ $(find protobufs -name '*.proto' | sort)
 '''
+
+[tasks.generate_schema]

protobufs/shared/vault.proto

@@ -5,7 +5,8 @@ package arbiter.shared;
 enum VaultState {
   VAULT_STATE_UNSPECIFIED = 0;
   VAULT_STATE_UNBOOTSTRAPPED = 1;
-  VAULT_STATE_SEALED = 2;
+  VAULT_STATE_BOOSTRAPPING = 2;
-  VAULT_STATE_UNSEALED = 3;
+  VAULT_STATE_SEALED = 3;
-  VAULT_STATE_ERROR = 4;
+  VAULT_STATE_UNSEALED = 4;
+  VAULT_STATE_ERROR = 5;
 }

server/.cargo/config.toml

@@ -0,0 +1,2 @@
+[env]
+MACOSX_DEPLOYMENT_TARGET = "26.3"

server/Cargo.toml

@@ -6,30 +6,27 @@ resolver = "3"
 
 
 [workspace.dependencies]
-alloy = "2.0.0"
+alloy = "2.0.4"
 async-trait = "0.1.89"
 base64 = "0.22.1"
 chrono = { version = "0.4.44", features = ["serde"] }
-ed25519-dalek = { version = "3.0.0-pre.6", features = ["rand_core"] }
 futures = "0.3.32"
 k256 = { version = "0.13.4", features = ["ecdsa", "pkcs8"] }
 kameo = {git = "https://github.com/hdbg/kameo.git", rev = "805b417"}
 kameo_actors = {git = "https://github.com/hdbg/kameo.git", rev = "805b417"}
 hmac = "0.13.0"
 miette = { version = "7.6.0", features = ["fancy", "serde"] }
-ml-dsa = { version = "0.1.0-rc.8", features = ["zeroize"] }
+ml-dsa = { version = "0.1.0-rc.9", features = ["zeroize"] }
 mutants = "0.0.4"
 prost = "0.14.3"
 prost-types = { version = "0.14.3", features = ["chrono"] }
 rand = "0.10.1"
 rcgen = { version = "0.14.7", features = [ "aws_lc_rs",  "pem", "x509-parser", "zeroize" ], default-features = false }
-rsa = { version = "0.9", features = ["sha2"] }
 rstest = "0.26.1"
-rustls = { version = "0.23.38", features = ["aws-lc-rs", "logging", "prefer-post-quantum", "std"], default-features = false }
+rustls = { version = "0.23.40", features = ["aws-lc-rs", "logging", "prefer-post-quantum", "std"], default-features = false }
-rustls-pki-types = "1.14.0"
+rustls-pki-types = "1.14.1"
 sha2 = "0.11"
 smlang = "0.8.0"
-spki = "0.8"
 thiserror = "2.0.18"
 tokio = { version = "1.52.1", features = ["full"] }
 tokio-stream = { version = "0.1.18", features = ["full"] }

server/crates/arbiter-client/Cargo.toml

@@ -21,7 +21,9 @@ tokio.workspace = true
 tokio-stream.workspace = true
 thiserror.workspace = true
 http = "1.4.0"
-rustls-webpki = { version = "0.103.12", features = ["aws-lc-rs"] }
+rustls-webpki = { version = "0.103.13", features = ["aws-lc-rs"] }
 async-trait.workspace = true
-rand.workspace = true
 chrono.workspace = true
+
+[lib]
+doctest = false

server/crates/arbiter-crypto/Cargo.toml

@@ -20,3 +20,6 @@ workspace = true
 default = ["authn", "safecell"]
 authn = ["dep:ml-dsa", "dep:rand"]
 safecell = ["dep:memsafe"]
+
+[lib]
+doctest = false

server/crates/arbiter-crypto/src/safecell.rs

@@ -22,7 +22,7 @@ pub trait SafeCellHandle<T> {
     fn read(&mut self) -> Self::CellRead<'_>;
     fn write(&mut self) -> Self::CellWrite<'_>;
 
-    fn new_inline<F>(f: F) -> Self
+    fn new_inline_default<F>(f: F) -> Self
     where
         Self: Sized,
         T: Default,
@@ -36,6 +36,14 @@ pub trait SafeCellHandle<T> {
         cell
     }
 
+    fn new_inline<F>(f: Box<F>) -> Self
+    where
+        Self: Sized,
+        F: for<'a> FnOnce() -> T,
+    {
+        Self::new(f())
+    }
+
     #[inline(always)]
     fn read_inline<F, R>(&mut self, f: F) -> R
     where

server/crates/arbiter-macros/Cargo.toml

@@ -5,6 +5,7 @@ edition = "2024"
 
 [lib]
 proc-macro = true
+doctest = false
 
 [dependencies]
 proc-macro2 = "1.0"

server/crates/arbiter-proto/Cargo.toml

@@ -9,7 +9,6 @@ license = "Apache-2.0"
 tonic.workspace = true
 tokio.workspace = true
 futures.workspace = true
-hex = "0.4.3"
 tonic-prost = "0.14.5"
 prost.workspace = true
 kameo.workspace = true
@@ -19,18 +18,18 @@ thiserror.workspace = true
 rustls-pki-types.workspace = true
 base64.workspace = true
 prost-types.workspace = true
-tracing.workspace = true
 async-trait.workspace = true
 tokio-stream.workspace = true
 
 [build-dependencies]
 tonic-prost-build = "0.14.5"
-protoc-bin-vendored = "3"
 
 [dev-dependencies]
 rstest.workspace = true
-rand.workspace = true
 rcgen.workspace = true
 
+[lib]
+doctest = false
+
 [package.metadata.cargo-shear]
-ignored = ["tonic-prost", "prost", "kameo"]
+ignored = ["tonic-prost", "prost"]

server/crates/arbiter-server/Cargo.toml

@@ -9,8 +9,8 @@ license = "Apache-2.0"
 workspace = true
 
 [dependencies]
-diesel = { version = "2.3.7", features = ["chrono", "returning_clauses_for_sqlite_3_35", "serde_json", "time", "uuid"] }
+diesel = { version = "2.3.9", features = ["chrono", "returning_clauses_for_sqlite_3_35", "serde_json", "time", "uuid"] }
-diesel-async = { version = "0.8.0", features = [
+diesel-async = { version = "0.9.0", features = [
     "bb8",
     "migrations",
     "sqlite",
@@ -27,17 +27,12 @@ tokio.workspace = true
 rustls.workspace = true
 smlang.workspace = true
 thiserror.workspace = true
-fatality = "0.1.1"
+diesel_migrations = { version = "2.3.2", features = ["sqlite"] }
-diesel_migrations = { version = "2.3.1", features = ["sqlite"] }
 async-trait.workspace = true
-secrecy = "0.10.3"
-futures.workspace = true
 tokio-stream.workspace = true
-dashmap = "6.1.0"
 rand.workspace = true
 rcgen.workspace = true
 chrono.workspace = true
-zeroize = { version = "1.8.2", features = ["std", "simd"] }
 kameo.workspace = true
 chacha20poly1305 = { version = "0.10.1", features = ["std"] }
 argon2 = { version = "0.5.3", features = ["zeroize"] }
@@ -46,23 +41,22 @@ strum = { version = "0.28.0", features = ["derive"] }
 pem = "3.0.6"
 sha2.workspace = true
 hmac.workspace = true
-spki.workspace = true
 alloy.workspace = true
 prost-types.workspace = true
-prost.workspace = true
 arbiter-tokens-registry.path = "../arbiter-tokens-registry"
 anyhow = "1.0.102"
-serde_with = "3.18.0"
 mutants.workspace = true
 subtle = "2.6.1"
-ml-dsa.workspace = true
-ed25519-dalek.workspace = true
 x25519-dalek.workspace = true
 k256.workspace = true
 kameo_actors.workspace = true
+vsss-rs = "5.4.0"
 
 [dev-dependencies]
-insta = "1.47.2"
 proptest = "1.11.0"
 rstest.workspace = true
 test-log = { version = "0.2", default-features = false, features = ["trace"] }
+ml-dsa.workspace = true
+
+[lib]
+doctest = false

server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql

@@ -43,13 +43,24 @@ create table if not exists arbiter_settings (
 insert into arbiter_settings (id) values (1) on conflict do nothing;
 -- ensure singleton row exists
 
-create table if not exists operator_client (
+create table if not exists operator_identity (
     id integer not null primary key,
     public_key blob not null,
     created_at integer not null default(unixepoch ('now')),
     updated_at integer not null default(unixepoch ('now'))
 ) STRICT;
-create unique index if not exists uniq_operator_client_public_key on operator_client (public_key);
+create unique index if not exists uniq_operator_identity_public_key on operator_identity (public_key);
+
+create table if not exists operator (
+    id integer primary key references operator_identity(id) on delete restrict, -- same id as operator_identity
+
+    share blob not null,
+    share_nonce blob not null,
+
+    created_at integer not null default(unixepoch ('now')),
+    updated_at integer not null default(unixepoch ('now'))
+
+) STRICT;
 
 create table if not exists client_metadata (
     id integer not null primary key,

server/crates/arbiter-server/src/actors/bootstrap.rs

@@ -48,7 +48,7 @@ impl Bootstrapper {
         let row_count: i64 = {
             let mut conn = db.get().await?;
 
-            schema::operator_client::table
+            schema::operator::table
                 .count()
                 .get_result(&mut conn)
                 .await?

server/crates/arbiter-server/src/actors/evm/mod.rs

@@ -3,7 +3,7 @@ use crate::{
     crypto::integrity,
     db::{
         DatabaseError, DatabasePool,
-        models::{self},
+        models::{self, EvmWalletId},
         schema,
     },
     evm::{
@@ -116,7 +116,7 @@ impl EvmActor {
     }
 
     #[message]
-    pub async fn list_wallets(&self) -> Result<Vec<(i32, Address)>, Error> {
+    pub async fn list_wallets(&self) -> Result<Vec<(EvmWalletId, Address)>, Error> {
         let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
         let rows: Vec<models::EvmWallet> = schema::evm_wallet::table
             .select(models::EvmWallet::as_select())

server/crates/arbiter-server/src/actors/vault/mod.rs

@@ -1,3 +1,5 @@
+use std::collections::HashMap;
+
 use crate::{
     crypto::{
         KeyCell, derive_key,
@@ -6,7 +8,7 @@ use crate::{
     },
     db::{
         self,
-        models::{self, RootKeyHistory},
+        models::{self, OperatorId, OperatorIdentityId, RootKeyHistory, RootKeyHistoryId},
         schema::{self},
     },
 };
@@ -15,17 +17,17 @@ use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 use chrono::Utc;
 use diesel::{
     ExpressionMethods as _, OptionalExtension, QueryDsl, SelectableHelper,
-    dsl::{insert_into, update},
+    dsl::{count, insert_into, update},
+    select,
 };
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use hmac::{KeyInit as _, Mac as _};
+use hmac::{KeyInit as _, Mac as _, digest::common};
 use kameo::{Actor, Reply, actor::ActorRef, messages};
 use kameo_actors::message_bus::{MessageBus, Publish};
 use strum::{EnumDiscriminants, IntoDiscriminant};
 use tracing::{error, info};
 
 pub mod events {
-
     #[derive(Clone, Copy)]
     pub struct Bootstrapped;
 
@@ -63,8 +65,17 @@ pub enum Error {
     BrokenDatabase,
 }
 
+#[derive(Debug, thiserror::Error)]
+pub enum UnsealError {}
+
+#[derive(Debug, thiserror::Error)]
+pub enum BootstrapError {
+    #[error("That operator already contributed his share")]
+    AlreadyContributed,
+}
+
 struct Unsealed {
-    root_key_history_id: i32,
+    root_key_history_id: RootKeyHistoryId,
     root_key: KeyCell,
 }
 
@@ -73,8 +84,16 @@ struct Unsealed {
 enum State {
     #[default]
     Unbootstrapped,
+
+    Bootstrapping {
+        declared_operators: u64,
+        current_passphrases: HashMap<OperatorIdentityId, SafeCell<Vec<u8>>>,
+    },
+
     Sealed {
-        root_key_history_id: i32,
+        threshold: u64, // basically, quorum size
+        root_key_history_id: RootKeyHistoryId,
+        current_shares: HashMap<OperatorId, SafeCell<Vec<u8>>>,
     },
     Unsealed(Unsealed),
 }
@@ -90,7 +109,6 @@ pub struct Vault {
     events: ActorRef<MessageBus>,
 }
 
-#[messages]
 impl Vault {
     pub async fn new(db: db::DatabasePool, events: ActorRef<MessageBus>) -> Result<Self, Error> {
         let state = {
@@ -103,9 +121,17 @@ impl Vault {
                 .await?;
 
             match root_key_history {
-                Some(root_key_history) => State::Sealed {
+                Some(root_key_history) => {
+                    let operator_count: i64 = schema::operator::table
+                        .count()
+                        .get_result(&mut conn)
+                        .await?;
+                    State::Sealed {
                         root_key_history_id: root_key_history.id,
-                },
+                        current_shares: HashMap::default(),
+                        threshold: shamir_threshold(operator_count.cast_unsigned()), // invariant: db couldn't return negative number of rows
+                    }
+                }
                 None => State::Unbootstrapped,
             }
         };
@@ -115,21 +141,23 @@ impl Vault {
 
     // Exclusive transaction to avoid race condtions if multiple vaults write
     // additional layer of protection against nonce-reuse
-    async fn get_new_nonce(pool: &db::DatabasePool, root_key_id: i32) -> Result<Nonce, Error> {
+    async fn get_new_nonce(
+        pool: &db::DatabasePool,
+        root_key_id: RootKeyHistoryId,
+    ) -> Result<Nonce, Error> {
         let mut conn = pool.get().await?;
 
         let nonce = conn
-            .exclusive_transaction(|conn| {
+            .exclusive_transaction(async |conn| {
-                Box::pin(async move {
                 let current_nonce: Vec<u8> = schema::root_key_history::table
                     .filter(schema::root_key_history::id.eq(root_key_id))
                     .select(schema::root_key_history::data_encryption_nonce)
-                        .first(conn)
+                    .first(&mut *conn)
                     .await?;
 
                 let mut nonce = Nonce::try_from(current_nonce.as_slice()).map_err(|()| {
                     error!(
-                            "Broken database: invalid nonce for root key history id={}",
+                        "Broken database: invalid nonce for root key history id={:#?}",
                         root_key_id
                     );
                     Error::BrokenDatabase
@@ -139,12 +167,11 @@ impl Vault {
                 update(schema::root_key_history::table)
                     .filter(schema::root_key_history::id.eq(root_key_id))
                     .set(schema::root_key_history::data_encryption_nonce.eq(nonce.to_vec()))
-                        .execute(conn)
+                    .execute(&mut *conn)
                     .await?;
 
                 Result::<_, Error>::Ok(nonce)
             })
-            })
             .await?;
 
         Ok(nonce)
@@ -153,19 +180,28 @@ impl Vault {
     const fn expect_unsealed(state: &mut State) -> Result<&mut Unsealed, Error> {
         match state {
             State::Unsealed(unsealed) => Ok(unsealed),
+            State::Bootstrapping { .. } => Err(Error::NotBootstrapped),
             State::Unbootstrapped => Err(Error::NotBootstrapped),
             State::Sealed { .. } => Err(Error::Sealed),
         }
     }
 
-    #[message]
+    pub async fn finalize_bootstrap(&mut self) -> Result<(), Error> {
-    pub async fn bootstrap(&mut self, seal_key_raw: SafeCell<Vec<u8>>) -> Result<(), Error> {
+        let State::Bootstrapping {
-        if !matches!(self.state, State::Unbootstrapped) {
+            declared_operators,
+            current_passphrases,
+        } = &mut self.state
+        else {
             return Err(Error::AlreadyBootstrapped);
-        }
+        };
-        let salt = v1::generate_salt();
-        let mut seal_key = derive_key(seal_key_raw, &salt);
         let mut root_key = KeyCell::new_secure_random();
+        let root_key_salt = v1::generate_salt();
+
+        let mut seal_key = KeyCell::new_secure_random();
+
+        let shares = seal_key.0.read_inline(|seal_key| {
+            generate_shamir_shares(current_passphrases.len() as u64, seal_key.as_slice())
+        });
 
         // Zero nonces are fine because they are one-time
         let root_key_nonce = Nonce::default();
@@ -181,32 +217,42 @@ impl Vault {
                 })
         })?;
 
+        let data_encryption_nonce_bytes = data_encryption_nonce.to_vec();
         let mut conn = self.db.get().await?;
 
-        let data_encryption_nonce_bytes = data_encryption_nonce.to_vec();
         let root_key_history_id = conn
-            .transaction(|conn| {
+            .transaction(async |conn| {
-                Box::pin(async move {
+                for ((operator_id, raw_passphrase), raw_share) in
-                    let root_key_history_id: i32 = insert_into(schema::root_key_history::table)
+                    current_passphrases.iter_mut().zip(shares.iter())
+                {
+                    let salt = v1::generate_salt();
+                    let mut share_seal_key = derive_key(&mut raw_passphrase, &salt);
+                    let share_encryption_nonce = Nonce::default();
+
+                    let share_key = derive_key(&mut raw_passphrase, &salt);
+                }
+
+                let root_key_history_id = insert_into(schema::root_key_history::table)
                     .values(&models::NewRootKeyHistory {
-                            ciphertext: root_key_ciphertext,
+                        ciphertext: root_key_ciphertext.clone(),
                         tag: v1::ROOT_KEY_TAG.to_vec(),
                         root_key_encryption_nonce: root_key_nonce.to_vec(),
-                            data_encryption_nonce: data_encryption_nonce_bytes,
+                        data_encryption_nonce: data_encryption_nonce_bytes.clone(),
                         schema_version: 1,
-                            salt: salt.to_vec(),
+                        salt: root_key_salt.to_vec(),
                     })
                     .returning(schema::root_key_history::id)
-                        .get_result(conn)
+                    .get_result(&mut *conn)
                     .await?;
 
                 update(schema::arbiter_settings::table)
                     .set(schema::arbiter_settings::root_key_id.eq(root_key_history_id))
-                        .execute(conn)
+                    .execute(&mut *conn)
                     .await?;
 
-                    Result::<_, diesel::result::Error>::Ok(root_key_history_id)
+                Result::<_, diesel::result::Error>::Ok(RootKeyHistoryId::from_raw(
-                })
+                    root_key_history_id,
+                ))
             })
             .await?;
 
@@ -220,11 +266,59 @@ impl Vault {
 
         Ok(())
     }
+}
+
+// Seal / unseal / bootstrap stuff. Will be separated into another actor, eventually
+#[messages]
+impl Vault {
+    #[message]
+    pub async fn start_bootstrap(&mut self, declared_operators: u64) -> Result<(), Error> {
+        if !matches!(&self.state, State::Unbootstrapped) {
+            return Err(Error::AlreadyBootstrapped);
+        }
+
+        self.state = State::Bootstrapping {
+            declared_operators,
+            current_passphrases: HashMap::default(),
+        };
+        Ok(())
+    }
 
     #[message]
-    pub async fn try_unseal(&mut self, seal_key_raw: SafeCell<Vec<u8>>) -> Result<(), Error> {
+    pub async fn contribute_bootstrap(
+        &mut self,
+        operator: OperatorIdentityId,
+        key_raw: SafeCell<Vec<u8>>,
+    ) -> Result<(), Error> {
+        let State::Bootstrapping {
+            current_passphrases,
+            declared_operators,
+        } = &mut self.state
+        else {
+            return Err(Error::AlreadyBootstrapped);
+        };
+
+        if current_passphrases.contains_key(&operator) {
+            return Err(Error::AlreadyBootstrapped);
+        }
+        current_passphrases.insert(operator, key_raw);
+
+        if current_passphrases.len() == declared_operators {
+            return self.finalize_bootstrap(seal_key_raw);
+        }
+
+        Ok(())
+    }
+
+    #[message]
+    pub async fn contribute_unseal(
+        &mut self,
+        operator: OperatorId,
+        key_raw: SafeCell<Vec<u8>>,
+    ) -> Result<(), Error> {
         let State::Sealed {
             root_key_history_id,
+            current_shares,
         } = &self.state
         else {
             return Err(Error::NotBootstrapped);
@@ -245,7 +339,7 @@ impl Vault {
             error!("Broken database: invalid salt for root key");
             Error::BrokenDatabase
         })?;
-        let mut seal_key = derive_key(seal_key_raw, &salt);
+        let mut seal_key = derive_key(key_raw, &salt);
 
         let mut root_key = SafeCell::new(current_key.ciphertext.clone());
 
@@ -276,6 +370,25 @@ impl Vault {
         Ok(())
     }
 
+    #[message]
+    pub async fn seal(&mut self) -> Result<(), Error> {
+        let Unsealed {
+            root_key_history_id,
+            ..
+        } = Self::expect_unsealed(&mut self.state)?;
+
+        self.state = State::Sealed {
+            root_key_history_id: *root_key_history_id,
+            current_shares: HashMap::new(),
+        };
+        let _ = self.events.tell(Publish(events::VaultResealed)).await;
+        Ok(())
+    }
+}
+
+// Server-side cryptographic operations
+#[messages]
+impl Vault {
     #[message]
     pub async fn decrypt(&mut self, aead_id: i32) -> Result<SafeCell<Vec<u8>>, Error> {
         let Unsealed { root_key, .. } = Self::expect_unsealed(&mut self.state)?;
@@ -344,7 +457,10 @@ impl Vault {
     }
 
     #[message]
-    pub fn sign_integrity(&mut self, mac_input: Vec<u8>) -> Result<(i32, Vec<u8>), Error> {
+    pub fn sign_integrity(
+        &mut self,
+        mac_input: Vec<u8>,
+    ) -> Result<(RootKeyHistoryId, Vec<u8>), Error> {
         let Unsealed {
             root_key,
             root_key_history_id,
@@ -356,7 +472,7 @@ impl Vault {
                 Ok(v) => v,
                 Err(_) => unreachable!("HMAC accepts keys of any size"),
             });
-        hmac.update(&root_key_history_id.to_be_bytes());
+        hmac.update(&root_key_history_id.to_raw().to_be_bytes());
         hmac.update(&mac_input);
 
         let mac = hmac.finalize().into_bytes().to_vec();
@@ -368,7 +484,7 @@ impl Vault {
         &mut self,
         mac_input: Vec<u8>,
         expected_mac: Vec<u8>,
-        key_version: i32,
+        key_version: RootKeyHistoryId,
     ) -> Result<bool, Error> {
         let Unsealed {
             root_key,
@@ -385,25 +501,47 @@ impl Vault {
                 Ok(v) => v,
                 Err(_) => unreachable!("HMAC accepts keys of any size"),
             });
-        hmac.update(&key_version.to_be_bytes());
+        hmac.update(&key_version.to_raw().to_be_bytes());
         hmac.update(&mac_input);
 
         Ok(hmac.verify_slice(&expected_mac).is_ok())
     }
-
-    #[message]
-    pub async fn seal(&mut self) -> Result<(), Error> {
-        let Unsealed {
-            root_key_history_id,
-            ..
-        } = Self::expect_unsealed(&mut self.state)?;
-
-        self.state = State::Sealed {
-            root_key_history_id: *root_key_history_id,
-        };
-        let _ = self.events.tell(Publish(events::VaultResealed)).await;
-        Ok(())
 }
+
+/// According to the spec, the quorum is 50% + 1
+/// with exception for 1 and 2 operators, those require exactly the number of operators registered
+fn shamir_threshold(comittee_size: u64) -> u64 {
+    if comittee_size == 2 || comittee_size == 1 {
+        return comittee_size;
+    }
+
+    let half_comittee = match comittee_size % 2 != 0 {
+        true => (comittee_size - 1) / 2,
+        false => comittee_size / 2,
+    };
+
+    half_comittee + 1
+}
+
+/// Beware: this function accepts raw key references (without memory protection)
+fn generate_shamir_shares(threshold: u64, key: &[u8]) -> Vec<SafeCell<Vec<u8>>> {
+    use vsss_rs::{shamir, *};
+
+    type P256Share = DefaultShare<IdentifierPrimeField<Scalar>, IdentifierPrimeField<Scalar>>;
+
+    let mut osrng = rand_core::OsRng::default();
+    let sk = SecretKey::random(&mut osrng);
+    let nzs = sk.to_nonzero_scalar();
+    let shared_secret = IdentifierPrimeField(*nzs.as_ref());
+    let res = shamir::split_secret::<P256Share>(2, 3, &shared_secret, &mut osrng);
+    assert!(res.is_ok());
+    let shares = res.unwrap();
+    let res = shares.combine();
+    assert!(res.is_ok());
+    let scalar = res.unwrap();
+    let nzs_dup = NonZeroScalar::from_repr(scalar.0.to_repr()).unwrap();
+    let sk_dup = SecretKey::from(nzs_dup);
+    assert_eq!(sk_dup.to_bytes(), sk.to_bytes());
 }
 
 #[cfg(test)]
@@ -418,7 +556,7 @@ mod tests {
             .await
             .unwrap();
         let seal_key = SafeCell::new(b"test-seal-key".to_vec());
-        actor.bootstrap(seal_key).await.unwrap();
+        actor.finalize_bootstrap(seal_key).await.unwrap();
         actor
     }
 
@@ -444,8 +582,8 @@ mod tests {
         assert!(n2.to_vec() > n1.to_vec(), "nonce must increase");
 
         let mut conn = db.get().await.unwrap();
-        let root_row: models::RootKeyHistory = schema::root_key_history::table
+        let root_row: RootKeyHistory = schema::root_key_history::table
-            .select(models::RootKeyHistory::as_select())
+            .select(RootKeyHistory::as_select())
             .first(&mut conn)
             .await
             .unwrap();

server/crates/arbiter-server/src/context/tls.rs

@@ -174,8 +174,7 @@ impl TlsManager {
 
         {
             let mut conn = db.get().await?;
-            conn.transaction(|conn| {
+            conn.transaction(async |conn| {
-                Box::pin(async {
                 let new_tls_history = NewTlsHistory {
                     cert: new_cert.cert.pem(),
                     cert_key: new_cert.cert_key.serialize_pem(),
@@ -186,17 +185,16 @@ impl TlsManager {
                 let inserted_tls_history: i32 = diesel::insert_into(tls_history::table)
                     .values(&new_tls_history)
                     .returning(tls_history::id)
-                        .get_result(conn)
+                    .get_result(&mut *conn)
                     .await?;
 
                 diesel::update(arbiter_settings::table)
                     .set(arbiter_settings::tls_id.eq(inserted_tls_history))
-                        .execute(conn)
+                    .execute(&mut *conn)
                     .await?;
 
                 Result::<_, diesel::result::Error>::Ok(())
             })
-            })
             .await?;
         }
 

server/crates/arbiter-server/src/crypto/mod.rs

@@ -28,7 +28,7 @@ impl TryFrom<SafeCell<Vec<u8>>> for KeyCell {
         if value.len() != size_of::<Key>() {
             return Err(());
         }
-        let cell = SafeCell::new_inline(|cell_write: &mut Key| {
+        let cell = SafeCell::new_inline_default(|cell_write: &mut Key| {
             cell_write.copy_from_slice(&value);
         });
         Ok(Self(cell))
@@ -37,7 +37,7 @@ impl TryFrom<SafeCell<Vec<u8>>> for KeyCell {
 
 impl KeyCell {
     pub fn new_secure_random() -> Self {
-        let key = SafeCell::new_inline(|key_buffer: &mut Key| {
+        let key = SafeCell::new_inline_default(|key_buffer: &mut Key| {
             let mut rng = StdRng::try_from_rng(&mut SysRng)
                 .expect("Rng failure is unrecoverable and should panic");
             rng.fill_bytes(key_buffer);
@@ -94,7 +94,7 @@ impl KeyCell {
 }
 
 /// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation.
-pub fn derive_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
+pub fn derive_key(password: &mut SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
     let params = {
         #[cfg(debug_assertions)]
         {

server/crates/arbiter-server/src/db/models.rs

@@ -79,10 +79,41 @@ pub mod types {
         }
     }
 
-    #[derive(Debug, FromSqlRow, AsExpression, Clone)]
+    macro_rules! declare_id {
+        ($name:ident) => {
+            #[derive(Debug, FromSqlRow, AsExpression, Clone, Hash, Copy, PartialEq, Eq)]
             #[diesel(sql_type = Integer)]
             #[repr(transparent)] // hint compiler to optimize the wrapper struct away
-    pub struct ChainId(pub i32);
+            pub struct $name(i32);
+
+            impl $name {
+                pub const fn to_raw(self) -> i32 {
+                    self.0
+                }
+                pub const fn from_raw(raw: i32) -> Self {
+                    Self(raw)
+                }
+            }
+
+            impl FromSql<Integer, Sqlite> for $name {
+                fn from_sql(
+                    bytes: <Sqlite as diesel::backend::Backend>::RawValue<'_>,
+                ) -> diesel::deserialize::Result<Self> {
+                    FromSql::<Integer, Sqlite>::from_sql(bytes).map(Self)
+                }
+            }
+            impl ToSql<Integer, Sqlite> for $name {
+                fn to_sql<'b>(
+                    &'b self,
+                    out: &mut diesel::serialize::Output<'b, '_, Sqlite>,
+                ) -> diesel::serialize::Result {
+                    ToSql::<Integer, Sqlite>::to_sql(&self.0, out)
+                }
+            }
+        };
+    }
+
+    declare_id!(ChainId);
 
     #[expect(
         clippy::cast_sign_loss,
@@ -103,21 +134,13 @@ pub mod types {
         }
     };
 
-    impl FromSql<Integer, Sqlite> for ChainId {
+    declare_id!(OperatorId);
-        fn from_sql(
+    declare_id!(OperatorIdentityId);
-            bytes: <Sqlite as diesel::backend::Backend>::RawValue<'_>,
+    declare_id!(AeadEncryptedId);
-        ) -> diesel::deserialize::Result<Self> {
+    declare_id!(RootKeyHistoryId);
-            FromSql::<Integer, Sqlite>::from_sql(bytes).map(Self)
+    declare_id!(TlsHistoryId);
-        }
+    declare_id!(EvmWalletId);
-    }
+    declare_id!(ClientId);
-    impl ToSql<Integer, Sqlite> for ChainId {
-        fn to_sql<'b>(
-            &'b self,
-            out: &mut diesel::serialize::Output<'b, '_, Sqlite>,
-        ) -> diesel::serialize::Result {
-            ToSql::<Integer, Sqlite>::to_sql(&self.0, out)
-        }
-    }
 }
 pub use types::*;
 
@@ -130,12 +153,12 @@ pub use types::*;
 )]
 #[diesel(table_name = aead_encrypted, check_for_backend(Sqlite))]
 pub struct AeadEncrypted {
-    pub id: i32,
+    pub id: AeadEncryptedId,
     pub ciphertext: Vec<u8>,
     pub tag: Vec<u8>,
     pub current_nonce: Vec<u8>,
     pub schema_version: i32,
-    pub associated_root_key_id: i32, // references root_key_history.id
+    pub associated_root_key_id: RootKeyHistoryId,
     pub created_at: SqliteTimestamp,
 }
 
@@ -148,7 +171,7 @@ pub struct AeadEncrypted {
     attributes_with = "deriveless"
 )]
 pub struct RootKeyHistory {
-    pub id: i32,
+    pub id: RootKeyHistoryId,
     pub ciphertext: Vec<u8>,
     pub tag: Vec<u8>,
     pub root_key_encryption_nonce: Vec<u8>,
@@ -166,7 +189,7 @@ pub struct RootKeyHistory {
     attributes_with = "deriveless"
 )]
 pub struct TlsHistory {
-    pub id: i32,
+    pub id: TlsHistoryId,
     pub cert: String,
     pub cert_key: String, // PEM Encoded private key
     pub ca_cert: String,  // PEM Encoded certificate for cert signing
@@ -191,7 +214,7 @@ pub struct ArbiterSettings {
     attributes_with = "deriveless"
 )]
 pub struct EvmWallet {
-    pub id: i32,
+    pub id: EvmWalletId,
     pub address: Vec<u8>,
     pub aead_encrypted_id: i32,
     pub created_at: SqliteTimestamp,
@@ -213,7 +236,7 @@ pub struct EvmWallet {
 )]
 pub struct EvmWalletAccess {
     pub id: i32,
-    pub wallet_id: i32,
+    pub wallet_id: EvmWalletId,
     pub client_id: i32,
     pub created_at: SqliteTimestamp,
 }
@@ -240,7 +263,7 @@ pub struct ProgramClientMetadataHistory {
 #[derive(Models, Queryable, Debug, Insertable, Selectable)]
 #[diesel(table_name = schema::program_client, check_for_backend(Sqlite))]
 pub struct ProgramClient {
-    pub id: i32,
+    pub id: ClientId,
     pub public_key: Vec<u8>,
     pub metadata_id: i32,
     pub created_at: SqliteTimestamp,
@@ -250,12 +273,22 @@ pub struct ProgramClient {
 #[derive(Queryable, Debug)]
 #[diesel(table_name = schema::operator_client, check_for_backend(Sqlite))]
 pub struct OperatorClient {
-    pub id: i32,
+    pub id: OperatorIdentityId,
     pub public_key: Vec<u8>,
     pub created_at: SqliteTimestamp,
     pub updated_at: SqliteTimestamp,
 }
 
+#[derive(Queryable, Debug)]
+#[diesel(table_name = schema::operator, check_for_backend(Sqlite))]
+pub struct Operator {
+    pub id: OperatorId,
+    pub share: Vec<u8>,
+    pub share_nonce: Vec<u8>,
+    pub created_at: SqliteTimestamp,
+    pub updated_at: SqliteTimestamp,
+}
+
 #[derive(Models, Queryable, Debug, Insertable, Selectable)]
 #[diesel(table_name = evm_ether_transfer_limit, check_for_backend(Sqlite))]
 #[view(
@@ -399,7 +432,7 @@ pub struct IntegrityEnvelope {
     pub entity_kind: String,
     pub entity_id: Vec<u8>,
     pub payload_version: i32,
-    pub key_version: i32,
+    pub key_version: RootKeyHistoryId,
     pub mac: Vec<u8>,
     pub signed_at: SqliteTimestamp,
     pub created_at: SqliteTimestamp,

server/crates/arbiter-server/src/db/schema.rs

@@ -152,6 +152,25 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    operator (id) {
+        id -> Nullable<Integer>,
+        share -> Binary,
+        share_nonce -> Binary,
+        created_at -> Integer,
+        updated_at -> Integer,
+    }
+}
+
+diesel::table! {
+    operator_identity (id) {
+        id -> Integer,
+        public_key -> Binary,
+        created_at -> Integer,
+        updated_at -> Integer,
+    }
+}
+
 diesel::table! {
     program_client (id) {
         id -> Integer,
@@ -185,15 +204,6 @@ diesel::table! {
     }
 }
 
-diesel::table! {
-    operator_client (id) {
-        id -> Integer,
-        public_key -> Binary,
-        created_at -> Integer,
-        updated_at -> Integer,
-    }
-}
-
 diesel::joinable!(aead_encrypted -> root_key_history (associated_root_key_id));
 diesel::joinable!(arbiter_settings -> root_key_history (root_key_id));
 diesel::joinable!(arbiter_settings -> tls_history (tls_id));
@@ -212,6 +222,7 @@ diesel::joinable!(evm_transaction_log -> evm_wallet_access (wallet_access_id));
 diesel::joinable!(evm_wallet -> aead_encrypted (aead_encrypted_id));
 diesel::joinable!(evm_wallet_access -> evm_wallet (wallet_id));
 diesel::joinable!(evm_wallet_access -> program_client (client_id));
+diesel::joinable!(operator -> operator_identity (id));
 diesel::joinable!(program_client -> client_metadata (metadata_id));
 
 diesel::allow_tables_to_appear_in_same_query!(
@@ -230,8 +241,9 @@ diesel::allow_tables_to_appear_in_same_query!(
     evm_wallet,
     evm_wallet_access,
     integrity_envelope,
+    operator,
+    operator_identity,
     program_client,
     root_key_history,
     tls_history,
-    operator_client,
 );

server/crates/arbiter-server/src/evm/mod.rs

@@ -179,8 +179,7 @@ impl Engine {
         }
 
         if run_kind == RunKind::Execution {
-            conn.transaction(|conn| {
+            conn.transaction(async |conn| {
-                Box::pin(async move {
                 let log_id: i32 = insert_into(evm_transaction_log::table)
                     .values(&NewEvmTransactionLog {
                         grant_id: grant.common_settings_id,
@@ -190,14 +189,13 @@ impl Engine {
                         signed_at: Utc::now().into(),
                     })
                     .returning(evm_transaction_log::id)
-                        .get_result(conn)
+                    .get_result(&mut *conn)
                     .await?;
 
-                    P::record_transaction(&context, meaning, log_id, &grant, conn).await?;
+                P::record_transaction(&context, meaning, log_id, &grant, &mut *conn).await?;
 
                 QueryResult::Ok(())
             })
-            })
             .await
             .map_err(DatabaseError::from)?;
         }
@@ -222,8 +220,7 @@ impl Engine {
         let vault = self.vault.clone();
 
         let id = conn
-            .transaction(|conn| {
+            .transaction(async |conn| {
-                Box::pin(async move {
                 use schema::evm_basic_grant;
 
                 #[expect(
@@ -259,18 +256,17 @@ impl Engine {
                         revoked_at: None,
                     })
                     .returning(evm_basic_grant::all_columns)
-                        .get_result(conn)
+                    .get_result(&mut *conn)
                     .await?;
 
-                    P::create_grant(&basic_grant, &full_grant.specific, conn).await?;
+                P::create_grant(&basic_grant, &full_grant.specific, &mut *conn).await?;
 
-                    integrity::sign_entity(conn, &vault, &full_grant, basic_grant.id)
+                integrity::sign_entity(&mut *conn, &vault, &full_grant, basic_grant.id)
                     .await
                     .map_err(|_| diesel::result::Error::RollbackTransaction)?;
 
                 QueryResult::Ok(basic_grant.id)
             })
-            })
             .await?;
 
         Ok(id)
@@ -363,7 +359,8 @@ mod tests {
     use crate::db::{
         self, DatabaseConnection,
         models::{
-            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
+            EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, NewEvmTransactionLog,
+            SqliteTimestamp,
         },
         schema::{evm_basic_grant, evm_transaction_log},
     };
@@ -381,7 +378,7 @@ mod tests {
         EvalContext {
             target: EvmWalletAccess {
                 id: WALLET_ACCESS_ID,
-                wallet_id: 10,
+                wallet_id: EvmWalletId::from_raw(5),
                 client_id: 20,
                 created_at: SqliteTimestamp(Utc::now()),
             },

server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs

@@ -3,7 +3,8 @@ use crate::{
     db::{
         self, DatabaseConnection,
         models::{
-            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
+            EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, NewEvmTransactionLog,
+            SqliteTimestamp,
         },
         schema::{evm_basic_grant, evm_transaction_log},
     },
@@ -31,7 +32,7 @@ fn ctx(to: Address, value: U256) -> EvalContext {
     EvalContext {
         target: EvmWalletAccess {
             id: WALLET_ACCESS_ID,
-            wallet_id: 10,
+            wallet_id: EvmWalletId::from_raw(10),
             client_id: 20,
             created_at: SqliteTimestamp(Utc::now()),
         },

server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs

@@ -2,7 +2,7 @@ use super::{Settings, TokenTransfer};
 use crate::{
     db::{
         self, DatabaseConnection,
-        models::{EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, SqliteTimestamp},
+        models::{EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, SqliteTimestamp},
         schema::evm_basic_grant,
     },
     evm::{
@@ -45,7 +45,7 @@ fn ctx(to: Address, calldata: Bytes) -> EvalContext {
     EvalContext {
         target: EvmWalletAccess {
             id: WALLET_ACCESS_ID,
-            wallet_id: 10,
+            wallet_id: EvmWalletId::from_raw(10),
             client_id: 20,
             created_at: SqliteTimestamp(Utc::now()),
         },

server/crates/arbiter-server/src/evm/safe_signer.rs

@@ -44,7 +44,7 @@ impl std::fmt::Debug for SafeSigner {
 /// Returns the protected key bytes and the derived Ethereum address.
 pub fn generate(rng: &mut impl rand::Rng) -> (SafeCell<[u8; 32]>, Address) {
     loop {
-        let mut cell = SafeCell::new_inline(|w: &mut [u8; 32]| {
+        let mut cell = SafeCell::new_inline_default(|w: &mut [u8; 32]| {
             rng.fill_bytes(w);
         });
 

server/crates/arbiter-server/src/grpc/client/vault.rs

@@ -31,6 +31,7 @@ pub(super) async fn dispatch(
         VaultRequestPayload::QueryState(()) => {
             let state = match actor.ask(HandleQueryVaultState {}).await {
                 Ok(VaultState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
+                Ok(VaultState::Bootstrapping) => ProtoVaultState::Boostrapping,
                 Ok(VaultState::Sealed) => ProtoVaultState::Sealed,
                 Ok(VaultState::Unsealed) => ProtoVaultState::Unsealed,
                 Err(SendError::HandlerError(Error::Internal)) => ProtoVaultState::Error,

server/crates/arbiter-server/src/grpc/operator/evm.rs

@@ -90,7 +90,7 @@ async fn handle_wallet_list(
                 .into_iter()
                 .map(|(id, address)| WalletEntry {
                     address: address.to_vec(),
-                    id,
+                    id: id.to_raw(),
                 })
                 .collect(),
         }),

server/crates/arbiter-server/src/grpc/operator/inbound.rs

@@ -1,11 +1,10 @@
 use crate::{
-    db::models::{CoreEvmWalletAccess, NewEvmWalletAccess},
+    db::models::{CoreEvmWalletAccess, EvmWalletId, NewEvmWalletAccess},
     evm::policies::{
         SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit, ether_transfer,
         token_transfers,
     },
-    grpc::Convert,
+    grpc::{Convert, TryConvert},
-    grpc::TryConvert,
 };
 use arbiter_proto::{
     proto::evm::{
@@ -150,7 +149,7 @@ impl Convert for WalletAccess {
 
     fn convert(self) -> Self::Output {
         NewEvmWalletAccess {
-            wallet_id: self.wallet_id,
+            wallet_id: EvmWalletId::from_raw(self.wallet_id),
             client_id: self.sdk_client_id,
         }
     }
@@ -165,7 +164,7 @@ impl TryConvert for SdkClientWalletAccess {
             return Err(Status::invalid_argument("Missing wallet access entry"));
         };
         Ok(CoreEvmWalletAccess {
-            wallet_id: access.wallet_id,
+            wallet_id: EvmWalletId::from_raw(access.wallet_id),
             client_id: access.sdk_client_id,
             id: self.id,
         })

server/crates/arbiter-server/src/grpc/operator/outbound.rs

@@ -103,7 +103,7 @@ impl Convert for EvmWalletAccess {
         Self::Output {
             id: self.id,
             access: Some(WalletAccess {
-                wallet_id: self.wallet_id,
+                wallet_id: self.wallet_id.to_raw(),
                 sdk_client_id: self.client_id,
             }),
         }

server/crates/arbiter-server/src/grpc/operator/sdk_client.rs

@@ -2,7 +2,7 @@ use crate::{
     db::models::NewEvmWalletAccess,
     grpc::Convert,
     peers::operator::{
-        OutOfBand, OperatorSession,
+        OperatorSession, OutOfBand,
         session::handlers::{
             HandleGrantEvmWalletAccess, HandleListWalletAccess, HandleNewClientApprove,
             HandleRevokeEvmWalletAccess, HandleSdkClientList,
@@ -11,8 +11,8 @@ use crate::{
 };
 use arbiter_crypto::authn;
 use arbiter_proto::proto::{
-    shared::ClientInfo as ProtoClientMetadata,
     operator::{
+        operator_response::Payload as OperatorResponsePayload,
         sdk_client::{
             self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
             ConnectionRequest as ProtoSdkClientConnectionRequest,
@@ -24,8 +24,8 @@ use arbiter_proto::proto::{
             request::Payload as SdkClientRequestPayload,
             response::Payload as SdkClientResponsePayload,
         },
-        operator_response::Payload as OperatorResponsePayload,
     },
+    shared::ClientInfo as ProtoClientMetadata,
 };
 
 use kameo::actor::ActorRef;
@@ -115,7 +115,7 @@ async fn handle_list(
             clients: clients
                 .into_iter()
                 .map(|(client, metadata)| ProtoSdkClientEntry {
-                    id: client.id,
+                    id: client.id.to_raw(),
                     pubkey: client.public_key.clone(),
                     info: Some(ProtoClientMetadata {
                         name: metadata.name,

server/crates/arbiter-server/src/grpc/operator/vault.rs

@@ -3,7 +3,6 @@ use crate::{
     peers::operator::{OperatorSession, session::handlers::HandleQueryVaultState},
 };
 use arbiter_proto::{
-    proto::shared::VaultState as ProtoVaultState,
     proto::operator::{
         operator_response::Payload as OperatorResponsePayload,
         vault::{
@@ -11,6 +10,7 @@ use arbiter_proto::{
             response::Payload as VaultResponsePayload,
         },
     },
+    proto::shared::VaultState as ProtoVaultState,
 };
 
 use kameo::actor::ActorRef;
@@ -47,6 +47,7 @@ async fn handle_query_vault_state(
     let state = match actor.ask(HandleQueryVaultState {}).await {
         Ok(VaultState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
         Ok(VaultState::Sealed) => ProtoVaultState::Sealed,
+        Ok(VaultState::Bootstrapping) => ProtoVaultState::Boostrapping,
         Ok(VaultState::Unsealed) => ProtoVaultState::Unsealed,
         Err(err) => {
             warn!(error = ?err, "Failed to query vault state");

server/crates/arbiter-server/src/grpc/operator/vault_gate/outbound.rs

@@ -4,7 +4,6 @@ use crate::{
     peers::operator::vault_gate::{self as vault_gate},
 };
 use arbiter_proto::proto::{
-    shared::VaultState as ProtoVaultState,
     operator::{
         operator_response::Payload as OperatorResponsePayload,
         vault::{
@@ -17,6 +16,7 @@ use arbiter_proto::proto::{
             },
         },
     },
+    shared::VaultState as ProtoVaultState,
 };
 
 use tonic::Status;
@@ -46,6 +46,7 @@ impl Convert for VaultState {
     fn convert(self) -> OperatorResponsePayload {
         let proto_state = match self {
             Self::Unbootstrapped => ProtoVaultState::Unbootstrapped,
+            Self::Bootstrapping => ProtoVaultState::Boostrapping,
             Self::Sealed => ProtoVaultState::Sealed,
             Self::Unsealed => ProtoVaultState::Unsealed,
         };

server/crates/arbiter-server/src/peers/client/auth.rs

@@ -171,10 +171,7 @@ async fn insert_client(
         Error::DatabasePoolUnavailable
     })?;
 
-    conn.exclusive_transaction(|conn| {
+    conn.exclusive_transaction(async |conn| {
-        let vault = vault.clone();
-        let pubkey = pubkey.clone();
-        Box::pin(async move {
         let metadata_id = insert_into(client_metadata::table)
             .values((
                 client_metadata::name.eq(&metadata.name),
@@ -182,7 +179,7 @@ async fn insert_client(
                 client_metadata::version.eq(&metadata.version),
             ))
             .returning(client_metadata::id)
-                .get_result::<i32>(conn)
+            .get_result::<i32>(&mut *conn)
             .await?;
 
         let client_id = insert_into(program_client::table)
@@ -192,12 +189,12 @@ async fn insert_client(
             ))
             .on_conflict_do_nothing()
             .returning(program_client::id)
-                .get_result::<i32>(conn)
+            .get_result::<i32>(&mut *conn)
             .await?;
 
         integrity::sign_entity(
-                conn,
+            &mut *conn,
-                &vault,
+            vault,
             &ClientCredentials {
                 pubkey: pubkey.clone(),
             },
@@ -211,7 +208,6 @@ async fn insert_client(
 
         Ok(client_id)
     })
-    })
     .await
 }
 
@@ -229,18 +225,15 @@ async fn sync_client_metadata(
         Error::DatabasePoolUnavailable
     })?;
 
-    conn.exclusive_transaction(|conn| {
+    conn.exclusive_transaction(async |conn| {
-        let metadata = metadata.clone();
+        let (current_metadata_id, current): (i32, ProgramClientMetadata) = program_client::table
-        Box::pin(async move {
-            let (current_metadata_id, current): (i32, ProgramClientMetadata) =
-                program_client::table
             .find(client_id)
             .inner_join(client_metadata::table)
             .select((
                 program_client::metadata_id,
                 ProgramClientMetadata::as_select(),
             ))
-                    .first(conn)
+            .first(&mut *conn)
             .await?;
 
         let unchanged = current.name == metadata.name
@@ -255,7 +248,7 @@ async fn sync_client_metadata(
                 client_metadata_history::metadata_id.eq(current_metadata_id),
                 client_metadata_history::client_id.eq(client_id),
             ))
-                .execute(conn)
+            .execute(&mut *conn)
             .await?;
 
         let metadata_id = insert_into(client_metadata::table)
@@ -265,7 +258,7 @@ async fn sync_client_metadata(
                 client_metadata::version.eq(&metadata.version),
             ))
             .returning(client_metadata::id)
-                .get_result::<i32>(conn)
+            .get_result::<i32>(&mut *conn)
             .await?;
 
         update(program_client::table.find(client_id))
@@ -273,12 +266,11 @@ async fn sync_client_metadata(
                 program_client::metadata_id.eq(metadata_id),
                 program_client::updated_at.eq(now),
             ))
-                .execute(conn)
+            .execute(&mut *conn)
             .await?;
 
         Ok::<(), diesel::result::Error>(())
     })
-    })
     .await
     .map_err(|e| {
         error!(error = ?e, "Database error");

server/crates/arbiter-server/src/peers/operator/auth/state.rs

@@ -4,7 +4,7 @@ use super::{
 };
 use crate::{
     actors::bootstrap::ConsumeToken,
-    db::{DatabasePool, schema::operator_client},
+    db::{DatabasePool, schema::operator_identity},
     peers::operator::auth::Outbound,
 };
 use arbiter_crypto::authn::{self, AuthChallenge, OPERATOR_CONTEXT};
@@ -44,9 +44,9 @@ async fn get_client_id(db: &DatabasePool, pubkey: &authn::PublicKey) -> Result<O
         Error::internal("Database unavailable")
     })?;
 
-    operator_client::table
+    operator_identity::table
-        .filter(operator_client::public_key.eq(pubkey.to_bytes()))
+        .filter(operator_identity::public_key.eq(pubkey.to_bytes()))
-        .select(operator_client::id)
+        .select(operator_identity::id)
         .first::<i32>(&mut conn)
         .await
         .optional()
@@ -63,9 +63,9 @@ async fn register_key(db: &DatabasePool, pubkey: &authn::PublicKey) -> Result<i3
         Error::internal("Database unavailable")
     })?;
 
-    let id: i32 = diesel::insert_into(operator_client::table)
+    let id: i32 = diesel::insert_into(operator_identity::table)
-        .values((operator_client::public_key.eq(pubkey_bytes),))
+        .values((operator_identity::public_key.eq(pubkey_bytes),))
-        .returning(operator_client::id)
+        .returning(operator_identity::id)
         .get_result(&mut conn)
         .await
         .map_err(|e| {

server/crates/arbiter-server/src/peers/operator/session/handlers.rs

@@ -1,12 +1,16 @@
 use super::{Error, OperatorSession};
 use crate::{
-    actors::evm::{
+    actors::{
-        ClientSignTransaction, Generate, ListWallets, SignTransactionError as EvmSignError,
+        evm::{
-        OperatorCreateGrant, OperatorListGrants,
+            ClientSignTransaction, Generate, ListWallets, OperatorCreateGrant, OperatorListGrants,
+            SignTransactionError as EvmSignError,
+        },
+        flow_coordinator::client_connect_approval::ClientApprovalAnswer,
+        vault::VaultState,
+    },
+    db::models::{
+        EvmWalletAccess, EvmWalletId, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
     },
-    actors::flow_coordinator::client_connect_approval::ClientApprovalAnswer,
-    actors::vault::VaultState,
-    db::models::{EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata},
     evm::policies::{Grant, SpecificGrant},
 };
 use arbiter_crypto::authn;
@@ -70,7 +74,9 @@ impl OperatorSession {
     }
 
     #[message]
-    pub(crate) async fn handle_evm_wallet_list(&mut self) -> Result<Vec<(i32, Address)>, Error> {
+    pub(crate) async fn handle_evm_wallet_list(
+        &mut self,
+    ) -> Result<Vec<(EvmWalletId, Address)>, Error> {
         match self.props.actors.evm.ask(ListWallets {}).await {
             Ok(wallets) => Ok(wallets),
             Err(err) => {
@@ -169,21 +175,19 @@ impl OperatorSession {
         entries: Vec<NewEvmWalletAccess>,
     ) -> Result<(), Error> {
         let mut conn = self.props.db.get().await?;
-        conn.transaction(|conn| {
+        conn.transaction(async |conn| {
-            Box::pin(async move {
             use crate::db::schema::evm_wallet_access;
 
             for entry in entries {
                 diesel::insert_into(evm_wallet_access::table)
                     .values(&entry)
                     .on_conflict_do_nothing()
-                        .execute(conn)
+                    .execute(&mut *conn)
                     .await?;
             }
 
             Result::<_, Error>::Ok(())
         })
-        })
         .await?;
         Ok(())
     }
@@ -194,19 +198,17 @@ impl OperatorSession {
         entries: Vec<i32>,
     ) -> Result<(), Error> {
         let mut conn = self.props.db.get().await?;
-        conn.transaction(|conn| {
+        conn.transaction(async |conn| {
-            Box::pin(async move {
             use crate::db::schema::evm_wallet_access;
             for entry in entries {
                 diesel::delete(evm_wallet_access::table)
                     .filter(evm_wallet_access::wallet_id.eq(entry))
-                        .execute(conn)
+                    .execute(&mut *conn)
                     .await?;
             }
 
             Result::<_, Error>::Ok(())
         })
-        })
         .await?;
         Ok(())
     }

server/crates/arbiter-server/tests/client/auth.rs

@@ -86,8 +86,8 @@ async fn insert_bootstrap_sentinel_operator(db: &db::DatabasePool) {
         .0
         .to_vec();
 
-    insert_into(schema::operator_client::table)
+    insert_into(schema::operator_identity::table)
-        .values((schema::operator_client::public_key.eq(sentinel_key),))
+        .values((schema::operator_identity::public_key.eq(sentinel_key),))
         .execute(&mut conn)
         .await
         .unwrap();

server/crates/arbiter-server/tests/operator/auth.rs

@@ -206,8 +206,8 @@ pub async fn bootstrap_token_auth() {
     task.await.unwrap().unwrap();
 
     let mut conn = db.get().await.unwrap();
-    let stored_pubkey: Vec<u8> = schema::operator_client::table
+    let stored_pubkey: Vec<u8> = schema::operator_identity::table
-        .select(schema::operator_client::public_key)
+        .select(schema::operator_identity::public_key)
         .first::<Vec<u8>>(&mut conn)
         .await
         .unwrap();
@@ -259,7 +259,7 @@ pub async fn bootstrap_invalid_token_auth() {
     ));
 
     let mut conn = db.get().await.unwrap();
-    let count: i64 = schema::operator_client::table
+    let count: i64 = schema::operator_identity::table
         .count()
         .get_result::<i64>(&mut conn)
         .await
@@ -285,9 +285,9 @@ pub async fn challenge_auth() {
 
     {
         let mut conn = db.get().await.unwrap();
-        let id: i32 = insert_into(schema::operator_client::table)
+        let id: i32 = insert_into(schema::operator_identity::table)
-            .values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
+            .values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
-            .returning(schema::operator_client::id)
+            .returning(schema::operator_identity::id)
             .get_result(&mut conn)
             .await
             .unwrap();
@@ -371,8 +371,8 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
 
     {
         let mut conn = db.get().await.unwrap();
-        insert_into(schema::operator_client::table)
+        insert_into(schema::operator_identity::table)
-            .values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
+            .values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
             .execute(&mut conn)
             .await
             .unwrap();
@@ -444,9 +444,9 @@ pub async fn challenge_auth_rejects_invalid_signature() {
 
     {
         let mut conn = db.get().await.unwrap();
-        let id: i32 = insert_into(schema::operator_client::table)
+        let id: i32 = insert_into(schema::operator_identity::table)
-            .values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
+            .values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
-            .returning(schema::operator_client::id)
+            .returning(schema::operator_identity::id)
             .get_result(&mut conn)
             .await
             .unwrap();

server/crates/arbiter-tokens-registry/Cargo.toml

@@ -5,3 +5,7 @@ edition = "2024"
 
 [dependencies]
 alloy.workspace = true
+
+[lib]
+test = false
+doctest = false